From angray at beeb.net Tue May 1 01:29:29 2007
From: angray at beeb.net (Aaron Gray)
Date: Tue, 1 May 2007 01:29:29 +0100
Subject: [Full-disclosure] Spam is funny!
References: <20070412202204.52A46DA827@mailserver7.hushmail.com> <20070429233622.907A.SHAUN@shaunc.com> <4636461E.12425.DBAD81F9@nick.virus-l.demon.co.uk>
Message-ID: <015d01c78b87$c91634b0$0200a8c0@AMD2500>

> Shaun wrote:
>
>> One trend I've noticed recently is that spammers appear to be tailoring
>> the subject headers to individual recipients. I'm not talking about the
>> crap where they stick your name in the subject, it seems they're getting
>> much more specific, and perhaps tracking where they picked up an email
>> address to begin with and which sort of subject lines might pique the
>> recipient's interest.
>>
>> I receive a lot of spam where I glance at the subject - even if SA has
>> tagged it - and actually have to wonder whether or not it's a legit
>> message, because the subject is relevant to my interests. A quick
>> example,
>>
>> Subject: The Redirect requests to SSL port option allows you to redirect
>> requests to the specified SSL port.
>>
>> I do a lot with SSL, so naturally I opened up that email just to see
>> what the heck they're on about. Of course it turns out to be a stock
>> spam for CYTV. But I get a lot of spam now with unix-ish, programming,
>> or other geek related subject lines that I have to take a look at
>> because they _could_ be legit.
>
> I've seen a lot of spam lately (last 6-8 weeks -- maybe more) using, as
> their "Subject" lines similar such "sentences" from online copies of
> (mostly) Linux-ish books and "how to" articles (and often as the hash-
> buster text in the message body). This may be loosely targeted -- we
> quite possibly subscribe (and post?) to several similar mailing lists
> and the use of our addresses _in this particular spam_ may be from
> harvesting such lists or their web archives -- or it may be that some
> spammer thinks (or knows from monitoring his RoI) that such "techno-
> speak gobbledegook" Subject: lines work better (non-tech folk _may_
> have been conditioned by much poorly-considered "tech support" to "dumb
> down" when anyone starts "talking techie" at them...).

What's the point? We still chuck it away.

Aaron

From electric_cissp at yahoo.com Tue May 1 06:47:30 2007
From: electric_cissp at yahoo.com (the electric)
Date: Mon, 30 Apr 2007 22:47:30 -0700 (PDT)
Subject: [Full-disclosure] NSA's surveillance project: True or crap
In-Reply-To: <4636529F.1050305@bellsouth.net>
Message-ID: <989887.130.qm@web32812.mail.mud.yahoo.com>

This information at the time may or may not have been completely accurate; however, it is outdated now. Most if not all of the coded projects have either changed names or been replaced since 1988. There is plenty of newer information out there, especially dealing with SIGINT.

scott wrote:

> I just came across this:
> http://www.abovetopsecret.com/pages/echelon.html
>
> Want to know what everyone makes of it.
>
> True or crap?
>
> Regards,
> Scott

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
From hardwick.carl at gmail.com Tue May 1 08:26:21 2007
From: hardwick.carl at gmail.com (carl hardwick)
Date: Tue, 1 May 2007 09:26:21 +0200
Subject: [Full-disclosure] Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file
Message-ID:

Product: Firefox 2.0.0.3
Description: Out-of-bounds memory access via specially crafted html file
Type: Remote

Vulnerability can be exploited by using a large value in a href tag to create an out-of-bounds memory access.

Proof Of Concept exploit:
http://www.critical.lt/research/opera_die_happy.html

From jmm at debian.org Tue May 1 11:03:13 2007
From: jmm at debian.org (Moritz Muehlenhoff)
Date: Tue, 1 May 2007 12:03:13 +0200
Subject: [Full-disclosure] [SECURITY] [DSA 1284-1] New qemu packages fix several vulnerabilities
Message-ID: <20070501100313.GA4074@galadriel.inutil.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1284-1                    security at debian.org
http://www.debian.org/security/                          Moritz Muehlenhoff
May 1st, 2007                           http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : qemu
Vulnerability  : several
Problem-Type   : local
Debian-specific: no
CVE ID         : CVE-2007-1320 CVE-2007-1321 CVE-2007-1322 CVE-2007-1323 CVE-2007-1366

Several vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-1320

    Tavis Ormandy discovered that a memory management routine of the Cirrus video driver performs insufficient bounds checking, which might allow the execution of arbitrary code through a heap overflow.
CVE-2007-1321

    Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow.

CVE-2007-1322

    Tavis Ormandy discovered that the "icebp" instruction can be abused to terminate the emulation, resulting in denial of service.

CVE-2007-1323

    Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow.

CVE-2007-1366

    Tavis Ormandy discovered that the "aam" instruction can be abused to crash qemu through a division by zero, resulting in denial of service.

For the oldstable distribution (sarge) these problems have been fixed in version 0.6.1+20050407-1sarge1.

For the stable distribution (etch) these problems have been fixed in version 0.8.2-4etch1.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your qemu packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/q/qemu/qemu_0.6.1+20050407-1sarge1.dsc
    Size/MD5 checksum:      860 0d4d669e862d4249af1fd6d4e62ed21e
  http://security.debian.org/pool/updates/main/q/qemu/qemu_0.6.1+20050407-1sarge1.diff.gz
    Size/MD5 checksum:   456776 9940e2b1c7e3edce24a941d79cc45f1c
  http://security.debian.org/pool/updates/main/q/qemu/qemu_0.6.1+20050407.orig.tar.gz
    Size/MD5 checksum:   991912 a4cb70b9b701668c1c37705f9b5baae6

Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/q/qemu/qemu_0.6.1+20050407-1sarge1_i386.deb
    Size/MD5 checksum:  1888278 b3fd3a2a4c01ccd3a22ffb079c2da48a

PowerPC architecture:

  http://security.debian.org/pool/updates/main/q/qemu/qemu_0.6.1+20050407-1sarge1_powerpc.deb
    Size/MD5 checksum:  1819756 d95ad449adf33a288cb509a5cf580593

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/q/qemu/qemu_0.8.2-4etch1.dsc
    Size/MD5 checksum:     1122 9d55f0fd6f5261bff1a83f6ea0652afb
  http://security.debian.org/pool/updates/main/q/qemu/qemu_0.8.2-4etch1.diff.gz
    Size/MD5 checksum:    63407 e4f93234058f38d4fffbacb9524bbaa4
  http://security.debian.org/pool/updates/main/q/qemu/qemu_0.8.2.orig.tar.gz
    Size/MD5 checksum:  1501979 312eebc1386cca2e9b30a40763ab9c0d

AMD64 architecture:

  http://security.debian.org/pool/updates/main/q/qemu/qemu_0.8.2-4etch1_amd64.deb
    Size/MD5 checksum:  3700158 ced2cb8925aadb4abb1d0bf9f49aaace

Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/q/qemu/qemu_0.8.2-4etch1_i386.deb
    Size/MD5 checksum:  3675760 20e6e9eb0ea92b043397e3ea348a3925

PowerPC architecture:

  http://security.debian.org/pool/updates/main/q/qemu/qemu_0.8.2-4etch1_powerpc.deb
    Size/MD5 checksum:  3578440 e604fc75cead026b2581800f35c1f5b4

These files will probably be moved into the stable distribution on its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGNxAnXm3vHE4uyloRAhhmAJ4w0DIQS8BdMfEiGpmkV2g4/LvTgwCgsVQm
5V5pBSZH6m6iHRFLzWNVOoY=
=MqaT
-----END PGP SIGNATURE-----

From slythers at gmail.com Tue May 1 11:12:25 2007
From: slythers at gmail.com (Slythers Bro)
Date: Tue, 1 May 2007 12:12:25 +0200
Subject: [Full-disclosure] Spam is funny!
In-Reply-To: <00b001c78b74$ef6db4c0$c801a8c0@Nemo>
References: <20070412202204.52A46DA827@mailserver7.hushmail.com> <20070429233622.907A.SHAUN@shaunc.com> <00b001c78b74$ef6db4c0$c801a8c0@Nemo>
Message-ID: <8f6a58a30705010312k37e8b689xd5af589ce5a4f25c@mail.gmail.com>

Yeah, spam is fun. The proof: http://pornmaster.ath.cx/

From kaharas at gmail.com Tue May 1 11:43:09 2007
From: kaharas at gmail.com (xxx xxx)
Date: Tue, 1 May 2007 12:43:09 +0200
Subject: [Full-disclosure] Month of ActiveX Bug
Message-ID: <20cf4a60705010343k569886daje70d719b08042b50@mail.gmail.com>

Surfing on the net, I've found this initiative: http://moaxb.blogspot.com/

It seems quite interesting; maybe some of you would like to take a look :)
From Larry at larryseltzer.com Tue May 1 12:27:01 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Tue, 1 May 2007 07:27:01 -0400
Subject: [Full-disclosure] Month of ActiveX Bug
In-Reply-To: <20cf4a60705010343k569886daje70d719b08042b50@mail.gmail.com>
References: <20cf4a60705010343k569886daje70d719b08042b50@mail.gmail.com>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE0FD59D@becca.LarrySeltzer.local>

>> http://moaxb.blogspot.com/

Wow, a DoS in a 3rd-party PowerPoint viewer. This ought to bring the Internet to its knees. I wonder if he'll have any actual ActiveX bugs or if they'll just be DoS's in controls.

From hijacker at oldum.net Tue May 1 13:26:05 2007
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Tue, 1 May 2007 15:26:05 +0300
Subject: [Full-disclosure] Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file
References:
Message-ID: <002801c78beb$e3ec5440$0600a8c0@hpa>

Exploit works like a charm on FF 2.0.3 on win2k sp4.

Regards,
-Nikolay Kichukov

----- Original Message -----
From: "carl hardwick"
To:
Sent: Tuesday, May 01, 2007 10:26 AM
Subject: [Full-disclosure] Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file

> Product: Firefox 2.0.0.3
> Description: Out-of-bounds memory access via specially crafted html file
> Type: Remote
>
> Vulnerability can be exploited by using a large value in a href tag to
> create an out-of-bounds memory access.
>
> Proof Of Concept exploit:
> http://www.critical.lt/research/opera_die_happy.html
>
From wesley at mcgrewsecurity.com Tue May 1 14:08:16 2007
From: wesley at mcgrewsecurity.com (Robert Wesley McGrew)
Date: Tue, 1 May 2007 08:08:16 -0500
Subject: [Full-disclosure] Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file
In-Reply-To:
References:
Message-ID:

On 5/1/07, carl hardwick wrote:
> Product: Firefox 2.0.0.3
> Description: Out-of-bounds memory access via specially crafted html file
> Type: Remote
>
> Vulnerability can be exploited by using a large value in a href tag to
> create an out-of-bounds memory access.
>
> Proof Of Concept exploit:
> http://www.critical.lt/research/opera_die_happy.html

This doesn't work in Firefox 2.0.0.3 in Ubuntu 7.04. This sounds like it might be another case of mistaken identity with the heap overflow vulnerability in Nvidia blob drivers for Linux, as this was one way to exploit it.

--
Robert Wesley McGrew
http://mcgrewsecurity.com

From ismail at pardus.org.tr Tue May 1 14:24:32 2007
From: ismail at pardus.org.tr (Ismail Dönmez)
Date: Tue, 1 May 2007 16:24:32 +0300
Subject: [Full-disclosure] Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file
In-Reply-To:
References:
Message-ID: <200705011624.37187.ismail@pardus.org.tr>

On Tuesday 01 May 2007 10:26:21 carl hardwick wrote:
> Product: Firefox 2.0.0.3
> Description: Out-of-bounds memory access via specially crafted html file
> Type: Remote
>
> Vulnerability can be exploited by using a large value in a href tag to
> create an out-of-bounds memory access.
>
> Proof Of Concept exploit:
> http://www.critical.lt/research/opera_die_happy.html

Freezes Firefox 2.0.3 on my Linux box. Using Intel drivers, fwiw.

/ismail
From mdontu at bitdefender.com Tue May 1 14:29:35 2007
From: mdontu at bitdefender.com (Mihai Donțu)
Date: Tue, 1 May 2007 16:29:35 +0300
Subject: [Full-disclosure] Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file
In-Reply-To:
References:
Message-ID: <200705011629.35795.mdontu@bitdefender.com>

On Tuesday 01 May 2007 10:26, carl hardwick wrote:
> Product: Firefox 2.0.0.3
> Description: Out-of-bounds memory access via specially crafted html file
> Type: Remote
>
> Vulnerability can be exploited by using a large value in a href tag to
> create an out-of-bounds memory access.
>
> Proof Of Concept exploit:
> http://www.critical.lt/research/opera_die_happy.html

I don't know what this exploit is supposed to do (I assume crash the browser), but my FF just fires up my CPU and... that's it :) I can close the tab or click the Home button and everything goes back to normal.

I have FF 2.0.3 (32bit) running on a 64bit Gentoo.

--
Mihai

From research at matousec.com Tue May 1 11:22:30 2007
From: research at matousec.com (Matousec - Transparent security Research)
Date: Tue, 01 May 2007 12:22:30 +0200
Subject: [Full-disclosure] ZoneAlarm Insufficient validation of 'vsdatant' driver input buffer Vulnerability
Message-ID: <463714E6.9000601@matousec.com>

Hello,

We would like to inform you about a vulnerability in ZoneAlarm 6.

Description:

ZoneAlarm insufficiently protects its driver \Device\vsdatant against manipulation by malicious applications and it fails to validate its input buffer. It is possible to open the driver's device and send arbitrary data to it, which are implicitly believed to be valid.
It is possible to assemble the data in the input buffer such that the driver performs an invalid memory operation and crashes the whole operating system. Further impacts of this bug (like arbitrary code execution in the kernel mode) were not examined.

Vulnerable software:

* ZoneAlarm Pro 6.5.737.000
* ZoneAlarm Pro 6.1.744.001
* probably all versions of ZoneAlarm products branches 6.x
* possibly older versions of ZoneAlarm products

Not vulnerable software:

* ZoneAlarm Pro 7.0.302.000 and higher
* probably all versions of ZoneAlarm products branches 7.x and higher

More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/ZoneAlarm-Insufficient-validation-of-vsdatant-driver-input-buffer.php

Regards,

--
Matousec - Transparent security Research
http://www.matousec.com/

From pdp.gnucitizen at googlemail.com Tue May 1 14:26:46 2007
From: pdp.gnucitizen at googlemail.com (pdp (architect))
Date: Tue, 1 May 2007 14:26:46 +0100
Subject: [Full-disclosure] 2057 - The City
Message-ID: <6905b1570705010626j43e09df5s51503eaabfb0d174@mail.gmail.com>

I stumbled across this documentary about cities of the future. For those who haven't seen it yet, it is highly recommended. It will take only 43:29 minutes of your time. Believe me, it is worth looking at. It is quite exciting to look into stuff that may happen in the future. This documentary, in particular, is interesting because it depicts what will happen when our highly computerized world crashes and burns. Everything is so much dependent on IT security and I am not sure whether people realize it.

So, I am not going to spam you more with this message. Those who are interested click here:
http://www.gnucitizen.org/blog/2057-the-city

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

From labs-no-reply at idefense.com Tue May 1 15:56:54 2007
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Tue, 01 May 2007 10:56:54 -0400
Subject: [Full-disclosure] iDefense Security Advisory 04.30.07: Cerulean Studios Trillian Multiple IRC Vulnerabilities
Message-ID: <46375536.8030500@idefense.com>

Cerulean Studios Trillian Multiple IRC Vulnerabilities

iDefense Security Advisory 04.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 30, 2007

I. BACKGROUND

Cerulean Studios Trillian is a multi-protocol chat application that supports IRC, ICQ, AIM and MSN protocols. More information can be found on the vendor's site at the following URL.

http://www.ceruleanstudios.com/learn/

II. DESCRIPTION

Remote exploitation of multiple vulnerabilities in the Internet Relay Chat (IRC) module of Cerulean Studios' Trillian could allow for the interception of private conversations or execution of code as the currently logged on user.

When handling long CTCP PING messages containing UTF-8 characters, it is possible to cause the Trillian IRC client to return a malformed response to the server. This malformed response is truncated and is missing the terminating newline character. This could allow the next line sent to the server to be improperly sent to an attacker.

When a user highlights a URL in an IRC message window Trillian copies the data to an internal buffer. If the URL contains a long string of UTF-8 characters, it is possible to overflow a heap based buffer corrupting memory in a way that could allow for code execution.

A heap overflow can be triggered remotely when the Trillian IRC module receives a message that contains a font face HTML tag with the face attribute set to a long UTF-8 string.

III. ANALYSIS

Exploitation of this vulnerability allows remote attackers to intercept private communications for Trillian IRC users or execute code with the credentials of the currently logged on user.
In order to exploit the highlighted URL vulnerability, users would have to highlight the malicious URL.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Cerulean Studios Trillian 3.1.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

Cerulean Studios has addressed these vulnerabilities within version 3.1.5.0 of Trillian. For more information, visit their blog at the following URL.

http://blog.ceruleanstudios.com/

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

01/24/2007  Initial vendor notification
01/30/2007  Initial vendor response
04/30/2007  Coordinated public disclosure

IX. CREDIT

These vulnerabilities were reported to iDefense by enhalos.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
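The first Trillian issue in section II is a line-framing failure rather than a memory bug: the CTCP PING reply is cut short without its terminating newline, so whatever the client writes next is glued onto a line already addressed to the attacker. The following is an added illustration, not code from the iDefense advisory or from Trillian. It assumes the 512-byte IRC line limit of RFC 1459 (CRLF included) as the budget being enforced, and a client that writes replies and its own commands into one socket stream; the nicks, the PING payload and the "next line" are constructed.

```python
"""Added example (not from the advisory or Trillian): a CTCP PING reply
builder that loses its line terminator under a long UTF-8 payload, next
to one that budgets the terminator first.  Assumes RFC 1459's 512-byte
line limit (CRLF included) and one socket stream for replies and
commands.  All nicks and messages are constructed."""

IRC_MAX_LINE = 512  # RFC 1459: 512 bytes per line, CRLF included
CRLF = b"\r\n"


def naive_ctcp_reply(target: str, payload: str) -> bytes:
    """Encode the whole line, then chop it to the limit.

    With a long UTF-8 payload the chop removes the closing \\x01 and the
    CRLF, so the bytes go out as an unterminated line (and may end in the
    middle of a multi-byte character)."""
    line = f"NOTICE {target} :\x01PING {payload}\x01\r\n"
    return line.encode("utf-8")[:IRC_MAX_LINE]


def safe_ctcp_reply(target: str, payload: str) -> bytes:
    """Reserve room for the fixed parts and CRLF, cut the payload on a
    code-point boundary, and always emit the terminator."""
    # CR, LF and NUL inside the payload would themselves start a new
    # line on the wire; IRC has no escaping, so drop them outright.
    payload = payload.translate({ord(c): None for c in "\r\n\x00"})
    prefix = f"NOTICE {target} :\x01PING ".encode("utf-8")
    suffix = b"\x01" + CRLF
    budget = IRC_MAX_LINE - len(prefix) - len(suffix)
    if budget < 0:
        raise ValueError("target nick leaves no room for a reply")
    body = payload.encode("utf-8")[:budget]
    # A cut inside a multi-byte sequence leaves an incomplete trailing
    # character; decoding with errors="ignore" drops exactly that tail
    # (the input was valid UTF-8, so nothing else is affected).
    body = body.decode("utf-8", errors="ignore").encode("utf-8")
    return prefix + body + suffix


def client_output(builder, attacker: str, payload: str, next_line: str) -> bytes:
    """The byte stream a client writes: the CTCP reply to the attacker,
    then whatever it sends next (here a private message to someone else)."""
    return builder(attacker, payload) + next_line.encode("utf-8") + CRLF


def server_lines(stream: bytes) -> list:
    """What the server parses: one command per CRLF-terminated line."""
    return [line for line in stream.split(CRLF) if line]


if __name__ == "__main__":
    ping = "\u00e9" * 600  # 1200 bytes of UTF-8 (constructed payload)
    secret = "PRIVMSG alice :the meeting is at 9"
    for name, builder in (("naive", naive_ctcp_reply), ("safe", safe_ctcp_reply)):
        lines = server_lines(client_output(builder, "mallory", ping, secret))
        leaked = b"PRIVMSG" in lines[0]
        print(f"{name}: server saw {len(lines)} line(s); "
              f"{'PRIVMSG leaked into NOTICE to mallory' if leaked else 'ok'}")
```

With the naive builder the server receives a single line, a NOTICE to mallory whose trailing text is the PRIVMSG meant for alice, which is exactly the "next line sent to the server to be improperly sent to an attacker" from the advisory. The safe builder produces two lines; it trims the payload, not the framing, and never lets a 512-byte limit reach the terminator.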
From chris.rohlf at gmail.com Tue May 1 16:04:25 2007
From: chris.rohlf at gmail.com (Chris Rohlf)
Date: Tue, 1 May 2007 11:04:25 -0400
Subject: [Full-disclosure] 2057 - The City
Message-ID: <1681f2df0705010804p199a6c96v205054a7b4f75f34@mail.gmail.com>

I saw this on television a few weeks ago. A lot of it is a bit far-fetched IMO. But your point to IT security and how important of a role it will play is definitely right. Not many people understand what's at risk. Maybe the Discovery channel will make a show about computer security that doesn't involve a boring story from 1996 :-\

> So, I am not going to spam you more with this message. Those who are
> interested click here:
> http://www.gnucitizen.org/blog/2057-the-city

chris

--
http://em386.blogspot.com

From alex.bierbaumer at chello.at Tue May 1 15:56:19 2007
From: alex.bierbaumer at chello.at (Alexander Bierbaumer)
Date: Tue, 1 May 2007 16:56:19 +0200
Subject: [Full-disclosure] Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file
In-Reply-To: <200705011629.35795.mdontu@bitdefender.com>
References: <200705011629.35795.mdontu@bitdefender.com>
Message-ID: <20070501165619.24379ecb.alex.bierbaumer@chello.at>

Same here on Gentoo with 2.6.19-beyond4

On Tue, 1 May 2007 16:29:35 +0300
Mihai Donțu wrote:

> On Tuesday 01 May 2007 10:26, carl hardwick wrote:
> > Product: Firefox 2.0.0.3
> > Description: Out-of-bounds memory access via specially crafted html file
> > Type: Remote
> >
> > Vulnerability can be exploited by using a large value in a href tag to
> > create an out-of-bounds memory access.
> >
> > Proof Of Concept exploit:
> > http://www.critical.lt/research/opera_die_happy.html
>
> I don't know what this exploit is supposed to do (I assume crash the browser),
> but my FF just fires up my CPU and... that's it :) I can close the tab or
> click the Home button and everything goes back to normal.
> I have FF 2.0.3 (32bit) running on a 64bit Gentoo.
>
> --
> Mihai

--
Alexander Bierbaumer

From 300baud at gmail.com Tue May 1 16:24:46 2007
From: 300baud at gmail.com (Line Noise)
Date: Tue, 1 May 2007 08:24:46 -0700
Subject: [Full-disclosure] NSA's surveillance project: True or crap
In-Reply-To: <4636529F.1050305@bellsouth.net>
References: <4636529F.1050305@bellsouth.net>
Message-ID: <739e7bb20705010824q79eeedabocc60dc6dd2dcb657@mail.gmail.com>

On 4/30/07, scott wrote:
> I just came across this:
>
> http://www.abovetopsecret.com/pages/echelon.html
>
> Want to know what everyone makes of it.
>
> True or crap?

You're kidding, right? You must have been hiding under a rock for the past decade or so.

Please note that the canonical source for information about Echelon is Cryptome (John Young).

--
It's Full Disclosure. Post the disclosure here, not on your website. You may not have a web site tomorrow.

From Larry at larryseltzer.com Tue May 1 17:24:47 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Tue, 1 May 2007 12:24:47 -0400
Subject: [Full-disclosure] Month of ActiveX Bug
In-Reply-To: <20070501154735.96161.qmail@cgisecurity.net>
References: <0273B67044957C41BD71D12EBA2E00AE0FD59D@becca.LarrySeltzer.local> <20070501154735.96161.qmail@cgisecurity.net>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE0FD5A6@becca.LarrySeltzer.local>

>> Consider that most often a bug filed as DOS can actually be
>> exploitable, but the person who discovered it can't get the POC working
>> or is even aware it is. While command execution is the ideal goal it
>> doesn't mean other types of issues are *completely* worthless.

Most often? How do you know that?
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.eweek.com/cheap_hack/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com

From Valdis.Kletnieks at vt.edu Tue May 1 17:45:24 2007
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 01 May 2007 12:45:24 -0400
Subject: [Full-disclosure] Month of ActiveX Bug
In-Reply-To: Your message of "Tue, 01 May 2007 12:24:47 EDT." <0273B67044957C41BD71D12EBA2E00AE0FD5A6@becca.LarrySeltzer.local>
References: <0273B67044957C41BD71D12EBA2E00AE0FD59D@becca.LarrySeltzer.local> <20070501154735.96161.qmail@cgisecurity.net> <0273B67044957C41BD71D12EBA2E00AE0FD5A6@becca.LarrySeltzer.local>
Message-ID: <11016.1178037924@turing-police.cc.vt.edu>

On Tue, 01 May 2007 12:24:47 EDT, Larry Seltzer said:
> >> Consider that most often a bug filed as DOS can actually be
> >> exploitable, but the person who discovered it can't get the POC working
> >> or is even aware it is. While command execution is the ideal goal it
> >> doesn't mean other types of issues are *completely* worthless.
>
> Most often? How do you know that?

Given the number of programs I've filed "Version XYZ segfaults under conditions A, B, and C" bug reports, compared to the number of things that were obviously exploitable, I have to conclude that either I'm a lot worse than Joe Programmer at identifying what's exploitable, or that a lot of *other* programmers are filing "Version XYZ segfaults" bug reports without understanding if they're exploitable - and quite often the segfault gets *fixed* as "just a segfault" rather than as a security-level bug.
From Larry at larryseltzer.com Tue May 1 17:56:02 2007
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Tue, 1 May 2007 12:56:02 -0400
Subject: [Full-disclosure] Month of ActiveX Bug
In-Reply-To: <11016.1178037924@turing-police.cc.vt.edu>
References: <0273B67044957C41BD71D12EBA2E00AE0FD59D@becca.LarrySeltzer.local> <20070501154735.96161.qmail@cgisecurity.net> <0273B67044957C41BD71D12EBA2E00AE0FD5A6@becca.LarrySeltzer.local> <11016.1178037924@turing-police.cc.vt.edu>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE0FD5A8@becca.LarrySeltzer.local>

>> "just a segfault"

Remember back when there were crash bugs? Now all we have are DoS's.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.eweek.com/cheap_hack/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com

From bugtraq at cgisecurity.net Tue May 1 16:47:35 2007
From: bugtraq at cgisecurity.net (bugtraq at cgisecurity.net)
Date: Tue, 1 May 2007 11:47:35 -0400 (EDT)
Subject: [Full-disclosure] Month of ActiveX Bug
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD59D@becca.LarrySeltzer.local>
Message-ID: <20070501154735.96161.qmail@cgisecurity.net>

> >> http://moaxb.blogspot.com/
>
> Wow, a DoS in a 3rd-party PowerPoint viewer. This ought to bring the
> Internet to its knees. I wonder if he'll have any actual ActiveX bugs
> or if they'll just be DoS's in controls.

Consider that most often a bug filed as DOS can actually be exploitable, but the person who discovered it can't get the POC working or is even aware it is. While command execution is the ideal goal it doesn't mean other types of issues are *completely* worthless.
- Robert
http://www.cgisecurity.com/

From bugtraq at cgisecurity.net Tue May 1 17:46:41 2007
From: bugtraq at cgisecurity.net (bugtraq at cgisecurity.net)
Date: Tue, 1 May 2007 12:46:41 -0400 (EDT)
Subject: [Full-disclosure] Month of ActiveX Bug
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE0FD5A6@becca.LarrySeltzer.local>
Message-ID: <20070501164641.1603.qmail@cgisecurity.net>

OK, 'most' is probably bad wording on my part; how does 'often enough' sound? :)

"Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code"
http://www.securityspace.com/smysecure/catid.html?id=57643

"Buffer overflow in efingerd 1.5 and earlier, and possibly up to 1.61, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a finger request from an IP address with a long hostname that is obtained via a reverse DNS lookup."
http://cve.mitre.org/board/archives/2003-03/msg00013.html

"A BrightStor ARCserve Backup contains four vulnerabilities that can allow a remote attacker to cause a denial of service or possibly execute arbitrary code."
http://packetstorm.linuxsecurity.com/0703-advisories/CAID-McAfee.txt

Note the use of 'possibly'. If it was possible then 'possibly' wouldn't be used.

I'm not going to debate the validity of the month of activex bugs because frankly I don't care, merely that a DOS can turn out to be more and that at times either the researcher hasn't spent enough time on it, can't get the POC working, or lacks the skill to fully understand the problem.

There have been multiple instances on the securityfocus lists throughout the years where a DOS suddenly became promoted to a remotely exploitable bug (i.e. another person found it was actually exploitable). I'm not going to find them and post them here, but a little googling can yield results.
- Robert
http://www.cgisecurity.com/

> >> Consider that most often a bug filed as DOS can actually be
> >> exploitable, but the person who discovered it can't get the POC working
> >> or is even aware it is. While command execution is the ideal goal it
> >> doesn't mean other types of issues are *completely* worthless.
>
> Most often? How do you know that?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.eweek.com/cheap_hack/
> Contributing Editor, PC Magazine
> larryseltzer at ziffdavis.com
>

From steven at securityzone.org Tue May 1 18:49:49 2007
From: steven at securityzone.org (Steven Adair)
Date: Tue, 1 May 2007 12:49:49 -0500 (EST)
Subject: [Full-disclosure] Month of ActiveX Bug
In-Reply-To: <20070501164641.1603.qmail@cgisecurity.net>
References: <20070501164641.1603.qmail@cgisecurity.net>
Message-ID: <5937.131.182.179.153.1178041789.squirrel@slashmail.org>

I think a good share of the time, people who state that a DoS may "possibly" lead to remote code execution are making such a statement for a couple of different reasons:

1) They found a DoS and truly have no idea whether or not it can cause remote code execution due to not having the knowledge/skills necessary to check for it and/or lack of time to make such a determination.

2) They have seen characteristics that would indicate that remote code execution is possible but have not quite been able to nail down a working exploit "should" one be possible.

I do not think the evidence quickly available to us would bring us to conclude most DoS's end up resulting in remote code execution -- or even have the ability to. I would agree saying "often enough" would be better than "most." However, regardless of whether it results in remote code execution, I don't think a DoS should necessarily be discounted as frivolous or irrelevant. It might not rank up there with critical or high vulnerabilities, but it is a vulnerability nonetheless.
Steven securityzone.org > Ok 'most' is probably bad wording on my part how does 'often enough' sound > :). > > "Buffer overflow in the png_decompress_chunk function in pngrutil.c in > libpng before 1.2.12 allows context-dependent attackers to cause a > denial of service and possibly execute arbitrary code" > http://www.securityspace.com/smysecure/catid.html?id=57643 > > "Buffer overflow in efingerd 1.5 and earlier, and possibly up to 1.61, > allows remote attackers to cause a denial of service and possibly > execute arbitrary code via a finger request from an IP address with a > long hostname that is obtained via a reverse DNS lookup." > http://cve.mitre.org/board/archives/2003-03/msg00013.html > > "A BrightStor ARCserve Backup contains four > vulnerabilities that can allow a remote attacker to cause a denial > of service or possibly execute arbitrary code." > http://packetstorm.linuxsecurity.com/0703-advisories/CAID-McAfee.txt > > > Note the use of 'possibly'. If it was possible then 'possibly' wouldn't be > used. > > I'm not going to debate the validity of the month of activex bugs because > frankly I don't care, merely > that a DOS can turn out to be more and that at times either the researcher > hasn't spent enough time on it, can't get the POC working, or lacks the > skill to fully understand the problem. > > There have been multiple instances on the securityfocus lists throughout > the years where a DOS suddenly > became promoted to a remotely exploitable bug (i.e another person found it > was actually exploitable). I'm not going > to find them and post them here, but a little googling can yield > results. > > - Robert > http://www.cgisecurity.com/ > >> >>Consider that most often a bug filed as DOS can actually be >> exploitable, but the person who discovered it can't get the POC working >> or is even aware it is. While command execution is the ideal goal it >> doesn't mean other types of issues are *completely* worthless. =20 >> >> Most often? 
How do you know that? >> >> Larry Seltzer >> eWEEK.com Security Center Editor >> http://security.eweek.com/ >> http://blogs.eweek.com/cheap_hack/ >> Contributing Editor, PC Magazine >> larryseltzer at ziffdavis.com=20 >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From falco at gentoo.org Tue May 1 19:32:13 2007 From: falco at gentoo.org (Raphael Marichez) Date: Tue, 1 May 2007 20:32:13 +0200 Subject: [Full-disclosure] [ GLSA 200705-01 ] Ktorrent: Multiple vulnerabilities Message-ID: <20070501183213.GA426@falco.falcal.net> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200705-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Ktorrent: Multiple vulnerabilities Date: May 01, 2007 Bugs: #170303 ID: 200705-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been discovered in Ktorrent allowing for the remote execution of arbitrary code and a Denial of Service. Background ========== Ktorrent is a Bittorrent client for KDE. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-p2p/ktorrent < 2.1.3 >= 2.1.3 Description =========== Bryan Burns of Juniper Networks discovered a vulnerability in chunkcounter.cpp when processing large or negative idx values, and a directory traversal vulnerability in torrent.cpp. 
Impact ====== A remote attacker could entice a user to download a specially crafted torrent file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running Ktorrent. Workaround ========== There is no known workaround at this time. Resolution ========== All Ktorrent users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-p2p/ktorrent-2.1.3" References ========== [ 1 ] CVE-2007-1384 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1384 [ 2 ] CVE-2007-1385 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1385 [ 3 ] CVE-2007-1799 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1799 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200705-01.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 481 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070501/f505d114/attachment.bin From falco at gentoo.org Tue May 1 19:35:03 2007 From: falco at gentoo.org (Raphael Marichez) Date: Tue, 1 May 2007 20:35:03 +0200 Subject: [Full-disclosure] [ GLSA 200705-02 ] FreeType: User-assisted execution of arbitrary code Message-ID: <20070501183503.GC426@falco.falcal.net> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200705-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: FreeType: User-assisted execution of arbitrary code Date: May 01, 2007 Bugs: #172577 ID: 200705-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in FreeType allowing for user-assisted remote execution of arbitrary code. Background ========== FreeType is a True Type Font rendering library. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 media-libs/freetype < 2.1.10-r3 >= 2.1.10-r3 Description =========== Greg MacManus of iDefense Labs has discovered an integer overflow in the function bdfReadCharacters() when parsing BDF fonts. Impact ====== A remote attacker could entice a user to use a specially crafted BDF font, possibly resulting in a heap-based buffer overflow and the remote execution of arbitrary code. Workaround ========== There is no known workaround at this time. 
Resolution ========== All FreeType users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/freetype-2.1.10-r3" References ========== [ 1 ] CVE-2007-1351 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200705-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 481 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070501/efe0726b/attachment.bin From falco at gentoo.org Tue May 1 19:53:47 2007 From: falco at gentoo.org (Raphael Marichez) Date: Tue, 1 May 2007 20:53:47 +0200 Subject: [Full-disclosure] [ GLSA 200705-03 ] Tomcat: Information disclosure Message-ID: <20070501185347.GE426@falco.falcal.net> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200705-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: Tomcat: Information disclosure Date: May 01, 2007 Bugs: #173122 ID: 200705-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in Tomcat that allows for the disclosure of sensitive information. Background ========== Tomcat is the Apache Jakarta Project's official implementation of Java Servlets and Java Server Pages. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-servers/tomcat < 5.5.22 >= 5.5.22 Description =========== Tomcat allows special characters like slash, backslash or URL-encoded backslash as a separator, while Apache does not. Impact ====== A remote attacker could send a specially crafted URL to the vulnerable Tomcat server, possibly resulting in a directory traversal and read access to arbitrary files with the privileges of the user running Tomcat. Note that this vulnerability can only be exploited when using apache proxy modules like mod_proxy, mod_rewrite or mod_jk. Workaround ========== There is no known workaround at this time. 
Resolution ========== All Tomcat users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-5.5.22" References ========== [ 1 ] CVE-2007-0450 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200705-03.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 481 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070501/59d4e122/attachment.bin From no-reply at radware.com Tue May 1 18:52:51 2007 From: no-reply at radware.com (no-reply at radware.com) Date: Tue, 1 May 2007 20:52:51 +0300 Subject: [Full-disclosure] Radware Security Advisory - Yate 1.1.0 Denial of Service Vulnerability Message-ID: <20070501_175251_010093.no-reply@radware.com> Yate 1.1.0 Denial of Service Vulnerability Risk: Medium Background: Yate (Yet Another Telephony Engine) is a production-ready next-generation telephony engine. 
More information about this application could be obtained from the following site: http://yate.null.ro/

Description: The SIP channel module of Yate contains a denial of service vulnerability, introduced by a null pointer dereference, which could be provoked by having the SIP module process SIP messages containing the "Call-Info" header without the "purpose" parameter as part of its value. The flaw can be seen in the following source code snippet:

File: yate/modules/ysipchan.cpp
Lines: 1585 - 1594

1:  const SIPHeaderLine* hl = m_tr->initialMessage()->getHeader("Call-Info");
2:  if (hl) {
3:      const NamedString* type = hl->getParam("purpose");
4:      if (!type || *type == "info")
5:          m->addParam("caller_info_uri",*type);
6:      else if (*type == "icon")
7:          m->addParam("caller_icon_uri",*type);
8:      else if (*type == "card")
9:          m->addParam("caller_card_uri",*type);
10: }

Once the "Call-Info" header is found in the SIP message (line 1), there is an attempt to extract the "purpose" parameter (line 3). Afterwards, a decision is made to set the "caller_info_uri" parameter (line 5) to the value of the "Call-Info" header, though due to a programming error, instead of assigning the parameter with the header value, it is being assigned with the value of the "purpose" parameter - allowing for a null pointer dereference when the call to getParam() (line 3) returns 0 in case of a missing "purpose" parameter.

Analysis: Exploiting this vulnerability could allow for denial of service to Yate and disruption of the VoIP infrastructure. By default no authentication is required to exploit this vulnerability, allowing for spoofed UDP SIP messages to trigger the flaw.

Radware DefensePro IPS Solution: Radware DefensePro customers are protected against this vulnerability since the release of signature database version 0006.0030.00 by RWID's 7334,7338 and 7342.

Detection: Radware Security Operations Center has confirmed the existence of this vulnerability in Yate 1.1.0.
Previous versions are also suspected to be vulnerable. Workaround: A workaround for this vulnerability is currently not known. Vendor Response: The maintainers of Yate addressed this vulnerability with the release of Yate 1.2.0. CVE Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-1693 to this issue. Disclosure Timeline: March 25, 2007 - Initial vendor notification March 25, 2007 - Initial vendor response March 26, 2007 - Vendor fixes flaw in CVS April 16, 2007 - Vendor releases fixed version April 30, 2007 - Attack database release May 1, 2007 - Advisory release Credit: Yuri Gushin, Radware Security Operations Center Legal Information: Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. 
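The null-pointer path in the Yate snippet above, as an added example that is not Yate's code: a small C++ model of the Call-Info handling, with a parser for the raw header, a check for the crash condition the advisory describes (a Call-Info header with no "purpose" parameter), and a hardened version of lines 3-9 that tests the parameter before dereferencing it and stores the header value, as the advisory says was intended. The type and function names (HeaderLine, parseCallInfo, triggersMissingPurpose, hardenedCallerInfo), the ';'-separated parameter syntax assumed for the header body, and the example URIs are this example's own assumptions; the actual fix shipped in Yate 1.2.0 is not reproduced here.

```cpp
// Added example, not Yate's code: a model of the Call-Info handling from the
// advisory, with the missing-"purpose" case handled instead of dereferenced.
#include <cassert>
#include <cstddef>
#include <map>
#include <string>

// Stand-in for Yate's SIPHeaderLine (this example's own type): the header value
// plus its ";name=value" parameters.
struct HeaderLine {
    std::string value;
    std::map<std::string, std::string> params;

    // Mirrors getParam(): a null pointer when the parameter is absent.
    const std::string* getParam(const std::string& name) const {
        auto it = params.find(name);
        return it == params.end() ? nullptr : &it->second;
    }
};

static std::string trim(const std::string& s) {
    std::size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    std::size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Split a raw header body such as "<http://h/p.vcf>;purpose=card" (assumed
// ';'-separated syntax) into the value and its parameters.
HeaderLine parseCallInfo(const std::string& raw) {
    HeaderLine hl;
    std::size_t pos = 0;
    bool first = true;
    for (;;) {
        std::size_t semi = raw.find(';', pos);
        std::size_t len = (semi == std::string::npos) ? std::string::npos : semi - pos;
        std::string part = trim(raw.substr(pos, len));
        if (first) {
            hl.value = part;
            first = false;
        } else if (!part.empty()) {
            std::size_t eq = part.find('=');
            if (eq == std::string::npos)
                hl.params[part] = "";
            else
                hl.params[part.substr(0, eq)] = part.substr(eq + 1);
        }
        if (semi == std::string::npos) break;
        pos = semi + 1;
    }
    return hl;
}

// The crash condition from the advisory: a Call-Info header carrying no
// "purpose" parameter makes the original line 5 dereference a null pointer.
bool triggersMissingPurpose(const HeaderLine& hl) {
    return hl.getParam("purpose") == nullptr;
}

// Hardened rewrite of the advisory's lines 3-9: 'type' is only dereferenced
// after the null check, and the stored URI is the header value, not the
// "purpose" parameter.
std::map<std::string, std::string> hardenedCallerInfo(const HeaderLine& hl) {
    std::map<std::string, std::string> m;
    const std::string* type = hl.getParam("purpose");
    if (!type || *type == "info")
        m["caller_info_uri"] = hl.value;
    else if (*type == "icon")
        m["caller_icon_uri"] = hl.value;
    else if (*type == "card")
        m["caller_card_uri"] = hl.value;
    // Any other purpose value is ignored, as in the original branch structure.
    return m;
}

int main() {
    // Constructed sample headers: the first one matches the crash condition.
    const HeaderLine bare = parseCallInfo("<http://example.invalid/a.vcf>");
    const HeaderLine card = parseCallInfo("<http://example.invalid/a.vcf>;purpose=card");
    assert(triggersMissingPurpose(bare));
    assert(!triggersMissingPurpose(card));
    assert(hardenedCallerInfo(bare).at("caller_info_uri") == "<http://example.invalid/a.vcf>");
    assert(hardenedCallerInfo(card).count("caller_card_uri") == 1);
    return 0;
}
```

triggersMissingPurpose() is the same condition an IPS signature or a fuzzer harness would key on for this bug: the header is present, the parameter is not. Because the advisory notes that spoofed UDP SIP messages reach this code without authentication, the hardened handler treats every Call-Info value as attacker-controlled and never assumes the optional parameter exists.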
From noahm at debian.org Tue May 1 19:03:33 2007 From: noahm at debian.org (Noah Meyerhans) Date: Tue, 01 May 2007 20:03:33 +0200 Subject: [Full-disclosure] [SECURITY] [DSA 1285-1] New wordpress packages fix multiple vulnerabilities Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1285-1 security at debian.org http://www.debian.org/security/ Noah Meyerhans May 01, 2007 - ------------------------------------------------------------------------ Package : wordpress Vulnerability : several Problem type : remote Debian-specific: no CVE Id(s) : CVE-2007-1622 CVE-2007-1893 CVE-2007-1894 CVE-2007-1897 CVE-2007-1622 Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF. CVE-2007-1893 WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to "publish a previously saved post." CVE-2007-1894 Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject arbitrary web script or HTML via the year parameter in the wp_title function. CVE-2007-1897 SQL injection vulnerability in xmlrpc.php in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable. For the stable distribution (etch) these issues have been fixed in version 2.0.10-1. 
For the testing and unstable distributions (lenny and sid, respectively), these issues have been fixed in version 2.1.3-1. We recommend that you upgrade your wordpress package.

Upgrade instructions
- --------------------
wget url
 will fetch the file for you
dpkg -i file.deb
 will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update
 will update the internal database
apt-get upgrade
 will install corrected packages
You may use an automated update by adding the resources from the footer to the proper configuration.

Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1.diff.gz
 Size/MD5 checksum: 8967 a9975366a65611eb333557603ca18b00
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10.orig.tar.gz
 Size/MD5 checksum: 520314 e9d5373b3c6413791f864d56b473dd54
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1.dsc
 Size/MD5 checksum: 561 baaa9fd3c5e532e30043b8a2a11be6aa

Architecture independent packages:
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1_all.deb
 Size/MD5 checksum: 529582 369bb4778790a5b3aa79584bcc7ea8ec

These files will probably be moved into the stable distribution on its next update.
- --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGN4CZYrVLjBFATsMRAlJzAJ9HIb9tpJ6Sid9eIRytA5gBsvRuXQCfQ+Rw /lDGH8WS6Jd/lwTCdkhfUnY= =ep3v -----END PGP SIGNATURE----- From stan.bubrouski at gmail.com Tue May 1 21:15:46 2007 From: stan.bubrouski at gmail.com (Stan Bubrouski) Date: Tue, 1 May 2007 16:15:46 -0400 Subject: [Full-disclosure] Firefox 2.0.0.3 Out-of-bounds memory access via specialy crafted html file In-Reply-To: References: Message-ID: <122827b90705011315q73fa748cg63b325c1e78ab562@mail.gmail.com> On FF 2.0.0.3 on WinXP SP2+hotfixes clicking the link loads up the server not found page then CPU shoots up to 100% for ~1 minute and then everything goes back to normal... not too exciting... -sb On 5/1/07, carl hardwick wrote: > Product: Firefox 2.0.0.3 > Description: Out-of-bounds memory access via specialy crafted html file > Type: Remote > > Vulnerability can be exploited by using a large value in a href tag to > create an out-of-bounds memory access. > > Proof Of Concept exploit: > http://www.critical.lt/research/opera_die_happy.html > > _______________________________________________ > Full-Disclosure - We believe in it. 
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From aredman at education.ucsb.edu Tue May 1 22:29:26 2007 From: aredman at education.ucsb.edu (Andrew Redman) Date: Tue, 01 May 2007 14:29:26 -0700 Subject: [Full-disclosure] Firefox 2.0.0.3 Out-of-bounds memory access via specialy crafted html file In-Reply-To: References: Message-ID: <4637B136.3060700@education.ucsb.edu> Nothing exciting to report on OS X 10.4 / fully patched / PPC. Kind of broke the properties dialog for the link, and used some cpu, but definitely caused no crashing. On WinXP Norton real time protection detected the file in cache as a 'hack tool.' I disabled that, but Firefox refused to return to the page afterward. - Andrew carl hardwick wrote: > Product: Firefox 2.0.0.3 > Description: Out-of-bounds memory access via specialy crafted html file > Type: Remote > > Vulnerability can be exploited by using a large value in a href tag to > create an out-of-bounds memory access. > > Proof Of Concept exploit: > http://www.critical.lt/research/opera_die_happy.html > > _______________________________________________ > Full-Disclosure - We believe in it. 
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From zdi-disclosures at 3com.com Tue May 1 22:40:38 2007 From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com) Date: Tue, 1 May 2007 14:40:38 -0700 Subject: [Full-disclosure] ZDI-07-023: Apple QTJava toQTPointer() Pointer Arithmetic Memory Overwrite Vulnerability Message-ID: ZDI-07-023: Apple QTJava toQTPointer() Pointer Arithmetic Memory Overwrite Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-07-023.html May 1, 2007 -- CVE ID: CVE-2007-2175 -- Affected Vendor: Apple -- Affected Products: Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since April 23, 2007 by Digital Vaccine protection filter ID 5310, 5311. For further product information on the TippingPoint IPS: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows attackers to execute arbitrary code on systems with vulnerable installations of Apple's QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The flaw exists within the QuickTime Java extensions (QTJava.dll), specifically the routine toQTPointer() exposed through quicktime.util.QTHandleRef. A lack of sanity checking on the parameters passed to this routine, through the Java Virtual Machine (JVM), allows an attacker to write arbitrary values to memory. This can be leveraged to execute arbitrary code under the context of the current user. Example code execution vectors include Microsoft Internet Explorer, Mozilla Firefox and Apple Safari. This vulnerability affects the latest versions of both the MacOS and Windows operating systems, including MacOS 10.4.9 and Windows Vista. -- Vendor Response: Apple has issued an update to correct this vulnerability. 
More details can be found at: http://docs.info.apple.com/article.html?artnum=305446 -- Disclosure Timeline: 2007.04.23 - Vulnerability reported to vendor 2007.04.23 - Digital Vaccine released to TippingPoint customers 2007.05.01 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Dino A. Dai Zovi. -- About the Zero Day Initiative (ZDI): Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. 
From security at mandriva.com Wed May 2 01:55:10 2007 From: security at mandriva.com (security at mandriva.com) Date: Tue, 01 May 2007 18:55:10 -0600 Subject: [Full-disclosure] [ MDKSA-2007:095 ] - Updated ktorrent packages fix vulnerability Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2007:095
http://www.mandriva.com/security/
_______________________________________________________________________

Package : ktorrent
Date : May 1, 2007
Affected: 2007.1
_______________________________________________________________________

Problem Description:

A directory traversal vulnerability was found in KTorrent prior to 2.1.3, due to an incomplete fix for a prior directory traversal vulnerability that was corrected in version 2.1.2. Previously, KTorrent would only check for the string .., which could permit strings such as ../. Updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1799
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.1:
b95f63a9b094263407b5edd9fe7ee6e2 2007.1/i586/ktorrent-2.1.2-2.1mdv2007.1.i586.rpm
32512bebd21d579d2fa762c387e8efda 2007.1/i586/libktorrent2.1.2-2.1.2-2.1mdv2007.1.i586.rpm
151fe82f8fa9c1a3bb568d96ee098e08 2007.1/SRPMS/ktorrent-2.1.2-2.1mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
545b1f969612aa961e48133c18cbb12f 2007.1/x86_64/ktorrent-2.1.2-2.1mdv2007.1.x86_64.rpm
5fa55787f9f581f79ade2254613222dd 2007.1/x86_64/lib64ktorrent2.1.2-2.1.2-2.1mdv2007.1.x86_64.rpm
151fe82f8fa9c1a3bb568d96ee098e08 2007.1/SRPMS/ktorrent-2.1.2-2.1mdv2007.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.
The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGN7c5mqjQ0CJFipgRAkY2AJ48jJB5PXsV8NIceC7oIfg1HXj4TACeL1Vl UzHP4k6ff8EBveLVBVzQ7Uw= =wLFJ -----END PGP SIGNATURE----- From nytrokiss at gmail.com Wed May 2 03:08:37 2007 From: nytrokiss at gmail.com (James Matthews) Date: Tue, 1 May 2007 22:08:37 -0400 Subject: [Full-disclosure] Month of ActiveX Bug In-Reply-To: <5937.131.182.179.153.1178041789.squirrel@slashmail.org> References: <20070501164641.1603.qmail@cgisecurity.net> <5937.131.182.179.153.1178041789.squirrel@slashmail.org> Message-ID: <8a6b8e350705011908j447d8085n6b0ea8ac75158c99@mail.gmail.com> I think all in all That it should be considered! On 5/1/07, Steven Adair wrote: > I think a good share of the time when someone states that the DoS may > "possibly" lead to remote code execution are making such a statement for a > couple different reasons: > > 1) They found a DoS and truly have no idea whether or not it can cause > remote code execution due to not having the knowledge/skills necessary to > check for it and/or lack of time to make such a determination. > > 2) They have seen characteristics that would indicate that remote code > execution is possible but have not quite been able to nail down a working > exploit "should" one be possible. 
> > I do not think the evidence quickly available to us would bring us to > conclude most DoS's end up resulting in remote code execution -- or even > have the ability to. I would agree saying "often enough" would be better > than "most." > > However, regardless of whether it results in remote code execution, I > don't think a DoS should necessarily be discounted as frivolous or > irrelevant. It might not rank up there with critical or high > vulnerabilities, but it is a vulnerability nonetheless. > > Steven > securityzone.org > > > Ok 'most' is probably bad wording on my part how does 'often enough' sound > > :). > > > > "Buffer overflow in the png_decompress_chunk function in pngrutil.c in > > libpng before 1.2.12 allows context-dependent attackers to cause a > > denial of service and possibly execute arbitrary code" > > http://www.securityspace.com/smysecure/catid.html?id=57643 > > > > "Buffer overflow in efingerd 1.5 and earlier, and possibly up to 1.61, > > allows remote attackers to cause a denial of service and possibly > > execute arbitrary code via a finger request from an IP address with a > > long hostname that is obtained via a reverse DNS lookup." > > http://cve.mitre.org/board/archives/2003-03/msg00013.html > > > > "A BrightStor ARCserve Backup contains four > > vulnerabilities that can allow a remote attacker to cause a denial > > of service or possibly execute arbitrary code." > > http://packetstorm.linuxsecurity.com/0703-advisories/CAID-McAfee.txt > > > > > > Note the use of 'possibly'. If it was possible then 'possibly' wouldn't be > > used. > > > > I'm not going to debate the validity of the month of activex bugs because > > frankly I don't care, merely > > that a DOS can turn out to be more and that at times either the researcher > > hasn't spent enough time on it, can't get the POC working, or lacks the > > skill to fully understand the problem. 
> > > > There have been multiple instances on the securityfocus lists throughout > > the years where a DOS suddenly > > became promoted to a remotely exploitable bug (i.e another person found it > > was actually exploitable). I'm not going > > to find them and post them here, but a little googling can yield > > results. > > > > - Robert > > http://www.cgisecurity.com/ > > > >> >>Consider that most often a bug filed as DOS can actually be > >> exploitable, but the person who discovered it can't get the POC working > >> or is even aware it is. While command execution is the ideal goal it > >> doesn't mean other types of issues are *completely* worthless. =20 > >> > >> Most often? How do you know that? > >> > >> Larry Seltzer > >> eWEEK.com Security Center Editor > >> http://security.eweek.com/ > >> http://blogs.eweek.com/cheap_hack/ > >> Contributing Editor, PC Magazine > >> larryseltzer at ziffdavis.com=20 > >> > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- http://www.goldwatches.com/watches.asp?Brand=39 http://www.wazoozle.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070501/528e5b36/attachment.html From measl at mfn.org Wed May 2 03:10:23 2007 From: measl at mfn.org (J.A. 
Terranson) Date: Tue, 1 May 2007 21:10:23 -0500 (CDT) Subject: [Full-disclosure] Cryptome is dead (at least for now) In-Reply-To: <739e7bb20704291120vc1fff39r2766dd86fb571cd4@mail.gmail.com> References: <739e7bb20704291120vc1fff39r2766dd86fb571cd4@mail.gmail.com> Message-ID: <20070501210809.J85146@ubzr.zsa.bet> On Sun, 29 Apr 2007, Line Noise wrote: > As a friend of mine said elsewhere, John Young must have said something bad. Yeah - speaking Truth in the Fascist United States. > Verio caved. It's really too bad, for us all. Yes it is. And who's next, huh? Bush's machine can just do whatever the hell it wants, and "we the people" just sit here botching about "its too bad John got shut down, isnt it"? Please, someone just nuke the US and get it over with already - we (TINW - read: USA) has long since forfeit our right to exist. -- Yours, J.A. Terranson sysadmin at mfn.org 0xBD4A95BF "The real point is that you cannot harbor malice toward others and then cry foul when someone displays intolerance against you. Prejudice tolerated is intolerance encouraged. Rise up in righteousness when you witness the words and deeds of hate, but only if you are willing to rise up against them all, including your own. Otherwise suffer the slings and arrows of disrespect silently." Harvey Fierstein is an actor and playwright. From virus at nolog.org Wed May 2 07:31:23 2007 From: virus at nolog.org (virus at nolog.org) Date: Wed, 02 May 2007 08:31:23 +0200 Subject: [Full-disclosure] Rapid integer factorization = end of RSA? 
In-Reply-To:
References: <463079E3.1030504@infoline.su> <4630A53D.1090001@nolog.org>
<589e556c0704260826p69d0a880k66d8ef1e90a61266@mail.gmail.com> <4630E4A7.8030009@nolog.org>
Message-ID: <4638303B.1090808@nolog.org>

Hello,

Peter Kosinar wrote:
> Providing the factorization of a particular number (whose factorization is
> considered to be not known by anyone) is definitely a proof that you know
> the factorization of that number and that you had a method for finding it.

Of course, agreed.

> Of course, it doesn't say anything about this method -- whether it is a
> general one or whether you were able to find the factors based on graph of
> temperature at the top of Elbrus :-)

Right, giving an example doesn't prove the method. That's what I was talking
about. But it seems some participants of the list don't understand how to
prove something in mathematics and take an example as a proof for a method.

GTi

From announce-noreply at rpath.com Wed May 2 00:28:54 2007
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Tue, 01 May 2007 19:28:54 -0400
Subject: [Full-disclosure] rPSA-2007-0084-1 kernel
Message-ID: <4637cd36.0sSSxlDpC0omg9N7%announce-noreply@rpath.com>

rPath Security Advisory: 2007-0084-1
Published: 2007-05-01
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Remote Deterministic Denial of Service
Updated Versions:
kernel=/conary.rpath.com at rpl:devel//1/2.6.19.7-0.4-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1861
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2242
https://issues.rpath.com/browse/RPL-1309
https://issues.rpath.com/browse/RPL-1310

Description:
Previous versions of the kernel package are vulnerable to one local user
Denial of Service attack in which local users can trigger a kernel stack
overflow using the netlink layer, and to one remote Denial of Service attack
in which, if IPv6 routing has been configured, a remote user can cause the
system to use all available network
bandwidth by sending a specially-crafted IPv6 packet.

In addition, several issues have been resolved that caused some systems to
have difficulty booting: attempting to initialize the Intel random number
generator caused some recent systems to hang during boot, and NUMA capability
was also causing some systems to hang during boot and so has been disabled on
x86, where it is generally not needed.

A system reboot is required to resolve these issues.

From steven.mcgrath at chigeek.com Wed May 2 05:58:52 2007
From: steven.mcgrath at chigeek.com (Steven McGrath)
Date: Tue, 1 May 2007 23:58:52 -0500
Subject: [Full-disclosure] May Chicago 2600/DefCon 312 Meeting Information
Message-ID: <28326b7c0705012158o1123c79uf3dc5ad4ba8248c1@mail.gmail.com>

The May Chicago 2600 Meeting is near! The meeting will be Friday, May 4th at
the Neighborhood Boys and Girls Club and will feature much of the same usual
fun that all of you have grown to expect!

[Chi2600 Crypto Challenge]

The second crypto challenge for Chicago 2600 will proceed with the same rules.
You have until midnight of the night of the meeting. Contact Steven McGrath
(or Maniac if you prefer) with the answer to the final part of the challenge.
A prize will be awarded to the winner. If you complete the challenge before
the meeting begins, please send an email to me personally (not to the list)
with the answer in plain text (no crypto please) and then make sure to contact
me during the meeting to be awarded your prize.

Phase1: http://[12/20/35/38/56/76/111/132/134/135/142///175/192/214/220/244/272/295/318/347/366]

[Presentation Information]

- 8:00pm - Unicode (Forrester)
- 9:00pm - Hax by Jaku (Jaku, Alk)
- 10:00pm - Chicago2600 Website Panel (Maniac, Darkstorm, Battery, et al.)
- After hours - Wii, Music, Socializing, etc.

[General Information]

- Meeting Time: 7:00pm - Approx. 3-5am
- Meeting Date: Friday, May
4th
- Place: 2501 W Irving Park Road, Chicago
- More Info: http://chicago2600.net

From daniel at scanit.be Wed May 2 10:02:03 2007
From: daniel at scanit.be (Daniel Lucq)
Date: Wed, 02 May 2007 11:02:03 +0200
Subject: [Full-disclosure] CMS Made Simple: SQL injection
Message-ID: <4638538B.5000407@scanit.be>

1) Summary

Affected software: CMS Made Simple 1.05
Vendor URL: http://www.cmsmadesimple.org/
Severity: High

2) Vulnerability Description

The affected software is vulnerable to SQL injection via the templateid
parameter of the stylesheet.php page (the value of this parameter is used
directly in an SQL query, without any form of escaping or sanitisation).
This vulnerability is remotely exploitable, and does not require
authentication prior to remote exploitation (since the page is normally part
of the publicly accessible part of the package).

The impact depends on the database back-end type (and the subset of the SQL
language supported by this back-end). E.g. a MySQL 5 back-end will allow
disclosure of the CMS usernames (including administrators) and their password
hashes.

3) Verification

http://www.example.com/stylesheet.php?templateid=16+AND+1=1
http://www.example.com/stylesheet.php?templateid=16+AND+1=0

4) Solution

Update to version 1.06 of the affected software.

5) Time Table

2007/04/24 Vendor was informed
2007/04/24 Vendor releases version 1.06 which fixes the issue
2007/05/02 Scanit publishes advisory

6) Additional Information

The original advisory can be found here:
http://www.scanit.be/advisory-2007-05-02.html

7) About Scanit

Scanit is a security company located in Brussels, Belgium. We specialise in
security assessments, offering services such as penetration tests, application
source code reviews, and risk assessments. More information can be found at
http://www.scanit.be/.
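As an added illustration (not part of the Scanit advisory or of the CMS Made Simple code), the two verification URLs above only give different responses when the templateid value is pasted into the SQL text; a bound integer parameter treats the same strings as a value and returns nothing. The table schema and rows below are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the CMS template table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE templates (id INTEGER PRIMARY KEY, css TEXT)")
    conn.executemany("INSERT INTO templates VALUES (?, ?)",
                     [(16, "body { margin: 0 }"), (17, "p { color: red }")])
    return conn


def stylesheet_vulnerable(conn, templateid):
    """The pattern the advisory describes: the request parameter is
    concatenated into the SQL text, so the database evaluates it as SQL."""
    sql = "SELECT css FROM templates WHERE id = " + templateid
    return [row[0] for row in conn.execute(sql)]


def stylesheet_fixed(conn, templateid):
    """Hardened form: the id must parse as an integer and is bound as a
    parameter, so the database only ever sees a value, never SQL."""
    try:
        tid = int(templateid)
    except ValueError:
        return []
    return [row[0] for row in conn.execute(
        "SELECT css FROM templates WHERE id = ?", (tid,))]


if __name__ == "__main__":
    db = make_db()
    for probe in ("16", "16 AND 1=1", "16 AND 1=0"):
        print("%-12r vulnerable=%r fixed=%r" % (
            probe, stylesheet_vulnerable(db, probe), stylesheet_fixed(db, probe)))
```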
From jaervosz at gentoo.org Wed May 2 11:47:42 2007
From: jaervosz at gentoo.org (Sune Kloppenborg Jeppesen)
Date: Wed, 2 May 2007 12:47:42 +0200
Subject: [Full-disclosure] [ GLSA 200705-04 ] Apache mod_perl: Denial of Service
Message-ID: <200705021247.48283.jaervosz@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                         Gentoo Linux Security Advisory           GLSA 200705-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Apache mod_perl: Denial of Service
      Date: May 02, 2007
      Bugs: #172676
        ID: 200705-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The mod_perl Apache module is vulnerable to a Denial of Service when
processing regular expressions.

Background
==========

Mod_perl is an Apache module that embeds the Perl interpreter within the
server, allowing Perl-based web applications to be created.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-apache/mod_perl      < 1.30                           >= 1.30
                                                            >= 2.0.3-r1
     www-apache/mod_perl   < 2.0.3-r1                          >= 1.30
                                                            >= 2.0.3-r1

Description
===========

Alex Solvey discovered that the "path_info" variable used in file
RegistryCooker.pm (mod_perl 2.x) or file PerlRun.pm (mod_perl 1.x) is not
properly escaped before being processed.

Impact
======

A remote attacker could send a specially crafted URL to the vulnerable
server, possibly resulting in massive resource consumption.

Workaround
==========

There is no known workaround at this time.
Resolution
==========

All mod_perl 1.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apache/mod_perl-1.30"

All mod_perl 2.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apache/mod_perl-2.0.3-r1"

References
==========

  [ 1 ] CVE-2007-1349
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1349

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200705-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
From jaervosz at gentoo.org Wed May 2 12:04:05 2007
From: jaervosz at gentoo.org (Sune Kloppenborg Jeppesen)
Date: Wed, 2 May 2007 13:04:05 +0200
Subject: [Full-disclosure] [ GLSA 200705-05 ] Quagga: Denial of Service
Message-ID: <200705021304.10113.jaervosz@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                         Gentoo Linux Security Advisory           GLSA 200705-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Quagga: Denial of Service
      Date: May 02, 2007
      Bugs: #174206
        ID: 200705-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Quagga allowing for a Denial of
Service.

Background
==========

Quagga is a free routing daemon, supporting RIP, OSPF and BGP protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-misc/quagga        < 0.98.6-r2                    >= 0.98.6-r2

Description
===========

The Quagga development team reported a vulnerability in the BGP routing
daemon when processing NLRI attributes inside UPDATE messages.

Impact
======

A malicious peer inside a BGP area could send a specially crafted packet to
a Quagga instance, possibly resulting in a crash of the Quagga daemon.

Workaround
==========

There is no known workaround at this time.
Resolution
==========

All Quagga users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/quagga-0.98.6-r2"

References
==========

  [ 1 ] CVE-2007-1995
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1995

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200705-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From evilrabbi at gmail.com Wed May 2 13:37:48 2007
From: evilrabbi at gmail.com (evilrabbi)
Date: Wed, 2 May 2007 07:37:48 -0500
Subject: [Full-disclosure] Cryptome is dead (at least for now)
In-Reply-To: <20070501210809.J85146@ubzr.zsa.bet>
References: <739e7bb20704291120vc1fff39r2766dd86fb571cd4@mail.gmail.com> <20070501210809.J85146@ubzr.zsa.bet>
Message-ID:

Yeah my dog died last night and my parrot died last week. I blame Bush's
machine for it. GOD DAMN BUSH OMFG ZOMG EVERYTHING IS HIS FAULT.

On 5/1/07, J.A. Terranson wrote:
>
> On Sun, 29 Apr 2007, Line Noise wrote:
>
> > As a friend of mine said elsewhere, John Young must have said something
> bad.
>
> Yeah - speaking Truth in the Fascist United States.
>
> > Verio caved.
It's really too bad, for us all.
>
> Yes it is. And who's next, huh? Bush's machine can just do whatever the
> hell it wants, and "we the people" just sit here botching about "it's too
> bad John got shut down, isn't it"?
>
> Please, someone just nuke the US and get it over with already - we (TINW -
> read: USA) have long since forfeited our right to exist.
>
> --
> Yours,
>
> J.A. Terranson
> sysadmin at mfn.org
> 0xBD4A95BF
>
> "The real point is that you cannot harbor malice toward others and then
> cry foul when someone displays intolerance against you. Prejudice
> tolerated is intolerance encouraged. Rise up in righteousness when you
> witness the words and deeds of hate, but only if you are willing to rise
> up against them all, including your own. Otherwise suffer the slings and
> arrows of disrespect silently."
>
> Harvey Fierstein is an actor and playwright.
>

--
-- h0 h0 h0 -- www.nopsled.net

From b.hines at comcast.net Wed May 2 13:57:13 2007
From: b.hines at comcast.net (b.hines at comcast.net)
Date: Wed, 02 May 2007 12:57:13 +0000
Subject: [Full-disclosure] Cryptome is dead (at least for now)
Message-ID: <050220071257.21252.46388AA9000590160000530422007507849C0A020708D20D@comcast.net>

Mr. T is back on his soap-box. Why doesn't he just GTFO of the BIG BAD EVIL
US if it is so restrictive to his vocal sensibilities? I would be happy to
purchase a one way ticket First Class back to his beloved IRAN. BTW AL GORE
is responsible for the INTERNET (Free Pornography for all) and now Global
Warming, so at least Ol'e W is just stepping on our freedom, not trying to
kill us.
-------------- Original message --------------
From: evilrabbi

Yeah my dog died last night and my parrot died last week. I blame Bush's
machine for it. GOD DAMN BUSH OMFG ZOMG EVERYTHING IS HIS FAULT.

On 5/1/07, J.A. Terranson wrote:

On Sun, 29 Apr 2007, Line Noise wrote:

> As a friend of mine said elsewhere, John Young must have said something bad.

Yeah - speaking Truth in the Fascist United States.

> Verio caved. It's really too bad, for us all.

Yes it is. And who's next, huh? Bush's machine can just do whatever the
hell it wants, and "we the people" just sit here botching about "it's too
bad John got shut down, isn't it"?

Please, someone just nuke the US and get it over with already - we (TINW -
read: USA) have long since forfeited our right to exist.

--
Yours,

J.A. Terranson
sysadmin at mfn.org
0xBD4A95BF

"The real point is that you cannot harbor malice toward others and then
cry foul when someone displays intolerance against you. Prejudice
tolerated is intolerance encouraged. Rise up in righteousness when you
witness the words and deeds of hate, but only if you are willing to rise
up against them all, including your own. Otherwise suffer the slings and
arrows of disrespect silently."

Harvey Fierstein is an actor and playwright.

--
-- h0 h0 h0 -- www.nopsled.net
From Waldemar.Schroeer at de.TTIInc.com Wed May 2 15:57:58 2007
From: Waldemar.Schroeer at de.TTIInc.com (Schroeer, Waldemar)
Date: Wed, 2 May 2007 16:57:58 +0200
Subject: [Full-disclosure] Cryptome is dead (at least for now)
References: <739e7bb20704291120vc1fff39r2766dd86fb571cd4@mail.gmail.com> <20070501210809.J85146@ubzr.zsa.bet>
Message-ID: <9DA14DAF17101B49B5F4DD591033820E0429589F@euexc101.de.ttiinc.com>

Each country gets the government it deserves.

ct,

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk
[mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of J.A. Terranson
Sent: Wednesday, May 02, 2007 4:10 AM
To: Full-Disclosure
Subject: Re: [Full-disclosure] Cryptome is dead (at least for now)

On Sun, 29 Apr 2007, Line Noise wrote:

> As a friend of mine said elsewhere, John Young must have said something bad.

Yeah - speaking Truth in the Fascist United States.

> Verio caved. It's really too bad, for us all.

Yes it is. And who's next, huh? Bush's machine can just do whatever the
hell it wants, and "we the people" just sit here botching about "it's too
bad John got shut down, isn't it"?

Please, someone just nuke the US and get it over with already - we (TINW -
read: USA) have long since forfeited our right to exist.

--
Yours,

J.A. Terranson
sysadmin at mfn.org
0xBD4A95BF

"The real point is that you cannot harbor malice toward others and then
cry foul when someone displays intolerance against you. Prejudice
tolerated is intolerance encouraged. Rise up in righteousness when you
witness the words and deeds of hate, but only if you are willing to rise
up against them all, including your own. Otherwise suffer the slings and
arrows of disrespect silently."

Harvey Fierstein is an actor and playwright.
From kees at ubuntu.com Wed May 2 16:36:59 2007
From: kees at ubuntu.com (Kees Cook)
Date: Wed, 2 May 2007 08:36:59 -0700
Subject: [Full-disclosure] [USN-456-1] net-snmp vulnerability
Message-ID: <20070502153659.GE20826@outflux.net>

===========================================================
Ubuntu Security Notice USN-456-1             May 02, 2007
net-snmp vulnerability
CVE-2005-4837
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  snmpd                                   5.2.1.2-4ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

The SNMP service did not correctly handle TCP disconnects. Remote
subagents could cause a denial of service if they dropped a connection
at a specific time.
Updated packages for Ubuntu 6.06 LTS:
From lists73 at skilltube.com Wed May 2 17:24:03 2007
From: lists73 at skilltube.com (skillTube.com)
Date: Wed, 2 May 2007 18:24:03 +0200
Subject: [Full-disclosure] Vulnerability in InterVations' MailCopa
Message-ID: <20070502182403.pchr6dagow08sccs@webmail.skilltube.com>

While developing one of our advanced security training movies, we identified
an exploitable vulnerability in the latest release of InterVations' MailCopa.
Successful exploitation of this vulnerability allows an attacker to execute
arbitrary code in the context of the user executing MailCopa.

In a web-based attack scenario, an attacker can insert a link in the
following way:

If the user can be tricked into clicking on such a malicious link, an
overflow occurs, leading to code execution on the victim's system.

Countermeasures:
The vendor was informed on April 30, 2007 and published a patched version
just a few hours later. Amazing response time!

Credits: skilltube.com

If you are interested in learning more about vulnerability research and
exploitation techniques, check out our advanced security training movies on
www.skillTube.com.

From openphugu at gmail.com Wed May 2 17:57:13 2007
From: openphugu at gmail.com (Open Phugu)
Date: Wed, 2 May 2007 10:57:13 -0600
Subject: [Full-disclosure] Cryptome is dead (at least for now)
In-Reply-To: <739e7bb20704291120vc1fff39r2766dd86fb571cd4@mail.gmail.com>
References: <739e7bb20704291120vc1fff39r2766dd86fb571cd4@mail.gmail.com>
Message-ID:

On 4/29/07, Line Noise <300baud at gmail.com> wrote:
> http://cryptome.org/cryptome-shut.htm
>
> It may be difficult to reach.
>
> Google cache at
>
> http://209.85.165.104/search?q=cache:CnmiZp3pFhgJ:cryptome.org/cryptome-shut.htm
>
> As a friend of mine said elsewhere, John Young must have said something bad.
John Young should set up cryptome as a tor hidden service.

From psirt at cisco.com Wed May 2 18:30:00 2007
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 02 May 2007 17:30:00 -0000
Subject: [Full-disclosure] Cisco Security Advisory: LDAP and VPN Vulnerabilities in PIX and ASA Appliances
Message-ID: <20070502.asa@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: LDAP and VPN Vulnerabilities in PIX and ASA Appliances

Advisory ID: cisco-sa-20070502-asa

http://www.cisco.com/warp/public/707/cisco-sa-20070502-asa.shtml

Revision 1.0

Last Updated 2007 May 02 1600 UTC (GMT)
For Public Release 2007 May 02 1600 UTC (GMT)

- ---------------------------------------------------------------------

Contents
========

Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Version Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- ---------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist in the Cisco Adaptive Security Appliance (ASA)
and PIX security appliances. These vulnerabilities include two Lightweight
Directory Access Protocol (LDAP) authentication bypass vulnerabilities and two
denial of service (DoS) vulnerabilities.

The LDAP authentication bypass vulnerabilities are caused by a specific
processing path followed when the device is set up to use an LDAP
authentication server. These vulnerabilities may allow unauthenticated users
to access either the internal network or the device itself.

The two DoS vulnerabilities may be triggered when devices are terminating
Virtual Private Networks (VPN).
These denial of service vulnerabilities may allow an attacker to disconnect
VPN users, prevent new connections, or prevent the device from transmitting
traffic.

These vulnerabilities are distributed in the authentication, IPSec VPN, and
SSL VPN code. They are categorized in this advisory by their Cisco bug
descriptions:

  * LDAP Authentication Bypass
  * Denial of Service in VPNs with Password Expiry
  * Denial of Service in SSL VPNs

Cisco has made free software available to address these vulnerabilities for
affected customers.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070502-asa.shtml

Affected Products
=================

Vulnerable Products
+------------------

Cisco ASA and PIX security appliances that are running software versions 7.1
and 7.2 may be vulnerable. To identify the vulnerable versions for a specific
issue, please consult the table below.

+---------------------------------------------------------+
| Vulnerability                 | Affected Software       |
|                               | Version                 |
|-------------------------------+-------------------------|
| LDAP Authentication bypass    | 7.2 versions prior to   |
|                               | 7.2(2)8                 |
|-------------------------------+-------------------------|
| Denial of Service in VPNs     | 7.1 versions prior to   |
| with password expiry          | 7.1(2)49                |
|                               | 7.2 versions prior to   |
|                               | 7.2(2)17                |
|-------------------------------+-------------------------|
| Denial of Service in SSL VPNs | 7.1 versions prior to   |
|                               | 7.1(2)49                |
|                               | 7.2 versions prior to   |
|                               | 7.2(2)19                |
+---------------------------------------------------------+

To determine the version of Cisco ASA or PIX system software your device is
running, log into the command line interface (CLI) of the device and issue
the show version command.
This example shows an ASA that runs software release 7.2(2)10:

    ciscoasa# show version
    Cisco Adaptive Security Appliance Software Version 7.2(2)10

For customers that manage their devices through the Cisco Adaptive Security
Device Manager (ASDM), log into the application, and the version can be found
either in the table in the login window or in the upper left hand corner of
the ASDM window, indicated by a label similar to:

    PIX Version 7.2(2)10

Cisco ASA and PIX security appliances running affected software versions are
only vulnerable if they are running one of the following configurations:

LDAP Authentication Bypass Vulnerability
+---------------------------------------

Two configuration scenarios exist where Cisco PIX or ASA devices are
vulnerable:

  * Layer 2 Tunneling Protocol (L2TP)

    Devices configured to use an LDAP authentication server and an
    authentication protocol other than PAP may be vulnerable. The LDAP server
    is specified in the configuration via the aaa-server ldap server host
    command line interface (CLI) configuration command. The authentication
    protocol is specified via the authentication command within the
    tunnel-group ppp-attributes section of the configuration.

    Relevant configuration segments of a vulnerable device are shown below.
    In the following example configuration, the authentication server is
    specified as LDAP and the authentication protocol is specified as
    ms-chap-v2:

        aaa-server ldap_server protocol ldap
        aaa-server ldap_server host 192.168.1.100
         timeout 5
         ldap-scope onelevel
        tunnel-group example_l2tp_group general-attributes
         address-pool inside_addresses
         authentication-server-group ldap_server
        tunnel-group example_l2tp_group ppp-attributes
         authentication ms-chap-v2

  * Remote Management Access

    Devices configured to allow remote management access (telnet, SSH, HTTP)
    and use an LDAP authentication, authorization, accounting (AAA) server
    for credential validation may be vulnerable.
    In the configuration file, the server_group is defined as an LDAP server
    with the command aaa-server protocol ldap. The LDAP authentication server
    for remote management access is defined via the command aaa
    authentication {telnet | ssh | http | serial} console server_group.

    Relevant configuration segments of a vulnerable device are shown below.
    The authentication server is specified as LDAP, and remote management
    access for SSH is permitted, with credentials checked by the defined LDAP
    AAA server:

        ssh 192.168.1.2 255.255.255.255 inside
        aaa-server ldap_server protocol ldap
        aaa-server ldap_server host 192.168.1.100
         timeout 5
         ldap-scope onelevel
        aaa authentication ssh console ldap_server

Denial of Service in VPNs with Password Expiry
+---------------------------------------------

A device may be affected by this vulnerability if the password-management
command is present in the tunnel-group section, as shown in the following
examples:

    tunnel-group example_group general-attributes
     address-pool inside_addresses
     default-group-policy example_group
     password-management

    tunnel-group example_group general-attributes
     address-pool inside_addresses
     default-group-policy example_group
     password-management password-expire-in-days 30

Denial of Service in SSL VPNs
+----------------------------

Clientless SSL VPNs must be enabled on an interface in order for the device
to be affected by this vulnerability. Devices with clientless SSL VPNs
enabled have a webvpn section in the running configuration. This will be
similar to the following entry:

    webvpn
     enable outside
     url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
     url-list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
     url-list ServerList "FOCUS_SRV_2" http://10.2.2.4 3

Products Confirmed Not Vulnerable
+--------------------------------

The Firewall Services Module (FWSM) is not affected by any of the
vulnerabilities disclosed in this advisory.
Cisco ASA and PIX security appliances are not affected by these vulnerabilities under the following conditions:

LDAP Authentication Bypass for L2TP Sessions
+-------------------------------------------

ASA and PIX security appliances with the following configurations are not affected by this vulnerability:

* Devices configured for L2TP over IPSec and using an authentication server other than LDAP
* Devices configured for L2TP over IPSec and using an LDAP authentication server with PAP
* Devices using an AAA server other than LDAP or a local database for authentication of remote management sessions

Denial of Service in VPNs with Password Expiry
+---------------------------------------------

Devices without remote access tunnel groups configured with password expiry are not susceptible to this vulnerability.

Denial of Service in SSL VPNs
+----------------------------

Devices not configured to support clientless SSL VPN connections are not susceptible to this vulnerability. PIX Security Appliances do not support clientless SSL VPN connections and are not vulnerable.

Details
=======

The PIX is a firewall appliance that delivers user and application policy enforcement, multi-vector attack protection, and secure connectivity services. The Adaptive Security Appliance (ASA) is a modular platform that provides security and VPN services. The ASA offers firewall, intrusion prevention (IPS), anti-X, and VPN services.

LDAP Authentication Bypass
+-------------------------

Cisco ASA and PIX devices leveraging LDAP AAA servers for authentication of terminating L2TP IPSec tunnels or remote management sessions may be vulnerable to an authentication bypass attack. See the following bullets for more details:

* Layer 2 Tunneling Protocol (L2TP)

  Devices terminating L2TP IPSec tunnels must be configured to use LDAP in conjunction with CHAP, MS-CHAPv1, or MS-CHAPv2 authentication protocols to be vulnerable.
  If LDAP authentication is used in conjunction with PAP, the device is not vulnerable to the LDAP L2TP authentication bypass.

* Remote Management Access

  Cisco ASA and PIX devices leveraging LDAP AAA servers for authentication of management sessions (telnet, SSH and HTTP) may be vulnerable to an authentication bypass attack. Access for management sessions must be explicitly enabled and is limited to the defined source IP address within the device configuration.

This vulnerability is documented as bug ID CSCsh42793.

Denial of Service in VPNs with Password Expiry
+---------------------------------------------

Cisco ASA and PIX devices terminating remote access VPN connections may be vulnerable to a DoS attack if the tunnel group is configured with password expiry. To exploit this vulnerability for IPSec VPN connections, an attacker would need to know the group name and group password. An attacker would not need this information for SSL VPN connections. A successful attack results in a reload of the device.

This vulnerability is documented as software bug CSCsh81111.

Denial of Service in SSL VPNs
+----------------------------

Cisco ASAs using clientless SSL VPNs are vulnerable to a denial of service attack via the SSL VPN HTTP server. A successful attack must exploit a race condition in the processing of non-standard SSL sessions and results in a reload of the device.

More details are available in bug CSCsi16248.

Vulnerability Scoring Details
=============================

Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.
CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss

Cisco Bug IDs:

CSCsh42793 - LDAP Authentication Bypass for L2TP Sessions

CVSS Base Score: 8.0
    Access Vector:          Remote
    Access Complexity:      High
    Authentication:         Not Required
    Confidentiality Impact: Complete
    Integrity Impact:       Complete
    Availability Impact:    Complete
    Impact Bias:            Normal

CVSS Temporal Score: 6.6
    Exploitability:    Functional
    Remediation Level: Official-Fix
    Report Confidence: Confirmed

CSCsh42793 - LDAP Authentication Bypass for L2TP Sessions

CVSS Base Score: 3.3
    Access Vector:          Remote
    Access Complexity:      Low
    Authentication:         Not Required
    Confidentiality Impact: None
    Integrity Impact:       None
    Availability Impact:    Complete
    Impact Bias:            Normal

CVSS Temporal Score: 2.7
    Exploitability:    Functional
    Remediation Level: Official-Fix
    Report Confidence: Confirmed

CSCsi16248 - Denial of Service in SSL VPNs

CVSS Base Score: 3.3
    Access Vector:          Remote
    Access Complexity:      Low
    Authentication:         Not Required
    Confidentiality Impact: None
    Integrity Impact:       None
    Availability Impact:    Complete
    Impact Bias:            Normal

CVSS Temporal Score: 2.7
    Exploitability:    Functional
    Remediation Level: Official-Fix
    Report Confidence: Confirmed

Impact
======

Successful exploitation of the LDAP Authentication bypass vulnerability may allow unauthorized users to access the device or internal resources. The DoS vulnerability in VPN password expiry and the DoS vulnerability in clientless SSL VPNs could be repeatedly exploited to cause an extended DoS condition.
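A configuration check for the vulnerable conditions described in the Vulnerable Products and Details sections above, as an added example that is not part of the Cisco advisory: it parses a constructed running-config in the format of the advisory's own snippets and reports each condition under its bug ID, so the same check can confirm that the workarounds (PAP-only L2TP authentication, no password-management) remove a finding.

```python
"""Audit an ASA/PIX running configuration for the conditions that
cisco-sa-20070502-asa lists as vulnerable.  Added example, not Cisco's code;
the configuration below is constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample running-config: an LDAP group used for L2TP (with MS-CHAPv2)
# and for SSH management, a RADIUS group for HTTP management, password expiry,
# and clientless SSL VPN enabled.
SAMPLE_CONFIG = """\
aaa-server ldap_server protocol ldap
aaa-server ldap_server host 192.168.1.100
 ldap-scope onelevel
aaa-server rad_server protocol radius
aaa-server rad_server host 192.168.1.101
ssh 192.168.1.2 255.255.255.255 inside
aaa authentication ssh console ldap_server
aaa authentication http console rad_server
tunnel-group example_l2tp_group general-attributes
 authentication-server-group ldap_server
tunnel-group example_l2tp_group ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group example_group general-attributes
 password-management password-expire-in-days 30
webvpn
 enable outside
"""


def parse_sections(config):
    """Split a running-config into top-level commands and their sub-commands.
    The ASA prints sub-commands indented by one space under the parent line."""
    top, sections, current = [], defaultdict(list), None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            top.append(current)
    return top, sections


def audit(config):
    """Return sorted (bug_id, finding) tuples for each vulnerable condition the
    advisory describes; an empty list means none of them is present."""
    top, sections = parse_sections(config)
    findings = []

    # Server groups defined with "aaa-server <group> protocol ldap".
    ldap_groups = set()
    for line in top:
        m = re.match(r"aaa-server (\S+) protocol ldap$", line)
        if m:
            ldap_groups.add(m.group(1))

    for header, subs in sections.items():
        m = re.match(r"tunnel-group (\S+) general-attributes$", header)
        if not m:
            continue
        name = m.group(1)
        # CSCsh42793 (L2TP): LDAP server group plus any PPP authentication
        # protocol other than PAP (CHAP, MS-CHAPv1, MS-CHAPv2).
        auth_group = next((s.split()[1] for s in subs
                           if s.startswith("authentication-server-group ")), None)
        ppp = sections.get("tunnel-group %s ppp-attributes" % name, [])
        non_pap = {s.split()[1] for s in ppp
                   if s.startswith("authentication ")} - {"pap"}
        if auth_group in ldap_groups and non_pap:
            findings.append(("CSCsh42793", "tunnel-group %s: LDAP group %s with %s"
                             % (name, auth_group, sorted(non_pap))))
        # CSCsh81111: password expiry configured on the tunnel group.
        if any(s.startswith("password-management") for s in subs):
            findings.append(("CSCsh81111",
                             "tunnel-group %s: password-management configured" % name))

    # CSCsh42793 (management): telnet/ssh/http/serial console auth via LDAP.
    for line in top:
        m = re.match(r"aaa authentication (telnet|ssh|http|serial) console (\S+)$", line)
        if m and m.group(2) in ldap_groups:
            findings.append(("CSCsh42793", "%s management access authenticated by "
                             "LDAP group %s" % (m.group(1), m.group(2))))

    # CSCsi16248: clientless SSL VPN enabled on an interface (ASA only).
    for s in sections.get("webvpn", []):
        if s.startswith("enable "):
            findings.append(("CSCsi16248",
                             "clientless SSL VPN enabled on interface " + s.split()[1]))
    return sorted(findings)
```

Run audit() over the output of "show running-config"; a device that only matches CSCsi16248 is affected only if it is an ASA, since the PIX does not support clientless SSL VPN.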
Software Version Fixes
======================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

+--------------------------------------------+
|                      | First Fixed         |
| Vulnerability        | Release             |
|                      |---------------------|
|                      | 7.1      | 7.2      |
|----------------------+----------+----------|
| LDAP Authentication  | Not      |          |
| Bypass               | affected | 7.2(2)8  |
|----------------------+----------+----------|
| Denial of Service in |          |          |
| VPNs with Password   | 7.1(2)49 | 7.2(2)17 |
| Expiry               |          |          |
|----------------------+----------+----------|
| Denial of Service in |          |          |
| SSL VPNs             | 7.1(2)49 | 7.2(2)17 |
+--------------------------------------------+

More information on how and where to obtain fixed software can be found in the Obtaining Fixed Software section of this advisory.

Workarounds
===========

This section of the advisory describes workarounds that may be useful in some environments. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory at the following link:
http://www.cisco.com/warp/public/707/cisco-air-20070502-asa.shtml

LDAP Authentication bypass
+-------------------------

The following workarounds may be a useful reference for some customers to mitigate the LDAP authentication bypass vulnerabilities.
* L2TP

  For Cisco ASA or PIX devices configured to use an LDAP authentication server for L2TP over IPSec connections, configuring the device to use PAP as an authentication protocol may mitigate this vulnerability. It is important to note that PAP transmits passwords in clear-text. PAP authentication is encrypted via IPSec when it is used for the L2TP connection. Communications between the security appliance and the LDAP server are not encrypted by default and can be secured with SSL using the ldap-over-ssl command.

  Configuration of PAP authentication can be done using the following example as a guide or by referring to the security appliance configuration guides listed:

      ciscoasa# config t
      ciscoasa(config)# tunnel-group l2tp_group ppp-attributes
      ciscoasa(config-ppp)# authentication pap
      ciscoasa(config-ppp)# no authentication ms-chap-v1
      ciscoasa(config-ppp)# no authentication ms-chap-v2
      ciscoasa(config-ppp)# no authentication chap

  Information on configuring L2TP over IPSEC using the CLI is available at the following link:
  http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_chapter09186a008066ebb6.html

  Information on configuring L2TP over IPSEC using the ASDM can be found at:
  http://www.cisco.com/en/US/partner/products/ps6121/products_configuration_guide_chapter09186a00806a81bc.html

* Remote Management

  Cisco ASA or PIX devices that authenticate remote management sessions with either the local database or an AAA server other than an LDAP server are not affected by this vulnerability. More information on changing the AAA server protocol used with remote management sessions is available at the following link:
  http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/sysadmin/mgaccess.htm

  Remote management sessions must be explicitly enabled before the Cisco ASA or PIX will accept sessions. The source IP addresses are defined within the command that enables remote management access.
  Below are examples of enabling remote management sessions (note that other commands are required, but these commands control the source IP address of the device that is allowed access to the Cisco ASA or PIX device):

  For remote telnet, ssh and http access:

      ciscoasa# config t
      ciscoasa(config)# telnet source_IP_address mask source_interface
      ciscoasa(config)# ssh source_IP_address mask source_interface
      ciscoasa(config)# http source_IP_address mask source_interface

Denial of Service in VPNs with Password Expiry
+---------------------------------------------

Disabling password expiry for remote access users until a device can be updated with non-vulnerable code can prevent the exposure of this vulnerability. This can be accomplished by removing the password management entry in the general attributes of the tunnel group, as shown in the following example:

    ciscoasa# config t
    ciscoasa(config)# tunnel-group remote_access_group general-attributes
    ciscoasa(config-tunnel-general)# no password-management

Implementing this workaround will disable the password expiry feature, and users will not be forced to change their passwords. More information on the password-management command is available in the Security Appliance Command Reference at the following link:
http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f0f8.html#wp1725278

Denial of Service in SSL VPNs
+----------------------------

If clientless SSL VPNs are used, there is no workaround for the SSL VPN vulnerability. Client-based VPNs are not affected, and may be used as an alternative to the clientless VPN connections. More information on configuring clientless SSL VPNs on the ASA is available in the configuration example at the following link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml

Obtaining Fixed Software
========================

Cisco will make free software available to address this vulnerability for affected customers.
This advisory will be updated as fixed software becomes available. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Registered users can download the latest ASA and PIX releases at:
http://www.cisco.com/cgi-bin/tablebuild.pl/asa-interim
http://www.cisco.com/cgi-bin/tablebuild.pl/pix-interim

Do not contact either "psirt at cisco.com" or "security-alert at cisco.com" for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission.
Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

These vulnerabilities were reported to Cisco by customers that experienced these issues during normal operation of their equipment.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20070502-asa.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-teams at first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+----------------------------------------+
| Revision |             | Initial       |
| 1.0      | 2007-May-02 | public        |
|          |             | release       |
+----------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at http://www.cisco.com/go/psirt

From eaton.lists at gmail.com Wed May 2 19:26:19 2007
From: eaton.lists at gmail.com (Brian Eaton)
Date: Wed, 2 May 2007 14:26:19 -0400
Subject: [Full-disclosure] Cryptome is dead (at least for now)
In-Reply-To:
References: <739e7bb20704291120vc1fff39r2766dd86fb571cd4@mail.gmail.com>
Message-ID: <242a0a8f0705021126j2d08b51bt2f775de2fefeb3e6@mail.gmail.com>

On 5/2/07, Open Phugu wrote:
> John Young should set up cryptome as a tor hidden service.

If Chinese dissidents can figure out how to blog, John Young should be able to figure out how to stay on the web one way or another.

Regards,
Brian

From labs-no-reply at idefense.com Wed May 2 19:53:22 2007
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Wed, 02 May 2007 14:53:22 -0400
Subject: [Full-disclosure] iDefense Security Advisory 05.02.07: LiveData Protocol Server Heap Overflow Vulnerability
Message-ID: <4638DE22.1010507@idefense.com>

LiveData Protocol Server Heap Overflow Vulnerability

iDefense Security Advisory 05.02.07
http://labs.idefense.com/intelligence/vulnerabilities/
May 02, 2007

I. BACKGROUND

LiveData is a provider of real-time data acquisition and processing software. LiveData Protocol Server is used in SCADA environments to record and transmit data to other control points in process control networks. The LiveData server includes a HTTP server that offers a SOAP interface to the product. More information is available at the vendor's web site at the following URL.

http://www.livedata.com/

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability within LiveData's Protocol Server could allow an attacker to cause the service to crash or potentially execute arbitrary code with SYSTEM privileges.
The vulnerability specifically exists due to the handling of requests for WSDL files. By supplying a specially crafted request to the service on port 8080, an attacker is able to supply a negative length value to a strncpy call. This value is interpreted by strncpy as a very large positive value. As a result, a memory access violation occurs when attempting to write data past the end of the heap memory segment.

III. ANALYSIS

Exploitation allows an attacker to crash the LiveDataServer service or potentially execute arbitrary code. Arbitrary code execution would depend on overwriting heap data that is used within a different thread. A race condition would have to exist where the flow of execution would be diverted before the application terminated from the memory access violation.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in LiveData Protocol Server version 5.00.045 which was the current release as of September 13th 2006.

V. WORKAROUND

In order to mitigate potential exploitation, iDefense recommends blocking access to port 8080 by using a firewall.

VI. VENDOR RESPONSE

LiveData has addressed this vulnerability with updated versions of their software. The following versions are reported to be fixed.

RTI update 500062
Protocol Server update 500062
Maintenance Server update 500062

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

01/02/2007 Initial vendor notification
01/03/2007 Initial vendor response
05/02/2007 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From security at mandriva.com Wed May 2 22:04:21 2007
From: security at mandriva.com (security at mandriva.com)
Date: Wed, 02 May 2007 15:04:21 -0600
Subject: [Full-disclosure] [ MDKSA-2007:096 ] - Updated quagga packages fix DoS vulnerability
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2007:096
http://www.mandriva.com/security/
_______________________________________________________________________

Package : quagga
Date    : May 2, 2007
Affected: Corporate 4.0
_______________________________________________________________________

Problem Description:

The BGP routing daemon in Quagga did not properly validate length values in NLRI attributes which could allow a remote attacker to cause a denial of service via a crafted UPDATE message that triggered an assertion error or out of bounds read.

Updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1995
_______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

From TSRT at 3com.com Wed May 2 22:40:51 2007
From: TSRT at 3com.com (TSRT at 3com.com)
Date: Wed, 2 May 2007 14:40:51 -0700
Subject: [Full-disclosure] TPTI-07-05: IBM Tivoli Provisioning Manager for OS Deployment Multiple Stack Overflow Vulnerabilities
Message-ID:

TPTI-07-05: IBM Tivoli Provisioning Manager for OS Deployment Multiple Stack Overflow Vulnerabilities
http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
May 2, 2007

-- CVE ID:
CVE-2007-1868

-- Affected Vendor:
IBM

-- Affected Products:
Tivol