From jf at danglingpointers.net Thu Nov 1 06:04:42 2007
From: jf at danglingpointers.net (jf)
Date: Thu, 1 Nov 2007 06:04:42 +0000 (UTC)
Subject: [Full-disclosure] Flash that simulates virus scan
In-Reply-To:
References:
Message-ID:

must be on one of the .gov red teams ;]

On Wed, 31 Oct 2007, reepex wrote:

> Date: Wed, 31 Oct 2007 16:56:20 -0500
> From: reepex
> To: Joshua Tagnore ,
>     full-disclosure at lists.grok.org.uk
> Subject: Re: [Full-disclosure] Flash that simulates virus scan
>
> resorting to SE in a pen test cuz you can't break any of the actual machines?
>
> lulz
>
> On 10/31/07, Joshua Tagnore wrote:
> > List,
> >
> > Some time ago I remember that someone posted a PoC of a small site that
> > had a really nice looking flash animation that "performed a virus scan" and
> > after the "virus scan" was finished, the user was prompted for a "Download
> > virus fix?" question. After that, of course, a file is sent to the user and
> > he got infected with some malware. Right now I'm performing a penetration
> > test, and I would like to target some of the users of the corporate LAN, so
> > I think this approach is the best in order to penetrate to the LAN.
> >
> > I searched google but failed to find the URL, could someone send it to
> > me ? Thanks!
> >
> > Cheers,
> > --
> > Joshua Tagnore
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

From stuart at cyberdelix.net Thu Nov 1 03:16:04 2007
From: stuart at cyberdelix.net (lsi)
Date: Thu, 01 Nov 2007 03:16:04 -0000
Subject: [Full-disclosure] spammer wades into US Presidential race
In-Reply-To: <21bcc0400710302014m3ae37a84m8a8c5a27053b9936@mail.gmail.com>
References: <4724A926.18246.81C01CD@stuart.cyberdelix.net>,
	<4727EFC9.9262.A5628D@stuart.cyberdelix.net>,
	<21bcc0400710302014m3ae37a84m8a8c5a27053b9936@mail.gmail.com>
Message-ID: <472944F4.12751.2DAB5F2@stuart.cyberdelix.net>

> Did you try contacting his campaign, and asking them if it was theirs?
> While they may not fess up, it wouldn't hurt.

Actually, it would hurt my wallet, and waste my time, compounding the loss
already incurred by receiving the spam in the first place.

> Also, if you really believed that it might come from his campaign,

I didn't say that.

> wouldn't it be worth trying to find out if

No.

> Simply postulating that it's his (considering spamming is not a nice

I didn't do that. But now you mention it - why would a spammer divert
precious bandwidth from sending profitable spam? That's gonna cost him
money. Either the spammer donated his resources for free, or someone
paid - and who is that most likely to be? You? Me? Ron Paul? Hillary
Clinton? You decide.

> thing) without even checking his record on such a topic, and claiming
> "newsworthy" isn't quite... nice.

Check out Wired's take on it here:
http://www.wired.com/politics/security/news/2007/10/paul_bot

It seems the net is somewhat overrun with his apologists.

Stu

> On 10/30/07, lsi wrote:
> > I didn't do much in the way of research, cos this is surely spam, and
> > we know spammers forge as much as possible. So, I presume Derk
> > Gaston doesn't exist (I note his email address is
> > janek at stswithxxx.com, unlikely).
> >
> > I note the mail is coming from .cn, a quick ping and traceroute
> > confirm this, again, it's unlikely Mr Paul is posting his newsletter
> > via China.
> >
> > I also note the forged Received: line containing the hostname
> > dns02e.hants.gov.uk (this must be forged since it claims that host
> > has the IP 59.52.247.195, yet my own mailserver has resolved
> > 59.52.247.195 to 195.247.52.59.broad.nc.jx.dynamic.163data.com.cn,
> > and besides, there's no reason for Hampshire Council to be forwarding
> > my mail, especially when it's concerning an American politician and
> > it's sent from China by a guy named Derk with an email address that
> > starts with Jane ...
> >
> > Finally I note the randomness inserted at the end of the subject
> > line and body.
> >
> > That looks like professionally-produced spam, if it's possible for
> > spam to be professional, which is why I forwarded it, because I don't
> > recall seeing spammers take much of an interest in politics before.
> > Unless of course Ron Paul commissioned the spam, which is unlikely
> > but certainly newsworthy if so. All of these unlikelies got me
> > curious...
> >
> > Stu
> >
> > On 28 Oct 2007 at 12:04, Aaron Katz wrote:
> >
> > Date sent:  Sun, 28 Oct 2007 12:04:13 -0400
> > From:       "Aaron Katz"
> > To:         stuart at cyberdelix.net
> > Subject:    Re: [Full-disclosure] spammer wades into US Presidential race
> > Copies to:  full-disclosure at lists.grok.org.uk
> >
> > > Could you provide a little more information/investigation (I'm too
> > > lazy, at this very moment, to do the background investigation that you
> > > should have provided, like who derk gaston is)? According to the
> > > headers, this looks like it might be forged (not just the little "may
> > > be forged" notice, but the source locations, and even the name of the
> > > person sending the mail - what association do they have to Ron Paul?)
> > >
> > > On 10/28/07, lsi wrote:
> > > > [Well, it could be worse.
> > > > Spam that wants to end the Iraq war, great! - Stu]
> > > >
> > > > Return-Path:
> > > > Received: from 195.247.52.59.broad.nc.jx.dynamic.163data.com.cn
> > > >     (195.247.52.59.broad.nc.jx.dynamic.163data.com.cn [59.52.247.195]
> > > >     (may be forged))
> > > >     by x.y.net (8.13.1/8.13.1) with ESMTP id l9S5irW8004442
> > > >     for ; Sun, 28 Oct 2007 05:44:54 GMT
> > > > Received: from [59.52.247.195] by dns02e.hants.gov.uk; Sun, 28 Oct
> > > >     2007 05:44:51 +0000
> > > > Message-ID: <000701c81925$02a66001$93e966b1 at qgddwrot>
> > > > From: "derk gaston"
> > > > To:
> > > > Subject: Government Wasteful Spending Eliminated By Ron Paul yGVed
> > > > Date: Sun, 28 Oct 2007 03:57:28 +0000
> > > >
> > > > [...]
> > > >
> > > > Hello Scott,
> > > >
> > > > Ron Paul is for the people, unless you want your children to
> > > > have human implant RFID chips, a National ID card and create
> > > > a North American Union and see an economic collapse far worse
> > > > than the great depression. Vote for Ron Paul he speaks the
> > > > truth and the media and government is afraid of him. This is
> > > > the last honest politician left to bring this country out of
> > > > this rut from the War Profiteers and bush Administration has
> > > > created. Get motivated America, don't believe the lies of the
> > > > media he has also WON the GOP Debate On Sunday! Value Freedom
> > > > and Liberty instead of corporate lies and corruption. Bypass
> > > > this media blackout they are doing to Ron Paul, tell your family
> > > > and friends and get involved in a local group at meetup.com make
> > > > your voice heard! He will end the War In Iraq immediately,
> > > > He will eliminate the IRS and wasteful government spending, and
> > > > eliminate the Federal Reserve and restore power to the people
> > > > and the only person not a member on the CFR. Can any other runner
> > > > make these claims or give Americans the true freedom we were all
> > > > raised to believe?
> > > > We are all economic slaves to the banks and the
> > > > illegal federal Reserve. This is why our currency is worth nothing
> > > > because of Hidden Inflation Tax and the IRS taking everything
> > > > you make!
> > > >
> > > > ** RON PAUL WILL STOP THE IRAQ WAR IMMEDIATELY! **
> > > >
> > > > He has NEVER voted:
> > > > * to raise taxes
> > > > * for an unbalanced budget
> > > > * to raise congressional pay
> > > > * for a federal restriction on gun ownership
> > > > * to increase the power of the executive branch
> > > >
> > > > He HAS voted:
> > > > * against the Iraq war
> > > > * against the inappropriately named USA PATRIOT act
> > > > * against regulating the internet
> > > > * against the Military Commissions Act
> > > >
> > > > He will eliminate the IRS, Wasteful Government Spending &
> > > > Stop The Iraq War Immediately!
> > > >
> > > > Most importantly, he voted NO on anything in Congress that
> > > > is not allowed by the Constitution. And he Despises any
> > > > politician that does not do their job for the people and lives
> > > > up to the constitution!
> > > >
> > > > Google.com & Youtube.com Search: "Ron Paul"
> > > > Join The Revolution!
> > > >
> > > > ***************************************
> > > > We Need A Real President That Will Restore And Protect
> > > > Americans! Stop The War! Protect Our Borders!
> > > > *********VOTE RON PAUL 2008************
> > > > rIQdkb
> > > >
> > > >
> > > > -- End --
> > > >
> > > >
> > > > ---
> > > > Stuart Udall
> > > > stuart at at cyberdelix.dot net - http://www.cyberdelix.net/
> > > >
> > > > ---
> > > > * Origin: lsi: revolution through evolution (192:168/0.2)
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > >
> > > >
> >
> > ---
> > Stuart Udall
> > stuart at at cyberdelix.dot net - http://www.cyberdelix.net/
> >
> > ---
> > * Origin: lsi: revolution through evolution (192:168/0.2)
> >

---
Stuart Udall
stuart at at cyberdelix.dot net - http://www.cyberdelix.net/

---
* Origin: lsi: revolution through evolution (192:168/0.2)

From reepex at gmail.com Thu Nov 1 03:40:22 2007
From: reepex at gmail.com (reepex)
Date: Wed, 31 Oct 2007 22:40:22 -0500
Subject: [Full-disclosure] Flash that simulates virus scan
In-Reply-To:
References:
Message-ID:

don't you listen to pdp ever? the government uses xss and bruteforces
remote desktop logins

http://seclists.org/fulldisclosure/2007/Oct/0417.html

pdp: "military grade exploits? :) dude, I am sorry man.. but you are living
in some kind of a dream world. get real, most of the military hacks
are as simple as bruteforcing the login prompt.. or trying something
as simple as XSS."

------

pdp is an hero and a computer security expert and based on his fans
from the list he is the greatest researcher since lcamtuf. his word = gold

On 11/1/07, jf wrote:
> must be on one of the .gov red teams ;]
>
>
> On Wed, 31 Oct 2007, reepex wrote:
>
> > Date: Wed, 31 Oct 2007 16:56:20 -0500
> > From: reepex
> > To: Joshua Tagnore ,
> >     full-disclosure at lists.grok.org.uk
> > Subject: Re: [Full-disclosure] Flash that simulates virus scan
> >
> > resorting to SE in a pen test cuz you can't break any of the actual machines?
> >
> > lulz
> >
> > On 10/31/07, Joshua Tagnore wrote:
> > > List,
> > >
> > > Some time ago I remember that someone posted a PoC of a small site that
> > > had a really nice looking flash animation that "performed a virus scan" and
> > > after the "virus scan" was finished, the user was prompted for a "Download
> > > virus fix?" question.
> > > After that, of course, a file is sent to the user and
> > > he got infected with some malware. Right now I'm performing a penetration
> > > test, and I would like to target some of the users of the corporate LAN, so
> > > I think this approach is the best in order to penetrate to the LAN.
> > >
> > > I searched google but failed to find the URL, could someone send it to
> > > me ? Thanks!
> > >
> > > Cheers,
> > > --
> > > Joshua Tagnore
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter:
> > > http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>

From reepex at gmail.com Thu Nov 1 03:55:36 2007
From: reepex at gmail.com (reepex)
Date: Wed, 31 Oct 2007 22:55:36 -0500
Subject: [Full-disclosure] ZDI-07-058: Oracle E-Business Suite SQL Injection Vulnerability
In-Reply-To:
References:
Message-ID:

post auth sql injection in random admin console - lulz

On 10/31/07, zdi-disclosures at 3com.com wrote:
> The specific flaw exists in the okxLOV.jsp page in the Administration
> console.

From reepex at gmail.com Thu Nov 1 03:57:36 2007
From: reepex at gmail.com (reepex)
Date: Wed, 31 Oct 2007 22:57:36 -0500
Subject: [Full-disclosure] ZDI-07-063: RealPlayer RA Field Size File Processing Heap Overflow Vulnerability
In-Reply-To:
References:
Message-ID:

user interaction on a random file format? haven't we been over these types of
bugs? This pool of zdi bugs is almost more laughable than idefense's aix spam
flood

On 10/31/07, zdi-disclosures at 3com.com wrote:
> This vulnerability allows remote attackers to execute code on vulnerable
> installations of RealPlayer.
> User interaction is required in that a
> user must open a malicious .ra/.ram file or visit a malicious web
> site.

From atkatz at gmail.com Thu Nov 1 04:11:22 2007
From: atkatz at gmail.com (Aaron Katz)
Date: Thu, 1 Nov 2007 00:11:22 -0400
Subject: [Full-disclosure] spammer wades into US Presidential race
In-Reply-To: <472944F4.12751.2DAB5F2@stuart.cyberdelix.net>
References: <4724A926.18246.81C01CD@stuart.cyberdelix.net>
	<4727EFC9.9262.A5628D@stuart.cyberdelix.net>
	<21bcc0400710302014m3ae37a84m8a8c5a27053b9936@mail.gmail.com>
	<472944F4.12751.2DAB5F2@stuart.cyberdelix.net>
Message-ID: <21bcc0400710312111x4ca34f6docdccdbdd80b92dd6@mail.gmail.com>

> Actually, it would hurt my wallet, and waste my time, compounding the loss
> already incurred by receiving the spam in the first place.

But it's worth your time to forward spam to everyone on the
full-disclosure mailing list.

> > Also, if you really believed that it might come from his campaign,
> I didn't say that.

Then what benefit was there to forwarding it along?

> > Simply postulating that it's his (considering spamming is not a nice
> I didn't do that.

Then I apologize if I read too much into your email.

> But now you mention it - why would a spammer
> divert precious bandwidth from sending profitable spam? That's gonna
> cost him money. Either the spammer donated his resources for free,
> or someone paid - and who is that most likely to be? You? Me? Ron
> Paul? Hillary Clinton? You decide.

I'd rather wait for some form of evidence. Right now all that is
available is gossip.

> > thing) without even checking his record on such a topic, and claiming
> > "newsworthy" isn't quite... nice.
> Check out Wired's take on it here:
> http://www.wired.com/politics/security/news/2007/10/paul_bot

If you read the article from Wired, *they* contacted Paul's campaign, and
performed some basic investigation. That's rather different from
forwarding a spam message on to a mailing list.
> It seems the net is somewhat overrun with his apologists.

At what point has anyone acted as his apologist (recently, on this
thread)? I've seen others clarifying positions he's taken on particular
issues/votes, and I've questioned your lack of investigation before
forwarding the message on to everyone.

From redhowlingwolves at bellsouth.net Thu Nov 1 04:09:06 2007
From: redhowlingwolves at bellsouth.net (scott)
Date: Thu, 01 Nov 2007 00:09:06 -0400
Subject: [Full-disclosure] Flash that simulates virus scan
In-Reply-To:
References:
Message-ID: <47295162.3060207@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It would be nice if the people who ridicule pdp would actually do some
research in the field of JS exploits before passing judgement.

Two places I can think of are RSnake's blog at http://ha.ckers.org/ and
also the forum: http://sla.ckers.org/forum/

You might learn something regarding the dangers of XSS.

Cheers,
Scott

reepex wrote:
> dont you listen to pdp ever? the government uses xss and bruteforces
> remote desktop logins
>
> http://seclists.org/fulldisclosure/2007/Oct/0417.html
>
> pdp: "military grade exploits? :) dude, I am sorry man.. but you are living
> in some kind of a dream world. get real, most of the military hacks
> are as simple as bruteforcing the login prompt.. or trying something
> as simple as XSS."
>
> ------
>
> pdp is an hero and a computer security expert and based on his fans
> from the list he is the greatest researcher since lcamtuf. his word =
> gold
>
>
>
> On 11/1/07, jf wrote:
>> must be on one of the .gov red teams ;]
>>
>>
>> On Wed, 31 Oct 2007, reepex wrote:
>>
>>> Date: Wed, 31 Oct 2007 16:56:20 -0500
>>> From: reepex
>>> To: Joshua Tagnore ,
>>>     full-disclosure at lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] Flash that simulates virus scan
>>>
>>> resorting to SE in a pen test cuz you can't break any of the actual machines?
>>>
>>> lulz
>>>
>>> On 10/31/07, Joshua Tagnore wrote:
>>>> List,
>>>>
>>>> Some time ago I remember that someone posted a PoC of a small site that
>>>> had a really nice looking flash animation that "performed a virus scan" and
>>>> after the "virus scan" was finished, the user was prompted for a "Download
>>>> virus fix?" question. After that, of course, a file is sent to the user and
>>>> he got infected with some malware. Right now I'm performing a penetration
>>>> test, and I would like to target some of the users of the corporate LAN, so
>>>> I think this approach is the best in order to penetrate to the LAN.
>>>>
>>>> I searched google but failed to find the URL, could someone send it to
>>>> me ? Thanks!
>>>>
>>>> Cheers,
>>>> --
>>>> Joshua Tagnore
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter:
>>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHKVFfxajqy/aNaRsRAtfEAKC8sRWj8i4IQGQ0jEnjFveg0T9SLACfeykj
ptS9bqw+XU+R9KQaSkcVdpM=
=+wFb
-----END PGP SIGNATURE-----

From nick at virus-l.demon.co.uk Thu Nov 1 04:32:49 2007
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Date: Thu, 01 Nov 2007 17:32:49 +1300
Subject: [Full-disclosure] Flash that simulates virus scan
In-Reply-To:
References:
Message-ID: <472A0DC1.16186.2FF59226@nick.virus-l.demon.co.uk>

Joshua Tagnore wrote:

> Some time ago I remember that someone posted a PoC of a small site that
> had a really nice looking flash animation that "performed a virus scan" and
> after the "virus scan" was finished, the user was prompted for a "Download
> virus fix?" question. After that, of course, a file is sent to the user and
> he got infected with some malware. Right now I'm performing a penetration
> test, and I would like to target some of the users of the corporate LAN, so
> I think this approach is the best in order to penetrate to the LAN.

That approach is dying/has kinda died...

> I searched google but failed to find the URL, could someone send it to
> me ? Thanks!

...I mean, why arse around with authoring such large, complex SWFs when
you can achieve about as compelling an effect with JavaScript?

Regards,

Nick FitzGerald

From michaelslists at gmail.com Thu Nov 1 11:45:06 2007
From: michaelslists at gmail.com (silky)
Date: Thu, 1 Nov 2007 22:45:06 +1100
Subject: [Full-disclosure] an open letter to kevin bacon: hello, how's it going?
Message-ID: <5e01c29a0711010445i25975a52t61ef3039adc946b7@mail.gmail.com>

please, if you know kevin bacon, can you forward this mail to him, and
have him reply to me? or at least if you know someone who you think
might then know him, please send it on.
i'm testing something. thanks.

==========================================================

hi kevin!

it's mike! how are you? doing any new movies? i hope so. keep up the
good work.

all the best.

--
mike

From research at sec-consult.com Thu Nov 1 12:06:37 2007
From: research at sec-consult.com (Bernhard Mueller)
Date: Thu, 1 Nov 2007 13:06:37 +0100
Subject: [Full-disclosure] SEC Consult SA-20071101-0 :: Multiple Vulnerabilities in SonicWALL SSL-VPN Client
Message-ID: <1193918797.23574.1.camel@b4byl0n>

SEC Consult Security Advisory < 20071101-0 >
=====================================================================================
              title: Multiple vulnerabilities in SonicWALL SSL-VPN Client
                     * Deletion of arbitrary files on the client
                     * Arbitrary code execution through various buffer overflows
            program: SonicWALL SSL-VPN
 vulnerable version: SonicWALL SSL-VPN 1.3.0.3
                     WebCacheCleaner ActiveX Control 1.3.0.3
                     NeLaunchCtrl ActiveX Control 2.1.0.49
           homepage: www.sonicwall.com
              found: 04-23-2007
                 by: lofi42
         perm. link: http://www.sec-consult.com/303.html
=====================================================================================

Vendor description:
---------------

SonicWALL SSL-VPN solutions can be configured to provide users with
easy-to-use, secure and clientless remote access to a broad range of
resources on the corporate network.

Vulnerability overview:
---------------

The SonicWALL SSL-VPN solution comes with various ActiveX Controls which
allow users to access the VPN with Internet Explorer. These controls
contain various vulnerabilities. An attacker could take control of the
affected clients by placing exploit code on a webserver. He would then
have to entice VPN users to visit the website, e.g. by conducting a
phishing attack. Various other attack vectors exist (DNS redirection,
owning an intranet website, ...).

Vulnerability details:
---------------

1.)
Deletion of arbitrary files

The WebCacheCleaner ActiveX Control provides the method FileDelete()
which, working as advertised, allows the attacker to delete arbitrary
files on the client.

=== Proof of Concept 1 (VBScript) ===

dim o
Set o = CreateObject("MLWebCacheCleaner.WebCacheCleaner.1")
o.FileDelete("c:\bla\bla")

=== /Proof of Concept 1 ===

2.) Multiple buffer overflows

A stack-based buffer overflow exists in the AddRouteEntry() method of the
NELaunchCtrl ActiveX Control. Specifically, the second parameter to this
method is copied into a stack buffer without length validation. Use the
following to make the process jump into UVWX-land:

o.AddRouteEntry ("", "ABCDEFGHIJKLMNOPQRSTUVWX");

Additionally, the following properties suffer from Unicode overflows:

serverAddress
sessionId
clientIPLower
clientIPHigher
userName
domainName
dnsSuffix

=== Proof of Concept 2 ===

A code execution exploit will not be released to the public. However, as
exploitation is trivial, we strongly advise performing an update.

vendor status:
---------------
vendor notified: 2007-05-21
vendor response: 2007-05-21
patch available: September 2007

The issues have been fixed with version 2.1 of SSL-VPN 200 and version
2.5 of SSL-VPN 2000/4000.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* The vulnerabilities described above have been purchased by SEC Consult
from an independent security researcher. In the research bonus programme,
SEC Consult is looking for security vulnerabilities in common software
products. For more information, contact research [at] sec-consult [dot] com

EOF Bernhard Mueller / SEC Consult

From joxeankoret at yahoo.es Thu Nov 1 14:36:32 2007
From: joxeankoret at yahoo.es (Joxean Koret)
Date: Thu, 01 Nov 2007 15:36:32 +0100
Subject: [Full-disclosure] Full-Disclosure Digest, Vol 33, Issue 1
In-Reply-To:
References:
Message-ID: <1193927792.27541.4.camel@localhost>

Hi,

You're wrong.
First of all, yes, it is a preauth sql injection in an "admin console" but,
if you have privileges to connect to the Oracle Financials instance, even
as a normal unprivileged user, you have sufficient privileges to access
it. You don't need to have assigned the SYSADMIN responsibility.

And second, there are many ways to bypass authentication in Oracle
E-Business Suite, at least in version 11i, I'm not sure if the same
problems apply to R12. I can't release more details right now.

Thanks,
Joxean Koret

On Thu, 2007-11-01 at 12:00 +0000, full-disclosure-request at lists.grok.org.uk wrote:
>
> Message: 8
> Date: Wed, 31 Oct 2007 22:55:36 -0500
> From: reepex
> Subject: Re: [Full-disclosure] ZDI-07-058: Oracle E-Business Suite SQL
>     Injection Vulnerability
> To: "zdi-disclosures at 3com.com" ,
>     full-disclosure at lists.grok.org.uk
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> post auth sql injection in random admin console - lulz
>
> On 10/31/07, zdi-disclosures at 3com.com
> wrote:
> > The specific flaw exists in the okxLOV.jsp page in the
> Administration
> > console.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071101/63f35565/attachment.bin

From simon at snosoft.com Thu Nov 1 16:18:32 2007
From: simon at snosoft.com (Simon Smith)
Date: Thu, 01 Nov 2007 12:18:32 -0400
Subject: [Full-disclosure] Flash that simulates virus scan
In-Reply-To:
References:
Message-ID: <4729FC58.8070201@snosoft.com>

Heh... not sure what government you're referring to... btw, you going to
answer my earlier question or not?

reepex wrote:
> dont you listen to pdp ever? the government uses xss and bruteforces
> remote desktop logins
>
> http://seclists.org/fulldisclosure/2007/Oct/0417.html
>
> pdp: "military grade exploits? :) dude, I am sorry man..
> but you are living
> in some kind of a dream world. get real, most of the military hacks
> are as simple as bruteforcing the login prompt.. or trying something
> as simple as XSS."
>
> ------
>
> pdp is an hero and a computer security expert and based on his fans
> from the list he is the greatest researcher since lcamtuf. his word =
> gold
>
>
>
> On 11/1/07, jf wrote:
>> must be on one of the .gov red teams ;]
>>
>>
>> On Wed, 31 Oct 2007, reepex wrote:
>>
>>> Date: Wed, 31 Oct 2007 16:56:20 -0500
>>> From: reepex
>>> To: Joshua Tagnore ,
>>>     full-disclosure at lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] Flash that simulates virus scan
>>>
>>> resorting to SE in a pen test cuz you can't break any of the actual machines?
>>>
>>> lulz
>>>
>>> On 10/31/07, Joshua Tagnore wrote:
>>>> List,
>>>>
>>>> Some time ago I remember that someone posted a PoC of a small site that
>>>> had a really nice looking flash animation that "performed a virus scan" and
>>>> after the "virus scan" was finished, the user was prompted for a "Download
>>>> virus fix?" question. After that, of course, a file is sent to the user and
>>>> he got infected with some malware. Right now I'm performing a penetration
>>>> test, and I would like to target some of the users of the corporate LAN, so
>>>> I think this approach is the best in order to penetrate to the LAN.
>>>>
>>>> I searched google but failed to find the URL, could someone send it to
>>>> me ? Thanks!
>>>>
>>>> Cheers,
>>>> --
>>>> Joshua Tagnore
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter:
>>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
- simon
----------------------
http://www.snosoft.com

From Dirk_Kollberg at avertlabs.com Thu Nov 1 11:48:17 2007
From: Dirk_Kollberg at avertlabs.com (Kollberg, Dirk)
Date: Thu, 1 Nov 2007 11:48:17 -0000
Subject: [Full-disclosure] an open letter to kevin bacon: hello, how's it going?
In-Reply-To: <5e01c29a0711010445i25975a52t61ef3039adc946b7@mail.gmail.com>
Message-ID:

What did your last slave die of?

Dirk

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk
[mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of silky
Sent: Thursday, 1 November 2007 12:45
To: Full-Disclosure
Subject: [Full-disclosure] an open letter to kevin bacon: hello,how's it going?

please, if you know kevin bacon, can you forward this mail to him, and
have him reply to me? or at least if you know someone who you think
might then know him, please send it on.

i'm testing something. thanks.

==========================================================

hi kevin!

it's mike! how are you? doing any new movies? i hope so. keep up the
good work.

all the best.

--
mike

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

From security at mandriva.com Thu Nov 1 17:52:44 2007
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 01 Nov 2007 11:52:44 -0600
Subject: [Full-disclosure] [ MDKSA-2007:203 ] - Updated xen packages fix multiple vulnerabilities
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:203
 http://www.mandriva.com/security/
_______________________________________________________________________

 Package : xen
 Date    : November 1, 2007
 Affected: 2007.0, 2007.1, Corporate 4.0
_______________________________________________________________________

 Problem Description:

 Tavis Ormandy discovered a heap overflow flaw during video-to-video
 copy operations in the Cirrus VGA extension code that is used in Xen.
 A malicious local administrator of a guest domain could potentially
 trigger this flaw and execute arbitrary code outside of the domain
 (CVE-2007-1320).

 Tavis Ormandy also discovered insufficient input validation leading to
 a heap overflow in the NE2000 network driver in Xen. If the driver is
 in use, a malicious local administrator of a guest domain could
 potentially trigger this flaw and execute arbitrary code outside of
 the domain (CVE-2007-1321, CVE-2007-5729, CVE-2007-5730).

 Steve Kemp found that xen-utils used insecure temporary files within
 the xenmon tool that could allow local users to truncate arbitrary
 files (CVE-2007-3919).

 Joris van Rantwijk discovered a flaw in Pygrub, which is used as a boot
 loader for guest domains. A malicious local administrator of a guest
 domain could create a carefully-crafted grub.conf file which could
 trigger the execution of arbitrary code outside of that domain
 (CVE-2007-4993).

 Updated packages have been patched to prevent these issues.
_______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1320
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1321
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3919
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4993
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5729
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5730
_______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.0:
 70b7495f9eb6597b8dcff92a6a698a28  2007.0/i586/xen-3.0.3-0.20060703.3.1mdv2007.0.i586.rpm
 c939b93cb67251235a9c8f2824609702  2007.0/SRPMS/xen-3.0.3-0.20060703.3.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 f35d3563e67a0a887c439657b2e29afb  2007.0/x86_64/xen-3.0.3-0.20060703.3.1mdv2007.0.x86_64.rpm
 c939b93cb67251235a9c8f2824609702  2007.0/SRPMS/xen-3.0.3-0.20060703.3.1mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 183ef09d8ed8171adc894cbb606f922f  2007.1/i586/xen-3.0.3-0.20060703.5.1mdv2007.1.i586.rpm
 f4a0bfc9c6d5ae01664c8a906580b873  2007.1/SRPMS/xen-3.0.3-0.20060703.5.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 c05336d0eef357b2b2c191286c4d679e  2007.1/x86_64/xen-3.0.3-0.20060703.5.1mdv2007.1.x86_64.rpm
 f4a0bfc9c6d5ae01664c8a906580b873  2007.1/SRPMS/xen-3.0.3-0.20060703.5.1mdv2007.1.src.rpm

 Corporate 4.0:
 ec6876abb87e57d61257f3b3c6659c22  corporate/4.0/i586/xen-3.0.1-3.1.20060mlcs4.i586.rpm
 72a302b77a88766cc43276e431dabf79  corporate/4.0/SRPMS/xen-3.0.1-3.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 894c37bcf10d4ec8973ed11a5613aeb5  corporate/4.0/x86_64/xen-3.0.1-3.1.20060mlcs4.x86_64.rpm
 72a302b77a88766cc43276e431dabf79  corporate/4.0/SRPMS/xen-3.0.1-3.1.20060mlcs4.src.rpm
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.
 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHKedgmqjQ0CJFipgRAmTXAKCAEm6z1c2R/ytIvaOMgo5E4b1DjQCg45Al
0O2pCKezAKoxA9mnUnefN7k=
=z8ZQ
-----END PGP SIGNATURE-----

From version5 at gmail.com Thu Nov 1 20:10:38 2007
From: version5 at gmail.com (nnp)
Date: Thu, 1 Nov 2007 13:10:38 -0700
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To:
References:
Message-ID: <28749c0e0711011310y5563e1arf97f173f6563b8e1@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oh don't be so bloody sensationalist. You're worse than the
journalists because you should know better.

- -nnp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: http://firegpg.tuxfamily.org

iD8DBQFHKpQRbP10WPHfgnQRAtZ9AKDIydXWUjKGq4OboanGyxHXFMYdWACfUGvX
hky9nDk4BKs4MdK+htgIGv0=
=k7Xe
-----END PGP SIGNATURE-----

On 10/31/07, Gadi Evron wrote:
> For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> dropped, infecting mac users.
> Yes, it is being done by a regular online gang--itw--it is not yet another
> proof of concept. The same gang infects Windows machines as well, just
> that now they also target macs.
>
> http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
>
> This means one thing: Apple's day has finally come and Apple users are
> going to get hit hard.
> All those unpatched vulnerabilities from years past
> are going to bite them in the behind.
>
> I can sum it up in one sentence: OS X is the new Windows 98. Investing in
> security ONLY as a last resort loses money, but everyone has to learn it
> for themselves.
>
> Gadi Evron.
>

-- 
http://www.smashthestack.org
http://www.unprotectedhex.com

From reepex at gmail.com Thu Nov 1 20:11:11 2007
From: reepex at gmail.com (reepex)
Date: Thu, 1 Nov 2007 15:11:11 -0500
Subject: [Full-disclosure] Full-Disclosure Digest, Vol 33, Issue 1
In-Reply-To: <1193927792.27541.4.camel@localhost>
References: <1193927792.27541.4.camel@localhost>
Message-ID:

On Nov 1, 2007 9:36 AM, Joxean Koret wrote:
> First of all, yes, is a preauth sql injection in an "admin
> console" but, if you have privileges to connect to the Oracle Financials
> instance,

So as I said it's 'post auth' sql injection but thanks for clarifying.

> And second, there are many ways to bypass authentication in Oracle
> E-Business Suite, at least in version 11i, I'm not sure if the same
> problems applies to R12. I can't release more details right now.

hasn't this list been over people who 'have bugs' but 'cant release them
for fear/fame/drama purposes'

Do you *really* *want* *to* *be* in the same category as pdp and drraid.

( Notice how I sound smart by using a lot of **** like the great valdis )

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071101/6ca16af6/attachment.html

From reepex at gmail.com Thu Nov 1 20:25:44 2007
From: reepex at gmail.com (reepex)
Date: Thu, 1 Nov 2007 15:25:44 -0500
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To: <28749c0e0711011310y5563e1arf97f173f6563b8e1@mail.gmail.com>
References: <28749c0e0711011310y5563e1arf97f173f6563b8e1@mail.gmail.com>
Message-ID:

It is funny that gadi does not post to this list anymore..
maybe it's because he knows people here can actually express their opinion
against his retarded posts without being moderated?

anyway of course gadi is going to jump over stuff like this because it
takes no technical knowledge to write about. If you want another example
of this try "sun's /8" in google and you will find gadi's low level
technical research about the solaris telnet vulnerability or look up his
crap about the no auth vnc bugs. These are the only bugs known to date
that gadi evron could comprehend so he has to make many posts about them
to keep his name high on google rankings for when he searches for his
name daily [1].

[1] http://seclists.org/fulldisclosure/2007/Sep/0058.html

On Nov 1, 2007 3:10 PM, nnp wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Oh don't be so bloody sensationalist. You're worse than the
> journalists because you should know better.
>
> - -nnp
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (Darwin)
> Comment: http://firegpg.tuxfamily.org
>
> iD8DBQFHKpQRbP10WPHfgnQRAtZ9AKDIydXWUjKGq4OboanGyxHXFMYdWACfUGvX
> hky9nDk4BKs4MdK+htgIGv0=
> =k7Xe
> -----END PGP SIGNATURE-----
>
> On 10/31/07, Gadi Evron wrote:
> > For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> > dropped, infecting mac users.
> > Yes, it is being done by a regular online gang--itw--it is not yet another
> > proof of concept. The same gang infects Windows machines as well, just
> > that now they also target macs.
> >
> > http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> > http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
> >
> > This means one thing: Apple's day has finally come and Apple users are
> > going to get hit hard. All those unpatched vulnerabilities from years past
> > are going to bite them in the behind.
> >
> > I can sum it up in one sentence: OS X is the new Windows 98.
> > Investing in
> > security ONLY as a last resort loses money, but everyone has to learn it
> > for themselves.
> >
> > Gadi Evron.
> >
>
> --
> http://www.smashthestack.org
> http://www.unprotectedhex.com
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071101/9293adc7/attachment.html

From security at mandriva.com Thu Nov 1 20:36:52 2007
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 01 Nov 2007 14:36:52 -0600
Subject: [Full-disclosure] [ MDKSA-2007:204 ] - Updated cups packages fix vulnerability
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:204
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : cups
 Date    : November 1, 2007
 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Alin Rad Pop of Secunia Research discovered a vulnerability in CUPS
 that can be exploited by malicious individuals to execute arbitrary
 code. This flaw is due to a boundary error when processing IPP
 (Internet Printing Protocol) tags.

 Updated packages have been patched to prevent these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4351
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.0:
 e23b399fd831bdd8c603c9e3b4c48ffc  2007.0/i586/cups-1.2.4-1.4mdv2007.0.i586.rpm
 7c4e0384b1a191627b7f8e9a4ae9d4a6  2007.0/i586/cups-common-1.2.4-1.4mdv2007.0.i586.rpm
 ce4b32b8af4fd0977deaafc74441c014  2007.0/i586/cups-serial-1.2.4-1.4mdv2007.0.i586.rpm
 d06368c9caa68f936a5e6dda6e7fb5c6  2007.0/i586/libcups2-1.2.4-1.4mdv2007.0.i586.rpm
 a244f21ce09342e9c315a344cf596d85  2007.0/i586/libcups2-devel-1.2.4-1.4mdv2007.0.i586.rpm
 dc41bf3eb0d83fd03fcc34f289f8eb6c  2007.0/i586/php-cups-1.2.4-1.4mdv2007.0.i586.rpm
 3b2e000cc3b936c3a8b7094f31a09397  2007.0/SRPMS/cups-1.2.4-1.4mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 a6628ec9ac0cbe200e088eda57a9c5bc  2007.0/x86_64/cups-1.2.4-1.4mdv2007.0.x86_64.rpm
 2e58f927d087a003e00812d825ee22f5  2007.0/x86_64/cups-common-1.2.4-1.4mdv2007.0.x86_64.rpm
 af7e07631f23b72dd253b1c577fd80ba  2007.0/x86_64/cups-serial-1.2.4-1.4mdv2007.0.x86_64.rpm
 297711478022026dedc25fb7aafaf780  2007.0/x86_64/lib64cups2-1.2.4-1.4mdv2007.0.x86_64.rpm
 c7d7c450464a5b4ce987b873374d7672  2007.0/x86_64/lib64cups2-devel-1.2.4-1.4mdv2007.0.x86_64.rpm
 2f9d2f0042ec013c8f7a1bb6ee400165  2007.0/x86_64/php-cups-1.2.4-1.4mdv2007.0.x86_64.rpm
 3b2e000cc3b936c3a8b7094f31a09397  2007.0/SRPMS/cups-1.2.4-1.4mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 b62822552fe48abaeced97000b1645a5  2007.1/i586/cups-1.2.10-2.2mdv2007.1.i586.rpm
 4786bd22d5d34e824e06e28a3d1c2c39  2007.1/i586/cups-common-1.2.10-2.2mdv2007.1.i586.rpm
 f97ec418e42340268ffd3f525b0bedbe  2007.1/i586/cups-serial-1.2.10-2.2mdv2007.1.i586.rpm
 c70082109a3447dc47b873062d0d5a7d  2007.1/i586/libcups2-1.2.10-2.2mdv2007.1.i586.rpm
 5ccaf6cc0d42c4d3c6c39fc7a5d1aa47  2007.1/i586/libcups2-devel-1.2.10-2.2mdv2007.1.i586.rpm
 ea9bfd729bfeb62ec3abade783056406  2007.1/i586/php-cups-1.2.10-2.2mdv2007.1.i586.rpm
 939f5648ef070af9f2280b0dc127e2fd  2007.1/SRPMS/cups-1.2.10-2.2mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 76efedcbae8bb5d6bba0b53831b0c2a0  2007.1/x86_64/cups-1.2.10-2.2mdv2007.1.x86_64.rpm
 a6391bf0397645a1d7c624b65dc4b5e6  2007.1/x86_64/cups-common-1.2.10-2.2mdv2007.1.x86_64.rpm
 26fbf6292b5c24aa357485d6739a030b  2007.1/x86_64/cups-serial-1.2.10-2.2mdv2007.1.x86_64.rpm
 055ae27cc25345cfe93f672b3f3d3dea  2007.1/x86_64/lib64cups2-1.2.10-2.2mdv2007.1.x86_64.rpm
 8c46ae6621d662416c6fd48eb900c3fa  2007.1/x86_64/lib64cups2-devel-1.2.10-2.2mdv2007.1.x86_64.rpm
 5bf659a25b401d796a8107e61f71d824  2007.1/x86_64/php-cups-1.2.10-2.2mdv2007.1.x86_64.rpm
 939f5648ef070af9f2280b0dc127e2fd  2007.1/SRPMS/cups-1.2.10-2.2mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 a2953f5265fb935eb21b2395bd5e48a5  2008.0/i586/cups-1.3.0-3.1mdv2008.0.i586.rpm
 8d2ee10edb681cffab4bf1b63d327857  2008.0/i586/cups-common-1.3.0-3.1mdv2008.0.i586.rpm
 f2487ba24e5f4281892a8295377b9bd7  2008.0/i586/cups-serial-1.3.0-3.1mdv2008.0.i586.rpm
 3de803df9e94fb17280953ab8e3e43cc  2008.0/i586/libcups2-1.3.0-3.1mdv2008.0.i586.rpm
 27ac1ea66b531ebec1b5c8cfc16e782a  2008.0/i586/libcups2-devel-1.3.0-3.1mdv2008.0.i586.rpm
 f1ea38b7d9d6e840fc94b9b6abe1e302  2008.0/i586/php-cups-1.3.0-3.1mdv2008.0.i586.rpm
 6fc544ca63eecd0baaae2235d46c31b4  2008.0/SRPMS/cups-1.3.0-3.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 e50c2e551dddb674dddd69ac6eb92c8a  2008.0/x86_64/cups-1.3.0-3.1mdv2008.0.x86_64.rpm
 45a3a9b26a88c9a218390535bbc07a5c  2008.0/x86_64/cups-common-1.3.0-3.1mdv2008.0.x86_64.rpm
 ef765e8642ed2a2bfb3ff2d48f6ccff6  2008.0/x86_64/cups-serial-1.3.0-3.1mdv2008.0.x86_64.rpm
 de91abd87fba62eccf56f6297afde42b  2008.0/x86_64/lib64cups2-1.3.0-3.1mdv2008.0.x86_64.rpm
 b6668430e0d7de9409a4944183017c77  2008.0/x86_64/lib64cups2-devel-1.3.0-3.1mdv2008.0.x86_64.rpm
 5b2387f00099aa746837651648e1ad86  2008.0/x86_64/php-cups-1.3.0-3.1mdv2008.0.x86_64.rpm
 6fc544ca63eecd0baaae2235d46c31b4  2008.0/SRPMS/cups-1.3.0-3.1mdv2008.0.src.rpm

 Corporate 3.0:
 15d47f4a424509184dd470da0367e4d7  corporate/3.0/i586/cups-1.1.20-5.13.C30mdk.i586.rpm
 919fcbbbaf3d98be034b99c8557ca077  corporate/3.0/i586/cups-common-1.1.20-5.13.C30mdk.i586.rpm
 4afd975f1d917bdc4295efeff6da7b59  corporate/3.0/i586/cups-serial-1.1.20-5.13.C30mdk.i586.rpm
 73cc314ecb9ad5667521b0c25c4bde6b  corporate/3.0/i586/libcups2-1.1.20-5.13.C30mdk.i586.rpm
 f735244992f18a5edcf6911b7a755072  corporate/3.0/i586/libcups2-devel-1.1.20-5.13.C30mdk.i586.rpm
 6e7caebc791076f1b7be6e01feb32843  corporate/3.0/SRPMS/cups-1.1.20-5.13.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 8ac0fa6a86ad44b1542ed2a6917058f0  corporate/3.0/x86_64/cups-1.1.20-5.13.C30mdk.x86_64.rpm
 592aa5849264c2e83973b9e0025e6686  corporate/3.0/x86_64/cups-common-1.1.20-5.13.C30mdk.x86_64.rpm
 d57eb8c52fd2caacebacf5374915fa3d  corporate/3.0/x86_64/cups-serial-1.1.20-5.13.C30mdk.x86_64.rpm
 f96e95f4c460456c4e7fc939245e2c92  corporate/3.0/x86_64/lib64cups2-1.1.20-5.13.C30mdk.x86_64.rpm
 a10a7345e5d8854d51cfd3f8b1ace568  corporate/3.0/x86_64/lib64cups2-devel-1.1.20-5.13.C30mdk.x86_64.rpm
 6e7caebc791076f1b7be6e01feb32843  corporate/3.0/SRPMS/cups-1.1.20-5.13.C30mdk.src.rpm

 Corporate 4.0:
 a0f3d078a74b2c53e4584bb38cce9a3c  corporate/4.0/i586/cups-1.2.4-0.4.20060mlcs4.i586.rpm
 d6d6ad7ccc2a10e2afef7c4df1ff356f  corporate/4.0/i586/cups-common-1.2.4-0.4.20060mlcs4.i586.rpm
 acdb601c9b45c6c3aac33a8c35511df1  corporate/4.0/i586/cups-serial-1.2.4-0.4.20060mlcs4.i586.rpm
 92dbd07ab275e28ef5e9389b0ba41044  corporate/4.0/i586/libcups2-1.2.4-0.4.20060mlcs4.i586.rpm
 5d785917c935e1be68259d6ddcc39c34  corporate/4.0/i586/libcups2-devel-1.2.4-0.4.20060mlcs4.i586.rpm
 30178e2b49f94797265f8bd5521f4feb  corporate/4.0/i586/php-cups-1.2.4-0.4.20060mlcs4.i586.rpm
 c69b9cb3c9cc0195754ad0abbba86909  corporate/4.0/SRPMS/cups-1.2.4-0.4.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 94a66b9c5c857dac0608740b59d3c7d3  corporate/4.0/x86_64/cups-1.2.4-0.4.20060mlcs4.x86_64.rpm
 8b85a0601a5140a2124f6f4a226636ab  corporate/4.0/x86_64/cups-common-1.2.4-0.4.20060mlcs4.x86_64.rpm
 626e94c62eb6a8542218add3acf5643d  corporate/4.0/x86_64/cups-serial-1.2.4-0.4.20060mlcs4.x86_64.rpm
 8981312a07b0073590a0a9fe47d84fa4  corporate/4.0/x86_64/lib64cups2-1.2.4-0.4.20060mlcs4.x86_64.rpm
 52c5bcce946a258be2961cfc0aeac04c  corporate/4.0/x86_64/lib64cups2-devel-1.2.4-0.4.20060mlcs4.x86_64.rpm
 b93fee3d490982b27af59c547c82ea26  corporate/4.0/x86_64/php-cups-1.2.4-0.4.20060mlcs4.x86_64.rpm
 c69b9cb3c9cc0195754ad0abbba86909  corporate/4.0/SRPMS/cups-1.2.4-0.4.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHKg0pmqjQ0CJFipgRAm7rAJ9DbE0ifwt++PgAsGkZubl7/XMpPgCeJmnH
Lbv+H8gJvXS25ZSt2Bi04gk=
=7SuA
-----END PGP SIGNATURE-----

From scblock at ev-15.com Thu Nov 1 19:27:07 2007
From: scblock at ev-15.com (Steven Block)
Date: Thu, 1 Nov 2007 13:27:07 -0600
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To:
References:
Message-ID:

You're an idiot.

Save this as a script and run it, it will give you unlimited power:

#!/bin/sh
sudo rm -rf /

Enter your password if you are prompted.

Oh look, malware.

On Oct 31, 2007, at 5:21 PM, Gadi Evron wrote:

> For whoever didn't hear, there is a Macintosh trojan in-the-wild
> being dropped, infecting mac users.
> Yes, it is being done by a regular online gang--itw--it is not yet
> another proof of concept. The same gang infects Windows machines as
> well, just that now they also target macs.
>
> http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
>
> This means one thing: Apple's day has finally come and Apple users
> are going to get hit hard. All those unpatched vulnerabilities from
> years past are going to bite them in the behind.
>
> I can sum it up in one sentence: OS X is the new Windows 98.
> Investing in security ONLY as a last resort loses money, but everyone
> has to learn it for themselves.
>
> Gadi Evron.

From thor at hammerofgod.com Fri Nov 2 00:14:43 2007
From: thor at hammerofgod.com (Thor (Hammer of God))
Date: Thu, 1 Nov 2007 17:14:43 -0700
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To:
References:
Message-ID:

> For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> dropped, infecting mac users.
> Yes, it is being done by a regular online gang--itw--it is not yet
> another proof of concept. The same gang infects Windows machines as just
> that now they also target macs.
>
> http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
>
> This means one thing: Apple's day has finally come and Apple users are
> going to get hit hard. All those unpatched vulnerabilities from years
> past are going to bite them in the behind.

Let's not over-hype this-- while "Apple's day" has been coming, saying
that users will be "hit hard" on something the user has to manually
download, manually execute, and explicitly grant administrative
privileges to is *way* over the top.

> I can sum it up in one sentence: OS X is the new Windows 98.
> Investing in security ONLY as a last resort loses money, but everyone
> has to learn it for themselves.

Not "the new Windows 98" by a long shot - saying that is just
irresponsible. While Apple is not used to dealing with security in the
same way that other companies are, comparing OSX to Windows 98 is not
only a huge technical inaccuracy, but you also insult MAC users out
there. OSX had "UAC-like unprivileged user controls" way before Vista
did - let's not try to start some holy-war on this like people have
tried to do with Windows vs Linux in the past.

If you want to report this, then report it-- but say what it is, a
totally lame user-must-be-drunk "exploit" that requires that all manner
of things go wrong before it works -- otherwise people will think that
you've dressed up as Steve Gibson for Halloween.

t

From nick at virus-l.demon.co.uk Thu Nov 1 21:34:26 2007
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Date: Fri, 02 Nov 2007 10:34:26 +1300
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To:
References:
Message-ID: <472AFD32.6546.339CE0EF@nick.virus-l.demon.co.uk>

Steven Block to Gadi Evron:

> You're an idiot.
>
> Save this as a script and run it, it will give you unlimited power:
>
> #!/bin/sh
> sudo rm -rf /
>
> Enter your password if you are prompted.
>
> Oh look, malware.

Were you looking in a mirror while writing that?

If you think there are not "roughly similar" proportions of Mac and
Windows users who will do more or less that, then I know who the idiot
is here and it's not Gadi...
Yes, today, the average level of clue among Mac users is probably a
shade higher than amongst Windows users, and yes in its default or
typical configurations Windows XP (and earlier) does make it a little
easier for the terminally clueless to shoot themselves in the feet, but
if you need an introduction to the basics of population statistics to
understand the flaw in your "argument" I'm surprised you managed to get
yourself subscribed to these lists in the first place.

...

Now, if you wish to discuss the wisdom of predicting that this specific
instance of Mac malware will be the real "sky is falling" moment, I
think we may agree about the advisability (or otherwise) of making such
predictions as loudly and publicly as Gadi did, but to dismiss this kind
of malware out of hand because of your ignorance of typical user
behaviour is less than clever.

Regards,

Nick FitzGerald

From pauls at utdallas.edu Thu Nov 1 21:10:49 2007
From: pauls at utdallas.edu (Paul Schmehl)
Date: Thu, 01 Nov 2007 16:10:49 -0500
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To:
References:
Message-ID: <27F60BA59939F4A0A19FACD5@utd59514.utdallas.edu>

--On Thursday, November 01, 2007 13:27:07 -0600 Steven Block wrote:

> You're an idiot.
>
> Save this as a script and run it, it will give you unlimited power:
>
> #!/bin/sh
> sudo rm -rf /
>
> Enter your password if you are prompted.
>
> Oh look, malware.

If you don't think this is an issue, you're not very aware of what's going
on these days. The vast majority of present successful attacks on Windows
are not exploiting vulnerabilities in Windows but taking advantage of the
gullibility of users. There is no reason to believe that Mac users will be
any less gullible than Windows users and plenty of reason to believe they
will be less aware of the potential pitfalls of social engineering,
because, until now, they haven't been targeted.

This attack is real and will be successful to the degree that Mac users
fall for the fake codec scam.
This same scam has worked quite well on Windows users and patch level,
etc. is irrelevant. The only chance a gullible person has is *if* they are
running anti-virus software and *if* that software detects this malware
and *if* they pay attention to the warnings and do not install the
"codec". How many people who own/use Macs even have anti-virus software
installed, much less up to date?

Yes, *you* might not fall for it. Plenty of people have and will continue
to do so, just as they fall for 419 scams and all the other crap the bad
guys inundate them with.

Judging by the reactions of Mac (and some security) "experts", this attack
should be wildly successful.

-- 
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

From reepex at gmail.com Thu Nov 1 21:42:51 2007
From: reepex at gmail.com (reepex)
Date: Thu, 1 Nov 2007 16:42:51 -0500
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To: <472AFD32.6546.339CE0EF@nick.virus-l.demon.co.uk>
References: <472AFD32.6546.339CE0EF@nick.virus-l.demon.co.uk>
Message-ID:

On Nov 1, 2007 4:34 PM, Nick FitzGerald wrote:
> Yes, today, the average level of clue among Mac users is probably a
> shade higher than amongst Windows users,

Is this a joke? The reason people switch to macs is because they cannot
handle simple tasks. Isn't the main thing said by new mac users 'it just
works' meaning 'I couldn't figure out windows'. The main users of macs
are liberal arts students and hippies .. and we all know the technical
level of these people.

> think we may agree about the advisability (or otherwise) of making such
> predictions as loudly and publicly as Gadi did,

this page [1] has been dedicated to gadi evron because of events like these

[1] http://www.encyclopediadramatica.com/index.php/Attention_whore

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071101/2fd454f9/attachment.html

From pauls at utdallas.edu Thu Nov 1 21:50:59 2007
From: pauls at utdallas.edu (Paul Schmehl)
Date: Thu, 01 Nov 2007 16:50:59 -0500
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To:
References: <472AFD32.6546.339CE0EF@nick.virus-l.demon.co.uk>
Message-ID: <103220157A72332B29797238@utd59514.utdallas.edu>

--On Thursday, November 01, 2007 16:42:51 -0500 reepex wrote:

> On Nov 1, 2007 4:34 PM, Nick FitzGerald wrote:
>
> > Yes, today, the average level of clue among Mac users is probably a
> > shade higher than amongst Windows users,
>
> Is this a joke? The reason people switch to macs is because they cannot
> handle simple tasks. Isn't the main thing said by new mac users 'it
> just works' meaning 'I couldn't figure out windows'. The main users of
> macs are liberal arts students and hippies .. and we all know the
> technical level of these people.
>

You apparently haven't been around Macs recently. *Many* technical people,
*especially* Unix and security admins, have started using Macs because they
provide all the functionality of Unix with a beautiful GUI on top.

Besides, I'll put the technical prowess of a liberal arts major up against
the technical prowess of a computer science major *any* day, and spot them
two full months to study. CS majors can code like monkeys, but they don't
have a clue how a computer works. :-)

-- 
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

From reepex at gmail.com Thu Nov 1 21:59:38 2007
From: reepex at gmail.com (reepex)
Date: Thu, 1 Nov 2007 16:59:38 -0500
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To: <103220157A72332B29797238@utd59514.utdallas.edu>
References: <472AFD32.6546.339CE0EF@nick.virus-l.demon.co.uk> <103220157A72332B29797238@utd59514.utdallas.edu>
Message-ID:

I will take that pepsi challenge...
what is at stake ;)

On Nov 1, 2007 4:50 PM, Paul Schmehl wrote:
> --On Thursday, November 01, 2007 16:42:51 -0500 reepex wrote:
>
> > On Nov 1, 2007 4:34 PM, Nick FitzGerald wrote:
> >
> > > Yes, today, the average level of clue among Mac users is probably a
> > > shade higher than amongst Windows users,
> >
> > Is this a joke? The reason people switch to macs is because they cannot
> > handle simple tasks. Isn't the main thing said by new mac users 'it
> > just works' meaning 'I couldn't figure out windows'. The main users of
> > macs are liberal arts students and hippies .. and we all know the
> > technical level of these people.
> >
>
> You apparently haven't been around Macs recently. *Many* technical people,
> *especially* Unix and security admins, have started using Macs because they
> provide all the functionality of Unix with a beautiful GUI on top.
>
> Besides, I'll put the technical prowess of a liberal arts major up against
> the technical prowess of a computer science major *any* day, and spot them
> two full months to study. CS majors can code like monkeys, but they don't
> have a clue how a computer works. :-)
>
> --
> Paul Schmehl (pauls at utdallas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071101/55e9f335/attachment.html

From version5 at gmail.com Thu Nov 1 22:27:55 2007
From: version5 at gmail.com (nnp)
Date: Thu, 1 Nov 2007 15:27:55 -0700
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net>
References: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net>
Message-ID: <28749c0e0711011527m70a6e537j4b75d18e24dd5a22@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There's a difference between ignoring something and making a statement like
'OS X is the new Windows 98.' It's sensationalist and of no use, especially
when posted to lists that are supposedly populated with security experts.
Everyone here is aware of the consequences of malware and the manipulation
of end users to spread it. Of course it's interesting that a criminal group
has taken to spreading this but hyping up the consequences of it does
nobody any good and is just spreading FUD. To me it seems like the original
poster is trying to get a quote in some tech/security/computer magazine.

No one is suggesting that the propagation of this malware among macs isn't
a threat and that its supposed mass spreading by a criminal group is of
course a cause for worry. What we have an issue with is the manner in which
it is reported and the hyperbole that is becoming more and more prevalent
among security experts seeking to promote themselves and their companies.

A useful post on this matter would be one that includes an analysis of the
malware itself, perhaps some statistics on its prevalence etc. i.e. hard
facts.

Some people would do well to remember that we are supposedly engineers and
scientists, not journalists and fiction writers.
- --nnp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: http://firegpg.tuxfamily.org

iD8DBQFHKrQ9bP10WPHfgnQRArr1AKDOCfTdsrq6X7HtkG7qTfmaqVoGpwCcDmtp
HvyAAKhouMDUKBe0VHAabMM=
=GzY/
-----END PGP SIGNATURE-----

On 11/1/07, Alex Eckelberry wrote:
> > Let's not over-hype this-- while "Apple's day" has been coming, saying
> > that users will be "hit hard" on something the user has to
> > manually download, manually execute, and explicitly grant
> > administrative privileges to is *way* over the top.
>
> The future of malware is going to be largely through social engineering.
> Does that mean we ignore every threat that comes out because it requires
> user interaction? Seems like whistling past the graveyard to me.
>
> Alex
>
>
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor at hammerofgod.com]
> Sent: Thursday, November 01, 2007 8:15 PM
> To: Gadi Evron; bugtraq at securityfocus.com; full-disclosure at lists.grok.org.uk
> Subject: RE: mac trojan in-the-wild
>
> > > For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> > > dropped, infecting mac users.
> > > Yes, it is being done by a regular online gang--itw--it is not yet
> > > another proof of concept. The same gang infects Windows machines as
> > > well, just that now they also target macs.
> > >
> > > http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> > > http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
> > >
> > > This means one thing: Apple's day has finally come and Apple users are
> > > going to get hit hard. All those unpatched vulnerabilities from years
> > > past are going to bite them in the behind.
> >
> > Let's not over-hype this-- while "Apple's day" has been coming, saying
> > that users will be "hit hard" on something the user has to manually
> > download, manually execute, and explicitly grant administrative
> > privileges to is *way* over the top.
> > > I can sum it up in one sentence: OS X is the new Windows 98. Investing
> > > in security ONLY as a last resort loses money, but everyone has to
> > > learn it for themselves.
> >
> > Not "the new Windows 98" by a long shot - saying that is just
> > irresponsible. While Apple is not used to dealing with security in the
> > same way that other companies are, comparing OSX to Windows 98 is not
> > only a huge technical inaccuracy, but you also insult MAC users out
> > there. OSX had "UAC-like unprivileged user controls" way before Vista
> > did - let's not try to start some holy-war on this like people have
> > tried to do with Windows vs Linux in the past.
> >
> > If you want to report this, then report it-- but say what it is, a
> > totally lame user-must-be-drunk "exploit" that requires that all manner
> > of things go wrong before it works -- otherwise people will think that
> > you've dressed up as Steve Gibson for Halloween.
> >
> > t
>

-- 
http://www.smashthestack.org
http://www.unprotectedhex.com

From nick at virus-l.demon.co.uk Thu Nov 1 22:18:04 2007
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Date: Fri, 02 Nov 2007 11:18:04 +1300
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To:
References: <472AFD32.6546.339CE0EF@nick.virus-l.demon.co.uk>
Message-ID: <472B076C.21067.33C4D32A@nick.virus-l.demon.co.uk>

reepex to me:

> > Yes, today, the average level of clue among Mac users is probably a
> > shade higher than amongst Windows users,
>
> Is this a joke? The reason people switch to macs is because they cannot
> handle simple tasks. Isn't the main thing said by new mac users 'it just
> works' meaning 'I couldn't figure out windows'. The main users of macs are
> liberal arts students and hippies .. and we all know the technical level of
> these people.

No, it's not a joke.

First, a lot of very clueful security folk, CompSci academics and so on
will "only" (or, at least, "only for my real work") use Macs.
They may well just be heavy-duty-security-clueful enough to drag the
average graphic artist, liberal arts, etc level above the Windows
waterline.

Second, in fact, I don't even care if it is badly wrong. I'm happy to
concede to the Mac fanboyz that their buddies may, in fact, have a slight
edge in the security clue arena _across the whole population of Mac
users_. I will quickly point out things just like what you said if they
seriously try to claim they have a significant edge, but my point still
holds up allowing them what they perceive as the "but we're smarter"
high-ground.

The point is, as I thought I was making clear, even if it's true it
doesn't actually help them because we are still talking about two
seriously overlapping _population distributions_ (but if they continue to
insist it does, all they do is show their "debate" is driven by ideology
rather than facts and logic...).

You've just seen the redoubtable Dr Neal K messing this up big time, so
even the seriously security clueful are not necessarily on top of this.

Regards,

Nick FitzGerald

From worriedsecurity at googlemail.com Thu Nov 1 22:34:39 2007
From: worriedsecurity at googlemail.com (worried security)
Date: Thu, 1 Nov 2007 22:34:39 +0000
Subject: [Full-disclosure] N3TD3V INTERNET SECURITY THREAT CENTER
Message-ID: <67ea64530711011534x68377f3dube2e181ad40bc46f@mail.gmail.com>

*CYBER TERRORISM*
*Talk about the current threat level.*
*Discuss the internet terror threat*

*SOFTWARE FLAWS*
*Post your own research or talk about other people's.*
*Discuss technical vulnerabilities*

*SECURITY NEWS*
*Talk about news hitting the tv, radio and internet.*
*Discuss what's making the news*

*SECURITY HELP*
*Are you looking to tighten your security? Ask here.*
*Discuss security related questions*

http://groups.google.com/group/n3td3v

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071101/d40378b7/attachment.html


From py at gentoo.org Thu Nov 1 23:58:03 2007
From: py at gentoo.org (Pierre-Yves Rofes)
Date: Fri, 02 Nov 2007 00:58:03 +0100
Subject: [Full-disclosure] [ GLSA 200711-01 ] gFTP: Multiple vulnerabilities
Message-ID: <472A680B.8020207@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200711-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: gFTP: Multiple vulnerabilities
      Date: November 01, 2007
      Bugs: #188252
        ID: 200711-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two buffer overflow vulnerabilities have been discovered in fsplib code
used in gFTP.

Background
==========

gFTP is an FTP client for the GNOME desktop environment.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  net-ftp/gftp       < 2.0.18-r6                      >= 2.0.18-r6

Description
===========

Kalle Olavi Niemitalo discovered two boundary errors in fsplib code
included in gFTP when processing overly long directory or file names.

Impact
======

A remote attacker could trigger these vulnerabilities by enticing a user
to download a file with a specially crafted directory or file name,
possibly resulting in the execution of arbitrary code (CVE-2007-3962) or
a Denial of Service (CVE-2007-3961).

Workaround
==========

There is no known workaround at this time.
Resolution
==========

All gFTP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-ftp/gftp-2.0.18-r6"

References
==========

  [ 1 ] CVE-2007-3961
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3961
  [ 2 ] CVE-2007-3962
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3962

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHKmgLuhJ+ozIKI5gRAkHDAJ0bKesCCZXTosLIHdxRbEMF0qG1kgCeN+cX
+YXc0ftTGX5B5cD1DrdrrtU=
=n1oZ
-----END PGP SIGNATURE-----


From dudevanwinkle at gmail.com Thu Nov 1 23:10:10 2007
From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Thu, 1 Nov 2007 19:10:10 -0400
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To: <28749c0e0711011527m70a6e537j4b75d18e24dd5a22@mail.gmail.com>
References: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net>
	<28749c0e0711011527m70a6e537j4b75d18e24dd5a22@mail.gmail.com>
Message-ID: 

On 11/1/07, nnp wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> There's a difference between ignoring something and making a statement like
>
> 'OS X is the new Windows 98.'

OK, how about "iPhone is the new Win9x"?
It is running a type of OSX, one that is configured to use root for
everything.

I repeatedly hear that OSX is secure because BSD is a well picked
through OS. Developers have had 30 some odd years to work out the
bugs/vulns. What people are not taking into consideration is that if
you install a single insecure app (I.E: IE for Mac or Safari) and
then use it to update your myspace profile and browse pr0n; you have
to take additional preventative measures or will no longer have a
secure system.

This will be compounded by the fact that most corporations don't see a
need to shell out the bucks for AV/AS for Macs. AV/AS by itself is not
a great defense, but at least it's something.

Anyhoo, to reiterate: OSX !BSD. Windows had a hell of a time securing
its OS in part due to all the bells and whistles and also in part
because they would release an insecure product with the semi-intention
of patching later. The iPhone's configuration proves that Apple will
release products that do not conform to well known security best
practices as well (the least of which is don't run everything as
root). This makes me think that Apple is 1990's-M$-like in its pursuit
of functionality over security.

BTW: Did anyone test out whether the Mac AV/AS products detected this trojan?
-JP


From py at gentoo.org Fri Nov 2 00:15:30 2007
From: py at gentoo.org (Pierre-Yves Rofes)
Date: Fri, 02 Nov 2007 01:15:30 +0100
Subject: [Full-disclosure] [ GLSA 200711-02 ] OpenSSH: Security bypass
Message-ID: <472A6C22.6010705@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200711-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: OpenSSH: Security bypass
      Date: November 01, 2007
      Bugs: #191321
        ID: 200711-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A flaw has been discovered in OpenSSH which could allow a local attacker
to bypass security restrictions.

Background
==========

OpenSSH is a complete SSH protocol implementation that includes an SFTP
client and server support.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  net-misc/openssh     < 4.7                               >= 4.7

Description
===========

Jan Pechanec discovered that OpenSSH uses a trusted X11 cookie when it
cannot create an untrusted one.

Impact
======

An attacker could bypass the SSH client security policy and gain
privileges by causing an X client to be treated as trusted.

Workaround
==========

There is no known workaround at this time.
Resolution
==========

All OpenSSH users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/openssh-4.7"

References
==========

  [ 1 ] CVE-2007-4752
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHKmwiuhJ+ozIKI5gRAoclAJ9nPm04js/sV/NleiRb3LAKnMUdmgCgnnw1
w0PBnuiQ6LA1pnroWHgenfA=
=Cq+b
-----END PGP SIGNATURE-----


From version5 at gmail.com Thu Nov 1 23:19:12 2007
From: version5 at gmail.com (nnp)
Date: Thu, 1 Nov 2007 16:19:12 -0700
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To: 
References: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net>
	<28749c0e0711011527m70a6e537j4b75d18e24dd5a22@mail.gmail.com>
Message-ID: <28749c0e0711011619x3baf9715k586c7cd2deddeb8c@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm not sure if you accidentally quoted my reply or not there, because
if you did you're completely missing my point.
My issue is with the format and content (or lack thereof) of the first
post. I don't think I mentioned the iPhone, *BSD, MS or at any stage
said anything at all that would indicate I was taking any side in the
'which OS sucks more balls than any other' debate.

Again, my issue is with the hyperbole, FUD and complete lack of use of
the initial post when posted to the type of lists that FD and Bugtraq
are supposed to be. It rings of the kind of thing you see in bold
letters and quotation marks beside some stupid tech magazine's analysis
of an issue they know little about.

- --nnp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: http://firegpg.tuxfamily.org

iD8DBQFHKsBCbP10WPHfgnQRAsrZAKCj4LxCQ6y7qZpKVno14kJGzsk5XQCgxQ3V
P9nPWcDpgbKfSdky+3TNhbw=
=3K5G
-----END PGP SIGNATURE-----

On 11/1/07, Dude VanWinkle wrote:
> On 11/1/07, nnp wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > There's a difference between ignoring something and making a statement like
> >
> > 'OS X is the new Windows 98.'
>
> OK, how about "iPhone is the new Win9x"? It is running a type of OSX,
> one that is configured to use root for everything.
>
> I repeatedly hear that OSX is secure because BSD is a well picked
> through OS. Developers have had 30 some odd years to work out the
> bugs/vulns. What people are not taking into consideration is that if
> you install a single insecure app (I.E: IE for Mac or Safari) and
> then use it to update your myspace profile and browse pr0n; you have
> to take additional preventative measures or will no longer have a
> secure system.
>
> This will be compounded by the fact that most corporations don't see a
> need to shell out the bucks for AV/AS for Macs. AV/AS by itself is not
> a great defense, but at least it's something.
>
> Anyhoo, to reiterate: OSX !BSD.
> Windows had a hell of a time securing
> its OS in part due to all the bells and whistles and also in part
> because they would release an insecure product with the semi-intention
> of patching later. The iPhone's configuration proves that Apple will
> release products that do not conform to well known security best
> practices as well (the least of which is don't run everything as
> root). This makes me think that Apple is 1990's-M$-like in its pursuit
> of functionality over security.
>
> BTW: Did anyone test out whether the Mac AV/AS products detected this trojan?
>
> -JP
>

-- 
http://www.smashthestack.org
http://www.unprotectedhex.com


From py at gentoo.org Fri Nov 2 00:32:22 2007
From: py at gentoo.org (Pierre-Yves Rofes)
Date: Fri, 02 Nov 2007 01:32:22 +0100
Subject: [Full-disclosure] [ GLSA 200711-03 ] Gallery: Multiple vulnerabilities
Message-ID: <472A7016.1030304@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200711-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Gallery: Multiple vulnerabilities
      Date: November 01, 2007
      Bugs: #191587
        ID: 200711-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The WebDAV and Reupload modules of Gallery contain multiple unspecified
vulnerabilities.

Background
==========

Gallery is a PHP based photo album manager.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  www-apps/gallery     < 2.2.3                           >= 2.2.3

Description
===========

Merrick Manalastas and Nicklous Roberts have discovered multiple
vulnerabilities in the WebDAV and Reupload modules.
Impact
======

A remote attacker could exploit these vulnerabilities to bypass security
restrictions and rename, replace and change properties of items, or edit
item data using WebDAV.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Gallery users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/gallery-2.2.3"

References
==========

  [ 1 ] CVE-2007-4650
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4650

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHKnAWuhJ+ozIKI5gRAqGnAKCKzgiyzZZXPxkTkWyR3TPjjjXrkQCfT7TS
s7zfZErUBINg8TgVkkrC9FY=
=nzXL
-----END PGP SIGNATURE-----


From prb at lava.net Thu Nov 1 23:44:05 2007
From: prb at lava.net (Peter Besenbruch)
Date: Thu, 1 Nov 2007 13:44:05 -1000
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To: 
References: 
Message-ID: <200711011344.05590.prb@lava.net>

On Wednesday 31 October 2007 13:21:00 Gadi Evron wrote:
> This means one thing: Apple's day has finally come and Apple users are
> going to get hit hard. All those unpatched vulnerabilities from years past
> are going to bite them in the behind.
>
> I can sum it up in one sentence: OS X is the new Windows 98.

Windows 98 has no way to isolate administrative functions. Everyone has
full access to all aspects of the operating system. I should know, I
still use it for certain functions. Windows 98 may benefit from security
by obscurity, but I would still hesitate to take it out onto the big,
bad Internet.

The Mac OS is far better designed, but the option automatically to
execute trusted file formats on download should never have been put
there.

Other things I wish Apple would do better: Have their security updates
approach the speed achieved in many Linux distributions. Share a bit
more, heck, have them share anything at all when it comes to serious,
reported vulnerabilities. Finally, from a security perspective, they
should banish Quicktime.

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky


From worriedsecurity at googlemail.com Fri Nov 2 00:10:22 2007
From: worriedsecurity at googlemail.com (worried security)
Date: Fri, 2 Nov 2007 00:10:22 +0000
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To: 
References: 
Message-ID: <67ea64530711011710w4c9f4756m6d28d54c160440e4@mail.gmail.com>

On 10/31/07, Gadi Evron wrote:
>
> For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> dropped, infecting mac users.
> Yes, it is being done by a regular online gang--itw--it is not yet another
> proof of concept. The same gang infects Windows machines as well, just
> that now they also target macs.

Gadi you tit, haven't you got better things to do? I'm waiting for you
to come out on a night out with me and njan in Glasgow or Edinburgh you
lightweight. Get your priorities in check you dick and sort out a
meeting time, my MI5 links shouldn't deter you since Glasgow and
Edinburgh don't have a terror threat.

In the meantime, haven't you got a name for this "gang"? It's very
unprofessional of you!!!
Btw Gadi, if you're coming to Scotland in the next few days by train,
watch out!!! You'll be arrested before you get off the train you fat
fuck...

http://news.bbc.co.uk/1/hi/scotland/glasgow_and_west/7072882.stm

All the terrorists are scared to come to Scotland because it's where
n3td3v hangs out and they know if they come near me they get their cunts
kicked in.

Happy days.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071102/dbe1d610/attachment.html


From AlexE at sunbelt-software.com Thu Nov 1 21:49:09 2007
From: AlexE at sunbelt-software.com (Alex Eckelberry)
Date: Thu, 1 Nov 2007 17:49:09 -0400
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To: 
References: 
Message-ID: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net>

> Let's not over-hype this-- while "Apple's day" has been coming, saying
> that users will be "hit hard" on something the user has to
> manually download, manually execute, and explicitly grant
> administrative privileges to is *way* over the top.

The future of malware is going to be largely through social engineering.
Does that mean we ignore every threat that comes out because it requires
user interaction? Seems like whistling past the graveyard to me.

Alex


-----Original Message-----
From: Thor (Hammer of God) [mailto:thor at hammerofgod.com]
Sent: Thursday, November 01, 2007 8:15 PM
To: Gadi Evron; bugtraq at securityfocus.com;
full-disclosure at lists.grok.org.uk
Subject: RE: mac trojan in-the-wild

> For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> dropped, infecting mac users.
> Yes, it is being done by a regular online gang--itw--it is not yet
> another proof of concept. The same gang infects Windows machines as
> well, just that now they also target macs.
>
> http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
>
> This means one thing: Apple's day has finally come and Apple users are
> going to get hit hard. All those unpatched vulnerabilities from years
> past are going to bite them in the behind.

Let's not over-hype this-- while "Apple's day" has been coming, saying
that users will be "hit hard" on something the user has to manually
download, manually execute, and explicitly grant administrative
privileges to is *way* over the top.

> I can sum it up in one sentence: OS X is the new Windows 98. Investing
> in security ONLY as a last resort loses money, but everyone has to
> learn it for themselves.

Not "the new Windows 98" by a long shot - saying that is just
irresponsible. While Apple is not used to dealing with security in the
same way that other companies are, comparing OSX to Windows 98 is not
only a huge technical inaccuracy, but you also insult MAC users out
there. OSX had "UAC-like unprivileged user controls" way before Vista
did - let's not try to start some holy-war on this like people have
tried to do with Windows vs Linux in the past.

If you want to report this, then report it-- but say what it is, a
totally lame user-must-be-drunk "exploit" that requires that all manner
of things go wrong before it works -- otherwise people will think that
you've dressed up as Steve Gibson for Halloween.

t


From emmanouilgavriil at gmail.com Thu Nov 1 21:58:02 2007
From: emmanouilgavriil at gmail.com (Emmanouil Gavriil)
Date: Thu, 1 Nov 2007 23:58:02 +0200
Subject: [Full-disclosure] XSS - www.howtoforge.com
Message-ID: <00da01c81cd2$4793d640$0c00a8c0@EmmanouilGavriil>

Cross Site Scripting at howtoforge..

http://www.howtoforge.com/trip_search?keys=

Emmanouil Gavriil
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071101/8095e518/attachment.html


From adamst.onge at gmail.com Thu Nov 1 22:31:39 2007
From: adamst.onge at gmail.com (Adam St. Onge)
Date: Thu, 1 Nov 2007 18:31:39 -0400
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net>
References: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net>
Message-ID: <740f642c0711011531r41d5a435t8eda53f28c180da6@mail.gmail.com>

So if I put a picture of a naked girl on a website and said to see more
you must open a terminal and enter "rm -rf". Would we consider this a
trojan... or just stupidity?

On 11/1/07, Alex Eckelberry wrote:
>
> > Let's not over-hype this-- while "Apple's day" has been coming, saying
> > that users will be "hit hard" on something the user has to
> > manually download, manually execute, and explicitly grant
> > administrative privileges to is *way* over the top.
>
> The future of malware is going to be largely through social engineering.
> Does that mean we ignore every threat that comes out because it requires
> user interaction? Seems like whistling past the graveyard to me.
>
> Alex
>
>
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor at hammerofgod.com]
> Sent: Thursday, November 01, 2007 8:15 PM
> To: Gadi Evron; bugtraq at securityfocus.com;
> full-disclosure at lists.grok.org.uk
> Subject: RE: mac trojan in-the-wild
>
> > For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> > dropped, infecting mac users.
> > Yes, it is being done by a regular online gang--itw--it is not yet
> > another proof of concept. The same gang infects Windows machines as
> > well, just that now they also target macs.
> >
> > http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> > http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
> >
> > This means one thing: Apple's day has finally come and Apple users are
> > going to get hit hard. All those unpatched vulnerabilities from years
> > past are going to bite them in the behind.
>
> Let's not over-hype this-- while "Apple's day" has been coming, saying
> that users will be "hit hard" on something the user has to manually
> download, manually execute, and explicitly grant administrative
> privileges to is *way* over the top.
>
> > I can sum it up in one sentence: OS X is the new Windows 98. Investing
> > in security ONLY as a last resort loses money, but everyone has to
> > learn it for themselves.
>
> Not "the new Windows 98" by a long shot - saying that is just
> irresponsible. While Apple is not used to dealing with security in the
> same way that other companies are, comparing OSX to Windows 98 is not
> only a huge technical inaccuracy, but you also insult MAC users out
> there. OSX had "UAC-like unprivileged user controls" way before Vista
> did - let's not try to start some holy-war on this like people have
> tried to do with Windows vs Linux in the past.
>
> If you want to report this, then report it-- but say what it is, a
> totally lame user-must-be-drunk "exploit" that requires that all manner
> of things go wrong before it works -- otherwise people will think that
> you've dressed up as Steve Gibson for Halloween.
>
> t
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071101/a442de41/attachment.html


From roger at banneretcs.com Fri Nov 2 00:37:00 2007
From: roger at banneretcs.com (Roger A. Grimes)
Date: Thu, 1 Nov 2007 20:37:00 -0400
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net>
References: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net>
Message-ID: <096A04F511B7FD4995AE55F13824B8332131F5@contoso>

Actually, on that same note, I recently did an analysis of the last
three years of published Windows vulnerabilities. 86% required local
end-user interaction (i.e. social engineering) to be pulled off.

http://www.infoworld.com/article/07/10/19/42OPsecadvise-insider-threats_1.html

I didn't analyze Linux or BSD threats, but my gut feeling puts them at
the same level or even higher. With 86% or more of the past threats
requiring social engineering to pull off, we can safely say the "future"
you state below is here now.

Now, what is interesting is that any exploit requiring social
engineering to work has so far been less of a problem than the vast
majority of "remote buffer overflow" exploits like the Blaster and SQL
worms. Social engineering-required malware still works, and works well,
but not with the same success of remote buffer overflow malware. There
is very little we in the security space can point to as a success...but
the overall decrease in remote buffer overflows is one.

Unfortunately, the social engineering malware is getting better
day-by-day. We can no longer count on mispellings (sic) and bad grammar
to be malware indicators. Our users, regardless of the OS, are ready as
ever to click on interesting content, malicious or not. We've got to
design our defenses to pay more attention to client-side attacks, but it
is the weak point now, not in the future.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger_grimes at infoworld.com or roger at banneretcs.com
*Author of Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*****************************************************************


-----Original Message-----
From: Alex Eckelberry [mailto:AlexE at sunbelt-software.com]
Sent: Thursday, November 01, 2007 5:49 PM
To: Thor (Hammer of God); Gadi Evron; bugtraq at securityfocus.com;
full-disclosure at lists.grok.org.uk
Subject: RE: mac trojan in-the-wild

The future of malware is going to be largely through social engineering.
Does that mean we ignore every threat that comes out because it requires
user interaction? Seems like whistling past the graveyard to me.

Alex


From Jim at isatools.org Fri Nov 2 00:52:10 2007
From: Jim at isatools.org (Jim Harrison)
Date: Thu, 1 Nov 2007 17:52:10 -0700
Subject: [Full-disclosure] mac trojan in-the-wild
In-Reply-To: 
References: 
Message-ID: <097B1E4792366344925A4B6B99C00A8218488990DB@zaphod.home.jalojash.org>

Heh-heh; he said "Steve Gibson"; heh-heh-heh

Seriously; Tim is right.
While Apple-oriented threats may not get either the validation or the
publicity (one hardly equals the other) that Windows attacks do, it's
hardly accurate (much less fair) to make those comparisons.
For all those comparative points, my Kaypro-4 running ZCPR is more
secure than any Apple OS.

Jim

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor at hammerofgod.com]
Sent: Thursday, November 01, 2007 5:15 PM
To: Gadi Evron; bugtraq at securityfocus.com;
full-disclosure at lists.grok.org.uk
Subject: RE: mac trojan in-the-wild

> For whoever didn't hear, there is a Macintosh trojan in-the-wild being
> dropped, infecting mac users.
> Yes, it is being done by a regular online gang--itw--it is not yet
> another
> proof of concept. The same gang infects Windows machines as well, just
> that now they also target macs.
>
> http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
> http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
>
> This means one thing: Apple's day has finally come and Apple users are
> going to get hit hard. All those unpatched vulnerabilities from years
> past
> are going to bite them in the behind.

Let's not over-hype this-- while "Apple's day" has been coming, saying
that users will be "hit hard" on something the user has to manually
download, manually execute, and explicitly grant administrative
privileges to is *way* over the top.

> I can sum it up in one sentence: OS X is the new Windows 98. Investing
> in
> security ONLY as a last resort loses money, but everyone has to learn
> it
> for themselves.

Not "the new Windows 98" by a long shot - saying that is just
irresponsible. While Apple is not used to dealing with security in the
same way that other companies are, comparing OSX to Windows 98 is not
only a huge technical inaccuracy, but you also insult MAC users out
there. OSX had "UAC-like unprivileged user controls" way before Vista
did - let's not try to start some holy-war on this like people have
tried to do with Windows vs Linux in the past.

If you want to report this, then report it-- but say what it is, a
totally lame user-must-be-drunk "exploit" that requires that all manner
of things go wrong before it works -- otherwise people will think that
you've dressed up as Steve Gibson for Halloween.

t


From ge at linuxbox.org Fri Nov 2 00:55:44 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Thu, 1 Nov 2007 19:55:44 -0500 (CDT)
Subject: [Full-disclosure] [botnets] re MAC trojan (fwd)
Message-ID: 

There have been many threads on this subject, but I believe this post
below covers what some of us are trying to say on why this issue is
significant.

Obviously some people are far more articulate than me.
---------- Forwarded message ----------
Date: Thu, 1 Nov 2007 16:47:17 -0400
From: PinkFreud
To: Gary Flynn
Cc: botnets at whitestar.linuxbox.org
Subject: Re: [botnets] re MAC trojan

To report a botnet PRIVATELY please email: c2report at isotf.org
----------

[My apologies if this has already been covered - I started this email a
few hours ago, and haven't had a chance to finish it until now.]

I think the point Gadi (and Alex of Sunbelt Software, in his original
blog entry) is trying to make is that professional malware authors have
begun to take notice of Apple. As a piece of malware goes, this trojan
is nothing remarkable in itself, other than the fact that it's aimed at
Mac users.

As Gadi mentioned, there are a number of known issues that Apple has yet
to address. If the professional malware authors are now taking aim at
Mac users, Apple appears to be making it easy for them.

There are a few comments that I've seen in this thread that are rather
worrisome:

::: Interspace System Department
> Relax. MAC users are not that stupid as MS users...

Are you a Mac user? If so, you just proved yourself wrong with that
statement. :)

Users are users, and their knowledge of computers varies greatly from
one to the next. I've supported a number of Mac users who tend to be
clueless when it comes to computers, and I've supported Mac users who
know quite a bit about the machines they use. Like any Windows or *nix
user, Mac users can - and will - fall prey to this kind of scheme.

Again, the trojan is not what's important here. The fact that it was
written for Macs is particularly noteworthy, however.

::: Jeremy Chatfield
> InfoSec is there to make sure that I can run my business, not as an end in
> itself. It *prevents* profit making activity by having effort expended on
> internal needs. So if the Mac hasn't *needed* higher level of security
> hoops, previously, that's good. So long as weaknesses are fixed *when
> needed*, I'm a happy bunny.
> If there's a Day Zero attack that hits a Mac,
> I'll be disappointed, but it's not a uniquely Mac situation to be in... If
> the failure was an obvious weakness, I'm actually still pretty sanguine,
> because it hasn't yet been exploited, despite being "well known".

Security issues should be fixed as soon as feasible, not 'when needed'.
If all security vulnerabilities were fixed 'when needed', the malware
authors would be having a field day (which, of course, implies they're
not already... hmmmm.).

Apple has a history of badly-written software. As far as recent examples
go, take a look at tar and rsync on Tiger (10.4) - they've been modified
to support extended attributes like ACLs and resource forks, and they're
quite broken - extended attribute support introduces a serious memory
leak.

If that doesn't quite hit home, you can get a further idea of how their
software is written by taking a look at the man page for sharing(1), on
OS X Server (for those of you without access to OS X Server, take a look
at
http://developer.apple.com/DOCUMENTATION/Darwin/Reference/ManPages/man1/sharing.1.html
). Pay particular attention to the description for the -s, -g, and -i
options - do their developers (or tech writers) know the difference
between AND and OR? :)

On Thu, Nov 01, 2007 at 08:56:22AM -0400, Gary Flynn babbled thus:
> This is nothing more than simple downloadable malware exacerbated
> somewhat by permissive configuration settings. It exploits no
> security defects.
> > As I understand it, the operator is given multiple opportunities > to refuse the program: > > http://www.jmu.edu/computing/security/#macmalware > > (I'm only subscribed to the archive so I apologize if this > has been already pointed out or already proven incorrect > today) > > -- > Gary Flynn > Security Engineer > James Madison University > www.jmu.edu/computing/security -- PinkFreud Chief of Security, Nightstar IRC network irc.nightstar.net | www.nightstar.net Server Administrator - Blargh.CA.US.Nightstar.Net Unsolicited advertisements sent to this address are NOT welcome. _______________________________________________ To report a botnet PRIVATELY please email: c2report at isotf.org All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets From ge at linuxbox.org Fri Nov 2 01:04:44 2007 From: ge at linuxbox.org (Gadi Evron) Date: Thu, 1 Nov 2007 20:04:44 -0500 (CDT) Subject: [Full-disclosure] mac trojan in-the-wild In-Reply-To: <097B1E4792366344925A4B6B99C00A8218488990DB@zaphod.home.jalojash.org> References: <097B1E4792366344925A4B6B99C00A8218488990DB@zaphod.home.jalojash.org> Message-ID: On Thu, 1 Nov 2007, Jim Harrison wrote: > While Apple-oriented threats may not get either the validation or the publicity (one hardly equals the other) that Windows attacks do, it's hardly accurate (much less fair) to make those comparisons. > For all those comparative points, my Kaypro-4 running ZCPR is more secure than any Apple OS. > The comparison is of the Microsoft eco-system in the security realm when Windows 98 was out. Whether by lack of visibility, unpatched exploits or organized criminal interest. That is the significant part. Gadi.
From prb at lava.net Fri Nov 2 01:36:00 2007 From: prb at lava.net (Peter Besenbruch) Date: Thu, 1 Nov 2007 15:36:00 -1000 Subject: [Full-disclosure] mac trojan in-the-wild In-Reply-To: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net> References: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net> Message-ID: <200711011536.00961.prb@lava.net> On Thursday 01 November 2007 11:49:09 Alex Eckelberry wrote: > The future of malware is going to be largely through social engineering. > Does that mean we ignore every threat that comes out because it requires > user interaction? Seems like whistling past the graveyard to me. Alex, no-one is saying we should ignore it. I would say we downgrade the level of threat if it requires user interaction. If it requires a lot of interaction to launch the threat, we downgrade it some more. Apple is faced with a significant design flaw in OS-X: You can have trusted file types auto-execute when downloaded in Safari. This is an old problem, partially mitigated by Apple in later versions of the OS. This has been coupled with the ancient scam of the fake CODEC. The one unique aspect of this attack is the target, Apple users. I suppose Linux users are next. When they get targeted, I will be ready. I don't typically browse porn sites, so I see a greater danger in targeted attacks from third party advertisers. Of course, these tend to target drive by download flaws in Windows, but I'll be ready. I suppose, though, that other Linux users browse porn. I can see it now... Firefox throws up a download dialog, asking what I should do with "prettyyoungthing.rpm," while a Javascript pop-up explains that to see these great images, I need to save the file, and type "rpm -i prettyyoungthing.rpm," and that I need to do it as root. If running Suse or Mandriva, this may not work. If I run Debian or Ubuntu, I should run "alien -dci prettyyoungthing.rpm" as root. 
If this doesn't quite work, please find a Deb file with "prettyyoungthing" in its name, using "find prettyyoungthing*.deb" and issue the command "dpkg -i prettyyoungthing*.deb. Regardless of installation method, please have the following dependencies installed... Oh yes, I'll be ready. -- Hawaiian Astronomical Society: http://www.hawastsoc.org HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky From pauls at utdallas.edu Fri Nov 2 02:00:32 2007 From: pauls at utdallas.edu (Paul Schmehl) Date: Thu, 01 Nov 2007 21:00:32 -0500 Subject: [Full-disclosure] mac trojan in-the-wild In-Reply-To: <740f642c0711011531r41d5a435t8eda53f28c180da6@mail.gmail.com> References: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net> <740f642c0711011531r41d5a435t8eda53f28c180da6@mail.gmail.com> Message-ID: <1D1FB9A996727B194F7E000E@paul-schmehls-powerbook59.local> --On November 1, 2007 6:31:39 PM -0400 "Adam St. Onge" wrote: > So if i put a picture of a naked girl on a website and said to see more > you must open a terminal and enter "rm -rf". > > > Would we consider this a trojan...or just stupidity? > I would consider it stupidity to think that that is comparable to a trojan. Paul Schmehl (pauls at utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pkcs7-signature Size: 3701 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071101/4e5baffe/attachment.bin From jays at panix.com Fri Nov 2 02:03:50 2007 From: jays at panix.com (Jay Sulzberger) Date: Thu, 1 Nov 2007 22:03:50 -0400 (EDT) Subject: [Full-disclosure] mac trojan in-the-wild In-Reply-To: <740f642c0711011531r41d5a435t8eda53f28c180da6@mail.gmail.com> References: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net> <740f642c0711011531r41d5a435t8eda53f28c180da6@mail.gmail.com> Message-ID: On Thu, 1 Nov 2007, Adam St. Onge wrote: > So if i put a picture of a naked girl on a website and said to see more you > must open a terminal and enter "rm -rf". > Would we consider this a trojan...or just stupidity? Yes, a Trojan. Yes, stupidity on the part of the designer of the home system. There should be no way to destroy so much user data by the user just typing six characters into a terminal window. oo--JS. > > On 11/1/07, Alex Eckelberry wrote: >> >>> Let's not over-hype this-- while "Apple's day" has been coming, saying >> that users will be "hit hard" on something the user has to >>> manually download, manually execute, and explicitly grant >> administrative privileges to is *way* over the top. >> >> The future of malware is going to be largely through social engineering. >> Does that mean we ignore every threat that comes out because it requires >> user interaction? Seems like whistling past the graveyard to me. >> >> Alex >> >> >> -----Original Message----- >> From: Thor (Hammer of God) [mailto:thor at hammerofgod.com] >> Sent: Thursday, November 01, 2007 8:15 PM >> To: Gadi Evron; bugtraq at securityfocus.com; >> full-disclosure at lists.grok.org.uk >> Subject: RE: mac trojan in-the-wild >> >>> For whoever didn't hear, there is a Macintosh trojan in-the-wild being >> >>> dropped, infecting mac users. 
>>> Yes, it is being done by a regular online gang--itw--it is not yet >>> another proof of concept. The same gang infects Windows machines as >>> well, just that now they also target macs. >>> >>> http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac- >>> trojan.html >>> http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel- >>> pain-of.html >>> >>> This means one thing: Apple's day has finally come and Apple users are >> >>> going to get hit hard. All those unpatched vulnerabilities from years >>> past are going to bite them in the behind. >> >> Let's not over-hype this-- while "Apple's day" has been coming, saying >> that users will be "hit hard" on something the user has to manually >> download, manually execute, and explicitly grant administrative >> privileges to is *way* over the top. >> >> >> >>> I can sum it up in one sentence: OS X is the new Windows 98. Investing >> >>> in security ONLY as a last resort loses money, but everyone has to >>> learn it for themselves. >> >> Not "the new Windows 98" by a long shot - saying that is just >> irresponsible. While Apple is not used to dealing with security in the >> same way that other companies are, comparing OSX to Windows 98 is not >> only a huge technical inaccuracy, but you also insult MAC users out >> there. OSX had "UAC-like unprivileged user controls" way before Vista >> did - let's not try to start some holy-war on this like people have >> tried to do with Windows vs Linux in the past. >> >> If you want to report this, then report it-- but say what it is, a >> totally lame user-must-be-drunk "exploit" that requires that all manner >> of things go wrong before it works -- otherwise people will think that >> you've dressed up as Steve Gibson for Halloween.
>> >> t >> > From pauls at utdallas.edu Fri Nov 2 02:13:10 2007 From: pauls at utdallas.edu (Paul Schmehl) Date: Thu, 01 Nov 2007 21:13:10 -0500 Subject: [Full-disclosure] mac trojan in-the-wild In-Reply-To: <200711011536.00961.prb@lava.net> References: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net> <200711011536.00961.prb@lava.net> Message-ID: <7F5FABC626E215102ECE0966@paul-schmehls-powerbook59.local> --On November 1, 2007 3:36:00 PM -1000 Peter Besenbruch wrote: > > Firefox throws up a download dialog, asking what I should do > with "prettyyoungthing.rpm," while a Javascript pop-up explains that to > see these great images, I need to save the file, and type "rpm -i > prettyyoungthing.rpm," and that I need to do it as root. There is no need to do that. In both Macs and Gnome or KDE on Unix, if you try to run rpm -i (or whatever the install paradigm is on your flavor of OS), you'll be *prompted* for the root password, not asked to run it as root. Big difference, and one that many users do not appreciate at all. The direction computing is heading is toward ease of use and obscuration of details. Given that, and the human tendency to act without thinking, socially engineered exploits will continue to enjoy success. No, they won't be as successful as self-propagating code that takes advantage of flaws in OSes and applications, but ask the Storm bot creators if social engineering can successfully build a botnet of several hundred thousand machines. When an internationally recognized Ph.D psychologist can lose $3 million US to the 419 scam and be prepared to lose more, is it really a stretch to think that a fake codec trojan will make inroads on the Mac? Paul Schmehl (pauls at utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: application/pkcs7-signature Size: 3701 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071101/b0243d93/attachment.bin From jays at panix.com Fri Nov 2 02:14:50 2007 From: jays at panix.com (Jay Sulzberger) Date: Thu, 1 Nov 2007 22:14:50 -0400 (EDT) Subject: [Full-disclosure] mac trojan in-the-wild In-Reply-To: <1D1FB9A996727B194F7E000E@paul-schmehls-powerbook59.local> References: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net> <740f642c0711011531r41d5a435t8eda53f28c180da6@mail.gmail.com> <1D1FB9A996727B194F7E000E@paul-schmehls-powerbook59.local> Message-ID: On Thu, 1 Nov 2007, Paul Schmehl wrote: > --On November 1, 2007 6:31:39 PM -0400 "Adam St. Onge" > wrote: > >> So if i put a picture of a naked girl on a website and said to see more >> you must open a terminal and enter "rm -rf". >> >> >> Would we consider this a trojan...or just stupidity? >> > I would consider it stupidity to think that that is comparable to a trojan. > > Paul Schmehl (pauls at utdallas.edu) I think, under the standard Unix system of permissions, this is a Trojan. Under the standard Unix system of permissions, every application running in my home directory can issue an 'rm -rf /home/me' and, without proper near in time backup, cause me much annoyance. The defect lies in the system of permissions. There exist systems of rolling off-machine backups and minimum privilege permissions systems, but they are not yet standard. oo--JS. 
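The permission defect Jay describes above, as an added example that is not part of the thread: a POSIX shell script (the temporary home directory and the "thesis.txt" file are constructed here for the demonstration) showing that under standard Unix discretionary access control a file's own mode does not stop its owner from unlinking it, that clearing the directory's write bit does, and that the owner's own process can undo that protection with one chmod. That is exactly why any code running as the user, a downloaded "codec" included, can wipe the user's data, and why the fix has to come from off-machine backups or a least-privilege sandbox rather than from file modes.

```shell
#!/bin/sh
# Added example, not from the thread: why standard Unix permissions (DAC)
# cannot protect a user's own files from code running as that user.
# Needs only POSIX sh, mktemp, chmod, rm and id. The temporary "home" and
# the file thesis.txt are constructed for the demonstration.

# 1. A file whose mode is 000 is still deleted by its owner: unlink is
#    governed by the directory's write bit, not by the file's own mode.
#    Returns 0 when the deletion succeeded.
file_mode_does_not_protect() {
    h=$(mktemp -d) || return 2
    printf 'irreplaceable data\n' > "$h/thesis.txt"
    chmod 000 "$h/thesis.txt"                  # owner cannot even read it
    rm -f "$h/thesis.txt" 2>/dev/null || true  # ...but can still unlink it
    if [ -e "$h/thesis.txt" ]; then r=1; else r=0; fi
    rm -rf "$h"
    return $r
}

# 2. Clearing the directory's write bit does block the unlink for a
#    non-root user. Root bypasses DAC entirely, so under uid 0 this
#    returns 1. Returns 0 when the deletion was blocked.
readonly_dir_blocks_rm() {
    h=$(mktemp -d) || return 2
    mkdir "$h/docs"
    printf 'irreplaceable data\n' > "$h/docs/thesis.txt"
    chmod 500 "$h/docs"                        # r-x only, no write bit
    rm -f "$h/docs/thesis.txt" 2>/dev/null || true
    if [ -e "$h/docs/thesis.txt" ]; then r=0; else r=1; fi
    chmod 700 "$h/docs"                        # restore so cleanup works
    rm -rf "$h"
    return $r
}

# 3. ...but that protection is owned by the same uid, so any process
#    running as the user restores the bit and deletes anyway. This is the
#    whole point: nothing the user owns is out of reach of the user's own
#    processes. Returns 0 when the deletion succeeded.
owner_undoes_protection() {
    h=$(mktemp -d) || return 2
    mkdir "$h/docs"
    printf 'irreplaceable data\n' > "$h/docs/thesis.txt"
    chmod 500 "$h/docs"
    chmod 700 "$h/docs"                        # what a trojan does first
    rm -f "$h/docs/thesis.txt" 2>/dev/null || true
    if [ -e "$h/docs/thesis.txt" ]; then r=1; else r=0; fi
    rm -rf "$h"
    return $r
}

# Stand-alone run: print the three results for the current uid.
report() {
    if "$1"; then echo "$1: yes"; else echo "$1: no"; fi
}
report file_mode_does_not_protect
report readonly_dir_blocks_rm
report owner_undoes_protection
```

Run it as a normal user. As root the second check prints "no", because root bypasses DAC altogether, which is the stronger version of the same point: the permission system protects users from each other, not a user from code that runs as that user.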
> Senior Information Security Analyst > The University of Texas at Dallas > http://www.utdallas.edu/ir/security/ > From thor at hammerofgod.com Fri Nov 2 05:18:55 2007 From: thor at hammerofgod.com (Thor (Hammer of God)) Date: Thu, 1 Nov 2007 22:18:55 -0700 Subject: [Full-disclosure] mac trojan in-the-wild In-Reply-To: <096A04F511B7FD4995AE55F13824B8332131F5@contoso> References: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net> <096A04F511B7FD4995AE55F13824B8332131F5@contoso> Message-ID: That's an interesting figure (86% that is). Can you give us some insight into what you define as "user interaction"? If it is clicking a link or reading an HTML email, then OK. If it is opening an .exe from an email, I'd like to see what client you are talking about and what environment (meaning, what OS/email client and what did they have to do to get it to run). But specifically, how many were exploits where a user had to visit an untrusted site, download an executable, run it, and explicitly give it administrative credentials to run? Not just people running as administrator, but typing in the admin account credentials to run it as administrator as one has to do on OSX? My guess (and I'd really like to see details on your findings) is that most "interactive" issues are the more "trivial" interactive issues (like clicking a link and launching a vulnerable version of IE). But more importantly, let's look at things from the other side. Let's say I'm wrong, and that Gadi is right on target with his "hit hard" prediction and that we should be very concerned with this. Given the requirements here, that again being flagrant ignorance where all the above steps are executed (including the explicit admin part)-- what exactly are we supposed to do? If people are willing and able to go through the motions above what can we as security people do to prevent it? 
Far too many people in this industry are far too quick to point out how desperate the situation is at all turns, but I don't see many people offering real solutions. But you know, I have to say... If we are really going to consider this "serious," and we are really going to define part of our jobs as being responsible for stopping people who have absolutely no concerns for what they do and are willing to enter their admin credentials into any box that asks for it, then I'd say that there is a *serious* misunderstanding about what security is, and what can be done about it-- either that, or I'm just in the wrong business. t > -----Original Message----- > From: Roger A. Grimes [mailto:roger at banneretcs.com] > Sent: Thursday, November 01, 2007 5:37 PM > To: Alex Eckelberry; Thor (Hammer of God); Gadi Evron; > bugtraq at securityfocus.com; full-disclosure at lists.grok.org.uk > Subject: RE: mac trojan in-the-wild > > Actually, on that same note, I recently did an analysis of the last > three years of published Windows vulnerabilities. > > 86% required local end-user interaction (i.e. social engineering) to be > pulled off. > http://www.infoworld.com/article/07/10/19/42OPsecadvise-insider- > threats_ > 1.html > > I didn't analyze Linux or BSD threats, but my gut feeling puts them at > the same level or even higher. > > With 86% or more of the past threats requiring social engineering to > pull off, we can safely say the "future" you state below is here now. > > Now, what is interesting is that any exploit requiring social > engineering to work has so far been less of a problem than the vast > majority of "remote buffer overflow" exploits like the Blaster and SQL > worms. Social engineering-required malware still works, and works > well, > but not with the same success of remote buffer overflow malware. There > is very little we in the security space can point to as a success...but > the overall decrease in remote buffer overflows is one. 
Unfortunately, > the social engineering malware is getting better day-by-day. We can no > longer count on mispellings (sic) and bad grammar to be malware > indicators. Our users, regardless of the OS, are ready as ever to click > on interesting content, malicious or not. We've got to design our > defenses to pay more attention to client-side attacks, but it is the > weak point now, not in the future. > > Roger > > ***************************************************************** > *Roger A. Grimes, InfoWorld, Security Columnist > *CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada... > *email: roger_grimes at infoworld.com or roger at banneretcs.com > *Author of Windows Vista Security: Securing Vista Against Malicious > Attacks (Wiley) > *http://www.amazon.com/Windows-Vista-Security-Securing- > Malicious/dp/0470 > 101555 > ***************************************************************** > > > -----Original Message----- > From: Alex Eckelberry [mailto:AlexE at sunbelt-software.com] > Sent: Thursday, November 01, 2007 5:49 PM > To: Thor (Hammer of God); Gadi Evron; bugtraq at securityfocus.com; > full-disclosure at lists.grok.org.uk > Subject: RE: mac trojan in-the-wild > > The future of malware is going to be largely through social > engineering. > Does that mean we ignore every threat that comes out because it > requires > user interaction? Seems like whistling past the graveyard to me. > > Alex From dr at kyx.net Fri Nov 2 03:21:39 2007 From: dr at kyx.net (Dragos Ruiu) Date: Thu, 1 Nov 2007 19:21:39 -0800 Subject: [Full-disclosure] Skype IM upgrade/repair automated social engineering attack Message-ID: <200711011921.40079.dr@kyx.net> With all the proliferation of phone home for update systems in even trivial software packages these days, neophyte users can easily get confused about legitimate upgrades and imposters. So someone is trying to take advantage of this with an automated version of an old school social engineering attack via Skype spam. 
Someone/something/someone's-botnet on skype last night contacted users who reported it to me. The messages were formatted to resemble Microsoft update messages or an AV scan with a link to click to update and/or repair malware in a number of Microsoft products. None of the users who reported it to me clicked on the link so it's not clear what the installed malware was after. A series of users with the name "Scan Alert" followed by the registered trade mark sign originating from a numeric range of skype userids following the form: scan.alert.o ...have been sending these unsolicited messages. These id's seem to be registered in the US. Please warn your users to ignore and be wary of social engineering attacks purporting to be upgrades or AV via IM, because without doubt the persons behind this will try other variants. A little bit of googling indicates these spammers have been active for at least two weeks. cheers, --dr -- World Security Pros. Cutting Edge Training, Tools, and Techniques Tokyo, Japan November 29/30 - 2007 http://pacsec.jp pgpkey http://dragos.com/ kyxpgp From jays at panix.com Fri Nov 2 02:29:14 2007 From: jays at panix.com (Jay Sulzberger) Date: Thu, 1 Nov 2007 22:29:14 -0400 (EDT) Subject: [Full-disclosure] mac trojan in-the-wild In-Reply-To: References: <27C4CD168204684589EC07B2BCFA9CFE0723C760@hurricane.ssdcorp.net> <096A04F511B7FD4995AE55F13824B8332131F5@contoso> Message-ID: On Thu, 1 Nov 2007, Thor (Hammer of God) wrote: > That's an interesting figure (86% that is). Can you give us some > insight into what you define as "user interaction"? > > If it is clicking a link or reading an HTML email, then OK. If it is > opening an .exe from an email, I'd like to see what client you are > talking about and what environment (meaning, what OS/email client and > what did they have to do to get it to run).
But specifically, how many > were exploits where a user had to visit an untrusted site, download an > executable, run it, and explicitly give it administrative credentials to > run? Not just people running as administrator, but typing in the admin > account credentials to run it as administrator as one has to do on OSX? > My guess (and I'd really like to see details on your findings) is that > most "interactive" issues are the more "trivial" interactive issues > (like clicking a link and launching a vulnerable version of IE