Brad, can you provide the details and the menu-based exploit :) of the two vulnerabilities you discovered last year? It would be really helpful in doing security assessments...
Thnx,
Abhilash

On Tue, 11 May 2004 [EMAIL PROTECTED] wrote:

> Send Full-Disclosure mailing list submissions to
>     [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     http://lists.netsys.com/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
>     [EMAIL PROTECTED]
>
> You can reach the person managing the list at
>     [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
>
> Today's Topics:
>
>   1. Re: Advisory 04/2004: Net(Free)BSD Systrace local root vulnerability ([EMAIL PROTECTED])
>   2. RE: Learn from history? (Steffen Kluge)
>   3. Re: Registry Watcher (Troy Solo)
>   4. Vulnerabilites on a network (Daniele Carlucci)
>   5. Re: Learn from history? (Calum)
>   6. Re: Vulnerabilites on a network (Oliver Kellermann)
>   7. RE: Learn from history? (Jos Osborne)
>   8. Calcuating Loss (Michael Schaefer)
>   9. RE: Calcuating Loss (Jos Osborne)
>  10. Re: msxml3.dll Parsing Error Crashes Internet Explorer Remotely Upon Refresh (3APA3A)
>  11. Re: Calcuating Loss (Harlan Carvey)
>  12. [SECURITY] [DSA 502-1] New exim-tls packages fix buffer overflows ([EMAIL PROTECTED])
>  13. Re: iDEFENSE: Security Whitepaper on Trusted Computing Platforms (Nico Golde)
>  14. Re: Victory day - Sasser surrenders (Rob Clark)
>  15. Re: Calcuating Loss (Clint Bodungen)
>  16. RE: Calcuating Loss (Jos Osborne)
>  17. Re: Victory day - Sasser surrenders ([EMAIL PROTECTED])
>  18. info on JRE < 1.4.2_04 vulnerability (Mark W. Webb)
>  19. RE: Victory day - Sasser surrenders (Alerta Redsegura)
>  20. JRE < 1.4.2_04 vulnerability (Dolphsec)
>  21. Re: Calcuating Loss (Harlan Carvey)
>  22. Re: Victory day - Sasser surrenders (Maxime Ducharme)
>  23. PING: Outlook 2003 Spam ([EMAIL PROTECTED])
>  24. JRE < 1.4.2_02 vulnerability (Dolphsec)
>
> --__--__--
>
> Message: 1
> Date: Tue, 11 May 2004 00:26:38 -0400
> To: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Re: Advisory 04/2004: Net(Free)BSD Systrace local root vulnerability
>
> Just to clarify, this advisory does not involve either of the two
> vulnerabilities that I discovered over a year ago now that still remain
> unpatched. The one bug is a local root on Linux, NetBSD, FreeBSD,
> OpenBSD, and Mac OS X, and any other OS systrace is ported to in the
> future. The other bug is a complete bypass of systrace's "security" on
> Linux.
>
> Maybe keep looking Stefan ;)
> If you can find them, I'll release my fully working MENU-BASED
> exploit. Actually, I was quite upset at first that someone had killed
> my bug but then I read the advisory closer and realized it was a
> different local root, imagine that ;) It amazes me that Niels has known
> a local root vulnerability has existed in his code for over a year and
> yet he hasn't even bothered to audit his own code, but instead continues
> to promote it.
>
> http://monkey.org/openbsd/archive/misc/0304/msg01400.html
> "I am looking forward to his local root exploit for systrace."
> Sorry Niels, no such luck today :(
> It was close!
>
> -Brad
>
>
> --__--__--
>
> Message: 2
> From: Steffen Kluge <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Date: Tue, 11 May 2004 17:23:25 +1000
> Subject: RE: [Full-Disclosure] Learn from history?
>
> On Tue, 2004-05-11 at 00:50, Michal Zalewski wrote:
> > > R = E x p
> > >
> > > R = Risk
> > > E = event
> > > p = probability of the event happening
> >
> > If we must toy with bogus marketspeak "equations", shouldn't E - at the
> > very least - numerically correspond to the consequences (loss?) caused by
> > an event, rather than being an event itself?
>
> Of course. Prevalent risk management standards put "impact" in the place
> of "event" (which isn't quantifiable anyway). And they don't use an
> arithmetic product to combine impact and likelihood, but rather a
> matrix, which is not linear but closer to reality.
>
> > Otherwise, my risk R of getting a bar of chocolate from a stranger is
> > 0.001 * getting_chocolate_bar_from_stranger.
>
> Having avoided carbs for quite a while I can't really comment...
>
> Cheers
> Steffen.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
>
> iD8DBQBAoH9tUmpSA4kzHnARAqKXAJ48SuIz+e3Yy/BOQnpAVBed8WHxugCZAT2n
> RtME3Nyfdy0FEi/2uBxtlnA=
> =h/s6
> -----END PGP SIGNATURE-----
>
>
> --__--__--
>
> Message: 3
> Date: Mon, 10 May 2004 23:09:57 -0500
> From: Troy Solo <[EMAIL PROTECTED]>
> Organization: DoK Heavy Industries
> To: undisclosed-recipients:;
> Subject: Re: [Full-Disclosure] Registry Watcher
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Pardon if list readers feel this application is 'unworthy' but AdAware
> Pro (the pay-for version) has a TSR called AdWatch, that will alert to
> ANY changes in the registry, no matter how trivial. Any time a registry
> entry is changed or created or deleted, AdWatch will alert you and give
> you the option to Accept or Deny.
>
> The only drawback is that, as far as I know, it is PC-specific. There
> is no distributed management of registry changes with AdWatch.
>
> You can check out AdAware (and AdWatch) at http://www.lavasoft.de
>
> Sorry if I have mis-read this thread, there has been so much
> signal:noise ratio in here that it's hard to keep up. Hope I didn't
> waste anyone's time (of course, if you've read this far, I must have
> kept your attention for SOME reason.)
>
> - --
> /**************************/
> /* Troy Solo              */
> /* <[EMAIL PROTECTED]>    */
> /* Ignotum per Ignotius   */
> /**************************/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFAoFIVmaXTPtvAkS0RAgbCAJ4s4rCSMdaZ+Bms9CgQMbyhGXeQlgCffYLN
> LbAUWB5YLehteB9S2aobVSQ=
> =Gyr/
> -----END PGP SIGNATURE-----
>
>
> --__--__--
>
> Message: 4
> Date: Tue, 11 May 2004 10:25:25 +0200
> From: Daniele Carlucci <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Vulnerabilites on a network
>
> Hi,
> My name is Daniele.
> I'm a student of Informatic Engineering at Politecnico of Torino in Italy.
> I'm doing a study on network security; can you tell me a link
> where I can find an index of the possible lacks of a network, for
> example DDOS, worms, congestion, etc. etc.
>
> Thanks for your time and for your interest.
>
> Daniele Carlucci
>
>
> --__--__--
>
> Message: 5
> From: Calum <[EMAIL PROTECTED]>
> Reply-To: Calum <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Learn from history?
> Date: Tue, 11 May 2004 10:21:33 +0100
>
> On Monday 10 May 2004 22:46, Gwendolynn ferch Elydyr wrote:
>
> > ... or you may gain glass splinters or razor blades. Do -you- trust
> > everything that random strangers give you?
>
> Maybe we should all stay indoors in case we get hit on the head by a meteor,
> or get knocked over by a car.
>
> It's all about judgement, and evaluating risks.
>
> --
>
> Random russian saying: An indispensable thing never has much value.
>
> jabber: [EMAIL PROTECTED]
> pgp: http://gk.umtstrial.co.uk/~calum/keys.php
> Linux 2.6.5-gentoo 10:19:12 up 11 days, 16 min, 1 user, load average: 0.26,
> 0.31, 0.19
>
>
> --__--__--
>
> Message: 6
> From: "Oliver Kellermann" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: [Full-Disclosure] Vulnerabilites on a network
> Date: Tue, 11 May 2004 11:52:36 +0200
>
> Hi!
>
> Try www.google.com. This should usually be the best start for every
> informatics engineering student.
>
> Cheers,
> Oliver
>
>
> > Hi,
> > My name is Daniele.
> > I'm a student of Informatic Engineering at Politecnico of Torino in Italy.
> > I'm doing a study on network security; can you tell me a link
> > where I can find an index of the possible lacks of a network, for
> > example DDOS, worms, congestion, etc. etc.
> >
> > Thanks for your time and for your interest.
> >
> > Daniele Carlucci
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> --__--__--
>
> Message: 7
> Subject: RE: [Full-Disclosure] Learn from history?
> Date: Tue, 11 May 2004 11:11:33 +0100
> From: "Jos Osborne" <[EMAIL PROTECTED]>
> To: "Full-Disclosure" <[EMAIL PROTECTED]>
>
> Michal Zalewski wrote:
>
> > If we must toy with bogus marketspeak "equations", shouldn't E - at the
> > very least - numerically correspond to the consequences (loss?) caused by
> > an event, rather than being an event itself?
> >
> > Otherwise, my risk R of getting a bar of chocolate from a stranger is
> > 0.001 * getting_chocolate_bar_from_stranger.
> >
>
> Or ten times that if you're prepared to give them your administrator password...
>
>
> --__--__--
>
> Message: 8
> Date: Tue, 11 May 2004 08:57:48 -0400
> From: Michael Schaefer <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: Full-Disclosure <[EMAIL PROTECTED]>
> Subject: [Full-Disclosure] Calcuating Loss
>
> Loss?
>
> One of my biggest complaints is the way the industry "loses billions"
> whenever a virus or worm breaks out.
>
> I mean, securing and maintaining your server is not a loss. Installing and
> updating your anti virus or IDS package is not a loss. All of these
> things should have been done anyway.
>
> If a server goes off line, I guess you could measure the revenue it may
> have produced as a loss, but technically, that is lack of income, not
> true loss.
>
> If you see someone complaining about all the money they lost doing what
> they should have been doing all along, I just see spin. And politics.
>
> M
>
>
> Michal Zalewski wrote:
>
> >> If we must toy with bogus marketspeak "equations", shouldn't E - at the
> >> very least - numerically correspond to the consequences (loss?) caused by
> >> an event, rather than being an event itself?
> >>
>
>
> --__--__--
>
> Message: 9
> Subject: RE: [Full-Disclosure] Calcuating Loss
> Date: Tue, 11 May 2004 14:24:31 +0100
> From: "Jos Osborne" <[EMAIL PROTECTED]>
> To: "Full-Disclosure" <[EMAIL PROTECTED]>
>
> > If you see someone complaining about all the money they lost doing what
> > they should have been doing all along, I just see spin. And politics.
> >
> > M
>
> Especially when it's an AV vendor saying "Look, the IT business lost $2.8 gazillion
> due to their being hit by this worm. If only they'd protected their systems with a
> reliable anti-virus product we'd all be that much richer. Oh, by the way, wanna buy a
> reliable anti-virus package...?"
>
> 90% Self-serving hype
> 9% Overblown fear
> 0.9% "Statistical maths"
> 0.1% Reality
>
>
> --__--__--
>
> Message: 10
> Date: Tue, 11 May 2004 17:29:44 +0400
> From: 3APA3A <[EMAIL PROTECTED]>
> Reply-To: 3APA3A <[EMAIL PROTECTED]>
> Organization: http://www.security.nnov.ru
> To: "Rafel Ivgi, The-Insider" <[EMAIL PROTECTED]>
> Cc: "bugtraq" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] msxml3.dll Parsing Error Crashes Internet Explorer Remotely Upon Refresh
>
> Dear Rafel Ivgi, The-Insider,
>
> No crash on 6.0.2800.
>
> --Monday, May 10, 2004, 10:27:40 PM, you wrote to [EMAIL PROTECTED]:
>
> RITI> msxml3.dll crashes after refreshing a page which contains & inside a
> RITI> link/value
> RITI> For Example : <Ref href = "&"/>
> RITI> This is due to a parsing error in msxml3.dll.
>
> RITI> Version Details:
> RITI> ---------------------
> RITI> I.E Version: 6.0.2600.0
> RITI> ModVer: 8.10.8308.0
> RITI> Module name: msxml3.dll
> RITI> Offset: 000b8c10
>
> RITI> Stack Dump:
> RITI> -----------------
> RITI> EAX=01CEE800
> RITI> EDI=01D02580
> RITI> EBX=00000000
> RITI> EBP=02C3F3E4
> RITI> ECX=00000000
> RITI> ESP=02C3FC74
> RITI> EDX=02D91364
> RITI> EIP=02E18C10
> RITI> ESI=00000000
> RITI> DS:00000004 GS:0000 ES:0023 SS:0023 CS:001B
>
> RITI> Live Example:
> RITI> http://theinsider.deep-ice.com/xmlcrash.xml
> RITI> AND REFRESH...
>
> RITI> _______________________________________________
> RITI> Full-Disclosure - We believe in it.
> RITI> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> --
> ~/ZARAZA
> Особую проблему составл