Re: [Full-disclosure] Windows is very holy

2006-12-21 Thread Michele Cicciotti
> > Windows is very very holy.
> Don't you mean hole'y?  ;-)

Time for a gratuitous Sluggy Freelance reference!



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [TOOL] untidy - XML Fuzzer

2006-12-21 Thread Andres Riancho
List,

   I'm glad to release a beta version of untidy; untidy is a general
purpose XML fuzzer. It takes a string representation of an XML document as
input and generates a set of modified, potentially invalid, XML documents
based on the input. It's released under GPL v2 and written in Python.

   http://untidy.sourceforge.net/

Cheers,

-- 
Andres Riancho



Re: [Full-disclosure] Windows is very holy

2006-12-21 Thread Jim Popovitch
On Thu, 2006-12-21 at 20:37 -0500, Jim Popovitch wrote:
> On Thu, 2006-12-21 at 02:28 +, Aaron Gray wrote:
> > Windows is very very holy.
> 
> Don't you mean hole'y?  ;-)

OK, why do I get bounce messages from 

  [EMAIL PROTECTED] (sub: Posting error: Secure Computing)

  [EMAIL PROTECTED] (sub: Blogger post failed)

Seems to me that if you are smart enough to fwd email to a third place,
you would be smart enough to have it accept from everyone (not just
yourself).

-Jim P.



Re: [Full-disclosure] Windows is very holy

2006-12-21 Thread Jim Popovitch
On Thu, 2006-12-21 at 02:28 +, Aaron Gray wrote:
> Windows is very very holy.

Don't you mean hole'y?  ;-)

-Jim P.



Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-21 Thread Michele Cicciotti
> Holy mackerel! Instances of this bug date back to 1999!

Different bug. That appears to be a trivial exhaustion of CSRSS worker threads 
through indiscriminate calls to MessageBox+MB_SERVICE_NOTIFICATION, which 
causes a DoS as no threads are available to serve kernel-mode requests from 
win32k, stalling GUI processes. I have done my fair share of CSRSS reversing in 
my better days, and I'm pretty sure that in Windows 2000 and later, a dedicated 
thread is used for such notifications, not just any thread, any time. Easily 
verifiable with local net sends and Spy++. It wasn't a "bug" either, more like 
a serious design flaw that ignored a very basic Win32 mantra ("don't do GUI in 
a worker thread") - not at all like this double-free.




Re: [Full-disclosure] Windows is very holy

2006-12-21 Thread Valdis Kletnieks
On Thu, 21 Dec 2006 23:15:41 GMT, Aaron Gray said:

> Sorry a dog not lions !

Of course, even the most bad-ass canine can be taken down by sufficient
strength:

"Herakles asked Plouton [Haides] for Kerberos, and was told to take the hound if
he could overpower it without using any of the weapons he had brought with him.
He found Kerberos at the gates of Akheron, and there, pressed inside his armour
and totally covered by the lion's skin, he threw his arms round its head and
hung on, despite bites from the serpent-tail, until he convinced the beast with
his choke-hold. Then, with it in tow, he made his ascent through Troizen. After
showing Kerberos to Eurystheus, he took it back to Haides' realm." -
Apollodorus, The Library 2.125

or cleverness:

"Huge Cerberus, monstrously couched in a cave confronting them, made the whole
region echo with this three-throated barking. The Sibyl, seeing the snakes
bristling upon his neck now, threw him for bait a cake of honey and wheat
infused with sedative drugs. The creature, crazy with hunger, opened its three
mouths, gobbled the bait; then its huge body relaxed and lay, sprawled out on
the ground, the whole length of its cave kennel. Aeneas, passing its entrance,
the watch-dog neutralized, strode rapidly from the bank of that river [Styx] of
no return." - Virgil, Aeneid 6.417

http://www.theoi.com/Ther/KuonKerberos.html

There's a security-related moral somewhere in there. :)



Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-21 Thread Pukhraj Singh
Holy mackerel! Instances of this bug date back to 1999!

http://groups.google.ca/group/microsoft.public.win32.programmer.kernel/browse_thread/thread/c5946bf40f227058/7bd7b5d66a4e5aff

--Pukhraj

On 12/21/06, Alexander Sotirov <[EMAIL PROTECTED]> wrote:
> 3APA3A wrote:
> > Killer{R} assumes the problem is in strcpy(), because it should not be
> > used for overlapping buffers, but at least ANSI implementation of strcpy
> > from Visual C should be safe in this very situation (copying to lower
> > addresses). Maybe code is different for Windows XP or vulnerability is
> > later in code.
>
> We discovered this bug some time ago and were preparing an advisory when it 
> was
> publicly disclosed. Since the exploit is already public, here's my analysis of
> the vulnerability:
>
> http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html
>
> It's a double free bug that leads to arbitrary code execution in the CSRSS 
> process.
>
> Alex



Re: [Full-disclosure] Windows is very holy

2006-12-21 Thread Aaron Gray
Sorry a dog not lions !
  - Original Message - 
  From: Aaron Gray 
  To: full-disclosure@lists.grok.org.uk 
  Sent: Thursday, December 21, 2006 2:28 AM
  Subject: [Full-disclosure] Windows is very holy


  Windows is very very holy.

  Microsoft may draw castles guarded by lions round PC's in adverts but we know 
better.

  Aaron


Re: [Full-disclosure] [WEB SECURITY] comparing information security to other industries

2006-12-21 Thread Nick FitzGerald
Jason Muskat, GCFA, GCUX, de VE3TSJ wrote:

> People, programmers, computers, software, design patterns, systems, and
> infrastructure are constantly changing, often being reinvented. As such,
> will never be stable.
> 
> Concrete of a type is always the same and therefore predictable. One can
> state with certainty that a concrete slab will perform to design. This will
> ever be possible in IT.
> 
> Many commercially produced software products don't have any warranty. Many
> even state that the software is not warranted for any function or purpose.

That's _because_ software makers argued long and hard for a special 
exemption from most standard producer liability regulations and laws, 
and in many cases also for protection from consumer protection laws.

They made this argument mainly along the lines you opened your comments 
with -- "everything is so complex and forever changing that if we had 
to do proper design, specification and testing we'd never produce 
anything and meeting those normal legal requirements would make 
everything ever so much less innovative and slower and only the very 
largest companies could ever afford to even think about writing 
software".

This -- particularly the "cost will bury us" part -- is _still_ the 
main argument the OSS folk make against any and all suggestions that 
software liability rules should be tightened up.

Thus, as NOT providing such guarantees is legally sanctioned, you 
cannot really use it as an argument supporting the "any old slop we put 
on the disk will do" approach we have suffered from for far too long.

> ... The fact that the software does something that one thinks it should do
> is incidental. 

Yep.

Given you seem so strongly in favour of the current "couldn't really 
give a shit" view of software "quality", you'll be rushing to sign my 
petition requiring all university and other educational courses in 
"computer science" to change their names to "computer art & craft" or 
"computer guesswork" or something similarly accurately describing their 
professional endorsement of hit-and-miss, slop it all in a bucket then 
pour it through a compiler we especially dumbed down to not give a rat's 
arse about quality approach, and for "software engineering" courses to 
similarly remove their abuse of the term "engineering"...


Regards,

Nick FitzGerald



Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-21 Thread Alexander Sotirov
3APA3A wrote:
> Killer{R} assumes the problem is in strcpy(), because it should not be
> used for overlapping buffers, but at least ANSI implementation of strcpy
> from Visual C should be safe in this very situation (copying to lower
> addresses). Maybe code is different for Windows XP or vulnerability is
> later in code.

We discovered this bug some time ago and were preparing an advisory when it was
publicly disclosed. Since the exploit is already public, here's my analysis of
the vulnerability:

http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html

It's a double free bug that leads to arbitrary code execution in the CSRSS 
process.

Alex



Re: [Full-disclosure] Fun with event logs (semi-offtopic)

2006-12-21 Thread Michele Cicciotti
> Yes, probably this bug only affects event viewer itself. I don't
> understand how and why Microsoft achieved this effect in event viewer,
> which is, by the way, security tool, and if it's hard for different
> vendor to make same mistake.

For what it's worth, the updated viewer in Windows Vista can show string 
inserts separately, in a list. IIRC its XML export function exports them 
separately, too.




Re: [Full-disclosure] [fuzzing] NOT a 0day! Re: OWASP Fuzzing page

2006-12-21 Thread Jerome Athias
Gadi Evron a écrit :
> On Tue, 12 Dec 2006, Joxean Koret wrote:
>   
>> Wow! That's fun! The so called "Word 0 day" flaw also affects
>> OpenOffice.org! At least, 1.1.3. And, oh! Abiword does something cool
>> with the file:
>> 
>
> This is NOT a 0day. It is a disclosed vulnerability in full-disclosure
> mode, on a mailing list (fuzzing mailing list).
>
> I am not sure why I got this 10 times now, I thought the days of these
> bounces were over. But I am tired of seeing every full-disclosure
> vulnerability called a 0day anymore.
>
> A 0day, whatever definition you use, is used in the wild before people are
> aware of it.
It makes sense and I totally agree with you.
But the fact is that the things change (and not always in the right 
direction :-()... due to the society, money, research of popularity...
Please remember us also the sense of the word "hacker" for instance, 
since nowadays it's often used to speak about "bad guy/blackhat/pirate" - 
I hope you'll agree that it's not the (our) sense.

/JA



[Full-disclosure] [NETRAGARD-20061220 SECURITY ADVISORY] @Mail WebMail Cross Site Scripting Vulnerability

2006-12-21 Thread Netragard Security Advisories

Netragard, L.L.C Advisory

Strategic Reconnaissance Team

http://www.netragard.com -- "We make I.T. Safe."

[POSTING NOTICE]
--
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated.

Netragard Research: http://www.netragard.com/html/recent_research.html






[About Netragard]
--
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals
and not those of automated scanners and tools.  This advisory is the
product of research done by the Strategic Reconnaissance Team.





[Advisory Information]
--
Contact : Adriel T. Desautels
Researcher  : Philippe C. Caturegli
Advisory ID : NETRAGARD-20061206
Product Name: @ Mail
Product Version : 4.51
Vendor Name : Calacode
Type of Vulnerability   : XSS with filter evasion technique.
Effort  : Easy

--
Netragard Security Note:

Source code obfuscation does not reduce the risk profile of any
application as it has no impact on vulnerabilities that might exist
within a particular application. @Mail code was obfuscated using basic
obfuscation techniques.





[Product Description]
--
"@Mail is a feature rich Email Solution, providing a complete WebMail
interface for accessing email-resources via a web-browser or wireless
device."


-- http://www.atmail.com --





[Technical Summary]
--
@Mail does not properly sanitize email. While @Mail does pre-append
a  tags. This failure makes @Mail vulnerable to Cross-site
Scripting Attacks ("XSS") via filter evasion.





[Technical Details]
--
@Mail renders HTML emails by default. (Note: we did not find a way to
disable this feature.) The emails that are received are parsed by the
following code located in Global.pm which disarms basic XSS attacks.





---8<--- SNIP Global.pm line 626 -> 635 SNIP ---8<---
my ( $I1I11I11I11I, $I1I111III1II );$_ =
$III1II1II1II->II1II1I11111($I1I1II1II1I11II1);if (/)/ 635 SNIP ---8<---

The above code will replace  with , but the
security created by the filtering process can be defeated. This is
because most web browsers assume that non-alpha-non-digit characters
are invalid after an HTML keyword and as such they are treated as
white-space. An attacker can use this knowledge to attack @Mail users.

Example:

"\s" matches any white space character (space and tab, as
well as \n and \r characters). "
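The filter weakness the advisory describes, as an added example that is not Netragard's or @Mail's code: a literal-token blacklist (the kind of replacement the advisory says is defeated) beside an allowlist rewrite that ends the tag name at the first non-alphanumeric character, both checked against a constructed model of the lenient tag parsing the advisory attributes to browsers of the time. The allowlist, the sample messages and the function names are assumptions made for this example.

```python
import re

# Constructed sample messages (not taken from the advisory). The second one
# puts a non-alphanumeric byte after the tag name; per the advisory, browsers
# of the time treated such bytes as whitespace, so the tag still took effect.
SAMPLES = {
    "plain":   "<p>hi</p><script>alert(1)</script>",
    "evasion": "<p>hi</p><script\x0b>alert(1)</script>",
}

def naive_filter(html):
    """Blacklist one literal token: the approach the advisory says is defeated."""
    return html.replace("<script>", "&lt;script&gt;")

# Tag name = the leading run of [A-Za-z0-9] after '<' (and an optional '/').
# Whatever follows the name, attributes or stray bytes, is discarded.
TAG_RE = re.compile(r"<(/?)([A-Za-z0-9]+)[^>]*>")
ALLOWED = {"p", "b", "i", "br"}  # hypothetical allowlist for this example

def allowlist_filter(html):
    """Keep only bare, allowlisted tags; neutralise every other '<...>'."""
    def rewrite(m):
        slash, name = m.group(1), m.group(2).lower()
        if name in ALLOWED:
            return "<%s%s>" % (slash, name)
        return m.group(0).replace("<", "&lt;").replace(">", "&gt;")
    return TAG_RE.sub(rewrite, html)

def looks_like_live_script(html):
    """Model of the lenient parser the advisory describes: a '<script' tag
    counts as live whenever the character after the name is not alphanumeric."""
    return re.search(r"<script(?![A-Za-z0-9])", html, re.I) is not None

def compare():
    """Return {sample: (naive filter bypassed, allowlist filter bypassed)}."""
    return {k: (looks_like_live_script(naive_filter(v)),
                looks_like_live_script(allowlist_filter(v)))
            for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for k, (naive, strict) in compare().items():
        print("%-8s naive bypassed: %-5s allowlist bypassed: %s" % (k, naive, strict))
```

Regex-based HTML filtering stays fragile even in the allowlist form; for production mail rendering, a parser-based sanitiser that rebuilds the document from an allowlist is the defensible choice.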