[ MDVSA-2010:255 ] php-intl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2010:255
http://www.mandriva.com/security/
_______________________________________________________________________

Package : php-intl
Date    : December 15, 2010
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability was discovered and corrected in php-intl:

Integer overflow in the NumberFormatter::getSymbol (aka numfmt_get_symbol) function in PHP 5.3.3 and earlier allows context-dependent attackers to cause a denial of service (application crash) via an invalid argument (CVE-2010-4409).

The updated packages have been upgraded to php-intl-1.1.2 and patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4409
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
e4150c29c342b12bf02f802692c3e9af  mes5/i586/php-intl-1.1.2-0.1mdvmes5.1.i586.rpm
cf1acac56b390efc3b731307a8d5b139  mes5/SRPMS/php-intl-1.1.2-0.1mdvmes5.1.src.rpm

Mandriva Enterprise Server 5/X86_64:
0c5c740e3a0596ba5223de67e4219f58  mes5/x86_64/php-intl-1.1.2-0.1mdvmes5.1.x86_64.rpm
cf1acac56b390efc3b731307a8d5b139  mes5/SRPMS/php-intl-1.1.2-0.1mdvmes5.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNCLRJmqjQ0CJFipgRAlM9AKCZel2zsKCm/8uDytkhQLB6l9xRegCdH3i7
t6AZrhZgu20J+8l2wggMT6Y=
=aPyA
-----END PGP SIGNATURE-----
[security bulletin] HPSBMA02615 SSRT100228 rev.1 - HP Insight Diagnostics Online Edition Running on Linux and Windows, Remote Cross Site Scripting (XSS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02652463
Version: 1

HPSBMA02615 SSRT100228 rev.1 - HP Insight Diagnostics Online Edition Running on Linux and Windows, Remote Cross Site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-12-14
Last Updated: 2010-12-14

Potential Security Impact: Remote cross site scripting (XSS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Insight Diagnostics Online Edition running on Linux and Windows. The vulnerability could be exploited remotely resulting in cross site scripting (XSS).

References: CVE-2010-4111

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Diagnostics Online Edition prior to v8.5.1.3712

Note: HP Insight Diagnostics Online Edition is provided in the Proliant Support Pack (PSP).

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2010-4111    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
===========================================================
 Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks ProCheckUp Ltd. for reporting this vulnerability to security-al...@hp.com.

RESOLUTION

HP has provided HP Insight Diagnostics Online Edition v8.5.1.3712 or subsequent to resolve this vulnerability.

The vulnerability in HP Insight Diagnostics Online Edition can be resolved by installing HP Insight Diagnostics Online Edition v8.5.1.3712 from the HP ProLiant Support Pack 8.6.

Note: The ProLiant Support Pack is available from www.hp.com by selecting 'Support & Drivers', select 'Download drivers and software (and firmware)' and then enter 'Proliant Support Pack' for the product.

HISTORY
Version:1 (rev.1) - 14 December 2010 Initial Release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particul
[security bulletin] HPSBMA02616 SSRT100231 rev.1 - HP Insight Management Agents Running on Linux and Windows, Remote Full Path Disclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02653973
Version: 1

HPSBMA02616 SSRT100231 rev.1 - HP Insight Management Agents Running on Linux and Windows, Remote Full Path Disclosure

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-12-14
Last Updated: 2010-12-14

Potential Security Impact: Remote full path disclosure

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Insight Management Agents running on Linux and Windows. The vulnerability could be exploited remotely resulting in full path disclosure.

References: CVE-2010-4112

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Management Agents prior to v8.6

Note: The HP Insight Management Agents product is provided in the Proliant Support Pack (PSP).

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2010-4112    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
===========================================================
 Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks ProCheckUp Ltd. for reporting this vulnerability to security-al...@hp.com.

RESOLUTION

HP has provided HP Insight Management Agents v8.6 or subsequent to resolve this vulnerability.

The vulnerability in HP Insight Management Agents can be resolved by installing HP Insight Management Agents v8.6 from the HP ProLiant Support Pack 8.6.

Note: The ProLiant Support Pack is available from www.hp.com by selecting 'Support & Drivers', select 'Download drivers and software (and firmware)' and then enter 'Proliant Support Pack' for the product.

HISTORY
Version:1 (rev.1) - 14 December 2010 Initial Release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Re: OpenBSD Paradox
> We has OpenBSD tell us:
>
> "We have never allowed US citizens or foreign citizens working in the
> US to hack on crypto code"
> http://marc.info/?l=openbsd-tech&m=129237675106730&w=2

That statement remains true.

IPSEC isn't 100% crypto; it is a complex layered subsystem with many other elements to it. In particular our IPSEC stack also supports the IPCOMP sub-protocol -- the same management framework moves compressed ip packets through the framework. This means that there are parts of the IPSEC stack that are 'dual use'. There are also many other parts of IPSEC which are related to non-encrypted encapsulations.

Our project permitted American developers to work on any part of the tree which was not specifically cryptography; in this particular instance that includes the parts of IPSEC which are 'dual use' or 'not related to cryptography'. We did not permit them to work on the crypto-specific parts.

> And is yes on the same thread, we have the presumed innocent until
> proven is guilty party conflict with team OpenBSD:
>
> "I will state clearly that I did not add backdoors to the OpenBSD
> operating system or the OpenBSD crypto framework (OCF)."
> "The timeline for my involvement with IPSec can be clearly
> demonstrated by looking at the revision history of:
> src/sys/dev/pci/hifn7751.c (Dec 15, 1999)

This is a driver for a crypto chip, but the driver itself does not do any cryptography. The driver moves things around so that the hardware can do the cryptography.

> src/sys/crypto/cryptosoft.c (March 2000)

revision 1.38
date: 2003/02/21 20:33:35;  author: jason;  state: Exp;  lines: +1 -6
There's no cleaning necessary for deflate compression, so remove it
from the switch.

Note, the commit message talks about compression.

> What is this time to stop the press!
>
> OpenBSD - "We is never allow Americans to work on crypto move is along"
> Perp - "Is when I worked on OpenBSD crypto..."
>
> Is we here see Paradox?
> For to this we create the BSD Paradox:
>
> Paradox - A paradox is a true statement or group of statements that
> leads to a contradiction or a situation which defies intuition.
>
> OpenBSD Paradox - There is no backdoor - that we knowingly admit to is
> know of. Is

That is a simplistic viewpoint held by your simplistic mind.
OpenBSD Paradox
Use your brain!

Is we think with our brain and ask: "how is team OpenBSD lying to is public" well then is the proof is in the porridge!

We has OpenBSD tell us:

"We have never allowed US citizens or foreign citizens working in the US to hack on crypto code"
http://marc.info/?l=openbsd-tech&m=129237675106730&w=2

And is yes on the same thread, we have the presumed innocent until proven is guilty party conflict with team OpenBSD:

"I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF)."

"The timeline for my involvement with IPSec can be clearly demonstrated by looking at the revision history of:
src/sys/dev/pci/hifn7751.c (Dec 15, 1999)
src/sys/crypto/cryptosoft.c (March 2000)
http://marc.info/?a=9036790799&r=1&w=2

What is this time to stop the press!

OpenBSD - "We is never allow Americans to work on crypto move is along"
Perp - "Is when I worked on OpenBSD crypto..."

Is we here see Paradox?

For to this we create the BSD Paradox:

Paradox - A paradox is a true statement or group of statements that leads to a contradiction or a situation which defies intuition.

OpenBSD Paradox - There is no backdoor - that we knowingly admit to is know of. Is
Re: OpenBSD's IPSEC is Backdoored
On 12/14/10 8:35 PM, musnt live wrote:
> Original e-mail is from Theo DeRaadt
> http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

Then also read Jason Wright's response and clear denial:
http://marc.info/?l=openbsd-tech&m=129244045916861&w=2

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security, 2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
[ MDVSA-2010:254 ] php
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2010:254
http://www.mandriva.com/security/
_______________________________________________________________________

Package : php
Date    : December 15, 2010
Affected: 2010.0, 2010.1
_______________________________________________________________________

Problem Description:

This is a maintenance and security update that upgrades php to 5.3.4 for 2010.0/2010.1.

Security Enhancements and Fixes in PHP 5.3.4:

* Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243).
* Fixed bug #53512 (NumberFormatter::setSymbol crash on bogus values) (CVE-2010-4409)

Please note that CVE-2010-4150, CVE-2010-3870, CVE-2010-3436, CVE-2010-3709, CVE-2010-3710 were fixed in previous advisories.

Key Bug Fixes in PHP 5.3.4 include:

* Added stat support for zip stream.
* Added follow_location (enabled by default) option for the http stream support.
* Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al.
* Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend multibyte at runtime.
* Multiple improvements to the FPM SAPI.
* Over 100 other bug fixes.

Additional post 5.3.4 fixes:

* Fixed bug #53517 (segfault in pgsql_stmt_execute() when postgres is down).
* Fixed bug #53541 (format string bug in ext/phar).

Additionally some of the PECL extensions have been upgraded and/or rebuilt for the new php version.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4409
http://bugs.php.net/bug.php?id=53517
http://bugs.php.net/bug.php?id=53541
http://www.php.net/ChangeLog-5.php#5.3.4
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2010.0:
51c55ecb17d2210accdf613c976f59a4  2010.0/i586/apache-mod_php-5.3.4-0.1mdv2010.0.i586.rpm
97f7b521655ab6116cb6a234e6f80764  2010.0/i586/libphp5_common5-5.3.4-0.1mdv2010.0.i586.rpm
3774b11ee026427f852f70fa81d6bc36  2010.0/i586/php-apc-3.1.6-0.1mdv2010.0.i586.rpm
414a6e9803d674cab2c1bdd30192c2d4  2010.0/i586/php-apc-admin-3.1.6-0.1mdv2010.0.i586.rpm
9a9e5109e74403a5f27b201a485dd0f8  2010.0/i586/php-bcmath-5.3.4-0.1mdv2010.0.i586.rpm
82792da2e73d05fb1ac96dd01e7df327  2010.0/i586/php-bz2-5.3.4-0.1mdv2010.0.i586.rpm
4b1f8a025bc06bc77606972a120b624a  2010.0/i586/php-calendar-5.3.4-0.1mdv2010.0.i586.rpm
2a7742b6b850dc9c24c144819499796a  2010.0/i586/php-cgi-5.3.4-0.1mdv2010.0.i586.rpm
d9921529289da226d002b0b54a163b43  2010.0/i586/php-cli-5.3.4-0.1mdv2010.0.i586.rpm
3cb0d17749a1eb0ec10fdd7198e42661  2010.0/i586/php-ctype-5.3.4-0.1mdv2010.0.i586.rpm
8b1d13671549660a8c26cd9c566cd311  2010.0/i586/php-curl-5.3.4-0.1mdv2010.0.i586.rpm
cafdb1d2ad8557c824ab2ff5c5015942  2010.0/i586/php-dba-5.3.4-0.1mdv2010.0.i586.rpm
fa714ef1db314bdb4b71904a408d83a2  2010.0/i586/php-devel-5.3.4-0.1mdv2010.0.i586.rpm
be2c1c9f5a9ef55f2695215e28901e65  2010.0/i586/php-dio-0.0.2-6.3mdv2010.0.i586.rpm
f00e6724d44f55fa7d4385fede50d8a4  2010.0/i586/php-doc-5.3.4-0.1mdv2010.0.i586.rpm
fbbb222bfed3e3d14d7ef621439f32fe  2010.0/i586/php-dom-5.3.4-0.1mdv2010.0.i586.rpm
f8bf3f1cfad6fc2491164d38249329e6  2010.0/i586/php-eaccelerator-0.9.6.1-0.3mdv2010.0.i586.rpm
89fddd11bb1a1b869350ed62640c4069  2010.0/i586/php-eaccelerator-admin-0.9.6.1-0.3mdv2010.0.i586.rpm
8291b82d95940b8dd55c2480edb0fc57  2010.0/i586/php-enchant-5.3.4-0.1mdv2010.0.i586.rpm
819bb39a1a77cff003a876e41d61565f  2010.0/i586/php-exif-5.3.4-0.1mdv2010.0.i586.rpm
3cdd26e27e3a903b582a36f9b53136cb  2010.0/i586/php-fam-5.0.1-10.3mdv2010.0.i586.rpm
8407e79c069e6c144c7707169e2040dc  2010.0/i586/php-fileinfo-5.3.4-0.1mdv2010.0.i586.rpm
a3ef81335333a23a8569ed3d458651d5  2010.0/i586/php-filepro-5.1.6-20.3mdv2010.0.i586.rpm
9364cbed8fdc4a1baac2a669b6143f5c  2010.0/i586/php-filter-5.3.4-0.1mdv2010.0.i586.rpm
baaf423a7512ae2b28e6792ef3b62ad7  2010.0/i586/php-fpm-5.3.4-0.1mdv2010.0.i586.rpm
cb4df0245abd7cd9f24f63309a77d177  2010.0/i586/php-ftp-5.3.4-0.1mdv2010.0.i586.rpm
56cfaeef1babf985d74f9d17fc899e7d  2010.0/i586/php-gd-5.3.4-0.1mdv2010.0.i586.rpm
945e781f42c5b7a52876766de3cf68ea  2010.0/i586/php-gettext-5.3.4-0.1mdv2010.0.i586.rpm
ab0c640ec4d5e6cfc23323a6ef549322  2010.0/i586/php-gmp-5.3.4-0.1mdv2010.0.i586.rpm
52ebab66ee7a55e0cf7ebe5124cf51e2  2010.0/i586/php-hash-5.3.4-0.1mdv2010.0.i586.rpm
880bc08442537c1d0260c927b631f96f  2010.0/i586/php-iconv-5.3.4-0.1mdv2010.0.i586.rpm
44e8cc3284a558be2ec51d9ba4f76e48  2010.0/i586/php-idn-1.2b-18.3mdv2010.0.i586.rpm
70c31ab8a9872c846b28987cf3890f46  2010.0/i586/php-imap-5.3.4-0.1mdv2010.0.i586.rpm
5f8e2ca2ca52c783bd5d5274b489f43f  2010.0/i586/ph
Re: hidden admin user on every HP MSA2000 G3
On Mon, 13 Dec 2010 hpdisclos...@anonmail.de wrote:

> i just found out that there is a hidden user on every HP MSA2000 G3
> SAN out there:
>
> username: admin
> password: !admin

Confirmed on P2000 G3 (fw L100R013).

(Please, HP, is it really necessary to give us *so many* different reasons to hate you?!)

> this user doesn't show up in the user manager, and the password
> cannot be changed - looks like the perfect backdoor for everybody.

The user was invisible but I was able to change its password in CLI with "set password admin password ..." (the change was effective, the old password was not valid any longer).

--
Pavel Kankovsky aka Peak                          / Jeremiah 9:21       \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /
www.eVuln.com : BBCode CSS XSS in slickMsg
www.eVuln.com advisory:
BBCode CSS XSS in slickMsg
Summary: http://evuln.com/vulns/162/summary.html
Details: http://evuln.com/vulns/162/description.html

-----------Summary-----------
eVuln ID: EV0162
Software: slickMsg
Vendor: n/a
Version: 0.7-alpha
Critical Level: low
Type: Cross Site Scripting
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )

-----------Description-----------
It is possible to inject XSS code (a CSS expression) into the CSS style generated for the size and color bbcodes. The "size" and "color" values are not properly sanitized before being used in CSS code.

Note: works in MS IE

-----------PoC/Exploit-----------
PoC code is available at:
http://evuln.com/vulns/162/exploit.html

-----------Solution-----------
Not available

-----------Credit-----------
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/xss/bbcode.html - recent bbcode xss advisories
www.eVuln.com : "post" - Non-persistent XSS in slickMsg
www.eVuln.com advisory:
"post" - Non-persistent XSS in slickMsg
Summary: http://evuln.com/vulns/161/summary.html
Details: http://evuln.com/vulns/161/description.html

-----------Summary-----------
eVuln ID: EV0161
Software: slickMsg
Vendor: n/a
Version: 0.7-alpha
Critical Level: low
Type: Cross Site Scripting
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )

-----------Description-----------
It is possible to inject XSS code into the "post" parameter of the "views/Post/edit/form.php" script. The "post" parameter is not properly sanitized before being used in HTML code.

Condition: register_globals: on

-----------PoC/Exploit-----------
PoC code is available at:
http://evuln.com/vulns/161/exploit.html

-----------Solution-----------
Not available

-----------Credit-----------
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/auth-bypass/ - recent Authentication Bypass vulns
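The two slickMsg advisories above (EV0162 and EV0161) describe the same root cause from two angles: untrusted values reaching a CSS style attribute (the size and color bbcodes) and untrusted text reaching HTML (the "post" parameter). The following is an added example written for this page; it is not slickMsg code (slickMsg is PHP) and not eVuln's PoC. The BBCode syntax, the accepted size range, the colour whitelist and the generated markup are assumptions. It shows the defensive pattern for both issues: CSS values are rebuilt only from data that passed a strict validator, and every run of text that reaches the output is HTML-escaped.

```python
import html
import re

# Added example, not slickMsg code. Tag syntax, size range and colour
# whitelist are assumptions made for this demonstration.

# Only integer pixel sizes in this closed range are accepted.
MIN_SIZE, MAX_SIZE = 8, 36

# A colour must be a CSS hex colour or one of a fixed set of names;
# nothing else can reach the generated style attribute.
HEX_COLOR = re.compile(r"#(?:[0-9a-f]{3}|[0-9a-f]{6})")
NAMED_COLORS = frozenset(
    {"red", "green", "blue", "black", "white", "gray", "orange", "purple"}
)

# [size=VALUE]text[/size] and [color=VALUE]text[/color]; the backreference
# makes the closing tag match the opening one.
TAG = re.compile(r"\[(size|color)=([^\]]*)\](.*?)\[/\1\]", re.IGNORECASE | re.DOTALL)


def safe_size(value):
    """Return the size as an int if it is a plain ASCII integer in range, else None.

    Rejecting anything that is not 1-3 ASCII digits also rejects units,
    semicolons and any attempt to append further CSS declarations.
    """
    if not re.fullmatch(r"[0-9]{1,3}", value):
        return None
    size = int(value)
    return size if MIN_SIZE <= size <= MAX_SIZE else None


def safe_color(value):
    """Return the normalised colour if it is hex or whitelisted, else None."""
    value = value.strip().lower()
    if HEX_COLOR.fullmatch(value) or value in NAMED_COLORS:
        return value
    return None


def render_bbcode(post):
    """Render [size] and [color] BBCodes to HTML.

    Text outside and inside tags is HTML-escaped (the fix for the reflected
    "post" parameter); the style attribute is built only from validated
    values (the fix for the BBCode CSS injection). A tag whose value fails
    validation keeps its text and loses its styling.
    """

    def replace(match):
        tag, raw_value, inner = match.group(1).lower(), match.group(2), match.group(3)
        body = render_bbcode(inner)  # nested tags of the other kind are handled recursively
        if tag == "size":
            size = safe_size(raw_value)
            if size is None:
                return body
            return '<span style="font-size: %dpx">%s</span>' % (size, body)
        color = safe_color(raw_value)
        if color is None:
            return body
        return '<span style="color: %s">%s</span>' % (color, body)

    # Walk the text so that only the non-tag segments are escaped, exactly once.
    out = []
    pos = 0
    for m in TAG.finditer(post):
        out.append(html.escape(post[pos:m.start()], quote=True))
        out.append(replace(m))
        pos = m.end()
    out.append(html.escape(post[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs: a valid post and two with bogus style values.
    for sample in (
        "[color=blue][size=10]hello[/size][/color] & <b>bye</b>",
        "[size=12px; background: url(x)]text[/size]",
        "[color=#ff0000; behavior: x]text[/color]",
    ):
        print(render_bbcode(sample))
```

The validator is deliberately a whitelist rather than a blacklist of dangerous substrings: a value like "12px" or "#ff0000; ..." is simply not an integer or not a bare colour, so no knowledge of which CSS constructs a given browser treats as script is required. Same-kind tags nested directly inside each other are not supported by this minimal parser; the inner opening tag would just be escaped as text.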
OpenBSD's IPSEC is Backdoored
Original e-mail is from Theo DeRaadt
http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

I have received a mail regarding the early development of the OpenBSD IPSEC stack. It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack, in particular the IPSEC stack. Around 2000-2001.

Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are.

The mail came in privately from a person I have not talked to for nearly 10 years. I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that
(a) those who use the code can audit it for these problems,
(b) those that are angry at the story can take other actions,
(c) if it is not true, those who are being accused can defend themselves.

Of course I don't like it when my private mail is forwarded. However the "little ethic" of a private mail being forwarded is much smaller than the "big ethic" of government paying companies to pay open source developers (a member of a community-of-friends) to insert privacy-invading holes in software.

From: Gregory Perry
To: "dera...@openbsd.org"
Subject: OpenBSD Crypto Framework
Thread-Topic: OpenBSD Crypto Framework
Thread-Index: AcuZjuF6cT4gcSmqQv+Fo3/+2m80eg==
Date: Sat, 11 Dec 2010 23:55:25 +
Message-ID: <8d3222f9eb68474da381831a120b1023019ac...@mbx021-e2-nj-5.exch021.domain.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Status: RO

Hello Theo,

Long time no talk. If you will recall, a while back I was the CTO at NETSEC and arranged funding and donations for the OpenBSD Crypto Framework. At that same time I also did some consulting for the FBI, for their GSA Technical Support Center, which was a cryptologic reverse engineering project aimed at backdooring and implementing key escrow mechanisms for smart card and other hardware-based computing technologies.

My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI.

Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.

This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn't want to create any derivative products based upon the same.

This is also why several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments, for example Scott Lowe is a well respected author in virtualization circles who also happens to be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments.

Merry Christmas...

Gregory Perry
Chief Executive Officer
GoVirtual Education

"VMware Training Products & Services"

540-645-6955 x111 (local)
866-354-7369 x111 (toll free)
540-931-9099 (mobile)
877-648-0555 (fax)

http://www.facebook.com/GregoryVPerry
http://www.facebook.com/GoVirtual
[USN-1024-2] OpenJDK regression
===========================================================
Ubuntu Security Notice USN-1024-2             December 13, 2010
openjdk-6 regression
https://launchpad.net/bugs/688522
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 10.10:
  openjdk-6-jdk                   6b20-1.9.2-0ubuntu2

After a standard system update you need to restart any Java services, applications or applets to make all the necessary changes.

Details follow:

USN-1024-1 fixed vulnerabilities in OpenJDK. Some of the additional backported improvements could interfere with the compilation of certain Java software. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that certain system property information was being leaked, which could allow an attacker to obtain sensitive information.

Updated packages for Ubuntu 10.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.2-0ubuntu2.diff.gz
      Size/MD5:   144304 adc24f6354df2a2a1ae1d024069f9cf7
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.2-0ubuntu2.dsc
      Size/MD5:     3004 b5b17735587556b44e8f661f56e2c912
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.2.orig.tar.gz
      Size/MD5: 73145170 16097f5b8d699fb72a7e9f4f40f7bc0a

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b20-1.9.2-0ubuntu2_all.deb
      Size/MD5: 19975574 e86e54e0edcb1ee7572a2cb8310c1a21
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b20-1.9.2-0ubuntu2_all.deb
      Size/MD5:  6155244 1e592facd826f092e948eca45d199616
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b20-1.9.2-0ubuntu2_all.deb
      Size/MD5: 26839560 46684345135ee2f3444a4c08e204bafd

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.2-0ubuntu2_amd64.deb
      Size/MD5:   430828 ab0dd71c758c1c606c547566484fc7ab
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.2-0ubuntu2_amd64.deb
      Size/MD5:    83390 d5e8d526e022c291f4c6c37fd54b665e
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.2-0ubuntu2_amd64.deb
      Size/MD5: 119310214 a331b97c32ebe934759dd4c879c2a798
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.2-0ubuntu2_amd64.deb
      Size/MD5:  2361192 d4046e2391f6bcf661bf4be219e01769
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.2-0ubuntu2_amd64.deb
      Size/MD5: 10856514 fb3b73f9c3c960594b60fee0bd31a283
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.2-0ubuntu2_amd64.deb
      Size/MD5: 25582314 92d0bcb779bfdc09ad79c26a03da4aa9
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.2-0ubuntu2_amd64.deb
      Size/MD5:   267252 93f44ba496f94ac2c8549e9db4099c07
    http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.2-0ubuntu2_amd64.deb
      Size/MD5:  2242408 0189fc3811c39f8769bd7908061e2beb

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.2-0ubuntu2_i386.deb
      Size/MD5:   416068 ae5cefb8d5fae5ef7ca2e71d5cc7eaaa
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.2-0ubuntu2_i386.deb
      Size/MD5:    78702 64782c55d8ee34c7da7591669b4fd2b4
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.2-0ubuntu2_i386.deb
      Size/MD5: 172650414 3f7d938530597a3d53c7ab67933e703c
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.2-0ubuntu2_i386.deb
      Size/MD5:  2348234 d73243c82be1514173abc1574af64e40
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.2-0ubuntu2_i386.deb
      Size/MD5: 10858410 b228042cf914be243478f9eb8b836ccc
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.2-0ubuntu2_i386.deb
      Size/MD5: 27410392 44019332daa4e4d46d1fade7ccb8b02e
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.2-0ubuntu2_i386.deb
      Size/MD5:   251276 11804e5988e0ba558127ff8c516f6456
    http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.2-0ubuntu2_i386.deb
      Size/MD5:  1922634 a3f31a76ec31e6ee34fb8d8bc0335b7b

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/m
iDefense Security Advisory 12.14.10: Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability
iDefense Security Advisory 12.14.10
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 14, 2010

I. BACKGROUND

Internet Explorer is a graphical web browser developed by Microsoft Corp. that has been included with Microsoft Windows since 1995. For more information about Internet Explorer, please visit the following website:

http://www.microsoft.com/ie/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Internet Explorer could allow an attacker to execute arbitrary code with the privileges of the current user.

During the instantiation of multiple ActiveX Controls, a particular object is created along with multiple references that point to the object. The object can be destroyed and its associated references removed. However, a reference can incorrectly remain pointing to the object. The invalid object resides in uninitialized memory, which the attacker may control to gain arbitrary execution control.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user viewing the web page. To exploit this vulnerability, a targeted user must load a malicious webpage created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into a compromised, trusted site.

IV. DETECTION

Microsoft Internet Explorer 6, 7 and 8 are vulnerable.

V. WORKAROUND

Microsoft suggested workarounds can be found in Microsoft Security Bulletin MS10-090.

VI. VENDOR RESPONSE

Microsoft Corp. has released patches which address this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown.

http://www.microsoft.com/technet/security/Bulletin/MS10-090.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-3340 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

03/24/2010  Initial Vendor Notification
03/24/2010  Initial Vendor Reply
12/14/2010  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Aniway.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Re: [Full-disclosure] minor browser UI nitpicking
> 1) Yup, pretty unconvincing. Though one could separate window shadows,

I'm guessing you have your window manager configured to render window shadows. In this case, this is less plausible, yup, unless you do the inverted gradient trick.

> 2) Where is "here"? :)

I tried to dig something up, but couldn't. But we definitely had these around 2001-2003, culminating in browsers removing the ability to do location=no in window.open().

/mz
[security bulletin] HPSBOV02618 SSRT100354 rev.1 - HP OpenVMS Integrity Servers, Local Denial of Service (DoS), Gain Privileged Access
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02656471
Version: 1

HPSBOV02618 SSRT100354 rev.1 - HP OpenVMS Integrity Servers, Local Denial of Service (DoS), Gain Privileged Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-12-14
Last Updated: 2010-12-14

Potential Security Impact: Local Denial of Service (DoS), gain privileged access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP OpenVMS Integrity Servers. The vulnerability could be locally exploited to create a Denial of Service (DoS) or to gain privileged access to system resources.

References: CVE-2010-4110

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenVMS Itanium v 8.3, v 8.3-1H1, v 8.4.

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference        Base Vector                    Base Score
  CVE-2010-4110    (AV:L/AC:L/Au:S/C:P/I:P/A:C)   5.7
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following patch kits available to resolve the vulnerability. Mandatory Update Patch (MUP) for OpenVMS Integrity customers is provided in kits to be downloaded from the ITRC. Patch kit information and installation instructions are provided with each kit.

To download the MUP from the ITRC:
- Go to http://itrc.hp.com/service/patch/mainPage.do
- Login using ID/e-mail and password
- Search from the below OpenVMS patches for the Patch Kit Image name

  HP OpenVMS Version   Platform   Patch kit Image
  v 8.3                Itanium    VMS83I_SYS_MUP-V1600
  v 8.3-1H1            Itanium    VMS831H1I_SYS_MUP-V1300
  v 8.4                Itanium    VMS84I_MUP-V0200

PRODUCT SPECIFIC INFORMATION
None

HISTORY
Version:1 (rev.1) - 14 December 2010 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches -check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems -verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either
ASPR #2010-12-14-1: Remote Binary Planting in Windows Address Book
=[BEGIN-ACROS-REPORT]=

PUBLIC

=
ACROS Security Problem Report #2010-12-14-1
-
ASPR #2010-12-14-1: Remote Binary Planting in Windows Address Book
=

Document ID: ASPR #2010-12-14-1-PUB
Vendor: Microsoft Corp. (http://www.microsoft.com)
Target: Windows Address Book & Windows Contacts
Impact: Remote execution of arbitrary code
Severity: Very high
Status: Official patch available, workarounds available
Discovered by: Simon Raner of ACROS Security
CVSS score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE ID: CVE-2010-3147
CWE ID: CWE-426: Untrusted Search Path

Current version
http://www.acrossecurity.com/aspr/ASPR-2010-12-14-1-PUB.txt

Summary
===

A "binary planting" [1] vulnerability in Windows Address Book and Windows Contacts allows local or remote (even Internet-based) attackers to deploy and execute malicious code on Windows machines in the context of logged-on users.

Product Coverage
===

- Windows Server 2003
- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2

Analysis
===

As a result of an incorrect dynamic link library loading in Windows Address Book and Windows Contacts (wab.exe), an attacker can cause her malicious DLL to be loaded and executed from local drives, remote Windows shares, and even shares located on the Internet.

All a remote attacker has to do is plant a malicious DLL with a specific name (wab32res.dll) on a network share and get the user to open any .WAB, .VCF or .CONTACT file from this network location - which should require minimal social engineering. Once the user opens the file, wab.exe makes an unsafe call to LoadLibrary("wab32res.dll"). As this DLL is not present on the system, its malicious version gets loaded from the current working directory.

Windows systems by default have the Web Client service running - which makes remote network shares accessible via WebDAV -, thus the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet. A systematic attack could deploy malicious code to a large number of Windows workstations in a short period of time, possibly as an Internet worm.

Visit http://www.binaryplanting.com/ for more information on binary planting vulnerabilities and attacks.

Mitigating Factors
==

- A firewall blocking outbound WebDAV traffic (in addition to blocking all Windows Networking protocols) could stop an Internet-based attack.
- Microsoft's CWDIllegalInDllSearch hotfix [2] can stop a network-based exploitation of this vulnerability.

Solution
===

Microsoft has issued a security bulletin [3] and published an update for Windows Address Book and Windows Contacts that fixes this issue.

Workaround
==

- Stopping the Web Client service could stop Internet-based attacks as long as the network firewall stops outbound Microsoft Networking protocols. This would not, however, stop remote LAN-based attacks where the attacker is able to place a malicious DLL on a network share inside the target (e.g., corporate) network.
- General recommendations for limiting or stopping binary planting attacks are available at http://www.binaryplanting.com/guidelinesAdministrators.htm

Related Services
===

ACROS is offering professional consulting on this issue to interested corporate and government customers. Typical questions we can help you answer are:

1) To what extent is your organization affected by this issue?
2) Is it possible to get remote code from the Internet launched inside your network? Can this be demonstrated?
3) Have you adequately applied the remedies to remove the vulnerability?
4) Are there circumstances in your environment that might prevent the effectiveness of this fix?
5) Are there other workarounds that you could implement to fix this issue more efficiently and/or inexpensively?
6) Are your systems or applications vulnerable to other similar issues?

Interested parties are encouraged to ask for more information at secur...@acrossecurity.com.

Background
==

ACROS Security has performed an extensive Binary Planting research project, focused on various types of vulnerabilities where an attacker with low privileges can place (i.e., "plant") a malicious executable file (i.e., "binary") to some possibly remote location and get it launched by some vulnerable application running on the user's computer. The research found that binary planting vulnerabilities are affecting a large percentage of Windows applications and often allowing for trivial exploitation: it identified ~520 remotel
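The Mitigating Factors and Workaround sections above name two host-side controls: Microsoft's CWDIllegalInDllSearch hotfix setting and the Web Client service. The following PowerShell audit is an added example, not part of the ACROS report or any Microsoft tooling; it reports the state of both on the local machine. It assumes the hotfix value is a DWORD named CWDIllegalInDllSearch under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (the location documented for Microsoft's hotfix KB2264107), that the values 1, 2 and 0xFFFFFFFF carry the meanings that documentation gives them, and that the Web Client service is registered under the service name WebClient.

```powershell
# Added audit example (not from the ACROS report or from Microsoft).
# Assumptions: CWDIllegalInDllSearch is a DWORD under the Session Manager key
# (as documented for hotfix KB2264107); the Web Client service name is "WebClient".

function Get-CwdDllSearchMitigation {
    # Reports whether the current working directory has been removed from the
    # machine-wide DLL search order. Value is $null when the setting is absent,
    # which means the default search order (CWD still consulted) is in effect.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -Path $key -Name 'CWDIllegalInDllSearch' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Value   = $null
            Meaning = 'Value absent: CWD is still searched for DLLs (hotfix not installed or not configured)'
        }
    }
    # DWORDs come back as signed Int32, so 0xFFFFFFFF reads as -1; normalise it.
    $raw = [int64]$item.CWDIllegalInDllSearch
    if ($raw -lt 0) { $raw += 4294967296 }
    $meaning = switch ($raw) {
        4294967295 { 'CWD removed from the DLL search path entirely' }
        2          { 'DLL loads from CWD blocked when CWD is a WebDAV or UNC share' }
        1          { 'DLL loads from CWD blocked when CWD is a WebDAV share only' }
        0          { 'Hotfix present but disabled: CWD is still searched' }
        default    { "Unrecognised value $raw" }
    }
    return [pscustomobject]@{ Value = $raw; Meaning = $meaning }
}

function Get-WebClientServiceState {
    # The Web Client service is what lets an Internet WebDAV share act as the
    # working directory from which wab32res.dll would be resolved.
    $svc = Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'WebClient service not present on this host' }
    return "WebClient service is $($svc.Status)"
}

function Invoke-BinaryPlantingAudit {
    $dll = Get-CwdDllSearchMitigation
    $shown = if ($null -eq $dll.Value) { '<absent>' } else { '0x{0:X8}' -f $dll.Value }
    Write-Output ('CWDIllegalInDllSearch = {0}: {1}' -f $shown, $dll.Meaning)
    Write-Output (Get-WebClientServiceState)
    if ($null -eq $dll.Value -or $dll.Value -eq 0) {
        Write-Output 'Finding: working directory is still in the DLL search order; apply the vendor update (MS bulletin [3]) and consider the hotfix setting.'
    }
}

Invoke-BinaryPlantingAudit
```

Run it in an elevated PowerShell session so the Session Manager key is readable. The hotfix setting is a machine-wide defence against this whole class of current-directory DLL loads, whereas the vendor update fixes only wab.exe, so the two findings are reported independently.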
minor browser UI nitpicking
Hi folks,

Two minor things that do not deserve a lengthy discussion, but are probably mildly interesting and worth mentioning for the record:

1) Chrome browser is an interesting example of the perils of using minimalistic window chrome, allowing multiple windows to be spliced seamlessly to confuse the user as to the origin of the displayed content. An unconvincing Windows-specific proof-of-concept: http://lcamtuf.coredump.cx/chsplice/

2) I reported this to the vendor a long time ago, and could not get them to commit to a specific fix: Safari allows windows without the address bar and other essential chrome, akin to the behavior of other browsers circa 10 years ago. This essentially makes all other address spoofing vulnerabilities redundant, as the attacker has the ability to decorate windows arbitrarily (you can look up ancient proof-of-concept exploits for Netscape or MSIE here).

/mz
iDefense Security Advisory 12.14.10: Microsoft Internet Explorer CSS Style Table Layout Uninitialized Memory Vulnerability
iDefense Security Advisory 12.14.10
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 14, 2010

I. BACKGROUND

Internet Explorer is a graphical web browser developed by Microsoft Corp. that has been included with Microsoft Windows since 1995. For more information about Internet Explorer, please visit the following website: http://www.microsoft.com/ie/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Internet Explorer could allow an attacker to execute arbitrary code with the privileges of the current user.

The vulnerability exists due to an uninitialized variable in the "CLayout::EnsureDispNode" method. This method is called to recalculate the location of various HTML elements within the page. This function passes a "CDispNodeInfo" object to another function, "CLayout::GetDispNodeInfo," which is supposed to initialize the object passed in; however, the function fails to properly initialize a flag's value that is used later to determine how many "extra" bytes to allocate for a heap buffer. This eventually leads to an undersized buffer being allocated to hold a "CDispClipNode" object in the "CLayout::EnsureDispNodeCore" function. The vulnerability manifests itself when the "CDispNode::SetUserClip" function attempts to use the invalid "extra size" to calculate an offset into the object and manipulate a bit at this location. This corrupts the object's VTABLE by setting the second bit to 1, which can lead to the execution of arbitrary code when this pointer is accessed later.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user viewing the Web page. To exploit this vulnerability, a targeted user must load a malicious Web page. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites. After the user visits the malicious Web page, no further user interaction is needed.

IV. DETECTION

Microsoft Internet Explorer 6, 7 and 8 are vulnerable.

V. WORKAROUND

Microsoft suggested workarounds can be found in Microsoft Security Bulletin MS10-090.

VI. VENDOR RESPONSE

Microsoft Corp. has released patches which address this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown.

http://www.microsoft.com/technet/security/Bulletin/MS10-090.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-3962 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/11/2010 Initial Vendor Notification
08/11/2010 Initial Vendor Reply
12/14/2010 Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by José Antonio Vázquez González.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
OSSTMM 3 Now Available!
Hi,

The OSSTMM has been released today at www.osstmm.org. It's a big document so you may want to check out some of the reviews and commentary on it first. InfoSec Island is having an OSSTMM week to spread the word: https://www.infosecisland.com/osstmm.html

Some of the articles available:

* Security Benefit and Operational Impact or the "Illusion of Infinite Resources"
  https://www.infosecisland.com/blogview/10251-Security-Benefit-and-Operational-Impact-or-the-Illusion-of-Infinite-Resources.html
* OSSTMM v3 From A Client's Perspective
  https://www.infosecisland.com/blogview/10214-OSSTMM-v3-From-A-Clients-Perspective.html
* OSSTMM 2.2 to 3 - a long trail!
  https://www.infosecisland.com/blogview/10216-OSSTMM-22-to-3-a-long-trail.html
* Tiempos de Cambio: OSSTMM 3 - Una Introducción
  https://www.infosecisland.com/blogview/10215-Tiempos-de-Cambio-OSSTMM-3-Una-Introduccin-.html
* Security, Trust and How We Are Broken - SecTor 2010
  https://www.infosecisland.com/security-videos-view/10197-Security-Trust-and-How-We-Are-Broken-SecTor-2010.html
* Methodologies: Cleaning the Mental Gutters
  https://www.infosecisland.com/blogview/9138-Methodologies-Cleaning-the-Mental-Gutters.html
* Implementing OSSTMM Strategies Creates Value
  https://www.infosecisland.com/blogview/8340-Implementing-OSSTMM-Strategies-Creates-Value.html
* Better Security Through Sacrificing Maidens
  https://www.infosecisland.com/blogview/6646-Better-Security-Through-Sacrificing-Maidens.html

And many more! Check it out!

Sincerely,
-pete.

--
Pete Herzog - Managing Director - p...@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org
www.eVuln.com : "post" - Non-persistent XSS in slickMsg
www.eVuln.com advisory: "post" - Non-persistent XSS in slickMsg
Summary: http://evuln.com/vulns/161/summary.html
Details: http://evuln.com/vulns/161/description.html

---Summary---
eVuln ID: EV0161
Software: slickMsg
Vendor: n/a
Version: 0.7-alpha
Critical Level: low
Type: Cross Site Scripting
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )

---Description---
It is possible to inject xss code into "post" parameter in "views/Post/edit/form.php" script. Parameter "post" is not properly sanitized before being used in HTML code.
Condition: register_globals: on

---PoC/Exploit---
PoC code is available at: http://evuln.com/vulns/161/exploit.html

---Solution---
Not available

---Credit---
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/auth-bypass/ - recent Authentication Bypass vulns
Re: [Full-disclosure] Linux kernel exploit
But he said that RedHat (and thus CentOS) doesn't have Econet enabled by default.

--Ariel

fireb...@backtrack.com.br wrote:
> I tested it on a VM with CentOS 5.5 i386 updated and did not work.
>
> Last login: Tue Dec 13 12:48:54 2010
> [r...@localhost~]#nano full-nelson.c
> [r...@localhost~]#gcc-o full-nelson.c full-nelson
> [r...@localhost~]#./full-nelson
> [*] Failed to open file descriptors.
> [r...@localhost~]# uname-a
> Linux localhost.localdomain 2.6.18-194.26.1.el5 # 1 SMP Thu Nov 9 12:54:40
> EST 2010 i686 i686 i386 GNU/Linux
> [r...@localhost~]#
>
> My 10 cents:)
>
> @firebitsbr
>

--
Ariel Biener
e-mail: ar...@post.tau.ac.il
PGP: http://www.tau.ac.il/~ariel/pgp.html
Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
On 12/13/2010 11:19 AM, Michael Bauer wrote:
> An administrator is very different there are many levels of administrative control in windows to say an admin is an admin is absurd.

I disagree. There's only one level of pwned.

> There is a big difference between a local admin and a domain admin.

Yes, local vs. network is sometimes a useful distinction. But joining a machine to the domain gives it a bit more power to attack other stuff on the domain. And how many domain-joined systems do not also include Domain Admins as Local Admins?

> There are many types of admin in windows and all of them have different levels of permission.

I disagree.

> I would be very scared to have anyone taking care of any of my systems windows or NIX who thought an admin was an admin and root is root.

You ought to be scared anyway. There's a new local exploit here every few days or weeks.

> Here is a reference showing the different SIDs for some common windows accounts. Http://support.microsoft.com/kb/24333 If you take time to read it you will see there are numerous types of windows administrator all with different permissions.

I know MS set out to define all these different capabilities and so on. My impression is that much of that was suggested by Orange Book. But they supposedly obtained this Orange Book certification yet still installed notepad.exe as world-writable by default.

In practice, those distinctions rarely hold up under scrutiny. Remember "Guest User" vs "User" vs "Power User"? MS has greatly de-emphasized the utility of boundaries between privileges in the OS over time, preferring instead to invent new ones that were more relevant to the times. Witnesseth the recent discussions about the elevation token and IE protected mode.

The best you can hope for is to maintain an effective boundary between normal users and root/admin. But usually as soon as you install a few off-the-shelf Windows or shareware apps, it's gone.

Try this: install your favorite "productivity" app in a non-default directory, e.g. C:\, then look at the filesystem permissions on its executable folder (and everywhere it might load DLLs from). Then note that (just a wild guess) it probably runs some dll-preloader and system tray icon processes for everyone who logs in - even Admins.

Even on a pristine OS install, the next local escalation bug is just a matter of time, and that's just the published ones. The bad guys likely have plenty already.

If you're lucky, you might be able to maintain an effective security boundary between a local computer and the network. Don't waste your time trying to protect machines from users who have unsupervised physical access anyway.

- Marsh
Re: [Full-disclosure] Linux kernel exploit
Hey Dan,

Freaking THANK YOU first and foremost. I've been waiting for someone to say that for days now, and was just about to myself. Just because everyone and their brother wants to show off that they can compile & run some software (herp a derp, good job) DOESN'T mean they should immediately post it here. I tested it against an OLDER KERNEL on purpose because I actually read the headers and the exploit worked as expected. I knew that this was responsibly disclosed, so it was already patched on any system that I updated. If you don't have the proper symbols, then the exploit doesn't have the proper offsets, and the exploit will fail. Plain and simple. *THEN* there's people who don't even bother to read that "Red Hat does not support Econet by default". DOES NOT. As in the exploit WON'T WORK! It's pathetic that the original exploit dev has to waste his time saying the same thing 5 times.

Ryan Sears

- Original Message -
From: "dan j rosenberg"
To: "Cal Leeming [Simplicity Media Ltd]" , full-disclosure-boun...@lists.grok.org.uk, "Ariel Biener"
Cc: "leandro lista" , fireb...@backtrack.com.br, bugtraq@securityfocus.com, full-disclos...@lists.grok.org.uk
Sent: Monday, December 13, 2010 4:08:05 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Linux kernel exploit

Please don't inundate me with e-mail because none of you bothered to read the exploit header. The exploit so far has a 100% success rate on the systems it was designed to work on. I don't think this is rocket science.

If your distribution does not compile Econet, then the exploit obviously won't be able to open an Econet socket. This includes Arch Linux, Gentoo, Fedora, Red Hat, CentOS, Slackware, and more. This doesn't mean you're not vulnerable, it just means this particular exploit won't work.

If your distro doesn't export the relevant symbols (Debian), ditto above.

If your distro has patched the Econet vulnerabilities I used to trigger this (Ubuntu), ditto above.

This was done on purpose, to avoid giving a weaponized exploit to people who shouldn't have one.

-Dan

Sent from my Verizon Wireless BlackBerry

-Original Message-
From: "Cal Leeming [Simplicity Media Ltd]"
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Mon, 13 Dec 2010 20:40:45
To: Ariel Biener
Cc: ; ; ;
Subject: Re: [Full-disclosure] Linux kernel exploit

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
> The attack has some academically interesting details about how cached
> credentials work, but I agree with Stefan. If you own the machine, you own
> the machine. What's to stop you from, say, simply installing a rootkit?

Exactly. More importantly, even if you must make users local admins, there is never *any* reason why the domain administrator should interactively log onto a workstation as the domain administrator anyway. Service personnel log on with support accounts, not the domain admin accounts. If they do, well, then you've got other problems.

But in this case even if a domain admin logs in interactively (or via RDP), it's not an issue. Cached credentials can't be used for anything other than to log on to the local machine if there is no DC available. After a domain account logs on to a local system, after AD authenticates the request, then *another* hash is made of the hashed password with *a different salt* each time, for each user cached.

As far as the academic interest, cached account behavior is a documented process which has been around for years, local admin overwrite capabilities included.

t
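The post above turns on two workstation settings: how many domain logons the machine caches for offline use, and whether domain administrator accounts are in the local Administrators group at all. The following PowerShell audit is an added example, not part of this thread and not anything its participants posted; it reports both. It assumes the CachedLogonsCount value (a REG_SZ, default 10 when absent) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and the Get-LocalGroupMember cmdlet shipped with Windows 10 / Server 2016 and later; neither is something the thread states.

```powershell
# Added audit example (not from the thread). Assumptions: CachedLogonsCount is
# the REG_SZ value under the Winlogon key (absent means the Windows default of
# 10), and Get-LocalGroupMember is available (Windows 10 / Server 2016+).

function Get-CachedLogonsCount {
    # Number of domain logons whose verifiers are cached for use when no DC is
    # reachable; 0 disables caching entirely.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }   # Windows default when the value is absent
    return [int]$item.CachedLogonsCount
}

function Get-LocalAdminDomainMembers {
    # Domain principals (users, or groups such as Domain Admins) that sit in
    # the local Administrators group. Any of them that has logged on here
    # leaves a cached verifier on this host that a local admin can reach.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        Select-Object -ExpandProperty Name
}

function Invoke-CachedLogonAudit {
    $count = Get-CachedLogonsCount
    if ($count -eq 0) {
        Write-Output 'CachedLogonsCount = 0: no domain logons are cached on this host'
    } else {
        Write-Output "CachedLogonsCount = $count: up to $count domain logons are cached on this host"
    }
    $members = @(Get-LocalAdminDomainMembers)
    if ($members.Count -eq 0) {
        Write-Output 'No domain principals in local Administrators'
    } else {
        Write-Output 'Domain principals in local Administrators (their cached logons are exposed to any local admin):'
        $members | ForEach-Object { Write-Output "  $_" }
    }
}

Invoke-CachedLogonAudit
```

On workstations that are always within reach of a domain controller, a lower CachedLogonsCount limits what is stored locally; keeping domain admin accounts off interactive workstation logons, as the post recommends, means there is nothing of value to cache in the first place. The audit only surfaces the two facts; it changes nothing.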
Re: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
Everyone. Please read my original post. I never claimed to gain access to networked resources using the masqueraded account. My method merely shows that you can modify the SAM and SECURITY hives without using DLL injection or any other advanced technique that security Admins are currently looking for when it comes to advanced persistent threats.

On Dec 13, 2010 11:54 AM, "Kurt Dillard" wrote:
> So far I agree with Thor. Did I miss something? Has anyone demonstrated
> using the locally cached credentials to access resources across the network?
> So far I haven't seen anything new or interesting in this thread:
>
> 1. StenoPlasma claims that a local admin can access and reuse the cached
> credentials of other users.
> 2. Stefan, Thor, et al yawn.
> 3. Joyce, Andrea, and perhaps others seem to be conflating local access
> (what StenoPlasma was talking about) with gaining domain admin privileges on
> domain controllers and other resources on separate machines (which nobody
> appears to have shown is possible using locally cached credentials).
>
> If I've missed something obvious please educate me.
>
> Regards,
>
> Kurt Dillard
>
> -Original Message-
> From: katt...@gmail.com [mailto:katt...@gmail.com] On Behalf Of Andrea Lee
> Sent: Monday, December 13, 2010 2:12 PM
> To: Thor (Hammer of God)
> Cc: George Carlson; bugtraq@securityfocus.com;
> full-disclos...@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching
> Allows Local Workstation Admins to Temporarily Escalate Privileges and Login
> as Cached Domain Admin Accounts (2010-M$-002)
>
> I hope I'm not just feeding the troll...
>
> A local admin is an admin on one system. The domain admin is an admin on all
> systems in the domain, including mission critical Windows servers. With
> temporary domain admin privs, the local admin could log into the AD and
> change permissions / passwords for another user or another user, thus
> getting full admin rights on all systems for a long period of time. Plus
> whatever havoc might be caused by having the ability to change rights on
> fileshares to allow the new domain admin to see confidential files..
>
> I would expect that the intent is to use another flaw for a normal user to
> become a local admin, and then jump to domain admin via this.
>
> So yes. In an enterprise environment, the "domain administrator" is
> "bigger".
>
> Cheers,
>
> On Fri, Dec 10, 2010 at 4:15 PM, Thor (Hammer of God) wrote:
>> Wow. I guess you didn't read the post either. I'm a bit surprised that a
>> Sr. Network Engineer thinks that Group Policies "differentiate between local
>> and Domain administrators." You're making it sound like you think Group
>> Policy application has some "magic permissions" or something, or that a
>> "domain administrator" is a "bigger" administrator than the local
>> administrator.
>>
>> Group Policy loads from the client via the Group Policy Client service.
>> If I'm a local admin, I can just set my local system to not process group
>> policy via the GPExtensions hive. Done. If I take the domain admin out of
>> my local administrators, they can't do anything. Done.
>>
>> How exactly do you think this is problematic for "shops that differentiate
>> between desktop support and AD support"? (whatever that means).
>>
>> t
>>
>>>-Original Message-
>>>From: full-disclosure-boun...@lists.grok.org.uk
>>>[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of
>>>George Carlson
>>>Sent: Friday, December 10, 2010 10:12 AM
>>>To: bugtraq@securityfocus.com; full-disclos...@lists.grok.org.uk
>>>Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account
>>>Caching Allows Local Workstation Admins to Temporarily Escalate
>>>Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
>>>
>>>Your objections are mostly true in a normal sense. However, it is not
>>>true when Group Policy is taken into account. Group Policies
>>>differentiate between local and Domain administrators and so this
>>>vulnerability is problematic for shops that differentiate between
>>>desktop support and AD support.
>>>
>>>George Carlson
>>>Sr. Network Engineer
>>>(804) 423-7430
>>>
>>>-Original Message-
>>>From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de]
>>>Sent: Friday, December 10, 2010 11:30 AM
>>>To: bugtraq@securityfocus.com; full-disclos...@lists.grok.org.uk
>>>Cc: stenopla...@exploitdevelopment.com
>>>Subject: Re: Flaw in Microsoft Domain Account Caching Allows Local
>>>Workstation Admins to Temporarily Escalate Privileges and Login as
>>>Cached Domain Admin Accounts (2010-M$-002)
>>>
>>>"StenoPlasma @ www.ExploitDevelopment.com" wrote:
>>>
>>>Much ado about nothing!
>>>
>>> TITLE: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts
>>>
>>>There is NO privilege escalation. A local administrator is an
>>>administrator is an administ
Re: hidden admin user on every HP MSA2000 G3
Can anyone confirm this vulnerability? I don't have a MSA for testing at the moment.

> Hi,
>
> i just found out that there is a hidden user on every HP MSA2000 G3
> SAN out there:
>
> username: admin
> password: !admin
>
> this user doesn't show up in the user manager, and the password
> cannot be changed - looks like the perfect backdoor for everybody.
Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
Maybe what some of us need to learn from this is that we should never think in absolutes such as local VS domain users. There are numerous account types and overrides to take into account with any OS, and they change. This is more of a wakeup call to brush up on our understanding of permissions. I know this is not a vulnerability, but it was a great posting to wake some of us up and remind us that things are never absolute when it comes to permissions. We learn about things in such a manner that we forget to think outside the box. Even if controls are designed to work a specific way, that doesn't mean they will. This is not directed at anyone, rather an observation that might help others with similar thoughts on the subject.

Mike

Sent from my iPhone

On Dec 13, 2010, at 1:15 PM, "David Gillett" wrote:
>> If I take the domain admin out of my local administrators, they can't do
>> anything. Done.
>
> Back when I did AD/domain support, all domain user accounts got a profile
> that included a trivial script to re-add Domain Admins to the Local Admins
> group. So this kind of local removal shenanigans lasted only until the user
> next logged into the domain.
>
> David Gillett
Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
"Andrea Lee" wrote:

> I hope I'm not just feeding the troll...

No. You just made a complete fool of yourself. :-P
Read the initial post again. CAREFULLY. Especially that part about
unplugging from the network.

> A local admin is an admin on one system. The domain admin is an admin
> on all systems in the domain, including mission critical Windows
> servers.

Correct so far.

> With temporary domain admin privs,

What are "temporary domain admin privs"? If you meant to say "cached
credentials", just use "cached credentials".

> the local admin could log into the AD

A local admin (or better: a local user account) CAN'T log into the AD.
Only domain user accounts can.
Cached credentials are stored for domain accounts only, and are only
used when the AD is NOT available during login. They are NEVER used to
log in to another computer!

> and change permissions / passwords for another user or
> another user, thus getting full admin rights on all systems for a long
> period of time. Plus whatever havoc might be caused by having the
> ability to change rights on fileshares to allow the new domain admin
> to see confidential files..
>
> I would expect that the intent is to use another flaw for a normal
> user to become a local admin, and then jump to domain admin via this.

You've got the wrong expectations. And: there is no "jump"!

> So yes. In an enterprise environment, the "domain administrator" is "bigger".

GIGO!

Stefan

[ braindead fullquote removed ]
Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
"StenoPlasma @ ExploitDevelopment" wrote:

Your MUA is defective, it strips the "References:" header!

> Stefan,
>
> For your information:
>
> Cached domain accounts on a local system are not stored in the SAM. They
> are stored in the SECURITY registry hive. When a cached domain user logs
> in to the system, they do not authenticate against the SAM (as you can see
> in my article, I am not editing the SAM).

OUCH! Obviously you have NOT understood a single word!

It is COMPLETELY irrelevant where cached credentials are stored on the
local computer, and I haven't written anything about that.

Logins with local user accounts are authenticated against the resp. SAM,
whereas logins with domain user accounts are authenticated against the
resp. AD. Only if the latter is not available are cached credentials used.

Stefan

[ another braindead fullquote removed ]
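The two replies above both turn on the same mechanism: Windows keeps a cached copy of domain logons so a domain account can still sign in when no domain controller is reachable, and those cached entries exist for domain accounts only. The workstation-side knob that controls how many such logons are kept is the Winlogon value CachedLogonsCount (exposed in Group Policy as "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"). The PowerShell below is an added example, not code from any poster in this thread; it reads that value and reports whether the machine is domain-joined at all. The field names in the output object and the threshold of 4 used for the advisory text are choices made for this example, not anything the thread states.

```powershell
# Added example: report the cached-domain-logon policy on the local machine.
# Requires an elevated session to read HKLM reliably on hardened systems.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# CachedLogonsCount is stored as a REG_SZ string; absent means the Windows default (10).
$raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $raw -or $raw -eq '') { $count = 10 } else { $count = [int]$raw }

# Cached credentials only matter for domain accounts, so check domain membership.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Threshold of 4 is this example's choice (a common hardening baseline), not from the thread.
$advice = if (-not $cs.PartOfDomain) {
    'Not domain-joined: no domain logons are cached on this machine'
} elseif ($count -eq 0) {
    'Caching disabled: domain logons fail when no DC is reachable'
} elseif ($count -gt 4) {
    "Consider lowering CachedLogonsCount via Group Policy (currently $count)"
} else {
    'OK'
}

[PSCustomObject]@{
    ComputerName      = $cs.Name
    PartOfDomain      = $cs.PartOfDomain
    Domain            = $cs.Domain
    CachedLogonsCount = $count
    Advice            = $advice
}
```

Run it on a few workstations to see which ones will still accept a domain logon while disconnected from the network, which is exactly the scenario the original post relies on; lowering the count (or setting it to 0 on machines that never leave the LAN) shrinks that window without changing anything about local accounts.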
