Re: [Full-disclosure] Another exploit against apache or kernel

2005-05-11 Thread Frank Knobbe
On Tue, 2005-05-10 at 17:04 -0500, Paul Schmehl wrote:
 SecFilterSelective THE_REQUEST ip-hide would stop this attack cold.

Paul, I think Adrian put ip-hide in there to mask his server's IP
address in the log. It's not part of the web request the external party
made.

Cheers,
Frank



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [USN-124-1] Mozilla and Firefox vulnerabilities

2005-05-11 Thread Martin Pitt
===
Ubuntu Security Notice USN-124-1   May 11, 2005
mozilla-firefox, mozilla vulnerabilities
CAN-2005-1153, CAN-2005-1154, CAN-2005-1155, CAN-2005-1156,
CAN-2005-1157, CAN-2005-1158, CAN-2005-1160
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

mozilla-browser
mozilla-firefox

The problem can be corrected by upgrading the affected package to
version 1.0.2-0ubuntu5.1 (mozilla-firefox) and 2:1.7.6-1ubuntu2.1
(mozilla-browser).  After a standard system upgrade you need to
restart your browser to effect the necessary changes.

Please note that Ubuntu 5.04 (Warty Warthog) is also affected; this
release will be fixed soon in a separate advisory.

Details follow:

When a popup is blocked the user is given the ability to open that
popup through the popup-blocking status bar icon and, in Firefox,
through the information bar.  Doron Rosenberg noticed that popups
which are permitted by the user were executed with elevated
privileges, which could be abused to automatically install and execute
arbitrary code with the privileges of the user.  (CAN-2005-1153)

It was discovered that the browser did not start with a clean global
JavaScript state for each new website.  This allowed a malicious web
page to define a global variable known to be used by a different site,
allowing malicious code to be executed in the context of that site
(for example, sending web mail or automatic purchasing).
(CAN-2005-1154)

Michael Krax discovered a flaw in the favicon links handler.  A
malicious web page could define a favicon link tag as JavaScript,
which could be exploited to execute arbitrary code with the privileges
of the user.  (CAN-2005-1155)

Michael Krax found two flaws in the Search Plugin installation.  This
allowed malicious plugins to execute arbitrary code in the context of
the current site.  If the current page had elevated privileges (like
about:plugins or about:config), the malicious plugin could even
install malicious software when a search was performed.
(CAN-2005-1156, CAN-2005-1157)

Kohei Yoshino discovered two missing security checks when Firefox
opens links in its sidebar.  This allowed a malicious web page to
construct a link that, when clicked on, could execute arbitrary
JavaScript code with the privileges of the user.  (CAN-2005-1158)

Georgi Guninski discovered that the types of certain XPInstall
related JavaScript objects were not sufficiently validated when they
were called.  This could be exploited by a malicious website to crash
Firefox or even execute arbitrary code with the privileges of the
user.  (CAN-2005-1159)

Firefox did not properly verify the values of XML DOM nodes of web
pages.  By tricking the user to perform a common action like clicking
on a link or opening the context menu, a malicious page could exploit
this to execute arbitrary JavaScript code with the full privileges of
the user.  (CAN-2005-1160)

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2-0ubuntu5.1.diff.gz
  Size/MD5:   830197 4ce184fa78a64ea7b7080534b7bb4855

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2-0ubuntu5.1.dsc
  Size/MD5: 1696 1d3777c903164f487f0f1b3710acfc93

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2.orig.tar.gz
  Size/MD5: 41023585 7e98ce4aefc5ea9b5f1f35b7a0c58f60

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla/mozilla_1.7.6-1ubuntu2.1.diff.gz
  Size/MD5:   314103 47b87f40b60e80d62eaccf9760632dd2

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla/mozilla_1.7.6-1ubuntu2.1.dsc
  Size/MD5: 1767 1c1dde816d6772fd3e6d47334757c61b

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla/mozilla_1.7.6.orig.tar.gz
  Size/MD5: 30587697 800f8d3877193a5d786d9ce4e3d1e400

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/m/mozilla/libnspr-dev_1.7.6-1ubuntu2.1_amd64.deb
  Size/MD5:   168060 ed2993df33ab89c2f256385cb8c29146

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla/libnspr4_1.7.6-1ubuntu2.1_amd64.deb
  Size/MD5:   139634 30cabc7ee95013519fc0e96220a45265

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla/libnss-dev_1.7.6-1ubuntu2.1_amd64.deb
  Size/MD5:   184942 2915e105352efa7bedcf7de8f4c4d653

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla/libnss3_1.7.6-1ubuntu2.1_amd64.deb
  Size/MD5:   708458 47ff7e80d251d1c0bcb2b1bcdf5cefef

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla/mozilla-browser_1.7.6-1ubuntu2.1_amd64.deb
  Size/MD5: 10591978 a8cc6ec3a71921fa1daeeacbe8ec85dc

http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla/mozilla-calendar_1.7.6-1ubuntu2.1_amd64.deb
  Size/MD5:   403262 
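The advisory lists each archive with a Size/MD5 pair. The following is an added example, not part of USN-124-1 or of Ubuntu's own tooling: it parses those "URL / Size/MD5:" pairs and checks a downloaded file against them, leaving out any entry whose checksum line is missing (as with the truncated mozilla-calendar line above) so that an incomplete record can never produce a false pass. SAMPLE_ADVISORY is copied from the advisory text; the bytes used in the demo are constructed.

```python
import hashlib
import os
import re

# Added example; not part of the USN-124-1 advisory or of Ubuntu's tooling.
# SAMPLE_ADVISORY is copied from the advisory above, including its
# truncated last entry; the demo bytes at the bottom are constructed.
SAMPLE_ADVISORY = """\
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2-0ubuntu5.1.dsc
  Size/MD5: 1696 1d3777c903164f487f0f1b3710acfc93

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla/mozilla_1.7.6-1ubuntu2.1.dsc
  Size/MD5: 1767 1c1dde816d6772fd3e6d47334757c61b

http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla/mozilla-calendar_1.7.6-1ubuntu2.1_amd64.deb
  Size/MD5:   403262 
"""

# A complete checksum line: decimal size, then a 32-hex-digit MD5.
SIZE_MD5_RE = re.compile(r"^\s*Size/MD5:\s*(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_advisory_checksums(text):
    """Map file name -> (size, md5) for every complete URL/Size/MD5 pair.

    An entry whose Size/MD5 line is missing or incomplete is left out
    rather than stored with a bogus value, so a later check cannot pass
    by accident.
    """
    table = {}
    pending_url = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("http://", "https://")):
            pending_url = stripped          # remember the URL, wait for its checksum line
            continue
        m = SIZE_MD5_RE.match(line)
        if m and pending_url is not None:
            name = pending_url.rsplit("/", 1)[-1]
            table[name] = (int(m.group(1)), m.group(2).lower())
        pending_url = None                  # any other line ends the pair
    return table


def compare(actual_size, actual_md5, expected_size, expected_md5):
    """Size first (cheap, catches truncated downloads), then the digest."""
    if actual_size != expected_size:
        return False, f"size mismatch: expected {expected_size}, got {actual_size}"
    if actual_md5.lower() != expected_md5.lower():
        return False, f"md5 mismatch: expected {expected_md5}, got {actual_md5}"
    return True, "ok"


def check_bytes(data, expected_size, expected_md5):
    """Check an in-memory download; returns (ok, reason)."""
    return compare(len(data), hashlib.md5(data).hexdigest(), expected_size, expected_md5)


def verify_file(path, table):
    """Look the file up by name in the parsed table and check it on disk."""
    name = os.path.basename(path)
    if name not in table:
        return False, f"{name}: no complete Size/MD5 entry in advisory"
    expected_size, expected_md5 = table[name]
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:        # do not hash a 41 MB tarball needlessly
        return compare(actual_size, "", expected_size, expected_md5)
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return compare(actual_size, h.hexdigest(), expected_size, expected_md5)


if __name__ == "__main__":
    print(parse_advisory_checksums(SAMPLE_ADVISORY))
    # Constructed demo: md5("abc") is the RFC 1321 test vector
    # 900150983cd24fb0d6963f7d28e17f72.
    print(check_bytes(b"abc", 3, "900150983cd24fb0d6963f7d28e17f72"))
    print(check_bytes(b"abd", 3, "900150983cd24fb0d6963f7d28e17f72"))
```

A Size/MD5 pair catches truncated or corrupted downloads and a casual substitution; it is not an authenticity check, since MD5 collisions were already practical by 2005. The authoritative check for these packages is the signature on the .dsc and on the archive's Release file, which apt verifies for you when the packages are installed through the normal upgrade path.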

[Full-disclosure] [Scan Associates Advisory] Neteyes Nexusway multiple vulnerabilities

2005-05-11 Thread pokley
Product : Neteyes Nexusway (http://www.neteyes.com.tw)
Description: Neteyes Nexusway multiple vulnerabilities
Severity: Very High
Description
===
The NexusWay is a Multiservice Border Gateway that provides the
Multiaccess and Multiservice capabilities in the border segment of an
enterprise network.
Detail
==
Weak authentication in web module
---------------------------------
By sending crafted HTTP cookies, any user with access to port 443 on the
Neteyes Nexusway may use this vulnerability to become the Neteyes Nexusway
admin. This allows the user to change any configuration on this device.
Example:
	# curl -k -b 'cyclone500_write=1; cyclone500_auth=1;  client_ip1;client=0.0.0.0' https://192.168.1.135/index.cgi

Escaping to Operating System shell in SSH module
------------------------------------------------
A user with access to the SSH module may be able to reach a shell or execute
any command with root privileges on the Neteyes Nexusway by passing a crafted
argument to certain commands. This allows the user to do anything on this
device.
Example:
 ping ;sh
 traceroute ;sh
Remote command execution in web module
--------------------------------------
Any user with access to port 443 on the Neteyes Nexusway is able to fully
control the device by sending a specially crafted request to certain
administration scripts. The web server runs as root on these devices.
Example:

https://192.168.1.135/nslookup.cgi?ip=localhost%26%26cat%20/stand/htdocs/config/admin
https://192.168.1.135/ping.cgi?ip=localhost%26%26touch+/tmp/test
Workaround
==
Disable Web Administration module
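The advisory describes two defect classes: a diagnostic parameter (`ip=`) that reaches a shell, and an admin session that is nothing more than a client-supplied cookie flag. The following is an added example and not code from the Nexusway device or from Scan Associates; it shows each defect in a generic CGI-style handler next to the fix a defender would apply. The parameter and cookie names follow the advisory's own examples; the signing key and session format are assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress
import re
import subprocess

# Added example; not code from the Nexusway device or the advisory.
# Cookie and parameter names follow the advisory's examples; the key and
# the session cookie format are assumptions for this example.

# RFC 1123-style hostname: dot-separated labels of letters, digits, hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command_line(ip_param):
    """Vulnerable pattern (ping.cgi?ip=...): the parameter becomes part of a
    string a shell will parse, so '&&' or ';' ends the ping and starts
    whatever follows. Returned, not executed, so it can be shown safely."""
    return "ping -c 1 " + ip_param


def is_safe_target(value):
    """Accept only a literal IP address or a syntactically valid hostname;
    anything a shell could interpret (space, ';', '&', '|', '/') fails."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def build_ping_argv(ip_param):
    """Hardened: validate, then pass argv directly so no shell re-parses it."""
    if not is_safe_target(ip_param):
        raise ValueError("rejected target parameter")
    return ["ping", "-c", "1", ip_param]


def run_ping(ip_param, timeout=10):
    """Execute the hardened form; shell=False keeps argv as a list."""
    result = subprocess.run(build_ping_argv(ip_param), shell=False,
                            capture_output=True, text=True, timeout=timeout)
    return result.returncode, result.stdout


def weak_is_admin(cookie_header):
    """The check the advisory's curl example implies: the client asserts
    cyclone500_auth=1 and the server believes it. Nothing here is secret."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies.get("cyclone500_auth") == "1"


def make_session_cookie(username, key):
    """Server-issued cookie: username plus an HMAC only the server can compute."""
    mac = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{mac}"


def verify_session_cookie(cookie_value, key):
    """Return the username if the MAC verifies, else None. A client that
    writes 'admin' or any flag into the cookie by itself gets None."""
    if ":" not in cookie_value:
        return None
    username, mac = cookie_value.rsplit(":", 1)
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    injected = "localhost&&touch /tmp/test"      # decoded form of the advisory's URL
    print(vulnerable_command_line(injected))     # a shell would run both commands
    print(is_safe_target(injected), is_safe_target("192.168.1.135"))
    print(weak_is_admin("cyclone500_write=1; cyclone500_auth=1;  client_ip1;client=0.0.0.0"))
    key = b"constructed-example-key"
    print(verify_session_cookie(make_session_cookie("admin", key), key),
          verify_session_cookie("admin:0000", key))
```

The HMAC cookie shows the minimum property the device's cookie lacks: the client cannot mint it. A production session should go further (a random server-side session id with expiry, issued only after a real login, over TLS), and until the vendor ships a fix the advisory's workaround of disabling the web administration module removes both web-side issues at once.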


RE: [Full-disclosure] Useless tidbit (MS AntiSpyware)

2005-05-11 Thread Randall M


:-Original Message-
:From: [EMAIL PROTECTED] 
:[mailto:[EMAIL PROTECTED] On Behalf 
:Of Nick FitzGerald
:Sent: Tuesday, May 10, 2005 6:17 PM
:To: full-disclosure@lists.grok.org.uk
:Subject: RE: [Full-disclosure] Useless tidbit (MS AntiSpyware)
:
:
:_THAT_ is a far larger problem you should have considered long 
:before you discovered that one (or more) of the many 
:band-aid programs (like MS AntiSpyware, most other 
:anti-spywares, known virus scanning antivirus programs, 
:software firewalls, and so on) so commonly advocated by lame 
:(or hamstrung) system admins has this (and dozens of
:other) trivial, stupid holes.
:
:
:Regards,
:
:Nick FitzGerald
:

Nick,
Would you please elaborate further on this? I read it to say we should have
cleaned out the machines first by hand and we are lame or hamstrung for
relying on anti-virus, anti-spyware programs to find them.

RandallM



Re: [Full-disclosure] sendmail exploit

2005-05-11 Thread migalo digalo
 Of course, if you're still running 8.8, there's about 3 zillion OTHER issues
 you  could exploit instead
 
 
 
I think it's really an 8.8 (redhat6.2) and not a honeypot or something like
that, if that's what you mean, and yes, nessus gives other critical warnings
about apache 1.3.12; the snag is there is no working exploit for those
vulnerabilities (or at least I can't find any) and I have no time to
make one myself.
So Valdis, can you give me some examples of the "about 3 zillion OTHER
issues you could exploit instead"?


Re: [Full-disclosure] sendmail exploit

2005-05-11 Thread Ralph Angenendt
migalo digalo wrote:
  Of course, if you're still running 8.8, there's about 3 zillion OTHER issues
  you  could exploit instead
  
  
 I think it's really an 8.8 (redhat6.2) and not a honeypot or something like
 that,

No. If it's a RH 6.2 box, the sendmail version is 8.11.6.

Ralph



Re: [Full-disclosure] sendmail exploit

2005-05-11 Thread Andrew Simmons
Hi Migalo,
migalo digalo wrote:
Of course, if you're still running 8.8, there's about 3 zillion OTHER issues
you  could exploit instead
I think it's really an 8.8 (redhat6.2) and not a honeypot or something like
that, if that's what you mean, and yes, nessus gives other critical warnings
about apache 1.3.12; the snag is there is no working exploit for those
vulnerabilities (or at least I can't find any) and I have no time to
make one myself.
So Valdis, can you give me some examples of the "about 3 zillion OTHER
issues you could exploit instead"?

A good start would be:
http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sendmail
http://www.securityfocus.com/bid/keyword/ (search for sendmail)
You'll have to review each vuln listed to see whether it affects your 
version.

cheers
Andrew
Speaking for myself only
--
Andrew Simmons
Technical Security Consultant
MessageLabs
[EMAIL PROTECTED]
 www.messagelabs.com
MessageLabs - Be certain
__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
__


RE: [Full-disclosure] sendmail exploit

2005-05-11 Thread Lauro, John
Redhat typically patches items such as sendmail without changing the
version number (rpm -q sendmail to get the full redhat version).  So,
many of the exploits for 8.8 probably are not there, assuming the
system was kept up2date while RedHat supported 6.2...  Of course,
RedHat hasn't supported 6.2 for a long time now, so some issues are
likely unpatched...


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of migalo
digalo
Sent: Wednesday, May 11, 2005 7:23 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] sendmail exploit

 Of course, if you're still running 8.8, there's about 3 zillion
OTHER issues
 you  could exploit instead
 
 
 
I think it's really an 8.8 (redhat6.2) and not a honeypot or something like
that, if that's what you mean, and yes, nessus gives other critical warnings
about apache 1.3.12; the snag is there is no working exploit for those
vulnerabilities (or at least I can't find any) and I have no time to
make one myself.
So Valdis, can you give me some examples of the "about 3 zillion OTHER
issues you could exploit instead"?
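The point made in the post above is that a banner version says little on a distribution that backports fixes; the package changelog is what records which fixes a build carries. The following is an added example, not code from the thread: it parses the changelog text that `rpm -q --changelog sendmail` prints and answers whether a given identifier is claimed as fixed. SAMPLE_CHANGELOG is constructed for this example and its CAN-0000-* identifiers are placeholders, not real advisories.

```python
import re

# Added example; not code from the thread. On an RPM-based host the input
# text comes from `rpm -q --changelog sendmail`. SAMPLE_CHANGELOG below is
# constructed and its CAN-0000-* identifiers are placeholders.
SAMPLE_CHANGELOG = """\
* Tue Sep 30 2003 Example Packager <packager@example.invalid> 8.11.6-3
- backport fix for a prescan() overflow (CAN-0000-0003)
- backport ruleset parsing fix, CAN-0000-0002

* Mon Mar 03 2003 Example Packager <packager@example.invalid> 8.11.6-2
- backport header parsing fix (CAN-0000-0001)

* Fri Aug 31 2001 Example Packager <packager@example.invalid> 8.11.6-1
- update to upstream 8.11.6
"""

# CAN-yyyy-nnnn (the candidate prefix in use in 2005) or CVE-yyyy-nnnn...
ID_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")


def parse_changelog(text):
    """Return [(version_release, [ids...]), ...], newest entry first,
    following rpm's '* <date> <packager> <version-release>' header lines."""
    entries = []
    current_ids = None
    for line in text.splitlines():
        if line.startswith("* "):
            version_release = line.split()[-1]     # last token of the header
            current_ids = []
            entries.append((version_release, current_ids))
        elif current_ids is not None:
            current_ids.extend(ID_RE.findall(line))
    return entries


def claimed_fixes(text):
    """Every identifier the changelog mentions, in any entry."""
    return {ident for _, ids in parse_changelog(text) for ident in ids}


def is_fixed(text, identifier):
    """True if the installed build's changelog mentions the identifier."""
    return identifier.upper() in claimed_fixes(text)


def upstream_version(version_release):
    """'8.11.6-3' -> '8.11.6': the part a banner or a scanner reports."""
    return version_release.rsplit("-", 1)[0]


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_CHANGELOG)
    print("installed build:", entries[0][0], "upstream:", upstream_version(entries[0][0]))
    for ident in ("CAN-0000-0001", "CAN-0000-0009"):
        print(ident, "claimed fixed" if is_fixed(SAMPLE_CHANGELOG, ident) else "not mentioned")
```

Two caveats apply when reading the result. Absence from the changelog is not proof of exposure, since packagers do not always cite identifiers, and presence is only the packager's claim, which is why a scanner that keys on the version string and a changelog check disagree so often. For a release that has left support, as RedHat 6.2 had by 2005, the newest entry is also as far as the fixes ever went.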


[Full-disclosure] BakBone NetVault last warning

2005-05-11 Thread class
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
As a reminder, two months ago the Hat-Squad published 2 high security
risks that are still UNPATCHED in all versions of BakBone NetVault
6.x/7.x. In an Open Letter:

http://phx.corporate-ir.net/phoenix.zhtml?c=67723&p=irol-newsArticle&t=Regular&id=704547

BakBone announces a new NetVault for Q4 2005, and a new MACOSX version. My
suggestion to BakBone is to review their whole code, because I'm aware
that another heap overflow has been found by a friend without being
published.

We won't republish this warning once BakBone chooses to wake up,
but we recommend assessing BakBone products if you are looking for
security bugs; this is a nice piece of cheese.

BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow advisory

class101.org/netv-remhbof.pdf

BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow exploit

class101.org/36/55/op.php

BakBone NetVault 6.x/7.x Local Stack Buffer Overflow advisory

class101.org/netv-locsbof.pdf

BakBone NetVault 6.x/7.x Local Stack Buffer Overflow exploit

class101.org/36/55/op.php


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFCgf4vLyZ8K9aT7rARAqu3AJ411cU2YZkRcOwFfRlF1PMLWvFaRACdGAvo
belmxbd7Z/peu5L154pS02k=
=hHqE
-END PGP SIGNATURE-




Re: [Full-disclosure] BakBone NetVault last warning

2005-05-11 Thread class
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 

btw: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1009

class wrote:

 As a reminder, two months ago the Hat-Squad published 2 high security
 risks that are still UNPATCHED in all versions of BakBone NetVault
 6.x/7.x. In an Open Letter:

 http://phx.corporate-ir.net/phoenix.zhtml?c=67723&p=irol-newsArticle&t=Regular&id=704547


 BakBone announces a new NetVault for Q4 2005, and a new MACOSX version.
 My suggestion to BakBone is to review their whole code, because I'm
 aware that another heap overflow has been found by a friend without
 being published.

 We won't republish this warning once BakBone chooses to wake up, but
 we recommend assessing BakBone products if you are looking for
 security bugs; this is a nice piece of cheese.

 BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow advisory

 class101.org/netv-remhbof.pdf

 BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow exploit

 class101.org/36/55/op.php

 BakBone NetVault 6.x/7.x Local Stack Buffer Overflow advisory

 class101.org/netv-locsbof.pdf

 BakBone NetVault 6.x/7.x Local Stack Buffer Overflow exploit

 class101.org/36/55/op.php




-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFCggDILyZ8K9aT7rARAqU3AJ9ipPItlpY0n8sJK4+n3gQxTFjHfQCfboh3
4Z12G6RNiKM6yfy924Vuomo=
=664m
-END PGP SIGNATURE-




Re: [Full-disclosure] BakBone NetVault last warning

2005-05-11 Thread KF (lists)
when a man such as you reports a security hole we can not put all works 
on the ground and say yes: we are fixing it

What kind of bullshit is that! I am glad I am not a customer of theirs.
What kind of man must you be to make them say yes: we are fixing it. 
Perhaps you have to be a sexy woman instead. =]

-KF
class wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
As a reminder, two months ago the Hat-Squad published 2 high security
risks that are still UNPATCHED in all versions of BakBone NetVault
6.x/7.x. In an Open Letter:
http://phx.corporate-ir.net/phoenix.zhtml?c=67723&p=irol-newsArticle&t=Regular&id=704547
BakBone announces a new NetVault for Q4 2005, and a new MACOSX version. My
suggestion to BakBone is to review their whole code, because I'm aware
that another heap overflow has been found by a friend without being
published.
We won't republish this warning once BakBone chooses to wake up,
but we recommend assessing BakBone products if you are looking for
security bugs; this is a nice piece of cheese.
BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow advisory
class101.org/netv-remhbof.pdf
BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow exploit
class101.org/36/55/op.php
BakBone NetVault 6.x/7.x Local Stack Buffer Overflow advisory
class101.org/netv-locsbof.pdf
BakBone NetVault 6.x/7.x Local Stack Buffer Overflow exploit
class101.org/36/55/op.php
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (MingW32)
iD8DBQFCgf4vLyZ8K9aT7rARAqu3AJ411cU2YZkRcOwFfRlF1PMLWvFaRACdGAvo
belmxbd7Z/peu5L154pS02k=
=hHqE
-END PGP SIGNATURE-

 



Re: [Full-disclosure] BakBone NetVault last warning

2005-05-11 Thread class
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
I was also surprised not to see the word security in their open
letter:

http://phx.corporate-ir.net/phoenix.zhtml?c=67723&p=irol-newsArticle&t=Regular&id=704547

KF (lists) wrote:

 when a man such as you reports a security hole we can not put all
 works on the ground and say yes: we are fixing it

 What kind of bullshit is that! I am glad I am not a customer of
 theirs.

 What kind of man must you be to make them say yes: we are fixing
 it. Perhaps you have to be a sexy woman instead. =]

 -KF

 class wrote:


 As a reminder, two months ago the Hat-Squad published 2 high security
 risks that are still UNPATCHED in all versions of BakBone NetVault
 6.x/7.x. In an Open Letter:

 http://phx.corporate-ir.net/phoenix.zhtml?c=67723&p=irol-newsArticle&t=Regular&id=704547



 BakBone announces a new NetVault for Q4 2005, and a new MACOSX version.
 My suggestion to BakBone is to review their whole code, because I'm
 aware that another heap overflow has been found by a friend without
 being published.

 We won't republish this warning once BakBone chooses to wake up, but
 we recommend assessing BakBone products if you are looking for
 security bugs; this is a nice piece of cheese.

 BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow advisory

 class101.org/netv-remhbof.pdf

 BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow exploit

 class101.org/36/55/op.php

 BakBone NetVault 6.x/7.x Local Stack Buffer Overflow advisory

 class101.org/netv-locsbof.pdf

 BakBone NetVault 6.x/7.x Local Stack Buffer Overflow exploit

 class101.org/36/55/op.php











-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFCghRrLyZ8K9aT7rARAgDuAJ4tYTFK7wN3XCYjveXSxJ2NHda3DACfQ4RL
yFuS6o9Ch70AvcCR6Hwo8fs=
=CfAp
-END PGP SIGNATURE-




Re: [Full-disclosure] BakBone NetVault last warning

2005-05-11 Thread KF (lists)
They do mention Progress continues toward making the required 
assessment under Section 404 of the Sarbanes-Oxley Act of 2002 and the 
related rules  but of course this has nothing to do with the security 
of their products. =]
-KF

class wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I was also surprised not to see the word security in their open
letter:
http://phx.corporate-ir.net/phoenix.zhtml?c=67723&p=irol-newsArticle&t=Regular&id=704547
KF (lists) wrote:
 

when a man such as you reports a security hole we can not put all
works on the ground and say yes: we are fixing it
What kind of bullshit is that! I am glad I am not a customer of
theirs.
What kind of man must you be to make them say yes: we are fixing
it. Perhaps you have to be a sexy woman instead. =]
-KF
class wrote:
   

 

As a reminder, two months ago the Hat-Squad published 2 high security
risks that are still UNPATCHED in all versions of BakBone NetVault
6.x/7.x. In an Open Letter:
http://phx.corporate-ir.net/phoenix.zhtml?c=67723&p=irol-newsArticle&t=Regular&id=704547

BakBone announces a new NetVault for Q4 2005, and a new MACOSX version.
My suggestion to BakBone is to review their whole code, because I'm
aware that another heap overflow has been found by a friend without
being published.
We won't republish this warning once BakBone chooses to wake up, but
we recommend assessing BakBone products if you are looking for
security bugs; this is a nice piece of cheese.
BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow advisory
class101.org/netv-remhbof.pdf
BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow exploit
class101.org/36/55/op.php
BakBone NetVault 6.x/7.x Local Stack Buffer Overflow advisory
class101.org/netv-locsbof.pdf
BakBone NetVault 6.x/7.x Local Stack Buffer Overflow exploit
class101.org/36/55/op.php
   

 

 

 

 

 

   

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (MingW32)
iD8DBQFCghRrLyZ8K9aT7rARAgDuAJ4tYTFK7wN3XCYjveXSxJ2NHda3DACfQ4RL
yFuS6o9Ch70AvcCR6Hwo8fs=
=CfAp
-END PGP SIGNATURE-


 



[Full-disclosure] Where's Slashdot.org???

2005-05-11 Thread Coral Cook

Anyone know what's going on with /.org???









RE: [Full-disclosure] Where's Slashdot.org???

2005-05-11 Thread Todd Towles
Works for me at 9:58am Central US. Do you know what is up with your DNS
server or your computer? =) 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Coral Cook
 Sent: Wednesday, May 11, 2005 9:56 AM
 To: full-disclosure@lists.grok.org.uk
 Subject: [Full-disclosure] Where's Slashdot.org???
 
 Anyone know what's going on with /.org???
 
  
 
 


Re: [Full-disclosure] Where's Slashdot.org???

2005-05-11 Thread KF (lists)
does anyone give a shit?
try a traceroute next time.
-KF
Coral Cook wrote:
Anyone know what's going on with /.org???



Re: [Full-disclosure] Re: Where's Slashdot.org???

2005-05-11 Thread Michael Calcaño
Is it really necessary to be that rude?

On 5/11/05, pretty vacant [EMAIL PROTECTED] wrote:
 Is it really fucking necessary to email a global mailing list when you
 can't get to your shitty website? Crawl back in your corner and shut the
 fuck up.

[Full-disclosure] Re: Where's Slashdot.org???

2005-05-11 Thread pretty vacant
   
 / \ \/\ :`:` 
|   | \  |  |||
|   `. | |   :   || 
`| |\|   ||---O 
 \   | /   /  \\\   --__ \\   :   :( 
  \  \/   _--~~  ~--__| \ |   |---.- 
   \  \_-~~-_\|   |( 
\_ \_..__\|   |\.. 
  \ \__// _ ___ _ (_(__  \   |_,-%/%|` 
   \   .  C ___)  __ (_(  |  /_,-'\//%\   
   /\ |   C )/  \ (_  |_/ _,-'\%/|% 
  / /\|   C_)   |  (___   /  \  / / )   __,--  /%\ 
 |   (   _C_)\__/  // _/ / \ \_/_,-' (%  ;  %)%
 |\  |__   \\_// (__/   | %,_`_ %\
| \\)   `   --' || 
|  \_  ___\   /_  _/ |   |   |
   |  /| |  \|  ||
   | |/   \  \   |  |   |   
   |  / /| |  \   | |   |
   | / /  \__/\___/|  ||| 
  | / /||   | ||   |
  |  | ||   | ||   | 

Yes, it is.

On Wed, 11 May 2005, Michael Calcaño wrote:

 Is it really necessary to be that rude?

 On 5/11/05, pretty vacant [EMAIL PROTECTED] wrote:
 
  Is it really fucking necessary to email a global mailing list when you
  can't get to your shitty website? Crawl back in your corner and shut the fuck
  up.



Re: [Full-disclosure] Re: Where's Slashdot.org???

2005-05-11 Thread Ed Carp
Michael Calcaño wrote:
Is it really necessary to be that rude?
Obviously the inspiration for the I'm An Asshole song... :p


Re: [Full-disclosure] KSpynix ::: the Unix version of KSpyware? (Proof Of Concept)

2005-05-11 Thread bkfsec
James Tucker wrote:
Firefox was safe(r) for a time, now exposure has driven it to become a
viable and timeworthy market for the spyware and malware
communities. The same will come of operating systems and any other
highly pervasive applications.
 

Well, yeah, but I still wouldn't be throwing away GNU/Linux just yet on 
that front.   I would argue that it's still entirely possible to build a 
GNU/Linux system that is more secure than a MS Windows system, 
relatively speaking.  (Note: I am not saying that GNU/Linux doesn't have 
its share of security issues and I am not saying that one can't create a 
well-secured Windows server.)

However, that's getting off track.  That would be getting into system 
configuration and design as they relate to vulnerabilities.  That's 
another discussion altogether.

Going back on track, I wouldn't support the creation of packages such as 
this for any OS.  I just don't think it's ethical.  Like I said, there's 
a big difference between a POC and a worm.  Coding POCs is just fine, if 
it's done ethically.  Coding worms as an example, however, is where you 
cross the line from just creating a proof of concept and into turning 
that proof onto others in order to harm them.  Also, I'm not getting 
into rights here, I'm just talking about the ethics of the situation.

In the case of spyware, no proof of concept was needed because anyone 
with any knowledge of systems at all could tell you that it could be done.

-Barry



Re: [Full-disclosure] KSpynix ::: the Unix version of KSpyware? (Proof Of Concept)

2005-05-11 Thread khaalel
Hi,

Before sending me such emails, read Kspynix first: Firefox is not
attacked by the POC, and such malware already exists for Unix systems,
although its code is not public... that's why I coded these small
malwares (if they can be called malware...).

About ethics, it's your problem if you think it's not ethical to
publish such code. Besides, don't be afraid, Unix systems are always
secure.

And I waste my time on what I want!!!
What's an ethical act for you? I wanted to publish a Windows rootkit
this week; is it ethical?

 On 5/11/05, bkfsec [EMAIL PROTECTED] wrote:
  James Tucker wrote:
 
  Firefox was safe(r) for a time, now exposure has driven it to become a
  viable and timeworthy market for the spyware and malware
  communities. The same will come of operating systems and any other
  highly pervasive applications.
  
  
  
  Well, yeah, but I still wouldn't be throwing away GNU/Linux just yet on
  that front.   I would argue that it's still entirely possible to build a
  GNU/Linux system that is more secure than a MS Windows system,
  relatively speaking.  (Note: I am not saying that GNU/Linux doesn't have
  its share of security issues and I am not saying that one can't create a
  well-secured Windows server.)
 
  However, that's getting off track.  That would be getting into system
  configuration and design as they relate to vulnerabilities.  That's
  another discussion altogether.
 
  Going back on track, I wouldn't support the creation of packages such as
  this for any OS.  I just don't think it's ethical.  Like I said, there's
  a big difference between a POC and a worm.  Coding POCs is just fine, if
  it's done ethically.  Coding worms as an example, however, is where you
  cross the line from just creating a proof of concept and into turning
  that proof onto others in order to harm them.  Also, I'm not getting
  into rights here, I'm just talking about the ethics of the situation.
 
  In the case of spyware, no proof of concept was needed because anyone
  with any knowledge of systems at all could tell you that it could be done.
 
   -Barry
 
 



Re: [Full-disclosure] KSpynix ::: the Unix version of KSpyware? (Proof Of Concept)

2005-05-11 Thread James Tucker
 Well, yeah, but I still wouldn't be throwing away GNU/Linux just yet on
 that front.   I would argue that it's still entirely possible to build a
 GNU/Linux system that is more secure than a MS Windows system,
 relatively speaking.  (Note: I am not saying that GNU/Linux doesn't have
 its share of security issues and I am not saying that one can't create a
 well-secured Windows server.)

I can understand that this is drifting off track, but as part of the
community, how can you reliably justify this? I don't mean to be
facetious, but I have never seen any such justification in existence;
furthermore, if other aspects are considered, such as the average required
development time to a 'secure' system, the argument can easily be
swung. Such a comment may have been more acceptable if one were to
use OpenBSD as an example, arguably. Again there are aspects which
must be considered, but if we are referring to the operating system
alone, then should we consider the default install, the number of
discrete settings which must be changed, the length of a script which
performs these actions automatically? Such judgements are hardly
quantifiable, due to scalar issues.

Remember, if the choice was clear, someone would have 'won' already.


Re: [Full-disclosure] OpenServer 5.0.6 OpenServer 5.0.7 : chroot A known exploit can break a chroot prison.

2005-05-11 Thread James Longstreet


On Wed, 11 May 2005 [EMAIL PROTECTED] wrote:
snip

Has anyone ever wondered why SCO's mails come from
[EMAIL PROTECTED]  Why not just make them come from
[EMAIL PROTECTED]  Or at least set the Reply-To: field?

Other than preventing spam, is there a greater purpose here that I'm
missing?


Re: [Full-disclosure] Useless tidbit (MS AntiSpyware)

2005-05-11 Thread byte busters
On 5/11/05, Randall M [EMAIL PROTECTED] wrote:
 
 
 :-Original Message-
 :From: [EMAIL PROTECTED]
 :[mailto:[EMAIL PROTECTED] On Behalf
 :Of Nick FitzGerald
 :Sent: Tuesday, May 10, 2005 6:17 PM
 :To: full-disclosure@lists.grok.org.uk
 :Subject: RE: [Full-disclosure] Useless tidbit (MS AntiSpyware)
 :
 :
 :_THAT_ is a far larger problem you should have considered long
 :before you discovered that one (or more) of the many
 :band-aid programs (like MS AntiSpyware, most other
 :anti-spywares, known virus scanning antivirus programs,
 :software firewalls, and so on) so commonly advocated by lame
 :(or hamstrung) system admins has this (and dozens of
 :other) trivial, stupid holes.
 :
 :
 :Regards,
 :
 :Nick FitzGerald
 :
 
 Nick,
 Would you please elaborate further on this? I read it to say we should have
 cleaned out the machines first by hand and we are lame or hamstrung for
 relying on anti-virus, anti-spyware programs to find them.
 
 RandallM
 
 

If one [or more] of you on the list could be so kind to indicate a
[many] resource[s] that lame hamstrung admins would be wise to follow
as guidelines to secure Windows systems.. it would be so much more
productive. especially for those lazy a$$ admins who may overlook the
single [or multiple] missed step that lets them become owned, hacked,
infected, unpatched, bugged, spewing, spamming, bots, rooted  [I
am sure to have skipped a few important ones] ;-P

steve


Re: [Full-disclosure] Useless tidbit (MS AntiSpyware)

2005-05-11 Thread Kurt Buff
 If one [or more] of you on the list could be so kind to indicate a
 [many] resource[s] that lame hamstrung admins would be wise to follow
 as guidelines to secure Windows systems.. it would be so much more
 productive. especially for those lazy a$$ admins who may overlook the
 single [or multiple] missed step that lets them become owned, hacked,
 infected, unpatched, bugged, spewing, spamming, bots, rooted  [I
 am sure to have skipped a few important ones] ;-P
 
 steve

Google is your friend - start with 'NSA security guidelines windows'.


Re: [Full-disclosure] OpenServer 5.0.6 OpenServer 5.0.7 : chroot A known exploit can break a chroot prison.

2005-05-11 Thread KF (lists)
Anyone ever wonder why all their security advisories come out for known 
issues two years after they have been found?

Anyone ever wonder why they STILL use a vulnerable version of wu ftpd on 
one of their main servers?

Connected to ftpput.sco.com.
220 artemis FTP server (Version 2.1WU(1)) ready.
Name (ftpput.sco.com:doucheknob):
Move along... nothing to see here but a decrepit OS that no one cares 
about.
-KF

James Longstreet wrote:
On Wed, 11 May 2005 [EMAIL PROTECTED] wrote:
snip
Has anyone ever wondered why SCO's mails come from
[EMAIL PROTECTED]  Why not just make them come from
[EMAIL PROTECTED]  Or at least set the Reply-To: field?
Other than preventing spam, is there a greater purpose here that I'm
missing?

 



Re: [Full-disclosure] OpenServer 5.0.6 OpenServer 5.0.7 : chroot A known exploit can break a chroot prison.

2005-05-11 Thread shyyqvfpybfher
On Wed, 11 May 2005 13:20:52 -0500 (CDT), James Longstreet [EMAIL PROTECTED] 
said:

 Has anyone ever wondered why SCO's mails come from
 [EMAIL PROTECTED]  Why not just make them come from
 [EMAIL PROTECTED]  Or at least set the Reply-To: field?

 Other than preventing spam, is there a greater purpose here that I'm
 missing?  

To keep their in-box clear of out-of-office replies from clueless lusers
who don't know how to configure a vacation program?

Google for site:lists.grok.org.uk out-of-office

And just over a week ago:
http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033717.html

(He says, preparing to see how many idiots' mailers auto-reply to
this: To anyone that does - you are doubly incompetent, once for your
ineptness in running your e-mail software in the first place, and once
for telling a security mailing list that you are away from your
post).

-- 
Alan J. Wylie  http://www.wylie.me.uk/
Perfection [in design] is achieved not when there is nothing left to add,
but rather when there is nothing left to take away.
  -- Antoine de Saint-Exupery


Re: [Full-disclosure] KSpynix ::: the Unix version of KSpyware? (Proof Of Concept)

2005-05-11 Thread bkfsec
khaalel wrote:
Hi,
before sending me such emails, read Kspynix before: Firefox is not
attacked by the POC,
and such malware already exists for Unix systems although their code
is not public... that's why I coded this small malware (if it can
be called malware...)
 

I'm quite well aware that such malware exists on Unix/Linux systems.  
Nor was I saying that firefox was attacked by your spyware.

But then, that's even less of a reason to publish it, seeing as there 
really is nothing new here.

About the ethics, it's your problem if you think it's not ethical to
publish such code. Besides, don't be afraid, Unix systems are always
secure.
 

Sure...  whatever you say...
No fear here, buddy.  But, seeing as this is an open list, I'm free to 
question the ethical nature of your release.  I think that if you'll 
take the time to look through the archive, you'll see that I'm a staunch 
advocate of full disclosure, but if there's no real gain from publishing 
code that can assist in harming others, chances are pretty damn good 
that it's unethical to publish that code.

And i waste my time with what I want !!!
 

No argument there.
What's an ethical act for you? I wanted to publish a (snip malware type)
this week, is it ethical?
 

That depends.  What's the purpose of publishing the code?  Is there any 
new or interesting technique used that hasn't been charted before?  If 
so, then I'd say it might be ethical. 

If it's just because you could... then I'd say that it would most 
likely be unethical to publish that code.  Not to mention illegal in 
certain countries (I'm not advocating that it should be illegal, it just 
could be considered illegal..)

-Barry


Re: [Full-disclosure] OpenServer 5.0.6 OpenServer 5.0.7 : chroot A known exploit can break a chroot prison.

2005-05-11 Thread Vincent van Scherpenseel
On Wednesday 11 May 2005 20:44, KF (lists) wrote:
 Anyone ever wonder why all their security advisories come out for known
 issues two years after they have been found?

 Anyone ever wonder why they STILL use a vulnerable version of wu ftpd on
 one of their main servers?

 Connected to ftpput.sco.com.
 220 artemis FTP server (Version 2.1WU(1)) ready.
 Name (ftpput.sco.com:doucheknob):

 Move along... nothing to see here but a decrepit OS that no one cares
 about.
 -KF

Keep in mind that you shouldn't fully rely on service banners. These are 
easily faked to keep the script kiddies away. I know, that's security through 
obscurity, but not the whole world is Full Disclosure.

 - Vincent van Scherpenseel

-- 
http://vincent.vanscherpenseel.nl/


Re: [Full-disclosure] OpenServer 5.0.6 OpenServer 5.0.7 : chroot A known exploit can break a chroot prison.

2005-05-11 Thread KF (lists)
Vincent van Scherpenseel wrote:
On Wednesday 11 May 2005 20:44, KF (lists) wrote:
 

Anyone ever wonder why all their security advisories come out for known
issues two years after they have been found?
Anyone ever wonder why they STILL use a vulnerable version of wu ftpd on
one of their main servers?
Connected to ftpput.sco.com.
220 artemis FTP server (Version 2.1WU(1)) ready.
Name (ftpput.sco.com:doucheknob):
Move along... nothing to see here but a decrepit OS that no one cares
about.
-KF
   

Keep in mind that you shouldn't fully rely on service banners. These are 
easily faked to keep the script kiddies away. I know, that's security through 
obscurity, but not the whole world is Full Disclosure.

- Vincent van Scherpenseel
 

keep in mind that this has been like this for *YEARS*.  I highly doubt 
they have gone through the trouble of faking output for the format 
string vulnerability. Telnet to the port and test the site exec shit by 
hand yourself... although I have not checked I would almost bet you get 
memory addresses popping up.

I actually spoke to previous sco admins about it when I used to work 
with them on security issues. At the time they could not track down the 
admin of the box... after the caldera merger I would imagine it just sat 
there.

http://lists.grok.org.uk/pipermail/full-disclosure/2003-August/008577.html
-KF


[Full-disclosure] Which is the best anti-spyware cleaner?

2005-05-11 Thread Paul Laudanski
That is just what I was wondering -- from a community perspective.  We've 
been running a survey and after 5,414 unique votes, the tally is in:

Source:

http://castlecops.com/modules.php?name=Surveys&op=results&pollID=30

1) Lavasoft Ad-Aware SE Personal 25.36%
2) Spybot Search & Destroy 22.42%
3) Microsoft AntiSpyware 14.79%

This is from a list of 19 choices:

 Adware Away 
 Aluria Spyware Eliminator 
 Intermute SpySubtract 
 Lavasoft Ad-Aware SE Personal 
 McAfee AntiSpyware 
 Microsoft AntiSpyware 
 NoAdware 
 OmniQuad AntiSpy 
 PC Tools Spyware Doctor 
 Pest Patrol 
 Spybot Search & Destroy 
 Spycop 
 Spyware COP 
 Sunbelt CounterSpy 
 Tenebril SpyCatcher 
 Webroot Spy Sweeper 
 Xblock X-Cleaner 
 XoftSpy 
 ZeroSpyware 

Pollbooth http://castlecops.com/modules.php?name=Surveys&pollID=30

This is very interesting for Lavasoft.  Our previous poll with 2,605 
unique votes on:

Do you trust Lavasoft's Ad-Aware after they delisted WhenU as Spyware?

Shows 60.31% said No.

Src: 
http://castlecops.com/modules.php?name=Surveys&op=results&pollID=29

The WhenU/Lavasoft survey ran right after WhenU was removed from their 
dictionaries.  But we all know what happened afterwards.  Since then, 
folks still trust Lavasoft as their number one choice.

What is not surprising are the results from the Aluria survey we also ran, 
with 1,777 unique votes:

Do you trust Aluria's Spyware Eliminator after the WhenU Deal?

Src: 
http://castlecops.com/modules.php?name=Surveys&op=results&pollID=28

86.04% said No.  In our head-to-head survey above, 1.07% of voters 
picked Aluria as the best.  

Internet users still opt for Lavasoft's free spyware cleaner.

-- 
Sincerely,

Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CC Blog . http://blog.castlecops.com
Staff Blogs . http://busterbunny.castlecops.com
Our Vision .. http://castlecops.com/postt63382.html

http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com

[This message is for the designated recipient(s) only and may contain
privileged or confidential information.  If you have received it in error,
please notify the sender immediately and delete the original. Any other
use of the email by you is prohibited.]




Re: [Full-disclosure] Which is the best anti-spyware cleaner?

2005-05-11 Thread Paul Laudanski
On Wed, 11 May 2005, Paul Laudanski wrote:

[This message is for the designated recipient(s) only and may contain
privileged or confidential information.  If you have received it in
error, please notify the sender immediately and delete the original. Any
other use of the email by you is prohibited.]

There I go forgetting to drop that bit again!  :oops!:




Re: [Full-disclosure] Which is the best anti-spyware cleaner?

2005-05-11 Thread Ben Vaisvil
I use a combination of Ad-aware, Spybot SD and Hijack This (when it is needed).
Hijack this is the most thorough if you know what to look for.
But any one tool usually will not clean completely in my experience.
Ben
Paul Laudanski wrote:
That is just what I was wondering -- from a community perspective.  We've 
been running a survey and after 5,414 unique votes, the tally is in:

Source:
http://castlecops.com/modules.php?name=Surveys&op=results&pollID=30
1) Lavasoft Ad-Aware SE Personal 25.36%
2) Spybot Search & Destroy 22.42%
3) Microsoft AntiSpyware 14.79%
This is from a list of 19 choices:
 Adware Away 
 Aluria Spyware Eliminator 
 Intermute SpySubtract 
 Lavasoft Ad-Aware SE Personal 
 McAfee AntiSpyware 
 Microsoft AntiSpyware 
 NoAdware 
 OmniQuad AntiSpy 
 PC Tools Spyware Doctor 
 Pest Patrol 
 Spybot Search & Destroy 
 Spycop 
 Spyware COP 
 Sunbelt CounterSpy 
 Tenebril SpyCatcher 
 Webroot Spy Sweeper 
 Xblock X-Cleaner 
 XoftSpy 
 ZeroSpyware 

Pollbooth http://castlecops.com/modules.php?name=Surveys&pollID=30
This is very interesting for Lavasoft.  Our previous poll with 2,605 
unique votes on:

Do you trust Lavasoft's Ad-Aware after they delisted WhenU as Spyware?
Shows 60.31% said No.
Src: 
http://castlecops.com/modules.php?name=Surveys&op=results&pollID=29

The WhenU/Lavasoft survey ran right after WhenU was removed from their 
dictionaries.  But we all know what happened afterwards.  Since then, 
folks still trust Lavasoft as their number one choice.

What is not surprising are the results from the Aluria survey we also ran, 
with 1,777 unique votes:

Do you trust Aluria's Spyware Eliminator after the WhenU Deal?
Src: 
http://castlecops.com/modules.php?name=Surveys&op=results&pollID=28

86.04% said No.  In our head-to-head survey above, 1.07% of voters 
picked Aluria as the best.  

Internet users still opt for Lavasoft's free spyware cleaner.


Re: [Full-disclosure] Which is the best anti-spyware cleaner?

2005-05-11 Thread Paul Laudanski
Hi Ben,

This survey only included those applications which use dictionaries to 
clean their systems.  HJT is an involved tool that is best used with 
experts.

Ad-Aware and SpybotSD can be used safely thanks to their reference files.

This is why HJT and others like Winpatrol were left out of the poll.

And for the last statement, you are right.  Look at download.com and how 
they use three products today to test files on their site.

On Wed, 11 May 2005, Ben Vaisvil wrote:

 I use a combination of Ad-aware, Spybot SD and Hijack This (when it is 
 needed).
 
 Hijack this is the most thorough if you know what to look for.
 
 But any one tool usually will not clean completely in my experience.
 
 Ben

-- 
Sincerely,

Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CC Blog . http://blog.castlecops.com
Staff Blogs . http://busterbunny.castlecops.com
Our Vision .. http://castlecops.com/postt63382.html

http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com




[Full-disclosure] [DR018] Quartz Composer / QuickTime 7 information leakage

2005-05-11 Thread David Remahl
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The canonical URI of this advisory is http://remahl.se/david/vuln/018/.

This advisory concerns an as-yet unpatched problem in QuickTime 7 on
Mac OS X 10.4. The reason for disclosure before a vendor patch is
that another person realized the potential problem independently and
posted a message about it to the public mailing list quartzcomposer-dev
(hosted by Apple).

The suggested workaround is to disable the QuickTime browser plugin  
until a fix is available from the vendor.

/ Regards, David Remahl
DR018: Quartz Composer / QuickTime 7 information leakage
========================================================
  Date of discovery: 2005-04-26
Date of publication: 2005-05-11
      Discovered by: David Remahl [EMAIL PROTECTED]
       Advisory URL: http://remahl.se/david/vuln/018/
               CVEs: n/a [as of this writing, the author is aware of
                     no CVEs assigned to this vulnerability]
     Classification: information exposure; design error
            License: Public Domain

AFFECTED PRODUCTS
Verified vulnerable:
* Apple Mac OS X 10.4 (QuickTime 7)
Verified safe:
* Apple Mac OS X 10.3.9 (QuickTime 6.5, 7)
* QuickTime for Windows
INTRODUCTION
Quartz Composer files are created with the Quartz Composer  
application included with the developer tools. The compositions (QTZ  
files) it creates can be used as screen savers, viewed as they are in  
the application or embedded as QT atoms in a .mov container. As such,  
they can be viewed in a wide-ranging array of environments, including  
a web browser, Keynote 2 and the Finder.

Compositions have access to a number of powerful tools (patches),
each providing or acting upon information, ultimately resulting in a
graphic composition. The design assumption seems to be that these
details should always be contained within the presentation. However,
by combining patches that provide advanced system information with
patches that load information from the Internet, a malicious .mov
file (viewed for example by the QuickTime web plugin) can leak this
information to an external host.

This issue has not been addressed by Apple yet, and because details
of the potential exploit appeared in a public forum shortly after I
had notified the vendor, a fix may still be some time away. A
temporary work-around is disabling the QuickTime plugin and treating
Quartz Composer files with suspicion.

IMPACT
The information that can be leaked by this method includes (but may
not be limited to):
 * local user name (long and short)
 * computer name
 * local IP
 * OS / kernel version
 * CPU / RAM / GPU configuration
 * names (human-readable) of Bonjour services on the local network
 * local or system time
 * volume of audio input
 * lists of images (including pdfs) matching arbitrary spotlight queries
 * lists of images (including pdfs) in specific directories
   (relative to / or ~)
 * the existence of image and movie files can indicate the existence
   of certain software packages

This information can be used for profiling of potential victims, for
further use in attacks against the user's system or phishing related
social engineering.

DEMONSTRATION
A proof-of-concept in the form of a Quartz Composer composition  
embedded in a .mov  file is avaiilable at the following link. Please  
see that document for more information.

http://remahl.se/david/vuln/018/demo.html
DETAILS
The basic attack works as follows:
1. A patch providing the information (for example the Host Info patch)
   is created (A).
2. The output of (A) is connected to a JavaScript patch which uses
   encodeURIComponent() to URI encode the string (B).
3. The output of (B) is connected to a String Printer which results in
   a URI, for example (C).
4. The output of (C) is connected to the URL input connection of either
   the Image Downloader patch or the RSS Feed patch (D).
5. The output of (D) must be used somehow, otherwise this part of the
   patch graph will not be used. Rendering the output (via a String to
   Image) to a 0-sized billboard is fine.
6. When the (D) patch is activated, it will access the URI (output of
   (C)), thus leaking the restricted information to an HTTP host of the
   attacker's choice.
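
From the defender's side, the chain above ends in an ordinary outbound HTTP request whose path or query string carries URI-encoded host details, which is where an egress proxy log can catch it. The following is an added example, not part of the DR018 advisory or its demo: it parses a constructed, simplified proxy-log format (client IP, request, status, User-Agent; the sample lines and hostnames are made up), decodes each URL field, and scores it for local identifiers (RFC 1918 addresses, Darwin/Mac OS X version strings, ".local" or "<user>'s PowerBook" style computer names, and a defender-supplied set of local account names). A request from the QuickTime plugin user agent adds to the score, so a lone search-engine query for "Darwin Kernel Version" from a normal browser stays below the default threshold.

```python
"""Egress-log check for composition-driven information leakage.

Added example, not part of the DR018 advisory. The advisory describes a
composition that URI-encodes host details and fetches a URL built from
them; on the victim side that is an outbound HTTP request whose decoded
path or query carries local identifiers. The log format, sample lines,
hostnames and account name below are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in a simplified proxy-log format:
#   client_ip "METHOD URL" status "User-Agent"
SAMPLE_LOG = """\
10.0.0.12 "GET http://cdn.example.test/trailer.mov" 200 "QuickTime/7.0 (qtver=7.0;os=Mac 10.4)"
10.0.0.12 "GET http://collector.example.test/i.png?h=jdoe%27s%20PowerBook&u=jdoe&ip=10.0.0.12&os=Darwin%20Kernel%20Version%208.0.0" 200 "QuickTime/7.0 (qtver=7.0;os=Mac 10.4)"
10.0.0.15 "GET http://news.example.test/feed.rss?id=42" 200 "Mozilla/5.0 (Macintosh)"
10.0.0.15 "GET http://search.example.test/?q=Darwin%20Kernel%20Version" 200 "Mozilla/5.0 (Macintosh)"
"""

LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')
# RFC 1918 ranges: an internal address inside an outbound URL is odd.
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
OS_STRING_RE = re.compile(r"Darwin Kernel Version|Mac OS X|Darwin \d+\.\d+", re.I)
# Computer/Bonjour name shapes: ".local" suffix or "<user>'s PowerBook".
HOST_NAME_RE = re.compile(
    r"\.local\b|'s (?:PowerBook|iBook|iMac|Power ?Mac|Mac)\b", re.I)
LEAKY_UA_RE = re.compile(r"QuickTime", re.I)


def parse_line(line):
    """Parse one constructed log line; None when it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    client, method, url, status, ua = m.groups()
    return {"client": client, "method": method, "url": url,
            "status": int(status), "ua": ua}


def leak_indicators(text, local_accounts):
    """Return the set of local-identifier categories present in text."""
    hits = set()
    if PRIVATE_IP_RE.search(text):
        hits.add("private_ip")
    if OS_STRING_RE.search(text):
        hits.add("os_string")
    if HOST_NAME_RE.search(text):
        hits.add("host_name")
    # local_accounts: short user names the defender knows exist on site.
    if any(re.search(r"\b%s\b" % re.escape(a), text) for a in local_accounts):
        hits.add("account_name")
    return hits


def scan_log(text, local_accounts, min_score=2):
    """Flag requests whose decoded URL fields carry local host details.

    score = number of indicator categories hit, plus one when the request
    came from the QuickTime plugin UA. min_score=2 keeps a lone browser
    search for "Darwin Kernel Version" below the threshold.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        # Decode the path and every query value before matching.
        fields = [unquote(parts.path)]
        fields += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        hits = set()
        for field in fields:
            hits |= leak_indicators(field, local_accounts)
        if not hits:
            continue
        from_plugin = LEAKY_UA_RE.search(rec["ua"]) is not None
        score = len(hits) + (1 if from_plugin else 0)
        if score >= min_score:
            findings.append({"client": rec["client"], "host": parts.netloc,
                             "indicators": sorted(hits),
                             "quicktime_ua": from_plugin})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, {"jdoe"}):
        print(finding)
```

On the constructed sample the collector request is the only hit at the default threshold; lowering `min_score` to 1 also surfaces the browser search, which is the false-positive class the scoring is meant to suppress. Real deployments would feed this the proxy's own log format and the site's account list.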

VENDOR CONTACT
Apple Computer's security team was contacted with information about
the issue on 2005-05-06.  Following a discussion of this problem on
the public quartzcomposer-dev mailing list (initiated by a third
party), the full details of the problems were released on May 11.

RESPONSE
Apple Computer
 2005-05-10, 04:50 UTC: Confirmed receipt of problem report  
(did not confirm issue).
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFCgpysFlFiDoclYIURAucPAJ9CYHddNaBbv5DMf77FEQk4UIbOdwCdFERf
/UINoKuuHPIrsMAKQVY4xbQ=
=LKr3
-END PGP SIGNATURE-

[Full-disclosure] Firefox 1.0.4 released. Several critical vulnerabilities fixed

2005-05-11 Thread tuytumadre

Well, it's official. Mozilla Firefox has been updated and can be downloaded from www.getfirefox.com. Many security vulnerabilities have been fixed in this version. Advisories will be made public soon...

Regards,
Paul
Greyhats Security
http://greyhatsecurity.org

[Full-disclosure] [ GLSA 200505-09 ] Gaim: Denial of Service and buffer overflow vulnerabilities

2005-05-11 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200505-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Gaim: Denial of Service and buffer overflow vulnerabilities
  Date: May 12, 2005
  Bugs: #91862
ID: 200505-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Gaim contains two vulnerabilities, potentially resulting in the
execution of arbitrary code or Denial of Service.

Background
==

Gaim is a full featured instant messaging client which handles a
variety of instant messaging protocols.

Affected packages
=

---------------------------------------------------------------------
 Package                            /  Vulnerable  /      Unaffected
---------------------------------------------------------------------
  1  net-im/gaim                          < 1.3.0              >= 1.3.0

Description
===

Stu Tomlinson discovered that Gaim is vulnerable to a remote stack
based buffer overflow when receiving messages in certain protocols,
like Jabber and SILC, with a very long URL (CAN-2005-1261). Siebe
Tolsma discovered that Gaim is also vulnerable to a remote Denial of
Service attack when receiving a specially crafted MSN message
(CAN-2005-1262).

Impact
==

A remote attacker could cause a buffer overflow by sending an instant
message with a very long URL, potentially leading to the execution of
malicious code. By sending a SLP message with an empty body, a remote
attacker could cause a Denial of Service or crash of the Gaim client.

Workaround
==

There are no known workarounds at this time.

Resolution
==

All Gaim users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/gaim-1.3.0"

References
==

  [ 1 ] CAN-2005-1261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1261
  [ 2 ] CAN-2005-1262
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1262

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200505-09.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

