[Full-disclosure] [USN-139-1] Gaim vulnerability

2005-06-09 Thread Martin Pitt
===
Ubuntu Security Notice USN-139-1  June 10, 2005
gaim vulnerability
CAN-2005-1269
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

gaim

The problem can be corrected by upgrading the affected package to
version 1:1.0.0-1ubuntu1.5 (for Ubuntu 4.10) and 1:1.1.4-1ubuntu4.2
(for Ubuntu 5.04).  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

A remote Denial of Service vulnerability was discovered in Gaim. By
initiating a file transfer with a file name containing certain
international characters (like an accented "a"), a remote attacker
could crash the Gaim client of an arbitrary Yahoo IM member.

Updated packages for Ubuntu 4.10 (Warty Warthog):

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] FBI San Diego, Drug Investigations and 9/11

2005-06-09 Thread Jason Coombs
Hello, Kelly.

I'm writing in response to your article from today in the San Diego 
Union-Tribune:

San Diego FBI Officials Call 9/11 Criticism 'Dead Horse'
http://www.signonsandiego.com/news/nation/terror/20050609-2002-terrorfolo.html

I work as an expert witness in civil and criminal court cases involving 
computer forensics and information security.

In 2003 I became involved as expert witness on behalf of a defendant in a 
Federal criminal drug prosecution case in San Diego county.

In the course of the law enforcement investigation, which occurred prior to the 
PATRIOT Act, the FBI computer forensics lab in San Diego assisted the DEA with 
Internet wiretaps of the suspects' computers, possibly in violation of wiretap 
laws, which at the time had no reference to Internet type data communications 
electronic intercepts.

The defendant was tried and convicted, and the case is now pending appeal.

During my review of the case on behalf of the defendant, I was shocked to see 
how far and how long law enforcement allowed the suspects to operate their drug 
operation in San Diego.

Instead of arresting the suspects when the FBI and DEA had conclusive proof of 
crimes, law enforcement seems to have toyed with the suspects, dragging out the 
investigation and making it absurdly complicated and costly. Law enforcement 
had proof sufficient to convict several months before the first drug sale 
occurred in the case, and they sat and watched, as though they were more 
interested in playing with their shiny new computer surveillance toys than in 
putting an end to the drug crimes in progress so they could move on to more 
important things, like the terrorists known to the CIA to be inside our 
country, who by coincidence lived virtually next-door to these drug offenders 
in San Diego.

Law enforcement delayed making arrests in this drug case until their priorities 
were changed after 9/11.

Meanwhile, drugs were being manufactured and sold in San Diego within full 
video surveillance and other plain view of the FBI and DEA.

I'm certain that I'm allowed to talk about the case now that it is over, and 
the defendant on whose behalf I did my work previously expressed a willingness 
to have his case publicized.

If you're interested in this story, let me know and I can put you in contact 
with the defendant in the case.

He and his criminal associates appeared to be non-violent drug offenders who 
became guinea pigs for the development of the FBI and DEA's electronic 
intercept investigations techniques, which paved the way for parts of the 
PATRIOT Act which subsequently granted authorities additional capabilities to 
use computer surveillance technology in ways that I believe are inappropriate.

Computer electronic intercepts allow automated intelligence gathering according 
to sophisticated automated rules, in effect allowing computers to do, through 
the use of secret law enforcement software, what human law enforcement would 
never be allowed by law to do themselves.

For this and other reasons, all electronic intercepts that use computer 
software to analyze data (including voice recognition processing of digital 
audio) may be a violation of our various Constitutional protections. They 
certainly create opportunity for systematic abuses, and in the absence of a 
cultural bias toward full disclosure there is very real possibility of harm to 
the public interest.

We all know by now how little effort anyone in the law enforcement community 
put into overcoming institutional and case management barriers that made it 
culturally, politically, and in some respects legally impossible within our 
country to take proactive and imaginative yet constitutionally-correct actions 
to advance the early detection of serious violent crime like 9/11.

What I find amazing about the case I worked on was the extent to which the 
system that we still have today continues to create unproductive barriers that 
make law enforcement mistakes and courtroom rules completely unresponsive to, 
and disinterested in, positive change and procedural enlightenment.

The idea that law enforcement is entitled to have and hold secrets, and have 
their transgressions covered up by cooperative judges -- in effect granting law 
enforcement the flexibility to make up the rules whenever they like, which is 
essentially what the PATRIOT Act has granted free license to do, and what the 
Bush administration is now requesting by way of extensions to PATRIOT -- the 
idea that these extra powers somehow solve the underlying systemic problems 
that allowed the 9/11 conspiracy to unfold is just wrong.

It is systemic flaws that cause law enforcement and the courts to invest huge 
sums of money into extremely complex and lengthy drug investigations instead of 
quickly and efficiently prosecuting small offenses before they grow into larger 
ones.

And it is systemic flaws that allow otherwise-good people who have drug, de

Re: [Full-disclosure] Microsoft Windows and *nix Telnet Port Number Argument Obfuscation

2005-06-09 Thread Nick FitzGerald
Atte Peltomäki wrote:

> I enjoyed reading this posting very much, because it was new information
> to me, and to many others on this list it seems.

That's nice for you all, I'm sure...

I enjoy chocolate cake -- not just eating them, and _making_ chocolate
cakes (there goes my rep as a mean techno-geek...).  However, reading
chocolate cake recipes here -- and pretty much any other chocolate cake
discussion than this -- would not be "enjoyable", as there is a time
and place for everything, as F-D is not the place for chocolate cake,
nor for the bleeding obvious anyone out of nappies should know.

> I did not enjoy at all reading mr. FitzGerald's abusive flame.

Cough, plutter...

"flame"?

"abusive"?

You must be just a child...

> Atte Peltomäki - [EMAIL PROTECTED]
> IT Engineer - IT Server Team
> F-Secure Corp. PL 24, FIN-00181 Helsinki, Finland
> Tel: +358 9 2520 0700, direct: +358 9 2520 5423
> http://www.F-Secure.com
> Integrated Solutions for Enterprise Security

...yet I thought Finland had strong child-exploitation protection laws?

Hmm...

Go ask Mikko and Katrin about me, flaming and "abuse"...


Regards,

Nick FitzGerald



RE: [Full-disclosure] Microsoft Windows and *nix Telnet Port Number Argument Obfuscation

2005-06-09 Thread Nick FitzGerald
Richard John L Contractor 611 ACF/SCO to Arjan van der Velde:

[restructured to fix non-quoted, top-postingitis]

> > I like reading posts in here to learn from. It would be good not to be too
> > hostile against people asking questions you already know the answer for or
> > even have known it for ages already. If I were to ask a question I would
> > like to be educated or at least pointed in the right direction. Some replies
> > really discourage people from asking.
> 
> I agree with the individual below...some of us are still new to this
> vulnerability thing (I for one) and appreciate lurking here and taking it
> all in...

["below" == "above" due to aforementioned top-postingitis]

Lurking and reading and "listening" and learning are all good things 
and I applaud you all for doing them (in fact, that is mostly what I 
get from F-D too).  However, note that this is a vulnerability (and 
exploit) disclosure list, not a "I just came across something vaguely 
interesting I thought some of you may also be interested in" list 
(there are, of course, FD-relevant discoveries that may fall from such 
moulds, but most that do are not FD-relevant...).

> ... as a matter of fact, I'd love to have the original poster,
> re-post...I was talking to a few others who had no idea about this and
> they'd love to see the article (which I'd deleted - for some reason???)

As it seems to be noob week, I'll try to learn y'all sumfin...

[To be red in a bad Southern drawl...]

1.  Full-Disclosure iz won of them thar _mailin list_ thangs.

2.  It's reel commin for mailin lists to _archive_ all messages posted 
thru 'em.

3.  It's just 'bout as commin for them thar archives to be on tha web 
(tho you may hav to be a subscribed list membar to login an see 'em).

4.  Many mailin lists are run by software what putz all manna of useful 
mailin list-related infoz in tha heddaz of theer messages, commonly in 
the form "List-*:".

5.  Most list subscribaz wil have MUAz (no, not cowz) wot ar able to 
display such special heddaz.

6.  Compitint list subscribaz wil no what button to click to uz those 
feechurz...


Regards,

Nick FitzGerald



Re: [Full-disclosure] Microsoft Windows and *nix Telnet PortNumber Argument Obfuscation

2005-06-09 Thread Kristian Hermansen
On Thu, 2005-06-09 at 08:06 -0700, Etaoin Shrdlu wrote:
> For those of us actually looking at it as an
> early warning system, think of Nick as being a vocal representative of the
> majority of more senior security people on the list.

OK.  Fair enough, but at least some people found it "informative".  The
technique described probably does affect many networking tools, as you
stated, but one should ask if this is a proper coding technique or not
(think secure code).  The input does not map to the expected output --
and the user should have been told that the port number is out of range.
Otherwise, what if he thinks 65571 is a valid port after executing that
command?  He may be naive, but shouldn't the telnet programmer let him
know that he is mistaken in his port choice?

As an analogy, it is also true that a C programmer could pull some nice
tricks to optimize his code, but that code may confuse another
programmer trying to understand it.  This is a system, like anything
else, and things are based on give/take.  I don't see why allowing this
to happen actually helps anyone but the telnet programmer -- because it
could confuse many users.  That's my rant and I'm done -- the users who
did not know about this have been informed and that was the point of the
original notice.  My apologies to the "elite", who sit so highly upon
their horses and throw flames down from above ;-)
-- 
Kristian Hermansen <[EMAIL PROTECTED]>
Cisco Systems, Inc.


Re: [Full-disclosure] Off topic rant to my friends

2005-06-09 Thread James Tucker
Quite right too, and IMO it is not completely off topic. I might point
out that (certainly on windows platforms) teaching users the F1 key is
also a damn good start, as the modern documentation is now quite
mature.

On 6/5/05, Randall M <[EMAIL PROTECTED]> wrote:
> Sorry to rant to this list. This list though has the only people on it who
> totally understand this ranting.
> 
> Every morning before heading for work I read all my security alert emails
> and website collections about possible Trojans, worms and viruses found.
> Being a faithful worker I do this on the Weekends too.
> 
> Once at work I check my web appliances, gateway, Exchange boxes and data
> servers for dat updates and check log files. I spend the first two-three
> hours of my work day doing this every day.
> 
> Why do I do this? I do it to protect my company's investment. To ensure that
> the employees have a job that day. To make sure that customers will have on
> time delivery and so new customers can make orders, etc., etc.
> 
> Today I read this article:
> http://www.eweek.com/article2/0,1759,1823633,00.asp?kc=EWRSS03129TX1K614
> 
> For some reason, maybe the coffee, I sat there thinking what the hell am I
> doing all this for? Am I being paid by my company to set up and protect only
> for some future use as a botnet for some organized crime boss!!
> 
> I continually spend time, money and research on ways to protect. All of my
> mechanisms I use are actually as helpless as I am!! It's the blind leading
> the blind!!
> 
> Then, like a message from God, a memory of a phone call from one of our
> users came to me:
> 
> "Hey, I received this email about my account being suspended for security
> reasons, I immediately deleted it but just wanted to let you know".
> 
> My small employee awareness program was slowly paying off. A year ago that
> same phone call would have been the "I think I did something bad" type. I
> now realize that my investments and my time have been spent MORE in the
> wrong place. I'm turning that around and heading back to the user. They are
> MY PROACTIVE, PREEMPTIVE protection!! I am no longer depending on the
> Anti-Virus dats or the front-end Appliances or the Gateways because a simple
> "Click" by the user makes them all useless. And it looks as though I can't
> depend on them to keep that "click" opportunity from the user.
> 
> Praise be to God for the User! They are powerful! They are trainable! They
> are my BEST defense!
> 
> There. I feel better now.
> 
> 
> thank you
> Randall M
> 
> 
> 


[Full-disclosure] MDKSA-2005:098 - Updated wget packages fix vulnerabilities

2005-06-09 Thread Mandriva Security Team

 ___

Mandriva Linux Security Update Advisory
 ___

 Package name:   wget
 Advisory ID:MDKSA-2005:098
 Date:   June 9th, 2005

 Affected versions:  10.0, 10.1, 10.2, Corporate 3.0,
 Corporate Server 2.1
 __

 Problem Description:

 Two vulnerabilities were found in wget.  The first is that an HTTP
 redirect statement could be used to do a directory traversal and
 write to files outside of the current directory.  The second is that
 HTTP redirect statements could be used to overwrite dot ('.') files,
 potentially overwriting the user's configuration files (such as
 .bashrc, etc.).
 
 The updated packages have been patched to help address these problems
 by replacing dangerous directories and filenames containing the dot ('.')
 character with an underscore ('_') character.
 ___

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1487
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1488
 __

 Updated Packages:
  
 ___

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  

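As an added illustration of the mitigation the advisory describes (this is not wget's own code), the C function below rewrites the dangerous components of a server-supplied path, such as the target of an HTTP redirect, so that ".." traversal cannot leave the download directory and dot-file names like .bashrc cannot be overwritten; sanitize_local_path and sanitized are names assumed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Rewrite a path taken from the server (for instance an HTTP redirect
 * target) so that it can only name files below the download directory.
 * Following the approach in the advisory, leading dots in any component
 * are replaced with '_': ".." becomes "__", "." becomes "_", ".bashrc"
 * becomes "_bashrc".  Leading and repeated '/' are dropped so the result
 * is always relative.  Returns the output length, or -1 if it does not
 * fit in out.  Assumes '/' is the only separator (no backslash handling). */
int sanitize_local_path(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p = in;

    if (outlen == 0)
        return -1;

    while (*p != '\0') {
        while (*p == '/')            /* skip separators, collapse "//" */
            p++;
        if (*p == '\0')
            break;

        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - start);

        if (o > 0) {                 /* separator between components */
            if (o + 1 >= outlen)
                return -1;
            out[o++] = '/';
        }
        if (o + len >= outlen)       /* leaves room for the NUL */
            return -1;

        int leading = 1;             /* still inside the run of leading dots */
        for (size_t i = 0; i < len; i++) {
            char c = start[i];
            if (c == '.' && leading)
                c = '_';             /* neutralise "." / ".." / dot-files */
            else
                leading = 0;
            out[o++] = c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Small wrapper returning the sanitized path from a static buffer,
 * or NULL when the input does not fit. */
const char *sanitized(const char *in)
{
    static char buf[256];
    if (sanitize_local_path(in, buf, sizeof buf) < 0)
        return NULL;
    return buf;
}

int main(void)
{
    /* constructed redirect targets of the kind the advisory describes */
    const char *samples[] = {
        "/../../etc/passwd", "dir/.bashrc", "a//b/./c", "index.html"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i], sanitized(samples[i]));
    return 0;
}
```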


[Full-disclosure] Re: Circumventing SSSS Screening and No-Fly List

2005-06-09 Thread Dave Korn
Original Message
>From: Jason Coombs
>Message-Id: [EMAIL PROTECTED]

> So, upon finding a way to circumvent the no-fly list that requires extra
> passenger screening at security prior to boarding a flight in the U.S.,
> who exactly does one report the vulnerability to?

  OBL!

   cheers,
  DaveK
-- 
Can't think of a witty .sigline today





[Full-disclosure] [ GLSA 200506-06 ] libextractor: Multiple overflow vulnerabilities

2005-06-09 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200506-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: libextractor: Multiple overflow vulnerabilities
  Date: June 09, 2005
  Bugs: #79704
ID: 200506-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

libextractor is affected by several overflow vulnerabilities in the
PDF, Real and PNG extractors, making it vulnerable to execution of
arbitrary code.

Background
==

libextractor is a library used to extract meta-data from files. It
makes use of Xpdf code to extract information from PDF files.

Affected packages
=

---
 Package  /  Vulnerable  /  Unaffected
---
  1  media-libs/libextractor   < 0.5.0>= 0.5.0

Description
===

Xpdf is vulnerable to multiple overflows, as described in GLSA
200501-28. Also, integer overflows were discovered in Real and PNG
extractors.

Impact
==

An attacker could design malicious PDF, PNG or Real files which, when
processed by an application making use of libextractor, would result in
the execution of arbitrary code with the rights of the user running the
application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All libextractor users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libextractor-0.5.0"

References
==

  [ 1 ] CAN-2005-0064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064
  [ 2 ] GLSA 200501-28
http://www.gentoo.org/security/en/glsa/glsa-200501-28.xml
  [ 3 ] libextractor security announcement
http://gnunet.org/libextractor/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200506-06.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0




[Full-disclosure] RE: End users as security devices

2005-06-09 Thread Daniel Sichel

>> Praise be to God for the User! They are powerful! They are trainable!
>> They are my BEST defense!
>>
>> There. I feel better now.
>>

You are onto a good thing and make a good point. 

At my last job the organization's CAO insisted that security not block
ANYTHING any user wanted, IM, HTML mail, streaming audio, flash, even
desktop SMTP servers (no, I am not making this up). He also wanted NO
passwords (hard to remember, don't you know) but I talked him into at
least requiring weak ones. What a mess, viruses everywhere, keystroke
loggers, malware sucking up bandwidth and of course crash crash crash,
why is my app running slow? Naturally this mess was MY fault, had
nothing to do with the policy. 

Fast forward, I now work at a telephone company, disciplined work
practices are ingrained and a MUST. Management believes in security and
allows my boss, the IS manager, to set policies that everyone up to, and
including the owner, religiously adheres to. My boss is dedicated to
providing full end user functionality but doing it securely. Result, our
machines hum, we are NEVER down, there is no spam and I can barely
remember the last virus I saw. This all works ONLY because end users
know and RESPECT the rules and actively support keeping our WAN secure. 

Don't lose faith, don't give up, keep explaining, and training. You CAN
make end users proactive participants in enterprise security. Just
remember, there will always be a few intellectually challenged folks who
need a bit of extra mentoring. Try to be patient, and NO, you can't put
handicap placards on computers used by those with IQs below 90, sorry. 


Dan Sichel
Network Engineer
Ponderosa Telephone
[EMAIL PROTECTED] (559) 868-6367
 


Re: [Full-disclosure] Circumventing SSSS Screening and No-Fly List

2005-06-09 Thread Andrew Haninger
> On 6/8/05, Jason Coombs <[EMAIL PROTECTED]> wrote:

On 6/9/05, Michael Holstein <[EMAIL PROTECTED]> wrote:
> Why not just post it anonymously here and let the TSA eat their crow?

Too late.

-- 
Andy


Re: [Full-disclosure] Circumventing SSSS Screening and No-Fly List

2005-06-09 Thread Michael Holstein



> Would you suggest debriefing TSA at the airport at one's destination upon
> arrival?


Equally unwise, unless you don't mind never arriving at your 
destination. You'd probably end up on the next flight to Cuba, branded a 
"grave threat to national security"


Why not just post it anonymously here and let the TSA eat their crow?

~Mike.


Re: [Full-disclosure] Microsoft Windows and *nix Telnet PortNumber Argument Obfuscation

2005-06-09 Thread Etaoin Shrdlu
Kristian Hermansen wrote:
> 
> On Wed, 2005-06-08 at 15:04 +1200, Nick FitzGerald wrote:
> > This has been known since Adam was a cowboy.

He's right, you know.

> Although I don't believe that your claim is unlikely, it would have been
> nice to post a link to the original discovery to back it up.

This is just foolishness.

>  Everyone
> that I have showed this to, personally, has not seen it before.  And,
> after some google searching, I could not locate anyone else either that
> talked about this -- the closest thing was an old Microsoft telnet
> advisory that didn't mention this behavior specifically.

Link? Why would there be a "link" to show where the "original advisory"
was? You have just got to be kidding.

> With that said, I would like to ask anyone who has info about the
> original discovery to please post it here (Nick didn't respond to my
> email).  I am interested to know more about it, and maybe the original
> discoverer found other things as well...thanks

Original discovery??? Don't you work for Cisco? Try either the Stevenson or
Doug Comer 3-volume set on networking. That'd probably help. I realize that
there seem to be a *whole* bunch of folk that feel that FD is a playground
and learning environment. For those of us actually looking at it as an
early warning system, think of Nick as being a vocal representative of the
majority of more senior security people on the list.

Please, if your objective is to learn about the basics, do it *elsewhere*.

--
The command line is useful for people who like to communicate
with their computers with a *language*, GUIs are for people
who like to to communicate by *pointing and grunting*
So who's the Neanderthal?  (J. J. Green)


Re: [Full-disclosure] Microsoft Windows and *nix Telnet Port Number Argument Obfuscation

2005-06-09 Thread Nick FitzGerald
Kristian Hermansen wrote:

> > This has been known since Adam was a cowboy.
> 
> Although I don't believe that your claim is unlikely, it would have been
> nice to post a link to the original discovery to back it up.  ...

It was never "originally discovered".  All manner of commandline 
parsing of text to numbers has been doing this in many places for quite 
some time.  I did not post a URL to back it up as I have no idea where 
I first came across this and it was so long ago that the odds of that 
source still being available to cite are probably pretty low and I have 
better things to do with my time.

> ...  Everyone
> that I have showed this to, personally, has not seen it before.  ...

Maybe that says that something about the "everyones" you know, rather 
than saying anything about this minor factoid?

> ...  And,
> after some google searching, I could not locate anyone else either that
> talked about this -- the closest thing was an old Microsoft telnet
> advisory that didn't mention this behavior specifically.

I just did a few minutes Googling on likely phrases and turned up 
hundreds of hits.  Haven't got time to wade through them to find which 
are most relevant, but it seems many people have come across similar 
issues in commandline parsing code "wrapping" when they parse strings 
representing values larger than 65535 that are supposed to be unsigned 
16-bit integers and many of those are in the context of specifying port 
numbers for TCP/IP networking.

> With that said, I would like to ask anyone who has info about the
> original discovery to please post it here (Nick didn't respond to my
> email).  ...

Sorry -- been busy but I intended to (I'll write separately and explain 
those idiomatic and possibly anachronistic expressions you couldn't 
parse...).

> ...  I am interested to know more about it, and maybe the original
> discoverer found other things as well...thanks

This stuff goes back to the ark -- I doubt those guys give a toss about 
this list and what is discussed here...


Regards,

Nick FitzGerald



Re: [Full-disclosure] Microsoft Windows and *nix Telnet Port Number Argument Obfuscation

2005-06-09 Thread Kristian Hermansen
On Wed, 2005-06-08 at 15:04 +1200, Nick FitzGerald wrote:
> This has been known since Adam was a cowboy.

Although I don't believe that your claim is unlikely, it would have been
nice to post a link to the original discovery to back it up.  Everyone
that I have showed this to, personally, has not seen it before.  And,
after some google searching, I could not locate anyone else either that
talked about this -- the closest thing was an old Microsoft telnet
advisory that didn't mention this behavior specifically.

With that said, I would like to ask anyone who has info about the
original discovery to please post it here (Nick didn't respond to my
email).  I am interested to know more about it, and maybe the original
discoverer found other things as well...thanks
-- 
Kristian Hermansen <[EMAIL PROTECTED]>
Cisco Systems, Inc.


[Full-disclosure] [USN-138-1] gedit vulnerability

2005-06-09 Thread Martin Pitt
===
Ubuntu Security Notice USN-138-1  June 09, 2005
gedit vulnerability
CAN-2005-1686
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

gedit

The problem can be corrected by upgrading the affected package to
version 2.8.1-0ubuntu1.1 (for Ubuntu 4.10) and 2.10.2-0ubuntu2 (for
Ubuntu 5.04).  In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.

This becomes security relevant if e.g. your web browser is configured
to open URLs in gedit. If you never open untrusted file names or URLs
in gedit, this flaw does not affect you.



[Full-disclosure] xmysqladmin insecure temporary file creation

2005-06-09 Thread ZATAZ Audits

#

xmysqladmin insecure temporary file creation

Vendor:  Gilbert Therrien [EMAIL PROTECTED] or mysql@tcx.se
Advisory: http://www.zataz.net/adviso/xmysqladmin-05292005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#

xmysqladmin contains a security flaw which could allow a malicious
local user to delete arbitrary files with the rights of the user
who uses xmysqladmin, or to obtain sensitive information
(the content of a database).

During the drop of a database, xmysqladmin drops the database and creates
a tar.gz inside /tmp without checking if the file already exists.

The exploitation requires that the malicious local user knows which database
is going to be deleted.

##
Versions:
##

xmysqladmin <= 1.0

##
Solution:
##

In Makefile :

BACKUPDIR = .

I think that upstream should check if the file already exists or not 
before creating it.


To prevent symlink attack use kernel patch such as grsecurity

#
Timeline:
#

Discovered : 2005-05-24
Vendor notified : 2005-05-29
Vendor response : no response
Vendor fix : no fix
Disclosure :  2005-05-29

#
Technical details :
#

Vulnerable code :
-

In Makefile :

BACKUPDIR = /tmp

In createDropDB.c : begin line 94

void dropdb_drop(FL_OBJECT *obj, long data)
{
  char *cmd;

  if(!fl_show_question("WARNING!!!\nThis database will be delete.\nDo you want to continue?", 0))
    return;
  if(!fl_show_question("WARNING!!!\nThis database will be delete.\nAre you sure?", 0))
    return;

  cmd = (char *) malloc(2048);
  if(!cmd) return;

  /* Builds "<BACKUP> <BACKUPDIR>/<db>.tar<BACKUPSUFFIX> <datapath><db>/*".
     With BACKUPDIR = /tmp the archive lands at a predictable name in a
     world-writable directory, and nothing checks whether that name already
     exists (or is a symlink) before the command below writes to it. */
  sprintf(cmd, "%s %s/%s.tar%s %s%s/*", BACKUP, BACKUPDIR, g_dropdb_dbfname,
          BACKUPSUFFIX, Setup.datapath, g_dropdb_dbfname);

  fl_show_command_log(FL_TRANSIENT);
  fl_exe_command(cmd, 1);   /* runs the backup command through the shell */
  free(cmd);

  {
    MYSQL connection;
    if(g_mysql_connect(&connection, Setup.host, Setup.user, Setup.password))
      {
        if(mysql_drop_db(&connection, g_dropdb_dbfname))
          {
            fl_show_alert(mysql_error(&connection),"","",0);
          }
        else
          {
            fl_show_message("The database",g_dropdb_dbfname,"has been destroyed");
          }

        mysql_close(&connection);
      }
    else
      {
        fl_show_alert("Cannot connect to server","","",0);
      }
  }
}

#
Related :
#

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93792

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)

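Added example, not xmysqladmin's code and not a vendor fix, of the check the advisory asks upstream for: the backup name keeps the same BACKUPDIR/<db>.tar.gz shape, but the file is created by the program itself with O_CREAT|O_EXCL|O_NOFOLLOW, so a file or symlink already sitting at that name is refused instead of silently followed or overwritten. The scratch directory, the "testdb" name and the symlink target are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Same shape as the path built in createDropDB.c: BACKUPDIR/<db>.tar.gz.
 * With BACKUPDIR = /tmp every local user can predict this name.            */
int backup_path(char *buf, size_t len, const char *backupdir, const char *dbname)
{
    int n = snprintf(buf, len, "%s/%s.tar.gz", backupdir, dbname);
    return n > 0 && (size_t)n < len;
}

/* Hardened creation (added here, not the project's fix): O_EXCL makes open()
 * fail if anything, regular file or symlink, already exists at the path, and
 * O_NOFOLLOW refuses to follow a symlink. Mode 0600 keeps the dump private.
 * Returns a descriptor the archiver can write into, or -1 with errno set.   */
int create_backup_file_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Demonstration in a private scratch directory (constructed; not /tmp itself):
 * 1. a fresh name is created normally;
 * 2. a second attempt on the now-existing name is refused with EEXIST;
 * 3. a symlink planted at the name, the advisory's scenario, is refused rather
 *    than followed, so the link target is never clobbered.
 * Returns 1 when all three steps behave as described.                       */
int demo_exclusive_create(void)
{
    char dir[] = "/tmp/xmysqladmin-demo-XXXXXX";
    char path[512] = "";
    int ok = 0, fd;

    if (mkdtemp(dir) == NULL) return 0;
    if (!backup_path(path, sizeof path, dir, "testdb")) goto out;

    fd = create_backup_file_excl(path);          /* step 1: must succeed */
    if (fd < 0) goto out;
    close(fd);

    fd = create_backup_file_excl(path);          /* step 2: must be refused */
    if (fd >= 0) { close(fd); goto out; }
    if (errno != EEXIST) goto out;
    unlink(path);

    if (symlink("/nonexistent/victim", path) != 0) goto out;   /* planted link */
    fd = create_backup_file_excl(path);          /* step 3: symlink refused */
    if (fd >= 0) { close(fd); goto out; }
    ok = (errno == EEXIST || errno == ELOOP);
out:
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("exclusive create demo: %s\n", demo_exclusive_create() ? "ok" : "FAILED");
    return 0;
}
```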


Re: [Full-disclosure] Off topic rant to my friends

2005-06-09 Thread Steve Kudlak

I dunno if this is any worse than the many, many replies one sees to
some hot topic about Microsoft and stuff like that.. Overall every time
I went to a security conference users got insulted. They were stupid,
they fell for things, hook line and sinker etc. etc. etc. Of course
sometimes the "professionals" never mentioned that the poor users are
bombarded by a bunch of directives that are not explained and are hard
to follow and seem like another stupid directive handed down from
on-high that ask them to do something difficult without explaining how,
for example how to pick passwords that are not in the dictionary. The
take a phrase and take the first letter technique is something that
does not intuitively spring to mind to everyone. It took a lecture to
explain that "F*CK SUSAN and BOB" were not good passwords. N.B. I have
been around for awhile and on the old TOPS-20 Systems passwords were
not initially encrypted. So it was easy to find actual passwords and
tell people not to use those. Now things are encrypted and all that 
but still a weak password doesn't work and other small things that
people could do to be just reasonably careful they don't. Dunno how
much verbiage to waste on random issues.

Have Fun,
Sends Steve


I read the article and it was interesting. I don't quite know how much
of it to believe. It is clear some people are up to something
questionable. Whether it fits the model the authors have of well
coordinated effort to deliver services to organized crime maybe a bit
much on the conspiracy side for me to swallow. Security experts often
miss that they use FUD without knowing it. 

But it is still good to be careful because there are people who don't
realise one's machine might be for something important and not just a
plaything for others to mess with and ruin if they had a bad day or
wanted to play weird "process war games".

Have Fun,
Sends Steve


J.A. Terranson wrote:

  You don't have a blogspot account you could have posted this to?


On Sun, 5 Jun 2005, Randall M wrote:

Date: Sun, 5 Jun 2005 10:32:20 -0500
From: Randall M <[EMAIL PROTECTED]>
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Off topic rant to my friends

Sorry to rant to this list. This list though has the only people on it who
totally understand this ranting.

Every morning before heading for work I read all my security alert emails
and website collections about possible Trojans, worms and viruses found.
Being a faithful worker I do this on the Weekends too.

Once at work I check my web appliances, gateway, Exchange boxes and data
servers for dat updates and check log files. I spend the first two-three
hours of my work day doing this every day.

Why do I do this? I do it to protect my company's investment. To ensure that
the employee's have a job that day. To make sure that customers will have on
time delivery and so new customers can make orders, etc., etc.

Today I read this article:
http://www.eweek.com/article2/0,1759,1823633,00.asp?kc=EWRSS03129TX1K614

For some reason, maybe the coffee, I sat there thinking what the hell am I
doing all this for? Am I being paid by my company to set up and protect only
for some future use as a botnet for some organized crime boss!!

I continually spend time, money and research on ways to protect. All of my
mechanisms I use are actually as helpless as I am!! It's the blind leading
the blind!!

Then, like a message from God, a memory of a phone call from one of our
users came to me:

"Hey, I received this email about my account being suspended for security
reasons, I immediately deleted it but just wanted to let you know".

My small employee awareness program was slowly paying off. A year ago that
same phone call would have been the "I think I did something bad" type. I
now realize that my investments and my time have been spent MORE in the
wrong place. I'm turning that around and heading back to the user. They are
MY PROACTIVE, PREEMPTIVE protection!! I am no longer depending on the
Anti-Virus dats or the front-end Appliances or the Gateways because a simple
"Click" by the user makes them all useless. And it looks as though I can't
depend on them to keep that "click" opportunity from the user.

Praise be to God for the User! They are powerful! They are trainable! They
are my BEST defense!

There. I feel better now.


thank you
Randall M






Re: [Full-disclosure] Microsoft Windows and *nix Telnet Port Number Argument Obfuscation

2005-06-09 Thread Stan Bubrouski
From the charter:
"Any information pertaining to vulnerabilities is acceptable, for
instance announcement and discussion thereof, exploit techniques and
code, related tools and papers, and other useful information."

Clearly this thread started as "useful information" as many people pointed out.

Also from the charter:

"Humour is acceptable in moderation, providing it is inoffensive.
Politics should be avoided at all costs."

So Nick maybe you should read the charter before flaming someone who
posted useful information?

-sb


On 6/7/05, Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> Kristian Hermansen wrote:
> 
> > The second argument to the telnet executable, the port number, does not
> > need to conform to the standard available port conventions (ie.
> > 0-65535).  It is actually possible to specify a port number very far out
> > of the effective range, and still be able to connect to the "wrapped"
> > port value.  On Windows, it is even possible to specify negative port
> > values.  Following is a short demonstration:
> 
> Did you come down in the last shower?
> 
> This has been known since Adam was a cowboy.
> 
> On some OSes and depending on the tool parsing the cmdline, you can
> also do similar things with octets within dotted IPs and other similar,
> funky stuff.
> 
> Oh, and did you think to play around with expressing some of the values
> in hex?  Or even weirder, octal?
> 
> At least you note it is not a vulnerability -- I guess there is some
> hope after all...
> 
> 
> Regards,
> 
> Nick FitzGerald
> 


Re: [Full-disclosure] Microsoft Windows and *nix Telnet Port Number Argument Obfuscation

2005-06-09 Thread Atte Peltomaki
> That you can connect to a mail host on port 25 by typing  telnet
> mailhost 65561 is either interesting or unsettling depending on your
> point of view.  In either case it is probably worth understanding if
> you're the security guru on site or you write network code.
> 
> On 6/7/05, Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> > This has been known since Adam was a cowboy.
> Well, this /is/ full-disclosure, no? Best to tell than to withhold.

I enjoyed reading this posting very much, because it was new information
to me, and to many others on this list it seems.

I did not enjoy at all reading mr. FitzGerald's abusive flame.

-- 
 
 \   __// Atte Peltomäki - [EMAIL PROTECTED]
  \  \\  IT Engineer - IT Server Team
   \   __//F-Secure Corp. PL 24, FIN-00181 Helsinki, Finland
\  \\ Tel: +358 9 2520 0700, direct: +358 9 2520 5423   
 \ //   http://www.F-Secure.com
  \/ Integrated Solutions for Enterprise Security
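Added example, not the telnet source of either platform: a constructed naive parser that reproduces the wrap the thread describes (the quoted "telnet mailhost 65561" landing on port 25, a negative value on Windows landing at 65535, and the hex and octal spellings Nick mentions slipping through strtol with base 0), beside the strict range-checked parser a client or daemon should use instead. The function names are mine.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the wrap (assumed, not the real telnet code):
 * the argument is converted with strtol() and then stored in the 16-bit port
 * field of a socket address, so only the low 16 bits survive. Base 0 also
 * makes strtol() accept "0x19" (hex) and "031" (octal), both equal to 25.   */
uint16_t naive_port(const char *arg)
{
    long v = strtol(arg, NULL, 0);
    return (uint16_t)v;   /* 65561 -> 25, 131097 -> 25, -1 -> 65535 */
}

/* Strict parser: decimal digits only, no sign or whitespace, no trailing
 * characters, value within 1..65535. Returns the port, or -1 when rejected,
 * so "65561", "-1" and "0x19" are errors instead of a different port.        */
int strict_port(const char *arg)
{
    const char *p = arg;
    if (p == NULL || *p == '\0') return -1;
    for (; *p; p++)
        if (!isdigit((unsigned char)*p)) return -1;
    errno = 0;
    unsigned long v = strtoul(arg, NULL, 10);
    if (errno == ERANGE || v < 1 || v > 65535) return -1;
    return (int)v;
}

int main(int argc, char **argv)
{
    /* constructed sample arguments; any given on the command line are used instead */
    const char *samples[] = { "25", "65561", "131097", "-1", "0x19", "031" };
    size_t n = argc > 1 ? (size_t)(argc - 1) : sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++) {
        const char *s = argc > 1 ? argv[i + 1] : samples[i];
        printf("%-8s naive=%5u strict=%d\n", s, naive_port(s), strict_port(s));
    }
    return 0;
}
```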


[Full-disclosure] List Charter

2005-06-09 Thread John Cartwright
[Full-Disclosure] Mailing List Charter
John Cartwright <[EMAIL PROTECTED]>
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
[EMAIL PROTECTED], send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (eg spamming, misappropriation) then offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
[EMAIL PROTECTED] Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.


Re: [Full-disclosure] RE: Exploits Selling / Buying

2005-06-09 Thread Stuart Low
> Space, flight and errors to boot!
> http://opensource.arc.nasa.gov/project.jsp?id=*

That's hardly something of an "exploitable" nature. It's a plain ol'
Number Format exception. At least this way the only way it'll get past
there is by parsing a number.

Stuart
