[Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Tom Ferris

Mozilla Firefox Host: Buffer Overflow

Release Date:
September 8, 2005

Date Reported:
September 4, 2005

Severity:
Critical

Vendor:
Mozilla

Versions Affected:
Firefox Win32 1.0.6 and prior
Firefox Linux 1.0.6 and prior
Firefox 1.5 Beta 1 (Deer Park Alpha 2)

Overview:

A buffer overflow vulnerability exists within Firefox version 1.0.6 and 
all other prior versions which allows for an attacker to remotely execute 
arbitrary code on an affected host.


Technical Details:
The problem seems to be that a hostname consisting entirely of dashes causes the 
NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true but 
set encHost to an empty string.  Meaning, Firefox appends 0 to 
approxLen and then appends the long string of dashes to the buffer 
instead.  The following HTML code will reproduce this issue:


A HREF=https:- 

Simple, huh? ;-]

Vendor Status:
Mozilla was notified, and I'm guessing they are working on a patch. Who 
knows though?


Discovered by:
Tom Ferris

Related Links:
www.security-protocols.com/firefox-death.html
www.security-protocols.com/advisory/sp-x17-advisory.txt
www.security-protocols.com/modules.php?name=News&file=article&sid=2910

Greetings:
chico, modify, ac1djazz, dmuz, aempirei, Daniel Sergile, tupac shakur, and 
the rest of the angrypacket krew.


Copyright (c) 2005 Security-Protocols.com

Thanks,

Tom Ferris
Researcher
www.security-protocols.com
Key fingerprint = 0DFA 6275 BA05 0380 DD91  34AD C909 A338 D1AF 5D78
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
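As an added illustration of the accounting flaw the advisory describes (constructed here, not Mozilla's code): a C model in which a hypothetical normalizer reports success for an all-dash host but yields an empty encoded host, so a length estimate that counts the encoded host under-budgets what is actually appended, while a bounds-checked append reports the mismatch instead of writing past the buffer and the corrected builder derives its length from the exact pieces it appends. The names model_normalize_idn, spec_estimate_undercounts and build_spec_fixed are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the accounting flaw the advisory describes in
 * nsStandardURL::BuildNormalizedSpec. None of this is Mozilla code; the
 * normalizer and the two builders are hypothetical stand-ins that reproduce
 * the described control flow: the normalizer reports success for an all-dash
 * host but leaves the encoded host empty, so an estimate that counts the
 * encoded host budgets 0 bytes while the raw host is what gets appended. */

/* Hypothetical normalizer with the failure mode in question: returns 1
 * ("handled") even though it produced nothing usable for an all-dash label. */
static int model_normalize_idn(const char *host, char *enc, size_t cap)
{
    size_t n = strlen(host);
    if (n + 1 > cap)
        return 0;
    if (n > 0 && strspn(host, "-") == n) {
        enc[0] = '\0';              /* success reported, empty result */
        return 1;
    }
    memcpy(enc, host, n + 1);
    return 1;
}

/* Bounded append: refuses (returns 0) rather than writing past cap. */
static int append_bounded(char *buf, size_t cap, size_t *len, const char *s)
{
    size_t n = strlen(s);
    if (n + 1 > cap - *len)
        return 0;
    memcpy(buf + *len, s, n + 1);
    *len += n;
    return 1;
}

/* The vulnerable shape: size the buffer from an estimate that counts enc,
 * then fall back to the raw host because enc came back empty. With the
 * bounded append the under-count is reported instead of corrupting memory.
 * Returns 1 when the estimate was too small for what was appended. */
int spec_estimate_undercounts(const char *scheme, const char *host)
{
    char enc[256];
    int normalized = model_normalize_idn(host, enc, sizeof enc);
    const char *host_out = (normalized && enc[0] != '\0') ? enc : host;
    /* approxLen as the advisory describes it: scheme + "://" + encHost */
    size_t approx = strlen(scheme) + 3 + (normalized ? strlen(enc) : strlen(host));
    char *buf = malloc(approx + 1);
    size_t len = 0;
    int ok = buf != NULL
          && append_bounded(buf, approx + 1, &len, scheme)
          && append_bounded(buf, approx + 1, &len, "://")
          && append_bounded(buf, approx + 1, &len, host_out);
    free(buf);
    return ok ? 0 : 1;
}

/* The corrected shape: decide which host string will be appended first and
 * derive the length from exactly those pieces. Returns a malloc'd spec
 * (caller frees) or NULL if anything still does not fit. */
char *build_spec_fixed(const char *scheme, const char *host)
{
    char enc[256];
    int normalized = model_normalize_idn(host, enc, sizeof enc);
    const char *host_out = (normalized && enc[0] != '\0') ? enc : host;
    size_t need = strlen(scheme) + 3 + strlen(host_out);
    char *buf = malloc(need + 1);
    size_t len = 0;
    if (buf == NULL)
        return NULL;
    if (!append_bounded(buf, need + 1, &len, scheme)
        || !append_bounded(buf, need + 1, &len, "://")
        || !append_bounded(buf, need + 1, &len, host_out)) {
        free(buf);
        return NULL;
    }
    return buf;
}
```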


Re: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Heikki Toivonen
Tom Ferris wrote:
 Vendor Status:
 Mozilla was notified, and im guessing they are working on a patch. Who
 knows though?

That seems like a gross mischaracterization, at least by looking at the
Bugzilla bug filed by you which I believe this corresponds to. The bug
was reported two days ago (Sep 6), the first comment came less than an
hour after that, and the first attempted fix was attached less than two
hours after the bug was filed. Further comments explained how it was
proving hard to find what and where was actually going wrong to put in
the right fix. 10 replies total in less than two days. To me it seems
obvious work is being done.

-- 
  Heikki Toivonen




Re: [Full-disclosure] Secuirty Hole Found In Dave's Sock

2005-09-09 Thread Jackson McKinley

alert leg $RIGHT_FOOT any -> any toe (msg:"Suspect traffic - Sock hole exploit"; content:"%48%61%63%6b%69%6e%67%20%74%68%65%20%73%6f%63%6b%20%6d%61%6e%21"; classtype: misc-activity; sid: 2001842; rev:4; )
alert leg $BOTH_LEGS any -> any foot/toe/leg (msg:"Attempted exploiting of the toe, sock or leg"; content:"%68%61%63%6b%69%6e%67%20%74%68%65%20%66%6f%6f%74%2c%20%74%6f%65%2c%20%6c%65%67%2e%2e%20%6f%68%20%6d%79%20%74%6f%65%20%74%68%65%79%20%68%61%76%65%20%61%20%63%72%65%61%6d%20%66%6f%72%20%74%68%61%74%20%6e%6f%77"; Classtype: mis$: misc-activity; sid: 2001842; rev:4; )

 Could this be related to socks disappearing?  Anybody have signatures
 for snort?
 
 John
-- 
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: [Full-disclosure] Moderated

2005-09-09 Thread Jackson McKinley
I agree.. also anyone who talks about moderation needs to remember there is a 
reason it's called Full-disclosure...

It takes like 3 seconds to hit del on stuff you don't want to read.. Come on, 
let us have a little bit of fun, it will die down in a while..

SNIP
You guys need some cheese to go with that WHINE!,
Life is short and there's nothing wrong with a good laugh
now and then. Relax and smell the roses along the way.

Glenn

-- 
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org


Re: [Full-disclosure] Moderated?

2005-09-09 Thread VeNoMouS
Nah I'm sorry, but I gotta agree with Enrico, this list has way too many 
kids on it now, fuck I don't even bother opening my full-disclosure folder 
half the time now cause I know it's full of crap. Someone does needa pull 
finger and do some cleaning in regards to moderation.

If it keeps going the way it does, the people who post valid shit will just 
walk.

Is this a security mailing list or a teen irc channel?


ps: flame all you want, sif I care, I know there will be a couple of you 
fucktards who will take this too much to heart and abuse me a little.


- Original Message - 
From: Rachael Treu Gomes [EMAIL PROTECTED]
To: Enrico Kern [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Friday, September 09, 2005 6:51 AM
Subject: Re: [Full-disclosure] Moderated?


If you've been lurking here for years, you should also
be able to remember 2 things...

1.  This list is based on unmoderated communications.
2.  This list is notorious for the colorful belligerence
of its posters and rampant barking of wild animals.

Where have you been?  ;)

Searching the archives for the many previous suggestions
that this list be moderated or complaints that its
subscribers behave like cranky monkeys will yield
multiple reasons for why things remain the same...

--ra

On Thu, Sep 08, 2005 at 07:35:08PM +0200, Enrico Kern said something to the 
effect of:

 Hi all,

 I have read this list for a few years now and a while ago it was (ok, it still
 is...) a good information source for vulnerabilities and other security
 relevant information.

 But for a while it seems like kids are doing a good job of taking over this
 list. Hello? There is no need to fight each other here, nor to do useless
 posts (AND REPLIES TO STUPID POSTS). What's up with a few guys here?

 Maybe it's no bad idea to get some dedicated guys to sort this bullshit out
 here. Just a suggestion.

 Greetings

 Enrico Kern

 - ---
 Programming today is a race between software engineers striving to build
 bigger and better idiot-proof programs, and the Universe trying to produce
 bigger and better idiots. So far, the Universe is winning. (Rich Cook)

-- 
rachael treu gomes[EMAIL PROTECTED]
   ..quis custodiet ipsos custodes?..
(this email has been brought to you by the letters 'v' and 'i'.)



RE: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Larry Seltzer
Two interesting points: 

1) It took several minutes and more browsing elsewhere (in Bugzilla) before
my browser blew up after testing the POC.

2) When you reported a Windows XP SP2 IE 6.0 Vulnerability
(http://security-protocols.com/modules.php?name=News&file=article&sid=2891)
and a Windows XP SP2 Remote Kernel DoS
(http://security-protocols.com/modules.php?name=News&file=article&sid=2783)
you left the details of the bug and the POC out. Personally, I generally
approve of that, but why don't Mozilla users deserve as much consideration?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Moderated?

2005-09-09 Thread xyberpix




, fuck I don't even bother opening my full-disclosure folder
half the time now cause I know it's full of crap.


And when you do open it, all you do is pick a thread and bitch about  
it, that really helps matters.


I happen to love the way that FD is unmoderated, you get loads of  
really useful info, and a load of really funny crap as well.


As others have said, if you don't like it, either del the posts that  
annoy you, or unsubscribe.


xyberpix


Re: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Jerome Athias
btw Netscape is also affected...



[Full-disclosure] Fwd: GWAVA Sender Notification (Content filter)

2005-09-09 Thread xyberpix
It's nice to know that the NZ govt uses content filtering, but come 
on, turn it off if you're subscribed to mailing lists.

This is about as annoying as OOO auto replies.

xyberpix


Begin forwarded message:


From: [EMAIL PROTECTED]
Date: 9 September 2005 12:36:16 BDT
To: undisclosed-recipients: ;
Subject: GWAVA Sender Notification (Content filter)




A message sent by you was blocked by GWAVA
Content protection for Novell GroupWise
The message was blocked for the following reason(s):
• Content filter
The message contained the following information:
 Subject:
 Re: [Full-disclosure] Moderated?

 From:
 [EMAIL PROTECTED].INTERNET.IRDOM

 Recipients(s):
 [No To Addresses]
 [No Cc Addresses]
 JBM1.clhpo.IRDOM

 The following information details the events that prevented  
delivery of this message:


 Event Details
Content filtered Content within this message was disallowed.


http://www.gwava.com • About GWAVA • Powered by GWAVA
[EMAIL PROTECTED] Beginfinite, Inc. All rights reserved. Content may  
not be reproduced without permission.







[Full-disclosure] List Charter

2005-09-09 Thread John Cartwright
[Full-Disclosure] Mailing List Charter
John Cartwright [EMAIL PROTECTED]
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
[EMAIL PROTECTED], send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (eg spamming, misappropriation) then offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
[EMAIL PROTECTED] Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.


Re: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Dave Aitel
It's not consideration to hide the actual risk from users of the 
product. That's just Microsoft hogwash.


Right now, everyone knows they are at risk, and what to do about it - we 
can stop using Firefox if we think it's a high enough risk vulnerability 
to do so. This is definitely better than just being in the dark for 
another week or so until they get the patch done.


-dave




[Full-disclosure] Re: Moderated?

2005-09-09 Thread Dave Korn
Original Message
From: VeNoMouS
Message-Id: [EMAIL PROTECTED]

 Nah I'm sorry,  But I gotta agree with Enrico, this list has way to many
 kids on it now, fuck i dont even bother opening my full-disclosure folder
 half the time now cause i know its full of crap.

  Then you should unsubscribe.  Why bother subscribing to a list that you
don't want to be on?


cheers,
  DaveK
-- 
Can't think of a witty .sigline today





[Full-disclosure] Worldwide WEP vulnerability

2005-09-09 Thread J. Oquendo


Product:Remote Wireless Panties
http://www.kissntellparties.com/wirelessremote.html
Versions:   All
Bug:DoS vulnerability
Impact: Attackers can cause overflow.
Date:   September 09, 2005
Author: Spinoza DesCartes
Infiltrated dot Net Security Team
Email: [EMAIL PROTECTED]


///--
Introduction
///--

Remote Wireless Panties are something of a novelty used by women for
pleasure. Although this may not be the proper forum for it, it is
nevertheless a security problem. At first I was reluctant to post this
message for fear of ridicule, but I figured I would let the experts handle
this one. Besides it is a wireless issue.

///--
The bug
///--

These wireless panties run off a wireless frequency range of 2.400GHz
to 2.500GHz which is typical of, say, a cordless phone, wireless router,
et al. When someone uses this product there seems to be some form of
interference coming from multiple wireless products which causes the
product to behave erratically and jack up its speed.

///--
The Fix
///--

Create a wireless tunnel between the product and the product's remote; this
helps ensure that only the intended product alone understands the
transmitted signals. Tunneled signals are encrypted, and unless using
encryption, transmitted data may reach unintended recipients.

Encrypting also ensures that it remains uncorrupted throughout the
connection and allows the user the flexibility to move about freely sending
and receiving signals. Temporal Key Integrity Protocol (TKIP) and, in 2004,
Advanced Encryption Standard points can be used in the future as well
depending on the need for high level encryption.

///--
The exploit
///--

No known exploits exist however cordless telephones, ham radios, and all
other sorts of wireless products seem to interfere with the product which
makes it somewhat of a danger (if viewed this way) to anyone using the
product.

Attacker can adjust speeds, and flicker with the power. This can lead to
sensory overload for the client.

///--
The fix
///--

VPNs or WEPS can be used to secure the connection to the product, but one
might want to simply avoid using it near other wireless products.

///--
Vendor Status
///--

Vendor notified


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

It is much easier to suggest solutions when you know nothing
about the problem. -- Niklaus Wirth


Re: [Full-disclosure] [Fwd: MM - #$%@ Kill Google!]

2005-09-09 Thread Steve Kudlak
First thought: a top or bottom... hmmm, sounds kinky ;) If I tell this to 
a 14 year old, does someone somewhere have to report it? Anyway my brief 
take is below.


It is Yahoogroups who seemed to have started the cult of top posting. 
They asked me to do it that way. I never used to do it. Note with all 
the Katrina message relay stuff I have been doing, I FELL ASLEEP ON MY 
BAD ARM and so have to rest to get functionality back. So you folks 
will be spared much more on this subject. P.S. It was on bcrants I 
was first asked to do it. ...but it seems to be the norm in yahooland.


Have Fun,
Sends Steve


Gareth Davies wrote:


Micheal Espinola Jr wrote:

Ahem, but they still like the products, problems or not. Killing MS 
is not the answer.
Contrary to uber-nerd belief, there is no rule about top posting - 
but yea, I shoulda still trimmed.




Answer: Usually below the question.


Question: Where do you see answers in relation to the question?

Isn't that the case?

Same goes for points you are addressing, you don't read from the 
bottom up, you read the top down, so top-posting is just disturbing 
the natural reading order.


Cheers!






Re: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread milw0rm Inc.
Netscape 4.76 not affected.

/str0ke

On 9/9/05, Jerome Athias [EMAIL PROTECTED] wrote:
 btw Netscape is also affected...
 
 


[Full-disclosure] Top posting [was: MM - #$%@ Kill Google!]

2005-09-09 Thread Dee Holtsclaw
It's also quite a pain to inline post for those unfortunates stuck with 
BillCo's LookOut! The quote formatting in many versions tends to get confused 
when you try to insert new text and you often end up with a tangled mess.

Although I do not suffer from this myself (I'm running FC3 and using KMail), I 
tend to top-post when writing an essay style reply (or diatribe) and the 
quoted message is included for reference only (or when sending anything to my 
wife at work since she's one of the aforementioned unfortunates). If, OTOH, 
there is a list of questions to which separate replies are being made, then I 
reply inline below each question (or salient point). This style has served me 
well so far and most mailing lists I subscribe to tend to follow this style 
as well. Oh, and I keep my digital scissors handy too.

Things could be worse -- you could have to type your replies on an IBM 029 
punch and sort the cards... shudder

Ciao,
Lawrence Dee Holtsclaw

P.S. BillCo and LookOut! are shamelessly stolen from an article by author 
Spider Robinson regarding Microsoft Outlook. He maintains [in the article] 
that the mail scripting capabilities which make email viruses possible are the 
ONLY innovation that Microsoft did not buy or steal.



[Full-disclosure] [USN-179-1] openssl weak default configuration

2005-09-09 Thread Martin Pitt
===
Ubuntu Security Notice USN-179-1 September 09, 2005
openssl weak default configuration
https://bugzilla.ubuntu.com/show_bug.cgi?id=13593
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

openssl

The problem can be corrected by upgrading the affected package to
version 0.9.7d-3ubuntu0.2 (for Ubuntu 4.10), or 0.9.7e-3ubuntu0.1 (for
Ubuntu 5.04).  In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

The current default algorithm for creating message digests
(electronic signatures) for certificates created by openssl is MD5.
However, this algorithm is not deemed secure any more, and some
practical attacks have been demonstrated which could allow an attacker
to forge certificates with a valid certification authority signature
even if he does not know the secret CA signing key.

Therefore all Ubuntu versions of openssl have now been changed to use
SHA-1 by default. This is a more appropriate default algorithm for
the majority of use cases; however, if you still want to use MD5 as
default, you can revert this change by changing the two instances of
default_md = sha1 to default_md = md5 in /etc/ssl/openssl.cnf.

A detailed explanation and further links can be found at

  http://www.cits.rub.de/MD5Collisions/


Updated packages for Ubuntu 4.10 (Warty Warthog):

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):



[Full-disclosure] (TOOL) TAPiON (Polymorphic Decryptor Generator) Engine

2005-09-09 Thread Piotr Bania

Hi,

TAPiON engine was developed to avoid code detection (shellcode/whatever).

The engine can create a unique decryptor, encrypt the original data and 
decrypt it on the fly (while the code executes).



MAIN FEATURES:

#  decryption key based on randomly generated decryptor (attacker
   breakpoint insertion will cause invalid decryption)

#  decryption based on CPU time (selected randomly) - anti-emulator
   code.

#  RDTSC / coprocessor instructions usage - anti-emulator code.

#  random step of block xoring

#  random step of key increasing

#  random registers usage

#  multiple instructions variants

#  block swapping

#  garbage engine (normal instructions / coprocessor instructions)

#  random decryptor size

#  multiple decryptor layers generation


DOWNLOAD AT:
---

http://pb.specialised.info/all/tapion/



best regards,
Piotr Bania




--

Piotr Bania - [EMAIL PROTECTED] - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info  - Key ID: 0xBE43AC33


   Dinanzi a me non fuor cose create
se non etterne, e io etterno duro.
Lasciate ogne speranza, voi ch'intrate 
  - Dante, Inferno Canto III
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [Fwd: MM - #$%@ Kill Google!]

2005-09-09 Thread Ivaylo Zashev
Not sure if any of you saw this already , but while we are still on the topic 

http://www.breakfastmedia.com//epic/

regards,

Ivaylo Zashev
http://exploits.cx
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Andrew R. Reiter
On Fri, 9 Sep 2005, Dave Aitel wrote:

:It's not consideration to hide the actual risk from users of the product.
:That's just Microsoft hogwash.
:
:Right now, everyone knows they are at risk, and what to do about it - we can
:stop using Firefox if we think it's a high enough risk vulnerability to do so.
:This is definitely better than just being in the dark for another week or so
:until they get the patch done.
:
:-dave

What about all those poor moms and dads who were encouraged to use 
Firefox but have 0 clue as to what the heck Full-Disclosure is?  Seems to 
me your idea of "everyone" is misguided.

Cheers,

:
:
:Larry Seltzer wrote:
:
: Two interesting points: 
: 1) It took several minutes and more browsing elsewhere (in Bugzilla) before
: my browser blew up after testing the POC.
: 
: 2) When you reported a Windows XP SP2 IE 6.0 Vulnerability
: (http://security-protocols.com/modules.php?name=News&file=article&sid=2891)
: and a Windows XP SP2 Remote Kernel DoS
: (http://security-protocols.com/modules.php?name=News&file=article&sid=2783)
: you left the details of the bug and the POC out. Personally, I generally
: approve of that, but why don't Mozilla users deserve as much consideration?
: 
: Larry Seltzer
: eWEEK.com Security Center Editor
: http://security.eweek.com/
: http://blog.ziffdavis.com/seltzer
: Contributing Editor, PC Magazine
: [EMAIL PROTECTED] 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Tom Ferris
: Sent: Friday, September 09, 2005 2:10 AM
: To: full-disclosure@lists.grok.org.uk
: Subject: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow
: 
: Mozilla Firefox Host: Buffer Overflow
: 
: Release Date:
: September 8, 2005
: 
: Date Reported:
: September 4, 2005
: 
: Severity:
: Critical
: 
: Vendor:
: Mozilla
: 
: Versions Affected:
: Firefox Win32 1.0.6 and prior
: Firefox Linux 1.0.6 and prior
: Firefox 1.5 Beta 1 (Deer Park Alpha 2)
: 
: Overview:
: 
: A buffer overflow vulnerability exists within Firefox version 1.0.6 and all
: other prior versions which allows for an attacker to remotely execute
: arbitrary code on an affected host.
: 
: Technical Details:
: The problem seems to be when a hostname which has all dashes causes the
: NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true, but
: is sets encHost to an empty string.  Meaning, Firefox appends 0 to approxLen
: and then appends the long string of dashes to the buffer instead.  The
: following HTML code below will reproduce this issue:
: 
: A HREF=https:- 
: 
: Simple, huh? ;-]
: 
: Vendor Status:
: Mozilla was notified, and im guessing they are working on a patch. Who knows
: though?
: 
: Discovered by:
: Tom Ferris
: 
: Related Links:
: www.security-protocols.com/firefox-death.html
: www.security-protocols.com/advisory/sp-x17-advisory.txt
: www.security-protocols.com/modules.php?name=News&file=article&sid=2910
: 
: Greetings:
: chico, modify, ac1djazz, dmuz, aempirei, Daniel Sergile, tupac shakur, and
: the rest of the angrypacket krew.
: 
: Copyright (c) 2005 Security-Protocols.com
: 
: Thanks,
: 
: Tom Ferris
: Researcher
: www.security-protocols.com
: Key fingerprint = 0DFA 6275 BA05 0380 DD91  34AD C909 A338 D1AF 5D78
: ___
: Full-Disclosure - We believe in it.
: Charter: http://lists.grok.org.uk/full-disclosure-charter.html
: Hosted and sponsored by Secunia - http://secunia.com/
: 
: 
: ___
: Full-Disclosure - We believe in it.
: Charter: http://lists.grok.org.uk/full-disclosure-charter.html
: Hosted and sponsored by Secunia - http://secunia.com/
:  
:
:___
:Full-Disclosure - We believe in it.
:Charter: http://lists.grok.org.uk/full-disclosure-charter.html
:Hosted and sponsored by Secunia - http://secunia.com/
:
:

-
  Natural bridges on a clean west swell,
 Break over the reef like a bat of out hell. -- Sublime.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] 3 minor vulnerabilities in IPSwitch products

2005-09-09 Thread CIRT.DK Advisory
The following 3 minor vulnerabilities were found in the products Whatsup
Gold 8.04 and WhatsUp Small Business 2004

Ipswitch Whatsup Gold 8.04 - Access to view source code of all
files(CIRT-34-advisory)
Ipswitch Whatsup Gold 8.04 - Cross Site Scripting (CIRT-35-advisory)
Ipswitch Whatsup small Business 2004 - Source code disclosure
(CIRT-36-advisory)

Read the full advisories at http://www.cirt.dk




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Dave Aitel

Andrew R. Reiter wrote:


On Fri, 9 Sep 2005, Dave Aitel wrote:

:It's not consideration to hide the actual risk from users of the product.
:That's just Microsoft hogwash.
:
:Right now, everyone knows they are at risk, and what to do about it - we can
:stop using Firefox if we think it's a high enough risk vulnerability to do so.
:This is definitely better than just being in the dark for another week or so
:until they get the patch done.
:
:-dave

What about all those poor moms and dads who were encouraged to use 
Firefox but have 0 clue as to what the heck Full-Disclosure is?  Seems to 
me your idea of "everyone" is misguided.


Cheers,

:

They can all now be helped by their more technically inclined family 
members. This isn't an option in vendor-monopoly disclosure models, 
where you just have to pray that only the vendor and a few other people 
know about the bug, and they're not bothering to exploit your poor mom 
or dad (or yourself).


They're probably still better off using Firefox, of course, just not 
completely immune. Which you already assumed, right?


-dave
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Adam Polkosnik
A temporary workaround for this one: set network.enableIDN to false in about:config

-- 
[00] xX Adam Polkosnik Xx [EMAIL PROTECTED],gmail}.com
o[O]o {AIM,YIM}:apolkosnik ICQ:11893943 GG:1194343
[O][O] When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Andrew R. Reiter
On Fri, 9 Sep 2005, Dave Aitel wrote:

:Andrew R. Reiter wrote:
:
: On Fri, 9 Sep 2005, Dave Aitel wrote:
: 
: :It's not consideration to hide the actual risk from users of the product.
: :That's just Microsoft hogwash.
: :
: :Right now, everyone knows they are at risk, and what to do about it - we can
: :stop using Firefox if we think it's a high enough risk vulnerability to do
: so.
: :This is definitely better than just being in the dark for another week or so
: :until they get the patch done.
: :
: :-dave
: 
: What about all those poor moms and dads who were encouraged to use Firefox
: but have 0 clue as to what the heck Full-Disclosure is?  Seems to me your
: idea of "everyone" is misguided.
: 
: Cheers,
: 
: :
: 
:They can all now be helped by their more technically inclined family members.
:This isn't an option in vendor-monopoly disclosure models, where you just have
:to pray that only the vendor and a few other people know about the bug, and
:they're not bothering to exploit your poor mom or dad (or yourself).
:

True.. debatable, so I can't fully disagree with you.


:They're probably still better off using Firefox, of course, just not completely
:immune. Which you already assumed, right?

I love assumptions .. of course I love pain too :P  engineering pain.

:
:-dave
:
:

-
  Natural bridges on a clean west swell,
 Break over the reef like a bat of out hell. -- Sublime.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Larry Seltzer
<A HREF=https:- >
...

Those aren't actually straight ASCII 45 dashes, are they? They're AD
characters, hence the IDN involvement.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
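Tom's technical details (NormalizeIDN reports success but leaves encHost empty, approxLen is grown by 0, and the original run of characters is appended anyway) and Larry's point that the characters are not ASCII dashes describe one bug class: the buffer is sized from one string and filled from another. The following is an added C model of that mismatch, not Mozilla's nsStandardURL code. It assumes UTF-8 input and a toy IDN step that only drops U+00AD SOFT HYPHEN (UTF-8 bytes C2 AD), which nameprep's mapping table maps to nothing, so a host made only of soft hyphens normalizes to the empty string; read as a little-endian 32-bit value, the bytes C2 AD C2 AD are the 0xadc2adc2 quoted elsewhere in this thread. The function names, the fixed https:// scheme and the sample hosts are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added model of the bug class the advisory describes, not Mozilla's code.
 * Hosts are UTF-8. The toy IDN step drops U+00AD SOFT HYPHEN (C2 AD), which
 * nameprep maps to nothing, and reports "normalized" when any non-ASCII byte
 * was seen. Other non-ASCII bytes are passed through unchanged (a real
 * implementation would Punycode-encode them).
 */

#define MAX_HOST 256
#define SCHEME "https://"

/* Returns true when the host needed IDN handling; enc receives the
 * normalized form, which is empty when every character mapped to nothing. */
static bool model_normalize_idn(const char *host, char *enc, size_t enc_sz)
{
    bool non_ascii = false;
    size_t n = 0;
    for (size_t i = 0; host[i]; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c >= 0x80) non_ascii = true;
        if (c == 0xC2 && (unsigned char)host[i + 1] == 0xAD) { i++; continue; }
        if (n + 1 < enc_sz) enc[n++] = (char)c;
    }
    enc[n] = '\0';
    return non_ascii;
}

/* Buggy build: the allocation is sized from the normalized host, but the
 * original host is appended. Instead of performing the overflowing write,
 * this returns how many bytes the copy would run past the allocation. */
static size_t overrun_buggy(const char *host)
{
    char enc[MAX_HOST];
    size_t host_part = model_normalize_idn(host, enc, sizeof enc)
                       ? strlen(enc) : strlen(host);
    size_t approx_len = strlen(SCHEME) + host_part + 1;   /* what gets allocated */
    size_t needed = strlen(SCHEME) + strlen(host) + 1;    /* what gets copied */
    return needed > approx_len ? needed - approx_len : 0;
}

/* Fixed build: append exactly the string that was measured, and treat a host
 * that normalizes to nothing as invalid rather than as a zero-length host.
 * Returns the spec, or NULL when the host is rejected. */
static const char *build_fixed(const char *host)
{
    static char spec[MAX_HOST + sizeof SCHEME];
    char enc[MAX_HOST];
    const char *use = model_normalize_idn(host, enc, sizeof enc) ? enc : host;
    if (*use == '\0' || strlen(use) >= MAX_HOST) return NULL;
    snprintf(spec, sizeof spec, "%s%s", SCHEME, use);
    return spec;
}

/* Constructed test input: a host made of n soft hyphens. */
static const char *soft_hyphen_host(size_t n)
{
    static char buf[MAX_HOST];
    size_t i;
    for (i = 0; i < n && 2 * i + 2 < sizeof buf; i++) {
        buf[2 * i] = (char)0xC2;
        buf[2 * i + 1] = (char)0xAD;
    }
    buf[2 * i] = '\0';
    return buf;
}

int main(void)
{
    const char *evil = soft_hyphen_host(20);
    printf("soft-hyphen host: buggy build overruns by %zu bytes\n", overrun_buggy(evil));
    printf("fixed build: %s\n", build_fixed(evil) ? "accepted" : "rejected");
    printf("example.com: overrun %zu, spec %s\n",
           overrun_buggy("example.com"), build_fixed("example.com"));
    return 0;
}
```

The fix is not "make the buffer bigger": it is to append the same string that was measured, and to reject a host that normalizes to nothing instead of silently treating it as zero length. Disabling network.enableIDN, as suggested in this thread, removes the normalization step entirely, which is why it works as a stopgap.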


[Full-disclosure] iDEFENSE Security Advisory 09.09.05: GNU Mailutils 0.6 imap4d 'search' Format String Vulnerability

2005-09-09 Thread iDEFENSE Labs
GNU Mailutils 0.6 imap4d 'search' Format String Vulnerability

iDEFENSE Security Advisory 09.09.05
www.idefense.com/application/poi/display?id=303&type=vulnerabilities
September 09, 2005

I. BACKGROUND

The GNU mailutils package is a collection of mail-related
utilities, including local and remote mailbox access services.
More information is available at the following site:

http://www.gnu.org/software/mailutils/mailutils.html

II. DESCRIPTION

Remote exploitation of a format string vulnerability in the imap4d 
server within version 0.6 of the GNU Project's Mailutils package could 
allow an authenticated attacker to execute arbitrary code. 

The imap4d server allows remote users to retrieve e-mail via the
Internet Message Access Protocol, Version 4rev1 as specified in
RFC3501. This is a client/server protocol supported by a large number
of e-mail clients on multiple platforms.

The vulnerability specifically exists in the handling of SEARCH commands
supplied by the remote user. If a search is made containing format 
specifiers (such as %p or %s), these will be interpreted by the server, 
and returned to the user. The vulnerable code, search.c, lines 198-199,
are shown below:

  rc = imap4d_search0 (arg, 0, buffer, sizeof buffer);
  return util_finish (command, rc, buffer);

The vulnerability specifically occurs because the util_finish() function
expects a format specifier in the 3rd argument, followed by any
arguments to be formatted. Without a specifier, the function interprets
the 3rd  argument as a format specifier.

III. ANALYSIS

Exploitation could allow authenticated remote attackers to execute 
arbitrary commands on an affected system as the authenticated user. This
may allow access to systems not intended to have interactive users, 
which could allow further compromise. Using format specifiers, it is 
possible to construct a sequence of commands that cause arbitrary values
to be written to arbitrary locations, allowing arbitrary code execution.

An example session demonstrating the vulnerability follows:

sh-2.05b$ netcat 192.168.0.1 143
* OK IMAP4rev1
1 LOGIN user password
1 OK LOGIN Completed
2 SELECT inbox
* 23 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1118516013] UID valididy status
* OK [UIDNEXT 24] Predicted next uid
* OK [UNSEEN 1] first unseen messsage
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Deleted \Seen)] Permanent flags
2 OK [READ-WRITE] SELECT Completed
3 SEARCH TOPIC %08x.%08x.%08x.%08x
3 BAD SEARCH Unknown search criterion (near
0040.6e6b6e55.206e776f.72616573)
4 SEARCH TOPIC %s%s%s
sh-2.05b$

The result of the 'SEARCH TOPIC %08x.%08x.%08x.%08x' command contains 
values from the error string supplied to the output function. (6e6b6e55 
converts to 'Unkn', 206e776f converts to 'own ' and 72616573 converts to
'sear'.) By referencing the values after the fixed string in the error 
message, which are under control of the attacker, and using the '%n' 
format specifier, controllable values can be written to arbitrary memory
locations, allowing execution of arbitrary code.

The '%s%s%s' format specifier attempts to treat the first 3 values 
(0x0040, 0x6e6b6e55 and 0x206e776f) as strings, and causes an access
violation error, terminating the server connection, dropping the user 
back into their shell. The main server is still active, as the server 
forks a new copy for each connection. This allows multiple exploitation 
attempts.


IV. DETECTION

iDEFENSE Labs has verified the existence of this vulnerability in 
version 0.6 of the GNU Mailutils package. It is suspected that any 
previous versions that contain the imap4d server are also affected.

V. WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this 
issue. Access to the affected host should be filtered at the network 
boundary if global accessibility is not required. Restricting access to 
only trusted hosts and networks may reduce the likelihood of 
exploitation.

VI. VENDOR RESPONSE

A vendor advisory for this issue is available at:

http://savannah.gnu.org/patch/index.php?func=detail&item_id=4407

A patch is available at:

http://savannah.gnu.org/patch/download.php?item_id=4407&item_file_id=5160

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

09/08/2005  Initial vendor notification
09/09/2005  Initial vendor response
09/09/2005  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other 
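The advisory's section II describes the call shape behind the bug: util_finish() expects a printf format in its third argument and is handed the buffer that still carries the client's SEARCH text. The following is an added C example, not GNU Mailutils code, that models that vulnerable shape beside the hardened one and adds a small scanner for the conversion specifiers shown in the section III session. The function names and the reply layout are assumptions for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not GNU Mailutils code. It models the call shape the
 * advisory describes: a reply routine whose third parameter is a printf
 * format, handed a buffer that still carries the client's SEARCH argument.
 * Function names and the reply layout are assumptions for the example.
 */

static char reply_buf[256];

/* Vulnerable shape. 'fmt' is meant to be a literal; in the advisory the
 * caller passes the attacker-tainted 'buffer' here, so "%08x" or "%n"
 * typed by the client is interpreted by vsnprintf. This file only ever
 * calls it with a constant format. */
static const char *reply_vulnerable(const char *tag, const char *command,
                                    const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(reply_buf, sizeof reply_buf, "%s %s ", tag, command);
    if (n < 0 || (size_t)n >= sizeof reply_buf)
        return reply_buf;
    va_start(ap, fmt);
    vsnprintf(reply_buf + n, sizeof reply_buf - (size_t)n, fmt, ap);
    va_end(ap);
    return reply_buf;
}

/* Hardened shape: client text is only ever a %s argument, so conversion
 * specifiers in it are copied literally and never interpreted. */
static const char *reply_safe(const char *tag, const char *command,
                              const char *msg)
{
    snprintf(reply_buf, sizeof reply_buf, "%s %s %s", tag, command, msg);
    return reply_buf;
}

/* Detection aid for logs or an IDS: count printf conversions in untrusted
 * text. "%%" is a literal percent; a lone trailing "%" is not a conversion. */
static int count_conversions(const char *s, int *n_writes)
{
    int count = 0;
    if (n_writes) *n_writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                                   /* "%%" */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p)) p++;  /* flags, width, length */
        if (!*p) break;
        if (strchr("diouxXeEfFgGaAcspn", *p)) {
            count++;
            if (*p == 'n' && n_writes) (*n_writes)++;   /* %n writes memory */
        }
    }
    return count;
}

/* Number of %n conversions alone: the ones that turn a read into a write. */
static int write_conversions(const char *s)
{
    int writes = 0;
    count_conversions(s, &writes);
    return writes;
}

int main(void)
{
    const char *probe = "TOPIC %08x.%08x.%08x.%08x";
    printf("%s\n", reply_safe("3", "BAD",
           "SEARCH Unknown search criterion (near %08x.%08x.%08x.%08x)"));
    printf("%s\n", reply_vulnerable("1", "OK", "%s Completed", "LOGIN"));
    printf("%d conversions, %d of them %%n\n",
           count_conversions(probe, NULL), write_conversions("%s%s%s %n"));
    return 0;
}
```

The hardened form is the whole fix: once the client's text can only reach the formatter as an argument, "%08x" in a SEARCH criterion is echoed back verbatim instead of leaking stack words, and "%n" has nothing to write through. The scanner is useful on the detection side, since a legitimate IMAP SEARCH criterion has no reason to contain printf conversions at all.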

RE: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Bruce Ediger

On Fri, 9 Sep 2005, Larry Seltzer wrote:


Whatever. My point was that he treated the two situations differently. Why?


Do you believe in Conspiracy Theories?  Do you believe that certain media
people, and indeed, many others get a certain Large Software Company's
money for doing things for them?

Well, MSFT is going to issue a critical patch next Tuesday.  Maybe this
is a shiny object, intended to divert some media pressure away from
an MSFT design botch.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] (TOOL) TAPiON (Polymorphic Decryptor Generator) Engine

2005-09-09 Thread Alejandro Barrera
 Hi,

 TAPiON engine was developed to avoid code detection (shellcode/whatever).

Hi Piotr,
 I had a look at Tapion's code and I don't really see any truly genuine
 polymorphism. Actually I did see some fixed patterns which could make
 Tapion's decryptors pretty detectable:

 The main problem is that you build the decryptor based on some blocks
 which can be made into patterns, especially because the block
 construction is always the same:

 1) XOR block [optional with 50% of probabilities]
 2) (mov block | get_eip block) or
(get_eip block | anti_emu block [1/3 prob] | mov block) [50% prob]
 3) anti_emu block [1/3 prob]
 4) -- Decryptor loop --
(copy_reg block | mov_reg block) or
(mov_reg block | copy_reg block | temp block ) [50% prob]
 ...

 As you see, there is nearly no randomness in the process and the
 construction blocks are easy to detect.

 If you want something in-depth on polymorphism, I recommend the 29a papers:
 http://vx.netlux.org/29a/


 best regards,
 Piotr Bania

Kindest regards :)

-- 
Alejandro Barrera García-Orea
RD Engineer
c/ Alcala 268 28027 Madrid
Office: +34 91 326 66 11
Fax: +34 91 326 66 11
e-mail: [EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
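To make Alejandro's point concrete, here is an added C model, not TAPiON's source, that draws decryptor skeletons from the block grammar he lists (reading "|" as sequence and using his 50% and 1/3 estimates) and then enumerates every skeleton that grammar can produce. The block names come from his message; the xorshift PRNG, the "|"-separated skeleton strings and the function names are assumptions. The enumeration is the signature set a scanner would need: it has 24 entries, and every generated skeleton matches one of them.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not TAPiON's source: it models the decryptor layout grammar
 * quoted above as a generator, then enumerates every layout that grammar can
 * produce. Block names and the 50% / 1/3 probabilities are taken from the
 * message; the PRNG and the "|"-separated skeleton format are assumptions.
 */

#define SKEL_SZ 80
#define MAX_LAYOUTS 64

static void cat(char *out, size_t sz, const char *s)
{
    size_t used = strlen(out);
    if (used < sz - 1) strncat(out, s, sz - used - 1);
}

/* head: 0 = mov,get_eip   1 = get_eip,mov   2 = get_eip,anti_emu,mov */
static void skeleton(int use_xor, int head, int anti, int loop,
                     char *out, size_t sz)
{
    out[0] = '\0';
    if (use_xor) cat(out, sz, "xor|");
    if (head == 0)      cat(out, sz, "mov|get_eip|");
    else if (head == 1) cat(out, sz, "get_eip|mov|");
    else                cat(out, sz, "get_eip|anti_emu|mov|");
    if (anti) cat(out, sz, "anti_emu|");
    cat(out, sz, loop == 0 ? "copy_reg|mov_reg" : "mov_reg|copy_reg|temp");
}

/* xorshift32: enough for a model generator, not a security PRNG. */
static unsigned rng_state = 1;
static unsigned rnd(unsigned n)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state % n;
}

/* One decryptor skeleton drawn with the quoted probabilities. */
static void draw_skeleton(char *out, size_t sz)
{
    int use_xor = (int)rnd(2);                         /* 50% */
    int head = rnd(2) ? 0 : (rnd(3) == 0 ? 2 : 1);     /* 50%, anti_emu 1/3 */
    int anti = rnd(3) == 0;                            /* 1/3 */
    int loop = (int)rnd(2);                            /* 50% */
    skeleton(use_xor, head, anti, loop, out, sz);
}

static const char *generate(unsigned seed)
{
    static char buf[SKEL_SZ];
    rng_state = seed ? seed : 1;
    draw_skeleton(buf, sizeof buf);
    return buf;
}

/* Exhaustive enumeration: this is the whole signature set a scanner needs. */
static char layouts[MAX_LAYOUTS][SKEL_SZ];
static int n_layouts = 0;

static int layout_count(void)
{
    if (n_layouts) return n_layouts;
    for (int x = 0; x < 2; x++)
        for (int h = 0; h < 3; h++)
            for (int a = 0; a < 2; a++)
                for (int l = 0; l < 2; l++)
                    skeleton(x, h, a, l, layouts[n_layouts++], SKEL_SZ);
    return n_layouts;
}

static bool matches_layout(const char *skel)
{
    int n = layout_count();
    for (int i = 0; i < n; i++)
        if (strcmp(layouts[i], skel) == 0) return true;
    return false;
}

/* Distinct skeletons seen in 'samples' consecutive draws from one seed. */
static int distinct_in_sample(unsigned seed, int samples)
{
    bool seen[MAX_LAYOUTS] = { false };
    char buf[SKEL_SZ];
    int n = layout_count(), distinct = 0;
    rng_state = seed ? seed : 1;
    for (int s = 0; s < samples; s++) {
        draw_skeleton(buf, sizeof buf);
        for (int i = 0; i < n; i++)
            if (!seen[i] && strcmp(layouts[i], buf) == 0) { seen[i] = true; distinct++; }
    }
    return distinct;
}

int main(void)
{
    const char *sample = generate(7);
    printf("grammar yields %d layouts\n", layout_count());
    printf("distinct in 5000 draws: %d\n", distinct_in_sample(42, 5000));
    printf("sample: %s (%s)\n", sample, matches_layout(sample) ? "matches" : "no match");
    return 0;
}
```

distinct_in_sample() shows the practical side: however many samples are drawn, the number of distinct skeletons never exceeds layout_count(), so a scanner that matches block order rather than bytes needs only that small table. Mixing instructions inside the blocks, rather than only choosing between fixed blocks, is what would break this kind of structural match.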


Re: [Full-disclosure] (TOOL) TAPiON (Polymorphic Decryptor Generator) Engine

2005-09-09 Thread Piotr Bania

Re,

...
If you want something in-depth on polymorphism, I recommend the 29a papers:
http://vx.netlux.org/29a/

I'm not a master in this branch, however let me cite one of the 
articles found on the server you sent me (I also recommend you to read it):


- CUT --
 There exists a system of division of polymorphic viruses into levels 
according to complexity of code in decryptors of those viruses. Such a 
system was introduced by Dr. Alan Solomon and then enhanced by Vesselin 
Bontchev.


Level 1: Viruses having a set of decryptors with constant code, 
choosing one while infecting. Such viruses are called semi-polymorphic 
or oligomorphic.


Examples: Cheeba, Slovakia, Whale.

Level 2: Virus decryptor contains one or several constant 
instructions, the rest of it is changeable.


Level 3: decryptor contains unused functions - junk like NOP, 
CLI, STI,etc


Level 4: decryptor uses interchangeable instructions and changes 
their order (instructions mixing). Decryption algorithm remains unchanged.


Level 5: all the above mentioned techniques are used, decryption 
algorithm is changeable, repeated encryption of virus code and even 
partial encryption of the decryptor code is possible. 

- CUT --


So according to this source I got level 3 or level 4, unless you fully 
understand the source. I'm not saying it is perfect, it was written in 5 
days.


Hope this helps you.


best regards,
Piotr Bania


--

Piotr Bania - [EMAIL PROTECTED] - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info  - Key ID: 0xBE43AC33


   Dinanzi a me non fuor cose create
se non etterne, e io etterno duro.
Lasciate ogne speranza, voi ch'intrate 
  - Dante, Inferno Canto III
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re[2]: [Full-disclosure] (TOOL) TAPiON (Polymorphic Decryptor Generator) Engine

2005-09-09 Thread Alejandro Barrera
 Re,

 ...
 If you want something in-depth on polymorphism, I recommend the 29a papers:
 http://vx.netlux.org/29a/

 I'm not a master in this branch, however let me cite one of the 
 articles found on the server you sent me (I also recommend you to read it):

I read it long ago thxs.

  Level 4: decryptor uses interchangeable instructions and changes
 their order (instructions mixing). Decryption algorithm remains unchanged.

  Level 5: all the above mentioned techniques are used, decryption 
 algorithm is changeable, repeated encryption of virus code and even 
 partial encryption of the decryptor code is possible. 
 - CUT --


 So according to this source I got level 3 or level 4, unless you fully 
 understand the source. I'm not saying it is perfect, it was written in 5 
 days.

  Well, at least what I've seen is a level 3 polymorphism, due to the fact that
  you don't perform instruction mixing, but block mixing, which is quite
  different.

  Don't get me wrong, I love to see this kind of source and I'm a great fan of
  polymorphic engines :) Just making a note that your approach needs a little
  bit more of tweaking :)

 Hope this helps you.


 best regards,
 Piotr Bania

Greets.



-- 
Alejandro Barrera García-Orea
RD Engineer
c/ Alcala 268 28027 Madrid
Office: +34 91 326 66 11
Fax: +34 91 326 66 11
e-mail: [EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Larry Seltzer
 Whatever. My point was that he treated the two situations differently.
Why?

Do you believe in Conspiracy Theories?  Do you believe that certain media
people, 
and indeed, many others get a certain Large Software Company's money for
doing things for them?
Well, MSFT is going to issue a critical patch next Tuesday.  Maybe this is
a shiny object, 
intended to divert some media pressure away from an MSFT design botch. 

All right, maybe I haven't listened to enough Air America lately, so help me
out with how this conspiracy works. Are you saying that Tom Ferris is a
Microsoft stooge and the fact that he only announced a critical IE
vulnerability without providing details or a POC, whereas he provided both
for a critical vulnerability in Firefox, was done because Microsoft paid him
to do so? Because that seems to be the essence of what you're implying.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Juha-Matti Laurio
I couldn't find it either, but it appears to be the same as 
https://bugzilla.mozilla.org/show_bug.cgi?id=267669. Maybe he uses 
mangleme also? Also I want to know from where he copied the Technical 
Details. Maybe it just crashes, 0xadc2adc2 is only in kernel space.


It's Bugzilla Bug #307259 https://bugzilla.mozilla.org/show_bug.cgi?id=307259

Source: US-CERT Vulnerability Note VU#573857 released recently:
http://www.kb.cert.org/vuls/id/573857

- Juha-Matti

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Larry Seltzer
It's Bugzilla Bug #307259
https://bugzilla.mozilla.org/show_bug.cgi?id=307259

According to the comments this bugzilla report was made public 2005-09-09
11:25 PDT. That's why nobody could find it earlier today.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Juha-Matti Laurio

It's Bugzilla Bug #307259
https://bugzilla.mozilla.org/show_bug.cgi?id=307259

According to the comments this bugzilla report was made public 2005-09-09
11:25 PDT. That's why nobody could find it earlier today.


Yes, US-CERT VU#573857 is very 'fresh'.
Now Mozilla Foundation has this new Security Advisory What Mozilla 
users should know about the IDN buffer overflow security issue too:

http://www.mozilla.org/security/idn.html

- Juha-Matti

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Mozilla Firefox Host: Buffer Overflow

2005-09-09 Thread Bruce Ediger

On Fri, 9 Sep 2005, Larry Seltzer wrote:


Well, MSFT is going to issue a critical patch next Tuesday.  Maybe this is a 
shiny object,
intended to divert some media pressure away from an MSFT design botch.


Allright, maybe I haven't listened to enough Air America lately, so help me
out with how this conspiracy works. Are you saying that Tom Ferris is a
Microsoft stooge and the fact that he only announced a critical IE
vulnerability without providing details or a POC, whereas he provided both
for a critical vulnerability in Firefox, was done because Microsoft paid him
to do so? Because that seems to be the essence of what you're implying.


Sure, that's exactly it.  The IE vulnerability without POC doesn't get
any days of exposure or whatever it is that MSFT uses to calculate how
bad Mozilla and Firefox are vs IE.  The Firefox details and POC causes
instant exposure, and gets much worse bad press.

Look at what else has turned up in the trade press lately (within the
last 2 weeks):

ZDNet Australia denigrates Mac security: 
http://zdnet.com.au/news/security/soa/Mac_community_must_wake_up_to_security/0,261744,39210762,00.htm
Kaspersky beats the Linux is next! drum: 
http://www.linuxplanet.com/linuxplanet/reports/5997/1/

Shiny objects for the press to fixate on everywhere, I tell you!

If you can get a hold of a copy of the now-defunct Brill's Content
magazine for September of 1998, you can read a big exposé of the
way MSFT deals with reporters and trade pressmen.  I doubt that
any money changes hands on these things.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Moderated?

2005-09-09 Thread Rachael Treu Gomes
How time flies...I didn't think it was yet time for our
quarterly Hey-I've-got-a-great-idea-let's-clean-up-this-list-
-there's-no-place-like-bugtraq! thread...

Just to retain the proper balance between the question being
asked and the previous reasoning being referenced...

Our FD dedicated guys are:

The list was created on 9th July 2002 by Len Rose, and is
primarily concerned with security issues and their discussion.
The list is administered by John Cartwright.
/list_charter_IntroductionPurpose_snip

Our expectations on FD moderation:

The [Full-Disclosure] list is unmoderated.
/list_charter_Moderation__Management_snip

And our expectations of posting praxes on FD:

Disagreements, flames, arguments, and off-topic discussion
should be taken off-list wherever possible.
/list_charter_Acceptable_Content_snip

(It's that wherever possible clause that gets us every
time...for FD, it's rarely possible to duplicate the thrill
of spanking your fellow subscribers in such an open flog 
forum, so trolling and roiling is thereby permissible and 
rarely ported off-list.)

;)

Thus spake the FD Mailing List Charter, brought to you by
http://lists.grok.org.uk/full-disclosure-charter.html

No flame intended,
--ra


On Fri, Sep 09, 2005 at 10:11:43PM +1200, VeNoMouS said something to the effect 
of:
 Nah I'm sorry, but I gotta agree with Enrico, this list has way too many 
 kids on it now, fuck I don't even bother opening my full-disclosure folder 
 half the time now 'cause I know it's full of crap. Someone does need to pull 
 finger and do some cleaning in regards to moderation.
 
 If it keeps going the way it does, the people who post valid shit will just 
 walk.
 
 Is this a security mailing list or a teen irc channel?
 
 
 ps: flame all you want, sif I care, I know there will be a couple of you 
 fucktards who will take this too much to heart and abuse me a little.
 
 
 - Original Message - 
 From: Rachael Treu Gomes [EMAIL PROTECTED]
 To: Enrico Kern [EMAIL PROTECTED]
 Cc: full-disclosure@lists.grok.org.uk
 Sent: Friday, September 09, 2005 6:51 AM
 Subject: Re: [Full-disclosure] Moderated?
 
 
 If you've been lurking here for years, you should also
 be able to remember 2 things...
 
 1.  This list is is based on unmoderated communications.
 2.  This list is notorious for the colorful belligerence
 of its posters and rampant barking of wild animals.
 
 Where have you been?  ;)
 
 Searching the archives for the many previous suggestions
 that this list be moderated or complaints that its
 subscribers behave like cranky monkeys will yield
 multiple reasons for why things remain the same...
 
 --ra
 
 On Thu, Sep 08, 2005 at 07:35:08PM +0200, Enrico Kern said something to the 
 effect of:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Hi all,
 
  i read this list now for a few years and a while ago it was (ok is still
  is...) a good information source for vulnerabilities and other security
  relevant informations.
 
  But since a while it seems like kids do a good job on taking over this
  list. Hello? There is no need to fight each other here, nor to do useless
  posts (AND REPLIES TO STUPID POSTS). What's up with a few guys here?
 
  Maybe it's not a bad idea to get some dedicated guys to sort this bullshit out
  here. Just a suggestion.
 
  Greetings
 
  Enrico Kern
 
  - ---
  Programming today is a race between software engineers striving to build
  bigger and better idiot-proof programs, and the Universe trying to produce
  bigger and better idiots. So far, the Universe is winning. (Rich Cook)
  -BEGIN PGP SIGNATURE-
  Version: GnuPG v1.4.1 (GNU/Linux)
 
  iD8DBQFDIHZPRBvleJUVuB8RArLrAKCBT6PYZ3VRaLi1I9W4WELVE1SjjgCglr/J
  LGHato8nOJVSR2F08UOHpns=
  =98bI
  -END PGP SIGNATURE-
 
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
  Hosted and sponsored by Secunia - http://secunia.com/
 
 -- 
 rachael treu gomes[EMAIL PROTECTED]
..quis custodiet ipsos custodes?..
 (this email has been brought to you by the letters 'v' and 'i'.)
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

-- 
rachael treu gomes[EMAIL PROTECTED]
   ..quis custodiet ipsos custodes?..
(this email has been brought to you by the letters 'v' and 'i'.)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Top posting [was: MM - #$%@ Kill Google!]

2005-09-09 Thread Nick FitzGerald
Dee Holtsclaw wrote:

 It's also quite a pain to inline post for those unfortunates stuck with 
 BillCo's LookOut! The quote formatting in many versions tends to get confused 
 when you try to insert new text and you often end up with a tangled mess.

So the rest of us should suffer to make life easier for people stupid 
enough to use about the crappiest MUA ever made?

Gimme a break...

If you have to use Outlook and thus properly quoting and trimming 
your messages is too hard, just go boil your head, or at least be 
polite enough to the rest of us to simply not post.

The abortion that is message quoting and top-posting in Outlook is 
largely due to an over-zealous approach to its early design to make it 
even shittier than Lotus Notes was.  Given that, it is outstandingly 
successful, but is utter rubbish for use in traditional threaded 
mailing list conversations which require an entirely different approach 
and mindset for _efficient_ information exchange and debate.

Top-posted, non-inline replies are fine for typical corporate Email 
exchanges where it is commonly the case that a single, and usually 
simple, issue is at hand:

   
   To: Tom
   From: Mary
   Subject: Monthly sales figures?

   I need them by midday Thursday to work through on my flight to DC!

   


   
   To: Mary
   From: Tom
   Subject: Re: Monthly sales figures?

   No problems.  Dick is helping and we'll have them done before that.

   [red]
   To: Tom
   From: Mary
   Subject: Monthly sales figures?

   I need them by midday Thursday to work through on my flight to DC!
   


   
   To: Tom
   From: Mary
   CC: Dick
   Subject: Re: Monthly sales figures?

   That's great, but HR has just bumped my DC flight to the red-eye so
   I can assist in interviewing the new regional sales manager there. 
   I need the report to read on the flight so you'll have to get it to
   me by Email before 6:00am Thursday.

   [blue]
   To: Mary
   From: Tom
   Subject: Re: Monthly sales figures?

   No problems.  Dick is helping and we'll have them done before that.
   [/blue]

   [red]
   To: Tom
   From: Mary
   Subject: Monthly sales figures?

   I need them by midday Thursday to work through on my flight to DC!
   

...ad nauseam.

The point of such quoting is that at any point you can CC in someone 
not part of the conversation and they can see the whole story (so long 
as they don't mind reading backwards).  In (most) public mailing 
lists, that function is provided by official archives of the list 
traffic.

For those in the main thread of such top-posting conversations, all 
that matters is the latest addition, conveniently put at the top.

Sadly for top-posters, that model simply does not apply to typical 
mailing list traffic.  Many of us who read these lists simultaneously 
track _dozens_ of conversations PER LIST and do so for many lists.  Top 
posting is thus very disruptive of the normal, very long-term 
historically institutionalized and thus EXPECTED conversational style 
of such lists.

It is also totally contrary to normal logical thought and reading 
processes for Western languages.

So, if anyone wants to take part in discussions in lists like this, 
don't be surprised if you are ignored, flamed or both, for breaking 
the rules because of your choice of top-posting and/or non-inline 
(where appropriate; it's not always) commentary style.  You get that 
response not JUST because it's wrong but because you are 
significantly disrupting the ability of many who otherwise give their 
free time and often considerable expertise as free advice, to do so.

Personally, it has got to the point where I often just delete top-
posted replies to messages in threads I'm interested in following 
because the mental exercise of working out what the heck part or parts 
of what has gone before are being responded to is just not worth the 
effort.


Regards,

Nick FitzGerald
