[Full-disclosure] MDKSA-2005:163 - Updated MySQL packages fix vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           MySQL
 Advisory ID:            MDKSA-2005:163
 Date:                   September 12th, 2005

 Affected versions:      10.1, 10.2, Corporate 3.0
 ______________________________________________________________________

 Problem Description:

 A stack-based buffer overflow was discovered in the init_syms function in
 MySQL that allows authenticated users that can create user-defined
 functions to execute arbitrary code via a long function_name field.

 The updated packages have been patched to address these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2558
 ______________________________________________________________________

 Updated Packages:

 Mandrakelinux 10.1:
 c0ca77359461d6e4503d040f657405cc  10.1/RPMS/libmysql12-4.0.20-3.5.101mdk.i586.rpm
 3ee6767c39b4e24e7ff178479fff4da4  10.1/RPMS/libmysql12-devel-4.0.20-3.5.101mdk.i586.rpm
 5fff82de496c98638c91b3b20fcc0be1  10.1/RPMS/MySQL-4.0.20-3.5.101mdk.i586.rpm
 c47820ad3f2568279a8854a59a5ca6c4  10.1/RPMS/MySQL-Max-4.0.20-3.5.101mdk.i586.rpm
 2ca25895290ff3e717ea4fb21b25beec  10.1/RPMS/MySQL-bench-4.0.20-3.5.101mdk.i586.rpm
 5dde3104a02b283dd4ea53255be6e28c  10.1/RPMS/MySQL-client-4.0.20-3.5.101mdk.i586.rpm
 d7d411a693de4e757f6bd87c3d3e8228  10.1/RPMS/MySQL-common-4.0.20-3.5.101mdk.i586.rpm
 147a03a204620f68094e327236d8569a  10.1/SRPMS/MySQL-4.0.20-3.5.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 6efbf74429938fe12d67e724975669f7  x86_64/10.1/RPMS/lib64mysql12-4.0.20-3.5.101mdk.x86_64.rpm
 e8ea787e503f420646d0ab1aeb7fd7bd  x86_64/10.1/RPMS/lib64mysql12-devel-4.0.20-3.5.101mdk.x86_64.rpm
 e1c87e33304d7c5dece5a0bfed367f41  x86_64/10.1/RPMS/MySQL-4.0.20-3.5.101mdk.x86_64.rpm
 c02df0a16db0f3440afedd53c9bd5510  x86_64/10.1/RPMS/MySQL-Max-4.0.20-3.5.101mdk.x86_64.rpm
 886d53b2b08d334209fda4e14920b075  x86_64/10.1/RPMS/MySQL-bench-4.0.20-3.5.101mdk.x86_64.rpm
 cb934efc4a61c0ec2dca9c6f6e8d56a5  x86_64/10.1/RPMS/MySQL-client-4.0.20-3.5.101mdk.x86_64.rpm
 fc6b5c2cad48ee84c2dda8094b504874  x86_64/10.1/RPMS/MySQL-common-4.0.20-3.5.101mdk.x86_64.rpm
 147a03a204620f68094e327236d8569a  x86_64/10.1/SRPMS/MySQL-4.0.20-3.5.101mdk.src.rpm

 Mandrakelinux 10.2:
 672a98dc051b64e6a5efee02cdc163d8  10.2/RPMS/libmysql14-4.1.11-1.1.102mdk.i586.rpm
 07a736279b7623325c2f2fde828886e3  10.2/RPMS/libmysql14-devel-4.1.11-1.1.102mdk.i586.rpm
 cb2fb817c72a88d905a0875694ec8b7f  10.2/RPMS/MySQL-4.1.11-1.1.102mdk.i586.rpm
 8a2e42d756032bc400bc1d10170e6f46  10.2/RPMS/MySQL-Max-4.1.11-1.1.102mdk.i586.rpm
 d008f499f18cef6c9d92cade794a765c  10.2/RPMS/MySQL-NDB-4.1.11-1.1.102mdk.i586.rpm
 2d3a54a41b82cff0c9d22a442a5df6af  10.2/RPMS/MySQL-bench-4.1.11-1.1.102mdk.i586.rpm
 47185384cc46fbb7651dd220a63cfd9c  10.2/RPMS/MySQL-client-4.1.11-1.1.102mdk.i586.rpm
 3a434ce8c27ebb6979c350c551815939  10.2/RPMS/MySQL-common-4.1.11-1.1.102mdk.i586.rpm
 ec76c46c73c9c4a2b454026c98e9e37a  10.2/SRPMS/MySQL-4.1.11-1.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 45058361222d0099c5b76e0fff9106e1  x86_64/10.2/RPMS/lib64mysql14-4.1.11-1.1.102mdk.x86_64.rpm
 2dd5dbdf223f5200c032e8f3f6feb525  x86_64/10.2/RPMS/lib64mysql14-devel-4.1.11-1.1.102mdk.x86_64.rpm
 4c2c5755a8f887aec086edef890de8ab  x86_64/10.2/RPMS/MySQL-4.1.11-1.1.102mdk.x86_64.rpm
 892005b80148274b24279a159c14ea84  x86_64/10.2/RPMS/MySQL-Max-4.1.11-1.1.102mdk.x86_64.rpm
 9c99ebde5888ac68543aad8db0bfbbf1  x86_64/10.2/RPMS/MySQL-NDB-4.1.11-1.1.102mdk.x86_64.rpm
 a69e37c9949a9def639560ad6c51b387  x86_64/10.2/RPMS/MySQL-bench-4.1.11-1.1.102mdk.x86_64.rpm
 9b036b241347c113e971d2006baf0d3c  x86_64/10.2/RPMS/MySQL-client-4.1.11-1.1.102mdk.x86_64.rpm
 81faea0e3ed95a1e62d912f24e98aa65  x86_64/10.2/RPMS/MySQL-common-4.1.11-1.1.102mdk.x86_64.rpm
 ec76c46c73c9c4a2b454026c98e9e37a  x86_64/10.2/SRPMS/MySQL-4.1.11-1.1.102mdk.src.rpm

 Corporate 3.0:
 04d4151eae7ed878c21f2e279c859a2a  corporate/3.0/RPMS/libmysql12-4.0.18-1.6.C30mdk.i586.rpm
 f6c6fe9dc10a247ac1ea20b3bf7cbaaa  corporate/3.0/RPMS/libmysql12-devel-4.0.18-1.6.C30mdk.i586.rpm
 516d015085f8877d4a10492053c74133  corporate/3.0/RPMS/MySQL-4.0.18-1.6.C30mdk.i586.rpm
 52176303aa9e6915f34446a2575bcfa1  corporate/3.0/RPMS/MySQL-Max-4.0.18-1.6.C30mdk.i586.rpm
 4c19bb8b4a2c3a731d056ce39b84fd26  corporate/3.0/RPMS/MySQL-bench-4.0.18-1.6.C30mdk.i586.rpm
 5a84ae1d8c37fe41271f9797a90921b6  corporate/3.0/RPMS/MySQL-client-4.0.18-1.6.C30mdk.i586.rpm
 fe50c3c3380f386064c9c580e8468677  corporate/3.0/RPMS/MySQL-common-4.0.18-1.6.C30mdk.i586.rpm
 76fc1db6495adc321fc2d0952a27bb91  corporate/3.0/SRPMS/MySQL-4.0.18-1.6.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 02c3a2e98692e6c71e5497a536b30d4e  x86_64/corporate/3.0/RPMS/lib6
[Full-disclosure] MDKSA-2005:162 - Updated squid packages fix vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           squid
 Advisory ID:            MDKSA-2005:162
 Date:                   September 12th, 2005

 Affected versions:      10.1, 10.2, Corporate 3.0, Corporate Server 2.1,
                         Multi Network Firewall 2.0
 ______________________________________________________________________

 Problem Description:

 Two vulnerabilities were recently discovered in squid:

 The first is a DoS possible via certain aborted requests that trigger an
 assertion error related to "STOP_PENDING" (CAN-2005-2794).

 The second is a DoS caused by certain crafted requests and SSL timeouts
 (CAN-2005-2796).

 The updated packages have been patched to address these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2794
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2796
 ______________________________________________________________________

 Updated Packages:

 Mandrakelinux 10.1:
 fc6ae27559810d7cb00916683bb96091  10.1/RPMS/squid-2.5.STABLE9-1.3.101mdk.i586.rpm
 4c76043826e02d944f752fa5b65df065  10.1/SRPMS/squid-2.5.STABLE9-1.3.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 27e142d3fe10a00f53e1b81908623c9d  x86_64/10.1/RPMS/squid-2.5.STABLE9-1.3.101mdk.x86_64.rpm
 4c76043826e02d944f752fa5b65df065  x86_64/10.1/SRPMS/squid-2.5.STABLE9-1.3.101mdk.src.rpm

 Mandrakelinux 10.2:
 1f1cd358e0c3d5f299310cc0c978bfcc  10.2/RPMS/squid-2.5.STABLE9-1.3.102mdk.i586.rpm
 fac7af713eab60a0162f1f9db6db59a9  10.2/SRPMS/squid-2.5.STABLE9-1.3.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 961517306d7678b0f708f24d79431246  x86_64/10.2/RPMS/squid-2.5.STABLE9-1.3.102mdk.x86_64.rpm
 fac7af713eab60a0162f1f9db6db59a9  x86_64/10.2/SRPMS/squid-2.5.STABLE9-1.3.102mdk.src.rpm

 Multi Network Firewall 2.0:
 2ce290ea1cd8daa631bb5e7adcde4bc2  mnf/2.0/RPMS/squid-2.5.STABLE9-1.3.M20mdk.i586.rpm
 46b958e5ef7c7ead62bb216ea474ae5b  mnf/2.0/SRPMS/squid-2.5.STABLE9-1.3.M20mdk.src.rpm

 Corporate Server 2.1:
 3d77f46d83d5f4059801d5cef8619cd0  corporate/2.1/RPMS/squid-2.4.STABLE7-2.8.C21mdk.i586.rpm
 86621b440fd1545b3de520d812a2ad84  corporate/2.1/SRPMS/squid-2.4.STABLE7-2.8.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 a7e76046c6cbdf2096ee0981b873a684  x86_64/corporate/2.1/RPMS/squid-2.4.STABLE7-2.8.C21mdk.x86_64.rpm
 86621b440fd1545b3de520d812a2ad84  x86_64/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.8.C21mdk.src.rpm

 Corporate 3.0:
 e25ada5ae035fcc193afe90b5b977588  corporate/3.0/RPMS/squid-2.5.STABLE9-1.3.C30mdk.i586.rpm
 f47e0db9289695e0d1ac8ca80ed4d5a1  corporate/3.0/SRPMS/squid-2.5.STABLE9-1.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 75553a5ca63867a16bfbb8d58621e328  x86_64/corporate/3.0/RPMS/squid-2.5.STABLE9-1.3.C30mdk.x86_64.rpm
 f47e0db9289695e0d1ac8ca80ed4d5a1  x86_64/corporate/3.0/SRPMS/squid-2.5.STABLE9-1.3.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDJmwNmqjQ0CJFipgRAopxAJ9oq3Kxmclch173mRHahrAxSi048gCgoUuY
Uvnav2q4Ib6qbfdDJ4LVyto=
=1NpH
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Re: Full-Disclosure Digest, Vol 7, Issue 25
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo Druid!

On Mon, 12 Sep 2005 [EMAIL PROTECTED] wrote:

> Purchase? no. You can dd the drive and use a utility to recognize files
> within the unallocated space, I just had to do this a couple nights ago
> so:
>
> (on system you want to copy)
> dd if=/dev/hda | nc otherhost 5000

If you are running bash, then you do not even need netcat:

    dd if=/dev/hda > /dev/tcp/otherhost/5000

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
    [EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDJmv78KZibdeR3qURApNCAJ98ozObSKwBCjujBlOIF9Tl06UJDQCfSFTx
wK8fYh/NxkBUhrXq3UaBpWQ=
=/WaT
-----END PGP SIGNATURE-----
Re: [Full-disclosure] Re: Forensics help?
On Mon, 12 Sep 2005 [EMAIL PROTECTED] wrote:
>
>
> On Mon, 12 Sep 2005, Red Leg wrote:
> > 5) forensically analyze the restored copy for deleted files.
>
> This I do not know how to do outside of norton unerase, you will need a
> product

http://linux-ntfs.sourceforge.net/ has a great set of tools like undelete
for ntfs on block devices (and loopbacks?). The undelete works especially
well with a little bit of shellfoo.

-Eric

> > On 9/12/05 1:29 AM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> >
> >> Purchase? no. You can dd the drive and use a utility to recognize files
> >> within the unallocated space, I just had to do this a couple nights ago
> >> so:
> >>
> >> (on system you want to copy)
> >> dd if=/dev/hda | nc otherhost 5000
> >>
> >> (on your lappy or whatever)
> >> nc -l -p 5000 | dd of=./blah
> >>
> >> I was copying from one partition on an old disk to an unpartitioned space
> >> on another disk in another machine, there are a bunch of ways of doing
> >> this but that is a quick and dirty way of copying the readable data on a
> >> drive to another location. You are on your own as far as finding deleted
> >> files, but there are programs available. BTW you can mount that file like
> >> a drive! Read the dd man page and remember "-" == stdin/stdout. I hope
> >> this was useful, I just remembered you asked for a commercial solution for
> >> this implying a lack of linux foo so if this is totally greek I apologize.
> >>
> >> BTW: nc == netcat, and you can use a similar trick with tar if you have no
> >> need to find deleted files later. Useful for the sys admins out there, OR
> >> use with ssh for a cheap and dirty crypted file transfer solution (but why
> >> not just use scp..)
> >>
> >> --druid
> >>
> >> P.S. I am only sharing this because I just had to use this trick (and
> >> failed with the dd btw but that's another issue entirely) and it is pretty
> >> handy for moving data around using a boot cd and a NIC.
> >>
> >>> Message: 11
> >>> Date: Sun, 11 Sep 2005 18:33:43 -0400
> >>> From: Red Leg <[EMAIL PROTECTED]>
> >>> Subject: [Full-disclosure] Forensic help?
> >>> To:
> >>> Message-ID: <[EMAIL PROTECTED]>
> >>> Content-Type: text/plain; charset="US-ASCII"
> >>>
> >>> Hi all.
> >>>
> >>> I was wondering if anyone knows of a program/system that I can purchase,
> >>> as a private individual, that will allow me to
> >>>
> >>> 1) mirror a hard drive on location and
> >>>
> >>> 2) take that mirror and restore it to another drive. And
> >>>
> >>> 3) Find any CONVENTIONALLY erased files?
> >>>
> >>> -- This would be either a Windows NTFS or FAT32 drive.
> >>>
> >>> Anyone have first hand experience? Please let me know, if you do. In ANY
> >>> case, please suggest whatever you might have learned even without first
> >>> hand experience.
> >>>
> >>> Thanks!
> >>>
> >>> Redleg18
> >>>
> >>> End of Full-Disclosure Digest, Vol 7, Issue 25

--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
RE: [Full-disclosure] Re: Automated mass abuse of form mailers
> > Another address they use is [EMAIL PROTECTED]
> > (noticed aol abuse about this, but I guess that's /dev/null)
>
> I'm going to start putting both those addresses into all the unsubscribe
> links I get in all my spam... >:->
>

This might be someone's 0wned email address.

Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
[Full-disclosure] [SECURITY] [DSA 809-1] New squid packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 809-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 13th, 2005                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : squid
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2794 CAN-2005-2796

Several vulnerabilities have been discovered in Squid, the popular WWW
proxy cache.  The Common Vulnerabilities and Exposures project identifies
the following problems:

CAN-2005-2794

    Certain aborted requests that trigger an assert may allow remote
    attackers to cause a denial of service.

CAN-2005-2796

    Specially crafted requests can cause a denial of service.

For the stable distribution (sarge) these problems have been fixed in
version 2.5.9-10sarge1.

For the unstable distribution (sid) these problems have been fixed in
version 2.5.10-5.

We recommend that you upgrade your squid package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1.dsc
      Size/MD5 checksum:      659 a9c5f2cb50c8cc0615d80ddd3448
    http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1.diff.gz
      Size/MD5 checksum:   343051 07af4fe1887f8f06c7f0b0181e8bd043
    http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9.orig.tar.gz
      Size/MD5 checksum:  1384772 7290aa52ade1b5d5d3812e9089be13a9

  Architecture independent components:

    http://security.debian.org/pool/updates/main/s/squid/squid-common_2.5.9-10sarge1_all.deb
      Size/MD5 checksum:   194914 8f884932fab62702c206a919f9813317

  Alpha architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_alpha.deb
      Size/MD5 checksum:   942860 fe03705e82a8256f01358e01fc78fe64
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_alpha.deb
      Size/MD5 checksum:   100082 d1b15a432028108e7ac9ae3ef6fd24fc
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_alpha.deb
      Size/MD5 checksum:    78152 01b9a4741926e2e1a61ac9caf8f662c4

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_amd64.deb
      Size/MD5 checksum:   822334 49fe562667b4a6c2b3df23e265f7fdd8
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_amd64.deb
      Size/MD5 checksum:    98258 d3b723da7377f459fcd4d37ddea4217c
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_amd64.deb
      Size/MD5 checksum:    76260 72d7e696587e731366226843b4a5fffe

  ARM architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_arm.deb
      Size/MD5 checksum:   783042 8cfe92643e527f26a2126a3c21fb1ee9
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_arm.deb
      Size/MD5 checksum:    95782 cdd3b3c1f97b4434fb9a75fe0cb59823
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_arm.deb
      Size/MD5 checksum:    75208 a6c59bf6c3ab810a3a3ad2d767d886e0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_i386.deb
      Size/MD5 checksum:   767454 854dfa14c6218c7ad87351acc0700904
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_i386.deb
      Size/MD5 checksum:    96866 26460703415667d9ffb2cf7ae7d90526
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_i386.deb
      Size/MD5 checksum:    75338 92dff139a14d41741f4d4bf1c0c561c9

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_ia64.deb
      Size/MD5 checksum:  1073800 5311d3c87c80f6255e684a47b202ed1a
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.5.9-10sarge1_ia64.deb
      Size/MD5 checksum:   103576 7bb8d9c943e38da9dc4f7711bfc81403
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.5.9-10sarge1_ia64.deb
      Size/MD5 checksum:    80660 0d9fde10362da3ace34e8a64479b7cef

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.5.9-10sarge1_hp
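The advisory's upgrade instructions stop at "wget url" and "dpkg -i file.deb"; what sits between those two steps is checking the download against the Size/MD5 pairs the advisory publishes. The script below is an added example, not Debian's tooling: it reads advisory-style "URL / Size/MD5 checksum: SIZE MD5" line pairs from a manifest and checks a local copy of each file by size and digest, so a truncated or substituted package is refused before dpkg ever sees it. The manifest format is the advisory's own; the function names, the example.invalid URL and the six-byte stand-in "package" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the DSA: verify downloaded packages against the
# "Size/MD5 checksum" pairs an advisory lists before installing them.
# Function names, the example.invalid URL and the sample file are constructed.

# check_file FILE SIZE MD5 : 0 if FILE has exactly SIZE bytes and digest MD5
check_file() {
    f=$1; want_size=$2; want_md5=$3
    [ -f "$f" ] || { echo "MISSING  $f"; return 1; }
    have_size=$(wc -c < "$f" | tr -d ' ')
    have_md5=$(md5sum "$f" | cut -d' ' -f1)
    if [ "$have_size" -eq "$want_size" ] && [ "$have_md5" = "$want_md5" ]; then
        echo "OK       $f"
    else
        echo "MISMATCH $f (size $have_size/$want_size md5 $have_md5)"
        return 1
    fi
}

# check_manifest MANIFEST DIR : MANIFEST holds advisory-style line pairs
#     http://.../pkg.deb
#       Size/MD5 checksum:   SIZE MD5
# Each file is looked up in DIR by the URL's basename. Returns the number of
# files that were missing or did not match (0 means everything verified).
check_manifest() {
    manifest=$1; dir=$2; url=''; bad=0
    while read -r line; do                 # read strips the leading indent
        case $line in
            http://*|https://*) url=$line ;;
            Size/MD5\ checksum:*)
                set -- $line               # $3 = SIZE, $4 = MD5
                check_file "$dir/$(basename "$url")" "$3" "$4" || bad=$((bad+1)) ;;
        esac
    done < "$manifest"
    return $bad
}

# Demo on a constructed manifest: the "package" is the six bytes "hello\n",
# whose MD5 is the well-known b1946ac92492d2347c6235b4d2611184.
demo() {
    w=$(mktemp -d)
    printf 'hello\n' > "$w/squid-demo_1.0_all.deb"
    cat > "$w/manifest" <<'EOF'
    http://security.example.invalid/pool/updates/main/s/squid/squid-demo_1.0_all.deb
      Size/MD5 checksum:        6 b1946ac92492d2347c6235b4d2611184
EOF
    check_manifest "$w/manifest" "$w"
    echo "failures: $?"
    rm -rf "$w"
}

demo
```

Paste the advisory's package section for your architecture into the manifest file and point the second argument at the directory wget wrote into; any non-zero return means do not run dpkg -i. MD5 is what the 2005 advisory publishes, so that is what is checked here; the stronger guarantee is the PGP signature on the advisory itself, which is what makes the listed digests trustworthy in the first place.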
Re: [Full-disclosure] Forensic help?
We generally categorize files with something like

    find /mnt/repair | while read -r f; do
        F=$(file -b "$f")          # type description only, no "path:" prefix
        mkdir -p "/tmp/r/$F"       # -p: quiet when the type dir already exists
        ln -sv "$f" "/tmp/r/$F"
    done

It will nicely sort your files into directories by file-type (ignore
errors). It's not the best, but certainly a good start.

Also note that if somewhere in /mnt/repair two files with the same type
have the same name, you will have a name collision. Hopefully your
preliminary restore software gave unique names to the files.

Without additional knowledge of /what/ you are looking for, I'm not sure
what to suggest. If the dentry system is indeed completely(!?) gone, then I
would give up on finding names and start looking for content. If it's really
important, the name can be changed ;)

-Eric

==
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770

At least then you end up with directories like

On Mon, 12 Sep 2005, Ragone_Andrew wrote:

> > I recently destroyed my file structure due to mistakenly writing a
> > partition table to the wrong hard disk drive on my machine while
> > installing an experimental version of OS X. The saving factor is that
> > the partition that may have formatted was only 20GB out of 200GB and
> > the rest was unallocated free space. I have installed a temporary
> > instance of WinXP to use data recovery software and recover the
> > majority of files from the drive (it is installed on the non-corrupted
> > drive). I ran a scan with R-Studio's awesome NTFS recovery tool and can
> > only find some of my recognized files here and there with system files
> > in between. The folders are present as something such as
> > $$$Folder1546$$ but there is absolutely no file system structure
> > present. (some is on different "found" under different cluster settings,
> > etc. using the IntelligiScan).
> > Is there a way to reconstruct the file system with another utility using
> > a data forensics linux livecd or other utility? I REALLY need to get
> > this data recovered and would like to learn how on my own as first
> > resort.
> > I have used iRecover which restructed the file system almost perfectly
> > but it freezes during the recover (or seems to hang). Are there any other
> > choices out there? It seems none of the data was truly formatted ...
> > -Andrew
> >
> > On 9/12/05, Red Leg <[EMAIL PROTECTED]> wrote:
> > >
> > > On 9/11/05 8:21 PM, "Paul Schmehl" <[EMAIL PROTECTED]> wrote:
> > >
> > > > Download the knoppix std distro and burn it to a cd. Use dcfldd for
> > > > drive imaging and the forensics tools for recovery of erased files
> > > > and the like.
> > > >
> > > > Paul.
> > >
> > > Does dcfldd allow me to mirror the disk in such a manner as to include
> > > deleted files? I can not swap drives. I need to obtain an image with
> > > which I can "undelete" files that were conventionally erased.
> > >
> > > Will dcfldd provide such an image?
> > >
> > > Thanks!
> >
> > --
> > -Andrew Ragone
> > BCA ATCS 2006
> > [ Project Moonwell ]
> > Kc2LTO
> > http://kc2lto.com
Re: [Full-disclosure] Re: Full-Disclosure Digest, Vol 7, Issue 25
On Mon, 12 Sep 2005 [EMAIL PROTECTED] wrote:

> Purchase? no. You can dd the drive and use a utility to recognize files
> within the unallocated space, I just had to do this a couple nights ago
> so:
>
> (on system you want to copy)
> dd if=/dev/hda | nc otherhost 5000
>
> (on your lappy or whatever)
> nc -l -p 5000 | dd of=./blah

That's a cool way to do it! We always use ssh pipes but the crypto overhead
is sometimes unnecessarily slow. A great piece of *nixfoo.

-Eric

> I was copying from one partition on an old disk to an unpartitioned space
> on another disk in another machine, there are a bunch of ways of doing
> this but that is a quick and dirty way of copying the readable data on a
> drive to another location. You are on your own as far as finding deleted
> files, but there are programs available. BTW you can mount that file like
> a drive! Read the dd man page and remember "-" == stdin/stdout. I hope
> this was useful, I just remembered you asked for a commercial solution for
> this implying a lack of linux foo so if this is totally greek I apologize.
>
> BTW: nc == netcat, and you can use a similar trick with tar if you have no
> need to find deleted files later. Useful for the sys admins out there, OR
> use with ssh for a cheap and dirty crypted file transfer solution (but why
> not just use scp..)
>
> --druid
>
> P.S. I am only sharing this because I just had to use this trick (and
> failed with the dd btw but that's another issue entirely) and it is pretty
> handy for moving data around using a boot cd and a NIC.
>
> > Message: 11
> > Date: Sun, 11 Sep 2005 18:33:43 -0400
> > From: Red Leg <[EMAIL PROTECTED]>
> > Subject: [Full-disclosure] Forensic help?
> > To:
> > Message-ID: <[EMAIL PROTECTED]>
> > Content-Type: text/plain; charset="US-ASCII"
> >
> > Hi all.
> >
> > I was wondering if anyone knows of a program/system that I can purchase,
> > as a private individual, that will allow me to
> >
> > 1) mirror a hard drive on location and
> >
> > 2) take that mirror and restore it to another drive. And
> >
> > 3) Find any CONVENTIONALLY erased files?
> >
> > -- This would be either a Windows NTFS or FAT32 drive.
> >
> > Anyone have first hand experience? Please let me know, if you do. In ANY
> > case, please suggest whatever you might have learned even without first
> > hand experience.
> >
> > Thanks!
> >
> > Redleg18

--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
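The imaging pipeline traded back and forth in this thread (dd on the source box, netcat or an ssh pipe in the middle, dd into a file on the receiver) has one gap none of the posts mention: nothing tells you whether the image that arrived is byte-for-byte the disk you left. The script below is an added example, not code from druid, Gary or Eric. It wraps the same dd step, hashes source and image, and refuses to call the copy good unless the digests agree; the second half deliberately corrupts one byte of the image to show the check firing. The function names, the 1 KiB constructed "disk" and the mktemp paths are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: image a device (or file) with dd and
# prove the copy is faithful by comparing SHA-256 digests of source and
# image. Function names and the sample "disk" are constructed for the demo.

# hash_of FILE : print the SHA-256 hex digest of FILE
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image SRC IMG : 0 if the digests match, 1 otherwise (prints both,
# in sha256sum's "digest  name" layout so they can be kept with the image)
verify_image() {
    s=$(hash_of "$1")
    i=$(hash_of "$2")
    printf '%s  %s\n%s  %s\n' "$s" "$1" "$i" "$2"
    [ "$s" = "$i" ]
}

# image_and_verify SRC IMG : copy SRC to IMG block by block, then verify.
# conv=noerror keeps dd reading past unreadable sectors instead of aborting,
# and sync pads any short read to a full block so offsets in the image stay
# aligned with the source; on a healthy device the image hashes identically.
# Over a network the same pipeline splits into the thread's two commands,
#   dd if=SRC | nc otherhost 5000        (source machine)
#   nc -l -p 5000 | dd of=IMG            (receiver)
# and comparing digests afterwards is what tells you nothing was lost.
image_and_verify() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 1
    verify_image "$1" "$2"
}

# make_sample_disk FILE : a constructed 1 KiB "disk", two 512-byte blocks
make_sample_disk() {
    dd if=/dev/zero bs=512 count=2 2>/dev/null | tr '\0' 'A' > "$1"
}

# Demo: image the sample disk, verify it, then flip one byte of the image
# and show that re-verification catches the change.
demo() {
    w=$(mktemp -d)
    make_sample_disk "$w/disk.bin"
    image_and_verify "$w/disk.bin" "$w/disk.img" && echo "image verified"
    printf 'X' | dd of="$w/disk.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$w/disk.bin" "$w/disk.img"; then
        echo "unexpected: corrupted image verified"
    else
        echo "corruption detected"
    fi
    rm -rf "$w"
}

demo
```

Gary's `dd if=/dev/hda > /dev/tcp/otherhost/5000` form relies on a bash-only redirection, so it is not available under dash or a busybox sh on a boot CD, and like the netcat version it carries no integrity check of its own, which is why the digest comparison is the part worth keeping. For the inspection step druid alludes to ("you can mount that file like a drive"), mount the finished image read-only, on Linux with a loop device (`mount -o loop,ro disk.img /mnt/img`, assuming loop support is present), so analysis never writes to the evidence copy and the recorded digest stays valid.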
RE: [Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow
Larry Seltzer wrote:

>> And how exactly do you propose to "leave out the details and PoC" when the
>> presence of the bug and the steps taken to fix it can not be concealed from
>> public view given that the source code and the entire CVS entries are freely
>> available for anyone to browse?

> You really don't think it would slow them down?

Who is "them"? And you want to slow "them" down from doing... what?

Maybe it is not evident to you that a source code diff between vulnerable and
non-vulnerable versions of a software package is enough information to figure
out all the details needed to identify and trigger the bug and to write an
exploit for it. After all, you are not supposed to know this right? You're the
security center editor for eWeek not some hardcore software developer or
security expert.

Hell, not even a source code diff is necessary anymore, a binary patch is
sufficient to identify the bug and develop an exploit for it.

So there! That's some newsworthy information for your prestigious magazine,
maybe you should seek clearance from your sponsors to write about it. It will
sell a bunch more copies. Trust me! THIS IS HOT NEWS

Meanwhile, I am still waiting for your proposal for a way to leave out details
and PoC for vulnerabilities found in open source projects.

>> The proposal for obscurity serves well closed-source initiatives and
>> development processes that have limited or no public visibility but it fails
>> in the presence of OSS. The "responsible disclosure" advocates act as if
>> Linux, *BSD, Mozilla and a zillion other open source projects did not exist
>> in reality.

> The Mozilla team obviously disagrees with you, since they do try to hide
> unresolved security problems, at least until (as in this case) the beans get
> spilled in some other way.

Hmm may be... but then again how is that different from MSRC then?

In any case, I can not say how the Mozilla or other OSS development teams
work and if they do try to hide security vulnerabilities or not but what I
can do is browse their CVS tree and bug tracking system:

https://bugzilla.mozilla.org/show_bug.cgi?id=307259

So what I read in the publicly available bug entry above does not support
your theory, perhaps you have some secret 3l337 knowledge about how the team
really works WRT security flaws that you want to share with the list?

uhm no wait I forgot... not talking about this will slow THEM down
Re: [Full-disclosure] Re: Forensics help?
On Mon, 12 Sep 2005, Red Leg wrote:

> Hey Thanks!
>
> Can I use the copy made by dd for the analysis? Specifically...
>
> 1) I want to go to the site,

This is outside the scope of my response, hehe

> 2) copy the drive,

This will allow you to make a copy of the hard drive

> 3) take the copy made back to my location,

yes

> 4) restore the data to another drive and mount it to an existing system and
> then

you should not need to restore to another drive, but rather mount the image,
there are windows tools to do this and unixy ways to do this.

> 5) forensically analyze the restored copy for deleted files.

This I do not know how to do outside of norton unerase, you will need a
product

> Can I use your directions to accomplish that?

My directions will allow you to copy a drive and move that image off site
for analysis.

--Druid

> On 9/12/05 1:29 AM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
>
> > Purchase? no. You can dd the drive and use a utility to recognize files
> > within the unallocated space, I just had to do this a couple nights ago
> > so:
> >
> > (on system you want to copy)
> > dd if=/dev/hda | nc otherhost 5000
> >
> > (on your lappy or whatever)
> > nc -l -p 5000 | dd of=./blah
> >
> > I was copying from one partition on an old disk to an unpartitioned space
> > on another disk in another machine, there are a bunch of ways of doing
> > this but that is a quick and dirty way of copying the readable data on a
> > drive to another location. You are on your own as far as finding deleted
> > files, but there are programs available. BTW you can mount that file like
> > a drive! Read the dd man page and remember "-" == stdin/stdout. I hope
> > this was useful, I just remembered you asked for a commercial solution for
> > this implying a lack of linux foo so if this is totally greek I apologize.
> >
> > BTW: nc == netcat, and you can use a similar trick with tar if you have no
> > need to find deleted files later. Useful for the sys admins out there, OR
> > use with ssh for a cheap and dirty crypted file transfer solution (but why
> > not just use scp..)
> >
> > --druid
> >
> > P.S. I am only sharing this because I just had to use this trick (and
> > failed with the dd btw but that's another issue entirely) and it is pretty
> > handy for moving data around using a boot cd and a NIC.
> >
> > > Message: 11
> > > Date: Sun, 11 Sep 2005 18:33:43 -0400
> > > From: Red Leg <[EMAIL PROTECTED]>
> > > Subject: [Full-disclosure] Forensic help?
> > > To:
> > > Message-ID: <[EMAIL PROTECTED]>
> > > Content-Type: text/plain; charset="US-ASCII"
> > >
> > > Hi all.
> > >
> > > I was wondering if anyone knows of a program/system that I can purchase,
> > > as a private individual, that will allow me to
> > >
> > > 1) mirror a hard drive on location and
> > >
> > > 2) take that mirror and restore it to another drive. And
> > >
> > > 3) Find any CONVENTIONALLY erased files?
> > >
> > > -- This would be either a Windows NTFS or FAT32 drive.
> > >
> > > Anyone have first hand experience? Please let me know, if you do. In ANY
> > > case, please suggest whatever you might have learned even without first
> > > hand experience.
> > >
> > > Thanks!
> > >
> > > Redleg18
[Full-disclosure] Fun, Misc and OT posts - a new mailing list
Being tired of OT security posts everywhere, and looking to MAKE them without
cross-posting to a hundred lists, we created a new mailing list which is
already very active called funsec.

Check out the archives for just ONE day of activity, and subscribe if you like:
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec

    Gadi.

--
Available for consulting: +972-50-5428610 / [EMAIL PROTECTED]
Re: [Full-disclosure] Automated mass abuse of form mailers
On Mon, 12 Sep 2005, n3td3v wrote:

> You're missing the point, as i've tried to outline. This is an active
> project, and written code for such an outbreak is already within the
> hands of *underground hacker communities*.
>
> If you look at my background posts, as posted earlier on the thread,
> you'll see the lead up.
>

Perhaps, and perhaps you danced about mine and missed them as well.

9 of 10 websites use off the freeshelf code, and most use dated code that
was never written with a mind towards security. So if folks are going to use
tools in existence rather than create their own hammers and drills they
should go for other than perhaps the first click in a google search and find
something that was coded with security in mind, rather than the first link
that likely pops up in a google search. If the code is good that they
incorporate into their designs, then it kinda devalues the current tools that
nasty boys are using, does it not? If their tools rely upon poorly written
code, then replacing it with far better code makes their efforts kinda nil,
yes?

Thanks,

Ron DuFresne

> Thanks..
>
> On 9/12/05, Ron DuFresne <[EMAIL PROTECTED]> wrote:
> > On Mon, 12 Sep 2005, Michael Holzt wrote:
> >
> > > Automated mass abuse of form mailers
> > >
> >
> > [smip]
> >
> > Nothing new really, this has been an issue for many years now. And often
>

--
"Sometimes you get the blues because your baby leaves you.
Sometimes you get'em 'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
[Full-disclosure] [ GLSA 200509-08 ] Python: Heap overflow in the included PCRE library
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200509-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Python: Heap overflow in the included PCRE library
Date: September 12, 2005
Bugs: #104009
ID: 200509-08

Synopsis

The "re" Python module is vulnerable to a heap overflow, possibly leading to the execution of arbitrary code.

Background

Python is an interpreted, interactive, object-oriented, cross-platform programming language. The "re" Python module provides regular expression functions.

Affected packages

    Package            Vulnerable    Unaffected
    dev-lang/python    < 2.3.5-r2    >= 2.3.5-r2

Description

The "re" Python module makes use of a private copy of libpcre which is subject to an integer overflow leading to a heap overflow (see GLSA 200508-17).

Impact

An attacker could target a Python-based web application (or SUID application) that uses untrusted data as regular expressions, potentially resulting in the execution of arbitrary code (or privilege escalation).

Workaround

Python users that don't run any Python web application or SUID application (or that run one that doesn't use untrusted input as regular expressions) are not affected by this issue.

Resolution

All Python users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-2.3.5-r2"

References

[ 1 ] CAN-2005-2491
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
[ 2 ] GLSA 200508-17
      http://www.gentoo.org/security/en/glsa/glsa-200508-17.xml

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200509-08.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
Re: [Full-disclosure] Security Hole Found In Dave's Sock
misiu wrote:

> Yo guys are sick! :-)
> I found a hole in my pants, is this a possible "information disclosure"
> vulnerability

Not given the size of the "information" that would be disclosed.

...

Now can we finally kill this overworn thread by ignoring it??? Please

Regards,

Nick FitzGerald
Re: [Full-disclosure] Automated mass abuse of form mailers
You're missing the point, as I've tried to outline. This is an active project, and written code for such an outbreak is already within the hands of *underground hacker communities*.

If you look at my background posts, as posted earlier on the threat, you'll see the lead up.

Thanks..

On 9/12/05, Ron DuFresne <[EMAIL PROTECTED]> wrote:
> On Mon, 12 Sep 2005, Michael Holzt wrote:
>
> > Automated mass abuse of form mailers
> >
> > [smip]
> >
> Nothing new really, this has been an issue for many years now. And often
Re: [Full-disclosure] Forensic help?
Red Leg wrote:

> I was wondering if anyone knows of a program/system that I can purchase, as a private individual, that will allow me to 1) mirror a hard drive on location and 2) take that mirror and restore it to another drive. And 3) Find any CONVENTIONALLY erased files?

Why not give a try to g4l (Ghost for Linux)?
http://freshmeat.net/projects/g4l/

--
Christophe Garault
Re: [Full-disclosure] Automated mass abuse of form mailers
On Mon, 12 Sep 2005, Michael Holzt wrote:

> Automated mass abuse of form mailers
>
> [smip]

Nothing new really, this has been an issue for many years now. And often the result of folks still using Matt's CGI scripts, despite his references and links to the more secure version of his and other web-based scripts that can be gotten from:

http://nms-cgi.sourceforge.net/scripts.shtml

Unless one is careful they often get what they paid for

Thanks,

Ron DuFresne

--
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em 'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
[Full-disclosure] [SECURITY] [DSA 808-1] New tdiary packages fix Cross Site Request Forgery
- --
Debian Security Advisory DSA 808-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
September 12th, 2005                    http://www.debian.org/security/faq
- --

Package: tdiary
Vulnerability : design error
Problem type : remote
Debian-specific: no
CVE ID : CAN-2005-2411

The tdiary Development Team has discovered a Cross-Site Request Forgery (CSRF) vulnerability in tdiary, a new generation weblog, that can be exploited by remote attackers to alter the users' information.

The old stable distribution (woody) does not contain tdiary packages.

For the stable distribution (sarge) this problem has been fixed in version 2.0.1-1sarge1.

For the unstable distribution (sid) this problem has been fixed in version 2.0.2-1.

We recommend that you upgrade your tdiary packages.

Upgrade Instructions
- 

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:

  Architecture independent components:

  These files will probably be moved into the stable distribution on its next update.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
Re: [Full-disclosure] Forensic help?
James Wicks top-posting to someone:

> Symantec Ghost was not presented as a means of getting a forensic duplicate.
> As stated in my first response, the Ghost image is to be added to the new
> drive and that drive is placed in the suspect desktop so that it can be
> placed back into production. That would leave the suspect drive available
> for any type of forensic investigation, whether it is done internally or
> sent out to another company. I normally do not want to leave a user without
> a desktop just because I need to investigate something. Since this is a case
> of data deletion/recovery and not an investigation of suspected
> trojan/rootkit, getting the system back into production using a Ghosted
> drive is (in my opinion) a business-practical course of action.
> ---
> Ghost will not give you a forensically sound image. Unless something
> changed recently, Ghost won't image unallocated space, so you won't be able
> to recover any deleted files. I'd recommend using the Helix Live CD at
> http://www.e-fense.com/helix/, which is based on Knoppix, but will never
> automatically mount any disks found, as Knoppix will.

<>

I understand forensic analysis was not part of James' intention in the suggested use of Ghost, and I believe the OP used the term "forensic" incorrectly in the Subject: line, so there is not necessarily a mismatch there, though James' suggested approach allows for the preservation of the original drive...

Anyway, much as I am an _only very occasional_ user of Ghost, I don't think I've ever used it NOT to make a sector-level, or raw disk image, style drive copy. However, as I last used it so long ago, I decided to check I was not mis-remembering -- two seconds at Google turned up this URL discussing "...the Ghost switches to use for forensic imaging or for creating raw images (sector copies)..." (URL may wrap):

http://service1.symantec.com/SUPPORT/ghost.nsf/docid/200413481325?Open&src=&docid=19

Regards,

Nick FitzGerald
[Full-disclosure] BulkSMS flaw?
Hi,

I have heard about a security flaw in bulksms.net. Does someone know a vulnerability that gives free unlimited credits on an account?

Regards,
Carlos
Re: [Full-disclosure] Re: Automated mass abuse of form mailers
On Mon, 12 Sep 2005 21:59:21 +0545, Bipin Gautam said:

> but i find it really strange... a spammer intelligent enough to abuse
> a server don't even bother to tweak-tune his spam mail can make sure
> it passes through most* spam filters & criteria.

What's so strange about a spammer using a tool that's smarter than they are, and silly things happen when they don't use the tool to full advantage? Spammers have their script kiddies too, you know
[Full-disclosure] Automated mass abuse of form mailers
The VXer on the project I speak of doesn't require that the user reads the message; however, for added exploit code, it would be useful that the mail is opened. The likelihood of the mail being opened from a sender such as "[EMAIL PROTECTED]" is strong.

The Yahoo thing -did- bypass filters; however, it doesn't matter where the data goes. The VXer (evil hacker) just wants to slow down the *Branded network* and internet backbones. The result the VXer is after isn't that of disruption to individual inboxes, as specified in Yahoo's case. VXers in this case would be targeting the wider effect on e-communications. The ideal for the VXer would be to cause a delay/denial [of service] to many networks and users. A major slowdown in e-communications, however, would be the most realistic effect from such an attack, rather than a [denial].

International hackers have been working on this since 2004. Cyber security people should be reading this and not taking it as a funny, but looking at the real possibilities posed by determined VXers, hackers, variant authors to slow down backbone carriers, by sending unsolicited bytes of data from zombified machines.

# End

--
http://www.geocities.com/n3td3v
Re: [Full-disclosure] Re: Automated mass abuse of form mailers
> as if this was the first time this would happen...
> spammers exploit that vulnerability since years and it's also
> public knowledge since years.

but i find it really strange... a spammer intelligent enough to abuse a server doesn't even bother to tweak-tune his spam mail to make sure it passes through most* spam filters & criteria. It's gonna end in junk anyways... & will most* likely go unread!

---
Bipin Gautam
http://bipin.tk

Zeroth law of security: The possibility of poking a system from lower privilege is zero unless & until there is possibility of direct, indirect or consequential communication between the two...
[Full-disclosure] Sawmill XSS vuln
This has been delayed until the vendor had released a new version:

<<<
Date: Fri, 26 Aug 2005 11:48:48 -0700
From: Greg Ferrar <[EMAIL PROTECTED]>
User-Agent: Mozilla Thunderbird 1.0.2 (Macintosh/20050317)
X-Accept-Language: en-us, en
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: FW: XSS vulnerability
X-Scanned-By: MIMEDefang 2.48 on 192.168.124.1

Terence,

Thank you for reporting this vulnerability in Sawmill. We have researched this, and verified this vulnerability. This vulnerability exists in Sawmill version 7.0.0 through 7.1.13. All platforms, including Windows, are vulnerable to this attack.

We have fixed this in the latest internal version, by replacing < with &lt;, > with &gt;, and & with &amp;, in the error message. You can get a pre-release with the fix from http://sawmill.net/prerelease.html . We plan to ship Sawmill 7.1.14 next week, probably next Friday. It is possible it will be delayed by as much as a week. So as a tentative timeline, can we aim for release in two weeks, or earlier if 7.1.14 becomes available before then?

Greg
>>

Sawmill XSS Vulnerability

[Overview]

The web administration page for the Sawmill log analysis software is vulnerable to an XSS attack. The attacker does not need to be authenticated to perform this attack

[Vulnerability Details]

Sawmill's built in webserver assumes that any query string appended to a GET request is a configuration command. This query string is not validated correctly for HTML tags so an attacker can use
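The escaping the vendor describes (replacing <, > and & before the rejected query string is echoed into the error message), as an added C example that is not Sawmill's code: html_escape, the error-page template and the sample query string are assumptions made here, and the example goes slightly beyond the reply by also escaping the two quote characters, which matters once a reflected value can land inside an attribute.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Escape a string for inclusion in an HTML body or attribute value.
 * Writes a NUL-terminated result into out (capacity outlen) and returns
 * the length written, or (size_t)-1 if it does not fit; on failure out
 * holds an empty string. Besides the <, > and & the vendor mentions,
 * both quote characters are escaped so the result is also safe inside
 * a quoted attribute.
 */
size_t html_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;

    if (outlen == 0)
        return (size_t)-1;
    out[0] = '\0';
    for (const char *p = in; *p != '\0'; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (len >= outlen - n) {   /* must leave one byte for the NUL */
            out[0] = '\0';
            return (size_t)-1;
        }
        if (rep)
            memcpy(out + n, rep, len);
        else
            out[n] = *p;
        n += len;
    }
    out[n] = '\0';
    return n;
}

/* Hypothetical error page a built-in webserver returns for a query
 * string it does not recognise as a command. */
#define ERROR_TEMPLATE "<html><body>Unknown command: %s</body></html>"

/* "Before": the raw query string is reflected (the reported defect). */
int error_page_unescaped(const char *query, char *out, size_t outlen)
{
    int w = snprintf(out, outlen, ERROR_TEMPLATE, query);
    return (w < 0 || (size_t)w >= outlen) ? -1 : w;
}

/* "After": the query string is escaped before it reaches the template. */
int error_page_escaped(const char *query, char *out, size_t outlen)
{
    char safe[1024];

    if (html_escape(query, safe, sizeof safe) == (size_t)-1)
        return -1;
    int w = snprintf(out, outlen, ERROR_TEMPLATE, safe);
    return (w < 0 || (size_t)w >= outlen) ? -1 : w;
}

/* 1 if the rendered page still contains the query string byte-for-byte
 * (so any markup in it is live), 0 if not, -1 on rendering failure. */
int page_contains_raw_query(const char *query, int escaped)
{
    char page[2048];
    int w = escaped ? error_page_escaped(query, page, sizeof page)
                    : error_page_unescaped(query, page, sizeof page);

    if (w < 0)
        return -1;
    return strstr(page, query) != NULL;
}

/* Helper exposing the escaped form as a comparison result. */
int escape_matches(const char *in, const char *expected)
{
    char buf[1024];

    if (html_escape(in, buf, sizeof buf) == (size_t)-1)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample query string with markup and quotes in it. */
    const char *query = "<b>bad</b> & \"quoted\"";
    char page[2048];

    error_page_unescaped(query, page, sizeof page);
    printf("before: %s\n", page);
    error_page_escaped(query, page, sizeof page);
    printf("after:  %s\n", page);
    return 0;
}
```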
[Full-disclosure] [ GLSA 200509-07 ] X.Org: Heap overflow in pixmap allocation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200509-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: X.Org: Heap overflow in pixmap allocation
Date: September 12, 2005
Bugs: #105688
ID: 200509-07

Synopsis

An integer overflow in pixmap memory allocation potentially allows any X.Org user to execute arbitrary code with elevated privileges.

Background

X.Org is X.Org Foundation's Public Implementation of the X Window System.

Affected packages

    Package               Vulnerable    Unaffected
    x11-base/xorg-x11     < 6.8.2-r3    >= 6.8.2-r3

Description

X.Org is missing an integer overflow check during pixmap memory allocation.

Impact

An X.Org user could exploit this issue to make the X server execute arbitrary code with elevated privileges.

Workaround

There is no known workaround at this time.

Resolution

All X.Org users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-base/xorg-x11-6.8.2-r3"

References

[ 1 ] CAN-2005-2495
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200509-07.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
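The two Gentoo advisories above (GLSA 200509-08, the libpcre copy inside Python's "re" module, and GLSA 200509-07, X.Org pixmap allocation) name the same defect class: a buffer size computed from attacker-controlled dimensions wraps, so a too-small heap buffer is allocated and later writes run past its end. The following C, an added example that is not X.Org, PCRE or Python code, puts the unchecked size computation beside a checked one; the pixmap_* names, the 32-bit arithmetic and the sample dimensions are assumptions made here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Byte count of a width x height pixmap at bytes_per_pixel bytes per pixel.
 * The arithmetic is pinned to 32 bits (an assumption made for this example)
 * so the wraparound reproduces on any host. Nothing here is X.Org or PCRE
 * code; it models the defect class the two advisories describe.
 */

/* "Before": unchecked multiplication. 65536 x 65536 x 4 wraps to 0, so a
 * caller would allocate nothing and then fill a 2^34-byte image into it. */
uint32_t pixmap_bytes_unchecked(uint32_t width, uint32_t height,
                                uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;
}

/* "After": each multiplication is tested by division before it is done.
 * Returns true and stores the size in *out, or false on overflow or a
 * zero dimension. */
bool pixmap_bytes_checked(uint32_t width, uint32_t height,
                          uint32_t bytes_per_pixel, uint32_t *out)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return false;
    if (width > UINT32_MAX / height)          /* width * height wraps */
        return false;
    uint32_t area = width * height;
    if (area > UINT32_MAX / bytes_per_pixel)  /* area * bpp wraps */
        return false;
    *out = area * bytes_per_pixel;
    return true;
}

/* Convenience wrapper: the byte count, or 0 when the request is refused. */
uint32_t pixmap_bytes_or_zero(uint32_t width, uint32_t height,
                              uint32_t bytes_per_pixel)
{
    uint32_t bytes;
    return pixmap_bytes_checked(width, height, bytes_per_pixel, &bytes) ? bytes : 0;
}

/* True when the unchecked path would size the buffer differently from the
 * checked one, i.e. the request would have produced an undersized buffer. */
bool pixmap_request_is_missized(uint32_t width, uint32_t height,
                                uint32_t bytes_per_pixel)
{
    uint32_t checked;
    if (!pixmap_bytes_checked(width, height, bytes_per_pixel, &checked))
        return true;
    return checked != pixmap_bytes_unchecked(width, height, bytes_per_pixel);
}

/* Allocate a zeroed pixel buffer sized by the checked computation, or
 * return NULL. A caller can never receive a buffer smaller than the
 * dimensions imply, which is exactly what the unchecked path allowed. */
void *pixmap_alloc(uint32_t width, uint32_t height, uint32_t bytes_per_pixel,
                   uint32_t *size_out)
{
    uint32_t bytes;
    if (!pixmap_bytes_checked(width, height, bytes_per_pixel, &bytes))
        return NULL;
    void *buf = calloc(1, bytes);
    if (buf != NULL && size_out != NULL)
        *size_out = bytes;
    return buf;
}

int main(void)
{
    /* Constructed requests: a normal one and one whose size wraps. */
    uint32_t size = 0;
    void *ok = pixmap_alloc(640, 480, 4, &size);       /* size == 1228800 */
    void *bad = pixmap_alloc(65536, 65536, 4, &size);  /* NULL: refused */
    int status = (ok != NULL && bad == NULL) ? 0 : 1;
    free(ok);
    return status;
}
```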
[Full-disclosure] [USN-83-2] LessTif 1 vulnerabilities
===
Ubuntu Security Notice USN-83-2                        September 12, 2005
lesstif1-1 vulnerabilities
CAN-2004-0914
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

lesstif1

The problem can be corrected by upgrading the affected package to version 1:0.93.94-4ubuntu1.4. In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-83-1 fixed some vulnerabilities in the "lesstif2" library. The older "lesstif1" library was also affected; however, a fix was not yet available at that time. This USN fixes the flaws for lesstif1. Please note that there are no supported applications that use this library, so this only affects you if you use third-party applications which use lesstif1.

For your convenience, here is the relevant part of the USN-83-1 description:

Several vulnerabilities have been found in the XPM image decoding functions of the LessTif library. If an attacker tricked a user into loading a malicious XPM image with an application that uses LessTif, he could exploit this to execute arbitrary code in the context of the user opening the image.

Ubuntu does not contain any server applications using LessTif, so there is no possibility of privilege escalation.
Re: [Full-disclosure] Forensic help?
much love to mactelbase.rar

-KF

Todd Towles wrote:

> Nah, you went out and grabbed a copy of OS X that will run on x86 hardware with Windows XP. What do you think? Should have used Vmware if you ask me
RE: [Full-disclosure] Forensic help?
Nah, you went out and grabbed a copy of OS X that will run on x86 hardware with Windows XP. What do you think? Should have used Vmware if you ask me

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of KF (lists)
> Sent: Monday, September 12, 2005 10:19 AM
> To: [EMAIL PROTECTED]
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Forensic help?
>
> By experimental I assume you mean stolen?
>
> > > installing an experimental version of OS X.
>
> -KF
Re: [Full-disclosure] Forensic help?
On Mon, Sep 12, 2005 at 10:11:24AM -0400, Red Leg wrote:
> On 9/11/05 8:21 PM, "Paul Schmehl" <[EMAIL PROTECTED]> wrote:
> >
> > Download the knoppix std distro and burn it to a cd. Use dcfldd for drive
> > imaging and the forensics tools for recovery of erased files and the like.
> >
> > Paul.
>
> Does dcfldd allow me to mirror the disk in such a manner as to include
> deleted files? I can not swap drives. I need to obtain an image with which I
> can "undelete" files that were conventionally erased.
>
> Will dcfldd provide such an image?

I haven't used dcfldd, but it seems to be a modified version of the standard UNIX tool dd. As such it should produce a block level image of the disk - which includes everything on the disk, deleted or not.

Regards,

Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and looks like work." -- Thomas A. Edison
Re: [Full-disclosure] Forensic help?
By experimental I assume you mean stolen?

> installing an experimental version of OS X.

-KF
Re: [Full-disclosure] Forensic help?
--On Monday, September 12, 2005 10:11:24 -0400 Red Leg <[EMAIL PROTECTED]> wrote:

> Does dcfldd allow me to mirror the disk in such a manner as to include
> deleted files? I can not swap drives. I need to obtain an image with which I
> can "undelete" files that were conventionally erased.
>
> Will dcfldd provide such an image?

Yes. dcfldd is a bit for bit copy of the drive. All bits, including deleted files, etc., are included.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] Forensic help?
I recently destroyed my file structure due to mistakenly writing a partition table to the wrong hard disk drive on my machine while installing an experimental version of OS X. The saving factor is that the partition that may have been formatted was only 20GB out of 200GB and the rest was unallocated free space. I have installed a temporary instance of WinXP to use data recovery software and recover the majority of files from the drive (it is installed on the non-corrupted drive). I ran a scan with R-Studio's awesome NTFS recovery tool and can only find some of my recognized files here and there with system files in between. The folders are present as something such as $$$Folder1546$$ but there is absolutely no file system structure present. (some is on different "found" under different cluster settings, etc. using the IntelligiScan). Is there a way to reconstruct the file system with another utility using a data forensics linux livecd or other utility? I REALLY need to get this data recovered and would like to learn how on my own as first resort. I have used iRecover which restructured the file system almost perfectly but it freezes during the recover (or seems to hang). Are there any other choices out there? It seems none of the data was truly formatted ...

-Andrew

On 9/12/05, Red Leg <[EMAIL PROTECTED]> wrote:
> On 9/11/05 8:21 PM, "Paul Schmehl" <[EMAIL PROTECTED]> wrote:
> > Download the knoppix std distro and burn it to a cd. Use dcfldd for drive
> > imaging and the forensics tools for recovery of erased files and the like.
> > Paul.
>
> Does dcfldd allow me to mirror the disk in such a manner as to include
> deleted files? I can not swap drives. I need to obtain an image with which I
> can "undelete" files that were conventionally erased.
>
> Will dcfldd provide such an image?
>
> Thanks!

--
___
-Andrew Ragone
BCA ATCS 2006
[ Project Moonwell ]
Kc2LTO
http://kc2lto.com
[Full-disclosure] Automated mass abuse of form mailers
A worm/virus code is in the underground, where the malicious code searches for:

http://groups.google.com/group/n3td3v/browse_thread/thread/74395c44ef94c107/729603543ed1379e?q=vxer+vectors&rnum=1#729603543ed1379e

And then sends whatever the service is, invite/article or web link, depending on what the form's function is; this will bring carriers to a crawl, as the mass amount of mail being sent.

This is nothing new, and the most high profile offender was Yahoo Inc, as reported by me on F-D a while back. Yahoo now have (unconfirmed) patched their mailers and forms for invites to Yahoo services.

I have been researching the potential of VXers using the mass amount of vulnerable webforms on the web for a long time. The most common offenders are online media news outlets, offering you to send an article link to a friend.

The VXer wouldn't worry what the content of the mail being sent is, whether it be a random invite to a service or a link/news story; to the VXer, all he cares about is the data being sent, to slow down networks/internet.

Funnily though, many web forms for invites and news stories allow the user to add their own message, so this can be filled with garbage data, or include executable exploit code, for a particular software flaw.

Regardless of this, it's the fact that these web forms are accessible, with no word verification, to stop bots/zombies/worm/virii code from exploiting these mailers.

CNET News is the _only_ media outlet or site generally that has bothered to protect its send-this-article web form and functionality. The rest from my observations are wide open, millions of them across the web. That's a lot of data that could be sent across the web. To me it's a ticking time bomb.

The Yahoo thingy I just mentioned had an added twist that the invites sent by-passed Yahoo Mail's spam technology, sending all mail straight to the inbox of the user, instead of the bulk folder. This was because the mailers were trusted by Yahoo's anti-spam, thinking the invites were coming from a trusted corporate source, but they weren't.

http://seclists.org/lists/fulldisclosure/2004/Oct/0151.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032128.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-September/026967.html
http://readlist.com/lists/lists.netsys.com/full-disclosure/1/8435.html

And so on.

Way back in 2004 was when I realised the threat to the wider web and not just Yahoo's network.

You're talking about spammers using mailers to advertise a product they're connected with; however, the threat of infected computers sending wanted invites, web links, news articles from websites to consumer and corporate networks is just as great, if not greater.

That's all for now.

Thanks...
[Full-disclosure] [SECURITY] [DSA 807-1] New mod_ssl packages fix acl restriction bypass
- --
Debian Security Advisory DSA 807-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
September 12th, 2005                    http://www.debian.org/security/faq
- --

Package: libapache-mod-ssl
Vulnerability : acl restriction bypass
Problem type : remote
Debian-specific: no
CVE ID : CAN-2005-2700
CERT advisory : VU#744929
BugTraq ID : 14721

A problem has been discovered in mod_ssl, which provides strong cryptography (HTTPS support) for Apache, that allows remote attackers to bypass access restrictions.

For the old stable distribution (woody) this problem has been fixed in version 2.8.9-2.5.

For the stable distribution (sarge) this problem has been fixed in version 2.8.22-1sarge1.

For the unstable distribution (sid) this problem has been fixed in version 2.8.24-1.

We recommend that you upgrade your libapache-mod-ssl package.

Upgrade Instructions
- 

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
[Full-disclosure] Re: Automated mass abuse of form mailers
Original Message >From: Luc Stroobant >Message-Id: [EMAIL PROTECTED] >>The abusers also try to track sucessfull attempts. In a number of >>cases a bcc to an aol email address ([EMAIL PROTECTED]) was inserted >>into the message as well. Other internet users reported such abuse as >>well. Google shows nearly 72.000 hits when searching for this mail >> address. > > Another address they use is [EMAIL PROTECTED] > (noticed aol abuse about this, but I guess that's /dev/null) I'm going to start putting both those addresses into all the unsubscribe links I get in all my spam... >:-> cheers, DaveK -- Can't think of a witty .sigline today ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Automated mass abuse of form mailers
A worm/virus code is in the underground, where the malicious code searches for:

http://groups.google.com/group/n3td3v/browse_thread/thread/74395c44ef94c107/729603543ed1379e?q=vxer+vectors&rnum=1#729603543ed1379e

And then sends whatever the service is (invite, article or web link), depending on what the form's function is. This will bring carriers to a crawl because of the mass amount of mail being sent.

This is nothing new, and the most high-profile offender was Yahoo Inc, as reported by me on F-D a while back. Yahoo now have (unconfirmed) patched their mailers and forms for invites to Yahoo services.

I have been researching the potential of VXers using the mass amount of vulnerable web forms on the web for a long time. The most common offenders are online media news outlets, offering you to send an article link to a friend.

The VXer wouldn't worry what the content of the mail being sent is, whether it be a random invite to a service or a link/news story; to the VXer, all he cares about is the data being sent, to slow down networks/the internet.

Funnily though, many web forms for invites and news stories allow the user to add their own message, so this can be filled with garbage data, or include executable exploit code for a particular software flaw.

Regardless of this, it's the fact that these web forms are accessible, with no word verification, to stop bots/zombies/worm/virii code from exploiting these mailers.

CNET News is the _only_ media outlet or site generally that has bothered to protect its "send this article" web form and functionality. The rest, from my observations, are wide open, millions of them across the web. That's a lot of data that could be sent across the web. To me it's a ticking time bomb.

The Yahoo thingy I just mentioned had an added twist: the invites sent bypassed Yahoo Mail's spam technology, sending all mail straight to the inbox of the user instead of the bulk folder. This was because the mailers were trusted by Yahoo's anti-spam, thinking the invites were coming from a trusted corporate source, but they weren't.

http://seclists.org/lists/fulldisclosure/2004/Oct/0151.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032128.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-September/026967.html
http://readlist.com/lists/lists.netsys.com/full-disclosure/1/8435.html

And so on. Way back in 2004 was when I realised the threat to the wider web and not just Yahoo's network.

You're talking about spammers using mailers to advertise a product they're connected with; however, the threat of infected computers sending wanted invites, web links and news articles from websites to consumer and corporate networks is just as great, if not greater.

That's all for now. Thanks...

On 9/12/05, Michael Holzt <[EMAIL PROTECTED]> wrote:
> Automated mass abuse of form mailers

--
http://www.geocities.com/n3td3v
Re: [Full-disclosure] Re: Forensics help?
Hey Thanks!

Can I use the copy made by dd for the analysis? Specifically...

1) I want to go to the site,
2) copy the drive,
3) take the copy made back to my location,
4) restore the data to another drive and mount it to an existing system, and then
5) forensically analyze the restored copy for deleted files.

Can I use your directions to accomplish that?

On 9/12/05 1:29 AM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

> Purchase? no. You can dd the drive and use a utility to recognize files
> within the unallocated space, I just had to do this a couple nights ago
> so:
>
> (on system you want to copy)
> dd if=/dev/hda | nc otherhost 5000
>
> (on your lappy or whatever)
> nc -l -p 5000 | dd of=./blah
>
> I was copying from one partition on an old disk to an unpartitioned space
> on another disk in another machine, there are a bunch of ways of doing
> this but that is a quick and dirty way of copying the readable data on a
> drive to another location. You are on your own as far as finding deleted
> files, but there are programs available. BTW you can mount that file like
> a drive! Read the dd man page and remember "-" == stdin/stdout. I hope
> this was useful, I just remembered you asked for a commercial solution for
> this implying a lack of linux foo so if this is totally greek I apologize.
>
> BTW: nc == netcat, and you can use a similar trick with tar if you have no
> need to find deleted files later. Useful for the sys admins out there, OR
> use with ssh for a cheap and dirty crypted file transfer solution (but why
> not just use scp..)
>
> --druid
>
> P.S. I am only sharing this because I just had to use this trick (and
> failed with the dd btw but that's another issue entirely) and it is pretty
> handy for moving data around using a boot cd and a NIC.
>
>> Message: 11
>> Date: Sun, 11 Sep 2005 18:33:43 -0400
>> From: Red Leg <[EMAIL PROTECTED]>
>> Subject: [Full-disclosure] Forensic help?
>> To:
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset="US-ASCII"
>>
>> Hi all.
>>
>> I was wondering if anyone knows of a program/system that I can purchase, as
>> a private individual, that will allow me to
>>
>> 1) mirror a hard drive on location and
>>
>> 2) take that mirror and restore it to another drive. And
>>
>> 3) Find any CONVENTIONALLY erased files?
>>
>> -- This would be either a Windows NTFS or FAT32 drive.
>>
>> Anyone have first hand experience? Please let me know, if you do. In ANY
>> case, please suggest whatever you might have learned even without first hand
>> experience.
>>
>> Thanks!
>>
>> Redleg18
>>
>> End of Full-Disclosure Digest, Vol 7, Issue 25
[Full-disclosure] [USN-181-1] Mozilla products vulnerability
===========================================================
Ubuntu Security Notice USN-181-1                 September 12, 2005
mozilla, mozilla-thunderbird, mozilla-firefox vulnerabilities
CAN-2005-2871
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

mozilla-browser
mozilla-firefox
mozilla-thunderbird

On Ubuntu 4.10, the problem can be corrected by upgrading the affected packages to version 1.7.10-0ubuntu04.10.1 (mozilla-browser), 1.0.6-0ubuntu04.10.1 (mozilla-thunderbird), and 1.0.6-0ubuntu0.0.2 (mozilla-firefox).

On Ubuntu 5.04, the problem can be corrected by upgrading the affected packages to version 1.7.10-0ubuntu05.04.1 (mozilla-browser), 1.0.6-0ubuntu05.04.1 (mozilla-thunderbird), and 1.0.6-0ubuntu0.2 (mozilla-firefox).

After a standard system upgrade you need to restart all running Firefox, Mozilla, and Thunderbird instances to effect the necessary changes.

Details follow:

Tom Ferris discovered a buffer overflow in the Mozilla products (Mozilla browser, Firefox, Thunderbird). By tricking a user into clicking on a hyperlink with a specially crafted destination URL, a remote attacker could crash the application. It might even be possible to exploit this vulnerability to execute arbitrary code, but this has not yet been confirmed.
Re: [Full-disclosure] Forensic help?
On 9/11/05 8:21 PM, "Paul Schmehl" <[EMAIL PROTECTED]> wrote:

> Download the knoppix std distro and burn it to a cd. Use dcfldd for drive
> imaging and the forensics tools for recovery of erased files and the like.
> Paul.

Does dcfldd allow me to mirror the disk in such a manner as to include deleted files? I can not swap drives. I need to obtain an image with which I can "undelete" files that were conventionally erased. Will dcfldd provide such an image?

Thanks!
Re: [Full-disclosure] Automated mass abuse of form mailers
Hi,

On Mon, 2005-09-12 at 11:33 +0200, Michael Holzt wrote:
> Automated mass abuse of form mailers
[...]
> It is therefore advised to check the relevant data fields for newlines
> inserted and deny sending the mail if any are found. For example the
> vulnerable script shown above could be added by a check like this:
>
> | if ( eregi("\n",$_POST["email"]) || eregi("\r",$_POST["email"]) )
> | {
> |     header("HTTP/1.0 403 Forbidden");
> |     die("Spam attempt denied");
> | }
>

I am blocking these attempts using the following POC in PHP (it's not too nice but it works). It uses a unique ID stored in the session for input validation.

[...more form code]

Matthias

--
Matthias Kestenholz
http://blog.irregular.ch/
Re: [Full-disclosure] Releasing vulnerability information in blogs - a new trend?
Hi,

Well, it's not new that some vulns are reported on personal websites and public/private forums. A blog is quite the same as a little forum... But many guys also send their research to full-disclosure lists, and often before posting it on their sites.

Another question that I'm asking myself is about a standardization of vuln reports. In fact we often find the same sections in a vuln report, but the reports don't have the same design... I think it would be useful to have reports written in a specific way. Just an idea...

Sorry for bad English

/JA

Juha-Matti Laurio wrote:
> This happened with IIS 5.1 Source Disclosure Under FAT/FAT32 Volumes
> Using WebDAV issue
> http://lists.grok.org.uk/pipermail/full-disclosure/2005-September/037019.html
>
> Is this a new trend or something, this IIS vulnerability release was
> similar to a previous IIS 5/6 500-100.asp "SERVER_NAME" issue
> published via (same) Norwegian blog.
> Some possible problems:
> -report format used in blogs
> -possible unofficial blog comments (anonymous exploit codes published
> etc.)
> -vendors have no time to look for new blog entries
>
> Regards,
> Juha-Matti
Re:[Full-disclosure] Automated mass abuse of form mailers
As if this was the first time this would happen... Spammers have exploited that vulnerability for years and it's also been public knowledge for years.

-sk

GroundZero Security Research and Software Development
http://www.groundzero-security.com

pub 1024D/69928CB8 2004-09-27 Stefan Klaas <[EMAIL PROTECTED]>
sub 2048g/2A3C7800 2004-09-27
Key fingerprint = A93E 41F8 7E82 5F2C 3E76 41F1 4BCF 3096 6992 8CB8
Re: [Full-disclosure] Secuirty Hole Found In Dave's Sock
Yo guys are sick! :-) I found a hole in my pants, is this a possible "information disclosure" vulnerability misiu ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Forensic help?
Symantec Ghost was not presented as a means of getting a forensic duplicate. As stated in my first response, the Ghost image is to be added to the new drive and that drive is placed in the suspect desktop so that it can be placed back into production. That would leave the suspect drive available for any type of forensic investigation, whether it is done internally or sent out to another company. I normally do not want to leave a user without a desktop just because I need to investigate something. Since this is a case of data deletion/recovery and not an investigation of a suspected trojan/rootkit, getting the system back into production using a Ghosted drive is (in my opinion) a business-practical course of action.

---

Ghost will not give you a forensically sound image. Unless something changed recently, Ghost won't image unallocated space, so you won't be able to recover any deleted files.

I'd recommend using the Helix Live CD at http://www.e-fense.com/helix/, which is based on Knoppix, but will never automatically mount any disks found, as Knoppix will. It contains all the tools previously mentioned - dcfldd for imaging, which you can pipe to netcat to create an image over the network. The Sleuthkit for analysis, which is basically just a front-end to other tools also included. However, the learning curve can be a bit steep.

-Original Message-
From: Red Leg [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 11, 2005 8:37 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Forensic help?

On 9/11/05 6:33 PM, "Red Leg" <[EMAIL PROTECTED]> wrote:

> Hi all.
>
> I was wondering if anyone knows of a program/system that I can
> purchase, as
> a private individual, that will allow me to
>
> 1) mirror a hard drive on location and
>
> 2) take that mirror and restore it to another drive. And
>
> 3) Find any CONVENTIONALLY erased files?
>
> -- This would be either a Windows NTFS or FAT32 drive.

Wow! Thanks all. I really appreciate the education!

I wish that I could keep the target drive, and change it out. However, this is a Freedom of Information Act issue. I don't think they'll let me keep the original/target.

I knew about Drive Image, but I didn't know it or Symantec Ghost would be able to get the erased data (as in using the "Delete Key" or right click delete).

Thanks!

Redleg18
[Full-disclosure] Re: Full-Disclosure Digest, Vol 7, Issue 25
Purchase? no. You can dd the drive and use a utility to recognize files within the unallocated space, I just had to do this a couple nights ago so:

(on system you want to copy)
dd if=/dev/hda | nc otherhost 5000

(on your lappy or whatever)
nc -l -p 5000 | dd of=./blah

I was copying from one partition on an old disk to an unpartitioned space on another disk in another machine, there are a bunch of ways of doing this but that is a quick and dirty way of copying the readable data on a drive to another location. You are on your own as far as finding deleted files, but there are programs available. BTW you can mount that file like a drive! Read the dd man page and remember "-" == stdin/stdout. I hope this was useful, I just remembered you asked for a commercial solution for this implying a lack of linux foo so if this is totally greek I apologize.

BTW: nc == netcat, and you can use a similar trick with tar if you have no need to find deleted files later. Useful for the sys admins out there, OR use with ssh for a cheap and dirty crypted file transfer solution (but why not just use scp..)

--druid

P.S. I am only sharing this because I just had to use this trick (and failed with the dd btw but that's another issue entirely) and it is pretty handy for moving data around using a boot cd and a NIC.

Message: 11
Date: Sun, 11 Sep 2005 18:33:43 -0400
From: Red Leg <[EMAIL PROTECTED]>
Subject: [Full-disclosure] Forensic help?
To:
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="US-ASCII"

Hi all.

I was wondering if anyone knows of a program/system that I can purchase, as a private individual, that will allow me to

1) mirror a hard drive on location and

2) take that mirror and restore it to another drive. And

3) Find any CONVENTIONALLY erased files?

-- This would be either a Windows NTFS or FAT32 drive.

Anyone have first hand experience? Please let me know, if you do. In ANY case, please suggest whatever you might have learned even without first hand experience.

Thanks!

Redleg18

End of Full-Disclosure Digest, Vol 7, Issue 25
Re: [Full-disclosure] Automated mass abuse of form mailers
Michael Holzt wrote:
> Automated mass abuse of form mailers
> 2005/09/12, Michael Holzt, kju -at- fqdn.org
>
> 1. Summary
>
> Lately webpage mail forms have become a target of spammers. The attacks
> seem to be automated and try to exploit the use of untrusted input data
> in a lot of these form mailers. The attacks insert newlines into data
> fields which are used unchecked in header lines of the mail generated.
> These newlines allow the attacker to add own header lines and message
> content.

I noticed this too. They started testing our forms a few weeks ago and it's still going on. They're using zombies, so IP-blocking is pointless.

> The victim has managed to add his own Cc line (which will be the spam
> target), his own subject and his own body. The original subject (and
> other header lines) as well as the original content have been moved into
> the body of the mail. Examples of real abuse witnessed have shown that
> the attackers even try to create multipart messages to hide the original
> content generated by the form mailer.

I used some mod_security filters (To\:, Cc\:, Bcc\: etc...) to analyse their POST requests. The multipart trick is in all their tests in our case. This is an example:

Content-Type: multipart/mixed; boundary="===1269369969=="
MIME-Version: 1.0
Subject: e2dae455
To: [EMAIL PROTECTED]
bcc: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]

This is a multi-part message in MIME format.

--===1269369969==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding:+7bit

dzrgpjy

--===1269369969==--

> The abusers also try to track successful attempts. In a number of
> cases a bcc to an aol email address ([EMAIL PROTECTED]) was inserted
> into the message as well. Other internet users reported such abuse as
> well. Google shows nearly 72.000 hits when searching for this mail
> address.

Another address they use is [EMAIL PROTECTED] (noticed aol abuse about this, but I guess that's /dev/null)

> It is therefore advised to check the relevant data fields for newlines
> inserted and deny sending the mail if any are found. For example the
> vulnerable script shown above could be added by a check like this:

In my opinion, part of this filtering should be done by the php mail() function. Disallowing the insertion of recipients via additional_headers and moving cc:, bcc: and from: to an own variable - just as they do with "to" - would make it much more abuse-proof.

Luc
RE: [Full-disclosure] Forensic help?
Ghost will not give you a forensically sound image. Unless something changed recently, Ghost won't image unallocated space, so you won't be able to recover any deleted files.

I'd recommend using the Helix Live CD at http://www.e-fense.com/helix/, which is based on Knoppix, but will never automatically mount any disks found, as Knoppix will. It contains all the tools previously mentioned - dcfldd for imaging, which you can pipe to netcat to create an image over the network. The Sleuthkit for analysis, which is basically just a front-end to other tools also included. However, the learning curve can be a bit steep.

-Original Message-
From: Red Leg [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 11, 2005 8:37 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Forensic help?

On 9/11/05 6:33 PM, "Red Leg" <[EMAIL PROTECTED]> wrote:

> Hi all.
>
> I was wondering if anyone knows of a program/system that I can purchase, as
> a private individual, that will allow me to
>
> 1) mirror a hard drive on location and
>
> 2) take that mirror and restore it to another drive. And
>
> 3) Find any CONVENTIONALLY erased files?
>
> -- This would be either a Windows NTFS or FAT32 drive.

Wow! Thanks all. I really appreciate the education!

I wish that I could keep the target drive, and change it out. However, this is a Freedom of Information Act issue. I don't think they'll let me keep the original/target.

I knew about Drive Image, but I didn't know it or Symantec Ghost would be able to get the erased data (as in using the "Delete Key" or right click delete).

Thanks!

Redleg18
[Full-disclosure] Automated mass abuse of form mailers
Automated mass abuse of form mailers

2005/09/12, Michael Holzt, kju -at- fqdn.org

1. Summary

Lately webpage mail forms have become a target of spammers. The attacks seem to be automated and try to exploit the use of untrusted input data in a lot of these form mailers. The attacks insert newlines into data fields which are used unchecked in header lines of the generated mail. These newlines allow the attacker to add their own header lines and message content.

2. Attack vector

Example of a vulnerable script (shortened) in PHP:

| $header = "From: " . $_POST["email"];
| mail("[EMAIL PROTECTED]", "subject",
|      "This is the original content", $header);

This script can be exploited by using e.g. the following value in the 'email' field of the HTTP POST request (line break inserted only for display purposes):

| [EMAIL PROTECTED]\nCc: [EMAIL PROTECTED]\n
| Subject: Buy Viagra now!\n\nText

As this content is inserted unchecked into the header, this will result in a generated mail which looks like this:

| From: [EMAIL PROTECTED]
| Cc: [EMAIL PROTECTED]
| Subject: Buy Viagra now!
|
| Text
| Subject: subject
|
| This is the original content

The attacker has managed to add his own Cc line (which will be the spam target), his own subject and his own body. The original subject (and other header lines) as well as the original content have been moved into the body of the mail. Examples of real abuse witnessed have shown that the attackers even try to create multipart messages to hide the original content generated by the form mailer.

Also, these attacks seem to be automated. For a test I renamed the form mailer script. However, the attacks continued without major delay. In the log files of the web server I could see the abusers first fetch the HTML page containing the mail form. This page seems to be parsed automatically, and the names of the form fields and the script extracted. Between the fetch of the HTML page and the first abuse attempt on the renamed script only 4 seconds elapsed.
The abusers also try to track successful attempts. In a number of cases a Bcc to an AOL e-mail address ([EMAIL PROTECTED]) was inserted into the message as well. Other internet users reported such abuse as well: Google shows nearly 72,000 hits when searching for this mail address.

3. Recommendations

Never use untrusted input data without proper filtering. If special characters like newlines are filtered from the input data, this type of attack would no longer work. The automated exploitation attempts will however likely not be affected by this. If your form mailer does not have any type of sanity check on the input data (which might not even be possible, depending on the type of usage), this will lead to lots of e-mail generated to the "normal" recipient of the form mails. It is therefore advised to check the relevant data fields for inserted newlines and to deny sending the mail if any are found. For example, the vulnerable script shown above could be extended with a check like this:

| // eregi() was removed in PHP 7; preg_match('/[\r\n]/', $_POST["email"]) is the equivalent there
| if ( eregi("\n",$_POST["email"]) || eregi("\r",$_POST["email"]) )
| {
|     header("HTTP/1.0 403 Forbidden");
|     die("Spam attempt denied");
| }
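The injection described in section 2 and the check recommended in section 3, reproduced as an added example in Python rather than PHP; this is not code from the original post. The vulnerable builder concatenates the untrusted 'email' field into the From: line exactly as the PHP snippet does (header block written before the fixed Subject:, following the post's layout), the message is then parsed as a mail client would parse it, and the hardened builder refuses to send when any field contains CR or LF. FORM_RECIPIENT, FIXED_SUBJECT, FIXED_BODY and every address in the payload are constructed for the example.

```python
"""Mail-header injection in a form mailer, reproduced offline.

Added example, not code from the original post. The vulnerable builder
mirrors the PHP snippet in the post (the 'email' field is concatenated
into the From: header unchecked); the hardened builder applies the
newline check the post recommends. All addresses and field values are
constructed for the example.
"""
from email import message_from_string
from email.message import Message
from typing import Dict, Optional

FORM_RECIPIENT = "webmaster@example.com"   # hypothetical form-mail target
FIXED_SUBJECT = "subject"
FIXED_BODY = "This is the original content"


def build_mail_vulnerable(fields: Dict[str, str]) -> str:
    """Builds the raw message the way the vulnerable script does.

    The user-supplied From: line is written before the fixed Subject:
    line, as in the post's example, so CR/LF inside it becomes further
    header lines and an embedded blank line ends the header block early.
    """
    header = "From: " + fields["email"]          # untrusted, unchecked
    return (
        "To: " + FORM_RECIPIENT + "\n"
        + header + "\n"
        + "Subject: " + FIXED_SUBJECT + "\n"
        + "\n"
        + FIXED_BODY + "\n"
    )


def parse_mail(raw: str) -> Message:
    """Parses the raw text as a receiving MTA or mail client would."""
    return message_from_string(raw)


def is_header_injection(value: str) -> bool:
    """The post's check: any CR or LF in a value bound for a header line
    means the sender is trying to add header lines of their own."""
    return "\r" in value or "\n" in value


def build_mail_hardened(fields: Dict[str, str]) -> Optional[str]:
    """Refuses to send (returns None, where the PHP version answers 403
    and dies) if any submitted field contains CR/LF. Checking every
    field, not only 'email', also covers scripts that later start
    placing other fields in headers."""
    if any(is_header_injection(v) for v in fields.values()):
        return None
    return build_mail_vulnerable(fields)


# Constructed payload in the shape the post describes: the address is
# followed by a Cc:, a replacement Subject:, a blank line and spam text.
INJECTED_EMAIL = (
    "victim@example.com\n"
    "Cc: spamtarget@example.net\n"
    "Subject: Buy Viagra now!\n"
    "\n"
    "Text"
)


def demo() -> Dict[str, Optional[str]]:
    """Returns what the injected message looks like once parsed."""
    msg = parse_mail(build_mail_vulnerable({"email": INJECTED_EMAIL}))
    return {
        "cc": msg["Cc"],                 # attacker's spam target
        "subject": msg["Subject"],       # attacker's subject wins
        "body": msg.get_payload(),       # original Subject: now in body
        "hardened": build_mail_hardened({"email": INJECTED_EMAIL}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the parsed message carrying the attacker's Cc: and Subject: while the form's own "Subject: subject" and body text sit inside the message body, and the hardened builder returning None for the same input. The check must be applied to every field that ends up in a header line, not just the sender address; a web server hands the script the POST body already URL-decoded, so testing for the literal CR and LF characters is the right level.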