Re: [Full-disclosure] NUL Character Evasion

2005-09-16 Thread Steffen Kluge
On Tue, 2005-09-13 at 23:24 +0200, [EMAIL PROTECTED] wrote:
> Internet Explorer ignores NUL characters
> -- i.e. ascii characters with the value 0x00 -- most
> security software does not.

Interesting. Did you test this with Outlook as well?

Cheers
Steffen.



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] FileZilla (client) public credentials vulnerability

2005-09-16 Thread PASTOR ADRIAN

Title: FileZilla (client) public credentials vulnerability
Risk: Medium
Versions affected: =2.2.15
Credits: pagvac (Adrian Pastor)
Date found: 10th September, 2005
Homepage: www.ikwt.com www.adrianpv.com
E-mail: m123303 [ - a t - ] richmond.ac.uk

Background
----------
FileZilla client is an open source Windows FTP/SFTP client.

Vulnerability Description
-------------------------
FileZilla client stores all users' credentials (including passwords) in a
globally public directory under Windows which allows all users with local
access (including restricted users) to dump the credentials of all users and
decrypt their passwords.

The directory is %programfiles%\FileZilla\
where %programfiles% is usually "C:\program files".

The default Windows ACLs grant *read* access to %programfiles% to all
users. This means that even restricted accounts can dump any user's
credentials (including the administrators' credentials) from
"FileZilla.xml".

This would *not* be possible if the developers had programmed the FileZilla 
client to save the config file under %homepath% which would be 
"C:\Documents and Settings\username\FileZilla.xml" by default.

The advantage of the %homepath% directory is that, by default, only its 
owner and users within the "administrators" group have read access (rather 
than all users).
Disclaimer
----------
If I get a response from the project developers arguing that the previous
security flaw is not a vulnerability but rather a feature, I will simply
*not* answer.

No offence, but I'm not willing to waste my time with the common "insecure
by design" debate. In my humble opinion applications should *never* store
user credentials in locations in the file system that are readable by
all users (unless you want all users to steal your passwords).

PoC
---
I coded a small tool which dumps all users' credentials from
"FileZilla.xml" and the registry and decrypts all passwords found.

In order to exploit this vulnerability the credentials need to be saved 
in "FileZilla.xml" (rather than the registry). Luckily, the XML 
file is the default location used to save the credentials :-)

In case the credentials were stored in the registry, then you would
need to run this tool as the user you want to dump the credentials
from (this is because the credentials are saved under
"HKEY_CURRENT_USER" rather than HKEY_LOCAL_MACHINE).

Executable and source code along with Visual Studio project file:

http://www.ikwt.com/projects/filezilla-pwdump.zip
http://www.adrianpv.com/projects/filezilla-pwdump.zip

I tested this tool in Windows XP SP1 by running it with restricted accounts
from the "Users" and "Guests" groups and it successfully dumped all
users' credentials (including admins').

This is possible because the default Windows ACLs of the
%programfiles% directory grant *read* access to all users. As far as I know
this is true in Windows 2000 SPX and Windows XP SPX as well (please correct
me if I'm wrong as I'm *not* a computer security guru).

Solution
--------
Choose to save user settings in the Windows registry or select
"Use secure mode" during the installation (this disables FileZilla client
from saving passwords at all), lock down your client machines where the
FileZilla client is installed.

Alternatively you can try convincing the FileZilla developers to modify
the application so that each user's credentials are stored in
his/her home folder.

Regards,
pagvac (Adrian Pastor)
Earth, SOLAR SYSTEM
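
An audit check for the ACL difference the advisory describes, as an added example that is not part of the original post or of FileZilla: it parses the text printed by the Windows `icacls` tool and reports which all-users principals can read a credential file. Using `icacls` at all is an assumption (the advisory names no tool), and the two ACL listings, the account names and the function names are constructed for illustration.

```python
import re

# Principals that cover every local account, compared case-insensitively.
BROAD_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "builtin\\guests",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# icacls tokens that mark inheritance rather than an access right.
INHERITANCE = {"I", "OI", "CI", "IO", "NP"}
# Simple and specific rights that allow reading the file's contents.
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "GA", "RD"}

# Constructed sample: a config file under %programfiles% inheriting read for Users.
PROGRAM_FILES_XML = r"C:\Program Files\FileZilla\FileZilla.xml"
PROGRAM_FILES_ACL = r"""C:\Program Files\FileZilla\FileZilla.xml NT AUTHORITY\SYSTEM:(I)(F)
                                         BUILTIN\Administrators:(I)(F)
                                         BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files"""

# Constructed sample: the same file kept in one user's profile directory.
PROFILE_XML = r"C:\Documents and Settings\alice\FileZilla.xml"
PROFILE_ACL = r"""C:\Documents and Settings\alice\FileZilla.xml NT AUTHORITY\SYSTEM:(I)(F)
                                              BUILTIN\Administrators:(I)(F)
                                              WORKSTATION\alice:(I)(F)

Successfully processed 1 files; Failed processing 0 files"""


def parse_icacls(path, output):
    """Parse `icacls <path>` text into (principal, rights, is_deny) tuples."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):
            line = line[len(path):]      # the first ACE shares a line with the path
        line = line.strip()
        if ":(" not in line:
            continue                     # blank line or the summary line
        principal, _, rest = line.partition(":(")
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", "(" + rest):
            tokens.update(t.strip() for t in group.split(","))
        is_deny = "DENY" in tokens
        aces.append((principal, tokens - INHERITANCE - {"DENY"}, is_deny))
    return aces


def broad_readers(path, output):
    """Return the all-users principals that an allow ACE lets read the file."""
    aces = parse_icacls(path, output)
    denied = {p.lower() for p, rights, deny in aces
              if deny and rights & READ_RIGHTS}
    return sorted({
        p for p, rights, deny in aces
        if not deny and rights & READ_RIGHTS
        and p.lower() in BROAD_PRINCIPALS and p.lower() not in denied
    })


if __name__ == "__main__":
    for path, acl in ((PROGRAM_FILES_XML, PROGRAM_FILES_ACL),
                      (PROFILE_XML, PROFILE_ACL)):
        print(path, "->", broad_readers(path, acl) or "no broad readers")
```
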

Re[2]: [Full-disclosure] NUL Character Evasion

2005-09-16 Thread 3APA3A
Dear Steffen Kluge,

This is old news reported long time ago by ben moeckel (ben.moeckel at
online.de), see http://www.security.nnov.ru/advisories/content.asp

9. Bypassing filters with special characters

  There  are some characters client application may ignore silently. For
  Example, for HTML browsers:

  0, 9, 10, 13, 173 for Opera
  13, 10, 9, 0 for Internet Explorer

  by inserting characters with these codes into a document it's possible to
  hide some dangerous tags from a content filter.

  Reported by ben.moeckel at online.de

--Friday, September 16, 2005, 10:25:06 AM, you wrote to 
full-disclosure@lists.grok.org.uk:

SK On Tue, 2005-09-13 at 23:24 +0200, [EMAIL PROTECTED] wrote:
 Internet Explorer ignores NUL characters
 -- i.e. ascii characters with the value 0x00 -- most
 security software does not.

SK Interesting. Did you test this with Outlook as well?

SK Cheers
SK Steffen.



-- 
~/ZARAZA
There are versions of Othello there in which Desdemona strangles the Moor. (Lem)
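
The filter-bypass point in the quoted advisory, seen from the filter's side, as an added example that is not part of the original post or of any product: a signature check on the raw text misses a tag split by a character the client drops, while a check that also scans each client's canonical view (the code points listed above removed) catches it. The signature, the function names and the sample markup are constructed for illustration.

```python
import re

# Code points the advisory lists as silently ignored, per client.
IGNORED = {
    "opera": {0, 9, 10, 13, 173},
    "ie": {13, 10, 9, 0},
}

# Deliberately simple signature: an opening "<script" prefix, any case.
SIGNATURE = re.compile(r"<\s*script", re.IGNORECASE)

# Constructed sample inputs.
PLAIN = '<script src="x.js"></script>'
NUL_SPLIT = '<scr\x00ipt src="x.js"></scr\x00ipt>'
SOFT_HYPHEN_SPLIT = '<scr\u00adipt src="x.js"></script>'
BENIGN = "<p>notes on a manuscript</p>"


def canonicalize(text, client):
    """Return the text as the named client would see it."""
    drop = IGNORED[client]
    return "".join(ch for ch in text if ord(ch) not in drop)


def naive_match(text):
    """Scan only the bytes as received, as the evaded filters do."""
    return SIGNATURE.search(text) is not None


def hardened_match(text):
    """Scan the raw text and every client's canonical view of it."""
    views = [text] + [canonicalize(text, client) for client in IGNORED]
    return any(SIGNATURE.search(view) for view in views)


def anomalies(text):
    """Return (offset, code point) for NUL or soft hyphen inside a tag.

    Tab, CR and LF are not reported: they legitimately separate attributes,
    so flagging them would bury the real findings.
    """
    found, in_tag = [], False
    for offset, ch in enumerate(text):
        if ch == "<":
            in_tag = True
        elif ch == ">":
            in_tag = False
        elif in_tag and ord(ch) in (0, 173):
            found.append((offset, ord(ch)))
    return found


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("nul", NUL_SPLIT),
                         ("soft hyphen", SOFT_HYPHEN_SPLIT), ("benign", BENIGN)):
        print(name, naive_match(sample), hardened_match(sample), anomalies(sample))
```
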



[Full-disclosure] [SECURITY] [DSA 815-1] New kdebase packages fix local root vulnerability

2005-09-16 Thread Martin Schulze
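--------------------------------------------------------------------------
Debian Security Advisory DSA 815-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
September 16th, 2005 http://www.debian.org/security/faq
--------------------------------------------------------------------------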

Package: kdebase
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE ID : CAN-2005-2494

Ilja van Sprundel discovered a serious lock file handling error in
kcheckpass that can, in some configurations, be used to gain root
access.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 3.3.2-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 3.4.2-3.

We recommend that you upgrade your kdebase-bin package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------


[Full-disclosure] (TOOL) TAPiON ver 0.1c

2005-09-16 Thread Piotr Bania

Hi,

For those who are interested, new version (0.1c) of TAPiON (polymorphic 
decryptor generator) is now available. The package can be downloaded at:


http://pb.specialised.info/all/tapion/

- the list of changes in 0.1c version is also stored at this url.

best regards,
Piotr Bania


--

Piotr Bania - [EMAIL PROTECTED] - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info  - Key ID: 0xBE43AC33


   Before me nothing was created
but eternal things, and I endure eternally.
Abandon all hope, you who enter
  - Dante, Inferno Canto III


[Full-disclosure] ncompress insecure temporary file creation

2005-09-16 Thread ZATAZ Audits

#

ncompress insecure temporary file creation

Vendor: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/
Advisory: http://www.zataz.net/adviso/ncompress-09052005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#

The vulnerability is caused by a temporary file being created insecurely.
This can be exploited via symlink attacks in combination with a race
condition to create and overwrite arbitrary files
with the privileges of the user running the affected script.

Secunia has reported that D1g1t4lLeech has discovered this bug
the 2005-09-16

ZATAZ Audit has discovered this bug the 2005-09-05

D1g1t4lLeech is a true Leecher :)

Gentoo Security take care on your IRC Channel, spy everywhere.

##
Versions:
##

ncompress = 4.2.4-r1

##
Solution:
##

To prevent symlink attack use kernel patch such as grsecurity

#
Timeline:
#

Discovered : 2005-09-05
Vendor notified : 2005-09-05
Vendor response : no response
Vendor fix : no patch
Vendor Sec report ([EMAIL PROTECTED]) :
Disclosure :

#
Technical details :
#

ncompress uses a vulnerable version of zdiff and zcmp.

#
Related :
#

Secunia : http://secunia.com/advisories/13131/
CVE : CAN-2004-0970

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)
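
What the symlink race looks like from the file-creation side, as an added example that is not code from ncompress, zdiff or zcmp and not the vendor's fix: writing to a predictable name follows a link planted there beforehand, while an exclusive create or `mkstemp` does not. Everything runs inside a private scratch directory, and all file names are constructed.

```python
import os
import tempfile


def unsafe_write(path, data):
    """Predictable-name pattern: a plain open() follows an existing symlink."""
    with open(path, "w") as fh:
        fh.write(data)


def exclusive_write(path, data):
    """Create the file only if the name is unused.

    O_CREAT | O_EXCL fails with FileExistsError when anything already has
    the name, a symlink included, so a planted link is never followed.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def mkstemp_write(directory, data):
    """Let the library pick an unpredictable name and create it exclusively."""
    fd, name = tempfile.mkstemp(prefix="zdiff.", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return name


def read_text(path):
    with open(path) as fh:
        return fh.read()


def demo():
    """Run the three writers against a planted symlink; return what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.txt")
        # Stands in for a guessable /tmp/<name>.<pid> path.
        predictable = os.path.join(scratch, "tmp.12345")

        unsafe_write(victim, "original")
        os.symlink(victim, predictable)          # link exists before the write

        unsafe_write(predictable, "scratch data")
        results["unsafe_overwrote_victim"] = read_text(victim) == "scratch data"

        unsafe_write(victim, "original")         # reset for the next case
        try:
            exclusive_write(predictable, "scratch data")
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True
        results["victim_intact_after_exclusive"] = read_text(victim) == "original"

        name = mkstemp_write(scratch, "scratch data")
        results["mkstemp_mode"] = os.stat(name).st_mode & 0o777
        results["mkstemp_avoided_link"] = (
            name != predictable and read_text(victim) == "original"
        )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
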


[Full-disclosure] Message for D1g1t4lLeech ZATAZ Audit has discovered this bug the 2005-09-05 D1g1t4lLeech you are a true Leecher ;)

2005-09-16 Thread ZATAZ Audits

Hello Mister D1g1t4lLeech,

You are not able to find by yourself security holes ;)

So you leech other people research.

Go back to your kazaa leech.

Secunia, you continue to not respect vendor release dates ;)

Bye


Re: [Full-disclosure] LSADump2 Crashing Windows

2005-09-16 Thread Nicolas RUFF
> This is a bug in lsadump2 - there's a type mismatch in one of the
> functions, although I forget which one. Something is a pointer which
> shouldn't be, or vice versa. Once you fix that, it'll be good to go.

Are you sure about that ?
After investigating deeper, I found several problems in LSADUMP2 :
- Buffers too small (300 bytes for the smallest)
- Allocated memory not flagged as executable (that is why LSADUMP2 is
not compatible with the NX flag)
- Reuse of freed memory

Here is a small patch that has been tested successfully on Windows XP SP2
with DEP AlwaysOn enabled (where LSADUMP2 failed).

Regards,
- Nicolas RUFF
Security researcher @ EADS-CCR

---

diff lsadump2/dumplsa.c lsadump3/dumplsa.c
34a35
 #define BUF_SIZE 1024
110c111
 char szBuffer[1000];
---
 char szBuffer[BUF_SIZE];
137c138
 TCHAR szBuffer[300];
---
 TCHAR szBuffer[BUF_SIZE];
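
Review bot: `TCHAR szBuffer[BUF_SIZE]` at line 138 is BUF_SIZE characters, not BUF_SIZE bytes, so in a Unicode build it is twice the byte size of the `char szBuffer[BUF_SIZE]` at line 111. The code that fills it is not part of this hunk; wherever it passes a length, that should be `sizeof(szBuffer)` or `sizeof(szBuffer) / sizeof(szBuffer[0])` according to whether the API expects bytes or characters, not a literal carried over from the old 300.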
189c190
 WCHAR wszSecret[500];
---
 WCHAR wszSecret[BUF_SIZE];
230c231
 char szSecret[500];
---
 char szSecret[BUF_SIZE];
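
Review bot: raising `wszSecret` and `szSecret` from 500 to BUF_SIZE (lines 190 and 231) moves the limit but keeps fixed-size buffers for data whose length this code does not control. The copy or conversion into `szSecret` is not shown in the diff; it should be bounded by `sizeof(szSecret)` and the oversize case handled explicitly, otherwise a value longer than 1024 overruns the buffer just as a value longer than 500 did before.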
242a244
   lsaData = NULL;
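
Review bot: `lsaData = NULL;` at line 244 clears the dangling pointer but the hunk adds no NULL check, so a later use of `lsaData` becomes a NULL dereference instead of a reuse of freed memory. Please confirm each later use tests the pointer first, and add a one-line comment saying which free this reset pairs with.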

diff lsadump2/lsadump2.c lsadump3/lsadump2.c
261c261
MEM_COMMIT, PAGE_READWRITE);
---
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
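
Review bot: the switch to `PAGE_EXECUTE_READWRITE` at line 261 carries no comment saying why this allocation needs execute permission. The message explains it (the unpatched build fails under DEP AlwaysOn on XP SP2), but the source should say so too, since a region that is both writable and executable is the first thing a later reader will question.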


Re: [Full-disclosure] PGPNet Upgrade path ?

2005-09-16 Thread Martijn Lievaart
Aditya Deshmukh said:

> What alternatives are there to pgpnet ?

Have a look at OpenVPN.

M4





Re: [Full-disclosure] Message for D1g1t4lLeech ZATAZ Audit has discovered this bug the 2005-09-05 D1g1t4lLeech you are a true Leecher ; )

2005-09-16 Thread Siegfried
If it's on your site, then it's released. Security sites publish
advisories as soon as they are online.
Put an index or just put your advisories there when you wanna release
them if you don't want to annoy us and to be annoyed by leechers.
I didn't find any reference about the D1g1t4lLeech mentioned in their
advisories though; they'll probably correct them.

--
Hello Mister D1g1t4lLeech,

You are not able to find by yourself security holes ;)

So you leech other people research.

Go back to your kazaa leech.

Secunia, you continue to not respect vendor release dates ;)

Bye


Re: [Full-disclosure] NUL Character Evasion

2005-09-16 Thread Williams, James K

 List:   full-disclosure
 Subject:Re: [Full-disclosure] NUL Character Evasion
 From:   fd () ew ! nsci ! us
 Date:   2005-09-15 19:57:30

   On Thu, 15 Sep 2005, Williams, James K wrote:
   List:   full-disclosure
   Subject:[Full-disclosure] NUL Character Evasion
   From:   ju () heisec ! de
   Date:   2005-09-13 21:24:42
 
  Thank you for the report.  Computer Associates is currently 
  investigating the issue (as it relates to CA products).
  
  Regards,
  kw
 
 Ken,  

 How long until this update hits your product?

 -Eric

 -- 
 Eric Wheeler

As initially suspected, from the AV signature perspective, this
is not a critical issue until and unless something specific 
shows up in the wild or is reported to a vendor. The NUL char 
insertion concept is similar in theory to, for example, K2's 
classic ADMmutate[1] polymorphic shellcode engine for NIDS 
evasion, or simply adding NOPs to an executable. Alex and 
Neel[2] discussed this class of AV vulns at core05 and Blackhat.

Regards,
kw

[1] http://www.ktwo.ca/security.html
[2] http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-wheeler.pdf



RE: [Full-disclosure] PGPNet Upgrade path ?

2005-09-16 Thread Aditya Deshmukh
>> What alternatives are there to pgpnet ?
>
> Have a look at OpenVPN.

Thanks Martijn, but isn't that an SSL VPN? And from what I 
have read about PGPnet I need an IPSEC VPN that uses 
PGP keys to do the auth.

I know for ipsec VPNs I could use the winxp's builtin, 
but that would require moving all the PGP keys to 
X.509 certs.





Re: [Full-disclosure] FileZilla (client) public credentials vulnerability

2005-09-16 Thread Tobias Ulmer
PASTOR ADRIAN wrote:
> Title: FileZilla (client) public credentials vulnerability
> Risk: Medium
> Versions affected: =2.2.15
> Credits: pagvac (Adrian Pastor)
> Date found: 10th September, 2005
> Homepage: www.ikwt.com www.adrianpv.com
> E-mail: m123303 [ - a t - ] richmond.ac.uk

[...]

> Regards,
> pagvac (Adrian Pastor)
> Earth, SOLAR SYSTEM
 

I don't know why I even reply... But anyway, I attached a screen shot
especially for you. Please read it.

a) FileZilla Users most probably are the only user of the computer. This
is why the default makes sense (They work as administrator anyways).

b) There is a secure mode which prevents you from saving any password
at all which is the best solution if you want to be on the safe side.

c) There is an option to save the settings in the registry and ignore
the xml file. Settings are stored in HKEY_CURRENT_USER which is in fact
under X:\%homepath%\username\NTUSER.DAT and is protected by the
filesystem ACL.

Tobias






[Full-disclosure] [CIRT.DK - Advisory 37] TAC Vista Webstation 3.0 Directory Traversal bug in webinterface

2005-09-16 Thread CIRT.DK Advisory

TAC Vista is based on open technologies. TAC Vista® is one of the most
advanced software solutions for building automation. 
TAC Vista efficiently and economically controls, checks and analyzes all
building operations, allowing system operators to control and monitor entire
systems on site or from remote locations. 

The Web application is running on a Microsoft IIS 5.0 Server in this case. 

The problem is occurring in the input field of where the Template is called,
resulting in the possibility to traverse into other parts of the system.

Read the full Advisory at http://www.cirt.dk



[Full-disclosure] Search Results w/Trojan?

2005-09-16 Thread 'FoR ReaLz' E. Balansay

Hello all!

My system's relevant info:
Windows XP SP2 fully patched
McAfee VirusScan 7.1 Engine 4.4 Definition 4581


Using XP SP2's Internet Explorer, in Google, I used the following search 
query:


mcafee driver packet received from the i/o subsystem patch 11

When the results return from Google a trojan comes along as well, as 
detected by McAfee AV.


I'm aware that browsing to malicious sites can pass malware to users who 
visit those sites, but this is new to me: Trojans being passed through 
Google results.


Is passing of malicious programs through search engine results common?

Goodbye!
Edgardo
(not the same newbie Edgardo from a couple threads ago  =) )


Re: [Full-disclosure] Search Results w/Trojan?

2005-09-16 Thread Fergie (Paul Ferguson)
Get in line:

 http://www.eeye.com/html/research/upcoming/20050915.html

More:

 http://www.eeye.com/html/research/upcoming/index.html

- ferg


-- 'FoR ReaLz' E. Balansay [EMAIL PROTECTED] wrote:

Hello all!

My systems relevant info:
Windows XP SP2 fully patched
Mcafee VirusScan 7.1 Engine 4.4 Definition 4581


Using XP SP2s Internet Explorer, in Google, i used the following search 
query:

mcafee driver packet received from the i/o subsystem patch 11

When the results return from google a trojan comes along as well, as 
detected by McAfee AV.

I'm aware that browsing to malicious sites can pass malware to users who 
visit those sites, but this is new to me:  Trojans being passed through 
google results.

Are passing of malicious programs through search engine results common?

Goodbye!
Edgardo
(not the same newbie Edgardo from a couple threads ago  =) )

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



[Full-disclosure] Greyhats Security back online

2005-09-16 Thread Paul



It's been a while, but I have decided that because 
a lot of valuable information is hosted on greyhatsecurity.org, that it is 
within everyone's best interest to share the material.

Some things that have changed:
- The layout. The navigation system looks a lot 
cooler now (IMHO) and is easier to follow/more categorical.
- Bias is gone. No more criticism of either 
Microsoft or Mozilla will be found on my website unless I deem it necessary for 
the progress of computer security.

You can find Greyhats Security at its old address, 
http://greyhatsecurity.org.

Kind regards,
Paul
Greyhats Security
http://greyhatsecurity.org

RE: [Full-disclosure] PGPNet Upgrade path ?

2005-09-16 Thread Gary E. Miller
Yo Aditya!

On Fri, 16 Sep 2005, Aditya Deshmukh wrote:

>>> What alternatives are there to pgpnet ?
>>
>> Have a look at OpenVPN.
>
> Thanks Martijn, but isn`t that a SSL vpn ? And from what I
> have read about PGPnet I need a IPSEC VPN that uses
> PGP keys to do the auth.

IPSEC has nothing to do with PGP.  Also there is really no such thing
as a PGP key.  PGP uses whatever key scheme you ask it to use.  IPSEC
is the same way.  Both use keys, but are not themselves key standards.

OpenVPN similarly can use whatever key scheme you wish.  Since it is
based on the OpenSSL crypto libs it is very flexible that way.  For
simple setups you can use pre-shared keys.  For more complex setups
you can use public/private key pairs of any type that OpenSSL understands.

On top of that you can layer on other auth schemes like username/passwords
and such.

IMHO, if OpenVPN does not do what you want then you misunderstand the
problem.


RGDS
GARY
- ---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676



RE: [Full-disclosure] Search Results w/Trojan?

2005-09-16 Thread Madison, Marc
What Trojan does McAfee report? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of 'FoR
ReaLz' E. Balansay
Sent: Friday, September 16, 2005 2:40 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Search Results w/Trojan?

Hello all!

My systems relevant info:
Windows XP SP2 fully patched
Mcafee VirusScan 7.1 Engine 4.4 Definition 4581


Using XP SP2s Internet Explorer, in Google, i used the following search
query:

mcafee driver packet received from the i/o subsystem patch 11

When the results return from google a trojan comes along as well, as
detected by McAfee AV.

I'm aware that browsing to malicious sites can pass malware to users who
visit those sites, but this is new to me:  Trojans being passed through
google results.

Are passing of malicious programs through search engine results common?

Goodbye!
Edgardo
(not the same newbie Edgardo from a couple threads ago  =) )


Re: [Full-disclosure] Re: Search Results w/ Trojan?

2005-09-16 Thread 'FoR ReaLz' E. Balansay

Hello!

I noticed the same message as well =), we're not using the ebay toolbar.

I have just verified these results from a Win2k3 fully patched machine 
with no additional applications installed, except for McAfee 7.1.


Would someone else like to search google for those terms and verify as 
well?  Search terms:


mcafee driver packet received from the i/o subsystem patch 11

Goodbye!
Edgardo

On Fri, 16 Sep 2005, Dyke, Tim wrote:


> I noticed the following on the McAfee site
>
> -- Update July 16, 2004 --
> An Incorrect Identification of Exploit-URLSpoof.gen has been found when
> scanning files associated with the eBay Toolbar. The file being detected
> as Exploit-URLSpoof.gen is wsasc.xml. If you are seeing this specific
> detection, please download the extra.dat files below which will correct
> the Incorrect Identification.
>
> Could this be a similar issue with your google search?
>
> Thanks





[Full-disclosure] Re: Search Results w/ Trojan?

2005-09-16 Thread craig
This is an accurate detection.  Google returns results that contain a 
hyperlink that contains the exploit. 

I've verified both the detection and exploit. 

Craig 


==
Using XP SP2s Internet Explorer, in Google, i used the following search
query: 

mcafee driver packet received from the i/o subsystem patch 11 


When the results return from google a trojan comes along as well, as
detected by McAfee AV. 





RE: [Full-disclosure] Search Results w/Trojan?

2005-09-16 Thread fd
On Fri, 16 Sep 2005, 'FoR ReaLz' E. Balansay wrote:

> On Fri, 16 Sep 2005, Madison, Marc wrote:
>
>> What Trojan does McAfee report?
>
> Exploit-URLSpoof.gen

See the %00? That is probably what McAfee calls an Exploit-URLSpoof.gen.  I 
would hardly call it a trojan ... still, it is interesting to see this 
show up in a googling.

[EMAIL PROTECTED]/zforen/sec/m/sec-112130-8756.html 

-Eric

 
> McAfee link:
> http://vil.nai.com/vil/content/v_100927.htm
>
> Goodbye!
> Edgardo

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770



[Full-disclosure] Web Application Security Analyzer for PHP-Nuke/phpBB CMS

2005-09-16 Thread Paul Laudanski
With all the discussions surrounding the PHP-Nuke CMS wrapping phpBB2 as 
its forums, I've released an application called Analyzer (version 2.0) 
available from Download.com.

It checks the following versions and reports if newer versions exist:

mysql
php
apache
phpnuke
phpbb

It also checks certain settings in the php.ini file such as 
register_globals and provides the full path.

Also assists in debugging the installation of the application.

Available here:
http://www.download.com/Analyzer/3000-2648_4-10397073.html

The script itself is written in PHP.

ref: http://en.wikipedia.org/wiki/Php-nuke

-- 
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops(SM), http://castlecops.com


