[Full-disclosure] Web Application Security Analyzer for PHP-Nuke/phpBB CMS

2005-09-16 Thread Paul Laudanski
With all the discussions surrounding the PHP-Nuke CMS wrapping phpBB2 as 
its forums, I've released an application called Analyzer (version 2.0) 
available from Download.com.

It checks the following versions and reports if newer versions exist:

mysql
php
apache
phpnuke
phpbb

It also checks certain settings in the php.ini file such as 
register_globals and provides the full path.

It also assists in debugging the installation of the application.

Available here:
http://www.download.com/Analyzer/3000-2648_4-10397073.html

The script itself is written in PHP.

ref: http://en.wikipedia.org/wiki/Php-nuke

-- 
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops(SM), http://castlecops.com



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Ethics and ramblins on Full DissClosure

2005-09-16 Thread J. Oquendo

You know I was thinking about how ironic it is that one should mention
"Full Disclosure" and "responsibility" in the same paragraph. How many
more redundant threads will one have to parse through regarding the
irresponsibilities of vendors who won't release a fix in a timely manner.
Then read more threads on how irresponsible people are for disclosing
vulnerabilities without contacting a vendor, or not waiting long enough
before releasing their disclosure.

Look it does not take a rocket scientist to figure out that vendors need
at least one or two years to fix their problems. Far too many times
though, people in the computer security industry wrongfully think that
corporations like Microsloth, Scam-mantec, Crisco, Oralckle, Crapafee and
others are solely after something as trivial as money or investments via
stock markets.

Let's be honest and forthright about the whole security industry nowadays.
It has not become a multibillion dollar industry filled with companies
gobbling up other companies, injecting FUD into the market to sell an
insecure product and make millions. Nope. The real answer is that
companies are creating wonderful products that are "powered by the
systems that take you where you want to go today". Those products often
don't have real issues; it's those god awful hackers, crackers, slackers and
open source people who are the real problem in this industry.

Someone should create a consortium to eradicate those who tinker and break
these wonderful products. Perhaps a "clean up squad" to ensure that no one
maliciously posts information that could break the Interweb and leak out
the kind of information that could lead to my identity being stolen.
I mean, it's not like I have to worry about anyone outside of those
companies in the technology field doing something stupid like leaking my
information [1][2][3][4].

The perfect consortium would consist of trustworthy companies like
Microsloth, Oralckle, Crisco, Scam-mantec, Crapafee. Their task would be
to ensure enough money and resources are available to bury someone in the
legal system with lawsuits, threats, even military-like "wet ops" to
ensure nothing is ever broken in the technology field again.

[1] http://www.msnbc.msn.com/id/8119720/
[2] http://news.com.com/Bank+of+America+loses+a+million+customer+records/2100-1029_3-5590989.html
[3] http://www.vnunet.com/vnunet/news/2138274/credit-card-hack-sets-record
[4] http://www.infoworld.com/articles/hn/xml/01/03/06/010306hnbiblio.html?0306alert
[5] http://www.cbc.ca/story/business/national/2005/06/17/equifax-050617.html

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"Just one more time for the sake of sanity tell me why
 explain the gravity that drove you to this..." Assemblage


RE: [Full-disclosure] Search Results w/Trojan?

2005-09-16 Thread fd
On Fri, 16 Sep 2005, 'FoR ReaLz' E. Balansay wrote:

> On Fri, 16 Sep 2005, Madison, Marc wrote:
> 
> > What Trojan does McAfee report?
> 
> Exploit-URLSpoof.gen

See the %00? That is probably what McAfee calls an Exploit-URLSpoof.gen.  I 
would hardly call it a trojan ... still, it is interesting to see this 
show up in a Google search.

[EMAIL PROTECTED]/zforen/sec/m/sec-112130-8756.html 

-Eric

> 
> McAfee link:
> http://vil.nai.com/vil/content/v_100927.htm
> 
> Goodbye!
> Edgardo

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770
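An added check for the pattern Eric points at, written here as an illustration and not code from the thread or from McAfee: the suspicious shape is a percent-encoded control byte (%00, %01) in the user-info part of a URL, ahead of the '@', because a client that stops at the decoded NUL displays the text before it as the host while actually connecting to the host after the '@'. The function names, the assumption that the %00 in the search-result link sat before an '@' (the list archive has redacted that part of Eric's URL), and the sample URLs are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Numeric value of a hex digit; the caller guarantees isxdigit(c). */
static int hexval(int c)
{
    c = tolower(c);
    return isdigit(c) ? c - '0' : c - 'a' + 10;
}

/* 1 if p points at "%XX" encoding a byte below 0x20 (a control character). */
static int is_control_escape(const char *p)
{
    if (p[0] != '%' || !isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
        return 0;
    return (hexval((unsigned char)p[1]) * 16 + hexval((unsigned char)p[2])) < 0x20;
}

/* Returns 1 when the URL's authority has a user-info part (an '@' before the
 * path) that contains a control-character escape, else 0. Escapes in the
 * path, query or fragment are ignored: they cannot disguise the host. */
int url_has_control_escape_in_userinfo(const char *url)
{
    const char *auth = strstr(url, "://");
    if (auth == NULL)
        return 0;
    auth += 3;
    size_t auth_len = strcspn(auth, "/?#");   /* authority ends at path, query or fragment */
    const char *at = memchr(auth, '@', auth_len);
    if (at == NULL)
        return 0;                             /* no user-info, nothing to hide behind */
    for (const char *q = auth; q + 2 < at; q++)
        if (is_control_escape(q))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample URLs, not links from the thread. */
    const char *samples[] = {
        "http://www.example.com%00@203.0.113.5/login.html",
        "http://www.example.com%01@203.0.113.5/",
        "http://user:secret@www.example.com/",
        "http://www.example.com/zforen/sec/m/index.html?x=%00",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-55s -> %s\n", samples[i],
               url_has_control_escape_in_userinfo(samples[i]) ? "SUSPECT" : "ok");
    return 0;
}
```

Run over a proxy log or a crawled result page, the first two samples are flagged and the ordinary credential-in-URL and query-string cases are not; the check deliberately stays narrow so that it is a signal about the authority part, not a general "contains %00" grep.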



[Full-disclosure] Re: Search Results w/ Trojan?

2005-09-16 Thread craig
This is an accurate detection.  Google returns results that contain a 
hyperlink that contains the exploit. 

I've verified both the detection and exploit. 

Craig 


==
Using XP SP2's Internet Explorer, in Google, I used the following search
query: 

mcafee "driver packet received from the i/o subsystem" "patch 11" 

When the results return from Google a trojan comes along as well, as
detected by McAfee AV. 





Re: [Full-disclosure] Re: Search Results w/ Trojan?

2005-09-16 Thread 'FoR ReaLz' E. Balansay

Hello!

I noticed the same message as well =), we're not using the eBay toolbar.

I have just verified these results from a Win2k3 fully patched machine 
with no additional applications installed, except for McAfee 7.1.


Would someone else like to search Google for those terms and verify as 
well?  Search terms:

mcafee "driver packet received from the i/o subsystem" "patch 11"

Goodbye!
Edgardo

On Fri, 16 Sep 2005, Dyke, Tim wrote:

> I noticed the following on the McAfee site:
> 
> -- Update July 16, 2004 --
> An Incorrect Identification of Exploit-URLSpoof.gen has been found when
> scanning files associated with the eBay Toolbar. The file being detected
> as Exploit-URLSpoof.gen is wsasc.xml. If you are seeing this specific
> detection, please download the extra.dat files below which will correct
> the Incorrect Identification.
> 
> Could this be a similar issue with your Google search?
> 
> Thanks





[Full-disclosure] Re: Search Results w/ Trojan?

2005-09-16 Thread Dyke, Tim
I noticed the following on the McAfee site:

-- Update July 16, 2004 -- 
An Incorrect Identification of Exploit-URLSpoof.gen has been found when
scanning files associated with the eBay Toolbar. The file being detected
as Exploit-URLSpoof.gen is wsasc.xml. If you are seeing this specific
detection, please download the extra.dat files below which will correct
the Incorrect Identification.

Could this be a similar issue with your Google search?

Thanks




[Full-disclosure] Greyhats Security fixed

2005-09-16 Thread Paul



Firefox navigation bug fixed (sorry about that)

Paul
Greyhats Security
http://greyhatsecurity.org

RE: [Full-disclosure] Search Results w/Trojan?

2005-09-16 Thread 'FoR ReaLz' E. Balansay

On Fri, 16 Sep 2005, Madison, Marc wrote:

> What Trojan does McAfee report?

Exploit-URLSpoof.gen

McAfee link:
http://vil.nai.com/vil/content/v_100927.htm

Goodbye!
Edgardo


RE: [Full-disclosure] Search Results w/Trojan?

2005-09-16 Thread Madison, Marc
What Trojan does McAfee report? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of 'FoR
ReaLz' E. Balansay
Sent: Friday, September 16, 2005 2:40 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Search Results w/Trojan?

Hello all!

My systems relevant info:
Windows XP SP2 fully patched
Mcafee VirusScan 7.1 Engine 4.4 Definition 4581


Using XP SP2's Internet Explorer, in Google, I used the following search
query:

mcafee "driver packet received from the i/o subsystem" "patch 11"

When the results return from Google a trojan comes along as well, as
detected by McAfee AV.

I'm aware that browsing to malicious sites can pass malware to users who
visit those sites, but this is new to me:  Trojans being passed through
Google results.

Is passing malicious programs through search engine results common?

Goodbye!
Edgardo
(not the same newbie "Edgardo" from a couple threads ago  =) )




RE: [Full-disclosure] PGPNet Upgrade path ?

2005-09-16 Thread Gary E. Miller
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yo Aditya!

On Fri, 16 Sep 2005, Aditya Deshmukh wrote:

> > > What alternatives are there to pgpnet ?
> >
> > Have a look at OpenVPN.
>
> Thanks Martijn, but isn't that a SSL vpn ? And from what I
> have read about PGPnet I need a IPSEC VPN that uses
> PGP keys to do the auth.

IPSEC has nothing to do with PGP.  Also there is really no such thing
as a PGP key.  PGP uses whatever key scheme you ask it to use.  IPSEC
is the same way.  Both use keys, but are not themselves key standards.

OpenVPN similarly can use whatever key scheme you wish.  Since it is
based on the OpenSSL crypto libs it is very flexible that way.  For
simple setups you can use pre-shared keys.  For more complex setups
you can use public/private key pairs of any type that OpenSSL understands.

On top of that you can layer on other auth schemes like username/passwords
and such.

IMHO, if OpenVPN does not do what you want then you misunderstand the
problem.


RGDS
GARY
- ---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDKyni8KZibdeR3qURAv9tAJ9YxZiCL/QUCpM2ciZV2apCuj8MSgCffY1s
qOCCYwH7H5Ts0B2iL525tm4=
=+8Dj
-END PGP SIGNATURE-



[Full-disclosure] Greyhats Security back online

2005-09-16 Thread Paul



It's been a while, but I have decided that because a lot of valuable
information is hosted on greyhatsecurity.org, it is within everyone's
best interest to share the material.

Some things that have changed:
- The layout. The navigation system looks a lot cooler now (IMHO) and is
easier to follow/more categorical.
- Bias is gone. No more criticism of either Microsoft or Mozilla will be
found on my website unless I deem it necessary for the progress of
computer security.

You can find Greyhats Security at its old address,
http://greyhatsecurity.org.
 
Kind regards,
Paul
Greyhats Security
http://greyhatsecurity.org

Re: [Full-disclosure] Search Results w/Trojan?

2005-09-16 Thread Fergie (Paul Ferguson)
Get in line:

 http://www.eeye.com/html/research/upcoming/20050915.html

More:

 http://www.eeye.com/html/research/upcoming/index.html

- ferg


-- "'FoR ReaLz' E. Balansay" <[EMAIL PROTECTED]> wrote:

Hello all!

My systems relevant info:
Windows XP SP2 fully patched
Mcafee VirusScan 7.1 Engine 4.4 Definition 4581


Using XP SP2's Internet Explorer, in Google, I used the following search 
query:

mcafee "driver packet received from the i/o subsystem" "patch 11"

When the results return from Google a trojan comes along as well, as 
detected by McAfee AV.

I'm aware that browsing to malicious sites can pass malware to users who 
visit those sites, but this is new to me:  Trojans being passed through 
Google results.

Is passing malicious programs through search engine results common?

Goodbye!
Edgardo
(not the same newbie "Edgardo" from a couple threads ago  =) )

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



[Full-disclosure] Search Results w/Trojan?

2005-09-16 Thread 'FoR ReaLz' E. Balansay

Hello all!

My systems relevant info:
Windows XP SP2 fully patched
Mcafee VirusScan 7.1 Engine 4.4 Definition 4581


Using XP SP2's Internet Explorer, in Google, I used the following search 
query:

mcafee "driver packet received from the i/o subsystem" "patch 11"

When the results return from Google a trojan comes along as well, as 
detected by McAfee AV.

I'm aware that browsing to malicious sites can pass malware to users who 
visit those sites, but this is new to me:  Trojans being passed through 
Google results.

Is passing malicious programs through search engine results common?

Goodbye!
Edgardo
(not the same newbie "Edgardo" from a couple threads ago  =) )


Re: [Full-disclosure] FireFox Host: Buffer Overflow is not just exploitable on FireFox

2005-09-16 Thread Juha-Matti Laurio

This problem also affects Thunderbird (tested) and I'm guessing
Netscape's Mail client (untested), though without JavaScript it really
can't do much except cause Thunderbird/Netscape to crash.

Include the linked source in an email for your testing.

http://www.milw0rm.com/down.php?id=1204

/str0ke


Only the newest 7.x version, 7.2, has an internal Mail client. Version 
8.0.3.3 is a browser-only version. Version 7.2 has unpatched, confirmed 
vulnerabilities due to its older codebase, as we know. Version 8 was 
released to fix them.
Your report will never reach Netscape due to the non-working security [at] 
netscape.org address (please read the instructions below on contacting the vendor).



On 9/13/05, Juha-Matti Laurio <[EMAIL PROTECTED]> wrote:
> >Hi all,
> >Research and development has led to a ~90% reliable working exploit for the
> >IDN Heap Buffer overrun in FireFox on WinXP and Win2k3 as long as DEP is
> >turned off and JavaScript is enabled. Some tweaking might yield an even
> >higher success ratio. It has also revealed that not only FireFox is
> >vulnerable to this vulnerability, but the exact same exploit works on the
> >latest releases of all these products based on the Mozilla engine:
> >- Mozilla FireFox 1.0.6 and 1.5beta,
> >- Mozilla Browser 1.7.11,
> >- Netscape 8.0.3.3 .
> >Recommendations for this vulnerability:
> >- FireFox and Mozilla: Install the workaround for (
> https://addons.mozilla.org/messages/307259.html).
> >- Netscape: hope they'll respond to this email and release a workaround.
> >- Wait for a patch and install it asap.
> >Recommendations to make it harder to exploit any FireFox vulnerability:
> >- Turn on DEP (Data Execution Prevention),
> >- Turn off JavaScript,
> >- Switch to another browser,
> >- Do not browse untrusted sites,
> >- Do not browse the web at all,
> >- Unplug your machine from the web,
> >- Wear a tinfoil hat.
> >Cheers,
> >SkyLined
> 
> BTW: From where is that security [at] netscape.org address?
> 1)
> An official security URL to Netscape is "Netscape Browser Bug Submission
> Form" at
> http://browser.netscape.com/ns8/support/bugreport.jsp
> (www.netscape.org redirects to home.netscape.com/ , of course they have
> netscape.org, netscape.net etc.)
> 
> For version 7.2 (and 7.x?) it is the following:
> http://wp.netscape.com/browsers/7/feedback/problem.html
> Two separate addresses due to different developer teams, according to
> my knowledge. Is there any new information?


---clip---

Please report your Netscape Mail client test results to Netscape with 
submission forms mentioned above.


- Juha-Matti



[Full-disclosure] [CIRT.DK - Advisory 37] TAC Vista Webstation 3.0 Directory Traversal bug in webinterface

2005-09-16 Thread CIRT.DK Advisory

TAC Vista is based on open technologies; TAC Vista(R) is one of the most
advanced software solutions for building automation. 
TAC Vista efficiently and economically controls, checks and analyzes all
building operations, allowing system operators to control and monitor entire
systems on site or from remote locations. 

The Web application is running on a Microsoft IIS 5.0 Server in this case. 

The problem occurs in the input field where the Template is called,
making it possible to traverse into other parts of the system.

Read the full Advisory at http://www.cirt.dk
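The advisory itself carries no code; the following is an added illustration of the server-side check that closes this class of bug, not CIRT.DK's or TAC's code. It canonicalises the requested template name with realpath() and serves it only if the result is still under the template directory. The function names, the throwaway directory and its index.tpl file are assumptions made for the example; on Windows the same prefix test is applied to the result of GetFullPathName.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Writes the canonical path of base_dir/name into out and returns 1 when it
 * exists and lies inside base_dir; returns 0 for a missing file, a traversal
 * (or symlink) out of base_dir, or an over-long path. */
int safe_template_path(const char *base_dir, const char *name,
                       char *out, size_t outlen)
{
    char base_real[PATH_MAX], joined[PATH_MAX], file_real[PATH_MAX];

    if (realpath(base_dir, base_real) == NULL)
        return 0;
    /* Always join under base_dir: an absolute name just becomes a subpath. */
    if (snprintf(joined, sizeof joined, "%s/%s", base_real, name) >= (int)sizeof joined)
        return 0;
    /* realpath() resolves every "..", "." and symlink, so the test below sees the real target. */
    if (realpath(joined, file_real) == NULL)
        return 0;
    size_t n = strlen(base_real);
    /* The prefix must match and end on a separator: "/srv/tpl" must accept
     * neither "/srv/tpl2/x" nor the directory itself. */
    if (strncmp(file_real, base_real, n) != 0 || file_real[n] != '/')
        return 0;
    if (strlen(file_real) >= outlen)
        return 0;
    strcpy(out, file_real);
    return 1;
}

/* Constructed sandbox: a throwaway directory under $TMPDIR (or /tmp) holding
 * one template, created on first call so the checks run on a real filesystem.
 * Returns the directory path, or NULL if it could not be created. */
const char *template_sandbox(void)
{
    static char dir[PATH_MAX];
    static int ready = 0;
    if (ready)
        return dir;
    const char *tmp = getenv("TMPDIR");
    snprintf(dir, sizeof dir, "%s/tplXXXXXX", (tmp && *tmp) ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)
        return NULL;
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/index.tpl", dir);
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return NULL;
    fputs("<html>constructed template</html>\n", f);
    fclose(f);
    ready = 1;
    return dir;
}

/* Removes the sandbox again; returns 0 on success. Call it last. */
int template_sandbox_cleanup(void)
{
    const char *dir = template_sandbox();
    if (dir == NULL)
        return -1;
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/index.tpl", dir);
    unlink(path);
    return rmdir(dir);
}

/* 1 if the sandbox would serve `name`, 0 if the request is refused. */
int sandbox_allows(const char *name)
{
    char resolved[PATH_MAX];
    const char *base = template_sandbox();
    return base != NULL && safe_template_path(base, name, resolved, sizeof resolved);
}

int main(void)
{
    const char *requests[] = { "index.tpl", "./index.tpl", "../../../etc/passwd",
                               "/etc/passwd", "missing.tpl" };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-22s -> %s\n", requests[i], sandbox_allows(requests[i]) ? "served" : "refused");
    return template_sandbox_cleanup() == 0 ? 0 : 1;
}
```

The comparison is done on canonical paths rather than by rejecting ".." in the input, so encoded or mixed separators, symlinks planted inside the template directory, and names such as "tpl2" that merely share a prefix with the directory are all handled by the same two lines.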



Re: [Full-disclosure] FileZilla (client) public credentials vulnerability

2005-09-16 Thread Tobias Ulmer
PASTOR ADRIAN wrote:
> Title:FileZilla (client) public credentials vulnerability
> Risk:Medium
> Versions affected: <=2.2.15
> Credits:  pagvac (Adrian Pastor)
> Date found:  10th September, 2005
> Homepage:  www.ikwt.com  www.adrianpv.com
> E-mail:   m123303 [ - a t - ] richmond.ac.uk
> 

[...]

> Regards,
> pagvac (Adrian Pastor)
> Earth, SOLAR SYSTEM
> 

I don't know why I even reply... But anyway, I attached a screen shot
especially for you. Please read it.

a) FileZilla users most probably are the only user of the computer. This
is why the default makes sense (they "work" as administrator anyways).

b) There is a "secure mode" which prevents you from saving any password
at all, which is the best solution if you want to be on the safe side.

c) There is an option to save the settings in the registry and ignore
the xml file. Settings are stored in HKEY_CURRENT_USER which is in fact
under X:\%homepath%\username\NTUSER.DAT and is protected by the
filesystem ACL.

Tobias






Re: [Full-disclosure] Forensic help?

2005-09-16 Thread Paul Robertson
On 9/12/05, Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> Anyway, much as I am an _only very occasional_ user of Ghost, I don't
> think I've ever used it NOT to make a sector-level, or raw disk image,
> style drive copy.  However, as I last used it so long ago, I decided to
> check I was not mis-remembering -- two seconds at Google turned up this
> URL discussing "...the Ghost switches to use for forensic imaging or
> for creating raw images (sector copies)..." (URL may wrap):
> 
> http://service1.symantec.com/SUPPORT/ghost.nsf/docid/200413481325?Op
> en&src=&docid=19

G'day Nick,

While you *can* use Ghost to get a complete image, the switches change
from version to version and it's really a PITA to test what does what
when.  Most folks I know in the field have decided there's too much
room for error with Ghost.  Also, it means more to document, which is
bad for the lazy ;).

Paul
-- 
www.compuwar.net


RE: [Full-disclosure] PGPNet Upgrade path ?

2005-09-16 Thread Aditya Deshmukh
> > What alternatives are there to pgpnet ?
> 
> Have a look at OpenVPN.

Thanks Martijn, but isn't that a SSL vpn ? And from what I 
have read about PGPnet I need a IPSEC VPN that uses 
PGP keys to do the auth.

I know for ipsec VPNs I could use the winxp's builtin, 
but that would require moving all the PGP keys to 
X.509 certs.





Re: [Full-disclosure] FireFox Host: Buffer Overflow is not just exploitable on FireFox

2005-09-16 Thread milw0rm Inc.
This problem also affects Thunderbird (tested) and I'm guessing
Netscape's Mail client (untested), though without JavaScript it really
can't do much except cause Thunderbird/Netscape to crash.

Include the linked source in an email for your testing.

http://www.milw0rm.com/down.php?id=1204

/str0ke

On 9/13/05, Juha-Matti Laurio <[EMAIL PROTECTED]> wrote:
> >Hi all,
> >Research and development has led to a ~90% reliable working exploit for the
> >IDN Heap Buffer overrun in FireFox on WinXP and Win2k3 as long as DEP is
> >turned off and JavaScript is enabled. Some tweaking might yield an even
> >higher success ratio. It has also revealed that not only FireFox is
> >vulnerable to this vulnerability, but the exact same exploit works on the
> >latest releases of all these products based on the Mozilla engine:
> >- Mozilla FireFox 1.0.6 and 1.5beta,
> >- Mozilla Browser 1.7.11,
> >- Netscape 8.0.3.3 .
> >Recommendations for this vulnerability:
> >- FireFox and Mozilla: Install the workaround for (
> https://addons.mozilla.org/messages/307259.html).
> >- Netscape: hope they'll respond to this email and release a workaround.
> >- Wait for a patch and install it asap.
> >Recommendations to make it harder to exploit any FireFox vulnerability:
> >- Turn on DEP (Data Execution Prevention),
> >- Turn off JavaScript,
> >- Switch to another browser,
> >- Do not browse untrusted sites,
> >- Do not browse the web at all,
> >- Unplug your machine from the web,
> >- Wear a tinfoil hat.
> >Cheers,
> >SkyLined
> 
> BTW: From where is that security [at] netscape.org address?
> 1)
> An official security URL to Netscape is "Netscape Browser Bug Submission
> Form" at
> http://browser.netscape.com/ns8/support/bugreport.jsp
> (www.netscape.org redirects to home.netscape.com/ , of course they have
> netscape.org, netscape.net etc.)
> 
> For version 7.2 (and 7.x?) it is the following:
> http://wp.netscape.com/browsers/7/feedback/problem.html
> Two separate addresses due to different developer teams, according to
> my knowledge. Is there any new information?
> 
> I have informed the vendor Netscape being affected on 9th September 2005.
> 
> 2)
> Disabling IDN support via about:config (or prefs.js file) is possible in
> Netscape Browser 8 too. Xpi file for Firefox and Mozilla Suite works in
> Netscape 8.0.3.3 too. Test was successful and even UA was changed to
> include Gecko/20050729 (No IDN) Netscape/8.0.3.3.
> However, the manual method is recommended.
> I.e. there is a workaround for Netscape. Vendor developer team contacted
> during a weekend, no reply yet.
> 
> 3)
> When an updated version of Netscape Browser 8 is available the download
> link is http://browser.netscape.com/ns8/download/default.jsp
> 
> - Juha-Matti
> 


Re: [Full-disclosure] NUL Character Evasion

2005-09-16 Thread Williams, James K

> List:   full-disclosure
> Subject:Re: [Full-disclosure] NUL Character Evasion
> From:   fd () ew ! nsci ! us
> Date:   2005-09-15 19:57:30
>
> > > On Thu, 15 Sep 2005, Williams, James K wrote:
> > > List:   full-disclosure
> > > Subject:[Full-disclosure] NUL Character Evasion
> > > From:   ju () heisec ! de
> > > Date:   2005-09-13 21:24:42
> >
> > Thank you for the report.  Computer Associates is currently 
> > investigating the issue (as it relates to CA products).
> > 
> > Regards,
> > kw
> 
> Ken,  
>
> How long until this update hits your product?
>
> -Eric
>
> -- 
> Eric Wheeler

As initially suspected, from the AV signature perspective, this
is not a critical issue until and unless something specific 
shows up in the wild or is reported to a vendor. The NUL char 
insertion concept is similar in theory to, for example, K2's 
classic ADMmutate[1] polymorphic shellcode engine for NIDS 
evasion, or simply adding NOPs to an executable. Alex and 
Neel[2] discussed this class of AV vulns at core05 and Blackhat.

Regards,
kw

[1] http://www.ktwo.ca/security.html
[2] http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-wheeler.pdf



Re: [Full-disclosure] Message for D1g1t4lLeech ZATAZ Audit has discovered this bug the 2005-09-05 D1g1t4lLeech you are a true Leecher ; )

2005-09-16 Thread Siegfried
If it's on your site, then it's released; security sites publish
advisories as soon as they are online.
Put an index or just put your advisories there when you wanna release
them if you don't want to annoy us and to be annoyed by leechers.
I didn't find any reference to the D1g1t4lLeech mentioned in their
advisories though; they'll probably correct them.

--
>Hello Mister D1g1t4lLeech,
>
>You are not able to find by yourself security holes ;)
>
>So you leech other people research.
>
>Go back to your kazaa leech.
>
>Secunia, you continue to not respect vendor release dates ;)
>
>Bye


Re: [Full-disclosure] PGPNet Upgrade path ?

2005-09-16 Thread Martijn Lievaart
Aditya Deshmukh zei:

> What alternatives are there to pgpnet ?

Have a look at OpenVPN.

M4





Re: [Full-disclosure] LSADump2 Crashing Windows

2005-09-16 Thread Nicolas RUFF
> This is a bug in lsadump2 - there's a type mismatch in one of the
> functions, although I forget which one. Something is a pointer which
> shouldn't be, or vice versa. Once you fix that, it'll be good to go.

Are you sure about that ?
After investigating deeper, I found several problems in LSADUMP2 :
- Buffers too small (300 bytes for the smallest)
- Allocated memory not flagged as executable (that is why LSADUMP2 is
not compatible with the NX flag)
- Reuse of freed memory

Here is a small patch that has been tested successfully on Windows XP SP2
with DEP "AlwaysOn" enabled (where LSADUMP2 failed).

Regards,
- Nicolas RUFF
Security researcher @ EADS-CCR

---

diff lsadump2/dumplsa.c lsadump3/dumplsa.c
34a35
> #define BUF_SIZE 1024
110c111
< char szBuffer[1000];
---
> char szBuffer[BUF_SIZE];
137c138
< TCHAR szBuffer[300];
---
> TCHAR szBuffer[BUF_SIZE];
189c190
< WCHAR wszSecret[500];
---
> WCHAR wszSecret[BUF_SIZE];
230c231
< char szSecret[500];
---
> char szSecret[BUF_SIZE];
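Review bot: the four declaration changes (110c111, 137c138, 189c190, 230c231) only widen the fixed buffers to BUF_SIZE; nothing visible in these hunks bounds the writes into szBuffer, wszSecret or szSecret, so a value longer than 1024 bytes (or 1024 WCHARs) overflows exactly as the 300/500-element versions did. Pair the new constant with length-checked copies, for instance `StringCbCopy(szBuffer, sizeof szBuffer, src)` or an explicit `if (len >= BUF_SIZE) return;` before each copy, and state in the description which buffer actually overflowed so the 1024 figure can be justified rather than guessed.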
242a244
>   lsaData = NULL;
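Review bot: `lsaData = NULL;` after the release only prevents the reuse-of-freed-memory problem named in the text if every later use of lsaData tests for NULL first; this hunk carries no context line, so it is not clear where the pointer was freed or where it is read again. Add the context (or the NULL checks) so a reviewer can confirm the ordering, and prefer freeing the buffer once after its last use over nulling it and testing later.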

diff lsadump2/lsadump2.c lsadump3/lsadump2.c
261c261
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
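Review bot: this hunk is truncated; only the fragment `MEM_COMMIT, PAGE_EXECUTE_READWRITE);` survives, without the `<` line it replaces or the VirtualAlloc call it belongs to, so the lsadump2.c part of the patch cannot be applied as posted. Note also that a page mapped writable and executable at once is the widest possible answer to the NX failure described above; keeping to W^X (execute permission only on the region that must run, granted after it is filled) is the standard practice, and RWX allocations are a common trigger for endpoint monitoring.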


[Full-disclosure] Message for D1g1t4lLeech ZATAZ Audit has discovered this bug the 2005-09-05 D1g1t4lLeech you are a true Leecher ;)

2005-09-16 Thread ZATAZ Audits

Hello Mister D1g1t4lLeech,

You are not able to find by yourself security holes ;)

So you leech other people research.

Go back to your kazaa leech.

Secunia, you continue to not respect vendor release dates ;)

Bye


[Full-disclosure] arc insecure temporary file creation

2005-09-16 Thread ZATAZ Audits

#

arc insecure temporary file creation

Vendor:  http://arc.sourceforge.net/
Advisory: http://www.zataz.net/adviso/arc-09052005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#

The vulnerability is caused by a temporary file being created insecurely.
The temporary file used for archive creation can be read by untrusted 
users.


Secunia has reported that D1g1t4lLeech discovered this bug on 
2005-09-16.


ZATAZ Audit discovered this bug on 2005-09-05

D1g1t4lLeech you are a true Leecher ;)

##
Versions:
##

arc <= 5.21j

##
Solution:
##

No solutions

#
Timeline:
#

Discovered : 2005-09-05
Vendor notified : no time to report (Leech powa)
Vendor response : no response
Vendor fix : no patch
Vendor Sec report ([EMAIL PROTECTED]) :
Disclosure : 2005-09-19

#
Technical details :
#

Vulnerable code :
-

In arc.c :

    /* see where temp files go */
#if !_MTS
    arctemp = calloc(1, STRLEN);
    if (!(arctemp2 = envfind("ARCTEMP")))
        arctemp2 = envfind("TMPDIR");
    if (arctemp2) {
        strcpy(arctemp, arctemp2);
        n = strlen(arctemp);
        if (arctemp[n - 1] != CUTOFF)
            arctemp[n] = CUTOFF;
    }
#if UNIX
    else    strcpy(arctemp, "/tmp/");
#endif
#if !MSDOS
    {
        static char tempname[] = "AXX";
        /* mktemp() only picks a name; the file is created later, with the process umask */
        strcat(arctemp, mktemp(tempname));
    }
#else
    strcat(arctemp, "$ARCTEMP");
#endif
#else
    guinfo("SHFSEP  ", gotinf);
    sepchr[0] = gotinf[0];
    guinfo("SCRFCHAR", gotinf);
    tmpchr[0] = gotinf[0];
    arctemp = "-$$$";
    arctemp[0] = tmpchr[0];
#endif
    arctemp2 = NULL;

#if !UNIX
    /* avoid any case problems with arguments */

    for (n = 1; n < num; n++)   /* for each argument */
        upper(arg[n]);          /* convert it to uppercase */
#else
    /* avoid case problems with command options */
    upper(arg[1]);              /* convert to uppercase */
#endif

    /* create archive names, supplying defaults */
#if UNIX
    if (!stat(arg[2], &sbuf)) {
        if ((sbuf.st_mode & S_IFMT) == S_IFDIR)
            makefnam(arg[2], ".arc", arcname);
        else
            strcpy(arcname, arg[2]);
    } else
        makefnam(arg[2], ".arc", arcname);
#else
    makefnam(arg[2], ".ARC", arcname);
#endif

Take a look at the permissions of the temporary file in /tmp:

-rw-r--r--   1 root root   1564 Sep  5 10:28 A3C6Zs4.arc

The file should not be world readable.

The same problem exists in marc.c.


#
Related :
#

Bug report :
CVE :

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)



[Full-disclosure] ncompress insecure temporary file creation

2005-09-16 Thread ZATAZ Audits

#

ncompress insecure temporary file creation

Vendor: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/
Advisory: http://www.zataz.net/adviso/ncompress-09052005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#

The vulnerability is caused by a temporary file being created insecurely.
This can be exploited via symlink attacks in combination with a race
condition to create and overwrite arbitrary files
with the privileges of the user running the affected script.

Secunia has reported that D1g1t4lLeech discovered this bug
on 2005-09-16.

ZATAZ Audit discovered this bug on 2005-09-05.

D1g1t4lLeech is a true Leecher :)

Gentoo Security: take care on your IRC channel, there are spies everywhere.

##
Versions:
##

ncompress <= 4.2.4-r1

##
Solution:
##

To prevent symlink attacks, use a kernel patch such as grsecurity.

#
Timeline:
#

Discovered : 2005-09-05
Vendor notified : 2005-09-05
Vendor response : no response
Vendor fix : no patch
Vendor Sec report ([EMAIL PROTECTED]) :
Disclosure :

#
Technical details :
#

ncompress uses vulnerable versions of zdiff and zcmp.

#
Related :
#

Secunia : http://secunia.com/advisories/13131/
CVE : CAN-2004-0970

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] gwcc insecure temporary file creation

2005-09-16 Thread ZATAZ Audits

#

gwcc insecure temporary file creation

Vendor: http://gwcc.sourceforge.net/
Advisory: http://www.zataz.net/adviso/gwcc-09052005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#

The vulnerability is caused by a temporary file being created insecurely.
This can be exploited via symlink attacks to create and overwrite
arbitrary files with the privileges of the user running the affected
script.

Secunia reports that this bug was discovered by D1g1t4lLeech on 2005-09-16.

ZATAZ Audit discovered this bug on 2005-09-02.

So I think that D1g1t4lLeech is a true leecher ;)

##
Versions:
##

gwcc <= 0.9.6-r2

##
Solution:
##

To prevent symlink attacks, use a kernel patch such as grsecurity.
Gentoo Patch : http://bugs.gentoo.org/attachment.cgi?id=67477

#
Timeline:
#

Discovered : 2005-09-02
Vendor notified : 2005-09-05
Vendor response : no response
Vendor fix : no patch
Vendor Sec report ([EMAIL PROTECTED]) : 2005-09-13
Disclosure : 2005-09-16

#
Technical details :
#

Vulnerable code :
-

Take a look at : src/callbacks.c

1702 // Pipe print command and voila!, the doc is printed.
1703 strcat(print_command, " /tmp/gwcc_out.txt");

And also into : src/utils.c

94 else if (strcmp(operation, "temp") == 0) {
95 strcat(file_name, "/tmp/gwcc_out.txt");

#
Related :
#

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=104566
CVE : NONE

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit) - Gentoo Security Scout
Thxs to Gentoo Security Team.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

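The three ZATAZ advisories above (arc, ncompress, gwcc) describe the same bug class: a temporary file whose name is fixed ("/tmp/gwcc_out.txt") or guessable (arc's mktemp() on a two-X template, followed by a separate strcat/open), created with default permissions so it also ends up world-readable. mktemp(3) only returns a name; the file is created later by the caller, which is the window a symlink attack uses. The C program below is an added example and is not code from arc, gwcc or ncompress. It stages the attack inside a private scratch directory from mkdtemp() so it can be run without touching anyone else's files, and shows the replacement a practitioner wants: mkstemp() (O_CREAT|O_EXCL, mode 0600, unguessable name) plus an fstat() check on the descriptor. The file name "gwcc_out" is borrowed from the advisory purely as an illustration; everything else (function names, the victim_file target) is this example's own.

```c
/* Added example, not code from arc, gwcc or ncompress: the predictable
 * temp-file pattern these advisories describe next to a safe replacement.
 * The attack is staged in a private scratch directory from mkdtemp(), so
 * running it touches nobody else's files. Names are illustrative only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* TMPDIR if set, else /tmp (the same lookup order arc's snippet uses). */
static const char *tmpdir(void)
{
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

/* Vulnerable pattern: a fixed (or mktemp()-guessable) name opened with
 * O_CREAT but without O_EXCL. A symlink already sitting at that path is
 * followed, so the caller truncates and writes the link target with its
 * own privileges; mode 0644 also leaves the result world-readable. */
int unsafe_open_tmp(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Safe pattern: mkstemp() picks an unguessable name and creates it with
 * O_CREAT|O_EXCL and mode 0600 in a single call, so a planted symlink is
 * never followed and other users cannot read the file. */
int safe_open_tmp(char *path_out, size_t len)
{
    if (snprintf(path_out, len, "%s/gwcc_out.XXXXXX", tmpdir()) >= (int)len)
        return -1;
    return mkstemp(path_out);
}

/* Check the descriptor (not the path, which can be swapped under us):
 * regular file, one link, owned by us, unreadable by group and others. */
int tmpfd_is_private(int fd)
{
    struct stat st;
    if (fd < 0 || fstat(fd, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != geteuid())
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Stage the attack: the "attacker" plants gwcc_out.txt as a link to
 * victim_file, then the "victim" opens the predictable name. Returns 1 if
 * victim_file was overwritten, 0 if not, -1 on setup failure. */
int demo_symlink_attack(void)
{
    char dir[PATH_MAX], target[PATH_MAX], lnk[PATH_MAX], buf[16] = {0};
    int fd, overwritten = 0;

    snprintf(dir, sizeof dir, "%s/tmpdemo.XXXXXX", tmpdir());
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/victim_file", dir);
    snprintf(lnk, sizeof lnk, "%s/gwcc_out.txt", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "original", 8) != 8 || symlink(target, lnk) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    close(fd);

    fd = unsafe_open_tmp(lnk);                 /* follows the planted link */
    if (fd >= 0) {
        ssize_t w = write(fd, "pwned", 5);     /* lands in victim_file */
        close(fd);
        fd = open(target, O_RDONLY);
        if (w == 5 && fd >= 0) {
            ssize_t n = read(fd, buf, sizeof buf - 1);
            overwritten = (n == 5 && memcmp(buf, "pwned", 5) == 0);
        }
        if (fd >= 0) close(fd);
    }
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return overwritten;
}

/* Returns 1 if mkstemp() produced a file that passes tmpfd_is_private(). */
int demo_safe_tmp(void)
{
    char path[PATH_MAX];
    int fd = safe_open_tmp(path, sizeof path), ok;
    if (fd < 0)
        return 0;
    ok = tmpfd_is_private(fd);
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("predictable name + planted symlink: %s\n",
           demo_symlink_attack() == 1 ? "victim_file overwritten" : "not overwritten");
    printf("mkstemp() file private: %s\n", demo_safe_tmp() ? "yes" : "no");
    return 0;
}
```

The descriptor check matters even with mkstemp(): it is what you would add to code that cannot be changed to mkstemp() (shell wrappers around a binary, like ncompress's zdiff/zcmp), and it fails closed on anything that is not a regular, single-link, 0600 file owned by the caller. Kernel-side symlink restrictions such as the grsecurity option the advisories recommend are defence in depth; the fix belongs in the program that creates the file.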

[Full-disclosure] (TOOL) TAPiON ver 0.1c

2005-09-16 Thread Piotr Bania

Hi,

For those who are interested, a new version (0.1c) of TAPiON (polymorphic 
decryptor generator) is now available. The package can be downloaded at:


http://pb.specialised.info/all/tapion/

- the list of changes in 0.1c version is also stored at this url.

best regards,
Piotr Bania


--

Piotr Bania - <[EMAIL PROTECTED]> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info  - Key ID: 0xBE43AC33


  " Before me there were no created things
but eternal ones, and I endure eternally.
Abandon all hope, you who enter here "
  - Dante, Inferno Canto III
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 815-1] New kdebase packages fix local root vulnerability

2005-09-16 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 815-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
September 16th, 2005                    http://www.debian.org/security/faq
- --

Package: kdebase
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE ID : CAN-2005-2494

Ilja van Sprundel discovered a serious lock file handling error in
kcheckpass that can, in some configurations, be used to gain root
access.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 3.3.2-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 3.4.2-3.

We recommend that you upgrade your kdebase-bin package.


Upgrade Instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:


http://security.debian.org/pool/updates/main/k/kdebase/kdebase_3.3.2-1sarge1.dsc
  Size/MD5 checksum: 1470 1bba89e478ef850d4c634ffae067075c

http://security.debian.org/pool/updates/main/k/kdebase/kdebase_3.3.2-1sarge1.diff.gz
  Size/MD5 checksum:   881169 8a0ca94aa8607a134af2a24b70cee92e

http://security.debian.org/pool/updates/main/k/kdebase/kdebase_3.3.2.orig.tar.gz
  Size/MD5 checksum: 23750520 32d59e3bcb972a9a29414935c7f72481

  Architecture independent components:


http://security.debian.org/pool/updates/main/k/kdebase/kdebase-data_3.3.2-1sarge1_all.deb
  Size/MD5 checksum:  3700050 3f9bb57f5450e969ba7c452ddf00ac29

http://security.debian.org/pool/updates/main/k/kdebase/kdebase-doc_3.3.2-1sarge1_all.deb
  Size/MD5 checksum:   997006 732bf896c5b9aadd33076f9f4e8ec4da

http://security.debian.org/pool/updates/main/k/kdebase/kdebase_3.3.2-1sarge1_all.deb
  Size/MD5 checksum:20134 f10a0a9e1caa782849bdb382d113560b

http://security.debian.org/pool/updates/main/k/kdebase/xfonts-konsole_3.3.2-1sarge1_all.deb
  Size/MD5 checksum:35902 99ff8f2a1e66d2859f834849a1b8271a

  Alpha architecture:


http://security.debian.org/pool/updates/main/k/kdebase/kappfinder_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:   239726 a0e08c50e0c1b1cb9ce06e5a66d4a6d6

http://security.debian.org/pool/updates/main/k/kdebase/kate_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:   616324 0d2ced176c43b6faeb49b8c1ee1d37ef

http://security.debian.org/pool/updates/main/k/kdebase/kcontrol_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:  7894868 8f7f1c1828fa32ccecbf6b569da97ffe

http://security.debian.org/pool/updates/main/k/kdebase/kdebase-bin_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:  1069856 88ddfa12596abd67c09f2b4e2f52ebfd

http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:57148 5f98cf718508a919f0ee4de5e4ede454

http://security.debian.org/pool/updates/main/k/kdebase/kdebase-kio-plugins_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:   764278 52ff79d25d60992e2589cc7477784a4b

http://security.debian.org/pool/updates/main/k/kdebase/kdepasswd_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:   226854 ac66583eb58c1a4333f5e1d13d2b5311

http://security.debian.org/pool/updates/main/k/kdebase/kdeprint_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:  1084162 fd991547e74d735258311034dda4a3ef

http://security.debian.org/pool/updates/main/k/kdebase/kdesktop_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:   707074 95f79ef7d4d369d1a59f8b26db758f8a

http://security.debian.org/pool/updates/main/k/kdebase/kdm_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:   467958 cbb23ae0f9b7e6149abc081605deee02

http://security.debian.org/pool/updates/main/k/kdebase/kfind_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:   189660 8cb7206bd4136fafa379f3b0d3f2ef86

http://security.debian.org/pool/updates/main/k/kdebase/khelpcenter_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:   723122 70278a68402600b0530fa5e6aa1188c0

http://security.debian.org/pool/updates/main/k/kdebase/kicker_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:  2378516 5e6b80aca64040d76afcee88b608aeed

http://security.debian.org/pool/updates/main/k/kdebase/klipper_3.3.2-1sarge1_alpha.deb
  Size/MD5 checksum:   219954 3732a2e0c4c1f2ffb5a0047ac394af2b

http://security.deb

Re[2]: [Full-disclosure] NUL Character Evasion

2005-09-16 Thread 3APA3A
Dear Steffen Kluge,

This is old news, reported a long time ago by ben moeckel (ben.moeckel at
online.de), see http://www.security.nnov.ru/advisories/content.asp

9. Bypassing filters with special characters

  There  are some characters client application may ignore silently. For
  Example, for HTML browsers:

  0, 9, 10, 13, 173 for Opera
  13, 10, 9, 0 for Internet Explorer

  By inserting characters with these codes into a document it is possible
  to hide some dangerous tags from a content filter.

  Reported by ben.moeckel at online.de

--Friday, September 16, 2005, 10:25:06 AM, you wrote to 
full-disclosure@lists.grok.org.uk:

SK> On Tue, 2005-09-13 at 23:24 +0200, [EMAIL PROTECTED] wrote:
>> Internet Explorer ignores NUL characters
>> -- i.e. ascii characters with the value 0x00 -- most
>> security software does not.

SK> Interesting. Did you test this with Outlook as well?

SK> Cheers
SK> Steffen.



-- 
~/ZARAZA
There are versions of Othello in which Desdemona strangles the Moor. (Lem)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

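The bypass described in the thread above works because a filter that looks for the literal bytes of a tag name and a browser that silently drops certain byte values (0, 9, 10, 13 for Internet Explorer; additionally 173 for Opera, per the quoted list) disagree about what the document says. The program below is an added example, not code from the advisory or from any browser or filtering product: it puts a naive blocklist filter beside a hardened one that first normalises input the way the client does and only then matches. Treating the union of both browsers' ignored bytes as ignorable is this example's own assumption (normalise for the most permissive client you protect); the payload is constructed for the demonstration, and all buffers are length-delimited because one of the evasion bytes is NUL.

```c
/* Added example, not code from the advisory or from any browser or filter
 * product: a blocklist filter that matches the literal bytes "<script" is
 * evaded by inserting a byte the browser drops, because the browser still
 * sees a script tag. The hardened filter drops the same bytes before
 * matching. All buffers are length-delimited: one evasion byte is NUL. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte values the thread lists as ignored by Internet Explorer (0, 9, 10,
 * 13); Opera additionally ignores 173 (soft hyphen). Treating the union as
 * ignorable is this example's assumption. */
int is_ignored_byte(unsigned char c)
{
    return c == 0 || c == 9 || c == 10 || c == 13 || c == 173;
}

/* Case-insensitive substring search over a length-delimited buffer. */
static int contains_ci(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && tolower(hay[i + j]) == tolower((unsigned char)needle[j]))
            j++;
        if (j == m)
            return 1;
    }
    return 0;
}

/* Naive filter: blocks (returns 1) only if the literal tag name is present. */
int naive_filter_blocks(const unsigned char *buf, size_t n)
{
    return contains_ci(buf, n, "<script");
}

/* Model of the client: keep the bytes it renders, drop the ones it ignores.
 * out needs room for n bytes; returns the normalised length. */
size_t browser_normalize(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_ignored_byte(in[i]))
            out[k++] = in[i];
    return k;
}

/* Hardened filter: normalise like the client, then match. Input larger
 * than the scratch buffer is blocked rather than passed through. */
int hardened_filter_blocks(const unsigned char *buf, size_t n)
{
    unsigned char tmp[4096];
    size_t k;
    if (n > sizeof tmp)
        return 1;
    k = browser_normalize(buf, n, tmp);
    return contains_ci(tmp, k, "<script");
}

/* Constructed sample payload: the tag name split by a NUL byte. */
static const unsigned char EVADED[] = "<scr\0ipt>alert(1)</script>";
#define EVADED_LEN (sizeof EVADED - 1)

/* 1 if the naive filter lets the evaded payload through. */
int demo_naive_misses_evaded(void)
{
    return naive_filter_blocks(EVADED, EVADED_LEN) == 0;
}

/* 1 if the hardened filter blocks it. */
int demo_hardened_catches_evaded(void)
{
    return hardened_filter_blocks(EVADED, EVADED_LEN) == 1;
}

/* 1 if normalising the payload yields exactly what the browser parses. */
int demo_normalizes_to_plain_tag(void)
{
    unsigned char out[64];
    size_t k = browser_normalize(EVADED, EVADED_LEN, out);
    return k == 25 && memcmp(out, "<script>alert(1)</script>", 25) == 0;
}

int main(void)
{
    printf("naive filter blocks evaded payload:    %d\n",
           naive_filter_blocks(EVADED, EVADED_LEN));
    printf("hardened filter blocks evaded payload: %d\n",
           hardened_filter_blocks(EVADED, EVADED_LEN));
    return 0;
}
```

The general lesson is that a filter must canonicalise to the consumer's view before deciding; any byte the consumer discards but the filter does not is a bypass. The same structure applies to other silent normalisations (case, entity decoding, whitespace), which is why the hardened filter matches case-insensitively as well.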

[Full-disclosure] FileZilla (client) public credentials vulnerability

2005-09-16 Thread PASTOR ADRIAN

Title:             FileZilla (client) public credentials vulnerability
Risk:              Medium
Versions affected: <=2.2.15
Credits:           pagvac (Adrian Pastor)
Date found:        10th September, 2005
Homepage:          www.ikwt.com  www.adrianpv.com
E-mail:            m123303 [ - a t - ] richmond.ac.uk

Background
----------
FileZilla client is an open source Windows FTP/SFTP client.

Vulnerability Description
-------------------------
FileZilla client stores all users' credentials (including passwords) in a
globally public directory under Windows, which allows all users with local
access (including restricted users) to dump the credentials of all users
and decrypt their passwords.

The directory is %programfiles%\FileZilla\
where %programfiles% is usually "C:\program files".

The default Windows ACLs grant *read* access to %programfiles% to all
users. This means that even restricted accounts can dump any user's
credentials (including the administrators' credentials) from
"FileZilla.xml".

This would *not* be possible if the developers had programmed the FileZilla
client to save the config file under %homepath%, which would be
"C:\Documents and Settings\username\FileZilla.xml" by default.

The advantage of the %homepath% directory is that, by default, only its
owner and users within the "administrators" group have read access (rather
than all users).

Disclaimer
----------
If I get a response from the project developers arguing that the previous
security flaw is not a vulnerability but rather a feature, I will simply
*not* answer.

No offence, but I'm not willing to waste my time with the common "insecure
by design" debate. In my humble opinion applications should *never* store
user credentials in locations in the file system that are readable by
all users (unless you want all users to steal your passwords).

PoC
---
I coded a small tool which dumps all users' credentials from
"FileZilla.xml" and the registry and decrypts all passwords found.

In order to exploit this vulnerability the credentials need to be saved
in "FileZilla.xml" (rather than the registry). Luckily, the XML file is
the default location used to save the credentials :-)

In case the credentials were stored in the registry, then you would need
to run this tool as the user you want to dump the credentials from (this
is because the credentials are saved under "HKEY_CURRENT_USER" rather than
HKEY_LOCAL_MACHINE).

Executable and source code along with Visual Studio project file:

http://www.ikwt.com/projects/filezilla-pwdump.zip
http://www.adrianpv.com/projects/filezilla-pwdump.zip

I tested this tool in Windows XP SP1 by running it with restricted accounts
from the "Users" and "Guests" groups and it successfully dumped all users'
credentials (including admins').

This is possible because the default Windows ACLs of the %programfiles%
directory grant *read* access to all users. As far as I know this is true
in Windows 2000 SPX and Windows XP SPX as well (please correct me if I'm
wrong as I'm *not* a computer security guru).

Solution
--------
Choose to save user settings in the Windows registry or select "Use secure
mode" during the installation (this disables FileZilla client from saving
passwords at all), lock down your client machines where the FileZilla
client is installed.

Alternatively you can try convincing the FileZilla developers to modify
the application so that each user's credentials are stored in his/her
home folder.

Regards,
pagvac (Adrian Pastor)
Earth, SOLAR SYSTEM
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/