[Full-disclosure] [SECURITY] [DSA 845-1] New mason packages fix missing init script

2005-10-06 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 845-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 6th, 2005                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: mason
Vulnerability  : programming error
Problem type   : remote
Debian-specific: yes
CVE ID : CAN-2005-3118
Debian Bug : 222384

Christoph Martin noticed that, upon configuration, mason, which
interactively creates a Linux packet filtering firewall, does not
install the init script that actually loads the firewall during system
boot.  This leaves the machine without a firewall after a reboot.

For the old stable distribution (woody) this problem has been fixed in
version 0.13.0.92-2woody1.

For the stable distribution (sarge) this problem has been fixed in
version 1.0.0-2.2.

For the unstable distribution (sid) this problem has been fixed in
version 1.0.0-3.

We recommend that you upgrade your mason package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] OScommerce: Additional Images Module SQL Injection

2005-10-06 Thread Defa


Hello!

Doing forensics in a hacked shop system, we found the following
vulnerability in the Additional Images Module of OScommerce
(author: zaenal, zaenal AT paramartha.org). Find more detailed
information here: http://www.oscommerce.com/community/contributions,1032


Description:

If an anonymous remote user changes the value of 'products_id' when he
gets product_info.php, he is able to insert SQL code into an SQL
query, if the module in question is installed.


Impact:

An attacker might read out parts or the whole of the database.

Code:

The following code on line 16 in
SHOPROOT/catalog/includes/modules/additional_images.php doesn't check
the value of the products_id variable.


$images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images "
                             . "FROM " . TABLE_ADDITIONAL_IMAGES
                             . " WHERE products_id = '" . $HTTP_GET_VARS['products_id'] . "'");


Solution:

Contact the author/vendor.

Workaround:

Change line 16 in SHOPROOT/catalog/includes/modules/additional_images.php to:


$images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images "
                             . "FROM " . TABLE_ADDITIONAL_IMAGES
                             . " WHERE products_id = '" . (int) $HTTP_GET_VARS['products_id'] . "'");


thanks to the guy who found the log entry in question.

bye
defa
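To show what the (int) cast in the workaround actually buys, here is an added Python example that is not part of defa's post or of the osCommerce module: it rebuilds the line-16 query against a constructed in-memory SQLite table and compares the shipped string concatenation, the (int) workaround (PHP's cast semantics mimicked in php_int_cast) and a parameterized query for the same products_id value. Table contents and column types are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed rows standing in for osCommerce's TABLE_ADDITIONAL_IMAGES.
SAMPLE_ROWS = [
    (1, 101, "front view", "m101a.jpg", "p101a.jpg"),
    (2, 101, "side view", "m101b.jpg", "p101b.jpg"),
    (3, 102, "front view", "m102a.jpg", "p102a.jpg"),
    (4, 103, "front view", "m103a.jpg", "p103a.jpg"),
]
COLUMNS = "additional_images_id, products_id, images_description, medium_images, popup_images"


def make_db():
    """In-memory SQLite stand-in for the shop database (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE additional_images (additional_images_id INTEGER, products_id INTEGER,"
        " images_description TEXT, medium_images TEXT, popup_images TEXT)"
    )
    conn.executemany("INSERT INTO additional_images VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def php_int_cast(value):
    """Mimic PHP's (int) cast on a string: optional whitespace and sign, then the
    leading run of digits; a value that does not start that way becomes 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def query_vulnerable(conn, products_id):
    """Line 16 of additional_images.php as shipped: the raw GET value is spliced
    into the SQL text, so whatever it contains is parsed as SQL."""
    sql = f"SELECT {COLUMNS} FROM additional_images WHERE products_id = '{products_id}'"
    return conn.execute(sql).fetchall()


def query_workaround(conn, products_id):
    """The advisory's workaround: (int) cast before concatenation, so only an
    integer literal can ever reach the query text."""
    sql = f"SELECT {COLUMNS} FROM additional_images WHERE products_id = '{php_int_cast(products_id)}'"
    return conn.execute(sql).fetchall()


def query_parameterized(conn, products_id):
    """The general fix: bind the value, so the driver keeps data out of the SQL
    grammar whatever the column type."""
    sql = f"SELECT {COLUMNS} FROM additional_images WHERE products_id = ?"
    return conn.execute(sql, (php_int_cast(products_id),)).fetchall()


def compare(products_id):
    """Row counts each variant returns for the same products_id value."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(query_vulnerable(conn, products_id)),
            "workaround": len(query_workaround(conn, products_id)),
            "parameterized": len(query_parameterized(conn, products_id)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("honest value: ", compare("101"))
    # A value carrying a tautology: only the unpatched query returns every product's images.
    print("crafted value:", compare("101' OR '1'='1"))
```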


Re: [Full-disclosure] Websites vulnerabilities disclosure

2005-10-06 Thread Javi Polo
On Oct/06/2005, offtopic wrote:

> I want to know - is it ethical to use standard vulnerability disclosure
> policies to public websites?

There's no list for what's ethical and what's not ...
It's all up to your mind :)
(of course your mind's been influenced by lots of things, some of them that you'll
never know)

> Or in other words - who should care about Web-sites security?

I'd publish it in bugtraq and in FD; full disclosure is the way :)

-- 
Javier Polo @ Datagrama
902 136 126


[Full-disclosure] sourcefire acquired by checkpoint

2005-10-06 Thread Alex Strawman
http://www.checkpoint.com/sourcefire/


... checkpoint - back in the game



Re: [Full-disclosure] no-NX paper announcement

2005-10-06 Thread Arjan van de Ven
On Tue, 2005-10-04 at 13:43 +0200, Sebastian Krahmer wrote:
> Hi,
>
> A new paper describing NX technology and its limitations can be
> found at http://www.suse.de/~krahmer/no-nx.pdf
> It contains in depth discussion and sample code for the Hammer/Linux
> platform, analyzes the weaknesses and discusses countermeasures.

An interesting paper; however I'm sort of missing some and how linux
prevents these/makes these harder, now and in the future.

Examples:
*) glibc nowadays has a lot of checks in the malloc/free code that make
the traditional double free exploit (and the heap exploits that use the
same technique) not feasible. This is present in at least Fedora Core 3
and 4 and Red Hat Enterprise Linux 4; I'd be surprised if it also isn't
in SLES9 since it has been in the upstream glibc for quite a while
*) glibc nowadays prevents format string exploits (assuming you pass
-D_FORTIFY_SOURCE=2 as preprocessor directive)
(again present in FC3/FC4/RHEL4)
*) The kernel.org kernel nowadays includes address space randomization
by default. While not perfect and fully complete, it's there and better
than nothing
(FC3/FC4/RHEL4 randomize more aggressively than this)
*) the glibc/gcc/binutils toolchain has support for PIE binaries,
basically relocatable binaries so that the binary location can be
randomized by the previous feature as well; this in order to make it
harder to do ret2binary
*) glibc/binutils have a feature to mark the GOT/PLT read only after
linking (called relro), to make it harder for exploits to muck with
these (eg they need to first re-mprotect them, which means they need
full code execution state first, at which point the GOT/PLT are boring
anyway)
*) gcc cvs now has -fstack-protector; basically a gcc 4.x port of the
propolice technique that tries hard to protect the return address on the
stack
*) gcc/glibc allow cheap static buffer checking with -D_FORTIFY_SOURCE=2


Greetings,
   Arjan van de Ven


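As an added example (mine, not Arjan's or any distribution's tooling), this Python checker reads the ELF64 program and dynamic headers to report which of the features listed above a binary was built with: PIE (ET_DYN), an NX stack (PT_GNU_STACK without PF_X), partial or full RELRO (PT_GNU_RELRO plus BIND_NOW), and, by a string heuristic flagged as such, the __stack_chk_fail and __*_chk imports that -fstack-protector and _FORTIFY_SOURCE=2 leave behind. The build_sample_elf helper fabricates a minimal image purely as test input; it is not a runnable program.

```python
import re
import struct

ET_EXEC, ET_DYN = 2, 3
PT_NULL, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 0, 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn: d_tag, d_val


def check_hardening(data):
    """Report the mitigations an ELF64 little-endian image carries."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    (_, e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = EHDR.unpack_from(data, 0)
    result = {"pie": e_type == ET_DYN, "nx": False, "relro": "none",
              "stack_protector": False, "fortify": False}
    dynamic, relro_seen = None, False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            # No PT_GNU_STACK at all means the Linux loader gives the binary an executable stack.
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro_seen = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    # Full RELRO = a RELRO segment plus BIND_NOW, so the GOT is resolved before it goes read-only.
    bind_now = False
    if dynamic:
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + DYN.size <= min(end, len(data)):
            d_tag, d_val = DYN.unpack_from(data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True
            off += DYN.size
    if relro_seen:
        result["relro"] = "full" if bind_now else "partial"
    # Heuristic only (a real checker walks .dynsym): -fstack-protector imports
    # __stack_chk_fail, and _FORTIFY_SOURCE=2 redirects libc calls to __*_chk variants.
    result["stack_protector"] = b"__stack_chk_fail\x00" in data
    result["fortify"] = re.search(rb"__[a-z0-9_]+_chk\x00", data) is not None
    return result


def build_sample_elf(pie=True, nx=True, relro=True, bind_now=True,
                     symbols=b"__stack_chk_fail\x00__printf_chk\x00"):
    """Construct a minimal ELF64 image (header, three program headers, a dynamic
    section and a few symbol-name bytes) with the chosen properties. Test input only."""
    dyn = DYN.pack(DT_FLAGS, DF_BIND_NOW if bind_now else 0) + DYN.pack(DT_NULL, 0)
    dyn_off = EHDR.size + 3 * PHDR.size
    phdrs = (PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn), len(dyn), 8)
             + PHDR.pack(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)
             + PHDR.pack(PT_GNU_RELRO if relro else PT_NULL, PF_R, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, v1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 3, 0, 0, 0)
    return ehdr + phdrs + dyn + symbols


if __name__ == "__main__":
    import sys
    # With a path argument the checker runs on a real binary; without one, on the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name, value in check_hardening(data).items():
        print(f"{name:16} {value}")
```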


[Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread PASTOR ADRIAN
Sometime ago I 
thought of the following idea for a covert channel. Although the idea of covert 
channels is *not* new at all, I couldn't find anything in Google related to the 
following method of implementing a covert channel.

The scenario is the following. The 
victim is a host with a host-level firewall which is blocking *all* incoming 
traffic. Somehow the attacker still needs to communicate with a backdoor planted 
in this host. Use a reverse shell and job done, you might say.
Actually, there is another way which 
I thought would be more creative (IMHO). 

It works like this: the backdoor 
enables logging in the host-level firewall for all dropped packets, say Windows 
XP SP2 Firewall. Then the backdoor receives commands from the attacker by 
interpreting the properties of the dropped packets which were logged by the 
firewall. In other words, the backdoor is constantly reading the logs and 
parsing commands which were sent by the attacker embedded in packets which are 
being dropped (but logged) by the firewall.
attacker sends packets -> packets are dropped by firewall ->
packet properties are captured in logs -> backdoor reads logs and
finds encoded commands -> commands are executed
Now, for the way the backdoor would reply back to the victim is really 
up to you. One method that comes to my mind is by posting the responses to a PHP 
script which is located in some free-hosting webpage. The attacker would then 
access this webpage.

Please, if you know anything related to backdoors intercepting commands 
from log files send me some links. Ideas, comments and flames are more than 
welcome :-) .
Regards,
pagvac (Adrian Pastor)
Earth, SOLAR SYSTEM
www.adrianpv.com
www.ikwt.com (In Knowledge We Trust)
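Several replies in this thread call the scheme noisy; as an added example (mine, not the poster's, with constructed log lines), this Python parses the W3C-style log the Windows XP SP2 firewall writes and flags a single source whose dropped inbound packets spread over many destination ports inside a short window, which is the footprint a log-driven dead drop would leave for a defender. The column names are taken from the log's own #Fields header, so the parser is not tied to the field order assumed in the sample.

```python
import datetime as dt
from collections import defaultdict

# Constructed pfirewall.log excerpt: one chatty source (the signalling pattern described
# in the post) plus ordinary background drops and one outbound OPEN record.
BURST_PORTS = [23, 80, 443, 1025, 2048, 4096, 8080, 8443, 9000, 9999]
BURST_LINES = "\n".join(
    f"2005-10-06 10:06:{20 + i // 3:02d} DROP TCP 198.51.100.7 192.0.2.5 "
    f"{40000 + i} {port} 48 S 1 0 65535 - - - RECEIVE"
    for i, port in enumerate(BURST_PORTS)
)
SAMPLE_LOG = f"""#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

{BURST_LINES}
2005-10-06 10:06:21 DROP TCP 203.0.113.9 192.0.2.5 3311 135 48 S 1 0 16384 - - - RECEIVE
2005-10-06 10:06:22 OPEN TCP 192.0.2.5 192.0.2.1 1040 80 0 - 0 0 0 - - - SEND
2005-10-06 10:06:23 DROP TCP 203.0.113.9 192.0.2.5 3312 445 48 S 1 0 16384 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header, plus a
    parsed 'ts' datetime. Lines that do not match the header width are skipped, not guessed."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # header not seen yet, or a truncated/corrupt line
        rec = dict(zip(fields, parts))
        rec["ts"] = dt.datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_drop_bursts(records, window_seconds=10, min_packets=8, min_distinct_ports=5):
    """Flag sources whose inbound DROP entries, within any window of window_seconds,
    reach min_packets packets spread over min_distinct_ports destination ports.
    Returns the widest qualifying window per source."""
    by_src = defaultdict(list)
    for r in records:
        if r["action"] == "DROP" and r.get("path") == "RECEIVE":
            by_src[r["src-ip"]].append(r)
    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            ports = {r["dst-port"] for r in window}
            if len(window) >= min_packets and len(ports) >= min_distinct_ports:
                if best is None or len(window) > best["packets"]:
                    best = {"src-ip": src, "first": window[0]["ts"], "last": window[-1]["ts"],
                            "packets": len(window), "distinct_ports": len(ports)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_drop_bursts(parse_firewall_log(SAMPLE_LOG)):
        print(f"{a['src-ip']}: {a['packets']} dropped packets to {a['distinct_ports']} ports "
              f"between {a['first'].time()} and {a['last'].time()}")
```

Thresholds are illustrative; on a real host they should be set from the baseline rate of background drops, and the same check works on any log that carries a #Fields header.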

[Full-disclosure] Secunia Research: Webroot Desktop Firewall Two Vulnerabilities

2005-10-06 Thread Secunia Research
== 

 Secunia Research 06/10/2005

   - Webroot Desktop Firewall Two Vulnerabilities -

== 
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

== 
1) Affected Software 

Webroot Desktop Firewall Version 1.3.0 Build 43.

Other versions may also be affected.

== 
2) Severity 

Rating: Less Critical
Impact: Privilege escalation
        Security bypass
Where:  Local system

== 
3) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in Webroot Desktop
Firewall, which can be exploited by malicious, local users to gain
escalated privileges or bypass certain security restrictions.

1) A boundary error in PWIWrapper.dll when deleting a program from the
list of allowed programs can cause a buffer overflow in
FirewallNTService.exe. This can be exploited by sending a specially
crafted application chain to the firewall driver via a
DeviceIoControl() command, and then removing an allowed program
from the firewall GUI.

Successful exploitation allows non-privileged users to execute
arbitrary code with SYSTEM privileges, but requires the ability
to add and remove programs from the firewall's permitted application
list.

2) It is possible for non-privileged users to disable the firewall
even when password protection has been enabled, by sending specific
DeviceIoControl() commands to the firewall driver.

== 
4) Solution 

Update to version 1.3.0 build 52.

== 
5) Time Table 

20/06/2005 - Initial vendor notification.
20/08/2005 - Initial vendor reply.
06/09/2005 - Vendor provided fixed version for testing.
06/10/2005 - Public disclosure.

== 
6) Credits 

Discovered by Tan Chew Keong, Secunia Research.

== 
7) References

Webroot:
http://support.webroot.com/ics/support/KBAnswer.asp?questionID=2332

== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-10/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==




[Full-disclosure] Secunia Research: PHP-Fusion Two SQL Injection Vulnerabilities

2005-10-06 Thread Secunia Research
==

 Secunia Research 06/10/2005

   - PHP-Fusion Two SQL Injection Vulnerabilities -

==
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerabilities
5) Solution
6) Time Table
7) Credits
8) About Secunia
9) Verification

==
1) Affected Software

PHP-Fusion 6.00.109

Other versions may also be affected.

==
2) Severity

Rating: Moderately critical
Impact: Manipulation of data
Where:  Remote

==
3) Vendor's Description of Software

A light-weight open-source content management system (CMS) written 
in PHP.

Product link:
http://www.php-fusion.co.uk/

==
4) Description of Vulnerabilities

Secunia Research has discovered two vulnerabilities in PHP-Fusion, 
which can be exploited by malicious people to conduct SQL injection 
attacks.

Input passed to the activate parameter in register.php and the 
cat_id parameter in faq.php isn't properly sanitised before being 
used in a SQL query. This can be exploited to manipulate SQL queries 
by injecting arbitrary SQL code.

Successful exploitation requires that magic_quotes_gpc is disabled.

The vulnerabilities have been confirmed in version 6.00.109. Other 
versions may also be affected.

==
5) Solution

Update to version 6.00.110.
http://www.php-fusion.co.uk/downloads.php?cat_id=3

==
6) Time Table

04/10/2005 - Vulnerabilities discovered.
05/10/2005 - Vendor notified.
05/10/2005 - Vendor confirms vulnerabilities.
06/10/2005 - Public disclosure.

==
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

==
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

==
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-52/advisory/

==




Re: [Full-disclosure] Interesting idea for a covert channel or I justdidn't research enough?

2005-10-06 Thread phased
bit noisy i think



Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread Bernhard Mueller
if you have system access, why not capture packets at kernel level,
BEFORE they reach the firewall. your approach seems to be very noisy ;)



-- 
_

~  DI (FH) Bernhard Mueller
~  IT Security Consultant

~  SEC-Consult Unternehmensberatung GmbH
~  www.sec-consult.com

~  A-1080 Wien  Blindengasse 3
~  Tel:   +43/676/840301718
~  Fax:   +43/(0)1/4090307-590
__


[Full-disclosure] Re: Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread Mario 'BitKoenig' Holbe
PASTOR ADRIAN [EMAIL PROTECTED] wrote:
> It works like this: the backdoor enables logging in the host-level
> firewall for all dropped packets, say Windows XP SP2 Firewall. Then the

Well, if the backdoor is able to enable logging in the packet filter
(i.e. configure the packet filter) it should also be able to add some
(as qualified as needed) pass rule, shouldn't it?
This should be far less noisy, far less performance consuming and
not more noticeable than the modification of other settings.


regards
   Mario
-- 
As a rule, the more bizarre a thing is, the less mysterious it proves to be.
-- Sherlock Holmes by Arthur Conan Doyle



Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread Michael Holstein
> attacker sends packets -> packets are dropped by firewall -> packet
> properties are captured in logs -> backdoor reads logs and finds
> encoded commands -> commands are executed


As a covert channel? .. no, it's a waste. Once you have the access to 
set that up, you could establish any number of more efficient schemes.


As a way to do a remote wake-up though .. it might have some promise 
.. but it still depends on too many other variables.


~Mike.


[Full-disclosure] [USN-194-1] texinfo vulnerability

2005-10-06 Thread Martin Pitt
===
Ubuntu Security Notice USN-194-1   October 06, 2005
texinfo vulnerability
CAN-2005-3011
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

texinfo

The problem can be corrected by upgrading the affected package to
version 4.6-1ubuntu1.1 (for Ubuntu 4.10), or 4.7-2.2ubuntu1.1 (for
Ubuntu 5.04).  In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

Frank Lichtenheld discovered that the texindex program created
temporary files in an insecure manner. This could allow a symlink
attack to create or overwrite arbitrary files with the privileges of
the user running texindex.



Re: [Full-disclosure] sourcefire acquired by checkpoint

2005-10-06 Thread Michael Holstein

> http://www.checkpoint.com/sourcefire/
>
> ... checkpoint - back in the game


Damn ... and I've always respected Marty and his team .. guess we can 
all say goodbye to nice REGEX rules and the ability to look at alerts 
with syslog.


Here comes the Windows-only proprietary viewer for Snort ...

~Mike.


RES: [Full-disclosure] sourcefire acquired by checkpoint

2005-10-06 Thread Jose Ribeiro Junior
Humm.. My friend at sourcefire told me that nothing will be changed and
CheckPoint will continue with the snort open-source project.







Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread mudge


What you describe would be a variant of 'dead-drop' covert channels.

Other examples would be:

. The use of public message boards where one program/person initiates  
a connection out to the board and posts a message with particular  
words/phrases/passages and another program/person scans said message  
board looking for the 'encoded' messages.


. Web servers that have readable log files where one end of the  
covert channel accesses certain web pages (existent or non-existent)  
in a particular order and the other end looks for this message (or  
alternatively has various combinations of request parameters in the  
query strings which encodes commands or messages).


. etc. etc.

This type of covert channel has long been used by various governments  
and organizations (think of clandestine messages being passed to or  
from agents via personal ads). So, this is not a novel idea but you  
are correct, there does not exist a tremendous amount of literature  
on the subject - particularly in the public infosec/comsec communities.


A large percentage of 'dead-drop' covert channels will rely on a  
shared 'code-book' between both parties.


cheers,

.mudge




[Full-disclosure] Re: SecureW2 TLS security problem

2005-10-06 Thread Simon Josefsson
Yvan Boily [EMAIL PROTECTED] writes:

 The default random number generator provided with Windows XP, 2003,
 and Longhorn, is RtlGenRandom(PVOID,ULONG)
 ; this is an undocumented API that is called by
 CryptGenRandom(HCRYPTPROV, DWORD, BYTE*).

SecureW2 is using CryptGenRandom now.

 It uses significantly better sources of entropy than clock information
 and process  thread ids.

Are you aware of a quantification of the improvement?  Having many
entropy sources only inspires more confidence if the additional entropy
sources provide any entropy.  It is not clear to me that there is
enough entropy in the listed sources to provide good random
numbers.  Frankly, the list of entropy sources is so huge it appears
as if it is meant to scare you away from scrutinizing each single
entropy source.  It is not clear whether the PRNG is ever re-seeded.

Thanks,
Simon


Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread Kevin Wilcox
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Michael Holstein wrote:
 attacker sends packets -> packets are dropped by firewall -> packet
 properties are captured in logs -> backdoor reads logs and finds
 encoded commands -> commands are executed
 
 
 As a covert channel? .. no, it's a waste. Once you have the access to
 set that up, you could establish any number of more efficient schemes.
 
 As a way to do a remote wake-up though .. it might have some promise
 .. but it still depends on too many other variables.

SAdoor uses this general idea.

device in promiscuous mode sits and listens, iptables can have all ports
filtered and no services running on the machine, a particular sequence
of events happens, a command gets executed.

http://cmn.listprojects.darklab.org/

kw
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFDRTNN7XWNuvsOTiYRAqr5AKDQmgqdbBHSJrc2fuOzwx4SjekKlQCg3gFR
JYDJjZo37FNF1XNjaejqamc=
=8SzG
-END PGP SIGNATURE-


RE: [Full-disclosure] sourcefire acquired by checkpoint

2005-10-06 Thread Geoff.Shatz
Checkpoint's core products run on Solaris, Linux, AIX and Windows. Not sure why
you think that they are completely a Windows-centric company.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michael
Holstein
Sent: Thursday, October 06, 2005 10:05 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] sourcefire acquired by checkpoint


 http://www.checkpoint.com/sourcefire/
 
 
 ... checkpoint - back in the game

Damn ... and I've always respected Marty and his team .. guess we can 
all say goodbye to nice REGEX rules and the ability to look at alerts 
with syslog.

Here comes the Windows-only proprietary viewer for Snort ...

~Mike.


[Full-disclosure] [ GLSA 200510-05 ] Ruby: Security bypass vulnerability

2005-10-06 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200510-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Ruby: Security bypass vulnerability
  Date: October 06, 2005
  Bugs: #106996
ID: 200510-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Ruby is vulnerable to a security bypass of the safe level mechanism.

Background
==

Ruby is an interpreted scripting language for quick and easy
object-oriented programming. Ruby supports the safe execution of
untrusted code using a safe level and taint flag mechanism.

Affected packages
=

    -------------------------------------------------------------------
         Package               /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
      1  dev-lang/ruby              < 1.8.3                  >= 1.8.3

Description
===

Dr. Yutaka Oiwa discovered that Ruby fails to properly enforce safe
level protections.

Impact
==

An attacker could exploit this vulnerability to execute arbitrary code
beyond the restrictions specified in each safe level.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Ruby users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.3"

References
==

  [ 1 ] CAN-2005-2337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2337
  [ 2 ] Ruby release announcement
http://www.ruby-lang.org/en/20051003.html

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-05.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



Re: [Full-disclosure] sourcefire acquired by checkpoint

2005-10-06 Thread Michael Holstein

 Checkpoint's core products run on Solaris, Linux, AIX and Windows. Not sure why
 you think that they are completely a Windows-centric company.


Core product, yes. But you're still stuck with their GUI-based rule 
editor/viewer.



Re: [Full-disclosure] sourcefire acquired by checkpoint

2005-10-06 Thread lonely wolf

[EMAIL PROTECTED] wrote:


 Checkpoint's core products run on Solaris, Linux, AIX and Windows. Not sure why
 you think that they are completely a Windows-centric company.

With all due respect to their server solutions, would the fact that 
their VPN client only runs on linux kernels which were new before my 
grand-mother got married  qualify for a valid response to why would one 
think that they are a windows ...? ?



Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread foofus
On Thu, Oct 06, 2005 at 10:22:07AM -0400, mudge wrote:
 This type of covert channel has long been used by various governments  
 and organizations (think of clandestine messages being passed to or  
 from agents via personal ads). 

There's one potentially interesting wrinkle to this scheme, though,
that's not mirrored in the generic hidden-messages-in-a-public-medium
scenario: the sender can put things into the log, but not see them, 
and the recipient can read things from the log, but writing there
might be of less interest.

I bring this up because the logs generated by the firewall do not 
necessarily reside only on the device that received the sender's 
packets.  With lots of organizations working on centralizing log
events so that they can correlate findings from different platforms,
the ability to control the content of portions of log messages
(say, for example, the source address reported in a syslog message
indicating a dropped packet) could provide a vector for communicating
to highly trusted systems to which one has no direct network access.

I can't send them a packet, in other words, but maybe I can ask
someone on the edge of the network to send them a packet with some
content of my choosing.  

I admit this seems like a somewhat farfetched avenue of attack 
(i.e., if I'm able to install an agent with access to this log data, 
I probably already have whatever level of access I might be after), 
but it seems like an interesting observation nevertheless, and 
somebody sooner or later will probably figure out a way to do 
something interesting with it.  I look forward, at the very least, 
to the inevitable presentation on video over covert syslog by Dan
Kaminsky.  :)

--Foofus.




[Full-disclosure] [ GLSA 200510-06 ] Dia: Arbitrary code execution through SVG import

2005-10-06 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200510-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Dia: Arbitrary code execution through SVG import
  Date: October 06, 2005
  Bugs: #107916
ID: 200510-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Improperly sanitised data in Dia allows remote attackers to execute
arbitrary code.

Background
==

Dia is a gtk+ based diagram creation program released under the GPL
license.

Affected packages
=

    -------------------------------------------------------------------
         Package               /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
      1  app-office/dia             < 0.94-r3               >= 0.94-r3

Description
===

Joxean Koret discovered that the SVG import plugin in Dia fails to
properly sanitise data read from an SVG file.

Impact
==

An attacker could create a specially crafted SVG file, which, when
imported into Dia, could lead to the execution of arbitrary code.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Dia users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/dia-0.94-r3"

References
==

  [ 1 ] CAN-2005-2966
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2966

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-06.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



Re: [Full-disclosure] Bigger burger roll needed

2005-10-06 Thread bkfsec

Micheal Espinola Jr wrote:

 Bruce, I don't think you are going to find hard evidence for either
 conclusion.  But Bruce's conclusion is consistent with my own
 experiences, and that of many other Administrators that I discuss
 issues like this with.

 Since its inception, supporting NT 3.0 beta and onward, I have been
 dealing with BSOD's.  In total, there have been comparatively very few
 times where it was a direct fault of MS code.  It has very commonly
 been in relation to 3rd party drivers that needed reworking or
 updating by the 3rd-party manufacturer.

 This is not PR spin (of which I don't think you could find any
 published PR spin for either side of this argument either).  This is
 real world experience with the NT+ products across i386 and Alpha
 hardware platforms using peripheral devices from many different major
 manufacturers.  There are admins on both sides of the anti-MS fence
 that I communicate with that would agree with this conclusion.

I agree, in general, that the vast majority of the BSODs I've seen on 
the NT line have been caused by bad drivers.  On occasion, though, I 
have seen poorly written software that has BSOD'ed NT 4.0 before.


However, the original topic was about users and their exposure to 
Microsoft products.  User exposure to the NT line really began with 
Windows XP (aside from a smattering of Win2k installed desktops)... so 
the real initial exposure that users have had to Microsoft products is 
actually the DOS/Win9x line and those most certainly crashed frequently 
in situations where a driver wasn't necessarily the culprit.


Not to mention the fact that a Windows XP or 2000 system can still crash 
without getting a BSOD, and that crashes of either the OS or 
applications can and do regularly occur.  Further, the argument that 
third party drivers are always the cause and that merging code bases is 
not Microsoft's problem completely and totally ignores the fact that 
other OS' don't have the frequency of crashes experienced while using 
third party code that MS does.


So, whether it be the shoddy coding that causes BSOD's in the 
DOS-dependent line of MS apps, or the shoddy coding that causes IE to 
freeze on Windows XP... or the shoddy coding that third parties carry 
out and that Microsoft allows to affect the system in such a way... 
nonetheless the net result is the same... the user's expectation has 
been lowered.


  -bkfsec




Re: [Full-disclosure] Bigger burger roll needed

2005-10-06 Thread bkfsec

Micheal Espinola Jr wrote:

 I'm not and have not been referring to hackers what-so-ever.  I'm
 referring to poorly written drivers.

 You guys are all over the place.  I'm done.

 On 10/4/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

  On Tue, 04 Oct 2005 08:16:34 EDT, Micheal Espinola Jr said:

   Without getting into specifics that no longer matter, surely they
   could have done their part better to handle malformed input - but who
   was malform'ing the input in the first place?

  That's right. Blame the hackers.  Sounds like a sound bite from a Ballmer
  keynote speech. :)

But, Curmudgeon's right... you can't just say yeah, the OS can't handle 
malformed data, but that's not their problem.


One of the primary rules of coding is never trust the input.  And that 
is a very valid point.  The same flaws in code that cause exploits also 
cause crashes by their very nature.  It's not all over the place, it's 
a fact of system design.  If they can't avoid mishandling input, then 
people's expectations will be low.  See how it all comes together?


  -bkfsec



[Full-disclosure] Secunia Research: HAURI Anti-Virus ALZ Archive Handling Buffer Overflow

2005-10-06 Thread Secunia Research
== 

 Secunia Research 06/10/2005

  - HAURI Anti-Virus ALZ Archive Handling Buffer Overflow -

== 
Table of Contents

Affected Software1
Severity.2
Description of Vulnerability.3
Solution.4
Time Table...5
Credits..6
References...7
About Secunia8
Verification.9

== 
1) Affected Software 

ViRobot Expert 4.0
ViRobot Advanced Server
HAURI LiveCall

With vrAZMain.dll version 5.8.22.137.

Prior versions may also be affected.

== 
2) Severity 

Rating: Highly Critical
Impact: System access
Where:  Remote

== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in various HAURI
anti-virus products, which can be exploited by malicious people to
compromise a vulnerable system.

The vulnerability is caused due to a boundary error in the archive
decompression library when reading the filename of a compressed file 
from an ALZ archive. This can be exploited to cause a stack-based
buffer overflow when a malicious ALZ archive is scanned.

Successful exploitation allows arbitrary code execution, but requires 
that compressed file scanning is enabled.

== 
4) Solution 

Apply updates.

ViRobot Expert 4.0 / ViRobot Advanced Server:
Update to the latest version via online update. (vrAZMain.dll 
version 5.9.22.154)

HAURI LiveCall:
Update to the latest version by visiting the vendor's LiveCall
website. (vrAZMain.dll version 5.9.22.154) 

== 
5) Time Table 

19/09/2005 - Initial vendor notification.
19/09/2005 - Initial vendor reply.
04/10/2005 - Notified by vendor that fixed version is available via 
 online update on 27/09/2005.
06/10/2005 - Public disclosure.

== 
6) Credits 

Discovered by Tan Chew Keong, Secunia Research.

== 
7) References

No references available.

== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-47/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==




Re: [Full-disclosure] Bigger burger roll needed

2005-10-06 Thread Micheal Espinola Jr
I do see how it all comes together, and I agree as a whole.  I'm
certainly not excusing MS of their responsibility to the matter.

My comments only referred to legitimate use of the OS, using
supporting software and drivers, in which case you should be able to
depend on proper coding from every party involved.  Running
software/drivers that were properly written for the OS should provide
a failure free platform, and it does.  That was my only point to
egregious comments to Windows being BSOD prone.  It could be a
balancing act at times, but it could be done if done right.

Yes, absolutely, any OS should be able to handle bad data without
crashing.  I think it's apparent that MS is no longer ignorant (or
perhaps naive) about the issue, and I honestly can't remember the last
BSOD I got.  It's been years.


On 10/6/05, bkfsec [EMAIL PROTECTED] wrote:
 But, Curmudgeon's right... you can't just say yeah, the OS can't handle
 malformed data, but that's not their problem.

 One of the primary rules of coding is never trust the input.  And that
 is a very valid point.  The same flaws in code that cause exploits also
 cause crashes by their very nature.  It's not all over the place, it's
 a fact of system design.  If they can't avoid mishandling input, then
 people's expectations will be low.  See how it all comes together?


[Full-disclosure] Secunia Research: PHP-Fusion Two SQL Injection Vulnerabilities

2005-10-06 Thread vuln
==

 Secunia Research 06/10/2005

   - PHP-Fusion Two SQL Injection Vulnerabilities -

==
Table of Contents

Affected Software1
Severity.2
Vendor's Description of Software.3
Description of Vulnerabilities...4
Solution.5
Time Table...6
Credits..7
About Secunia8
Verification.9

==
1) Affected Software

PHP-Fusion 6.00.109

Other versions may also be affected.

==
2) Severity

Rating: Moderately critical
Impact: Manipulation of data
Where:  Remote

==
3) Vendor's Description of Software

A light-weight open-source content management system (CMS) written 
in PHP.

Product link:
http://www.php-fusion.co.uk/

==
4) Description of Vulnerabilities

Secunia Research has discovered two vulnerabilities in PHP-Fusion, 
which can be exploited by malicious people to conduct SQL injection 
attacks.

Input passed to the activate parameter in register.php and the 
cat_id parameter in faq.php isn't properly sanitised before being 
used in a SQL query. This can be exploited to manipulate SQL queries 
by injecting arbitrary SQL code.

Successful exploitation requires that magic_quotes_gpc is disabled.

The vulnerabilities have been confirmed in version 6.00.109. Other 
versions may also be affected.

==
5) Solution

Update to version 6.00.110.
http://www.php-fusion.co.uk/downloads.php?cat_id=3

==
6) Time Table

04/10/2005 - Vulnerabilities discovered.
05/10/2005 - Vendor notified.
05/10/2005 - Vendor confirms vulnerabilities.
06/10/2005 - Public disclosure.

==
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

==
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

==
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-52/advisory/

==


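The bug class the advisory describes, as an added example that is not PHP-Fusion's code and not part of the Secunia post: a `faq` lookup by `cat_id` written three ways, with the query built by string formatting (the flaw), with the quotes doubled first (a simplified stand-in for what PHP's `magic_quotes_gpc` did to request data, which is why the advisory notes that exploitation needs it disabled), and with a bound parameter (the fix). The table, rows and the `cat_id` values are constructed; SQLite stands in for the MySQL backend.

```python
"""Vulnerable, quote-escaped and parameterized versions of a cat_id lookup.

Added example (not PHP-Fusion's code). Schema and rows are constructed;
sqlite3 stands in for the CMS's database layer.
"""
import sqlite3

PAYLOAD = "x' OR '1'='1"   # constructed value: closes the literal, adds a true clause


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faq (cat_id TEXT, question TEXT)")
    conn.executemany("INSERT INTO faq VALUES (?, ?)", [
        ("1", "How do I register?"),
        ("1", "How do I reset my password?"),
        ("2", "Where are the admin settings?"),
    ])
    return conn


def faq_vulnerable(conn, cat_id):
    """The flaw: request data spliced straight into the SQL text."""
    sql = "SELECT question FROM faq WHERE cat_id = '%s'" % cat_id
    return [row[0] for row in conn.execute(sql)]


def faq_escaped(conn, cat_id):
    """Quote-doubling before splicing: blocks this payload but only protects
    quoted string contexts (PHP's magic_quotes used backslashes, which
    SQLite does not accept, so doubling is used here as the stand-in)."""
    sql = "SELECT question FROM faq WHERE cat_id = '%s'" % cat_id.replace("'", "''")
    return [row[0] for row in conn.execute(sql)]


def faq_parameterized(conn, cat_id):
    """The fix: the value is bound, never parsed as SQL."""
    sql = "SELECT question FROM faq WHERE cat_id = ?"
    return [row[0] for row in conn.execute(sql, (cat_id,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", faq_vulnerable(db, PAYLOAD))     # every row leaks
    print("escaped      :", faq_escaped(db, PAYLOAD))        # no rows
    print("parameterized:", faq_parameterized(db, PAYLOAD))  # no rows
```

Escaping only helps where the value lands inside a quoted literal; an unquoted numeric context (`WHERE cat_id = %s`) is still open with quotes escaped, which is why binding the parameter rather than relying on `magic_quotes_gpc` is the durable fix.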

[Full-disclosure] Realplayer security contact address ?

2005-10-06 Thread Full Disclosure
hey, fd guys

anybody know the security contact for realplayer?
I have googled and looked for it on their website, but found nothing

thx


Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread Jurjen Oskam
On Thu, Oct 06, 2005 at 10:06:24AM +0100, PASTOR ADRIAN wrote:

 Please, if you know anything related to backdoors intercepting
 commands from log files send me some links. Ideas, comments and flames
 are more than welcome :-) .

I myself use this method to open up the SSH port for a particular IP
address. When you try to open a particular URL on my website, you get a 404
because that document doesn't exist. The webserver logs this. A script in
the background sees in the log that this happened, and opens up port 22 to
the IP address which requested the non-existent URL.

-- 
Jurjen Oskam
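The matching half of the watcher Jurjen describes, as an added example that is not his script: a strict parser for combined-format web server log lines that accepts only an exact GET of the trigger path with a 404 status, validates the client address before it can reach an `iptables` command, and returns the argv it would run rather than running it. The trigger path, the log lines and the addresses are constructed. The strictness matters because the request line in a web log is written by whoever sent the request, so a watcher that greps loosely can be fed a prefix variant by a crawler or handed a malformed "address" it then pastes into a shell command.

```python
"""Strict 404-trigger matcher for a log-driven "open port 22 to this IP" script.

Added example (not the poster's script). TRIGGER_PATH, the log lines and the
addresses are constructed; the iptables argv is built but not executed.
"""
import ipaddress
import re

# Combined log format: client IP, request line and status are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) '
)

TRIGGER_PATH = "/_knock/7f3c9e1b"   # hypothetical trigger; a real one stays secret


def knock_source(line, trigger_path=TRIGGER_PATH):
    """Return the client IP if LINE is a GET of exactly trigger_path answered
    with 404, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m.group("method") != "GET" or m.group("status") != "404":
        return None
    if m.group("path") != trigger_path:      # exact match: no prefix or ../ variants
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None                          # malformed address never reaches iptables
    return str(ip)


def allow_ssh_rule(ip):
    """Argv for the rule that opens port 22 to IP (built, not executed)."""
    return ["iptables", "-I", "INPUT", "-p", "tcp", "-s", ip, "--dport", "22", "-j", "ACCEPT"]


def watch(lines, trigger_path=TRIGGER_PATH):
    """Process log lines in order; return the argv list for each new source."""
    commands, seen = [], set()
    for line in lines:
        ip = knock_source(line, trigger_path)
        if ip and ip not in seen:            # one rule per source
            seen.add(ip)
            commands.append(allow_ssh_rule(ip))
    return commands


# Constructed log lines: a valid knock, a prefix variant, an unrelated 200,
# a repeat from the same source, and a line whose "address" is not an address.
SAMPLE_LINES = [
    '203.0.113.9 - - [06/Oct/2005:10:15:32 +0200] "GET /_knock/7f3c9e1b HTTP/1.1" 404 209 "-" "curl/7.13"',
    '198.51.100.4 - - [06/Oct/2005:10:16:01 +0200] "GET /_knock/7f3c9e1b/../index.html HTTP/1.1" 404 209 "-" "bot"',
    '198.51.100.5 - - [06/Oct/2005:10:16:05 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Oct/2005:10:16:10 +0200] "GET /_knock/7f3c9e1b HTTP/1.1" 404 209 "-" "curl/7.13"',
    'not-an-ip - - [06/Oct/2005:10:16:20 +0200] "GET /_knock/7f3c9e1b HTTP/1.1" 404 209 "-" "x"',
]

if __name__ == "__main__":
    for argv in watch(SAMPLE_LINES):
        print(" ".join(argv))
```

In production the rule should also expire (a timed `-D` of the same rule), and the trigger path travels in clear text, so this is a convenience for reducing exposure of port 22, not an authentication step.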


RE: [Full-disclosure] Interesting idea for a covert channel or I justdidn't research enough?

2005-10-06 Thread Paul Melson
-Original Message-
 I bring this up because the logs generated by the firewall do not
 necessarily reside only on the device that received the sender's packets.
 With lots of organizations working on centralizing log events so that they
 can correlate findings from different platforms, the ability to control the
 content of portions of log messages (say, for example, the source address
 reported in a syslog message indicating a dropped packet) could provide a
 vector for communicating to highly trusted systems to which one has no
 direct network access.

The problem with this type of hiding-in-plain-sight covert channel is that
it is subject to modification between sender and recipient, in this specific
case making the victim the man in the middle.  An aware victim could quickly
become an attacker.  The malware applications of this are moderately
interesting but the implications of this type of communication model in
espionage are extremely interesting.  All sorts of implications and impacts
(for instance, a double agent might intentionally use this type of
communication because it's easily intercepted and modified).  I would guess
that if there is a book on covert channels for spies out there, this is in
the chapter of things NOT to do.

PaulM




Re: [Full-disclosure] Realplayer security contact address ?

2005-10-06 Thread Juha-Matti Laurio

No e-mail security contacts mentioned at
http://www.osvdb.org/vendor_dict.php?section=vendorid=1696c=R
and
http://secunia.com/vendor/145/

There were some international phone numbers and a Japanese support e-mail at
http://service.real.com/realplayer/international/ ,
registration needed at http://service.real.com/realplayer/?logo=account 
Maybe you can try those phone numbers and mail the Japanese address with 
"SECURITY ISSUE" in the Title field.

I'm sorry about posting these suggestions to the whole list.

- Juha-Matti


 hey, fd guys

 anybody know the security contact for realplayer?
 I have googled and looked for it on their website, but found nothing

 thx




Re: [Full-disclosure] Websites vulnerabilities disclosure

2005-10-06 Thread Georgi Guninski
On Thu, Oct 06, 2005 at 09:09:32AM +0400, offtopic wrote:
 [snip] Which third party can't be used as coordinator, like CERT/CC? 

i recommend you don't use coordinators - they are f*ck*d parasites.
think about what they will coordinate - probably selling your info.
cert* sux.

-- 
where do you want bill gates to go today?



Re: [Full-disclosure] Realplayer security contact address ?

2005-10-06 Thread c0ntex
[EMAIL PROTECTED]

On 06/10/05, Full Disclosure [EMAIL PROTECTED] wrote:
 hey, fd guys

 anybody know the security contact for realplayer?
 I have googled and looked for it on their website, but found nothing

 thx



--

regards
c0ntex


Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread Michael Holstein
 Please, if you know anything related to backdoors intercepting commands 
 from log files send me some links. Ideas, comments and flames are more 
 than welcome :-) .


Webbugs, which use unique URLs under an IMG tag, are an excellent 
example of using logfiles to DO STUFF.


~Mike.


Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread Frank Knobbe
On Thu, 2005-10-06 at 16:52 -0400, Michael Holstein wrote:
 Webbugs, which use unique URLs under an IMG tag, are an excellent 
 example of using logfiles to DO STUFF.

Except that vi, less or notepad don't import anything. 

You're not looking at your log files with a web browser, are you??

-Frank




Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread Bill Weiss
Frank Knobbe([EMAIL PROTECTED])@Thu, Oct 06, 2005 at 04:53:19PM -0500:
 On Thu, 2005-10-06 at 16:52 -0400, Michael Holstein wrote:
  Webbugs, which use unique URLs under an IMG tag, are an excellent 
  example of using logfiles to DO STUFF.
 
 Except that vi, less or notepad don't import anything. 
 
 You're not looking at your log files with a web browser, are you??

He was referring not to the log viewer executing something, but
transmission of data to the server containing the URL (stored in their
logs).

A common spammer trick, used also in more legit ways, is to send an email
with an image in it.  The image is actually a CGI script that takes a
parameter, logs it, then kicks out an image.  Webbugs tend to be 1px
square, and possibly transparent.  Using this can automate testing if
email addresses are valid (by sending each address a different unique
tracking URL).

-- 
Bill Weiss



[Full-disclosure] MDKSA-2005:172 - Updated openssh packages fix GSSAPI credentials vulnerability

2005-10-06 Thread Mandriva Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

Mandriva Linux Security Update Advisory
 ___

 Package name:   openssh
 Advisory ID:MDKSA-2005:172
 Date:   October 6th, 2005

 Affected versions:  10.2
 __

 Problem Description:

 Sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, 
 allows GSSAPI credentials to be delegated to clients who log in using
 non-GSSAPI methods, which could cause those credentials to be exposed 
 to untrusted users or hosts.
 
 GSSAPI is only enabled in versions of openssh shipped in LE2005 and
 greater.
 
 The updated packages have been patched to correct this issue.
 ___

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2798
 __

 Updated Packages:
  
 Mandrivalinux 10.2:
 5b16f3323d58303c290bf4b8c4e2a4b3  10.2/RPMS/openssh-3.9p1-9.1.102mdk.i586.rpm
 2a7fca4e1c99008a53cb9498c1bd9840  10.2/RPMS/openssh-askpass-3.9p1-9.1.102mdk.i586.rpm
 65f397d175fb638d0e73912a7e9faa7d  10.2/RPMS/openssh-askpass-gnome-3.9p1-9.1.102mdk.i586.rpm
 2733baa7c0258da37920d66a7f1ee9d3  10.2/RPMS/openssh-clients-3.9p1-9.1.102mdk.i586.rpm
 a93cd3020e41bd6b25c3fa57ca8586f8  10.2/RPMS/openssh-server-3.9p1-9.1.102mdk.i586.rpm
 f90cfc307f313e14ddd919fc729f1984  10.2/SRPMS/openssh-3.9p1-9.1.102mdk.src.rpm

 Mandrivalinux 10.2/X86_64:
 545f0245578cee586f2ded4b3616061a  x86_64/10.2/RPMS/openssh-3.9p1-9.1.102mdk.x86_64.rpm
 98962ab477d7cc19338d04acdb462ec1  x86_64/10.2/RPMS/openssh-askpass-3.9p1-9.1.102mdk.x86_64.rpm
 0935a8dd00cdb2604e6fd37a6913cb91  x86_64/10.2/RPMS/openssh-askpass-gnome-3.9p1-9.1.102mdk.x86_64.rpm
 7c124895fc7fad47d1e88ee3ebe91daf  x86_64/10.2/RPMS/openssh-clients-3.9p1-9.1.102mdk.x86_64.rpm
 27bc59e934f3d196470611cc4e9dd430  x86_64/10.2/RPMS/openssh-server-3.9p1-9.1.102mdk.x86_64.rpm
 f90cfc307f313e14ddd919fc729f1984  x86_64/10.2/SRPMS/openssh-3.9p1-9.1.102mdk.src.rpm
 ___

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDReVGmqjQ0CJFipgRAgi7AJoDZK/7jx9vTmuREYGwbuuHWPZBpgCeM6Nu
tKt935OPASf8jkciIGK6c2w=
=ekrb
-END PGP SIGNATURE-
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
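
The advisory above says urpmi and MandrakeUpdate verify md5 checksums and GPG signatures for you. When the packages are fetched some other way (a local mirror, a manual download), the "Updated Packages" list can be checked by hand. The shell script below is an added example and is not Mandriva's tooling: it turns an advisory's "md5  path" list into md5sum -c input, coping with the line wrapping seen in the archived copy above, and checks the files under a mirror root. The advisory fragment, the package names (fake-pkg, fake-empty) and the directory layout in it are constructed stand-ins; the two checksums are simply the md5 of the constructed file contents, not of any real Mandriva package.

```sh
#!/bin/sh
# Added example, not Mandriva's own tooling: check downloaded update packages
# against the "Updated Packages" list of an advisory by hand, for the case
# where the automatic check done by urpmi/MandrakeUpdate is not in play
# (e.g. auditing a local mirror). Everything below is constructed: the
# advisory fragment, the package names and the directory layout stand in for
# real ones, and the checksums are those of the constructed file contents.

# advisory_to_md5sum: read advisory text on stdin and emit "md5  path" lines
# in the format `md5sum -c` expects. Archives often wrap the path onto the
# line after its checksum, so tokens are paired rather than lines trusted;
# section headers such as "Mandrivalinux 10.2:" carry no 32-hex-digit token
# and are therefore skipped.
advisory_to_md5sum() {
  awk '
    { for (i = 1; i <= NF; i++) {
        if (want) { print md5 "  " $i; want = 0 }
        else if (length($i) == 32 && $i ~ /^[0-9a-f]+$/) { md5 = $i; want = 1 }
      } }'
}

# verify_packages ROOT < advisory-text
# ROOT is the directory the advisory paths are relative to (the mirror's
# update root). Succeeds only if every listed file is present and its md5
# matches; an empty list is treated as failure, never as a pass.
verify_packages() {
  root="$1"
  list=$(advisory_to_md5sum) || return 1
  [ -n "$list" ] || return 1
  ( cd "$root" && printf '%s\n' "$list" | md5sum -c ) >/dev/null 2>&1
}

# Constructed advisory fragment in the real advisories' layout; the second
# entry is wrapped the way list archives wrap long lines. The hashes are
# md5("hello\n") and md5("") for the two stand-in files created in run_demo.
DEMO_ADVISORY=' Mandrivalinux 10.2:
 b1946ac92492d2347c6235b4d2611184  10.2/RPMS/fake-pkg-1.0.i586.rpm
 d41d8cd98f00b204e9800998ecf8427e  
10.2/RPMS/fake-empty-1.0.i586.rpm'

# run_demo: lay out the stand-in packages, verify them, then corrupt one and
# verify again. Returns 0 when the intact set passes and the corrupted set
# is rejected, which is the behaviour a checker must have.
run_demo() {
  dir=$(mktemp -d) || return 1
  mkdir -p "$dir/10.2/RPMS"
  printf 'hello\n' > "$dir/10.2/RPMS/fake-pkg-1.0.i586.rpm"   # stand-in, not a real RPM
  : > "$dir/10.2/RPMS/fake-empty-1.0.i586.rpm"
  intact_ok=1; corrupt_rejected=1
  if printf '%s\n' "$DEMO_ADVISORY" | verify_packages "$dir"; then intact_ok=0; fi
  # Simulate a truncated or tampered download: one byte differs.
  printf 'hullo\n' > "$dir/10.2/RPMS/fake-pkg-1.0.i586.rpm"
  if printf '%s\n' "$DEMO_ADVISORY" | verify_packages "$dir"; then :; else corrupt_rejected=0; fi
  rm -rf "$dir"
  [ "$intact_ok" -eq 0 ] && [ "$corrupt_rejected" -eq 0 ]
}

run_demo && echo "intact packages verified, corrupted package rejected"
```

A match only proves the file is the one the advisory lists, and md5 is no longer collision resistant, so treat this as an integrity check for corrupted or swapped mirror copies rather than as a substitute for the signature check: verify the advisory's own PGP signature against the Mandriva Security Team key (0x22458A98, fetched with the gpg command the advisory gives) before trusting the list it carries, and let urpmi's GPG check run on the RPMs themselves.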


[Full-disclosure] MDKSA-2005:174 - Updated mozilla-thunderbird packages fix multiple vulnerabilities

2005-10-06 Thread Mandriva Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

Mandriva Linux Security Update Advisory
 ___

 Package name:   mozilla-thunderbird
 Advisory ID:MDKSA-2005:174
 Date:   October 6th, 2005

 Affected versions:  10.2, 2006.0
 __

 Problem Description:

 Updated Mozilla Thunderbird packages fix various vulnerabilities:
 
 The run-mozilla.sh script, with debugging enabled, would allow local
 users to create or overwrite arbitrary files via a symlink attack on
 temporary files (CAN-2005-2353).
 
 A bug in the way Thunderbird processes XBM images could be used to
 execute arbitrary code via a specially crafted XBM image file
 (CAN-2005-2701).
 
 A bug in the way Thunderbird handles certain Unicode sequences could be
 used to execute arbitrary code via viewing a specially crafted Unicode
 sequence (CAN-2005-2702).
 
 A bug in the way Thunderbird makes XMLHttp requests could be abused by
 a malicious web page to exploit other proxy or server flaws from the
 victim's machine; however, the default behaviour of the browser is to
 disallow this (CAN-2005-2703).
 
 A bug in the way Thunderbird implemented its XBL interface could be
 abused by a malicious web page to create an XBL binding in such a way
 as to allow arbitrary JavaScript execution with chrome permissions
 (CAN-2005-2704).
 
 An integer overflow in Thunderbird's JavaScript engine could be
 manipulated in certain conditions to allow a malicious web page to
 execute arbitrary code (CAN-2005-2705).
 
 A bug in the way Thunderbird displays about: pages could be used to
 execute JavaScript with chrome privileges (CAN-2005-2706).
 
 A bug in the way Thunderbird opens new windows could be used by a
 malicious web page to construct a new window without any user interface
 elements (such as address bar and status bar) that could be used to
 potentially mislead the user (CAN-2005-2707).
 
 A bug in the way Thunderbird processed URLs on the command line could
 be used to execute arbitrary commands as the user running Thunderbird;
 this could be abused by clicking on a supplied link, such as from an
 instant messaging client (CAN-2005-2968).
 
 Tom Ferris reported that Thunderbird would crash when processing a
 domain name consisting solely of soft-hyphen characters due to a heap
 overflow when IDN processing results in an empty string after removing
 non-wrapping characters, such as soft-hyphens.  This could be exploited
 to run or install malware on the user's computer (CAN-2005-2871).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2701
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2702
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2703
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2704
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2705
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2706
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2707
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2968
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2871
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2353
  http://www.mozilla.org/security/announce/mfsa2005-59.html
  http://www.mozilla.org/security/announce/mfsa2005-58.html
  http://www.mozilla.org/security/announce/mfsa2005-57.html
 __

 Updated Packages:
  
 Mandrivalinux 10.2:
 f409c24fe8d4f732a99fff51f9223191  10.2/RPMS/mozilla-thunderbird-1.0.2-5.1.102mdk.i586.rpm
 18250e4ac4d580a595eaeb16fd3b0171  10.2/RPMS/mozilla-thunderbird-devel-1.0.2-5.1.102mdk.i586.rpm
 cbfb90b65746b4fbc0848ddbd01395bf  10.2/RPMS/mozilla-thunderbird-enigmail-1.0.2-5.1.102mdk.i586.rpm
 aa450bd7d1b82425eeef6506f90f5fb4  10.2/RPMS/mozilla-thunderbird-enigmime-1.0.2-5.1.102mdk.i586.rpm
 5320178037176424f209415c3862d014  10.2/SRPMS/mozilla-thunderbird-1.0.2-5.1.102mdk.src.rpm

 Mandrivalinux 10.2/X86_64:
 07fa1df593b92831b9f6d1a32b0b3362  x86_64/10.2/RPMS/mozilla-thunderbird-1.0.2-5.1.102mdk.x86_64.rpm
 ca26795c32146dd1ace798189588029f  x86_64/10.2/RPMS/mozilla-thunderbird-devel-1.0.2-5.1.102mdk.x86_64.rpm
 7757608ffe4e89d285bc001bdc8851cb  x86_64/10.2/RPMS/mozilla-thunderbird-enigmail-1.0.2-5.1.102mdk.x86_64.rpm
 8c386f18a449d78d3917dca387624933  x86_64/10.2/RPMS/mozilla-thunderbird-enigmime-1.0.2-5.1.102mdk.x86_64.rpm
 5320178037176424f209415c3862d014  x86_64/10.2/SRPMS/mozilla-thunderbird-1.0.2-5.1.102mdk.src.rpm

 Mandrivalinux 2006.0:
 af3330f345b3b92307550a57fb7efa80  2006.0/RPMS/mozilla-thunderbird-1.0.6-7.1.20060mdk.i586.rpm
 9ad77bad0b6c6033e063ed21a8a2cb0b