[Full-disclosure] ZRCAS-200502 - phpAdsNew SQL Injection Vulnerabilities

2005-11-10 Thread Siegfried
Zone-H Research Center Security Advisory 200502
http://www.zone-h.fr

Date of release: 11/11/2005
Software: phpAdsNew (www.phpadsnew.com)
Affected versions:
<= 2.0.6
2.0.7rc1 (latest CVS snapshot)
Risk: Medium
Discovered by: Kevin Fernandez "Siegfried" from the Zone-H Research Team

Background (from their web site)
--
phpAdsNew is an open-source ad server, with an integrated banner
management interface and tracking system for gathering statistics.
With phpAdsNew you can easily rotate paid banners and your own
in-house advertisements. You can even integrate banners from third
party advertising companies.

Details

Toni Koivunen published an advisory yesterday regarding a
vulnerability exploitable via /admin/logout.php that can be used to
delete arbitrary data (maybe more). However, more SQL injections are
present in this part of the code: none of the functions in
/admin/lib-sessions.inc.php check the "sessionID" variable
coming from the cookie. The most interesting is
phpAds_SessionDataFetch(), because it is called in config.php and makes
a simple SELECT query.

Snip:
[no previous check]
    if (isset($HTTP_COOKIE_VARS['sessionID']) &&
        $HTTP_COOKIE_VARS['sessionID'] != '')
    {
        // cookie value is concatenated into the query with no escaping
        $result = phpAds_dbQuery("SELECT sessiondata FROM "
            .$phpAds_config['tbl_session']." WHERE sessionid='"
            .$HTTP_COOKIE_VARS['sessionID']."'" .
            " AND UNIX_TIMESTAMP(NOW())-UNIX_TIMESTAMP(lastused) < 3600"); // <-- ouch
    }

Since /admin/config.php is included in /admin/index.php, we don't need
to be authenticated to exploit the vulnerability.

PoC (cookie):
sessionID=adsds'/**/UNION/**/SELECT admin_pw from phpads_config into
outfile "/var/www/blah.txt"/*;

Just "exploit" one of the many errors in the pages to get the path and
here you go, open /admin/index.php with that as cookie.

Solution
-
No patch.

Filter the variable in the affected functions.

Original advisories:
English version: http://www.zone-h.org/en/advisories/read/id=8413/
French: http://www.zone-h.fr/fr/advisories/read/id=674/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
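The session lookup the advisory above describes, as an added example that is not phpAdsNew code: the cookie-built query beside a hardened version, in Python with an in-memory sqlite3 table standing in for the MySQL session table. The sample rows and the assumption that session IDs are 32-character lowercase hex digests are constructed for the demo.

```python
"""Added example, not phpAdsNew code: the phpAds_SessionDataFetch() lookup
rebuilt against an in-memory sqlite3 table, once with the cookie spliced
into the SQL string and once with a format check plus a bound parameter.
Table contents and the 32-hex ID format are constructed/assumed."""
import re
import sqlite3

# Constructed rows standing in for $phpAds_config['tbl_session'].
SAMPLE_SESSIONS = [
    ("0cc175b9c0f1b6a831c399e2769c4ad4", "admin-session-blob"),
    ("92eb5ffee6ae2fec3ad71c777531578f", "advertiser-session-blob"),
]

# Assumption: phpAdsNew session IDs are md5 hex digests (32 lowercase hex chars).
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")


def make_db() -> sqlite3.Connection:
    """Create the constructed session table with fresh lastused timestamps."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE phpads_session "
               "(sessionid TEXT, sessiondata TEXT, lastused INTEGER)")
    db.executemany(
        "INSERT INTO phpads_session VALUES "
        "(?, ?, CAST(strftime('%s','now') AS INTEGER))",
        SAMPLE_SESSIONS)
    return db


def fetch_vulnerable(db: sqlite3.Connection, cookie_session_id: str) -> list:
    """Mirrors the advisory's snippet: the raw cookie value is concatenated
    into the query, so a quote in the cookie rewrites the WHERE clause."""
    sql = ("SELECT sessiondata FROM phpads_session WHERE sessionid='"
           + cookie_session_id + "'"
           " AND CAST(strftime('%s','now') AS INTEGER) - lastused < 3600")
    return [row[0] for row in db.execute(sql)]


def fetch_hardened(db: sqlite3.Connection, cookie_session_id: str) -> list:
    """Reject anything that is not a well-formed session ID before it reaches
    the database, then bind the value instead of interpolating it."""
    if not SESSION_ID_RE.match(cookie_session_id):
        return []
    sql = ("SELECT sessiondata FROM phpads_session WHERE sessionid=?"
           " AND CAST(strftime('%s','now') AS INTEGER) - lastused < 3600")
    return [row[0] for row in db.execute(sql, (cookie_session_id,))]


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"   # constructed: breaks out of the quoted literal
    print(fetch_vulnerable(db, tampered))   # both rows come back
    print(fetch_hardened(db, tampered))     # []
```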


Re: [Full-disclosure] Meeting Room Names

2005-11-10 Thread Native.Code
My intention is really to get some cool ideas but seems like some people are not happy about it. Obviously I don't want to offend anyone but I hope that when people subscribe to any mailing list, they should understand that they may not like *everything* being posted to that list.

 
I don't like some stuff posted on this list too but I just delete those conversations instead of complaining.
 
Some of you have really given good ideas. I am ranking those and once we decide on Monday, will send a note of thanks. Till then, if any of you has another idea, please send it in :-)

 
Regards,
On 11/10/05, Jeanmougin, Mark <[EMAIL PROTECTED]> wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Native.Code
> Sent: Wednesday, November 09, 2005 23:35
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Meeting Room Names
>
> Thanks all for cool ideas! I kind of like HTTP status codes and
> Microsoft product codenames. But still did not get any perfect
> choices. Please keep the choices coming!
>
> How about names which sound in same rank of "Dungeon"? Feel free to
> use your non-IT creativity as well!
>
> Thanks a lot again.

Native.Code,

I know that you're getting some heat about having this discussion on
list, but I'm really enjoying it.  So, please continue to copy me on any
list ideas you're hearing.

Thanks!
MJ


[Full-disclosure] Re: sugget a small pentest distro

2005-11-10 Thread crazy frog crazy frog
Thanks everyone for your kind help. I wanted something which fits on my
USB drive, so phla little boy is just fine :)

On 11/11/05, Mike Allred <[EMAIL PROTECTED]> wrote:
> Not billed as ultra-secure necessarily, but Damn Small Linux is currently
> updated and has an extremely tiny footprint (50MB).
>
>  http://www.damnsmalllinux.org/
>
>
> On 11/9/05, crazy frog crazy frog < [EMAIL PROTECTED]> wrote:
> >
> > Hi,
> > can anyone suggest a small pentest Linux distro. Smallest means (under
> > 250 MB). I've seen one on the whax site. Has anyone used it?
> > no google please
> > --
> > ting ding ting ding ting ding
> > ting ding ting ding ding
> > i m crazy frog :)
> > "oh yeah oh yeah...
> > another wannabe, in hackerland!!!"
> >
> >


--
ting ding ting ding ting ding
ting ding ting ding ding
i m crazy frog :)
"oh yeah oh yeah...
 another wannabe, in hackerland!!!"


[Full-disclosure] iDEFENSE Security Advisory 11.10.05: Tikiwiki tiki-user_preferences Command Injection Vulnerability

2005-11-10 Thread iDEFENSE Labs
Tikiwiki tiki-user_preferences Command Injection Vulnerability

iDEFENSE Security Advisory 11.10.05
www.idefense.com/application/poi/display?id=335&type=vulnerabilities
November 10, 2005

I. BACKGROUND

Tikiwiki Community Portal is a full featured, freely available,
Wiki/CMS/Groupware system written in PHP. More information is available
at:

http://tikiwiki.org/

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in Tikiwiki
could allow attackers to gain access to arbitrary files on the
vulnerable system and execute arbitrary code under the privileges of the
underlying web-server.

The problem specifically exists in the following snippet of code from
tiki-user_preferences.php:

if (isset($_REQUEST["prefs"])) {
    ...
    if ($change_language == 'y') {
        if (isset($_REQUEST["language"])) {
            $tikilib->set_user_preference($userwatch, 'language',
                $_REQUEST["language"]);

            $smarty->assign('language', $_REQUEST["language"]);
            include ('lang/' . $_REQUEST["language"] . '/language.php');
        }
    }
}

No sanity checking is done on the 'language' parameter prior to
utilizing it in a call to the PHP function include(). By specifying a
path with directory traversal modifiers, an attacker can request an
arbitrary file to load and render on the screen.

III. ANALYSIS

Exploitation could allow authenticated remote attackers to access
arbitrary files on the vulnerable system with the privileges of the
underlying web-server. If external database access is allowed,
exploitation can result in a full database compromise since database
credentials are easily exposed through this vulnerability.

Exploitation can result in arbitrary command execution with the
privileges of the underlying targeted web server. This is possible
because attackers can generate request URLs with arbitrary script
directives that are recorded in the web server log files. Attackers can
then utilize the path to the poisoned log file in the file inclusion,
resulting in the directives being parsed and executed.

IV. DETECTION

iDEFENSE has confirmed the existence of this issue in Tikiwiki versions
1.8.4 and 1.8.5. It is suspected that earlier versions are vulnerable as
well.

V. WORKAROUND

Restrict anonymous access to Tikiwiki. If remote database connectivity
is not required, configure the underlying database server to bind to
localhost only or firewall the listening port to accept trusted hosts
only. Restrict read access of log files from the web server user.

VI. VENDOR RESPONSE

This vulnerability has been addressed in Tikiwiki 1.9.1 which is
available for download at:

  http://tikiwiki.org/tiki-index.php?page=Download

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-1925 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/07/2005  Initial vendor notification
08/21/2005  Initial vendor response
11/10/2005  Public disclosure

IX. CREDIT

This vulnerability was discovered by both Maciej Piotr Falkiewicz
(fingerout[at]gmail[dot]com) and an anonymous contributor.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (C) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.




[Full-disclosure] iDEFENSE Security Advisory 11.10.05: Tikiwiki tiki-editpage Arbitrary File Exposure Vulnerability

2005-11-10 Thread iDEFENSE Labs
Tikiwiki tiki-editpage Arbitrary File Exposure Vulnerability

iDEFENSE Security Advisory 11.10.05
www.idefense.com/application/poi/display?id=337&type=vulnerabilities
November 10, 2005

I. BACKGROUND

Tikiwiki Community Portal is a full featured, freely available,
Wiki/CMS/Groupware system written in PHP. More information is available
at:

http://tikiwiki.org/

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in Tikiwiki
allows attackers to gain access to arbitrary files on the vulnerable
system under the privileges of the underlying web-server.

The problem specifically exists in the following snippet of code from
tiki-editpage.php:

$sdta = @file_get_contents($suck_url);
...
$htmlparser = new HtmlParser($sdta, $grammar, '', 0);
$htmlparser->Parse();

No sanity checking is done on the 'suck_url' parameter prior to
utilizing it as the path to a file to read and parse. By specifying a
path with directory traversal modifiers an attacker can request an
arbitrary file to load and render on the screen.

III. ANALYSIS

Successful exploitation allows unauthenticated remote attackers to
access arbitrary files on the vulnerable system with the privileges of
the underlying web-server. If external database access is allowed, then
exploitation can result in a full database compromise as the database
credentials are easily exposed through this vulnerability.

IV. DETECTION

iDEFENSE has confirmed the existence of this issue in Tikiwiki versions
1.8.4 and 1.8.5. It is suspected that earlier versions are vulnerable as
well.

V. WORKAROUND

Restrict unnecessary access to Tikiwiki with firewall filters or HTTP
based authentication. If remote database connectivity is not required,
configure the underlying database server to bind to localhost only or
firewall the listening port to accept trusted hosts only.

VI. VENDOR RESPONSE

This vulnerability has been addressed in Tikiwiki 1.9.1 which is
available for download at:

  http://tikiwiki.org/tiki-index.php?page=Download

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-1925 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/07/2005  Initial vendor notification
08/21/2005  Initial vendor response
11/10/2005  Public disclosure

IX. CREDIT

[EMAIL PROTECTED] is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (C) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


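Both Tikiwiki advisories above come down to a request parameter used as a file path with no check: 'language' spliced into an include() path, and 'suck_url' handed to file_get_contents(), which opens local paths as readily as URLs. The following is an added example (not Tikiwiki's code or its 1.9.1 fix) of the two checks, in Python: an allow-list of real lang/ subdirectories re-verified with realpath, and a scheme/host check for the remote URL. The lang/ tree and the example.test host are constructed for the demo.

```python
"""Added example (not Tikiwiki code): the checks the tiki-user_preferences
and tiki-editpage advisories say were missing. The lang/ layout and the
.test hostname are constructed for the demo."""
import os
import tempfile
from urllib.parse import urlparse


def resolve_language_file(lang_root: str, language: str) -> str:
    """Return lang/<language>/language.php only if <language> names an
    existing subdirectory of lang_root. Traversal strings never reach the
    filesystem: the value is compared against an allow-list built from the
    directory listing, and the final path is re-checked with realpath."""
    allowed = {d for d in os.listdir(lang_root)
               if os.path.isdir(os.path.join(lang_root, d))}
    if language not in allowed:
        raise ValueError(f"unknown language {language!r}")
    path = os.path.realpath(os.path.join(lang_root, language, "language.php"))
    root = os.path.realpath(lang_root) + os.sep
    if not path.startswith(root):  # defence in depth against a symlinked entry
        raise ValueError("language path escapes lang/")
    return path


def validate_remote_url(url: str) -> str:
    """Accept only http(s) URLs that carry a host, so a bare local path or a
    file:// URL is refused before anything like file_get_contents() runs."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"refusing non-HTTP source {url!r}")
    return url


def demo() -> dict:
    """Build a constructed lang/ tree and exercise both checks; returns a
    dict of input -> 'accepted'/'rejected' plus two boolean sanity keys."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        lang_root = os.path.join(tmp, "lang")
        for code in ("en", "fr"):
            os.makedirs(os.path.join(lang_root, code))
            with open(os.path.join(lang_root, code, "language.php"), "w") as f:
                f.write("<?php // constructed stub\n")
        results["en_ok"] = resolve_language_file(lang_root, "en").endswith(
            os.path.join("lang", "en", "language.php"))
        for bad in ("../../etc/passwd", "../etc/passwd%00", "en/../fr"):
            try:
                resolve_language_file(lang_root, bad)
                results[bad] = "accepted"
            except ValueError:
                results[bad] = "rejected"
    good_url = "http://wiki.example.test/page.html"
    results["http_ok"] = validate_remote_url(good_url) == good_url
    for bad in ("/etc/passwd", "file:///etc/passwd", "../tiki-setup.php"):
        try:
            validate_remote_url(bad)
            results[bad] = "accepted"
        except ValueError:
            results[bad] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```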


[Full-disclosure] iDEFENSE Security Advisory 11.10.05: Stack Overflow in Veritas Netbackup Enterprise Server

2005-11-10 Thread iDEFENSE Labs
Stack Overflow in Veritas Netbackup Enterprise Server 

iDEFENSE Security Advisory 11.10.05
www.idefense.com/application/poi/display?id=336&type=vulnerabilities
November 10, 2005

I. BACKGROUND

VERITAS NetBackup Enterprise Server delivers mainframe-class data 
protection for the largest UNIX, Windows, Linux, and NetWare enterprise 
environments, especially for corporate data centers. 

http://veritas.com/Products/www?c=product&refId=2

VERITAS NetBackup Server software is a cost-effective heterogeneous backup
and recovery solution designed for mid-size organizations, workgroups, and
remote offices.

II. DESCRIPTION

Exploitation of a buffer overflow vulnerability in Veritas Netbackup
could lead to a remote Denial Of Service or remote code execution. The
Veritas Netbackup Volume Manager keeps track of the location of volumes 
(tapes) needed for backup or restore. 

By sending a specially crafted packet to the Volume Manager, a stack
overflow occurs. This is caused by improper bounds checking.

III. ANALYSIS

Exploitation does not require authentication, thereby allowing any remote
attacker to take over the entire system or to disrupt the backup
capabilities. 

IV. DETECTION

The following versions are confirmed vulnerable:

- Veritas Netbackup 5.0 with MP1 (vmd.exe 5.0.0.370) 
- Veritas Netbackup 5.0 with MP2 (vmd.exe 5.0.0.372) 
- Veritas Netbackup 5.0 with MP3 (vmd.exe 5.0.0.377) 
- Veritas Netbackup 5.0 with MP4 (vmd.exe 5.0.0.382) 
- Veritas Netbackup 5.0 with MP5 (vmd.exe 5.0.0.387) 
- Veritas Netbackup 5.1 without MP (vmd.exe 5.1.0.135) 
- Veritas Netbackup 5.1 with MP1 (vmd.exe 5.1.0.140) 
- Veritas Netbackup 5.1 with MP2 (vmd.exe 5.1.0.146) 
- Veritas Netbackup 5.1 with MP3A (vmd.exe 5.1.0.150) 

V. WORKAROUND

Use a firewall to restrict incoming connections to trusted workstations
running the Backup Exec client software, which uses port 13701 TCP.
Later details released by Symantec state that the vulnerable code may
be able to be exploited through other NetBackup ports/services.

VI. VENDOR RESPONSE

The vendor has released the following advisory to address this
vulnerability:

 http://seer.support.veritas.com/docs/279553.htm

Patches for NetBackup 5.0 and 5.1 are available from the following location:

 http://support.veritas.com/menu_ddProduct_NBUESVR_view_DOWNLOAD.htm

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3116 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/14/2005 Initial vendor notification
09/14/2005 Initial vendor response
11/10/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (C) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.




Re: WAS: Re: [Full-disclosure] RE: Spamcop automated reporting script...

2005-11-10 Thread Bart Lansing
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Bob,

First...the knujon site clearly states: "Return forged email to
original sender", so yes, forgery most assuredly has a relationship
to this conversation since it's apparently what knujon does, at
least according to knujon. True, packet shaping is not involved
here...I said it's a better solution than this one...which, no
matter how much I read keeps coming back to "we'll fire emails at
the genuine sender of your spam...isn't that great?".
Anyway...

I think the biggest point missed here is this:  The sender you
identify...99 out of 100 times, is not the twit who is actually
doing the spamming.  Nowhere in the header will you be able to
parse out
"[EMAIL PROTECTED]'s_Box_I_really_run_This_Box.com".
The sender you identify is some poor end user or clueless sysadmin
who got their box/server owned.  At best, given what you just said,
you are doing no more than SpamCop already does, yes?

On we merrily go...

Bob, help me understand why it is you feel that ICANN will somehow
respond to you and shut down the domains where spam is coming from,
please.  Where it's coming from is NOT a mystery...hasn't been in
ages.  A quick trip to spamhaus will handle that for you.  I know
who those domains are, everyone on this list knows...or can know
with trivial effort...who those domains are, and ICANN sure as hell
knows who those domains are.


Why should any of us think that somehow this new service has more
cred with ICANN or the ISPs than spamhaus, spamcop, et al?  We who
get to try and stop this crap from flooding mail servers have been
reporting for quite some time now...and funny, I don't see ICANN
shutting down MCI, SBC, Comcast, level3, or any of the rest of the
top 10.  The simple fact is that ICANN's not going to shut them
down...and it wouldn't matter if they did.  That's right...would
not matter.  If one compromised machine that is being used as a
spam generator goes dark, do you really think the real spammer
won't just find a new one?

As I said in the first email, you are going to return mail to the
"actual sender" and I guess, the sender's ISP...who is in reality
not at all the actual sender.

Last but not least...I love the "if you don't agree that we know THE
WAY it's only because you don't get it...but that's ok, most people
don't...just trust us." bit.  You're right, none of us on this list
can grok "KnujOn has a special algorithm that finds out where the
email is really coming from and then returns the email to the sender."  Yep,
that sure as hell is rocket science (ok, where is that guy from
nasa we had here...maybe he can help us out) Bob.

Anyway, I've burned enough cycles on this...

Cheers,

Bart

On Thu, 10 Nov 2005 12:51:24 -0800 [EMAIL PROTECTED] wrote:
>Hi Bart,
>
>  Sorry but you missed a few points. The mail you would forward will be
>sorted so that only one email goes back to the source. Next the source
>will lose its domain registration if they do not follow the ICANN rules,
>which is most spammers. In general, they do not tell the truth nor do they
>behave responsibly.
>
> Packet shaping and forgery have no relationship to this.
>
> The experience so far is that no one gets it the first time around and
>very few of them after some effort. It is not like any current approach,
>so don't feel bad. It is a very good idea, once it's understood.
>
> There is no real increase in mail from KnujOn, but the decrease in spam
>received has been proven in alpha testing. Your filter, we'll take it from
>there.
>
> cheers, bob
>
>On Thu, 10 Nov 2005, Bart Lansing wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>>
>> Bob,  took a little trip to KnujOn, and have a comment or two...
>>
>> >From the site, with comments parenthetically inserted inline:
>>
>> _
>>
>> I already have a spam filter/blocker, why do I need KnujOn?
>>
>> Filters and blockers stop spam from reaching mailboxes but do not
>> actually stop the flow of spam. The messages pile up and must be
>> reviewed and deleted. Would it not be nice to just dump all the
>> messages in a program and have them returned to the sender?
>> (Collecting and bouncing back all of the spam certainly does not
>> block the flow of Spam either...in fact, you just doubled the
>> traffic and if the actual sender is a bot'd machine, all you are
>> doing is needlessly congesting the 'net and not doing anything to
>> the spammer.)
>>
>> How is KnujOn different from current anti-spam programs?
>>
>> Filters and blockers search emails for keywords and other content
>> that flag messages as possible junk mail and then divert the email
>> to a quarantine area for review or deletion. KnujOn takes junk
>> email and returns it to the sender.  (So, you have...a
>> bounceback routine when you find a forged sender...see
>> above...returning to sender is bad, Bob.  A better app

Re: [Full-disclosure] Vuln scanner software choices

2005-11-10 Thread Paul Schmehl
--On Thursday, November 10, 2005 12:32:27 -0700 Tblinux <[EMAIL PROTECTED]> wrote:

> I know that most if not all of you use or have used Nessus at some point.
> I've been following the thread. Now that it appears that Nessus is
> seriously ratcheting down support for independent consultants and
> corporate / gov't users without a registered and paid for license, what
> scanning software are you considering? Has anyone done a *complete*
> comparison of all of the scanning software out there and made a choice
> based on the findings? If so, what was it?

There's bound to be a comparison somewhere.  All I can tell you, from 
personal experience, is avoid ISS like the plague it is.


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: WAS: Re: [Full-disclosure] RE: Spamcop automated reporting script...

2005-11-10 Thread VTLinux

Hi Bart,

  Sorry but you missed a few points. The mail you would forward will be
sorted so that only one email goes back to the source. Next the source
will lose its domain registration if they do not follow the ICANN rules,
which is most spammers. In general, they do not tell the truth nor do they
behave responsibly.

 Packet shaping and forgery have no relationship to this. 

 The experience so far is that no one gets it the first time around and 
very few of them after some effort. It is not like any current approach, 
so don't feel bad. It is a very good idea, once it's understood.

 There is no real increase in mail from KnujOn, but the decrease in spam 
received has been proven in alpha testing. Your filter, we'll take it from 
there.

 cheers, bob

On Thu, 10 Nov 2005, Bart Lansing wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> 
> Bob,  took a little trip to KnujOn, and have a comment or two...
> 
> >From the site, with comments parenthetically inserted inline:
> 
> _
> 
> I already have a spam filter/blocker, why do I need KnujOn?
> 
> Filters and blockers stop spam from reaching mailboxes but do not
> actually stop the flow of spam. The messages pile up and must be
> reviewed and deleted. Would it not be nice to just dump all the
> messages in a program and have them returned to the sender?
> (Collecting and bouncing back all of the spam certainly does not
> block the flow of Spam either...in fact, you just doubled the
> traffic and if the actual sender is a bot'd machine, all you are
> doing is needlessly congesting the 'net and not doing anything to
> the spammer.)
> 
> How is KnujOn different from current anti-spam programs?
> 
> Filters and blockers search emails for keywords and other content
> that flag messages as possible junk mail and then divert the email
> to a quarantine area for review or deletion. KnujOn takes junk
> email and returns it to the sender.  (So, you have...a
> bounceback routine when you find a forged sender...see
> above...returning to sender is bad, Bob.  A better approach would
> be traffic shaping, which of course is already being done elsewhere
> by others, which throttles the spam and forces it to time out.  Of
> course, just nuking the stuff before it hits the mail gateways is a
> tried and true approach as well)
> 
> What does KnujOn do?
> 
> KnujOn has a special algorithm that finds out where the email is
> really coming from and then returns the email to the sender. KunjOn
> also collects information about junk mailers and detects fraudulent
> Internet activity, alerting possible victims before damage is done.
> (So, you use the same [or similar] algorithm that has been
> employed by Spamcop and Co. for some time now to validate the
> header information and then, when you find a forged sender, you
> clog the internet with useless bouncebacks to machines that are
> likely not owned by the spammer you want to harm.)
> ___
> 
> Looks to me like a) nothing new from a technology perspective, b)
> something we would NOT want to see done vis-a-vis rampant
> bouncebacks, and c) something that does nothing like SpamCop does
> to inform ISPs and other interested parties of the spam that is
> occurring.  In short, IMHO, this is a bad idea.
> 
> Cheers
> 
> Bart
> 
> On Thu, 10 Nov 2005 06:35:23 -0800 [EMAIL PROTECTED] wrote:
> >If you would like an alternative, you can sign up for a beta test at
> >www.KnujOn.com. All you will have to do is forward your spam to an email
> >address which you will be given. Everything else is taken care of. The
> >signup is free and easy but limited. Click the Personal tab...
> >
> >   cheers, bob
> >
> >On Thu, 10 Nov 2005, Aditya Deshmukh wrote:
> >
> >> > Has anyone got an automated spamcop reporting script?
> >> >
> >> >
> >> > Thanks in advance if you can send in .txt format
> >> > preferably offlist.
> >>
> >> I hit the send before I could explain what I wanted to do...
> >> I have a spamcop account - and I managed to get the spamcop
> >> Url with the reportID to a file using fetchmail + grep
> >> Combination.
> >>
> >> But there is some thing I cannot get working with the
> >> Spamcop spam submission form used to complete the spam
> >> Reporting. Has anyone made something like this before ?
> >>
> >
> Get the be

[Full-disclosure] [EEYEB-20050701] - RealPlayer Zipped Skin File Buffer Overflow II

2005-11-10 Thread Advisories
RealPlayer Zipped Skin File Buffer Overflow II

Release Date:
November 10, 2005

Date Reported:
June 26, 2005

Severity:
High (Code Execution)

Vendor:
RealNetworks

Systems Affected:
Windows:
RealPlayer 10.5 (6.0.12.1040-1235)
RealPlayer 10
RealOne Player v2
RealOne Player v1
RealPlayer 8

Overview:
eEye Digital Security has discovered a vulnerability in RealPlayer that
allows a remote attacker to reliably overwrite the heap with arbitrary
data and execute arbitrary code in the context of the user under which
the player is running.

Technical Details:
A RealPlayer skin file (.rjs extension) can be downloaded and applied
automatically through a web browser without the user's permission. A
skin file is a bundle of graphics and a .ini file, stored together in
ZIP format. DUNZIP32.DLL, which is included with RealPlayer, is used to
extract the contents of the skin file. When RealPlayer processes a zip
file, it will allocate the field of the file, but when it is copied it
will rely on the real unzip content to copy. So an attacker can zip one
file that has hostile data and create an .rjs file. We can change the file
length field of the .rjs file so that when it processes this zip file it
will cause a heap overflow.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
RealNetworks has released a patch for this vulnerability. The patch is
available via the "Check for Update" menu item under Tools on the
RealPlayer menu bar or from http://service.real.com/realplayer/security/

Credit:
Fang Xing 

Related Links:
This vulnerability has been assigned the following ID numbers:

EEYEB-20050701
OSVDB ID: 18827
CVE ID: CAN-2005-2630

Greetings:
Thanks to Karl Lynn and the eeye guys for helping me analyze and write
the advisory, greets to xfocus and venus-tech lab guys.

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
[EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [EEYEB-20050510] - RealPlayer Data Packet Stack Overflow

2005-11-10 Thread Advisories
RealPlayer Data Packet Stack Overflow

Release Date:
November 10, 2005

Date Reported:
May 28, 2005

Severity:
High (Remote Code Execution)

Vendor:
RealNetworks

Systems Affected:
Windows:
RealPlayer 10.5 (6.0.12.1040-1235)
RealPlayer 10
RealOne Player v2
RealOne Player v1
RealPlayer 8
RealPlayer Enterprise
 
Mac:
RealPlayer 10
 
Linux:
RealPlayer 10 (10.0.0 - 5)
Helix Player (10.0.0 - 5)

Overview:
eEye Digital Security has discovered a critical vulnerability in
RealPlayer. The vulnerability allows a remote attacker to reliably
overwrite stack memory with arbitrary data and execute arbitrary code in
the context of the user who executed the player.

This specific flaw exists in the first data packet contained in a Real
Media file. By specially crafting a malformed .rm movie file, a direct
stack overwrite is triggered, and reliable code execution is then
possible.

Technical Details:
The vulnerability is triggered by setting the application-specific
length field of the [data packet + 1] to a value in the range 0x80 -
0xFF. The value is sign-extended and passed as the length to memcpy,
which overflows the stack.
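The sign-extension step described above, as an added example that is not code from eEye or RealNetworks. The one-length-byte-then-data packet layout and the 256-byte stack buffer are assumed, simplified stand-ins for the real data packet format; what the block shows is how a length byte of 0x80 - 0xFF becomes a huge `size_t` when the field is read through a signed 8-bit type, and how the unsigned, bounded read avoids it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed layout: one application-specific length byte, then that many bytes
 * of data, copied into a fixed stack buffer. Not RealMedia's real format. */
#define APP_DATA_CAP 256   /* assumed size of the stack buffer the data lands in */

/* What memcpy receives when the length byte is read through a signed 8-bit type.
 * 0x00..0x7F stay as they are; 0x80..0xFF become -128..-1 after integer
 * promotion and wrap to SIZE_MAX-127..SIZE_MAX when converted to size_t. */
size_t sign_extended_len(uint8_t raw)
{
    signed char field = (signed char)raw;   /* the bug: signed read of the field */
    int promoted = field;                   /* sign-extended to int              */
    return (size_t)promoted;                /* huge for any value >= 0x80        */
}

/* Vulnerable shape (shown, not executed): the field goes straight to memcpy,
 * so any 0x80..0xFF byte copies far beyond the 256-byte stack buffer.
 *   char app_data[APP_DATA_CAP];
 *   memcpy(app_data, pkt + 1, sign_extended_len(pkt[0]));
 */

/* Hardened read: unsigned field, bounded by both the destination capacity and
 * the bytes that actually follow the length byte. Returns 0 on success, -1 if
 * the packet is rejected; *out_len receives the number of bytes copied. */
int copy_app_data(uint8_t *dst, size_t dst_cap,
                  const uint8_t *pkt, size_t pkt_len, size_t *out_len)
{
    if (pkt_len < 1) return -1;
    size_t n = pkt[0];                      /* uint8_t: 0..255, never negative */
    if (n > pkt_len - 1) return -1;         /* declares more than is present   */
    if (n > dst_cap) return -1;             /* would overrun the destination   */
    memcpy(dst, pkt + 1, n);
    *out_len = n;
    return 0;
}

/* Constructed packet: len_byte followed by `present` bytes of 0x41. Returns the
 * hardened copy's verdict (0 accepted, -1 rejected). */
int hardened_verdict(uint8_t len_byte, size_t present)
{
    uint8_t pkt[1 + 300];
    uint8_t app_data[APP_DATA_CAP];
    size_t out_len = 0;
    if (present > 300) return -1;
    pkt[0] = len_byte;
    memset(pkt + 1, 0x41, present);
    return copy_app_data(app_data, sizeof app_data, pkt, 1 + present, &out_len);
}
```

The two conversions in `sign_extended_len` are exactly the chain a signed `char` length takes on the way to `memcpy(void *, const void *, size_t)`: the compiler does not warn, and a value the format treats as 128..255 arrives as a length near SIZE_MAX.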

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink End Point Protection proactively protects against this
vulnerability.

Vendor Status:
RealNetworks has released a patch for this vulnerability. The patch is
available via the "Check for Update" menu item under Tools on the
RealPlayer menu bar or from
http://service.real.com/realplayer/security/.

Credit:
Karl Lynn

Related Links:
This advisory has been assigned the following ID numbers:

EEYEB-20050510
OSVDB ID: 18822
CVE ID: CAN-2005-2629

Greetings:
Brett Moore, Mark Dowd, Paul Gese @ RealNetworks, Mike Schiffman, AJREZ,
Luke, Derek "TEX" Soeder, Andre Audits, "The Claw", and Dug Song. 

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
[EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.


[Full-disclosure] Vuln scanner software choices

2005-11-10 Thread Tblinux
I know that most if not all of you use or have used Nessus at some 
point. I've been following the thread. Now that it appears that Nessus 
is seriously ratcheting down support for independent consultants and 
corporate / gov't users without a registered and paid for license what 
scanning software are you considering? Has anyone done a *complete* 
comparison of all of the scanning software out there and made a choice 
based on the findings? If so what was it?


I work for a fairly large company and the contract negotiations with 
Tenable are going poorly and the company I work for is looking at the 
options.


Any input would be greatly appreciated


[Full-disclosure] RE: sugget a small pentest distro

2005-11-10 Thread Caleb
If you are serious about a small distro you might want to build your own.
Check out www.linuxfromscratch.org, you can build a custom distro with all
the tools you want and nothing else to slow your machine down. Plus you will
learn tons about how Linux works from a security standpoint and what makes
it tick. Oh, and a noteworthy item is that the author claims that he built
a fully functional distro to run Apache in 8 MB, so size is not an issue. 

Cheers,
C S

-Original Message-
From: crazy frog crazy frog [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 08, 2005 10:51 PM
To: pen-test@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: sugget a small pentest distro

Hi,
can anyone suggest a small pentest linux distro? smallest means under
250 MB. I have seen one on the whax site; has anyone used it?
no google please
--
ting ding ting ding ting ding
ting ding ting ding ding
i m crazy frog :)
"oh yeah oh yeah...
 another wannabe, in hackerland!!!"




Re: [Full-disclosure] sugget a small pentest distro

2005-11-10 Thread MadHat

On Nov 8, 2005, at 11:51 PM, crazy frog crazy frog wrote:

Hi,
can anyone suggest a small pentest linux distro? smallest means under
250 MB. I have seen one on the whax site; has anyone used it?
no google please


so why can't you do your own research?  What's wrong with using Google  
to get a simple answer?


So for auditing, with live CDs...
Knoppix STD is not bad, except for the name... http://www.knoppix-std.org/
Whoppix was ok.  It has been renamed to whax  (http://www.iwhax.net/modules/news/)

Phlak (http://www.phlak.org/modules/news/)
Auditor (http://new.remote-exploit.org/index.php/Auditor_main)
PLAC: http://sourceforge.net/projects/plac

if you want to look at forensics tools instead of auditing tools.
Fire: http://fire.dmzs.com/
Helix: http://www.e-fense.com/helix/
FCCU: http://www.d-fence.be/
SleuthKit: http://www.sleuthkit.org/sleuthkit/desc.php
Penguin Sleuth: http://www.linux-forensics.com/downloads.html
etc

You just want super small?
LMS:  http://linuxmobile.sourceforge.net/
Damn Small Linux:  http://www.damnsmalllinux.org/
FeatherLinux: http://featherlinux.berlios.de/
FlashLinux: http://flashlinux.org.uk/
CPX-Mini: http://www.informatik.hu-berlin.de/~bading/cpx-mini/
Knoppix-USB: http://rz-obrian.rz.uni-karlsruhe.de/knoppix-usb/
Puppy-Linux: http://www.goosee.com/puppy/
etc...

And of course if you don't know how to add and remove the tools you  
want from these, maybe you should do more research.


Everyone has different needs.  You don't state yours, so how can we  
answer?  I have used several of these, some were useful, others, not  
so much...  Will they work for you? who knows, since you don't say  
specifically what you want.  What is "pentest" exactly?  What are you  
testing?  What kind of environment?  Not that anyone here really  
cares, but if you are going to ask a question, you might try and  
research it first, then ask detailed questions.


--
MadHat (at) Unspecific.com, C²ISSP
E786 7B30 7534 DCC2 94D5  91DE E922 0B21 9DDC 3E98
gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98



WAS: Re: [Full-disclosure] RE: Spamcop automated reporting script...

2005-11-10 Thread Bart Lansing


Bob,  took a little trip to KnujOn, and have a comment or two...

From the site, with comments parenthetically inserted inline:

_

I already have a spam filter/blocker, why do I need KnujOn?

Filters and blockers stop spam from reaching mailboxes but do not
actually stop the flow of spam. The messages pile up and must be
reviewed and deleted. Would it not be nice to just dump all the
messages in a program and have them returned to the sender?
(Collecting and bouncing back all of the spam certainly does not
block the flow of Spam either...in fact, you just doubled the
traffic and if the actual sender is a bot'd machine, all you are
doing is needlessly congesting the 'net and not doing anything to
the spammer.)

How is KnujOn different from current anti-spam programs?

Filters and blockers search emails for keywords and other content
that flag messages as possible junk mail and then divert the email
to a quarantine area for review or deletion. KnujOn takes junk
email and returns it to the sender.  (So, you have... a
bounceback routine when you find a forged sender... see
above... returning to sender is bad, Bob.  A better approach would
be traffic shaping, which of course is already being done elsewhere
by others, which throttles the spam and forces it to time out.  Of
course, just nuking the stuff before it hits the mail gateways is a
tried and true approach as well)

What does KnujOn do?

KnujOn has a special algorithm that finds out where the email is
really coming from and then returns the email to the sender. KnujOn
also collects information about junk mailers and detects fraudulent
Internet activity, alerting possible victims before damage is done.
(So, you use the same [or similar] algorithm that has been
employed by Spamcop and Co. for some time now to validate the
header information and then, when you find a forged sender, you
clog the internet with useless bouncebacks to machines that are
likely not owned by the spammer you want to harm.)
___

Looks to me like a) nothing new from a technology perspective, b)
something we would NOT want to see done vis-a-vis rampant
bouncebacks, and c) something that does nothing like SpamCop does
to inform ISPs and other interested parties of the spam that is
occurring.  In short, IMHO, this is a bad idea.

Cheers

Bart

On Thu, 10 Nov 2005 06:35:23 -0800 [EMAIL PROTECTED] wrote:
>If you would like an alternative, you can sign up for a beta test
>at
>www.KnujOn.com. All you will have to do is forward your spam to an
>email
>address which you will be given. Everything else is taken care of.
>The
>signup is free and easy but limited. Click the Personal tab...
>
>   cheers, bob
>
>On Thu, 10 Nov 2005, Aditya Deshmukh wrote:
>
>> > Has anyone got an automated spamcop reporting script?
>> >
>> >
>> > Thanks in advance if you can send in .txt format
>> > preferably offlist.
>>
>> I hit send before I could explain what I wanted to do...
>> I have a spamcop account - and I managed to get the spamcop
>> URL with the reportID to a file using a fetchmail + grep
>> combination.
>>
>> But there is something I cannot get working with the
>> Spamcop spam submission form used to complete the spam
>> reporting. Has anyone made something like this before?
>>
>


Re: [Full-disclosure] RE: Spamcop automated reporting script...

2005-11-10 Thread bruen

If you would like an alternative, you can sign up for a beta test at
www.KnujOn.com. All you will have to do is forward your spam to an email
address which you will be given. Everything else is taken care of. The 
signup is free and easy but limited. Click the Personal tab...

   cheers, bob 

On Thu, 10 Nov 2005, Aditya Deshmukh wrote:

> > Has anyone got an automated spamcop reporting script?
> > 
> > 
> > Thanks in advance if you can send in .txt format 
> > preferably offlist.
> 
> I hit send before I could explain what I wanted to do... 
> I have a spamcop account - and I managed to get the spamcop
> URL with the reportID to a file using a fetchmail + grep 
> combination. 
> 
> But there is something I cannot get working with the 
> Spamcop spam submission form used to complete the spam
> reporting. Has anyone made something like this before?
> 



[Full-disclosure] RE: sugget a small pentest distro

2005-11-10 Thread Simpson, Brett
Although this (System Auditor) isn't 250 MB in size it does run as a
live CD.

http://www.remote-exploit.org/index.php/Auditor_main 

-Original Message-
From: crazy frog crazy frog [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 09, 2005 12:51 AM
To: pen-test@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: sugget a small pentest distro

Hi,
can anyone suggest a small pentest linux distro? smallest means under
250 MB. I have seen one on the whax site; has anyone used it?
no google please
--
ting ding ting ding ting ding
ting ding ting ding ding
i m crazy frog :)
"oh yeah oh yeah...
 another wannabe, in hackerland!!!"




Re: [Full-disclosure] Meeting Room Names

2005-11-10 Thread Tom Meier
Use virus names for the rooms!

Melissa, Nimda, Sasser, NetSky, Bagle etc. (IT people don't forget these names 
for years).


- Original Message - 
From: "Paul" <[EMAIL PROTECTED]>
To: "'KF (lists)'" <[EMAIL PROTECTED]>; 

Sent: Thursday, November 10, 2005 6:48 AM
Subject: RE: [Full-disclosure] Meeting Room Names


Although some of the responses were quite humorous, and I love a good laugh,
it is a little annoying to see half of my security mailing list folder being
filled with chat about room names. I have to agree with KF (lists) on this
one. Let's keep that talk private now.

Kind regards,
Paul
Greyhats Security
http://greyhatsecurity.org

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of KF (lists)
Sent: Thursday, November 10, 2005 12:15 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Meeting Room Names

Native.Code wrote:

> Thanks all for cool ideas! I kind of like HTTP status codes and
> Microsoft product codenames. But still did not get any perfect
> choices. Please keep the choices coming!
>
Yeah, please keep 'em coming to HIM off list...

> How about names which sound in same rank of "Dungeon"? Feel free to
> use your non-IT creativity as well!

Feel free to mail him directly at [EMAIL PROTECTED]

>
> Thanks a lot again.
>
No problem... thanks for playing.

-KF



[Full-disclosure] RE: Spamcop automated reporting script...

2005-11-10 Thread Aditya Deshmukh
> Has anyone got an automated spamcop reporting script?
> 
> 
> Thanks in advance if you can send in .txt format 
> preferably offlist.

I hit send before I could explain what I wanted to do... 
I have a spamcop account - and I managed to get the spamcop
URL with the reportID to a file using a fetchmail + grep 
combination. 

But there is something I cannot get working with the 
Spamcop spam submission form used to complete the spam
reporting. Has anyone made something like this before?

If you can send me that script it would be great.
Anything that works is fine, but a wget, curl or perl
script would be the best.






Re: [Full-disclosure] Spamcop automated reporting script...

2005-11-10 Thread Nigel Horne
On Thu, 2005-11-10 at 09:55, Aditya Deshmukh wrote:
> Has anyone got an automated spamcop reporting script?

Yes

> 
> 
> Thanks in advance if you can send in .txt format 

No need - you can download most of it off the Spamcop web site then
write a trivial wrapper.



[Full-disclosure] Spamcop automated reporting script...

2005-11-10 Thread Aditya Deshmukh
Has anyone got an automated spamcop reporting script?


Thanks in advance if you can send in .txt format 
preferably offlist.


