[Full-disclosure] New Metacortex Released

2006-03-10 Thread Tamer Sahin
What is Metacortex?:

Metacortex, in the not very reliable internet atmosphere, is a
multifunctional management tool for the OpenBSD system, which is considered
to be among the most trustworthy systems.

Metacortex is designed for comfortable use of the firewall method on
OpenBSD. It can be installed easily without coming across detailed
adjustment instructions and administration difficulties.

Why Metacortex?:

- Easy installation, managing.
- Automatically detect and log.
- Block intrusions automatically.
- Protects your private information.
- Powerful and easy-to-use interface.

More Information:

http://www.mcortex.com

Best Regards,

Tamer Sahin
http://www.securityoffice.net

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 991-1] New zoo packages fix arbitrary code execution

2006-03-10 Thread Martin Schulze
--------------------------------------------------------------------------
Debian Security Advisory DSA 991-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                                Steve Kemp
March 10th, 2006                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : zoo
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2006-0855
BugTraq ID     : 16790

Jean-Sébastien Guay-Leroux discovered a buffer overflow in zoo, a
utility to manipulate zoo archives, that could lead to the execution
of arbitrary code when unpacking a specially crafted zoo archive.

For the old stable distribution (woody) this problem has been fixed in
version 2.10-9woody0.

For the stable distribution (sarge) this problem has been fixed in
version 2.10-11sarge0.

For the unstable distribution (sid) this problem has been fixed in
version 2.10-17.

We recommend that you upgrade your zoo package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



Re: [Full-disclosure] Promiscious Device Detection

2006-03-10 Thread Michael Holstein

> You can't search for promisc devices, as they don't advertise
> themselves in any way. Chkrootkit[1], though, will check the local machine
> for a promisc interface, as well as other signs of possible badness.


Not entirely true .. you can use things like antisniff to spoof ARP 
packets and see what answers to ARP but not IP -- but that'll do you no 
good for a physically isolated tap -- like what happens when you use a 
passive fiber splitter and two cards utilizing the receive side only.


Also .. a really well firewalled machine will appear no different than 
one running a promisc. interface.


Generally though .. people up to no good on a switched network will have 
to do other things to get their promisc. interface to actually 
accomplish anything .. like ARP spoofing -- and *that's* detectable. As 
for 'global' taps, like Snort running on a whole network, best just 
assume it's there and react accordingly (eg: Fragrouter).


~Mike.
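
The reply above notes that ARP spoofing on a switched network is detectable. As an added example (not part of the original post), this Python flags the two usual signs in a list of ARP observations: an IP address whose MAC binding changes, and one MAC claiming several IPs. The input format, addresses and function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed observations, one per line: <epoch> <claimed IP> <sender MAC>.
# They stand in for ARP replies collected from a capture or a switch log.
SAMPLE_OBSERVATIONS = """\
1141990000 10.0.0.1  00:11:22:33:44:01
1141990005 10.0.0.20 00:11:22:33:44:20
1141990010 10.0.0.66 00:11:22:33:44:66
1141990060 10.0.0.1  00:11:22:33:44:66
1141990061 10.0.0.20 00:11:22:33:44:66
1141990120 10.0.0.1  00:11:22:33:44:66
"""


def find_arp_anomalies(text, pinned=None):
    """Return alerts for IP-to-MAC bindings that change and for MACs that
    claim several IPs. `pinned` optionally maps IPs to known-good MACs."""
    expected_mac = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    ips_by_mac = defaultdict(set)
    reported = set()
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        stamp, ip, mac = int(fields[0]), fields[1], fields[2].lower()
        ips_by_mac[mac].add(ip)
        # The first MAC seen for an IP (or the pinned one) is the baseline.
        baseline = expected_mac.setdefault(ip, mac)
        if mac != baseline and (ip, mac) not in reported:
            reported.add((ip, mac))  # report each conflicting claim once
            alerts.append(("binding-change", stamp, ip, baseline, mac))
    # One MAC answering for many IPs is normal for routers doing proxy ARP,
    # so this alert is a lead to check against the inventory, not a verdict.
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(("multi-ip", mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE_OBSERVATIONS):
        print(alert)
```

Legitimate events such as a replaced network card or a reused DHCP lease also change a binding, so pinning the gateway and server addresses through `pinned` keeps the signal useful.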


Re: [Full-disclosure] War Dialing, Spoofed(?) Phone Number [area code 786], and calls across the US

2006-03-10 Thread Michael Holstein
Caller-ID spoofing is trivial if you've got a digital (eg: T-1) line 
where you can send your own call signaling. It's also made much easier 
by several (mis)configured VoIP services -- if you have access to the 
SIP gateway of one, and run something like Asterisk, you can send any 
number you want along with your call.


Caller-ID is like the return address on an envelope. Totally unimportant 
for call delivery, and you can write anything you want there.


~Mike.

Steven wrote:
> I debated about posting this to FD but it seems about as good of a place
> as any to ask about this and perhaps someone can fill in the blanks.  I
> got a call the other day from the number 786-718-9058 and when I answered,
> it was a message in Spanish which I couldn't really hear and didn't
> understand.  That was the end of it.  Well then it called again 5 days
> later and got my voicemail and left the same message it had the other
> day when I answered the phone.  The message says the following:
>
> Usted a agotado todas las opciones. Esta semana sera desconectada.
> Gracias.
>
> Which apparently translates to:
>
> You've terminated all the options. You'll be disconnected this weekend.
> Thanks
>
> Now I tried to call the number back only to find that it has been
> disconnected or so my cell provider says.  At this point I took to the
> Internet and got your standard reverse search of:
>
> The phone number (786) 718-9058 is based in Miami, FL and the
> registered carrier is Commpartners, Llc - Fl.
>
> I then Googled the phone number to find out that this thing has been
> calling all across the US.  Various people have reported that this
> number asks them to press one, or is some sort of other scam.  This has
> led me to think the number is spoofed and is perhaps someone's attack
> on a person's legitimate cell phone number.  However, the calls have
> apparently been going on for months, back to a time when you could call
> the number back and get a voicemail belonging to someone named John.  I
> am wondering if perhaps a VoIP box somewhere or something to this effect
> has been infected and is doing this.  I am wondering if any of you have
> any insight on this or have any idea.
>
> Here is a page with some more info and testimonials from hundreds of
> other people across the country getting these calls:
>
> http://blogcritics.org/archives/2005/08/26/153054.php
>
> There does not appear to be any link between areas, phone providers, or
> even phone numbers.  A few people have said that their phone number is
> one off from their family member's and they have not received a call.
> Others have the same thing and report that their family member got the
> same call a few moments later.  No idea what's up with this.
>
> Anyway -- if anyone knows or wants to find out and succeeds - please let
> me know what's up.
>
> Thanks
>
> Steven


[Full-disclosure] [USN-261-1] PHP vulnerabilities

2006-03-10 Thread Martin Pitt
===
Ubuntu Security Notice USN-261-1 March 10, 2006
php4, php5 vulnerabilities
CVE-2006-0207, CVE-2006-0208
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libapache2-mod-php4
libapache2-mod-php5

The problem can be corrected by upgrading the affected package to
version 4:4.3.8-3ubuntu7.15 (libapache2-mod-php4 for Ubuntu 4.10),
4:4.3.10-10ubuntu4.4 (libapache2-mod-php4 for Ubuntu 5.04), or
5.0.5-2ubuntu1.2 (libapache2-mod-php5 for Ubuntu 5.10). After a
standard system upgrade you need to restart Apache with

  sudo apache2ctl restart

to effect the necessary changes.

Details follow:

Stefan Esser discovered that the 'session' module did not sufficiently
verify the validity of the user-supplied session ID. A remote attacker
could exploit this to insert arbitrary HTTP headers into the response
sent by the PHP application, which could lead to HTTP Response
Splitting (forging of arbitrary responses on behalf of the PHP
application) and Cross Site Scripting (XSS) (execution of arbitrary
web script code in the client's browser) attacks. (CVE-2006-0207)

PHP applications were also vulnerable to several Cross Site Scripting
(XSS) flaws if the options 'display_errors' and 'html_errors' were
enabled. Please note that enabling 'html_errors' is not recommended
for production systems. (CVE-2006-0208)



Re: [Full-disclosure] War Dialing, Spoofed(?) Phone Number [area code 786], and calls across the US

2006-03-10 Thread Steven
I am familiar with how trivial it is to spoof (especially nowadays), but 
that wasn't exactly the point.  This activity is far from being limited to a 
few area codes or people -- it's literally thousands of people.  I'd imagine 
people on this list have probably even received the calls or will soon.  It 
is just so strange and I am wondering what the root cause for it is.



----- Original Message -----
From: Michael Holstein [EMAIL PROTECTED]
To: Steven [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Friday, March 10, 2006 9:29 AM
Subject: Re: [Full-disclosure] War Dialing, Spoofed(?) Phone Number [area code 786], and calls across the US



Caller-ID spoofing is trivial if you've got a digital (eg: T-1) line where 
you can send your own call signaling. It's also made much easier by 
several (mis)configured VoIP services -- if you have access to the SIP 
gateway of one, and run something like Asterisk, you can send any number 
you want along with your call.


Caller-ID is like the return address on an envelope. Totally unimportant 
for call delivery, and you can write anything you want there.


~Mike.



Re: [Full-disclosure] War Dialing, Spoofed(?) Phone Number [area code 786], and calls across the US

2006-03-10 Thread Marcos Agüero
Just a better translation :)

Steven wrote:
> Usted a agotado todas las opciones. Esta semana sera desconectada.
> Gracias.

You've exhausted all options. This week will be disconnected. Thanks

However, I think it would have said:
Esta llamada será desconectada

which means:
This call will be disconnected.


[Full-disclosure] [SECURITY] [DSA 992-1] New ffmpeg packages fix arbitrary code execution

2006-03-10 Thread Moritz Muehlenhoff
--------------------------------------------------------------------------
Debian Security Advisory DSA 992-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                        Moritz Muehlenhoff
March 10th, 2006                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : ffmpeg
Vulnerability  : buffer overflow
Problem-Type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2005-4048
Debian Bug     : 342207

Simon Kilvington discovered that specially crafted PNG images can trigger
a heap overflow in libavcodec, the multimedia library of ffmpeg, which may
lead to the execution of arbitrary code.

The old stable distribution (woody) doesn't contain ffmpeg packages.

For the stable distribution (sarge) this problem has been fixed in
version 0.cvs20050313-2sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 0.cvs20050918-5.1.

We recommend that you upgrade your ffmpeg package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.




[Full-disclosure] SUSE Security Announcement: gpg signature checking problems (SUSE-SA:2006:014)

2006-03-10 Thread Marcus Meissner

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                gpg
        Announcement ID:        SUSE-SA:2006:014
        Date:                   Fri, 10 Mar 2006 18:00:00 +
        Affected Products:      SUSE LINUX 10.0
                                SUSE LINUX 9.3
                                SUSE LINUX 9.2
                                SUSE LINUX 9.1
                                SuSE Linux Desktop 1.0
                                SuSE Linux Enterprise Server 8
                                SUSE SLES 9
                                UnitedLinux 1.0
        Vulnerability Type:     remote code execution
        Severity (1-10):        9
        SUSE Default Package:   yes
        Cross-References:       CVE-2006-0049

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             gpg signature verification problem
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
            See SUSE Security Summary Report.
        6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   The GNU Privacy Guard (GPG) allows crafting a message which could
   check out correct using --verify, but would extract a different,
   potentially malicious content when using -o --batch.

   The reason for this is that a .gpg or .asc file can contain multiple
   plain text and signature streams and the handling of these streams was
   only possible when correctly following the gpg state.

   The gpg --verify option has been changed to be way more strict than
   before and fail on files with multiple signatures/blocks to mitigate
   the problem of doing the common --verify checks and -o extraction.

   This problem could be used by an attacker to remotely execute code
   by using handcrafted YaST Online Patch files put onto a compromised
   YOU mirror server and waiting for the user to run YOU.

   This problem is tracked by the Mitre CVE ID CVE-2006-0049.

   This is a different issue than the gpg signature checking problem for
   which we released updates a week ago, tracked by SUSE-SA:2006:013 /
   CVE-2006-0455.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   None.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.



[Full-disclosure] [ GLSA 200603-06 ] GNU tar: Buffer overflow

2006-03-10 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200603-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GNU tar: Buffer overflow
      Date: March 10, 2006
      Bugs: #123038
        ID: 200603-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A malicious tar archive could trigger a Buffer overflow in GNU tar,
potentially resulting in the execution of arbitrary code.

Background
==

GNU tar is the standard GNU utility for creating and manipulating tar
archives, a common format used for creating backups and distributing
files on UNIX-like systems.

Affected packages
=

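    -------------------------------------------------------------------
     Package       /   Vulnerable   /                      Unaffected
    -------------------------------------------------------------------
  1  app-arch/tar      < 1.15.1-r1                       >= 1.15.1-r1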

Description
===

Jim Meyering discovered a flaw in the handling of certain header fields
that could result in a buffer overflow when extracting or listing the
contents of an archive.

Impact
==

A remote attacker could construct a malicious tar archive that could
potentially execute arbitrary code with the privileges of the user
running GNU tar.

Workaround
==

There is no known workaround at this time.

Resolution
==

All GNU tar users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-arch/tar-1.15.1-r1

References
==

  [ 1 ] CVE-2006-0300
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0300

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-06.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0




[Full-disclosure] [SECURITY] [DSA 993-1] New GnuPG packages fix broken signature check

2006-03-10 Thread Martin Schulze
--------------------------------------------------------------------------
Debian Security Advisory DSA 993-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                            Martin Schulze
March 10th, 2006                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : gnupg
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-0049

Tavis Ormandy noticed that gnupg, the GNU privacy guard - a free PGP
replacement, can be tricked to emit a good signature status message
when a valid signature is included which does not belong to the data
packet.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 1.4.1-1.sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 1.4.2.2-1.

We recommend that you upgrade your gnupg package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg


Re: [Full-disclosure] For Sale: Security Vulnerability Database Company

2006-03-10 Thread System Outage
Greetings, GroundZero Security,

I don't believe http://g-0.org is all that pioneering, in fact it's pretty much a boring website. The n3td3v group is at the cutting edge of bringing breaking news to the security community from various news sources throughout cyber space. We also work closely with our relationships within the security industry to bring about safety and security to the major dot-com players globally. We believe in a free democratic web, where people can utilise our database and security news wire resource. We break the news that's happening around the world, as it happens, in one easy to use, fully functional professional global operation. We are responsible for diverting major attacks upon some of the biggest names in the corporate circuit, just because sad kiddo hiding behind a "GroundZero Security" name doesn't read about it on f-d doesn't mean it's not happening. We have folks from around the corporate and underground industry signed up to our members list, and we continue to power ahead and grow stronger with our public operation over at Google Groups, and furthermore, behind closed doors in the underground.

You may have an opinion, but it's trashed into our mail bin every time. Keep the feedback coming. As for buying a domain, you're kidding right? "Buy" a domain? Tut tut, you're not up to date with things are you. I don't think any security group is about to buy a domain, and furthermore, allow everyone to investigate the source. While we're at Google, we're protected from the data protection law under Google, and if folks from the secret service want to get information into us, then they can go through the courts, have a nice day and stuff. ;-)

We're globally massive right now, while http://g-0.org remains a wet fart on the sad side of life, yeah dude, eat your mom's pussy out and have a nice life, arse hole. We might buy a domain if it's with your credit card, he he.

However that was a nice attempt to take our yahoo cookie a few months ago using a disclosed vulnerability you didn't find. You set up an embedded script into a legitimate f-d thread and sent it to [EMAIL PROTECTED] dot com, even tho that account isn't subscribed to f-d, it stuck out like a sore thumb and it was sent straight to our relationships over at security at yahoo-inc.com. Ha ha ha, keep your bullshit coming, there's more than enough of us to wipe you off the face of the earth. Keep your shit coming, it's bound to give us entertainment, to laugh and point fingers at your pathetic lameness, and of course, http://g-0.org is the leetest site known to all the security community. Yes, you're leading the way in security, not us, how could we forget.

There you have it, plenty of quotes to keep the kiddie community of f-d entertained. I'm sure the certified security professionals will appreciate your lame ramblings against the international n3td3v security group. Lame ramblings, which are of course going to follow this message, because as history has proved in the past, you just can't help yourself, mr attention seeker. Keep the shit coming. And of course, we look towards http://g-0.org's source code for mad HTML tips! :):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):) Copy and paste quote snips from that, we'll be back with another chunk of data to bounce your opinion off ours. Dickhead...

Best wishes and wet farts and stuff,
n3td3v

GroundZero Security [EMAIL PROTECTED] wrote:

> No one takes a google group serious, get a real domain.
> the n3td3v thing is just a site thrown together so they can
> put up adsense and make some cash. It looks totally unprofessional,
> yet they claim it's built from "software developers, international hackers,
> security researchers, online media journalists, system administrators,
> incident response professionals, top thinkers and security aware peoples"
> and not even one of them has skills in html or even 10 bucks to buy a domain?
> yeah right. :-)
>
> - Original Message -
> From: System Outage
> To: full-disclosure@lists.grok.org.uk
> Sent: Thursday, March 09, 2006 10:14 PM
> Subject: Re: [Full-disclosure] For Sale: Security Vulnerability Database Company
>
> That's a complete exaggeration actually, there's no query on the group that would come up with 5,000 results. The n3td3v group engine is pretty accurate, and displays perfect technical detail documentation, and additionally, (if required) can offer related and even off shoot background discussion into a particular vulnerability at the time of its disclosure. To say an ntp search would come up with 5,000 unrelated results is completely barbaric. I think the source to your hatred is with the founder ('n3td3v') rather than the group itself which offers a great resource to anyone in the security field. Of course, if you can provide conclusive evidence to the contrary, do get in touch with the list, providing in-depth audit information relating to your claim.
>
> [EMAIL PROTECTED] wrote:

[Full-disclosure] [ GLSA 200603-08 ] GnuPG: Incorrect signature verification

2006-03-10 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200603-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GnuPG: Incorrect signature verification
      Date: March 10, 2006
      Bugs: #125217
        ID: 200603-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

GnuPG may erroneously report a modified or unsigned message has a valid
digital signature.

Background
==========

The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite
of cryptographic software that may be used without restriction, as it
does not rely on any patented algorithms. GnuPG can be used to
digitally sign messages, a method of ensuring the authenticity of a
message using public key cryptography.

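Affected packages
=================

    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  app-crypt/gnupg      < 1.4.2.2                         >= 1.4.2.2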

Description
===========

OpenPGP is the standard that defines the format of digital signatures
supported by GnuPG. OpenPGP signatures consist of multiple sections, in
a strictly defined order. Tavis Ormandy of the Gentoo Linux Security
Audit Team discovered that certain illegal signature formats could
allow signed data to be modified without detection. GnuPG has
previously attempted to be lenient when processing malformed or legacy
signature formats, but this has now been found to be insecure.

Impact
======

A remote attacker may be able to construct or modify a digitally-signed
message, potentially allowing them to bypass authentication systems, or
impersonate another user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GnuPG users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-crypt/gnupg-1.4.2.2

References
==========

  [ 1 ] CVE-2006-0049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0049
  [ 2 ] GnuPG Announcement
http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0




Re: [Full-disclosure] For Sale: Security Vulnerability Database Company

2006-03-10 Thread Mike Owen
On 3/10/06, System Outage [EMAIL PROTECTED] wrote:

snip

I'm curious, is there a reason you always use a hax0red proxy to do
your posting from? You weren't by chance the one who rooted them, were
you?


[Full-disclosure] Mambo Admin access.

2006-03-10 Thread sudo su
I'm curious as to whether or not anyone has exploited Mambo? If there are any Mambo exploits available or if there's some sort of autoadmin priv.

[Full-disclosure] Re: Dropbear SSH server Denial of Service

2006-03-10 Thread Damien Miller
On Fri, 10 Mar 2006, Matt Johnston wrote:

> Dropbear 0.48 mitigates this issue by having a per-IP limit
> as well as a global limit - this will at least prevent an
> IP-deprived attacker from denying service.
>
> It's worth noting that various other network services (such
> as netkit-inetd and OpenSSH) have the same design issues, at
> least in default configurations.

OpenSSH has had connection-flood DoS mitigation since 2000, in the
form of random early drop of connections so legitimate users have a
probabilistic chance of getting in. See the MaxStartups documentation
in sshd_config(5).

-d
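
The random early drop that the reply above refers to, as an added example that is not part of the original post and is not OpenSSH's own code: it models the start:rate:full behaviour described in sshd_config(5), where refusal begins at rate% once start connections are unauthenticated and rises linearly to 100% at full. The function names, the integer-percent arithmetic and the sample setting 10:30:60 are assumptions of this sketch.

```c
#include <stdio.h>

/* MaxStartups "start:rate:full", as described in sshd_config(5). */
struct max_startups { int start, rate, full; };

/* Parse "start:rate:full" or a bare limit "N". Returns 0 on success, -1 if invalid. */
int parse_max_startups(const char *s, struct max_startups *m)
{
    int n = sscanf(s, "%d:%d:%d", &m->start, &m->rate, &m->full);
    if (n == 1) {               /* bare number: hard cutoff, no early drop */
        m->rate = 100;
        m->full = m->start;
    } else if (n != 3) {
        return -1;
    }
    if (m->start < 1 || m->full < m->start || m->rate < 1 || m->rate > 100)
        return -1;
    return 0;
}

/* Percentage of new connections refused while `unauth` are still unauthenticated. */
int drop_percent(const struct max_startups *m, int unauth)
{
    if (unauth < m->start)
        return 0;
    if (unauth >= m->full || m->rate == 100)
        return 100;
    return m->rate + (100 - m->rate) * (unauth - m->start) / (m->full - m->start);
}

/* Chance (0..1) that a legitimate client gets in within `tries` attempts at a steady backlog. */
double admit_chance(const struct max_startups *m, int unauth, int tries)
{
    double refused = drop_percent(m, unauth) / 100.0, all_refused = 1.0;
    for (int i = 0; i < tries; i++)
        all_refused *= refused;
    return 1.0 - all_refused;
}

int main(void)
{
    struct max_startups m;
    if (parse_max_startups("10:30:60", &m) != 0)   /* sample setting (assumed) */
        return 1;
    for (int n = 0; n <= 60; n += 10)
        printf("%2d unauthenticated: refuse %3d%%, admitted within 3 tries %.3f\n",
               n, drop_percent(&m, n), admit_chance(&m, n, 3));
    return 0;
}
```

With a bare limit such as `MaxStartups 10` there is no ramp: every connection beyond the limit is refused, which is the hard-cutoff behaviour a flood can exploit to lock out legitimate users.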



[Full-disclosure] PHP

2006-03-10 Thread Fernando Valderrábano Reyes
Having both secring and pubring, how can I get the passphrase ?..


