Re: [Full-disclosure] repeated port 21 attempts
On 6/12/06, Jacob Wu [EMAIL PROTECTED] wrote:

> I'm getting port 21 connection attempts every 5 minutes from about half a dozen of my network users. These attempts are repeating regularly with one computer sending out 1500+ attempts a day. I have not seen this before and I'm wondering if anyone else here has seen a client behave this way before?

[snip]

Send me your source IP's.

> Anyone got anything? Is this something new or just new to me?

-- 
pwnd.security.pwnd

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: FW: [Full-disclosure] PassMark?
On 6/13/06, Josh L. Perrymon [EMAIL PROTECTED] wrote:

> I mean -- the more hoops you have to jump through will make it harder to attack or replicate from a phishing view.. but also making it much more cumbersome on users.

Ironic, considering one of the main goals of these systems is to make web site verification less cumbersome. SSL certificates are great from a cryptographic point of view, but are useless for most end users.

Here's an article from May describing some of the issues with BofA and SiteKey:

http://www.baselinemag.com/print_article2/0,1217,a=178262,00.asp

...after the bank made SiteKey mandatory, customers who had trouble using it, for example by failing to follow directions when they registered, boosted calls to the bank's customer service centers by 25%...

...Even though SiteKey is not fully installed, it has already cut the number of successful phishing attacks against the bank, according to Claypool, although she won't say by how many. Attempted phishing attacks have not decreased...

Regards,
Brian
[Full-disclosure] Immunity: Word 0-day issue is problem in Smart Tags
Microsoft will release a fix for a code execution vulnerability in MS Word today (http://www.microsoft.com/technet/security/advisory/919637.mspx, CVE-2006-2492 etc.). Major sources say this vulnerability affecting Word 2003 and Word 2002 is a problem in object handling. But it appears that one vendor (Immunity Inc.) had their non-public PoC in late May already.

After some hours we know more details about the vulnerability. Especially I'm interested in what the reason was to recommend using Office Viewers as a workaround. Maybe these viewers don't support Smart Tags. MS has instructions to switch this feature off as well:

http://office.microsoft.com/en-gb/assistance/HP030832781033.aspx

I have written a detailed story at http://blogs.securiteam.com/index.php/archives/436

- Juha-Matti
[Full-disclosure] Possible DOS issue in OpenSSH ssh client
During some testing I found a possible bug/issue with the OpenSSH ssh client.

    MachineA# cat /dev/zero | nc -l -p 3000
    MachineB# ssh [EMAIL PROTECTED] -p 3000

I have tested on OpenBSD 3.9, CentOS 4.3, Debian 3.1 and Solaris 9. This consumes 50-100% of available CPU time on MachineB (depending on the bandwidth between them).

This could be used in a denial of service attack - or could be used to stop (or at least annoy) ssh bruteforcers :) But of course it would also consume my upstream bandwidth.

Espen
http://espen.mine.nu
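The behaviour above comes from a client reading a peer's identification string with no bound on how long a "line" may get. The following is an added example (not OpenSSH code and not the poster's) of the defensive shape of that read: RFC 4253 section 4.2 caps the identification string at 255 bytes, and the prelude-line limit of 64 is an assumption made for this example. `recv_from` is a constructed byte source for testing; a stream of zeros is rejected after 255 bytes instead of being consumed forever.

```python
import socket

MAX_LINE = 255            # RFC 4253 section 4.2: identification string at most 255 bytes, CR LF included
MAX_PRELUDE_LINES = 64    # assumption for this example: how many non-version lines we tolerate first


class BadIdentification(Exception):
    """The peer did not deliver a well-formed identification string within the limits."""


def read_server_identification(recv, max_line=MAX_LINE, max_prelude=MAX_PRELUDE_LINES):
    """Read the peer's identification string through `recv(n)`, which returns up to n bytes
    and b'' once the connection is closed (the contract of socket.recv).
    Returns the version line without its CR LF, or raises BadIdentification."""
    for _ in range(max_prelude + 1):
        line = bytearray()
        while True:
            byte = recv(1)                         # one byte at a time: the line length is unknown
            if not byte:
                raise BadIdentification("connection closed before any identification string")
            line += byte
            if line.endswith(b"\n"):
                break
            if len(line) >= max_line:              # a peer streaming bytes with no newline stops here
                raise BadIdentification(f"line exceeded {max_line} bytes without a newline")
        if line.startswith(b"SSH-"):
            return bytes(line).rstrip(b"\r\n").decode("ascii", "replace")
        # any other line is a prelude the server may print before its banner; discard and keep reading
    raise BadIdentification(f"no identification string within {max_prelude} prelude lines")


def recv_from(data):
    """Constructed byte source for testing: serves `data` like socket.recv, then b'' as a closed socket would."""
    buf, pos = memoryview(data), [0]

    def recv(n):
        chunk = bytes(buf[pos[0]:pos[0] + n])
        pos[0] += len(chunk)
        return chunk

    return recv


def rejects(recv):
    """True if the reader refuses the byte source instead of consuming it indefinitely."""
    try:
        read_server_identification(recv)
    except BadIdentification:
        return True
    return False


def fetch_identification(host, port=22, timeout=10.0):
    """Connect and read the banner with a socket timeout, so a silent peer cannot stall us either."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return read_server_identification(sock.recv)


if __name__ == "__main__":
    print(read_server_identification(recv_from(b"Welcome\r\nSSH-2.0-OpenSSH_4.3\r\n")))
    print("endless zeros rejected:", rejects(lambda n: b"\x00" * n))
```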
Re: Re: [Full-disclosure] repeated port 21 attempts
They are all non-routable 10.x.x.x IPs. This is for a residence hall at my University. Residents, when they first turn on their computers, are given a 10.x.x.x IP and made to register and agree with the network use policy. Once they do that they are given a real IP and thus access to the internet.

I'm seeing these messages in /var/log/messages when the firewall drops the connections. Example:

    Jun 13 06:10:48 www kernel: REJECTED INCOMING PACKET IN=eth0 OUT= MAC=00:14:22:0e:a5:21:00:d0:01:4e:c7:fc:08:00 SRC="" DST=X.X.X.X LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43812 DF PROTO=TCP SPT=4388 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0

I'll get 6 of these and then nothing. Then 5 minutes later 6 more. This behavior is repeated by less than half a dozen other computers. Each computer sends 6, waits 5 min and repeats. I only allow ftp connections from a small number of IPs; if it's not in my list I send a reset connection packet and disconnect from the client.

Someone sent me this link:

    Try websnarf: http://www.unixwiz.net/tools/websnarf-1.04

But it gives me less information than iptables does.
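The pattern described (six SYNs, five minutes of silence, six more) is easy to pull out of the iptables log mechanically. The following is an added example, not from the thread: it parses `REJECTED INCOMING PACKET` lines in the format quoted above, groups the SYNs to port 21 per source into bursts, and reports sources whose bursts recur at a regular interval. The log lines it runs on are constructed, with made-up addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# One REJECTED INCOMING PACKET line: syslog timestamp, host, then KEY=VALUE tokens and bare flags.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"REJECTED INCOMING PACKET (?P<fields>.*)$"
)


def parse_line(line):
    """Return (timestamp, fields) for a REJECTED INCOMING PACKET line, or None for anything else.
    Bare tokens such as DF, SYN and ACK are collected under fields["FLAGS"]."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year; fine for intervals
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    fields["FLAGS"] = flags
    return ts, fields


def group_bursts(times, gap=10):
    """Split sorted timestamps into bursts: a pause longer than `gap` seconds starts a new burst."""
    bursts = []
    for t in times:
        if bursts and (t - bursts[-1][-1]).total_seconds() <= gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def find_periodic_probes(lines, dport="21", period=300, tolerance=30, min_bursts=3):
    """Report sources that send TCP SYNs to `dport` in bursts spaced about `period` seconds apart.
    Returns {src: {"bursts": n, "per_burst": avg size, "interval": avg seconds between bursts}}."""
    syn_times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("PROTO") == "TCP" and f.get("DPT") == dport and "SYN" in f["FLAGS"]:
            syn_times[f.get("SRC", "?")].append(ts)

    report = {}
    for src, times in syn_times.items():
        bursts = group_bursts(sorted(times))
        if len(bursts) < min_bursts:
            continue
        starts = [b[0] for b in bursts]
        intervals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        if all(abs(i - period) <= tolerance for i in intervals):
            report[src] = {
                "bursts": len(bursts),
                "per_burst": round(sum(len(b) for b in bursts) / len(bursts)),
                "interval": round(sum(intervals) / len(intervals)),
            }
    return report


def _sample(ts, src, spt):
    # Constructed log line in the format quoted in the thread; the addresses are made up.
    return (f"{ts} www kernel: REJECTED INCOMING PACKET IN=eth0 OUT= "
            f"MAC=00:14:22:0e:a5:21:00:d0:01:4e:c7:fc:08:00 SRC={src} DST=X.X.X.X "
            f"LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43812 DF PROTO=TCP SPT={spt} DPT=21 "
            f"WINDOW=16384 RES=0x00 SYN URGP=0")


SAMPLE_LOG = []
for minute in ("10", "15", "20"):            # three bursts five minutes apart, as the thread describes
    for i in range(6):                        # six SYNs per burst, one second apart
        SAMPLE_LOG.append(_sample(f"Jun 13 06:{minute}:{48 + i:02d}", "10.1.2.3", 4388 + i))
SAMPLE_LOG.append(_sample("Jun 13 06:12:01", "10.1.2.9", 1500))   # a one-off connection: not periodic
SAMPLE_LOG.append("Jun 13 06:12:02 www sshd[123]: Accepted publickey for admin")  # unrelated, ignored

if __name__ == "__main__":
    for src, info in find_periodic_probes(SAMPLE_LOG).items():
        print(f"{src}: {info['bursts']} bursts of ~{info['per_burst']} SYNs every ~{info['interval']}s")
```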
Re: [Full-disclosure] Possible DOS issue in OpenSSH ssh client
Espen Grøndahl wrote:

> During some testing I found a possible bug/issue with the OpenSSH ssh client.
>
>     MachineA# cat /dev/zero | nc -l -p 3000
>     MachineB# ssh [EMAIL PROTECTED] -p 3000
>
> I have tested on OpenBSD 3.9, CentOS 4.3, Debian 3.1 and Solaris 9. This consumes 50-100% of available CPU time on MachineB (depending on the bandwidth between them).

What did the ssh client do? Did it eventually time out (as you would expect)? Or did it hang and never disconnect?

-- 
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] Possible DOS issue in OpenSSH ssh client
On 6/13/06, Espen Grøndahl [EMAIL PROTECTED] wrote:

> This could be used in a denial of service attack - or could be used to stop (or at least annoy) ssh bruteforcers :)

no, the bruteforcers don't use ssh, but other programs that may not be affected by this
[Full-disclosure] new offensivecomputing site features
Hey there,

Just wanted to let you all know about the latest OffensiveComputing developments. The OC team has been hard at work and our automated malware analysis engine is up and running. If you log into the site you can see two new tools. One is the malware upload and one is the malware search. The malware upload allows you to upload a Windows PE file and have it processed by our engine. The malware search will let you enter a checksum, name or other information and search our database for reports on malware.

The autoanalysis provides the following functionality:

- File type
- Packer detection
- various AV detection
- strings
- disassembly
- PE info (sections, headers, imports)
- checksums (md5, sha1, sha256)

And when searching you can also download a zipped / password protected sample of the malware. All of these features are as possible, meaning that some malware can't be automatically analyzed in all ways. The site is still free for all to use and we are continuing to add more automation and features. Feedback is always welcome.

http://www.offensivecomputing.net

V.
Re: Re: [Full-disclosure] repeated port 21 attempts
On 6/13/06, Jacob Wu [EMAIL PROTECTED] wrote:

> They are all non-routable 10.x.x.x IPs. This is for a residence hall at my University. Residents, when they first turn on their computers, are given a 10.x.x.x IP and made to register and agree with the network use policy. Once they do that they are given a real IP and thus access to the internet.

Are you doing something weird with DNS that's making this one machine's address show up on lookups, or messing with routing so that everything gets redirected to this box? If so, I'd wonder if this is some sort of bot that you're seeing that's trying to call home with FTP. It might behoove you to (kindly) ask the owner of one of the machines to let you take a look at their machine to see what it's doing.

> Someone sent me this link:
>
>     Try websnarf: http://www.unixwiz.net/tools/websnarf-1.04
>
> But it gives me less information than iptables does.

You may have to modify it to better imitate an FTP server - it was written for use as a faux HTTP server. In particular, the client may be waiting for a banner and/or greeting before it makes a request.
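The reply's point is that a client waiting for a 220 greeting will never reveal what it wants to a listener that stays silent. The following is an added example, not websnarf and not from the thread: a minimal listener that sends the greeting, records the first few commands a client issues, never records a PASS argument and never grants a login, so an administrator can see what those hosts are trying to do. The port 2121 and the assumption that the firewall redirects port 21 to it are this example's own; `simulate_client` drives the same logic over constructed in-memory input for testing.

```python
import io
import socketserver

BANNER = b"220 FTP service ready\r\n"   # the greeting a client may be waiting for before it sends anything


def talk_to_client(rfile, wfile, max_cmds=8):
    """Speak just enough FTP to learn what a client wants, then refuse it.
    Returns the list of (COMMAND, argument) pairs received. PASS arguments are never recorded,
    and no login ever succeeds, so the listener only observes."""
    wfile.write(BANNER)
    wfile.flush()
    seen = []
    for _ in range(max_cmds):                      # bounded: a probing client gets a few commands, not a session
        raw = rfile.readline(512)                  # FTP command lines are short; cap the read
        if not raw:
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "PASS":
            seen.append((cmd, "<not recorded>"))
            reply = b"530 Login incorrect.\r\n"
        elif cmd == "USER":
            seen.append((cmd, arg))
            reply = b"331 Password required.\r\n"
        elif cmd == "QUIT":
            seen.append((cmd, arg))
            reply = b"221 Goodbye.\r\n"
        else:
            seen.append((cmd, arg))
            reply = b"500 Command not understood.\r\n"
        wfile.write(reply)
        wfile.flush()
        if cmd == "QUIT":
            break
    return seen


def simulate_client(request):
    """Run talk_to_client over in-memory streams (constructed input, no network).
    Returns (commands seen, bytes the listener would have sent)."""
    rfile, wfile = io.BytesIO(request), io.BytesIO()
    seen = talk_to_client(rfile, wfile)
    return seen, wfile.getvalue()


class ProbeHandler(socketserver.StreamRequestHandler):
    timeout = 15                                   # drop clients that connect and then say nothing

    def handle(self):
        try:
            seen = talk_to_client(self.rfile, self.wfile)
        except OSError as exc:                     # socket.timeout is an OSError subclass
            seen = [("ERROR", str(exc))]
        print(f"{self.client_address[0]} -> {seen}")


if __name__ == "__main__":
    # Assumption: the firewall redirects port 21 to 2121, so this runs without root.
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer(("0.0.0.0", 2121), ProbeHandler) as server:
        server.serve_forever()
```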
Re: [Full-disclosure] ZoneEdit.com Forcing Pop-Unders on WebForward-Configured Domains
On 6/12/06, Jason Coombs [EMAIL PROTECTED] wrote:

> Problem: DNS service ZoneEdit.com now owned by MyDomains.com has started forcing JavaScript pop-unders onto users' browsers when the domain owner uses the ZoneEdit WebForward feature.

I had been waiting for some reply or other to this, and am still interested to know whether someone who actually uses the service (besides Jason) has noted or verified the problem. I asked other people I know that use zoneedit, including one who uses the WebForward feature, and they did not experience this problem.

I would expect that there are a few possible explanations:

o This problem only occurred for Jason, and was discontinued immediately after his post to FD
o Something else caused this problem, and Jason has confused the issue
o Everyone here who might refute or concur with this statement has Jason killfiled (and this is a legitimate possibility)
o No one else cares

-- 
NO CARRIER
[Full-disclosure] iDefense Security Advisory 06.13.06: Windows Media Player PNG Chunk Decoding Stack-Based Buffer Overflow
Windows Media Player PNG Chunk Decoding Stack-Based Buffer Overflow

iDefense Security Advisory 06.13.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
June 13, 2006

I. BACKGROUND

Windows Media Player is a video and audio file player for Windows-based systems. It supports multiple file formats and allows playing files from either the local filesystem or the network. More information can be found at:

http://www.microsoft.com/windows/windowsmedia/mp10/default.aspx

II. DESCRIPTION

Remote exploitation of a stack-based buffer overflow in the handling of PNG image file chunks by Microsoft Corp.'s Windows Media Player could allow attackers to execute arbitrary code.

The Portable Network Graphics (PNG) specification defines an extensible, portable image format that gives lossless compression and allows transparency masking of various types. The format was developed as a patent-free alternative to GIF and TIFF format images, and the official specification is published on the W3C website.

It should be noted that it is possible to cause Windows Media Player to be called as a 'helper application' in Internet Explorer and Mozilla browsers, thus increasing the likelihood of exploitation.

Windows Media Player uses a fixed-size buffer in a function used when processing certain chunk types, and no validation is performed on the length of the chunks this function is passed. Therefore, a stack-based buffer overflow can occur when WMP interprets a PNG file with an excessive chunk size.

III. ANALYSIS

Exploitation could allow a remote attacker to execute code in the context of the currently logged-in user. In order to exploit this vulnerability, the victim must open a maliciously constructed file in Windows Media Player or follow a link in their browser to a website hosting such a file. No further user interaction is required for exploitation.

In order to trigger this vulnerability, an attacker could construct a maliciously formed PNG file and link to it via an OBJECT tag on a website under their control. iDefense Labs has constructed a proof of concept exploit which achieved reliable code execution in both Internet Explorer and Mozilla Firefox.

IV. DETECTION

iDefense Labs has verified the existence of this vulnerability in version 10 of Microsoft Windows Media Player on Windows XP SP2 with all security patches installed as of May 23, 2006. Microsoft has reported that the following versions are affected:

  Windows Media Player 7.1
  Windows Media Player for XP
  Windows Media Player 9
  Microsoft Windows Media Player 10

V. WORKAROUND

Any of the last three workarounds listed in the advisory for MS06-005 can be used to prevent exploitation.

  * Modify the Access Control List on the DirectX Filter Graph no thread registry key.
  * Backup and remove the DirectX Filter Graph no thread registry key.
  * Unregister Quartz.dll.

Implementing these workarounds might prevent applications that use DirectX from functioning properly.

This vulnerability is not the same as MS06-005, and the MS06-005 patches do not fix this vulnerability. The workarounds for that vulnerability are applicable here only because the vulnerability is in the same application and called in a similar manner.

VI. VENDOR RESPONSE

The vendor security advisory and appropriate patches are available at:

http://www.microsoft.com/technet/security/Bulletin/MS06-024.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2006-0025 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

02/22/2006  Initial vendor notification
02/22/2006  Initial vendor response
06/13/2006  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus, iDefense Labs.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
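The defect the advisory describes is a chunk length that is never checked before the chunk is copied into a fixed-size buffer. The following is an added example, not iDefense's or Microsoft's code: a PNG chunk walker that validates every declared length against the bytes actually present and against the spec's limit before touching a payload, verifies the CRC, and only decodes IHDR when the payload is exactly the 13 bytes its fixed layout allows. The three inputs it runs on are constructed: a valid 1x1 image and two malformed files of the kind the description covers.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 2**31 - 1            # the PNG specification's upper bound on the chunk length field
FIXED_PAYLOAD_SIZES = {b"IHDR": 13}  # chunks with a fixed layout: size is checked before any field is read


class BadPNG(ValueError):
    """The data is not a PNG the parser is willing to process."""


def iter_chunks(data, max_chunk_len=MAX_CHUNK_LEN):
    """Yield (type, payload) for every chunk, validating each declared length against the
    bytes actually present before touching the payload. Stops after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise BadPNG("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if len(data) - pos < 12:                       # 4 length + 4 type + 4 CRC at minimum
            raise BadPNG(f"truncated chunk header at offset {pos}")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        if length > max_chunk_len:
            raise BadPNG(f"chunk {ctype!r} declares length {length}, over the {max_chunk_len} limit")
        end = pos + 8 + length
        if end + 4 > len(data):                        # declared length runs past the file
            raise BadPNG(f"chunk {ctype!r} length {length} exceeds remaining data")
        payload = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) != crc:
            raise BadPNG(f"CRC mismatch on chunk {ctype!r}")
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            return
    raise BadPNG("no IEND chunk")


def parse_ihdr(payload):
    """Decode IHDR only if the payload is exactly the 13 bytes the layout defines."""
    expected = FIXED_PAYLOAD_SIZES[b"IHDR"]
    if len(payload) != expected:                       # the check a fixed-size buffer needs before a copy
        raise BadPNG(f"IHDR payload is {len(payload)} bytes, expected {expected}")
    width, height, depth, colour, comp, filt, interlace = struct.unpack(">IIBBBBB", payload)
    return {"width": width, "height": height, "bit_depth": depth, "colour_type": colour,
            "compression": comp, "filter": filt, "interlace": interlace}


def summarize(data):
    """Walk a PNG and return its IHDR fields and the chunk type sequence, or raise BadPNG."""
    info = {"ihdr": None, "chunks": []}
    for ctype, payload in iter_chunks(data):
        info["chunks"].append(ctype)
        if ctype == b"IHDR":
            info["ihdr"] = parse_ihdr(payload)
    if info["ihdr"] is None or info["chunks"][0] != b"IHDR":
        raise BadPNG("IHDR must be the first chunk")
    return info


def rejects(data):
    """True if summarize() refuses the input rather than processing it."""
    try:
        summarize(data)
    except BadPNG:
        return True
    return False


def make_chunk(ctype, payload):
    """Assemble one chunk with a correct length and CRC (used only to construct the inputs below)."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


# Constructed inputs: a valid 1x1 greyscale image, a chunk whose declared length is not backed
# by real data, and an IHDR far larger than the fixed layout it is meant to fill.
GOOD_PNG = (PNG_SIGNATURE
            + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + make_chunk(b"IEND", b""))
OVERLONG_LENGTH = PNG_SIGNATURE + struct.pack(">I", 0x10000) + b"IHDR" + b"\x00" * 13
OVERSIZED_IHDR = PNG_SIGNATURE + make_chunk(b"IHDR", b"\x00" * 4096) + make_chunk(b"IEND", b"")

if __name__ == "__main__":
    print(summarize(GOOD_PNG))
    for name, blob in (("overlong length", OVERLONG_LENGTH), ("oversized IHDR", OVERSIZED_IHDR)):
        print(f"{name}: rejected={rejects(blob)}")
```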
[Full-disclosure] iDefense Security Advisory 06.13.06: Microsoft Internet Explorer ART File Heap Corruption Vulnerability
Microsoft Internet Explorer ART File Heap Corruption Vulnerability

iDefense Security Advisory 06.13.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
June 13, 2006

I. BACKGROUND

Internet Explorer is the web browser included in Microsoft Corp.'s Windows products.

II. DESCRIPTION

Remote exploitation of a heap corruption vulnerability in Microsoft Corp.'s Internet Explorer allows attackers to execute arbitrary code.

Internet Explorer supports Johnson-Grace compressed images, or .art files. Johnson-Grace developed this technology in 1991. In 1994, America Online Inc. began using the technology and, in 1996, purchased the company to secure rights to it. It is now licensed to Microsoft for usage in Internet Explorer by way of the jgdw400.dll dynamically linked library, which is copyrighted by AOL.

The vulnerability specifically exists due to improper parsing of a malformed .art file during rendering. With a carefully crafted .art file, it is possible to overwrite portions of the heap with static values from a file-independent table in memory. Although this typically would be somewhat limiting from an exploitation standpoint, in this case an attacker can utilize large images or JavaScript to fill the heap so that these static values reliably point into controlled regions. Because there are an abundance of function pointers on the heap that an attacker may smash, heap integrity checks are not effective in preventing exploitation.

III. ANALYSIS

Successful exploitation of this vulnerability allows attackers to execute arbitrary code with the privileges of the currently logged-on user. iDefense Labs analysis has shown that exploitation can be as reliable as 75 percent with the current exploitation method. Upon failed exploitation attempts, the system may become slow or unresponsive due to the method employed by the exploit to fill memory in order to facilitate an exploitable memory state.

It should be noted that hardware data execution prevention (DEP) will prevent exploitation from occurring by the iDefense Labs-maintained exploit code. This is a result of the payload executing on the heap, which is marked writable and thus not executable.

It should also be noted that the file does NOT need to have an .art extension to be rendered by the vulnerable library. Any extension can be used, provided the image is loaded via an IMG SRC tag in an HTML document in Internet Explorer.

IV. DETECTION

iDefense has confirmed that the following Microsoft products are affected in default configurations:

  Windows XP
  Windows XP SP1
  Windows XP SP2
  Windows 2003
  Windows 2003 SP1

iDefense has confirmed that the following Microsoft products are affected when recommended Windows feature updates have been installed:

  Windows 2000 SP4

To determine if a Windows 2000 system is affected, check for the existence of the file jgdw400.dll on the system. If the file exists, the system is affected.

V. WORKAROUND

iDefense has developed the following workaround, which has not demonstrated any impairment to the system in testing. However, as this is not a vendor-supplied workaround, it should be tested thoroughly before being applied to a production environment.

Remove the following dynamically linked libraries from:

  C:\windows\system32\jgpl400.dll
  C:\windows\system32\jgdw400.dll
  C:\windows\system32\jgaw400.dll
  C:\windows\system32\jgsd400.dll
  C:\windows\system32\jgmd400.dll
  C:\windows\system32\jgsh400.dll

This will effectively disable the viewing of all .ART files on the system.

VI. VENDOR RESPONSE

The vendor security advisory and appropriate patches are available at:

http://www.microsoft.com/technet/security/Bulletin/MS06-022.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2006-2378 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

02/07/2006  Initial vendor notification
02/07/2006  Initial vendor response
06/13/2006  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor
[Full-disclosure] iDefense Security Advisory 06.13.06: Windows MRXSMB.SYS MrxSmbCscIoctlCloseForCopyChunk DoS
Windows MRXSMB.SYS MrxSmbCscIoctlCloseForCopyChunk DoS

iDefense Security Advisory 06.13.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
June 13, 2006

I. BACKGROUND

Microsoft Windows Operating System is system software for Intel-based PCs. More information can be found at the vendor website:

http://www.microsoft.com

II. DESCRIPTION

Local exploitation of an access validation error in Microsoft Corp.'s Windows Operating System could allow attackers to cause a denial of service (DoS) condition.

The vulnerability specifically exists due to a logic error in the Microsoft Client Side Caching (CSCDLL.DLL) and Microsoft Server Message Block Redirector Driver (MRXSMB.SYS) code. The Microsoft Client Side Caching infrastructure provides the user-mode portion of the offline files subsystem that allows interaction with network files while offline and preserves file system permissions. The Microsoft Server Message Block Redirector Driver is the kernel-mode file system driver that provides the network redirector functionality utilized by CSC.

MRXSMB.SYS functions are exposed via IOCTL commands. An access validation error exists in the MrxSmbCscIoctlCloseForCopyChunk() function. In order to establish communication with the MRXSMB subsystem, a file handle to a shadow device is created. If the MrxSmbCscIoctlCloseForCopyChunk() function is passed the file handle to the shadow device, a deadlock occurs, resulting in an unkillable process.

III. ANALYSIS

Exploitation could result in the creation of unkillable processes. This attack can be used as protection against anti-virus or other host-based intrusion prevention systems.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Microsoft Windows XP SP2. It is suspected that all versions of Microsoft Windows are vulnerable.

V. WORKAROUND

iDefense is unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

The vendor security advisory and appropriate patches are available at:

http://www.microsoft.com/technet/security/Bulletin/MS06-030.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2006-2374 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

02/07/2006  Initial vendor notification
02/07/2006  Initial vendor response
06/13/2006  Coordinated public disclosure

IX. CREDIT

iDefense credits Rubén Santamarta with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
[Full-disclosure] iDefense Security Advisory 06.13.06: Windows MRXSMB.SYS MRxSmbCscIoctlOpenForCopyChunk Overflow
Windows MRXSMB.SYS MRxSmbCscIoctlOpenForCopyChunk Overflow

iDefense Security Advisory 06.13.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
June 13, 2006

I. BACKGROUND

Microsoft Windows Operating System is system software for Intel-based PCs. More information can be found at the vendor website:

http://www.microsoft.com

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in Microsoft Corp.'s Windows Operating System could allow attackers to gain SYSTEM privileges.

The vulnerability specifically exists due to a logic error in the Microsoft Client Side Caching (CSCDLL.DLL) and Microsoft Server Message Block Redirector Driver (MRXSMB.SYS) code. The Microsoft Client Side Caching infrastructure provides the user-mode portion of the offline files subsystem, which allows interaction with network files while offline and preserves file system permissions. The Microsoft Server Message Block Redirector Driver is the kernel-mode file system driver that provides the network redirector functionality utilized by CSC.

MRXSMB.SYS functions are exposed via IOCTL commands. An access validation error exists in the MrxSmbCscIoctlOpenForCopyChunk() function. In order to establish communication with the MRXSMB subsystem, a file handle to a shadow device is created and DeviceIoControl() is used to issue commands. If an attacker utilizes the METHOD_NEITHER method flag, the address will be unchecked and an overwrite of kernel memory can occur, resulting in ring0 code execution.

III. ANALYSIS

Successful exploitation of this vulnerability could result in elevation to SYSTEM privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Microsoft Windows XP SP2. It is suspected that all versions of Microsoft Windows are vulnerable.

V. WORKAROUND

iDefense is unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

The vendor security advisory and appropriate patches are available at:

http://www.microsoft.com/technet/security/Bulletin/MS06-030.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2006-2373 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

12/09/2005  Initial vendor notification
12/13/2005  Initial vendor response
06/13/2006  Coordinated public disclosure

IX. CREDIT

iDefense credits Rubén Santamarta with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
[Full-disclosure] ZDI-06-018: Microsoft Internet Explorer DXImageTransform ActiveX Memory Corruption Vulnerability
ZDI-06-018: Microsoft Internet Explorer DXImageTransform ActiveX Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-018.html
June 13, 2006

-- CVE ID:
CVE-2006-1303

-- Affected Vendor:
Microsoft

-- Affected Products:
Internet Explorer 6 All Versions
Internet Explorer 5 SP4

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since June 13, 2006 by Digital Vaccine protection filter ID 4461. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. Successful exploitation requires that the target user browse to a malicious web page.

The specific flaw exists in the Microsoft ActiveX object DXImageTransform.Microsoft.MMSpecialEffect1Input. Due to improper garbage collection when another object is assigned to any property, code execution is possible. This object implements the IObjectSafety interface and thus the default Internet Explorer settings allow for arbitrary code execution without any further user interaction.

Several related ActiveX objects suffer from the same problem including:

    * DXImageTransform.Microsoft.MMSpecialEffect1Input.1
    * DXImageTransform.Microsoft.MMSpecialEffect2Inputs
    * DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1
    * DXImageTransform.Microsoft.MMSpecialEffectInplace1Input
    * DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS06-021.mspx

-- Disclosure Timeline:
2006.04.27 - Vulnerability reported to vendor
2006.06.13 - Digital Vaccine released to TippingPoint customers
2006.06.13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
[Full-disclosure] ZDI-06-017: Microsoft Internet Explorer UTF-8 Decoding Heap Overflow Vulnerability
ZDI-06-017: Microsoft Internet Explorer UTF-8 Decoding Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-017.html
June 13, 2006

-- CVE ID:
CVE-2006-2382

-- Affected Vendor:
Microsoft

-- Affected Products:
Internet Explorer 6 All Versions
Internet Explorer 5 SP4

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since June 13, 2006 by Digital Vaccine protection filter ID 4440. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. Successful exploitation requires that the target user browse to a malicious web page. Exploitation does not require JavaScript, Java or ActiveX to be enabled.

The specific vulnerability is due to a miscalculation of memory sizes when translating UTF-8 characters to Unicode. A size mismatch between a heap allocation and memory copy results in an exploitable heap corruption.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-021.mspx

-- Disclosure Timeline:
2006.01.20 - Vulnerability reported to vendor
2006.06.13 - Digital Vaccine released to TippingPoint customers
2006.06.13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
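The size mismatch the advisory describes, as an added illustration in C that is not IE's code or ZDI's: a measure-then-copy UTF-8 to UTF-16 converter whose buggy measuring pass counts one UTF-16 unit per lead byte (wrong for code points above U+FFFF, which need a surrogate pair), beside a version in which both passes share one decoder and the copy is bounded by the allocation. The input bytes in the tests are constructed; the U+FFFD handling and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed illustration of the bug class in ZDI-06-017, not IE's code:
 * a "measure, allocate, copy" UTF-8 -> UTF-16 conversion whose measuring
 * pass and copying pass disagree, so the copy overruns the allocation.
 * The hardened path drives both passes from one decoder and bounds the
 * copy against the allocation regardless. */

/* Bytes in the UTF-8 sequence led by b; 0 for a continuation/invalid byte. */
static size_t utf8_seq_len(unsigned char b) {
    if (b < 0x80) return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 0;
}

/* BUGGY measurement: one UTF-16 unit per lead byte. Code points above
 * U+FFFF (4-byte sequences) need a surrogate pair, i.e. two units, so
 * this under-counts and a buffer sized from it is too small. */
size_t measure_utf16_buggy(const unsigned char *s, size_t n) {
    size_t units = 0;
    for (size_t i = 0; i < n; i++)
        if ((s[i] & 0xC0) != 0x80) units++;
    return units;
}

/* Decode one scalar value at s[*i] and advance *i. Invalid, truncated,
 * surrogate or out-of-range sequences yield U+FFFD and consume exactly
 * one byte. Both passes below use this, so they agree by construction. */
static uint32_t utf8_next(const unsigned char *s, size_t n, size_t *i) {
    unsigned char b = s[*i];
    size_t len = utf8_seq_len(b);
    if (len == 0 || *i + len > n) { (*i)++; return 0xFFFD; }
    uint32_t cp = (len == 1) ? b : (uint32_t)(b & (0x7F >> len));
    for (size_t k = 1; k < len; k++) {
        unsigned char c = s[*i + k];
        if ((c & 0xC0) != 0x80) { (*i)++; return 0xFFFD; }
        cp = (cp << 6) | (c & 0x3F);
    }
    *i += len;
    if ((cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return 0xFFFD;
    return cp;
}

/* Correct measurement: a surrogate pair counts as two units. */
size_t measure_utf16(const unsigned char *s, size_t n) {
    size_t units = 0, i = 0;
    while (i < n) units += (utf8_next(s, n, &i) >= 0x10000) ? 2 : 1;
    return units;
}

/* Copy pass. Never writes more than cap units and returns the number of
 * units the input needs; a result larger than cap tells the caller its
 * allocation was too small (truncation instead of a heap overrun). */
size_t decode_utf16(const unsigned char *s, size_t n, uint16_t *out, size_t cap) {
    size_t units = 0, i = 0;
    while (i < n) {
        uint32_t cp = utf8_next(s, n, &i);
        if (cp >= 0x10000) {
            if (units + 2 <= cap) {
                out[units]     = (uint16_t)(0xD800 + ((cp - 0x10000) >> 10));
                out[units + 1] = (uint16_t)(0xDC00 + ((cp - 0x10000) & 0x3FF));
            }
            units += 2;
        } else {
            if (units < cap) out[units] = (uint16_t)cp;
            units++;
        }
    }
    return units;
}

/* Allocate from the correct measurement and fail closed if the copy pass
 * ever disagrees with it. The caller frees the result. */
uint16_t *to_utf16(const unsigned char *s, size_t n, size_t *out_units) {
    size_t need = measure_utf16(s, n);
    uint16_t *buf = malloc((need ? need : 1) * sizeof *buf);
    if (buf == NULL) return NULL;
    if (decode_utf16(s, n, buf, need) != need) { free(buf); return NULL; }
    *out_units = need;
    return buf;
}

/* The k-th UTF-16 unit of the converted input, or 0xFFFF if k is out of
 * range or the conversion failed. */
uint16_t utf16_unit_at(const unsigned char *s, size_t n, size_t k) {
    size_t units = 0;
    uint16_t *buf = to_utf16(s, n, &units);
    uint16_t r = (buf != NULL && k < units) ? buf[k] : 0xFFFF;
    free(buf);
    return r;
}
```

For the constructed input U+1F600 (F0 9F 98 80) the buggy pass reports one unit while the copy needs two, which is exactly the allocation-versus-copy gap a heap overflow of this kind grows out of.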
Re: [Full-disclosure] repeated port 21 attempts
A lot of modern Windows apps call home for updates or license checks. Unless you have a very restrictive policy on installed software, your network will see a lot of calls like that. Also some programs scan the local network searching for peers or servers; iTunes does it, I think.

On Tue, 13 Jun 2006 13:26:20 -0500 Jacob Wu [EMAIL PROTECTED] wrote:

JW I have received the suggestion that these attempts to connect to our ftp
JW server are actually attempts to connect to some anti-virus ftp server for
JW updates. This is quite probable given that:
JW
JW 1.) When our client has a 10.x.x.x address all dns requests resolve to the
JW IP number of my server.
JW 2.) After they register and have a real IP we switch them to a real DNS
JW server.
JW
JW It is also possible that it could be a bot calling home, but when we have
JW brought the computers down to our office and scanned them ourselves we can't
JW find anything on them.
JW
JW I'm going to call this one done since the attacks seem to go away once we
JW give them a real IP. Thanks to all.
JW
JW -----Original Message-----
JW From: Andrew Farmer [mailto:[EMAIL PROTECTED]
JW Sent: Tuesday, June 13, 2006 12:49 PM
JW To: Jacob Wu
JW Cc: full-disclosure@lists.grok.org.uk
JW Subject: Re: Re: [Full-disclosure] repeated port 21 attempts
JW
JW On 6/13/06, Jacob Wu [EMAIL PROTECTED] wrote:
JW > They are all non routable 10.x.x.x IPs. This is for a residence hall at my
JW > University. Residents, when they first turn on their computers, are given a
JW > 10.x.x.x IP and made to register and agree with the network use policy.
JW > Once they do that they are given a real IP and thus access to the internet.
JW
JW Are you doing something weird with DNS that's making this one machine's
JW address show up on lookups, or messing with routing so that everything
JW gets redirected to this box?
JW
JW If so, I'd wonder if this is some sort of bot that you're seeing that's trying to
JW call home with FTP. It might behoove you to (kindly) ask the owner of one
JW of the machines to let you take a look at their machine to see what it's
JW doing.
JW
JW > Someone sent me this link:
JW > Try websnarf: http://www.unixwiz.net/tools/websnarf-1.04
JW > But it gives me less information than iptables does.
JW
JW You may have to modify it to better imitate an FTP server - it was written for
JW use as a faux HTTP server. In particular, the client may be waiting for a banner
JW and/or greeting before it makes a request.

Allgemeinen Anschulterlaubnis Cardoso [EMAIL PROTECTED] - SkypeIn: (11) 3711-2466 / (41) 3941-5299
vida digital: http://www.contraditorium.com
personal site and blog: http://www.carloscardoso.com
[Full-disclosure] Some thoughts about MS06-027 Winword.exe timestamps
After examining the new MS advisories, the time stamps of the executables included in MS06-027
http://www.microsoft.com/technet/security/Bulletin/MS06-027.mspx
are interesting. The first warnings about this 0-day vulnerability in Word were published on 19th May, referring to an Internet Storm Center Diary entry. ISC did a great job during these weeks.

When looking into the Security Update Information section (Manual Client Installation Information - Client Installation File Information) we have the following Winword.exe information:

Word 2003 - 15-May-2006
Word 2002 - 12-May-2006
Word 2000 - 16-May-2006

The updated, non-affected Winword.exe for Word version 2002 was ready (and passed some MS release tests) exactly a week before the first public warnings. As we know, some targeted attacks on companies in the China area have been reported.

After updating my Word installation, the file information of C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE says 11.5 Mb, 15th May 2006, revision 11.0.8026.0. A localized Finnish update package was used.

The new security advisory lists Shih-hao Weng of Information Communication Security Technology Center, Taiwan (http://www.icst.org.tw/) as reporter of this issue. He was mentioned in the Credit section of the Windows Color Management Module advisory MS05-036 too. Big thanks go to him as well.

BTW: MS06-027 lists Word Viewer 2003 (newest available) as affected too. Using viewer utilities was mentioned as one of the workarounds in May.

I'm not saying Microsoft was hiding something; I believe that the attacks have been limited. Additionally, Microsoft possibly recommended target organizations not to use Word until the fix is available.

- Juha-Matti
Re: [Full-disclosure] SSL VPNs and security
Why do I keep reading that IPSec provides full network connectivity? SC Magazine just repeated this nonsense. It only does that if you have it configured that way. Even Microsoft's PPTP L2TP free stuff can be limited. And you can configure an SSL VPN to do likewise.

Ray

From: Q-Ball [EMAIL PROTECTED]
To: Tim [EMAIL PROTECTED]
CC: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] SSL VPNs and security
Date: Tue, 13 Jun 2006 15:13:45 +1000

> SSL VPNs have their legitimate place as does IPSec. Personally, I'd rather that travelling execs who need to log on from a public Internet terminal don't have full IP connectivity into the network, but maybe that's just me.
>
> Q-Ball
>
> On 6/10/06, Tim [EMAIL PROTECTED] wrote:
> > > That depends on whether the solution tries to solve single-sign-on problems as well. If the vendor is trying to handle SSO in such an environment, then they are probably using domain cookies. The problems are exactly the same as the ones Michal listed, plus some additional ones specific to domain cookies.
> >
> > Right, that does make it difficult. There's probably work arounds, but they may be browser-specific. Wildcard cookies, cookies set to other origins, or somehow setting document.domain back to the base domain after the initial page load might help, but some would probably present the same problem.
> >
> > The web was never designed for complex application development. At least, web standards aren't. Use a real VPN.
> >
> > cheers,
> > tim
[Full-disclosure] Black Hat Speakers + 2005 Content on-line
Hello Full Disclosure Readers,

I want to make a quick announcement, then back to the 0day for you!

The speaker selection for Black Hat USA 2006 is now complete. We have a fantastic line up of Briefings presentations and our largest selection of Training this year.

Briefings: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-schedule.html
Training: http://www.blackhat.com/html/bh-usa-06/train-bh-usa-06-index.html

For the first time in four years, we have been able to expand our speaking line. This is because Caesars Palace has expanded their conference space, and Black Hat will be getting the entire fourth floor to ourselves! This means that for the first time in four years, we were able to expand the number of presentation tracks and panels, as well as offer more opportunities for networking in our Human Network area.

Some notes from the schedule:

* A Root-kit focused track draws attention to the amount of work, and the speed of advancement, going into this field.

* Ajax to Fuzzers -- web app sec is taken to a new level. The largest number of talks dealing with web application security ever delivered at a Black Hat. As the web moves to a more interactive web 2.0 model of participation it is only natural for there to be more risks involved.

* A Windows Vista Security track which has been garnering a lot of press lately... this will be an unprecedented first comprehensive look at Vista security issues.

* Jim Christie is bringing his Meet the Fed panel over from DEF CON, and the Hacker Court is back along with panels on Disclosure, a Public Forum on Corporate Spyware Threats hosted by The Center for Democracy and Technology Anti-Spyware Coalition, and a new challenge will be presented by the Jericho Forum.

Remember, prices increase July 1st for both the Briefings and Trainings. Register now to get the best rates!
http://www.blackhat.com/html/bh-registration/bh-registration.html#us

Other News:

Black Hat is pleased to release the presentations from last year's Black Hat 2005 Briefings in both audio and video format. Also a first, they will be available for download in both H.264 .mp4 format (iPod compatible) as well as .mp3 audio. Currently you have to subscribe to the Black Hat .rss feed to get them, but in the coming weeks we will make them available through the past conventions archive page.
http://www.blackhat.com/BlackHatRSS.xml

Black Hat would like to welcome the ISSA as a worldwide supporting association.
http://www.issa.org/

Thank you,

Jeff Moss
Re: [Full-disclosure] SSL VPNs and security
Sure, traffic can be filtered, but the point is that the layer 7 connection is terminated at the network perimeter rather than the internal network, which is typically much less protected.

On 6/14/06, Ray P [EMAIL PROTECTED] wrote:
> Why do I keep reading that IPSec provides full network connectivity? SC Magazine just repeated this nonsense. It only does that if you have it configured that way. Even Microsoft's PPTP L2TP free stuff can be limited. And you can configure an SSL VPN to do likewise.
>
> Ray
>
> From: Q-Ball [EMAIL PROTECTED]
> To: Tim [EMAIL PROTECTED]
> CC: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] SSL VPNs and security
> Date: Tue, 13 Jun 2006 15:13:45 +1000
>
> > SSL VPNs have their legitimate place as does IPSec. Personally, I'd rather that travelling execs who need to log on from a public Internet terminal don't have full IP connectivity into the network, but maybe that's just me.
> >
> > Q-Ball
> >
> > On 6/10/06, Tim [EMAIL PROTECTED] wrote:
> > > > That depends on whether the solution tries to solve single-sign-on problems as well. If the vendor is trying to handle SSO in such an environment, then they are probably using domain cookies. The problems are exactly the same as the ones Michal listed, plus some additional ones specific to domain cookies.
> > >
> > > Right, that does make it difficult. There's probably work arounds, but they may be browser-specific. Wildcard cookies, cookies set to other origins, or somehow setting document.domain back to the base domain after the initial page load might help, but some would probably present the same problem.
> > >
> > > The web was never designed for complex application development. At least, web standards aren't. Use a real VPN.
> > >
> > > cheers,
> > > tim
[Full-disclosure] Re: SSL VPNs and security
Hello Michal,

On Thu, Jun 08, 2006 at 10:48:18PM +0200, Michal Zalewski wrote:

> [...]
>
> Commercial SSL VPNs are a fairly recent technology that has a considerable appeal to various corporations. Because of its novelty, however, in a typical setup it may be subject to several serious security flaws, unless very carefully designed.
>
> [...]
>
> Some commonly used corporate applications may indeed serve attacker-supplied contents, making these attacks virtually inherent to most SSL VPN deployments:
>
> [...]
>
> - Trivial cross-site scripting bug in SSL VPNs themselves may endanger the entire system. Impossible? Cisco SSL VPN has this:
>
> https://vpnhost/webvpn/dnserror.html?domain=ufoo/u
>
> (and yes, they seem to be aware of this, but have no specific timeline for fixing it - so I suppose it's OK to report it; hi Larry Seltzer).

Cisco confirms the existence of a Cross-Site Scripting (XSS) vulnerability in the clientless mode of the WebVPN feature of the Cisco VPN 3000 Series Concentrators and the Cisco ASA 5500 Series Adaptive Security Appliances (ASA).

Please note that the technology affected by the XSS vulnerability is what Cisco calls WebVPN clientless mode and not WebVPN full-network-access mode, which is a different encrypted tunnel technology that is more similar to IPSec and that requires the installation of the Cisco SSL VPN Client. For a description of the differences between the clientless and full-network-access modes of Cisco WebVPN please refer to:

http://www.cisco.com/en/US/products/ps6635/products_data_sheet0900aecd80405e25.html

Cisco is tracking this issue using the following Cisco bug IDs:

* CSCsd81095 - VPN3k vulnerable to cross-site scripting when using WebVPN
* CSCse48193 - ASA vulnerable to cross-site scripting when using WebVPN

The vulnerability happens when certain error conditions occur and the device tries to make the user aware of the problem. Under these error conditions the WebVPN feature presents the user with an HTML page that indicates the error and the URL the user was trying to access. Because the pages displayed also output the URL where the problem occurred, it is possible to embed scripting code in the URL that can then be executed by the user's web browser.

You provided the example https://vpnhost/webvpn/dnserror.html?domain=ufoo/u. In this example, the vulnerability is triggered when the device displays a DNS resolution problem (dnserror.html). The other possible page where this problem can happen is connecterror.html, which is displayed when the device has trouble connecting to the URL specified by the user. Cisco bugs CSCsd81095 and CSCse48193 will address the issue for all WebVPN error conditions.

To exploit these issues an attacker would have to entice authenticated users to follow a specially crafted, malicious URL. A successful attack would result in the execution of arbitrary script code in the user's web browser.

As you point out, SSL VPN technologies have their own set of challenges. The whitepaper on SSL VPN Security that is mentioned in your original posting is a good resource on this topic that attempts to address the nature of these challenges and increase awareness. This whitepaper is located at:

http://www.cisco.com/web/about/security/intelligence/05_08_SSL-VPN-Security.html

This issue was independently reported to Cisco by yourself, Michal Zalewski, and two other customers. We would like to thank all of them for bringing this issue to our attention.

This response will also be posted to http://www.cisco.com/warp/public/707/cisco-sr-20060613-webvpn-xss.shtml.

Cheers,

Eloy Paris.-
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
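The reflect-the-URL error page the response describes, as an added example in C that is neither Cisco's code nor its markup: one renderer places the requested host name into the page as-is, the other HTML-escapes it first and refuses to emit a truncated page. The page template, the function names and the 512-byte limit on the escaped value are assumptions; the inputs used in the checks are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not Cisco's code or markup: an error page that
 * reflects the requested host name back to the user. The first renderer
 * shows the defect the response describes (the value goes into the page
 * as-is); the second escapes it first. Page template, function names and
 * the 512-byte limit on the escaped value are assumptions. */

/* Replace the characters that can change HTML context. Returns the full
 * escaped length (snprintf-style); writes at most cap-1 bytes plus a
 * terminator, and stops at a whole entity so the output is never cut in
 * the middle of "&lt;". */
size_t html_escape(const char *in, char *out, size_t cap) {
    size_t len = 0, written = 0;
    int full = (cap == 0);
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (!full && written + rl < cap) {
            memcpy(out + written, rep, rl);
            written += rl;
        } else {
            full = 1;   /* out of room: keep counting, stop writing */
        }
        len += rl;
    }
    if (cap) out[written] = '\0';
    return len;
}

/* VULNERABLE pattern: the host name taken from the query string is placed
 * straight into the page, so any markup or script it carries is rendered
 * by the user's browser. Returns the snprintf result. */
int render_dns_error_raw(const char *domain, char *out, size_t cap) {
    return snprintf(out, cap, "<p>Unable to resolve host <b>%s</b>.</p>", domain);
}

/* FIXED: the value is escaped before it is reflected. Returns 0 on
 * success, -1 when the escaped value or the page does not fit. */
int render_dns_error(const char *domain, char *out, size_t cap) {
    char esc[512];
    if (html_escape(domain, esc, sizeof esc) >= sizeof esc) return -1;
    int n = snprintf(out, cap, "<p>Unable to resolve host <b>%s</b>.</p>", esc);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Check a caller or test can use: does the rendered page still contain
 * the given literal fragment? 1 = yes, 0 = no. */
int page_contains(const char *page, const char *needle) {
    return strstr(page, needle) != NULL;
}
```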
[Full-disclosure] Possible DOS issue in OpenSSH ssh client
The client did just hang; I don't know for how long, but I sent a break after an hour :-) I didn't have the time to test this issue more.

kaosone wrote:
> > This could be used in a denial of service attack or could be used to stop (or at least annoy) ssh bruteforcers :-)
>
> no, the bruteforcers don't use ssh, but other programs that can be not affected by this

It is good to see that someone knows all the bruteforcers :-) (could you please ask them to stop). I do not know if this issue affects Hydra, Guess-who and so on. I have only tested this issue with the OpenSSH client and PuTTY. PuTTY seems to be less affected (cpu usage 25-40%).
[Full-disclosure] [ MDKSA-2006:099-1 ] - Updated freetype2 packages fix multiple vulnerabilities.
___
Mandriva Linux Security Advisory                         MDKSA-2006:099-1
http://www.mandriva.com/security/
___

Package : freetype2
Date    : June 13, 2006
Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0
___

Problem Description:

Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values. (CVE-2006-0747)

Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. (CVE-2006-1861)

Ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference. (CVE-2006-2661)

In addition, a patch is applied to 2.1.10 in Mandriva 2006 to fix a serious bug in ttkern.c that caused some programs to go into an infinite loop when dealing with fonts that don't have a properly sorted kerning sub-table. This patch is not applicable to the earlier Mandriva releases.

Update:

The previous update introduced some issues with other applications and libraries linked to libfreetype that were missed in testing for the vulnerability issues. The new packages correct these issues.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0747
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1861
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2661
___

Updated Packages:
[Full-disclosure] [ MDKSA-2006:100 ] - Updated gdm packages fix vulnerability
___
Mandriva Linux Security Advisory                           MDKSA-2006:100
http://www.mandriva.com/security/
___

Package : gdm
Date    : June 13, 2006
Affected: 2006.0
___

Problem Description:

A vulnerability in gdm could allow a user to activate the gdm setup program if the administrator configured a gdm theme that provided a user list. The user could do so by choosing the setup option from the menu, clicking the user list, then entering his own password instead of root's.

The updated packages have been patched to correct this issue.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2452
___

Updated Packages:
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
___

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
[Full-disclosure] OpenOffice.org XSS
Author:  XiON
Date:    JUN1406
Type:    XSS
Product: http://www.openoffice.org/
Patch:   N/A
Link:    http://securitydot.net/xpl/exploits/vulnerabilities/articles/1060/exploit.html

--
Best Regards,
Aleksander Hristov
root at securitydot.net
http://securitydot.net
RE: [Full-disclosure] repeated port 21 attempts
> I'm getting port 21 connection attempts every 5 minutes from about half a dozen of my network users. These attempts are repeating regularly with one computer sending out 1500+ attempts a day. I have not seen this before and I'm wondering if anyone else here has seen a client behave this way before?

Hi,

Sounds like the FTP and SSH attacks that are opportunistically launched by Romanian attackers to date: simple brute force and a few other hacking exploits. It's a consistent issue we've seen globally for many months now.

Cheers,
Ken