[Full-disclosure] [vuln.sg] Cool Messenger Server SQL Injection Vulnerability

2006-08-23 Thread TAN Chew Keong
[vuln.sg] Vulnerability Research Advisory

Cool Messenger Server SQL Injection Vulnerability

by Tan Chew Keong
Release Date: 2006-08-23

Summary
---
A vulnerability has been found in Cool Messenger Office/School Server.
When exploited, the vulnerability allows anyone to log on to the
messenger server as any user without knowing any password.

Tested Versions
---
Japanese Version:
Cool Manager version 5.0 (5,60,90,27) with Cool_CoolD 5,60,90,7

Korean Version:
Cool Messenger Office/School Server version 5.5 (5,65,12,12) with
Cool_CoolD 5,65,12,11

Details
---
http://vuln.sg/coolmessenger55-en.html
http://vuln.sg/coolmessenger55-jp.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [vuln.sg] PowerZip Long Filename Handling Buffer Overflow Vulnerability

2006-08-23 Thread TAN Chew Keong
[vuln.sg] Vulnerability Research Advisory

PowerZip Long Filename Handling Buffer Overflow Vulnerability

by Tan Chew Keong
Release Date: 2006-08-23

Summary
---
A vulnerability has been found in PowerZip. When exploited, the
vulnerability allows execution of arbitrary code when the user opens a
malicious ZIP archive.

Tested Version
--
PowerZip version 7.06 Build 3895.

Details
---
http://vuln.sg/powerzip706-en.html
http://vuln.sg/powerzip706-jp.html



[Full-disclosure] md5 attack: brute force 1/3 time faster than traditional hash brute forcing

2006-08-23 Thread Slythers Bro
/*
MD5 recomputation proof of concept
coded by overdose [EMAIL PROTECTED]
maybe need modification for big endian
bcc32 -O2 -6 fuckmd5.cpp

E:\UnxUtils\usr\local\wbin>cat t.txt
dcvgc
E:\UnxUtils\usr\local\wbin>md5sum.exe t.txt
1c66bd6cc55e538103360ae67e5291c9 *t.txt

E:\UnxUtils\usr\local\wbin>
E:\FUCKMD5>bcc32 -O2 md5bf.cpp
Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
md5bf.cpp:
Warning W8066 md5bf.cpp 350: Unreachable code in function main(int,char * *)
Warning W8004 md5bf.cpp 351: 'compteur' is assigned a value that is never used in function main(int,char * *)
Warning W8004 md5bf.cpp 330: 'ii' is assigned a value that is never used in function main(int,char * *)
Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland

E:\FUCKMD5>md5bf.exe 1c66bd6cc55e538103360ae67e5291c9
MD5 recomputation proof of concept coded by overdose/[EMAIL PROTECTED] irc.worldnet.net #mwa
fuckmd5.exe hash
pass de 5 lettres
pass found : dcvgc

E:\FUCKMD5>
*/
#include <iostream.h>
#define CAR_CHAINE "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
static unsigned char PADDING[64] = {
  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

#define UINT4 unsigned int

/* F, G and H are basic MD5 functions: selection, majority, parity */
#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define I(x, y, z) ((y) ^ ((x) | (~z)))

/* ROTATE_LEFT rotates x left n bits, ROTATE_RIGHT rotates x right n bits */
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
#define ROTATE_RIGHT(x, n) (((x) >> (n)) | ((x) << (32-(n))))

/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4 */
/* Rotation is separate from addition to prevent recomputation */
#define FF(a, b, c, d, x, s, ac) \
  {(a) += F ((b), (c), (d)) + (x) + (unsigned int)(ac); \
   (a) = ROTATE_LEFT ((a), (s)); \
   (a) += (b); \
  }
#define GG(a, b, c, d, x, s, ac) \
  {(a) += G ((b), (c), (d)) + (x) + (unsigned int)(ac); \
   (a) = ROTATE_LEFT ((a), (s)); \
   (a) += (b); \
  }
#define HH(a, b, c, d, x, s, ac) \
  {(a) += H ((b), (c), (d)) + (x) + (unsigned int)(ac); \
   (a) = ROTATE_LEFT ((a), (s)); \
   (a) += (b); \
  }
#define II(a, b, c, d, x, s, ac) \
  {(a) += I ((b), (c), (d)) + (x) + (unsigned int)(ac); \
   (a) = ROTATE_LEFT ((a), (s)); \
   (a) += (b); \
  }

//hehe
/* RHH and RII undo one HH or II step: subtract b, rotate back, subtract the round term */
#define RHH(a, b, c, d, x, s, ac) \
  {(a) -= (b); \
   (a) = ROTATE_RIGHT ((a), (s)); \
   (a) -= H ((b), (c), (d)) + (x) + (unsigned int)(ac); \
  }
#define RII(a, b, c, d, x, s, ac) \
  {(a) -= (b); \
   (a) = ROTATE_RIGHT ((a), (s)); \
   (a) -= I ((b), (c), (d)) + (x) + (unsigned int)(ac); \
  }

/* Round 1 */
#define S11 7
#define S12 12
#define S13 17
#define S14 22
/* Round 2 */
#define S21 5
#define S22 9
#define S23 14
#define S24 20
/* Round 3 */
#define S31 4
#define S32 11
#define S33 16
#define S34 23
/* Round 4 */
#define S41 6
#define S42 10
#define S43 15
#define S44 21

/* Start from the target digest, strip the IV, and walk steps 64..45 backwards;
   returns a packed partial state for a quick comparison */
inline unsigned int FastRecompute(UINT4 *buf, UINT4 *in)
{
  UINT4 a = 0x67452301, b = 0xefcdab89, c = 0x98badcfe, d = 0x10325476;
  d = buf[3] - d;
  c = buf[2] - c;
  b = buf[1] - b;
  a = buf[0] - a;
  RII ( b, c, d, a, in[ 9], S44, 3951481745); /* 64 */
  RII ( c, d, a, b, in[ 2], S43, 718787259); /* 63 */
  RII ( d, a, b, c, in[11], S42, 3174756917); /* 62 */
  RII ( a, b, c, d, in[ 4], S41, 4149444226); /* 61 */
  RII ( b, c, d, a, in[13], S44, 1309151649); /* 60 */
  RII ( c, d, a, b, in[ 6], S43, 2734768916); /* 59 */
  RII ( d, a, b, c, in[15], S42, 4264355552); /* 58 (0xfe2ce6e0 per RFC 1321) */
  RII ( a, b, c, d, in[ 8], S41, 1873313359); /* 57 */
  RII ( b, c, d, a, in[ 1], S44, 2240044497); /* 56 */
  RII ( c, d, a, b, in[10], S43, 4293915773); /* 55 */
  RII ( d, a, b, c, in[ 3], S42, 2399980690); /* 54 */
  RII ( a, b, c, d, in[12], S41, 1700485571); /* 53 */
  RII ( b, c, d, a, in[ 5], S44, 4237533241); /* 52 */
  RII ( c, d, a, b, in[14], S43, 2878612391); /* 51 */
  RII ( d, a, b, c, in[ 7], S42, 1126891415); /* 50 */
  RII ( a, b, c, d, in[ 0], S41, 4096336452); /* 49 */
  RHH ( b, c, d, a, in[ 2], S34, 3299628645); /* 48 */
  RHH ( c, d, a, b, in[15], S33, 530742520); /* 47 */
  RHH ( d, a, b, c, in[12], S32, 3873151461); /* 46 */
  RHH ( a, b, c, d, in[ 9], S31, 3654602809); /* 45 */
  return ((0x1fff & a) | ((0x1fff & d) << 16));
}

inline bool FastTransform (UINT4 *buf, UINT4 *in, UINT4 lhash1, UINT4 lhash2)
{
  UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3];

  /* Round 1 */
  FF ( a, b, c, d, in[ 0], S11, 3614090360); /* 1 */
  FF ( d, a, b, c, in[ 1], S12, 3905402710); /* 2 */
  FF ( c, d, a, b, in[ 2], S13, 606105819); /* 3 */
  FF ( b, c, d, a, in[ 3], S14, 3250441966); /* 4 */
  FF ( a, b, c, d, in[ 4], S11, 4118548399); /* 5 */
  FF ( d, a, b, c, in[ 5], S12, 1200080426); /* 6 */
  FF ( c, d, a, b, in[ 6], S13, 2821735955); /* 7 */
  FF ( b, c, d, a, in[ 7], S14, 4249261313); /* 8 */
  FF ( a, b,
  /* (the message is truncated here in the archive) */
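The RHH/RII macros above rely on one property of MD5: each step replaces exactly one state word, using only additions and rotations modulo 2^32, so given the other three words and the message word the step is a bijection and can be undone. The following is an added C example, not the poster's code, that implements the MD5 compression function in loop form (constants and rotation amounts from RFC 1321), the inverse of a single step, and a check that the last `nsteps` steps can be walked backwards from the digest minus the IV to the state the forward pass recorded. Function names (`step_fwd`, `step_inv`, `md5_short`, `last_steps_reversible`) are this example's own; the reversal still needs the message words of those steps, which is why the post's FastRecompute takes `in` as well as the target hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-step rotation amounts and additive constants, RFC 1321 section 3.4. */
static const unsigned MD5_S[64] = {
    7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22,
    5,  9, 14, 20, 5,  9, 14, 20, 5,  9, 14, 20, 5,  9, 14, 20,
    4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23,
    6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21 };
static const uint32_t MD5_K[64] = {
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
    0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
    0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
    0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
    0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
    0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391 };
static const uint32_t MD5_IV[4] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 };

typedef struct { uint32_t a, b, c, d; } md5_state;

static uint32_t rotl(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }
static uint32_t rotr(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }

/* Boolean function (F, G, H, I) and message-word index used by step i. */
static uint32_t md5_f(int i, uint32_t b, uint32_t c, uint32_t d) {
    if (i < 16) return (b & c) | (~b & d);
    if (i < 32) return (b & d) | (c & ~d);
    if (i < 48) return b ^ c ^ d;
    return c ^ (b | ~d);
}
static int md5_g(int i) {
    if (i < 16) return i;
    if (i < 32) return (5 * i + 1) % 16;
    if (i < 48) return (3 * i + 5) % 16;
    return (7 * i) % 16;
}

/* Forward step i: only one word is recomputed; the other three rotate roles. */
static md5_state step_fwd(md5_state s, const uint32_t M[16], int i) {
    uint32_t nb = s.b + rotl(s.a + md5_f(i, s.b, s.c, s.d) + MD5_K[i] + M[md5_g(i)], MD5_S[i]);
    md5_state n = { s.d, nb, s.b, s.c };
    return n;
}

/* Inverse of step i: from the state after the step, recover the state before it.
   Every operation is addition or rotation mod 2^32, so the inverse is exact. */
static md5_state step_inv(md5_state s, const uint32_t M[16], int i) {
    md5_state p;
    p.b = s.c;
    p.c = s.d;
    p.d = s.a;
    p.a = rotr(s.b - p.b, MD5_S[i]) - md5_f(i, p.b, p.c, p.d) - MD5_K[i] - M[md5_g(i)];
    return p;
}

/* Pad a message of at most 55 bytes into one little-endian 16-word block.
   Returns 0 if the message does not fit in a single block. */
static int pad_block(const char *msg, size_t len, uint32_t M[16]) {
    uint8_t buf[64] = { 0 };
    if (len > 55) return 0;
    memcpy(buf, msg, len);
    buf[len] = 0x80;
    uint64_t bits = (uint64_t)len * 8;
    for (int i = 0; i < 8; i++) buf[56 + i] = (uint8_t)(bits >> (8 * i));
    for (int i = 0; i < 16; i++)
        M[i] = (uint32_t)buf[4 * i] | ((uint32_t)buf[4 * i + 1] << 8) |
               ((uint32_t)buf[4 * i + 2] << 16) | ((uint32_t)buf[4 * i + 3] << 24);
    return 1;
}

/* MD5 of a message of at most 55 bytes, written as lowercase hex into hex[33]. */
static int md5_short(const char *msg, size_t len, char hex[33]) {
    uint32_t M[16];
    if (!pad_block(msg, len, M)) return 0;
    md5_state s = { MD5_IV[0], MD5_IV[1], MD5_IV[2], MD5_IV[3] };
    for (int i = 0; i < 64; i++) s = step_fwd(s, M, i);
    uint32_t out[4] = { s.a + MD5_IV[0], s.b + MD5_IV[1], s.c + MD5_IV[2], s.d + MD5_IV[3] };
    for (int w = 0; w < 4; w++)
        for (int k = 0; k < 4; k++)
            sprintf(hex + 8 * w + 2 * k, "%02x", (unsigned)((out[w] >> (8 * k)) & 0xff));
    hex[32] = '\0';
    return 1;
}

/* Walk the last `nsteps` steps backwards from the digest (minus the IV) and
   compare with the state recorded on the forward pass. Returns 1 if they match. */
static int last_steps_reversible(const char *msg, size_t len, int nsteps) {
    uint32_t M[16];
    if (nsteps < 1 || nsteps > 64 || !pad_block(msg, len, M)) return 0;
    md5_state s = { MD5_IV[0], MD5_IV[1], MD5_IV[2], MD5_IV[3] }, mid = s;
    for (int i = 0; i < 64; i++) {
        if (i == 64 - nsteps) mid = s;       /* state just before the first reversed step */
        s = step_fwd(s, M, i);
    }
    /* A verifier only holds the digest: strip the IV to get the final state back. */
    uint32_t dg[4] = { s.a + MD5_IV[0], s.b + MD5_IV[1], s.c + MD5_IV[2], s.d + MD5_IV[3] };
    md5_state r = { dg[0] - MD5_IV[0], dg[1] - MD5_IV[1], dg[2] - MD5_IV[2], dg[3] - MD5_IV[3] };
    for (int i = 63; i >= 64 - nsteps; i--) r = step_inv(r, M, i);
    return r.a == mid.a && r.b == mid.b && r.c == mid.c && r.d == mid.d;
}

int main(void) {
    char hex[33];
    md5_short("abc", 3, hex);
    printf("md5(\"abc\") = %s\n", hex);
    /* 20 steps back (64 down to 45) is the span the post's RHH/RII chain covers. */
    printf("last 20 steps reversible: %d\n", last_steps_reversible("dcvgc", 5, 20));
    return 0;
}
```

The property holds for any number of steps from 1 to 64 and has nothing to do with collision attacks; what it shows is that a checker comparing against an intermediate state spends only part of one compression per candidate, with no salt or iteration count to raise that cost. That is the practical reason a plain, single-pass MD5 makes a poor password store.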

[Full-disclosure] NETRAGARD-20060624 SECURITY ADVISORY] [ROXIO TOAST 7 TITANIUM - LOCAL ROOT COMPROMISE ]

2006-08-23 Thread Propaganda Support

On Aug 22, 2006, at 3:22 PM, K F wrote:

> the admin users on OS X can NOT become root at any time.

Yes, they can.

> Um NO they can't. ANY is a pretty strong word.

I already demonstrated it in my original post.

> without the admin password an admin user can not become root.

I'm not sure why there is confusion here. By definition, an admin
user is a user with an admin name and password.

> I am physically sitting on a mac that I do not know the admin
> password to right now

Then you aren't an admin user. You're using someone else's admin
account. This is not simply arguing over semantics. These concepts
are well defined on Unix-based systems.

> Does it make a difference if it is someone that I DO trust?

Of course it makes a difference. Security has everything to do with
trust.

If your argument is based primarily on allowing others to have access
to an admin account which is not theirs (i.e., for which they do not
have the password), then you really don't have much of an argument.
In general, this is a VERY BAD IDEA, and is completely unnecessary on
a multi-user system like OS X.


Kind Regards,
-jeff

--
Jeff Holland
http://propagandaprod.com





[Full-disclosure] NETRAGARD-20060624 SECURITY ADVISORY] [ROXIO TOAST 7 TITANIUM - LOCAL ROOT COMPROMISE ]

2006-08-23 Thread Propaganda Support

Alex wrote:
> Making system() calls without a full path from a suid root binary
> is just asking for trouble.

Agreed. No argument.

> You should fix it.

I neglected to mention that I have. It will be released shortly.

Kind Regards,
-jeff

--
Jeff Holland
http://propagandaprod.com





Re: [Full-Disclosure] RE: Patching networks redux (fwd)

2006-08-23 Thread Brian Eaton

On 8/23/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Your time would be best spent figuring out what language will receive
> prominence after the likely inevitable collapse of the US hegemony into a
> fundamentalist dictatorship.  My bets are on Japanese, Mandarin, or
> Arabic.

I've been brushing up on Perl, but I guess the camel book doesn't quite count.

Regards,
Brian.



Re: [Full-disclosure] NETRAGARD-20060624 SECURITY ADVISORY] [ROXIO TOAST 7 TITANIUM - LOCAL ROOT COMPROMISE ]

2006-08-23 Thread K F

Propaganda Support wrote:

> Then you aren't an admin user. You're using someone else's admin
> account. This is not simply arguing over semantics. These concepts are
> well defined on Unix-based systems.

I must have missed that man page. I can't find the one that says if you
don't have the password for user X then you are not user X.

> If your argument is based primarily on allowing others to have access
> to an admin account which is not theirs (i.e., for which they do not
> have the password), then you really don't have much of an argument. In
> general, this is a VERY BAD IDEA, and is completely unnecessary on a
> multi-user system like OS X.

I assume you never considered that folks do gain access to people's
accounts from time to time... so just for the sake of argument say I
take advantage of the latest, let's say, Bluetooth bug in OSX that allows
me to obtain the privileges of the logged-in user. I have caught you
with your Bluetooth chip enabled and have managed to get a remote shell
on your computer while you are logged in as an admin-level user. I am
now an admin-level user regardless of having your password or not...
(sure I can rm your home dir but I can't add a user or do anything else
root level) By your understanding of an admin user it seems as if you
have absolutely NO problem with me as an attacker simply making myself
root at this point. You seem to hold no differentiation between someone
that has gid=admin and root regardless of whether they have a password or not.

I am guessing that you also do not see an issue in the behavior of not
re-locking the control panel item (like OSX does by default) as well?

-KF

> Kind Regards,
> -jeff
>
> --
> Jeff Holland
> http://propagandaprod.com





Re: [Full-Disclosure] RE: Patching networks redux (fwd)

2006-08-23 Thread teh kids

fu(k 7|-|3 y4|\|k5.

http://education.guardian.co.uk/tefl/story/0,,1355064,00.html
||
http://yaleglobal.yale.edu/display.article?id=4947

h0 h0 h0 h0

(0m3 b4(k n3tt3rs w3 10v3 j00

XxX



Re: [Full-disclosure] NETRAGARD-20060624 SECURITY ADVISORY] [ROXIO TOAST 7 TITANIUM - LOCAL ROOT COMPROMISE ]

2006-08-23 Thread daylasoul
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 23 Aug 2006 08:13:07 -0500 K F [EMAIL PROTECTED] wrote:
> Propaganda Support wrote:
>
> > Then you aren't an admin user. You're using someone else's admin
> > account. This is not simply arguing over semantics. These
> > concepts are well defined on Unix-based systems.
>
> I must have missed that man page. I can't find the one that says
> if you don't have the password for user X then you are not user X.
>
> > If your argument is based primarily on allowing others to have
> > access to an admin account which is not theirs (i.e., for which
> > they do not have the password), then you really don't have much
> > of an argument. In general, this is a VERY BAD IDEA, and is
> > completely unnecessary on a multi-user system like OS X.
>
> I assume you never considered that folks do gain access to people's
> accounts from time to time... so just for the sake of argument say I
> take advantage of the latest, let's say, Bluetooth bug in OSX that
> allows me to obtain the privileges of the logged-in user. I have
> caught you with your Bluetooth chip enabled and have managed to get
> a remote shell on your computer while you are logged in as an
> admin-level user. I am now an admin-level user regardless of having
> your password or not... (sure I can rm your home dir but I can't add
> a user or do anything else root level) By your understanding of an
> admin user it seems as if you have absolutely NO problem with me as
> an attacker simply making myself root at this point. You seem to
> hold no differentiation between someone that has gid=admin and root
> regardless of whether they have a password or not.
>
> I am guessing that you also do not see an issue in the behavior of
> not re-locking the control panel item (like OSX does by default) as
> well?
>
> -KF
>
> > Kind Regards,
> > -jeff
> >
> > --
> > Jeff Holland
> > http://propagandaprod.com

Please take off topic discussions off list per the list charter.
Thank you kf.
-BEGIN PGP SIGNATURE-
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkTsgFUACgkQ3AEcWsxdEQ7JowP/VFm1qPN+F5Fvy4gsDjlwOz0247Gn
NPLM5OFR1WfhoopfXgzAYlZ1awup2FNL7aR2EbZIzFtrkqVqKz4XcGOagThNGAbX37SN
fqyfi4cQC6ZpgPyRxhcons7/5yaixaFgKt6yC+mwlNr3P21krjKZoBedbyDsm+7cSXyo
t6stEFY=
=MIdf
-END PGP SIGNATURE-






[Full-disclosure] Cisco Security Advisory: Unintentional Password Modification in Cisco Firewall Products

2006-08-23 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Cisco Security Advisory: 
Unintentional Password Modification in Cisco Firewall Products

Document ID: 70811

Advisory ID: cisco-sa-20060823-firewall

http://www.cisco.com/warp/public/707/cisco-sa-20060823-firewall.shtml

Revision 1.0

For Public Release 2006 August 23 1600 UTC (GMT)

- ---

Contents


Summary
Affected Products
Details
Impact
Software Version and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- ---

Summary
===

Certain versions of the software for the Cisco PIX 500 Series Security
Appliances, the Cisco ASA 5500 Series Adaptive Security Appliances
(ASA), and the Firewall Services Module (FWSM) are affected by a
software bug that may cause the EXEC password, passwords of locally
defined usernames, and the enable password in the startup configuration
to be changed without user intervention.

Unauthorized users can take advantage of this bug to try to gain access
to a device that has been reloaded after passwords in its startup
configuration have been changed. In addition, authorized users can be
locked out and lose the ability to manage the affected device.

Cisco has made free software available to address this issue for
affected customers.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20060823-firewall.shtml.

Affected Products
=

Cisco PIX 500 Series Security Appliances, the Cisco ASA 5500 Series
Adaptive Security Appliances, and the Firewall Services Module (FWSM)
for the Cisco Catalyst 6500 Switches and Cisco 7600 Series Routers are
impacted if they are running an affected software version.

Vulnerable Products
+--

The PIX 500 Series Security Appliances and the ASA 5500 Series Adaptive
Security Appliances are affected when running any of the following
software versions:

  * Any version (including interim versions) in the 7.0(x) train up to
and including 7.0(5)
  * Any version (including interim versions) in the 7.1(x) train up to
and including 7.1(2.4)

The FWSM for the Cisco Catalyst 6500 Switches and Cisco 7600 Series
Routers is affected when running the following software version:

  * Any version (including interim versions) in the 3.1(x) train up to
and including 3.1(1.6)

Products Confirmed Not Vulnerable
+

The PIX 500 Series Security Appliances and the ASA 5500 Series Adaptive
Security Appliances are not affected when running any of the following
software versions:

  * Any pre-7.x version (PIX only since the ASA does not run pre-7.x
code)
  * 7.2(1) and later

The FWSM for the Cisco Catalyst 6500 Switches and Cisco 7600 Series
Routers is not affected when running any of the following software
versions:

  * Any 1.x and 2.x version
  * 3.1(2) and later

No other Cisco products are currently known to be affected by this
issue.

Details
===

The Cisco PIX 500 Series Security Appliances, the Cisco ASA 5500 Series
Adaptive Security Appliances, and the Firewall Services Module (FWSM)
for the Cisco Catalyst 6500 Switches and Cisco 7600 Series Routers are
part of Cisco's security portfolio. All of these products offer
firewall services with stateful packet filtering and deep packet
inspection. The PIX and ASA devices also offer other services like
Virtual Private Networking (VPN), Content Filtering, and Intrusion
Prevention.

On these devices, authentication for both EXEC mode and enable mode can
be performed based on Authentication, Authorization, and Accounting
(AAA) methods (Remote Authentication Dial-In User Service [RADIUS],
Terminal Access Controller Access Control System Plus [TACACS+], or
LOCAL). If a device does not have any AAA method (i.e., RADIUS,
TACACS+, or LOCAL) configured, authentication for EXEC mode is
performed using the password configured with the passwd command, and
authentication for enable mode is performed using the password
configured with the enable password command.

A software bug exists in certain versions of the software used by these
devices that may cause, under some circumstances, the EXEC password,
passwords of locally defined users, and the enable password that are
stored in the startup configuration to be changed without user
intervention. The startup configuration is stored in a non-volatile
medium such as flash memory.

The affected passwords are set using the following configuration
commands:

  * passwd - configures the EXEC password. For example:

pix(config)# passwd x


  * username - configures local users and their associated passwords.
For example:

pix(config)# username admin password 


  * enable password - configures the password

[Full-disclosure] Cisco Security Advisory: Cisco VPN 3000 Concentrator FTP Management Vulnerabilities

2006-08-23 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Cisco Security Advisory: 
Cisco VPN 3000 Concentrator FTP Management Vulnerabilities

Document ID: 71141

Advisory ID: cisco-sa-20060823-vpn3k

http://www.cisco.com/warp/public/707/cisco-sa-20060823-vpn3k.shtml

Revision 1.0

For Public Release 2006 August 23 1600 UTC (GMT)

- ---

Contents


Summary
Affected Products
Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- ---

Summary
===

The Cisco VPN 3000 series concentrators are affected by two
vulnerabilities when file management via File Transfer Protocol (FTP)
is enabled that could allow authenticated or unauthenticated attackers
to execute certain FTP commands and delete files on the concentrator.

None of the vulnerabilities allows unauthorized users to transfer files
from or to the concentrator.

Cisco has made free software available to address these vulnerabilities
for affected customers. There are workarounds available to mitigate
these vulnerabilities as well.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20060823-vpn3k.shtml.

Affected Products
=

Vulnerable Products
+--

Cisco VPN 3000 series concentrators 3005, 3015, 3020, 3030, 3060, and
the 3080 are affected by these vulnerabilities if they are running a
vulnerable software version and if the concentrator is configured to
use FTP as a management protocol. FTP as a management protocol is
enabled by default.

Vulnerable software versions are:

  * Any version prior to 4.1
  * Any 4.1.x version up to and including 4.1(7)L
  * Any 4.7.x version up to and including 4.7(2)F

There are two ways to determine whether the FTP protocol is enabled as
a file management protocol: using the web Graphical User Interface
(GUI), or using a Command-Line Interface (CLI) via a console, telnet,
or Secure Shell (SSH) connection.

To use the GUI to determine whether the FTP protocol is enabled as a
file management protocol, connect to the web administration interface
of the concentrator via the URL:

https://<IP address of concentrator>/admin/

Then log in to the concentrator using the device administrator
credentials and go to the screen Configuration | System | Management
Protocols | FTP. This screen will indicate whether the FTP server on
the concentrator is enabled.

To accomplish the same thing using the CLI, log in to the concentrator
using the chosen access method (console, Telnet or SSH) and go to the
same screen (Configuration -> System Management -> Management
Protocols -> Configure FTP). The prompt will indicate with a number
whether the FTP server is enabled.

Products Confirmed Not Vulnerable
+

The Cisco VPN 3002 Hardware Client is not affected by these
vulnerabilities.

Please note that Cisco VPN 3000 Series concentrators are not affected
by these vulnerabilities if FTP is not configured as a management
protocol.

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
===

The Cisco VPN 3000 series concentrators are a family of purpose-built,
remote access Virtual Private Network (VPN) platforms for data
encryption and authentication.

The File Transfer Protocol is an application-layer protocol that allows
transfer of files between TCP/IP hosts. It uses Transmission Control
Protocol (TCP) as the transport protocol and supports user
authentication.

The Cisco VPN 3000 series concentrators can be configured to use the
FTP protocol to manage files stored on the concentrator, like
configuration files and certificates. Files can be uploaded to, or
downloaded from, the concentrator for backup and configuration
purposes.

Two vulnerabilities affect the Cisco VPN 3000 series concentrators when
FTP is enabled as a file management protocol. By exploiting these
vulnerabilities, an attacker could execute the following FTP commands:

  * CWD - Change working directory
  * MKD - Create (make) a directory
  * CDUP - Change directory to the directory one level up
  * RNFR - Rename file
  * SIZE - Get file size
  * RMD - Remove directory

These vulnerabilities are documented in Cisco Bug IDs CSCse10733 
and CSCse10753.

None of these vulnerabilities allows unauthorized users to download or
upload files from/to the concentrator.

Impact
==

Successful exploitation of these vulnerabilities may allow an attacker
to:

  * Perform network reconnaissance via the CWD, CDUP, and SIZE FTP
commands.
  * Change the configuration of the concentrator by renaming or
deleting configuration and certificate files via the RNFR and RMD
FTP commands.

Please note that since none

[Full-disclosure] IBM to buy ISS

2006-08-23 Thread Mike Owen

Sounds like IBM is going to buy out ISS. Having too much experience in
dealing with IBM contractors and support, I don't think this is a good
thing for ISS or their customers.

http://www.iss.net/about/press_center/releases/us_ibm_08233006.html



[Full-disclosure] [MU-200608-01] Multiple Vulnerabilities in Asterisk 1.2.10

2006-08-23 Thread noreply
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Multiple Vulnerabilities in Asterisk 1.2.10 [MU-200608-01]
August 23, 2006

http://labs.musecurity.com/advisories.html

Affected Product/Versions:

Asterisk 1.0.0 through 1.2.10

Product Overview:

http://www.asterisk.org/features

Asterisk-based telephony solutions offer a rich and flexible feature set.
Asterisk offers both classical PBX functionality and advanced features, and
interoperates with traditional standards-based telephony systems and Voice
over IP systems.  Asterisk offers the features one would expect of a large
proprietary PBX system such as Voicemail, Conference Bridging, Call Queuing,
and Call Detail Records.

Vulnerability Details:

A remote stack buffer overflow condition in Asterisk's MGCP implementation
could allow for arbitrary code execution.  The vulnerable code is triggered
with the use of a malformed AUEP (audit endpoint) response message.

A second issue exists in the handling of file names sent to the Record()
application which could lead to arbitrary code execution via a format string
attack or arbitrary file-overwrite via directory traversal techniques.  The
impact of this vulnerability is minimal, however, as it requires an
administrator to use a client-controlled variable as part of the filename.

Solution:

Mu Security would like to thank the Asterisk security team for their
timely response to these issues.

A patch for the buffer overflow is available from the following link:
http://ftp.digium.com/pub/asterisk/asterisk-1.2.11-patch.gz

To protect against the Record() vulnerability, do not use user-controlled
variables (e.g., ${CALLERIDNAME}) as part of the filename argument.

History:
08/10/06 - First contact with vendor
08/16/06 - Vendor acknowledges vulnerability
08/23/06 - Advisory released

Credit:

These vulnerabilities were discovered by the Mu Security research team.

http://labs.musecurity.com/pgpkkey.txt

Mu Security offers a new class of security analysis system, delivering a
rigorous and streamlined methodology for verifying the robustness and security
readiness of any IP-based product or application. Founded by the pioneers of
intrusion detection and prevention technology, Mu Security is backed by
preeminent venture capital firms that include Accel Partners, Benchmark
Capital and DAG Ventures. The company is headquartered in Sunnyvale, CA. For
more information, visit the company's website at http://www.musecurity.com.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (Darwin)

iD8DBQFE7JuPMl+docYeP+YRAg7aAJ978dkk09dDG2P/CNRJkk3gWcMSAQCfXud0
ActeX5hrO9+B9rJzefxRkis=
=OXvK
-END PGP SIGNATURE-



Re: [Full-disclosure] full dis explicit content no good full disimportant reason

2006-08-23 Thread Rob Thompson

On 8/18/06, ... [EMAIL PROTECTED] wrote:
> i personally do not agree on this one...
> porno is definitely good.


While pr0n is great, it isn't great to have that rubbish pop up on
your screen while you're _AT WORK_!!!  If I wanted to look at a
pussycat's fagina (no, I did the spelling on purpose) I would not do
it at work.  I kind of need my job, as I am sure many others here do
as well.  Full Disclosure is a great resource for my job and I count
and rely on it.  But that kind of crap is the kind of crap that can
make me have to get out onto a public bus, shaking a tin can, singing
the I have no legs... song.  I would rather not have things come to
that.

snip

--
Rob



[Full-disclosure] New malware names and updates to PowerPoint FAQ document

2006-08-23 Thread Juha-Matti Laurio

Several names of the related Trojan and dropper have been added to the Microsoft PowerPoint
Vulnerability FAQ - August 2006, CVE-2006-4274 document today.

Changes to the document have been made too:
It is known that the Trojan
-generates a hidden iexplore.exe process,
-executes as a thread of the process mentioned,
-connects to Web sites at [removed].com.tw and 61.218.[removed].

Additionally, the specific vulnerability of the MS06-012 update is the Malformed
Routing Slip Vulnerability, CVE-2006-0009:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0009

It appears that the vulnerable file used is Msroute.dll, which is not part of the
Office 2003 installation.

Link to the FAQ:
http://blogs.securiteam.com/?p=559

- Juha-Matti



[Full-disclosure] [ GLSA 200608-21 ] Heimdal: Multiple local privilege escalation vulnerabilities

2006-08-23 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200608-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Heimdal: Multiple local privilege escalation vulnerabilities
      Date: August 23, 2006
      Bugs: #143371
        ID: 200608-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Certain Heimdal components, ftpd and rcp, are vulnerable to a local
privilege escalation.

Background
==

Heimdal is a free implementation of Kerberos 5.

Affected packages
=

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  app-crypt/heimdal         < 0.7.2-r3                  >= 0.7.2-r3

Description
===

The ftpd and rcp applications provided by Heimdal fail to check the
return value of calls to seteuid().
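Heimdal's own ftpd and rcp sources are not on the page. The following is an added C example, not Heimdal code, of the pattern the advisory describes: a privilege switch whose result is ignored. `seteuid` is passed in as a function pointer so that a constructed stand-in (`failing_seteuid`, which always fails with EPERM) can exercise the failure path deterministically without running as root. When the call that should switch identity fails and the return value is discarded, the operation simply runs under whatever identity the process already had; the checked variant refuses instead. All function names here are this example's own.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*seteuid_fn)(uid_t);

/* Constructed stand-in for seteuid() that always fails with EPERM, so the
   failure path can be exercised deterministically without running as root. */
static int failing_seteuid(uid_t uid) {
    (void)uid;
    errno = EPERM;
    return -1;
}

/* Sample operation meant to run under the switched identity: reports the
   effective uid it actually ran with. */
static int report_euid(void) {
    return (int)geteuid();
}

/* The pattern the advisory describes: the return value of seteuid() is
   discarded, so `op` runs with whatever identity the process actually has,
   which after a failed switch is the identity it had before (e.g. root). */
static int run_as_user_unchecked(seteuid_fn set_euid, uid_t target, int (*op)(void)) {
    set_euid(target);
    return op();
}

/* Hardened form: a failed seteuid() aborts the operation instead of letting
   it run with the wrong privileges. Returns -1 on failure, else op()'s result. */
static int run_as_user_checked(seteuid_fn set_euid, uid_t target, int (*op)(void)) {
    if (set_euid(target) != 0) {
        fprintf(stderr, "seteuid(%ld) failed: %s; refusing to continue\n",
                (long)target, strerror(errno));
        return -1;
    }
    /* Belt and braces: confirm the switch actually took effect. */
    if (geteuid() != target) {
        fprintf(stderr, "effective uid is %ld, expected %ld\n",
                (long)geteuid(), (long)target);
        return -1;
    }
    return op();
}

int main(void) {
    /* 65534 is a constructed target uid; the stand-in fails regardless. */
    printf("unchecked, switch fails: op ran as euid %d\n",
           run_as_user_unchecked(failing_seteuid, 65534, report_euid));
    printf("checked, switch fails:   %d (operation refused)\n",
           run_as_user_checked(failing_seteuid, 65534, report_euid));
    return 0;
}
```

The injected function pointer is only there to make the failure reproducible in a test; in production code the same check applies to the real `seteuid()`, `setuid()` and `setgid()` calls, and the safe response to a failed switch in a set-uid program is to abort the request rather than carry on.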

Impact
==

A local attacker could exploit this vulnerability to execute arbitrary
code with elevated privileges.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Heimdal users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-crypt/heimdal-0.7.2-r3

References
==

  [ 1 ] Official advisory
http://www.pdc.kth.se/heimdal/advisory/2006-08-08/
  [ 2 ] CVE-2006-3083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3083
  [ 3 ] CVE-2006-3084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3084

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200608-21.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ GLSA 200608-22 ] fbida: Arbitrary command execution

2006-08-23 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200608-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: fbida: Arbitrary command execution
      Date: August 23, 2006
      Bugs: #141684
        ID: 200608-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The fbgs script provided by fbida allows the execution of arbitrary
code.

Background
==

fbida is a collection of image viewers and editors for the framebuffer
console and X11. fbgs is a PostScript and PDF viewer for the Linux
framebuffer console.

Affected packages
=

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  media-gfx/fbida            < 2.03-r4                    >= 2.03-r4

Description
===

Toth Andras has discovered a typographic mistake in the fbgs script,
shipped with fbida if the fbcon and pdf USE flags are both enabled.
This script runs gs without the -dSAFER option, thus allowing a
PostScript file to execute, delete or create any kind of file on the
system.

Impact
==

A remote attacker can entice a vulnerable user to view a malicious
PostScript or PDF file with fbgs, which may result in the execution
of arbitrary code.

Workaround
==

There is no known workaround at this time.

Resolution
==

All fbida users with the fbcon and pdf USE flags both enabled
should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =media-gfx/fbida-2.03-r4

References
==

  [ 1 ] CVE-2006-3119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3119

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200608-22.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

