[Full-disclosure] RE: Cisco IOS GRE issue
Hello,

This is a Cisco response to an advisory published by FX of Phenoelit posted as of September 06, 2006 at http://www.securityfocus.com/archive/1/445322/30/0/threaded, and entitled "Cisco Systems IOS GRE decapsulation fault".

An official response is located at:
http://www.cisco.com/warp/public/707/cisco-sr-20060906-gre.shtml

This issue is being tracked by the following Cisco bug IDs:

* CSCuk27655 -- GRE: make implementation RFC 2784 and RFC 2890 compliant
* CSCea22552 -- GRE: implementation of Reserved0 field not RFC2784 compliant
* CSCei62762 -- GRE: IP GRE Tunnel with Routing Present Bit not dropped

We would like to thank FX from Phenoelit for reporting this issue to Cisco. We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.

Additional Information
======================

Generic Routing Encapsulation (GRE) is a generic packet encapsulation protocol. GRE is documented in RFC1701 and RFC2784.

Vulnerable Products
-------------------

* Cisco IOS 12.0, 12.1 and 12.2 based trains
* All devices running affected versions of Cisco IOS software and configured with GRE IP or GRE IP multipoint tunnels.

Products not affected by this vulnerability
-------------------------------------------

* Cisco IOS 12.3 and 12.4.
* Cisco IOS 12.0S release train, with a revision later than 12.0(23)S, with CEF enabled (default behaviour)

In RFC1701, the GRE Header field (described in RFC2784 as Reserved0) contains a number of flag bits which RFC2784 deprecates. In particular, the Routing Present and Strict Source Route bits along with the Routing Information fields have been deprecated. All versions of Cisco IOS software that support RFC2784 will not be affected by this vulnerability, as any packet where any of the bits 1-5 are non-zero will be discarded.

Cisco IOS versions that contain ANY of the following three fixes are RFC2784 compliant and are not affected by this vulnerability:

* CSCuk27655 -- GRE: make implementation RFC 2784 and RFC 2890 compliant
* CSCea22552 -- GRE: implementation of Reserved0 field not RFC2784 compliant
* CSCei62762 -- GRE: IP GRE Tunnel with Routing Present Bit not dropped

Vulnerability Impact Overview
-----------------------------

Upon receiving a specially crafted GRE packet, depending on the data within a specific packet memory location, the GRE code will decapsulate a packet using the contents of referenced memory buffers. With "debug tunnel" enabled, output similar to that shown below will be produced:

GRE decapsulated IP 0.3.74.0-0.0.1.30 (len=65407, ttl=39)
GRE decapsulated IP 176.94.8.0-0.0.0.0 (len=64904, ttl=0)
GRE decapsulated IP 0.15.31.193-176.94.8.0 (len=64894, ttl=237)
GRE decapsulated IP 128.42.131.220-128.0.3.74 (len=64884, ttl=128)

Only if the referenced memory buffer data decapsulates to a valid IPv4 packet will this packet be forwarded. Invalid IPv4 packets will be dropped at the router. This potentially could be used to bypass ACLs on the router.

Workarounds and Mitigations
===========================

The following workaround is applicable to 12.0S based trains only:

* Cisco Express Forwarding (CEF)

  If running the Cisco IOS 12.0S release train, with a revision later than 12.0(23)S, having CEF enabled will mitigate this vulnerability. CEF is enabled by default for 12.0S releases. To check the status of CEF on the router issue the CLI command "sh ip cef" or "sh ip cef interface".

  Refer to:
  http://www.ciscosystems.ro/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_c/swprt1/xcfcefc.htm
  for further information on CEF.

The following mitigations may be applied to vulnerable Cisco IOS versions:

* Anti-spoofing mechanisms of the tunnel source and destination end points.

  Refer to:
  http://www.cisco.com/warp/public/707/21.html#sec_ip
  and
  http://www.ietf.org/rfc/rfc2827.txt
  for further information on deploying anti-spoofing mechanisms.

* Encrypt the GRE tunnel with IPSec.

  Refer to:
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123tcr/123tir/int_t1gt.htm#wp1161892
  for further information.

Regards

Paul Oxman
Cisco Systems PSIRT

- -----Original Message-----
From: FX [mailto:[EMAIL PROTECTED]
Sent: Thursday, 7 September 2006 12:34 AM
To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Cisco IOS GRE issue

Phenoelit Advisory wir-haben-auch-mal-was-gefunden #0815

[ Title ]
Cisco Systems IOS GRE decapsulation fault

[ Authors ]
FX [EMAIL PROTECTED]
Phenoelit Group (http://www.phenoelit.de)
Advisory: http://www.phenoelit.de/stuff/CiscoGRE.txt

[ Affected Products ]
Cisco IOS
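The Cisco response above says that an RFC2784-compliant receiver discards any GRE packet whose header bits 1-5 are non-zero (the RFC1701 Routing Present and Strict Source Route fields), and that the risk was garbage being decapsulated and forwarded as an IPv4 packet. The following is an added Python example, not code from Cisco or Phenoelit, of that receiver-side check: it parses the 4-byte GRE header by RFC bit numbering, rejects the deprecated bits (optionally honouring only the RFC2890 Key and Sequence Number bits), skips the optional fields, and sanity-checks the inner IPv4 header before anything is forwarded. The sample packets are constructed for the demonstration, not captures.

```python
import struct

# RFC 2784 GRE header: C (bit 0) | Reserved0 (bits 1-12) | Ver (bits 13-15) | Protocol Type (16 bits).
# RFC bit numbering counts from the most significant bit, so bit n is mask 1 << (15 - n).
GRE_FLAG_C = 1 << 15                                        # bit 0: Checksum Present
GRE_BITS_1_TO_5 = sum(1 << (15 - n) for n in range(1, 6))   # 0x7C00: R, K, S, s and first Recur bit of RFC 1701
GRE_RFC2890_K = 1 << 13                                     # bit 2: Key Present (RFC 2890)
GRE_RFC2890_S = 1 << 12                                     # bit 3: Sequence Number Present (RFC 2890)
GRE_VER_MASK = 0x0007                                       # bits 13-15: must be 0
ETHERTYPE_IPV4 = 0x0800


def classify_gre(packet: bytes, allow_rfc2890: bool = False):
    """Decide whether a GRE packet may be decapsulated.

    Returns (accept, reason, inner_payload). Under RFC 2784 any packet with
    bits 1-5 non-zero is discarded; with allow_rfc2890=True the Key and
    Sequence Number bits (and their 4-byte fields) are honoured instead.
    The inner IPv4 header is sanity-checked so that garbage is never forwarded.
    """
    if len(packet) < 4:
        return False, "truncated GRE header", b""
    flags_ver, proto = struct.unpack("!HH", packet[:4])

    forbidden = GRE_BITS_1_TO_5
    if allow_rfc2890:
        forbidden &= ~(GRE_RFC2890_K | GRE_RFC2890_S)
    if flags_ver & forbidden:
        # Routing Present / Strict Source Route (RFC 1701) live here: discard.
        return False, "reserved bits 1-5 set, discard (RFC 2784 Reserved0 rule)", b""
    if flags_ver & GRE_VER_MASK:
        return False, "GRE version must be 0", b""

    offset = 4
    if flags_ver & GRE_FLAG_C:
        offset += 4                                    # Checksum + Reserved1
    if allow_rfc2890 and flags_ver & GRE_RFC2890_K:
        offset += 4                                    # Key
    if allow_rfc2890 and flags_ver & GRE_RFC2890_S:
        offset += 4                                    # Sequence Number
    if len(packet) < offset:
        return False, "optional fields extend past end of packet", b""

    payload = packet[offset:]
    if proto != ETHERTYPE_IPV4:
        return True, "non-IPv4 payload, not inspected here", payload
    # Inner IPv4 header: version nibble 4, IHL >= 5, total length inside the buffer.
    if len(payload) < 20 or payload[0] >> 4 != 4 or (payload[0] & 0x0F) < 5:
        return False, "inner IPv4 header malformed", payload
    total_len = struct.unpack("!H", payload[2:4])[0]
    if total_len < 20 or total_len > len(payload):
        return False, "inner IPv4 total length inconsistent with packet", payload
    return True, "ok", payload


def _ipv4_stub() -> bytes:
    """Constructed minimal IPv4 header (20 bytes, no options): 10.0.0.1 -> 10.0.0.2."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 47, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


# Constructed sample packets (not captures from the advisory).
SAMPLE_PLAIN = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) + _ipv4_stub()
SAMPLE_CHECKSUM = struct.pack("!HH", GRE_FLAG_C, ETHERTYPE_IPV4) + b"\x00" * 4 + _ipv4_stub()
SAMPLE_ROUTING = struct.pack("!HH", 1 << 14, ETHERTYPE_IPV4) + _ipv4_stub()      # bit 1: Routing Present
SAMPLE_KEYED = struct.pack("!HH", GRE_RFC2890_K, ETHERTYPE_IPV4) + b"\x00\x00\x00\x01" + _ipv4_stub()
SAMPLE_BAD_VERSION = struct.pack("!HH", 0x0001, ETHERTYPE_IPV4) + _ipv4_stub()
SAMPLE_BAD_INNER = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) + _ipv4_stub()[:10]

if __name__ == "__main__":
    for name, pkt in [("plain", SAMPLE_PLAIN), ("checksum", SAMPLE_CHECKSUM),
                      ("routing-bit", SAMPLE_ROUTING), ("keyed", SAMPLE_KEYED),
                      ("bad-version", SAMPLE_BAD_VERSION), ("bad-inner", SAMPLE_BAD_INNER)]:
        accept, reason, _ = classify_gre(pkt)
        print(f"{name:12s} accept={accept} ({reason})")
```

The same mask check is what a packet filter or IDS rule would apply at the tunnel endpoint: a GRE header with any of bits 1-5 set is never legitimate on an RFC2784 tunnel, so it can be dropped or alerted on before decapsulation.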
[Full-disclosure] Orkut URL Redirection Vulnerability
Hi All,

I have found a URL redirection vulnerability on www.orkut.com. If a user clicks on a malicious link he/she will be redirected to an attacker's website. The attacker can capture the valid username and password and then redirect the user to the original orkut website.

Proof Of Concept:

Original Link:
https://www.orkut.com/GLogin.aspx?done=http%3A%2F%2Fwww.orkut.com%2F

Maliciously Crafted Link:
https://www.orkut.com/GLogin.aspx?done=http%3A%2F%2Fattackers_website.com

--
Kishor Sonawane
[EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
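The post above shows a login page that redirects to whatever the "done" query parameter says. The usual fix is to treat that parameter as untrusted and only follow it when it resolves to an allow-listed host, falling back to a fixed default otherwise. The following is an added Python example of such a check, not code from orkut or from the poster; the allow-list, the default target and the parameter name "done" are assumptions taken from the URLs in the post, and the hardening cases (scheme-relative "//host", userinfo tricks, non-http schemes, control characters) go beyond the single case the post shows.

```python
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed allow-list for the example: the only hosts a post-login redirect may land on.
ALLOWED_HOSTS = {"www.orkut.com", "orkut.com"}
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_TARGET = "https://www.orkut.com/"


def safe_redirect_target(done: str, default: str = DEFAULT_TARGET) -> str:
    """Return `done` only when it is a same-site target; otherwise the default."""
    if not done:
        return default
    # Control characters and backslashes: some browsers normalise them in ways
    # that turn a same-site looking string into an off-site navigation.
    if any(ord(c) < 0x20 for c in done) or "\\" in done:
        return default
    parsed = urlparse(done)
    if parsed.scheme == "" and parsed.netloc == "":
        # A relative path stays on our origin. "//host/..." has a netloc and is
        # therefore *not* handled here, so it falls through to the host check.
        if done.startswith("/"):
            return urljoin(default, done)
        return default
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return default                      # javascript:, data:, ftp:, ...
    if parsed.username or parsed.password:
        return default                      # http://www.orkut.com@attacker/ style tricks
    if (parsed.hostname or "").lower() not in ALLOWED_HOSTS:
        return default
    return done


def target_from_login_url(login_url: str) -> str:
    """Extract the `done` parameter from a login URL and validate it."""
    query = parse_qs(urlparse(login_url).query)
    return safe_redirect_target(query.get("done", [""])[0])


if __name__ == "__main__":
    for url in (
        "https://www.orkut.com/GLogin.aspx?done=http%3A%2F%2Fwww.orkut.com%2F",
        "https://www.orkut.com/GLogin.aspx?done=http%3A%2F%2Fattackers_website.com",
    ):
        print(url, "->", target_from_login_url(url))
```

Note that the check is on the parsed hostname, not on a substring match: "www.orkut.com.attackers_website.com" and "attackers_website.com/www.orkut.com" both fail it. Storing the intended destination server-side (and passing only an opaque token in the URL) removes the problem entirely.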
[Full-disclosure] SECURITY.NNOV: Panda Platinum Internet Security privilege escalation / bayesian filter control security vulnerabilities
Noise:

We have more and more applications to secure our networks. Does it mean networks become more and more secure? No, there is a limit. Because _any_ application has vulnerabilities. For in much security is much grief: and he that increaseth code increaseth bugs [1].

Title:    Panda Platinum Internet Security 2006/2007 privilege escalation and bayesian filter control security vulnerabilities
Author:   3APA3A [EMAIL PROTECTED] http://www.security.nnov.ru/
Vendor:   Panda Software
Product:  Panda Platinum Internet Security 2006 10.02.01
          Panda Platinum Internet Security 2007 11.00.00
          Panda Antivirus was not tested
Category: 1. Local, privilege escalation (insecure file permissions)
          2. Remote, against client (bayesian filter control)
Rating:   High (privilege escalation)
          Low (bayesian filter control)
Advisory: http://www.security.nnov.ru/advisories/pandais.asp

Intro:

Panda Platinum Internet Security 2006/2007 is an Internet security suite (Antivirus, Personal Firewall, Antispam) from Panda Software.

Vulnerability:

1. Insecure file permissions allow an unprivileged local user to obtain system-level access or access to the account of another logged-on user.

2. Insecure design of the SPAM filtering control engine allows a remote attacker to control the bayesian self-learning SPAM filtering process from a malicious Web page.

Details:

1. During installation of Panda Platinum Internet Security 2006/2007, permissions for the installation folder %ProgramFiles%\Panda Software\Panda Platinum 2006 Internet Security\ or %ProgramFiles%\Panda Software\Panda Platinum 2007 Internet Security\ are by default set to Everyone:Full Control without any warning. A few services (e.g. WebProxy.exe for Platinum 2006 or PAVSRV51.EXE for Platinum 2007) are started from this folder. Services are started under the LocalSystem account. There is no protection of service files. It's possible for an unprivileged user to replace a service executable with a file of his choice to get full access with LocalSystem privileges, or to get the privileges of any user (including the system administrator) who logs on to the vulnerable host. This can be exploited as easily as:

   a. Rename WebProxy.exe (for Platinum 2006, or another service for Platinum 2007, because under 2007 WebProxy.exe is not executed as a service) to WebProxy.old in the Panda folder
   b. Copy any application to WebProxy.exe
   c. Reboot

   Upon reboot the trojaned application will be executed with the LocalSystem account.

2. To manage SPAM filtering for messages received with POP3, Panda starts a Web server on the interface 127.0.0.1 with port 6083 and adds text like

   ---
   Text inserted by Platinum 2007: This message has NOT been classified as spam. If it is unsolicited mail (spam), click on the following link to reclassify it: http://127.0.0.1:6083/Panda?ID=pav_8SPAM=true
   ---

   By clicking the link the user can classify a message as spam or not. The ID=pav_XXX parameter contains the ID of the message, where XXX is the sequential message number. On reply, this message is not filtered or erased. First, it leaks information about the correspondence flow the user has. Second, it's possible for a malicious Web page to use something like

   [IMG SRC=http://127.0.0.1:6083/Panda?ID=pav_8SPAM=true;]
   [IMG SRC=http://127.0.0.1:6083/Panda?ID=pav_9SPAM=true;]
   [IMG SRC=http://127.0.0.1:6083/Panda?ID=pav_10SPAM=true;]

   It will cause incorrect message classification as SPAM and will lead to unpredictable filter behavior. There is no way to flush the bayesian filter state.

Vendor:

11.08.2006 Panda Software was contacted via [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
15.08.2006 [EMAIL PROTECTED] (Panda Software Russia) was contacted in Russian
16.08.2006 Response from Panda Software Russia
16.08.2006 Additional details sent to Panda Software Russia
17.08.2006 Panda Software launches Panda Internet Security 2007 which suffers from the same vulnerabilities

References:

1. Ecc 1:18

--
http://www.security.nnov.ru
ZARAZA / 3APA3A
You know my name - look up my number (The Beatles)
Re: [Full-disclosure] Orkut URL Redirection Vulnerability
Did you notify orkut?

keyshor wrote:
> Hi All,
>
> I have found url redirection vulnerability on www.orkut.com. If a user clicks on a malicious link he/she will redirect to an attackers website. The attacker can capture the valid username,password and then redirect a user to original orkut website.
>
> Proof Of Concept:
>
> Original Link:
> https://www.orkut.com/GLogin.aspx?done=http%3A%2F%2Fwww.orkut.com%2F
>
> Maliciously Crafted Link:
> https://www.orkut.com/GLogin.aspx?done=http%3A%2F%2Fattackers_website.com
>
> --
> Kishor Sonawane
> [EMAIL PROTECTED]

- --
Regards,
Adriel T. Desautels
SNOsoft Research Team
Office: 617-924-4510 || Mobile : 857-636-8882
-- Vulnerability Research and Exploit Development
[Full-disclosure] [USN-342-1] PHP vulnerabilities
===========================================================
Ubuntu Security Notice USN-342-1           September 07, 2006
php4, php5 vulnerabilities
CVE-2006-4020, CVE-2006-4481, CVE-2006-4482, CVE-2006-4484
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.04:
  libapache2-mod-php4   4:4.3.10-10ubuntu4.7
  php4-cgi              4:4.3.10-10ubuntu4.7
  php4-cli              4:4.3.10-10ubuntu4.7

Ubuntu 5.10:
  libapache2-mod-php5   5.0.5-2ubuntu1.4
  php5-cgi              5.0.5-2ubuntu1.4
  php5-cli              5.0.5-2ubuntu1.4
  php5-curl             5.0.5-2ubuntu1.4

Ubuntu 6.06 LTS:
  libapache2-mod-php5   5.1.2-1ubuntu3.2
  php5-cgi              5.1.2-1ubuntu3.2
  php5-cli              5.1.2-1ubuntu3.2
  php5-curl             5.1.2-1ubuntu3.2

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

The sscanf() function did not properly check array boundaries. In applications which use sscanf() with argument swapping, a remote attacker could potentially exploit this to crash the affected web application or even execute arbitrary code with the application's privileges. (CVE-2006-4020)

The file_exists() and imap_reopen() functions did not perform proper open_basedir and safe_mode checks which could allow local scripts to bypass intended restrictions. (CVE-2006-4481)

On 64 bit systems the str_repeat() and wordwrap() functions did not properly check buffer boundaries. Depending on the application, this could potentially be exploited to execute arbitrary code with the applications' privileges. This only affects the amd64 and sparc platforms. (CVE-2006-4482)

A buffer overflow was discovered in the LWZReadByte_() function of the GIF image file parser. By tricking a PHP application into processing a specially crafted GIF image, a remote attacker could exploit this to execute arbitrary code with the application's privileges. (CVE-2006-4484)

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.10-10ubuntu4.7.diff.gz
      Size/MD5:   284126 0abdbfaeed1f2c13a2b7d66318f8703e
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.10-10ubuntu4.7.dsc
      Size/MD5:     1469 d060d1a71470dc0d1f0f54fe7b9f836d
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.10.orig.tar.gz
      Size/MD5:  4892209 73f5d1f42e34efa534a09c6091b5a21e

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.10-10ubuntu4.7_all.deb
      Size/MD5:     1124 c51c049492e127ade6ec92dec791

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.10-10ubuntu4.7_amd64.deb
      Size/MD5:  1657512 98172a9808c72714a7c8ad832fdc82b0
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cgi_4.3.10-10ubuntu4.7_amd64.deb
      Size/MD5:  3275218 bb27229bdc5a1179a0c1ecc549e5b461
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cli_4.3.10-10ubuntu4.7_amd64.deb
      Size/MD5:  1647578 cb7a09583ae5c004b5ff7defe600adec
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-common_4.3.10-10ubuntu4.7_amd64.deb
      Size/MD5:   168454 a37eeae412e43bf6c9eda82ee20c70bb
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-dev_4.3.10-10ubuntu4.7_amd64.deb
      Size/MD5:   348246 e7d0e27e3a31610a5c0bc1c9b3e2ca2e

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.10-10ubuntu4.7_i386.deb
      Size/MD5:  1592874 3bf1f15c699a11ab5279808aa524bc70
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cgi_4.3.10-10ubuntu4.7_i386.deb
      Size/MD5:  3170090 7d826eb3a251de6595e0008e3d3bb55f
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cli_4.3.10-10ubuntu4.7_i386.deb
      Size/MD5:  1592906 2cf679da9f5c2835bda27c8729298f28
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-common_4.3.10-10ubuntu4.7_i386.deb
      Size/MD5:   168450 245550bad855327f4c004b2708a1568f
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-dev_4.3.10-10ubuntu4.7_i386.deb
      Size/MD5:   348246 091cc5ce8e015e9346140bd4bbfca1ae

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.10-10ubuntu4.7_powerpc.deb
      Size/MD5:  1658826 f4827b80ee504110f0ec0865f9a985fc
[Full-disclosure] release uhooker v1.2
uhooker v1.2 out.

What's new?:   http://oss.coresecurity.com/uhooker/release/1.2/WHATSNEW_1.2.txt
gzip'd tarball: http://oss.coresecurity.com/uhooker/release/1.2/uhooker_v1.2.tgz
zip file:       http://oss.coresecurity.com/uhooker/release/1.2/uhooker_v1.2.zip
documentation:  http://oss.coresecurity.com/uhooker/doc/index.html

What is uhooker?

The Universal Hooker is a tool to intercept execution of programs. It enables the user to intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory.

Why is it 'Universal'?

There are different ways of hooking functions in a program; for example, it can be done by setting software breakpoints (int 3h), hardware breakpoints (cpu regs), or overwriting the prologue of a function to jump to a 'stub', etc. All the methods mentioned above, especially the latter, require the programmer of the code creating the hook to have certain knowledge of the function it is intercepting. If the code is written in a programming language like C/C++, the code will normally need to be recompiled for every function one wants to intercept, etc.

The Universal Hooker tries to create very simple abstractions that allow a user of the tool to write hooks for different API and non-API functions using an interpreted language (python), without the need to compile anything, and with the possibility of changing the code that gets executed when the hooked function is called at run-time.

The Universal Hooker builds on the idea that the function handling the hook is the one with the knowledge about the parameter types of the function it is handling. The Universal Hooker only knows the number of parameters of the function, and obtains them from the stack (all DWORDS). The hook handler is the one that will interpret those DWORDS as the types received by the function.

The hook handlers are written in python, which eliminates the need for recompiling the handlers when a modification is required. And also, the hook handlers (executed by the server) are reloaded from disk every time a hook handler is called; this means that one can change the behavior of the hook handler without the need to recompile the code, or having to restart the application being analyzed.

Thanks,
Hernan
Re: [Full-disclosure] Orkut URL Redirection Vulnerability
> I have found url redirection vulnerability on www.orkut.com.

Man, I don't want to disappoint you but this redirection vulnerability is pretty old and has been being used in Brazil for some time. This vulnerability was noticed in the beginning of the year, maybe, when orkut had changed its authentication scheme. I'm sure orkut was already notified by other people but they hadn't patched it yet and the phishing keeps going on :)

Sorry about any grammatical errors.

Regards,
Julio Cesar Fort
Recife, PE, Brazil
www.rfdslabs.com.br - computers, sex, human mind, music and more.
Re: [Full-disclosure] Orkut URL Redirection Vulnerability
Well, so now TWO countries care about orkut stuff, Brazil and Finland ;)

I think its creator, Orkut Büyükkökten, had a hell of a childhood, with such a name.

On Thu, 7 Sep 2006 20:53:53 +0300 Olli Haukkovaara [EMAIL PROTECTED] wrote:
> Sorry guys, but this particular URL, www.orkut.com, makes us Finns smile... Orkut means in our language orgasms.
> I just had to share this with you, please forgive me, it's almost friday night ;-)
>
> Regards,
> Olli
>
> On 9/7/06, Julio Cesar Fort [EMAIL PROTECTED] wrote:
>> I have found url redirection vulnerability on www.orkut.com.
>>
>> Man, I don't want to disappoint you but this redirection vulnerability is pretty old and has been being used in Brazil for some time. This vulnerability was noticed in the beginning of the year, maybe, when orkut had changed its authentication scheme. I'm sure orkut was already notified by other people but they hadn't patched it yet and the phishing keeps going on :)
>>
>> Sorry about any grammatical errors.
>>
>> Regards,
>> Julio Cesar Fort
>> Recife, PE, Brazil
>> www.rfdslabs.com.br - computers, sex, human mind, music and more.
>
> --
> regards, Olli

--
Carlos Cardoso - Blogueiro Inconformado^
http://www.carloscardoso.com == naughtiness
http://www.contraditorium.com == ProBlogging and digital culture
[Full-disclosure] r57shell hidden feature
Hello

Doing some forensics I found that R57shell (version 1.31), a widely used php shell by RST/GHC, has some "hidden features": it will log any usage to some russian stats counters. If those counters log the ip, and the script is not protected by a password, they can 0wn everything you 0wned.

Starting from line 1469 we have 2 base64 encoded variables $c1 and $c2; at line 1592 the script will check if the variables are empty and die() if true, then they are decoded and appended to $f, which is echo-ed at line 2204. $f contains only the counters scripts.

Trust no one (especially commies), write your own tools.
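The post describes a forensic finding: string variables holding base64 blobs that, once decoded, turn out to be tracking "counter" markup echoed to third parties. An analyst triaging a recovered PHP file wants that check automated: find base64-looking string literals, decode them, and report any that contain URLs, with the line number. The following is an added Python example of that triage step, not code from the post or from r57shell; the sample PHP and the stats-counter.example / second-counter.example URLs inside it are constructed for the demonstration and are not the real counters the post refers to.

```python
import base64
import re

# A PHP assignment of a quoted string made only of base64 characters (whitespace allowed,
# since such blobs are often wrapped). Minimum length keeps short normal strings out.
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(['\"])([A-Za-z0-9+/=\s]{16,})\2\s*;")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def find_encoded_callbacks(php_source: str) -> dict:
    """Return {var_name: {"line": int, "decoded": str, "urls": [str, ...]}}
    for every base64 string literal whose decoded form contains a URL."""
    hits = {}
    for m in ASSIGN_RE.finditer(php_source):
        name, blob = m.group(1), m.group(3)
        compact = re.sub(r"\s+", "", blob)
        try:
            decoded = base64.b64decode(compact, validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            continue                      # not actually base64: ordinary string literal
        urls = URL_RE.findall(decoded)
        if urls:
            hits[name] = {
                "line": php_source[: m.start()].count("\n") + 1,
                "decoded": decoded,
                "urls": urls,
            }
    return hits


# Constructed sample mirroring the shape the post describes: two encoded variables,
# an emptiness check, decode-and-concatenate into $f, then echo. Domains are placeholders.
_COUNTER_1 = '<img src="http://stats-counter.example/hit.php?id=r57" width="1" height="1">'
_COUNTER_2 = '<script src="http://second-counter.example/c.js"></script>'
_B64_1 = base64.b64encode(_COUNTER_1.encode()).decode()
_B64_2 = base64.b64encode(_COUNTER_2.encode()).decode()
SAMPLE_PHP = (
    "<?php\n"
    "$auth_pass = '';\n"
    f"$c1 = '{_B64_1}';\n"
    f"$c2 = '{_B64_2}';\n"
    "if (empty($c1) || empty($c2)) { die(); }\n"
    "$f = base64_decode($c1) . base64_decode($c2);\n"
    "echo $f;\n"
)

if __name__ == "__main__":
    for var, info in find_encoded_callbacks(SAMPLE_PHP).items():
        print(f"${var} (line {info['line']}): {info['urls']}")
```

On a real sample the hostnames reported here are what goes into the egress block-list and into the web server's access-log search, since every use of the shell would have caused the victim's browser (or the shell's page) to fetch those URLs.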
Re: [Full-disclosure] Orkut URL Redirection Vulnerability
Sorry guys, but this particular URL, www.orkut.com, makes us Finns smile... Orkut means in our language orgasms.

I just had to share this with you, please forgive me, it's almost friday night ;-)

Regards,
Olli

On 9/7/06, Julio Cesar Fort [EMAIL PROTECTED] wrote:
> I have found url redirection vulnerability on www.orkut.com.
>
> Man, I don't want to disappoint you but this redirection vulnerability is pretty old and has been being used in Brazil for some time. This vulnerability was noticed in the beginning of the year, maybe, when orkut had changed its authentication scheme. I'm sure orkut was already notified by other people but they hadn't patched it yet and the phishing keeps going on :)
>
> Sorry about any grammatical errors.
>
> Regards,
> Julio Cesar Fort
> Recife, PE, Brazil
> www.rfdslabs.com.br - computers, sex, human mind, music and more.

--
regards, Olli
[Full-disclosure] RSA SecurID SID800 Token vulnerable by design
Hi,

I recently tested an RSA SecurID SID800 Token
http://www.rsasecurity.com/products/securid/datasheets/SID800_DS_0205.pdf

The token is bundled with some windows software designed to make the user's life easier. Interestingly, this software provides a function which directly copies the current token code into the cut-and-paste buffer, when the token is plugged in into USB.

This is weak by design. The security of these tokens is based on what RSA calls two-factor user authentication: It takes both a secret (PIN) and the time-dependent Token-Code to authenticate. The security of the Token-Code depends on the assumption that the token is resistant against malware or intruders on the computer used for communication (web browser, VPN client, ...).

However, if the Token Code can be read over the USB bus, this assumption does not hold. A single attack on the PC where the token is plugged in would compromise both the PIN (e.g. with a keylogger) and the token itself (e.g. writing a daemon which continuously polls the token and forwards the token in real time to a remote attacker).

Ironically this could make an attack even easier: If some malware simultaneously monitors the token and the keyboard, it is much easier to detect that the keystrokes are actually related to some login procedure: Whenever the 6-digit token code appears in the keyboard or cut-and-paste input stream, you can be pretty sure that in a sliding window of about the last 100-200 keystrokes both the PIN and the address of the server to login to is contained. Makes it really easy to automatically detect secrets in the input stream.

Thus, two different authentication methods are together weaker than each single one.

regards
Hadmut
[Full-disclosure] Linux kernel source archive vulnerable
Hi,

there's a severe vulnerability in the Linux kernel source code archives:

The Linux kernel is distributed as tar archives in the form of linux-2.6.17.11.tar.bz2 from kernel.org. It is usually unpacked, configured and compiled under /usr/src. Since installing a new kernel requires root privileges, this is usually done as root.

When unpacking such an archive, tar also sets the uid, gid, and file permissions given in the tar archive. Unfortunately, plenty of files and directories in that archive are world writable. E.g. in the 2.6.17.11 archive, there are 1201 world writable directories and 19554 world writable files.

This opens the door for at least three kinds of attacks:

1. Whoever manages to exploit any server (e.g. PHP on a webserver) has world writable directories at a well defined place, perfect to hide any malware, bot, rootkit, ...

2. Any user or intruder can modify the kernel source and thus compromise the kernel to be compiled.

3. Any user or intruder could modify the build or installation system/Makefiles in order to have any kind of malware executed by root the next time a kernel is built or installed, or any other kernel module making use of the kernel tree.

Solution: Ensure that the file ownership and permissions are set properly before distributing the tar archive.

regards
Hadmut
Re: [Full-disclosure] Linux kernel source archive vulnerable
Hadmut == Hadmut Danisch [EMAIL PROTECTED] writes:

Hadmut> [snip]
Hadmut> When unpacking such an archive, tar also sets the uid, gid, and file permissions given in the tar archive. Unfortunately, plenty of files and directories in that archive are world writable. E.g. in the 2.6.17.11 archive, there are 1201 world writable directories and 19554 world writable files.

I wouldn't know if something has changed drastically between 2.6.16 and 2.6.17.11, but:

[EMAIL PROTECTED]:~$ find /usr/src/linux-2.6.16/ -perm -666 ! -type l
[EMAIL PROTECTED]:~$

Not a single world-writable file or directory. Perhaps pre-release kernel tarballs are more lax?

Regards,

- -- Raju
- --
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves
Re: [Full-disclosure] Linux kernel source archive vulnerable
On Fri, Sep 08, 2006 at 12:52:22AM +0530, Raj Mathur wrote:
> I wouldn't know if something has changed drastically between 2.6.16 and 2.6.17.11, but:
>
> [EMAIL PROTECTED]:~$ find /usr/src/linux-2.6.16/ -perm -666 ! -type l
> [EMAIL PROTECTED]:~$
>
> Not a single world-writable file or directory. Perhaps pre-release kernel tarballs are more lax?

On my machine (I also have a 2.6.16):

# find /usr/src/linux-2.6.16/ -perm -666 ! -type l | wc -l
20434

Just to doublecheck I wrote a script which parses the kernel tar:

pax_global_header                                   52 b  mode=666 uid=0 gid=0
linux-2.6.17.11/                                     0 b  mode=777 uid=0 gid=0
linux-2.6.17.11/.gitignore                         462 b  mode=666 uid=0 gid=0
linux-2.6.17.11/COPYING                          18693 b  mode=666 uid=0 gid=0
linux-2.6.17.11/CREDITS                          89536 b  mode=666 uid=0 gid=0
linux-2.6.17.11/Documentation/                       0 b  mode=777 uid=0 gid=0
linux-2.6.17.11/Documentation/00-INDEX           10581 b  mode=666 uid=0 gid=0
linux-2.6.17.11/Documentation/BUG-HUNTING         7249 b  mode=666 uid=0 gid=0
linux-2.6.17.11/Documentation/Changes            11655 b  mode=666 uid=0 gid=0
linux-2.6.17.11/Documentation/CodingStyle        17843 b  mode=666 uid=0 gid=0
linux-2.6.17.11/Documentation/DMA-API.txt        21291 b  mode=666 uid=0 gid=0
linux-2.6.17.11/Documentation/DMA-ISA-LPC.txt     5332 b  mode=666 uid=0 gid=0
linux-2.6.17.11/Documentation/DMA-mapping.txt    32801 b  mode=666 uid=0 gid=0
linux-2.6.17.11/Documentation/DocBook/               0 b  mode=777 uid=0 gid=0
linux-2.6.17.11/Documentation/DocBook/.gitignore    35 b  mode=666 uid=0 gid=0
...

A friend of mine confirmed to also have world writable dirs and files.

regards
Hadmut
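The thread above turns on one question: what modes are stored in the archive, as opposed to what ended up on a particular machine after extraction under some umask. Hadmut answers it by parsing the tar headers directly. The following is an added Python example of that audit, not the script from the post: it reads the member headers from a tarball without extracting anything and lists every entry whose stored mode grants write access to "other", and it shows the receiving-side mitigation, which is to mask the stored modes with a umask (what GNU tar does with --no-same-permissions, the default for non-root users) instead of trusting them. The sample tarball, its "linux-x.y.z" paths and modes are constructed in memory for the demonstration and are not the kernel.org archive.

```python
import io
import stat
import tarfile


def world_writable_members(tar_bytes: bytes):
    """Inspect stored headers only: return [(name, mode_octal_str)] for entries
    whose mode has the o+w bit. Symlinks are skipped, as in the thread's find."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf:
            if member.issym():
                continue
            if member.mode & stat.S_IWOTH:
                found.append((member.name, oct(member.mode & 0o7777)))
    return found


def masked_mode(mode: int, umask: int = 0o022) -> int:
    """Mode an extractor should actually apply: stored mode minus the umask bits.
    This is the --no-same-permissions behaviour; root extracting with -p keeps `mode`."""
    return mode & ~umask & 0o7777


def build_sample_tar() -> bytes:
    """Constructed archive: a 0777 directory, a 0666 Makefile and a sane 0644 file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, mode, data=b"", is_dir=False):
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.uid = info.gid = 0
            if is_dir:
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            else:
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))

        add("linux-x.y.z", 0o777, is_dir=True)
        add("linux-x.y.z/Makefile", 0o666, b"all:\n\t@echo constructed\n")
        add("linux-x.y.z/COPYING", 0o644, b"placeholder licence text\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_tar()
    for name, mode in world_writable_members(sample):
        print(f"{name:28s} stored {mode}  would extract as {oct(masked_mode(int(mode, 8)))}")
```

Run against a real kernel tarball (read the file's bytes and pass them in; use mode "r:bz2" or "r:*" for a compressed archive), the audit reports what the archive would impose if extracted by root with permission preservation. The masked_mode() line is the policy to apply on the receiving side: extract as an unprivileged user, or with --no-same-permissions, so the stored 0666/0777 never reach the filesystem.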
[Full-disclosure] [ GLSA 200609-05 ] OpenSSL, AMD64 x86 emulation base libraries: RSA signature forgery
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200609-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: OpenSSL, AMD64 x86 emulation base libraries: RSA signature forgery
      Date: September 07, 2006
      Bugs: #146375, #146438
        ID: 200609-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

OpenSSL fails to properly validate PKCS #1 v1.5 signatures.

Background
==========

OpenSSL is a toolkit implementing the Secure Sockets Layer, Transport Layer Security protocols and a general-purpose cryptography library. The x86 emulation base libraries for AMD64 contain a vulnerable version of OpenSSL.

Affected packages
=================

    -------------------------------------------------------------------
     Package                          /  Vulnerable  /     Unaffected
    -------------------------------------------------------------------
  1  openssl                               < 0.9.7k          >= 0.9.7k
  2  emul-x86-linux-baselibs                < 2.5.2           >= 2.5.2
    -------------------------------------------------------------------
    # Package 2 [app-emulation/emul-x86-linux-baselibs] only applies to AMD64 users.
    NOTE: Any packages listed without architecture tags apply to all architectures...
    -------------------------------------------------------------------
     2 affected packages
    -------------------------------------------------------------------

Description
===========

Daniel Bleichenbacher discovered that it might be possible to forge signatures signed by RSA keys with the exponent of 3.

Impact
======

Since several CAs are using an exponent of 3 it might be possible for an attacker to create a key with a false CA signature.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSL users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.7k"

All AMD64 x86 emulation base libraries users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/emul-x86-linux-baselibs-2.5.2"

References
==========

  [ 1 ] CVE-2006-4339
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200609-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
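The advisory's synopsis is that OpenSSL "fails to properly validate PKCS #1 v1.5 signatures", and the exponent-3 forgery it refers to only works against a verifier that parses the padding loosely. The robust verification is not to parse the decrypted block at all: rebuild the entire expected encoded message EM = 00 || 01 || FF...FF || 00 || DigestInfo for the key's modulus length and compare it byte for byte. The following is an added Python example of that strict check beside a verifier with the lax shape (skip the 0xFF run, read the DigestInfo, ignore whatever follows), showing that a block with trailing bytes after the DigestInfo passes the lax check and fails the strict one. It is not OpenSSL's code; it works on the encoded block only (no RSA operation, no key), uses SHA-1 because that is what the 2006-era DigestInfo prefix is most often quoted for, and the message and malformed block are constructed for the demonstration.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1); the 20-byte hash follows it.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info(message: bytes) -> bytes:
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xFF * at least 8) || 0x00 || T, exactly em_len bytes."""
    t = digest_info(message)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_strict(em: bytes, message: bytes) -> bool:
    """The safe shape: recompute the whole EM and compare all of it (constant time).
    Any padding length other than the one that fills the modulus is rejected."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def verify_lax(em: bytes, message: bytes) -> bool:
    """The flawed shape the advisory is about: walk past 00 01 FF..FF 00, compare the
    DigestInfo that follows, and never look at what comes after it."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:     # at least 8 bytes of 0xFF
        return False
    i += 1
    t = digest_info(message)
    return em[i:i + len(t)] == t                     # trailing bytes of em are ignored


# Constructed inputs for a 1024-bit key (em_len = 128).
MESSAGE = b"constructed test message"
EM_LEN = 128
HONEST_EM = emsa_pkcs1_v15_encode(MESSAGE, EM_LEN)


def build_malformed_em(message: bytes, em_len: int = EM_LEN) -> bytes:
    """Short 0xFF run, correct DigestInfo, then filler: the shape a lax parser accepts."""
    t = digest_info(message)
    return b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x00" * (em_len - 11 - len(t))


MALFORMED_EM = build_malformed_em(MESSAGE)

if __name__ == "__main__":
    print("honest EM    strict:", verify_strict(HONEST_EM, MESSAGE), " lax:", verify_lax(HONEST_EM, MESSAGE))
    print("malformed EM strict:", verify_strict(MALFORMED_EM, MESSAGE), " lax:", verify_lax(MALFORMED_EM, MESSAGE))
```

The strict comparison is what the fixed OpenSSL release enforces in spirit: the verifier knows exactly what EM must look like for this key length and this hash, so there is nothing to parse. A library that reaches the DigestInfo by scanning is the thing to look for when reviewing other PKCS #1 v1.5 implementations, independent of which public exponent the key uses.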
[Full-disclosure] Hustle -- alwil Anti-Virus Kernel -- Remote Local Vulnerability
As of 07-September-2006, Hustle Labs has released an advisory detailing a vulnerability in alwil's anti-virus kernel. This vulnerability occurs when processing specially crafted LHA files, and can be triggered through multiple attack vectors.

For more information please visit http://www.hustlelabs.com/advisories.html and click on the alwil link.

-Ryan Smith
[Full-disclosure] [ MDKSA-2006:162 ] - Updated php packages fix vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:162
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : php
 Date    : September 7, 2006
 Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 The (1) file_exists and (2) imap_reopen functions in PHP before 5.1.5
 do not check for the safe_mode and open_basedir settings, which allows
 local users to bypass the settings (CVE-2006-4481).

 Buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
 in the GD extension in PHP before 5.1.5 allows remote attackers to have
 an unknown impact via a GIF file with input_code_size greater than
 MAX_LWZ_BITS, which triggers an overflow when initializing the table
 array (CVE-2006-4484).

 The stripos function in PHP before 5.1.5 has unknown impact and attack
 vectors related to an out-of-bounds read (CVE-2006-4485).

 CVE-2006-4485 does not affect the Corporate3 or MNF2 versions of PHP.

 Updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4481
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4484
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4485
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2006.0:
 146279492bdd9a03694778e265582d65  2006.0/RPMS/libphp5_common5-5.0.4-9.14.20060mdk.i586.rpm
 ca99a7740c1b47df847a56cbb25a8e80  2006.0/RPMS/php-cgi-5.0.4-9.14.20060mdk.i586.rpm
 665f72c14d5c2d485047c8c288946227  2006.0/RPMS/php-cli-5.0.4-9.14.20060mdk.i586.rpm
 ddb6f8354c06c2f7bd78823dc846b2b5  2006.0/RPMS/php-devel-5.0.4-9.14.20060mdk.i586.rpm
 a8ba6ed38bb91aa170882a2c0ad32e32  2006.0/RPMS/php-fcgi-5.0.4-9.14.20060mdk.i586.rpm
 ddc3fc12907892012c0db9df119edaab  2006.0/RPMS/php-imap-5.0.4-2.4.20060mdk.i586.rpm
 7231862a27ba9135e9cfcce3c455af3a  2006.0/SRPMS/php-5.0.4-9.14.20060mdk.src.rpm
 69d5c165b33b00454cc56b27bb21eba7  2006.0/SRPMS/php-imap-5.0.4-2.4.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 4ba33ec1fd91fdad05aaffb2d8dc766a  x86_64/2006.0/RPMS/lib64php5_common5-5.0.4-9.14.20060mdk.x86_64.rpm
 023e44a6bc50c5edaa3abfe85a888ec3  x86_64/2006.0/RPMS/php-cgi-5.0.4-9.14.20060mdk.x86_64.rpm
 29e82f10dba8da27a73e57df3ffc198b  x86_64/2006.0/RPMS/php-cli-5.0.4-9.14.20060mdk.x86_64.rpm
 69fd9d2282d1bc50c19078f8537e4084  x86_64/2006.0/RPMS/php-devel-5.0.4-9.14.20060mdk.x86_64.rpm
 a849151feb32d3bcca9f5d175289fce5  x86_64/2006.0/RPMS/php-fcgi-5.0.4-9.14.20060mdk.x86_64.rpm
 1551e3c19dde54eaa19dabe5fe8a31db  x86_64/2006.0/RPMS/php-imap-5.0.4-2.4.20060mdk.x86_64.rpm
 7231862a27ba9135e9cfcce3c455af3a  x86_64/2006.0/SRPMS/php-5.0.4-9.14.20060mdk.src.rpm
 69d5c165b33b00454cc56b27bb21eba7  x86_64/2006.0/SRPMS/php-imap-5.0.4-2.4.20060mdk.src.rpm

 Corporate 3.0:
 3eb436590e289bc53b5bf6560ba04b02  corporate/3.0/RPMS/libphp_common432-4.3.4-4.20.C30mdk.i586.rpm
 25e55ccb44fe52f3a2dbbded0463c344  corporate/3.0/RPMS/php432-devel-4.3.4-4.20.C30mdk.i586.rpm
 b970a8c32bc44c3736173d90dc251141  corporate/3.0/RPMS/php-cgi-4.3.4-4.20.C30mdk.i586.rpm
 90098a78f8376e8abc5cad6d6eab75f9  corporate/3.0/RPMS/php-cli-4.3.4-4.20.C30mdk.i586.rpm
 65ec1dc0a8da743bbc8c31b02b2e0463  corporate/3.0/RPMS/php-gd-4.3.4-1.4.C30mdk.i586.rpm
 f301535d5f0f4eab5b0d6a1d9b231ef8  corporate/3.0/RPMS/php-imap-4.3.4-1.4.C30mdk.i586.rpm
 e7eb6f56b39b5c72b3a2dbb602ab8d46  corporate/3.0/SRPMS/php-4.3.4-4.20.C30mdk.src.rpm
 55da5f48aa9e2851b88377d436fc154b  corporate/3.0/SRPMS/php-gd-4.3.4-1.4.C30mdk.src.rpm
 3133219ccf7cd83aec8f03823b6bcf48  corporate/3.0/SRPMS/php-imap-4.3.4-1.4.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 c5213371e2b3ff49c18bcb7eea366b86  x86_64/corporate/3.0/RPMS/lib64php_common432-4.3.4-4.20.C30mdk.x86_64.rpm
 48206012e77a6949d36188f3b2743afc  x86_64/corporate/3.0/RPMS/php432-devel-4.3.4-4.20.C30mdk.x86_64.rpm
 e37a90b7ba3b52fce6bbecd6ec8960bf  x86_64/corporate/3.0/RPMS/php-cgi-4.3.4-4.20.C30mdk.x86_64.rpm
 24ce234e4d366125e4a13ca5ac2d0bf6  x86_64/corporate/3.0/RPMS/php-cli-4.3.4-4.20.C30mdk.x86_64.rpm
 60dd687ca2f9fc7b1aa8717533d1ed81  x86_64/corporate/3.0/RPMS/php-gd-4.3.4-1.4.C30mdk.x86_64.rpm
 86ff3c6e121b52fd6a092c7f8e35885c  x86_64/corporate/3.0/RPMS/php-imap-4.3.4-1.4.C30mdk.x86_64.rpm
 e7eb6f56b39b5c72b3a2dbb602ab8d46  x86_64/corporate/3.0/SRPMS/php-4.3.4-4.20.C30mdk.src.rpm
 55da5f48aa9e2851b88377d436fc154b  x86_64/corporate/3.0/SRPMS/php-gd-4.3.4-1.4.C30mdk.src.rpm
 3133219ccf7cd83aec8f03823b6bcf48  x86_64/corporate/3.0/SRPMS/php-imap-4.3.4-1.4.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 90ed06dbf0316651afc4d8990477ca7d
[Full-disclosure] Active Directory accounts
Hello,

I have a question regarding some data I pulled off a customer's AD. We recently ran an AD scan to identify several user account violation types using AD Inspector (www.obtuse.net/software/adinspector). Basically the search contained filters for users who don't have password expirations enabled and also users who haven't logged in in the last 90 days (stale accounts).

Anyway, the results were quite surprising and I'd like to validate them. My question is this. Is the lastLogon AD account property updated any time a user authenticates to AD regardless of the service? Like, if I log in to a 3rd party application which uses LDAP integration with AD for authentication, will that update the user's lastLogon property in AD?
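One check worth running before trusting a stale-account report like the one described above, as an added example that is not part of this thread and not AD Inspector's code: lastLogon is kept separately by each domain controller for the logons that controller handled and is not replicated, so reading it from one DC understates activity, and the value to compare against a 90-day cutoff is the newest one across all DCs (the replicated alternative, lastLogonTimestamp, is only refreshed about every two weeks by default, so it is coarser). Values are Windows FILETIME integers (100 ns ticks since 1601-01-01 UTC), and 0 or an absent attribute means "never on this DC". The per-DC results below are constructed, as are the DC and account names; querying the DCs themselves is left to whatever LDAP client is in use.

```python
"""Merge per-DC lastLogon values before judging an account stale.

Added example with constructed data. Each DC keeps its own lastLogon, so the
newest value across all DCs is the one to compare against the cutoff.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed reference time for the sample data (the thread's date).
REFERENCE_NOW = datetime(2006, 9, 7, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime.
    0 or negative means "never logged on here" and maps to None."""
    if ft is None or ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, exact to the microsecond."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def newest_logon(per_dc: dict):
    """per_dc maps DC name -> lastLogon FILETIME (or None/0). Because the
    attribute is not replicated, the account's real last logon is the max."""
    seen = [filetime_to_datetime(v) for v in per_dc.values() if v]
    return max(seen) if seen else None


def stale_accounts(dc_results: dict, now: datetime, days: int = 90) -> list:
    """dc_results maps DC name -> {sAMAccountName: lastLogon}. Returns the
    sorted account names whose newest lastLogon across all DCs is older than
    `days` or missing everywhere."""
    cutoff = now - timedelta(days=days)
    users = {u for res in dc_results.values() for u in res}
    stale = []
    for u in sorted(users):
        newest = newest_logon({dc: res.get(u) for dc, res in dc_results.items()})
        if newest is None or newest < cutoff:
            stale.append(u)
    return stale


def demo():
    """Constructed sample: the same four accounts as seen by two DCs. Judged
    from DC1 alone, bob looks stale; merged with DC2 he logged on 10 days ago."""
    def ft(days_ago: int) -> int:
        return datetime_to_filetime(REFERENCE_NOW - timedelta(days=days_ago))

    dc_results = {
        "DC1": {"alice": ft(3), "bob": ft(200), "carol": 0, "dave": ft(120)},
        "DC2": {"alice": ft(40), "bob": ft(10), "carol": 0, "dave": 0},
    }
    single_dc_view = stale_accounts({"DC1": dc_results["DC1"]}, REFERENCE_NOW)
    merged_view = stale_accounts(dc_results, REFERENCE_NOW)
    return single_dc_view, merged_view


if __name__ == "__main__":
    single, merged = demo()
    print("stale according to DC1 only:", single)
    print("stale after merging all DCs:", merged)
```

The difference between the two lists in `demo()` is exactly the kind of surprise a single-DC scan produces: an account that authenticates against a DC the scanner did not query looks idle.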
[Full-disclosure] ZDI-06-028: Ipswitch Collaboration Suite SMTP Server Stack Overflow
ZDI-06-028: Ipswitch Collaboration Suite SMTP Server Stack Overflow
http://www.zerodayinitiative.com/advisories/ZDI-06-028.html
September 7, 2006

-- CVE ID:
CVE-2006-4379

-- Affected Vendor:
Ipswitch

-- Affected Products:
ICS/IMail Server 2006

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since August 31, 2006 by Digital Vaccine protection filter ID 4496. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Ipswitch Collaboration Suite and IMail. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the SMTP daemon. A lack of bounds checking during the parsing of long strings contained within the characters '@' and ':' leads to a stack overflow vulnerability. Exploitation can result in code execution or a denial of service.

-- Vendor Response:
Ipswitch has issued an update, version 2006.1, to correct this vulnerability. More details can be found at: http://www.ipswitch.com/support/imail/releases/im20061.asp

-- Disclosure Timeline:
2006.06.22 - Vulnerability reported to vendor
2006.08.31 - Digital Vaccine released to TippingPoint customers
2006.09.07 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
[Full-disclosure] [SECURITY] [DSA 1171-1] New ethereal packages fix execution of arbitrary code
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1171-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
September 7th, 2006                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : ethereal
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-4333 CVE-2005-3241 CVE-2005-3242 CVE-2005-3243
                 CVE-2005-3244 CVE-2005-3246 CVE-2005-3248
Debian Bug     : 384528 334880

Several remote vulnerabilities have been discovered in the Ethereal
network scanner, which may lead to the execution of arbitrary code. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2006-4333
    It was discovered that the Q.2391 dissector is vulnerable to denial
    of service caused by memory exhaustion.

CVE-2005-3241
    It was discovered that the FC-FCS, RSVP and ISIS-LSP dissectors are
    vulnerable to denial of service caused by memory exhaustion.

CVE-2005-3242
    It was discovered that the IrDA and SMB dissectors are vulnerable to
    denial of service caused by memory corruption.

CVE-2005-3243
    It was discovered that the SLIMP3 and AgentX dissectors are
    vulnerable to code injection caused by buffer overflows.

CVE-2005-3244
    It was discovered that the BER dissector is vulnerable to denial of
    service caused by an infinite loop.

CVE-2005-3246
    It was discovered that the NCP and RTnet dissectors are vulnerable
    to denial of service caused by a null pointer dereference.

CVE-2005-3248
    It was discovered that the X11 dissector is vulnerable to denial of
    service caused by a division by zero.

This update also fixes a 64 bit-specific regression in the ASN.1
decoder, which has been introduced in a previous DSA.

For the stable distribution (sarge) these problems have been fixed in
version 0.10.10-2sarge8.

For the unstable distribution (sid) these problems have been fixed in
version 0.99.2-5.1 of wireshark, the network sniffer formerly known as
ethereal.

We recommend that you upgrade your ethereal packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Stable updates are available for alpha, amd64, arm, hppa, i386, ia64,
  m68k, mips, mipsel, powerpc, s390 and sparc.

  Source archives:

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.10.10-2sarge8.dsc
      Size/MD5 checksum:      855 159309d848ffa90cb5ae336582a8e7d4
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.10.10.orig.tar.gz
      Size/MD5 checksum:  7411510 e6b74468412c17bb66cd459bfb61471c
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.10.10-2sarge8.diff.gz
      Size/MD5 checksum:   177921 ee1ce43eb48106f1fc0b75bc9ff3c241

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.10.10-2sarge8_alpha.deb
      Size/MD5 checksum:  5476146 cf5b01f923e68a3f07d0080ef69f2b57
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.10.10-2sarge8_alpha.deb
      Size/MD5 checksum:   154566 615069b5905d6c2aec9a357eb0dd1306
    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.10.10-2sarge8_alpha.deb
      Size/MD5 checksum:   106250 cfe9461049fc5e1997d68cbd1a6d6b78
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.10.10-2sarge8_alpha.deb
      Size/MD5 checksum:   543034 5c9eaadae44224a002902c4196847aa0

  amd64 architecture (AMD x86_64 (AMD64))

    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.10.10-2sarge8_amd64.deb
      Size/MD5 checksum:   154556 67cfc697c120e54c489e1552b1a58b6e
    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.10.10-2sarge8_amd64.deb
      Size/MD5 checksum:    99542 09093de7c28ec1741106dac694ffcae3
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.10.10-2sarge8_amd64.deb
      Size/MD5 checksum:   486502 addeab1c3d70537c088574f9f68e6e6d
    http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.10.10-2sarge8_amd64.deb
      Size/MD5 checksum:  5334616 1700b3e18c2b45594cbb80ef2ea58019

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.10.10-2sarge8_arm.deb
      Size/MD5 checksum:    95616 39dbfe3ac08048f95b19d74c644b780c
Re: [Full-disclosure] Linux kernel source archive vulnerable
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

kernel-2.6.17-gentoo-r7 seems OK.

$ find /usr/src/linux-2.6.17-gentoo-r7/ -perm -666 ! -type l | wc -l
0
$

Hadmut Danisch wrote:
> On Fri, Sep 08, 2006 at 12:52:22AM +0530, Raj Mathur wrote:
>> I wouldn't know if something has changed drastically between 2.6.16
>> and 2.6.17.11, but:
>>
>> [EMAIL PROTECTED]:~$ find /usr/src/linux-2.6.16/ -perm -666 ! -type l
>> [EMAIL PROTECTED]:~$
>>
>> Not a single world-writable file or directory. Perhaps pre-release
>> kernel tarballs are more lax?
>
> On my machine (I also have a 2.6.16):
>
> # find /usr/src/linux-2.6.16/ -perm -666 ! -type l | wc -l
> 20434
>
> Just to double-check I wrote a script which parses the kernel tar:
>
> pax_global_header                                  52 b mode=666 uid=0 gid=0
> linux-2.6.17.11/                                    0 b mode=777 uid=0 gid=0
> linux-2.6.17.11/.gitignore                        462 b mode=666 uid=0 gid=0
> linux-2.6.17.11/COPYING                         18693 b mode=666 uid=0 gid=0
> linux-2.6.17.11/CREDITS                         89536 b mode=666 uid=0 gid=0
> linux-2.6.17.11/Documentation/                      0 b mode=777 uid=0 gid=0
> linux-2.6.17.11/Documentation/00-INDEX          10581 b mode=666 uid=0 gid=0
> linux-2.6.17.11/Documentation/BUG-HUNTING        7249 b mode=666 uid=0 gid=0
> linux-2.6.17.11/Documentation/Changes           11655 b mode=666 uid=0 gid=0
> linux-2.6.17.11/Documentation/CodingStyle       17843 b mode=666 uid=0 gid=0
> linux-2.6.17.11/Documentation/DMA-API.txt       21291 b mode=666 uid=0 gid=0
> linux-2.6.17.11/Documentation/DMA-ISA-LPC.txt    5332 b mode=666 uid=0 gid=0
> linux-2.6.17.11/Documentation/DMA-mapping.txt   32801 b mode=666 uid=0 gid=0
> linux-2.6.17.11/Documentation/DocBook/              0 b mode=777 uid=0 gid=0
> linux-2.6.17.11/Documentation/DocBook/.gitignore   35 b mode=666 uid=0 gid=0
> ...
>
> A friend of mine confirmed to also have world writable dirs and files.
>
> regards
> Hadmut

- --
Troy Cregger
Lead Developer, Technical Products.
Kennedy Information, Inc
One Phoenix Mill Ln, Fl 3
Peterborough, NH 03458
(603)924-0900 ext 662
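A script of the kind Hadmut describes, as an added example that is not his script and not part of the thread: it walks a tar archive without unpacking it and reports every member whose mode has the other-write bit set, skipping symlinks the way `! -type l` does in the `find` commands above, so the result can be compared with those `find ... | wc -l` counts before the tree is ever extracted. The archive it scans is constructed in memory, with member names and modes copied from the listing quoted in the thread; the function names are my own.

```python
"""List world-writable members of a tar archive without extracting it.

Added example. The sample archive is constructed in memory; its names and
modes follow the listing quoted in the thread.
"""
import io
import stat
import tarfile

WORLD_WRITABLE = stat.S_IWOTH  # the o+w bit, what `find -perm -666` keys on


def world_writable_entries(archive_bytes: bytes) -> list:
    """Return (name, mode, kind) for every member whose stored mode has the
    other-write bit. Symlinks are skipped, matching `! -type l`: their mode is
    meaningless on most filesystems and the target's mode is what matters."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if member.issym():
                continue
            if member.mode & WORLD_WRITABLE:
                kind = "dir" if member.isdir() else "file"
                hits.append((member.name, member.mode & 0o7777, kind))
    return hits


def count_world_writable(archive_bytes: bytes) -> int:
    """The `| wc -l` equivalent."""
    return len(world_writable_entries(archive_bytes))


def build_sample_archive() -> bytes:
    """Constructed sample tarball: a few members with the 666/777 modes from
    the thread's listing, two sane ones, and a symlink that must be ignored."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        members = [
            ("linux-2.6.17.11", 0o777, tarfile.DIRTYPE, b""),
            ("linux-2.6.17.11/COPYING", 0o666, tarfile.REGTYPE, b"GPL text\n"),
            ("linux-2.6.17.11/Documentation", 0o777, tarfile.DIRTYPE, b""),
            ("linux-2.6.17.11/Makefile", 0o644, tarfile.REGTYPE, b"all:\n"),
            ("linux-2.6.17.11/scripts", 0o755, tarfile.DIRTYPE, b""),
        ]
        for name, mode, typ, data in members:
            info = tarfile.TarInfo(name)
            info.type = typ
            info.mode = mode
            info.uid = info.gid = 0
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if typ == tarfile.REGTYPE else None)
        link = tarfile.TarInfo("linux-2.6.17.11/link-to-copying")
        link.type = tarfile.SYMTYPE
        link.linkname = "COPYING"
        link.mode = 0o777
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    # For a real tarball, read its bytes instead of build_sample_archive().
    sample = build_sample_archive()
    for name, mode, kind in world_writable_entries(sample):
        print(f"{name:45s} {oct(mode)} {kind}")
    print(count_world_writable(sample), "world-writable entries")
```

On a real archive, replace `build_sample_archive()` with the bytes of the downloaded tarball; a non-zero count on a source tree that is meant to be read-only is the signal the thread is about, and checking the archive is cheaper than unpacking it and running `find` afterwards.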
Re: [Full-disclosure] Orkut URL Redirection Vulnerability
Add another country ..:)- In Turkish, Orkut means the holy meeting place. And yes, Google's Orkut was built by a Turkish Google engineer, Orkut Buyukkokten.

On 9/7/06, cardoso [EMAIL PROTECTED] wrote:
> Well, so now TWO countries care about orkut stuff, Brazil and Finland ;)
> I think its creator, Orkut Büyükkökten, had a hell of a childhood, with such a name.
>
> On Thu, 7 Sep 2006 20:53:53 +0300 Olli Haukkovaara [EMAIL PROTECTED] wrote:
>> Sorry guys, but this particular URL, www.orkut.com, makes us Finns smile... Orkut means in our language orgasms. I just had to share this with you, please forgive me, it's almost Friday night ;-)
>>
>> Regards,
>> Olli
>>
>> On 9/7/06, Julio Cesar Fort [EMAIL PROTECTED] wrote:
>>>> I have found url redirection vulnerability on www.orkut.com.
>>>
>>> Man, I don't want to disappoint you but this redirection vulnerability is pretty old and has been used in Brazil for some time. This vulnerability was noticed in the beginning of the year, maybe, when orkut had changed its authentication scheme. I'm sure orkut was already notified by other people but they hadn't patched it yet and the phishing keeps going on :)
>>>
>>> Sorry about any grammatical errors.
>>>
>>> Regards,
>>> Julio Cesar Fort
>>> Recife, PE, Brazil
>>> www.rfdslabs.com.br - computers, sex, human mind, music and more.
>>
>> --
>> terveisin, Olli
>
> - Carlos Cardoso - Nonconformist Blogger
> http://www.carloscardoso.com == mischief
> http://www.contraditorium.com == ProBlogging and digital culture

--
http://peterdawson.typepad.com
PeterDawson Home of ThoughtFlickr's
This message is printed on Recycled Electrons.
[Full-disclosure] [USN-343-1] bind9 vulnerabilities
===========================================================
Ubuntu Security Notice USN-343-1               September 07, 2006
bind9 vulnerabilities
CVE-2006-4095, CVE-2006-4096
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  bind9                          1:9.2.4-1ubuntu1.1

Ubuntu 5.10:
  bind9                          1:9.3.1-2ubuntu1.1

Ubuntu 6.06 LTS:
  bind9                          1:9.3.2-2ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

bind did not sufficiently verify particular requests and responses from
other name servers and users. By sending a specially crafted packet, a
remote attacker could exploit this to crash the name server.

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.2.4-1ubuntu1.1.diff.gz
      Size/MD5:    91339 974f57903aa0403bc7973699848820de
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.2.4-1ubuntu1.1.dsc
      Size/MD5:      746 196a4a6177368697c5bae6cd688ec40a
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.2.4.orig.tar.gz
      Size/MD5:  4564219 2ccbddbab59aedd6b8711b628b5472bd

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9-doc_9.2.4-1ubuntu1.1_all.deb
      Size/MD5:   157054 9de9c53dd907c72093eb3cac4cb58e57

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9-host_9.2.4-1ubuntu1.1_amd64.deb
      Size/MD5:    96056 063da23c4db0704ea30230bc6acac904
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.2.4-1ubuntu1.1_amd64.deb
      Size/MD5:   288708 6de568eb1a0129b9ec03272f046daa79
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/dnsutils_9.2.4-1ubuntu1.1_amd64.deb
      Size/MD5:   165266 fe32e19fb1131a10d0c76fa24a5d52a5
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libbind-dev_9.2.4-1ubuntu1.1_amd64.deb
      Size/MD5:  1011062 01a15e46983f70d7a6c97feb0fcba428
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libdns16_9.2.4-1ubuntu1.1_amd64.deb
      Size/MD5:   487588 297bdf5ac093517afc675ba96936543b
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisc7_9.2.4-1ubuntu1.1_amd64.deb
      Size/MD5:   164744 b42d44fcf6a6ccc25be7dc46dd780598
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisccc0_9.2.4-1ubuntu1.1_amd64.deb
      Size/MD5:    77878 3ecf75a5abf534c0030fd0df1dcbd43d
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisccfg0_9.2.4-1ubuntu1.1_amd64.deb
      Size/MD5:    93042 996063073313792e3f4fe3bcc457010a
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/liblwres1_9.2.4-1ubuntu1.1_amd64.deb
      Size/MD5:    94182 309b54b2b1fa1090a590aeefa09da062
    http://security.ubuntu.com/ubuntu/pool/universe/b/bind9/lwresd_9.2.4-1ubuntu1.1_amd64.deb
      Size/MD5:   189226 1d3523ecf7d91c2eebe9a79d0dd5fd66

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9-host_9.2.4-1ubuntu1.1_i386.deb
      Size/MD5:    93288 4663e7341c739204ae08f9fef6429c4d
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.2.4-1ubuntu1.1_i386.deb
      Size/MD5:   272172 41032ad3488940d189b9de8411073431
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/dnsutils_9.2.4-1ubuntu1.1_i386.deb
      Size/MD5:   156730 3c61b149b30b6d28d0e064523ba3e61b
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libbind-dev_9.2.4-1ubuntu1.1_i386.deb
      Size/MD5:   916978 409adc88bdad0659003dc8bba6d5e4fd
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libdns16_9.2.4-1ubuntu1.1_i386.deb
      Size/MD5:   439798 0e1b4183357f48d428f24ec20d66f23f
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisc7_9.2.4-1ubuntu1.1_i386.deb
      Size/MD5:   149958 6080eeb1f250fa666070de7b401e9921
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisccc0_9.2.4-1ubuntu1.1_i386.deb
      Size/MD5:    75924 09ebe034eb5164159666a1df11c6d28d
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisccfg0_9.2.4-1ubuntu1.1_i386.deb
      Size/MD5:    88108 6230b87f8460a264a0e47828e1a0a2b2
    http://security.ubuntu.com/ubuntu/pool/main/b/bind9/liblwres1_9.2.4-1ubuntu1.1_i386.deb
      Size/MD5:    91150 ea258471da1cddba1bafb58a1002d800
    http://security.ubuntu.com/ubuntu/pool/universe/b/bind9/lwresd_9.2.4-1ubuntu1.1_i386.deb
      Size/MD5:   179088 188ed5d72fc3bbbe8551a9a7448b4f98

  powerpc architecture (Apple Macintosh G3/G4/G5)
[Full-disclosure] Black Hat Briefings Japan Speakers Selected!
Hello Full Disclosure readers,

The Black Hat Briefings Japan '06 speakers have been selected. We received many presentations this year and we have chosen a broad sampling of topics facing security professionals today, with an emphasis on issues facing the Asian Pacific region.

The schedule (http://www.blackhat.com/html/bh-japan-06/bh-jp-06-en-schedule.html) is online now and available on our Black Hat Japan site (http://www.blackhat.com/html/bh-japan-06/bh-jp-06-main.html) in both English and Japanese. There will be 2 tracks, over 2 days, comprised of renowned information and computer security professionals.

We have a wide selection of topics this year, from Catching Malware (http://www.blackhat.com/html/bh-japan-06/bh-jp-06-en-speakers.html#Wicherski) to an updated Subverting Vista Kernel (http://www.blackhat.com/html/bh-japan-06/bh-jp-06-en-speakers.html#Rutkowska):

  Alex Stamos and Zane Lackey - Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0
  Jeremiah Grossman - Hacking Intranet websites from the outside: Malware just got a lot more dangerous
  Dan Moniz - Six Degrees of XSSploitation
  Paul Bohm - Taming Bugs: The art and science of writing secure code
  Joanna Rutkowska - Subverting Vista Kernel For Fun And Profit
  Kenneth Geers and Alexander Eisen - IPv6 World Update Strategy Tactics
  Heikki Kortti - Input Attack Trees
  Mr. Sugiura - Winny P2P security
  Darren Bilby - Low Down and Dirty: Anti-Forensic Rootkits
  Thorsten Holz and Georg Wicherski - Catching Malware to Detect, Track and Mitigate Botnets
  Yuji Hoshizawa - TBD
  Scott Stender - Attacking Internationalized Software

Please check out the speakers page for updates: http://www.blackhat.com/html/bh-japan-06/bh-jp-06-en-speakers.html There you will find abstracts for the upcoming presentations and get background information on our speakers.

To register visit us on-line at: http://www.blackhat.com/html/bh-registration/bh-registration.html#Japan. Act fast, our early bird discount will end September 15th.

We look forward to seeing you at Tokyo, Keio Plaza Hotel, October 3-6th, 2006. More information on this year's venue is available at: http://www.blackhat.com/html/bh-japan-06/bh-jp-06-en-venue.html

Thank you,
Jeff Moss
[Full-disclosure] Debian perl old, perlmagick uninstallable
[Wrote to the Debian perl and perlmagick maintainers a couple of days ago, but no response. Maybe unrelated, but also no response to the ftpd bug http://bugs.debian.org/384454 in a couple of weeks; and of course Debian default permissions are broken as per policy after a couple of years, http://bugs.debian.org/299007 and http://bugs.debian.org/384922. Is Debian response going the way of Microsoft?]

Currently package perlmagick is uninstallable on stable/sarge, because perl is old: I guess perl should be updated to 5.8.4-8sarge5 everywhere.

The file http://security.debian.org/dists/sarge/updates/main/binary-i386/Packages.gz contains

  Package: perlmagick
  Version: 6:6.0.6.2-2.7
  Depends: perl (= 5.8.4-8sarge4) ...

though it only contains

  Package: perl
  Version: 5.8.4-8sarge3

I also note that http://packages.debian.org/stable/perl/perl shows just Package: perl (5.8.4-8sarge5), whereas http://packages.debian.org/cgi-bin/search_packages.pl?keywords=perlsearchon=namesversion=stablerelease=all shows both 5.8.4-8sarge5 and 5.8.4-8sarge3.

Cheers,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
RE: [Full-disclosure] Active Directory accounts
I'm sorry for the people who let you pull off data from their AD. If you don't know how or when lastlogon is touched, you have no business doing what you are doing.

Deji

From: Steven Rakick
Sent: Thu 9/7/2006 1:36 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Active Directory accounts

> Hello,
>
> I have a question regarding some data I pulled off a customer's AD. We recently ran an AD scan to identify several user account violation types using AD Inspector (www.obtuse.net/software/adinspector). Basically the search contained filters for users who don't have password expirations enabled and also users who haven't logged in in the last 90 days (stale accounts).
>
> Anyway, the results were quite surprising and I'd like to validate them. My question is this. Is the lastLogon AD account property updated any time a user authenticates to AD regardless of the service? Like, if I log in to a 3rd party application which uses LDAP integration with AD for authentication, will that update the user's lastLogon property in AD?
[Full-disclosure] New Azwalaro project, is a French Open Source Nids project
Hi,

I'm happy to announce the start of a new project: the Azwalaro NIDS open source project.

This project is under development (pre-alpha version) because I could not find another open source NIDS product that is easy to extend and works with the very good ethereal/wireshark dissector library!

It's time to work with a new NIDS parser!

- fix uri content
- work with ssl session
- search on mime attachment
- reduce false alerts

There is still much work, but it is the next rules standard of network intrusion detection.

http://www.crusoe-researches.com/azwalaro/

You can find an example on http://www.crusoe-researches.com/azwalaro/parser.html

Any comments, development, testing, are welcome!

Azwalaro is distributed under the GPL license.

Happy Detect!

Rmkml
email: [EMAIL PROTECTED]
[Full-disclosure] Re: Debian perl old, perlmagick uninstallable
Sheepish retraction: was all my fault. The Debian perl maintainer got in contact with me:

  ... [5.8.4-8sarge5 has] been included in a point release of stable (3.1r3). ...
  If you have
    deb http://mirror/debian sarge main
    deb http://security.debian.org/ sarge/updates main
  ...

and my problem was that I have kept up-to-date on security, but have not updated the release part.

(I wonder if it was just a coincidence that I got the message a few hours after whingeing on FD...)

Cheers,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
[Full-disclosure] [SECURITY] [DSA 1159-2] New Mozilla Thunderbird packages fix several problems
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1159-2                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 8th, 2006                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-thunderbird
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-2779 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807
                 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810
CERT advisories: VU#466673 VU#655892 VU#687396 VU#876420 VU#911004
BugTraq IDs    : 18228 19181

The latest security updates of Mozilla Thunderbird introduced a
regression that led to a dysfunctional attachment panel which warrants
a correction to fix this issue. For reference please find below the
original advisory text:

Several security related problems have been discovered in Mozilla and
derived products such as Mozilla Thunderbird. The Common
Vulnerabilities and Exposures project identifies the following
vulnerabilities:

CVE-2006-2779
    Mozilla team members discovered several crashes during testing of
    the browser engine showing evidence of memory corruption which may
    also lead to the execution of arbitrary code. The last bit of this
    problem will be corrected with the next update. You can prevent any
    trouble by disabling Javascript. [MFSA-2006-32]

CVE-2006-3805
    The Javascript engine might allow remote attackers to execute
    arbitrary code. [MFSA-2006-50]

CVE-2006-3806
    Multiple integer overflows in the Javascript engine might allow
    remote attackers to execute arbitrary code. [MFSA-2006-50]

CVE-2006-3807
    Specially crafted Javascript allows remote attackers to execute
    arbitrary code. [MFSA-2006-51]

CVE-2006-3808
    Remote AutoConfig (PAC) servers could execute code with elevated
    privileges via a specially crafted PAC script. [MFSA-2006-52]

CVE-2006-3809
    Scripts with the UniversalBrowserRead privilege could gain
    UniversalXPConnect privileges and possibly execute code or obtain
    sensitive data. [MFSA-2006-53]

CVE-2006-3810
    A cross-site scripting vulnerability allows remote attackers to
    inject arbitrary web script or HTML. [MFSA-2006-54]

For the stable distribution (sarge) these problems have been fixed in
version 1.0.2-2.sarge1.0.8b.2.

For the unstable distribution (sid) these problems have been fixed in
version 1.5.0.5-1.

We recommend that you upgrade your mozilla-thunderbird package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2.dsc
      Size/MD5 checksum:     1003 359853df29b29253164e9aef34d18066
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2.diff.gz
      Size/MD5 checksum:   486593 3759fe23473ecb6cee532cb47cdd4e63
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2.orig.tar.gz
      Size/MD5 checksum: 33288906 806175393a226670aa66060452d31df4

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_alpha.deb
      Size/MD5 checksum: 12849016 fdf32dcb741195378d9079231aba21cd
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_alpha.deb
      Size/MD5 checksum:  3279426 879ae924d100517f98ee7f39a84e1bb2
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_alpha.deb
      Size/MD5 checksum:   151696 dd6911608eb54bebc7fbcdb58e5d63bb
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_alpha.deb
      Size/MD5 checksum:    33138 9581f8f0be21162692672e55d5f00640
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_alpha.deb
      Size/MD5 checksum:    89106 06a2f4752c619fb6a80d15d8fd1741de

  AMD64 architecture: