Re: [Full-disclosure] Orkut Phishing Attack
Old bug in old bottle. This is an often discussed bug in FD.

Pranay Kanwar [EMAIL PROTECTED] wrote:
> orkut is an online community that connects people through a network of trusted friends.
> The login URL looks like this:
>
>   https://www.orkut.com/GLogin.aspx?done=http://www.orkut.com/
>
> After successfully logging in the user is redirected to http://www.orkut.com
>
> The URL in the done argument can be changed to redirect to an arbitrary website, for example:
>
>   https://www.orkut.com/GLogin.aspx?done=http://www.metaeye.org
>
> After logging in the user will be directed to metaeye.org

--
Sincerely
Ajay Pal Singh Atwal

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [scip_Advisory 2555] Sun Secure Global Desktop prior 4.3 multiple remote vulnerabilities
Sun Secure Global Desktop prior 4.3 multiple remote vulnerabilities

scip AG Vulnerability ID 2555 (09/21/2006)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2555

I. INTRODUCTION

Sun Secure Global Desktop (SSGD, formerly known as Tarantella[1]) is an open-source remote desktop solution with a basic amount of security. More information is available at the official product demo web site at the following URL:

https://sgddemo.sun.com/

II. DESCRIPTION

Marc Ruef at scip AG found six undisclosed web-based vulnerabilities in Sun Secure Global Desktop prior 4.3. These can be divided into two classes:

1. Cross site scripting

Some scripts that are not protected by any authentication procedure can be used to run arbitrary script code within a cross site scripting attack.

2. Revealing of sensitive information

Some scripts that are not protected by any authentication procedure can be accessed to reveal sensitive information (e.g. internal hostnames, applied software version, details about settings) about the target host.

III. EXPLOITATION

Classic script injection techniques and unexpected input data within a browser session can be used to exploit these vulnerabilities. A plugin for the open-source exploiting framework Attack Tool Kit (ATK) will be published in the near future. [2]

We are not going to publish any further technical details or an exploit suite because Sun has not published any patches as far as we know. See vendor response and disclosure timeline for further details.

IV. IMPACT

Because non-authenticated parts of the software are affected, these vulnerabilities are serious for every secure environment. Non-authenticated users might be able to exploit the flaws to gain elevated privileges (e.g. extracting sensitive cookie information or launching a buffer overflow attack against another web browser).

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or intrusion detection system. Patterns for such a detection are available and easy to implement.

VI. SOLUTION

We have informed Sun at a very early stage. They said that the problems will be addressed with a bugfix for the currently shipping version 4.2 and will no longer exist in the upcoming version 4.3. We were told that the public release for the patch is at the end of August 2006. Because no public release was made and our last emails were not answered, we do not know what kind of official solution is available. This is why we are not going to publish any technical details or exploits at the moment.

De-activate the following scripts to gain a higher level of security:

- ttaarchives.cgi
- ttaAuthentication.jsp
- ttalicense.cgi
- ttawlogin.cgi
- ttawebtop.cgi
- ttaabout.cgi
- test-cgi

VII. VENDOR RESPONSE

Sun Microsystems Inc. was informed a first time on 07/04/2006 via email to contactus-at-sun.com. Because no reply came back we decided to forward the report on 07/18/2006 to security-alert-at-sun.com. A first response came back on the same day. Several email messages were exchanged to discuss the vulnerabilities and to co-ordinate the disclosure of this advisory. However, the last emails since 09/15/2006 have not been answered.

VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2555

computec.ch document data base (german)
http://www.computec.ch/download.php?list.26

IX. DISCLOSURE TIMELINE

06/06/06 Identification of the vulnerabilities
07/04/06 First information to contactus-at-sun.com
07/18/06 Second information to security-alert-at-sun.com
09/15/06 Sending the last email which is still unanswered
09/21/06 Public disclosure of this advisory

X. CREDITS

The vulnerabilities were discovered by Marc Ruef.

Marc Ruef, scip AG, Zuerich, Switzerland
maru-at-scip.ch
http://www.scip.ch

A1. BIBLIOGRAPHY

[1] http://news.com.com/Sun+to+buy+Tarantella/2100-1012_3-5701487.html
[2] http://www.computec.ch/projekte/atk/

A2. LEGAL NOTICES

Copyright (c) 2006 scip AG, Switzerland. Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory.
[Full-disclosure] RSA Keon Log verification bypass vulnerability
Arhont Ltd. - Information Security

Arhont Advisory by: Andrei Mikhailovsky
Advisory: RSA Keon Manager log verification bypass
Product release: Versions 6.6 and 6.5.1
Arhont ref: arh200605-1
Class: Design flaw
Model Specific: Other versions of RSA Keon are likely to be vulnerable

DETAILS:

During the analysis of RSA Keon Certificate Authority Manager, Arhont Ltd consultants have discovered several vulnerabilities in the Log Verification function. A rogue CA (Certificate Authority) administrator or any local administrative user with access to the CA server could manipulate the secure logging process to disguise his/her activities.

The RSA Keon product has a designed role separation capability to enable the specific role of the CA Auditor, separate from the role of the CA Administrator. The CA Auditor is responsible for looking over the activity of the CA, including CA reconfiguration, certificate vetting, signing, revocation, suspension, etc. The Auditor relies on the logging facility of the Keon software, which has a Log verification function. This option checks the cryptographic hash signatures embedded in the log file against the contents of the log file to prevent log modification. The log files generated by the Keon software are signed and stored for the purpose of verification and are designed to be tamper proof. However, Arhont consultants have found at least two ways to bypass the Log verification functionality of the RSA Keon software.

Vulnerability 1

The default installation of the Keon stores xml logs in a "C:\Program Files\RSA Security\RSA_KeonCA\LogServer\logs\filename.xml" file. The logs are stored in the following format:

<LOG BLOCK 1>
  <SIG BLOCK>
    <LOG ENTRY 1> .. </LOG ENTRY 1>
    <LOG ENTRY 2> .. </LOG ENTRY 2>
    .. .. .. ..
  </SIG BLOCK>
  SIGNATUREHASH
</LOG BLOCK 1>
<LOG BLOCK 2>
  <SIG BLOCK>
    <LOG ENTRY 1> .. </LOG ENTRY 1>
    <LOG ENTRY 2> .. </LOG ENTRY 2>
    .. .. .. ..
  </SIG BLOCK>
  SIGNATUREHASH
</LOG BLOCK 2>
.. .. ..

Depending on the activity cycle of the Keon CA, each log file usually contains a number of blocks as shown above. It is possible to delete the entire LOG BLOCK with its signature from the log file without failing the verification process of the Log verification functionality of the Keon Software. Therefore, it would be possible to hide malicious activity from the CA Auditor. The log verification function seems to lack the capability to store a cryptographic checksum of the entire LOG BLOCK pool in each of the log files. Instead, it only stores the cryptographic checksum for each of the LOG BLOCKs.

During the RSA Keon analysis Arhont consultants have found the following methods of deleting logs to be effective against the Log Verification function:

1. It is possible to swap, duplicate, or add the first and the last LOG BLOCK from each of the files in the log directory.
2. It is possible to swap, duplicate, add or delete the LOG BLOCK located anywhere in the file. However, deleting the first and the last LOG BLOCK from the log file gives an integrity failure message in the verification function.

Vulnerability 2

The local system administrator of the CA server or any user having read/write access to the RSA Keon LogServer directory can delete, add and modify any entries in the live log file. Once the file has been tampered with, it will remain on the server until the next log rotation schedule. Once the log file is rotated, the cryptographic hashing and signing is performed and the log entries are grouped and signed. The log files are then available for the CA Auditor to monitor and verify. As you can see, there is an opportunity for a rogue or disgruntled CA administrator to perform malicious activities and remove the corresponding logs before they are cryptographically signed by the LogServer. Once the signing is done, the Auditor can successfully verify the log files that have been tampered with.

RISK FACTOR:

The risk factor of Vulnerability 1 and 2 highly depends on the organisation and the use of the RSA Keon CA. In organisations where the CA functionality is not highly critical to the business activities and continuity, the Risk factor is moderate. However, in the organisations where the Certificate Authority use is paramount to the security and business continuity and where the Logging activities should be closely monitored and audited, vulnerabilities present a high risk factor. Therefore, this could present a threat to the organisational compliance with
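The missing link the advisory points at (no checksum over the whole LOG BLOCK pool) is easiest to see side by side with a chained variant. This is an added example written for this digest, not Arhont's or RSA's code: HMAC-SHA256 with a constructed key stands in for the LogServer's signature, the sample blocks are constructed, and the Auditor is assumed to keep the last block's signature outside the log directory.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the LogServer signing key (assumption: the advisory does not
# document the real signature scheme; any signature over the same bytes behaves the same).
SIGNING_KEY = b"constructed-demo-signing-key"


def entries_digest(entries):
    """Canonical digest of one LOG BLOCK's entries."""
    return hashlib.sha256(json.dumps(entries, sort_keys=True).encode()).hexdigest()


def sign_blocks_unchained(blocks):
    """The scheme the advisory describes: every LOG BLOCK carries only its own SIGNATUREHASH."""
    return [{"entries": e,
             "sig": hmac.new(SIGNING_KEY, entries_digest(e).encode(), "sha256").hexdigest()}
            for e in blocks]


def verify_unchained(signed):
    """Passes as long as each surviving block matches its own signature, so a block removed
    together with its SIGNATUREHASH (Vulnerability 1) is never noticed."""
    return all(hmac.compare_digest(
        b["sig"], hmac.new(SIGNING_KEY, entries_digest(b["entries"]).encode(), "sha256").hexdigest())
        for b in signed)


def sign_blocks_chained(blocks):
    """Each signature also covers the block's sequence number and the previous signature,
    which binds the whole LOG BLOCK pool of the file together."""
    out, prev = [], "genesis"
    for seq, e in enumerate(blocks):
        msg = f"{seq}|{prev}|{entries_digest(e)}".encode()
        sig = hmac.new(SIGNING_KEY, msg, "sha256").hexdigest()
        out.append({"seq": seq, "prev": prev, "entries": e, "sig": sig})
        prev = sig
    return out


def verify_chained(signed, head_sig):
    """`head_sig` is the last signature, kept by the Auditor outside the log directory;
    without it, truncating the tail of the chain would still verify."""
    prev = "genesis"
    for seq, b in enumerate(signed):
        if b["seq"] != seq or b["prev"] != prev:
            return False  # block missing, swapped, duplicated or inserted
        msg = f"{seq}|{prev}|{entries_digest(b['entries'])}".encode()
        if not hmac.compare_digest(b["sig"], hmac.new(SIGNING_KEY, msg, "sha256").hexdigest()):
            return False  # entries edited inside a block
        prev = b["sig"]
    return hmac.compare_digest(prev, head_sig)


# Constructed sample: four rotation blocks; block 1 holds the activity a rogue admin wants hidden.
SAMPLE_BLOCKS = [
    [{"id": 1, "event": "config change", "by": "caadmin"}],
    [{"id": 2, "event": "certificate issued", "subject": "CN=rogue", "by": "caadmin"}],
    [{"id": 3, "event": "certificate revoked", "serial": "0x2a", "by": "caadmin"}],
    [{"id": 4, "event": "log rotation", "by": "logserver"}],
]


def deletion_goes_unnoticed():
    """Returns (unchained_result, chained_result) after block 1 is dropped with its signature."""
    plain = sign_blocks_unchained(SAMPLE_BLOCKS)
    chained = sign_blocks_chained(SAMPLE_BLOCKS)
    head = chained[-1]["sig"]
    del plain[1]
    del chained[1]
    return verify_unchained(plain), verify_chained(chained, head)


if __name__ == "__main__":
    print(deletion_goes_unnoticed())  # (True, False)
```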
Re: [Full-disclosure] SQL Injection In MSN
Aditya Sood wrote:
> Hi Everyone
>
> A very crafty SQL injection found in the MSN Website. Sending you the details
>
> Attachment: pdf
>
> ZeroKnock
> MetaEye Security
> http://zeroknock.metaeye.org

Yeah, you crazy man, looks more like this document is trying to load JavaScript. There is NO need to make it PDF, instead of the new found vulnerabilities in Adobe PDF viewer... I did not test what the JavaScript starts, but at least post useful information and not try to fool this list.
[Full-disclosure] [USN-350-1] Thunderbird vulnerabilities
===
Ubuntu Security Notice USN-350-1
September 21, 2006

mozilla-thunderbird vulnerabilities

CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3804, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812, CVE-2006-4253, CVE-2006-4340, CVE-2006-4565, CVE-2006-4566, CVE-2006-4567, CVE-2006-4570, CVE-2006-4571
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  mozilla-thunderbird                 1.5.0.7-0ubuntu0.5.10
  mozilla-thunderbird-locale-ca       1.5-ubuntu5.10
  mozilla-thunderbird-locale-de       1.5-ubuntu5.10
  mozilla-thunderbird-locale-fr       1.5-ubuntu5.10
  mozilla-thunderbird-locale-it       1.5-ubuntu5.10
  mozilla-thunderbird-locale-nl       1.5-ubuntu5.10
  mozilla-thunderbird-locale-pl       1.5-ubuntu5.10
  mozilla-thunderbird-locale-uk       1.5-ubuntu5.10
  mozilla-thunderbird-enigmail        2:0.94-0ubuntu0.5.10
  mozilla-thunderbird-inspector       1.5.0.7-0ubuntu0.5.10
  mozilla-thunderbird-typeaheadfind   1.5.0.7-0ubuntu0.5.10

After a standard system upgrade you need to restart Thunderbird to effect the necessary changes.

Please note that Thunderbird 1.0.8 in Ubuntu 5.04 is also affected by these problems. An update will be provided shortly.

Details follow:

This update upgrades Thunderbird from 1.0.8 to 1.5.0.7. This step was necessary since the 1.0.x series is not supported by upstream any more.

Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious email containing JavaScript. Please note that JavaScript is disabled by default for emails, and it is not recommended to enable it. (CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812, CVE-2006-4253, CVE-2006-4565, CVE-2006-4566, CVE-2006-4571)

A buffer overflow has been discovered in the handling of .vcard files. By tricking a user into importing a malicious vcard into his contacts, this could be exploited to execute arbitrary code with the user's privileges. (CVE-2006-3804)

The NSS library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge valid signatures without the need of the secret key. (CVE-2006-4340)

Jon Oberheide reported a way in which a remote attacker could trick users into downloading arbitrary extensions while circumventing the normal SSL certificate check. The attacker would have to be in a position to spoof the victim's DNS, causing them to connect to sites of the attacker's choosing rather than the sites intended by the victim. If they gained that control and the victim accepted the attacker's cert for the Mozilla update site, then the next update check could be hijacked and redirected to the attacker's site without detection. (CVE-2006-4567)

Georgi Guninski discovered that even with JavaScript disabled, a malicious email could still execute JavaScript when the message is viewed, replied to, or forwarded, by putting the script in a remote XBL file loaded by the message. (CVE-2006-4570)

The enigmail plugin and the translation packages have been updated to work with the new Thunderbird version.
Updated packages for Ubuntu 5.10:

Source archives:
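What "did not sufficiently check the padding" means for CVE-2006-4340 is a verifier that walks the 00 01 ff..ff 00 structure and stops looking after the hash, instead of comparing the whole encoded message. This is an added example written for this digest, not NSS's code: an RFC 3447 EMSA-PKCS1-v1_5 encoder, the byte-for-byte comparison the standard calls for, and a structure-walking parser of the lax kind beside it. The RSA step (recovering EM as s^e mod n) is left out, so the functions work on the recovered encoded message; the 128-byte length and the message are constructed.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefixes from RFC 3447 section 9.2 (AlgorithmIdentifier + OCTET STRING header).
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def emsa_pkcs1_v15_encode(message, hash_name, em_len):
    """EM = 0x00 || 0x01 || PS (at least 8 bytes of 0xff) || 0x00 || T, exactly em_len bytes."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def verify_em_strict(em, message, hash_name):
    """RFC 3447 8.2.2 step 4: rebuild the expected EM and compare all of it.
    The padding length is fixed by len(em), so nothing can sit after T unnoticed."""
    try:
        expected = emsa_pkcs1_v15_encode(message, hash_name, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def verify_em_lax(em, message, hash_name):
    """The flawed shape: walk 00 01 ff..ff 00, look for T, ignore whatever follows.
    With a short PS the tail of EM is unconstrained, which is what makes the e=3
    forgery practical. Kept only to contrast with the strict check above."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i == len(em) or em[i] != 0x00:
        return False
    i += 1
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    return em[i:i + len(t)] == t  # bytes after T are never examined


# Constructed inputs: a 1024-bit modulus gives em_len = 128.
EM_LEN = 128
MESSAGE = b"constructed certificate-to-be-signed"


def well_formed_em():
    return emsa_pkcs1_v15_encode(MESSAGE, "sha1", EM_LEN)


def short_padding_em():
    """Structurally plausible EM with only 8 bytes of PS, T, then zero filler up to em_len."""
    t = DIGEST_INFO_PREFIX["sha1"] + hashlib.sha1(MESSAGE).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (EM_LEN - len(head))


def compare_checks(em):
    """Returns (strict_result, lax_result) for one recovered EM."""
    return verify_em_strict(em, MESSAGE, "sha1"), verify_em_lax(em, MESSAGE, "sha1")


if __name__ == "__main__":
    print(compare_checks(well_formed_em()))    # (True, True)
    print(compare_checks(short_padding_em()))  # (False, True)
```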
[Full-disclosure] [CAID 34616, 34617, 34618]: CA eSCC and eTrust Audit vulnerabilities
Title: CAID 34616, 34617, 34618: CA eTrust Security Command Center and eTrust Audit vulnerabilities

CA Vulnerability ID (CAID): 34616, 34617, 34618
CA Advisory Date: 2006-09-20
Discovered By: Patrick Webster of aushack.com
Impact: Remote attacker can read/delete files, or potentially execute replay attacks.

Summary:
CA eTrust Security Command Center (eSCC) and eTrust Audit contain multiple remotely exploitable vulnerabilities.

o The first vulnerability allows attackers to discover the web server path on Windows platforms. This vulnerability affects eTrust Security Command Center Server component versions 1.0, r8, r8 SP1 CR1, and r8 SP1 CR2.

o The second vulnerability allows attackers to read and delete arbitrary files from the host server with permissions of the service account. This vulnerability affects eTrust Security Command Center Server component versions r8, r8 SP1 CR1, and r8 SP1 CR2.

o The third vulnerability allows attackers to potentially execute external replay attacks. To mitigate this vulnerability, users should utilize perimeter firewalls to block access to the event system. This vulnerability affects eTrust Security Command Center Server component versions 1.0, r8, r8 SP1 CR1, and r8 SP1 CR2, and eTrust Audit versions 1.5 and r8.

Mitigating Factors:
Attacker must have valid authentication credentials to read or delete files, as described in the second vulnerability above.

Severity:
CA has given this vulnerability a Medium risk rating.

Affected Products:
CA eTrust Security Command Center 1.0
CA eTrust Security Command Center r8
CA eTrust Security Command Center r8 SP1 CR1
CA eTrust Security Command Center r8 SP1 CR2
CA eTrust Audit 1.5
CA eTrust Audit r8

Affected platforms:
Microsoft Windows

Status and Recommendation:
Apply the appropriate patch to eTrust Security Command Center to address the first and second vulnerabilities described above.

Patch URL (note that URL may wrap):
http://supportconnectw.ca.com/public/etrust/etrust_scc/downloads/etrustscc_updates.asp

For the third vulnerability, utilize perimeter firewalls to block access to the event system.

Determining if you are affected:
Check the registry version key.
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Security Command Center
Look for Version key:
Version 1.0.15 (eTrust Security Command Center 1.0)
Version 8.0.11 (eTrust Security Command Center r8)
Version 8.0.25 (eTrust Security Command Center r8 SP1 CR1)
Version 8.0.25.8 (eTrust Security Command Center r8 SP1 CR2)

References (URLs may wrap):

CA SupportConnect:
http://supportconnect.ca.com/

CA SupportConnect Security Notice for these vulnerabilities:
http://supportconnectw.ca.com/public/etrust/etrust_scc/infodocs/etrustscc_notice.asp

CAID: 34616, 34617, 34618
CAID Advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34616
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34617
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34618

Discoverer (Patrick Webster from aushack.com):
http://users.tpg.com.au/adsl2dvp/advisories/200608-computerassociates.txt

CVE References: CVE-2006-4899, CVE-2006-4900, CVE-2006-4901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4901

OSVDB References: OSVDB IDs: 29009, 29010, 29011
http://osvdb.org/29009
http://osvdb.org/29010
http://osvdb.org/29011

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report your findings to [EMAIL PROTECTED], or utilize our Submit a Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, One Computer Associates Plaza. Islandia, NY 11749
Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright (c) 2006 CA. All rights reserved.
Re: [Full-disclosure] New virus - possible rootkit
This appears to be an IRC bot that encrypts its traffic to fly beneath the radar. What makes it more interesting is that the directories it creates have SYSTEM ownership and only SYSTEM and creator/owner can access the files. Changing permissions on the files or directories will only be changed back. It also appears that if you remove the file, it will start revoking permissions on all files and will remove everyone's but SYSTEM's permission to all files.

I've been talking about this for about a year now... Sometimes BEFORE there was a worm who exploited the features of EFS in NTFS, winxp now this threat.

http://72.14.203.104/search?hl=zh-TWq=cache%3Ahttp%3A%2F%2Fbipin.securityhead.com%2Fall.html

--
Bipin Gautam
http://bipin.tk

Zeroth law of security: The possibility of poking a system from lower privilege is zero unless until there is possibility of direct, indirect or consequential communication between the two...
[Full-disclosure] Call for Papers and Tutorials for the 19th Annual FIRST Conference, June 17-22, 2007
FIRST 19th Annual Conference, June 17 - 22, 2007, Melia Seville hotel, Seville, Spain
Private Lives and Corporate Risk: Digital Privacy - Hazards and Responsibilities.

Call for Papers

This is a call for papers and tutorials for the 19th Annual FIRST Conference. This text is also available at:
http://www.first.org/conference/2007/call_for_papers.html

Overview

The Forum of Incident Response and Security Teams (FIRST, http://www.first.org/) is a global non-profit organization dedicated to bringing together computer security incident response teams (CSIRTs) and includes response teams from 180 corporations, government bodies, universities and other institutions spread across the Americas, Asia, Europe and Oceania.

The annual FIRST conference not only provides a setting for participants to attend tutorials and hear presentations by leading experts in the CSIRT community, it also creates opportunities for networking, collaboration, and sharing technical information. Just as importantly, the conference enables attendees to meet their peers and build confidential relationships across corporate disciplines and geographical boundaries.

FIRST conference participants include not only CSIRT staff, but also IT managers, network and system administrators, software and hardware vendors, law enforcement representatives, security solutions providers, telecommunications organizations, ISPs, and general computer and network security personnel.

FIRST conferences cover a broad range of security related topics such as (but not limited to):

- Advanced techniques in security incident prevention, detection and response.
- Latest advances in computer and network security tools.
- Shared views, experiences, and resolutions in the computer security incident response field.

The Conference

The conference is a five-day event, comprising two days of Tutorials and three days of Plenary Sessions focused on either Business or Technical issues. These include paper presentations, keynote speeches, Panel discussions and Birds-of-a-Feather Sessions.

New features planned for this year's conference include:

- Geek Zone - Presentations with a Hands On Format aimed at smaller, more technical audiences of up to 30 people.
- Lightning Talks - short presentations or speeches by any attendee on any topic, which can be scheduled into conference proceedings with the approval of the organisers.
- SIG (Special Interest Group) meetings
- Beer 'n Gear where vendors demonstrate their equipment
- Vendor Booths
- Security Challenge
- Entertainment at Conference Dinner

The theme for the 2007 conference is 'Private Lives and Corporate Risk: Digital Privacy - Hazards and Responsibilities'. The conference language is English.

Call for Papers

The FIRST program committee solicits original contributions for this conference, which are broadly based on the theme of 'Digital Privacy'. All submissions must reflect original work and must adequately document any overlap with previously published or simultaneously submitted papers from any of the authors. If authors have any doubts regarding whether such overlap exists, they should contact the program chairs prior to submission.

Papers will be scheduled as part of the Main Conference. Timeslots are available in three lengths:

a) 50 minutes, with 10 minutes question time
b) 40 minutes, with 10 minutes question time
c) 25 minutes, with 5 minutes question time.

The program committee is also looking for contributions to the 'Geek Zone', where presentations last for three hours and which are aimed at a smaller, more technical audience of up to 30 people. These presentations are intended to include live demos and involve their audiences in active participation.

It is important that your presentation/class is:

- Topical
- Unique

You should not present with the aim of gaining the audience's interest in any commercial application or product, in other words: NO MARKETING PAPERS.

All submissions must be in English in MS Office, OpenOffice or PDF format.

Process of Selection

All paper submissions will be handled electronically through the web Conference Manager at:
https://www.softconf.com/starts/FIRST2007/

The program committee will evaluate all submissions based on quality and relevance. All submissions are held in confidence prior to publication in the proceedings. Submissions received after the deadline (see Important Dates below) will not be considered unless the program chair has granted an extension.

Where employer, client, or government authorization is needed, it is the responsibility of the author(s) to obtain such authorization prior to submitting the final materials.

Accepted papers will be presented by their author(s) and will be published in the conference proceedings with associated Speaker Biographies and Photographs. The proceedings are