[Full-disclosure] Devil Linux 1.2.10 has an IRC bot onboard
Hi!

While building and testing a customized version of the DevilLinux router distro I found an IRC bot onboard. As far as I understood, it was EnergyMech compiled from source right there plus some executable named TODO (for camouflage purposes). The stuff unfolds at /shm/sshd/ and runs somehow. Sadly, I had no time for a detailed investigation. It leaves an overall impression of a script kiddie's work.

In the last few days the DevilLinux website seems to be dead.

Victor Grishchenko
Digital Channels Network
Yekaterinburg, Russia

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Joe Job - to blue pill
On Wed, 18 Oct 2006 13:40:32 CDT, vile said:

> guess what, losers? i'm god.

Since English is not a heavily inflected language, word order is vitally important for the reader as they try to parse your sentence. As a result, it's generally considered good netiquette to not post stuff on the net when you're too drunk to get the words "God, I'm such a loser" in the correct order.
Re: [Full-disclosure] Windows XP SP2 .manifest file BSOD
Microsoft mentions a fix at:
http://support.microsoft.com/kb/921337
(haven't tested it though ...)

regards,
Tiago Halm

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of /dev/null
Sent: Tuesday, 17 October 2006 19:10
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Windows XP SP2 .manifest file BSOD

Hi list,

simple PoC for a known (four years old) .manifest file local DoS. Tested on Windows XP SP2, no crashdump generated. You can use the manifest file on *any* GUI application.

http://users.volja.net/database/manifest.zip

Cheers,
E.

http://www.email.si/
[Full-disclosure] Advisory 11/2006: Serendipity Weblog XSS Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security Advisory =-

     Advisory: Serendipity Weblog XSS Vulnerabilities
 Release Date: 2006/10/19
Last Modified: 2006/10/19
       Author: Stefan Esser [EMAIL PROTECTED]

  Application: Serendipity <= 1.0.1
     Severity: Multiple XSS vulnerabilities within the administration
               interface allow Cross Site Scripting attacks against
               the blog admin
         Risk: Critical
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_112006.136.html

Overview:

  Quote from http://www.s9y.org

  "Serendipity is a PHP-powered weblog application which gives the user
   an easy way to maintain an online diary, weblog or even a complete
   homepage. While the default package is designed for the casual
   blogger, Serendipity offers a flexible, expandable and easy-to-use
   framework with the power for professional applications."

  During a quick audit of Serendipity it was discovered that multiple
  XSS vulnerabilities exist in the administration area. Because of these
  vulnerabilities it is possible for an attacker that tricks an admin
  into visiting a specially prepared website to perform any
  administrative action in the blog. This includes posting entries or
  adding additional admin users.

  Tricking a blog admin into visiting a certain website is usually as
  simple as mentioning a URL in the comments of his blog.

Details:

  Serendipity failed to correctly sanitize user input on the media
  manager administration page. The content of GET variables was written
  into JavaScript strings. By using standard string evasion techniques
  it was possible to execute arbitrary JavaScript.

  Additionally Serendipity dynamically created an HTML form on the media
  manager administration page that contained all variables found in the
  URL as hidden fields. While the variable values were correctly escaped
  it was possible to break out by specifying strange variable names.

Proof of Concept:

  The Hardened-PHP Project is not going to release exploits for this
  vulnerability to the public.

Disclosure Timeline:

  05. October 2006 - Contacted Serendipity developers by email
  18. October 2006 - Updated Serendipity was released
  19. October 2006 - Public Disclosure

Recommendation:

  It is strongly recommended to upgrade to the newest version of
  Serendipity 1.0.2 which you can download at:

  http://prdownloads.sourceforge.net/php-blog/serendipity-1.0.2.tar.gz?download

GPG-Key:

  http://www.hardened-php.net/hardened-php-signature-key.asc

  pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
  Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFN6xcRDkUzAqGSqERAjoGAJ9coU5lI5WOMrFCsGylRpOtwX0ifACg3TZ0
074k4shsfTsLA6aXBQc72uY=
=Ognk
-----END PGP SIGNATURE-----
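The Details section names two distinct sink contexts: a request value written into a JavaScript string literal, and request parameter names (not just values) reflected into hidden form fields. Each context needs its own encoding, and a name that is not identifier-shaped should not be reflected at all. The following Python is an added illustration of that defensive handling; it is not code from Serendipity or the Hardened-PHP Project, and the function names, the allow-list pattern for field names and the sample query strings are constructed for the example.

```python
import html
import json
import re
from urllib.parse import parse_qsl

# Allow-list shape for parameter names that may be echoed back as hidden-field
# names (constructed for this example). Letters, digits, underscore and the
# "name[key]" array syntax are accepted; quotes, spaces and angle brackets
# can never reach the markup as part of a name.
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_\[\]]*$")


def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal safe inside an inline <script>.

    json.dumps escapes quotes and backslashes and (with ensure_ascii, the
    default) writes non-ASCII characters such as U+2028 as \\uXXXX escapes.
    The extra replacements turn '<' and '>' into escapes too, so a value like
    '</script>' cannot close the surrounding script element; inside a JS
    string literal the escaped form still decodes to the same characters.
    """
    encoded = json.dumps(value)
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e")


def script_block(var_name: str, value: str) -> str:
    """Render a server-provided value into an inline script assignment."""
    return "<script>var %s = %s;</script>" % (var_name, js_string_literal(value))


def hidden_fields(query_string: str) -> str:
    """Re-emit URL parameters as hidden inputs.

    Values are attribute-escaped (including both quote characters); names are
    checked against the allow-list and dropped when they do not match, rather
    than escaped, because a form field with a strange name is never wanted.
    """
    parts = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if not _NAME_RE.match(name):
            continue  # malformed name: not reflected at all
        parts.append(
            '<input type="hidden" name="%s" value="%s" />'
            % (html.escape(name, quote=True), html.escape(value, quote=True))
        )
    return "\n".join(parts)


if __name__ == "__main__":
    # Constructed inputs of the two shapes the advisory describes.
    print(script_block("path", '"; alert(1); //'))
    print(script_block("path", "</script><script>"))
    print(hidden_fields('dir=uploads&bad"name=1&serendipity[step]=1&x=<b>'))
```

The two functions are deliberately not interchangeable: HTML attribute escaping does nothing for a value inside a JavaScript string, and JSON encoding does nothing for a value inside an attribute, which is why the same request parameter has to be encoded for the context it actually lands in.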
Re: [Full-disclosure] Devil Linux 1.2.10 has an IRC bot onboard
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Victor,

Victor Grishchenko <gritzko at plotinka.ru> writes:

> While building and testing a customized version of DevilLinux router
> distro I found an IRC bot onboard. As far as I understood, it was
> EnergyMech compiled from source right there plus some executable named
> TODO (for camouflage purposes). The stuff unfolds at /shm/sshd/ and
> runs somehow. Sadly, I had no time for detailed investigation. It
> leaves an overall impression of script kiddie's work.
>
> Last days DevilLinux website seems to be dead.

I am the project leader of Devil-Linux.

First of all, our website is up and was not down at any time.

I don't know how this bot got on your system, but what you're writing does not make any sense.

1. There's no bot included in the DL sources.
2. It can never have been compiled on a running DL system, because there are no compilers included.
3. It can only have been introduced (compiled from source as you say) if the machine you compiled DL on was compromised.
4. The location you specify (/shm) is a ramdisk. So it must be copied onto the system after it boots up. This can only be the case if you have the system wide open and somebody can log in easily.
5. I verified the official 1.2.10 release and there's no bot to be seen.

So it seems the problem does not lie with Devil-Linux, but rather with your own system.

Please stop spreading accusations like this, especially without properly analyzing the issue first.

Regards
  Heiko Zuerker
  http://www.devil-linux.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iEYEARECAAYFAkU3suQACgkQUcytMSbs+YX8RgCgkxOwclrtMFfp95/cPet0qvef
J1wAnAyRX9HXEspUD16YsMBkdFfA5bwE
=dRcY
-----END PGP SIGNATURE-----
[Full-disclosure] [DRUPAL-SA-2006-025] Drupal 4.6.10 / 4.7.4 fixes CRF issue
Drupal security advisory                               DRUPAL-SA-2006-025
Project:          Drupal core
Date:             2006-Oct-18
Security risk:    Highly critical
Exploitable from: Remote
Vulnerability:    Cross site request forgeries

Description
-----------
Visiting a specially crafted page, anywhere on the web, may allow that page to post forms to a Drupal site in the context of the visitor's session.

To illustrate: suppose one has an active user 1 session, the most powerful administrator account for a site, to a Drupal site while visiting a website created by an attacker. This website will now be able to submit any form to the Drupal site with the privileges of user 1, either by enticing the user to submit a form or by automated means. An attacker can exploit this vulnerability by changing passwords, posting PHP code or creating new users, for example. The attack is only limited by the privileges of the session it executes in.

Versions affected
-----------------
- Drupal 4.6.x versions before Drupal 4.6.10
- Drupal 4.7.x versions before Drupal 4.7.4

Solution
--------
- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
  http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.
  http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz
- To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-025/4.6.9.patch.
- To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-025/4.7.3.patch.

Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.6.10 or 4.7.4.

Important note for Drupal 4.6.10
--------------------------------
Any custom forms that do not use the proper form API functions, such as raw HTML forms, will break for authenticated users and need to be updated. The easiest way to do so is to add the output of form_token() before the closing form tag. For phptemplate themes, add the following code before the closing form tag:

  <?php print form_token() ?>

A number of modules and themes generate raw HTML forms. Check the list of modules and themes to see if that is an issue for your site. We advise you test modules and themes in use before committing to an upgrade.

Important note for Drupal 4.7.4
-------------------------------
Drupal 4.7.4 adds a new form field to all forms. Contributed modules and themes that assume only specific, known form fields to be present may break on Drupal 4.7.4. We advise you test modules and themes in use before committing to an upgrade.

Reported by
-----------
Garvin Hicking.

Contact
-------
The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.

// Uwe Hermann, on behalf of the Drupal Security Team.

-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
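The "Important note for Drupal 4.6.10" describes the fix in terms of form_token(): every form carries a hidden value that a page on another site cannot know or compute, so a cross-site POST arriving without it is refused even though the browser attaches the victim's session cookie. The following Python is an added, stand-alone sketch of that synchronizer-token pattern, not Drupal's implementation; the secret, the session identifiers, the form ids and the field names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example; a real site keeps this
# out of the code base and rotates it if it is ever exposed.
SITE_SECRET = b"constructed-example-secret-do-not-reuse"


def form_token(session_id: str, form_id: str, secret: bytes = SITE_SECRET) -> str:
    """Token bound to both the visitor's session and the specific form.

    Binding to the session means a token seen in one session is useless in
    another; binding to the form id means a token taken from a harmless form
    cannot be replayed against a sensitive one. HMAC keeps the token
    unforgeable without storing anything server-side per form.
    """
    message = f"{session_id}:{form_id}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def render_form(session_id: str, form_id: str, action: str) -> str:
    """Server-side rendering: the token travels as a hidden field."""
    token = form_token(session_id, form_id)
    return (
        f'<form action="{action}" method="post">'
        f'<input type="hidden" name="form_id" value="{form_id}" />'
        f'<input type="hidden" name="form_token" value="{token}" />'
        "</form>"
    )


def accept_submission(session_id: str, post: dict) -> bool:
    """Gate for every state-changing POST: recompute and compare the token.

    The comparison is constant-time so the check does not leak how many
    leading characters of a submitted token were correct. compare_digest
    requires ASCII strings, so anything else is rejected up front.
    """
    form_id = post.get("form_id")
    supplied = post.get("form_token")
    if not form_id or not isinstance(supplied, str) or not supplied.isascii():
        return False
    expected = form_token(session_id, form_id)
    return hmac.compare_digest(expected, supplied)


def demo() -> tuple:
    """Three submissions against one victim session (all values constructed)."""
    victim_session = secrets.token_hex(16)
    # 1. The site's own form, rendered into this session and posted back.
    genuine = {"form_id": "user_edit",
               "form_token": form_token(victim_session, "user_edit")}
    # 2. A form posted from a third-party page: the session cookie is sent by
    #    the browser, but the page had no way to learn the matching token.
    cross_site = {"form_id": "user_edit"}
    # 3. A token copied from a different session: rejected by the session binding.
    other_session = {"form_id": "user_edit",
                     "form_token": form_token("some-other-session", "user_edit")}
    return (
        accept_submission(victim_session, genuine),
        accept_submission(victim_session, cross_site),
        accept_submission(victim_session, other_session),
    )


if __name__ == "__main__":
    print(render_form("example-session", "user_edit", "/user/1/edit"))
    print(demo())  # (True, False, False)
```

This also explains both compatibility notes in the advisory: a raw HTML form that never calls form_token() now fails the check for authenticated users, and any code that enumerates a form's fields sees one more hidden field than before.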
[Full-disclosure] [DRUPAL-SA-2006-024] Drupal 4.6.10 / 4.7.4 fixes multiple XSS issues
Drupal security advisory                               DRUPAL-SA-2006-024
Project:          Drupal core
Date:             2006-Oct-18
Security risk:    Moderately critical
Exploitable from: Remote
Vulnerability:    Cross site scripting

Description
-----------
Multiple XSS (cross site scripting) vulnerabilities have been discovered. A bug in input validation and lack of output validation allows HTML and script insertion on several pages.

Drupal's XML parser passes unescaped data to watchdog under certain circumstances. A malicious user may execute an XSS attack via a specially crafted RSS feed. This vulnerability exists on systems that do not use PHP's mb_string extension (to check if mb_string is being used, navigate to admin/settings and look under String handling). Disabling the aggregator module provides an immediate workaround.

The aggregator module, profile module, and forum module do not properly escape output of certain fields.

Note: XSS attacks may lead to administrator access if certain conditions are met.

Versions affected
-----------------
- Drupal 4.6.x versions before Drupal 4.6.10
- Drupal 4.7.x versions before Drupal 4.7.4

Solution
--------
- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
  http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.
  http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz
- To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-024/4.6.9.patch.
- To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-024/4.7.3.patch.

Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.6.10 or 4.7.4.

Reported by
-----------
- The XML parser vulnerability was reported by Erdem Köse.
- The forum module vulnerability was reported by Jim Phlew.
- The other vulnerabilities were found by members of the Drupal security team.

Contact
-------
The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.

// Uwe Hermann, on behalf of the Drupal Security Team.

-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
[Full-disclosure] [DRUPAL-SA-2006-026] Drupal 4.6.10 / 4.7.4 fixes HTML attribute injection issue
Drupal security advisory                               DRUPAL-SA-2006-026
Project:          Drupal core
Date:             2006-Oct-18
Security risk:    Less critical
Exploitable from: Remote
Vulnerability:    HTML attribute injection

Description
-----------
A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a URL, for example, will submit all data, such as his/her e-mail address, but also possibly private profile data, to a third-party site.

Versions affected
-----------------
- Drupal 4.6.x versions before Drupal 4.6.10
- Drupal 4.7.x versions before Drupal 4.7.4

Solution
--------
- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
  http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.
  http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz
- To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-026/4.6.9.patch.
- To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-026/4.7.3.patch.

Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.6.10 or 4.7.4.

Reported by
-----------
Frederic Marand.

Contact
-------
The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.

// Uwe Hermann, on behalf of the Drupal Security Team.

-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
[Full-disclosure] Genetic method to detect the presence of any virtual machine
Microsoft Virtual Machine VMWARE information disclosure Vulnerability

Note: Though not limited to these two products, this trick can be used as a genetic method to detect the presence of any virtual machine regardless of the OS used at this date. But (from a friendly source) I came to know these all represent design decisions by the software makers. Isn't THAT RIDICULOUS!!!?

Tested on:
  Microsoft Virtual PC 5.3.582.27
  VMware Workstation 4.5.2 build-8848

Virtual Machines are very often used in new virus/trojan analysis, honeypots, IDS etc. But an attacker or malicious code can easily figure out if it's inside a Virtual Machine or a Real System by querying various hardware parameters/features from the OS. If the virtual machine responds back with too much, too little, UNKNOWN or suspicious hardware information on ANY SYSTEM HARDWARE (virtual) it can always be clearly guessed that the user/code is inside the virtual machine. Moreover the emulated BIOS in the virtual Machine is almost the same for the version release, which can be detected from the virtual OS.

Below are my Findings (which is obviously not a complete list but is enough to draw conclusions for a software/person that it is inside a virtual machine). I was surprised to get even the information of the PRIVATE LICENSED PRODUCT KEY while I was querying Motherboard System Information inside the virtual machine.

So here are the data: System Query outputs inside the virtual machine that will clearly demonstrate the presence of a Virtual Machine, which are obviously unique fakes that don't resemble the real hardware information.

---
(Query Output inside Microsoft Virtual Machine)

  Hdd Model: Virtual HD
  Firmware version : 1. 1
  Serial number:
  Buffer size : 64 KB
  Standard :

When queried for the information: Ram Memory speed, Manufacturer, Serial No., Voltage, CPU clock ratio, Max allowed frequency
--- The information is unknown to the system

  Motherboard:
  Company Brand Name: Vmware, Inc
  VMware Video Chipset
  Video Memory information
  System Manufacturer : VMware, Inc
  Product Name: VMware Virtual Platform
  Product Version

( Output inside VMWARE )

  HDD Model: VMware Virtual IDE Hard Drive
  Firmware version : 0001
  Serial number: 0001
  Buffer size : 64 KB
  Standard :
  Company Brand Name: Microsoft Corporation Virtual Machine

When queried for the information: CPU clock ratio, Max allowed frequency not displayed

  Motherboard Model: Microsoft Corporation Virtual Machine
  The L1, L2, L3 cache size information unknown
  The device names for hdd CD were Virtual HD, Virtual CD

And for ATA security mode and other ATA features (in both virtual machines):

  S.M.A.R.T: no
  48-bit Address : no
  Read Look-Ahead : no
  Write Cache : no
  Host Protected Area : no
  Device Configuration Overlay : no
  Automatic Acoustic Management: no
  Power Management : no
  Advanced Power Management: no
  Power-up in Standby : no
  Security Mode: no
  Firmware Upgradable : no
---

Querying just a few of the above mentioned pieces of information from inside the virtual machine can IMMEDIATELY PROVE the presence of a virtual machine, not the actual system.

A virus/worm MAY (can?) effectively bypass detection while being executed/detected in a sandbox if the same principle is applied in the coding/execution cycle by doing an actual hardware detect.

(Could you please test the principle with the NORMAN sandbox (similar sandbox technology which is based on behavior detection), as its license clauses don't fit me as a tester. Encrypt a known virus/worm with a key file... with the condition below using hardware detect on any of the above parameters. PLEASEE let us know about the results over here.)

  say,
  if sandbox_detected(say_hello_world);
  else start_code_decryption();

best regards,
-bipin

---
http://groups.google.com/group/AntiForensics
-Where you will learn to PROTECT your DIGITAL PRIVACY.
Re: [Full-disclosure] Genetic method to detect the presence of any virtual machine
> Microsoft Virtual Machine VMWARE information disclosure Vulnerability

This is not a vulnerability. Microsoft even document the motherboard method themselves.
[Full-disclosure] [ MDKSA-2006:186 ] - Updated kdelibs packages fix KHTML vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:186
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : kdelibs
 Date    : October 19, 2006
 Affected: 2007.0, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered in the way that Qt handled pixmap images
 and the KDE khtml library used Qt in such a way that untrusted
 parameters could be passed to Qt, resulting in an integer overflow.
 This flaw could be exploited by a remote attacker in a malicious
 website that, when viewed by an individual using Konqueror, would cause
 Konqueror to crash or possibly execute arbitrary code with the
 privileges of the user.

 Updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4811
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.0:
 0468fedc69128d4967771b9132b756f4  2007.0/i586/kdelibs-common-3.5.4-19.1mdv2007.0.i586.rpm
 2dc30948c1fdce7e25d9b7a8a9379e51  2007.0/i586/kdelibs-devel-doc-3.5.4-19.1mdv2007.0.i586.rpm
 7c637c18db5254991e86662b4d0a3dbd  2007.0/i586/libkdecore4-3.5.4-19.1mdv2007.0.i586.rpm
 2990a2078b4971d5b3fff5a8282834aa  2007.0/i586/libkdecore4-devel-3.5.4-19.1mdv2007.0.i586.rpm
 de92b184fd62a8aa54278c0a7aeb5f43  2007.0/SRPMS/kdelibs-3.5.4-19.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 e067573bb458b0606e19c8950fedb860  2007.0/x86_64/kdelibs-common-3.5.4-19.1mdv2007.0.x86_64.rpm
 5143af28520ea05d50bc07a92523bf5a  2007.0/x86_64/kdelibs-devel-doc-3.5.4-19.1mdv2007.0.x86_64.rpm
 452cd5fe9b000d31911cc8b19dbed9ca  2007.0/x86_64/lib64kdecore4-3.5.4-19.1mdv2007.0.x86_64.rpm
 22e66d820ad6e94c332df514e756b06c  2007.0/x86_64/lib64kdecore4-devel-3.5.4-19.1mdv2007.0.x86_64.rpm
 de92b184fd62a8aa54278c0a7aeb5f43  2007.0/SRPMS/kdelibs-3.5.4-19.1mdv2007.0.src.rpm

 Corporate 3.0:
 692f918e3e7acbe933684d973261ca0c  corporate/3.0/i586/kdelibs-common-3.2-36.16.C30mdk.i586.rpm
 8537e316e30762eb2420e0c2412ffaf8  corporate/3.0/i586/libkdecore4-3.2-36.16.C30mdk.i586.rpm
 37d09cd7b937ac25e98b87fe4161bfe1  corporate/3.0/i586/libkdecore4-devel-3.2-36.16.C30mdk.i586.rpm
 815b64f8f6d1309414fa128ff049fa8a  corporate/3.0/SRPMS/kdelibs-3.2-36.16.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 80f41ba7cab5c29812574b255487ff75  corporate/3.0/x86_64/kdelibs-common-3.2-36.16.C30mdk.x86_64.rpm
 690b32020e45a8f1e1d7cff8dc3d342b  corporate/3.0/x86_64/lib64kdecore4-3.2-36.16.C30mdk.x86_64.rpm
 39f37ea645b542dfd872b015d7b2db53  corporate/3.0/x86_64/lib64kdecore4-devel-3.2-36.16.C30mdk.x86_64.rpm
 8537e316e30762eb2420e0c2412ffaf8  corporate/3.0/x86_64/libkdecore4-3.2-36.16.C30mdk.i586.rpm
 815b64f8f6d1309414fa128ff049fa8a  corporate/3.0/SRPMS/kdelibs-3.2-36.16.C30mdk.src.rpm

 Corporate 4.0:
 3561f4ec95d79ede9284cb1ff897681b  corporate/4.0/i586/kdelibs-arts-3.5.4-1.2.20060mlcs4.i586.rpm
 3e19560491f720fd9034a95dfb4f529d  corporate/4.0/i586/kdelibs-common-3.5.4-1.2.20060mlcs4.i586.rpm
 633e83e144a3a0daa1057ecae48a0991  corporate/4.0/i586/kdelibs-devel-doc-3.5.4-1.2.20060mlcs4.i586.rpm
 853c0d7af1b8515c9226eb3ff1ae0e52  corporate/4.0/i586/libkdecore4-3.5.4-1.2.20060mlcs4.i586.rpm
 ffe121c5ed1528769d981a5b5d526b81  corporate/4.0/i586/libkdecore4-devel-3.5.4-1.2.20060mlcs4.i586.rpm
 52f9f74e64bf4da50df95c02d350fa11  corporate/4.0/SRPMS/kdelibs-3.5.4-1.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 6ad107993dc8ba3726eb47bb087393e4  corporate/4.0/x86_64/kdelibs-arts-3.5.4-1.2.20060mlcs4.x86_64.rpm
 4be667bf1d745fedc81314d697e3320a  corporate/4.0/x86_64/kdelibs-common-3.5.4-1.2.20060mlcs4.x86_64.rpm
 a1480b53dcf74c2af2c044c0da4b45d7  corporate/4.0/x86_64/kdelibs-devel-doc-3.5.4-1.2.20060mlcs4.x86_64.rpm
 e40a8bb434849c3976ba57f1e52ba78e  corporate/4.0/x86_64/lib64kdecore4-3.5.4-1.2.20060mlcs4.x86_64.rpm
 4e488a23bad70524ef7d731b834cbe50  corporate/4.0/x86_64/lib64kdecore4-devel-3.5.4-1.2.20060mlcs4.x86_64.rpm
 52f9f74e64bf4da50df95c02d350fa11  corporate/4.0/SRPMS/kdelibs-3.5.4-1.2.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
Re: [Full-disclosure] Genetic method to detect the presence of any virtual machine
Hmm,

When looking at a PC keyboard, *T* and *R* are just located side by side...

- Juha-Matti

>> Note: Though not limited to these two products, this trick can be used
>> as a genetic method to detect the presence of any virtual machine
>
> Gene*R*ic. The word you're looking for is generic. Genetic means to
> do with DNA and stuff. Generic means universal, widespread, non-branded.

--clip--
Re: [Full-disclosure] Genetic method to detect the presence of any virtual machine
Bipin Gautam wrote:

> Microsoft Virtual Machine VMWARE information disclosure Vulnerability
>
> Note: Though not limited to these two products, this trick can be used
> as a genetic method to detect the presence of any virtual machine

Gene*R*ic. The word you're looking for is generic. Genetic means to do with DNA and stuff. Generic means universal, widespread, non-branded.

> (Query Output inside Microsoft Virtual Machine)
>
> Motherboard:
> Company Brand Name: Vmware, Inc
> VMware Video Chipset
> Video Memory information
> System Manufacturer : VMware, Inc
> Product Name: VMware Virtual Platform
>
> ( Output inside VMWARE )
>
> Company Brand Name: Microsoft Corporation Virtual Machine
>
> Motherboard Model: Microsoft Corporation Virtual Machine

I think you got the two sets of query outputs mixed up as well.

> Querying just a few of the above mentioned pieces of information from
> inside the virtual machine can IMMEDIATELY PROVE the presence of a
> virtual machine, not the actual system.

True. Is it possible to change them, short of binary patching the vm executable?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today
[Full-disclosure] iDefense Security Advisory 10.19.06: Kaspersky Labs Anti-Virus IOCTL Local Privilege Escalation Vulnerability
Kaspersky Labs Anti-Virus IOCTL Local Privilege Escalation Vulnerability

iDefense Security Advisory 10.19.06
http://www.idefense.com/intelligence/vulnerabilities/
Oct 19, 2006

I. BACKGROUND

Kaspersky Anti-Virus provides virus and spyware protection. More information about Kaspersky Labs Anti-Virus can be found by visiting http://www.kaspersky.com/

II. DESCRIPTION

Local exploitation of a design error vulnerability in Kaspersky Labs Anti-Virus allows an attacker to execute arbitrary code with kernel privileges.

The vulnerability specifically exists due to improper address space validation when the KLIN and KLICK device drivers process IOCTL 0x80052110. By passing a specially crafted Irp structure to the affected IOCTL handler, attackers can cause the driver to execute arbitrary code via a CALL instruction using user supplied data. Execution of data stored in user-land buffers is trivial.

III. ANALYSIS

Exploitation allows attackers to gain elevated privileges by executing code within kernel context. This allows attackers to gain control of the affected system. However, local access is required for exploitation to be successful.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability within version 2.0.0.281 of the KLICK and KLIN device drivers as shipped with 6.0.0.303 of Kaspersky Labs Anti-Virus. Previous versions are suspected to be vulnerable as well.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

Kaspersky Labs has addressed this vulnerability with version 2.0.0.333 of the KLIN.sys and KLICK.sys device drivers. These drivers can be obtained by utilizing Kaspersky's update service.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-4926 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

09/18/2006  Initial vendor notification
09/19/2006  Initial vendor response
10/19/2006  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Rubén Santamarta of reversemode.com.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
[Full-disclosure] Google Source Code Bug Finder - Automated Version
An automated version of the Google source code Bug Finder:

http://www.cipher.org.uk/projects/bugle/BugleAutomated.php
Re: [Full-disclosure] Genetic method to detect the presence of any virtual machine
>> as a genetic method to detect the presence of any virtual machine
>
> Gene*R*ic. The word you're looking for is generic. Genetic means to
> do with DNA and stuff. Generic means universal, widespread, non-branded.
>
>> ( Output inside VMWARE )
>> Company Brand Name: Microsoft Corporation Virtual Machine
>> Motherboard Model: Microsoft Corporation Virtual Machine

YA )O; And I got the two sets of query outputs mixed up as well.

>> Querying just a few of the above mentioned pieces of information from
>> inside the virtual machine can IMMEDIATELY PROVE the presence of a
>> virtual machine, not the actual system.
>
> True. Is it possible to change them, short of binary patching the vm
> executable?

NO, NOT POSSIBLE I SUPPOSE WITH PATCHING, BECAUSE IT'S A COMPLETELY BIG ISSUE HERE.

I already told: if the virtual machine responds back with too much, too little, UNKNOWN or suspicious hardware information on ANY SYSTEM HARDWARE (virtual) it can always be clearly guessed that the user/code is inside the virtual machine.

Let me explain...

Changing information like Ram Memory speed, Manufacturer, Serial No., Voltage, CPU clock ratio, Max allowed frequency, L1, L2, L3 cache size information (which the VM has no idea about right now) and all other minor details in all hardware peripherals to make the VM respond as if it were real hardware is another mountainous task, even if the VMWARE developers decide to fix it. Doing it with just reverse engineering, I would be really really impressed!

Moreover... say if all versions of virtual machines finally can respond back with info like: motherboard intel ???, processor p4, hdd samsung, monitor philips etc. EVEN when they show such legitimate info, all these combinations of the hardware type will be a type of uniqueness, a fingerprint of the presence of a VM, unless the VM supports several hardware types, is able to RESPOND BACK WITH VALID LOOKING INFORMATION, and has DIFFERENT virtual hardware profiles that the user can choose, which look like a common hardware combination from machines which are common in the market.

But you see... using names like samsung, sygate, intel, philips, AMD and emulating their hardware properties would require $$$ royalty contracts with all the companies (for using/emulating their product as well as name), and yet it's still another big task to get cooperation from the companies to let them do so. WHY do you think all these issues were represented as design decisions by the software makers (ok let us all stop playing the fool)? BECAUSE this is why! It's not just a technical problem. This way it becomes strategic/political between companies too. So the VM makers pretend "oOo these were all design decisions, all (semi?) documented" hahah, do we look soo foolish?.. THIS ISSUE IS THERE TO STAY.

Suppose even if they manage partial permission to emulate hardware, BUT THAT WOULD REQUIRE say... even when the attacker tries a firmware upgrade on particular hardware, the PC should let him do it if he/she has system privilege (which is the case most of the time; most hardware supports firmware upgrade as you know). Failure to do so could again be a UNIQUE/SUSPICIOUS FINGERPRINT. I can already imagine DOZENS of possibilities/issues, because just a simple patch isn't going to fix this issue in any way unless the VM becomes OSS (we already have OSS alternates) or some third party decides to write an ILLEGAL patch to fix the issue during compile time of the binary itself (but which would again require VERY SERIOUS REVERSE ENGINEERING TO LET THE HARDWARE EMULATION HAPPEN).

A person argued with me... "no, this can't be taken as an issue; once the compromise has happened the VM has served its purpose". But you see, if the attacker (say automated or manual), when they detect a VM, will immediately cocoon away instead of doing anything further, that would seriously hinder the purpose for which the HONEYPOT was made.

Like these days we have SPAM filters which also block spam by email IP (say blacklist), I wouldn't be surprised if in the next worm outbreak an attacker decides to map all the IP addresses on the internet for a few hours and create his/her own blacklist of NEVER_VISIT_THE_IP_AGAIN_which_runs_VIRTUAL_MACHINE.. It's very possible.

What do you think guys? Show some support, write to the companies!

-bipin

**
http://groups.google.com/group/AntiForensics
-Where you will learn to PROTECT your DIGITAL PRIVACY.
^^
[Full-disclosure] trouble in milwaukee?
Trying to access from Philadelphia to Milwaukee, I get erratic network drops going through Time Warner Telecom. Anyone aware of any issue? This apparently started around 7:30p EDT.
Re: [Full-disclosure] trouble in milwaukee?
On Thu, 19 Oct 2006 21:59:05 EDT, Edward F. Klimowicz said:

Trying to access from Philadelphia to Milwaukee, I get erratic network drops going through Time Warner Telecom. Anyone aware of any issue? This apparently started around 7:30p EDT.

Yeah, some skript kiddies with an IOS exploit were causing BGP flaps. Not really - but if there were, that would be almost the only way it could be on-topic for full-disclosure. I don't suppose you have anything more specific to go on, like an actual traceroute or something? Or other data that explains why you think it's Time Warner rather than their up/downstream?
[Full-disclosure] [CAID 34693, 34694]: CA BrightStor ARCserve Backup Multiple Buffer Overflow Vulnerabilities (UPDATED)
Our original fixes for the BrightStor ARCserve Backup vulnerabilities that we publicly disclosed on 2006-10-05 (http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=93775&date=2006/10) did not completely resolve one of the vulnerabilities. Consequently, we have released new fixes that need to be applied. Please note that these do not replace the original fixes. Both fixes (each release needs two fixes) need to be applied. A revised advisory can be found below, and at this link:
http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=94397&date=2006/10

Title: CAID 34693, 34694: CA BrightStor ARCserve Backup Multiple Buffer Overflow Vulnerabilities (UPDATED)

CA Vulnerability ID (CAID): 34693, 34694

CA Advisory Date: 2006-10-05
CA Revised Advisory Date: 2006-10-19

Discovered By: TippingPoint, www.zerodayinitiative.com

Impact: Remote attacker can execute arbitrary code.

Summary: CA BrightStor ARCserve Backup contains multiple buffer overflow conditions that allow remote attackers to execute arbitrary code with local SYSTEM privileges on Windows. These issues affect the BrightStor Backup Agent Service, the Job Engine Service, and the Discovery Service in multiple BrightStor ARCserve Backup application agents and the Base product.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a High risk rating.

Affected Products:

BrightStor Products:
- BrightStor ARCserve Backup r11.5 SP1 and below (SP2 does not have this vulnerability)
- BrightStor ARCserve Backup r11.1
- BrightStor ARCserve Backup for Windows r11
- BrightStor Enterprise Backup 10.5
- BrightStor ARCserve Backup v9.01

CA Protection Suites r2:
- CA Server Protection Suite r2
- CA Business Protection Suite r2
- CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
- CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

Affected platforms: Microsoft Windows

Status and Recommendation:
Customers with vulnerable versions of the BrightStor ARCserve Backup products should upgrade to the latest versions which are available for download from http://supportconnect.ca.com.

Solution Document Reference APARs: QO82860, QO82863, QO82917, QO82856, QO82858

The original fixes did not completely resolve one of the vulnerabilities. Consequently, an additional fix needs to be applied. Please note that these do not replace the original fixes. Both fixes (each release needs two fixes) need to be applied.

Solution Document Reference APARs: QO83306, QO83307, QO83308, QO83309

Determining if you are affected:
For a list of updated files, and instructions on how to verify that the security update was fully applied, please review the Informational Solution referenced in the appropriate Solution Document.

References (URLs may wrap):

CA SupportConnect:
http://supportconnect.ca.com/

CA SupportConnect Security Notice for this vulnerability:
Important Security Notice for BrightStor ARCserve Backup (Buffer Overrun)
http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp

Solution Document Reference APARs: QO82860, QO82863, QO82917, QO82856, QO82858, QO83306, QO83307, QO83308, QO83309

CA Security Advisor Research Blog postings:
http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=93775&date=2006/10
http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=94397&date=2006/10

CAID: 34693, 34694

CAID Advisory links:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34693
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34694

Discoverer: TippingPoint
http://www.tippingpoint.com/security/advisories/TSRT-06-11.html
http://www.tippingpoint.com/security/advisories/TSRT-06-12.html
http://www.zerodayinitiative.com/advisories/ZDI-06-030.html
http://www.zerodayinitiative.com/advisories/ZDI-06-031.html

CVE Reference: CVE-2006-5142, CVE-2006-5143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143

OSVDB References: OSVDB IDs: 29580, 29533, 29534, 29535
http://osvdb.org/29580
http://osvdb.org/29533
http://osvdb.org/29534
http://osvdb.org/29535

Changelog for this advisory:
v1.0 - Initial Release
v2.0 - Advisory updated: new fixes available that must be installed, IN ADDITION TO the original fixes, to properly resolve all of the vulnerability issues. Fixed incorrect blog link. Added OSVDB references.

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report your findings to [EMAIL PROTECTED], or utilize our Submit a Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability