[Full-disclosure] Advisory : Redirection And Phishing Vulnerability In AOL My.ScreeName.com

2006-11-29 Thread Aditya Sood

Advisory : Severe Phishing And Redirection Attacks In AOL ScreenName Website
By : Zeroknock [at] Metaeye.Org

Dated : 23 November 2006
Severity : Critical

Explanation :
The AOL ScreenName website is subject to phishing attacks, as redirection
is possible by manipulating the URL. This flaw occurs whenever a user is
registered on the ScreenName website with the login page specified as:

URL : my.screenname.aol.com/_cqr/login/aimPrelogin.psp?

After a successful login with the desired username and password, the
traffic is redirected to the destination. The attacker exploits the URL
parameters by redirecting as:

my.screenname.aol.com/_cqr/login/aimPrelogin.psp?siteState=redirect@WebsiteName

Example :
my.screenname.aol.com/_cqr/login/[EMAIL PROTECTED]://www.slashdot.org

The whole site with this URL paradigm is vulnerable to these attacks.

Vendor Status : Reported. Patched.
The security parameters are changed.




Aditya K Sood
Handle : Zeroknock
http://zeroknock.metaeye.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
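The advisory above describes a post-login redirect whose destination is taken from a URL parameter. The following is an added example (not AOL's code and not part of the advisory) of the allowlist check a login handler should apply before honouring such a parameter: only a same-site absolute path, or an https URL whose host exactly matches a fixed list, is accepted, and a host containing '@' (the "redirect@http://..." shape shown above) is rejected rather than split. The parameter name, the allowlist and the fallback page are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Assumed allowlist of redirect hosts (lowercase, exact match only). */
const char *const kAllowedHosts[] = { "my.screenname.aol.com" };
const size_t kAllowedHostCount = sizeof(kAllowedHosts) / sizeof(kAllowedHosts[0]);

/* Accepts only an absolute path on this site: a single leading '/',
 * no protocol-relative "//host", no backslash (browsers treat it as '/'),
 * no '@', no control or whitespace characters, and no percent-encoded
 * '/' or '\' that a decoding layer could turn into one of the above. */
bool is_safe_local_redirect(const char *target)
{
    size_t i, len;

    if (target == NULL)
        return false;
    len = strlen(target);
    if (len == 0 || len > 2048)
        return false;
    if (target[0] != '/')
        return false;
    if (len > 1 && (target[1] == '/' || target[1] == '\\'))
        return false;                      /* "//evil.example" style */

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (c < 0x20 || c == 0x7f || c == ' ')
            return false;                  /* control chars / whitespace */
        if (c == '@' || c == '\\')
            return false;                  /* userinfo trick, backslash */
        if (c == '%' && i + 2 < len) {
            char hi = (char)tolower((unsigned char)target[i + 1]);
            char lo = (char)tolower((unsigned char)target[i + 2]);
            if ((hi == '2' && lo == 'f') || (hi == '5' && lo == 'c'))
                return false;              /* encoded '/' or '\' */
        }
    }
    return true;
}

/* Extracts the host of an "https://host/..." URL (lowercased) into out.
 * Fails if the scheme is not https, the authority is empty, too long, or
 * contains '@', ':' or '\\' (no userinfo, no port), or has characters
 * outside [A-Za-z0-9.-]. */
static bool extract_https_host(const char *url, char *out, size_t outsz)
{
    const char *p, *end;
    size_t i, n;

    if (strncmp(url, "https://", 8) != 0)
        return false;
    p = url + 8;
    end = p + strcspn(p, "/?#");          /* authority ends at path/query/fragment */
    n = (size_t)(end - p);
    if (n == 0 || n >= outsz)
        return false;
    if (memchr(p, '@', n) || memchr(p, ':', n) || memchr(p, '\\', n))
        return false;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return false;
        out[i] = (char)tolower(c);
    }
    out[n] = '\0';
    return true;
}

/* True if target is a same-site path or an https URL on an allowlisted host. */
bool is_allowed_redirect(const char *target, const char *const *hosts, size_t nhosts)
{
    char host[256];
    size_t i;

    if (target == NULL)
        return false;
    if (is_safe_local_redirect(target))
        return true;
    if (!extract_https_host(target, host, sizeof host))
        return false;
    for (i = 0; i < nhosts; i++)
        if (strcmp(host, hosts[i]) == 0)
            return true;
    return false;
}

/* Picks the post-login destination: the requested one if it passes the
 * check, otherwise a fixed fallback page (assumed name). */
const char *choose_redirect(const char *requested)
{
    return is_allowed_redirect(requested, kAllowedHosts, kAllowedHostCount)
               ? requested
               : "/_cqr/login/welcome";
}
```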


Re: [Full-disclosure] Sasser

2006-11-29 Thread David Swafford
I think this depends a lot on the size of the school.  Take for example the
school I work with, a parochial school of about 700 students and about
50 staff members, one campus with three buildings.  We've got about 300
computers and 8 servers, one large core switch and a few
access/distribution combined switches.  In this environment I'm
basically the one-man show: I'm sysadmin, second-level help desk, I run
a student technology club that meets every week (which I would say is
similar to the guy teaching a networking class, yet mine is only once a
week) and I do all of the hardware troubleshooting and new equipment
installation.  I've got two helping me, one on the software side and
one on the hardware side, but most things end up coming to me.  In this
situation we are not part of a district and run our own network.  I
think when you get out to much bigger networks, like multi-school
district networks, then it gets much more complicated.  With being close
to the source locally it would be much easier for me to pull off a
project like this guy is asking about, whereas in a large campus like a
college or something it would be more problematic as there are a lot
more aspects involved and things that could go wrong.  Though I'm in an
entirely Novell-based server environment, so I may be biased in regards to
viruses since my servers never get bothered by them. It's kinda like Macs,
and all of my Windows PCs wipe all changes at shutdown except for staff
machines, which are isolated into a separate VLAN from the student
machines (also separated via ACLs preventing traffic from crossing
between the VLANs; all VLANs are only allowed to directly access the
server and internet gateway VLANs in my setup).

David.

 Matthew Flaschen [EMAIL PROTECTED] 11/29/06 1:42 AM 
I'm in the U.S. too, but the only networking class I've been in
definitely wasn't taught by the sysadmin.

Matt

Jim Popovitch wrote:
 On Tue, 2006-11-28 at 23:22 -0500, Matthew Flaschen wrote:
 I also don't think it would be the sysadmin's job to help with a
networking class.
 
 Here in the states it's usually the networking class teacher that
stays
 late and doubles as the sysadmin.  :-)
 
 -Jim P.
 










Re: [Full-disclosure] ProFTPD mod_tls pre-authentication buffer overflow

2006-11-29 Thread Mark Wadham
Hi

Can I get this straight, vendor was notified on the 16th of November, 
but this vulnerability has been part of VulnDisco since Jan 2006?  Is 
that actually correct?  This was known about ten months ago but not 
disclosed until now?

Mark

[EMAIL PROTECTED] wrote:
 Name: ProFTPD mod_tls pre-authentication buffer overflow
 Vendor:   http://www.proftpd.org
 Release date: 28 Nov, 2006
 Author:   Evgeny Legerov [EMAIL PROTECTED]

 I. DESCRIPTION

 A remote buffer overflow vulnerability has been found in mod_tls module of
 ProFTPD server.
 The vulnerability could allow a remote un-authenticated attacker to gain root
 privileges.

 II. DETAILS

 Let's have a look at the code (ProFTPD version 1.3.0):

 contrib/mod_tls.c:
 
 static char *tls_x509_name_oneline(X509_NAME *x509_name) {
   static char buf[256] = {'\0'};

   /* If we are using OpenSSL 0.9.6 or newer, we want to use
    * X509_NAME_print_ex() instead of X509_NAME_oneline().
    */

 #if OPENSSL_VERSION_NUMBER < 0x000906000L
   memset(buf, '\0', sizeof(buf));
   return X509_NAME_oneline(x509_name, buf, sizeof(buf));
 #else

   /* Sigh...do it the hard way. */
   BIO *mem = BIO_new(BIO_s_mem());
   char *data = NULL;
   long datalen = 0;
   int ok;

   if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
 [1]  datalen = BIO_get_mem_data(mem, &data);

   if (data) {
     memset(buf, '\0', sizeof(buf));
 [2] memcpy(buf, data, datalen);
     buf[datalen] = '\0';
     buf[sizeof(buf)-1] = '\0';

     BIO_free(mem);
     return buf;
   }

   BIO_free(mem);
   return NULL;
 #endif /* OPENSSL_VERSION_NUMBER >= 0x000906000 */
 }
 

 The value of 'datalen' parameter is fully controlled by us (see [1]).
 On line [2] we will be able to overflow the 'buf' buffer with our data.

 III. VENDOR RESPONSE

 Vendor has been notified on Nov 16, 2006 but ProFTPD 1.3.0a is still 
 vulnerable.

 IV. CREDIT

 Discovered by Evgeny Legerov.

 The vulnerability is a part of VulnDisco Pack Professional since Jan, 2006.




   


-- 
Mark Wadham
e: [EMAIL PROTECTED] t: +44 (0)20 8315 5800 f: +44 (0)20 8315 5801
Areti Internet Ltd., http://www.areti.net/ 

===
Areti Internet Ltd: BS EN ISO 9001:2000
Providing corporate Internet solutions for more than 10 years.
===
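The advisory quoted above shows 'datalen' at [1] being taken from the printed X509 name and copied at [2] into a 256-byte static buffer without a bound. The following is an added example, not ProFTPD's code, of a bounded copy with the same contract (static buffer, NUL-terminated, truncation rather than overflow). The OpenSSL calls are not reproduced; the caller passes the bytes that BIO_get_mem_data() would have returned, and the over-long subject name in the demo is constructed.

```c
#include <stddef.h>
#include <string.h>

#define ONELINE_BUF_SIZE 256

/* Copies at most bufsz-1 bytes of data into buf and NUL-terminates it.
 * Returns the number of bytes actually copied; NULL data, a non-positive
 * datalen or an empty buffer yields an empty string instead of a copy. */
size_t copy_oneline_bounded(char *buf, size_t bufsz, const char *data, long datalen)
{
    size_t n;

    if (buf == NULL || bufsz == 0)
        return 0;
    memset(buf, '\0', bufsz);
    if (data == NULL || datalen <= 0)
        return 0;
    n = (size_t)datalen;
    if (n > bufsz - 1)
        n = bufsz - 1;                 /* truncate instead of running past buf */
    memcpy(buf, data, n);
    buf[n] = '\0';
    return n;
}

/* Same shape as tls_x509_name_oneline(): returns a static buffer holding
 * the (possibly truncated) one-line name. The length check above is what
 * the memcpy at [2] in the quoted code lacks. */
const char *x509_name_oneline_bounded(const char *data, long datalen)
{
    static char buf[ONELINE_BUF_SIZE];
    copy_oneline_bounded(buf, sizeof(buf), data, datalen);
    return buf;
}

/* Demonstration with a constructed 300-byte subject name ("CN=" followed
 * by 297 'A's), longer than the 256-byte destination. Returns the length
 * of the string the bounded copy produced. */
size_t demo_overlong_name(void)
{
    char name[301];

    memset(name, 'A', sizeof(name) - 1);
    memcpy(name, "CN=", 3);
    name[sizeof(name) - 1] = '\0';
    return strlen(x509_name_oneline_bounded(name, (long)strlen(name)));
}
```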



[Full-disclosure] Secunia Research: Borland Products idsql32.dll Buffer Overflow Vulnerability

2006-11-29 Thread Secunia Research
== 

 Secunia Research 29/11/2006

 - Borland Products idsql32.dll Buffer Overflow Vulnerability -

== 
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

== 
1) Affected Software 

Borland idsql32.dll versions 5.1.0.4 (as used by RevilloC MailServer)
and 5.2.0.2 as included with Borland Developer Studio 2006.

NOTE: Other versions may also be affected. Furthermore, any 
application using the vulnerable library and passing (partially)
user-controlled arguments to the affected function may also be
vulnerable.

== 
2) Severity 

Rating: Moderately critical
Impact: System Access
Where:  From Remote

== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Borland products,
which can be exploited by malicious people to compromise a vulnerable
system.

The vulnerability is caused due to a boundary error in idsql32.dll
when processing SQL statements using the DbiQExec() function. This
can be exploited to cause a heap-based buffer overflow via an overly
long SQL statement (more than 4000 bytes).

== 
4) Solution 

Restrict access to applications and services using the vulnerable
library.

Applications using the vulnerable function should check the length
of the user input before creating an SQL statement and using it in a
query.

== 
5) Time Table 

15/11/2006 - Vendor notified.
27/11/2006 - Vendor reminder sent.
29/11/2006 - Public disclosure.

== 
6) Credits 

Discovered by JJ Reyes, Secunia Research.

== 
7) References

SA22559:
http://secunia.com/advisories/22559

== 
8) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below to
see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-70/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==





Re: [Full-disclosure] ProFTPD mod_tls pre-authentication buffer overflow

2006-11-29 Thread research
Hi,

 Hi

 Can i get this straight, vendor was notified on the 16th of November,
 but this vulnerability has been part of VulnDisco since Jan 2006?  Is
 that actually correct?  This was known about ten months ago but not
 disclosed until now?

Absolutely correct.

ProFTPD sreplace bug has been part of VulnDisco since Dec, 2005.

Regards,
Evgeny Legerov



[Full-disclosure] ZDI-06-043: Novell Netware Client Print Provider Buffer Overflow Vulnerability

2006-11-29 Thread zdi-disclosures
ZDI-06-043: Novell Netware Client Print Provider Buffer Overflow
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-043.html
November 29, 2006

-- CVE ID:
CVE-2006-5854

-- Affected Vendor:
Novell

-- Affected Products:
Novell Netware Client 4.91
Novell Netware Client 4.91 SP1
Novell Netware Client 4.91 SP2

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since July  7, 2005 by Digital Vaccine protection
filter ID 3583. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
systems with vulnerable installations of the Novell Netware Client.
Authentication is not required to exploit this vulnerability.

The specific flaw exists in a print provider installed by the Netware
Client. The nwspool.dll library does not properly handle long arguments
to the Win32 EnumPrinters() and OpenPrinter() functions. Exceeding 458
bytes in the first argument to OpenPrinter() or 524 bytes in the second
argument to EnumPrinters() results in an exploitable buffer overflow
within the Spooler service.

This vulnerability can be exploited remotely via Remote Procedure Call
(RPC) requests to the Spooler service. The Spooler exposes the
spoolss named pipe, which allows an anonymous user to issue certain
spooler commands. These include the OpenPrinter() and EnumPrinters()
calls required to exploit this vulnerability.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More details
can be found at:

http://www.novell.com/support/search.do?cmd=displayKCexternalId=3125538sliceId=SAL_Public

-- Disclosure Timeline:
2005.07.07 - Digital Vaccine released to TippingPoint customers
2006.10.02 - Vulnerability reported to vendor
2006.11.29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.



[Full-disclosure] PayPal acount removal: bug or feature?

2006-11-29 Thread 3APA3A
Dear full-disclosure@lists.grok.org.uk,

  I was trying to remember the password for my older PayPal account in
  order to close it. After a couple of unsuccessful attempts I've got an
  offer to close this account if I don't remember the password. I
  clicked the link. It showed me the current state (actually 0) and warned
  that, because it is less than $1.5, it will not be funded. OK. I click close.
  Now, guess what?

  The account was closed (NO confirmation by e-mail, only "We are sorry that
  you have decided to close your PayPal account.").

  I'm quite inexperienced with PayPal, because its service for Russia is
  new and very limited. But it makes me wonder: is this feature known?

-- 
http://www.security.nnov.ru
 /\_/\
{ , . } |\
+--oQQo-{ ^ }-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/



Re: [Full-disclosure] Defeating Image-Based Virtual Keyboards and Phishing Banks (fwd)

2006-11-29 Thread Matthew Flaschen
If anyone's interested, a while ago I made a greasemonkey user script
that bypasses the virtual keyboard on ING Direct
(http://userscripts.org/scripts/show/3998)

Matt Flaschen

Gadi Evron wrote:
 Copied from a post by Noam Rathaus on the SecuriTeam Blogs, following up a
 post by HispaSec. This is about breaking virtual keyboards
 implementations




[Full-disclosure] [USN-388-1] KOffice vulnerability

2006-11-29 Thread Kees Cook
=== 
Ubuntu Security Notice USN-388-1  November 29, 2006
koffice vulnerability
CVE-2006-6120
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  koffice-libs 1:1.4.1-0ubuntu7.4

After a standard system upgrade you need to restart your Desktop session 
to effect the necessary changes.

Details follow:

An integer overflow was discovered in KOffice's filtering code.  By 
tricking a user into opening a specially crafted PPT file, attackers 
could crash KOffice or possibly execute arbitrary code with the user's 
privileges.


Updated packages for Ubuntu 5.10:


Re: [Full-disclosure] PayPal acount removal: bug or feature?

2006-11-29 Thread Matthew Flaschen
I tried this on Paypal.com, with more than twenty consecutive incorrect
passwords.  I got no such offer.  What paypal site were you using, and
how many unsuccessful attempts is a couple?

Matt

3APA3A wrote:
 Dear full-disclosure@lists.grok.org.uk,
 
   I was trying to remember the password for my older PayPal account in
   order to close it. After a couple of unsuccessful attempts I've got an
   offer to close this account if I don't remember the password. I
   clicked the link. It showed me the current state (actually 0) and warned
   that, because it is less than $1.5, it will not be funded. OK. I click close.
   Now, guess what?
 
   The account was closed (NO confirmation by e-mail, only "We are sorry that
   you have decided to close your PayPal account.").
 
   I'm quite inexperienced with PayPal, because its service for Russia is
   new and very limited. But it makes me wonder: is this feature known?
 





Re: [Full-disclosure] PayPal acount removal: bug or feature?

2006-11-29 Thread Valdis . Kletnieks
On Wed, 29 Nov 2006 17:02:07 EST, Matthew Flaschen said:
 I tried this on Paypal.com, with more than twenty consecutive incorrect
 passwords.  I got no such offer.  What paypal site were you using, and
 how many unsuccessful attempts is a couple? 
 Matt
 
 3APA3A wrote:
  Dear full-disclosure@lists.grok.org.uk,
 
I  was  trying to remember the password for my older PayPal account in
order to close it. After a couple of unsuccessful attempts I've got an
offer  to  close  this account if I don't remember the password.

Anybody else thinking 'phish'? :)



[Full-disclosure] [USN-389-1] GnuPG vulnerability

2006-11-29 Thread Kees Cook
=== 
Ubuntu Security Notice USN-389-1  November 29, 2006
gnupg vulnerability
http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  gnupg1.4.1-1ubuntu1.5

Ubuntu 6.06 LTS:
  gnupg1.4.2.2-1ubuntu2.3

Ubuntu 6.10:
  gnupg1.4.3-2ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

A buffer overflow was discovered in GnuPG.  By tricking a user into 
running gpg interactively on a specially crafted message, an attacker 
could execute arbitrary code with the user's privileges.  This 
vulnerability is not exposed when running gpg in batch mode.


Updated packages for Ubuntu 5.10:


Re: [Full-disclosure] PayPal acount removal: bug or feature?

2006-11-29 Thread James (njan) Eaton-Lee


[EMAIL PROTECTED] wrote:
 Anybody else thinking 'phish'? :)

Actually, no - I experienced almost precisely the same thing with an old 
paypal account that we'd long since lost the password to and which was 
associated with a dead e-mail address, and I remember experiencing 
something similar to that described. I don't remember precisely how much 
information I had to provide other than the account name.

I don't know if this only works with long-idle accounts, but I do recall 
it being slightly odd at the time (and I checked the account was 
legitimately closed! Thankfully, I wasn't too shocked since the account 
was associated with dead bank details, anyhow..)

  - James.

-- 
   James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org
   Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)

sites: https://www.bsrf.org.uk ~ http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3
-- 



Re: [Full-disclosure] Links smbclient command execution

2006-11-29 Thread Mikulas Patocka

On Wed, 29 Nov 2006, Mikulas Patocka wrote:

 Hi

 I fixed it in Links 1.00pre19 (at 
 http://artax.karlin.mff.cuni.cz/~mikulas/links/download/) and Links 2.1pre25 
 (at http://links.twibright.com/download/) --- please check it.


 I changed it to refuse '' and ';' from file path. I hope that user name and 
 password at smbclient command line cannot be used to execute arbitrary code, 
 but if you have other information, contact me.


 Mikulas

Hello,

links-2.1pre25 still seems vulnerable to the smb vulnerability.

The ChangeLog doesn't mention anything about fixing it, smb.c has
a timestamp from November 2005, and the exploit posted earlier
still works.

Regards, Ulf Härnhammar


Oops, I forgot to upload it yesterday. It's there now under name 
links-2.1pre26. If you have any other ideas how it could be broken, tell 
me.


Mikulas

Re: [Full-disclosure] Sasser

2006-11-29 Thread [EMAIL PROTECTED]
Unfortunately, I spend a not insignificant amount of time fixing problems
caused by technology teachers. 



From: Jim Popovitch 
Subject: Re: Sasser 
Matthew Flaschen wrote:
I also don't think it would be 
the sysadmin's job to help with 
a networking class.

Here in the states it's usually 
the networking class teacher 
that stays late and doubles as 
the sysadmin.  :-)

-Jim P.









Re: [Full-disclosure] PayPal acount removal: bug or feature?

2006-11-29 Thread 3APA3A
Dear Matthew Flaschen,


PayPal is exactly https://www.paypal.com/. No, it's not phishing.

I found on PayPal support it's only possible to close accounts in
'inactive' state. I'm not sure about the terms under which an account
becomes 'inactive'.

--Thursday, November 30, 2006, 1:02:07 AM, you wrote to [EMAIL PROTECTED]:

MF I tried this on Paypal.com, with more than twenty consecutive incorrect
MF passwords.  I got no such offer.  What paypal site were you using, and
MF how many unsuccessful attempts is a couple?

MF Matt

MF 3APA3A wrote:

   The account was closed (NO confirmation by e-mail, only "We are sorry that
   you have decided to close your PayPal account.").
 
   I'm quite inexperienced with PayPal, because its service for Russia is
   new and very limited. But it makes me wonder: is this feature known?
 




-- 
~/ZARAZA
Eternal memory to Saint Patrick! (Twain)
