Re: [Full-disclosure] Nmap Online
first of all, IANAL, but the TOS seem to cover the basics... However, I am unsure whether they would hold up under strict legal scrutiny. As far as I can tell, they may hold up under US criminal law, but not under civil law, as tort law has its own wonderful little eccentricities.

The best safeguard they seem to have is that they must log the source IP of all scan requests... As far as I know, anyone who takes the time to read the nmap man page should be able to craft a scan which won't be detected by the scanned host (can someone be a definitive source on this point?), and anyone taking malicious action ought to be taking sufficient precautions to avoid detection anyway. Nonetheless, my 8-ball sees litigation in their future.

On 11/30/06, Jason Miller [EMAIL PROTECTED] wrote:
> I'm detecting legal actions already.
>
> On 11/28/06, David Matousek [EMAIL PROTECTED] wrote:
>> Hello,
>>
>> For all Nmap fans, our group has implemented the Nmap Online service. Its address is http://nmap-online.com/. The interface allows you to perform custom Nmap scans from our server with only a few limitations in the syntax. The service is free and can be used immediately, no registration is required. Please direct your questions and suggestions to our emails.
>>
>> Regards,
>> --
>> David Matousek
>> Founder and Chief Representative of Matousec - Transparent security
>> http://www.matousec.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] rPSA-2006-0220-1 dovecot
rPath Security Advisory: 2006-0220-1
Published: 2006-11-30
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification: Local Deterministic Denial of Service
Updated Versions: dovecot=/[EMAIL PROTECTED]:devel//1/1.0.beta8-4.2-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5973
https://issues.rpath.com/browse/RPL-802

Description:
Previous versions of the dovecot package are vulnerable to a denial of service attack only in a non-default configuration, and only by authenticated users in that configuration.
[Full-disclosure] rPSA-2006-0221-1 openldap openldap-clients openldap-servers
rPath Security Advisory: 2006-0221-1
Published: 2006-11-30
Products: rPath Linux 1
Rating: Major
Exposure Level Classification: Remote Deterministic Denial of Service
Updated Versions:
openldap=/[EMAIL PROTECTED]:devel//1/2.2.26-8.5-1
openldap-clients=/[EMAIL PROTECTED]:devel//1/2.2.26-8.5-1
openldap-servers=/[EMAIL PROTECTED]:devel//1/2.2.26-8.5-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5779
https://issues.rpath.com/browse/RPL-820

Description:
Previous versions of the openldap package are vulnerable to a remote denial of service attack that causes the openldap daemon to crash. This vulnerability is understood not to enable any form of remote execution.
[Full-disclosure] rPSA-2006-0222-1 tar
rPath Security Advisory: 2006-0222-1
Published: 2006-11-30
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification: Indirect User Deterministic Vulnerability
Updated Versions: tar=/[EMAIL PROTECTED]:devel//1/1.15.1-7.1-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097
https://issues.rpath.com/browse/RPL-821

Description:
Previous versions of the tar package are vulnerable to an attack in which unpacking an intentionally-malformed tar archive can overwrite arbitrary files to which the user running tar has write access. If the attacking user knows the name of a vulnerable binary file and overwrites it, this allows the attacker to place arbitrary code on the system which is likely to be run. If root is running tar, this includes any file on the system, which would elevate this to an indirect non-deterministic remote root unauthorized access vulnerability.
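The advisory names the failure mode (a crafted archive writing outside the directory the user meant to unpack into) but, as a vendor bulletin, carries no check. The Python routine below is an added example and is not rPath's or GNU tar's code: it vets every member of an archive before anything is written and refuses the shapes that escape the destination (absolute names, `..` components, and link members that could redirect a later entry). The archive it inspects is constructed in memory for the demonstration.

```python
import io
import os
import tarfile
import tempfile

# Added example, not code from rPath or GNU tar: vet archive members before any
# file is written. The sample archive below is constructed for the demonstration.


def build_sample_tar():
    """Constructed archive: one benign file plus members that try to escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:

        def add(name, data=b"", type_=tarfile.REGTYPE, linkname=""):
            info = tarfile.TarInfo(name)
            info.type = type_
            info.linkname = linkname
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)

        add("site/index.html", b"<html></html>")            # legitimate content
        add("../../outside.txt", b"x")                        # parent-directory traversal
        add("/absolute.txt", b"x")                            # absolute path
        add("escape", type_=tarfile.SYMTYPE, linkname="/")    # symlink to the filesystem root
        add("escape/payload.txt", b"x")                       # would follow that symlink if it existed
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r:")


def member_problems(tar, dest):
    """Map the name of every member that must not be extracted to the reason."""
    root = os.path.realpath(dest)
    problems = {}
    for m in tar.getmembers():
        if m.name.startswith("/") or os.path.isabs(m.name):
            problems[m.name] = "absolute path"
        elif ".." in m.name.split("/"):
            problems[m.name] = "parent-directory traversal"
        elif m.issym() or m.islnk():
            # A link created now would redirect any later member written through it.
            problems[m.name] = "link member"
        elif not (m.isfile() or m.isdir()):
            problems[m.name] = "special file"
        elif not os.path.realpath(os.path.join(root, m.name)).startswith(root + os.sep):
            problems[m.name] = "resolves outside destination"
    return problems


def safe_extract(tar, dest):
    """Extract only the members member_problems() did not flag; return their names."""
    problems = member_problems(tar, dest)
    allowed = [m for m in tar.getmembers() if m.name not in problems]
    try:
        # Python 3.12+ (and the security backports) add extraction filters; keep them on.
        tar.extractall(dest, members=allowed, filter="data")
    except TypeError:  # older tarfile without the filter keyword
        tar.extractall(dest, members=allowed)
    return sorted(m.name for m in allowed)


def run_demo():
    """Vet and extract the constructed archive in a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        tar = build_sample_tar()
        problems = member_problems(tar, dest)
        extracted = safe_extract(tar, dest)
        on_disk = sorted(
            os.path.relpath(os.path.join(d, f), dest).replace(os.sep, "/")
            for d, _, files in os.walk(dest)
            for f in files
        )
    return problems, extracted, on_disk


if __name__ == "__main__":
    problems, extracted, on_disk = run_demo()
    for name, reason in problems.items():
        print("refused %-20s %s" % (name, reason))
    print("extracted:", extracted)
```

Rejecting link members outright is the conservative choice: a symlink is harmless on its own, but once it exists on disk a later member named through it lands wherever the link points, and a check done before extraction cannot see links that do not exist yet.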
[Full-disclosure] rPSA-2006-0224-1 gnupg
rPath Security Advisory: 2006-0224-1
Published: 2006-11-30
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification: Indirect Non-deterministic Unauthorized Access
Updated Versions: gnupg=/[EMAIL PROTECTED]:devel//1/1.4.5-1.1-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6169
https://issues.rpath.com/browse/RPL-826

Description:
Previous versions of the gnupg package contain a weakness that may enable an attacker to create a malformed message that causes gnupg to crash or execute arbitrary code provided by the attacker. This weakness exists only in interactive mode; other applications which call gpg in batch mode are not susceptible.
[Full-disclosure] deV!L`z Clanportal - SQL Injection [061124a]
-[061124a]-
deV!L`z Clanportal - SQL Injection

S Y N O P S I S
-( access: remote   severity: high )-
An SQL injection has been found in deV!L`z Clanportal, which allows any logged in user to grant herself admin privileges in the system.

B A C K G R O U N D
deV!L`z Clanportal (short DZCP) is a suite of PHP scripts that allow anybody to create a feature-rich website for her online gaming clan.

A F F E C T E D   V E R S I O N S
verified on: 1.3.6
possibly vulnerable: <= 1.3.6
fixed in: 1.3.6.1

I M P A C T
The attacker gains admin privileges in DZCP and is thus able to create and download a MySQL dump, upload files, post news, delete users etc.

P R E R E Q U I S I T E S
o the attacker needs to have a user account in the suite and be logged in
o php.ini directive magic_quotes_gpc has to be disabled

D E S C R I P T I O N
sites/index.php is not escaping the $_GET['show'] parameter, leading to an SQL injection. This can be used to pass any string to the $where parameter in DZCP's page() function. page(), in turn, is not checking that parameter, allowing a second SQL injection in an UPDATE statement on the users table to change arbitrary attributes in the calling user's tuple, including the level attribute, which, set to 4, grants the user administrator privileges.

W O R K A R O U N D
Some possibilities:
o Add a mysql_real_escape_string() around the $_GET parameter in the SQL query in sites/index.php.
o Remove sites/index.php or make it inaccessible.
o Quit using DZCP. I mean it! There are tons of other vulnerabilities just waiting to be exploited; some of them more severe than this one. IMHO, DZCP is just a chaotic bunch of vulnerabilities that, by some coincidence, happen to look like a clan portal.

P R O O F   O F   C O N C E P T
Check if magic_quotes_gpc is enabled:
http://dzcp/sites/index.php?show='
If a MySQL error appears or the script dies, it is disabled.
Then:
http://dzcp/sites/index.php?show=-1'+%55NION+%53ELECT+1,+'Admin+Panel\',+level%3d4,+waffe%3d\'SQL+Injection',+2,+3,+'

T I M E L I N E   (CET)
2006-11-23 23:05 started searching
2006-11-24  0:35 exploited
           14:20 advisory finished
           17:31 informed vendor that any user can get admin privileges
2006-11-25 23:00 full disclosure to vendor
2006-11-27 14:36 hotfix available on vendor website
2006-12-01 10:00 full disclosure to the general public

A B O U T   T H E   A U T H O R
Tim Weber, computer science student at the University of Mannheim, Germany, currently looking for an internship at some IT security or pentesting company, can be reached via e-mail: scy-adv-061124a at the host scytale.de.

T H A N K S
o Kallista
o yorn for showing me DZCP and the basics of SQL injections
o the DZCP authors for the fun in secure.php
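The advisory's chain reaches the users table through the $where argument of page(). The following added example, which is not DZCP's code, reduces that to the simpler case of a user-controlled value spliced into the SET clause of the same kind of UPDATE: it fails the same way (the attacker's text is parsed as SQL and level becomes 4) and is fixed the same way (column names from an allowlist, values bound as parameters). The schema, the row and the column set are constructed for the demonstration; only the names "level" and "waffe" and the meaning of level 4 follow the advisory.

```python
import sqlite3

# Added example, not DZCP's code: the same chain the advisory describes, reduced to one
# UPDATE on a users table. The schema, rows and column names are constructed; "level"
# and "waffe" follow the advisory's naming, with level 4 standing for administrator.

ALLOWED_COLUMNS = {"waffe"}  # profile columns a user may edit on her own row (assumption)


def make_db():
    """Constructed users table with one ordinary (level 1) user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, waffe TEXT, level INTEGER)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'player', 'none', 1)")
    return conn


def update_profile_vulnerable(conn, user_id, values):
    """The weak pattern: SET clauses built by string formatting, so value text becomes SQL."""
    sets = ", ".join("%s='%s'" % (col, val) for col, val in values.items())
    conn.execute("UPDATE users SET %s WHERE id=%d" % (sets, user_id))


def update_profile_safe(conn, user_id, values):
    """The hardened pattern: column names from an allowlist, values bound as parameters."""
    unknown = set(values) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError("column not editable: %s" % ", ".join(sorted(unknown)))
    sets = ", ".join("%s=?" % col for col in values)
    params = tuple(values.values()) + (user_id,)
    conn.execute("UPDATE users SET %s WHERE id=?" % sets, params)


def level_after(update, waffe_value):
    """Apply `update` to user 1 with the given waffe text; return (level, stored waffe)."""
    conn = make_db()
    update(conn, 1, {"waffe": waffe_value})
    return conn.execute("SELECT level, waffe FROM users WHERE id=1").fetchone()


# Same shape as the advisory's trick: close the string, then append level=4 (constructed).
INJECTION = "x', level=4, name='y"


if __name__ == "__main__":
    print("vulnerable:", level_after(update_profile_vulnerable, INJECTION))
    print("safe:      ", level_after(update_profile_safe, INJECTION))
```

With parameters bound, the whole string including the quote and the `level=4` fragment is stored as the waffe value and the level column is untouched; the allowlist is what stops a caller from naming level as a column in the first place. Escaping, the advisory's first workaround, closes the immediate hole; binding removes the class of bug.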
[Full-disclosure] deV!L`z Clanportal - Arbitrary File Upload [061124b]
-[061124b]-
deV!L`z Clanportal - Arbitrary File Upload

S Y N O P S I S
-( access: remote   severity: high )-
deV!L`z Clanportal allows nearly arbitrary files to be uploaded and stored on the server's filesystem, which enables anyone, even without a user account, to upload PHP code and execute it, leading to arbitrary code execution.

B A C K G R O U N D
deV!L`z Clanportal (short DZCP) is a suite of PHP scripts that allow anybody to create a feature-rich website for her online gaming clan.

A F F E C T E D   V E R S I O N S
verified on: 1.3.6
possibly vulnerable: <= 1.3.6
fixed in: 1.3.6.1

I M P A C T
The attacker can run her own code on the web server with the same privileges as DZCP itself, enabling her to do almost anything from getting the MySQL password to hosting her own files and scripts or getting a shell on the server.

P R E R E Q U I S I T E S
o the attacker needs a file that is both a valid JPEG or GIF file and valid PHP (or probably other) code

D E S C R I P T I O N
upload/index.php is not checking the file extension of uploaded files. Instead it is simply checking the MIME type (that can be spoofed) and the format of an uploaded image. A skilled attacker could upload an image file that has been specially crafted to contain PHP code and yet be recognized as a valid image. The file will be stored on the server, using a file name supplied by the attacker (ending in .php, for example), and can then be executed via HTTP.

W O R K A R O U N D
Some possibilities:
o Add something like this before the switch statement in upload/index.php:
  if (isset($_FILES['file']['name']) && !preg_match('/\.(jpg|gif)$/i', $_FILES['file']['name'])) die();
o Remove upload/index.php or make it inaccessible.
o Quit using DZCP. I mean it! There are tons of other vulnerabilities just waiting to be exploited; some of them might be as severe as this one. IMHO, DZCP is just a chaotic bunch of vulnerabilities that, by some coincidence, happen to look like a clan portal.

P R O O F   O F   C O N C E P T
Get a JPEG file, open it in a hex editor, add some PHP inside the EXIF data or in similar places. Make sure PHP's getimagesize() does not return false and that the file does not throw parse errors or the like when fed to PHP. Then:
curl -F '[EMAIL PROTECTED];type=image/jpeg' 'http://dzcp/upload/index.php?action=userpic&do=upload'
Then check http://dzcp/inc/images/uploads/userpics/.php

T I M E L I N E   (CET)
2006-11-24  2:00 started searching
            4:00 exploited
           15:05 advisory finished
           17:31 informed vendor that anybody can run arbitrary code
2006-11-25 23:00 full disclosure to vendor
2006-11-27 14:36 hotfix available on vendor website
2006-12-01 10:45 full disclosure to the general public

A B O U T   T H E   A U T H O R
Tim Weber, computer science student at the University of Mannheim, Germany, currently looking for an internship at some IT security or pentesting company, can be reached via e-mail: scy-adv-061124b at the host scytale.de.

T H A N K S
o Kallista
o the cat in the fridge
o KHexEditor
o the DZCP authors for the fun in secure.php
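The workaround above checks the extension and nothing else. The following Python validator is an added example, not DZCP's code: it keeps the advisory's extension pattern, adds the two checks a client-supplied MIME type cannot give you (the file's own leading bytes, and a storage name the server chooses instead of the one the client sent), and ignores the request's MIME type on purpose, since the advisory notes it can be spoofed. The sample file contents are constructed headers, not complete images.

```python
import hashlib
import re

# Added example, not DZCP's code: the advisory's extension check together with a
# magic-byte check and a server-chosen storage name. Sample contents are constructed.

EXTENSION_RE = re.compile(r"\.(jpg|gif)$", re.IGNORECASE)  # the advisory's pattern
MAGIC = {"jpg": (b"\xff\xd8\xff",), "gif": (b"GIF87a", b"GIF89a")}


def validate_upload(filename, data, client_mime=None):
    """Return ("stored", server_name) or ("rejected", reason).

    client_mime is accepted only to make the point that it is never consulted:
    the advisory notes the MIME type in the request can be spoofed.
    """
    match = EXTENSION_RE.search(filename)
    if match is None:
        return ("rejected", "extension not allowed")
    ext = match.group(1).lower()
    if not data.startswith(MAGIC[ext]):
        return ("rejected", "content is not a %s image" % ext)
    # Never reuse the client's name: derive one from the content, with the vetted extension.
    return ("stored", "%s.%s" % (hashlib.sha256(data).hexdigest()[:16], ext))


# Constructed sample contents: real JPEG/GIF header bytes, no full image behind them.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
GIF_HEAD = b"GIF89a\x01\x00\x01\x00"
PHP_TEXT = b"<?php echo 'hello'; ?>"


if __name__ == "__main__":
    samples = [
        ("shell.php", JPEG_HEAD),
        ("pic.jpg.php", JPEG_HEAD),
        ("pic.jpg", PHP_TEXT),
        ("Holiday.JPG", JPEG_HEAD),
        ("anim.gif", GIF_HEAD),
    ]
    for name, data in samples:
        print("%-12s -> %s" % (name, validate_upload(name, data, client_mime="image/jpeg")))
```

A file that is both a valid JPEG and valid PHP, the advisory's prerequisite, still passes the magic-byte check; what changes is that it is stored under a name ending in .jpg that the attacker did not pick, so the web server hands it out as an image. That only holds if the upload directory is not configured to run scripts, which is a web-server setting rather than something upload/index.php can enforce.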
[Full-disclosure] Outpost Bypassing Self-Protection via Advanced DLL injection with handle stealing Vulnerability
Hello,

We would like to inform you about a vulnerability in Outpost Firewall PRO 4.0.

Description:
The system process services.exe cares about system services. It runs them during the system boot and thus owns full access handles to all system services. Outpost protects all processes against common DLL injection and forbids other processes to manipulate its own service process. However, it does not protect services.exe against Advanced DLL injection that does not rely on writing into the target process memory. It is possible to infect services.exe with a malicious DLL and execute arbitrary code in this system process. It is also possible to find and use its handle of the outpost.exe process to infect the Outpost service process similarly. As a result, the attacker is able to inject arbitrary code into Outpost's process and thus bypass any of its security mechanisms.

Vulnerable software:
* Outpost Firewall PRO 4.0 (971.584.079)
* Outpost Firewall PRO 4.0 (964.582.059)
* probably all older versions of Outpost Firewall PRO 4.0
* possibly older versions of Outpost Firewall PRO

More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/Outpost-Bypassing-Self-Protection-via-Advanced-DLL-injection-with-handle-stealing.php

Regards,
--
Matousec - Transparent security
Research
http://www.matousec.com/
Re: [Full-disclosure] SSH brute force blocking tool
Salut,

On Fri, 2006-12-01 at 06:59 -0500, J. Oquendo wrote:
>>> Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227
>>>
>>> awk '($5=="Illegal"||$6=="Illegal") && $9=="from" {print $10}'
>>
>> What if I set my user name to "bikermice from mars"? Are you going to blacklist mars then?
>
> Apparently you are as stupid as your question is. The syntax won't allow to pass off anything. Try it before responding idiotically

Did you even try it? And what exactly in this awk statement would prevent me from inserting mars in this case? The log statement would look like this:

Nov 27 16:31:21 local sshd[67010]: Illegal user bikermice from mars from 213.134.128.227

In this case, your awk statement checks that argument $6 is Illegal (which it is) and argument $9 is from (which it is). So it takes $10 and prints it (in this case, mars.)

If you check $10 to look like an IP address, I set my username to "bikermice from 217.14.64.1", you're going to blacklist 217.14.64.1 because it is a valid IP.

Tonnerre

--
SyGroup GmbH
Tonnerre Lombard
Solutions Systematiques
Tel: +41 61 333 80 33    Roeschenzerstrasse 9
Fax: +41 61 383 14 67    4153 Reinach BL
Web: www.sygroup.ch      [EMAIL PROTECTED]
Re: [Full-disclosure] SSH brute force blocking tool
Salut,

On Fri, 2006-12-01 at 07:26 -0500, J. Oquendo wrote:
> So again... Some of you guys need to go back and read before you post

In this case, the NF wasn't in your original posting, so I could hardly have seen it. Still, there are problems with it, but not security wise...

> awk 'NF==10 && ($6=="invalid"||$7=="user") && $9=="from" {print $10}'
>
> Once you try a moronic name insertion it makes the columns more than 10 rows invalidating it.

In that case, your script isn't going to work in most cases. For example, on our router we get:

Dec  1 13:35:24 rtsyg01 sshd[12178]: Failed password for invalid user asdf from 10.1.5.166 port 51558 ssh2

- more than 10 columns.

Also, one of our customers uses user names which consist of two parts which are separated by spaces. This is due to his use of Windows. The users are called e.g. "John Doe", so you do an ssh "John [EMAIL PROTECTED]". In this case, your script fails entirely.

Probably a top-down parser isn't really suitable for this. If at all, you should make an attempt to parse from the end of the string. sed can help you there.

> Perhaps I should re-write TCP into the script to ensure no one ever spoofs again.

That wouldn't be very useful since the L4Addr doesn't matter much here, as we're dealing with L3addrs...

Tonnerre

--
SyGroup GmbH
Tonnerre Lombard
Solutions Systematiques
Tel: +41 61 333 80 33    Roeschenzerstrasse 9
Fax: +41 61 383 14 67    4153 Reinach BL
Web: www.sygroup.ch      [EMAIL PROTECTED]
Re: [Full-disclosure] Nmap Online
I agree with Dave on this one.

Dude Van, I thought it was illegal in the states..? Or am I mistaken?

Also, think of this from the ISP's view, do they really want a service port scanning their users? And look at it this way, said target has a proxy server on it, attacker proxies into the proxy and scans the target server with that service, since he is now on the target's IP address, I think you understand what I'm getting at by now. nmap is made to find exploits, that is what this service is going to wind up being abused for (in most cases that I know).

On 12/1/06, Dave Moore [EMAIL PROTECTED] wrote:
> On 12/1/06, Mike Huber [EMAIL PROTECTED] wrote:
>> first of all, IANAL, but the TOS seem to cover the basics... However, I am unsure whether they would hold up under strict legal scrutiny. As far as I can tell, they may hold up under US criminal law, but not under civil law, as tort law has its own wonderful little eccentricities.
>>
>> The best safeguard they seem to have is that they must log the source IP of all scan requests... As far as I know, anyone who takes the time to read the nmap man page should be able to craft a scan which won't be detected by the scanned host (can someone be a definitive source on this point?), and anyone taking malicious action ought to be taking sufficient precautions to avoid detection anyway. Nonetheless, my 8-ball sees litigation in their future.
>
> All nmap scans are detectable. All port scans are detectable. Just depends on how hard you're looking.
Re: [Full-disclosure] Nmap Online
How do you plan on dealing with all the abuse complaints you get hit with when people use your server to perform unauthorized scans of their networks?

==
David Taylor // Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==
Shadowserver Foundation Member
http://www.shadowserver.org/
==

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Matousek
Sent: Tuesday, November 28, 2006 3:19 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Nmap Online

Hello,

For all Nmap fans, our group has implemented the Nmap Online service. Its address is http://nmap-online.com/. The interface allows you to perform custom Nmap scans from our server with only a few limitations in the syntax. The service is free and can be used immediately, no registration is required. Please direct your questions and suggestions to our emails.

Regards,
--
David Matousek
Founder and Chief Representative of Matousec - Transparent security
http://www.matousec.com/
Re: [Full-disclosure] SSH brute force blocking tool
On Fri, 01 Dec 2006, J. Oquendo wrote:
> Tonnerre Lombard wrote:
>> In this case, your awk statement checks that argument $6 is Illegal (which it is) and argument $9 is from (which it is). So it takes $10 and prints it (in this case, mars.)
>>
>> If you check $10 to look like an IP address, I set my username to "bikermice from 217.14.64.1", you're going to blacklist 217.14.64.1 because it is a valid IP.
>>
>> Tonnerre
>
> So again... Some of you guys need to go back and read before you post

ok, you're right, let's go back and let's read again:

You mention (from the attached mail, you've written):

  Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227

  awk '($5=="Illegal"||$6=="Illegal") && $9=="from" {print $10}'

Note that there is no NF in this line.

> awk 'NF==10 && ($6=="invalid"||$7=="user") && $9=="from" {print $10}'

you're fixing your script when someone shows a security hole, that's a good practice. But don't insult the men who mention the vulnerabilities... They are actually helping you, because you're improving your script thanks to them.

> Once you try a moronic name insertion it makes the columns more than 10 rows invalidating it. Is this a difficult concept to understand? Set your host to whatever you would like, it's been discussed and resolved. Is there anything else? Perhaps I should re-write TCP into the script to ensure no one ever spoofs again.

--
Raphaël Marichez aka Falco
Re: [Full-disclosure] SSH brute force blocking tool
On Fri, 01 Dec 2006, Raphael Marichez wrote:
> You mention (from the attached mail, you've written):

sorry, here's your email

--
Raphaël Marichez aka Falco

---BeginMessage---
Tavis Ormandy wrote:
> On Tue, Nov 28, 2006 at 04:02:36PM +, Tavis Ormandy wrote:
> I notice you also haven't solved the local privilege escalation, this can be abused by local users to gain root by attempting to login with the username set to a valid passwd entry and then winning the race condition by creating a symlink to the system passwd file (of course, there are dozens of other attacks).
>
> Thanks, Tavis.

And just what on God's earth does SOMEONE LOGGING IN WITH USERNAME SET TO A VALID PASSWORD ENTRY have to do with this script. Let me take my script out of the equation for a minute. SOMEONE LOGS IN WITH A USERNAME SET TO A VALID PASSWORD ENTRY don't you think this is a problem with the system they're on? Please explain to me how because I'm seriously curious to know how you envision this happening with this script of mine.

Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227

awk '($5=="Illegal"||$6=="Illegal") && $9=="from" {print $10}'

Would stop the insertion attack and only print out the tenth field if fields 5, 6 and 9 match Illegal user from. So that would pretty much minimize the attack on name insertion. If I wanted to I could also make sure that if someone came after field 10, then ignore the entire line:

Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227

But before you shoot back let me send your response for you:

Tavis Ormandy will write: Someone could log in using: Illegal User foo from $OWNIPADDRESS@host which would make an entry:

Nov 27 16:31:21 local sshd[67010]: Illegal user dd from Illegal User foo from $OWNIPADDRESS 213.134.128.227

SO let me restate. I could modify it to look at lines 5, 6, and 9 ... Take a look at the tenth column and if anything comes after that... Ignore that entire line... Should I have done so, maybe... Will I do so... Maybe...

But wait there's more... Before you respond back Tavis, I will do so for you:

Tavis Ormandy will write: Someone could cause a race condition in awk that will allow peanut butter to seep into my colo

Sorry can't help you there. As to a fix to someone injecting ranDumb addresses. That same awk statement above will work but if they're doing some netcat voodoo, then feel free to shoot off another email on how my script broke TCP/IP entirely.

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

"The happiness of society is the end of government." John Adams
---End Message---
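The thread above turns on one parsing mistake: counting whitespace-separated fields from the left, so that a username containing spaces (or the words "from 1.2.3.4") shifts the address column. Tonnerre's suggestion is to parse from the end of the line instead. The Python below is an added example and is not J. Oquendo's script; it applies that idea to both sshd message formats quoted in the thread, validates the extracted field as an address, and counts failures per client over a constructed sample log that includes the injected usernames discussed. The function names and the threshold are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Added example, not J. Oquendo's script: extract the client address from sshd failure
# lines by matching from the END of the message, as suggested in the thread, so a username
# that itself contains "from 1.2.3.4" cannot displace the real address.

# After "sshd[pid]: ", the username is matched greedily, so the LAST " from <addr>" is the
# one sshd appended; the optional " port N ssh2" tail covers the newer message format.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal user|Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>.*) from (?P<addr>\S+)(?: port \d+ ssh2)?$"
)


def attacker_address(line):
    """Return the client IP for an sshd failure line, or None when none can be trusted."""
    m = FAILURE_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    try:
        return str(ipaddress.ip_address(m.group("addr")))
    except ValueError:
        return None  # the "mars" case: the last field is not an address at all


# Constructed sample log, including the injected usernames discussed in the thread.
SAMPLE_LOG = """\
Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227
Nov 27 16:31:25 local sshd[67011]: Illegal user bikermice from mars from 213.134.128.227
Nov 27 16:31:30 local sshd[67012]: Illegal user bikermice from 217.14.64.1 from 213.134.128.227
Dec  1 13:35:24 rtsyg01 sshd[12178]: Failed password for invalid user asdf from 10.1.5.166 port 51558 ssh2
Dec  1 13:35:30 rtsyg01 sshd[12179]: Failed password for invalid user John Doe from 10.1.5.166 port 51560 ssh2
Dec  1 13:35:31 rtsyg01 sshd[12180]: Accepted publickey for ops from 10.1.5.7 port 40000 ssh2
"""


def failure_counts(log_text):
    """Count trusted failure addresses per client."""
    counts = Counter()
    for line in log_text.splitlines():
        addr = attacker_address(line)
        if addr is not None:
            counts[addr] += 1
    return counts


def block_candidates(log_text, threshold=3):
    """Addresses with at least `threshold` failures: the input a blocking rule would take."""
    return sorted(addr for addr, n in failure_counts(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for addr, n in failure_counts(SAMPLE_LOG).most_common():
        print("%-16s %d" % (addr, n))
    print("candidates:", block_candidates(SAMPLE_LOG))
```

The injected 217.14.64.1 never appears in the counts because the regex only accepts the address sshd itself appended at the end of the message, and the "John Doe" username that breaks a field count is handled for the same reason. ipaddress.ip_address() accepts IPv6 as well, so a host logging IPv6 clients needs no second pattern. What this does not address is the separate local race Tavis Ormandy raised, which concerns what the blocking script does with the address once it has it.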
Re: [Full-disclosure] Nmap Online
On 12/1/06, Jason Miller [EMAIL PROTECTED] wrote:
> I agree with Dave on this one.
>
> Dude Van, I thought it was illegal in the states..? Or am I mistaken?

http://www.securityfocus.com/news/126

> Also, think of this from the ISP's view, do they really want a service port scanning their users? And look at it this way, said target has a proxy server on it, attacker proxies into the proxy and scans the target server with that service, since he is now on the target's IP address, I think you understand what I'm getting at by now. nmap is made to find exploits, that is what this service is going to wind up being abused for (in most cases that I know).

nmap is used to find open ports and fingerprint OS's. What you do with that info is up to you. Here is an example of what is legal vs what isn't: If you scan a machine with nmap from one machine, that is not illegal. If you run 100,00 nmap scans from a distributed botnet and take down their server, that's illegal. If your nmap scan tells you that port 80 is open and you run a nessus scan and find that they are vulnerable to a bug in their webserver is that illegal? I do know if you exploit that weakness and backdoor their machine, you just broke the law, but am unsure about nessus's legality on systems you don't have a get out of jail free card for or own. I have no doubt about nmap though. as long as you don't take down their servers with the scans, you are legit.

-JP
[Full-disclosure] Financial firms warned of Qaeda cyber attack
From the Reuters article:

  WASHINGTON (Reuters) - The U.S. government warned American private financial services on Thursday of an al Qaeda call for a cyber attack against online stock trading and banking Web sites beginning on Friday, a source said.

Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.

More at
http://today.reuters.com/News/newsArticle.aspx?type=internetNews&storyID=2006-12-01T061519Z_01_WBT006236_RTRUKOC_0_US-SECURITY-USA-QAEDA.xml&WTmodLoc=InternetNewsHome_C1_%5bFeed%5d-8

SANS Internet Storm Center (ISC) has issued the following Diary entries, several references included:

From ISC director Marcus H. Sachs:
http://isc.sans.org/diary.php?storyid=1900

and the US DHS banking alert entry released earlier by Johannes Ullrich:
http://isc.sans.org/diary.php?storyid=1899

- Juha-Matti
Re: [Full-disclosure] Nmap Online
> Service unavailable. Please try again later.

That was quick!

Col.
Re: [Full-disclosure] Nmap Online
Maybe it got hacked? ...I wonder if someone probably didn't like all the portscans they got from it (thinks of Microsoft) and took it out?

David.

Col [EMAIL PROTECTED] 12/1/2006 7:48 am
>> Service unavailable. Please try again later.
>
> That was quick!
>
> Col.

__
Founded in Faith - Preserved with Pride - Sustained by Spirit
__
[Full-disclosure] Layered Defense Advisory: Novell Client 4.91 Format String Vulnerability
==
Layered Defense Advisory
1 December 2006
==

1) Affected Software
Novell Client 4.91 SP2
Novell Client 4.91 SP2 Patch Kit
Novell Client 4.91 SP3
Earlier versions may also be vulnerable
==

2) Severity
Rating: Low - Medium risk
Impact: Read arbitrary memory, denial of service.
==

3) Description of Vulnerability
A format string vulnerability was discovered within Novell Client 4.91. The vulnerability is due to improper processing of format strings within the NMAS (Novell Modular Authentication Services) Information message window. An attacker who enters specially crafted format strings in the Username field at the Novell logon and selects Sequences under the NMAS tab can read data from the winlogon process stack or read from arbitrary memory, and at a minimum cause a denial of service.
==

4) Solution
Fix: Presently no patch is available.
Work around: Disable NMAS Authentication
==

5) Time Table:
07/15/2006 Reported Vulnerability to Vendor.
08/21/2006 Vendor released Novell Client - 4.91 SP2 Patch Kit which made the vulnerability worse. (This patch made it easier to read arbitrary memory)
09/17/2006 Contacted Vendor about increased risk with SP2 Patch Kit
11/28/2006 Received the following message from Vendor: "At this point in time, development has determined this is a very low priority and apparently it will be some time before the issue is addressed. I have reported this to our Security Review Board so development's claim can be re-examined. As such, you certainly have every right to publish your findings at this time. The bug will remain open against the product. Hopefully this can be fixed in the near future"
==

6) Credits
Discovered by Deral Heiland, www.LayeredDefense.com
==

7) About Layered Defense
Layered Defense is a group of security professionals that work together on ethical Research, Testing and Training within the information security arena.
http://www.layereddefense.com
==
Re: [Full-disclosure] Nmap Online
We have set limits to prevent abuse of our service. Yes, one can still scan someone else's network; this is in violation of our Terms of Service. We log every attempt and we are ready to provide these logs to authorities.

However, everyone who has Internet access is able to download Nmap and do a similar scan. You can do nothing more with our service. There is no damage you can cause with our service even if it is abused.

We believe that the pros outweigh the cons here, that people will use our service to fix their issues on their firewalls and networks.

--
David Matousek
Founder and Chief Representative of Matousec - Transparent security
http://www.matousec.com/

David Taylor wrote:
> How do you plan on dealing with all the abuse complaints you get hit with when people use your server to perform unauthorized scans of their networks?
>
> ==
> David Taylor // Sr. Information Security Specialist
> University of Pennsylvania Information Security
> Philadelphia PA USA
> (215) 898-1236
> http://www.upenn.edu/computing/security/
> ==
> Shadowserver Foundation Member
> http://www.shadowserver.org/
> ==
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Matousek
> Sent: Tuesday, November 28, 2006 3:19 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Nmap Online
>
> Hello,
>
> For all Nmap fans, our group has implemented the Nmap Online service. Its address is http://nmap-online.com/. The interface allows you to perform custom Nmap scans from our server with only a few limitations in the syntax. The service is free and can be used immediately, no registration is required. Please direct your questions and suggestions to our emails.
>
> Regards,
[Full-disclosure] how to hide files, services and process in windows 2k/xp/2k3 box
I am trying to find a rootkit to hide processes and DLLs from World of Warcraft but can't find where to download the AFX rootkit. Can you direct me to where to download the rootkit and instructions? Thanks!
Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack
From the Reuters article:

WASHINGTON (Reuters) - The U.S. government warned American private financial services on Thursday of an al Qaeda call for a cyber attack against online stock trading and banking Web sites beginning on Friday, a source said.

Reminds me of US Bombs' song "The World" ;)

Julio Cesar Fort
Recife, PE, Brazil
www.rfdslabs.com.br - computers, sex, human mind, music and more.
Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack
Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.

And since when is DHS credible itself? And why do people scatter every time their terrorism mood ring changes color? I guess they don't realize that servers overheat when wrapped with plastic and duct tape.

~Mike.
Re: [Full-disclosure] Nmap Online
...I wonder if someone probably didn't like all the portscans they got from it (thinks of Microsoft) and took it out? David.

Heck .. how to portscan Microsoft has been in the Nmap man page for ages (even in the help you get when you execute it without arguments) .. although it's not in the latest version (it was the -P0 option). It still has Microsoft as an example in the usage text though:

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

~Mike.
Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack
I beg to differ Mike, they are trying to play the same lame-ass game as the (Bush) oil industry, trying to raise interest rates because Osama Bin Laden is going to hack everyone's account. Not so smart. I guess I'd better withdraw all my American money and buy Euros to be safe?

On Friday, December 01, 2006 9:04 AM, Michael Holstein wrote:
Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.

Date: Fri, 01 Dec 2006 10:04:39 -0500
From: Michael Holstein
Subject: Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack

and since when is DHS credible itself? and why do people scatter every time their terrorism mood ring changes color? I guess they don't realize that servers overheat when wrapped with plastic and duct tape. ~Mike.

Great Spirits Have Always Encountered Violent Opposition From Mediocre Minds - Einstein
So much stupidity in so little brain!
Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack
Teehee, yeah.. and they are gonna use pen-guns like in James Bond, expose Iraq's WMDs, and topple the entire western world too... since when do caves even have connections?

On Fri, Dec 01, 2006 at 04:34:06PM +0200, Juha-Matti Laurio wrote:
From the Reuters article: WASHINGTON (Reuters) - The U.S. government warned American private financial services on Thursday of an al Qaeda call for a cyber attack against online stock trading and banking Web sites beginning on Friday, a source said. Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.

More at http://today.reuters.com/News/newsArticle.aspx?type=internetNewsstoryID=2006-12-01T061519Z_01_WBT006236_RTRUKOC_0_US-SECURITY-USA-QAEDA.xmlWTmodLoc=InternetNewsHome_C1_%5bFeed%5d-8

SANS Internet Storm Center (ISC) has issued the following Diary entries, several references included:
From ISC director Marcus H. Sachs: http://isc.sans.org/diary.php?storyid=1900
and the US DHS banking alert entry released earlier by Johannes Ullrich: http://isc.sans.org/diary.php?storyid=1899

- Juha-Matti

-- http://chedder.hacked.in
Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack
On Fri, 01 Dec 2006 11:37:43 -0300, Julio Cesar Fort said:
From the Reuters article: WASHINGTON (Reuters) - The U.S. government warned American private financial services on Thursday of an al Qaeda call for a cyber attack against online stock trading and banking Web sites beginning on Friday, a source said.

We're lucky that al Qaeda didn't call for a bioterrorism attack, like flesh-eating bacteria in the entire US supply of Hanes jockey shorts. ;)
[Full-disclosure] phpmyfaq exploit using PHP bug, CVE-2006-1490
A long time ago I made unnecessary noise about a PHP zero-day. I expected it to be maybe much more dangerous than it appeared to be in the end. There was a lot of discussion and one of the main consensuses was that this bug is not exploitable in the real world because no one is using those vulnerable functions. This bug was originally found using the phpmyfaq software and a wrong assumption was made about the breadth of the problem. Anyway, now half a year later it is time to show the exploit:

curl "http://vulnerablehost/phpmyfaq/admin/index.php" -D - -d "faqusername=%00VERYLONGSTRINGHER"

The longer the input you provide, the longer the memory dump you get. Works if PHP is unpatched AND phpmyfaq is older than 1.6.0. The memory dump you get is part of Apache's memory and often contains sensitive information from other served pages and contexts.

To make it clear - this is NOT the fault of the phpmyfaq people at all. Even more, they made a workaround within an hour after I contacted them and urged users to upgrade. It is just that phpmyfaq appears to be one popular piece of software which is easily findable by Google, and this was the software where the initial discovery was made. PHP people knew about the problem but ignored it for long enough for it to be discovered independently of them.

Tõnu
Re: [Full-disclosure] how to hide files, services and process in windows 2k/xp/2k3 box
Mark Baker wrote:
I am trying to find a rootkit to hide processes and DLLs from World of Warcraft but can't find where to download the AFX rootkit. Can you direct me to where to download the rootkit and instructions?

The home page seems to be down. You can download AFX 2005 here: www.rootkit.com/vault/therealaphex/AFXRootkit2005.zip

They also have a nice selection of alternatives. But why would you want to cheat at Warcraft? Must be Alliance.

Cheers
Colin
Re: [Full-disclosure] Nmap Online
On 01 Dec 2006 08:31:11 -0800, Randal L. Schwartz merlyn@stonehenge.com wrote:

"Dude" == Dude VanWinkle [EMAIL PROTECTED] writes:
Dude> On 12/1/06, Mike Huber [EMAIL PROTECTED] wrote:
Dude> > first of all, IANAL, but the TOS seem to cover the basics...
Dude> snip
Dude> > None-the-less, my 8-ball sees litigation in their future.
Dude> portscanning isn't illegal in the states

If it can be argued as unauthorized access, it's at least a misdemeanor in many states, a felony in some. And you don't want to be on the wrong end of that prosecution.
-- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095

It's obvious that anyone who hires Stonehenge Consulting Services is getting someone who can't read. I never said portscanning was illegal. I said it isn't illegal. I even provided a link to the case in Georgia that helped decide this.

-JP, who is amazed at who can charge $250/hr these days
Re: [Full-disclosure] Nmap Online
On 01 Dec 2006 08:33:00 -0800, Randal L. Schwartz merlyn@stonehenge.com wrote:

"Dude" == Dude VanWinkle [EMAIL PROTECTED] writes:
Dude> Here is an example of what is legal vs what isn't: If you scan a
Dude> machine with nmap from one machine, that is not illegal. If you run
Dude> 100,000 nmap scans from a distributed botnet and take down their
Dude> server, that's illegal.

It's clear you're not a lawyer, and anyone who takes your advice here would be a fool. But I just wanted to point that out again for the clueless.

So if you are disagreeing with one of the above statements, then one of the following must be true in your opinion:
you _can_ legally DoS someone's server with 100,000 nmap scans
or
It is illegal to portscan

Learn to read, buddy.

-JP
Re: [Full-disclosure] Nmap Online
"Dude" == Dude VanWinkle [EMAIL PROTECTED] writes:
Dude> On 12/1/06, Mike Huber [EMAIL PROTECTED] wrote:
Dude> > first of all, IANAL, but the TOS seem to cover the basics...
Dude> snip
Dude> > None-the-less, my 8-ball sees litigation in their future.
Dude> portscanning isn't illegal in the states

If it can be argued as unauthorized access, it's at least a misdemeanor in many states, a felony in some. And you don't want to be on the wrong end of that prosecution.

-- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
merlyn@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: [Full-disclosure] Nmap Online
"Dude" == Dude VanWinkle [EMAIL PROTECTED] writes:
Dude> Here is an example of what is legal vs what isn't: If you scan a
Dude> machine with nmap from one machine, that is not illegal. If you run
Dude> 100,000 nmap scans from a distributed botnet and take down their
Dude> server, that's illegal.

It's clear you're not a lawyer, and anyone who takes your advice here would be a fool. But I just wanted to point that out again for the clueless.

-- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
merlyn@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack
HOLY SHIT!!! What if they are responsible for Japanese game shows!?

On Fri, Dec 01, 2006 at 04:33:56PM +0000, [EMAIL PROTECTED] wrote:
Valdis, or worse a Japanese game show I think? http://www.glumbert.com/media/tonguetwister.html

-- Original message --
From: [EMAIL PROTECTED]

-- http://chedder.hacked.in
[Full-disclosure] [SECURITY] [DSA 1223-1] New tar packages fix arbitrary file overwrite
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1223-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                           Noah Meyerhans
December 01, 2006
- ------------------------------------------------------------------------

Package        : tar
Vulnerability  : input validation error
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2006-6097
BugTraq ID     : 21235
Debian Bug     : 399845

Teemu Salmela discovered a vulnerability in GNU tar that could allow a malicious user to overwrite arbitrary files by inducing the victim to attempt to extract a specially crafted tar file containing a GNUTYPE_NAMES record with a symbolic link.

For the stable distribution (sarge), this problem has been fixed in version 1.14-2.3.

For the unstable distribution (sid) and the forthcoming stable release (etch), this problem will be fixed in version 1.16-2.

We recommend that you upgrade your tar package.

Upgrade instructions
- --------------------

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian 3.1 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

Source archives:
http://security.debian.org/pool/updates/main/t/tar/tar_1.14.orig.tar.gz
    Size/MD5 checksum: 1485633 3094544702b1affa32d969f0b6459663
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3.diff.gz
    Size/MD5 checksum:   51004 d6513454cbe12eec5908c2b41253f843
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3.dsc
    Size/MD5 checksum:     554 85503d4264d7b39c7969051c3661fa96

alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_alpha.deb
    Size/MD5 checksum:  520736 4b14a87c6e8b4dda327d802eddcf9af7

amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_amd64.deb
    Size/MD5 checksum:  503902 98a8169210eb273252a7997c726c4333

arm architecture (ARM)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_arm.deb
    Size/MD5 checksum:  500266 49ef1817d4ee1753f66bd37be8f91455

hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_hppa.deb
    Size/MD5 checksum:  517810 5f48745a747ee36c330d97f3bc5cc980

i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_i386.deb
    Size/MD5 checksum:  499560 c764b0894f6c3317a78124177cfed9fe

ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_ia64.deb
    Size/MD5 checksum:  543432 0dc8b4d66a82d05d7b68f2dbee960791

m68k architecture (Motorola Mc680x0)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_m68k.deb
    Size/MD5 checksum:  489058 381e468152e0a5a37113f412f13d85a7

mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_mips.deb
    Size/MD5 checksum:  520512 29bc4c6133bfeb259175fea45277a647

mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_mipsel.deb
    Size/MD5 checksum:  520258 ed3b0aadf8720c97a1df6334a90efe3c

powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_powerpc.deb
    Size/MD5 checksum:  506908 3a57a912dc159ee20d47ca1591a68619

s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_s390.deb
    Size/MD5 checksum:  511972 79cb92aaeee839c2d82efe743a8cea59

sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_sparc.deb
    Size/MD5 checksum:  499698 d260b9f5db00b12414d6136c63e37202

These files will probably be moved into the stable distribution on its next update.

- ------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFcFcbYrVLjBFATsMRAn5hAJ93K1jekZBwWNyIksJkhFoJjcFczwCdHu23
g3FxyAVvV5ABJFj/9m4O8iE=
=Es6i
-----END PGP SIGNATURE-----
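The DSA above describes a crafted archive whose GNUTYPE_NAMES record carries a symbolic link; the usual way a link inside an archive becomes an arbitrary file overwrite is a later member whose path runs through that link, so extraction follows it out of the destination directory. Before handing an untrusted archive to tar, that shape can be checked for. Added example, not Debian's or GNU tar's code: a minimal walker over 512-byte ustar header blocks that reports symlinks and hard links, paths that escape the destination, members written through an earlier symlink, and type flags outside the plain file/directory set (which is where the obsolete GNU 'N' names record would land). The constructed archive, the field offsets used, and the function names are assumptions for illustration; the walker does not verify header checksums or handle long-name extensions.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK 512
#define MAX_FINDINGS 16

/* Offsets of the ustar header fields used here. */
enum { NAME_OFF = 0, SIZE_OFF = 124, CHKSUM_OFF = 148, TYPE_OFF = 156, LINK_OFF = 157 };

struct finding { char name[101]; char target[101]; const char *reason; };

static unsigned long parse_octal(const unsigned char *p, size_t n)
{
    unsigned long v = 0;
    for (size_t i = 0; i < n && p[i] >= '0' && p[i] <= '7'; i++)
        v = v * 8 + (unsigned long)(p[i] - '0');
    return v;
}

/* True if path equals prefix or lies below "prefix/". */
static int under(const char *prefix, const char *path)
{
    size_t n = strlen(prefix);
    return strncmp(path, prefix, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Walk the header blocks and report members that would let a default
 * extraction write outside the destination, or through a link into it. */
int audit_tar(const unsigned char *buf, size_t len, struct finding *out, int max)
{
    char links[MAX_FINDINGS][101];       /* symlinks seen so far, in archive order */
    int nlinks = 0, count = 0;

    for (size_t off = 0; off + BLOCK <= len && buf[off] != '\0';) {
        const unsigned char *h = buf + off;
        unsigned char type = h[TYPE_OFF];
        unsigned long size = parse_octal(h + SIZE_OFF, 12);
        const char *reason = NULL;
        struct finding f = {{0}, {0}, NULL};

        memcpy(f.name, h + NAME_OFF, 100);
        memcpy(f.target, h + LINK_OFF, 100);
        if (f.name[0] == '/' || strncmp(f.name, "../", 3) == 0 || strstr(f.name, "/../"))
            reason = "escapes destination directory";
        else if (type == '2')
            reason = "symlink";
        else if (type == '1')
            reason = "hardlink";
        else if (type != '0' && type != '\0' && type != '5')
            reason = "unexpected type flag";      /* e.g. the GNU 'N' names record */
        else
            for (int i = 0; i < nlinks; i++)
                if (under(links[i], f.name)) { reason = "written through an earlier symlink"; break; }

        if (reason && count < max) { f.reason = reason; out[count++] = f; }
        if (type == '2' && nlinks < MAX_FINDINGS)
            memcpy(links[nlinks++], f.name, sizeof f.name);
        off += BLOCK + ((size + BLOCK - 1) / BLOCK) * BLOCK;   /* header + data blocks */
    }
    return count;
}

/* Emit one ustar header with a valid checksum; the caller appends data blocks. */
static void put_header(unsigned char *b, const char *name, unsigned char type,
                       const char *linkname, unsigned long size)
{
    unsigned sum = 0;
    memset(b, 0, BLOCK);
    memcpy(b + NAME_OFF, name, strlen(name));
    snprintf((char *)b + 100, 8, "%07o", 0644u);
    snprintf((char *)b + SIZE_OFF, 12, "%011lo", size);
    b[TYPE_OFF] = type;
    if (linkname)
        memcpy(b + LINK_OFF, linkname, strlen(linkname));
    memcpy(b + 257, "ustar\0" "00", 8);
    memset(b + CHKSUM_OFF, ' ', 8);              /* checksum is computed over spaces */
    for (int i = 0; i < BLOCK; i++)
        sum += b[i];
    snprintf((char *)b + CHKSUM_OFF, 7, "%06o", sum);
    b[CHKSUM_OFF + 7] = ' ';
}

/* Constructed archive (not a real sample): a README, a symlink to /etc, a member
 * whose path runs through that link, a traversal name, and an entry carrying
 * the obsolete GNU 'N' type flag. Needs a buffer of 8 * BLOCK bytes. */
size_t build_sample_archive(unsigned char *buf)
{
    put_header(buf, "pkg/README", '0', NULL, 6);
    memset(buf + BLOCK, 0, BLOCK);
    memcpy(buf + BLOCK, "hello\n", 6);
    put_header(buf + 2 * BLOCK, "pkg/etc", '2', "/etc", 0);
    put_header(buf + 3 * BLOCK, "pkg/etc/passwd", '0', NULL, 0);
    put_header(buf + 4 * BLOCK, "../outside", '0', NULL, 0);
    put_header(buf + 5 * BLOCK, "pkg/names", 'N', NULL, 0);
    memset(buf + 6 * BLOCK, 0, 2 * BLOCK);       /* end-of-archive marker */
    return 8 * BLOCK;
}

struct finding sample_findings[MAX_FINDINGS];

/* Audit the constructed archive into sample_findings; returns the count. */
int sample_finding_count(void)
{
    unsigned char buf[8 * BLOCK];
    return audit_tar(buf, build_sample_archive(buf), sample_findings, MAX_FINDINGS);
}

int main(void)
{
    int n = sample_finding_count();
    for (int i = 0; i < n; i++)
        printf("%-16s %s %s\n", sample_findings[i].name, sample_findings[i].reason, sample_findings[i].target);
    return 0;
}
```

Current GNU tar already strips leading slashes and refuses ".." components by default; the symlink-then-write-through-it pattern is the one a pre-extraction check still earns its keep on, because each member is legal on its own.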
Re: [Full-disclosure] Nmap Online
On 01 Dec 2006 08:54:23 -0800, Randal L. Schwartz merlyn@stonehenge.com wrote:

"Dude" == Dude VanWinkle [EMAIL PROTECTED] writes:
Dude> It's obvious that anyone who hires Stonehenge Consulting Services is
Dude> getting someone who can't read. I never said portscanning was illegal.
Dude> I said it isn't illegal.

And I'm disagreeing with this. Why?

Dude> I even provided a link to the case in
Dude> Georgia that helped decide this.

If there's caselaw in Georgia, that's useful for Georgia, but certainly isn't referencable in the 49 other states. So you can't generalize that.

So, you are disagreeing with Kevin, who states (http://www.securityfocus.com/news/126): "The ruling does not affect criminal applications of the anti-hacking law, but federal law enforcement officials are generally in agreement that port scanning is not a crime."

Do you know of a case where someone was convicted due to a portscan? I can imagine that a portscan may be used in conjunction with other evidence to build a case for intent, but I have not heard of anyone being busted for an nmap scan.

I was going to build the case, but it looks like someone has already done it for me. From http://www.krcf.org/krcfhome/MINDS_NEWYORK/1MoC3e_d.htm:

snip
Only one published opinion has considered the legality of port scans. That court held that such activity did not violate federal or state computer protection statutes or other law. The federal district court for the Northern District of Georgia held that a party who conducted port scans of another party's computer systems did not violate the Computer Fraud and Abuse Act (18 U.S.C. s. 1030) [1], because he neither caused damage nor gained access to the computers at issue. Moulton v. VC3, 2000 WL 3331091 at *6 (N.D. Ga., Nov. 7, 2000). Nor did the port scans violate state law, because they did not interfere with computer or network activity.

References:
[1] The Computer Fraud and Abuse Act: http://www.usdoj.gov:80/criminal/cybercrime/1030_new.html
[2] Moulton v. VC3, 2000 WL 3331091 (N.D. Ga., Nov. 7, 2000)
[3] Computer Crime and Intellectual Property Section, U.S. Department of Justice, Legislative Analysis of the 1996 National Information Infrastructure Protection Act: http://www.usdoj.gov:80/criminal/cybercrime/1030_anal.html
[4] Computer Crime and Intellectual Property Section, U.S. Department of Justice, Field Guidance on New Authorities That Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001: http://www.usdoj.gov:80/criminal/cybercrime/PatriotAct.htm
---

So back to my earlier statement: if you Nessus someone's machine, that would impact their performance and be illegal; a single nmap scan, not so much. Now I am not saying that some hot-shot lawyer wouldn't be able to convince a judge to imprison someone for an nmap scan, but while you may be able to convince a judge that OJ didn't do it, murder is still illegal.

-JP, who has seen someone convicted of hacking from remote via evidence that was 192.168.x IP addresses in the logs
Re: [Full-disclosure] Nmap Online
On 01 Dec 2006 08:54:23 -0800, Randal L. Schwartz merlyn@stonehenge.com wrote:
If there's caselaw in Georgia, that's useful for Georgia, but certainly isn't referencable in the 49 other states.

Actually, it is. It is called legal precedence.
Re: [Full-disclosure] Nmap Online
"Dude" == Dude VanWinkle [EMAIL PROTECTED] writes:
Dude> On 01 Dec 2006 08:54:23 -0800, Randal L. Schwartz merlyn@stonehenge.com wrote:
Dude> > If there's caselaw in Georgia, that's useful for Georgia, but certainly
Dude> > isn't referencable in the 49 other states.
Dude> actually, it is. it is called legal precedence

It wasn't clear from your posting that you were talking about a federal case. In that case, yes, it's caselaw. However, if it was just Georgia state law, that would *not* create case law for any other state.

By the way, caselaw and legal precedent are the same.

-- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
merlyn@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: [Full-disclosure] Nmap Online
On 12/1/06, Randall M [EMAIL PROTECTED] wrote:
[ Message: 11
[ Date: Fri, 1 Dec 2006 06:48:38 -0500
[ From: Dude VanWinkle [EMAIL PROTECTED]
[ Subject: Re: [Full-disclosure] Nmap Online
[ To: Mike Huber [EMAIL PROTECTED]
[ Cc: full-disclosure@lists.grok.org.uk
[ Message-ID: [EMAIL PROTECTED]
[ Content-Type: text/plain; charset=ISO-8859-1; format=flowed
[
[ On 12/1/06, Mike Huber [EMAIL PROTECTED] wrote:
[ > first of all, IANAL, but the TOS seem to cover the basics...
[ snip
[ > None-the-less, my 8-ball sees litigation in their future.
[
[ portscanning isn't illegal in the states
[
[ -JP, who really hopes IANAL has something to do with not being a lawyer
[
[ RandallM, wondering if JP learned this from experience!

-JP, who thinks getting screwed in the ass and hiring a lawyer are close enough that it doesn't matter what the acronym means
Re: [Full-disclosure] Nmap Online
On 01 Dec 2006 09:36:58 -0800, Randal L. Schwartz merlyn@stonehenge.com wrote:

"Dude" == Dude VanWinkle [EMAIL PROTECTED] writes:
Dude> On 01 Dec 2006 08:54:23 -0800, Randal L. Schwartz merlyn@stonehenge.com wrote:
Dude> > If there's caselaw in Georgia, that's useful for Georgia, but certainly
Dude> > isn't referencable in the 49 other states.
Dude> actually, it is. it is called legal precedence

It wasn't clear from your posting that you were talking about a federal case.

Well, try reading the material I reference before saying that anyone who listens to me is a fool next time, please.

In that case, yes, it's caselaw. However, if it was just Georgia state law, that would *not* create case law for any other state. By the way, caselaw and legal precedent are the same.

Thanks for the info, I learned something new today, which makes it a good day.
Re: [Full-disclosure] Nmap Online
On 12/1/06, Mike Huber [EMAIL PROTECTED] wrote:
first of all, IANAL, but the TOS seem to cover the basics... However, I am unsure whether they would hold up under strict legal scrutiny. As far as I can tell, they may hold up under US criminal law, but not under civil law, as tort law has its own wonderful little eccentricities. The best safeguard they seem to have is that they must log the source IP of all scan requests... As far as I know, anyone who takes the time to read the nmap man page should be able to craft a scan which won't be detected by the scanned host (can someone be a definitive source on this point?), and anyone taking malicious action ought to be taking sufficient precautions to avoid detection anyway. None-the-less, my 8-ball sees litigation in their future.

All nmap scans are detectable. All port scans are detectable. Just depends on how hard you're looking.
Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack
On 12/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
I beg to differ Mike, they are trying to play the same lame-ass game as the (Bush) oil industry, trying to raise interest rates because Osama Bin Laden is going to hack everyone's account. Not so smart. I guess I'd better withdraw all my American money and buy Euros to be safe?

On Friday, December 01, 2006 9:04 AM, Michael Holstein wrote:
Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.

Date: Fri, 01 Dec 2006 10:04:39 -0500
From: Michael Holstein
Subject: Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack

and since when is DHS credible itself? and why do people scatter every time their terrorism mood ring changes color? I guess they don't realize that servers overheat when wrapped with plastic and duct tape. ~Mike.

Great Spirits Have Always Encountered Violent Opposition From Mediocre Minds - Einstein
So much stupidity in so little brain!

If you ever plan to get money out of the bank, you better do it now, while the getting is good. In a bank run, the federal government (guardian angel and loyal slave of the banks) would most certainly declare a moratorium on withdrawals.

More and more people are hearing the recommendation to withdraw a little extra cash out of the banks to prepare for cyber attacks. If as many as 1.32% of bank depositors take their advice and withdraw all their money, the banks will close their doors.

Al Qaeda threatens to disrupt the electronic bank payments system. This system contributes about 90% of the US money supply. Without it, 10% of the money supply (the cash and coin) must take over the work of the other 90%.

Conclusion: Withdraw and stockpile some cash now. Shoot for at least three months' cash requirements. Don't wait. Start now.

-- Paul Milne
If you live within five miles of a 7-11, you're toast. (thanks, Paul, wherever you are!)
[Full-disclosure] 802.1X tool?
Hi folks,

I am trying to find a tool which provides automatic client configuration for an 802.1X implementation in a Windows environment. I'm trying to implement 802.1x authentication for both wired and wireless connections. Is there any remote client configuration tool for the win32 environment? Will I be able to do that? I'd appreciate any real world experience on the subject.

thanks
-- Ozan Ozkara [EMAIL PROTECTED]
Re: [Full-disclosure] 802.1X tool?
Okay .. wait, maybe I didn't understand your question.

Windows XP (post SP1) can natively do 802.1x on both wired and wireless connections. Windows 2000 can do it if you get this: http://support.microsoft.com/kb/313664

You can push the 802.1x details out via GPO: http://technet2.microsoft.com/WindowsServer/en/Library/5506eeef-9e91-4cab-8e1e-3efb504d1b471033.mspx

The wired instructions are similar.

If you're not in a domain model (ie: you're talking about a college resnet, etc) you're out of luck on the GPOs, but you can do it other ways (package your own script, .reg file, etc .. but telling people to click OK on a .reg file is a *bad* thing to do...).

It gets a bit trickier if you're using client-side certs, more so if you're not using a Microsoft CA to issue them, but certainly not impossible (eg: you've got to import the root and client certs manually, not to mention getting OpenSSL/whatever to cough up ones that MS understands) ...

Cheers,
Michael Holstein CISSP GCIA
Cleveland State University

Ozan Ozkara wrote:
Hi folks, I am trying to find a tool which provides automatic client configuration for an 802.1X implementation in a Windows environment. I'm trying to implement 802.1x authentication for both wired and wireless connections. Is there any remote client configuration tool for the win32 environment? Will I be able to do that? I'd appreciate any real world experience on the subject. thanks
[Full-disclosure] iDefense Security Advisory 12.01.06: Novell ZENworks Asset Management Collection Client Heap Overflow Vulnerability
Novell ZENworks Asset Management Collection Client Heap Overflow Vulnerability

iDefense Security Advisory 12.01.06
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 01, 2006

I. BACKGROUND

Novell Inc's ZENworks is a set of tools used to automate IT management and business processes across the various computing resources within an organization. The Collection Client provides functionality, as a service, that will supply the Collection Server with information regarding the managed machine's hardware and software configuration. For more information, visit http://www.novell.com/products/zenworks/

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Novell Inc.'s ZENworks Asset Management could potentially allow an attacker to execute arbitrary code with SYSTEM privileges on Windows or root on the various supported UNIX based operating systems.

A heap overflow may occur when processing specially crafted packets sent to the Collection Client daemon. The root cause of this vulnerability is identical to that of the vulnerability in Msg.dll. For more information please consult the Msg.dll advisory.

III. ANALYSIS

Successful exploitation of this vulnerability could allow a remote attacker to take complete control of the affected system. While researching this vulnerability, iDefense Labs found that the Task Server and Collection Server components were also affected. It seems that the Collection Client is statically linked with the Msg.dll library.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version 7.0.0.36 of the CClient.exe and Msg.dll files included with Novell Inc's ZENworks Asset Management 7.0 SP1. Older versions are suspected to be vulnerable as well.

V. WORKAROUND

iDefense is unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

Novell's ZENworks team has addressed this vulnerability within ZENworks 7 Asset Management SP1 IR11. More information can be found by visiting http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974824.htm

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

10/16/2006 Initial vendor notification
10/19/2006 Initial vendor response
12/01/2006 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Eric Detoisien.

Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
[Full-disclosure] iDefense Security Advisory 12.01.06: Novell ZENworks Asset Management Msg.dll Heap Overflow Vulnerability
Novell ZENworks Asset Management Msg.dll Heap Overflow Vulnerability

iDefense Security Advisory 12.01.06
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 01, 2006

I. BACKGROUND

Novell Inc.'s ZENworks is a set of tools used to automate IT management and business processes across the various computing resources within an organization. The Task Server and Collection Server daemons provide functionality to manage a distributed network of machines. These daemons will typically only be running on the machine that is being used to manage assets. For more information, see http://www.novell.com/products/zenworks/

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Novell Inc.'s ZENworks Asset Management could potentially allow an attacker to execute arbitrary code with the privileges of the administrator. A heap overflow may occur when processing specially crafted packets sent to the Task Server or Collection Server daemons. This problem specifically exists due to an integer overflow when allocating memory for remotely supplied data.

III. ANALYSIS

Successful exploitation of this vulnerability could allow a remote attacker to take complete control of the affected system. While researching this vulnerability, iDefense Labs found that the Task Server and Collection Server components were both affected. Additionally, the Collection Client is statically linked with this library. Information on the vulnerability as it relates to the Collection Client can be found in a separate advisory.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version 7.0.0.36 of the CClient.exe and Msg.dll files included with Novell Inc.'s ZENworks Asset Management 7.0 SP1. Older versions are suspected to be vulnerable as well.

V. WORKAROUND

iDefense is unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

Novell's ZENworks team has addressed this vulnerability within ZENworks 7 Asset Management SP1 IR11. More information can be found by visiting http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974824.htm

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

10/16/2006 Initial vendor notification
10/19/2006 Initial vendor response
12/01/2006 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Eric Detoisien.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
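Both iDefense advisories above name the same root cause: an integer overflow while computing an allocation size from remotely supplied data, which turns into a heap overflow when the data is then copied into the undersized buffer. The following is an added example, constructed for this page and not Novell's code or the ZENworks wire format. The message layout (a 32-bit little-endian element count followed by 16-byte entries), the constants ENTRY_SIZE, HEADER_SIZE and MAX_MESSAGE, and the function names are assumptions. It shows the unchecked 32-bit multiply wrapping to a tiny size beside a hardened parser that computes the size in 64-bit arithmetic, caps it at the protocol maximum, and checks the declared count against the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed message layout for this example (NOT the ZENworks format):
 * a 32-bit little-endian element count, then `count` entries of 16 bytes.
 * The receiver copies the entries into a buffer with an 8-byte header. */
#define ENTRY_SIZE   16u
#define HEADER_SIZE  8u
#define MAX_MESSAGE  65536u   /* assumed upper bound on any valid message */

/* Vulnerable pattern: the allocation size is derived from the untrusted
 * count with plain 32-bit arithmetic. For count = 0x10000001 the product
 * 0x100000010 is truncated to 0x10, so the function returns 24 and a
 * later copy of count * 16 bytes overruns the heap chunk. */
uint32_t vulnerable_alloc_size(uint32_t count)
{
    return count * ENTRY_SIZE + HEADER_SIZE;   /* wraps silently */
}

/* Hardened form: widen before multiplying and refuse anything above the
 * protocol maximum, which also rules out every value that would wrap. */
int safe_alloc_size(uint32_t count, size_t *out)
{
    uint64_t need = (uint64_t)count * ENTRY_SIZE + HEADER_SIZE;
    if (need > MAX_MESSAGE)
        return -1;
    *out = (size_t)need;
    return 0;
}

/* Parse one message with the hardened size check. On success *out holds
 * a newly allocated buffer (caller frees) and the entry count is returned;
 * any malformed, oversized or short message yields -1 and no allocation. */
int parse_message(const uint8_t *msg, size_t msg_len, uint8_t **out)
{
    size_t need;
    uint32_t count;
    uint8_t *buf;

    if (msg_len < 4)
        return -1;
    count = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
            ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    if (safe_alloc_size(count, &need) != 0)
        return -1;
    /* The declared count must also be backed by bytes actually received;
     * otherwise the copy would read past the end of the input. */
    if ((uint64_t)count * ENTRY_SIZE > (uint64_t)(msg_len - 4))
        return -1;
    buf = malloc(need);
    if (buf == NULL)
        return -1;
    memset(buf, 0, HEADER_SIZE);
    memcpy(buf + HEADER_SIZE, msg + 4, (size_t)count * ENTRY_SIZE);
    *out = buf;
    return (int)count;
}

/* Self-check: a well-formed two-entry message is accepted, a message whose
 * count would wrap the 32-bit size is rejected, and the vulnerable size
 * computation is shown to produce the tiny value. Returns 1 on success. */
int self_check(void)
{
    uint8_t good[4 + 2 * ENTRY_SIZE] = {2, 0, 0, 0};   /* count = 2, entries zeroed */
    uint8_t bad[4] = {0x01, 0x00, 0x00, 0x10};         /* count = 0x10000001 */
    uint8_t *out = NULL;
    int ok = parse_message(good, sizeof good, &out) == 2;
    free(out);
    out = NULL;
    ok = ok && parse_message(bad, sizeof bad, &out) == -1 && out == NULL;
    ok = ok && vulnerable_alloc_size(0x10000001u) == 24u;
    return ok;
}

int main(void)
{
    printf("vulnerable size for count 0x10000001: %u bytes\n",
           vulnerable_alloc_size(0x10000001u));
    printf("self_check: %s\n", self_check() ? "pass" : "FAIL");
    return self_check() ? 0 : 1;
}
```

The two checks in parse_message are independent: the size cap stops the wrap that the advisory describes, and the comparison against msg_len stops the separate over-read that occurs when a sane count is simply larger than the packet. Reviewing length-prefixed parsers for exactly these two conditions is the practical takeaway from this class of bug.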
[Full-disclosure] [ MDKSA-2006:223 ] - Updated ImageMagick packages fix vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandriva Linux Security Advisory                         MDKSA-2006:223
http://www.mandriva.com/security/
___

Package : ImageMagick
Date: December 1, 2006
Affected: 2006.0, Corporate 3.0, Corporate 4.0
___

Problem Description:

Multiple buffer overflows in ImageMagick 6.0 before 6.0.6.2, and 6.2 before 6.2.4.5, have unknown impact and user-assisted attack vectors via a crafted SGI image.

Updated packages have been patched to correct this issue.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5868
___

Updated Packages:

Mandriva Linux 2006.0:
df62dd8449b08426a4188d5959b3f823 2006.0/i586/ImageMagick-6.2.4.3-1.4.20060mdk.i586.rpm
e87bbddff33171aae89d1d08400907a7 2006.0/i586/ImageMagick-doc-6.2.4.3-1.4.20060mdk.i586.rpm
8755d8beabe9a85f3e7a07b73d071c59 2006.0/i586/libMagick8.4.2-6.2.4.3-1.4.20060mdk.i586.rpm
2b6ae5e3b4c8e187e095442e7dcd5c24 2006.0/i586/libMagick8.4.2-devel-6.2.4.3-1.4.20060mdk.i586.rpm
d7e61aa5943b52eb374b0a2e44232e93 2006.0/i586/perl-Image-Magick-6.2.4.3-1.4.20060mdk.i586.rpm
e5875ef8dd63237d5c7c74a441b123fc 2006.0/SRPMS/ImageMagick-6.2.4.3-1.4.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
973d1bb7026248e93c9f1a16eba0cfaf 2006.0/x86_64/ImageMagick-6.2.4.3-1.4.20060mdk.x86_64.rpm
ca759633ecf8ef52b1c34f55d5a3af6d 2006.0/x86_64/ImageMagick-doc-6.2.4.3-1.4.20060mdk.x86_64.rpm
f65de07d50364a3c861f50ce6f11fee4 2006.0/x86_64/lib64Magick8.4.2-6.2.4.3-1.4.20060mdk.x86_64.rpm
c9e86c379bdfeb36e25bfd34e094b921 2006.0/x86_64/lib64Magick8.4.2-devel-6.2.4.3-1.4.20060mdk.x86_64.rpm
9d58fe1606d8f1f0f6a225df3ac58b48 2006.0/x86_64/perl-Image-Magick-6.2.4.3-1.4.20060mdk.x86_64.rpm
e5875ef8dd63237d5c7c74a441b123fc 2006.0/SRPMS/ImageMagick-6.2.4.3-1.4.20060mdk.src.rpm

Corporate 3.0:
fc15d48d236f0d1f738c795190081ddd corporate/3.0/i586/ImageMagick-5.5.7.15-6.9.C30mdk.i586.rpm
3ba801afddeb42759aebd891971b5fce corporate/3.0/i586/ImageMagick-doc-5.5.7.15-6.9.C30mdk.i586.rpm
35c8a337172b91501486381be4e0aa7d corporate/3.0/i586/libMagick5.5.7-5.5.7.15-6.9.C30mdk.i586.rpm
3273f233005c79adf0602ade443de675 corporate/3.0/i586/libMagick5.5.7-devel-5.5.7.15-6.9.C30mdk.i586.rpm
8dfce9d9e5e990c1203c1144ac34 corporate/3.0/i586/perl-Magick-5.5.7.15-6.9.C30mdk.i586.rpm
3cf9bff07102ada97373a66c5f4c6e05 corporate/3.0/SRPMS/ImageMagick-5.5.7.15-6.9.C30mdk.src.rpm

Corporate 3.0/X86_64:
0f8193fed5ac7b344398b9e99fe5bccb corporate/3.0/x86_64/ImageMagick-5.5.7.15-6.9.C30mdk.x86_64.rpm
bdae28be1bcacf4f5bc6d9bdfa589cbd corporate/3.0/x86_64/ImageMagick-doc-5.5.7.15-6.9.C30mdk.x86_64.rpm
fa4a5fe3e447770c33ef0596da8570fb corporate/3.0/x86_64/lib64Magick5.5.7-5.5.7.15-6.9.C30mdk.x86_64.rpm
8af081adcd750d5edec44bf1e85e5c7d corporate/3.0/x86_64/lib64Magick5.5.7-devel-5.5.7.15-6.9.C30mdk.x86_64.rpm
e238642447217ade5a772c4b12b492b3 corporate/3.0/x86_64/perl-Magick-5.5.7.15-6.9.C30mdk.x86_64.rpm
3cf9bff07102ada97373a66c5f4c6e05 corporate/3.0/SRPMS/ImageMagick-5.5.7.15-6.9.C30mdk.src.rpm

Corporate 4.0:
dde2f028a95732f3d5fd5bfd48ede727 corporate/4.0/i586/ImageMagick-6.2.4.3-1.4.20060mlcs4.i586.rpm
6affed772cabdc8e8eb6e6ed96efb178 corporate/4.0/i586/ImageMagick-doc-6.2.4.3-1.4.20060mlcs4.i586.rpm
426d44c76834a660ea48c09719048de2 corporate/4.0/i586/libMagick8.4.2-6.2.4.3-1.4.20060mlcs4.i586.rpm
4cc0f80f0bbfdbc1c26a497f14e2dd0d corporate/4.0/i586/libMagick8.4.2-devel-6.2.4.3-1.4.20060mlcs4.i586.rpm
9deab133788e00cf6487a057042c3ae0 corporate/4.0/i586/perl-Image-Magick-6.2.4.3-1.4.20060mlcs4.i586.rpm
0b75266159c73fcb8a0f7027d208bee2 corporate/4.0/SRPMS/ImageMagick-6.2.4.3-1.4.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
283a0751148b3468bd3e2281d819f08d corporate/4.0/x86_64/ImageMagick-6.2.4.3-1.4.20060mlcs4.x86_64.rpm
48ee2e7835b97a89e27342c3a27db913 corporate/4.0/x86_64/ImageMagick-doc-6.2.4.3-1.4.20060mlcs4.x86_64.rpm
fad038ed56f886f4656302721a616578 corporate/4.0/x86_64/lib64Magick8.4.2-6.2.4.3-1.4.20060mlcs4.x86_64.rpm
17b7841d6459f0a52662f43d16f09771 corporate/4.0/x86_64/lib64Magick8.4.2-devel-6.2.4.3-1.4.20060mlcs4.x86_64.rpm
dbcfd793204ead891cbf779c1075287e corporate/4.0/x86_64/perl-Image-Magick-6.2.4.3-1.4.20060mlcs4.x86_64.rpm
0b75266159c73fcb8a0f7027d208bee2 corporate/4.0/SRPMS/ImageMagick-6.2.4.3-1.4.20060mlcs4.src.rpm
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for
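The advisory notes that MandrivaUpdate and urpmi verify checksums and signatures automatically; an administrator who fetches packages by hand loses that step. The following is an added example, not part of the Mandriva advisory, that turns a listing in the advisory's layout (md5sum and path pairs, several per line or split across lines, with distribution headings in between) into input for md5sum -c and checks every listed file under a package directory. It assumes GNU coreutils md5sum and a POSIX sh; the function names and the sample package in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the Mandriva advisory): verify downloaded
# packages against the "md5sum path" pairs printed in an advisory before
# installing them by hand. Assumes GNU coreutils md5sum and POSIX sh.

# verify_listing LISTING_FILE PKG_DIR
# Reads hash/path pairs in any layout (several per line, or a hash at the
# end of one line and its path at the start of the next), ignores headings
# such as "Mandriva Linux 2006.0:", and checks each listed file relative to
# PKG_DIR. Returns 0 only if at least one pair was found and all verified.
verify_listing() {
    listing="$1"; pkgdir="$2"
    # join all lines so pairs split across a line break are still adjacent
    tr '\n' ' ' < "$listing" | awk '
        {
            for (i = 1; i < NF; i++) {
                # only a 32-hex-digit token followed by another token is a pair;
                # anything else (headings, truncated hashes) is skipped
                if (length($i) == 32 && $i ~ /^[0-9a-fA-F]+$/) {
                    print $i "  " $(i + 1); n++; i++
                }
            }
        }
        END {
            print n " hash/path pair(s) extracted" | "cat 1>&2"
            if (n == 0) exit 1        # an empty checklist must not pass
        }
    ' > "$pkgdir/.advisory-checklist" || {
        echo "no hash/path pairs found in $listing" >&2; return 1
    }
    ( cd "$pkgdir" && md5sum -c --quiet .advisory-checklist )
}

# demo_verify: constructed sample (not a real Mandriva package) showing a
# clean check passing and a tampered file being caught. Returns 0 if both
# behave as expected, 1 otherwise.
demo_verify() {
    tmp=$(mktemp -d) || return 1
    pkg="2006.0/i586/example-1.0.i586.rpm"
    mkdir -p "$tmp/pkgs/2006.0/i586"
    printf 'constructed package payload\n' > "$tmp/pkgs/$pkg"
    h=$(md5sum "$tmp/pkgs/$pkg" | cut -d' ' -f1)
    # listing in the advisory's layout: a heading, then the hash at the end
    # of one line and its path on the next
    printf 'Mandriva Linux 2006.0: %s\n%s\n' "$h" "$pkg" > "$tmp/listing.txt"
    verify_listing "$tmp/listing.txt" "$tmp/pkgs" || { rm -rf "$tmp"; return 1; }
    printf 'tampered\n' >> "$tmp/pkgs/$pkg"
    if verify_listing "$tmp/listing.txt" "$tmp/pkgs" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 1        # a modified file must not verify
    fi
    rm -rf "$tmp"
    return 0
}

if demo_verify; then
    echo "demo: clean listing verified, tampered file rejected"
else
    echo "demo: unexpected result"
fi
```

To use it on a real advisory, save the "Updated Packages" section to a file and run verify_listing with the directory the packages were downloaded into. The pair count printed to stderr matters: the listing above contains one token for perl-Magick on Corporate 3.0 that is shorter than 32 hex digits, and this parser skips it rather than guess, so a count lower than the number of files listed means one package went unchecked and needs its checksum confirmed from another source (the signed original, or the mirror's own md5sum file). Checksums alone only detect corruption; the GPG signature check the advisory refers to is what ties a package to Mandriva.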