[Full-disclosure] Hail list!
Hail list...

Could someone with a bit more experience (than me) please verify a few things. I came across a job listing yesterday (sys admin) for a Norwegian company called rubrikk.no. The guy who posted it clearly knows nothing about computers, talking about Windows server 2005, and maintaining "perl and reg.ex servers" (go figure). I ran a quick scan on the domain and found 54 vulns! (GFI LANguard) Netcraft says BSD, but why then is he talking about Winblows? Please tell me I found a honeypot? If not, please shut down the computer, it should not be on the internet!!!

I also have a couple of questions about software firewalls/routers:

1. M0n0wall or SmoothWall?

2. Looking for a low-footprint Windows firewall that's only supposed to do one thing: if someone hits port 110, block the IP for a week. (Should take care of most portscanners (skiddies).) And no, I'm not worried about blocking real users on the box.

Regards
Simon
www.supernoia.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
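The "hit port 110, get blocked for a week" trap Simon asks about, as an added example that is not part of his post or of any product he names: a listener that accepts connections on the trap port and keeps a ban list with per-address expiry. The firewall action itself is left as a callback (`enforce`), because the right command depends on which firewall the box runs and is not given here; the `BanList` class, `run_trap` function and the allow list are assumptions of this example.

```python
import socket
import time

WEEK = 7 * 24 * 3600


class BanList:
    """Source addresses that touched the trap port, each with a ban expiry time."""

    def __init__(self, duration=WEEK, allow=()):
        self.duration = duration
        self.allow = set(allow)   # addresses that are never banned (your own hosts)
        self.expires = {}         # ip -> unix time at which the ban lapses

    def record_hit(self, ip, now=None):
        """Ban ip for `duration` seconds from now (a repeat hit restarts the clock).
        Returns the expiry time, or None if ip is on the allow list."""
        now = time.time() if now is None else now
        if ip in self.allow:
            return None
        self.expires[ip] = now + self.duration
        return self.expires[ip]

    def is_banned(self, ip, now=None):
        now = time.time() if now is None else now
        expiry = self.expires.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.expires[ip]  # lazy expiry: forget the entry once it has lapsed
            return False
        return True

    def active(self, now=None):
        """Sorted list of addresses whose ban is still in force."""
        now = time.time() if now is None else now
        return sorted(ip for ip in list(self.expires) if self.is_banned(ip, now))


def run_trap(port, bans, enforce, bind="0.0.0.0", max_hits=None):
    """Accept TCP connections on `port`; every completed connection bans its source.

    enforce(ip, expiry) is the hook for the real firewall rule (netsh, pf, iptables,
    whatever the box runs); it is a callback because that command is platform
    specific and not given here. max_hits bounds the loop so it can be tested.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    hits = 0
    try:
        while max_hits is None or hits < max_hits:
            conn, (ip, _) = srv.accept()
            conn.close()  # nothing is served: the connection itself is the trigger
            hits += 1
            expiry = bans.record_hit(ip)
            if expiry is not None:
                enforce(ip, expiry)
    finally:
        srv.close()
    return hits


if __name__ == "__main__":
    def log_rule(ip, expiry):
        print("block %s until %s" % (ip, time.ctime(expiry)))

    # Port 110 as in the question; on Unix-like systems binding below 1024 needs root.
    run_trap(110, BanList(allow={"127.0.0.1"}), log_rule)
```

Two caveats a practitioner would want: only a completed TCP handshake reaches `accept()`, so a connect scan trips the trap while a half-open SYN scan (nmap's default as root) never does and has to be caught from firewall logs instead; and because the handshake completes, the source address cannot be spoofed, but a week-long ban of a NAT gateway locks out everyone behind it.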
[Full-disclosure] [SECURITY] [DSA 1229-1] New Asterisk packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1229-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
December 6th, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-5444
CERT advisory  : VU#521252
BugTraq ID     : 20617

Adam Boileau discovered an integer overflow in the Skinny channel driver in Asterisk, an Open Source Private Branch Exchange or telephone system, as used by Cisco SCCP phones, which allows remote attackers to execute arbitrary code.

For the stable distribution (sarge) this problem has been fixed in version 1.0.7.dfsg.1-2sarge4.

For the unstable distribution (sid) this problem has been fixed in version 1.2.13~dfsg-1.

We recommend that you upgrade your asterisk packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4.dsc
    Size/MD5 checksum:     1259 2441c1ccc8467ecefc45b58711b9602f
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4.diff.gz
    Size/MD5 checksum:    70588 17c8aaae715230d9ea8d0485eb7cfe95
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1.orig.tar.gz
    Size/MD5 checksum:  2929488 0d0f718ccd7a06ab998c3f637df294c0

Architecture independent components:

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.0.7.dfsg.1-2sarge4_all.deb
    Size/MD5 checksum:    61616 84dd16720f492033c5c034b69f033f7f
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.0.7.dfsg.1-2sarge4_all.deb
    Size/MD5 checksum:    83382 0fda6ac9d47e7d5bcd9786c7ab17ebd5
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.0.7.dfsg.1-2sarge4_all.deb
    Size/MD5 checksum:  1577766 a5ddadc5ba22723d32a74a2bc4fb9dfc
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.0.7.dfsg.1-2sarge4_all.deb
    Size/MD5 checksum:  1180298 bf9fae8e20a5e299d1c24e5fce59ee96
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.0.7.dfsg.1-2sarge4_all.deb
    Size/MD5 checksum:    28378 eb425bfc6db224dd17346c0a03f06853

Alpha architecture:

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_alpha.deb
    Size/MD5 checksum:  1477714 2835395f4796f717330ec4bc6decca4e
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_alpha.deb
    Size/MD5 checksum:    31406 03e9021f5867a19500fadd3e27563e47
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_alpha.deb
    Size/MD5 checksum:    21444 06a45fc8f1407adfdcaf1453e1cd0874

AMD64 architecture:

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_amd64.deb
    Size/MD5 checksum:      138 73a991fc324d71d53a375dd81b9eb8e2
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_amd64.deb
    Size/MD5 checksum:    30832 21bde76d77e7948ec115c0752e025353
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_amd64.deb
    Size/MD5 checksum:    21444 c426ea519c9a806039aec64fc58083fc

ARM architecture:

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_arm.deb
    Size/MD5 checksum:  1262870 4e73f23ddaadabb52c1f06b37e1c520e
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_arm.deb
    Size/MD5 checksum:    29544 7d7f780f79006309910f2f6a66e06818
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_arm.deb
    Size/MD5 checksum:    21444 e50e31d85cc4835fc0023b02d4a19b39

HP Precision architecture:

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_hppa.deb
    Size/MD5 checksum:  1448202 32dd05dd323f87a5e2af536e49985faa
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_hppa.deb
Re: [Full-disclosure] Nmap Online
Simon Smith wrote:
> Why would you do this?
>
>> For all Nmap fans, our group have implemented Nmap Online service. Its address is http://nmap-online.com/. The interface allows you to perform custom

Because you like lawyers and being in court?
Re: [Full-disclosure] Nmap Online
thus Schanulleke spake:
> Simon Smith wrote:
>> Why would you do this?
>>
>>> For all Nmap fans, our group have implemented Nmap Online service. Its address is http://nmap-online.com/. The interface allows you to perform custom
>
> Because you like lawyers and being in court?

lawyers are wimps :)
[Full-disclosure] Oracle PL/SQL Fuzzing Tool
Hi to all,

In the past I wrote a python tool to fuzz PL/SQL procedures, functions and packages. With this wonderful tool I found many vulnerabilities, many crashes and many-many interesting issues.

I decided to release it to the public because it's a part of an Oracle specific Vulnerability Assessment Tool I will release when it's completely finished. It will be licensed under the GPL.

To use the attached python tool you will need a valid Oracle database account with, at least, the CREATE SESSION privilege granted. You will need to adapt it to your needs to fuzz a database under your control. At least: username, password, Oracle SID and IP address.

It only fuzzes 'VARCHAR2', 'RAW', 'NCHAR', 'BINARY_INTEGER', 'BINARY_FLOAT', 'CHAR', 'NVARCHAR2', 'NUMBER', 'FLOAT' and 'LONG RAW' datatypes, at the moment, but you can easily adapt it to fuzz other Oracle datatypes, even user defined.

Well, if you find it interesting or if you have any question about it, any criticism, etc... Don't hesitate to contact me.

Have fun.

---
Joxean Koret
---
Maybe, maybe, one day the true Zuberoans, the true Basques, will rise up to kill the foreign tyrants and to give back to the people the land that our fathers' fathers left us. (Souletin Basque in the original: "Agian, agian, egün batez jeikiko dira egiazko Ziberotarrak, egiazko eüskaldünak, tirano arrotzen hiltzeko eta gure aiten aitek ützi daikien lurraren popüliari erremetitzeko.")
---

#!/usr/bin/python
#
# Oracle Database PL/SQL Fuzzing Tool
# Copyright (c) 2005, 2006 Joxean Koret, joxeankoret [at] yahoo.es
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
import sys
import cx_Oracle

# Module-level database connection; (re)opened by connect().
connection = None

# Fuzz payloads: PL/SQL identifiers, quote-breaking fragments, long strings,
# integer boundary values, format strings and SQL fragments.  The list archive
# stripped the quotes and some "0000" digits; they are restored here.
funnydata = ("TEST", "SYS", "XMLREF", "' || XMLREF() || '", "'TEST A A '", "'", "''",
             "A"*30, "A"*100, "A"*128, "A"*256, "A"*512, "A"*1024, "A"*2048,
             "A"*3000, "A"*4000, "A"*5000, "A"*6000, "A"*7000, "A"*8000,
             "A"*10000, "A"*15000, "A"*20000, "A"*25000, "A"*30000, "A"*32767,
             -1, -2, 0, 1, 2, 2147483647, -2147483647, 2147483648, -2147483648,
             "ROWID", "PRIMARY KEY",
             "%s%s%s%s%s%s%s", "%x%x%x%x%x%x", "%d%d%d%d%d%d",
             "GRANT DBA TO TEST", "GRANT DBA TO PUBLIC", "SELECT * FROM DBA_USERS",
             "' OR '1'='1", "AA' or TEST.XMLREF", "V1", "TEST.V1", "'TEST.V1'", None)


def fuzzData(data, index):
    """Execute the PL/SQL block `data` once per payload, binding the same payload
    to all `index` bind variables, and classify the Oracle error that comes back."""
    global connection
    for x in funnydata:
        try:
            if type(x) is int:
                print "Data is number", x
            else:
                print "Data is " + str(x)[0:30] + " of length " + str(len(str(x)))
            varList = []
            for var in range(index):
                varList.append(x)
            cur = connection.cursor()
            cur.execute(data, varList)
        except:
            error = str(sys.exc_info()[1])
            # Syntax errors coming back from a bound value mean the value was
            # concatenated into dynamic SQL inside the procedure.
            if error.upper().find("ORA-00933") > -1 or \
               error.upper().find("ORA-01756:") > -1 or \
               error.upper().find("ORA-00923:") > -1:
                print "*** POSSIBLE SQL INJECTION FOUND ***"
            # ORA-03113: end-of-file on communication channel, the server
            # process died on us.
            elif error.upper().find("ORA-03113") > -1:
                if len(str(x)) > 50:
                    print "*** POSSIBLE BUFFER OVERFLOW ***"
                else:
                    print "*** INSTANCE CRASHED ***"
                print "Reconnecting ..."
                connect()
            elif error.upper().find("ORA-00600") > -1:
                print "*** INTERNAL ERROR ***"
            elif error.upper().find("PLS-00306:") > -1:
                print "Currently unfuzzable :("
                continue
            elif error.upper().find("ORA-03114") > -1:
                print "We are not connected :?"
                connect()
            print error


def connect():
    """Open (or reopen) the connection.  Adapt user, password, host and
    service name to the database under your control."""
    global connection
    link = "test/test@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.10)(PORT=1521)))"
    link += "(CONNECT_DATA=(SERVICE_NAME=orcl)))"
    connection = cx_Oracle.connect(link)
    connection.rollback()
    connection.commit()


def isFunc(data, index, cursorData):
    """Try to call `data` as a procedure using named parameter notation
    (name => :n) with NULL arguments.  Returns 0 if the call went through,
    i.e. it is a procedure."""
    global connection
    try:
        varList = []
        data = "BEGIN " + data + "("
        index = 0
        for x in cursorData:
            index += 1
            if index == 1:
                data += str(x[1]) + "=>:" + str(index)
            else:
                data += ", " + str(x[1]) + "=>:" + str(index)
        data += "); end;"
        for var in range(index):
            varList.append(None)
        cur = connection.cursor()
        cur.execute(data, varList)
        return 0
    except:
        error = str(sys.exc_info()[1])
        # The posted file is cut off here.  PLS-00221 ("is not a procedure or is
        # undefined") is what calling a function as a procedure raises, so the
        # branch is closed by reporting it as a function; the rest of the
        # original script is not on the page.
        if error.upper().find("PLS-00221") > -1:
            return 1
[Full-disclosure] Another former 'hacker' now 'security guru'
f8 labs' very own eric 'loki' hines goes national...

http://www.foxnews.com/video2/launchPage.html?120406/120406_cav_hinesCyber%20SecurityYour_WorldFormer%20computer%20hacker%3A%20Al%20Qaeda%20can%20pull%20off%20cyber%20attackYour%20World-1Cyber%20SecurityVideo%20Launch%20PageBusiness
Re: [Full-disclosure] Nmap Online
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Greg wrote:
> I don't wish to upset anyone but that answer has to be the craziest FIRST port of call approach I have seen used. I get plenty of those sorts of calls. I take about 30 seconds time on the phone for almost all of them. I say "Pull the power plug out of the router. Wait 10 seconds, plug it back in and wait another 10 seconds. OK, try now" and almost all of them report it works well.

What about the people whose router configuration (which was done by a friend months/years ago) you just reset? Better prepare for some house visits to restore SOHO router configurations :-)

And I think that the more you know about a certain topic, the more you are able to find nice half-decent solutions. Resetting the whole device just because of what is maybe a temporary problem doesn't seem clever to me.

But I understand your point.. At some point in time first level support gets boring.

Regards,
Christian

- --
Christian "Khark" Lauf                  [EMAIL PROTECTED]
GPG: 0x6AADC60A | IRCnet/silcnyet: Khark
silcnyet-Fingerprint: 82DA 447F B957 1E18 82EC 44B7 1800 CC3C 0EDE 6DCA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD4DBQFFdwo4AaLWKGqtxgoRAuh2AJdpFYr/jK1AA4J00HgFedIgDrJvAJ0UnxbQ
I8Xie+CGT9qOUvKv0WeanA==
=lWLi
-----END PGP SIGNATURE-----
[Full-disclosure] [ MDKSA-2006:225 ] - Updated ruby packages fix DoS vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:225
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ruby
 Date    : December 6, 2006
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Another vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS).

 Updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6303
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2006.0:
 cf4eb0abe6d54c41a9b7e94adbd894ab  2006.0/i586/ruby-1.8.2-7.5.20060mdk.i586.rpm
 42a501b32ad7f9c1140d2665a8c35bdf  2006.0/i586/ruby-devel-1.8.2-7.5.20060mdk.i586.rpm
 fadf1005a3cecb41da322d6472023562  2006.0/i586/ruby-doc-1.8.2-7.5.20060mdk.i586.rpm
 6754c4c9f5047d032a15819820595fcb  2006.0/i586/ruby-tk-1.8.2-7.5.20060mdk.i586.rpm
 fb133b0d4f1b5eb27e67f0eb39772564  2006.0/SRPMS/ruby-1.8.2-7.5.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 a68db589ace220742904a49587e65087  2006.0/x86_64/ruby-1.8.2-7.5.20060mdk.x86_64.rpm
 7f14ec97214b7f501c7bcd8963ad2b0a  2006.0/x86_64/ruby-devel-1.8.2-7.5.20060mdk.x86_64.rpm
 5b6604fd9628a2312ee2b7f3b4371f45  2006.0/x86_64/ruby-doc-1.8.2-7.5.20060mdk.x86_64.rpm
 ba38430b90e8b454c7b2228073c4d3dd  2006.0/x86_64/ruby-tk-1.8.2-7.5.20060mdk.x86_64.rpm
 fb133b0d4f1b5eb27e67f0eb39772564  2006.0/SRPMS/ruby-1.8.2-7.5.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 b126d91632869a7a659f7044cbca180c  2007.0/i586/ruby-1.8.5-2.2mdv2007.0.i586.rpm
 a1414e09dcb3d0c858e3fc5070608e47  2007.0/i586/ruby-devel-1.8.5-2.2mdv2007.0.i586.rpm
 d6bf66762039af18a6c5f0a8b27d2bfa  2007.0/i586/ruby-doc-1.8.5-2.2mdv2007.0.i586.rpm
 017468bee38279e7f42adad194866cff  2007.0/i586/ruby-tk-1.8.5-2.2mdv2007.0.i586.rpm
 45e958263f67f96797318621052f1e3f  2007.0/SRPMS/ruby-1.8.5-2.2mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 2721a9103870075c0e64dd1a7c01b9a5  2007.0/x86_64/ruby-1.8.5-2.2mdv2007.0.x86_64.rpm
 6b6bd12e97b4ddf070849603bea45623  2007.0/x86_64/ruby-devel-1.8.5-2.2mdv2007.0.x86_64.rpm
 2e163941297e43e62d2f798a93efe960  2007.0/x86_64/ruby-doc-1.8.5-2.2mdv2007.0.x86_64.rpm
 d953012dc537a4f6e8343138d8f32f31  2007.0/x86_64/ruby-tk-1.8.5-2.2mdv2007.0.x86_64.rpm
 45e958263f67f96797318621052f1e3f  2007.0/SRPMS/ruby-1.8.5-2.2mdv2007.0.src.rpm

 Corporate 3.0:
 95abd86462f84450392cd41ab594  corporate/3.0/i586/ruby-1.8.1-1.8.C30mdk.i586.rpm
 174fe6c12a1a6a7dbf03f755cf0a57cd  corporate/3.0/i586/ruby-devel-1.8.1-1.8.C30mdk.i586.rpm
 2d0e7d3f950e7040f6e6c19a921bdb78  corporate/3.0/i586/ruby-doc-1.8.1-1.8.C30mdk.i586.rpm
 37fe39a689b25aa2caf193994a5dbf05  corporate/3.0/i586/ruby-tk-1.8.1-1.8.C30mdk.i586.rpm
 71b024abd10b00f7e278e39492f98aa6  corporate/3.0/SRPMS/ruby-1.8.1-1.8.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 366a4003551813d500eec00996981abf  corporate/3.0/x86_64/ruby-1.8.1-1.8.C30mdk.x86_64.rpm
 ef95e042be0f3a881ae6a66502c1c905  corporate/3.0/x86_64/ruby-devel-1.8.1-1.8.C30mdk.x86_64.rpm
 d72e56164f0a0fcb99b190dbb2ce7c2c  corporate/3.0/x86_64/ruby-doc-1.8.1-1.8.C30mdk.x86_64.rpm
 81c6c9a396d26dea3bd683c2207eb96b  corporate/3.0/x86_64/ruby-tk-1.8.1-1.8.C30mdk.x86_64.rpm
 71b024abd10b00f7e278e39492f98aa6  corporate/3.0/SRPMS/ruby-1.8.1-1.8.C30mdk.src.rpm

 Corporate 4.0:
 9796f3458efc694c98ab821158a0599b  corporate/4.0/i586/ruby-1.8.2-7.5.20060mlcs4.i586.rpm
 3578dc2bd6735967f79f43b21b14f8b2  corporate/4.0/i586/ruby-devel-1.8.2-7.5.20060mlcs4.i586.rpm
 4505b6152a025ecef599e48c4ef11763  corporate/4.0/i586/ruby-doc-1.8.2-7.5.20060mlcs4.i586.rpm
 466b48eb68199179c044b8a0fe5f7a3f  corporate/4.0/i586/ruby-tk-1.8.2-7.5.20060mlcs4.i586.rpm
 b7f41e2f4f5f71e3c2f214c041957533  corporate/4.0/SRPMS/ruby-1.8.2-7.5.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 2771fffe29e377ea0bcf594bb94a0f7b  corporate/4.0/x86_64/ruby-1.8.2-7.5.20060mlcs4.x86_64.rpm
 2d0b06a00590a0dfae303be8079f852a  corporate/4.0/x86_64/ruby-devel-1.8.2-7.5.20060mlcs4.x86_64.rpm
 87d597d03cc146b1b9ac89e29b7a2879  corporate/4.0/x86_64/ruby-doc-1.8.2-7.5.20060mlcs4.x86_64.rpm
 ec2d09506bfebab08d523fd258f8136b  corporate/4.0/x86_64/ruby-tk-1.8.2-7.5.20060mlcs4.x86_64.rpm
 b7f41e2f4f5f71e3c2f214c041957533  corporate/4.0/SRPMS/ruby-1.8.2-7.5.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for
[Full-disclosure] rPSA-2006-0226-1 kernel
rPath Security Advisory: 2006-0226-1
Published: 2006-12-06
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
    Local Root Non-deterministic Privilege Escalation
Updated Versions:
    kernel=/[EMAIL PROTECTED]:devel//1/2.6.17.14-0.4-1
    kernel=/[EMAIL PROTECTED]:devel//1-xen/2.6.16.29-0.11-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5751
    https://issues.rpath.com/browse/RPL-803
    https://issues.rpath.com/browse/RPL-837

Description:
    Previous versions of the kernel package are vulnerable to a local denial of service or privilege escalation attack by unprivileged users if any network bridge interface has been configured with more than two interfaces. The attacker can cause the system to crash, and is believed to be able to provide arbitrary code that may (with undetermined probability) run in kernel context. Xen dom0 instances in the default bridging configuration are vulnerable.

    Previous versions of the Xen dom0 kernel did not embed the firmware for QLogic 2XXX Fibre Channel adapters, disabling Xen dom0 on those systems.

    This update requires a system reboot to implement the fixes.
Re: [Full-disclosure] Nmap Online
> -----Original Message-----
> From: Christian Khark Lauf [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 7 December 2006 5:22 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Nmap Online
>
> Hi,
>
> Greg wrote:
>> I don't wish to upset anyone but that answer has to be the craziest FIRST port of call approach I have seen used. I get plenty of those sorts of calls. I take about 30 seconds time on the phone for almost all of them. I say "Pull the power plug out of the router. Wait 10 seconds, plug it back in and wait another 10 seconds. OK, try now" and almost all of them report it works well.
>
> What about the people whose router configuration (which was done by a friend months/years ago) you just reset? Better prepare for some house visits to restore SOHO router configurations :-)

I am fairly certain that the NV in NV-RAM doesn't mean "New Victim" but "Non Volatile". E.g., even if nothing else works so you pull the plug and put it back in, the settings you have changed remain intact. So, in most cases, no you do not need to worry when pulling the plug.

> And I think that the more you know about a certain topic, the more you are able to find nice half-decent solutions. Resetting the whole device just because of what is maybe a temporary problem doesn't seem clever to me.

That wasn't what I said of course. The whole point was that if the user is complaining about not getting email from their ISP via whatever method they decide to use and/or cannot get onto the web, then pulling the power plug is a viable answer that is normally correct in most situations. Sure, there are some where it isn't the answer but if you find out it is still as bad as it ever was after pulling the plug and putting it back in, then you need to go there, physically, in any case.

> But I understand your point.. At some point in time first level support gets boring.

It wasn't even that which I said. My point was always that there are better ways of doing things.

You could drive 30 miles just to pull the plug yourself leaving the current job unfinished or unable to get to that next problem in a suitable response time, or you could just tell the person on the phone to do that while you wait and see the result. In most cases, it has been the answer. It has never ALWAYS been the case. In the cases where it works, it is just a more efficient way for YOU to work. No online answer is going to fix a router that just lost its cool and is locked up unless you have installed a remote power down and power up (yeah, they exist but I haven't used one and can't remember the name).

The end result of working this way is a happy customer who is now able to work, a contact who feels superior because they worked with you to fix the problem and is more likely to help you out in future when you want something done that they are capable of doing, and you can get to your next appointment on time.

Call me crazy but I reckon trying it first is always the best approach.

Greg.
Re: [Full-disclosure] Nmap Online
1) I'm sure none of you can imagine this, but sometimes running and startup configs aren't the same. YES it's TRUE! So, your approach could be disastrous and is really ill advised.

2) Nmap may not give reliable results from all sites. Surely you've encountered ACLs that caused erroneous nmap results from some locations. As the guy said: sometimes he travels. Having the capability to run it from a neutral location can get by that.

I'm sure there's more.

On 12/5/06, Greg [EMAIL PROTECTED] wrote:
> I don't wish to upset anyone but that answer has to be the craziest FIRST port of call approach I have seen used. I get plenty of those sorts of calls. I take about 30 seconds time on the phone for almost all of them. I say "Pull the power plug out of the router. Wait 10 seconds, plug it back in and wait another 10 seconds. OK, try now" and almost all of them report it works well.
>
> So why would I need and how could I use Nmap online to tell me the router went crazy and locked up? Besides, wouldn't it be just as easy to use the Nmap sitting on my computer if I decided I needed to use it?
>
> Greg.
[Full-disclosure] [USN-390-3] evince-gtk vulnerability
===========================================================
Ubuntu Security Notice USN-390-3             December 06, 2006
evince-gtk vulnerability
CVE-2006-5864
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  evince-gtk                    0.5.2-0ubuntu2.1

Ubuntu 6.10:
  evince-gtk                    0.5.2-0ubuntu4.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-390-2 fixed vulnerabilities in evince. This update provides the corresponding update for evince-gtk.

Original advisory details:

 A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with the user's privileges.

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1.diff.gz
      Size/MD5:    22511 0cf118d6918268ba4f53c9b21c2e4abc
    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1.dsc
      Size/MD5:      893 6bd5d56c1d26042f0882ad1c8f35d8c4
    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2.orig.tar.gz
      Size/MD5:  1362513 5020afb1768d89c251ad8c2a233d9fcf

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1_amd64.deb
      Size/MD5:   311524 9afc1a61adb192c0c115bcc8231008c1

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1_i386.deb
      Size/MD5:   282212 15a8292c95bed93d2af5d4917172ca8c

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1_powerpc.deb
      Size/MD5:   299064 510f7b8c93b8a8a65f71cae17176cd59

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1_sparc.deb
      Size/MD5:   287254 f75088c1015e44cf7ed2633340d0d24f

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1.diff.gz
      Size/MD5:    22622 194a824da15c50fe472762f960f2b9fb
    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1.dsc
      Size/MD5:      893 24d9a86b4a012fd133ee37b538e9156c
    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2.orig.tar.gz
      Size/MD5:  1362513 5020afb1768d89c251ad8c2a233d9fcf

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1_amd64.deb
      Size/MD5:   305732 af144ed0736a7ef77aba67ef9cbbeaae

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1_i386.deb
      Size/MD5:   286362 21f58e429f79a605fa2bff0c36a7cbb6

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1_powerpc.deb
      Size/MD5:   293918 c9e00c6154cddae33bd8c99afbace8fd

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1_sparc.deb
      Size/MD5:   282784 596cfcc780feac5016866a46375cbc42

signature.asc
Description: Digital signature
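The Debian (DSA 1229-1), Mandriva (MDKSA-2006:225) and Ubuntu (USN-390-3) advisories above all list the fixed packages with an MD5 digest, and Debian and Ubuntu also give the size. The script below is an added example, not part of any of those advisories or of the distributions' own tooling: it pulls the two layouts out of advisory text and checks packages already downloaded against them. The regexes, the function names and the sample advisory lines (fictitious package names, digest of the five-byte string "hello") are constructed for this example; the Ubuntu "Size/MD5:" variant is matched alongside Debian's "Size/MD5 checksum:" and the space after the colon is optional because list archives sometimes drop it.

```python
import hashlib
import os
import re

# Debian/Ubuntu layout: package URL, then "Size/MD5 checksum:" (Debian) or
# "Size/MD5:" (Ubuntu), the size in bytes and the hex digest.
DEB_RE = re.compile(
    r"(?P<url>https?://\S+)\s+Size/MD5(?: checksum)?:\s*(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})"
)
# Mandriva layout: hex digest, then the package path relative to the mirror.
MDV_RE = re.compile(r"\b(?P<md5>[0-9a-f]{32})\s+(?P<path>\S+\.rpm)")


def parse_advisory(text):
    """Return [(basename, expected_size_or_None, expected_md5)] for every package listed."""
    entries = []
    for m in DEB_RE.finditer(text):
        entries.append((os.path.basename(m.group("url")), int(m.group("size")), m.group("md5")))
    for m in MDV_RE.finditer(text):
        entries.append((os.path.basename(m.group("path")), None, m.group("md5")))
    return entries


def verify_files(entries, files):
    """files maps basename -> bytes.  Returns basename -> 'ok' | 'missing' | 'bad-size' | 'bad-md5'.
    Size is checked first because it is the cheap test and a truncated download fails it."""
    results = {}
    for name, size, md5 in entries:
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif size is not None and len(data) != size:
            results[name] = "bad-size"
        elif hashlib.md5(data).hexdigest() != md5:
            results[name] = "bad-md5"
        else:
            results[name] = "ok"
    return results


def verify_directory(advisory_text, directory):
    """Check the packages already downloaded into `directory` against the advisory."""
    entries = parse_advisory(advisory_text)
    files = {}
    for name, _, _ in entries:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                files[name] = f.read()
    return verify_files(entries, files)


# Constructed sample: fictitious package names; the digest is md5(b"hello"),
# so the first "download" verifies and the second does not.
SAMPLE_ADVISORY = """
  http://security.example.org/pool/main/e/example/example_1.0-1_all.deb
    Size/MD5 checksum:        5 5d41402abc4b2a76b9719d911017c592
 5d41402abc4b2a76b9719d911017c592  2007.0/i586/example-1.0-1mdv2007.0.i586.rpm
"""
SAMPLE_FILES = {
    "example_1.0-1_all.deb": b"hello",
    "example-1.0-1mdv2007.0.i586.rpm": b"tampered",
}

if __name__ == "__main__":
    for name, status in sorted(verify_files(parse_advisory(SAMPLE_ADVISORY), SAMPLE_FILES).items()):
        print("%-40s %s" % (name, status))
```

This catches truncated or swapped downloads, nothing more: MD5 is collision-weak, and the digests only mean something because the advisory carrying them is PGP-signed (check it with `gpg --verify` against the distribution's security key) and, as the Mandriva text notes, the packages themselves are signed and verified by the package manager.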
[Full-disclosure] ZDI-06-044: Adobe Download Manager AOM Parsing Buffer Overflow Vulnerability
ZDI-06-044: Adobe Download Manager AOM Parsing Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-044.html
December 6, 2006

-- CVE ID:
CVE-2006-5856

-- Affected Vendor:
Adobe

-- Affected Products:
Adobe Download Manager 2.1 and earlier

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since April 3, 2006 by Digital Vaccine protection filter ID 4280. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Download Manager application. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists in the AOM file format parser. A long [URL] element inside of a [DownloadRecord] element within an AOM file will result in a stack-based buffer overflow condition leading to execution of arbitrary code.

The Download Manager is installed during the installation of other Adobe products, such as Acrobat Reader. When installed, the download manager becomes the default application to handle .AOM files.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:

    http://www.adobe.com/go/apsb06-19/

-- Disclosure Timeline:
2006.04.03 - Digital Vaccine released to TippingPoint customers
2006.04.07 - Vulnerability reported to vendor
2006.12.06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
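The advisory names the trigger (an oversized URL element inside a DownloadRecord element of an .AOM file) but not the file grammar or the size of the overflowed buffer. The script below is an added example, not from ZDI or Adobe: a triage scanner that flags AOM files carrying an oversized URL element, beside the bounds check a hardened parser would apply before copying such a value into a fixed buffer. The tag-style layout matched by the regexes, the 256-byte limit, and the two sample files are assumptions constructed for this example and may need adjusting to real AOM files.

```python
import os
import re

# Assumed element layout; the advisory names the elements but not the grammar.
RECORD_RE = re.compile(r"<DownloadRecord>(.*?)</DownloadRecord>", re.S | re.I)
URL_RE = re.compile(r"<URL>(.*?)</URL>", re.S | re.I)

URL_LIMIT = 256   # illustrative cut-off, not the size of the real buffer


def scan_aom(text, limit=URL_LIMIT):
    """Return [(record_no, url_length)] for every URL element longer than limit."""
    findings = []
    for rec_no, rec in enumerate(RECORD_RE.finditer(text), 1):
        for m in URL_RE.finditer(rec.group(1)):
            length = len(m.group(1))
            if length > limit:
                findings.append((rec_no, length))
    return findings


def parse_aom(text, limit=URL_LIMIT):
    """Hardened parse: return the list of URLs, rejecting the whole file on an
    oversize element instead of copying it into a fixed-size buffer."""
    urls = []
    for rec in RECORD_RE.finditer(text):
        for m in URL_RE.finditer(rec.group(1)):
            url = m.group(1).strip()
            if len(url) > limit:
                raise ValueError("URL element of %d bytes exceeds limit %d" % (len(url), limit))
            urls.append(url)
    return urls


def scan_directory(directory, limit=URL_LIMIT):
    """Walk `directory` and report {path: findings} for every .aom file that trips the scan."""
    report = {}
    for root, _, names in os.walk(directory):
        for name in names:
            if name.lower().endswith(".aom"):
                path = os.path.join(root, name)
                with open(path, "rb") as f:
                    findings = scan_aom(f.read().decode("latin-1"), limit)
                if findings:
                    report[path] = findings
    return report


# Constructed samples, not real Adobe files.
BENIGN_AOM = """<AOM>
 <DownloadRecord>
  <URL>http://download.example.com/reader.exe</URL>
  <Name>Reader</Name>
 </DownloadRecord>
</AOM>"""

CRAFTED_AOM = "<AOM><DownloadRecord><URL>http://" + "A" * 4000 + "</URL></DownloadRecord></AOM>"

if __name__ == "__main__":
    print("benign :", scan_aom(BENIGN_AOM))
    print("crafted:", scan_aom(CRAFTED_AOM))
```

The scan is a cheap filter for quarantined downloads or mail attachments, not a fix: the fix is Adobe's update (apsb06-19), and until it is applied the most direct mitigation is to stop .AOM files from opening in the Download Manager at all.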
[Full-disclosure] rPSA-2006-0227-1 gnupg
rPath Security Advisory: 2006-0227-1
Published: 2006-12-06
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
    Indirect Deterministic Privilege Escalation
Updated Versions:
    gnupg=/[EMAIL PROTECTED]:devel//1/1.4.6-0.1-

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235
    https://issues.rpath.com/browse/RPL-835

Description:
    Previous versions of the gnupg package will execute attacker-provided code found in intentionally malformed OpenPGP packets. This allows an attacker to run arbitrary code as the user invoking gpg on the file that contains the malformed packets.
[Full-disclosure] TSRT-06-15: Citrix Presentation Server Client ActiveX Heap Overflow Vulnerability
TSRT-06-15: Citrix Presentation Server Client ActiveX Heap Overflow Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-15.html
December 6, 2006

-- CVE ID:
CVE-2006-6334

-- Affected Vendor:
Citrix

-- Affected Products:
Citrix Presentation Server Client for Windows v9.230

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since February 2006 by a pre-existing Digital Vaccine protection filter ID 4163. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Citrix Presentation Server Client for Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw resides in the SendChannelData function of the ActiveX control Wfica.ocx (CLSID 238F6F83-B8B4-11CF-8771-00A024541EE3). The function is prototyped as follows:

    SendChannelData(ChannelName As String, Data As String, DataSize As Long, DataType As ICAVCDataType)

Specifying an undersized buffer length as the 'DataSize' parameter and supplying a large buffer as the 'Data' parameter results in an exploitable heap corruption.

-- Vendor Response:
Citrix has issued an update to correct this vulnerability. More details can be found at:

    http://support.citrix.com/article/CTX111827

-- Disclosure Timeline:
2006.02.01 - Pre-existing Digital Vaccine released to TippingPoint customers
2006.09.19 - Vulnerability reported to vendor
2006.12.06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint Security Research Team.
[Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan
Vulnerability Description
The Linksys WIP 330 VoIP wireless phone will crash when a full port-range Nmap scan is run against its IP address.

Linksys WIP 330 Firmware Version
1.00.06A

Nmap scan command
nmap -P0 -p 1-65535 <WIP 330 IP address>

Impact
The crash occurs only after Nmap has finished. The Nmap scan also seems to disrupt updating of the display, as the clock is not updated. The crash appears related to PhoneCtl.exe running on the phone's Windows CE 4.2 operating system. Screenshot of the crash: http://www.flickr.com/photos/metalmijn/295348294/

Credit
Credit for discovering this vulnerability goes to Armijn Hemel
[Full-disclosure] [USN-393-1] GnuPG vulnerability
===
Ubuntu Security Notice USN-393-1
December 07, 2006
gnupg vulnerability
CVE-2006-6235
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  gnupg  1.4.1-1ubuntu1.6

Ubuntu 6.06 LTS:
  gnupg  1.4.2.2-1ubuntu2.4

Ubuntu 6.10:
  gnupg  1.4.3-2ubuntu3.2

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Tavis Ormandy discovered that gnupg was incorrectly using the stack. If a user were tricked into processing a specially crafted message, an attacker could execute arbitrary code with the user's privileges.

Updated packages for Ubuntu 5.10:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6.diff.gz
      Size/MD5:    23701 7a9033efbfb1f0028f53cef54f1a6522
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6.dsc
      Size/MD5:      684 4740552c8acbe2143bfff11dbfaee85b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1.orig.tar.gz
      Size/MD5:  4059170 1cc77c6943baaa711222e954bbd785e5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6_amd64.deb
      Size/MD5:  1136698 64e954a21f51c939792b140f5a0fc5df
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.6_amd64.udeb
      Size/MD5:   152276 c703faddbf82858fa85560912ea3f7b0

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6_i386.deb
      Size/MD5:  1044848 6dc25f6204f754f80b15f90bac175a25
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.6_i386.udeb
      Size/MD5:   130672 3a69e1804fb1234a70d9715d42b929e1

  powerpc architecture (Apple Macintosh G3/G4/G5):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6_powerpc.deb
      Size/MD5:  1120042 16103aee54c188b9e74b81d776537bc4
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.6_powerpc.udeb
      Size/MD5:   140218 fcc41df5bf7d7336ac00ab8a1edaa665

  sparc architecture (Sun SPARC/UltraSPARC):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6_sparc.deb
      Size/MD5:  1064838 8c78b6bca94a9bc62a9d7a9f5a8ae298
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.6_sparc.udeb
      Size/MD5:   139598 830785d65ea4bdb0d8ed8d123fcb2d6f

Updated packages for Ubuntu 6.06 LTS:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4.diff.gz
      Size/MD5:    22621 3e45e6fe65cd1334a12d6bfbc9d26f2b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4.dsc
      Size/MD5:      690 1ce5bd388f35b6bdd48e12719308cea5
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2.orig.tar.gz
      Size/MD5:  4222685 50d8fd9c5715ff78b7db0e5f20d08550

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4_amd64.deb
      Size/MD5:  1066564 f3c60d096d2ea85b02f8898660ab7997
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.4_amd64.udeb
      Size/MD5:   140308 5f18581d5ab54d33f2d69b079985c599

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4_i386.deb
      Size/MD5:   981652 8497f389c4feb73d10ff8c82810b2659
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.4_i386.udeb
      Size/MD5:   120282 a0001759aec7eb6317d8bd0656078ff6

  powerpc architecture (Apple Macintosh G3/G4/G5):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4_powerpc.deb
      Size/MD5:  1054114 565e5af4a14baed975050837af3d600b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.4_powerpc.udeb
      Size/MD5:   130160 d97f253e9f24a3f831b31d1fae25a67c

  sparc architecture (Sun SPARC/UltraSPARC):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4_sparc.deb
      Size/MD5:   994418 15ec9d7565fd5a2ba18ca8cbd03357f8
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.4_sparc.udeb
      Size/MD5:   127412 028eaa2d4ca1c8d96eefaa663f853290

Updated packages for Ubuntu 6.10:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.3-2ubuntu3.2.diff.gz
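Both GnuPG advisories on this page (rPath 2006-0227-1 above and USN-393-1 here) cover the same CVE-2006-6235: intentionally malformed OpenPGP packets leading to code execution as the user running gpg. As an added example, and not GnuPG's code or the fix shipped in these packages: a small OpenPGP packet-header parser in C that follows the header and length encodings of RFC 4880 section 4.2 and refuses any declared body length the buffer cannot back. The sample byte strings are constructed for this example, not real GnuPG test vectors, and the function names and error codes are this example's own.

```c
/* Added example, not GnuPG code: an OpenPGP packet-header parser
 * (RFC 4880 section 4.2) that checks every declared length it reads. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int tag;           /* packet tag, RFC 4880 section 4.3 */
    int new_format;    /* 1 = new-format header, 0 = old-format header */
    size_t hdr_len;    /* bytes consumed by the header */
    size_t body_len;   /* declared body length, already checked against the buffer */
} pgp_header;

enum {
    PGP_OK = 0,
    PGP_ERR_SHORT = -1,       /* not enough bytes for the header itself */
    PGP_ERR_BADTAG = -2,      /* bit 7 of the first octet is clear */
    PGP_ERR_TRUNCATED = -3,   /* declared body length runs past the buffer */
    PGP_ERR_UNSUPPORTED = -4  /* partial-body or indeterminate lengths */
};

/* Decodes one header. The body length is accumulated in 64 bits so a
 * four-octet value can never wrap a size_t on a 32-bit build, and it is
 * compared against the bytes actually remaining before it is accepted. */
int pgp_parse_header(const uint8_t *buf, size_t len, pgp_header *h) {
    if (len < 1) return PGP_ERR_SHORT;
    uint8_t c = buf[0];
    if (!(c & 0x80)) return PGP_ERR_BADTAG;
    size_t pos;
    uint64_t body;

    if (c & 0x40) {                            /* new-format header */
        h->new_format = 1;
        h->tag = c & 0x3f;
        if (len < 2) return PGP_ERR_SHORT;
        uint8_t l1 = buf[1];
        pos = 2;
        if (l1 < 192) {                        /* one-octet length */
            body = l1;
        } else if (l1 < 224) {                 /* two-octet length */
            if (len < 3) return PGP_ERR_SHORT;
            body = ((uint64_t)(l1 - 192) << 8) + buf[2] + 192;
            pos = 3;
        } else if (l1 == 255) {                /* five-octet length */
            if (len < 6) return PGP_ERR_SHORT;
            body = ((uint64_t)buf[2] << 24) | ((uint64_t)buf[3] << 16)
                 | ((uint64_t)buf[4] << 8) | buf[5];
            pos = 6;
        } else {
            return PGP_ERR_UNSUPPORTED;        /* partial body length */
        }
    } else {                                   /* old-format header */
        h->new_format = 0;
        h->tag = (c >> 2) & 0x0f;
        int ltype = c & 0x03;
        size_t n = ltype == 0 ? 1 : ltype == 1 ? 2 : ltype == 2 ? 4 : 0;
        if (n == 0) return PGP_ERR_UNSUPPORTED; /* indeterminate length */
        if (len < 1 + n) return PGP_ERR_SHORT;
        body = 0;
        for (size_t i = 0; i < n; i++) body = (body << 8) | buf[1 + i];
        pos = 1 + n;
    }
    if (body > len - pos) return PGP_ERR_TRUNCATED;  /* the check that matters */
    h->hdr_len = pos;
    h->body_len = (size_t)body;
    return PGP_OK;
}

/* Returns the body length a header declares, or a negative error code. */
long pgp_declared_body_len(const uint8_t *buf, size_t len) {
    pgp_header h;
    int rc = pgp_parse_header(buf, len, &h);
    return rc == PGP_OK ? (long)h.body_len : rc;
}

/* Walks concatenated packets; returns the count or the first error. */
int pgp_count_packets(const uint8_t *buf, size_t len) {
    int count = 0;
    size_t off = 0;
    while (off < len) {
        pgp_header h;
        int rc = pgp_parse_header(buf + off, len - off, &h);
        if (rc != PGP_OK) return rc;
        off += h.hdr_len + h.body_len;
        count++;
    }
    return count;
}

/* Constructed samples, not real GnuPG test vectors: a new-format literal
 * data packet (tag 11) carrying "hello", then an old-format tag-11 packet "abc". */
static const uint8_t SAMPLE_GOOD[] = { 0xCB, 0x05, 'h', 'e', 'l', 'l', 'o',
                                       0xAC, 0x03, 'a', 'b', 'c' };
/* Header promises 5 body bytes; only 2 follow. */
static const uint8_t SAMPLE_TRUNCATED[] = { 0xCB, 0x05, 'h', 'i' };
/* Five-octet length claiming 0x7FFFFFFF bytes with none following. */
static const uint8_t SAMPLE_HUGE[] = { 0xCB, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF };

/* A 300-byte body behind a two-octet length: 192 + 108 encodes 300. */
int demo_two_octet_length(void) {
    uint8_t buf[3 + 300];
    buf[0] = 0xCB; buf[1] = 192; buf[2] = 108;
    memset(buf + 3, 'x', 300);
    return pgp_count_packets(buf, sizeof buf);
}

int main(void) {
    printf("good stream:      %d\n", pgp_count_packets(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("truncated body:   %d\n", pgp_count_packets(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("2 GiB claim:      %d\n", pgp_count_packets(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    printf("two-octet length: %d\n", demo_two_octet_length());
    return 0;
}
```

Partial-body and indeterminate lengths are rejected outright here; a real reader has to support them, and streaming them is exactly where length bookkeeping gets delicate. Computing the bytes remaining first and comparing the declared length against that, in a wider type, is what keeps an attacker-chosen length from ever driving a copy or a stack allocation.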
Re: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan
> The Linksys WIP 330 VoIP wireless phone will crash when a full port-range Nmap scan is run against its IP address.

oh crap so does this shitty sipoora box! i will turn it off now to avoid hakkings!
Re: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan
> The Linksys WIP 330 VoIP wireless phone will crash when a full port-range Nmap scan is run against its IP address.

surprise! the zyxel something 2200 will die from malformed packets! WOW! CALL THE INTARWEB POLIECE! CALL ZYXEL POLICE, THEIR STUFFZ DON'T LIKE WEIRD PACKETZ!
Re: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan
No better/worse than this I suppose.
http://www.cisco.com/warp/public/707/cisco-response-20060113-ip-phones.shtml

Thanks,
--scm

On 12/6/06, Knud Erik Højgaard [EMAIL PROTECTED] wrote:
> > The Linksys WIP 330 VoIP wireless phone will crash when a full port-range Nmap scan is run against its IP address.
>
> surprise! the zyxel something 2200 will die from malformed packets! WOW! CALL THE INTARWEB POLIECE! CALL ZYXEL POLICE, THEIR STUFFZ DON'T LIKE WEIRD PACKETZ!
Re: [Full-disclosure] Hail list!
On 12/6/06, aNub15 wrote:
> 2. Looking for a low footprint windows firewall that's only supposed to do one thing. If someone hits port 110, block the I.P for a week? (should take care of most portscanners (skiddies)). And no I'm not worried about blocking real users on the box.

Has it occurred to you that someone could send spoofed SYN packets with port 110 as the destination, and any IP as the source? Maybe you should worry about blocking real users after all. If there is an IP range where you know you have no legitimate users, you should instead block that IP range. Any IP range where you might have legitimate users is a range that someone could deny access to easily. Except actually it would be you denying access to them--a person attacking you in that way would likely not even be legally responsible (but I am not a lawyer).

Also, why would that prevent access by most people scanning your ports? Suppose someone is scanning your entire subnet, for instance, but only on port 22. Or someone could scan lots of ports on your box, and notice that plenty were open until 110 was probed. This person could then think one of three things:

(1) Hmm, I guess that's all the ports open on that box.

(2) Hmm, lots of ports open, and then I scan port 110, and the rest are all closed/filtered. (This is especially likely if it is the person's *second* scan.) There must be something nice and juicy on that box. I will scan the rest of the ports from another IP and then penetrate any service I can and find out why such a strange measure of pseudo-security is in place.

(3) Hmm, I was reading Full Disclosure recently and somebody was asking about how to blacklist IPs for a week that send traffic to port 110. I bet this is the box of the guy who wanted to know how to do it. Let's find out why he wanted to do that... www.supernoia.com

Script kiddies and anybody else who likes portscanning thank you for the heads up.

If you are going to implement this almost certainly bad idea--and it is for that server--you may wish to at least make it a different port.

-Eliah
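As an added example, and not code from Eliah or anyone else on the thread: a toy model in C of the "ban whoever touches port 110" tripwire that makes the spoofing problem concrete, and, going one step past the thread, shows the trigger a practitioner would reach for instead (ban on a completed handshake, which a blind off-path sender cannot forge without predicting the server's sequence number). The packet trace, the addresses (RFC 5737 documentation ranges) and the function names are constructed for this example.

```c
/* Added example, not from the thread: a toy "ban on port 110" tripwire fed a
 * constructed packet trace, to show why a bare SYN is the wrong trigger. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define TRIP_PORT 110
#define MAX_BANNED 16

typedef struct {
    const char *src;     /* source address, as it appears in a capture */
    uint16_t dst_port;
    int syn, ack;        /* the two TCP flags that matter here */
} packet;

typedef struct {
    const char *banned[MAX_BANNED];
    int n;
} banlist;

static void ban(banlist *b, const char *ip) {
    for (int i = 0; i < b->n; i++) if (strcmp(b->banned[i], ip) == 0) return;
    if (b->n < MAX_BANNED) b->banned[b->n++] = ip;
}

int is_banned(const banlist *b, const char *ip) {
    for (int i = 0; i < b->n; i++) if (strcmp(b->banned[i], ip) == 0) return 1;
    return 0;
}

/* The tripwire as asked for: any SYN to the trip port bans its source. The
 * source address of a SYN is whatever the sender chose to write in it. */
void tripwire_on_syn(banlist *b, const packet *p) {
    if (p->dst_port == TRIP_PORT && p->syn && !p->ack) ban(b, p->src);
}

/* Stricter trigger: ban only on the third packet of the handshake (ACK
 * without SYN). An off-path sender cannot produce it without the server's
 * sequence number, so a forged address alone no longer gets anyone banned. */
void tripwire_on_established(banlist *b, const packet *p) {
    if (p->dst_port == TRIP_PORT && p->ack && !p->syn) ban(b, p->src);
}

/* Constructed trace: a scanner at 198.51.100.7 SYN-scans the port, then
 * forges one SYN claiming to come from a legitimate user at 203.0.113.5.
 * That user later connects to SSH for real. */
static const packet TRACE[] = {
    { "198.51.100.7", 110, 1, 0 },   /* scanner's own probe */
    { "203.0.113.5",  110, 1, 0 },   /* forged source: the scanner, not the user */
    { "203.0.113.5",   22, 1, 0 },   /* the real user, unrelated traffic */
    { "203.0.113.5",   22, 0, 1 },
};

/* Replays the trace through one tripwire and reports whether ip ended up banned. */
int replay_bans(void (*tripwire)(banlist *, const packet *), const char *ip) {
    banlist b = { {0}, 0 };
    for (size_t i = 0; i < sizeof TRACE / sizeof TRACE[0]; i++) tripwire(&b, &TRACE[i]);
    return is_banned(&b, ip);
}

int main(void) {
    printf("SYN trigger:         scanner banned=%d, user banned=%d\n",
           replay_bans(tripwire_on_syn, "198.51.100.7"),
           replay_bans(tripwire_on_syn, "203.0.113.5"));
    printf("established trigger: scanner banned=%d, user banned=%d\n",
           replay_bans(tripwire_on_established, "198.51.100.7"),
           replay_bans(tripwire_on_established, "203.0.113.5"));
    return 0;
}
```

Note what the stricter trigger costs: nmap's default SYN scan never sends the third packet, so the scanner is not banned at all, which is the other half of Eliah's point, that the tripwire does not stop port scanning. The naive trigger, meanwhile, locks 203.0.113.5 out for a week on the strength of one forged packet from a user who sent nothing.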
[Full-disclosure] New MySpace worm could be on its way
http://www.gnucitizen.org/blog/myspace-quicktime-worm-follow-up

MySpace was hit by a worm in a semi-automatic manner. This time the worm propagated via a QuickTime flaw found a couple of months ago. This shouldn't be a surprise to anyone. It is quite serious that this attack vector was picked up by Apple so late. In this post I am not going to explain how this particular MySpace hack works but rather to send a reminder to the security community that another QuickTime XSS vector (http://www.gnucitizen.org/blog/backdooring-mp3-files) was found right after the first one. This vector can be used in a similar way although, IMHO, the impact is greater. I guess Apple should fix both issues NOW: we don't want MySpace worms spreading around again, although this is very utopian to say.

Here is a brief reminder of what the XSS issue was all about. The problem is caused by a quite useful feature called QuickTime Media Link (.qtl). The whole point of these QuickTime Media Link files is to provide a means of playing media files in a more accessible way. In this respect the developer can create a .qtl file which holds information about the media content that needs to be played plus recommended dimensions, accessibility features, control features etc. .qtl files can contain malicious JavaScript code that, when executed, can for example take over some important network device.

That's not the end of the story though. Because of its flexibility QuickTime doesn't mind if Media Link (.qtl) files end with an .mp3, .mp4, .m4a or even .mov extension. This is quite a big problem, especially in default configurations of iTunes. The iTunes installation wizard installs the QuickTime player and QuickTime browser plugins and associates various media files with its components. If you open an mp3 file from the desktop it will be played in the iTunes player by default; however, if you open it from some website it will be played in the QuickTime player browser plugin. In this respect, users who are previewing mp3 and other media files from the Internet are vulnerable. (GNUCITIZEN: Backdooring MP3 Files)

To sum up, and put into context, attackers can use QuickTime Media Links to imitate popular media files and as such trick the user into opening malicious content that could lead to their (MySpace) account or their browser being compromised.

Let's look at the following hypothetical situation: Evil Hacker decides to take over MySpace in order to DoS google.com. He finds that MySpace allows users to supply links in their posts and comments. He spends some time researching the 1000 most popular MySpace members, where he will post links to media files titled orgy.mov or myconfession.mp3 or even prankster.avi. Once an unaware user clicks on the link, a phishing page is presented asking the current user to enter their MySpace details to see the private content. If the user is tricked, their credentials will be on their way to a collection point designed specifically for that operation, where another automatic process takes over their user account, installing the same malicious file or simply hijacking other media files by wrapping them up in QuickTime Media Links the same way as described in the article mentioned above. The process repeats when another user falls into the trap. When enough accounts are compromised, Evil Hacker will launch his/her DDoS against Google's AdSense server farm.

Before seeing more worms of this kind I suggest that we gather our intellectual power to find a fix or at least a workaround. I welcome you to join me at GNUCITIZEN's MySpace Worms Topic (http://www.gnucitizen.org/topics/myspace-worms) for further discussion. I can assure you that neither GNUCITIZEN nor I have anything to do with MySpace or any other related organization. The purpose of this symposium is to learn more about these types of worms and help other online applications and communities protect themselves. This is much better than just sitting in our comfy chairs and laughing at people's mistakes.

Many thanks.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
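As an added example (not GNUCITIZEN's, MySpace's or Apple's code): a content sniffer in C that answers the question the post raises, whether a file's extension agrees with its bytes. It recognises an ID3v2 tag or MPEG audio frame sync as MP3, an ftyp/moov/mdat/wide box at offset 4 as MP4/M4A/MOV, and XML carrying the QuickTime Media Link processing instruction or an <embed> element as a .qtl. The QTL sample is constructed for this example with a harmless qtnext value; the function and sample names are this example's own. A site that accepts uploads or proxies links could apply a check like this before deciding how to serve a file.

```c
/* Added example (not GNUCITIZEN, MySpace or Apple code): decide what a file
 * really is from its leading bytes, then compare with what its name claims. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { MEDIA_UNKNOWN, MEDIA_MP3, MEDIA_ISOBMFF, MEDIA_QTL } media_kind;

/* Case-insensitive, binary-safe search for an ASCII needle in the buffer. */
static int contains_ci(const uint8_t *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m > 0 && i + m <= n; i++) {
        size_t j = 0;
        while (j < m && tolower(hay[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == m) return 1;
    }
    return 0;
}

/* True if, after an optional UTF-8 BOM and whitespace, the data opens with '<'. */
static int looks_like_xml(const uint8_t *buf, size_t len) {
    size_t i = 0;
    if (len >= 3 && buf[0] == 0xEF && buf[1] == 0xBB && buf[2] == 0xBF) i = 3;
    while (i < len && isspace(buf[i])) i++;
    return i < len && buf[i] == '<';
}

/* Classifies by content. Container signatures (ID3v2 tag, MPEG audio frame
 * sync, ISO base-media boxes) are tested before the XML test, so a real media
 * file is never mistaken for a Media Link. */
media_kind sniff_media(const uint8_t *buf, size_t len) {
    if (len >= 3 && memcmp(buf, "ID3", 3) == 0) return MEDIA_MP3;
    if (len >= 2 && buf[0] == 0xFF && (buf[1] & 0xE0) == 0xE0) return MEDIA_MP3;
    if (len >= 8 && (memcmp(buf + 4, "ftyp", 4) == 0 || memcmp(buf + 4, "moov", 4) == 0 ||
                     memcmp(buf + 4, "mdat", 4) == 0 || memcmp(buf + 4, "wide", 4) == 0))
        return MEDIA_ISOBMFF;
    if (looks_like_xml(buf, len) &&
        (contains_ci(buf, len, "<?quicktime") ||
         contains_ci(buf, len, "application/x-quicktime-media-link") ||
         contains_ci(buf, len, "<embed")))
        return MEDIA_QTL;
    return MEDIA_UNKNOWN;
}

static int eq_ci(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* What the file name promises. */
media_kind kind_from_extension(const char *filename) {
    const char *dot = strrchr(filename, '.');
    if (dot == NULL) return MEDIA_UNKNOWN;
    dot++;
    if (eq_ci(dot, "mp3")) return MEDIA_MP3;
    if (eq_ci(dot, "mp4") || eq_ci(dot, "m4a") || eq_ci(dot, "mov") || eq_ci(dot, "qt"))
        return MEDIA_ISOBMFF;
    if (eq_ci(dot, "qtl")) return MEDIA_QTL;
    return MEDIA_UNKNOWN;
}

/* 1 when the bytes are what the name claims, 0 otherwise. A ".mov" that is
 * really a Media Link, the disguise described in the post, returns 0. */
int extension_matches_content(const char *filename, const uint8_t *buf, size_t len) {
    media_kind claimed = kind_from_extension(filename);
    return claimed != MEDIA_UNKNOWN && claimed == sniff_media(buf, len);
}

/* Constructed samples for this example, not files taken from any real attack. */
static const uint8_t SAMPLE_QTL[] =
    "<?xml version=\"1.0\"?>\n"
    "<?quicktime type=\"application/x-quicktime-media-link\"?>\n"
    "<embed src=\"clip.mov\" autoplay=\"true\" qtnext=\"javascript:alert(1)\"/>\n";
#define SAMPLE_QTL_LEN (sizeof SAMPLE_QTL - 1)
static const uint8_t SAMPLE_MP3[] = { 'I', 'D', '3', 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_MP4[] = { 0, 0, 0, 0x18, 'f', 't', 'y', 'p', 'm', 'p', '4', '2', 0, 0, 0, 0 };

int main(void) {
    const char *names[] = { "orgy.mov", "myconfession.mp3", "song.mp3", "clip.mp4" };
    const uint8_t *bufs[] = { SAMPLE_QTL, SAMPLE_QTL, SAMPLE_MP3, SAMPLE_MP4 };
    size_t lens[] = { SAMPLE_QTL_LEN, SAMPLE_QTL_LEN, sizeof SAMPLE_MP3, sizeof SAMPLE_MP4 };
    for (int i = 0; i < 4; i++)
        printf("%-18s content kind %d, extension agrees: %s\n", names[i],
               (int)sniff_media(bufs[i], lens[i]),
               extension_matches_content(names[i], bufs[i], lens[i]) ? "yes" : "NO");
    return 0;
}
```

The check is deliberately conservative in one direction: anything whose name promises a container the bytes do not show is treated as a mismatch, so a legitimate but unusual file may be refused, while a Media Link renamed to .mp3 or .mov is always caught. Sniffing the bytes is also the only defence that survives the renaming trick, since the extension is exactly what the attacker controls.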