[Full-disclosure] Hail list!

2006-12-06 Thread aNub15
Hail list...

Could someone with a bit more experience (than me) please verify a few
things.

I came over a job listing yesterday (sys admin) for a Norwegian company
called rubrikk.no.
The guy who posted it clearly knows nothing about computers, talking about
Windows server 2005, and maintaining perl and reg.ex servers (go figure).

I ran a quick scan on the domain and found 54 vulns! (GFI Languard)
Netcraft says BSD, but why then is he talking about Winblows.

Please tell me I found a honeypot?

If not, please shut down the computer, it should not be on the internet!!!



I also have a couple of questions about software firewalls/routers:
1. M0n0wall or SmoothWall?
2. Looking for a low footprint windows firewall that's only supposed to do
one thing. If someone hits port 110, block the IP for a week? (should take
care of most portscanners (skiddies)). And no I'm not worried about blocking
real users on the box.

Regards

Simon
www.supernoia.com


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
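Simon's second question is a one-line policy: any source that touches port 110 is blocked for a week. The following is an added example, not code from the original post or from any firewall product named in it; it replays that policy over a few constructed log lines (the addresses and the "timestamp src dst:port" line format are invented for the example) so that the part most implementations get wrong, the ban actually lapsing after its duration, is exercised.

```python
import re
from datetime import datetime, timedelta

TRIGGER_PORT = 110           # a hit on POP3 is the trigger Simon describes
BAN_DURATION = timedelta(days=7)

# Constructed sample connection log, not real traffic:
#   "<ISO timestamp> <src ip> <dst ip>:<dst port>"
SAMPLE_LOG = """\
2006-12-06T10:00:00 203.0.113.5 192.0.2.10:25
2006-12-06T10:00:01 203.0.113.5 192.0.2.10:110
2006-12-06T10:00:02 198.51.100.7 192.0.2.10:80
2006-12-06T10:00:03 203.0.113.5 192.0.2.10:80
2006-12-13T10:00:02 203.0.113.5 192.0.2.10:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) \S+:(?P<dport>\d+)$"
)


class Blocklist:
    """Source addresses that touched the trigger port, each with an expiry time."""

    def __init__(self, duration=BAN_DURATION):
        self.duration = duration
        self.banned = {}  # src ip -> datetime at which the ban lapses

    def is_banned(self, src, now):
        expiry = self.banned.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned[src]  # ban has lapsed; forget the entry
            return False
        return True

    def observe(self, src, dport, now):
        """Decide "drop" or "allow" for one connection attempt and update state."""
        if self.is_banned(src, now):
            return "drop"
        if dport == TRIGGER_PORT:
            # first touch of the trigger port: ban the source for the full duration
            self.banned[src] = now + self.duration
            return "drop"
        return "allow"


def process_log(text, blocklist=None):
    """Replay log lines in order; return [(src, dport, decision), ...]."""
    bl = blocklist if blocklist is not None else Blocklist()
    decisions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed format
        now = datetime.fromisoformat(m["ts"])
        src, dport = m["src"], int(m["dport"])
        decisions.append((src, dport, bl.observe(src, dport, now)))
    return decisions


if __name__ == "__main__":
    for src, dport, decision in process_log(SAMPLE_LOG):
        print("%15s -> :%-5d %s" % (src, dport, decision))
```

In the sample, 203.0.113.5 is allowed on port 25, banned on its port-110 probe, dropped on the later port-80 attempt, and allowed again exactly seven days after the probe. Two things a real deployment of this rule has to live with: a ban keyed on the source address can be triggered by spoofed SYNs, so an attacker can get a third party's address blocked for a week, and legitimate POP3 clients poll port 110 (Simon says that is acceptable on his box). The ban list also needs to survive restarts, or a week-long ban becomes a reboot-long one.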


[Full-disclosure] [SECURITY] [DSA 1229-1] New Asterisk packages fix arbitrary code execution

2006-12-06 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1229-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
December 6th, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: asterisk
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2006-5444
CERT advisory  : VU#521252
BugTraq ID : 20617

Adam Boileau discovered an integer overflow in the Skinny channel
driver in Asterisk, an Open Source Private Branch Exchange or
telephone system, as used by Cisco SCCP phones, which allows remote
attackers to execute arbitrary code.

For the stable distribution (sarge) this problem has been fixed in
version 1.0.7.dfsg.1-2sarge4.

For the unstable distribution (sid) this problem has been fixed in
version 1.2.13~dfsg-1.

We recommend that you upgrade your asterisk packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:


http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4.dsc
  Size/MD5 checksum: 1259 2441c1ccc8467ecefc45b58711b9602f

http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4.diff.gz
  Size/MD5 checksum:70588 17c8aaae715230d9ea8d0485eb7cfe95

http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1.orig.tar.gz
  Size/MD5 checksum:  2929488 0d0f718ccd7a06ab998c3f637df294c0

  Architecture independent components:


http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.0.7.dfsg.1-2sarge4_all.deb
  Size/MD5 checksum:61616 84dd16720f492033c5c034b69f033f7f

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.0.7.dfsg.1-2sarge4_all.deb
  Size/MD5 checksum:83382 0fda6ac9d47e7d5bcd9786c7ab17ebd5

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.0.7.dfsg.1-2sarge4_all.deb
  Size/MD5 checksum:  1577766 a5ddadc5ba22723d32a74a2bc4fb9dfc

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.0.7.dfsg.1-2sarge4_all.deb
  Size/MD5 checksum:  1180298 bf9fae8e20a5e299d1c24e5fce59ee96

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.0.7.dfsg.1-2sarge4_all.deb
  Size/MD5 checksum:28378 eb425bfc6db224dd17346c0a03f06853

  Alpha architecture:


http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_alpha.deb
  Size/MD5 checksum:  1477714 2835395f4796f717330ec4bc6decca4e

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_alpha.deb
  Size/MD5 checksum:31406 03e9021f5867a19500fadd3e27563e47

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_alpha.deb
  Size/MD5 checksum:21444 06a45fc8f1407adfdcaf1453e1cd0874

  AMD64 architecture:


http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_amd64.deb
  Size/MD5 checksum:  138 73a991fc324d71d53a375dd81b9eb8e2

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_amd64.deb
  Size/MD5 checksum:30832 21bde76d77e7948ec115c0752e025353

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_amd64.deb
  Size/MD5 checksum:21444 c426ea519c9a806039aec64fc58083fc

  ARM architecture:


http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_arm.deb
  Size/MD5 checksum:  1262870 4e73f23ddaadabb52c1f06b37e1c520e

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_arm.deb
  Size/MD5 checksum:29544 7d7f780f79006309910f2f6a66e06818

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_arm.deb
  Size/MD5 checksum:21444 e50e31d85cc4835fc0023b02d4a19b39

  HP Precision architecture:


http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_hppa.deb
  Size/MD5 checksum:  1448202 32dd05dd323f87a5e2af536e49985faa

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_hppa.deb
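
The advisory's manual path ("wget url", then "dpkg -i file.deb") leaves checking the file against the Size/MD5 lines to the reader. The following is an added example, not Debian's tooling: a small Python checker that parses URL / "Size/MD5 checksum:" pairs in the advisory's own layout and verifies downloaded bytes against them. The two asterisk entries in the excerpt are copied from the advisory above; the mirror.invalid entry and the SAMPLE_FILE bytes are constructed so the check can run offline.

```python
import hashlib
import re

# Constructed stand-in for a downloaded file (not a real Debian package).
SAMPLE_FILE = b"constructed sample package contents, not a real Debian package\n"

# Two lines copied from the advisory, plus one constructed entry for SAMPLE_FILE.
ADVISORY_EXCERPT = """\
  Source archives:

http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4.dsc
  Size/MD5 checksum: 1259 2441c1ccc8467ecefc45b58711b9602f

http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4.diff.gz
  Size/MD5 checksum:70588 17c8aaae715230d9ea8d0485eb7cfe95

http://mirror.invalid/pool/sample/sample_1.0.orig.tar.gz
  Size/MD5 checksum: %d %s
""" % (len(SAMPLE_FILE), hashlib.md5(SAMPLE_FILE).hexdigest())

URL_RE = re.compile(r"^\s*(https?://\S+)\s*$")
# The advisory sometimes omits the space after the colon, so \s* rather than a literal space.
CHECKSUM_RE = re.compile(r"^\s*Size/MD5 checksum:\s*(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_advisory(text):
    """Map each listed file name to (size, md5) from URL / Size/MD5 line pairs."""
    entries = {}
    pending_url = None
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            pending_url = m.group(1)
            continue
        m = CHECKSUM_RE.match(line)
        if m and pending_url:
            name = pending_url.rsplit("/", 1)[-1]
            entries[name] = (int(m.group(1)), m.group(2).lower())
            pending_url = None
    return entries


def verify_download(name, data, entries):
    """Return "ok", "unlisted", "size-mismatch" or "md5-mismatch" for file bytes `data`."""
    if name not in entries:
        return "unlisted"
    size, md5 = entries[name]
    if len(data) != size:
        return "size-mismatch"  # cheap check first: truncated or padded download
    if hashlib.md5(data).hexdigest() != md5:
        return "md5-mismatch"
    return "ok"


def verify_file(path, entries):
    """Same check for a file on disk, keyed by its base name."""
    with open(path, "rb") as f:
        data = f.read()
    return verify_download(path.rsplit("/", 1)[-1], data, entries)


if __name__ == "__main__":
    table = parse_advisory(ADVISORY_EXCERPT)
    for name, (size, md5) in table.items():
        print("%-48s %8d %s" % (name, size, md5))
    print(verify_download("sample_1.0.orig.tar.gz", SAMPLE_FILE, table))
```

The size check runs before hashing because it catches the common failure (a truncated transfer) without reading the whole file twice. Note what this does and does not prove: MD5 is no longer collision resistant, so the checksum guards against a corrupt or mis-named download, not against a hostile mirror; the trust anchor is the advisory's PGP signature, and the apt-get route the advisory recommends checks signed Release files for you.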
   

Re: [Full-disclosure] Nmap Online

2006-12-06 Thread Schanulleke
Simon Smith wrote:
> Why would you do this?
>
> > For all Nmap fans, our group have implemented Nmap Online service.
> > Its address is http://nmap-online.com/. The interface allows you to perform
> > custom

Because you like lawyers and being in court?



Re: [Full-disclosure] Nmap Online

2006-12-06 Thread Timo Schoeler
thus Schanulleke spake:
> Simon Smith wrote:
> > Why would you do this?
> >
> > > For all Nmap fans, our group have implemented Nmap Online service.
> > > Its address is http://nmap-online.com/. The interface allows you to perform
> > > custom
>
> Because you like lawyers and being in court?

lawyers are wimps :)



[Full-disclosure] Oracle PL/SQL Fuzzing Tool

2006-12-06 Thread Joxean Koret
Hi to all,

In the past I wrote a python tool to fuzz PL/SQL procedures, functions
and packages. With this wonderful tool I found many vulnerabilities,
many crashes and many-many interesting issues.

I decided to release it to the public because it's a part of an Oracle
specific Vulnerability Assessment Tool I will release when it's
completely finished. It will be licensed under the GPL.

To use the attached python tool you will need a valid Oracle database
account with, at least, the CREATE SESSION privilege granted. You will
need to adapt it to your needs to fuzz a database under your control. At
least: username, password, Oracle SID and IP address.

It only fuzzes 'VARCHAR2', 'RAW', 'NCHAR', 'BINARY_INTEGER',
'BINARY_FLOAT', 'CHAR', 'NVARCHAR2', 'NUMBER', 'FLOAT' and 'LONG RAW'
datatypes, at the moment, but you can easily adapt it to fuzz other
Oracle datatypes, even user defined.

Well, if you find it interesting or if you have any question about it, any
criticism, etc... Don't hesitate to contact me. Have fun.

---
Joxean Koret

---
Perhaps, perhaps, one day
the true Ziberotarrak will rise,
the true Basques,
to slay the foreign tyrants
and to give back to the people the land
that our fathers' fathers left to us.
---
#!/usr/bin/python
"""
Oracle Database PL/SQL Fuzzing Tool

Copyright (c) 2005, 2006 Joxean Koret, joxeankoret [at] yahoo.es

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; version 2
of the License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
"""

import sys
import cx_Oracle

# Set by connect(); shared by the helpers below.
connection = None

# Test values bound into each argument position: short and long strings, format
# specifiers, integer edge values, SQL fragments and NULL.  The archived copy of
# the post lost its quote characters; the string literals are restored here.
# The three lengths shown as 1, 2 and 3 in the archive are read as 10000, 20000
# and 30000, which is what the surrounding sequence implies.
funnydata = ("TEST", "SYS", "XMLREF", "' || XMLREF() || '", "'TEST A A '", "', ''",
             "A"*30, "A"*100, "A"*128, "A"*256, "A"*512, "A"*1024,
             "A"*2048, "A"*3000, "A"*4000, "A"*5000, "A"*6000, "A"*7000, "A"*8000,
             "A"*10000, "A"*15000, "A"*20000, "A"*25000, "A"*30000, "A"*32767,
             -1, -2, 0, 1, 2, 2147483647, -2147483647, 2147483648, -2147483648,
             "ROWID", "PRIMARY KEY", "%s%s%s%s%s%s%s", "%x%x%x%x%x%x", "%d%d%d%d%d%d",
             "GRANT DBA TO TEST", "GRANT DBA TO PUBLIC", "SELECT * FROM DBA_USERS",
             "' OR '1'='1", "AA' or TEST.XMLREF", "V1", "TEST.V1", "'TEST.V1'",
             None)


def fuzzData(data, index):
    """Execute the statement `data` once per test value, binding the same value
    to all `index` bind positions, and classify the Oracle error that comes back."""
    global connection

    for x in funnydata:
        try:
            if type(x) is int:
                print("Data is number " + str(x))
            else:
                print("Data is " + str(x)[0:30] + " of length " + str(len(str(x))))

            varList = []
            for var in range(index):
                varList.append(x)

            cur = connection.cursor()
            cur.execute(data, varList)

        except Exception:
            error = str(sys.exc_info()[1])

            if error.upper().find("ORA-00933") > -1 or error.upper().find("ORA-01756:") > -1 or error.upper().find("ORA-00923:") > -1:
                # SQL syntax errors: the bound value reached a dynamically built statement
                print("*** POSSIBLE SQL INJECTION FOUND ***")
            elif error.upper().find("ORA-03113") > -1:
                # end-of-file on communication channel: the server process died
                if len(str(x)) > 50:
                    print("*** POSSIBLE BUFFER OVERFLOW ***")
                else:
                    print("*** INSTANCE CRASHED ***")

                print("Reconnecting ... ")
                connect()
            elif error.upper().find("ORA-00600") > -1:
                print("*** INTERNAL ERROR ***")
            elif error.upper().find("PLS-00306:") > -1:
                # wrong number or types of arguments: this signature cannot be fuzzed as-is
                print("Currently unfuzzable :(")
                continue
            elif error.upper().find("ORA-03114") > -1:
                print("We are not connected :?")
                connect()

            print(error)


def connect():
    """Open the shared connection.  Adapt user, password, host, port and service name."""
    global connection

    link = "test/test@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.10)(PORT=1521)))"
    link += "(CONNECT_DATA=(SERVICE_NAME=orcl)))"

    connection = cx_Oracle.connect(link)
    connection.rollback()
    connection.commit()


def isFunc(data, index, cursorData):
    """Try to call `data` as a procedure with one named bind variable per
    argument described in cursorData (name in column 1).  Returns 0 when the
    call compiles as a procedure call."""
    global connection

    try:
        varList = []

        data = "BEGIN\n   " + data + "("

        index = 0
        for x in cursorData:
            index += 1

            if index == 1:
                data += str(x[1]) + "=>:" + str(index)
            else:
                data += ", " + str(x[1]) + "=>:" + str(index)

        data += ");\nend;"

        for var in range(index):
            varList.append(None)

        cur = connection.cursor()
        cur.execute(data, varList)

        return 0
    except Exception:
        error = str(sys.exc_info()[1])
        if error.upper().find("PLS-00221") > -1:
            # The archived copy of the post is cut off at this point.
            pass

[Full-disclosure] Another former 'hacker' now 'security guru'

2006-12-06 Thread Reece Mills
f8 labs' very own eric 'loki' hines goes national...

http://www.foxnews.com/video2/launchPage.html?120406/120406_cav_hinesCyber%20SecurityYour_WorldFormer%20computer%20hacker%3A%20Al%20Qaeda%20can%20pull%20off%20cyber%20attackYour%20World-1Cyber%20SecurityVideo%20Launch%20PageBusiness




Re: [Full-disclosure] Nmap Online

2006-12-06 Thread Christian \Khark\ Lauf
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

Greg wrote:

> I don't wish to upset anyone but that answer has to be the craziest FIRST
> port of call approach I have seen used. I get plenty of those sorts of
> calls. I take about 30 seconds time on the phone for almost all of them. I
> say "Pull the power plug out of the router. Wait 10 seconds, plug it back in
> and wait another 10 seconds. OK, try now" and almost all of them report it
> works well.

What about the people whose router configuration (which was done by a
friend months/years ago) you just reset?
Better prepare for some house visits to restore SOHO router
configurations :-)

And I think that the more you know about a certain topic, the more you
are able to find nice & half-decent solutions. Resetting the whole
device just because of what is maybe a temporary problem doesn't seem
clever to me.

But I understand your point.. At some point in time first level support
gets boring.

Regards,
Christian
- --
Christian Khark Lauf [EMAIL PROTECTED]
GPG: 0x6AADC60A | IRCnet/silcnyet: Khark
silcnyet-Fingerprint: 82DA 447F B957 1E18 82EC 44B7 1800 CC3C 0EDE 6DCA
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (MingW32)

iD4DBQFFdwo4AaLWKGqtxgoRAuh2AJdpFYr/jK1AA4J00HgFedIgDrJvAJ0UnxbQ
I8Xie+CGT9qOUvKv0WeanA==
=lWLi
-END PGP SIGNATURE-



[Full-disclosure] [ MDKSA-2006:225 ] - Updated ruby packages fix DoS vulnerability

2006-12-06 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:225
 http://www.mandriva.com/security/
 ___
 
 Package : ruby
 Date: December 6, 2006
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 Another vulnerability has been discovered in the CGI library (cgi.rb)
 that ships with Ruby which could be used by a malicious user to create
 a denial of service attack (DoS).

 Updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6303
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 cf4eb0abe6d54c41a9b7e94adbd894ab  2006.0/i586/ruby-1.8.2-7.5.20060mdk.i586.rpm
 42a501b32ad7f9c1140d2665a8c35bdf  2006.0/i586/ruby-devel-1.8.2-7.5.20060mdk.i586.rpm
 fadf1005a3cecb41da322d6472023562  2006.0/i586/ruby-doc-1.8.2-7.5.20060mdk.i586.rpm
 6754c4c9f5047d032a15819820595fcb  2006.0/i586/ruby-tk-1.8.2-7.5.20060mdk.i586.rpm
 fb133b0d4f1b5eb27e67f0eb39772564  2006.0/SRPMS/ruby-1.8.2-7.5.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 a68db589ace220742904a49587e65087  2006.0/x86_64/ruby-1.8.2-7.5.20060mdk.x86_64.rpm
 7f14ec97214b7f501c7bcd8963ad2b0a  2006.0/x86_64/ruby-devel-1.8.2-7.5.20060mdk.x86_64.rpm
 5b6604fd9628a2312ee2b7f3b4371f45  2006.0/x86_64/ruby-doc-1.8.2-7.5.20060mdk.x86_64.rpm
 ba38430b90e8b454c7b2228073c4d3dd  2006.0/x86_64/ruby-tk-1.8.2-7.5.20060mdk.x86_64.rpm
 fb133b0d4f1b5eb27e67f0eb39772564  2006.0/SRPMS/ruby-1.8.2-7.5.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 b126d91632869a7a659f7044cbca180c  2007.0/i586/ruby-1.8.5-2.2mdv2007.0.i586.rpm
 a1414e09dcb3d0c858e3fc5070608e47  2007.0/i586/ruby-devel-1.8.5-2.2mdv2007.0.i586.rpm
 d6bf66762039af18a6c5f0a8b27d2bfa  2007.0/i586/ruby-doc-1.8.5-2.2mdv2007.0.i586.rpm
 017468bee38279e7f42adad194866cff  2007.0/i586/ruby-tk-1.8.5-2.2mdv2007.0.i586.rpm
 45e958263f67f96797318621052f1e3f  2007.0/SRPMS/ruby-1.8.5-2.2mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 2721a9103870075c0e64dd1a7c01b9a5  2007.0/x86_64/ruby-1.8.5-2.2mdv2007.0.x86_64.rpm
 6b6bd12e97b4ddf070849603bea45623  2007.0/x86_64/ruby-devel-1.8.5-2.2mdv2007.0.x86_64.rpm
 2e163941297e43e62d2f798a93efe960  2007.0/x86_64/ruby-doc-1.8.5-2.2mdv2007.0.x86_64.rpm
 d953012dc537a4f6e8343138d8f32f31  2007.0/x86_64/ruby-tk-1.8.5-2.2mdv2007.0.x86_64.rpm
 45e958263f67f96797318621052f1e3f  2007.0/SRPMS/ruby-1.8.5-2.2mdv2007.0.src.rpm

 Corporate 3.0:
 95abd86462f84450392cd41ab594  corporate/3.0/i586/ruby-1.8.1-1.8.C30mdk.i586.rpm
 174fe6c12a1a6a7dbf03f755cf0a57cd  corporate/3.0/i586/ruby-devel-1.8.1-1.8.C30mdk.i586.rpm
 2d0e7d3f950e7040f6e6c19a921bdb78  corporate/3.0/i586/ruby-doc-1.8.1-1.8.C30mdk.i586.rpm
 37fe39a689b25aa2caf193994a5dbf05  corporate/3.0/i586/ruby-tk-1.8.1-1.8.C30mdk.i586.rpm
 71b024abd10b00f7e278e39492f98aa6  corporate/3.0/SRPMS/ruby-1.8.1-1.8.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 366a4003551813d500eec00996981abf  corporate/3.0/x86_64/ruby-1.8.1-1.8.C30mdk.x86_64.rpm
 ef95e042be0f3a881ae6a66502c1c905  corporate/3.0/x86_64/ruby-devel-1.8.1-1.8.C30mdk.x86_64.rpm
 d72e56164f0a0fcb99b190dbb2ce7c2c  corporate/3.0/x86_64/ruby-doc-1.8.1-1.8.C30mdk.x86_64.rpm
 81c6c9a396d26dea3bd683c2207eb96b  corporate/3.0/x86_64/ruby-tk-1.8.1-1.8.C30mdk.x86_64.rpm
 71b024abd10b00f7e278e39492f98aa6  corporate/3.0/SRPMS/ruby-1.8.1-1.8.C30mdk.src.rpm

 Corporate 4.0:
 9796f3458efc694c98ab821158a0599b  corporate/4.0/i586/ruby-1.8.2-7.5.20060mlcs4.i586.rpm
 3578dc2bd6735967f79f43b21b14f8b2  corporate/4.0/i586/ruby-devel-1.8.2-7.5.20060mlcs4.i586.rpm
 4505b6152a025ecef599e48c4ef11763  corporate/4.0/i586/ruby-doc-1.8.2-7.5.20060mlcs4.i586.rpm
 466b48eb68199179c044b8a0fe5f7a3f  corporate/4.0/i586/ruby-tk-1.8.2-7.5.20060mlcs4.i586.rpm
 b7f41e2f4f5f71e3c2f214c041957533  corporate/4.0/SRPMS/ruby-1.8.2-7.5.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 2771fffe29e377ea0bcf594bb94a0f7b  corporate/4.0/x86_64/ruby-1.8.2-7.5.20060mlcs4.x86_64.rpm
 2d0b06a00590a0dfae303be8079f852a  corporate/4.0/x86_64/ruby-devel-1.8.2-7.5.20060mlcs4.x86_64.rpm
 87d597d03cc146b1b9ac89e29b7a2879  corporate/4.0/x86_64/ruby-doc-1.8.2-7.5.20060mlcs4.x86_64.rpm
 ec2d09506bfebab08d523fd258f8136b  corporate/4.0/x86_64/ruby-tk-1.8.2-7.5.20060mlcs4.x86_64.rpm
 b7f41e2f4f5f71e3c2f214c041957533  corporate/4.0/SRPMS/ruby-1.8.2-7.5.20060mlcs4.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for 

[Full-disclosure] rPSA-2006-0226-1 kernel

2006-12-06 Thread rPath Update Announcements
rPath Security Advisory: 2006-0226-1
Published: 2006-12-06
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
Local Root Non-deterministic Privilege Escalation
Updated Versions:
kernel=/[EMAIL PROTECTED]:devel//1/2.6.17.14-0.4-1
kernel=/[EMAIL PROTECTED]:devel//1-xen/2.6.16.29-0.11-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5751
https://issues.rpath.com/browse/RPL-803
https://issues.rpath.com/browse/RPL-837

Description:
Previous versions of the kernel package are vulnerable to a local
denial of service or privilege escalation attack by unprivileged
users if any network bridge interface has been configured with more
than two interfaces.  The attacker can cause the system to crash,
and is believed to be able to provide arbitrary code that may
(with undetermined probability) run in kernel context.  Xen dom0
instances in the default bridging configuration are vulnerable.

Previous versions of the Xen dom0 kernel did not embed the
firmware for QLogic 2XXX Fibre Channel adapters, disabling Xen
dom0 on those systems.

This update requires a system reboot to implement the fixes.



Re: [Full-disclosure] Nmap Online

2006-12-06 Thread Greg


> -----Original Message-----
> From: Christian Khark Lauf [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 7 December 2006 5:22 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Nmap Online
>
>
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi,
>
> Greg wrote:
>
> > I don't wish to upset anyone but that answer has to be the craziest
> > FIRST port of call approach I have seen used. I get plenty of those
> > sorts of calls. I take about 30 seconds time on the phone for almost
> > all of them. I say "Pull the power plug out of the router. Wait 10
> > seconds, plug it back in and wait another 10 seconds. OK, try now" and
> > almost all of them report it works well.
>
> What about the people whose router configuration (which was
> done by a friend months/years ago) you just reset? Better
> prepare for some house visits to restore SOHO router
> configurations :-)

I am fairly certain that the NV in NV-RAM doesn't mean New Victim but Non
Volatile. E.g., even if nothing else works so you pull the plug and put it
back in, the settings you have changed remain intact. So, in most cases, no
you do not need to worry when pulling the plug.

>
> And I think that the more you know about a certain topic, the
> more you are able to find nice & half-decent solutions.
> Resetting the whole device just because of what is maybe a
> temporary problem doesn't seem clever to me.
>

That wasn't what I said of course. The whole point was that if the user is
complaining about not getting email from their ISP via whatever method they
decide to use and/or cannot get onto the web, then pulling the power plug is
a viable answer that is normally correct in most situations. Sure, there are
some where it isn't the answer but if you find out it is still as bad as it
ever was after pulling the plug and putting it back in, then you need to go
there, physically, in any case.

> But I understand your point.. At some point in time first
> level support gets boring.
>

It wasn't even that which I said. My point was always that there are better
ways of doing things. You could drive 30 miles just to pull the plug
yourself leaving the current job unfinished or unable to get to that next
problem in a suitable response time or you could just tell the person on the
phone to do that while you wait and see the result. In most cases, it has
been the answer. It has never ALWAYS been the case. In the cases where it
works, it is just a more efficient way for YOU to work. No online answer
is going to fix a router that just lost its cool and is locked up unless you
have installed a remote power down and power up (yeah, they exist but I
haven't used one and can't remember the name). The end result of working this
way is a happy customer who is now able to work, a contact who feels
superior because they worked with you to fix the problem and is more likely
to help you out in future when you want something done that they are capable
of doing and you can get to your next appointment on time.

Call me crazy but I reckon trying it first is always the best approach.

Greg.



Re: [Full-disclosure] Nmap Online

2006-12-06 Thread Mike Vasquez

1) I'm sure none of you can imagine this, but sometimes running and startup
configs aren't the same.  YES it's TRUE!  So, your approach could be
disastrous and is really ill advised.

2) Nmap may not give reliable results from all sites.  Surely you've
encountered ACLs that caused erroneous nmap results from some locations.  As
the guy said: sometimes he travels.  Having the capability to run it from a
neutral location can get by that.

I'm sure there's more.


On 12/5/06, Greg [EMAIL PROTECTED] wrote:
>
> I don't wish to upset anyone but that answer has to be the craziest FIRST
> port of call approach I have seen used. I get plenty of those sorts of
> calls. I take about 30 seconds time on the phone for almost all of them. I
> say "Pull the power plug out of the router. Wait 10 seconds, plug it back
> in and wait another 10 seconds. OK, try now" and almost all of them report it
> works well.
>
> So why would I need and how could I use Nmap online to tell me the router
> went crazy and locked up?
>
> Besides, wouldn't it be just as easy to use the Nmap sitting on my
> computer if I decided I needed to use it?
>
> Greg.


[Full-disclosure] [USN-390-3] evince-gtk vulnerability

2006-12-06 Thread Kees Cook
=== 
Ubuntu Security Notice USN-390-3  December 06, 2006
evince-gtk vulnerability
CVE-2006-5864
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  evince-gtk   0.5.2-0ubuntu2.1

Ubuntu 6.10:
  evince-gtk   0.5.2-0ubuntu4.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-390-2 fixed vulnerabilities in evince.  This update provides the 
corresponding update for evince-gtk.

Original advisory details:

  A buffer overflow was discovered in the PostScript processor included 
  in evince.  By tricking a user into opening a specially crafted PS 
  file, an attacker could crash evince or execute arbitrary code with 
  the user's privileges.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1.diff.gz
  Size/MD5:22511 0cf118d6918268ba4f53c9b21c2e4abc

http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1.dsc
  Size/MD5:  893 6bd5d56c1d26042f0882ad1c8f35d8c4

http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2.orig.tar.gz
  Size/MD5:  1362513 5020afb1768d89c251ad8c2a233d9fcf

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1_amd64.deb
  Size/MD5:   311524 9afc1a61adb192c0c115bcc8231008c1

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1_i386.deb
  Size/MD5:   282212 15a8292c95bed93d2af5d4917172ca8c

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1_powerpc.deb
  Size/MD5:   299064 510f7b8c93b8a8a65f71cae17176cd59

  sparc architecture (Sun SPARC/UltraSPARC)


http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu2.1_sparc.deb
  Size/MD5:   287254 f75088c1015e44cf7ed2633340d0d24f

Updated packages for Ubuntu 6.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1.diff.gz
  Size/MD5:22622 194a824da15c50fe472762f960f2b9fb

http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1.dsc
  Size/MD5:  893 24d9a86b4a012fd133ee37b538e9156c

http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2.orig.tar.gz
  Size/MD5:  1362513 5020afb1768d89c251ad8c2a233d9fcf

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1_amd64.deb
  Size/MD5:   305732 af144ed0736a7ef77aba67ef9cbbeaae

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1_i386.deb
  Size/MD5:   286362 21f58e429f79a605fa2bff0c36a7cbb6

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1_powerpc.deb
  Size/MD5:   293918 c9e00c6154cddae33bd8c99afbace8fd

  sparc architecture (Sun SPARC/UltraSPARC)


http://security.ubuntu.com/ubuntu/pool/main/e/evince-gtk/evince-gtk_0.5.2-0ubuntu4.1_sparc.deb
  Size/MD5:   282784 596cfcc780feac5016866a46375cbc42


[Full-disclosure] ZDI-06-044: Adobe Download Manager AOM Parsing Buffer Overflow Vulnerability

2006-12-06 Thread zdi-disclosures
ZDI-06-044: Adobe Download Manager AOM Parsing Buffer Overflow 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-044.html
December  6, 2006

-- CVE ID:
CVE-2006-5856

-- Affected Vendor:
Adobe

-- Affected Products:
Adobe Download Manager 2.1 and earlier

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since April  3, 2006 by Digital Vaccine protection
filter ID 4280. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Download Manager application.
User interaction is required to exploit this vulnerability in that the
target must visit a malicious page.

The specific flaw exists in the AOM file format parser. A long [URL]
element inside of a [DownloadRecord] element within an AOM file will
result in a stack-based buffer overflow condition leading to execution
of arbitrary code. The Download Manager is installed during the
installation of other Adobe products, such as Acrobat Reader. When
installed, the download manager becomes the default application to
handle .AOM files.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details
can be found at:

http://www.adobe.com/go/apsb06-19/

-- Disclosure Timeline:
2006.04.03 - Digital Vaccine released to TippingPoint customers
2006.04.07 - Vulnerability reported to vendor
2006.12.06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.



[Full-disclosure] rPSA-2006-0227-1 gnupg

2006-12-06 Thread rPath Update Announcements
rPath Security Advisory: 2006-0227-1
Published: 2006-12-06
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
Indirect Deterministic Privilege Escalation
Updated Versions:
gnupg=/[EMAIL PROTECTED]:devel//1/1.4.6-0.1-

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235
https://issues.rpath.com/browse/RPL-835

Description:
Previous versions of the gnupg package will execute attacker-provided
code found in intentionally malformed OpenPGP packets. This allows an
attacker to run arbitrary code as the user invoking gpg on the file
that contains the malformed packets.



[Full-disclosure] TSRT-06-15: Citrix Presentation Server Client ActiveX Heap Overflow Vulnerability

2006-12-06 Thread TSRT
TSRT-06-15: Citrix Presentation Server Client ActiveX Heap Overflow
Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-15.html
December 6, 2006

-- CVE ID:
CVE-2006-6334

-- Affected Vendor:
Citrix

-- Affected Products:
Citrix Presentation Server Client for Windows < v9.230

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since February 2006 by a pre-existing Digital Vaccine
protection filter ID 4163. For further product information on the
TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Citrix Presentation Server Client for
Windows. User interaction is required to exploit this vulnerability in
that the target must visit a malicious page.

The specific flaw resides in the SendChannelData function of the
ActiveX control Wfica.ocx (CLSID 238F6F83-B8B4-11CF-8771-00A024541EE3).
The function is prototyped as follows:

    SendChannelData(ChannelName As String,
                    Data As String,
                    DataSize As Long,
                    DataType As ICAVCDataType)

Specifying an undersized buffer length as the 'DataSize' parameter and
supplying a large buffer as the 'Data' parameter results in an
exploitable heap corruption.

-- Vendor Response:
Citrix has issued an update to correct this vulnerability. More details
can be found at:

http://support.citrix.com/article/CTX111827

-- Disclosure Timeline:
2006.02.01 - Pre-existing Digital Vaccine released to TippingPoint customers
2006.09.19 - Vulnerability reported to vendor
2006.12.06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint Security Research Team.



[Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan

2006-12-06 Thread Shawn Merdinger
Vulnerability Description
=========================
The Linksys WIP 330 VoIP wireless phone will crash when a full
port-range Nmap scan is run against its IP address.


Linksys WIP 330 Firmware Version
================================
1.00.06A


Nmap scan command
=================
nmap -P0 <WIP 330 IP address> -p 1-65535


Impact
======
The crash occurs only after Nmap has finished. The Nmap scan also seems to
disrupt updating of the display, as the clock is not updated. The crash
appears related to PhoneCtl.exe running on the phone's Windows CE 4.2
operating system.

Screenshot of the crash: http://www.flickr.com/photos/metalmijn/295348294/


Credit
======
Credit for discovering this vulnerability goes to Armijn Hemel.



[Full-disclosure] [USN-393-1] GnuPG vulnerability

2006-12-06 Thread Kees Cook
=== 
Ubuntu Security Notice USN-393-1  December 07, 2006
gnupg vulnerability
CVE-2006-6235
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  gnupg1.4.1-1ubuntu1.6

Ubuntu 6.06 LTS:
  gnupg1.4.2.2-1ubuntu2.4

Ubuntu 6.10:
  gnupg1.4.3-2ubuntu3.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Tavis Ormandy discovered that gnupg was incorrectly using the stack.  If 
a user were tricked into processing a specially crafted message, an 
attacker could execute arbitrary code with the user's privileges.


Updated packages for Ubuntu 5.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6.diff.gz
  Size/MD5:23701 7a9033efbfb1f0028f53cef54f1a6522

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6.dsc
  Size/MD5:  684 4740552c8acbe2143bfff11dbfaee85b
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1.orig.tar.gz
  Size/MD5:  4059170 1cc77c6943baaa711222e954bbd785e5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6_amd64.deb
  Size/MD5:  1136698 64e954a21f51c939792b140f5a0fc5df

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.6_amd64.udeb
  Size/MD5:   152276 c703faddbf82858fa85560912ea3f7b0

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6_i386.deb
  Size/MD5:  1044848 6dc25f6204f754f80b15f90bac175a25

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.6_i386.udeb
  Size/MD5:   130672 3a69e1804fb1234a70d9715d42b929e1

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6_powerpc.deb
  Size/MD5:  1120042 16103aee54c188b9e74b81d776537bc4

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.6_powerpc.udeb
  Size/MD5:   140218 fcc41df5bf7d7336ac00ab8a1edaa665

  sparc architecture (Sun SPARC/UltraSPARC)


http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.6_sparc.deb
  Size/MD5:  1064838 8c78b6bca94a9bc62a9d7a9f5a8ae298

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.6_sparc.udeb
  Size/MD5:   139598 830785d65ea4bdb0d8ed8d123fcb2d6f

Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4.diff.gz
  Size/MD5:22621 3e45e6fe65cd1334a12d6bfbc9d26f2b

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4.dsc
  Size/MD5:  690 1ce5bd388f35b6bdd48e12719308cea5

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2.orig.tar.gz
  Size/MD5:  4222685 50d8fd9c5715ff78b7db0e5f20d08550

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4_amd64.deb
  Size/MD5:  1066564 f3c60d096d2ea85b02f8898660ab7997

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.4_amd64.udeb
  Size/MD5:   140308 5f18581d5ab54d33f2d69b079985c599

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4_i386.deb
  Size/MD5:   981652 8497f389c4feb73d10ff8c82810b2659

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.4_i386.udeb
  Size/MD5:   120282 a0001759aec7eb6317d8bd0656078ff6

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4_powerpc.deb
  Size/MD5:  1054114 565e5af4a14baed975050837af3d600b

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.4_powerpc.udeb
  Size/MD5:   130160 d97f253e9f24a3f831b31d1fae25a67c

  sparc architecture (Sun SPARC/UltraSPARC)


http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.4_sparc.deb
  Size/MD5:   994418 15ec9d7565fd5a2ba18ca8cbd03357f8

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.4_sparc.udeb
  Size/MD5:   127412 028eaa2d4ca1c8d96eefaa663f853290

Updated packages for Ubuntu 6.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.3-2ubuntu3.2.diff.gz
  

Re: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan

2006-12-06 Thread Knud Erik Højgaard
> The Linksys WIP 330 VoIP wireless phone will crash when a full
> port-range Nmap scan is run against its IP address.

oh crap so does this shitty sipoora box! i will turn it off now to
avoid hakkings!



Re: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan

2006-12-06 Thread Knud Erik Højgaard
> The Linksys WIP 330 VoIP wireless phone will crash when a full
> port-range Nmap scan is run against its IP address.

surprise! the zyxel something 2200 will die from malformed packets!
WOW! CALL THE INTARWEB POLIECE! CALL ZYXEL POLICE, THEIR STUFFZ DON'T
LIKE WEIRD PACKETZ!



Re: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan

2006-12-06 Thread Shawn Merdinger
No better/worse than this I suppose.

http://www.cisco.com/warp/public/707/cisco-response-20060113-ip-phones.shtml

Thanks,
--scm


On 12/6/06, Knud Erik Højgaard [EMAIL PROTECTED] wrote:
> > The Linksys WIP 330 VoIP wireless phone will crash when a full
> > port-range Nmap scan is run against its IP address.
>
> surprise! the zyxel something 2200 will die from malformed packets!
> WOW! CALL THE INTARWEB POLIECE! CALL ZYXEL POLICE, THEIR STUFFZ DON'T
> LIKE WEIRD PACKETZ!




Re: [Full-disclosure] Hail list!

2006-12-06 Thread Eliah Kagan
On 12/6/06, aNub15 wrote:
> 2. Looking for a low footprint windows firewall that's only supposed to do
> one thing. If someone hits port 110, block the I.P for a week? (should take
> care of most portscanners (skiddies)). And no I'm not worried about blocking
> real users on the box.

Has it occurred to you that someone could send spoofed SYN packets
with port 110 as the destination, and any IP as the source? Maybe you
should worry about blocking real users after all. If there is an IP
range where you know you have no legitimate users, you should instead
block that IP range. Any IP range where you might have legitimate
users is a range that someone could deny access to easily. Except
actually it would be you denying access to them--a person attacking
you in that way would likely not even be legally responsible
(but I am not a lawyer).

Also, why would that prevent access by most people scanning your
ports? Suppose someone is scanning your entire subnet, for instance,
but only on port 22. Or someone could scan lots of ports on your box,
and notice that plenty were open until 110 was probed. This person
could then think one of three things:

(1) Hmm, I guess that's all the ports open on that box.
(2) Hmm, lots of ports open, and then I scan port 110, and the rest
are all closed/filtered. (This is especially likely if it is the
person's *second* scan.) There must be something nice and juicy on
that box. I will scan the rest of the ports from another IP and then
penetrate any service I can and find out why such a strange measure of
pseudo-security is in place.
(3) Hmm, I was reading Full Disclosure recently and somebody was
asking about how to blacklist IPs for a week that send traffic to port
110. I bet this is the box of the guy who wanted to know how to do it.
Let's find out why he wanted to do that...

> www.supernoia.com

Script kiddies and anybody else who likes portscanning thank you for
the heads up. If you are going to implement this almost certainly bad
idea--and it is for that server--you may wish to at least make it a
different port.

-Eliah

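The self-inflicted denial of service described in the reply above, shown as an added example (this is not code from the thread or from any firewall product). It simulates the "block any IP that touches port 110 for a week" rule beside a variant that only reacts to completed TCP handshakes, exempts operator-chosen ranges, and uses a shorter window. Every address, the event log and the allowlist are constructed sample data, and the hour-long window is an assumption of the example.

```python
"""Added example, not code from the thread: a small simulation of the
"block any IP that touches port 110 for a week" rule, beside a variant
that only acts on completed handshakes and exempts known-good ranges.
All addresses, the event log and the allowlist are constructed sample data."""
from dataclasses import dataclass
import ipaddress

TRAP_PORT = 110
WEEK = 7 * 24 * 3600


@dataclass(frozen=True)
class ConnEvent:
    ts: int               # seconds on the firewall's clock
    src: str              # source address as seen in the packet
    dst_port: int
    handshake_done: bool  # True only if the TCP three-way handshake completed


class NaiveTrapBlocklist:
    """The rule as asked for: the first packet to TRAP_PORT blocks its source
    for a week. A lone SYN proves nothing about its source address, so a
    spoofed SYN puts any address of the attacker's choosing on the list."""

    def __init__(self, block_seconds=WEEK):
        self.block_seconds = block_seconds
        self.blocked_until = {}

    def observe(self, ev):
        if ev.dst_port == TRAP_PORT:
            self.blocked_until[ev.src] = ev.ts + self.block_seconds

    def is_blocked(self, src, now):
        return self.blocked_until.get(src, -1) > now


class HandshakeTrapBlocklist(NaiveTrapBlocklist):
    """Only a completed handshake counts (the peer had to receive our SYN-ACK,
    so its address is real), listed ranges are never blocked, and the window
    defaults to an hour (assumption: a short window bounds any mistake)."""

    def __init__(self, allow_cidrs, block_seconds=3600):
        super().__init__(block_seconds)
        self.allow = [ipaddress.ip_network(c) for c in allow_cidrs]

    def observe(self, ev):
        if ev.dst_port != TRAP_PORT or not ev.handshake_done:
            return
        if any(ipaddress.ip_address(ev.src) in net for net in self.allow):
            return
        self.blocked_until[ev.src] = ev.ts + self.block_seconds


# Constructed event log using RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    ConnEvent(5,  "198.51.100.7", 110, True),   # a real scanner, full handshake
    ConnEvent(10, "203.0.113.5",  110, False),  # spoofed SYN forged with a customer's address
    ConnEvent(20, "203.0.113.5",  443, True),   # the actual customer arrives later
    ConnEvent(30, "192.0.2.44",   110, True),   # the operator's own monitoring host
]


def blocked_sources(policy, events, now):
    """Feed the events to a policy and report which sources are blocked at `now`."""
    for ev in events:
        policy.observe(ev)
    return sorted(s for s in {e.src for e in events} if policy.is_blocked(s, now))


def compare_policies(events=SAMPLE_EVENTS, now=60):
    """Return (sources blocked by the naive rule, sources blocked by the careful rule)."""
    naive = blocked_sources(NaiveTrapBlocklist(), events, now)
    careful = blocked_sources(HandshakeTrapBlocklist(["192.0.2.0/24"]), events, now)
    return naive, careful


if __name__ == "__main__":
    naive, careful = compare_policies()
    print("naive rule blocks:  ", naive)    # the spoofed customer and our own monitor too
    print("careful rule blocks:", careful)  # only the scanner that really connected
```

With the constructed log, the naive rule ends up blocking the customer whose address was forged and the operator's own monitoring host, while the handshake-based rule blocks only the scanner that actually completed a connection. Requiring a completed handshake is what makes the source address trustworthy; the allowlist and the shorter window are defence in depth against the remaining mistakes.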


[Full-disclosure] New MySpace worm could be on its way

2006-12-06 Thread pdp (architect)
http://www.gnucitizen.org/blog/myspace-quicktime-worm-follow-up

MySpace was hit by a worm in a semi-automatic manner. This time the
worm propagated via a QuickTime flaw found a couple of months ago.
This shouldn't be a surprise to anyone. It is quite serious that this
attack vector was picked up by Apple so late.

In this post I am not going to explain how this particular MySpace
hack works but rather to send a reminder to the security community
that another QuickTime XSS vector
(http://www.gnucitizen.org/blog/backdooring-mp3-files) was found right
after the first one. This vector can be used in a similar way although,
IMHO, the impact is greater. I guess Apple should fix both issues NOW:
we don't want MySpace worms spreading around again, although this is
very utopian to say.

Here is a brief reminder of what the XSS issue was all about.

The problem is caused by a quite useful feature called QuickTime
Media Link (.qtl). The whole point of these QuickTime Media Link files
is to provide a means of playing media files in a more accessible way.
In this respect the developer can create a .qtl file which holds
information about the media content that needs to be played plus
recommended dimensions, accessibility features, control features
etc.

.qtl files can contain malicious JavaScript code that, when executed, can
take over some important network device, for example. That's not
the end of the story though. Because of its flexibility QuickTime
doesn't mind if Media Link (.qtl) files end with .mp3, .mp4, .m4a or
even .mov extension...

This is a quite big problem especially in default configurations
of iTunes. The iTunes installation wizard installs the QuickTime
player and QuickTime browser plugins and associates various media
files with its components. If you open an mp3 file from the desktop it
will be played in iTunes player by default, however if you open it
from some website it will be played in the QuickTime player browser
plugin. In this respect, users who are previewing mp3 and other media
files from the Internet are vulnerable.


To sum up, and put into context, attackers can use QuickTime Media
Links to imitate popular media files and as such trick the user into
opening malicious content that could lead to their (MySpace) account
or their browser being compromised. Let's look at the following
hypothetical situation:

Evil Hacker decides to take over MySpace in order to DoS google.com.
He finds that MySpace allows users to supply links in their posts and
comments. He spends some time researching the 1000 most popular
MySpace members where he will post links to media files titled
orgy.mov or myconfession.mp3 or even prankster.avi. Once an unaware
user clicks on the link, a phishing page is presented asking the
current user to enter their MySpace details to see the private
content. If the user is tricked, their credentials will be on their
way to a collection point specifically designed for that operation,
where another automatic process takes over their user account,
installing the same malicious file or simply hijacking other media files
by wrapping them up in QuickTime Media Links the same way it is
described in the article mentioned above. The process repeats when
another user falls into the trap. When a large enough number of accounts are
compromised Evil Hacker will launch his/her DDoS against Google's
AdSense server farm.

Before seeing more worms of this kind I suggest that we gather our
intellectual power to find a fix or at least a workaround. I welcome
you to join me at GNUCITIZEN's MySpace Worms Topic
http://www.gnucitizen.org/topics/myspace-worms for further
discussion. I can assure you that neither GNUCITIZEN nor I have anything
to do with MySpace or any other related organization. The purpose of
this symposium is to learn more about these types of worms and help other
online applications and communities protect themselves. This is much
better than just sitting in our comfy chairs and laughing at people's
mistakes.

Many thanks.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

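One workaround on the hosting side for the disguise the post describes (a QuickTime Media Link renamed to .mp3/.mp4/.m4a/.mov): never trust the file name and sniff the first bytes instead. The check below is an added example, not code from GNUCITIZEN or from any site mentioned in the post. The sample bodies are constructed, and the `<?quicktime ...?>` processing instruction in the sample is written from memory of the .qtl format and is an assumption here; the check itself rejects any markup under a media name, so it does not depend on that detail.

```python
"""Added example, not code from the post: a server-side check for uploaded
"media" files that rejects bodies which are really text/XML (such as a
QuickTime Media Link) under a .mp3/.mp4/.m4a/.mov name. The samples are
constructed; the <?quicktime ...?> line is an assumption about .qtl."""
import os

# What the body should look like for each extension named in the post.
EXPECTED_KIND = {".mp3": {"mp3"}, ".mp4": {"isobmff"},
                 ".m4a": {"isobmff"}, ".mov": {"isobmff"}}
# Top-level box (atom) types that legitimately start a QuickTime/MP4 file.
ISO_BOX_TYPES = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip"}


def classify(blob: bytes) -> str:
    """Cheap content sniffing from the first bytes; the file name is ignored."""
    head = blob.lstrip(b"\xef\xbb\xbf \t\r\n")          # drop UTF-8 BOM / whitespace
    if head.startswith(b"ID3"):
        return "mp3"                                      # ID3v2 tag header
    if len(head) >= 2 and head[0] == 0xFF and head[1] & 0xE0 == 0xE0:
        return "mp3"                                      # raw MPEG audio frame sync
    if len(blob) >= 8 and blob[4:8] in ISO_BOX_TYPES:
        return "isobmff"                                  # QuickTime/MP4 atom structure
    if head.startswith(b"<"):
        return "xml"                                      # markup, e.g. a .qtl media link
    return "unknown"


def check_upload(filename: str, blob: bytes):
    """Return (accepted, reason). Only the media extensions above are checked."""
    ext = os.path.splitext(filename)[1].lower()
    kind = classify(blob)
    wanted = EXPECTED_KIND.get(ext)
    if wanted is None:
        return True, f"{filename}: extension not covered by this check"
    if kind not in wanted:
        return False, f"{filename}: claims {ext} but content looks like {kind}"
    return True, f"{filename}: content matches {ext}"


# Constructed sample bodies.
MP3_SAMPLE = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 64
RAW_MP3_SAMPLE = b"\xff\xfb\x90\x00" + b"\x00" * 64
MOV_SAMPLE = b"\x00\x00\x00\x14ftypqt  \x00\x00\x00\x00qt  " + b"\x00" * 64
QTL_SAMPLE = (b'<?xml version="1.0"?>\n'
              b'<?quicktime type="application/x-quicktime-media-link"?>\n'
              b'<embed src="http://media.example.invalid/clip.mov" autoplay="true"/>\n')

SAMPLE_UPLOADS = {
    "song.mp3": MP3_SAMPLE,
    "clip.mov": MOV_SAMPLE,
    "myconfession.mp3": QTL_SAMPLE,   # a media link wearing the name from the post
    "prankster.m4a": QTL_SAMPLE,
    "readme.txt": QTL_SAMPLE,         # not a media name, so out of scope here
}


def scan_uploads(uploads=SAMPLE_UPLOADS):
    """Map each file name to whether it would be accepted."""
    return {name: check_upload(name, body)[0] for name, body in uploads.items()}


if __name__ == "__main__":
    for name, ok in scan_uploads().items():
        print(f"{'accept' if ok else 'REJECT':6} {name}")
```

The same classification can drive the Content-Type the site sends when it serves the file back, so that a body which is really markup is never delivered under an audio or video type. The sniffing here is deliberately minimal (tag header, frame sync, ISO box type); it is a mismatch detector, not a full media parser.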