Re: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash fromNmap scan

2006-12-08 Thread Shawn Merdinger
Hi,

Yes, this is an extraordinarily lame bug, but that's sort of the point
with many of these VoIP phones, both wired and wireless.  They are a
new class of device going onto networks and tend to be kind of sucky
when it comes to what I'd consider *expected customer environment tool
runs* like Nmap and Nessus, not to mention plenty of others such as
ISIC, Protos, Asteroid, ...and that's
just sticking with the free stuff.

I didn't find the bug anyways, I just reported it to Linksys and then
FD.  And even though I'm poking around with a bunch of VoIP phones on
my own time and dime, I don't own one of these WIP 330s.

Anyway, you seem happy with your WIP 330...once you got it configured...
http://www.trixbox.org/modules/newbb/viewtopic.php?topic_id=5974&forum=3#forumpost23445

Say, if you have the cycles for some free vendor QA, and since you
have a WIP 330 in hand, maybe you can find something much cooler with
that PhoneCtl.exe crash and get back to us?

Thanks,
--scm




On 12/7/06, pingywon <[EMAIL PROTECTED]> wrote:
>
>  "The crash
> > appears related to PhoneCtl.exe running on the phone's Windows CE 4.2
> > operating system."
>
> "Let me take a look at that screenshot again..."
>
> http://www.flickr.com/photos/metalmijn/295348294/
>
> "Heck buddy, you appear correct"
>
> ~p
>
>
>
>
>
> - Original Message -
> From: "Shawn Merdinger" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, December 06, 2006 1:40 PM
> Subject: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash
> fromNmap scan
>
>
> > Vulnerability Description
> > =========================
> > The Linksys WIP 330 VoIP wireless phone will crash when a full
> > port-range Nmap scan is run against its IP address.
> >
> >
> > Linksys WIP 330 Firmware Version
> > ================================
> > 1.00.06A
> >
> >
> > Nmap scan command
> > =================
> > nmap -P0  -p 1-65535
> >
> >
> > Impact
> > ======
> > The crash is only after Nmap has finished. The Nmap scan also seems to
> > disrupt updating of the display as the clock is not updated. The crash
> > appears related to PhoneCtl.exe running on the phone's Windows CE 4.2
> > operating system.
> >
> > Screenshot of the crash: http://www.flickr.com/photos/metalmijn/295348294/
> >
> >
> > Credit
> > ======
> > Credit for discovering this vulnerability goes to Armijn Hemel
> >
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] What was the name of the web site ...

2006-12-08 Thread solenoid (lists)
... that keeps track of MS vulnerabilities, patches and the
corresponding exploits?

I know that it was mentioned earlier in this list but can not remember
the URL right now...

TIA



[Full-disclosure] Google pageranked 4 domain on sale...

2006-12-08 Thread Louis Wang
hi, there:
I don't know whether it is the right place to post this message,
but the web site is security related in my original thought.
I'd like to sell my web site http://www.lwang.org. It has google
pageranked 4, and full control of domain. The web server is in Czech,
it has 500M space and 5G traffic per month.
Anyone interested in it, please contact me.
Thanks.



Re: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash fromNmap scan

2006-12-08 Thread pingywon
They are truly a "fragile" class of new devices. I bought the overpriced 
WIP330 for testing myself. And minus the rather good screen brightness and 
resolution I'm pretty disappointed with it (it's just a cumbersome phone).

But as long as Cisco is still selling their grayscale wifi phone for $500 I 
consider it a deal.
- Original Message - 
From: "Shawn Merdinger" <[EMAIL PROTECTED]>
To: "pingywon" <[EMAIL PROTECTED]>; 
Sent: Friday, December 08, 2006 1:53 AM
Subject: Re: [Full-disclosure] Linksys WIP 330 VoIP wireless phone crash 
fromNmap scan




[Full-disclosure] [SECURITY] [DSA-1230-1] new l2tpns packages fix buffer overflow

2006-12-08 Thread Steve Kemp


--------------------------------------------------------------------------
Debian Security Advisory DSA-1230-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                               Steve Kemp
December 08, 2006
--------------------------------------------------------------------------

Package: l2tpns (2.0.14-1sarge1)
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2006-5873
Debian Bug : 401742


Rhys Kidd discovered a vulnerability in l2tpns, a layer 2 tunnelling
protocol network server, which could be triggered by a remote user to
execute arbitrary code.

For the stable distribution (sarge), this problem has been fixed in 
version 2.0.14-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.1.21-1.

We recommend that you upgrade your l2tpns package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
-------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  


  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/


Re: [Full-disclosure] Google pageranked 4 domain on sale...

2006-12-08 Thread Dude VanWinkle
On 12/8/06, Louis Wang <[EMAIL PROTECTED]> wrote:
> I'd like to sell my web site http://www.lwang.org. It has google
> pageranked 4, and full control of domain. The web server is in Czech,
> it has 500M space and 5G traffic per month.

is it pageranked #4 for the word "wang"?

what is the Czech word for Willie the One Eyed Wonder Weasel??

anyways, if you are going to try and sell a site based on its rank,
and assuming you aren't talking about smell, you might want to include
the category. Even though you said it's a security related site; the
content isn't always a guarantee of the category it is associated with,
see: disney pr0n googlebombing, etc, etc.

We could look it up, but not only are FD'ers notoriously lazy, as you
are the "salesman" you might want to try and attract lazy marks,.. err
buyers.

-JP

Bonus wang link with a hat-tip to Larry Seltzer for providing it,
maybe NSFW depending on where you W:
http://www.starma.com/penis/penis.html



[Full-disclosure] Call For Participants For A Research Study Of Hacker Culture

2006-12-08 Thread Thomas Holt


Greetings,

My name is Tom Holt, and I am an Assistant Professor at the University of North
Carolina at Charlotte.  I am currently conducting a study of hackers and hacking
and am seeking interested men and women who may be willing to participate.  The
purpose of this research is to understand the ways that people become interested
in computers and hacking, their motives for hacking, and how they apply their
skills in different settings.  This study will also consider individuals’
conceptions of hacking and experiences in hacker culture.

To understand this phenomenon, I am seeking individuals who are willing to share
their experiences and opinions in an interview which can be conducted either in
person or via encrypted e-mail. Strict confidentiality will be maintained and
your privacy ensured.  I have obtained a Certificate of Confidentiality from the
National Institutes of Health to further protect and ensure your privacy and
confidentiality. All individuals who complete an interview will be paid $10 for
their time, and $10 will also be paid for successful referrals.

If you know anyone who is, or considers his/herself to be a hacker and is
willing to be interviewed, please contact me via email at [EMAIL PROTECTED], at
[EMAIL PROTECTED], or by phone at 704-795-9544. Again, strict confidentiality
will be maintained and your privacy ensured.

I am not a law enforcement agent nor connected with any law enforcement agency
and am not looking to hear crazy stories about how you hacked NASA.  If you
have, great, but I realize there is more to hacking than simple media
conceptions of the hacker as a criminal.  Instead, I am interested in
understanding hacking from the hackers’ point of view.  I have presented my
research and described this project at several cons, including CarolinaCon 06,
PhreakNIC X, and Defcons 13/14 and am hoping to hear from more individuals in
the community.

Please contact me if you are interested, and I look forward to hearing from you.


Thank you,


Thomas J. Holt, Ph. D.







 


[Full-disclosure] Enforcing Java Security Manager in Restricted Windows Environments?

2006-12-08 Thread Jan P. Monsch
Hi

Lately I came across several Citrix and Terminal Server projects which
provide a restricted set of applications to their users. This is achieved
using Windows Software Restriction Policies or AppSense Application Manager
to white or black list executables.

One of these permitted binaries is often java.exe. Now the problem arises
that once Java is enabled any Java application can be executed on the
system. This allows a malicious user to execute arbitrary Java code, like
replacement shells (JSH), RDP clients (Propero Java RDP) and network port
scanners. I could block java.exe but business requires that the company's
Java application must still work.

This led me into this research on how to white list Java applications in a
restricted Windows environment. For gory details see:
http://www.iplosion.com/archives/54

So all this melts down to my question: Is there a way to tell java.exe to
always use the Java Security Manager without the possibility of manipulation
by the user?

I would be very interested to learn your ideas.

Kind regards
Jan P. Monsch



Re: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture

2006-12-08 Thread Simon Richter
Hello,

Thomas Holt wrote:

> The purpose of this research is to understand 
> the ways that people become interested in computers and hacking, their 
> motives for hacking, and how they apply their skills in different 
> settings.  This study will also consider individuals’ conceptions of 
> hacking and experiences in hacker culture.

[...]

> I am not a law enforcement agent nor connected with any law enforcement 
> agency and am not looking to hear crazy stories about how you hacked 
> NASA.  If you have, great, but I realize there is more to hacking than 
> simple media conceptions of the hacker as a criminal.  Instead, I am 
> interested in understanding hacking from the hackers’ point of view.

It is not clear how you understand the term "hacker". In your opening 
paragraph, it basically describes someone who is interested in "how 
things work" (which is close to the definition given in The New Hacker's 
Dictionary), in the closing it appears to describe people engaged in 
illegal activity (whom TNHD calls "crackers").

So the question is, are you researching the motivation for gaining 
knowledge about technology, or are you researching the motivation for 
illegal activity in a technology setting (which is not really related to 
knowledge gathering, as can be seen by the vast numbers of "script 
kiddies" out there)?

If this is about the former, I might have a few pointers for you.

Simon


[Full-disclosure] [CAID 34846]: CA BrightStor ARCserve Backup Discovery Service Buffer Overflow Vulnerability

2006-12-08 Thread Williams, James K

Title: CAID 34846: CA BrightStor ARCserve Backup Discovery Service 
Buffer Overflow Vulnerability

CA Vulnerability ID (CAID): 34846

CA Advisory Date: 2006-12-07

Discovered By: Assurent Secure Technologies (assurent.com)

Impact: Remote attacker can execute arbitrary code.

Summary: CA BrightStor ARCserve Backup contains a buffer overflow 
that allows remote attackers to execute arbitrary code with local 
SYSTEM privileges on Windows. This issue affects the BrightStor 
Backup Discovery Service in multiple BrightStor ARCserve Backup 
application agents and the Base product.

Mitigating Factors: None.

Severity: CA has given this vulnerability a High risk rating.

Affected Products:
BrightStor Products:
- BrightStor ARCserve Backup r11.5 SP1 and below (SP2 does not 
  have this vulnerability; please apply r11.5 SP2)
- BrightStor ARCserve Backup r11.1
- BrightStor ARCserve Backup for Windows r11
- BrightStor Enterprise Backup 10.5
- BrightStor ARCserve Backup v9.01   
CA Protection Suites r2:
- CA Server Protection Suite r2
- CA Business Protection Suite r2
- CA Business Protection Suite for Microsoft Small Business Server 
  Standard Edition r2
- CA Business Protection Suite for Microsoft Small Business Server 
  Premium Edition r2

Affected platforms:
Microsoft Windows

Status and Recommendation: 
Customers with vulnerable versions of BrightStor ARCserve Backup 
products should upgrade to the latest versions which are available 
for download from http://supportconnect.ca.com.
Solution Document Reference APARs: 
QO84609, QI82917, QO84611, QO84610

Determining if you are affected: 
For a list of updated files, and instructions on how to verify 
that the security update was fully applied, please review the 
Informational Solution referenced in the appropriate Solution 
Document.

References (URLs may wrap): 
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
Important Security Notice for BrightStor ARCserve Backup
http://supportconnectw.ca.com/public/storage/infodocs/babsecurity-notice.asp
Solution Document Reference APARs: 
QO84609, QI82917, QO84611, QO84610
CA Security Advisor Research Blog postings:
http://www3.ca.com/blogs/posting.aspx?id=90744&pid=96149&date=2006/12
CAID: 34846
CAID Advisory links: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34846
Discoverer: Assurent Secure Technologies
http://www.assurent.com/
CVE Reference: CVE-2006-6379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6379
OSVDB Reference: OSVDB IDs: 30775
http://osvdb.org/30775

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to [EMAIL PROTECTED], or utilize our "Submit a 
Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza. Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright © 2006 CA. All rights reserved.

Re: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture

2006-12-08 Thread Thomas Holt
Sorry for any confusion.  
I am referring to hacker in the context of an individual with a strong interest 
in technology who uses their skill in unique or innovative ways (in essence, 
the definition provided by TNHD).  How did that knowledge base develop, what 
furthered your interests, and how do you apply your knowledge?
I am not interested in script kiddies, crackers, and lamers who are only out to 
perform malicious attacks and want to brag about their experiences without 
actually understanding the mechanics behind what they have done. 
I hope that clears things up, though if there is still any confusion please let 
me know. 
Thanks,
Tom


- Original Message 
From: Simon Richter <[EMAIL PROTECTED]>
To: Thomas Holt <[EMAIL PROTECTED]>
Cc: full-disclosure@lists.grok.org.uk
Sent: Friday, December 8, 2006 12:39:29 PM
Subject: Re: [Full-disclosure] Call For Participants For A Research Study Of 
Hacker Culture


Re: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture

2006-12-08 Thread chinese soup
Greetings!

I come in peace!!!

"I am currently conducting a study of hackers
> and hacking and am seeking interested men and women who may be willing to
> participate."
- "participate"?? *raises eyebrows* men hacking women? *raises-hand* me me!

"The purpose of this research is to understand the ways that
> people become interested in computers and hacking"
- actually there is no "way". if you grow up around computers, you
start to like them and experiment with them more (applies to women as
well. *epiphany* so THAT's why I could never get to experiment with
them in high school).
If you grow up in a family full of doctors, chances are, you'll become
a doctor and be quite good at it as well ("chances are", not "YOU
WILL")
So I think you have the answer already. Just think on how YOU became
an Assistant Professor, and how you now have a PhD and apply it to the
other people with a different interest.

"I have obtained a Certificate of
> Confidentiality from the National Institutes of Health to further protect
> and ensure your privacy and confidentiality."
- of Health?? to ensure privacy?? something's not right. in fact,
something smells fishy (btw, fish sauce is very good with beef
boiled for a lng time with onions. and some salt. and whatever
suits your fancy)

"than simple media
> conceptions of the hacker as a criminal."
- nope that's not true now. at least it was a few years ago, but then
again that is just my opinion, and I believe the media has grown to
respect the "hackers" and have made a distinction between the
"hackers" and the
Russian-mafia-chinese-mafia-whatever-mafia-releasing-0-days-and-attacking-organizations-or-those-sites-with-drive-by-downloadings-and-shit.

" hear crazy stories about how you hacked NASA.
> If you have,"
- no, but I have read some crazy-ass stories by a Tom Holt (a lot like
Harry Potter, although I prefer Harry Potter, err, i mean I prefer the
story of Harry Potter, especially all the parts with Hermione.
goow)

growling,

"swing and stretch. secrets to making great noodles"



[Full-disclosure] [Madwifi] Madwifi SIOCGIWSCAN buffer overflow // France Telecom

2006-12-08 Thread Tyop?
Name:   Madwifi SIOCGIWSCAN buffer overflow
Vendor: http://www.madwifi.org
Release date:   December, 7th 2006
CVE ID: CVE-2006-6332
Authors:Laurent BUTTI, Jerome RAZNIEWSKI, Julien TINNES


1. Description

There is a buffer overflow in the madwifi Atheros driver in some
functions called by SIOCSIWSCAN ioctl.

This issue is remotely exploitable because ioctl SIOCSIWSCAN may be
called automatically by some connection managers (either directly, by
using iwlib or by calling iwlist) when trying to get a list of nearby
access points.

2. Details

There is a stack buffer overflow in both the giwscan_cb() and
encode_ie() functions (ieee80211_wireless.c). The first issue, in
giwscan_cb, is related to insufficient checks on the length in some
802.11 information elements which are controlled by the attacker:

   memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2);

The second issue is improper boundary checks in encode_ie() where ielen
is never checked against bufsize.

   for (i = 0; i < ielen && bufsize > 2; i++)
       p += sprintf(p, "%02x", ie[i]);

A properly crafted 802.11 beacon or probe response frame will trigger
the bug when a process tries to get scanning results by calling ioctl
SIOCGIWSCAN. The information element used by the attacker can be either
WPA IE, RSN IE, WMM IE or ATH IE and will lead to a kernel stack
overflow.

3. Vendor status

The vendor was notified on December, 6th 2006 and issued version 0.9.2.1
to correct the issue.

4. Authors

Laurent BUTTI 
Jerome RAZNIEWSKI 
Julien TINNES 


-- 
Tyop?

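As an added example that is not madwifi's code: bounded counterparts of the two patterns the advisory quotes (the length-byte-driven memcpy in giwscan_cb and the untracked bufsize in encode_ie), run over a constructed vendor-specific IE whose length byte claims more payload than the frame carries. The function names, the sample bytes and the "wpa_ie=" leader are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample IEs (not from a real capture). 0xdd is the vendor-specific
 * tag the WPA IE uses; byte [1] is the payload length the frame claims. */
static const uint8_t kGoodIe[] = { 0xdd, 0x04, 0x00, 0x50, 0xf2, 0x01 };
static const uint8_t kBadIe[]  = { 0xdd, 0xff, 0x00, 0x50, 0xf2, 0x01 }; /* claims 255, has 4 */

/* Bounded counterpart of memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2):
 * the length byte is read from the frame, so it is checked both against the
 * bytes actually present (ie_avail) and against the destination size before
 * anything is copied. Returns bytes copied, or -1 when the IE is rejected. */
int copy_ie_bounded(uint8_t *dst, size_t dstsize,
                    const uint8_t *ie, size_t ie_avail)
{
    if (ie_avail < 2)
        return -1;                         /* no room for tag + length */
    size_t total = (size_t)ie[1] + 2;      /* tag + length + payload */
    if (total > ie_avail || total > dstsize)
        return -1;                         /* truncated IE, or too big for dst */
    memcpy(dst, ie, total);
    return (int)total;
}

/* Bounded counterpart of encode_ie(): hex-encodes ielen bytes after a leader
 * string, decrementing the remaining space on every write so that bufsize is
 * honoured (the quoted loop tests bufsize but never reduces it). Returns the
 * characters written (without the NUL), or -1 if the output would not fit. */
int encode_ie_bounded(char *buf, size_t bufsize,
                      const uint8_t *ie, size_t ielen, const char *leader)
{
    size_t leader_len = strlen(leader);
    if (bufsize < leader_len + 2 * ielen + 1)   /* leader + 2 hex/byte + NUL */
        return -1;
    memcpy(buf, leader, leader_len);
    char *p = buf + leader_len;
    size_t remaining = bufsize - leader_len;
    for (size_t i = 0; i < ielen; i++) {
        int n = snprintf(p, remaining, "%02x", ie[i]);
        if (n < 0 || (size_t)n >= remaining)    /* snprintf would have truncated */
            return -1;
        p += n;
        remaining -= (size_t)n;
    }
    return (int)(p - buf);
}

int main(void)
{
    uint8_t ie_buf[64];
    char hex[20];
    printf("good IE copy : %d\n",
           copy_ie_bounded(ie_buf, sizeof ie_buf, kGoodIe, sizeof kGoodIe));
    printf("bad IE copy  : %d\n",
           copy_ie_bounded(ie_buf, sizeof ie_buf, kBadIe, sizeof kBadIe));
    int n = encode_ie_bounded(hex, sizeof hex, kGoodIe, sizeof kGoodIe, "wpa_ie=");
    printf("hex encode   : %d %s\n", n, n < 0 ? "(rejected)" : hex);
    return 0;
}
```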


Re: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture

2006-12-08 Thread Michael Holstein
Wouldn't the best way to do this to be find a way to get friendly with 
the State's board of Probation & Parole? .. survey the folks that got 
caught so they can tell you about it.

Folks that haven't gotten caught are obviously not all that bright if 
they chat it up about their misdeeds.

That said .. I've had some interesting discussions with the botnet 
kiddies by reverse-engineering their malware and lurking in the 
appropriate IRC channel (just do it from a separate dialup connection, 
lest you get DDOS'ed).

Usually the "why" question is answered with a variation of "because I 
could.." or "boredom" or both.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

PS: I hate to be the one to point this out, but nothing will protect 
your "confidential" research from a subpoena.



Re: [Full-disclosure] What was the name of the web site ...

2006-12-08 Thread Nicolas RUFF
> ... that keeps track of MS vulnerabilities, patches and the
> corresponding exploits?
> 
> I know that it was mentioned earlier in this list but can not remember
> the URL right now...

elsenot.com ?

Seems to be inactive til March :(

-nicolas-



Re: [Full-disclosure] Internet Explorer 6 CSS "expression" Denial of Service Exploit (P.o.C.)

2006-12-08 Thread chinese soup
(waiting for the deluge of other lemmings who go:
"it works on blahblah with SPblahblah"
"confirmed on blahblah with blahblah language"
"blablah did not work for me blahblah"

can't you just find out the cause and not test EVERY version of IE
that you have? I mean, yeah, ok, so you tested it on IE7 yeah big
deal. he reports it on IE6.

you know why it is "putting iexplore.exe at 100% CPU"?

It's like when a truck crashes into a car and everyone goes out and
tests the truck against their own cars:
"Hey, the truck also totally destroyed my Ford Explorer!"
"Oh, it also totalled my Toyota!".
"Nope, it had no effect on my tank"

yeah i mean i COULD test it, but i'm too busy with... ehrm... cooking.
yes cooking.

cooking,

"i like my noodles boiled, not fried. well, sometimes fried"

On 12/7/06, Andrius Paurys <[EMAIL PROTECTED]> wrote:
> On 12/6/06, José Carlos Nieto Jarquín <[EMAIL PROTECTED]> wrote:
> > Note:
> > I'm sorry, two of the the exploits in the prior e-mail were incomplete.
> >
> > This is just another couple of proof of concept exploits for this
> > well-known browser. The third one is a lame combination of both.
> >
> > Tested under Windows XP SP2, MSIE 6.0.2900.2180
>
>
> Also confirmed working on Windows Server 2003 R2 (Build 3790) with
> Internet Explorer 7.0.5730.11
>
> 1st exploit was working fine putting iexplore.exe at 100% CPU. It
> complained about "IE restricting this web page from running scripts"
> (probably because of enabled Internet Explorer Enhanced Security
> Configuration), but if you click "allow this website to run this"
> (which is enabled by default if above mentioned IE ESC is not present)
> it works.
>
> 2nd and 3rd were not exactly working, (also because of IE ESC) because
> after clicking allow after several windows it was asking again, but
> should work on WinXP and IE7.
>
>
>
> --
> Andrius Paurys
> [EMAIL PROTECTED]
>
> [EMAIL PROTECTED]
> Tel.: +37067449273
> ICQ: 279424019
> MSN: [EMAIL PROTECTED]
> http://shaman.tinkle.lt/
>
> I'm Lithuanian, what's _your_ excuse?
> The programmer sits without having eaten, and nothing...
>

[Full-disclosure] iDefense Security Advisory 12.08.06: Multiple Vendor Antivirus RAR File Denial of Service Vulnerability

2006-12-08 Thread iDefense Labs
Multiple Vendor Antivirus RAR File Denial of Service Vulnerability

iDefense Security Advisory 12.08.06
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 08, 2006

I. BACKGROUND

AntiVirus products typically handle searching files for known viruses
within their scan engines.  Most scan engines support searching inside of
known archive types for viruses as well.  For more information refer to
any of the popular AntiVirus vendors' web sites.

II. DESCRIPTION

Remote exploitation of a denial of service vulnerability in Multiple
Vendors' Antivirus engines allows an attacker to cause the engines to
consume excessive resources.

The affected vendors' scan engines are vulnerable to a DoS attack when
scanning specially malformed RAR archives. Specifically, the malformed
archives will have the head_size and pack_size fields set to zero in the
Archive Header section. When such a file is encountered, the affected scan
engines will enter an infinite loop.

III. ANALYSIS

Successful exploitation will allow an attacker to cause the affected scan
engine to consume excessive CPU, and in some cases memory, resources. The
malicious RAR file would need to be uploaded to a server to initiate the
attack. Several common ways this could be achieved are e-mail attachments,
available network shares, FTP accounts, or Web form uploads.

The impact of the vulnerability varies slightly from vendor to vendor as
described below.

Sophos:
Scanning of archives is not enabled by default and must be specified by
the user. This denial of service attack will prevent the scanner from
scanning other files on disk while it is stuck on the exploit file. The
hung process can be stopped by the user.

Trend Micro:
Once attacked, the scan engine will consume 99 percent of CPU resources and
the affected computer will require a reboot to recover from the condition.
The scan engine process cannot be forced to quit, although its thread
priority can be lowered to regain some use of the system before reboot.

IV. DETECTION

iDefense has confirmed this vulnerability exists in the following vendors'
products. This should not be considered an exhaustive list as these vendors
tend to include the scan engine in many of their products. Previous
versions are likely to be affected as well.

 * Sophos Small business edition (Windows/Linux) 4.06.1 with
   engine version 2.34.3.
 * Trend Micro PC Cillin - Internet Security 2006
 * Trend Micro Office Scan 7.3
 * Trend Micro Server Protect 5.58

V. WORKAROUND

For Sophos' scan engine, this exploit will not have any effect if the
"Enabled scanning of archives" option is not set. iDefense is currently
unaware of a workaround for this issue for the remaining vendors' engines.

VI. VENDOR RESPONSE

Sophos has addressed this problem with new versions of their products. See
http://www.sophos.com/support/knowledgebase/article/7609.html for more
information.

Trend Micro stated that this vulnerability does not affect version 8.320 of
their Windows scan engine. Additionally, they have released version 8.150
of the HPUX and AIX builds of their scan engine to address this problem in
those environments.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-5645 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.

VIII. DISCLOSURE TIMELINE

09/27/2006  Initial vendor notifications
09/27/2006  Initial vendor response - Trend Micro
09/28/2006  Initial vendor response - Sophos
12/08/2006  Coordinated public disclosure

IX. CREDIT

The vulnerability was reported by Titon of BastardLabs, Damian Put
<[EMAIL PROTECTED]>, and an anonymous researcher.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please email
[EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.
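An added example (not iDefense's or any vendor's engine code) of the progress check a scanner needs when walking RAR block headers: it assumes the RAR 2.x/3.x block layout stated in its comments, refuses a header whose head_size cannot move the cursor forward, and runs on constructed sample bytes rather than real archives.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not iDefense's or any vendor's code. It walks the block
 * chain of a RAR 2.x/3.x archive using the layout assumed here: every
 * block begins with HEAD_CRC u16, HEAD_TYPE u8, HEAD_FLAGS u16 and
 * HEAD_SIZE u16 (little-endian); file headers carry PACK_SIZE u32 and
 * other "long" blocks carry ADD_SIZE u32 right after those 7 bytes.
 * A scanner that advances by head_size + data_size without checking them
 * spins forever on a zeroed header; this walker refuses instead. */

#define RAR_BASE_HEADER 7
#define RAR_LONG_BLOCK  0x8000u
#define RAR_TYPE_FILE   0x74
#define RAR_TYPE_END    0x7b

enum rar_result { RAR_OK = 0, RAR_TRUNCATED = -1, RAR_NO_PROGRESS = -2 };

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walks buf[0..len). On success stores the block count in *blocks and
 * returns RAR_OK; a header that cannot advance the cursor returns
 * RAR_NO_PROGRESS, a header or payload past the end returns RAR_TRUNCATED.
 * CRC fields are not verified here. */
int rar_walk_blocks(const uint8_t *buf, size_t len, size_t *blocks)
{
    size_t off = 0;

    *blocks = 0;
    while (off < len) {
        uint8_t type;
        uint16_t flags, head_size;
        uint64_t data_size = 0, next;

        if (len - off < RAR_BASE_HEADER)
            return RAR_TRUNCATED;
        type = buf[off + 2];
        flags = rd16(buf + off + 3);
        head_size = rd16(buf + off + 5);

        /* The advisory's trigger: head_size == 0 (anything below the base
         * header size) means "next block" would be this block again. */
        if (head_size < RAR_BASE_HEADER)
            return RAR_NO_PROGRESS;

        if (type == RAR_TYPE_FILE || (flags & RAR_LONG_BLOCK)) {
            if (head_size < RAR_BASE_HEADER + 4 ||
                len - off < RAR_BASE_HEADER + 4)
                return RAR_TRUNCATED;
            data_size = rd32(buf + off + RAR_BASE_HEADER);
        }

        next = (uint64_t)off + head_size + data_size;
        if (next > len)
            return RAR_TRUNCATED;
        (*blocks)++;
        if (type == RAR_TYPE_END)
            return RAR_OK;
        off = (size_t)next;       /* strictly larger than off: head_size >= 7 */
    }
    return RAR_OK;
}

/* Constructed samples, not real archives (CRC bytes are arbitrary). */
const uint8_t rar_good[] = {
    0x52, 0x61, 0x72, 0x21, 0x1a, 0x07, 0x00,   /* marker block, head_size 7 */
    0x90, 0xcf, 0x73, 0x00, 0x00, 0x0d, 0x00,   /* archive header, head_size 13 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,         /* reserved fields */
    0xc4, 0x3d, 0x7b, 0x00, 0x40, 0x07, 0x00    /* end block, head_size 7 */
};
const uint8_t rar_hang[] = {
    0x52, 0x61, 0x72, 0x21, 0x1a, 0x07, 0x00,   /* marker block */
    0x90, 0xcf, 0x73, 0x00, 0x00, 0x00, 0x00,   /* archive header, head_size 0 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    size_t n = 0;
    int rc = rar_walk_blocks(rar_good, sizeof rar_good, &n);
    printf("well-formed: rc=%d blocks=%zu\n", rc, n);
    rc = rar_walk_blocks(rar_hang, sizeof rar_hang, &n);
    printf("zeroed header: rc=%d (RAR_NO_PROGRESS is %d)\n", rc, RAR_NO_PROGRESS);
    return 0;
}
```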



[Full-disclosure] iDefense Security Advisory 12.08.06: Sophos Antivirus CHM Chunk Name Length Memory Corruption Vulnerability

2006-12-08 Thread iDefense Labs
Sophos Antivirus CHM Chunk Name Length Memory Corruption Vulnerability

iDefense Security Advisory 12.08.06
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 08, 2006

I. BACKGROUND

Sophos AntiVirus offers protection from the latest Trojans, worms and
Viruses. More information is available on the vendor's site at:

http://sophos.com/products/

II. DESCRIPTION

Sophos AntiVirus Engine is vulnerable to a Memory Corruption vulnerability
when scanning malformed CHM archives.

This memory corruption vulnerability can be triggered when Sophos
Antivirus engine scans a malformed CHM file which has a large name length
specified in a CHM chunk header.

III. ANALYSIS

Malformed CHM files can lead to a Memory Corruption condition on the local
machine. This memory corruption vulnerability could potentially result in
arbitrary code execution.

Files received as email attachments, uploaded via web forms or otherwise
saved to disk may trigger this condition if auto scanning is enabled on
the target machine.

Archive scanning is disabled by default and must be specified in order for
this vulnerability to trigger.

IV. DETECTION

iDefense has confirmed this vulnerability in the following Sophos Antivirus
products:

 * Sophos Small business edition (Linux)
   Product version: 4.06.1
   Engine version : 2.34.3

Previous versions of Sophos Antivirus are suspected vulnerable.  Other
Sophos Antivirus products may also be vulnerable.

Windows versions of the Sophos Antivirus product do not appear to be
vulnerable.

V. WORKAROUND

Disabling the option to scan within archives will prevent exploitation of
this vulnerability.

VI. VENDOR RESPONSE

Sophos has addressed this problem with new versions of their products. See
http://www.sophos.com/support/knowledgebase/article/7609.html for more
information.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-5647 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/28/2006  Initial vendor notification
10/02/2006  Initial vendor response
12/08/2006  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Damian Put
<[EMAIL PROTECTED]>.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
[EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.



[Full-disclosure] iDefense Security Advisory 12.08.06: Sophos Antivirus CHM File Heap Overflow Vulnerability

2006-12-08 Thread iDefense Labs
Sophos Antivirus CHM File Heap Overflow Vulnerability

iDefense Security Advisory 12.08.06
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 08, 2006

I. BACKGROUND

Sophos AntiVirus offers protection from the latest Trojans, worms and
Viruses. More information is available on the vendor's site at:

http://sophos.com/products/

II. DESCRIPTION

Sophos AntiVirus Engine is vulnerable to a Heap Overflow attack when
scanning malformed CHM archives.

Specifically, if the CHM file has a Window_size of 0 set in a LZX
decompression header then memory corruption will occur.

III. ANALYSIS

Malformed CHM files can lead to a heap overflow condition on the local
machine. Files received as email attachments, uploaded via web forms or
otherwise saved to disk may trigger this condition if auto scanning is
enabled on the target machine. Archive scanning is disabled by default and
must be specified in order for this vulnerability to trigger.

IV. DETECTION

iDefense has confirmed this vulnerability in the following Sophos Antivirus
products:

 * Sophos Antivirus for Linux
   Product version: 4.03
   Engine version : 4.05

Previous versions of Sophos Antivirus are suspected vulnerable.  Other
Sophos Antivirus products may also be vulnerable.

Windows versions of the Sophos Antivirus product do not appear to be
vulnerable.

V. WORKAROUND

Disabling the option to scan within archives will prevent exploitation of
this vulnerability.

VI. VENDOR RESPONSE

Sophos has addressed this problem with new versions of their products. See
http://www.sophos.com/support/knowledgebase/article/7609.html for more
information.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-5646 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/28/2006  Initial vendor notification
10/02/2006  Initial vendor response
12/08/2006  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Damian Put
<[EMAIL PROTECTED]>.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
[EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.



Re: [Full-disclosure] What was the name of the web site ...

2006-12-08 Thread /dev/null
http://elsenot.com/
http://jav.ch/

both inactive, btw...

./E


On Fri, 8 Dec 2006 at 13:29:00, solenoid (lists) wrote:

> ... that keeps track of MS vulnerabilities, patches and the
> corresponding exploits?
> 
> I know that it was mentioned earlier in this list but can not remember
> the URL right now...
> 
> TIA
>



http://www.email.si/



Re: [Full-disclosure] Google pageranked 4 doamin on sale...

2006-12-08 Thread Bill Louis
This domain name means something for someone, and it is hard for a
person to level up Google PageRank to 4. I've done a lot on it.

2006/12/8, Louis Wang <[EMAIL PROTECTED]>:
> hi, there:
>I don't know whether it is the right place to post this message,
> but the web site is security related in my original thought.
>I'd like to sell my web site http://www.lwang.org. It has google
> pageranked 4, and full control of domain. The web server is in Czech,
> it has 500M space and 5G traffic per month.
>Anyone interested in it, please contact me.
> Thanks.
>


-- 
Regards,
Bill Louis.



Re: [Full-disclosure] Google pageranked 4 doamin on sale...

2006-12-08 Thread Louis Wang
2006/12/9, Dude VanWinkle <[EMAIL PROTECTED]>:
> On 12/8/06, Louis Wang <[EMAIL PROTECTED]> wrote:
> > I'd like to sell my web site http://www.lwang.org. It has google
> > pageranked 4, and full control of domain. The web server is in Czech,
> > it has 500M space and 5G traffic per month.
>
> is it pageranked #4 for the word  "wang"?
You don't even know Google PageRank, so I'm not talking to you. SB!
>
> what is the czech work for Willie the One Eyed Wonder Weasel??
>
> anyways, if you are going to try and sell a site based on its rank,
> and assuming you arent talking about smell, you might want to include
> the category. Even though you said its a security related site; the
> content isnt always a guarantee of the category it is associated with,
> see: disney pr0n googlebombing, etc, etc.
>
> We could look it up, but not only are FD'ers notoriously lazy, as you
> are the "salesman" you might want to try and attract lazy marks,.. err
> buyers.
>
> -JP
>
> Bonus wang link with a hat-tip to Larry Seltzer for providing it,
> maybe NSFW depending on where you W:
> http://www.starma.com/penis/penis.html
>


-- 
Regards,
Bill Louis.



Re: [Full-disclosure] EEYE: Intel Network Adapter Driver Local Privilege Escalation

2006-12-08 Thread Josh Bressers
> eEye Research - http://research.eeye.com
> 
> Intel Network Adapter Driver Local Privilege Escalation
> 
> Release Date:
> December 7, 2006
> 
> Date Reported:
> July 10, 2006
> 
> Severity:
> Medium (Local Privilege Escalation to Kernel)
> 
> Systems Affected:
> Windows 2000, XP, 2003, Vista
> Intel PRO 10/100   - 8.0.27.0 or previous
> Intel PRO/1000 - 8.7.1.0  or previous
> Intel PRO/1000 PCI - 9.1.30.0 or previous
> Linux
> Intel PRO 10/100   - 3.5.14  or previous
> Intel PRO/1000 - 7.2.7   or previous
> Intel PRO/10GbE- 1.0.109 or previous
> UnixWare/SCO6
> Intel PRO 10/100   - 4.0.3  or previous
> Intel PRO/1000 - 9.0.15 or previous

It's worth noting that this advisory is misleading.  This flaw does not
affect the Linux drivers.  The Linux drivers do not support the NDIS API
and the OID concept that Windows does.

-- 
Josh Bressers // Red Hat Security Response Team



[Full-disclosure] PHP 5.2.0 session.save_path safe_mode and open_basedir bypass

2006-12-08 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[PHP 5.2.0 session.save_path safe_mode and open_basedir bypass]


Author: Maksymilian Arciemowicz (SecurityReason)
Date:
- Written: 02.10.2006
- Public: 08.12.2006
SecurityAlert Id: 43
CVE: CVE-2006-6383
SecurityRisk: High
Affected Software: PHP 5.2.0
Advisory URL: http://securityreason.com/achievement_securityalert/43
Vendor: http://www.php.net

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific features thrown in. The 
goal of the language is to allow web developers to write dynamically generated 
pages quickly.

A nice introduction to PHP by Stig Sather Bakken can be found at 
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much  of the 
PHP Conference Material is freely available. 

Session support in PHP consists of a way to preserve certain data across 
subsequent accesses. This enables you to build more customized applications and 
increase the appeal of your web site.

A visitor accessing your web site is assigned a unique id, the so-called 
session id. This is either stored in a cookie on the user side or is propagated 
in the URL.

session.save_path defines the argument which is passed to the save handler. If 
you choose the default files handler, this is the path where the files are 
created. Defaults to /tmp. See also session_save_path().

There is an optional N argument to this directive that determines the number of 
directory levels your session files will be spread around in. For example, 
setting to '5;/tmp' may end up creating a session file and location like 
/tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174If . In order to use N you 
must create all of these directories before use. A small shell script exists in 
ext/session to do this, it's called mod_files.sh. Also note that if N is used 
and greater than 0 then automatic garbage collection will not be performed, see 
a copy of php.ini for further information. Also, if you use N, be sure to 
surround session.save_path in "quotes" because the separator (;) is also used 
for comments in php.ini. 

--- 1. session.save_path safe mode and open basedir bypass ---
session.save_path can be set with ini_set() or the session_save_path() function. 
session.save_path must hold the path where your temporary files will be saved, 
but the syntax for session.save_path can be:

[/PATH]

OR

[N;/PATH]

N - can be a string.

EXAMPLES:

1. session_save_path("/DIR/WHERE/YOU/HAVE/ACCESS")
2. session_save_path("5;/DIR/WHERE/YOU/HAVE/ACCESS")

and 

3. 
session_save_path("/DIR/WHERE/YOU/DONT/HAVE/ACCESS\0;/DIR/WHERE/YOU/HAVE/ACCESS")


-1477-1493--- Code from PHP520 ext/session/session.c [START]
PHP_FUNCTION(session_save_path)
{
    zval **p_name;
    int ac = ZEND_NUM_ARGS();
    char *old;

    if (ac < 0 || ac > 1 || zend_get_parameters_ex(ac, &p_name) == FAILURE)
        WRONG_PARAM_COUNT;

    old = estrdup(PS(save_path));

    if (ac == 1) {
        convert_to_string_ex(p_name);
        zend_alter_ini_entry("session.save_path", sizeof("session.save_path"),
                             Z_STRVAL_PP(p_name), Z_STRLEN_PP(p_name),
                             PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
    }

    RETVAL_STRING(old, 0);
}
-1477-1493--- Code from PHP520 ext/session/session.c [END]

Values are set to hash_memory (but before that, safe_mode and open_basedir 
check this value).
And if you start a session (for example with session_start()), the value from 
session.save_path is checked by the function PS_OPEN_FUNC(files).

-242-300--- Code from PHP520 ext/session/mod_files.c [START]
PS_OPEN_FUNC(files)
{
    ps_files *data;
    const char *p, *last;
    const char *argv[3];
    int argc = 0;
    size_t dirdepth = 0;
    int filemode = 0600;

    if (*save_path == '\0') {
        /* if save path is an empty string, determine the temporary dir */
        save_path = php_get_temporary_directory();
    }

    /* split up input parameter */
    last = save_path;
    p = strchr(save_path, ';');
    while (p) {
        argv[argc++] = last;
        last = ++p;
        p = strchr(p, ';');
        if (argc > 1) break;
    }
    argv[argc++] = last;

    if (argc > 1) {
        errno = 0;
        dirdepth = (size_t) strtol(argv[0], NULL, 10);
        if (errno == ERANGE) {
            php_error(E_WARNING, "The first parameter in session.save_path is invalid");
            return FAILURE;
        }
    }

    if (argc > 2) {
        errno = 0;
        filemode = strtol(argv[1], NULL, 8);
        if (errno == ERANGE || filemode < 0 || filemode > 0) {
            php_error(E_WARNING,
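As an added example (not PHP source and not the advisory author's code), the disagreement between a length-aware policy check and the NUL-terminated split performed by PS_OPEN_FUNC(files), followed by a hardened acceptance test that closes the gap; the helper names and the sample value are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not PHP source. It models the two readings of one
 * session.save_path value that the advisory plays against each other:
 * a policy check (think safe_mode / open_basedir) that takes the text
 * after the last ';' using the PHP string's full length, and the files
 * handler that later splits the same bytes as a NUL-terminated C string. */

/* Directory the length-aware policy check inspects: everything after the
 * last ';' within len bytes, or the whole value when there is none. */
const char *policy_view(const char *value, size_t len, size_t *out_len)
{
    const char *p = value + len;

    while (p > value && p[-1] != ';')
        p--;
    *out_len = (size_t)(value + len - p);
    return p;
}

/* Directory the save handler actually opens, split the way
 * PS_OPEN_FUNC(files) does it: strchr() stops at the first NUL, so
 * anything behind an embedded NUL is invisible here. */
const char *handler_view(const char *value, size_t *out_len)
{
    const char *last = value;
    const char *semi = strchr(value, ';');
    int argc = 0;

    while (semi) {
        argc++;
        last = semi + 1;
        semi = strchr(semi + 1, ';');
        if (argc > 1)
            break;            /* at most N;mode;path */
    }
    *out_len = strlen(last);
    return last;
}

/* Hardened acceptance for the ini value: reject embedded NULs outright
 * (they are what splits the two views apart), then insist that both
 * readings resolve to the same directory. */
bool save_path_is_consistent(const char *value, size_t len)
{
    size_t plen, hlen;
    const char *pv, *hv;

    if (memchr(value, '\0', len) != NULL)
        return false;
    pv = policy_view(value, len, &plen);
    hv = handler_view(value, &hlen);
    return plen == hlen && memcmp(pv, hv, plen) == 0;
}

int main(void)
{
    /* Constructed value in the shape the advisory describes: a forbidden
     * directory, an embedded NUL, then ";" and a permitted one. */
    static const char tricky[] = "/forbidden\0;/permitted";
    size_t len = sizeof tricky - 1;        /* 22 bytes, embedded NUL included */
    size_t plen, hlen;
    const char *pv = policy_view(tricky, len, &plen);
    const char *hv = handler_view(tricky, &hlen);

    printf("policy check sees : %.*s\n", (int)plen, pv);
    printf("handler opens     : %.*s\n", (int)hlen, hv);
    printf("accepted: %s\n", save_path_is_consistent(tricky, len) ? "yes" : "no");
    return 0;
}
```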

[Full-disclosure] LS-20060908 - Computer Associates BrightStor ARCserve Backup v11.5 Remote Buffer Overflow Vulnerability

2006-12-08 Thread advisories
LS-20060908

LSsec has discovered a vulnerability in Computer Associates BrightStor ARCserve 
Backup v11.5, which could be exploited by an anonymous attacker in order to 
execute arbitrary code with SYSTEM privileges on an affected system. The flaw 
specifically exists within the Tape Engine (tapeeng.exe) due to incorrect 
handling of RPC requests on TCP port 6502. The interface is identified by
62b93df0-8b02-11ce-876c-00805f842837. Opnum 37 specifies the vulnerable 
operation within this interface.

Technical details:

http://www.lssec.com/advisories.html

LSsecurity - LSsec.com





[Full-disclosure] LS-20061001 - Computer Associates BrightStor ARCserve Backup v11.5 Remote Buffer Overflow Vulnerability

2006-12-08 Thread advisories
LS-20061001

LSsec has discovered a vulnerability in Computer Associates BrightStor ARCserve 
Backup v11.5, which could be exploited by an anonymous attacker in order to 
execute arbitrary code with SYSTEM privileges on an affected system. The flaw 
specifically exists within the Tape Engine (tapeeng.exe) due to incorrect 
handling of RPC requests on TCP port 6502. The interface is identified by
62b93df0-8b02-11ce-876c-00805f842837. Opnum 38 specifies the vulnerable 
operation within this interface.

Technical details:

http://www.lssec.com/advisories.html

LSsecurity - LSsec.com





[Full-disclosure] Agenda and Schedule for January ISOI 2 Workshop

2006-12-08 Thread Gadi Evron
The agenda and schedule for the workshop can be found here:

http://isotf.org/isoi2.html

Gadi.



Re: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture

2006-12-08 Thread Evan Stawnyczy
Greetings Tom,

My name is Evan ($LastNameNotDisclosed$).  I currently work at an
Internet security company.  I work alongside security professionals,
hackers, crackers, and the like.

They, like most professionals, are all very ethical, and intelligent
people who I am proud to call my colleagues.

Reading through the thread in response to your email has got me wondering:

What do you mean by hacker?

I have recently discovered that there are a few different meanings to
this term, and therefore a few different 'cultures'.

The one, most negative connotation of hacker, was introduced to me (by
my girlfriend) a few weeks ago.

Apparently (according to her), when most people hear the term "hacker"
they think of some greasy 13-year old boy sitting alone in his room
breaking other people's computers "because they can" or "to be
destructive" or "because they're spoiled rich kids"... the list goes
on.

Another, more sinister "hacker" I have heard of, is more of a "movie
star hacker".  Some person (usually a guy, but not always *remember
"Mainframe from the classic cartoon COPS"*) who with sinister intent
would break computer systems for profit.

This does extend to the "good guy hacker" who is usually doing it for
money or fame, or at least a reward of some type.

These "hackers" are almost magical beings, with the ability to erase
an entire network with little more than a keystroke.

These "hackers" are (imho) fairy tales.  That isn't to say there
aren't some "hackers" with sinister intent, who "hack" banks for
money, and "hack" the Pentagon for whatever conspiracy that's being
covered up.  I doubt that these hackers are any kind of majority.  And
these are the "hackers" commonly referred to as "crackers," and the
ones you'd probably want to look for in jail, or working for some big
security corporation (see
http://news.bbc.co.uk/1/hi/sci/tech/1541252.stm mafiaboy)

The "hacker" that I identify with is the definition commonly
associated with the 'glider emblem' (see:
http://catb.org/~esr/faqs/hacker-howto.html#what_is) and is what I
call myself.

My answer to "why?"

Although I am very technically savvy, I would not say that I am by any
means elite (l337 ;) ) or even as elite as some of my colleagues.  I
guess that would be one trait of the "hacker".

They always are willing to learn more and mostly concerned with the
fact that everyone can teach them something.

In fact, any hacker that I have known, or met, has had just that; "an
unquenchable thirst for knowledge". Knowledge of any kind, not just
computers.

You may, if your research points to the type of "hacker" that I am
referring to, want to read this excellent site:
http://catb.org/~esr/faqs/hacker-howto.html

If you are interested, I would happily speak with you further.  If
not, good luck with your research.

Thanks,
-e`

> Greetings,
> My name is Tom Holt, and I am an Assistant Professor at the University of 
> North Carolina
> at Charlotte.  I am currently conducting a study of hackers and hacking and 
> am seeking
> interested men and women who may be willing to participate.  The purpose of 
> this
> research is to understand the ways that people become interested in computers 
> and
> hacking, their motives for hacking, and how they apply their skills in 
> different settings.
> This study will also consider individualsʼ conceptions of hacking and
> experiences in hacker
> culture.
>
> To understand this phenomenon, I am seeking individuals who are willing to 
> share their
> experiences and opinions in an interview which can be conducted either in 
> person or via
> encrypted e-mail. Strict confidentiality will be maintained and your privacy 
> ensured.  I have
>  obtained a Certificate of Confidentiality from the National Institutes of 
> Health to further
> protect and ensure your privacy and confidentiality. All individuals who 
> complete an
> interview will be paid $10 for their time, and $10 will also be paid for 
> successful referrals.

[Full-disclosure] Call For Papers: SecurityOPUS 2007

2006-12-08 Thread Sharkey
Call for Papers

Security OPUS - Call for Papers
March 19-20, 2006.
San Francisco, California. USA
http://www.securityopus.com/papers.php



Security OPUS is an annual meeting of professional security
researchers and information security practitioners. The conference is a
single track series of presentations designed to focus on new
research/advances in the field. We are looking to ensure each talk
contains relevant and current research and/or addresses today's
issues. One-hour and extended presentation sessions provide
attendees with a significant advantage by keeping them informed about
current and future challenges.

Submit to 'contact -at- securityOPUS - com


Step 1.
Submit abstract by JANUARY 30th 2007.
Talk abstracts should be in plain text and contain:
- Presenter name and contact info (e-mail, postal address, phone, fax).
- Brief biography, list of publications, employer or relevant associations.
- Talk title and summary

The review committee assesses the relevance of your abstract to the
conference, your qualifications to be presenting your proposed topic,
and your rationale.



Step 2.

Committee Review
The program committee will review your proposal per the guidelines above.
Notification of acceptance will follow.

Step 3

Submit Slides by FEBRUARY 15th, 2007

Your talk slides should be submitted for review by February 15th, 2007.

We ask that you submit this content in PDF format to facilitate
publication and distribution of the content.


Fine Print

Publication Rights

The conference requires non-exclusive publication rights to submitted
papers including the publication of audio and video proceedings.
Copyright is retained by the author. We do ask that we be the first
organization to publish any given paper.

Failure to Submit
In the event that a deadline is missed we reserve the right to revoke
any offer to present.



[Full-disclosure] ASX Playlists and Jumping to Conclusions

2006-12-08 Thread Sûnnet Beskerming
Hi list(s),

The recent coverage of ASX Playlist issues seems somewhat strange.   
For the uninitiated, here is a quick wrapup:

XMPlay ASX buffer overflow PoC code posted to milw0rm - 21 November

This PoC demonstrated an exploitable buffer overflow condition in the  
handling of 'ref href' URIs.  A CVE entry (CVE-2006-6063 - though  
this only identifies the .m3u method of exploiting the vulnerability)  
appears around the same time, and reporting is carried by the usual  
third parties.  With no fix present, this remains an effective 0-day  
(plus, with existing malware targeting .asx files it could make for  
interesting real-world use).

Windows Media Player DoS code posted to BugTraq - 22 November

Oddly, this code represented an almost exact duplicate of the buffer  
overflow demonstrated the day before, only with the exploit payload  
removed and replaced with a bunch of 'A's, and fails to draw much  
interest from third parties.  It isn't until eEye publishes data on  
this issue (and increases the perceived threat posed) on their 0-day  
reporting / information site that it attracts some attention from  
other reporting parties (such as FrSIRT on 7 December), though uptake  
is slow.

Leaving Chinese Soup's critique (BugTraq) of eEye's analysis aside
(why they haven't identified the XMPlay vulnerability is another
question), users need to be aware that if they replace WMP with
XMPlay as the default handler of .asx content, then they are
potentially creating a much riskier environment than if they accept
the current DoS risk against their platform.

If this particular code release had appropriate accompanying  
documentation, it would be possible to work out whether it is a  
derivative of the earlier code, or fortuitous timing on something  
found independently.

Criticism has been recently levelled against third party reporting  
bodies for failing to adequately investigate reports (after one of  
the recent MoKB OS X corrupted .dmg file handling errors), and the  
way that information is flowing between, and being distributed by,  
third party reporting bodies in this case is showing similar patterns.

In summary:
  - There is a known 0-day targeting a vulnerability in XMPlay's
handling of malicious .asx (and other content types) data passed via
'ref href' that can lead to arbitrary code execution.
  - There is a known DoS targeting WMP that is exploited via a long
string passed via 'ref href' and using the .asx media type.
  - There has been no proven link between the two disclosures.
  - It has yet to be shown that the WMP vulnerability leads to
arbitrary code execution.
  - The advice to replace WMP as the default .asx filetype handler
can lead to an increased security risk if the replacement application
is XMPlay (accepting arbitrary code execution in an effort to avoid a
DoS).


Sincerely,

Carl Jongsma
[EMAIL PROTECTED]
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com

Sûnnet Beskerming Pty. Ltd.

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise advanced Information Security research. Sûnnet  
Beskerming Pty. Ltd. is an Information Security specialist and, in  
conjunction with the tools developed in house, provides total  
security solutions and services, from the perimeter to internal data  
stores, including web application security and security testing and  
analysis.
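Both reports above turn on the same observable: an abnormally long 'ref href' value inside an .asx playlist. The following content-filter check is an added example, not code from the post or from any of the parties it names; the sample playlists are constructed, and the 1024-byte threshold is an assumption to be tuned to the player in use.

```python
import re

# Constructed sample playlists (not taken from the original post).
BENIGN_ASX = """<ASX version="3.0">
  <TITLE>Sample playlist</TITLE>
  <ENTRY><REF HREF="http://example.invalid/stream.wma"/></ENTRY>
</ASX>"""

# Same shape with an oversized href, the pattern both reports describe.
OVERSIZED_ASX = ('<asx version="3.0"><entry><ref href="http://'
                 + "A" * 4096 + '"/></entry></asx>')

# Assumed threshold: flag anything longer than a plausible stream URL.
MAX_HREF_LEN = 1024

# ASX tags are case-insensitive and real playlists are often not
# well-formed XML, so the attribute is matched textually rather than
# through an XML parser that would reject half of them.
_REF_HREF = re.compile(r'<ref\b[^>]*?\bhref\s*=\s*(["\'])(.*?)\1',
                       re.IGNORECASE | re.DOTALL)


def find_oversized_refs(asx_text, limit=MAX_HREF_LEN):
    """Return (length, first 40 chars) for every ref href longer than limit."""
    hits = []
    for match in _REF_HREF.finditer(asx_text):
        href = match.group(2)
        if len(href) > limit:
            hits.append((len(href), href[:40]))
    return hits


def is_suspicious_playlist(asx_text, limit=MAX_HREF_LEN):
    """True when the playlist carries at least one oversized ref href."""
    return bool(find_oversized_refs(asx_text, limit))


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_ASX), ("oversized", OVERSIZED_ASX)):
        print(name, find_oversized_refs(text))
```

The same check applies to .m3u and other playlist formats only after adapting the pattern, since the CVE text notes the .m3u path is a distinct vector.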




Re: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture

2006-12-08 Thread Andrew Farmer
On 08 Dec 06, at 12:47, Evan Stawnyczy wrote:
  ^
> My name is Evan ($LastNameNotDisclosed$).

Nice job with the last-name-non-disclosure.



[Full-disclosure] [ GLSA 200612-02 ] xine-lib: Buffer overflow

2006-12-08 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200612-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: xine-lib: Buffer overflow
  Date: December 09, 2006
  Bugs: #156645
ID: 200612-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

xine-lib is vulnerable to a buffer overflow in the Real Media input
plugin, which could lead to the execution of arbitrary code.

Background
==

xine is a portable and reusable multimedia playback engine. xine-lib is
xine's core engine.

Affected packages
=

---
     Package                 /  Vulnerable  /   Unaffected
---
  1  media-libs/xine-lib        < 1.1.2-r3      >= 1.1.2-r3

Description
===

A possible buffer overflow has been reported in the Real Media input
plugin.

Impact
==

An attacker could exploit this vulnerability by enticing a user into
loading a specially crafted stream with xine or an application using
xine-lib. This can lead to a Denial of Service and possibly the
execution of arbitrary code with the rights of the user running the
application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All xine-lib users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.2-r3"

References
==

  [ 1 ] CVE-2006-6172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6172

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200612-02.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

