[Full-disclosure] Symbian Security Contact ?

2007-02-13 Thread Fuffologist Doctor
Hi List,

I am searching for an official Symbian Security Contact.

Could anyone provide me with an e-mail address or similar?

Thank you in advance,

The Fuffologist.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread Oliver Friedrichs

Am I missing something?  This vulnerability is close to 10 years old.
It was in one of the first versions of Solaris after Sun moved off of
the SunOS BSD platform and over to SysV.  It has specifically to do with
how arguments are processed via getopt() if I recall correctly.

Oliver 

-Original Message-
From: Gadi Evron [mailto:[EMAIL PROTECTED] 
Sent: Sunday, February 11, 2007 10:01 PM
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Solaris telnet vulnerability - how many on your network?

Johannes Ullrich from the SANS ISC sent this to me and then I saw it on
the DSHIELD list:


If you run Solaris, please check if you got telnet enabled NOW. If you
can, block port 23 at your perimeter. There is a fairly trivial
Solaris telnet 0-day.

telnet -l -froot [hostname]

will give you root on many Solaris systems with default installs
We are still testing. Please use our contact form at
https://isc.sans.org/contact.html
if you have any details about the use of this exploit.


You mean they still use telnet?!

Update from HD Moore:
but this bug isn't -froot, it's -fanythingbutroot =P

On the exploits@ mailing list and on DSHIELD this vulnerability was
verified as real.

If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a
strong suggestion.

Anyone else running Solaris?

Gadi.



Re: [Full-disclosure] Pedophiles On YouTube (ringleader Irish282)

2007-02-13 Thread TheGesus
I think the forward this email to everyone you know line should have
been enough to set off anyone's bullshit alarm.

On 2/12/07, Nicholas Winn [EMAIL PROTECTED] wrote:
> And I assume you're not full of shit and have proof of this because?





Re: [Full-disclosure] Pedophiles On YouTube (ringleader Irish282)

2007-02-13 Thread Siim Põder
Yo!

TheGesus wrote:
> On 2/12/07, Nicholas Winn [EMAIL PROTECTED] wrote:
> > And I assume you're not full of shit and have proof of this because?
> I think the forward this email to everyone you know line should have
> been enough to set off anyone's bullshit alarm.

No need to worry. Since receiving this e-mail I have murdered irish282
to death with my bare hands.

Yours truly,
MC anonymous.



Re: [Full-disclosure] Pedophiles On YouTube (ringleader Irish282)

2007-02-13 Thread Simon Smith
murdered to death. Isn't that the point of murder? You don't murder
someone to life, or to hospitalization.

The department of redundancy department...

;]





[Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works

2007-02-13 Thread KJKHyperion
I can't believe nobody has documented this yet. I can't believe nobody 
uses Torpark on a machine with hardware-enforced DEP. I mean, it's a 
basic security measure. Zero effort. Enabled by default by all operating 
systems that count on all recent CPUs that support it. Oh well.

Torpark, for the couple of people who don't know yet, is a bloated 
launcher for Portable Firefox and Tor, for all your roaming child porn 
needs. It's inexplicably written in NSIS, a scripting language 
originally designed for impressing your friends with your ignorance of 
Windows Installer.

NSIS includes impressive capabilities, such as the goto instruction and 
the ability to call bloated, buggy and poorly thought-out plugin DLLs, 
that make it somewhat usable as a general purpose programming language. 
A capability that, incidentally, grossly misguided individuals can 
mistake for the perfect opportunity to write a launcher front-end 
application that's 1.81 MB in size. Compressed. That dumps a half dozen 
DLLs in temporary directories. One of which a theme manager. To skin one 
window. With two buttons.

(to say it lyrically, Torpark embodies the KISS principle in the flesh - 
or rather, in the [mega]byte)

To get to the point, though. For several releases now, my child porn 
browsing has been severely impaired by a significant drawback: Torpark 
just did not start. No error message. The /debug command line switch - a 
sad, cruel joke, depending as it did on the programmer's skill and 
foresight - was of no help. A real debugger revealed the error: the 
plugin DLL (my heart feels pain from typing this) to display message 
boxes is incompatible with DEP. And of course, since you need a plugin 
to display message boxes, you can't display a message box about the 
failure to load the plugin that displays message boxes. In a way, that 
makes perfect sense. In _another_ way, one wonders just how could you 
mess up a 6 KB DLL (still pretty darn huge for a message box). The 
exercise is left to the reader (the answer may surprise you!)

How to unbreak Torpark before your pedo-boner wears off, though? HOW, 
you ask, trembling and panicked? Again, the answer may surprise you: we 
are going to break Torpark further so the system will detect its 
lameness early enough to disable DEP for the whole process (for a 
launcher, this normally wouldn't be a security issue, but all bets are 
off with a program coded in Visual Basic for Llamas).

For the uninitiated: binary executables (.EXE, .DLL) consist of a list 
of memory ranges to allocate (sections), the data to initialize them 
with, and the attributes (readable, writable, executable) of said 
memory. The code is typically (... typically!) emitted as the 
initialization data for a section with the executable attribute. 
Finally, a byte inside the executable is marked as the entry point, 
i.e. the beginning of the program, the first instruction to execute.

Now, when Windows encounters a program so sadly broken its entry point 
lies in a non-executable section (something not even Borland tools 
manage to do, despite the incompatible binary format they use 
internally), it will take pity upon the user and disable DEP for the 
whole process. Again, for the benefit of the philistines in the crowd: 
DEP is a system policy that actually enforces the requirement for memory 
to be marked as executable; older x86 processors (read: all computers in 
the world, ever) did not actually support this, so developers felt 
justified to act damn fucking smart and break their code to brag their 
superior knowledge. The Opera browser is an example of such a broken 
application (it's the fault of the packer, though).

The easiest way to disable DEP for a program, therefore, is to break it 
on purpose.

Rather anticlimactically, this consists of opening the executable in a 
hex editor, looking for the byte pattern 60 00 00 20 near the 
beginning and replacing it with 40 00 00 40. Adventurous readers can 
have fun figuring out why. The answer will not surprise you at all!

That's all. Happy naked kids to all security-conscious Windows users!

PS: stop posting child porn on 4chan.org, faggots. You got almost all 
exit nodes banned. GTFO khtxbye, go gum up anonib.com instead
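
An added example, not from the post and not Torpark's or NSIS's code: a small PE section-table check, the kind of audit a defender can run over a directory of binaries to flag images whose entry point does not lie in a section carrying IMAGE_SCN_MEM_EXECUTE, which is the condition the post says makes Windows drop DEP for the whole process. The two sample headers are constructed for the example; the flag values are the standard PE section Characteristics bits.

```python
"""Flag PE images whose entry point sits outside any executable section."""
import struct

# Standard IMAGE_SECTION_HEADER.Characteristics bits.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes, little-endian


def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, Characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of the optional header in both PE32 and PE32+.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, _raw, _rawptr, _rel, _lin, _nrel, _nlin, chars = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return entry, sections


def entry_point_section(data):
    """Return (name, Characteristics) of the section containing the entry point, or (None, 0)."""
    entry, sections = parse_pe(data)
    for name, vaddr, vsize, chars in sections:
        if vaddr <= entry < vaddr + vsize:
            return name, chars
    return None, 0


def entry_point_is_executable(data):
    """True when the entry point lies in a section with IMAGE_SCN_MEM_EXECUTE set."""
    name, chars = entry_point_section(data)
    return name is not None and bool(chars & IMAGE_SCN_MEM_EXECUTE)


def build_sample_pe(text_characteristics):
    """Constructed minimal PE32 header: one .text section at RVA 0x1000 holding the entry point."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature right after the DOS header
    opt_size = 0xE0                                    # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)   # i386, 1 section, EXECUTABLE_IMAGE|32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint inside .text
    section = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, text_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section


# A normal code section: CODE | EXECUTE | READ = 0x60000020 (stored little-endian in the file).
NORMAL_PE = build_sample_pe(IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
# The same section with the execute bit gone: INITIALIZED_DATA | READ = 0x40000040.
BROKEN_PE = build_sample_pe(IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)

if __name__ == "__main__":
    for label, image in (("normal", NORMAL_PE), ("broken", BROKEN_PE)):
        name, chars = entry_point_section(image)
        print(f"{label}: entry point in {name} (0x{chars:08X}), "
              f"executable={entry_point_is_executable(image)}")
```

Pointed at a real file (`parse_pe(open(path, "rb").read())`) the same check reports which section holds the entry point and whether that section is marked executable.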



[Full-disclosure] Cisco Security Advisory: Multiple IOS IPS Vulnerabilities

2007-02-13 Thread Cisco Systems Product Security Incident Response Team


Cisco Security Advisory: Multiple IOS IPS Vulnerabilities

Advisory ID: cisco-sa-20070213-iosips

http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml

Revision 1.0

For Public Release 2007 February 13 1600 UTC (GMT)

- ---

Summary
===

The Intrusion Prevention System (IPS) feature set of Cisco IOS
contains several vulnerabilities. These include:

  * Fragmented IP packets may be used to evade signature inspection.
  * IPS signatures utilizing the regular expression feature of the
ATOMIC.TCP signature engine may cause a router to crash resulting
in a denial of service.

There are mitigations and workarounds for these vulnerabilities. Cisco
has made free software available to address these vulnerabilities for
affected customers.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml.

Affected Products
=

Vulnerable Products
+--

The following Cisco IOS release trains with the IPS feature set enabled
are vulnerable to the fragmented packet evasion vulnerability:

  * 12.3T, except versions 12.3(2)T, 12.3(4)T, and 12.3(7)T
  * 12.4
  * 12.4T
  * 12.4XE

The following Cisco IOS release trains with the IPS feature set enabled
are vulnerable to the ATOMIC.TCP regular expression denial of service
vulnerability:

  * 12.3T, except versions 12.3(2)T, 12.3(4)T, and 12.3(7)T
  * 12.3XQ, 12.3XR, 12.3XS, 12.3XW, 12.3XX, 12.3XY
  * 12.3YA, 12.3YD, 12.3YG, 12.3YH, 12.3YI, 12.3YJ, 12.3YK, 12.3YM,
12.3YQ, 12.3YS, 12.3YT, 12.3YX, 12.3YZ
  * 12.4
  * 12.4MR
  * 12.4T
  * 12.4XA, 12.4XB

To determine if the IPS feature set is active on an IOS device, use the
show ip ips configuration command. This command will list the
interfaces configured to use IPS inspection. You will then need to
further check the status of each interface to confirm if they are
enabled or not.

router#show ip ips configuration
Configured Config Locations: -none-
Last signature default load time: 18:46:50 UTC Jan 5 2007
Last signature delta load time: -none-
Last event action (SEAP) load time: -none-
IPS Auto Update is not currently configured
IPS fail closed is disabled
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 85
Total Inactive Signatures: 61
IPS Rule Configuration
 IPS name test
IPS Category CLI is not configured
Interface Configuration
 Interface FastEthernet0/0
  Inbound IPS rule is test
  Outgoing IPS rule is not set

router#show ip interface FastEthernet0/0
FastEthernet0/0 is up, line protocol is up


In the above example, interface FastEthernet0/0 is configured to use
IPS and is shown to be enabled.

Products Confirmed Not Vulnerable
+

No other Cisco products are currently known to be affected by this
vulnerability.

Details
===

Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet
inspection-based feature that enables Cisco IOS software to mitigate
network attacks. Cisco IOS IPS enables the network to defend itself
with the intelligence to identify, classify, and stop or block certain
malicious or damaging traffic in real time. The IOS IPS feature set
contains multiple vulnerabilities. Only IOS images containing the IPS
feature set are affected by these vulnerabilities.

Fragmented Packet Evasion Vulnerability
+--

Some of the IPS signatures utilize regular expressions. Due to a
vulnerability, an attacker can evade those IPS signatures by sending
malicious network traffic as IP fragments. This may result in potential
malicious traffic bypassing signature inspection and possibly allow the
exploitation of protected systems. IPS signatures which do not utilize
regular expressions are not affected by this vulnerability. All IP
protocols (e.g. TCP, UDP, ICMP) are affected by this vulnerability.
There is a mitigation for this vulnerability. This vulnerability is
documented in Cisco Bug ID CSCsg15598.

ATOMIC.TCP Regular Expression Denial of Service Vulnerability
+

Certain network traffic can trigger IPS signatures which use the
regular expression feature of the ATOMIC.TCP signature engine which may
cause the IOS IPS device to crash. This may cause a denial of service
resulting in disruption of network traffic. Signature 3123.0 (Netbus Pro
Traffic) has been demonstrated to trigger this vulnerability. There is
a workaround for this vulnerability. This vulnerability is documented
in Cisco Bug ID CSCsa53334.

Vulnerability Scoring Details
+

Cisco is providing scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System

[Full-disclosure] UPDATE: [ GLSA 200611-05 ] Netkit FTP Server: Privilege escalation

2007-02-13 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [UPDATE]   GLSA 200611-05:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Netkit FTP Server: Privilege escalation
  Date: November 10, 2006
   Updated: February 11, 2007
  Bugs: #150292
ID: 200611-05:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Update
==

The original fix introduced a new vulnerability allowing the listing of
any arbitrary directory with root group permissions due to a typo in the
setgid() call. New fixed packages are available. Also, this update adds
a second CVE reference which was not originally mentioned while it was
covered by the original fix.

Additionally, please note that the Netkit FTP Server package has been
renamed from net-ftp/ftpd to net-ftp/netkit-ftpd.

The updated sections appear below.

Background
==

net-ftp/netkit-ftpd is the Linux Netkit FTP server with optional SSL
support.

Affected packages
=

---
 Package  /  Vulnerable  /  Unaffected
---
  1  net-ftp/netkit-ftpd   < 0.17-r5  >= 0.17-r5

Resolution
==

All Netkit FTP Server users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-ftp/netkit-ftpd-0.17-r5

References
==

  [ 1 ] CVE-2006-5778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5778
  [ 2 ] CVE-2006-6008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6008

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200611-05.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



Re: [Full-disclosure] Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread Graham Reed
[EMAIL PROTECTED] writes:
> Of course disabling in.telnetd in /etc/inetd.conf (and doing a pkill -HUP 
> inetd) if possible is a safe bet,

Or, going with Solaris 10's 'SMF' thing: 

% svcadm disable svc:/network/telnet 

And, while you're at it, 

% svcadm disable svc:/network/shell:default
% svcadm disable svc:/network/login:rlogin 

(See man pages for in.telnetd, in.rshd, and in.rlogind.) 

At least one machine I run doesn't have the usual /etc/inetd.conf. 



Re: [Full-disclosure] Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread Michal Zalewski
On Tue, 13 Feb 2007, Gadi Evron wrote:

> I have to agree with a previous poster and suspect (only suspect) it
> could somehow be a backdoor rather than a bug.

You're attributing malice to what could be equally well (or better!)
explained by incompetence or gross negligence. The latter two haunt large
companies far more often, compared to sinister conspiracies.

Yeah, a backdoor is a remote possibility. But it's also an arbitrary and
needlessly complex one. Maybe it's a nefarious plot by our UFO-appointed
shadow government, but chances are, it's not (they have better things to
do today).

Keep that in mind: when risking so much, of all the places to put a covert
backdoor to use for years to come, pulling out a known flaw that will be
spotted by many existing vulnerability scanners, and putting it in a
service that is often disabled as obsolete and generally unreachable from
the outside world, doesn't really make that much sense.

Unless, of course, it's a sabotage attempt orchestrated by a joint team of
IBM and SCO developers... now, that begins to make sense..

/mz



[Full-disclosure] [ GLSA 200702-01 ] Samba: Multiple vulnerabilities

2007-02-13 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200702-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Samba: Multiple vulnerabilities
  Date: February 13, 2007
  Bugs: #165549
ID: 200702-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple flaws exist in the Samba suite of programs, the most serious
of which could result in the execution of arbitrary code.

Background
==

Samba is a suite of SMB and CIFS client/server programs for UNIX.

Affected packages
=

---
 Package   /  Vulnerable  / Unaffected
---
  1  net-fs/samba   < 3.0.24  >= 3.0.24

Description
===

A format string vulnerability exists in the VFS module when handling
AFS file systems and an infinite loop has been discovered when handling
file rename operations.

Impact
==

A user with permission to write to a shared AFS file system may be able
to compromise the smbd process and execute arbitrary code with the
permissions of the daemon. The infinite loop could be abused to consume
excessive resources on the smbd host, denying service to legitimate
users.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Samba users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-fs/samba-3.0.24

References
==

  [ 1 ] CVE-2007-0452
http://samba.org/samba/security/CVE-2007-0452.html
  [ 2 ] CVE-2007-0454
http://samba.org/samba/security/CVE-2007-0454.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200702-01.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] iDefense Security Advisory 02.13.07: Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption Vulnerability

2007-02-13 Thread iDefense Labs NO-REPLY
Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption
Vulnerability

iDefense Security Advisory 02.13.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 13, 2007

I. BACKGROUND

The WinInet module provides access to common Internet protocols, including
FTP and HTTP, allowing programmers to add this functionality to their
code without having to re-implement the details. As a part of the base
operating system, it is used in many applications including Microsoft's
Internet Explorer. More information on the WinInet module is available at
the following link:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wininet/wininet/portal.asp

II. DESCRIPTION

Remote exploitation of a design error in Microsoft Corp.'s 'wininet.dll'
FTP client code could allow an attacker to execute arbitrary code.

The vulnerability specifically exists in the parsing of reply lines from
remote FTP servers. During an FTP session, the client makes requests for
the server to perform some operation and the server responds with a
numeric code, a human readable message and possibly some other
information. As there can be multiple lines in a reply, code in the client
breaks the reply up into lines, putting a null byte (character 0x00) after
any end of line character. In the case where a line ends exactly on the
last character of the reply buffer, the terminating null byte is written
outside of the allocated space, overwriting a byte of the heap management
structure. By sending a specially crafted series of replies to the client,
the heap may be corrupted in a controlled way to cause the execution of
arbitrary code.
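
The off-by-one described above, as an added example that is not iDefense's or Microsoft's code: a model of the reply line-splitting loop in its vulnerable form beside a fixed form, run over a constructed FTP reply that ends exactly on the last byte of its buffer, with a canary byte standing in for the heap metadata that follows a real allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample reply: a two-line FTP response whose final byte is
   the '\n' of the last line, so a line ends exactly on the last byte of
   the buffer (the case the advisory describes). */
static const char SAMPLE_REPLY[] = "220-Welcome\r\n220 Ready\r\n";
static const unsigned char CANARY = 0xA5;

/* Vulnerable splitter, modelled on the behaviour the advisory describes:
   after every end-of-line byte it writes a NUL into the following slot
   without checking that the slot is still inside the buffer. When the
   last byte is '\n', the NUL lands at buf[len], one past the allocation. */
static void split_lines_vulnerable(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\n')
            buf[i + 1] = '\0';      /* off-by-one when i == len - 1 */
    }
}

/* Fixed splitter: only terminates a line when there is room for the NUL.
   A line that ends on the last byte of the buffer is left untouched; the
   caller knows the buffer length and needs no terminator there. */
static void split_lines_fixed(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] == '\n')
            buf[i + 1] = '\0';
    }
}

/* Harness: copy `len` bytes of `reply` into a buffer that is exactly `len`
   bytes long, followed by one canary byte standing in for the heap
   metadata after the allocation. Returns 1 if the splitter overwrote the
   canary (an out-of-bounds write), 0 if not, -1 on allocation failure.
   The extra byte keeps the demonstration itself within bounds. */
int canary_clobbered(void (*split)(unsigned char *, size_t),
                     const char *reply, size_t len)
{
    unsigned char *backing = malloc(len + 1);
    if (backing == NULL)
        return -1;
    memcpy(backing, reply, len);
    backing[len] = CANARY;
    split(backing, len);
    int clobbered = (backing[len] != CANARY);
    free(backing);
    return clobbered;
}

int vulnerable_overflows_on_sample(void)
{
    return canary_clobbered(split_lines_vulnerable, SAMPLE_REPLY, strlen(SAMPLE_REPLY));
}

int fixed_overflows_on_sample(void)
{
    return canary_clobbered(split_lines_fixed, SAMPLE_REPLY, strlen(SAMPLE_REPLY));
}

/* A reply whose last byte is not a line ending never reaches the bad
   write, which is why the flaw only shows when a line ends exactly on
   the buffer boundary. */
int vulnerable_overflows_on_unterminated(void)
{
    static const char partial[] = "220-Welcome\r\n220 Rea";
    return canary_clobbered(split_lines_vulnerable, partial, strlen(partial));
}

int main(void)
{
    printf("vulnerable splitter, line ends on last byte: OOB write = %d\n",
           vulnerable_overflows_on_sample());
    printf("fixed splitter,      line ends on last byte: OOB write = %d\n",
           fixed_overflows_on_sample());
    printf("vulnerable splitter, no trailing newline:    OOB write = %d\n",
           vulnerable_overflows_on_unterminated());
    return 0;
}
```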

III. ANALYSIS

Successful remote exploitation of this vulnerability would allow an attacker
to execute arbitrary commands in the context of the currently logged in
user.

In order to exploit this vulnerability, the attacker must convince the
target to follow a link in a program which uses the vulnerable functions,
such as Internet Explorer, Word, or Outlook. For any of these applications
it is sufficient to embed an image linked to a malicious ftp server, but
for modern versions of Outlook, the image will not render unless the user
allows it.

In testing by iDefense Labs, server responses were generated which put
controlled values into controlled memory locations in Internet Explorer,
with varying degrees of success on a system running Windows XP SP2.
Although methods applied during initial testing were unreliable, they did
indicate that it was possible to use this vulnerability to cause code
execution.

The portion of the heap management structure overwritten is used to
determine the length of the allocation it refers to. In combination with
another less severe vulnerability in the FTP code, which allows a remote
attacker to see a valid memory address, it may be possible to cause
reliable remote exploitation.

IV. DETECTION

iDefense has verified that Internet Explorer 6 on the following Microsoft
operating systems, with all security patches applied as of May 2006, are
affected:

  Windows 2000 Advanced Server SP4  
  Windows XP SP2  
  Windows Server 2003 Enterprise Edition SP1

This vulnerability appears to have existed from at least Internet Explorer
5.0. It is suspected that all versions of Internet Explorer on all
supported platforms are affected.

V. WORKAROUND

iDefense is unaware of any effective workarounds for this vulnerability.
Blocking outgoing port 21 (ftp) requests is not effective, as it is
possible to supply an ftp URL with an alternative port. It may be possible
to limit exposure to this vulnerability by configuring systems to use a
proxy server for all ftp requests and only allowing white-listed sites.

VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability within MS07-016. For more
information, consult their bulletin at the following URL.

http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-0217 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/16/2006  Initial vendor notification
08/16/2006  Initial vendor response
10/05/2006  Second vendor notification
02/13/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
[EMAIL PROTECTED] for permission.

Disclaimer: The information 

Re: [Full-disclosure] Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread Gadi Evron
On Mon, 12 Feb 2007, Oliver Friedrichs wrote:
 
> Am I missing something?  This vulnerability is close to 10 years old.
> It was in one of the first versions of Solaris after Sun moved off of
> the SunOS BSD platform and over to SysV.  It has specifically to do with
> how arguments are processed via getopt() if I recall correctly.

Hey Oliver! :)

Well then, I guess it just became new again. And to be honest, I have to
agree with a previous poster and suspect (only suspect) it could somehow
be a backdoor rather than a bug.

The reason why this vulnerability is so critical is the number of networks
and organizations which rely on Solaris for critical production servers,
as well as use telnet for internal communication on their LAN (now how
smart is that? I'd rather use telnet on the Internet than on a local LAN).

Further, there are quite a few third party appliances (some
infrastructure back-end) that can not easily be patched running on
Solaris (forget fuzzing or VA, people never even NMAP appliances they
buy).

I am unsure of how long we will see this in to-do items of corporate
security teams around the world, but I am sure Sun's /8 is getting a lot
of action recently.

 
> Oliver 

Gadi.

 



Re: [Full-disclosure] Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread Oliver Friedrichs

Gadi,

It looks like I was confused, this actually affected AIX and Linux in
1994:

http://www.securityfocus.com/bid/458/info
http://www.cert.org/advisories/CA-1994-09.html

Oliver




Re: [Full-disclosure] Solaris telnet vulnerability - how many on your network?

2007-02-13 Thread Gadi Evron
On Tue, 13 Feb 2007, Oliver Friedrichs wrote:
 
> Gadi,
>
> It looks like I was confused, this actually affected AIX and Linux in
> 1994:
>
> http://www.securityfocus.com/bid/458/info
> http://www.cert.org/advisories/CA-1994-09.html

Same same but with rlogin, as someone mentioned on DSHIELD.

Gadi.

 
 Oliver
 
 -Original Message-
 From: Gadi Evron [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, February 13, 2007 1:46 AM
 To: Oliver Friedrichs
 Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
 Subject: RE: Solaris telnet vulnberability - how many on your network?
 
 On Mon, 12 Feb 2007, Oliver Friedrichs wrote:
  
  Am I missing something?  This vulnerability is close to 10 years old.
  It was in one of the first versions of Solaris after Sun moved off of 
  the SunOS BSD platform and over to SysV.  It has specifically to do 
  with how arguments are processed via getopt() if I recall correctly.
 
 Hey Oliver! :)
 
 Well then, I guess it just became new again. And to be honest, I have to
 agree with a previous poster and suspect (only suspect) it could somehow
 be a backdoor rather than a bug.
 
 The reason why this vulnerability is so critical is the number of
 networks and organizations which rely on Solaris for critical production
 servers, as well as use telnet for internal communication on their LAN
 (now how smart is that? I'd rather use telnet on the Internet than on a
 local LAN).
 
 Further, there are quite a few third party appliances (some
 infrastructure back-end) that can not easily be patched running on
 Solaris (forget fuzzing or VA, people never even NMAP appliances they
 buy).
 
 I am unsure of how long we will see this in to-do items of corporate
 security teams around the world, but I am sure Sun's /8 is getting a lot
 of action recently.
 
  
  Oliver
 
   Gadi.
 
  
  -Original Message-
  From: Gadi Evron [mailto:[EMAIL PROTECTED]
  Sent: Sunday, February 11, 2007 10:01 PM
  To: bugtraq@securityfocus.com
  Cc: full-disclosure@lists.grok.org.uk
  Subject: Solaris telnet vulnberability - how many on your network?
  
  Johannes Ullrich from the SANS ISC sent this to me and then I saw it 
  on the DSHIELD list:
  
  
  If you run Solaris, please check if you got telnet enabled NOW. If you
  can, block port 23 at your perimeter. There is a fairly trivial
  Solaris telnet 0-day.
  
  telnet -l -froot [hostname]
  
  will give you root on many Solaris systems with default installs
  We are still testing. Please use our contact form at
  https://isc.sans.org/contact.html
  if you have any details about the use of this exploit.
  
  
  You mean they still use telnet?!
  
  Update from HD Moore:
  but this bug isnt -froot, its -fanythingbutroot =P
  
  On the exploits@ mailing list and on DSHIELD this vulnerability was 
  verified as real.
  
  If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it
  a strong suggestion.
  
  Anyone else running Solaris?
  
  Gadi.
  
  
 
 



Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Casper . Dik


Am I missing something?  This vulnerability is close to 10 years old.
It was in one of the first versions of Solaris after Sun moved off of
the SunOS BSD platform and over to SysV.  It has specifically to do with
how arguments are processed via getopt() if I recall correctly.

You're confused with AIX/Linux

Solaris did not have the -f option in login until much later.

Casper



Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Gadi Evron
On Tue, 13 Feb 2007, Michal Zalewski wrote:
 On Tue, 13 Feb 2007, Gadi Evron wrote:
 
  I have to agree with a previous poster and suspect (only suspect) it
  could somehow be a backdoor rather than a bug.
 
 You're attributing malice to what could be equally well (or better!)
 explained by incompetence or gross negligence. The latter two haunt large
 companies far more often, compared to sinister conspiracies.
 
 Yeah, a backdoor is a remote possibility. But it's also an arbitrary and
 needlessly complex one. Maybe it's a nefarious plot by our UFO-appointed
 shadow government, but chances are, it's not (they have better things to
 do today).
 
 Keep that in mind: when risking so much, of all the places to put a covert
 backdoor to use for years to come, pulling out a known flaw that will be
 spotted by many existing vulnerability scanners, and putting it in a
 service that is often disabled as obsolete and generally unreachable from
 the outside world, doesn't really make that much sense.

Well, I just can't rule it out. It speaks for itself. Your voice of reason
is naturally appreciated.

I still believe it is a possibility, as what could be better?

In 1994, this wasn't very far-off, nor was this noticeable. Other probable
explanations abound; we will see if Sun sets us straight.

 
 Unless, of course, it's a sabotage attempt orchestrated by a joint team of
 IBM and SCO developers... now, that begins to make sense..

Trucks and tubes I tell ya!

 /mz
 

Gadi.



Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Gadi Evron
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
 
 
 Am I missing something?  This vulnerability is close to 10 years old.
 It was in one of the first versions of Solaris after Sun moved off of
 the SunOS BSD platform and over to SysV.  It has specifically to do with
 how arguments are processed via getopt() if I recall correctly.
 
 You're confused with AIX/Linux
 
 Solaris did not have the -f option in login until much later.

Hi Casper. While we have you here, any idea on when Sun will be patching
this issue?

Many thanks,

Gadi.



Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Gadi Evron
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
 
 On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
  
  
  Am I missing something?  This vulnerability is close to 10 years old.
  It was in one of the first versions of Solaris after Sun moved off of
  the SunOS BSD platform and over to SysV.  It has specifically to do with
  how arguments are processed via getopt() if I recall correctly.
  
  You're confused with AIX/Linux
  
  Solaris did not have the -f option in login until much later.
 
 Hi Casper. While we have you here, any idea on when Sun will be patching
 this issue?
 
 Now, follow the links from http://sunsolve.sun.com/tpatches
 
 Casper
 

Many thanks Casper! Can you give some more information on exactly what is
patched. Any Sun released advisory?

Thanks again,

Gadi.



Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Gadi Evron
On Tue, 13 Feb 2007, Gadi Evron wrote:
 On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
  
  On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
   
   
   Am I missing something?  This vulnerability is close to 10 years old.
   It was in one of the first versions of Solaris after Sun moved off of
   the SunOS BSD platform and over to SysV.  It has specifically to do with
   how arguments are processed via getopt() if I recall correctly.
   
   You're confused with AIX/Linux
   
   Solaris did not have the -f option in login until much later.
  
  Hi Casper. While we have you here, any idea on when Sun will be patching
  this issue?
  
  Now, follow the links from http://sunsolve.sun.com/tpatches
  
  Casper
  
 
 Many thanks Casper! Can you give some more information on exactly what is
 patched. Any Sun released advisory?

Specifically, more than:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security

Because of the wide implications of this particular issue?

Also, any idea on how this vulnerability was introduced?

Thanks again,

Gadi.



Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Gadi Evron
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
 
 Yeah, a backdoor is a remote possibility. But it's also an arbitrary and
 needlessly complex one. Maybe it's a nefarious plot by our UFO-appointed
 shadow government, but chances are, it's not (they have better things to
 do today).
 
 And one which was too easy to discover; real back doors are better
 masqueraded as buffer overflows you might not chance upon.

We all agree it is not a very likely possibility, but I wouldn't rule it
out completely just yet until more information from Sun becomes
available.

There are a lot more relevant issues to discuss here regarding this
vulnerability, however, and we can move on from that moot point for now.

Thanks for your help and Sun's, Casper, but we would all like more
information.

 Casper
 

Gadi.



Re: [Full-disclosure] Solaris telnet vulnberability - how many onyour network?

2007-02-13 Thread Peter Ferrie
 I have to agree with a previous poster and suspect (only 
 suspect) it could somehow be a backdoor rather than a bug.

Reminds me of the WMF SetAbortProc() backdoor accusation.
:-) It was just bad design.



Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Casper . Dik

Yeah, a backdoor is a remote possibility. But it's also an arbitrary and
needlessly complex one. Maybe it's a nefarious plot by our UFO-appointed
shadow government, but chances are, it's not (they have better things to
do today).

And one which was too easy to discover; real back doors are better
masqueraded as buffer overflows you might not chance upon.

Casper



Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Casper . Dik

On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
 
 
 Am I missing something?  This vulnerability is close to 10 years old.
 It was in one of the first versions of Solaris after Sun moved off of
 the SunOS BSD platform and over to SysV.  It has specifically to do with
 how arguments are processed via getopt() if I recall correctly.
 
 You're confused with AIX/Linux
 
 Solaris did not have the -f option in login until much later.

Hi Casper. While we have you here, any idea on when Sun will be patching
this issue?

Now, follow the links from http://sunsolve.sun.com/tpatches

Casper



Re: [Full-disclosure] Pedophiles On YouTube (ringleader Irish282)

2007-02-13 Thread ninjadaito


Please, save the kids from this man, and forward this email to
everyone you know.

Well, it just goes to show there are still plenty of gullible fools
out in user-land.

Thank goodness so much security work results from the efforts (or
ignorance) of those gullible fools.

Forward this email to everyone you know!

- - Ninja


[Full-disclosure] [ GLSA 200702-02 ] ProFTPD: Local privilege escalation

2007-02-13 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200702-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: ProFTPD: Local privilege escalation
  Date: February 13, 2007
  Bugs: #158122
ID: 200702-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A flaw in ProFTPD may allow a local attacker to obtain root privileges.

Background
==

ProFTPD is a powerful, configurable, and free FTP daemon.

Affected packages
=

---
 Package  /   Vulnerable   /    Unaffected
---
  1  net-ftp/proftpd   < 1.3.1_rc1      >= 1.3.1_rc1

Description
===

A flaw exists in the mod_ctrls module of ProFTPD, normally used to
allow FTP server administrators to configure the daemon at runtime.

Impact
==

An FTP server administrator permitted to interact with mod_ctrls could
potentially compromise the ProFTPD process and execute arbitrary code
with the privileges of the FTP Daemon, which is normally the root user.

Workaround
==

Disable mod_ctrls, or ensure only trusted users can access this
feature.

Resolution
==

All ProFTPD users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.1_rc1"

References
==

  [ 1 ] CVE-2006-6563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6563

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200702-02.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ GLSA 200702-04 ] RAR, UnRAR: Buffer overflow

2007-02-13 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200702-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: RAR, UnRAR: Buffer overflow
  Date: February 13, 2007
  Bugs: #166440
ID: 200702-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

RAR and UnRAR contain a buffer overflow allowing the execution of
arbitrary code.

Background
==

RAR and UnRAR provide command line interfaces for compressing and
decompressing RAR files.

Affected packages
=

---
 Package /    Vulnerable    /    Unaffected
---
  1  app-arch/rar    < 3.7.0_beta1     >= 3.7.0_beta1
  2  app-arch/unrar  < 3.7.3           >= 3.7.3
---
 2 affected packages on all of their supported architectures.
---

Description
===

RAR and UnRAR contain a boundary error when processing
password-protected archives that could result in a stack-based buffer
overflow.

Impact
==

A remote attacker could entice a user to process a specially crafted
password-protected archive and execute arbitrary code with the rights
of the user uncompressing the archive.

Workaround
==

There is no known workaround at this time.

Resolution
==

All UnRAR users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/unrar-3.7.3"

All RAR users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/rar-3.7.0_beta1"

References
==

  [ 1 ] CVE-2007-0855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0855

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200702-04.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Ham Beast

seriously why the fuck is 10 email on the telnet of the solaris with
worthless content by gadi enron in mine inbox?

off take your jacket sports please 

On 2/13/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:



On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:

 On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
 
  
   Am I missing something?  This vulnerability is close to 10 years old.
   It was in one of the first versions of Solaris after Sun moved off of
   the SunOS BSD platform and over to SysV.  It has specifically to do with
   how arguments are processed via getopt() if I recall correctly.
 
  You're confused with AIX/Linux
 
  Solaris did not have the -f option in login until much later.
 
  Hi Casper. While we have you here, any idea on when Sun will be patching
  this issue?

 Now, follow the links from http://sunsolve.sun.com/tpatches

 Casper


Many thanks Casper! Can you give some more information on exactly what is
patched. Any Sun released advisory?


The simplest possible fix on such short notice:


http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629r1=2923

Casper


Re: [Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works

2007-02-13 Thread KJKHyperion
coderman wrote:
 ...
 Torpark, for the couple of people who don't know yet, is a bloated 
 launcher for Portable Firefox and Tor...
 fun stuff; if you don't mind even a little more bloat you might want 
 to try out janusvm which gives you a transparent DNS/TCP proxy through 
 Tor using a virtual machine.
Talk about overkill
 - avoids crappy windoze tcp/ip stacks via ethernet bridge.
Sorry, I'm a noted Windows fanboy and I'm not sure I find that a plus
 PS: stop posting child porn on 4chan.org, faggots. You got almost all 
 exit nodes banned. GTFO khtxbye, go gum up anonib.com instead
 fortunately stupidity leaves many traces; these idiots leave tracks 
 elsewhere and will face consequences for their actions at some point. 
 [this isn't limited to banned exit nodes either, these assholes are 
 also getting exit nodes confiscated in germany and elsewhere.  *sigh*]
personally? I don't care. All I know is because of some greasy 
kiddyfucker in Armpit, Nebraska I can't get my daily fix of footsole 
fetish from /d/ without half the campus (and, oh, any buildings in 
neighboring blocks - thank you, Fastweb! You sure make me feel 
connected!) snooping on me for blackmailing purposes. I have a 
reputation, dammit

(haha, just kidding. I'm more of a shitting dicknipples person)
 P.S.  we've been trying for a number of weeks to get a qemu version 
 working like the vmware bridge with the tap device used by qemu.  this 
 causes problems due to windows routing tables, even in bridged mode 
 (2k/XP) when the VPN connects to janusvm and pushes a new default 
 route.  if anyone has dealt with this and knows the requisite tricks 
 for making a bridged tap route outside of the windows IP routes i'd 
 love to hear it... 
dammit Jim, I'm a kernel hacker, not a network admin! A couple ideas, 
though:
 * why not PPPoE instead of a VPN? Sorry if it doesn't make sense to 
you, I just have a thing for PPPoE. Not a fetish or anything like that. 
No way. Seriously, it sounds perfect for a bridged tunnel, to me
 * VMware works flawlessly because it attaches a protocol driver to all 
the bridged interfaces, simulating a bridge (duh). I suspect the tap 
driver is not as smart. Nowhere near as smart. I suspect, in fact, that 
the tap driver expects user-mode applications to open the NIC device 
directly, because that's how UNIX-heads think. It would be funny, in a 
very sad way, considering that the most prominent open source NDIS 
project, WinPcap, gets that right. One day, I swear, I will turn that 
pile of manure into a proper, well-behaving Windows component (I mean 
tap, silly! WinPcap is beyond my help now)
 * alternatively, my psychic debugging powers tell me Qemu might be 
trying to inject packets through a raw socket, or something similarly 
boneheaded that nevertheless works perfectly on Linux. As a general 
rule, if a bridging application doesn't install a bridging protocol, 
there you know something's wrong

Please ignore me if I am talking out of my ass

(... hey, did you know you can turn a Windows Server into a PPPoE 
terminal server if you install a PPPoE port driver and bind RRAS to it? 
easy like that! now ain't that... cool?)



Re: [Full-disclosure] [Fwd: Re: Full functional 0day exploit builder for sale!]

2007-02-13 Thread chedder1
LOL!!!
... too funny

On Fri, Feb 09, 2007 at 01:23:45PM -0500, Matthew Flaschen wrote:

 From: yuanfan bai [EMAIL PROTECTED]
 To: Matthew Flaschen [EMAIL PROTECTED]
 Subject: Re: [Full-disclosure] Full functional 0day exploit builder for sale!
 
 Hi List.
 I am that [EMAIL PROTECTED] I do not know why my hotmail account
 password was changed by someone, maybe ones here. Now I should claim here, I
 am NOT a technical hacker or researcher. I do not know such magics. I am just
 a businessman. I provide my 0day builder to customers. So anyone, attacking
 my mailbox is not so interesting.
   And I'm sorry that I hope anyone contacted me in the last two days,
 resend your un-replied letters to the new box: this gmail mailbox. I'm
 sorry, thank you.
 
 
 
 
 
 
 2007/2/5, Matthew Flaschen [EMAIL PROTECTED]:
 
 0dayDealer 0dayDealer wrote:
  Hi List,
 Full functional 0day exploit builder for sale!
 
 This is the one you want. Contact me with the mailbox
  A0dayDealer###hotmail.com.
  Here is some of the exploits: 0day word2003 all languages 
 universal
 
 How can you have a 0-day on a program that's been completely 
 replaced?
 
 Matthew Flaschen
 
 
 
 






-- 
http://chedder.hacked.in
You don't exist. Go away



Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Thierry Zoller
Dear Casper Dik ([EMAIL PROTECTED]),

I wasn't crying wolf about a Backdoor, heck I am not Steve Gibson. I
was asking whether somebody will investigate why this hasn't been
caught by audits or simply QA ?

CDSC And one which was too easy to discover;
You said it, it's easy to discover, so who has discovered it? Sun ? 
Considering
it's that easy to catch, why hasn't SUN ? Maybe you can give us a
heads up on that ?

CDSC  real back doors are better
I like that tautology, real backdoors, what makes a backdoor more
real than another one ? Is it the coolness, the stealth ? Or is it
simply the fact that it gives back door access ?

CDSC masquared as buffer overflows you might not chance upon.
Nobody does that anymore, everybody does code audits now and catches
buffer overflows, right? I think other overflows are more interesting
to hide access.

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



Re: [Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works

2007-02-13 Thread coderman
On 2/13/07, KJKHyperion [EMAIL PROTECTED] wrote:
 ...
 Sorry, I'm a noted Windows fanboy and I'm not sure I find that a plus

you must have w2k server, no WSAENOBUFS [0] hell for you!  *g*

in any case, i hope you are aware of which claims are actually
supported by Torpark and which aren't. [1]


 dammit Jim, I'm a kernel hacker, not a network admin! A couple ideas,
 though:
  * why not PPPoE instead of a VPN? Sorry if it doesn't make sense to
 you, I just have a thing for PPPoE. Not a fetish or anything like that.
 No way. Seriously, it sounds perfect for a bridged tunnel, to me

the problem lies in the routing. PPPoE doesn't resolve this, and i'm
not sure if the tap device can do it anyway (since it is not really an
ethernet device, but sort of).  it will probably require a new device
(like the vmware bridge) to do this.

more to the point, the windows bridge from ethernet to the tap is
not really a bridge.  i guess that's the root of the problem (and
where the vmware bridge device acts like a bridge, and doesn't subject
the bridged vmnet device to the same routing table used by the host IP
stack associated with the actual ethernet device)


  * VMware works flawlessly because it attaches a protocol driver to all
 the bridged interfaces, simulating a bridge (duh). I suspect the tap
 driver is not as smart. Nowhere near as smart.

yes, exactly!   (well, it doesn't actually show as a bridge, it's a
magic bridge that can bind to anything that speaks ethernet,
including wireless devices, without giving windows the heads up, and
thus avoids routing table badness.)


  * alternatively, my psychic debugging powers tell me Qemu might be
 trying to inject packets through a raw socket, or something similarly
 boneheaded that nevertheless works perfectly on Linux.

nah, it's a tap device just like openvpn uses.  it just appears to be
a realtek ethernet device inside the linux guest (or any other guest
OS)...


 (... hey, did you know you can turn a Windows Server into a PPPoE
 terminal server if you install a PPPoE port driver and bind RRAS to it?
 easy like that! now ain't that... cool?)

that's sick dude!  quit drinking the cool-aid before it's too late!  :P


0. Tor Windows Buffer Problems
   http://wiki.noreply.org/noreply/TheOnionRouter/WindowsBufferProblems

1. Traces left by Torpark, and other security discussion
   http://archives.seul.org/or/talk/Nov-2006/msg00219.html



Re: [Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works

2007-02-13 Thread KJKHyperion
afed wrote:
 I have come up with a unique and proprietary solution to the problems 
 presented by Torpark:
problems! Sorry mister, I'm afraid I can't share your negative outlook 
on the matters at hand. What I presented to you was an _opportunity_. 
Let's say, in a purely hypothetical fashion, that you made a copy of the 
iexplore.exe executable, renaming it iexplore-nx.exe. Let's add, still 
firmly in the realm of speculation, that you apply the binary hack I 
described to said renamed executable. What you find yourself with, 
gentleman, is a copy of Internet Explorer you, security researcher, can 
use to test those pesky shellcode exploits with, without disabling DEP 
globally.

You will surely concede that it is, indeed, nifty
 Don't download or look at CP.
killjoy. It's people like you who make IT security so dull. Next thing 
you know, you'll decry selling 0-day exploits for a profit



[Full-disclosure] iDefense Security Advisory 02.13.07: Hewlett-Packard HP-UX SLSd Arbitrary File Creation Vulnerability

2007-02-13 Thread iDefense Labs NO-REPLY
Hewlett-Packard HP-UX SLSd Arbitrary File Creation Vulnerability

iDefense Security Advisory 02.13.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 13, 2007

I. BACKGROUND

Hewlett-Packard's HP-UX introduced Single Logical Screen (SLS) in 1995 to
facilitate using multiple graphics devices on a single desktop. Distributed
SLS, or SLS/d, extends SLS to allow the utilization of graphics devices
within multiple computer systems. More information is available at the
following URL.

http://docs.hp.com/en/B2355-90142/ch05s03.html

II. DESCRIPTION

Remote exploitation of a design error within Hewlett-Packard's SLSd daemon
could allow an attacker to gain superuser privileges.

The problem specifically exists due to a design error within the
SLSd_daemon RPC daemon that provides connectivity between the
distributed systems. This daemon registers itself under the RPC PROGID of
536870913 or 351456, depending on the HP-UX version. By sending a
specially crafted request, the daemon will write attacker supplied data to
an arbitrary file as the superuser.

III. ANALYSIS

Exploitation allows an unauthenticated attacker to gain superuser
privileges by overwriting select files such as .rhosts, cron scripts, or
other files used for authentication.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability within the
SLSd_daemon binary as shipped with HP-UX 11.11i and 10.20. All versions
are suspected to be vulnerable.

V. WORKAROUND

Employ firewalls to limit access to the affected system to reduce exposure
to this vulnerability. If you are not using Distributed SLS, disable the
SLSd_daemon.

VI. VENDOR RESPONSE

Hewlett-Packard has addressed this vulnerability with HP Security Advisory
HPSBUX02191. More information is available at the following URL.

http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00862809

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

01/30/2007  Initial vendor notification
01/30/2007  Initial vendor response
02/13/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
[EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.

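A defender-side exposure check for sections II, IV and V of the advisory, added here as an example and not part of iDefense's or HP's own material: it parses `rpcinfo -p` output and reports whether either SLSd_daemon program number named above is registered, so an administrator can confirm the daemon is disabled or the host is filtered. The `rpcinfo` sample below is constructed, not captured from a real HP-UX host.

```python
import re
from typing import List, NamedTuple

# RPC program numbers under which SLSd_daemon registers (from the advisory);
# which one appears depends on the HP-UX release.
SLSD_PROGIDS = {536870913, 351456}


class RpcEntry(NamedTuple):
    program: int
    version: int
    proto: str
    port: int
    service: str  # may be empty: SLSd_daemon has no entry in /etc/rpc by default


# Constructed sample of `rpcinfo -p` output (hypothetical host, not real data).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100024    1   udp   1066  status
 536870913    1   tcp  49231
    100021    3   tcp  49236  nlockmgr
"""

# One registration line: program, version, protocol, port, optional service name.
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")


def parse_rpcinfo(text: str) -> List[RpcEntry]:
    """Parse `rpcinfo -p` output; the header line and anything unparseable is skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries.append(RpcEntry(int(m.group(1)), int(m.group(2)),
                                    m.group(3), int(m.group(4)), m.group(5)))
    return entries


def find_slsd(entries: List[RpcEntry]) -> List[RpcEntry]:
    """Return every registration that matches an SLSd_daemon program number."""
    return [e for e in entries if e.program in SLSD_PROGIDS]


def exposure_report(text: str) -> str:
    """Human-readable verdict: which ports, if any, expose SLSd_daemon via the portmapper."""
    hits = find_slsd(parse_rpcinfo(text))
    if not hits:
        return "SLSd_daemon not registered with rpcbind"
    ports = ", ".join(f"{h.proto}/{h.port} (prog {h.program} v{h.version})" for h in hits)
    return f"SLSd_daemon registered on {ports}: disable it or filter the port"


if __name__ == "__main__":
    print(exposure_report(SAMPLE_RPCINFO))
```

Feed it the output of `rpcinfo -p <host>` taken from the host itself and, separately, from a machine outside the firewall; a hit in the second case is the exposure the workaround section addresses.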


Re: [Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works

2007-02-13 Thread KJKHyperion
coderman wrote:
> Sorry, I'm a noted Windows fanboy and I'm not sure I find that a plus
> you must have w2k server, no WSAENOBUFS [0] hell for you!  *g*
woe onto the unwary developer who uses select on Windows. It is merely a 
concession to portability, not actually meant to be used. Seriously, 
guys, we have had a good laugh about it. But it was all a joke. A prank! 
Stop using it, k? No love lost, we hope
> in any case, i hope you are aware of which claims are actually 
> supported by Torpark and which aren't. [1]
My counterclaim is that Torpark is crappy and bloated. I tolerate 
it because I am lazy.

I also seriously, earnestly cannot accept for a fact that nobody else 
has noticed that it breaks with hard-DEP enabled
> that's sick dude!  quit drinking the cool-aid before it's too late!  :P
I used to be the proud owner of a Windows server that NATted a 
PPP-over-LPT connection onto an ISDN line (inexplicably [!], RRAS didn't 
appear to have been designed to support a scenario where you NAT a PPP 
connection into another PPP connection.). A virtual Ethernet interface 
(Microsoft Loopback) also somehow fit in the scheme, if I recall 
correctly. Despite Microsoft's best intentions, the whole Rube Goldberg 
actually worked



Re: [Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works

2007-02-13 Thread coderman
On 2/13/07, KJKHyperion [EMAIL PROTECTED] wrote:
> ...
> Torpark, for the couple of people who don't know yet, is a bloated
> launcher for Portable Firefox and Tor...

fun stuff; if you don't mind even a little more bloat you might want
to try out janusvm which gives you a transparent DNS/TCP proxy through
Tor using a virtual machine.

advantages:
- full transparent proxy, no SOCKS or wrappers required.
- avoids crappy windoze tcp/ip stacks via ethernet bridge. (for
network intensive Tor this can be a big problem)

drawbacks:
- requires vmware (player or workstation)
- users must take care to clean any necessary state in browser or
application between anonymous and non-anonymous modes.

latest january release trimmed off 12M of fat from the dc14 build.  at
least we're trying... ;)

http://janusvm.peertech.org/JanusVM.zip
MD5: 44e13efde64810c8df50babb636fa253
SHA1: dfa29620c8d14110d8507dfcb395a80326ee7b1b
SHA2-256: 0B062B02739E34020510CE41650B338AF695686DBA9DAD9FC667E4AF8EC6DA60


> PS: stop posting child porn on 4chan.org, faggots. You got almost all
> exit nodes banned. GTFO khtxbye, go gum up anonib.com instead

fortunately stupidity leaves many traces; these idiots leave tracks
elsewhere and will face consequences for their actions at some point.
[this isn't limited to banned exit nodes either, these assholes are
also getting exit nodes confiscated in germany and elsewhere.  *sigh*]

P.S.  we've been trying for a number of weeks to get a qemu version
working like the vmware bridge with the tap device used by qemu.  this
causes problems due to windows routing tables, even in bridged mode
(2k/XP) when the VPN connects to janusvm and pushes a new default
route.  if anyone has dealt with this and knows the requisite tricks
for making a bridged tap route outside of the windows IP routes i'd
love to hear it...



[Full-disclosure] Diagnostics Mode + Phreaking

2007-02-13 Thread Mark Sec

Alo again,

any1 have any tool to do forensics over cellphones? ,  freeware or
shareware?

any1 know howto put Diagnostic Mode over cellphones (Motorola, Nokia etc?,
links and tutorials?)


regards
- Mark

Re: [Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works

2007-02-13 Thread afed
I have come up with a unique and proprietary solution to the problems
presented by Torpark:

Don't download or look at CP.

This technique is my intellectual property so don't steal it!
