[Full-disclosure] Symbian Security Contact ?
Hi List, I am searching for an official Symbian Security Contact. Could anyone provide me an e-mail address or similar ? Thank you in advance, The Fuffologist. _ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
Am I missing something? This vulnerability is close to 10 years old. It was in one of the first versions of Solaris after Sun moved off of the SunOS BSD platform and over to SysV. It has specifically to do with how arguments are processed via getopt() if I recall correctly. Oliver -Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED] Sent: Sunday, February 11, 2007 10:01 PM To: bugtraq@securityfocus.com Cc: full-disclosure@lists.grok.org.uk Subject: Solaris telnet vulnberability - how many on your network? Johannes Ullrich from the SANS ISC sent this to me and then I saw it on the DSHIELD list: If you run Solaris, please check if you got telnet enabled NOW. If you can, block port 23 at your perimeter. There is a fairly trivial Solaris telnet 0-day. telnet -l -froot [hostname] will give you root on many Solaris systems with default installs We are still testing. Please use our contact form at https://isc.sans.org/contact.html if you have any details about the use of this exploit. You mean they still use telnet?! Update from HD Moore: but this bug isnt -froot, its -fanythingbutroot =P On the exploits@ mailing list and on DSHIELD this vulnerability was verified as real. If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a strong suggestion. Anyone else running Solaris? Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Pedophiles On YouTube (ringleader Irish282)
I think the forward this email to everyone you know line should have been enough to set off anyone's bullshit alarm. On 2/12/07, Nicholas Winn [EMAIL PROTECTED] wrote: And I assume your not full of shit and have proof of this because? ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Pedophiles On YouTube (ringleader Irish282)
Yo! TheGesus wrote: On 2/12/07, Nicholas Winn [EMAIL PROTECTED] wrote: And I assume your not full of shit and have proof of this because? I think the forward this email to everyone you know line should have been enough to set off anyone's bullshit alarm. No need to worry. Since receiving this e-mail I have murdered irish282 to death with my bare hands. Yours truly, MC anonymous. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Pedophiles On YouTube (ringleader Irish282)
murdered to death. Isn't that the point of murder? You don't murder someone to life, or to hospitalization. The department of redundancy department... ;] On 2/13/07 10:08 AM, Siim Põder [EMAIL PROTECTED] wrote: Yo! TheGesus wrote: On 2/12/07, Nicholas Winn [EMAIL PROTECTED] wrote: And I assume your not full of shit and have proof of this because? I think the forward this email to everyone you know line should have been enough to set off anyone's bullshit alarm. No need to worry. Since receiving this e-mail I have murdered irish282 to death with my bare hands. Yours truly, MC anonymous. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works
I can't believe nobody has documented this yet. I can't believe nobody uses Torpark on a machine with hardware-enforced DEP. I mean, it's a basic security measure. Zero effort. Enabled by default by all operating systems that count on all recent CPUs that support it. Oh well. Torpark, for the couple of people who don't know yet, is a bloated launcher for Portable Firefox and Tor, for all your roaming child porn needs. It's inexplicably written in NSIS, a scripting language originally designed for impressing your friends with your ignorance of Windows Installer. NSIS includes impressive capabilities, such as the goto instruction and the ability to call bloated, buggy and poorly thought-out plugin DLLs, that make it somewhat usable as a general purpose programming language. A capability that, incidentally, grossly misguided individuals can mistake for the perfect opportunity to write a launcher front-end application that's 1.81 MB in size. Compressed. That dumps a half dozen DLLs in temporary directories. One of which a theme manager. To skin one window. With two buttons. (to say it lyrically, Torpark embodies the KISS principle in the flesh - or rather, in the [mega]byte) To get to the point, though. For several releases now, my child porn browsing has been severely impaired by a significant drawback: Torpark just did not start. No error message. The /debug command line switch - a sad, cruel joke, depending as it did on the programmer's skill and foresight - was of no help. A real debugger revealed the error: the plugin DLL (my heart feels pain from typing this) to display message boxes is incompatible with DEP. And of course, since you need a plugin to display message boxes, you can't display a message box about the failure to load the plugin that displays message boxes. In a way, that makes perfect sense. In _another_ way, one wonders just how could you mess up a 6 KB DLL (still pretty darn huge for a message box). The exercise is left to the reader (the answer may surprise you!) How to unbreak Torpark before your pedo-boner wears off, though? HOW, you ask, trembling and panicked? Again, the answer may surprise you: we are going to break Torpark further so the system will detect its lameness early enough to disable DEP for the whole process (for a launcher, this normally wouldn't be a security issue, but all bets are off with a program coded in Visual Basic for Llamas). For the uninitiated: binary executables (.EXE, .DLL) consist of a list of memory ranges to allocate (sections), the data to initialize them with, and the attributes (readable, writable, executable) of said memory. The code is typically (... typically!) emitted as the initialization data for a section with the executable attribute. Finally, a byte inside the executable is marked as the entry point, i.e. the beginning of the program, the first instruction to execute. Now, when Windows encounters a program so sadly broken its entry point lies into a non-executable section (something not even Borland tools manage to do, despite the incompatible binary format they use internally), it will take pity upon the user and disable DEP for the whole process. Again, for the benefit of the philistines in the crowd: DEP is a system policy that actually enforces the requirement for memory to be marked as executable; older x86 processors (read: all computers in the world, ever) did not actually support this, so developers felt justified to act damn fucking smart and break their code to brag their superior knowledge. The Opera browser is an example of such a broken application (it's the fault of the packer, though). The easiest way to disable DEP for a program, therefore, is to break it on purpose. Rather anticlimatically, this consists of opening the executable in a hex editor, looking for the byte pattern 60 00 00 20 near the beginning and replacing it with 40 00 00 40. Adventurous readers can have fun figuring out why. The answer will not surprise you at all! That's all. Happy naked kids to all security-conscious Windows users! PS: stop posting child porn on 4chan.org, faggots. You got almost all exit nodes banned. GTFO khtxbye, go gum up anonib.com instead ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Cisco Security Advisory: Multiple IOS IPS Vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Multiple IOS IPS Vulnerabilities Advisory ID: cisco-sa-20070213-iosips http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml Revision 1.0 For Public Release 2007 February 13 1600 UTC (GMT) - --- Summary === The Intrusion Prevention System (IPS) feature set of Cisco IOS contains several vulnerabilities. These include: * Fragmented IP packets may be used to evade signature inspection. * IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service. There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml. Affected Products = Vulnerable Products +-- The following Cisco IOS release trains with the IPS feature set enabled are vulnerable to the fragmented packet evasion vulnerability: * 12.3T, except versions 12.3(2)T, 12.3(4)T, and 12.3(7)T * 12.4 * 12.4T * 12.4XE The following Cisco IOS release trains with the IPS feature set enabled are vulnerable to the ATOMIC.TCP regular expression denial of service vulnerability: * 12.3T, except versions 12.3(2)T, 12.3(4)T, and 12.3(7)T * 12.3XQ, 12.3XR, 12.3XS, 12.3XW, 12.3XX, 12.3XY * 12.3YA, 12.3YD, 12.3YG, 12.3YH, 12.3YI, 12.3YJ, 12.3YK, 12.3YM, 12.3YQ, 12.3YS, 12.3YT, 12.3YX, 12.3YZ * 12.4 * 12.4MR * 12.4T * 12.4XA, 12.4XB To determine if the IPS feature set is active on an IOS device, use the show ip ips configuration command. This command will list the interfaces configured to use IPS inspection. You will then need to further check the status of each interface to confirm if they are enabled or not. router#show ip ips configuration Configured Config Locations: -none- Last signature default load time: 18:46:50 UTC Jan 5 2007 Last signature delta load time: -none- Last event action (SEAP) load time: -none- IPS Auto Update is not currently configured IPS fail closed is disabled Fastpath ips is enabled Quick run mode is enabled Event notification through syslog is enabled Event notification through SDEE is enabled Total Active Signatures: 85 Total Inactive Signatures: 61 IPS Rule Configuration IPS name test IPS Category CLI is not configured Interface Configuration Interface FastEthernet0/0 Inbound IPS rule is test Outgoing IPS rule is not set router#show ip interface FastEthernet0/0 FastEthernet0/0 is up, line protocol is up In the above example, interface FastEthernet0/0 is configured to use IPS and is shown to be enabled. Products Confirmed Not Vulnerable + No other Cisco products are currently known to be affected by this vulnerability. Details === Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based feature that enables Cisco IOS software to mitigate network attacks. Cisco IOS IPS enables the network to defend itself with the intelligence to identify, classify, and stop or block certain malicious or damaging traffic in real time. The IOS IPS feature set contains multiple vulnerabilities. Only IOS images containing the IPS feature set are affected by these vulnerabilities. Fragmented Packet Evasion Vulnerability +-- Some of the IPS signatures utilize regular expressions. Due to a vulnerability, an attacker can evade those IPS signatures by sending malicious network traffic as IP fragments. This may result in potential malicious traffic bypassing signature inspection and possibly allow the exploitation of protected systems. IPS signatures which do not utilize regular expressions are not affected by this vulnerability. All IP protocols (e.g. TCP, UDP, ICMP) are affected by this vulnerability. There is a mitigation for this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsg15598. ATOMIC.TCP Regular Expression Denial of Service Vulnerability + Certain network traffic can trigger IPS signatures which use the regular expression feature of the ATOMIC.TCP signature engine which may cause the IOS IPS device to crash. This may cause a denial of service resulting in disruption network traffic. Signature 3123.0 (Netbus Pro Traffic) has been demonstrated to trigger this vulnerability. There is a workaround for this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsa53334. Vulnerability Scoring Details + Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System
[Full-disclosure] UPDATE: [ GLSA 200611-05 ] Netkit FTP Server: Privilege escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory [UPDATE] GLSA 200611-05:02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Netkit FTP Server: Privilege escalation Date: November 10, 2006 Updated: February 11, 2007 Bugs: #150292 ID: 200611-05:02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Update == The original fix introduced a new vulnerability allowing the listing of any arbitrary directory with root group permissions due to a typo in the setgid() call. New fixed packages are available. Also, this update adds a second CVE reference which was not originally mentionned while it was covered by the original fix. Additionally, please note that the Netkit FTP Server package has been renamed from net-ftp/ftpd to net-ftp/netkit-ftpd. The updated sections appear below. Background == net-ftp/netkit-ftpd is the Linux Netkit FTP server with optional SSL support. Affected packages = --- Package / Vulnerable / Unaffected --- 1 net-ftp/netkit-ftpd 0.17-r5 = 0.17-r5 Resolution == All Netkit FTP Server users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose =net-ftp/netkit-ftpd-0.17-r5 References == [ 1 ] CVE-2006-5778 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5778 [ 2 ] CVE-2006-6008 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6008 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200611-05.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org. License === Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 pgpXXMDPPwIEd.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnerability - how many on your network?
[EMAIL PROTECTED] writes: Of course disabling in.telnetd in /etc/inetd.conf (and doing a pkill -HUP inetd) if possible is a safe bet, Or, going with Solaris 10's 'SMF' thing: % svcadm disable svc:/network/telnet And, while you're at it, % svcadm disable svc:/network/shell:default % svcadm disable svc:/network/login:rlogin (See man pages for in.telnetd, in.rshd, and in.rlogind.) At least one machine I run doesn't have the usual /etc/inetd.conf. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
On Tue, 13 Feb 2007, Gadi Evron wrote: I have to agree with a previous poster and suspect (only suspect) it could somehow be a backdoor rather than a bug. You're attributing malice to what could be equally well (or better!) explained by incompetence or gross negligence. The latter two haunt large companies far more often, compared to sinister conspiracies. Yeah, a backdoor is a remote possibility. But it's also an arbitrary and needlessly complex one. Maybe it's a nefarious plot by our UFO-appointed shadow government, but chances are, it's not (they have better things to do today). Keep that in mind: when risking so much, of all the places to put a covert backdoor to use for years to come, pulling out a known flaw that will be spotted by many existing vulnerability scanners, and putting it in a service that is often disabled as obsolete and generally unreachable from the outside world, doesn't really make that much sense. Unless, of course, it's a sabotage attempt orchestrated by a joint team of IBM and SCO developers... now, that begins to make sense.. /mz ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ GLSA 200702-01 ] Samba: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200702-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Samba: Multiple vulnerabilities Date: February 13, 2007 Bugs: #165549 ID: 200702-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple flaws exist in the Samba suite of programs, the most serious of which could result in the execution of arbitrary code. Background == Samba is a suite of SMB and CIFS client/server programs for UNIX. Affected packages = --- Package / Vulnerable / Unaffected --- 1 net-fs/samba 3.0.24 = 3.0.24 Description === A format string vulnerability exists in the VFS module when handling AFS file systems and an infinite loop has been discovered when handling file rename operations. Impact == A user with permission to write to a shared AFS file system may be able to compromise the smbd process and execute arbitrary code with the permissions of the daemon. The infinite loop could be abused to consume excessive resources on the smbd host, denying service to legitimate users. Workaround == There is no known workaround at this time. Resolution == All Samba users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose =net-fs/samba-3.0.24 References == [ 1 ] CVE-2007-0452 http://samba.org/samba/security/CVE-2007-0452.html [ 2 ] CVE-2007-0454 http://samba.org/samba/security/CVE-2007-0454.html Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200702-01.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org. License === Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 pgp3P3BMsjNIL.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] iDefense Security Advisory 02.13.07: Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption Vulnerability
Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption Vulnerability iDefense Security Advisory 02.13.07 http://labs.idefense.com/intelligence/vulnerabilities/ Feb 13, 2007 I. BACKGROUND The WinInet module provides access to common Internet protocols, including FTP and HTTP, allowing a programmers to add this functionality to their code without having to re-impelement the details. As an part of the base operating system, it is used in many applications including Microsoft's Internet Explorer. More information on the WinInet module is available at the following link: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wininet/wininet/portal.asp II. DESCRIPTION Remote exploitation of a design error in Microsoft Corp.'s 'wininet.dll' FTP client code could allow an attacker to execute arbitrary code. The vulnerability specifically exists in the parsing of reply lines from remote FTP servers. During an FTP session, the client makes requests for the server to perform some operation and the server responds with a numeric code, a human readable message and possibly some other information. As there can be multiple lines in a reply, code in the client breaks the reply up into lines, putting a null byte (character 0x00) after any end of line character. In the case where a line ends exactly on the last character of the reply buffer, the terminating null byte is written outside of the allocated space, overwriting a byte of the heap management structure. By sending a specially crafted series of replys to the client, the heap may be corrupted in a controlled way to cause the execution of arbitrary code. III. ANALYSIS Successful remote exploitation of this vulnerability would allow a attacker to execute arbitrary commands in the context of the currently logged in user. In order to exploit this vulnerability, the attacker must convince the target to follow a link in a program which uses the vulnerable functions, such as Internet Explorer, Word, or Outlook. For any of these applications it is sufficient to embed an image linked to a malicious ftp server, but for modern versions of Outlook, the image will not render unless the user allows it. In testing by iDefense Labs, server responses were generated which put controlled values into controlled memory locations in Internet Explorer, with varying degrees of success on a system running Windows XP SP2. Although methods applied during initial testing were unreliable, they did indicate that it was possible to use this vulnerability to cause code execution. The portion of the heap management structure overwritten is used to determine the length of the allocation it refers to. In combination with another less severe vulnerability in the FTP code, which allows a remote attacker to see a valid memory address, it may be possible to cause reliable remote exploitation. IV. DETECTION iDefense has verified that Internet Explorer 6 on the following Microsoft operating systems, with all security patches applied as of May 2006, are affected: Windows 2000 Advanced Server SP4 Windows XP SP2 Windows Server 2003 Enterprise Edition SP1 This vulnerability appears to have existed from at least Internet Explorer 5.0. It is suspected that all versions of Internet Explorer on all supported platforms are affected. V. WORKAROUND iDefense is unaware of any effective workarounds for this vulnerability. Blocking outgoing port 21 (ftp) requests is not effective, as this it is possible to supply an ftp URL with an alternative port. It may be possible to limit exposure to this vulnerability by configuring systems to use a proxy server for all ftp requests and only allowing white-listed sites. VI. VENDOR RESPONSE Microsoft has addressed this vulnerability within MS07-016. For more information, consult their bulletin at the following URL. http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0217 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 08/16/2006 Initial vendor notification 08/16/2006 Initial vendor response 10/05/2006 Second vendor notification 02/13/2007 Coordinated public disclosure IX. CREDIT This vulnerability was discovered by Greg MacManus, iDefense Labs. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2006 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission. Disclaimer: The information
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
On Mon, 12 Feb 2007, Oliver Friedrichs wrote: Am I missing something? This vulnerability is close to 10 years old. It was in one of the first versions of Solaris after Sun moved off of the SunOS BSD platform and over to SysV. It has specifically to do with how arguments are processed via getopt() if I recall correctly. Hey Oliver! :) Well than, I guess it just became new again. And to be honest, I have to agree with a previous poster and suspect (only suspect) it could somehow be a backdoor rather than a bug. The reason why this vulnerability is so critical is the number of networks and organizations which rely on Solaris for critical production servers, as well as use telnet for internal communication on their LAN (now how smart is that? I'd rather use telnet on the Internet than on a local LAN). Further, there are quite a few third party appliances (some infrastructure back-end) that can not easily be patched running on Solaris (forget fuzzing or VA, people never even NMAP appliances they buy). I am unsure of how long we will see this in to-do items of corporate security teams around the world, but I am sure Sun's /8 is getting a lot of action recently. Oliver Gadi. -Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED] Sent: Sunday, February 11, 2007 10:01 PM To: bugtraq@securityfocus.com Cc: full-disclosure@lists.grok.org.uk Subject: Solaris telnet vulnberability - how many on your network? Johannes Ullrich from the SANS ISC sent this to me and then I saw it on the DSHIELD list: If you run Solaris, please check if you got telnet enabled NOW. If you can, block port 23 at your perimeter. There is a fairly trivial Solaris telnet 0-day. telnet -l -froot [hostname] will give you root on many Solaris systems with default installs We are still testing. Please use our contact form at https://isc.sans.org/contact.html if you have any details about the use of this exploit. You mean they still use telnet?! Update from HD Moore: but this bug isnt -froot, its -fanythingbutroot =P On the exploits@ mailing list and on DSHIELD this vulnerability was verified as real. If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a strong suggestion. Anyone else running Solaris? Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
Gadi, It looks like I was confused, this actually affected AIX and Linux in 1994: http://www.securityfocus.com/bid/458/info http://www.cert.org/advisories/CA-1994-09.html Oliver -Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 13, 2007 1:46 AM To: Oliver Friedrichs Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk Subject: RE: Solaris telnet vulnberability - how many on your network? On Mon, 12 Feb 2007, Oliver Friedrichs wrote: Am I missing something? This vulnerability is close to 10 years old. It was in one of the first versions of Solaris after Sun moved off of the SunOS BSD platform and over to SysV. It has specifically to do with how arguments are processed via getopt() if I recall correctly. Hey Oliver! :) Well than, I guess it just became new again. And to be honest, I have to agree with a previous poster and suspect (only suspect) it could somehow be a backdoor rather than a bug. The reason why this vulnerability is so critical is the number of networks and organizations which rely on Solaris for critical production servers, as well as use telnet for internal communication on their LAN (now how smart is that? I'd rather use telnet on the Internet than on a local LAN). Further, there are quite a few third party appliances (some infrastructure back-end) that can not easily be patched running on Solaris (forget fuzzing or VA, people never even NMAP appliances they buy). I am unsure of how long we will see this in to-do items of corporate security teams around the world, but I am sure Sun's /8 is getting a lot of action recently. Oliver Gadi. -Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED] Sent: Sunday, February 11, 2007 10:01 PM To: bugtraq@securityfocus.com Cc: full-disclosure@lists.grok.org.uk Subject: Solaris telnet vulnberability - how many on your network? Johannes Ullrich from the SANS ISC sent this to me and then I saw it on the DSHIELD list: If you run Solaris, please check if you got telnet enabled NOW. If you can, block port 23 at your perimeter. There is a fairly trivial Solaris telnet 0-day. telnet -l -froot [hostname] will give you root on many Solaris systems with default installs We are still testing. Please use our contact form at https://isc.sans.org/contact.html if you have any details about the use of this exploit. You mean they still use telnet?! Update from HD Moore: but this bug isnt -froot, its -fanythingbutroot =P On the exploits@ mailing list and on DSHIELD this vulnerability was verified as real. If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a strong suggestion. Anyone else running Solaris? Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
On Tue, 13 Feb 2007, Oliver Friedrichs wrote: Gadi, It looks like I was confused, this actually affected AIX and Linux in 1994: http://www.securityfocus.com/bid/458/info http://www.cert.org/advisories/CA-1994-09.html Same same but with rlogin, as someone mentioned on DSHIELD. Gadi. Oliver -Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 13, 2007 1:46 AM To: Oliver Friedrichs Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk Subject: RE: Solaris telnet vulnberability - how many on your network? On Mon, 12 Feb 2007, Oliver Friedrichs wrote: Am I missing something? This vulnerability is close to 10 years old. It was in one of the first versions of Solaris after Sun moved off of the SunOS BSD platform and over to SysV. It has specifically to do with how arguments are processed via getopt() if I recall correctly. Hey Oliver! :) Well than, I guess it just became new again. And to be honest, I have to agree with a previous poster and suspect (only suspect) it could somehow be a backdoor rather than a bug. The reason why this vulnerability is so critical is the number of networks and organizations which rely on Solaris for critical production servers, as well as use telnet for internal communication on their LAN (now how smart is that? I'd rather use telnet on the Internet than on a local LAN). Further, there are quite a few third party appliances (some infrastructure back-end) that can not easily be patched running on Solaris (forget fuzzing or VA, people never even NMAP appliances they buy). I am unsure of how long we will see this in to-do items of corporate security teams around the world, but I am sure Sun's /8 is getting a lot of action recently. Oliver Gadi. -Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED] Sent: Sunday, February 11, 2007 10:01 PM To: bugtraq@securityfocus.com Cc: full-disclosure@lists.grok.org.uk Subject: Solaris telnet vulnberability - how many on your network? Johannes Ullrich from the SANS ISC sent this to me and then I saw it on the DSHIELD list: If you run Solaris, please check if you got telnet enabled NOW. If you can, block port 23 at your perimeter. There is a fairly trivial Solaris telnet 0-day. telnet -l -froot [hostname] will give you root on many Solaris systems with default installs We are still testing. Please use our contact form at https://isc.sans.org/contact.html if you have any details about the use of this exploit. You mean they still use telnet?! Update from HD Moore: but this bug isnt -froot, its -fanythingbutroot =P On the exploits@ mailing list and on DSHIELD this vulnerability was verified as real. If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a strong suggestion. Anyone else running Solaris? Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
Am I missing something? This vulnerability is close to 10 years old. It was in one of the first versions of Solaris after Sun moved off of the SunOS BSD platform and over to SysV. It has specifically to do w= ith how arguments are processed via getopt() if I recall correctly. You're confused with AIX/Linux Solaris did not have the -f option in login until much later. Casper ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
On Tue, 13 Feb 2007, Michal Zalewski wrote: On Tue, 13 Feb 2007, Gadi Evron wrote: I have to agree with a previous poster and suspect (only suspect) it could somehow be a backdoor rather than a bug. You're attributing malice to what could be equally well (or better!) explained by incompetence or gross negligence. The latter two haunt large companies far more often, compared to sinister conspiracies. Yeah, a backdoor is a remote possibility. But it's also an arbitrary and needlessly complex one. Maybe it's a nefarious plot by our UFO-appointed shadow government, but chances are, it's not (they have better things to do today). Keep that in mind: when risking so much, of all the places to put a covert backdoor to use for years to come, pulling out a known flaw that will be spotted by many existing vulnerability scanners, and putting it in a service that is often disabled as obsolete and generally unreachable from the outside world, doesn't really make that much sense. Well, I just can't rule it out. It speaks for itself. Your voice of reason is naturally appreciated. I still believe it is a possibility, as what could be better? In 1994, this wasn't very far-off, nor was this noticable. Probable other explanations are abound, we will see if Sun sets us straight. Unless, of course, it's a sabotage attempt orchestrated by a joint team of IBM and SCO developers... now, that begins to make sense.. Trucks and tubes I tell ya! /mz Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote: Am I missing something? This vulnerability is close to 10 years old. It was in one of the first versions of Solaris after Sun moved off of the SunOS BSD platform and over to SysV. It has specifically to do w= ith how arguments are processed via getopt() if I recall correctly. You're confused with AIX/Linux Solaris did not have the -f option in login until much later. Hi Casper. While we have you here, any idea on when Sun will be patching this issue? Many thanks, Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote: On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote: Am I missing something? This vulnerability is close to 10 years old. It was in one of the first versions of Solaris after Sun moved off of the SunOS BSD platform and over to SysV. It has specifically to do w= ith how arguments are processed via getopt() if I recall correctly. You're confused with AIX/Linux Solaris did not have the -f option in login until much later. Hi Casper. While we have you here, any idea on when Sun will be patching this issue? Now, follow the links from http://sunsolve.sun.com/tpatches Casper Many thanks Casper! Can you give some more information on exactly what is patched. Any Sun released advisory? Thanks again, Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
On Tue, 13 Feb 2007, Gadi Evron wrote: On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote: On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote: Am I missing something? This vulnerability is close to 10 years old. It was in one of the first versions of Solaris after Sun moved off of the SunOS BSD platform and over to SysV. It has specifically to do w= ith how arguments are processed via getopt() if I recall correctly. You're confused with AIX/Linux Solaris did not have the -f option in login until much later. Hi Casper. While we have you here, any idea on when Sun will be patching this issue? Now, follow the links from http://sunsolve.sun.com/tpatches Casper Many thanks Casper! Can you give some more information on exactly what is patched. Any Sun released advisory? Specifically, more than: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security Because of the wide implications of this particular issue? Also, any idea on how this vulnerability was introduced? Thanks again, Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote: Yeah, a backdoor is a remote possibility. But it's also an arbitrary and needlessly complex one. Maybe it's a nefarious plot by our UFO-appointed shadow government, but chances are, it's not (they have better things to do today). And one which was too easy to discover; real back doors are better masquared as buffer overflows you might not chance upon. We all agree it is not a very likely possibility, but I wouldn't rule it out completely just yet until more information from Sun becomes available. There are a lot more relevant issues to discuss here regarding this vulnerability, however, and we can move on from that moot point for now. Thanks for your help and Sun's, Casper, but we would all like more information. Casper Gadi. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many onyour network?
I have to agree with a previous poster and suspect (only suspect) it could somehow be a backdoor rather than a bug. Reminds me of the WMF SetAbortProc() backdoor accusation. :-) It was just bad design. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
Yeah, a backdoor is a remote possibility. But it's also an arbitrary and needlessly complex one. Maybe it's a nefarious plot by our UFO-appointed shadow government, but chances are, it's not (they have better things to do today). And one which was too easy to discover; real back doors are better masquared as buffer overflows you might not chance upon. Casper ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote: Am I missing something? This vulnerability is close to 10 years old. It was in one of the first versions of Solaris after Sun moved off of the SunOS BSD platform and over to SysV. It has specifically to do w= ith how arguments are processed via getopt() if I recall correctly. You're confused with AIX/Linux Solaris did not have the -f option in login until much later. Hi Casper. While we have you here, any idea on when Sun will be patching this issue? Now, follow the links from http://sunsolve.sun.com/tpatches Casper ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Pedophiles On YouTube (ringleader Irish282)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Please, save the kids from this man, and forward this email to everyone you know. Well, it just goes to show there are still plenty of gullible fools out in user-land. Thank goodness so much security work results from the efforts (or ignorance) of those gullible fools. Forward this email to everyone you know! - - Ninja -BEGIN PGP SIGNATURE- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.5 wkYEARECAAYFAkXSNHwACgkQtM6vtsm2y1vsWgCcCSt022MDyK/Cv3C/po9Mec8gB/0A oJSlq4b3deEfzCY58tCZO2/JJ/os =pzts -END PGP SIGNATURE- -- Click to become a master chef, own a restaurant and make millions http://tagline.hushmail.com/fc/CAaCXv1QhbQQuwRW2kjZvVXVMWMXRRuu/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ GLSA 200702-02 ] ProFTPD: Local privilege escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200702-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: ProFTPD: Local privilege escalation Date: February 13, 2007 Bugs: #158122 ID: 200702-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis A flaw in ProFTPD may allow a local attacker to obtain root privileges. Background == ProFTPD is a powerful, configurable, and free FTP daemon. Affected packages = --- Package / Vulnerable /Unaffected --- 1 net-ftp/proftpd 1.3.1_rc1 = 1.3.1_rc1 Description === A flaw exists in the mod_ctrls module of ProFTPD, normally used to allow FTP server administrators to configure the daemon at runtime. Impact == An FTP server administrator permitted to interact with mod_ctrls could potentially compromise the ProFTPD process and execute arbitrary code with the privileges of the FTP Daemon, which is normally the root user. Workaround == Disable mod_ctrls, or ensure only trusted users can access this feature. Resolution == All ProFTPD users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose =net-ftp/proftpd-1.3.1_rc1 References == [ 1 ] CVE-2006-6563 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6563 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200702-02.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org. License === Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 pgpgwzTShhW6M.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ GLSA 200702-04 ] RAR, UnRAR: Buffer overflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200702-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: RAR, UnRAR: Buffer overflow Date: February 13, 2007 Bugs: #166440 ID: 200702-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis RAR and UnRAR contain a buffer overflow allowing the execution of arbitrary code. Background == RAR and UnRAR provide command line interfaces for compressing and decompressing RAR files. Affected packages = --- Package /Vulnerable/ Unaffected --- 1 app-arch/rar 3.7.0_beta1 = 3.7.0_beta1 2 app-arch/unrar 3.7.3 = 3.7.3 --- 2 affected packages on all of their supported architectures. --- Description === RAR and UnRAR contain a boundary error when processing password-protected archives that could result in a stack-based buffer overflow. Impact == A remote attacker could entice a user to process a specially crafted password-protected archive and execute arbitrary code with the rights of the user uncompressing the archive. Workaround == There is no known workaround at this time. Resolution == All UnRAR users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose =app-arch/rar-3.7.3 All RAR users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose =app-arch/rar-3.7.0_beta1 References == [ 1 ] CVE-2007-0855 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0855 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200702-04.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org. License === Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 pgpth8R4RmKeo.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
seriously why the fuck is 10 email on the telnet of the solaris with worthless content by gadi enron in mine inbox? off take your jacket sports please On 2/13/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote: On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote: Am I missing something? This vulnerability is close to 10 years old. It was in one of the first versions of Solaris after Sun moved off of the SunOS BSD platform and over to SysV. It has specifically to do w= ith how arguments are processed via getopt() if I recall correctly. You're confused with AIX/Linux Solaris did not have the -f option in login until much later. Hi Casper. While we have you here, any idea on when Sun will be patching this issue? Now, follow the links from http://sunsolve.sun.com/tpatches Casper Many thanks Casper! Can you give some more information on exactly what is patched. Any Sun released advisory? The simplest possible fix on such short notice: http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629r1=2923 Casper ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works
coderman wrote: ... Torpark, for the couple of people who don't know yet, is a bloated launcher for Portable Firefox and Tor... fun stuff; if you don't mind even a little more bloat you might want to try out janusvm which gives you a transparent DNS/TCP proxy through Tor using a virtual machine. Talk about overkill - avoids crappy windoze tcp/ip stacks via ethernet bridge. Sorry, I'm a noted Windows fanboy and I'm not sure I find that a plus PS: stop posting child porn on 4chan.org, faggots. You got almost all exit nodes banned. GTFO khtxbye, go gum up anonib.com instead fortunately stupidity leaves many traces; these idiots leave tracks elsewhere and will face consequences for their actions at some point. [this isn't limited to banned exit nodes either, these assholes are also getting exit nodes confiscated in germany and elsewhere. *sigh*] personally? I don't care. All I know is because of some greasy kiddyfucker in Armpit, Nebraska I can't get my daily fix of footsole fetish from /d/ without half the campus (and, oh, any buildings in neighboring blocks - thank you, Fastweb! You sure make me feel connected!) snooping on me for blackmailing purposes. I have a reputation, dammit (haha, just kidding. I'm more of a shitting dicknipples person) P.S. we've been trying for a number of weeks to get a qemu version working like the vmware bridge with the tap device used by qemu. this causes problems due to windows routing tables, even in bridged mode (2k/XP) when the VPN connects to janusvm and pushes a new default route. if anyone has dealt with this and knows the requisite tricks for making a bridged tap route outside of the windows IP routes i'd love to hear it... dammit Jim, I'm a kernel hacker, not a network admin! A couple ideas, though: * why not PPPoE instead of a VPN? Sorry if it doesn't make sense to you, I just have a thing for PPPoE. Not a fetish or anything like that. No way. Seriously, it sounds perfect for a bridged tunnel, to me * VMware works flawlessly because it attaches a protocol driver to all the bridged interfaces, simulating a bridge (duh). I suspect the tap driver is not as smart. Nowhere near as smart. I suspect, in fact, that the tap driver expects user-mode applications to open the NIC device directly, because that's how UNIX-heads think. It would be funny, in a very sad way, considering that the most prominent open source NDIS project, WinPcap, gets that right. One day, I swear, I will turn that pile of manure into a proper, well-behaving Windows component (I mean tap, silly! WinPcap is beyond my help now) * alternatively, my psychic debugging powers tell me Qemu might be trying to inject packets through a raw socket, or something similarly boneheaded that nevertheless works perfectly on Linux. As a general rule, if a bridging application doesn't install a bridging protocol, there you know something's wrong Please ignore me if I am talking out of my ass (... hey, did you know you can turn a Windows Server into a PPPoE terminal server if you install a PPPoE port driver and bind RRAS to it? easy like that! now ain't that... cool?) ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [Fwd: Re: Full functional 0day exploit builder for sale!]
LOL!!! ... too funny On Fri, Feb 09, 2007 at 01:23:45PM -0500, Matthew Flaschen wrote: From: yuanfan bai [EMAIL PROTECTED] To: Matthew Flaschen [EMAIL PROTECTED] Subject: Re: [Full-disclosure] Full functional 0day exploit builder for sale! Hi List. I am that [EMAIL PROTECTED] I donot know why my hotmail account password was changed by someone, maybe ones here. Now I should claim here, I am NOT a technical hacker or resercher. I donot know such magics. I am just a bussinessman. I provide my 0day builder to customers. So anyone, attacking my mailbox is not so interesting. And I'm sorry that I hope anyone contacted me in the last two days, resend your un-replied letters to the new box: this gmail mailbox. I'm sorry, thank you. 2007/2/5, Matthew Flaschen [EMAIL PROTECTED]: 0dayDealer 0dayDealer wrote: Hi List, Full functional 0day exploit builder for sale! This is the one you want. Contact me with the mailbox A0dayDealer###hotmail.com. Here is some of the exploits: 0day word2003 all languages universal How can you have a 0-day on a program that's been completely replaced? Matthew Flaschen ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- ___ |hello, my name is | | .__ .___ .___| | | |__ __| _/__| _/___ | |_/ ___\| | \_/ __ \ / __ |/ __ |/ __ \_ __ \| |\ \___| Y \ ___// /_/ / /_/ \ ___/| | \/| | \___ ___| /\___ \ |\___ __| | |\/ \/ \/ \/\/\/| |http://chedder.hacked.in | |___| You don't exist. Go away pgpEhDjwcanDt.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
Dear Casper Dik ([EMAIL PROTECTED]), I wasn't crying wolf about a Backdoor, heck I am not Steve Gibson. I was asking whether somebody will investigate why this hasn't been caught by audits or simply QA ? CDSC And one which was too easy to discover; You said it, it's easy to discover, so who has discovered it? Sun ? Considering it's that easy to catch, why hasn't SUN ? Maybe you can give us a heads up on that ? CDSC real back doors are better I like that tautologie, real backdoors, what makes a backdoor more real than another one ? Is it the coolness, the stealth ? Or is it simply the fact that it gives back door access ? CDSC masquared as buffer overflows you might not chance upon. Nobody doesn't that anymore, everybody does code audits now and catches bufferoverflows, right? I think other overflows are more interesting to hide access. -- http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works
On 2/13/07, KJKHyperion [EMAIL PROTECTED] wrote: ... Sorry, I'm a noted Windows fanboy and I'm not sure I find that a plus you must have w2k server, no WSAENOBUFS [0] hell for you! *g* in any case, i hope you are aware of which claims are actually supported by Torpark and which aren't. [1] dammit Jim, I'm a kernel hacker, not a network admin! A couple ideas, though: * why not PPPoE instead of a VPN? Sorry if it doesn't make sense to you, I just have a thing for PPPoE. Not a fetish or anything like that. No way. Seriously, it sounds perfect for a bridged tunnel, to me the problem lies in the routing. PPPoE doesn't resolve this, and i'm not sure if the tap device can do it anyway (since it is not really an ethernet device, but sort of). it will probably require a new device (like the vmware bridge) to do this. more to the point, the windows bridge from ethernet to the tap is not really a bridge. i guess that's the root of the problem (and where the vmware bridge device acts like a bridge, and doesn't subject the bridged vmnet device to the same routing table used by the host IP stack associated with the actual ethernet device) * VMware works flawlessly because it attaches a protocol driver to all the bridged interfaces, simulating a bridge (duh). I suspect the tap driver is not as smart. Nowhere near as smart. yes, exactly! (well, it doesn't actually show as a bridge, it's a magic bridge that can bind to anything that speaks ethernet, including wireless devices, without giving windows the heads up, and thus avoids routing table badness.) * alternatively, my psychic debugging powers tell me Qemu might be trying to inject packets through a raw socket, or something similarly boneheaded that nevertheless works perfectly on Linux. nah, it's a tap device just like openvpn uses. it just appears to be a realtek ethernet device inside the linux guest (or any other guest OS)... (... hey, did you know you can turn a Windows Server into a PPPoE terminal server if you install a PPPoE port driver and bind RRAS to it? easy like that! now ain't that... cool?) that's sick dude! quit drinking the cool-aid before it's too late! :P 0. Tor Windows Buffer Problems http://wiki.noreply.org/noreply/TheOnionRouter/WindowsBufferProblems 1. Traces left by Torpark, and other security discussion http://archives.seul.org/or/talk/Nov-2006/msg00219.html ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works
afed wrote: I have come up with a unique and proprietary solution to the problems presented by Torpark: problems! Sorry mister, I'm afraid I can't share your negative outlook on the matters at hand. What I presented to you was an _opportunity_. Let's say, in a purely hypothetical fashion, that you made a copy of the iexplore.exe executable, renaming it iexplore-nx.exe. Let's add, still firmly in the realm of speculation, that you apply the binary hack I described to said renamed executable. What you find yourself with, gentleman, is a copy of Internet Explorer you, security researcher, can use to test those pesky shellcode exploits with, without disabling DEP globally. You will surely concede that it is, indeed, nifty Don't download or look at CP. killjoy. It's people like you who make IT security so dull. Next thing you know, you'll decry selling 0-day exploits for a profit ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] iDefense Security Advisory 02.13.07: Hewlett-Packard HP-UX SLSd Arbitrary File Creation Vulnerability
Hewlett-Packard HP-UX SLSd Arbitrary File Creation Vulnerability iDefense Security Advisory 02.13.07 http://labs.idefense.com/intelligence/vulnerabilities/ Feb 13, 2007 I. BACKGROUND Hewlett-Packard's HP-UX introduced Single Logical Screen (SLS) in 1995 to facilitate using multiple graphics devices on a single desktop. Distributed SLS, or SLS/d, extends SLS to allow the utilization of graphics devices within multiple computer systems. More information is available at the following URL. http://docs.hp.com/en/B2355-90142/ch05s03.html II. DESCRIPTION Remote exploitation of a design error within Hewlett-Packard's SLSd daemon could allow an attacker to execute privileges as the superuser. The problem specifically exists due to a design error within the SLSd_daemon RPC daemon that provides connectivity between the distributed systems. This daemon registers itself under the RPC PROGID of 536870913 or 351456, depending on the HP-UX version. By sending a specially crafted request, the daemon will write attacker supplied data to an arbitrary file as the superuser. III. ANALYSIS Exploitation allows an unauthenticated attacker to gain superuser privileges by overwriting select files such as .rhosts, cron scripts, or other files used for authentication. IV. DETECTION iDefense has confirmed the existence of this vulnerability within the SLSd_daemon binary as shipped with HP-UX 11.11i and 10.20. All versions are suspected to be vulnerable. V. WORKAROUND Employ firewalls to limit access to the affected system to reduce exposure to this vulnerability. If you are not using Distrubuted SLS, disable the SLSd_daemon. VI. VENDOR RESPONSE Hewlett-Packard has addressed this vulnerabilty with HP Security Advisory HPSBUX02191. More information is available at the following URL. http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00862809 VII. CVE INFORMATION A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet. VIII. DISCLOSURE TIMELINE 01/30/2007 Initial vendor notification 01/30/2007 Initial vendor response 02/13/2007 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2006 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works
coderman wrote: Sorry, I'm a noted Windows fanboy and I'm not sure I find that a plus you must have w2k server, no WSAENOBUFS [0] hell for you! *g* woe onto the unwary developer who uses select on Windows. It is merely a concession to portability, not actually meant to be used. Seriously, guys, we have had a good laugh about it. But it was all a joke. A prank! Stop using it, k? No love lost, we hope in any case, i hope you are aware of which claims are actually supported by Torpark and which aren't. [1] My counterclaim is that Torpark is crappy and bloated. I tolerate it because I am lazy. I also seriously, earnestly cannot accept for a fact that nobody else has noticed that it breaks with hard-DEP enabled that's sick dude! quit drinking the cool-aid before it's too late! :P I used to be the proud owner of a Windows server that NATted a PPP-over-LPT connection onto an ISDN line (inexplicably [!], RRAS didn't appear to have been designed to support a scenario where you NAT a PPP connection into another PPP connection.). A virtual Ethernet interface (Microsoft Loopback) also somehow fit in the scheme, if I recall correctly. Despite Microsoft's best intentions, the whole Rube Goldberg actually worked ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works
On 2/13/07, KJKHyperion [EMAIL PROTECTED] wrote: ... Torpark, for the couple of people who don't know yet, is a bloated launcher for Portable Firefox and Tor... fun stuff; if you don't mind even a little more bloat you might want to try out janusvm which gives you a transparent DNS/TCP proxy through Tor using a virtual machine. advantages: - full transparent proxy, no SOCKS or wrappers required. - avoids crappy windoze tcp/ip stacks via ethernet bridge. (for network intensive Tor this can be a big problem) drawbacks: - requires vmware (player or workstation) - users must take care to clean any necessary state in browser or application between anonymous and non-anonymous modes. latest january release trimmed off 12M of fat from the dc14 build. at least we're trying... ;) http://janusvm.peertech.org/JanusVM.zip MD5: 44e13efde64810c8df50babb636fa253 SHA1: dfa29620c8d14110d8507dfcb395a80326ee7b1b SHA2-256: 0B062B02739E34020510CE41650B338AF695686DBA9DAD9FC667E4AF8EC6DA60 PS: stop posting child porn on 4chan.org, faggots. You got almost all exit nodes banned. GTFO khtxbye, go gum up anonib.com instead fortunately stupidity leaves many traces; these idiots leave tracks elsewhere and will face consequences for their actions at some point. [this isn't limited to banned exit nodes either, these assholes are also getting exit nodes confiscated in germany and elsewhere. *sigh*] P.S. we've been trying for a number of weeks to get a qemu version working like the vmware bridge with the tap device used by qemu. this causes problems due to windows routing tables, even in bridged mode (2k/XP) when the VPN connects to janusvm and pushes a new default route. if anyone has dealt with this and knows the requisite tricks for making a bridged tap route outside of the windows IP routes i'd love to hear it... ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Diagnostics Mode + Phreaking
Alo again, any1 have any tool to do forensics over cellphones? , freeware or shareware? any1 know howto put Diagnostic Mode over cellphones (Motorola, Nokia etc?, links and tutorials?) regards - Mark ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Torpark breaks with DEP enabled, and how to break it further so that it works
I have come up with a unique and proprietary solution to the problems presented by Torpark: Don't download or look at CP. This technique is my intellectual property so don't steal it! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/