Re: [Full-disclosure] Chinese Professor Cracks Fifth Data SecurityAlgorithm (SHA-1)

2007-03-23 Thread Michael Silk

On 3/23/07, Dave No, not that one Korn <[EMAIL PROTECTED]> wrote:


Tim wrote:
> Hello,
>
> On Wed, Mar 21, 2007 at 06:45:19PM +0300, 3APA3A wrote:
>> Dear Michael Silk,
>>
>> First,  by  reading  'crack'  I thought lady can recover full
>> message by its signature. After careful reading she can bruteforce
>> collisions 2000 times faster.
>
> Both of you guys are confused.
>
> First off Michael: this is old news.  It doesn't seem to indicate that
> finding collisions is any faster than 2^63, which was reported quite
> some time ago[1].

  It's not just old news, but old old news, since we already had this
discussion about how it was old news back in January when the piece was
published...




yes yes yes. i have a bad memory. i don't read articles before posting them.
anyone else want to take a shot?



   cheers,

  DaveK
--
Can't think of a witty .sigline today



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





--
mike
00110001 <3 00110111

[Full-disclosure] Fix Update: Disable Google Desktop Link Integration with IE & FireFox

2007-03-23 Thread Debasis Mohanty
Thanks to all those who sent their few lines of appreciation or good words
after the first release of these fix details.

Many requested offlist and onlist to put some info for disabling the GDS
*desktop* link for FireFox. However, being a bit of a lazy guy ;) I delayed the
response for such a long time. After a few minutes of study, I figured out
that disabling the GDS desktop link in FireFox is far simpler compared to IE.

Here are a few updates made to the present release -

- [Section 2.a] Added section for identifying components responsible for
GDS desktop link integration with FireFox

- [Section 3] Two more methods to fix are added under the "Permanent
Fix Details".

- [Section 4] Added fix details for FireFox


Disabling GDS Desktop Link Integration in Google Pages
Download Link - http://hackingspirits.com/vuln-rnd/vuln-rnd.html

Regards,
-d

-Original Message-
From: Debasis Mohanty [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 27, 2007 11:17 PM
To: [EMAIL PROTECTED]
Subject: [WEB SECURITY] Disabling Google Desktop Link Integration In Google
Pages

GDS Desktop Link and Google.com Integration -
Bad Design or Necessary Evil?

The recent security advisory on Google Desktop Search (GDS) published by
Watchfire did not really surprise me, as I was expecting more like this in the
past 2 years. However, the fact that intrigued me to write this article is
that Google has not yet bothered to provide its GDS tool users the option to
disable the GDS desktop link, despite knowing this design will attract more
attacks in future as well.

In this article, I'll discuss a bit about why the GDS issues revolve
primarily around the GDS Desktop link and how one can fix them permanently by
disabling it, which will ensure that users can still use GDS without fear of
exploits that target the desktop link.

Get the entire article here - 

Disabling GDS Desktop Link Integration in Google Pages
http://hackingspirits.com/vuln-rnd/vuln-rnd.html



Regards,
-d (aka T)










[Full-disclosure] iDefense Security Advisory 03.23.07: Sun Java System Directory Server 5.2 Uninitialized Pointer Cleanup Design Error Vulnerability

2007-03-23 Thread iDefense Labs
Sun Java System Directory Server 5.2 Uninitialized Pointer Cleanup
Design Error Vulnerability

iDefense Security Advisory 03.23.07
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 23, 2007

I. BACKGROUND

Sun Java System Directory Server is an LDAP server distributed by Sun with
multiple products. More information is available at the following URL.

http://www.sun.com/software/products/directory_srvr/home_directory.xml

II. DESCRIPTION

Remote exploitation of a design error vulnerability in Sun Microsystems Inc.'s
Java System Directory Server 5.2 may cause a denial of service (DoS) condition.

Due to a design error in the clean-up code following certain types of failed
queries, it is possible to cause the server to call the free() function on an
address obtained from uninitialized memory. This can result in an invalid
memory reference leading to denial of service.

III. ANALYSIS

Exploitation of this vulnerability allows remote attackers to cause a denial
of service against the affected server, 'ns-slapd'.

In some situations it may be possible to put information from the remote
attacker in the memory range being accessed which may allow execution of
code, however this has not yet been demonstrated.

IV. DETECTION

iDefense has confirmed Sun Java System Directory Server 5.2 Directory Server
5.2 2005Q4 is affected by this vulnerability. Previous versions are also
suspected to be vulnerable.

V. WORKAROUND

Restrict remote access at the network boundary, unless remote parties require
service. Access to the affected host should be filtered at the network
boundary if global accessibility is not required. Restricting access to only
trusted hosts and networks may reduce the likelihood of exploitation.

VI. VENDOR RESPONSE

Sun Microsystems Inc. has addressed this issue in Sun Java System Directory
Server 5.2 Patch5. For more information see Sun Alert ID 102853 by visiting
the URL shown below.

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102853-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-4175 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/16/2006  Initial vendor notification
08/21/2006  Initial vendor response
03/23/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
[EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.
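A cleanup path of the shape the advisory describes, where the error path after a failed query reaches free() on a pointer that was never assigned, beside the corrected form. This is an added, constructed illustration rather than Sun's code; the query handler, the filter rule and the allocation counters are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed instrumentation: counts live allocations so a caller can check
 * that a handler frees exactly what it allocated on every path. */
static int live_allocations = 0;

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        live_allocations++;
    return p;
}

static void tracked_free(void *p)
{
    if (p) {
        live_allocations--;
        free(p);
    }
}

int outstanding_allocations(void) { return live_allocations; }

/* A query "fails" here when its filter has no '='; a constructed rule standing
 * in for the server's real parse failure. */
static int filter_is_valid(const char *filter) { return strchr(filter, '=') != NULL; }

/*
 * Vulnerable shape described in the advisory: `attrs` is assigned only after
 * the filter parse succeeds, but the shared cleanup label frees it on every
 * path. On the failed-query path free() receives whatever the uninitialized
 * stack slot happened to hold. Compiled for comparison, deliberately never run.
 */
int handle_query_vulnerable(const char *query)
{
    char *filter;
    char *attrs;                          /* uninitialized */
    int rc = -1;

    filter = tracked_alloc(strlen(query) + 1);
    if (filter == NULL)
        goto cleanup;
    strcpy(filter, query);

    if (!filter_is_valid(filter))
        goto cleanup;                     /* attrs never assigned */

    attrs = tracked_alloc(64);
    if (attrs == NULL)
        goto cleanup;
    rc = 0;

cleanup:
    tracked_free(filter);
    tracked_free(attrs);                  /* invalid free on the failed path */
    return rc;
}

/*
 * Corrected shape: every pointer the cleanup label touches is set to NULL at
 * declaration, so on any early exit free() sees NULL (a no-op) rather than
 * garbage, and each buffer is released exactly once.
 */
int handle_query_fixed(const char *query)
{
    char *filter = NULL;
    char *attrs  = NULL;
    int rc = -1;

    filter = tracked_alloc(strlen(query) + 1);
    if (filter == NULL)
        goto cleanup;
    strcpy(filter, query);

    if (!filter_is_valid(filter))
        goto cleanup;

    attrs = tracked_alloc(64);
    if (attrs == NULL)
        goto cleanup;
    rc = 0;

cleanup:
    tracked_free(filter);
    tracked_free(attrs);
    return rc;
}
```

The allocation counter is the check worth keeping in a test suite: it must read zero after both the successful and the failed-query path.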



[Full-disclosure] iDefense Security Advisory 03.23.07: DataRescue IDA Pro Remote Debugger Server Authentication Bypass Vulnerability

2007-03-23 Thread iDefense Labs
DataRescue IDA Pro Remote Debugger Server Authentication Bypass
Vulnerability

iDefense Security Advisory 03.23.07
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 23, 2007

I. BACKGROUND

DataRescue Inc.'s IDA Pro is a disassembler and debugger for Windows, Linux,
or Macintosh. It supports multiple binary formats as well as many processor
architectures. For more information about IDA Pro, visit the vendor's website
at the following URL.

http://www.datarescue.com/idabase/index.htm

II. DESCRIPTION

Remote exploitation of a password bypass vulnerability in DataRescue Inc.'s
IDA Pro Remote Debugger Server allows attackers to execute arbitrary code
under the context of the user who is running the remote debugger server.

Since version 4.8, IDA Pro supports remote debugging of x86/AMD64 Windows PE
applications and Linux ELF applications over TCP/IP networks. The IDA
distribution ships with a debugger server for Windows, Linux, and (as of
version 5.1) MacOS X.

The IDA Pro debugger server allows a user to specify a password for
authentication by supplying the -P parameter. The vulnerability specifically
exists in the processor_request() function. This function is used for the
initial packet exchange as well as subsequent requests. This function did not
ensure that the remote user has authenticated prior to calling the
perform_request() function. As such, attacker requests sent prior to
authenticating would be processed normally.

III. ANALYSIS

Exploitation of the described vulnerability allows attackers to execute
arbitrary code under the context of the user who starts the remote debugger
server.

It should be noted that the debugger server does not run as a service. It must
be manually executed. Additionally, the remote debugger server can only handle
one debugger session at a time. As such, this vulnerability can not be
exploited while the debugger server is in use.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the remote
debugger server for Windows and Linux from IDA Pro versions 5.0 and 5.1. It
is suspected that the MacOS X version and earlier versions are also
affected.

V. WORKAROUND

In order to reduce exposure to this vulnerability, the remote debugger server
should not be left running when it is not in use.

Additionally, access to the port used by the remote debugger server could be
blocked with the use of a firewall.

VI. VENDOR RESPONSE

"Since this vulnerability is in the open part of IDA, we provide the corrected
source code for the modified files."

DataRescue Inc. has made the fix available at the following URL.

http://www.datarescue.com/freefiles/ida_remdeb_fix_22032007.zip

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

03/20/2007  Initial vendor notification
03/20/2007  Initial vendor response
03/23/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by enhalos.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
[EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.
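The dispatcher defect the advisory describes, a processor_request() that hands every packet to perform_request() without consulting the session's authentication state, beside the gated form. This is an added, constructed illustration, not DataRescue's code; the request types, result codes and session layout are assumptions.

```c
#include <string.h>

/* Constructed request types standing in for the debugger server's protocol;
 * the advisory does not describe the real packet format. */
enum req_type { REQ_AUTH = 1, REQ_READ_MEMORY = 2, REQ_START_PROCESS = 3 };

struct request {
    enum req_type type;
    const char   *payload;  /* password for REQ_AUTH, request data otherwise */
};

/* Per-connection state: `password` is what the server was started with (-P),
 * `authenticated` is the flag the vulnerable dispatcher never consulted. */
struct session {
    const char *password;
    int         authenticated;
};

enum { RES_OK = 0, RES_AUTH_FAILED = 1, RES_NOT_AUTHENTICATED = 2, RES_BAD_REQUEST = 3 };

/* Constant-time comparison so the password check does not reveal through
 * timing how many leading characters of a guess matched. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);

    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The privileged handler: in the real server this reads debuggee memory or
 * starts a process, so it must never run for an unauthenticated peer. */
static int perform_request(struct session *s, const struct request *r)
{
    switch (r->type) {
    case REQ_AUTH:
        s->authenticated = ct_equal(r->payload, s->password);
        return s->authenticated ? RES_OK : RES_AUTH_FAILED;
    case REQ_READ_MEMORY:
    case REQ_START_PROCESS:
        return RES_OK;      /* stand-in for the privileged action */
    }
    return RES_BAD_REQUEST;
}

/* Vulnerable shape from the advisory: every packet, including those arriving
 * before any authentication, goes straight to perform_request(). */
int processor_request_vulnerable(struct session *s, const struct request *r)
{
    return perform_request(s, r);
}

/* Fixed shape: until the session has authenticated only REQ_AUTH may reach
 * perform_request(); every other request is refused at the dispatcher. */
int processor_request_fixed(struct session *s, const struct request *r)
{
    if (!s->authenticated && r->type != REQ_AUTH)
        return RES_NOT_AUTHENTICATED;
    return perform_request(s, r);
}

typedef int (*dispatcher_fn)(struct session *, const struct request *);

/* Sends a privileged request on a fresh session before any REQ_AUTH packet and
 * returns the dispatcher's result code; RES_OK means the gate was missing. */
int preauth_request_result(dispatcher_fn dispatch)
{
    struct session s = { "constructed-password", 0 };
    struct request start = { REQ_START_PROCESS, "debuggee" };

    return dispatch(&s, &start);
}

/* Sends REQ_AUTH carrying `attempt`, then a privileged request, both through
 * the fixed dispatcher; returns the result code of the privileged request. */
int authenticated_flow_result(const char *attempt)
{
    struct session s = { "constructed-password", 0 };
    struct request auth  = { REQ_AUTH, attempt };
    struct request start = { REQ_START_PROCESS, "debuggee" };

    processor_request_fixed(&s, &auth);
    return processor_request_fixed(&s, &start);
}
```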



[Full-disclosure] Fuzzled - Perl fuzzing framework

2007-03-23 Thread Tim Brown
Having noticed the popularity of fuzzing tools recently, I was feeling a
bit left out.  Where is the Perl framework to complete the family?  With
that in mind I've spent the last few months working on something that should
fill the gap - Fuzzled.

Fuzzled is a powerful fuzzing framework. Fuzzled includes helper functions,
namespaces and factories which allow a wide variety of fuzzing tools to be
developed. Fuzzled comes with several example protocols and drivers for them.

Fuzzled v1.0 can be found at http://www.portcullis-security.com/16.php.

Cheers,
Tim
-- 
Tim Brown




Re: [Full-disclosure] dproxy - arbitrary code execution through stack buffer overflow vulnerability

2007-03-23 Thread Alexander Klink
Hi,

On Fri, Mar 23, 2007 at 04:54:33PM +, mu-b wrote:
> you might want to NULL terminate query_string while you're there
Good point (C is not exactly my native language ...). Actually, it
is not necessary in this case though, because this is done in
the decode_domain_name() function that is executed right below:

> > -  strcpy( query_string, pkt.buf );
> > +  strncpy( query_string, pkt.buf, sizeof(query_string) );
> >decode_domain_name( query_string );
> >debug("query: %s\n", query_string );
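Review bot: the terminator still belongs at the copy site rather than in decode_domain_name(): as quoted, `strncpy( query_string, pkt.buf, sizeof(query_string) )` leaves query_string without a NUL whenever pkt.buf holds sizeof(query_string) or more bytes before its own terminator, so decode_domain_name() starts on an unterminated buffer and the fix depends on what that function happens to write. Suggest following the strncpy with `query_string[sizeof(query_string) - 1] = '\0';` so the copy is correct on its own.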

Granted, I only figured that out after looking why it was working
despite the \0-omission :-)

Regards,
Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |[EMAIL PROTECTED]
 mobile: +49 (0)178 2121703 |  Cynops GmbH | http://www.cynops.de
+--+-
  HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
 Bad Homburg v. d. Höhe |  |  Martin Bartosch



Re: [Full-disclosure] dproxy - arbitrary code execution through stack buffer overflow vulnerability

2007-03-23 Thread mu-b
you might want to NULL terminate query_string while you're there

Alexander Klink wrote:
> 
> ||| Security Advisory AKLINK-SA-2007-001 |||
> ||| CVE-2007-1465 (CVE candidate)|||
> 
>
> dproxy - remotely exploitable buffer overflow
> 
>
> Date released: 20.03.2007
> Date reported: 11.03.2007
> $Revision: 1.1 $
>
> by Alexander Klink
>Cynops GmbH
>[EMAIL PROTECTED]
>https://www.cynops.de/advisories/CVE-2007-1465.txt
>(S/MIME signed: https://www.cynops.de/advisories/CVE-2007-1465-signed.txt)
>
> https://www.klink.name/security/aklink-sa-2007-001-dproxy-bufferoverflow.txt
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1465
>
> Vendor: Matthew Pratt (Open Source)
> Product: dproxy - a small caching DNS server
> Website: http://dproxy.sourceforge.net
> Vulnerability: buffer overflow
> Class: remote
> Status: unpatched (author is unresponsive)
> Severity: high (arbitrary command execution as root)
> Releases known to be affected: 0.1, 0.2, 0.3, 0.4, 0.5
> Releases known NOT to be affected: dproxy-nexgen
>
> +
> Overview:
>
> dproxy suffers from a typical buffer overflow condition, which allows
> an attacker to overwrite the stack.
>
> +
> Technical details:
>
> In dproxy.c, the UDP packet buffer, which can be up to 4096 bytes long
> is copied into a variable called query_string, which is at most 2048
> bytes. As this is done using strcpy, the stack can be overwritten
> which leads to arbitrary command execution.
>
> Note that one can easily find out whether dproxy is running
> using the fpdns tool (see http://www.rfc.se/fpdns/). dproxy also
> seems to be used in a number of WLAN access points / routers, but
> the version used there (at least in the Linksys WRT54AG, the Asus
> WL500g and the Netgear DG834G) seems to be dproxy-nexgen, which is not
> vulnerable to this attack.
>
> Thanks to Dan Kaminsky, who provided me with the interesting statistics
> that apparently only 20 out of about 2.000.000 DNS servers he scanned
> are using dproxy. So this does not look like a major attack vector.
>
> +
> Exploit:
>
> A MetaSploit Framework 2.7 exploit module is available from
> https://www.cynops.de/downloads/metasploit/dproxy.pm
>
> It has been tested successfully with both a Debian stable and an
> Ubuntu system (with randomize_va_space=0).
>
> +
> Workaround:
>
> Drop packets to the destination UDP port 53 which are larger than
> 2048 bytes (which is a pretty large DNS query packet anyway).
>
> +
> Communication:
>
> * 13.03.2007: Author updated on vulnerable versions
> * 11.03.2007: First problem report to author
>
> +
> Solution:
>
> Patch dproxy.c:
>
> --- dproxy-0.5/dproxy.c 2000-02-03 04:15:35.0 +0100
> +++ dproxy-0.5.patched/dproxy.c 2007-03-13 13:07:53.0 +0100
> @@ -105,7 +105,7 @@
>/* child process only here */
>signal(SIGCHLD, SIG_IGN);
>
> -  strcpy( query_string, pkt.buf );
> +  strncpy( query_string, pkt.buf, sizeof(query_string) );
>decode_domain_name( query_string );
>debug("query: %s\n", query_string );
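Review bot: the replacement truncates silently instead of rejecting an over-long query. A packet longer than query_string is exactly the case the advisory's workaround drops at the firewall, so the same decision belongs in the code: compare the received packet length against sizeof(query_string) - 1 before the copy and discard the packet when it does not fit, rather than letting strncpy clip it at 2048 bytes and pass a cut-off name on to decode_domain_name().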
>
> +
> Credits:
>
> Alexander Klink, Cynops GmbH (discovery and exploit development, patch)

-- 
mu-b
([EMAIL PROTECTED])

  "Only a few people will follow the proof. Whoever does will
 spend the rest of his life convincing people it is correct."
- Anonymous, "P ?= NP"



Re: [Full-disclosure] Sexy, spankable 22 year old girl looking for a wild time

2007-03-23 Thread Dude VanWinkle
On 3/22/07, evilrabbi <[EMAIL PROTECTED]> wrote:
> I called that number because I didn't think it was real 

suuure, THAT'S why you called up, you deviant little tampon-lusting
monkey-man ;-)

> and apparently it
> wasn't. It was a real girl, but I don't believe it was the girl in the
> picture. The person on the other end said some guys in Virginia did this to
> mess with her. It's kinda fucked up to give out someone's home number like
> that. Just sayin people should quit calling her and asking her if she likes
> to be spanked.

well, isn't THAT the pot calling the kettle black :-P

-JP

"Women must always be honored and treated with respect, no matter the cost."
-L. Flint



Re: [Full-disclosure] XBOX ID's being Jacked

2007-03-23 Thread Kevin Finisterre (lists)
There are lots of folks that mention obtaining the IP in order to
hack your account. They usually say they have done this with Cain and
Abel or Commview or any other sniffer out there. Your IP can be easily
obtained by the usual standby groups or bridgers. The only reason
they want your IP is because that can buy them ONE piece of
information. In some cases if you have paid for the proper program
you can get an address and GPS coordinates for an IP. In most cases
the address will be that of your neighborhood router or something
like that.


I just wanted to clear this up as there appears to be some confusion
over what the IP address has to do with pretexting Microsoft XBL
employees.


You can try something like this...

http://www.melissadata.com/lookups/iplocation.asp?ipaddress=209.11.233.26


and get something back like this

IP Address 209.11.233.26

City FINDLAY

State or Region OHIO

Country UNITED STATES

ISP CENTRACOMM COMMUNICATIONS.

This may be JUST enough info to trick a dumb employee



-KF


On Mar 22, 2007, at 7:21 PM, [EMAIL PROTECTED] wrote:


Kevin,

My son's Xbox Live ID was jacked by "Brad" of the o Infamous o  
Clan. It happened in such a short amount of time that I don't feel  
that it was a case of Social Engineering. I did some research and  
came up with a way to do it using your Xbox, with Action Replay and  
a memory card, and the DVD of the game Splinter Cell, your PC  
Kernal IP Logger and an FTP program. It seems that the DVD has a  
copy of Linux on it that you use to help get the person's gamertag  
by using that person's IP address.


I found the steps to do it on a message board. However, by the time
I got to it, the message board admin had edited it and then also
closed the thread. I think that the social engineering angle is
only a small percentage of the ID thefts. I have a feeling that the
technical way is more likely how the majority of IDs are stolen.


Rich




[Full-disclosure] XBOX ID's being Jacked

2007-03-23 Thread richfa1
Kevin, 
 
My son's Xbox Live ID was jacked by "Brad" of the o Infamous o Clan. It 
happened in such a short amount of time that I don't feel that it was a case of 
Social Engineering. I did some research and came up with a way to do it using 
your Xbox, with Action Replay and a memory card, and the DVD of the game 
Splinter Cell, your PC Kernal IP Logger and an FTP program. It seems that the 
DVD has a copy of Linux on it that you use to help get the person's gamertag by 
using that person's IP address. 
 
I found the steps to do it on a message board. However, by the time I got to
it, the message board admin had edited it and then also closed the thread. I
think that the social engineering angle is only a small percentage of the ID
thefts. I have a feeling that the technical way is more likely how the majority
of IDs are stolen.
 
Rich


[Full-disclosure] dproxy - arbitrary code execution through stack buffer overflow vulnerability

2007-03-23 Thread Alexander Klink
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


||| Security Advisory AKLINK-SA-2007-001 |||
||| CVE-2007-1465 (CVE candidate)|||


dproxy - remotely exploitable buffer overflow


Date released: 20.03.2007
Date reported: 11.03.2007
$Revision: 1.1 $

by Alexander Klink
   Cynops GmbH
   [EMAIL PROTECTED]
   https://www.cynops.de/advisories/CVE-2007-1465.txt
   (S/MIME signed: https://www.cynops.de/advisories/CVE-2007-1465-signed.txt)
   https://www.klink.name/security/aklink-sa-2007-001-dproxy-bufferoverflow.txt
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1465

Vendor: Matthew Pratt (Open Source)
Product: dproxy - a small caching DNS server
Website: http://dproxy.sourceforge.net
Vulnerability: buffer overflow
Class: remote
Status: unpatched (author is unresponsive)
Severity: high (arbitrary command execution as root)
Releases known to be affected: 0.1, 0.2, 0.3, 0.4, 0.5
Releases known NOT to be affected: dproxy-nexgen

+
Overview:

dproxy suffers from a typical buffer overflow condition, which allows
an attacker to overwrite the stack.

+
Technical details:

In dproxy.c, the UDP packet buffer, which can be up to 4096 bytes long
is copied into a variable called query_string, which is at most 2048
bytes. As this is done using strcpy, the stack can be overwritten
which leads to arbitrary command execution.

Note that one can easily find out whether dproxy is running
using the fpdns tool (see http://www.rfc.se/fpdns/). dproxy also
seems to be used in a number of WLAN access points / routers, but
the version used there (at least in the Linksys WRT54AG, the Asus
WL500g and the Netgear DG834G) seems to be dproxy-nexgen, which is not
vulnerable to this attack.

Thanks to Dan Kaminsky, who provided me with the interesting statistics
that apparently only 20 out of about 2.000.000 DNS servers he scanned
are using dproxy. So this does not look like a major attack vector.

+
Exploit:

A MetaSploit Framework 2.7 exploit module is available from
https://www.cynops.de/downloads/metasploit/dproxy.pm

It has been tested successfully with both a Debian stable and an
Ubuntu system (with randomize_va_space=0).

+
Workaround:

Drop packets to the destination UDP port 53 which are larger than
2048 bytes (which is a pretty large DNS query packet anyway).

+
Communication:

* 13.03.2007: Author updated on vulnerable versions
* 11.03.2007: First problem report to author

+
Solution:

Patch dproxy.c:

- --- dproxy-0.5/dproxy.c 2000-02-03 04:15:35.0 +0100
+++ dproxy-0.5.patched/dproxy.c 2007-03-13 13:07:53.0 +0100
@@ -105,7 +105,7 @@
   /* child process only here */
   signal(SIGCHLD, SIG_IGN);
 
- -  strcpy( query_string, pkt.buf );
+  strncpy( query_string, pkt.buf, sizeof(query_string) );
   decode_domain_name( query_string );
   debug("query: %s\n", query_string );
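Review bot: `strncpy( query_string, pkt.buf, sizeof(query_string) )` stops the overflow but does not guarantee a terminator: when pkt.buf carries sizeof(query_string) or more bytes before its NUL, strncpy fills the whole array and the following decode_domain_name() and debug("query: %s\n", ...) read an unterminated string. Copy at most sizeof(query_string) - 1 bytes and set `query_string[sizeof(query_string) - 1] = '\0'`, or memcpy a length that has been checked against the buffer. This also only holds if query_string is an array in this scope, as the advisory's 2048-byte figure suggests; were it a pointer, sizeof would give the pointer size. Separately, the `- ---` and `- -  strcpy` lines are PGP clear-sign dash escaping, so the patch will not apply verbatim until the leading "- " is stripped from those two lines.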

+
Credits:

Alexander Klink, Cynops GmbH (discovery and exploit development, patch)

-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |[EMAIL PROTECTED]
 mobile: +49 (0)178 2121703 |  Cynops GmbH | http://www.cynops.de
+--+-
  HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
 Bad Homburg v. d. Höhe |  |  Martin Bartosch
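The copy described in the advisory's technical details, a strcpy() of a 4096-byte packet buffer into a 2048-byte query_string, beside a bounded copy that rejects what cannot fit and always terminates, plus a check of what the patch's strncpy() leaves behind. This is an added example, not dproxy's code; the buffer sizes are the advisory's, while the packet structure and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PKT_BUF_SIZE      4096  /* UDP packet buffer size stated in the advisory */
#define QUERY_STRING_SIZE 2048  /* query_string size stated in the advisory */

/* Constructed stand-in for dproxy's packet structure; field names are assumed. */
struct dns_pkt {
    size_t len;                 /* bytes actually received from the socket */
    char   buf[PKT_BUF_SIZE];
};

/*
 * Vulnerable shape from the advisory: strcpy() copies until the first NUL in
 * pkt.buf, so a query longer than query_string overruns the stack array.
 * Shown for comparison only; it is never called on untrusted input here.
 */
void copy_query_unbounded(char *query_string, const struct dns_pkt *pkt)
{
    strcpy(query_string, pkt->buf);
}

/*
 * Hardened copy: bounds the scan by the bytes actually received, rejects a
 * query that cannot fit together with its terminator, and always writes the
 * NUL. Returns 0 on success and -1 when the packet should be dropped, the
 * in-process equivalent of the advisory's firewall workaround.
 */
int copy_query_bounded(char *query_string, size_t query_size,
                       const struct dns_pkt *pkt)
{
    const char *nul;
    size_t n;

    if (query_size == 0 || pkt->len > sizeof pkt->buf)
        return -1;

    /* Length of the query as a C string, never looking past pkt->len. */
    nul = memchr(pkt->buf, '\0', pkt->len);
    n = nul ? (size_t)(nul - pkt->buf) : pkt->len;
    if (n >= query_size)        /* no room left for the terminator */
        return -1;

    memcpy(query_string, pkt->buf, n);
    query_string[n] = '\0';
    return 0;
}

/* Builds a constructed packet of `len` non-NUL bytes and runs the bounded copy.
 * Returns 0 if the query was accepted, -1 if it was rejected. */
int try_query_of_length(size_t len)
{
    struct dns_pkt pkt;
    char query_string[QUERY_STRING_SIZE];

    if (len > sizeof pkt.buf)
        return -1;
    memset(pkt.buf, 'A', len);
    pkt.len = len;
    return copy_query_bounded(query_string, sizeof query_string, &pkt);
}

/* Shows why strncpy(dst, src, sizeof dst), the advisory's patch, is not enough:
 * when src holds dst_size or more non-NUL bytes, dst ends without a terminator.
 * Returns 1 if dst was NUL-terminated after the copy, 0 if not. */
int strncpy_leaves_terminator(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

/* Wraps the check above with a constructed source of `len` 'A' bytes. */
int strncpy_terminated_for_len(size_t len)
{
    char src[PKT_BUF_SIZE];
    char dst[QUERY_STRING_SIZE];

    if (len >= sizeof src)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    return strncpy_leaves_terminator(dst, sizeof dst, src);
}

int main(void)
{
    printf("2047-byte query: %s\n", try_query_of_length(2047) == 0 ? "accepted" : "rejected");
    printf("2048-byte query: %s\n", try_query_of_length(2048) == 0 ? "accepted" : "rejected");
    printf("strncpy of a 2048-byte source left a terminator: %d\n",
           strncpy_terminated_for_len(2048));
    return 0;
}
```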



Re: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability

2007-03-23 Thread Kingcope
Hello,

I just tested it with UNC paths,
and yes this works too, but you have to
press on the yes button when it asks because
the file is not authorized (it comes from remote).
After pressing Yes one time it gets executed.
Normally Windows Mail does not execute
exe or other executable files, now it does :-)


Thank you for this nice idea Joxean Koret.



Regards,

kcope

- Original Message - 
From: "Joxean Koret" <[EMAIL PROTECTED]>
To: ; <[EMAIL PROTECTED]>
Sent: Friday, March 23, 2007 11:15 AM
Subject: RE: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client 
Side Code Execution Vulnerability


> Hi,
>
> Did you test it using UNC paths? It may be a way to
> truly execute arbitrary code.
>
> Regards,
> Joxean Koret
>
>>Exploit:
>>Send a HTML email message containing the URL:
>>Click here!
>>or
>>Click here!
>>and winrm.cmd/migwiz.exe gets executed without asking
>
>>for permission.
>>These are just examples.
>>
>>I could not pass arguments to winrm (hehe this would
>>be beautiful), but I guess there
>>are several attack vectors.
>
>
>
> __
> LLama Gratis a cualquier PC del Mundo.
> Llamadas a fijos y móviles desde 1 céntimo por minuto.
> http://es.voice.yahoo.com 



Re: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability

2007-03-23 Thread Joxean Koret
Hi,

Did you test it using UNC paths? It may be a way to
truly execute arbitrary code.

Regards,
Joxean Koret

>Exploit:
>Send a HTML email message containing the URL:
>Click here!
>or
>Click here!
>and winrm.cmd/migwiz.exe gets executed without asking

>for permission.
>These are just examples.
>
>I could not pass arguments to winrm (hehe this would 
>be beautiful), but I guess there
>are several attack vectors.



__ 
LLama Gratis a cualquier PC del Mundo. 
Llamadas a fijos y móviles desde 1 céntimo por minuto. 
http://es.voice.yahoo.com
