[Full-disclosure] Maria Sharapova is a Cisco Certified Specialist

2007-04-01 Thread Valery Marchuk
Maria Sharapova, one of the most famous tennis players, gained the CCIE 
status yesterday. More at http://www.securitylab.ru/news/extra/293608.php




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread Larry Seltzer
>>The issue is that this only works with DEP turned off!

Interesting point. I haven't seen this mentioned anywhere, including the
Microsoft advisory
(http://www.microsoft.com/technet/security/advisory/935423.mspx).
 
Has anyone actually tested this with DEP on/off to be sure?
 
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry_seltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



[Full-disclosure] Norton Multiple insufficient argument validation of hooked SSDT function Vulnerability

2007-04-01 Thread Matousec - Transparent security Research
Hello,

We would like to inform you about a vulnerability in Symantec Norton products.


Description:

Symantec Norton Personal Firewall hooks many functions in SSDT and in at least
two cases it fails to validate arguments that come from the user mode. User
calls to NtCreateMutant and NtOpenEvent with invalid argument values can cause
system crashes because of errors in Norton driver SPBBCDrv.sys. Further impacts
of this bug (like arbitrary code execution in the kernel mode) were not
examined.


Vulnerable software:

 * Norton Personal Firewall 2006 version 9.1.1.7
 * Norton Personal Firewall 2006 version 9.1.0.33
 * probably all versions of Norton Personal Firewall 2006, Norton Internet
   Security 2006 and other products that use SPBBCDrv driver
 * possibly older versions of Norton Personal Firewall and Norton Internet
   Security




More details and a proof of concept including its source code are available 
here:
http://www.matousec.com/info/advisories/Norton-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php


Regards,

-- 
Matousec - Transparent security Research
http://www.matousec.com/



[Full-disclosure] Kcpentrix 2.0 is Out !!

2007-04-01 Thread Fred
Dear List,

The Kcpentrix Project was founded in May 2005. KCPentrix 1.0 was a liveCD
designed to be a standalone penetration testing toolkit for pentesters,
security analysts and system administrators.

What's New in KcPentrix 2.0:

Release 2.0 is now a liveDVD. It features a lot of new or up-to-date
tools for auditing and testing a network, from scanning and discovery
to exploiting vulnerabilities.

Kcpentrix is based on SLAX 5, a Slackware live DVD.

The powerful modularity which Kcpentrix uses allows us to easily
customize our version and include whichever modules we need.

KCPENTRIX 2.0 is the most innovative and promising KCPENTRIX ever.
It switched to the 2.6 kernel line. Zisofs compression was replaced by
SquashFS, which provides a better compression ratio and higher read
speed.

Tools List:
Server tools :
Mysql
PostgreSQL
apache
php
DNS
DHCP
FTP
SMTP
POP3
IMAP
SSH
TFTPD


Internet tools:
Skype
Firefox
Gftp
Gaim

Arp:
arping-2.04
seringe
arp-sk
arpspoof

backdoors:
hbkdr.tar.gz
hbkdr.zip
sbd-1.37.tar.gz
ssheater-1.1.tar.gz
x86-linux-connectback.c
x86-linux-portbind.c

Bruteforce:
adsmb-0.3
adsnmp-0.1
brutus-0.9.2
crackcvspass-v0.1
john-1.7.2
Online_Rainbow
onesixtyone-0.3.2
nat-1.0.4
mdcoll
lodowep
SIPcrack-0.1
smbat
TFTP-bruteforce
VNCcrack-0.9.1
wyd
crunch
md5crack.pl
ophcrack
thc-pptp-bruter
vncrack

cisco:
brute-enable-v.1.0.2
cisco-auditing-tool-v.1.0
cisco-global-exploiter
cisco-scanner-v.1.3
cisco-torch-0.4b
ciscopack
copy-router-config-v.0.1
eigrp-tools
ios-w3-vul
ios7decrypt-v.1.1
jitney-0.10


database:
sqlbrute.py
bsqlbf.pl
mysql_bftools
metacoretex-0.8.0
oat
oscanner_bin
checkpwd
sidguess
tnscmd10g.pl
bfora.pl
dbcool_audit.pl
oracletest.pl
tnsprobe.sh
oracle-scanner-v.1.0.6
oracle-dump-sids-v0.0.1
oat-v.1.3.1

enumeration:
dnswalk
DNSBruteforce.py
dns-ptr
dnsenum
dnsmap
dns-predict-v.0.0.2
fingergoogle-1.1
googrape-v.0.1
gooscan-v0.9
goog-mail.py
qgoogle.py
google-search
dnspython-1.3.2
dnslib.py
httplib.py
inet-enum.py
isr-form-1.0
ldap-enum-v.003
ldapbrowser
list-urls
lsrtunnel-0.2.1
mibble-2.6
mibble-2.7
nmbscan-1.2.4
nstx
relayscanner
revhosts
smb-enum
smtp-vrfy
snmpenum.pl
httprint_301

exploits:
client-side
exploit-tree
framework-2.5
framework-2.6
framework-2.7
framework3 Beta
framework-3.0
microsoft
milw0rm
packetstorm
secfocus
win32 Bins



Firewall:
ftester-1.0
Morena
hping2

forensics:
autopsy-2.06
sleuthkit
sleuthkit-2.03

Fuzzers:
bed
bed-v.0.5
cirt-fuzzer
clfuzz
fuzzer-1.1
fuzzer-1.2
fuzzer-mod
mistress
Peach
pirana-0.2.1
snmp-fuzzer-0.1.1
spike

IDS:
nemesis
snort
ossec

misc-tools:
find_ddos3.1
fping-2.4b2
ipgenv2

printer:
hijetter
pft

proxies:
3proxy_0_5_2
paros
penproxy-0.4.10

scanners:
banshee-3.3
dcom_scanner
hydra-5.3
knocker-0.7.1
lsrscan-1.0
ike-scan
amap
nikto-1.35
pbnj
nbtscan
nmap
nmapfe
sinfp.pl
VNC_bypauth

Sniffers:
aimsniff-0.9d
aimsniff-1.0beta
PHoss
xspy
dsniff
p0f
wireshark

spoofing:
netsed

tunnelling:
3proxy
iodine-0.3.2
proxytunnel-1.6.3

Web:
asp-audit
metoscan04
proxyfinder-1.0
sqlibf
sqlinject-1.1
wal
easy-scraper.pl
hacker_webkit.tar.gz
mysql-miner.pl
put.pl

wireless:
aircrack-2.2-beta1
aircrack-ng-0.6.2
airpwn-1.3
airsnarf-0.2
asleap-1.4
wifitap
hotspotter-0.4
fakeap-0.3.2
cowpatty-2.0
wep_crack
wep_decrypt

windows-binaries:
- databases :
Absinthe-1.4.1-Linux
sqlexec20.exe

-Misc :
enumplus
exe2bat.exe
Fport.exe
klogger.exe
mbenum.exe
radmin.exe
plink.exe
nc.exe
nbtenum.exe
mstsc.exe
regdmp.exe
sbd.exe
tftpd32.exe
vnc-ssh
vncviewer.exe
WHOAMI.EXE
wget.exe
- pstools
pstoreview.exe
pssuspend.exe
psshutdown.exe
psservice.exe
pskill.exe
pslist.exe
psloggedon.exe
psloglist.exe
pspasswd.exe
Psinfo.exe
psgetsid.exe
psfile.exe
psexec.exe
- passwd-attack:
ipcscan
lbrute
smbcrack2
cachedump
FindPass.exe
pulist.exe
PWDump4.exe
SAMDUMP.EXE
tsgrinder-2.03.zip
TSgrinder.rar
-Scanners :
hscan
ipcscan
languard
ntscangui
retina-scanners
DSScan.exe
dfind.exe
CIScan.exe
X-Scan-v2.3-en
superscan
gdiscan.exe
HS_WINS
MS05039Scan.exe
MyDoomScanner.exe
SQLScan.exe
SNScan.exe
sl.exe
RPCScan2.exe
NetSchedScan.exe
SynScan
-sniffers
rawsniffer
ngrep.exe
-trojans :
sbd.exe
Institution_2004.zip
-vpn:
ike-scan
ikeprobe


Thanks to all beta testers and supporters,
special thanks to the friends from Security-database.com and
SecurityDistro.com

You can download the iso at Kcpentrix.com / knowledgecave.com and
Securitydistro.com.

Best regards,
Fred aka HC




Re: [Full-disclosure] Busting The Bluetooth Myth

2007-04-01 Thread Giorgio Fedon

Hi Max, you are promoting Software Piracy.
Like a group of warez people so called - "Team IND"

2007/3/30, Max Moser <[EMAIL PROTECTED]>:


Dear List

During the last year, rumours had come to my attention that apparently
it is possible to transform a standard 30USD Bluetooth(r) dongle into
a full-blown Bluetooth(r) sniffer. Thinking you absolutely need
Hardware to be able to hop 79 channels 1600 times a second I was
rather suspicious about these claims.

Re: [Full-disclosure] Busting The Bluetooth Myth

2007-04-01 Thread jf
Hi,

You missed the point completely. He's not promoting software piracy but
showing that the high-dollar bluetooth sniffers are not required and that
your average dongle can do everything that a proprietary product can.

Also, if you're going to make thinly veiled adverts for a group, you should
probably ensure that they are findable via google or similar.

On Sun, 1 Apr 2007, Giorgio Fedon wrote:

> Date: Sun, 1 Apr 2007 15:52:59 +0200
> From: Giorgio Fedon <[EMAIL PROTECTED]>
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Busting The Bluetooth Myth
>
> Hi Max, you are promoting Software Piracy.
> Like a group of warez people so called - "Team IND"
>
> 2007/3/30, Max Moser <[EMAIL PROTECTED]>:
> >
> > Dear List
> >
> > During the last year, rumours had come to my attention that apparently
> > it is possible to transform a standard 30USD Bluetooth(r) dongle into
> > a full-blown Bluetooth(r) sniffer. Thinking you absolutely need
> > Hardware to be able to hop 79 channels 1600 times a second I was
> > rather suspicious about these claims.
>
>



Re: [Full-disclosure] Busting The Bluetooth Myth

2007-04-01 Thread Giorgio Fedon

| Hi,
|
| You missed the point completely. He's not promoting software piracy but
| showing that the high-dollar bluetooth sniffers are not required and that
| your average dongle can do everything that a proprietary product can.

The "thinly veiled advert" was to mention that either:

1. He is using a pirated version of the bluetooth sniffer;
2. He has downloaded a pirated version of the bluetooth sniffer and printed
a pdf of the readme inside;
3. He is the author of the pirated version of the bluetooth sniffer.

Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread dev code
I made a mistake in including "jmp esp" for XP SP2 because the stack cannot 
be executed (due to DEP of course :P). It is completely possible to execute 
shellcode if we can do some DEP bypass (ie. ret2libc attack, etc..) to add 
execute access to the stack and jmp to our code. My PoC I updated yesterday 
(added as an attachment to the full disclosure post) returns to 
ExitProcess() and closes explorer.exe upon viewing the .ani file, just to 
show that it is possible to do our own shiznat in SP2.

>From: "Larry Seltzer" <[EMAIL PROTECTED]>
>To: 
>Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
>Date: Sun, 1 Apr 2007 07:49:58 -0400
>
> >>The issue is that this only works with DEP turned off!
>
>Interesting point. I haven't seen this mentioned anywhere, including the
>Microsoft advisory
>(http://www.microsoft.com/technet/security/advisory/935423.mspx).
>
>Has anyone actually tested this with DEP on/off to be sure?
>
>Larry Seltzer
>eWEEK.com Security Center Editor
>http://security.eweek.com/
>http://blog.eweek.com/blogs/larry_seltzer/
>Contributing Editor, PC Magazine
>[EMAIL PROTECTED]
>




Re: [Full-disclosure] April 1 joke

2007-04-01 Thread Jason Miller
too bad I don't get it.

On 4/1/07, V Comics <[EMAIL PROTECTED]> wrote:
> vim:
> foldmethod=expr:foldexpr=feedkeys("x3a%!cat\\x20-n\\x
> 3a%s/./\:)/g\\x3aq!\\"):
>
> a
>
>
>
>
>
>



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread wac

On 4/1/07, Larry Seltzer <[EMAIL PROTECTED]> wrote:


> >>The issue is that this only works with DEP turned off!
>
> Interesting point. I haven't seen this mentioned anywhere, including the
> Microsoft advisory
> (http://www.microsoft.com/technet/security/advisory/935423.mspx).
>
> Has anyone actually tested this with DEP on/off to be sure?

Yes, winhex uses the function when you open the .ani and I don't have it
running with DEP turned on, and the same goes for firefox, which also leaves
the file opened when I opened the web link dev sent me (already tested winhex
with the address of exitprocess that btw seems to float around from system
to system since the version dev sent me does not work for me and it works
like a charm when I built it). I was talking with dev code about DEP
bypassing btw, we think it is possible to exploit even with >> DEP ON <<.
Just ideas for now.

> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry_seltzer/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]


Re: [Full-disclosure] Busting The Bluetooth Myth

2007-04-01 Thread Kevin Finisterre (lists)
Giorgio if anything he is blowing the whistle on the vendors that  
charge a metric shit ton for a piece of hardware that is not necessary.
-KF

On Apr 1, 2007, at 11:17 AM, Giorgio Fedon wrote:

> | Hi,
> |
> | You missed the point completely. He's not promoting software  
> piracy but
> | showing that the high-dollar bluetooth sniffers are not required
> and that
> | your average dongle can do everything that a proprietary
> product can.
>
> The "thinly veiled advert" was to mention that either:
>
> 1. He is using a pirated version of the bluetooth sniffer;
> 2. He has downloaded a pirated version of the bluetooth sniffer and  
> printed a pdf of the readme inside;
> 3. He is the author of the pirated version of the bluetooth sniffer.



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread Chris Lyon

On 4/1/07, wac <[EMAIL PROTECTED]> wrote:




> On 4/1/07, Larry Seltzer <[EMAIL PROTECTED]> wrote:
>
> >>The issue is that this only works with DEP turned off!
>
> Interesting point. I haven't seen this mentioned anywhere, including the
> Microsoft advisory
> ( http://www.microsoft.com/technet/security/advisory/935423.mspx).
>
> Has anyone actually tested this with DEP on/off to be sure?



Did you guys see this from the CISRT.

http://www.cisrt.org/enblog/read.php?68


> Yes, winhex uses the function when you open the .ani and I don't have it
> running with DEP turned on, and the same goes for firefox, which also leaves
> the file opened when I opened the web link dev sent me (already tested winhex
> with the address of exitprocess that btw seems to float around from system
> to system since the version dev sent me does not work for me and it works
> like a charm when I built it). I was talking with dev code about DEP
> bypassing btw, we think it is possible to exploit even with >> DEP ON <<.
> Just ideas for now.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry_seltzer/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
>
>



Re: [Full-disclosure] Busting The Bluetooth Myth

2007-04-01 Thread Ed Carp
On 4/1/07, Giorgio Fedon <[EMAIL PROTECTED]> wrote:

> 3. He is the author of the pirated version of the bluetooth sniffer.

Isn't that a logical impossibility?  If he's the author, it can't be
pirated, now can it?



Re: [Full-disclosure] Busting The Bluetooth Myth

2007-04-01 Thread Giorgio Fedon

Hi Kevin,

I could understand that vendors are charging up to thousands of dollars for
simple CSR dongles (19 dollars??).
But publishing a paper that makes a direct reference (if someone is
aware of the underlying piece of software he is talking about) to a
particular vendor is not so cute. Maybe they have written their firmware.

Worse is to sustain the fact that the world needs a better bluetooth sniffer,
using the information that can be found inside the warezed version of the
tool. The opensource community, I think, is able to do its own research
without software piracy.


2007/4/1, Kevin Finisterre (lists) <[EMAIL PROTECTED]>:


Giorgio if anything he is blowing the whistle on the vendors that
charge a metric shit ton for a piece of hardware that is not necessary.
-KF


Re: [Full-disclosure] Busting The Bluetooth Myth

2007-04-01 Thread Thierry Zoller




Dear Giorgio,

Oh, dear, here is my "thinly veiled advert" for you :
- Either prove it or shut up
- You can potentially be sued for this (I would sue you, 
  see you are slandering a consultant here that gets jobs based
  on his reputation)

So let's move over to some facts shall we, I think that some of your bold claims
need questioning, here they come:

Quoting Giorgio Fedon :
>But the way to publish a paper making a direct reference 
Where is that "direct reference..to a particular vendor "  you refer to ? I have read 
the paper and found none, where did you ?

>Hi Max, you are promoting Software Piracy. 
Where is he promoting Software Piracy ?  I have read the paper and found none, where did you ?

>Worse is to sustain the fact that the world need a better bluetooth sniffer,
>using the information that can be found inside the warezed version of the tool.
First, I knew nothing about such a "release" until YOU posted information about the name
of a (what apparently is) a Warez group. Using the information in YOUR posting
I found the release. I think you need to rethink who is actually "promoting"
software piracy.

Second, you apparently assume the Warez group is the same person that wrote the paper, which is
a very ignorant assumption to make, not to mention a dangerous one.

>The opensource community I think that is able to do it's own research without 
>software piracy. 
Where the heck does this come from ?


Quote from : 
http://program.whatthehack.org/speaker/92.en.html
> Now I like much more dealing with people behaviour and the false sense 
> of security behind trusting unsecure and expensive infrastructures.

I see how you are "dealing" with "people behaviour".

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7




Re: [Full-disclosure] Busting The Bluetooth Myth

2007-04-01 Thread Anders B Jansson
Giorgio Fedon wrote:

> Worse is to sustain the fact that the world needs a better bluetooth
> sniffer, using the information that can be found inside the warezed
> version of the tool. The opensource community I think is able to do
> its own research without software piracy.

If the information is within the 'warezed' version, then it's also
within 'the non-warezed' one.

Using available distributed information to write software isn't piracy.

Taking someone's written software and distributing it as your own and
under your own terms most certainly is.

But building on someone's idea and distributed information to write a
different tool (smaller, bigger, better, worse, cheaper, whatever) isn't.

-- 
// hdw



Re: [Full-disclosure] Busting The Bluetooth Myth

2007-04-01 Thread Anders B Jansson
Giorgio Fedon wrote:

> The "thinly veiled advert" was to mention that either:
> 
> 1. He is using a pirated version of the bluetooth sniffer;
> 2. He has downloaded a pirated version of the bluetooth sniffer and
> printed a pdf of the readme inside;
> 3. He is the author of the pirated version of the bluetooth sniffer.

Erh?
Are we talking of pirate as in "stealing our holy IP", where
'IP' as in using j.random BT as a BT sniffer or 'IP' as in the
words "bluetooth sniffer"?

As far as I can understand the statement it was frikken obvious.

You _can_ use j.random BT dongle _if_ you have the required
software.

Well 'doh!', of course you can.

But you need a piece of software that can do that.

The use of the phrase "the bluetooth sniffer" got me wondering.
 
Do you really think that there's only one single software that
can do this? 

It's like stating that there's one software to capture
audio from a microphone and that all other audio recorders
are 'pirated software'.

Or a network device? A firewire device? A USB device?

Sniffers are essential tools, if available they'll be used.
If not available, they'll be created, if available but bad,
broken or too expensive they'll be recreated.

-- 
// hdw



Re: [Full-disclosure] Busting The Bluetooth Myth

2007-04-01 Thread Giorgio Fedon

- To Thierry:

> Oh, dear, here is my "thinly veiled advert" for you :

> - You can potentially be sued for this (I would sue you,
>  see you are slandering a consultant here that gets jobs based
>  on his reputation)

First of all I haven't said anything that could not be rebutted.
So I am not slandering anyone. I just said what I'm thinking at the moment;
maybe Max Moser can make me change my mind.

> you refer to ? I have read the paper and found none, where did you ?

The software is described in detail inside the paper.
Dongle activation, .ini files and .dcu files. This seems to run on
Windows. I know only one software like this one (Maybe you are using it as
well).

> Where is he promoting Software Piracy ?  I have read the paper and found
> none, where did you ?

That software is based upon a dongle (USB Bluetooth in this case).
If you can clone the dongle, you could be able to easily clone the software.

> First, I knew nothing about such a "release" until YOU posted information
> about the name
> of a (what apparently is) a Warez group

I'm sorry this was my mistake, but there wasn't any direct link to the
release.
Anyway I found this stuff after I have read the .pdf document. At first I
have found the vendor
then I have searched in google "Vendor + CSR dongle" and I found that.

> Second, you apparently assume the Warez group is the same person that
> wrote the paper, which is
> a very ignorant assumption to make, not to mention a dangerous one.

I never told this.

> The opensource community I think that is able to do it's own research
> without software piracy.

Read it as not forcing (or partially forcing) the protection of commercial
software.


-  To Anders:

I agree with you

Re: [Full-disclosure] April 1 joke

2007-04-01 Thread James Matthews

punch it in vi

On 4/1/07, Jason Miller <[EMAIL PROTECTED]> wrote:


too bad I don't get it.

On 4/1/07, V Comics <[EMAIL PROTECTED]> wrote:
> vim:
>
foldmethod=expr:foldexpr=feedkeys("x3a%!cat\\x20-n\\x
> 3a%s/./\:)/g\\x3aq!\\"):
>
> a
>
>
>
>
>
>






--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com

Re: [Full-disclosure] Busting The Bluetooth Myth

2007-04-01 Thread Kevin Finisterre (lists)
Anyone wanna buy a used BPA100?

=]

-KF

On Apr 1, 2007, at 2:15 PM, Giorgio Fedon wrote:

> - To Thierry:
>
> > Oh, dear, here is my "thinly veiled advert" for you :
>
> > - You can potentially be sued for this (I would sue you,
> >  see you are slandering a consultant here that gets jobs based
> >  on his reputation)
>
> First of all I haven't said anything that could not be rebutted.
> So I am not slandering anyone. I just said what I'm thinking at the  
> moment;
> maybe Max Moser can make me change my mind.
>
> > you refer to ? I have read the paper and found none, where did you ?
>
> The software is described in detail inside the paper.
> Dongle activation, .ini files and .dcu files. This seems to run on
> Windows. I know only one software like this one (Maybe you are  
> using it as well).
>
> > Where is he promoting Software Piracy ?  I have read the paper  
> and found none, where did you ?
>
> That software is based upon a dongle (USB Bluetooth in this case).
> If you can clone the dongle, you could be able to easily clone the  
> software.
>
> > First, I knew nothing about such a "release" until YOU posted  
> information about the name
> > of a (what apparently is) a Warez group
>
> I'm sorry this was my mistake, but there wasn't any direct link to  
> the release.
> Anyway I found this stuff after I have read the .pdf document. At  
> first I have found the vendor
> then I have searched in google "Vendor + CSR dongle" and I found that.
>
> > Second, you apparently assume the Warez group is the same person  
> that wrote the paper, which is
> > a very ignorant assumption to make, not to mention a dangerous one.
>
> I never told this.
>
> > The opensource community I think that is able to do it's own  
> research without software piracy.
>
> Read it as not forcing (or partially forcing) the protection of  
> commercial software.
>
>
> -  To Anders:
>
> I agree with you



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread Goodfellas Research Security Team - Callax
Hi, 

I tested it in Windows xp sp2 and it doesn't work.

Greetings

Callax 
Shellcode Security Research Team.
Argentine

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry
Seltzer
Sent: Sunday, 01 April 2007 01:50 p.m.
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

>>The issue is that this only works with DEP turned off!

Interesting point. I haven't seen this mentioned anywhere, including the
Microsoft advisory
(http://www.microsoft.com/technet/security/advisory/935423.mspx).
 
Has anyone actually tested this with DEP on/off to be sure?
 
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry_seltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread Larry Seltzer
>>I tested it in Windows xp sp2 and it doesn't work.
>>Callax

Did you try turning DEP off and re-testing?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread Larry Seltzer
>>It is completely possible to execute shellcode if we can do some DEP
bypass (ie. ret2libc attack, etc..)  

In Vista this should have problems because of ASLR, right?

I'm beginning to think that web-based attacks with this in Vista aren't
really so scary. Even if you can get them to execute what can you really
do in IE protected mode? You need to get the user to run the ANI outside
of IE. Can anyone say what actually happens if you read an e-mail in the
Vista Mail program with an attack ANI embedded?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] April 1 joke

2007-04-01 Thread Matti Ranta
I don't know how to use vi, what do I do?

On 4/1/07, James Matthews <[EMAIL PROTECTED]> wrote:
> punch it in vi
>
>
> On 4/1/07, Jason Miller <[EMAIL PROTECTED]> wrote:
> > too bad I don't get it.
> >
> > On 4/1/07, V Comics <[EMAIL PROTECTED]> wrote:
> > > vim:
> > >
> foldmethod=expr:foldexpr=feedkeys("x3a%!cat\\x20-n\\x
> > > 3a%s/./\:)/g\\x3aq!\\"):
> > >
> > > a
> > >
> > >
> > >
> > >
> > >
> > >
> >
> >
>
>
>
> --
> http://www.goldwatches.com/watches.asp?Brand=39
> http://www.wazoozle.com
>


-- 
Matti Ranta




Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread dev code
Just wanted to post that using a ret2libc attack works as shown in the video 
here:

http://www.zippyvideos.com/5991194746836606/ani-xp-sp2/


>From: "Chris Lyon" <[EMAIL PROTECTED]>
>To: full-disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
>Date: Sun, 1 Apr 2007 09:24:51 -0700
>
>On 4/1/07, wac <[EMAIL PROTECTED]> wrote:
>>
>>
>>
>>On 4/1/07, Larry Seltzer <[EMAIL PROTECTED]> wrote:
>> >
>> > >>The issue is that this only works with DEP turned off!
>> >
>> > Interesting point. I haven't seen this mentioned anywhere, including 
>>the
>> > Microsoft advisory
>> > ( http://www.microsoft.com/technet/security/advisory/935423.mspx).
>> >
>> > Has anyone actually tested this with DEP on/off to be sure?
>>
>>
>Did you guys see this from the CISRT.
>
>http://www.cisrt.org/enblog/read.php?68
>
>
>>Yes, winhex uses the function when you open the .ani and I don't have it
>>running with DEP turned on and the same goes for firefox that also leaves
>>the file opened when I opened the web link dev sent me (already tested
>>winhex with the address of exitprocess that btw seems to float around from
>>system to system since the version dev sent me does not work for me and it
>>works like a charm when I built it). I was talking with dev code about DEP
>>bypassing btw, we think that is possible to exploit even with >> DEP ON <<.
>>Just ideas for now.
>>
>> > Larry Seltzer
>> > eWEEK.com Security Center Editor
>> > http://security.eweek.com/
>> > http://blog.eweek.com/blogs/larry_seltzer/
>> > Contributing Editor, PC Magazine
>> > [EMAIL PROTECTED]




Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread Larry Seltzer
I'm not familiar with Solar Eclipse's claims. I thought the low-entropy
argument was impeached a while ago. See
http://blogs.msdn.com/michael_howard/archive/2006/10/04/Alleged-Bugs-in-Windows-Vista_1920_s-ASLR-Implementation.aspx
The author of the original paper arguing low entropy replies to the blog
conceding the point. There are two stages of randomization.

Perhaps your exploit proves this wrong, but it's the last I heard on the
subject. And even if there are only 256 slots how do you try more than
one? Isn't the first wrong one going to crash the browser?

As for the exploits in protected mode I'm sure there are things you can
do, but it's a huge step down from what you can do in XP and it's gone
as soon as you exit IE7.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry_seltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 

-Original Message-
From: Dave Aitel [mailto:[EMAIL PROTECTED] 
Sent: Sunday, April 01, 2007 3:42 PM
To: Larry Seltzer
Cc: dev code; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow


ASLR has limited entropy and the attacker can continue to try exploits
an infinite number of times (as Solar Eclipse points out). This means
you can write a reliable Vista exploit, theoretically. I'll probably
finish one up on Monday.

IE in protected mode would still allow you access to the local network
and, more importantly, anything IE does. You could, for example, inject
code into all viewed webpages that steals passwords and whatnot. Just at
the very minimum.

- -dave




Larry Seltzer wrote:
>>> It is completely possible to execute shellcode if we can do some DEP
> bypass (ie. ret2libc attack, etc..)
>
> In Vista this should have problems because of ASLR, right?
>
> I'm beginning to think that web-based attacks with this in Vista 
> aren't really so scary. Even if you can get them to execute what can 
> you really do in IE protected mode? You need to get the user to run 
> the ANI outside of IE. Can anyone say what actually happens if you 
> read an e-mail in the Vista Mail program with an attack ANI embedded?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry_seltzer/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
>




Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread [EMAIL PROTECTED]
From the published PoC, yes, Vista is vulnerable; the PoC doesn't
exploit it but shows enough..
The whole Windows browser crashes when you try to open the folder of the
malicious .ani file,
can't even attach it to an email because Thunderbird crashes when I'm
browsing to attach the .ani,
EIP is overwritten by some wrong data near the shellcode. To sum up,
you don't have to open the file
on Vista, displaying it is enough; there is less user interaction
required to exploit that bug on Vista than on older Windows OS,

surprising...   ...or not =)
 
Larry Seltzer wrote:
>>> It is completely possible to execute shellcode if we can do some DEP
>>>   
> bypass (ie. ret2libc attack, etc..)  
>
> In Vista this should have problems because of ASLR, right?
>
> I'm beginning to think that web-based attacks with this in Vista aren't
> really so scary. Even if you can get them to execute what can you really
> do in IE protected mode? You need to get the user to run the ANI outside
> of IE. Can anyone say what actually happens if you read an e-mail in the
> Vista Mail program with an attack ANI embedded?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry_seltzer/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED] 
>



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread [EMAIL PROTECTED]
http://www.milw0rm.com/exploits/3634

str0ke told me to test this one and no miracle, it works under Vista and
the default DEP settings don't catch it.




[Full-disclosure] Severe CSRF vulnerabilities allow mail/msg spoofing in Libero.it portal

2007-04-01 Thread Rosario Valotta
<--start-->

Other severe vulnerabilities are present on the Libero.it (Italian ISP)
portal, again in the Community section.

The portal allows users to create personal web pages with unchecked contents.
These pages are hosted under the digilander.libero.it domain, so it
is possible for an attacker to read and manipulate visitors' cookies
(with obvious risks for privacy & phishing opportunities...). This is
a conceptual mistake...

But this is just the beginning: an attacker can use his Libero
personal site to conduct CSRF attacks against Community users; merely
opening the malicious pages can result in:

1- attacker can send msgs to other community users from victim's account

Ciao!
http://digiland.libero.it/msg/inviamsg.php";>

alert(document.cookie);
document.evil.submit();


2- attacker can send e-mails to other community users using victim's account
Ciao!
http://digiland.libero.it/msg/inviamsg.php?destinatario=testxss&riferimento=NULL&med=msg&rispondi=&quale=&firma=0&messaggio=CSRFmsg&paperv=0";>
  http://digiland.libero.it/inviamail.php";>

alert(document.cookie);
document.evil.submit();


In both cases neither Referrer nor unique tokens are used to prevent CSRF.

PoC (until it is deleted) can be found at:

http://digilander.libero.it/testxss/demo/img.htm
http://digilander.libero.it/testxss/demo/img2.htm

Both require that you are logged in to the Libero Community.

Greetings,
Rosario Valotta

rosario.valotta at gmail dot com

<---end-->

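An added example, not part of Rosario's post and not the portal's code, of the two checks the advisory says are missing: a per-session unique token in the form and a Referer/Origin check, applied to a handler for the inviamsg.php parameters shown above (destinatario, messaggio). The in-memory session store, the handler names and the request headers are constructed stand-ins.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory session store standing in for the portal's real one.
SESSIONS: dict = {}

# Origin that legitimately serves the message form (host taken from the advisory).
FORM_ORIGIN = "http://digiland.libero.it"


def new_session(user: str) -> str:
    """Log `user` in: mint a session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in the genuine form as a hidden field."""
    return SESSIONS[sid]["csrf_token"]


def same_origin(url: str, expected: str) -> bool:
    a, b = urlparse(url), urlparse(expected)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def send_message_vulnerable(cookie_sid: str, form: dict) -> dict:
    """The pattern the advisory describes: any POST carrying a valid session
    cookie is honoured, so a form auto-submitted from another host (the browser
    attaches the cookie anyway) sends a message as the victim."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return {"ok": False, "reason": "not logged in"}
    return {"ok": True, "from": sess["user"],
            "to": form.get("destinatario"), "text": form.get("messaggio")}


def send_message_hardened(cookie_sid: str, form: dict, headers: dict) -> dict:
    """Same handler with the two checks the advisory names as missing."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return {"ok": False, "reason": "not logged in"}
    # Synchroniser token: constant-time compare against the session's token.
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, sess["csrf_token"].encode()):
        return {"ok": False, "reason": "missing or wrong csrf token"}
    # Source check: prefer Origin, fall back to Referer; a missing header is
    # treated as cross-site, the strict choice for a state-changing POST.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or not same_origin(source, FORM_ORIGIN):
        return {"ok": False, "reason": "cross-site request"}
    return {"ok": True, "from": sess["user"],
            "to": form.get("destinatario"), "text": form.get("messaggio")}


def demo() -> dict:
    """Replay the advisory's scenario against both handlers."""
    sid = new_session("victim")
    # Constructed request as the auto-submitted form from the attacker-hosted
    # page would produce it: victim's cookie, attacker-chosen fields, no token.
    forged_form = {"destinatario": "testxss", "messaggio": "CSRFmsg"}
    forged_headers = {"Referer": "http://digilander.libero.it/testxss/demo/img.htm"}
    # The genuine form carries the token and is submitted from the portal itself.
    real_form = dict(forged_form, csrf_token=csrf_token_for(sid))
    real_headers = {"Referer": FORM_ORIGIN + "/msg/inviamsg.php"}
    return {
        "vulnerable_forged": send_message_vulnerable(sid, forged_form)["ok"],
        "hardened_forged": send_message_hardened(sid, forged_form, forged_headers)["ok"],
        # Even a leaked token does not help from a foreign origin.
        "hardened_leaked_token_cross_site": send_message_hardened(
            sid, real_form, forged_headers)["ok"],
        "hardened_genuine": send_message_hardened(sid, real_form, real_headers)["ok"],
    }


if __name__ == "__main__":
    print(demo())
```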


Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread George Ou
"[EMAIL PROTECTED] said:
http://www.milw0rm.com/exploits/3634

str0ke told me to test this one and no miracle, it works under vista and the
default DEP settings doesn't catch it."


Default DEP settings in Windows XP or Vista are worthless since it's off for
all applications including IE7.  I tested with DEP always-on and it crashed
IE7 and the exploit failed.

Note that when you manually launch an HTML file from your hard drive, Protected
Mode is turned off because your HDD is considered a trusted source whereas
the public Internet is not.  If I had tried to browse a webpage with this
exploit, protected mode would have been turned on.  I also had to manually
bypass the ActiveX warning to get the exploit to run and even then it
crashed with my fully-on DEP settings with hardware-enforcement.

I don't really feel like turning off my DEP settings on my Vista machine
though I have a feeling that UAC would prevent it from rooting my system
though it could probably damage my files if it were coded to do that.  But I
had to go out of my way to get this exploit to run by manually downloading
the zip and manually enabling the ActiveX control just to get it to crash my
browser.

So I think it's fair to say that hardware-enforced fully-enabled DEP will
defeat the ANI exploit (in the current generic state) all by itself.
Protected Mode would have also mitigated the ANI exploit to a low-risk state
that is non-persistent as soon as IE is closed.

So with protected mode turned off, DEP not fully enabled (or missing NX
hardware), the ANI exploit would be able to compromise the local user
profile and data but it would still need to get around UAC if it wants to
put a backdoor in Vista.



George



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread James Matthews

Windows security has always been pockmarked


--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com

Re: [Full-disclosure] April 1 joke

2007-04-01 Thread Dude VanWinkle

On 4/1/07, Matti Ranta <[EMAIL PROTECTED]> wrote:
> I don't know how to use vi, what do I do?

use vim :-P

[Full-disclosure] MS Patch Coming Tuesday

2007-04-01 Thread Larry Seltzer
http://www.microsoft.com/technet/security/bulletin/advance.mspx
 
Microsoft Security Bulletin Advance Notification
Updated: April 1, 2007

As part of the monthly security bulletin release cycle, Microsoft
provides advance notification to our customers on the number of new
security updates being released, the products affected, the aggregate
maximum severity and information about detection tools relevant to the
update. This is intended to help our customers plan for the deployment
of these security updates more effectively.

In addition, to help customers prioritize monthly security updates with
any non-security updates released on Microsoft Update, Windows Update,
Windows Server Update Services and Software Update Services on the same
day as the monthly security bulletins, we also provide:

* Information about the release of updated versions of the Microsoft
Windows Malicious Software Removal Tool.
 
* Information about the release of NON-SECURITY, High Priority updates
on Microsoft Update (MU), Windows Update (WU), Windows Server Update
Services (WSUS) and Software Update Services (SUS).
 

Note that this information will pertain ONLY to updates on Microsoft
Update, Windows Update, Windows Server Update Services and Software
Update Services and only about High Priority, non-security updates being
released on the same day as security updates. Information will NOT be
provided about Non-security updates released on other days.

On Tuesday 3 April 2007 Microsoft is planning to release:

Security Updates

* One Microsoft Security Bulletin affecting Microsoft Windows. The
highest Maximum Severity rating for these is Critical. These updates
will require a restart. These updates will be detectable using the
Microsoft Baseline Security Analyzer.
 

Microsoft Windows Malicious Software Removal Tool

* Microsoft will not release an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Update, Microsoft Update,
Windows Server Update Services and the Download Center on Tuesday 3
April 2007.
 

Non-security High Priority updates on MU, WU, WSUS and SUS

* Microsoft will not release any NON-SECURITY High-Priority Updates for
Windows on Windows Update (WU) and Software Update Services (SUS) on
Tuesday 3 April 2007.
 
* Microsoft will not release any NON-SECURITY High-Priority Updates on
Microsoft Update (MU) and Windows Server Update Services (WSUS) on
Tuesday 3 April 2007.
 

Although we do not anticipate any changes, the number of bulletins,
products affected, restart information and severities are subject to
change until released.

Microsoft will host a webcast next week to address customer questions on
these bulletins. For more information on this webcast please see below:

* TechNet Webcast: Information about Microsoft's Security Bulletins
 
* Wednesday, 11 April 2007 11:00 AM (GMT-08:00) Pacific Time (US &
Canada)
 
* http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032327017&EventCategory=4&culture=en-US&CountryCode=US
 

At this time no additional information on these bulletins such as
details regarding severity or details regarding the vulnerability will
be made available until 3 April 2007.
 



Re: [Full-disclosure] [funsec] MS Patch Coming Tuesday

2007-04-01 Thread Blue Boar
http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx




Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow -> Its ok, its in IE Protected Mode

2007-04-01 Thread Haroon Meer
Hi Larry..

Larry Seltzer wrote:
> I'm beginning to think that web-based attacks with this in Vista aren't
> really so scary. Even if you can get them to execute what can you really
> do in IE protected mode? You need to get the user to run the ANI outside
> of IE.

Assuming a compromised IE session is relatively harmless is pretty
dangerous. While low privileged browsing is a welcome idea it is
unfortunately (mostly) a solution to yesterday's problem.

In the past we used to worry about zillions of machines being
compromised and becoming zombies.
Today, we are realizing more and more that it's all about the data.

ex:
I run as mh on my machine. Everything of value on my machine is
accessible to me. My music, my videos, my documents, my email, etc.
Getting root/system on my machine gets you bragging rights, but if you
were serious about hurting me, then mh is the only account you really
need to compromise.

By default, IE uses a NoWriteUp policy. Meaning that a low IL mh shell
still gets to read everything of mh's by default (Check out Mark
Minasi's chml to convert this to a more secure NoReadUp :
http://www.minasi.com/vista/chml.htm)

A low integrity shell (as a result of an IE compromise) may not be able
to write files to most locations on my machine, and so prevents my
machine from being "owned" in the traditional sense, but won't stop me
from losing all of my data.

/mh

-- 
Haroon Meer, SensePost Information Security
PGP: http://www.sensepost.com/pgp/haroon.txt
Tel: +27 83786 6637




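An added example, not from Haroon's post and not chml's code, of the NoWriteUp versus NoReadUp distinction he describes: it parses the mandatory label (ML) ACE out of an object's SDDL string and applies the integrity check for a low-IL subject such as an IE protected-mode process. The SDDL strings are constructed and the function names are mine; the level SIDs, ACE aliases and policy bits are the documented Windows values.

```python
import re

# Integrity levels as Windows encodes them (S-1-16-<level>) plus the
# two-letter aliases SDDL uses for them inside mandatory label ACEs.
LEVEL_SIDS = {"S-1-16-0": 0, "S-1-16-4096": 4096, "S-1-16-8192": 8192,
              "S-1-16-12288": 12288, "S-1-16-16384": 16384}
LEVEL_ALIASES = {"LW": 4096, "ME": 8192, "HI": 12288, "SI": 16384}
LOW, MEDIUM, HIGH = 4096, 8192, 12288

# Label policy bits (SYSTEM_MANDATORY_LABEL_NO_*_UP) and their SDDL spellings.
POLICY_BITS = {0x1: "NoWriteUp", 0x2: "NoReadUp", 0x4: "NoExecuteUp"}
POLICY_ALIASES = {"NW": "NoWriteUp", "NR": "NoReadUp", "NX": "NoExecuteUp"}
WANT_TO_POLICY = {"write": "NoWriteUp", "read": "NoReadUp", "execute": "NoExecuteUp"}

# One SDDL ACE is "(type;flags;rights;object_guid;inherit_guid;sid)".
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_label(sddl: str):
    """Return (level, policies) from the ML ACE in the SACL ("S:") part of an
    SDDL string, or None when the object carries no integrity label."""
    if "S:" not in sddl:
        return None
    for ace in ACE_RE.findall(sddl.split("S:", 1)[1]):
        f = ace.split(";")
        if len(f) != 6 or f[0] != "ML":
            continue
        rights, sid = f[2], f[5]
        if rights.lower().startswith("0x"):          # numeric access mask form
            mask = int(rights, 16)
            policies = {name for bit, name in POLICY_BITS.items() if mask & bit}
        else:                                         # concatenated NR/NW/NX aliases
            policies = {POLICY_ALIASES[rights[i:i + 2]] for i in range(0, len(rights), 2)}
        if sid in LEVEL_ALIASES:
            level = LEVEL_ALIASES[sid]
        elif sid in LEVEL_SIDS:
            level = LEVEL_SIDS[sid]
        else:
            raise ValueError(f"unknown integrity SID {sid!r}")
        return level, policies
    return None


def mic_allows(subject_level: int, sddl: str, want: str) -> bool:
    """Mandatory integrity check only; the DACL is still evaluated afterwards.
    An unlabeled object is treated as Medium with NoWriteUp, the file default."""
    label = parse_label(sddl)
    level, policies = label if label else (MEDIUM, {"NoWriteUp"})
    if subject_level >= level:
        return True              # equal or higher IL: the label never blocks
    return WANT_TO_POLICY[want] not in policies


def low_il_shell_vs_user_data() -> dict:
    """Haroon's scenario: a low-IL shell (IE protected mode) against the user's
    documents, before and after the label gains NoReadUp (labels constructed)."""
    default_file = "O:BAG:BAD:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FA;;;BU)"  # no S: part
    no_read_up = default_file + "S:(ML;;NRNW;;;ME)"
    return {
        "default_read": mic_allows(LOW, default_file, "read"),     # True
        "default_write": mic_allows(LOW, default_file, "write"),   # False
        "noreadup_read": mic_allows(LOW, no_read_up, "read"),      # False
        "owner_read": mic_allows(MEDIUM, no_read_up, "read"),      # True
    }


if __name__ == "__main__":
    for case, allowed in low_il_shell_vs_user_data().items():
        print(f"{case:14s} {'allowed' if allowed else 'denied'}")
```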