Re: [Full-disclosure] A Botted Fortune 500 a Day

2007-04-13 Thread Knud Erik Højgaard
On 4/13/07, RMueller [EMAIL PROTECTED] wrote:

> How is the information gathered?

The page mentions different types of spam, so it's really just a
matter of doing whois lookups / reverse dns checks and stuff like that
to see where the stuff comes from. Once you filter out all the end
user ranges you can easily do some manual sorting of the list to find
juicy stuff, aka things that are fun to laugh at.

--
Knud

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] patch-9449

2007-04-13 Thread Wong Chee Chun

Dshield's recent diary entry might have something related to this virus, I
guess, except that the filename is patch-58214.zip.

Here is the link to the diary --

http://www.dshield.org/diary.html?storyid=2618&dshield=0fcfb711fed834995b1d52da5f438c11


cheers


On 4/13/07, Steward Smith [EMAIL PROTECTED] wrote:

> Hi,
>
> Had a funny spam today that warned about mails coming from my IP address
> and I should apply the attached patch. The filename was named
> patch-9449.exe which was attached in a password protected zip file -
> presumably to fool your virus scanner.
>
> I unpacked it but my up-to-date virus scanner on my Windows XP vmware
> instance cannot detect any malware.
>
> Has anyone else seen this and know what it is?
>
> Stew

--
Wong Chee Chun
SSA Network Sdn Bhd
509, 5th Flr, Lift Lobby 3, Blk A
Damansara Intan 1 Jalan SS 20/27
Petaling Jaya, Selangor
West Malaysia

Re: [Full-disclosure] patch-9449

2007-04-13 Thread Juha-Matti Laurio
Wong Chee Chun [EMAIL PROTECTED] wrote: 

The Dshield (ISC) page discusses the same issue.
The filenames are randomized. 4 or 5 numbers always.

- Juha-Matti 




[Full-disclosure] [OPENADS-SA-2007-004] Max Media Manager v0.1.29-rc and v0.3.31-alpha-pr2 vulnerability fixed

2007-04-13 Thread Matteo Beccati

Openads security advisory                        OPENADS-SA-2007-004

Advisory ID:   OPENADS-SA-2007-004
Date:  2007-Apr-11
Security risk: medium risk
Applications affected: Max Media Manager
Versions affected:     <= v0.1.29-rc, <= v0.3.31-alpha-pr2
Versions not affected: >= v0.3.31-alpha-pr3




Vulnerability:  HTTP response splitting


Description
---
The ck.php (or adclick.php in v0.1.x) script is vulnerable to HTTP
response splitting attacks because the maxdest parameter is not
properly sanitized.

The vulnerability DOES NOT affect those running PHP >= 4.4.2 or PHP >=
5.1.2, because the header function blocks this kind of attack.

References
--
- OPENADS-SA-2007-03

Solution

- Those running MMM v0.3.x should upgrade to v0.3.31-alpha-pr3
- Those running MMM v0.1.x should replace adclick.php with the updated
   file:

https://developer.openads.org/browser/branches/max/branches/0.1/adclick.php?rev=5697&format=raw


Contact information


The security contact for Openads can be reached at:
security AT openads DOT org


Best regards
--
Matteo Beccati
http://www.openads.org
http://phpadsnew.com
http://phppgads.com
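
The flaw class in the advisory above, HTTP response splitting through an
unsanitised redirect parameter, as an added example in Python (this is not
Openads code; the function names, the allowlisted hosts and the sample input
are constructed). The vulnerable builder copies the parameter straight into
the Location: header, the shape the advisory describes; the hardened one
refuses CR/LF, which is the check PHP's header() applies from 4.4.2 / 5.1.2
onward, and additionally allowlists the destination host, a general
open-redirect precaution that goes beyond what the advisory covers.

```python
"""Added example: response splitting via an untrusted redirect target, with
the hardened builder beside it. All names and inputs are constructed."""
from urllib.parse import urlsplit

# Constructed allowlist of hosts a redirect may point at.
ALLOWED_HOSTS = {"www.example.org", "ads.example.org"}


class HeaderInjection(ValueError):
    """A header value contained characters that would terminate the header."""


def build_redirect_vulnerable(dest):
    """Mirror of the flaw: the parameter goes verbatim into the header block.
    A CR/LF inside `dest` ends the Location: line, so whatever follows is
    read by the client as further headers (or, after a blank line, a body)."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + dest + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def safe_header_value(value):
    """Refuse CR, LF and NUL outright, the rule PHP's header() applies since
    4.4.2 / 5.1.2 (which is why those versions are not affected)."""
    if any(ch in value for ch in "\r\n\0"):
        raise HeaderInjection("control character in header value")
    return value


def build_redirect_hardened(dest):
    """Reject header-breaking characters, then require an absolute http(s)
    URL on an allowlisted host before emitting the redirect."""
    dest = safe_header_value(dest)
    parts = urlsplit(dest)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("destination not allowed: %r" % dest)
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + dest + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def parse_response(raw):
    """Split a raw response the way a naive client or cache would, so the
    effect of an injected line shows up as an extra header."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def rejects(dest):
    """True if the hardened builder refuses `dest`."""
    try:
        build_redirect_hardened(dest)
    except ValueError:          # HeaderInjection is a ValueError too
        return True
    return False


if __name__ == "__main__":
    # Constructed input: a legitimate URL followed by one injected header line.
    tainted = "http://www.example.org/landing\r\nX-Injected: yes"
    print(parse_response(build_redirect_vulnerable(tainted))[1])
    print(rejects(tainted), rejects("https://ads.example.org/click?id=42"))
```

Run it as a script to see the injected header appear in the naive parse of the
vulnerable output and the hardened builder refuse the same input; the allowlist
check is the part to adapt to your own redirect targets.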



Re: [Full-disclosure] A Botted Fortune 500 a Day

2007-04-13 Thread Randall M
Did someone get out of bed on the wrong side??


From: poo [mailto:[EMAIL PROTECTED]
Sent: Friday, April 13, 2007 6:03 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [Full-disclosure] A Botted Fortune 500 a Day


gadi.. SHUT UP

On 4/13/07, RMueller [EMAIL PROTECTED] wrote:

Gadi wrote:

--

Message: 8
Date: Wed, 11 Apr 2007 21:35:47 -0500 (CDT)
From: Gadi Evron [EMAIL PROTECTED]
Subject: [Full-disclosure] A Botted Fortune 500 a Day
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED],
   [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Content-Type: TEXT/PLAIN; charset=US-ASCII

Support Intelligence releases daily reports on different fortune 500
companies which are heavily affected by the botnet problem, with many
compromised machines on their networks.

You can find more information on their blog:
http://blog.support-intelligence.com/

They are good people, and they know botnets.

   Gadi.



--


How is the information gathered?







--
smile tomorrow will be worse


Re: [Full-disclosure] A Botted Fortune 500 a Day

2007-04-13 Thread Steven Adair
Is this in any way surprising?  I think we all know the answer is no.  Many
Fortune 500 companies have more employees than some ISPs have customers. 
Should we really expect differently?

Also, as a side note, I would like to add that just because SPAM is coming
from a certain gateway does not necessarily mean that the machines on
their network are infected.  We could assume this, but then again I would
have to assume Microsoft's network is full of bots because I get SPAM
originating from Hotmail.com.  It might be logical and in many cases to
assume this, but it's worth noting this may not be the case.

Steven



Re: [Full-disclosure] A Botted Fortune 500 a Day

2007-04-13 Thread Jamie Riden
On 13/04/07, Steven Adair [EMAIL PROTECTED] wrote:
> Is this in any way surprising?  I think we all know the answer is no.  Many
> Fortune 500 companies have more employees than some ISPs have customers.
> Should we really expect differently?

Yes! Off the top of my head:

1. Corporations should have more of an economic incentive to prevent
compromises on their internal networks. E.g. TJX breach could cost
company $1B - 
http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html
Now, a typical spambot will cost almost nothing compared with that,
but the point is you don't know the extent of the compromise until
you've examined the machines involved.

2. Corporations have a lot more influence over their employees'
behaviour than ISPs do over their customers. Customers can walk away
to a new ISP with minimal fuss if sanctions are threatened.

3. Corporations can lock down their firewalls a lot tighter than ISPs
can. If my ISP blocked the way my employer does, I would be looking
for a new ISP.

4. ISPs don't own the data on their customers' computers. Corps very
much do own most of the data on their employees' computers. Therefore
they need to worry about confidentiality in a way that ISPs do not.

I used to look after security at a large-ish university and odd
activity would stand out because there the baseline was largely
'normal' traffic. ISPs have little chance to detect 'odd' behaviour
because everyone is doing 'odd' things. Corps should only have a very
few 'odd' things happening on their networks and a single outgoing
portscan or IRC session are grounds for serious concern. (Assuming IRC
is forbidden by policy - if not, you can still profile the IRC servers
you expect to be talking to and those you don't.) It's not hard to
find infected machines at a corp.

> Also, as a side note, I would like to add that just because SPAM is coming
> from a certain gateway does not necessarily mean that the machines on
> their network are infected.  We could assume this, but then again I would
> have to assume Microsoft's network is full of bots because I get SPAM
> originating from Hotmail.com.  It might be logical and in many cases to
> assume this, but it's worth noting this may not be the case.

Based on the Received headers, or just on the From line? The latter
is trivial to forge and has been routinely forged pretty much forever.

If Received headers show that mail has been relayed from within your
organisation, then you have a serious problem, and it's better to
learn of it by checking for outgoing spam than when someone notices
something worse six months down the line.

cheers,
 Jamie
-- 
Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED]
UK Honeynet Project: http://www.ukhoneynet.org/



Re: [Full-disclosure] Spam is funny!

2007-04-13 Thread neal.krawetz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, it's interesting to find that attacks of all sorts (spam,
phishing, and infiltration) are becoming targeted now.  Previously,
attacks were unsophisticated and limited to the unsecured, random
hosts that were vulnerable to dropstatd.  Now it seems these
attackers are catching up and developing slightly more
sophisticated tools for everything.

I fear we are entering a brave new world of information security,
and we need to worry about the next generation of threats.

- - neal

http://www.hackerfactor.com/blog/

On Thu, 12 Apr 2007 20:54:03 -0400 Saeed Abu Nimeh
[EMAIL PROTECTED] wrote:
> good find. i think the same thing applies to ebay users. i have
> seen some phishing mailers that look for ebay userIDs in ebay listing
> pages and send bulk emails to these userids attached to famous email
> domains like yahoo, hotmail, aol, etc. This means that if you've never
> used ebay it is less likely that you will receive an ebay scam.
> Thanks,
> Saeed
>
> [EMAIL PROTECTED] wrote:
>> In my last article at Security Focus, I mentioned that phishing
>> is directed (based on your online profile) and not blast-o-gram
>> (everyone gets one). My example used Arizona. I said:
>>
>> For example, if you are likely in Arizona then you are more
>> likely to receive an Arizona Credit Union phish. They can guess
>> where you are based on the forums you use. If you post in a
>> Tucson forum or write about Flagstaff and Phoenix, then you might be in
>> Arizona.
>>
>> Well, the email address associated with that article just
>> received an Arizona State Credit Union phish. It had never received one
>> of those before.
>>
>> Man, spammers are predictable and funny.
>>
>> - Dr Neal Krawetz, PhD
>> Author of Yggdrasil Linux Unleashed and Other Stupid Shit


-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkYfknsACgkQDpFP8dW5K4Y6UgQAj0hLKY3Q0u2lrAkRu9rAQm/l8z7j
vyPL8dz2Q3LpvHndQxvIn728FDS02uI5bIanPOlHbIkHIOD0hrGjNIjdHCN/Zxn9ZGO2
is9EAQOfn6CNtV5GzNHRw6T5/3lgKOu+duvCS4uUdAX/Vy4n5+x1DIb2r23jWYwP7A6z
NXmddG0=
=ATPo
-----END PGP SIGNATURE-----





Re: [Full-disclosure] A Botted Fortune 500 a Day

2007-04-13 Thread Steven Adair
> On 13/04/07, Steven Adair [EMAIL PROTECTED] wrote:
>> Is this in any way surprising?  I think we all know the answer is no.
>> Many Fortune 500 companies have more employees than some ISPs have
>> customers.  Should we really expect differently?
>
> Yes! Off the top of my head:
>
> 1. Corporations should have more of an economic incentive to prevent
> compromises on their internal networks. E.g. TJX breach could cost
> company $1B -
> http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html
> Now, a typical spambot will cost almost nothing compared with that,
> but the point is you don't know the extent of the compromise until
> you've examined the machines involved.

You list incentives but this doesn't mean I should really expect any
differently.  You are also equating a compromise into TJ MAXX servers for
which details have not been given.  I doubt and hope the same user that's
an account for TJ MAXX and using e-mail isn't connected or able to get to
a server that processes credit card transactions.

> 2. Corporations have a lot more influence over their employees'
> behaviour than ISPs do over their customers. Customers can walk away
> to a new ISP with minimal fuss if sanctions are threatened.

Well this is true but you seem to be missing the point of the comparison.
These are large corporations with tens of thousands (some more, some less)
that are geographically dispersed across the countries.  This isn't a
small shop of 50 elite IT users.  This is probably like most other places
where 90% of the users can barely use Microsoft Word and Excel.  Once
again.. do I expect differently? No.

> 3. Corporations can lock down their firewalls a lot tighter than ISPs
> can. If my ISP blocked the way my employer does, I would be looking
> for a new ISP.

Sure they can in some instances.  How would locking down a firewall stop
this e-mail from going out?  Maybe you can lock down SPAM firewalls but
that doesn't stop the root cause.  You have 100,000 users at a Fortune 500
company with admin access to their Windows laptops.  Are you going to
block them from using the Internet and using e-mail?  If not I am going to
continue to expect them to keep getting infected.

> 4. ISPs don't own the data on their customers' computers. Corps very
> much do own most of the data on their employees' computers. Therefore
> they need to worry about confidentiality in a way that ISPs do not.

Well usually corporations not only own the data on the machines, they own
the computers themselves as well.  You are equating a need and want for
protection with what would really be expected.

> I used to look after security at a large-ish university and odd
> activity would stand out because there the baseline was largely
> 'normal' traffic. ISPs have little chance to detect 'odd' behaviour
> because everyone is doing 'odd' things. Corps should only have a very
> few 'odd' things happening on their networks and a single outgoing
> portscan or IRC session are grounds for serious concern. (Assuming IRC
> is forbidden by policy - if not, you can still profile the IRC servers
> you expect to be talking to and those you don't.) It's not hard to
> find infected machines at a corp.

Not sure last time you ever looked at XDCC/iroffer bots, but they can
range from 10-50% .edu hosts.  Universities are ripe for the picking.
I've participated in UNISOG related lists and I know it's getting better
and just like any organization it can vary from location to location.  I
don't expect anything different here either.

>> Also, as a side note, I would like to add that just because SPAM is
>> coming from a certain gateway does not necessarily mean that the
>> machines on their network are infected.  We could assume this, but then
>> again I would have to assume Microsoft's network is full of bots because
>> I get SPAM originating from Hotmail.com.  It might be logical and in
>> many cases to assume this, but it's worth noting this may not be the case.
>
> Based on the Received headers, or just on the From line? The latter
> is trivial to forge and has been routinely forged pretty much forever.

You are talking about forging a MAIL FROM field.  This is not what I am
talking about.

> If Received headers show that mail has been relayed from within your
> organisation, then you have a serious problem, and it's better to
> learn of it by checking for outgoing spam than when someone notices
> something worse six months down the line.

There's a field in most mail programs where you can enter in an
SMTP/IMAP/Exchange address etc.  This allows you to send e-mail using that
server.  This does not mean you are located on the internal network for
that server.  In fact you could even be using a forwarder server that it
doesn't show you.  Hell you could be using a web form or webmail.  My
point is that seeing a header from a particular location does not
necessarily mean the sender is behind a firewall sitting on that network.

Do you want corporations to protect their data better?  Absolutely.
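
Jamie's point above, that the Received headers rather than the From line are
what tell you whether mail was relayed from inside your organisation, and
Steven's caveat that a Received line naming your server can also come from an
authenticated submission by a client somewhere else, as an added example (not
code from anyone in the thread). It also applies Knud's earlier remark about
filtering out end-user ranges, as a reverse-DNS name heuristic. The address
ranges, the domain, the hint words and all three sample messages are
constructed; it runs offline and makes no DNS or network calls.

```python
"""Added example: classify a mail from its Received: chain alone. Address
ranges, domain and the sample messages are constructed."""
import email
import email.utils
import ipaddress
import re

# Constructed: the address space we treat as "inside the organisation".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]
OUR_DOMAIN = "bigcorp.example"   # constructed: the domain a forged From: would claim
# Reverse-DNS fragments that usually mark consumer (end-user) ranges; a heuristic.
END_USER_HINTS = ("dsl", "dyn", "pool", "cable", "ppp", "dhcp")

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s*\[")
AUTH_RE = re.compile(r"\bESMTPS?A\b|\bauthenticated\b", re.I)


def _addr(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_received(msg):
    """One dict per hop, origin first. Each MTA prepends its own Received:
    line, so the header order in the message is reversed here."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())          # unfold continuation lines
        ip_m, rdns_m = IP_RE.search(text), RDNS_RE.search(text)
        hops.append({
            "ip": _addr(ip_m.group(1)) if ip_m else None,
            "rdns": rdns_m.group(1).lower() if rdns_m else None,
            # ESMTPA/ESMTPSA: the receiving server accepted the mail over
            # SMTP AUTH, so the client need not be on its network at all.
            "authenticated": bool(AUTH_RE.search(text)),
        })
    return hops


def is_internal(ip):
    return ip is not None and any(ip in net for net in INTERNAL_NETS)


def assess(raw_message):
    """Did the mail really leave from inside our network, was it an
    authenticated submission from elsewhere, or is only From: pointing at us?"""
    msg = email.message_from_string(raw_message)
    hops = parse_received(msg)
    origin = hops[0] if hops else {"ip": None, "rdns": None, "authenticated": False}
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rdns = origin["rdns"] or ""
    if is_internal(origin["ip"]) and not origin["authenticated"]:
        verdict = "relayed-from-inside"       # a host on our network: examine that host
    elif origin["authenticated"]:
        verdict = "authenticated-submission"  # our server, remote client: look at the account
    elif from_domain == OUR_DOMAIN:
        verdict = "forged-from-only"          # nothing but the From: line points at us
    else:
        verdict = "external-origin"
    return {"verdict": verdict, "hops": len(hops),
            "origin_ip": str(origin["ip"]) if origin["ip"] else None,
            "origin_rdns": origin["rdns"] or None,
            "end_user_origin": any(h in rdns for h in END_USER_HINTS),
            "from_domain": from_domain}


# Constructed samples (TEST-NET addresses, .example domains); bodies omitted.
SAMPLE_INTERNAL_RELAY = """\
Received: from smtp.bigcorp.example (smtp.bigcorp.example [192.0.2.25])
\tby mx1.example.net with ESMTP; Fri, 13 Apr 2007 10:02:11 +0000
Received: from WS42 (ws42.corp.bigcorp.example [10.7.3.9])
\tby smtp.bigcorp.example with ESMTP; Fri, 13 Apr 2007 10:02:09 +0000
From: "Accounts" <accounts@bigcorp.example>
Subject: Your invoice

"""
SAMPLE_AUTH_SUBMISSION = """\
Received: from smtp.bigcorp.example (smtp.bigcorp.example [192.0.2.25])
\tby mx1.example.net with ESMTP; Fri, 13 Apr 2007 10:02:11 +0000
Received: from [203.0.113.77] (dyn-203-0-113-77.dsl.isp.example [203.0.113.77])
\tby smtp.bigcorp.example with ESMTPSA; Fri, 13 Apr 2007 10:02:09 +0000
From: "Accounts" <accounts@bigcorp.example>
Subject: Your invoice

"""
SAMPLE_FORGED_FROM = """\
Received: from mail.bigcorp.example (unknown [203.0.113.200])
\tby mx1.example.net with ESMTP; Fri, 13 Apr 2007 10:02:11 +0000
From: "Accounts" <accounts@bigcorp.example>
Subject: Your invoice

"""

if __name__ == "__main__":
    for label, raw in (("internal relay", SAMPLE_INTERNAL_RELAY),
                       ("auth submission", SAMPLE_AUTH_SUBMISSION),
                       ("forged from", SAMPLE_FORGED_FROM)):
        print(label, assess(raw))
```

Feed a real message in via `email.message_from_string` on its raw text; the
hint words and the SMTP AUTH regex are deliberately simple and should be tuned
to what your own MTAs actually write into Received lines, and only the
"relayed-from-inside" verdict is the one Jamie describes as a serious problem
with a host on your network.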

Re: [Full-disclosure] A Botted Fortune 500 a Day

2007-04-13 Thread Jamie Riden
Hi Steven,

I believe security of an organisation is orthogonal to the number of
employees/users and how savvy they are. It depends more on the will
and resources to secure the network properly. Two, corporations do
have many financial incentives to make sure they are secure - if they
are doing their risk analyses properly, they can see that. So, yes I
do expect them to fare better - a lot better - than ISPs. More
comments are in-line.

On 13/04/07, Steven Adair [EMAIL PROTECTED] wrote:
>> On 13/04/07, Steven Adair [EMAIL PROTECTED] wrote:
>>> Is this in any way surprising?  I think we all know the answer is no.
>>> Many Fortune 500 companies have more employees than some ISPs have
>>> customers.  Should we really expect differently?
>>
>> Yes! Off the top of my head:
>>
>> 1. Corporations should have more of an economic incentive to prevent
>> compromises on their internal networks. E.g. TJX breach could cost
>> company $1B -
>> http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html
>> Now, a typical spambot will cost almost nothing compared with that,
>> but the point is you don't know the extent of the compromise until
>> you've examined the machines involved.
>
> You list incentives but this doesn't mean I should really expect any
> differently.  You are also equating a compromise into TJ MAXX servers for
> which details have not been given.  I doubt and hope the same user that's
> an account for TJ MAXX and using e-mail isn't connected or able to get to
> a server that processes credit card transactions.

A compromise is a compromise and you don't know the extent until
you've looked at everything. If one of your machines is spewing spam,
how do you know it is also not leaking confidential data to a third
party? Any compromise has the potential to be *extremely* costly.

>> 2. Corporations have a lot more influence over their employees'
>> behaviour than ISPs do over their customers. Customers can walk away
>> to a new ISP with minimal fuss if sanctions are threatened.
>
> Well this is true but you seem to be missing the point of the comparison.
> These are large corporations with tens of thousands (some more, some less)
> that are geographically dispersed across the countries.  This isn't a
> small shop of 50 elite IT users.  This is probably like most other places
> where 90% of the users can barely use Microsoft Word and Excel.  Once
> again.. do I expect differently? No.

There is no reason for an admin to let users compromise the company's
security. If the company cares about security, they can disable admin
rights, lock down the firewall and run an IDS.

I can buy the argument that most companies don't care sufficiently,
but this is really orthogonal to the number and experience level of
their users.

>> 3. Corporations can lock down their firewalls a lot tighter than ISPs
>> can. If my ISP blocked the way my employer does, I would be looking
>> for a new ISP.
>
> Sure they can in some instances.  How would locking down a firewall stop
> this e-mail from going out?  Maybe you can lock down SPAM firewalls but
> that doesn't stop the root cause.  You have 100,000 users at a Fortune 500
> company with admin access to their Windows laptops.  Are you going to
> block them from using the Internet and using e-mail?  If not I am going to
> continue to expect them to keep getting infected.

Block the infection vectors: screen email, http and ftp traffic. No
personal laptops on company networks. No admin rights as far as
possible. Monitor and react to new vectors and threats as they arise.

Yes, I would disable people's Internet access - in fact all intranet
access too. My main interaction with Cisco kit to date is shutting
down Ethernet ports and re-enabling them after the problem has been
resolved. If there's an incident, the plug gets pulled until someone
has examined the machine, and if necessary reinstalled from known good
media.

>> 4. ISPs don't own the data on their customers' computers. Corps very
>> much do own most of the data on their employees' computers. Therefore
>> they need to worry about confidentiality in a way that ISPs do not.
>
> Well usually corporations not only own the data on the machines, they own
> the computers themselves as well.  You are equating a need and want for
> protection with what would really be expected.

They have a financial incentive to look after their machines, so I do
expect them to look after them. An ISP has no such incentive to look
after their customers' machines.

>> I used to look after security at a large-ish university and odd
>> activity would stand out because there the baseline was largely
>> 'normal' traffic. ISPs have little chance to detect 'odd' behaviour
>> because everyone is doing 'odd' things. Corps should only have a very
>> few 'odd' things happening on their networks and a single outgoing
>> portscan or IRC session are grounds for serious concern. (Assuming IRC
>> is forbidden by policy - if not, you can still profile the IRC servers
>> you expect to be talking to and 

Re: [Full-disclosure] A Botted Fortune 500 a Day

2007-04-13 Thread Simon Smith
Just to add my two cents...

The fact is that the cost in damages of a single compromise is usually far
greater than the cost of implementing and maintaining good security. TJX is
a golden example of that.



Re: [Full-disclosure] patch-9449

2007-04-13 Thread Mike Shafer
Myself and a client have received several over the past 24hrs.

I submitted one as the password protected zip file to VirusTotal and 
Kaspersky identified it as a virus/trojan as did several other AV 
products. Names varied so I didn't record them. Was most interested in 
seeing if there was a consistent identification of the archive.

Received another this morning which I unzipped on a Linux box & then
tested with CA AV. It was identified as Win32/Pecoan.R.

- Mike Shafer

Steward Smith wrote:
> Hi,
>
> Had a funny spam today that warned about mails coming from my IP address
> and I should apply the attached patch. The filename was named
> patch-9449.exe which was attached in a password protected zip file -
> presumably to fool your virus scanner.



[Full-disclosure] TSRT-07-04: LANDesk Management Suite Alert Service Stack Overflow Vulnerability

2007-04-13 Thread TSRT
TSRT-07-04: LANDesk Management Suite Alert Service Stack Overflow
Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-07-04.html
April 13, 2007

-- CVE ID:
CVE-2007-1674

-- Affected Vendor:
LANDesk

-- Affected Products:
Management Suite 8.7

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since March 23, 2007 by Digital Vaccine protection
filter ID 5210. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of LANDesk Management Suite. User interaction
is not required to exploit this vulnerability.

The specific flaw exists in the Alert Service listening on UDP port
65535. The Aolnsrvr.exe process accepts user-supplied data and performs
an inline memory copy into a 268 byte stack-based buffer. Supplying
additional data results in a buffer overflow and SEH overwrite. The
vulnerable memory copy is shown here:

0041EF49 mov edi, eax    ; edi pointer to stack buffer
0041EF4B mov eax, ecx
0041EF4D shr ecx, 2      ; total size of data
0041EF50 rep movsd
0041EF52 mov ecx, eax
0041EF54 mov eax, ebx
0041EF56 and ecx, 3
0041EF59 rep movsb

Exploitation allows an attacker to execute arbitrary code under the
context of the SYSTEM user.

-- Vendor Response:
LANDesk has issued an update to correct this vulnerability. More details
can be found at:

http://kb.landesk.com/display/4n/kb/article.asp?aid=4142

-- Disclosure Timeline:
2007.03.08 - Vulnerability reported to vendor
2007.03.23 - Digital Vaccine released to TippingPoint customers
2007.04.13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint
Security Research Team.



Re: [Full-disclosure] A Botted Fortune 500 a Day

2007-04-13 Thread Dude VanWinkle
>> From: poo [mailto:[EMAIL PROTECTED]
>> Sent: Friday, April 13, 2007 6:03 AM
>> To: [EMAIL PROTECTED]
>> Cc: [EMAIL PROTECTED];
>> [EMAIL PROTECTED]; [EMAIL PROTECTED]
>> Subject: Re: [Full-disclosure] A Botted Fortune 500 a Day
>>
>> gadi.. SHUT UP

On 4/13/07, Randall M [EMAIL PROTECTED] wrote:

> Did someone get out of bed on the wrong side??

or have their CC bots shut down :-P

-JP
aww, poor baby
-JP



Re: [Full-disclosure] A Botted Fortune 500 a Day

2007-04-13 Thread RMueller
Dude VanWinkle [EMAIL PROTECTED] wrote:

>>> From: poo [mailto:[EMAIL PROTECTED]
>>> Sent: Friday, April 13, 2007 6:03 AM
>>> To: [EMAIL PROTECTED]
>>> Cc: [EMAIL PROTECTED];
>>> [EMAIL PROTECTED]; [EMAIL PROTECTED]
>>> Subject: Re: [Full-disclosure] A Botted Fortune 500 a Day
>>>
>>> gadi.. SHUT UP
>
> On 4/13/07, Randall M [EMAIL PROTECTED] wrote:
>
>> Did someone get out of bed on the wrong side??
>
> or have their CC bots shut down :-P
>
> -JP
> aww, poor baby
> -JP

HaHaha!! that was good. Dammit I should have thought of that!

thanks
Randall


