[Full-disclosure] BS.Player 2.22 NULL ptr dereference

2007-08-02 Thread edi.strosar

=
Team Intell Security Advisory TISA2007-10-Private
-
BS.Player 2.22 NULL pointer dereference
=


Release Date: 03.08.2007
Severity:     Less critical
Impact:       Failure to handle exceptional conditions
Status:       Official patch available
Software:     BS.Player 2.22
Tested on:    Microsoft Windows XP Professional SP2
Vendor:       http://www.bsplayer.com
              http://www.bsplayer.org
Disclosed:    Edi Strosar (Team Intell)


Description:


BS.Player is a media player for the Windows platform that 
supports many kinds of multimedia files. The application 
is susceptible to a NULL/invalid pointer dereference that 
will crash the application.

The exception may be reproduced by using the "Load 
subtitles" function from the context menu or by pressing 
CTRL + L during movie playback. The vendor was already 
aware of the problem.


Debugger output:


0:000> g
(ac8.cf4): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception 
handling.
This exception may be expected and handled.
eax= ebx=032ea810 ecx= edx=032fa440 
esi= edi=032d
eip=032ea8ed esp=0012d514 ebp=0012d538 iopl=0 nv 
up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= 
efl=00010297
032ea8ed 015600  add dword ptr [esi],edx 
 ds:0023:=


Tested on BS.Player 2.22 free. Other versions of 2.22 
series may be vulnerable.


Solution:
=
On August 1st, 2007 the vendor released version 2.23, which 
solves this issue.


Timeline:
=
02.08.2007 - bug analysis
03.08.2007 - public disclosure


Contact:

Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI

tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: [EMAIL PROTECTED]


Disclaimer:
===
The content of this report is purely informational and 
meant for educational purposes only. Maldin d.o.o. shall 
in no event be liable for any damage whatsoever, direct or 
implied, arising from use or spread of this information. 
Any use of information in this advisory is entirely at 
user's own risk.


=

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [Whitepaper SecNiche] Insecurities in Implementing Serialization in BISON

2007-08-02 Thread Pranay Kanwar

Thanks for the bullshit once again.

"...Remember students there are no stupid questions, only stupid people..."
--   Mr. Garrison to Stan in a 
Southpark episode.

warl0ck // MSG



Re: [Full-disclosure] [Whitepaper SecNiche] Insecurities in Implementing Serialization in BISON

2007-08-02 Thread Joey Mengele
LOLOLOLOLOLOLOLOLOLOLOL

On Thu, 02 Aug 2007 14:32:58 -0400 Debasis Mohanty 
<[EMAIL PROTECTED]> wrote:
>>> On Sat, 04 Aug 2007 01:17:36
>
>Interesting! I thought time machine only appears in movies :)
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of 
>Joey Mengele
>Sent: 02 August 2007 22:41
>To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED];
>[EMAIL PROTECTED]
>Subject: Re: [Full-disclosure] [Whitepaper SecNiche] Insecurities
>inImplementing Serialization in BISON
>
>LOLOLOLOLOLOLOLOL!
>
>This is the most retarded shit I have ever read in my life. Are 
>you 
>a Ph.D?
>
>Doc J
>
>On Sat, 04 Aug 2007 01:17:36 -0400 Aditya K Sood 
><[EMAIL PROTECTED]> wrote:
>>hi
>>
>> A specific white paper has been released comprising
>>specific application problems related to Bison.
>>
>>You can look into it.
>>
>>http://www.secniche.org/papers/Ser_Insec_Bison.pdf
>>
>>Regards
>>AKS
>>http://www.secniche.org
>>
>
>




[Full-disclosure] Minimo .2 and more Firefox 2.0.0.6 Password Manager Vulnerabilities

2007-08-02 Thread Seth Fogie
Airscanner Mobile Security Advisory #07080102: Minimo <=.2 and Firefox 2.0.0.6

Product:
Minimo <=.2 and Firefox 2.0.0.6

Platform:
Tested on Minimo .016 and .2 on Windows Mobile Pocket PC 2005, and on 
Firefox 2.0.0.6 on Windows XP SP2

Requirements:
Mobile device running Windows Mobile Pocket PC or Firefox 2.0.0.6 on XP

Credits:
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
01/10/2007 for Minimo .016 and 07/22/2007 for Minimo .2 (Windows Mobile) 
and 08/02/2007 for Firefox 2.0.0.6

Risk Level:
High - Disclosure of sensitive information

Program Summary:
From the website: http://www.mozilla.org/projects/minimo/

Minimo uses Mozilla Technologies to produce a highly usable web browser 
for advanced mobile devices. Features include:
* Fast access to your mobile content via Homebase start page
* Best support for modern web standards (Javascript and AJAX).
* Social Bookmarking
* Tab browsing
* RSS Support
* Proven security (TLS, SSL3)
* International support
* Cross platform capability
* Widget and Extension support

Vulnerability Details:
Minimo includes a password manager feature that allows users to store 
user/password information for sites they visit. There are two ways this 
feature can be abused. First, the action of any form can be changed 
dynamically via JavaScript, which could be introduced into a site via a 
cross-site scripting (XSS) bug. Second, the form fields can be 
automatically filled in without user interaction. As a result, an XSS bug 
could allow an attacker to inject an invisible form into a victim's 
browser that could collect the user/pass without any interaction or 
visible indication.

Note: The Password Manager bug is often misunderstood as to how it works. 
The reason is that there are numerous subtle variations in how the 
username and password show up. The following highlights some of these:

1. If there is only one username stored in the password manager for the 
specific site, it will automatically show up in the username field. If there 
is more than one username stored in the Password Manager, a user would 
normally type in or select the specific username for the site, which 
then allows Minimo/Firefox to fill in the password. As a result, an 
attacker would have to know the username to successfully grab the 
credentials.

2. If the password field is named 'password' and there is only one 
username associated with the site, the Password Manager will 
automatically fill in both the user and password. This particular 
version was noticed by 
http://www.heise-security.co.uk/services/browsercheck/demos/moz/pass1.shtml.

Similar Firefox bugs have been known about since mid-2006; however, 
https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c44 indicates these 
are supposedly resolved.

The details and vulnerable status of Minimo .2 and below are new.

Proof of Concept

The following webpage provides links to two pages. The login.php page 
is just a sample form that you can enter a user/pass into. Enter and 
save some sample info and then click on the second poc.htm link. This 
will open a page with a script inside that dynamically creates a framed 
environment, one frame of which is essentially hidden (note: using 
style:hidden will not work). In the hidden frame, the login.php page is 
loaded, the action is changed, and the user/pass are tickled into the 
form fields. You should see two popups - one with the changed form 
action, and the other with the stored user & pass variables.

http://www.airscanner.com/tests/minimo.htm

Workaround:
Don't use password manager.

Vendor Response:
Awaiting Response.

Copyright (c) 2007 Airscanner Corp.

Permission is granted for the redistribution of this alert 
electronically. It may not be edited in any way without the express 
written consent of Airscanner Corp. If you wish to reprint the whole or 
any part of this alert in any other medium other than electronically, 
please contact Airscanner Corp. for permission.

Disclaimer: The information in the advisory is believed to be accurate 
at the time of publishing based on currently available information. Use 
of the information constitutes acceptance for use on an AS IS condition. 
There are no warranties with regard to this information. Neither the 
author nor the publisher accepts any liability for any direct, indirect, 
or consequential loss or damage arising from use of, or reliance on, 
this information.




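The following is an added example, not code from the Airscanner advisory or from Minimo/Firefox. It models the autofill decision the advisory describes (note 1: exactly one saved username for the site means both fields get filled without user interaction) and the attack step of the PoC (a script rewriting the login form's action so the filled-in credentials are posted to the attacker). The saved entry, the origins and the hardened rule (refuse to fill when the form's action resolves to an origin other than the one the credentials were saved for) are constructions for this example, not the vendor's fix.

```javascript
// Added example, not from the Airscanner advisory or from Minimo/Firefox source.
// Models the autofill decision the advisory describes and the attack step:
// injected script rewrites a login form's action so that whatever the password
// manager fills in is posted to the attacker. Every origin, URL and saved
// entry below is constructed for this example.

// Constructed store: the one credential the user saved for the legitimate site.
const SAVED_ENTRIES = [
  { origin: 'http://login.example', username: 'alice', password: 'hunter2' },
];

// Resolve a form's action (absolute, relative or scheme-relative) against the
// page it lives on and return the origin the credentials would be posted to.
function actionOrigin(form, pageOrigin) {
  try {
    return new URL(form.action, pageOrigin + '/').origin;
  } catch (e) {
    return null;  // unparsable action: treat as untrusted
  }
}

// Naive policy, as the advisory says Minimo/Firefox behaved: if exactly one
// entry is saved for the page origin, fill user and password without looking
// at where the form submits. With several entries the user has to pick one.
function naiveAutofill(pageOrigin, form, saved = SAVED_ENTRIES) {
  const matches = saved.filter(e => e.origin === pageOrigin);
  if (matches.length !== 1) return null;
  return { user: matches[0].username, pass: matches[0].password };
}

// Hardened policy (a rule constructed for this example): additionally refuse
// to fill when the form's action resolves to an origin other than the one the
// credentials were saved for, which is exactly what the rewritten action does.
function hardenedAutofill(pageOrigin, form, saved = SAVED_ENTRIES) {
  const matches = saved.filter(e => e.origin === pageOrigin);
  if (matches.length !== 1) return null;
  const target = actionOrigin(form, pageOrigin);
  if (target !== matches[0].origin) return null;
  return { user: matches[0].username, pass: matches[0].password };
}

// The attack step from the advisory's PoC: script in the page (e.g. via an XSS
// bug) changes the action of the hidden login form to the attacker's server.
function rewriteAction(form, attackerUrl) {
  return { ...form, action: attackerUrl };
}

// Run both policies against the legitimate form and the hijacked one.
function demo() {
  const pageOrigin = 'http://login.example';
  const legit = { action: '/login.php' };
  const hijacked = rewriteAction(legit, 'http://attacker.example/collect');
  return {
    naiveLegit: naiveAutofill(pageOrigin, legit),             // filled (fine)
    naiveHijacked: naiveAutofill(pageOrigin, hijacked),       // filled (leaks)
    hardenedLegit: hardenedAutofill(pageOrigin, legit),       // filled (fine)
    hardenedHijacked: hardenedAutofill(pageOrigin, hijacked), // null (refused)
  };
}

console.log(demo());
```

The point of the comparison is that the naive policy cannot tell the two forms apart: both live on the saved origin, so both get filled, and only the hijacked one leaks. Checking the resolved action origin catches absolute, relative and scheme-relative rewrites alike.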


[Full-disclosure] L2TP packet generator/Fuzzer?

2007-08-02 Thread crazy frog crazy frog
Hi,

For some work I need an L2TP packet generator/fuzzer. Is there any tool
available for it?

-- 
---
http://www.secgeeks.com
get a blog on SecGeeks :)
register here:-
http://secgeeks.com/user/register
rss feeds :-
http://secradar.com/node/feed

http://www.newskicks.com
Submit and kick for new stories from all around the world.
---



Re: [Full-disclosure] [Whitepaper SecNiche] Insecurities in Implementing Serialization in BISON

2007-08-02 Thread Debasis Mohanty
>> On Sat, 04 Aug 2007 01:17:36

Interesting! I thought time machine only appears in movies :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joey Mengele
Sent: 02 August 2007 22:41
To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [Full-disclosure] [Whitepaper SecNiche] Insecurities
inImplementing Serialization in BISON

LOLOLOLOLOLOLOLOL!

This is the most retarded shit I have ever read in my life. Are you 
a Ph.D?

Doc J

On Sat, 04 Aug 2007 01:17:36 -0400 Aditya K Sood 
<[EMAIL PROTECTED]> wrote:
>hi
>
> A specific white paper has been released comprising
>specific application problems related to Bison.
>
>You can look into it.
>
>http://www.secniche.org/papers/Ser_Insec_Bison.pdf
>
>Regards
>AKS
>http://www.secniche.org
>





Re: [Full-disclosure] [Whitepaper SecNiche] Insecurities in Implementing Serialization in BISON

2007-08-02 Thread Joey Mengele
You're welcome.

Doc J

On Sat, 04 Aug 2007 02:44:18 -0400 Aditya K Sood 
<[EMAIL PROTECTED]> wrote:
>Hi joey
>
>Thanks. no Problem.
>
>Regards
>AKS




[Full-disclosure] [Whitepaper SecNiche] Insecurities in Implementing Serialization in BISON

2007-08-02 Thread Aditya K Sood

Hi joey

Thanks. no Problem.

Regards
AKS



Re: [Full-disclosure] [Whitepaper SecNiche] Insecurities in Implementing Serialization in BISON

2007-08-02 Thread Joey Mengele
LOLOLOLOLOLOLOLOL!

This is the most retarded shit I have ever read in my life. Are you 
a Ph.D?

Doc J

On Sat, 04 Aug 2007 01:17:36 -0400 Aditya K Sood 
<[EMAIL PROTECTED]> wrote:
>hi
>
> A specific white paper has been released comprising
>specific application problems related to Bison.
>
>You can look into it.
>
>http://www.secniche.org/papers/Ser_Insec_Bison.pdf
>
>Regards
>AKS
>http://www.secniche.org
>




[Full-disclosure] [Whitepaper SecNiche] Insecurities in Implementing Serialization in BISON

2007-08-02 Thread Aditya K Sood
hi

A specific white paper has been released comprising
specific application problems related to Bison.

You can look into it.

http://www.secniche.org/papers/Ser_Insec_Bison.pdf

Regards
AKS
http://www.secniche.org



[Full-disclosure] Testing from the browser

2007-08-02 Thread David Kierznowski
Technika is a Firefox plugin that pdp and I were toying with some months
back. The original idea behind this project was to provide independent
self-contained security tools based on JavaScript which can be loaded and
executed from the browser.

TS Framework is an automated web application testing framework that is
launched from the browser . . .

The advantage here over traditional security tools is that we utilize the
existing browser functionality instead of re-inventing the wheel. In other
words, Technika doesn't have to worry about network sockets, SSL libraries,
whether it's OS independent and so on. Basically, anything the browser can
do, we can.

Check out more info at:
http://www.gnucitizen.org/blog/introducing-technika-security-framework/

[Full-disclosure] DVD Rental System multiple XSS and CSRF vulnerabilities

2007-08-02 Thread edi.strosar

=
TeamIntell Security Advisory TISA2007-04-Public
-
DVD Rental System multiple XSS and CSRF vulnerabilities
=


Release Date: 02.08.2007
Severity:     Less critical
Impact:       Cross Site Scripting (XSS)
              Cross Site Request Forgery (CSRF)
Status:       Official patch available
Software:     DVD Rental System 5.1 (DRS)
Vendor:       http://www.dvdrentalsystem.com/
Disclosed:    Edi Strosar (TeamIntell)


Description:


DRS, an online DVD rental application, is vulnerable to 
multiple XSS and CSRF attacks. A proof of concept will not 
be publicly released.


Details:


TeamIntell discovered multiple vulnerabilities in the online 
DVD Rental System, which can be exploited by malicious 
users to conduct cross-site scripting[1] and cross-site 
request forgery[2] attacks:

[1] DRS does not properly sanitize user-supplied data 
before sending it to clients. This can be exploited to 
execute arbitrary HTML and script code in a user's browser 
session in the context of an affected site.

[2] The script index.php allows users to perform certain 
actions via HTTP requests without performing validity 
checks to verify the request. This can be exploited to 
modify users' data or cancel subscriptions permanently.

Note: in some cases CSRF attacks could be site specific. 
TeamIntell developed a working PoC that affects users of one 
of DVD Rental System's business partners.

The vulnerabilities are confirmed in DVD Rental System 
version 5.1. Other versions may be affected.


Solution:
=

The vendor has reported that the DVD Rental System scripts are 
updated and patched. Customers should contact the vendor 
for details.


References:
===

http://en.wikipedia.org/wiki/XSS
http://en.wikipedia.org/wiki/Cross-site_request_forgery


Timeline:
=

20.07.2007 - vulnerabilities discovered
21.07.2007 - vendor informed
01.08.2007 - vendor reports that the scripts are updated 
and patched
02.08.2007 - public disclosure


Contact:


Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI

tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: [EMAIL PROTECTED]


Disclaimer:
===

The content of this report is purely informational and 
meant for educational purposes only. Maldin d.o.o. shall 
in no event be liable for any damage whatsoever, direct or 
implied, arising from use or spread of this information. 
Any use of information in this advisory is entirely at 
user's own risk.

=



[Full-disclosure] CVE-2007-3384: XSS in Tomcat cookies example

2007-08-02 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2007-3384: XSS in Tomcat cookies example

Severity:
Low (Cross-site scripting)

Vendor:
The Apache Software Foundation

Versions Affected:
3.3 to 3.3.2

Description:
When reporting error messages, Tomcat does not filter user supplied
data before display. This enables an XSS attack.

Mitigation:
Remove examples web application.
Apply patch available from http://tomcat.apache.org/download-33.cgi

Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.

Example:
http://localhost:8080/examples/servlet/CookieExample
populate Name or Value field with:
<script>alert('XSS reflected');</script>
and submit.

References:
http://tomcat.apache.org/security.html
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGsU0Vb7IeiTPGAkMRAoiwAJ4iETiZnDPLKM0v69YZ/FaIhGS8GwCgt+ux
FB0O3FigwHs+A8pP98+gRiA=
=VePF
-END PGP SIGNATURE-

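The following is an added example, not code from Tomcat, from DVD Rental System or from either advisory. It shows the two server-side checks whose absence the Tomcat CVE-2007-3384 report and the DVD Rental System advisory above describe: HTML-encoding user input before echoing it back (the reflected XSS in the CookieExample and in DRS), and binding state-changing requests to a per-session secret plus an Origin check (the index.php CSRF that could cancel a subscription). The handler name, the session, the token value and the sample requests are constructed for this example.

```javascript
// Added example, not from Tomcat, DRS or either advisory. Shows the two
// server-side checks whose absence the advisories describe: HTML-encoding
// user input before echoing it (reflected XSS in the Tomcat CookieExample and
// in DRS), and binding state-changing requests to a per-session secret (the
// DRS index.php CSRF). Names, the session and the requests are constructed.

// Encode the five characters that let input break out of HTML text or a
// double- or single-quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// How the vulnerable pages behaved: the submitted cookie name/value go into
// the response unchanged, so a value of <script>...</script> runs in the
// victim's browser in the site's context.
function renderCookieUnsafe(name, value) {
  return `<p>Cookie ${name} set to ${value}</p>`;
}

// Hardened: the same payload is rendered as inert text.
function renderCookieSafe(name, value) {
  return `<p>Cookie ${escapeHtml(name)} set to ${escapeHtml(value)}</p>`;
}

// Constant-time string comparison so the token check does not leak a prefix
// match through timing. (Node's crypto.timingSafeEqual does the same.)
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hypothetical "cancel subscription" handler. The vulnerable shape acts on any
// request that names the action; the hardened one requires POST, rejects a
// foreign Origin header, and requires the session's CSRF token in the form
// body, which a page on another site cannot read.
function cancelSubscriptionUnsafe(session, req) {
  if (req.params.action === 'cancel') return { status: 200, cancelled: session.user };
  return { status: 400 };
}

function cancelSubscriptionSafe(session, req, siteOrigin) {
  if (req.method !== 'POST') return { status: 405 };
  if (req.headers.origin && req.headers.origin !== siteOrigin) {
    return { status: 403, reason: 'foreign origin' };
  }
  const token = req.params.csrf_token || '';
  if (!session.csrfToken || !constantTimeEqual(token, session.csrfToken)) {
    return { status: 403, reason: 'missing or wrong csrf token' };
  }
  if (req.params.action !== 'cancel') return { status: 400 };
  return { status: 200, cancelled: session.user };
}

// Constructed inputs: a logged-in session (token would come from
// crypto.randomBytes in real code) and a cross-site forged request that the
// victim's browser sends with the session cookie attached.
const SESSION = { user: 'alice', csrfToken: '9f2c41e7b0d35a68' };
const FORGED = {
  method: 'POST',
  headers: { origin: 'http://attacker.example' },
  params: { action: 'cancel' },
};
const LEGIT = {
  method: 'POST',
  headers: { origin: 'http://drs.example' },
  params: { action: 'cancel', csrf_token: SESSION.csrfToken },
};

function demo() {
  const payload = "<script>alert('XSS reflected');</script>";
  return {
    unsafeHtml: renderCookieUnsafe('Name', payload),                            // script tag intact
    safeHtml: renderCookieSafe('Name', payload),                                // encoded, inert
    forgedUnsafe: cancelSubscriptionUnsafe(SESSION, FORGED),                    // 200: cancelled
    forgedSafe: cancelSubscriptionSafe(SESSION, FORGED, 'http://drs.example'),  // 403
    legitSafe: cancelSubscriptionSafe(SESSION, LEGIT, 'http://drs.example'),    // 200
  };
}

console.log(demo());
```

The Origin check alone is not sufficient (older browsers and some request shapes omit the header), which is why the token is required as well; the two checks fail closed independently.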


[Full-disclosure] rPSA-2007-0153-1 qt-x11-free

2007-08-02 Thread rPath Update Announcements
rPath Security Advisory: 2007-0153-1
Published: 2007-08-01
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
qt-x11-free=/[EMAIL PROTECTED]:devel//1/3.3.4-5.9-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3388
https://issues.rpath.com/browse/RPL-1597

Description:
Previous versions of the qt-x11-free package are vulnerable to
user-assisted format-string attacks, possibly leading to arbitrary
code execution in applications that use the QTextEdit widget.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
