Re: [Full-disclosure] Remote hole in OpenBSD 4.1

2007-08-07 Thread Joey Mengele
LOLOLOL STOP NAMEDROPPING YOU GAY BASHING KIKE

J

On Mon, 06 Aug 2007 05:19:13 -0400 Gadi Evron <[EMAIL PROTECTED]> wrote:
>Sorry, I don't know who [EMAIL PROTECTED] is, but it wasn't me. I'd
>suggest emailing Rocky, he likes big guys. :)
>
>Thanks,
>
>   Gadi.
>
>On Mon, 6 Aug 2007, monikerd wrote:
>
>> Gadi Evron wrote:
>>> I formerly had a great deal of respect, bordering on admiration, for Theo
>>> deRaadt's refusals to compromise his open source principles, even in the
>>> face of stiff opposition. Although he has occasionally gone over-the-top,
>>> recommended some frankly very dubious changes to OpenBSD, and is regularly
>>> arrogant (which is even more annoying because he's so often right!), he's
>>> always remained consistent in his devotion to the cause of GNU/Free Software.
>>>
>>> Notice "formerly": my confidence in deRaadt has been soundly shaken by his
>>> latest round of unfounded aspersions cast against Intel's Core 2 line of
>>> CPUs. Instead of getting the facts with careful analysis and study, deRaadt
>>> has jumped the gun by trying to preempt proper research with posts to the
>>> openbsd-misc mailing list. This in itself wouldn't be so bad, but his only
>>> proper citation is a 404 page, and his only other source is an old summary
>>> of unverified errata from a hobbyist website.
>>>
>>> The lack of fact-checking and complete absence of any credible sources for
>>> his allegations is suspicious in itself, but he compounds it into a complete
>>> boner by making an equally unsupported claim that the supposed (in fact
>>> non-existent) CPU problems are security flaws:
>>>
>>> As I said before, hiding in this list are 20-30 bugs that cannot be worked
>>> around by operating systems, and will be potentially exploitable. I would
>>> bet a lot of money that at least 2-3 of them are.
>>>
>>> Without real references to back up his exaggerated concerns, deRaadt's post
>>> crosses the line into outright libel and scare-mongering. It's obvious when
>>> you know what to look for: the subtle use of neurolinguistic priming in
>>> emotive leading phrases such as "some errata like AI65, AI79, AI43, AI39,
>>> AI90, AI99 scare the hell out of us", "Open source operating systems are
>>> largely left in the cold", "hiding in this list", and so forth. This does
>>> not lead me to share Theo's purported fears; instead it leads me to believe
>>> that he's trying to unduly influence Intel's reputation with lies.
>>>
>>> I have an idea of why. It's the same reason deRaadt feels comfortable in
>>> saying that he'd "bet a lot of money" on Intel's Core 2 processors having
>>> multiple (not one, but several) security flaws originating from these
>>> errata. Namely, one of Intel's largest competitors has supplied the OpenBSD
>>> project with a substantial amount of monetary support since 2004, presumably
>>> because they can't compete even in the open source market without propping
>>> it up with a flow of money. They cannot maintain their position on the
>>> processor front, so they're resorting to buying out open source software
>>> developers. It's regrettably cheap to do so, even if they have deRaadt's
>>> prestige, because their business models stifle income and so a monolith such
>>> as AMD can trivially tempt them with greater incentives. In fact deRaadt is
>>> an easier target for "donations" because he makes it clear that he has no
>>> business model for OpenBSD.
>>>
>>> Intel, by contrast, have no discernible incentive to deceive or play down
>>> security flaws in their products; the consecutive f00f and FDIV bugs of the
>>> past have taught Intel that their best course of action is to face up to
>>> their errors and offer speedy fixes.
>>>
>>> DeRaadt's claim that Intel must "be come [sic] more transparent" is most
>>> unfounded, especially when one considers who stands to benefit from this
>>> anti-Intel arrangement; the connections between the AMD-ATI leviathan and
>>> deRaadt-driven projects are not hard to find. AMD make a point of
>>> emphasising OpenBSD's place in the "AMD64 ecosystem", and, as already
>>> mentioned, lends its deep pockets to deRaadt's grasp. And the connections go
>>> both ways too: deRaadt has a blatant chip on his shoulder regarding Intel.
>>>
>>> Ultimately, it hasn't been enough for deRaadt to level unsubstantiated
>>> libels at Intel, or to elicit spurious security fears about its solidly
>>> tested products. He's added an extra layer of hypocrisy on top by attacking
>>> Intel for being opaque and complaining about made-up fatal flaws in their
>>> Core 2 system. I would go as far as to posit that it is in fact deRaadt's
>>> system for running the OpenBSD project which has a fatal flaw. This escapade
>>> proves that deRaadt -- and by extension the OpenBSD project -- is simply too
>>> vulnerable to external influence from corporations with a vested interest
>>> a

Re: [Full-disclosure] Right, or wrong?

2007-08-07 Thread Brian Eaton
On 8/7/07, Sol_Invictus <[EMAIL PROTECTED]> wrote:
> My 2 cents?  Anyone trying to sell a bug to the vendor with the problem is
> extortion.  Feel free to sell it to others, but only AFTER giving the vendor
> a chance to fix it.  If the vendor ignores you then that's what FD is all
> about... but please let's be responsible out there!

As far as some vendors are concerned, threatening full disclosure is
equivalent to extortion.  I don't know what lawyers would think of
that definition.

- Brian

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Right, or wrong?

2007-08-07 Thread Sol_Invictus
Gates doesn't have bugs... He has Features!  ;-)

My 2 cents?  Anyone trying to sell a bug to the vendor with the problem is
extortion.  Feel free to sell it to others, but only AFTER giving the vendor
a chance to fix it.  If the vendor ignores you then that's what FD is all
about... but please let's be responsible out there!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Kim
Wireless Internet Advisor
Sent: Tuesday, August 07, 2007 8:06 PM
To: Jared DeMott
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Right, or wrong?

Ask gates what his business position is regarding bugs

On 8/7/07, Jared DeMott <[EMAIL PROTECTED]> wrote:
> All:
>
> So, I've tried the vendor pay model for bug hunting and it wasn't always
> well received.  Apparently auction sites and 3rd party purchasers are
> fine, but some folks don't like the idea of selling directly to the
> vendor.  I was thinking that this would be ideal since the vendor would
> have the most interest in knowing about/fixing the bug.  My question to
> the list is this:
> Is it morally right, wrong, don't know, don't care, good business, bad
> business, etc.?  Either way we're moving away from that model, but I was
> just curious how others on FD see it.
>
> Blessings,
> Jared
> --
Robert Q Kim, Wireless Internet Provider
http://evdo-coverage.com/satellite-wireless-internet.html
http://groups.google.com/group/unpaid-overtime
2611 S. Pacific Coast Highway 101
Suite 203 Unpaid Overtime Dept
Cardiff by the Sea, CA 92007
206 984 0880

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Right, or wrong?

2007-08-07 Thread Thierry Zoller
Dear Jared,

My opinion :

>but some folks don't like the idea of selling directly to the
>vendor.
It reads a bit like the mob, extortion style. I have a bug, you want it?
Pay me money.


PS. Nice presentation @BH


-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [USN-496-2] poppler vulnerability

2007-08-07 Thread Kees Cook
===========================================================
Ubuntu Security Notice USN-496-2                 August 07, 2007
poppler vulnerability
CVE-2007-3387
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libpoppler1  0.5.1-0ubuntu7.2

Ubuntu 6.10:
  libpoppler1  0.5.4-0ubuntu4.2

Ubuntu 7.04:
  libpoppler1  0.5.4-0ubuntu8.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-496-1 fixed a vulnerability in koffice.  This update provides the
corresponding updates for poppler, the library used for PDF handling in
Gnome.

Original advisory details:

 Derek Noonburg discovered an integer overflow in the Xpdf function
 StreamPredictor::StreamPredictor(). By importing a specially crafted PDF
 file into KWord, this could be exploited to run arbitrary code with the
 user's privileges.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler_0.5.1-0ubuntu7.2.diff.gz
  Size/MD5: 9689 fd83cab364b869ead211c939f00600c8

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler_0.5.1-0ubuntu7.2.dsc
  Size/MD5: 1725 d97c39626aa8fa19cf271c9d6adde9d6

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler_0.5.1.orig.tar.gz
  Size/MD5:   954930 a136cd731892f4570933034ba97c8704

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-dev_0.5.1-0ubuntu7.2_amd64.deb
  Size/MD5:   719270 69d465f873de06c44b7b02729a645caa

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib-dev_0.5.1-0ubuntu7.2_amd64.deb
  Size/MD5:57132 52fb553e8d00a41b0cd060e4e472a1d0

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt-dev_0.5.1-0ubuntu7.2_amd64.deb
  Size/MD5:46302 5053a4394689efb866d988efba410f53

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler1-glib_0.5.1-0ubuntu7.2_amd64.deb
  Size/MD5:51914 6d3c9d025a0fbdc4a68df8639b55ed98

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler1-qt_0.5.1-0ubuntu7.2_amd64.deb
  Size/MD5:42524 3933ee0524a7c73145ea12eed24c0974

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler1_0.5.1-0ubuntu7.2_amd64.deb
  Size/MD5:   536308 1da646e263fc345d8973d8f547ceb1ac

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler-utils_0.5.1-0ubuntu7.2_amd64.deb
  Size/MD5:99866 ee64cf9213680d235dc091f476c03a06

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-dev_0.5.1-0ubuntu7.2_i386.deb
  Size/MD5:   651382 6126b1f5dfb2e57b6f045ec2984ca862

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib-dev_0.5.1-0ubuntu7.2_i386.deb
  Size/MD5:53836 170e8ece3dc2f8066f48c59e44052ef6

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt-dev_0.5.1-0ubuntu7.2_i386.deb
  Size/MD5:44294 8099be233a67d2096eedffd106744cc8

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler1-glib_0.5.1-0ubuntu7.2_i386.deb
  Size/MD5:49820 8b15bafb3c8db3dd0e8673e9018e1ab2

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler1-qt_0.5.1-0ubuntu7.2_i386.deb
  Size/MD5:41412 fb47a72bcc3bc57e7ab7a9366c63a30f

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler1_0.5.1-0ubuntu7.2_i386.deb
  Size/MD5:   494400 8b29531d50d70e6eac672aa8b032a507

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler-utils_0.5.1-0ubuntu7.2_i386.deb
  Size/MD5:93050 45169b5d3a7ac070d7b18b2b84effd6b

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-dev_0.5.1-0ubuntu7.2_powerpc.deb
  Size/MD5:   758382 c917bddc9440273bfd176858e3b3b474

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib-dev_0.5.1-0ubuntu7.2_powerpc.deb
  Size/MD5:59126 a1f6bc920cf8503fba0312ab7f2ba5da

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt-dev_0.5.1-0ubuntu7.2_powerpc.deb
  Size/MD5:46430 e057682bf00e58ac71954d8bd5da3868

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler1-glib_0.5.1-0ubuntu7.2_powerpc.deb
  Size/MD5:53142 f36b7d07b32037a635d81f41a88ae8a4

http://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler1-qt_0.5.1-0ubuntu7.2_powerpc.deb
  Size/MD5:43784 709aea77f79f7557d403e8e915fb0d7b

http://security.ubuntu.com/ubuntu/pool/main/p/poppl

Re: [Full-disclosure] Right, or wrong?

2007-08-07 Thread Robert Kim Wireless Internet Advisor
Ask gates what his business position is regarding bugs

On 8/7/07, Jared DeMott <[EMAIL PROTECTED]> wrote:
> All:
>
> So, I've tried the vendor pay model for bug hunting and it wasn't always
> well received.  Apparently auction sites and 3rd party purchasers are
> fine, but some folks don't like the idea of selling directly to the
> vendor.  I was thinking that this would be ideal since the vendor would
> have the most interest in knowing about/fixing the bug.  My question to
> the list is this:
> Is it morally right, wrong, don't know, don't care, good business, bad
> business, etc.?  Either way we're moving away from that model, but I was
> just curious how others on FD see it.
>
> Blessings,
> Jared
> --
Robert Q Kim, Wireless Internet Provider
http://evdo-coverage.com/satellite-wireless-internet.html
http://groups.google.com/group/unpaid-overtime
2611 S. Pacific Coast Highway 101
Suite 203 Unpaid Overtime Dept
Cardiff by the Sea, CA 92007
206 984 0880

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Right, or wrong?

2007-08-07 Thread Valdis . Kletnieks
On Tue, 07 Aug 2007 17:46:51 EDT, Jared DeMott said:
> vendor.  I was thinking that this would be ideal since the vendor would
> have the most interest in knowing about/fixing the bug.

That's a dubious statement at best.

What a commercial vendor is interested in is minimizing their *total cost*
of providing whatever level of security they do.  As a result, unless the
bad press starts impacting product sales, the *best* stance is "stick head
in sand and pretend it's bulletproof".  Second best is "issue lots of press
releases saying we're dedicated to security".  Actually spending the big bucks
to make the product secure is a *distant* third.

And the instant they actually *buy* a bug report, they've lost all semblance
of plausible deniability.  "D'Oh! somebody reported it in our bugzilla but we
overlooked it" doesn't work if you've obviously *not* overlooked it to the
point of writing the submitter an actual check.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] BTsniff - Bleutooth sniffing under *nix

2007-08-07 Thread shiftnato
All,

During Renderman's talk @ defcon, he mentioned an email list where
development of an open firmware for sniffing bluetooth off the ether
was being developed.

I thought I had copied it down, but apparently I got it wrong because
there's nothing at the address I wrote down.

If there's concern this shouldn't be added to the interweb archives,
please send it to me off-list.

Regards,
N

On 7/27/07, Thierry Zoller <[EMAIL PROTECTED]> wrote:
>
> Dear List,
>
> This message is thrown together in a hurry with limited Internet
> access, please accept my apologies for typos and missing information,
> more will follow soon :)
>
> My call for an OSS Bluetooth sniffer during the last 23C3
> in Berlin has not been left unanswered, first there was
> Max Moser ("Bluetooth - Getting raw access") that uncovered
> how you can modify a consumer USB stick by flashing it with
> a BTSniffer firmware and get RAW access to it. The question
> that was left was how to send commands to it, get it into
> sniffing mode, synching it.
>
> Exactly this is what Andrea Bittau and Dominic Spill found out
> during their work on a paper entitled "BlueSniff: Eve meets Alice
> and Bluetooth", Andrea further implemented it in C code. The paper
> will shortly be published and presented at this year's USENIX.
>
> In other words a Bluetooth hacker dream has partially come true,
> a cheap and (partially) open way to sniff and capture packets,
> including the pairing handshake which may then be cracked.
>
> Andrea is currently working on cracking open the very last
> thing that holds him from crafting low level Bluetooth packets,
> the XAP2 processor, he disassembled the firmware to find out
> how exactly it works, for that he wrote his own disassembler,
> after this he/we may write our own firmware and basically do
> whatever we like, for example code a full blown fuzzer or full
> blown attack device.
>
> Other very interesting findings will be uncovered during the next
> weeks, more on this later :)
>
> PS. Renderman will demonstrate the findings at this year's
> DEFCON during the Church of WiFi, be there (I will)
>
> Information and Files from :
> http://secdev.zoller.lu
> Thierry Zoller - Security Engineer
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Right, or wrong?

2007-08-07 Thread Jared DeMott
All:

So, I've tried the vendor pay model for bug hunting and it wasn't always
well received.  Apparently auction sites and 3rd party purchasers are
fine, but some folks don't like the idea of selling directly to the
vendor.  I was thinking that this would be ideal since the vendor would
have the most interest in knowing about/fixing the bug.  My question to
the list is this:
Is it morally right, wrong, don't know, don't care, good business, bad
business, etc.?  Either way we're moving away from that model, but I was
just curious how others on FD see it.

Blessings,
Jared

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] iDefense Security Advisory 08.07.07: Apple Mac OS X mDNSResponder HTTP Request Heap Overflow Vulnerability

2007-08-07 Thread iDefense Labs
Apple Mac OS X mDNSResponder HTTP Request Heap Overflow Vulnerability

iDefense Security Advisory 08.07.07
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 07, 2007

I. BACKGROUND

mDNSResponder is part of the Bonjour suite of applications. Bonjour is
used to provide automatic and transparent configuration of network
devices. It is similar to UPnP, in that the goal of both is to allow
users to simply plug devices into a network without worrying about
configuration details. mDNSResponder runs by default on both Server and
Workstation. More information can be found on the vendor's website.

http://developer.apple.com/opensource/internet/bonjour.html

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Apple Inc.'s
mDNSResponder application may allow attackers to execute arbitrary code
with root privileges.

The vulnerability exists within the Legacy NAT Traversal code. Unlike
the core of the mDNSResponder service, this area of code does not rely
on Multicast UDP. It listens on a dynamically allocated Unicast UDP
port.

The vulnerability occurs when parsing a malformed HTTP request. This
results in an exploitable heap overflow.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to execute
arbitrary code with root privileges on a vulnerable host. No
authentication is needed to exploit this vulnerability.

Failed attempts will result in the service crashing. Shortly after
crashing, it will be restarted.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Mac OS X
version 10.4.10, Server and Workstation, with mDNSResponder version
108.5. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Apple addressed this vulnerability within their Mac OS X 2007-007
security update. More information is available at the following URL.

http://docs.info.apple.com/article.html?artnum=306172

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-3744 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

07/26/2007  Initial vendor notification
07/26/2007  Initial vendor response
08/07/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Neil Kettle (mu-b) of
www.digit-labs.org.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] ASA-2007-019: Remote crash vulnerability in Skinny channel driver

2007-08-07 Thread Security Response Team
   Asterisk Project Security Advisory - ASA-2007-019

   +------------------------------------------------------------------------+
   |       Product      | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |       Summary      | Remote crash vulnerability in Skinny channel      |
   |                    | driver                                            |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Authenticated Sessions                     |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | August 7, 2007                                    |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Wei Wang of McAfee AVERT Labs                     |
   |--------------------+---------------------------------------------------|
   |     Posted On      | August 7, 2007                                    |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | August 7, 2007                                    |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Jason Parker <[EMAIL PROTECTED]>                  |
   |--------------------+---------------------------------------------------|
   |      CVE Name      |                                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The Asterisk Skinny channel driver, chan_skinny, has a   |
   |             | remotely exploitable crash vulnerability. A segfault can |
   |             | occur when Asterisk receives a                           |
   |             | "CAPABILITIES_RES_MESSAGE" packet where the capabilities |
   |             | count is greater than the total number of items in the   |
   |             | capabilities_res_message array. Note that this requires  |
   |             | an authenticated session.                                |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Asterisk code has been modified to limit the incoming     |
   |            | capabilities count.                                       |
   |            |                                                           |
   |            | Users with configured Skinny devices should upgrade to    |
   |            | the appropriate version listed in the Corrected In        |
   |            | section of this advisory.                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product         |   Release   |                               |
   |                          |   Series    |                               |
   |--------------------------+-------------+-------------------------------|
   |   Asterisk Open Source   |    1.0.x    | Not affected                  |
   |--------------------------+-------------+-------------------------------|
   |   Asterisk Open Source   |    1.2.x    | Not affected                  |
   |--------------------------+-------------+-------------------------------|
   |   Asterisk Open Source   |    1.4.x    | All versions prior to         |
   |                          |             | 1.4.10                        |
   |--------------------------+-------------+-------------------------------|
   | Asterisk Business Edition|    A.x.x    | Not affected                  |
   |--------------------------+-------------+-------------------------------|
   | Asterisk Business Edition|    B.x.x    | Not affected                  |
   |--------------------------+-------------+-------------------------------|
   |        AsteriskNOW       | pre-release | All versions prior to         |
   |                          |             | beta7                         |
   |--------------------------+-------------+-------------------------------|
   | Asterisk App
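The advisory describes the bug only as a capabilities count larger than the receiving array, and the fix only as limiting that count. The C program below is an added illustration of that bound-check pattern; it is not Asterisk's chan_skinny code and it does not use the real SCCP wire format. The message layout (a 4-byte little-endian count followed by 8-byte entries), the array capacity MAX_CAPS of 18, and all helper names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative layout, NOT the real SCCP wire format: a 4-byte
 * little-endian count followed by 8-byte entries (codec, max_frames). */
#define MAX_CAPS        18   /* capacity of the receive-side array (assumed) */
#define CAP_ENTRY_SIZE  8

struct capability { uint32_t codec; uint32_t max_frames; };

struct caps_res {
    uint32_t count;
    struct capability caps[MAX_CAPS];
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* The unchecked loop bound: the peer-supplied count taken verbatim.
 * Any value above MAX_CAPS makes a loop over caps[] index past its end,
 * which is the segfault the advisory reports. */
static uint32_t unchecked_loop_bound(const uint8_t *msg, size_t len) {
    return len >= 4 ? le32(msg) : 0;
}

/* Hardened parse: clamp the count to the array capacity (what the fix
 * does) and also refuse a message shorter than the entries it claims.
 * Returns the number of entries stored, or -1 for a malformed message. */
static int parse_caps_res(const uint8_t *msg, size_t len, struct caps_res *out) {
    if (len < 4)
        return -1;
    uint32_t count = le32(msg);
    if (count > MAX_CAPS) {
        fprintf(stderr, "capabilities count %u > %d, clamping\n",
                (unsigned)count, MAX_CAPS);
        count = MAX_CAPS;
    }
    if (len - 4 < (size_t)count * CAP_ENTRY_SIZE)   /* count <= 18, no overflow */
        return -1;
    out->count = count;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = msg + 4 + i * CAP_ENTRY_SIZE;
        out->caps[i].codec = le32(e);
        out->caps[i].max_frames = le32(e + 4);
    }
    return (int)count;
}

/* Constructed test input: a message whose header claims `wire_count`
 * entries but actually carries `n_entries`. Returns bytes written, or 0
 * if the buffer is too small. */
static size_t build_caps_res(uint8_t *buf, size_t cap,
                             uint32_t wire_count, uint32_t n_entries) {
    size_t need = 4 + (size_t)n_entries * CAP_ENTRY_SIZE;
    if (cap < need)
        return 0;
    put_le32(buf, wire_count);
    for (uint32_t i = 0; i < n_entries; i++) {
        put_le32(buf + 4 + i * CAP_ENTRY_SIZE, 4 + i);   /* made-up codec ids */
        put_le32(buf + 8 + i * CAP_ENTRY_SIZE, 20);      /* made-up frame count */
    }
    return need;
}

/* End-to-end scenario: build a message and run the hardened parser. */
static int demo_parse(uint32_t wire_count, uint32_t n_entries) {
    uint8_t buf[4 + MAX_CAPS * CAP_ENTRY_SIZE];
    struct caps_res res;
    size_t len = build_caps_res(buf, sizeof buf, wire_count, n_entries);
    return len ? parse_caps_res(buf, len, &res) : -2;
}

/* Same message through the unchecked path: the bound the old loop used. */
static uint32_t demo_unchecked_bound(uint32_t wire_count, uint32_t n_entries) {
    uint8_t buf[4 + MAX_CAPS * CAP_ENTRY_SIZE];
    size_t len = build_caps_res(buf, sizeof buf, wire_count, n_entries);
    return unchecked_loop_bound(buf, len);
}

int main(void) {
    printf("honest message (2 of 2):        parsed %d\n", demo_parse(2, 2));
    printf("count 0xffffffff, 18 real:      parsed %d\n", demo_parse(0xffffffffu, 18));
    printf("count 5, only 2 real:           parsed %d\n", demo_parse(5, 2));
    printf("unchecked bound for 0xffffffff: %u\n",
           (unsigned)demo_unchecked_bound(0xffffffffu, 2));
    return 0;
}
```

The clamp alone reproduces the advisory's fix; the extra length check is there because clamping a count says nothing about whether the bytes for those entries actually arrived, and a parser that walks 18 entries of a 20-byte message has the same class of bug one layer down.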

[Full-disclosure] [SECURITY] [DSA 1352-1] New pdfkit.framework packages fix arbitrary code execution

2007-08-07 Thread Moritz Muehlenhoff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1352-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
August 7th, 2007                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: pdfkit.framework
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID : CVE-2007-3387

It was discovered that an integer overflow in the xpdf PDF viewer may lead
to the execution of arbitrary code if a malformed PDF file is opened.

pdfkit.framework includes a copy of the xpdf code and required an update
as well.

For the oldstable distribution (sarge) this problem has been fixed in
version 0.8-2sarge4.

The package from the stable distribution (etch) links dynamically
against libpoppler and doesn't require a separate update.

The package from the unstable distribution (sid) links dynamically
against libpoppler and doesn't require a separate update.

We recommend that you upgrade your pdfkit.framework packages.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:


http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge4.dsc
  Size/MD5 checksum:  725 bfe8bf57eeadaeeaa5ba33a458a8e185

http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge4.diff.gz
  Size/MD5 checksum: 7077 a9e6dc46fa95a2763e865999b3789e50

http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8.orig.tar.gz
  Size/MD5 checksum:  1780533 7676643ff78a0602c10bfb97fe0bd448

  Alpha architecture:


http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge4_alpha.deb
  Size/MD5 checksum:  1822590 0f097258e91f1d7eabf3384ecb10b3e8

  AMD64 architecture:


http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge4_amd64.deb
  Size/MD5 checksum:  1797204 534d18691bdd0729af9e854311408460

  HP Precision architecture:


http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge4_hppa.deb
  Size/MD5 checksum:  1863092 764d3796d34c879af9a5594c4f50e5e9

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge4_i386.deb
  Size/MD5 checksum:  1750926 fd435c2d7270d324c74aa054c7230e96

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge4_ia64.deb
  Size/MD5 checksum:  1981838 c7a18c58ea887fb5b0f2194659ccdd77

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge4_m68k.deb
  Size/MD5 checksum:  1786348 3b4885f47d0d55dad0e70aa20e42c73d

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge4_mips.deb
  Size/MD5 checksum:  1769560 9f0071e086fa239f2068d426f9dddae9

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge4_mipsel.deb
  Size/MD5 checksum:  1755228 cda830fc73806bc80e1104359fea752a

  PowerPC architecture:


http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge4_powerpc.deb
  Size/MD5 checksum:  1771430 1d2fb8df07e688855b1c716123c2213d

  IBM S/390 architecture:


http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge4_s390.deb
  Size/MD5 checksum:  1805290 78cfaa378a73eae337978d3df379be99

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge4_sparc.deb
  Size/MD5 checksum:  1780538 cb9824fd6a64b10257f79d0df7c1a474


  These files will probably be moved into the stable distribution on
  its next update.

- --------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version

[Full-disclosure] iDefense Security Advisory 08.07.07: Hewlett-Packard HP-UX Remote ldcconn Buffer Overflow Vulnerability

2007-08-07 Thread iDefense Labs
Hewlett-Packard HP-UX Remote ldcconn Buffer Overflow Vulnerability

iDefense Security Advisory 08.07.07
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 07, 2007

I. BACKGROUND

Cisco Local Director is a load-balancing, connection fail-over device
used to help manage large enterprise networks. HP-UX allows for easy
interfacing with Cisco Local Director using the HP Controller for Cisco
Local Director package. In this package is ldcconn, which is configured
to run via inetd on TCP port 17781.

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in ldcconn allows
attackers to execute arbitrary code with root privileges.

By sending a long string to the TCP port that ldcconn listens on, a
buffer overflow is triggered. No authentication or data validation is
performed.

III. ANALYSIS

Exploitation allows unauthenticated remote attackers to gain root access
on affected machines.

The seriousness of this vulnerability is increased by the fact that in
most cases an attacker will have unlimited attempts at successful
exploitation due to the fact that inetd will continue to launch the
service for each new connection.

IV. DETECTION

iDefense confirmed the existence of this vulnerability in HP-UX 11.11i.
It is suspected that other versions are also vulnerable.

To determine if ldcconn is installed on your specific install, use the
command:

  # swlist -l file | grep ldcconn

If this command returns anything, it means it is installed. To tell if
it is currently configured to run from inetd, use the command:

  # grep ldcconn /etc/inetd.conf

If it returns an entry, that means it is currently configured to run
from inetd.

V. WORKAROUND

Firewall rules should be set to only allow Cisco equipment to access the
service (port 17781).

If the service is not being used, simply remove, or comment out, the
entry in /etc/inetd.conf and restart inetd.

VI. VENDOR RESPONSE

Hewlett-Packard states that this product is obsolete and no longer
supported. They have no plans to release a patch or advisory. They
further stated that the version of HP-UX used to verify this
vulnerability is also obsolete.

"HP simply recommends that customers upgrade to a currently supported OS
release and to some other tool, if one is available."

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

11/02/2004  Initial vendor notification
11/03/2004  Initial vendor response
12/19/2005  Second vendor notification
01/30/2007  Third vendor notification
01/30/2007  Third vendor response
04/25/2007  Status update requested
06/08/2007  Status update requested
07/24/2007  Status update requested
07/30/2007  Vendor stated product's support ended in 2002
08/06/2007  Vendor communicated their response
08/07/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 1351-] New bochs packages fix privilege escalation

2007-08-07 Thread Moritz Muehlenhoff

--------------------------------------------------------------------------
Debian Security Advisory DSA 1351-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
August 7th, 2007                          http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: bochs
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE ID : CVE-2007-2893

Tavis Ormandy discovered that bochs, a highly portable IA-32 PC emulator,
is vulnerable to a buffer overflow in the emulated NE2000 network device
driver, which may lead to privilege escalation.

For the oldstable distribution (sarge) this problem has been fixed in
version 2.1.1+20041109-3sarge1.

For the stable distribution (etch) this problem has been fixed in
version 2.3-2etch1.

For the unstable distribution (sid) this problem has been fixed in
version 2.3+20070705-1.

We recommend that you upgrade your bochs packages.


Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------


Re: [Full-disclosure] intrusion kit

2007-08-07 Thread h4h
On 8/6/07, Morning Wood <[EMAIL PROTECTED]> wrote:
>
> >What I'm looking for is an "intrusion kit", a ZIP file that contains
> > common tools like: vnc, nmap, pwdump, ssh client, etc. That have all
> > dependencies in the zip file, so I could do:
> >
> > unzip kit.zip
> > cd nmap
> > nmap -sS localhost
> > cd ..
> > cd vnc
> > run-vnc-server
> >
>
> i guess your so talented in breaking into boxen that you cant simply
> make your own SFX to do what you want.
>
> btw: i seriously doubt anyone will help you ( or you buy the ebay offered
> one LOL...
> have fun getting yourelf pwnt )
>
> byez,
> MW


Did you ever notice that you type like a child?

Re: [Full-disclosure] Firefox 2.0.0.6 Java Pop-Up DoS flaw

2007-08-07 Thread Daniel Veditz
Daniel Veditz wrote:
> carl hardwick wrote:
>> @Daniel Veditz
>> IE6 SP2 and IE7 are not affected!
> 
> IE is affected if you use the Sun JRE. Not the default, I know, but then
> unless you've installed Sun's JRE Firefox doesn't come with Java either.
> 
> http://evil.hackademix.net/fullscreen/applet.html

Better link (links to the above):
http://hackademix.net/2007/08/07/java-evil-popups/



Re: [Full-disclosure] Firefox 2.0.0.6 Java Pop-Up DoS flaw

2007-08-07 Thread Daniel Veditz
carl hardwick wrote:
> @Daniel Veditz
> IE6 SP2 and IE7 are not affected!

IE is affected if you use the Sun JRE. Not the default, I know, but then
unless you've installed Sun's JRE Firefox doesn't come with Java either.

http://evil.hackademix.net/fullscreen/applet.html



[Full-disclosure] Mozilla Firefox and Internet Explorer susceptible to DNS Re-binding attacks

2007-08-07 Thread Eric Uday Kumar
Hi, I came across this post on Slashdot about DNS Re-binding attacks.


I visited the information URL at  using 
both Mozilla Firefox (2.0.0.6) and Internet Explorer (7.0.5730.11) and 
the page reported as " We have detected that your browser is vulnerable 
to efficient DNS rebinding attacks". Is this of any concern to browser 
application developers or users?

best regards,
Eric Kumar
Authentium Inc.



[Full-disclosure] IE6 DOS

2007-08-07 Thread Tonu Samuel
Unsure if this new here:

http://immike.net/blog/2007/08/06/single-line-of-html-crashes-ie-6/

  Tõnu
