Re: [Full-disclosure] bind9 remote vulnerability, possibly exploitable - vendor unresponsive :~~~

2007-09-03 Thread Mark Andrews

> From: herbietwink whatsitworth2ya 
> Date: Sat, 25 Aug 2007 04:38:27 +1000
> 
> [EMAIL PROTECTED] [x] \/\/3ZTc04ztC00ol3Rcr3w @[EMAIL PROTECTED]@#$ 
> .[x].
> 
> if ur queer and ur not sure u know it - clap ur handz
> is what i'd say
> 
> if i had immunity shaved in the back if my head
> ..and i was undecided as to whether i wanted to sink the pink or the brown
> itz ok i hire young euro entourage boys at a bargin price
> 
> WC crU ready to drop some threatc0n5 shit more serious then a gadi evron
> threat at defcon presentation * 5
> cuntz g0t right amougzt it rem0te shell bind9 r00ter, uneed more inf0? read
> the c0de n00b lololol
> 
> pr0pz 2 mixt3r foundin father of int33ger skullduggry
> 
> READY
> &
> GO @#$$%
> 
> struct dns_rdata {
>         unsigned char *         data;
>         int                     length;
>         dns_rdataclass_t        rdclass;
>         dns_rdatatype_t         type;
>         int                     flags;
>         ISC_LINK(dns_rdata_t)   link;
> };

I say, "Never let reality get in the way of a good story ..."
except people actually believed this load of rubbish.

Well rdata->length is (unsigned int) as is tr.length.

1.1  (halley   16-Dec-98): struct dns_rdata {
1.4  (halley   13-Jan-99):         unsigned char *         data;
1.4  (halley   13-Jan-99):         unsigned int            length;
1.19 (halley   02-Aug-99):         dns_rdataclass_t        rdclass;
1.4  (halley   13-Jan-99):         dns_rdatatype_t         type;
1.42 (marka    19-Oct-00):         unsigned int            flags;
1.4  (halley   13-Jan-99):         ISC_LINK(dns_rdata_t)   link;
1.4  (halley   13-Jan-99): };

and as it was in version 1.1

/*
 * Clients are strongly discouraged from using this type directly.
 */
struct dns_rdata {
        unsigned char *         data;
        unsigned int            length;
        dns_rdataclass_t        class;
        dns_rdatatype_t         type;
        /*
         * XXX should rdata be linkable (i.e. as in ) to make
         * rdata lists easy?
         */
};

Mark

P.S.  If he had actually reported it to us (ISC) it would
have reached my mailbox by one path or another as we don't
let reports of security vulnerabilities go unexamined.

Yes. I am the lead Engineer on BIND 9.

> isc_result_t
> dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
>                  isc_buffer_t *target)
> {
>         isc_result_t result = ISC_R_NOTIMPLEMENTED;
>         isc_boolean_t use_default = ISC_FALSE;
>         isc_region_t tr;
>         isc_buffer_t st;
> 
>         REQUIRE(rdata != NULL);
>         REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
> 
>         /*
>          * Some DynDNS meta-RRs have empty rdata.
>          */
>         if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
>                 INSIST(rdata->length == 0);
>                 return (ISC_R_SUCCESS);
>         }
> 
>         st = *target;
> 
>         TOWIRESWITCH
> 
>         if (use_default) {
>                 isc_buffer_availableregion(target, &tr);
>                 if (tr.length < rdata->length)
>                         return (ISC_R_NOSPACE);
>                 memcpy(tr.base, rdata->data, rdata->length);
>                 isc_buffer_add(target, rdata->length);
>                 return (ISC_R_SUCCESS);
>         }
>         if (result != ISC_R_SUCCESS) {
>                 *target = st;
>                 INSIST(target->used < 65536);
>                 dns_compress_rollback(cctx, (isc_uint16_t)target->used);
>         }
>         return (result);
> }
> 
> bigup2 Lam3rZ's see u at nonamecon
> 
> Herbert Twinkleworth
> *Information Security Interest Group - NZ
> 
> *
-- 
Mark Andrews (BE Elec), ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:  +61 2 9871 4742  INTERNET: [EMAIL PROTECTED]
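To make the point about the types concrete, here is an added example (our own code, not BIND's; the names outbuf_t, rdata_t, rdata_towire_default, signed_length_is_rejected and try_towire are ours) that models the use_default branch of the dns_rdata_towire() quoted above against a 64-byte output buffer. It shows that an oversized length is refused before memcpy() is reached, and, going one step beyond the post, that even the signed `int length` the original message claimed would be converted to unsigned in that comparison and still be refused.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes standing in for ISC_R_SUCCESS and ISC_R_NOSPACE. */
enum { R_SUCCESS = 0, R_NOSPACE = 1 };

/* Stand-in for isc_buffer_t (our own type): a capacity and a fill level. */
typedef struct {
    unsigned char *base;
    unsigned int   length;  /* capacity in bytes */
    unsigned int   used;    /* bytes already written */
} outbuf_t;

/* Stand-in for dns_rdata_t, with the unsigned length that cvs annotate shows. */
typedef struct {
    const unsigned char *data;
    unsigned int         length;
} rdata_t;

/* Models the use_default branch of dns_rdata_towire(): compute the free
 * region, refuse the write unless the rdata fits, and only then memcpy()
 * and advance the buffer. Both operands of the comparison are unsigned. */
int rdata_towire_default(const rdata_t *rdata, outbuf_t *target)
{
    unsigned int avail = target->length - target->used;  /* isc_buffer_availableregion() */
    if (avail < rdata->length)
        return R_NOSPACE;
    memcpy(target->base + target->used, rdata->data, rdata->length);
    target->used += rdata->length;                        /* isc_buffer_add() */
    return R_SUCCESS;
}

/* What the same comparison does if length is a signed int, as the posted
 * struct claimed: under C's usual arithmetic conversions a negative int is
 * converted to unsigned int (the cast just makes that explicit), becomes a
 * huge value, and the write is still refused. Returns 1 when refused. */
int signed_length_is_rejected(unsigned int avail, int length)
{
    return avail < (unsigned int)length;
}

/* Driver: attempt to write an rdata whose length field claims `claimed`
 * bytes into a 64-byte output buffer, backed by a 64-byte constructed
 * payload so that every accepted copy stays inside real data. */
int try_towire(unsigned int claimed)
{
    static const unsigned char payload[64] = "constructed sample rdata";
    unsigned char out[64];
    outbuf_t target = { out, sizeof(out), 0 };
    rdata_t  rdata  = { payload, claimed };
    return rdata_towire_default(&rdata, &target);
}

int main(void)
{
    printf("8 bytes      -> %s\n", try_towire(8) == R_SUCCESS ? "SUCCESS" : "NOSPACE");
    printf("65 bytes     -> %s\n", try_towire(65) == R_SUCCESS ? "SUCCESS" : "NOSPACE");
    printf("0x80000000   -> %s\n", try_towire(0x80000000u) == R_SUCCESS ? "SUCCESS" : "NOSPACE");
    printf("signed -256  -> %s\n", signed_length_is_rejected(64, -256) ? "refused" : "accepted");
    return 0;
}
```

The comparison is the whole defence here: whatever value the length field carries, the copy only happens once it is known to fit the remaining region, which is why the type of the field does not give a remote caller any leverage.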

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] n.runs-SA-2007.027 - Sophos Antivirus UPX parsing Arbitrary CodeExecution Advisory

2007-09-03 Thread Jan Münther
Hello everyone,

please allow me to chime in real quick to try and clarify some issues
which may have caused confusion.

First of all: As Sophos has now acknowledged, this bug in discussion
does constitute an exploitable condition. Of course a single byte
overwrite in an arbitrary memory location isn't your classical
drive-by-shooting stack overflow, but there are plenty of methods to
achieve code execution (function pointers and exception handlers being
the most obvious choice). Sergio just sent Sophos a crash-PoC, so their
initial reaction was to consider it just a crash bug.
When I asked Sergio about the details of the bug I already knew it'd be
exploitable - when he dubs a bug exploitable, it typically is (unless
there's an error in the topic, hah hah :P ).
Sergio discussed the topic with Sophos and they've conceded to the fact
there's exploitability, and updated their own advisory accordingly - we
couldn't ask for better cooperation, really!

As for the recent German "anti-hacking-tool laws" - these really bug
everyone around here. The biggest problem is the fuzziness of the actual
punishable acts: The law implies that the "criminal energy" is basically
contained within the tools themselves, which of course is an absurd
thought that only someone with zero contact with the actual subject
matter can come up with. However, due to these new rules nobody around
here knows what the real deal is - is having nmap on your box dangerous
now? Is having ping and telnet dangerous? What about metasploit, CANVAS
or CORE Impact, or god beware, own exploits, possibly 0days?

The problem really is that without the law being applied at least once,
it is impossible to tell. Just for the record: When this law is applied
for the first time, I am positive the German Supreme Court will send the
lawmakers back to school. One of the most important principles in
legislation is the clarity of the laws, and this has very obviously been
neglected here, else we wouldn't have such a mess now.

Let me assure you that we at n.runs and our highly respected colleagues
over at Recurity (ex-SABRE, please note the name change due to a stupid
a** lawsuit, gah) as well as the CCC and some other valued individuals
have strongly lobbied against this law and done everything we deemed
possible. The unfortunate truth however is that the lawmakers simply
didn't care what the experts had to say, mostly out of sheer
stubbornness and the attitude that if a law is lacking in any way,
jurisdiction will fix it in the long run. As many of you probably know,
these laws are the German national implementation of the so-called
European Cybercrime Convention. The convention however - in contrast to
our national law - does contain explicit exceptions for researchers and
professionals. As for the reasons why these are missing here, one can
only speculate (a task that I better leave to Fefe, he's much better at
it :P ).

In any case, Lisa is of course right (as usual :) ). The law does not
directly prohibit publishing vulnerability details. A particularly
anally retentive lawyer may construct punishability through assistance
or something, but that seems far fetched even by German standards.
Sergio's comment in this regard was just the outcome of the ubiquitous
confusion regarding these new rules.

One other little barrier is one that we gave ourselves - we currently
subscribe to Rain Forest Puppy's Responsible Disclosure Policy with a
little bit of @stake's publishing policy mixed in, as you can see under
http://www.nruns.com/rfppolicy.php, and the policy contains the
following passus:

"The Security Advisory will not contain the following information:
Proof of concept code or test code that could readily be turned into an
exploit. Sufficiently detailed technical information, such as exact data
inputs, buffer offsets, or shell code strategies that could expedite the
writing of exploit code."

We may have overinterpreted that a little, however, we plan on just
changing it. Please understand that we cannot publish details on past
bugs since our communication with the vendors was under the premises of
this policy. However, in future advisories, we will be more verbose. If
any authorities give us a hard time about it, we will surely let you
know! :)

In the meantime, please trust Sergio that when he confirms the
exploitability of a bug repeatedly, it is exploitable.

Thanks for listening, and have a great day,

Jan
--
Jan Münther, CTO Security, n.runs AG



Re: [Full-disclosure] [Sec] Re: n.runs-SA-2007.027 - Sophos Antivirus UPX parsing Arbitrary CodeExecution Advisory

2007-09-03 Thread Thierry Zoller
Updated Advisory :
http://www.nruns.com/security_advisory_sophos_upx_code_execution.php

The complete list :
http://www.nruns.com/parsing-engines-advisories.php

--
Thierry Zoller - Security Engineer
Fingerprint 9180 F9C9 A0EF BDA3 C46A BFEB B149 0FE4 3AFC 9B09




Re: [Full-disclosure] informative...

2007-09-03 Thread Fabian (Lists)
Andrea Purificato - bunker wrote:
> Il giorno mer, 29/08/2007 alle 09.31 -0400, Fabrizio ha scritto:
>> And even more informative
>>
>> http://www.belkin.com/search/?q=%3cscript%3ealert('XSS')%3c%2fscript%3e&sid=1
>>
> 
> [Informative 2]
> 
> It seems a common practice, otherwise they were warned months ago, but
> no answer...
> 
> http://sitesearch.corriere.it/searchresults.jsp?adsEnvironment=corriere&channel_par=corriere&ricerca_par=%22%3Cscript%3Ealert('XSS');%3C/script%3E
> 
> 
> Bye,

Informative 3: The 'did you mean' feature even xss' itself...

http://www.belkin.com/search/?q=%3ciframe+border%3d0+width%3d700+height%3d400+src%3d%22http%3a%2f%2fwww.bitrain.net%22%3e%3c%2fiframe%3e&sid=1

--Fabian

--
"You could start by defining the meaning of certain esoteric terms, like
'Doesn't work', for exfuckingample." (Kadaitcha Man)




Re: [Full-disclosure] most powerful supercomputer, etc.

2007-09-03 Thread [EMAIL PROTECTED]
It is usually fairly easy to pick out the idiots in these sorts of
conversations.

They are generally the first to ask someone to prove a negative and the
last to understand why that makes them look so dumb.



I now return the list to its regularly scheduled silliness, random hashes
and zero-day sale offers.




[Full-disclosure] Lame ass of the month - Aditya K Sood (from India)

2007-09-03 Thread Lamer Buster
finally I decided to give this lame ass a heads up for his yak yak yak.

congratulation for your yet another gay paper, gays like you have
proved in the past how this industry has encouraged people like you. I
brand you as the lame ass of the month for your ass fucking gay paper.

Have your mom stopped breast feeding you yet?


---

-Original Message-

From: Aditya K Sood [

mailto:[EMAIL PROTECTED]
Sent: 01 September 2007 11:35

To: [EMAIL PROTECTED]; [EMAIL PROTECTED]

Subject: [Paper] The Anatomy of Third Party Pop Up Attacks.

Hi

This article deals with the latest third party popup attacks that are
performed by an attacker from the rogue and vulnerable links of the
web sites to circumvent the normal functioning on the web. The target
website always seems to be the liable web provider from where the
popup attacks are possible. It also discusses other problems related
with Pop Ups.

You can find it at:


http://www.secniche.org/papers/Analogy_of_Popups.pdf

http://www.secniche.org/paper.html
Regards

Aks


http://www.secniche.org



Re: [Full-disclosure] most powerful supercomputer, etc.

2007-09-03 Thread Timo Schoeler
thus cybergoth spake:
> Interesting movie about religion, conspiracy and shit 
> http://www.zeitgeistmovie.com/

Sicko -- http://imdb.com/find?s=all&q=sicko

Who Killed the Electric Car? -- http://imdb.com/title/tt0489037/

Loose Change -- http://imdb.com/title/tt0839892/

NB: Korey Rowe's Arrest Makes Him A Political Prisoner

http://www.roguegovernment.com/news.php?id=3202

So, remember: 2 + 2 = 5

> - Original Message - 
> From: "Timo Schoeler" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: 
> Sent: Monday, September 03, 2007 7:28 PM
> Subject: Re: [Full-disclosure] most powerful supercomputer, etc.
> 
> 
> thus [EMAIL PROTECTED] spake:
>> Net-Dev's current alias wrote:
>> --
>>
>> "just like the u.s intelligence
>> services allowed a foreign government
>> or terrorist group such as al queda
>> to do 9/11 as a proof of concept
>> to show the american people that a
>> "war on terror" was necessary."
>> ~~
>> And FDR allowed the Japs to bomb Pearly Harbor, and Lincoln allowed the
>> attack on Ft Sumter.
>> Hell... Even Leonidas allowed Xerxes to encircle him to help create a
>> legend.
>> Normally, I would feel obligated to point out that you're an idiot, but
>> your reputation is already well established and that won't be necessary.
> 
> No, you are wrong; why does the U.S. government NOT disclose legal
> evidence that 'it was not an inside job'?
> 
> (...)
> 
>> Timo Schoeler wrote:
>> 
>>
>> maybe some time you realize
>> that there are only about 500
>> idiots world-wide that make people
>> (i.e. blatant idiots like soldiers)
>> fight against each other?
>>
>> soldiers are murderers... period.
>> ~~
> 
> Too bad I missed it in the first place, to combined reply qua this email:
> 
>> 1) Given your last statement, you should probably consider yourself lucky
>> that you aren't in the geographical vicinity of THIS former soldier.
> 
> Huh? Totally regardless of the time one lives in, soldiers are
> murderers. Do you have any argumentation against this, i.e. proof that
> soldiers do NOT kill other people on behalf of some other idiot that
> gives order to do so?
> 
>> 2) People who are prone to silly conspiracy theories should perhaps be a
>> bit less sanguine about calling OTHER people idiots.
> 
> See above; proof that 9/11 was NOT an inside job and you did much more
> on this topic than the U.S. government; until you can do so, you could
> provide health care to those wounded (firefighters, policemen etc) there
> -- the U.S. government did NOT (they had to travel to Cuba to get help).
> 
>> 3) Your ability to sleep peacefully in your bed at night, then wake up and
>> insult your betters; was granted to you BY a soldier.
> 
> Wrong. The necessity that the RED ARMY had to fight Nazis was risen by
> SOLDIERS (German Nazis). Did you miss logics AND history in school?
> (Seems so, otherwise YOU would KNOW that the U.S. entered the war on the
> European Continent much too late to have an enemy to fight; it was
> already superweak, thanks to the Russians.)
> 
>> In your case, you are
>> NOT welcome.
> 
> Go F*** yourself, kid. Or even better, try to get decent health care and
> education -- almost impossible in the U.S. It takes only five lines of
> the 'Star-spangled banner' to see what it's all about in the U.S.:
> 
> O say, can you see, by the dawn’s early light,
> What so proudly we hailed at the twilight's last gleaming,
> Whose broad stripes and bright stars, through the perilous fight
> O’er the ramparts we watched, were so gallantly streaming?
> And the rockets’ red glare, the bombs bursting in air
> ^
> 
> "Whatever war can do, peace can do better."
> (Desmond Mpilo Tutu)



Re: [Full-disclosure] most powerful supercomputer, etc.

2007-09-03 Thread cybergoth
Interesting movie about religion, conspiracy and shit 
http://www.zeitgeistmovie.com/

- Original Message - 
From: "Timo Schoeler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: 
Sent: Monday, September 03, 2007 7:28 PM
Subject: Re: [Full-disclosure] most powerful supercomputer, etc.


thus [EMAIL PROTECTED] spake:
> Net-Dev's current alias wrote:
> --
>
> "just like the u.s intelligence
> services allowed a foreign government
> or terrorist group such as al queda
> to do 9/11 as a proof of concept
> to show the american people that a
> "war on terror" was necessary."
> ~~
> And FDR allowed the Japs to bomb Pearly Harbor, and Lincoln allowed the
> attack on Ft Sumter.
> Hell... Even Leonidas allowed Xerxes to encircle him to help create a
> legend.
> Normally, I would feel obligated to point out that you're an idiot, but
> your reputation is already well established and that won't be necessary.

No, you are wrong; why does the U.S. government NOT disclose legal
evidence that 'it was not an inside job'?

(...)

> Timo Schoeler wrote:
> 
>
> maybe some time you realize
> that there are only about 500
> idiots world-wide that make people
> (i.e. blatant idiots like soldiers)
> fight against each other?
>
> soldiers are murderers... period.
> ~~

Too bad I missed it in the first place, to combined reply qua this email:

> 1) Given your last statement, you should probably consider yourself lucky
> that you aren't in the geographical vicinity of THIS former soldier.

Huh? Totally regardless of the time one lives in, soldiers are
murderers. Do you have any argumentation against this, i.e. proof that
soldiers do NOT kill other people on behalf of some other idiot that
gives order to do so?

> 2) People who are prone to silly conspiracy theories should perhaps be a
> bit less sanguine about calling OTHER people idiots.

See above; proof that 9/11 was NOT an inside job and you did much more
on this topic than the U.S. government; until you can do so, you could
provide health care to those wounded (firefighters, policemen etc) there
-- the U.S. government did NOT (they had to travel to Cuba to get help).

> 3) Your ability to sleep peacefully in your bed at night, then wake up and
> insult your betters; was granted to you BY a soldier.

Wrong. The necessity that the RED ARMY had to fight Nazis was risen by
SOLDIERS (German Nazis). Did you miss logics AND history in school?
(Seems so, otherwise YOU would KNOW that the U.S. entered the war on the
European Continent much too late to have an enemy to fight; it was
already superweak, thanks to the Russians.)

> In your case, you are
> NOT welcome.

Go F*** yourself, kid. Or even better, try to get decent health care and
education -- almost impossible in the U.S. It takes only five lines of
the 'Star-spangled banner' to see what it's all about in the U.S.:

O say, can you see, by the dawn’s early light,
What so proudly we hailed at the twilight's last gleaming,
Whose broad stripes and bright stars, through the perilous fight
O’er the ramparts we watched, were so gallantly streaming?
And the rockets’ red glare, the bombs bursting in air
^

"Whatever war can do, peace can do better."
(Desmond Mpilo Tutu)



Re: [Full-disclosure] most powerful supercomputer, etc.

2007-09-03 Thread Timo Schoeler
thus [EMAIL PROTECTED] spake:
> Net-Dev's current alias wrote:
> --
> 
> "just like the u.s intelligence 
> services allowed a foreign government
> or terrorist group such as al queda 
> to do 9/11 as a proof of concept
> to show the american people that a 
> "war on terror" was necessary."
> ~~
> And FDR allowed the Japs to bomb Pearly Harbor, and Lincoln allowed the
> attack on Ft Sumter.
> Hell... Even Leonidas allowed Xerxes to encircle him to help create a
> legend. 
> Normally, I would feel obligated to point out that you're an idiot, but
> your reputation is already well established and that won't be necessary.

No, you are wrong; why does the U.S. government NOT disclose legal 
evidence that 'it was not an inside job'?

(...)

> Timo Schoeler wrote:
> 
> 
> maybe some time you realize 
> that there are only about 500 
> idiots world-wide that make people 
> (i.e. blatant idiots like soldiers) 
> fight against each other?
> 
> soldiers are murderers... period. 
> ~~

Too bad I missed it in the first place, to combined reply qua this email:

> 1) Given your last statement, you should probably consider yourself lucky
> that you aren't in the geographical vicinity of THIS former soldier.

Huh? Totally regardless of the time one lives in, soldiers are 
murderers. Do you have any argumentation against this, i.e. proof that 
soldiers do NOT kill other people on behalf of some other idiot that 
gives order to do so?

> 2) People who are prone to silly conspiracy theories should perhaps be a
> bit less sanguine about calling OTHER people idiots.

See above; proof that 9/11 was NOT an inside job and you did much more 
on this topic than the U.S. government; until you can do so, you could 
provide health care to those wounded (firefighters, policemen etc) there 
-- the U.S. government did NOT (they had to travel to Cuba to get help).

> 3) Your ability to sleep peacefully in your bed at night, then wake up and
> insult your betters; was granted to you BY a soldier.

Wrong. The necessity that the RED ARMY had to fight Nazis was risen by 
SOLDIERS (German Nazis). Did you miss logics AND history in school? 
(Seems so, otherwise YOU would KNOW that the U.S. entered the war on the 
European Continent much too late to have an enemy to fight; it was 
already superweak, thanks to the Russians.)

> In your case, you are
> NOT welcome.

Go F*** yourself, kid. Or even better, try to get decent health care and 
education -- almost impossible in the U.S. It takes only five lines of 
the 'Star-spangled banner' to see what it's all about in the U.S.:

O say, can you see, by the dawn’s early light,
What so proudly we hailed at the twilight's last gleaming,
Whose broad stripes and bright stars, through the perilous fight
O’er the ramparts we watched, were so gallantly streaming?
And the rockets’ red glare, the bombs bursting in air
^

"Whatever war can do, peace can do better."
(Desmond Mpilo Tutu)



Re: [Full-disclosure] World's most powerful supercomputer goesonline (fwd)

2007-09-03 Thread J. Oquendo
[EMAIL PROTECTED] wrote:

> Uh... I think you're missing some key
> points about the gov't and the internet. 
> First off, all methods of connecting to
> the internet (cable, DSL, etc) invariably
> fall under the control of the FCC.

Oh really, all of the methods? Including those
outside of the jurisdiction of United States
laws. This is certainly news to me and I'm
sure it's also news to many other persons and
countries outside of the United States.

-- 

J. Oquendo
"Excusatio non petita, accusatio manifesta"

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net 



[Full-disclosure] Fwd: most powerful supercomputer, etc.

2007-09-03 Thread James Rankin
I'm amazed the CIA haven't been onto NetDev's new alias, seeing as though he
tries, to all intents and purposes, to function like al-Qaeda's global PR
and conspiracy-theory consultant.

Having said that, a CIA ninja party booting down NetDev's door and dragging
him out of bed (probably interrupting a marathon masturbation session) would
simply justify his paranoia, so maybe they've elected to leave him alone.

On 03/09/07, [EMAIL PROTECTED] <[EMAIL PROTECTED] > wrote:
>
> Net-Dev's current alias wrote:
> --
>
> "just like the u.s intelligence
> services allowed a foreign government
> or terrorist group such as al queda
> to do 9/11 as a proof of concept
> to show the american people that a
> "war on terror" was necessary."
> ~~
> And FDR allowed the Japs to bomb Pearly Harbor, and Lincoln allowed the
> attack on Ft Sumter.
> Hell... Even Leonidas allowed Xerxes to encircle him to help create a
> legend.
> Normally, I would feel obligated to point out that you're an idiot, but
> your reputation is already well established and that won't be necessary.
>
> Geoff write:
> 
>
> "Uh... I think you're missing some
> key points about the gov't and the internet..."
> 
>
> It appears that most of the people on this list are coders, and coders
> have
> an unfortunate tendency to forget that their computers are attached to a
> NETWORK. Nor do they seem to be completely aware of precisely what the
> "network" is or what it does.
>
> Timo Schoeler wrote:
> 
>
> maybe some time you realize
> that there are only about 500
> idiots world-wide that make people
> (i.e. blatant idiots like soldiers)
> fight against each other?
>
> soldiers are murderers... period.
> ~~
>
> 1) Given your last statement, you should probably consider yourself lucky
> that you aren't in the geographical vicinity of THIS former soldier.
> 2) People who are prone to silly conspiracy theories should perhaps be a
> bit less sanguine about calling OTHER people idiots.
> 3) Your ability to sleep peacefully in your bed at night, then wake up and
> insult your betters; was granted to you BY a soldier. In your case, you
> are
> NOT welcome.
>

[Full-disclosure] Apple QuickTime integer overflow vulnerability when parsing SMIL file

2007-09-03 Thread David Vaartjes
==
Apple QuickTime integer overflow vulnerability when parsing SMIL file
==

Date:   09/03/2007
Author: David Vaartjes 
Identifier: CVE-2007-2394
Revision:   0.2

--
AFFECTED VERSIONS
--

Researched on QuickTime 7.1.3 running on Windows 2000 SP4.

iDefense confirmed the existence of this vulnerability in version
7.1.3 and 7.1.5 for Windows XP SP2 and Mac OS X also [1]. As QuickTime
binaries for Windows XP and Vista are identical, this issue will
affect QuickTime running on Windows Vista also.

--
FIXED VERSIONS
--

Apple has released QuickTime version 7.2 for Mac OS X v10.3.9, Mac OS
X v10.4.9 or later, Windows Vista and Windows XP SP2 to address this
issue. See [2] for additional information about this update.

QuickTime 7.2 is not available for the Windows 2000 platform.
Presumably, Apple dropped support for this platform.

--
PRODUCT DESCRIPTION
--

QuickTime is Apple's media player product. According to Apple,
QuickTime is downloaded over 10 million times a month. According to
Secunia, QuickTime is currently installed on over 50% of PCs [3].

The Synchronized MultiMedia Integration Language (SMIL) provides a
high-level scripting syntax for describing multimedia presentations.
SMIL files are text files that use XML-based syntax to specify what
media elements to present and where and when to present them.

--
VULNERABILITY DESCRIPTION
--

An integer overflow vulnerability exists in a part of QuickTime.qts
that calculates the size of a buffer that stores the title and author
fields of a SMIL file. This can be exploited to overflow that heap
buffer with user supplied content, which eventually can result in the
execution of arbitrary code.

--
VULNERABILITY DETAILS
--

The integer overflow can be triggered by creating a SMIL file
containing a title and author field of a specific length.

--


  
  


--

When such a SMIL file is parsed the length value of the author field
is stored in a short int data type (16 bit) without bounds checking.
In sub_66952B50(), this value is (sign) extended to a long int data
type (32 bit).

--
66952C9A        push    eax
66952C9B        call    sub_668B57D0
66952CA0  -->   movsx   eax, word ptr [esp+2Ch+var_C]
66952CA5        mov     edx, [esp+2Ch+arg_4]
66952CA9        lea     ecx, [esp+2Ch+var_10]
--

So, when the length of the author field is >= 0x8000 bytes, it will be
extended to a length value between 0xffff8000 and 0xffffffff.

Next, in sub_668DCFD0() the sign extended length of the author field
is added to the length of the title field + 0x20:

--
668DD04D        jnz     short loc_668DD0A0
668DD04F        test    ebx, ebx
668DD051        jz      loc_668DD1EB
668DD057  -->   lea     eax, [edi+ebx]  // edi holds the length of
                                        // the title field + 0x20.
                                        // ebx holds the sign
                                        // extended length of the
                                        // author field.
668DD05A        push    eax
668DD05B        push    ecx

In sub_668DCA60(), 4 is added to the result of the calculation:

--
668DCB37        test    edi, edi
668DCB39        jz      short loc_668DCB40
668DCB3B  -->   lea     eax, [edi+4]    // edi holds the result
668DCB3E        jmp     short loc_668DCB42
--

Next, in sub_668F5550() the final length value is used as the dwBytes
argument in a call to HeapRealloc():

--
668F555E        push    eax             // dwBytes (user specified)
668F555F        push    ecx             // lpMem
668F5560        push    1               // dwFlags
668F5562        push    edx             // hHeap
668F5563  -->   call    ds:HeapReAlloc
--

This allows for the allocation of a controlled amount of memory. For
example, when setting the length of the author field to 0xff00 (65280)
and the length of the title field to 0xdf (223), the following
situation occurs:

1: sub_66952B50():

0xff00 will be sign extended to 0xffffff00.

2: sub_668DCFD0():

0x000000ff (0x000000df + 0x00000020) will be added to 0xffffff00,
resulting in a length value of 0xffffffff.

3: sub_668DCA60():

0x00000004 is added to 0xffffffff, resulting in a value of 0x00000003.
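As an added worked example (our own code, not QuickTime's; the function names are ours and the sub_* routines from the advisory appear only in comments), the following C models the three arithmetic steps above in 32-bit wrapping arithmetic, reproduces the 0x00000003 result for the author and title lengths given, and sets a length-checked version beside it that keeps the lengths unsigned and refuses any sum that would wrap before it reaches an allocator.

```c
#include <stdint.h>
#include <stdio.h>

/* Step 1, as at sub_66952B50(): the 16-bit author length is loaded with
 * movsx, i.e. sign-extended to 32 bits, so any value >= 0x8000 becomes
 * 0xffff8000..0xffffffff. The int16_t cast reinterprets the bits the way
 * the word load does (two's complement assumed). */
uint32_t sign_extend_author_len(uint16_t author_len)
{
    int16_t as_signed = (int16_t)author_len;
    return (uint32_t)(int32_t)as_signed;
}

/* Steps 2 and 3, as at sub_668DCFD0() and sub_668DCA60(): add the title
 * length + 0x20, then add 4, in plain register arithmetic that wraps
 * modulo 2^32. The return value is what reaches HeapReAlloc() as dwBytes. */
uint32_t vulnerable_alloc_size(uint16_t author_len, uint16_t title_len)
{
    uint32_t ebx = sign_extend_author_len(author_len);
    uint32_t edi = (uint32_t)title_len + 0x20u;  /* title length + 0x20 */
    uint32_t sum = edi + ebx;                    /* lea eax, [edi+ebx] */
    return sum + 4u;                             /* lea eax, [edi+4]   */
}

/* A length-checked form of the same computation. The lengths stay unsigned
 * (zero-extension instead of movsx) and each addition is checked against
 * UINT32_MAX before it is performed. Returns 0 and stores the size on
 * success, -1 if the size would wrap. */
int checked_alloc_size(uint32_t author_len, uint32_t title_len, uint32_t *out)
{
    uint32_t with_header, sum;
    if (title_len > UINT32_MAX - 0x20u)
        return -1;
    with_header = title_len + 0x20u;
    if (author_len > UINT32_MAX - with_header)
        return -1;
    sum = author_len + with_header;
    if (sum > UINT32_MAX - 4u)
        return -1;
    *out = sum + 4u;
    return 0;
}

/* Convenience wrapper: the checked size, or 0 when the computation would
 * have wrapped (0 is never a valid result here because of the +0x20 and +4). */
uint32_t checked_alloc_size_or_zero(uint32_t author_len, uint32_t title_len)
{
    uint32_t out = 0;
    return checked_alloc_size(author_len, title_len, &out) == 0 ? out : 0;
}

int main(void)
{
    /* The advisory's own numbers: author 0xff00 (65280), title 0xdf (223). */
    printf("vulnerable dwBytes: 0x%08x\n", vulnerable_alloc_size(0xff00, 0xdf));
    printf("checked dwBytes:    0x%08x\n", checked_alloc_size_or_zero(0xff00, 0xdf));
    return 0;
}
```

The checked version keeps 0xff00 as 65280 rather than -256, so the same inputs yield 0x00010003 bytes, which is the size the copy that follows actually needs; the wrap to 3 bytes only arises from the sign extension followed by unchecked addition.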

Re: [Full-disclosure] most powerful supercomputer, etc.

2007-09-03 Thread [EMAIL PROTECTED]
Net-Dev's current alias wrote:
--

"just like the u.s intelligence 
services allowed a foreign government
or terrorist group such as al queda 
to do 9/11 as a proof of concept
to show the american people that a 
"war on terror" was necessary."
~~
And FDR allowed the Japs to bomb Pearl Harbor, and Lincoln allowed the
attack on Ft Sumter.
Hell... Even Leonidas allowed Xerxes to encircle him to help create a
legend. 
Normally, I would feel obligated to point out that you're an idiot, but
your reputation is already well established and that won't be necessary.
Geoff wrote:


"Uh... I think you're missing some 
key points about the gov't and the internet..."


It appears that most of the people on this list are coders, and coders have
an unfortunate tendency to forget that their computers are attached to a
NETWORK. Nor do they seem to be completely aware of precisely what the
"network" is or what it does.

Timo Schoeler wrote:


maybe some time you realize 
that there are only about 500 
idiots world-wide that make people 
(i.e. blatant idiots like soldiers) 
fight against each other?

soldiers are murderers... period. 
~~

1) Given your last statement, you should probably consider yourself lucky
that you aren't in the geographical vicinity of THIS former soldier.
2) People who are prone to silly conspiracy theories should perhaps be a
bit less sanguine about calling OTHER people idiots.
3) Your ability to sleep peacefully in your bed at night, then wake up and
insult your betters; was granted to you BY a soldier. In your case, you are
NOT welcome.
mail2web LIVE – Free email based on Microsoft® Exchange technology -
http://link.mail2web.com/LIVE


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] n.runs-SA-2007.027 - Sophos Antivirus UPX parsing Arbitrary CodeExecution Advisory

2007-09-03 Thread Sergio Alvarez
Hi all,

Just want to let you know that Sophos has updated their advisory:

http://www.sophos.com/support/knowledgebase/article/28407.html

To make things a bit more clear, it's a one byte overwrite in an
arbitrary location caused by an integer handling issue while parsing the
UPX file format.

The advisory at http://www.nruns.com/security_advisory.php will be
updated soon.

Cheers,
  Sergio



[Full-disclosure] Fwd: DeepSec IDSC 2007 Vienna Registration Now Open

2007-09-03 Thread Paul Böhm
Good News Everyone,

The DeepSec IDSC 2007 Registration has begun at http://deepsec.net/register/

Since we've received a lot of great feedback so far, we've made some
changes to the conference since the initial announcement.

* 36 top-notch Talks instead of 26. (see http://deepsec.net/schedule/)
- we had over a hundred great submissions, and rejecting so many has
been really hard on us!
* 5 Trainings instead of 4 (we're thinking about adding two more! -
you'll be able to switch if you like one of the added ones better)
* We're using the whole Hotel Floor now (see http://deepsec.net/venue/)
* We'll get specialist atmospheric design and lighting by the same
agency that's been working with the Chaos Computer Club and Cap Gemini
Berlin for a while now. (http://www.artevent.de/)

And in addition to all this, at the conference you'll have as announced before:
* Great Networking Opportunities
* Web Hacking Competition
* Live Capture the Flag Contest by Hack in the Box
(https://conference.hackinthebox.org/)
* Evening Parties at the Roboexotica Cocktail Robotics Festival (see
http://www.roboexotica.org/) including two free drinks!
* After Party at the Metalab Hackerspace on Saturday (http://metalab.at/)

Register here now: http://deepsec.net/register/

Finally we'd like to thank our sponsors SEC-Consult, T-Systems,
Telekom Austria, Microsoft, Phion, and Secure Network, as well as all
our community and media partners for making this event possible.

Oh, and if you still want to sponsor us - hurry up - our print
materials will leave the office soon!

Have a great time and see you soon in Vienna!

The DeepSec Team!
