Re: [Full-disclosure] Symantec Contact?
I'm not sure exactly why they do not accept submissions from the general non-customer public, but I am sure there is a good reason. Chances are they most likely have the sample you are coming across from one source or another. They probably also get a much larger number of duplicates for something they already detect as a result too. If you're not a customer and you're submitting it, you might not realize they already detect it. If you put it in VirusTotal or one of those sites -- they're probably going to get it from them anyway. :D

I have submitted through the Gold and Platinum support before and received pretty quick updates to the general virus definitions. If not there, they usually fire them out in an optional rapid release (not tested for everyone or every product). Personally, I haven't really run into massive delays in my past experiences with them.

Steven
securityzone.org

What's really sad is that Symantec does not have an option for the general public (i.e. Independent Virus Researchers) to submit virus samples. You have to either A. Submit it through their product, or B. Have a Corporate Support contract. Guess they don't want new samples.

-S

On 9/17/07, Joel R. Helgeson [EMAIL PROTECTED] wrote:

Symantec is notoriously slow to release AV updates, because while they may have the AV signature available within the hour, they hold it back until they have the signature configured and working for all versions of all their products running on all platforms, which at last count was over 2.45 gazillion (and counting). They state that they don't want to issue partial releases for different products, which makes sense. If you have version xxx..z of the definition file, then you're covered against the FOO variant of the BAR virus, irrespective of whatever Symantec application, platform, or version you're running. The downside is that they take a LONG time to release signatures, as you have now seen.

I do not use Symantec, as too often they have been the single point of failure in the enterprise, and one should not underestimate the system slowdown brought on by 15 years of code bloat.

-joel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Beauchamp, Brian
Sent: Monday, September 17, 2007 12:28 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Symantec Contact?

That's where I submitted our file to yesterday. It's funny that less than 5 minutes ago I received an email that the defs had been updated to include this variant.

From: Theodore Pham [mailto:[EMAIL PROTECTED]]
Sent: Mon 9/17/2007 1:13 PM
To: Beauchamp, Brian
Subject: Re: [Full-disclosure] Symantec Contact?

Submit the sample to Symantec via http://www.symantec.com/avcenter/submit.html They've been pretty responsive in the past, though I haven't needed to submit a sample in over a year.

Ted Pham
Information Security Office
Carnegie Mellon University

Beauchamp, Brian wrote:

Does anyone have a contact within Symantec? We have numerous infections of the W32/Sdbot-DHS worm (http://www.sophos.com/virusinfo/analyses/w32sdbotdhs.html). Most major AV vendors are updating their definitions to block it; one of them isn't Symantec. We have created a removal kit, but the machines keep being reinfected since they cannot all be disinfected at once (limited network access). We submitted a virus sample last week and have contacted our sales rep; neither is giving a helpful response. Aside from cutting over to the Sophos AV client, any ideas?

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Media Defender pwned big time
This was originally reported to Daily Dave by [EMAIL PROTECTED]

[EMAIL PROTECTED] wrote:

After the email leak[1], a phone call was leaked[2], allegedly between Ben Grodsky of Media Defender and New York State General Attorney. Here is a teaser transcript:

Ben Grodsky: Yeah it seems... I mean, from our telephone call yesterday it seems that uhm... we all pretty much came to the conclusion that probably was ehm... caught in the email transmission because the attacker, I guess what you call, the Swedish IP, the attacker uhm... knew the login and the IP address and port uhm... but they weren't able to get in because we had changed the password on our end, you know, following our normal security protocols uhm... when we are making secure transactions like these on the first login we'll change the password so, obviously, well not obviously but, it seems that, most likely scenario is that, at some point that email was ehm... intercepted. You know just because it is... probably it was going through the public Internet and there wasn't any sort of encryption key used to ehm... protect the data in that email.

Ben Grodsky: ...if you guys are comfortable just communicating with us by phone, anything that is really really sensitive we can just communicate in this fashion...

Ben Grodsky: OK [confused, taking notes]. So, you are gonna disable password authentication and enable public key?

Ben Grodsky: ...that part has... has not been compromised in any way. I mean, the communications between our offices in Santa Monica and our data centers have not been compromised in any way and all those communications to NY, to your offices, are secured. The only part that was compromised was... was the email communications about these things.

Ben Grodsky: ...All we can say for sure Media Defender's mail server has not been hacked or compromised...

[in answer to the question "What kind of IDS you guys are running?"]
Ben Grodsky: Ehm... I don't know. Let me look into that.

[1] http://torrentfreak.com/mediadefender-emails-leaked-070915/
[2] http://thepiratebay.org/tor/3809004/MediaDefender.Phonecall-MDD

--
simon
http://www.snosoft.com
Re: [Full-disclosure] security notice: Backdooring Windows Media Files
> Think about how easy it is going to be to fake the windows logout - login sequence and phish unaware users' credentials

and just how do you propose you catch the SAS with your little IE window?
[Full-disclosure] WifiZoo v1.1
Hi All!,

So I was looking for something cool to do, didn't find anything, and wrote WifiZoo because I kind of needed it at the moment :). WifiZoo is a tool to gather 'wifi' information passively. It's like dsniff, but dsniff didn't work well (probably my fault) in the scenario I wanted to use it in (wifi card, monitor mode, listening for everything, not associated to any AP, hopping channels all the time) and also lacked some wifi-specific stuff I needed. It's like Ferret, but WifiZoo is written in Python and not in C, which for me makes it so much easier to maintain and modify, and WifiZoo also does some stuff Ferret does not do (and vice versa :)). Of course, kudos to the previous tools because they are the predecessors of this 'tool', 'group of python scripts' or whatever you want to call it :).

WifiZoo does the following:

- gathers bssid-ssid information from beacons and probe responses (now the graph contains the ssid of the bssid :), new in v1.1)
- gathers a list of unique SSIDs found on probe requests (you can keep track of all SSIDs machines around you are probing for, and use this information on further attacks) (new in v1.1)
- gathers the list and graphs which SSIDs are being probed from what sources (new in v1.1)
- gathers bssid-clients information and outputs it in a file that you can later use with graphviz and get a graph with 802.11 bssids-clients. It gathers both src and dst addresses of packets to make the list of clients, so sometimes you get weird graphs that are fun to analyze :) (basically, because I still need to omit multicast dst addresses and things like that). Using the dst address means that sometimes you get mac addresses of wifi devices that are not near you, but I think it gives you information about the wifi 'infrastructure', again, I think :).
- gathers 'useful' information from unencrypted wifi traffic (a la Ferret, dsniff, etc.), like pop3 credentials, smtp traffic, http cookies/authinfo, msn messages, ftp credentials, telnet network traffic, nbt, etc.
- and I think that's it.

Requirements:

- Linux
- scapy
- wifi card :)

You can get it here, and take a look at some of the graphs it produces (very basic but functional :)): http://community.corest.com/~hochoa/wifizoo/index.html

Direct link: http://community.corest.com/~hochoa/wifizoo/wifizoo_v1.1.tgz

Thanks!,
Hernan
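The bssid-ssid and bssid-clients mapping described above, as an added example that is not WifiZoo's own code: a dependency-free parser for raw 802.11 frames (the kind a monitor-mode capture yields) that reads the SSID tag from beacons and probe responses, attributes data frames to a BSSID using the ToDS/FromDS bits, drops multicast destinations (the edge case the announcement mentions), and emits Graphviz DOT. This is the inventory a wireless IDS builds to spot rogue access points and unexpected clients. The frames below are constructed by hand, not a real capture.

```python
import struct

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON, SUBTYPE_PROBE_RESP = 8, 5
TAG_SSID = 0

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def is_multicast(raw):
    # Group bit (LSB of first octet): multicast/broadcast, never a station.
    return bool(raw[0] & 0x01)

def parse_header(frame):
    """Split the 24-byte 802.11 MAC header; None for truncated frames."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    return ftype, subtype, frame[1], frame[4:10], frame[10:16], frame[16:22], frame[24:]

def ssid_from_mgmt_body(body):
    # Beacon/probe-response body: timestamp(8) + interval(2) + capability(2),
    # then tagged parameters as id(1) len(1) value.  Empty SSID = hidden network.
    off = 12
    while off + 2 <= len(body):
        tag, ln = body[off], body[off + 1]
        val = body[off + 2:off + 2 + ln]
        if len(val) < ln:
            return None  # truncated tag: reject rather than guess
        if tag == TAG_SSID:
            return val.decode("utf-8", "replace") or "<hidden>"
        off += 2 + ln
    return None

class WifiInventory:
    def __init__(self):
        self.ssids = {}    # bssid -> ssid
        self.clients = {}  # bssid -> set of station MACs

    def feed(self, frame):
        parsed = parse_header(frame)
        if parsed is None:
            return
        ftype, subtype, flags, a1, a2, a3, body = parsed
        if ftype == TYPE_MGMT and subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
            ssid = ssid_from_mgmt_body(body)
            if ssid is not None:
                self.ssids[mac_str(a3)] = ssid  # addr3 carries the BSSID
        elif ftype == TYPE_DATA:
            to_ds, from_ds = flags & 0x01, flags & 0x02
            if to_ds and from_ds:
                return  # 4-address WDS frame: no single BSSID to attribute
            if to_ds:
                bssid, station = a1, a2  # addr1 = BSSID, addr2 = sending station
            elif from_ds:
                bssid, station = a2, a1  # addr2 = BSSID, addr1 = receiving station
            else:
                bssid, station = a3, a2  # IBSS: addr3 = BSSID, addr2 = source
            if not is_multicast(station):
                self.clients.setdefault(mac_str(bssid), set()).add(mac_str(station))

    def to_dot(self):
        """Graphviz source: a node per BSSID labelled with its SSID, edges to clients."""
        lines = ["graph wifi {"]
        for bssid, ssid in sorted(self.ssids.items()):
            lines.append('  "%s" [label="%s\\n%s"];' % (bssid, ssid, bssid))
        for bssid, stations in sorted(self.clients.items()):
            for sta in sorted(stations):
                lines.append('  "%s" -- "%s";' % (bssid, sta))
        lines.append("}")
        return "\n".join(lines)

# Constructed sample frames (not a real capture).
def build_beacon(bssid, ssid):
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capability
    return header + fixed + bytes([TAG_SSID, len(ssid)]) + ssid

def build_data(flags, a1, a2, a3):
    return b"\x08" + bytes([flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + b"\x00" * 8

AP, STA, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
SAMPLE_FRAMES = [
    build_beacon(AP, b"corp-guest"),
    build_data(0x01, AP, STA, BCAST),  # STA -> AP (ToDS), broadcast destination
    build_data(0x02, BCAST, AP, STA),  # AP -> broadcast (FromDS): no client recorded
    b"\x80\x00\x00\x00",               # truncated frame: ignored
]

def inventory_from(frames):
    inv = WifiInventory()
    for frame in frames:
        inv.feed(frame)
    return inv
```

Run `inventory_from(SAMPLE_FRAMES).to_dot()` and pipe the output to `dot -Tpng` to get the same kind of bssid-clients graph the announcement describes.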
Re: [Full-disclosure] Symantec Contact?
> What's really sad is that Symantec does not have an option for the general public (i.e. Independent Virus Researchers) to submit virus samples. You have to either A. Submit it through their product, or B. Have a Corporate Support contract. Guess they don't want new samples.

agree 100%, stupidity
Re: [Full-disclosure] Symantec Contact?
I haven't been following this thread, but what about submitting the details to them in the same way that you'd submit a vulnerability? I'd find it hard to believe that they'd just ignore it.

Morning Wood wrote:

> > What's really sad is that Symantec does not have an option for the general public (i.e. Independent Virus Researchers) to submit virus samples. You have to either A. Submit it through their product, or B. Have a Corporate Support contract. Guess they don't want new samples.
>
> agree 100%, stupidity

--
simon
http://www.snosoft.com
Re: [Full-disclosure] Pro US government hackerganda
> Nice to know. I hope my government can either install ispell or send some of you guys to Clueful University.

Well maybe you can write up a perl script for me to fix that, maybe statd some ac.jp boxes, that's what you're good at right? It's humorous to see the script kids of yesterday go legit today.

> Here is one for you from the horse's mouth. 100% true so help me any deity. So I get a group of individuals visit my company about two weeks ago. Golf shirts, slacks, etc., really clean cut. Nice little blue and white plates can be seen from the conference room with a big old G on it. They start asking about pentesting EV-DO... They ramble on and mention we're using 128 bit... Wait a minute I told the gentleman. You know you shouldn't be using 128 bit for encryption of TS documents in accordance with NIST. (And I know this because I got a personal schooling from Bruce Schneier on this. (http://www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf for clarity on this)) Their response: We know but we have M16's on each side of the stream and they chuckled. My thoughts at that time... What a bunch of idiots. So what. M16's mean nothing if you can't track someone sniffing you - you idiot... In essence it's stupid - and I sincerely and obnoxiously mean this - STUPID IDIOTS in the government who allow these so called pseudoIntrusions (add that to your buzzwords too).

Well either you're full of it, they're full of it, or you just plainly misunderstood. In every place I've ever seen TS data getting transmitted, they're not using any cipher you've ever heard of; both ends of the connection use something like a kg-175 (now known as a taclane; your lie would've been better if you had found out about these in your time spent using google), which uses NSA encryption and because of the crypto-module, is classified. Now what's possible (assuming this isn't the figment of your imagination), is that they were transmitting data rated at secret, which IIRC can use AES 128, depending on the implementation. So like I said, you're either making it up, misunderstood them, or they were having fun with you.

> See an intrusion hasn't occurred here period, error and human stupidity has though and now the US government is calling the kettle black. In case you have either forgotten or never heard of the abuses of ECHELON not to even bother pointing out the mess we have in this country with our warrantless MM color coded uberDuber terrorAlert crapaganda systems. So politics aside, it's stupidity black and white, not an intrusion that is leading to the compromise of data. If the data is on unsecured webservers that are on the Internet, don't blame the ingenuity of someone for finding something that should have been on SIPR instead of being online (NIPR) to the public in the first place. The gov should re-iterate the differences between SIPR, NIPR, RIPR and other systems to clueless idiots on computers, servers, crackberries or whatever other mediums they choose to use.

So what, you think because you found some documents on google that this is how the data is getting lost and this all somehow makes you authoritative? Here is the simple truth, as is the usual with many of you ex-feed-the-goats/etc kids, you just don't know wtf you're talking about.
Re: [Full-disclosure] Symantec Contact?
> What's really sad is that Symantec does not have an option for the general public (i.e. Independent Virus Researchers) to submit virus samples. You have to either A. Submit it through their product, or B. Have a Corporate Support contract. Guess they don't want new samples.

On the devil's advocate side, maybe they don't have it since it would be trivial for a virus creator to flood them with bogus information. It's easy to point a finger and say shame shame shame on you guys. You guys blow, foobar, cry, but I've yet to have an instance where I was looking for a point of contact at a vendor and not found one. Most times I get the impression the (l)user on the mailing list disclosing sends out one email knowing damn well the ratio for a response will be low - especially when a response was sent to abuse or contact or some other generic account. They then run along to a mailing list(s) then cry foul "Vendor absent". Typical nowadays when many that I've seen come and go never learning much other than how to be a PACH (buzzword - Point And Click Hacker).

--
J. Oquendo
Excusatio non petita, accusatio manifesta
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
Re: [Full-disclosure] Pro US government hackerganda
jf wrote:

> Well either you're full of it, they're full of it, or you just plainly misunderstood. In every place I've ever seen TS data getting transmitted, they're not using any cipher you've ever heard of; both ends of the connection use something like a kg-175 (now known as a taclane; your lie would've been better if you had found out about these in your time spent using google), which uses NSA encryption and because of the crypto-module, is classified.

Oh right every single department in the government and agency has one along with kiv-19's because after all everyone connects back to DREN. Right I forgot it's all over TRADOC manuals. How stupid can I be to not know this (http://web.archive.org/web/*/http://venona.antioffline.com) my bad.

> Now what's possible (assuming this isn't the figment of your imagination), is that they were transmitting data rated at secret, which IIRC can use AES 128, depending on the implementation. So like I said, you're either making it up, misunderstood them, or they were having fun with you.

No they were deathly serious about using EV-DO to transmit Top Secret documents over the wire and wanted to know it was sniffable period.

> So what, you think because you found some documents on google that this is how the data is getting lost and this all somehow makes you authoritative? Here is the simple truth, as is the usual with many of you ex-feed-the-goats/etc kids, you just don't know wtf you're talking about.

Documents on Google? One in the government shouldn't be worried about documents on Google; they should be worried about idiots behind some of those government machines which leave information not intended for the public on them. [1] I recall back in the mid to late 90's mirrors of dozens maybe hundreds of military, NASA sites left and right getting pwnd daily, hourly. Why these machines were up and on the Internet is anyone's guess from the public side. As to why someone would compromise them, the answer should be obvious to anyone with half a clue. It's alright to vent your frustration but I'm not the idiot putting up machines on the Internet when they shouldn't be there. I'm not the one who's allowing idiots to post classified information over non secure channels when they should know better. Facts are facts. Don't shoot the messenger:

// begin [1]
Numerous US military documents, some of which have critical strategic importance, have been found on publicly accessible ftp servers. ... Some of the most sensitive information found by AP included details of security vulnerabilities at a contingency operating base, security features at Tallil Air Base and plans of a military fuelling facility. Some files were apparently password protected, but in one case the password was given in another document on the same server. When asked for his views, Bruce Schneier called the leaks a "sloppy user mistake" - an understatement of monumental proportions ...
http://www.heise-security.co.uk/news/92653
// end

"Some files were apparently password protected, but in one case the password was given in another document on the same server." What's that you were saying about stupidity?

--
J. Oquendo
Excusatio non petita, accusatio manifesta
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
Re: [Full-disclosure] Symantec Contact?
> On the devil's advocate side, maybe they don't have it since it would be trivial for a virus creator to flood them with bogus information.

Then they should consider not making security products if they are afraid of this. There are plenty of ways to prevent flooding with submittal forms on web pages. Bogus information is part of the game. Plus, I'm sure malware authors would be a little more creative than that, if they cared. But your point is noted. They might have some reason... Who knows? Everyone else seems to be able to automate this process with no problems.

-S
[Full-disclosure] security notice: Backdooring Windows Media Files
http://www.gnucitizen.org/blog/backdooring-windows-media-files

It is very easy to put some HTML inside files supported by Windows Media Player. The interesting thing is that these HTML pages run in a less restrictive IE environment. I found that a fully patched Windows XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open any page of your choice in IE even if your default browser is Firefox, Opera or anything else you have in place. It means that even if you are running Firefox and you think that you are secure, by simply opening a media file, you expose yourself to all IE vulnerabilities there might be. Plus, attackers can perform very very interesting phishing attacks. I prepared a simple POC which spawns a browser window in full screen mode... Think about how easy it is going to be to fake the windows logout - login sequence and phish unaware users' credentials

http://www.gnucitizen.org/projects/backdooring-windows-media-files/poc02.asx

On the other hand Media Player 11 (Vista by default) is not exposed to these attacks.

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] TPTI-07-15: Automated Solutions Modbus TCP Slave ActiveX Control Heap Corruption Vulnerability
TPTI-07-15: Automated Solutions Modbus TCP Slave ActiveX Control Heap Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/TPTI-07-15.html
September 17, 2007

-- CVE ID:
CVE-2007-4827

-- Affected Vendor:
Automated Solutions

-- Affected Products:
Modbus RTU/ASCII/TCP Slave ActiveX Control

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since September 7, 2007 by Digital Vaccine protection filter ID 5598. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of the Automated Solutions Modbus TCP Slave ActiveX Control. Authentication is not required to exploit this vulnerability.

The specific flaw exists within MiniHMI.exe which binds to TCP port 502. When processing malformed Modbus requests on this port a controllable heap corruption can occur which may result in execution of arbitrary code.

-- Vendor Response:
Automated Solutions has issued an update to correct this vulnerability. More details can be found at: http://www.automatedsolutions.com/pub/asmbslv/setup.exe

-- Disclosure Timeline:
2007.08.20 - Vulnerability reported to vendor
2007.09.07 - Digital Vaccine released to TippingPoint customers
2007.09.17 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Ganesh Devarajan, TippingPoint DVLabs.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
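The advisory says only that malformed Modbus requests on TCP port 502 corrupt the heap, not which field is mishandled. As an added example that is not the vendor's code, here is the validation a Modbus/TCP slave should apply to every request before any handler touches it: the MBAP header (transaction id, protocol id, length, unit id), the length field checked against the bytes actually received, and per-function quantity and byte-count limits from the Modbus specification. The sample requests are constructed for the example.

```python
import struct

MBAP_LEN = 7      # transaction id(2) protocol id(2) length(2) unit id(1)
MAX_ADU = 260     # 7-byte MBAP + 253-byte PDU is the Modbus/TCP maximum

class ModbusError(ValueError):
    """Raised for any frame a slave should discard rather than process."""

def parse_modbus_request(buf):
    """Validate a Modbus/TCP request ADU and return its fields as a dict."""
    if len(buf) < MBAP_LEN + 1:
        raise ModbusError("short frame (%d bytes)" % len(buf))
    if len(buf) > MAX_ADU:
        raise ModbusError("oversize frame (%d bytes)" % len(buf))
    tid, pid, length, unit = struct.unpack(">HHHB", buf[:MBAP_LEN])
    if pid != 0:
        raise ModbusError("protocol id %d is not Modbus" % pid)
    # MBAP length counts unit id + PDU, so it must equal the bytes that follow
    # the length field; trusting it over the real size is how parsers overrun.
    if length != len(buf) - 6:
        raise ModbusError("length field %d vs %d bytes on the wire" % (length, len(buf) - 6))
    fc, data = buf[MBAP_LEN], buf[MBAP_LEN + 1:]
    req = {"tid": tid, "unit": unit, "fc": fc}
    if fc in (1, 2, 3, 4):      # read coils / discrete inputs / holding / input registers
        if len(data) != 4:
            raise ModbusError("fc %d expects 4 data bytes, got %d" % (fc, len(data)))
        start, qty = struct.unpack(">HH", data)
        limit = 2000 if fc in (1, 2) else 125
        if not 1 <= qty <= limit:
            raise ModbusError("fc %d quantity %d outside 1..%d" % (fc, qty, limit))
        req.update(start=start, quantity=qty)
        return req
    if fc in (15, 16):          # write multiple coils / write multiple registers
        if len(data) < 5:
            raise ModbusError("fc %d header truncated" % fc)
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        limit, expected = (1968, (qty + 7) // 8) if fc == 15 else (123, 2 * qty)
        if not 1 <= qty <= limit:
            raise ModbusError("fc %d quantity %d outside 1..%d" % (fc, qty, limit))
        # Byte count must match both the quantity and the bytes actually present.
        if nbytes != expected or len(data) - 5 != nbytes:
            raise ModbusError("fc %d byte count %d, expected %d, payload %d"
                              % (fc, nbytes, expected, len(data) - 5))
        req.update(start=start, quantity=qty, values=data[5:])
        return req
    raise ModbusError("function code %d not supported by this slave" % fc)

def classify(buf):
    """'ok' for an accepted request, otherwise the rejection reason."""
    try:
        parse_modbus_request(buf)
        return "ok"
    except ModbusError as exc:
        return "rejected: %s" % exc

# Constructed sample requests (not taken from the advisory).
GOOD_READ = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
BAD_LENGTH = bytes.fromhex("0001 0000 0010 01 03 0000 000a".replace(" ", ""))
BAD_BYTE_COUNT = bytes.fromhex("0002 0000 0009 01 10 0000 0002 04 aabb".replace(" ", ""))
BAD_QUANTITY = bytes.fromhex("0003 0000 0006 01 03 0000 0100".replace(" ", ""))
```

The same checks, run on a network tap, make a useful IDS rule for port 502: a well-formed client never sends a frame whose length field disagrees with its size.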
[Full-disclosure] Plague in (security) software drivers BSODhook utility
Hello,

We have found a number of vulnerabilities in implementations of SSDT hooks in many different products.

Vulnerable software:
* BlackICE PC Protection 3.6.cqn
* G DATA InternetSecurity 2007
* Ghost Security Suite beta 1.110 and alpha 1.200
* Kaspersky Internet Security 7.0.0.125
* Norton Internet Security 2008 15.0.0.60
* Online Armor Personal Firewall 2.0.1.215
* Outpost Firewall Pro 4.0.1025.7828
* Privatefirewall 5.0.14.2
* Process Monitor 1.22
* ProcessGuard 3.410
* ProSecurity 1.40 Beta 2
* RegMon 7.04
* ZoneAlarm Pro 7.0.362.000
* probably other versions of above mentioned software
* possibly many other software products that implement SSDT hooks

Not vulnerable software:
* Comodo Personal Firewall 2.4.18.184
* Daemon Tools Lite 4.10 X86
* Sunbelt Personal Firewall 4.5.916.0

More details and the BSODhook utility that allows everyone to find similar vulnerabilities easily are available here:

Advisory: http://www.matousec.com/info/advisories/plague-in-security-software-drivers.php
Article: http://www.matousec.com/projects/windows-personal-firewall-analysis/plague-in-security-software-drivers.php

Regards,

--
Matousec - Transparent security Research
http://www.matousec.com/
Re: [Full-disclosure] security notice: Backdooring Windows Media Files
Hi pdp!

Great admirer of your work :) I just wanted to inform you that I have tested your claim, on a fully patched/updated Win XP SP2 system with an admin account logged in, and was warned sufficiently (asked whether I wanted to play asx files, then asked if I was sure by Media Player, then pop-up was blocked by IE), while the page you tried to produce was blocked via IE's pop-up blocker. You can see/confirm this by viewing these screenshots: http://preview.tinyurl.com/34xpcz (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie1.png) and http://preview.tinyurl.com/34jx5v (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie2.png)

This was tested on a plain/manila/vanilla version of XP SP2. All I did was update/upgrade to the latest available from M$ Update.

Sincerely,
Aras Memisyazici
IT/Security/Dev. Specialist
Outreach Information Services
Virginia Tech

-----Original Message-----
From: pdp (architect) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2007 11:58 AM
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: security notice: Backdooring Windows Media Files

http://www.gnucitizen.org/blog/backdooring-windows-media-files

It is very easy to put some HTML inside files supported by Windows Media Player. The interesting thing is that these HTML pages run in a less restrictive IE environment. I found that a fully patched Windows XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open any page of your choice in IE even if your default browser is Firefox, Opera or anything else you have in place. It means that even if you are running Firefox and you think that you are secure, by simply opening a media file, you expose yourself to all IE vulnerabilities there might be. Plus, attackers can perform very very interesting phishing attacks. I prepared a simple POC which spawns a browser window in full screen mode... Think about how easy it is going to be to fake the windows logout - login sequence and phish unaware users' credentials

http://www.gnucitizen.org/projects/backdooring-windows-media-files/poc02.asx

On the other hand Media Player 11 (Vista by default) is not exposed to these attacks.

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] security notice: Backdooring Windows Media Files
Err... Windows Media Player 11 update DOES come through on M$ Update. Of course not via the Express mode, but via Custom mode. It is a recommended update. When someone tells me they have fully patched their system I am assuming that they have applied any and all patches available from M$ without discrimination.

-----Original Message-----
From: pdp (architect) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2007 3:00 PM
To: Memisyazici, Aras
Cc: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: Re: security notice: Backdooring Windows Media Files

yes, of course :) but u are running Windows Media Player 11 which is not the default one for Windows XP SP2. Moreover, this Media Player edition is not slipped through any software update either. Therefore, if you are not a Media Player fan, you will never get this version on a fully patched XP SP2 machine. I tend to use iTunes on XP SP2, so yes I am vulnerable.

On 9/18/07, Memisyazici, Aras [EMAIL PROTECTED] wrote:

Hi pdp!

Great admirer of your work :) I just wanted to inform you that I have tested your claim, on a fully patched/updated Win XP SP2 system with an admin account logged in, and was warned sufficiently (asked whether I wanted to play asx files, then asked if I was sure by Media Player, then pop-up was blocked by IE), while the page you tried to produce was blocked via IE's pop-up blocker. You can see/confirm this by viewing these screenshots: http://preview.tinyurl.com/34xpcz (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie1.png) and http://preview.tinyurl.com/34jx5v (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie2.png)

This was tested on a plain/manila/vanilla version of XP SP2. All I did was update/upgrade to the latest available from M$ Update.

Sincerely,
Aras Memisyazici
IT/Security/Dev. Specialist
Outreach Information Services
Virginia Tech

-----Original Message-----
From: pdp (architect) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2007 11:58 AM
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: security notice: Backdooring Windows Media Files

http://www.gnucitizen.org/blog/backdooring-windows-media-files

It is very easy to put some HTML inside files supported by Windows Media Player. The interesting thing is that these HTML pages run in a less restrictive IE environment. I found that a fully patched Windows XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open any page of your choice in IE even if your default browser is Firefox, Opera or anything else you have in place. It means that even if you are running Firefox and you think that you are secure, by simply opening a media file, you expose yourself to all IE vulnerabilities there might be. Plus, attackers can perform very very interesting phishing attacks. I prepared a simple POC which spawns a browser window in full screen mode... Think about how easy it is going to be to fake the windows logout - login sequence and phish unaware users' credentials

http://www.gnucitizen.org/projects/backdooring-windows-media-files/poc02.asx

On the other hand Media Player 11 (Vista by default) is not exposed to these attacks.

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] Uninformed Journal Release Announcement: Volume 8
Uninformed is pleased to announce the release of its eighth volume. This volume includes 6 articles on a variety of topics:

- Covert Communications: Real-time Steganography with RTP
  Author: I)ruid
- Engineering in Reverse: PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3
  Author: Skywing
- Exploitation Technology: Getting out of Jail: Escaping Internet Explorer Protected Mode
  Author: Skywing
- Exploitation Technology: OS X Kernel-mode Exploitation in a Weekend
  Author: David Maynor
- Rootkits: A Catalog of Local Windows Kernel-mode Backdoor Techniques
  Authors: skape & Skywing
- Static Analysis: Generalizing Data Flow Information
  Author: skape

This volume of the journal can be found at: http://www.uninformed.org/?v=8

About Uninformed:

Uninformed is a non-commercial technical outlet for research in areas pertaining to security technologies, reverse engineering, and low level programming. The goal, as the name implies, is to act as a medium for providing informative information to the uninformed. The research presented in each edition is simply an example of the evolutionary thought that affects all academic and professional disciplines.

- The Uninformed Staff
staff [at] uninformed.org
Re: [Full-disclosure] security notice: Backdooring Windows Media Files
yes, of course :) but u are running Windows Media Player 11 which is not the default one for Windows XP SP2. Moreover, this Media Player edition is not slipped through any software update either. Therefore, if you are not a Media Player fan, you will never get this version on a fully patched XP SP2 machine. I tend to use iTunes on XP SP2, so yes I am vulnerable.

On 9/18/07, Memisyazici, Aras [EMAIL PROTECTED] wrote:
Hi pdp!

Great admirer of your work :) I just wanted to inform you that I have tested your claim, on a fully patched/updated Win XP SP2 system with an admin account logged in, and was warned sufficiently (asked whether I wanted to play asx files, then asked if I was sure by Media Player, then pop-up was blocked by IE), while the page you tried to produce was blocked via IE's pop-up blocker.

You can see/confirm this by viewing these screenshots:
http://preview.tinyurl.com/34xpcz (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie1.png)
and
http://preview.tinyurl.com/34jx5v (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie2.png)

This was tested on a plain/manila/vanilla version of XP SP2. All I did was update/upgrade to latest available from M$ Update.

Sincerely,
Aras Memisyazici
IT/Security/Dev. Specialist
Outreach Information Services
Virginia Tech

-Original Message-
From: pdp (architect) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 18, 2007 11:58 AM
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: security notice: Backdooring Windows Media Files

http://www.gnucitizen.org/blog/backdooring-windows-media-files

It is very easy to put some HTML inside files supported by Windows Media Player. The interesting thing is that these HTML pages run in a less restrictive IE environment. I found that a fully patched Windows XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open any page of your choice in IE even if your default browser is Firefox, Opera or anything else you have in place. It means that even if you are running Firefox and you think that you are secure, by simply opening a media file, you expose yourself to all IE vulnerabilities there might be. Plus, attackers can perform very very interesting phishing attacks. I prepared a simple POC which spawns a browser window in full screen mode... Think about how easy it is going to be to fake the windows logout - login sequence and phish unaware users' credentials

http://www.gnucitizen.org/projects/backdooring-windows-media-files/poc02.asx

On the other hand Media Player 11 (Vista by default) is not exposed to these attacks.

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
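The notice above is about media files that make the player load a web page instead of a stream. As an added example (not pdp's PoC and not any Microsoft code), here is a defensive scanner for ASX playlists that flags such entries before they reach a workstation; it assumes the ASX 3.0 ENTRY/REF/PARAM structure, treats the HTMLView parameter name and the media-extension allow-list as assumptions, and uses a constructed sample playlist.

```python
"""Added example (not pdp's PoC and not Microsoft code): a defensive scanner
for Windows Media ASX playlists that flags entries which would make the
player load a web page rather than a media stream.

Assumptions: ASX 3.0 structure (<ENTRY>, <REF HREF>, <PARAM NAME VALUE>);
the parameter name HTMLView is assumed to be the hook that makes the
player render a web page; the media-extension list is a constructed
allow-list.  The sample playlist below is constructed.
"""
import os
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Allow-list of extensions we expect a REF to point at (assumption).
MEDIA_EXTENSIONS = {".asf", ".wmv", ".wma", ".wax", ".wvx", ".mp3", ".wav",
                    ".avi", ".mpg", ".mpeg", ".mp4"}
# PARAM names that embed HTML in the player (assumption, see docstring).
HTML_PARAM_NAMES = {"htmlview"}

# ASX is case-insensitive and often not well-formed XML, so tolerant
# regular expressions are used instead of an XML parser.
ENTRY_RE = re.compile(r"<entry\b.*?</entry\s*>", re.I | re.S)
REF_RE = re.compile(r"<ref\b[^>]*?\bhref\s*=\s*[\"']?([^\"'\s>]+)", re.I)
PARAM_RE = re.compile(
    r"<param\b[^>]*?\bname\s*=\s*[\"']?([^\"'\s>]+)"
    r"[^>]*?\bvalue\s*=\s*[\"']?([^\"'\s>]*)", re.I)

Finding = Tuple[str, int, str]  # (kind, entry number or 0 for top level, detail)


def _suspicious_ref(href: str) -> bool:
    """True for a web URL whose path does not end in a known media extension."""
    parts = urlsplit(href)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    ext = os.path.splitext(parts.path.lower())[1]
    return ext not in MEDIA_EXTENSIONS


def scan_asx(text: str) -> List[Finding]:
    """Return findings for REFs that are web pages and PARAMs that embed HTML."""
    findings: List[Finding] = []
    for number, entry in enumerate(ENTRY_RE.findall(text), start=1):
        for href in REF_RE.findall(entry):
            if _suspicious_ref(href):
                findings.append(("non-media-ref", number, href))
        for name, value in PARAM_RE.findall(entry):
            if name.lower() in HTML_PARAM_NAMES:
                findings.append(("html-param", number, f"{name}={value}"))
    # PARAMs placed directly under <ASX>, outside any entry, apply to the
    # whole playlist; they are reported with entry number 0.
    top_level = ENTRY_RE.sub("", text)
    for name, value in PARAM_RE.findall(top_level):
        if name.lower() in HTML_PARAM_NAMES:
            findings.append(("html-param", 0, f"{name}={value}"))
    return findings


# Constructed sample: entry 1 is a plain stream, entry 2 would open a web page.
SAMPLE_ASX = """<ASX VERSION="3.0">
  <ENTRY>
    <TITLE>Constructed clip</TITLE>
    <REF HREF="http://media.example.org/clip.wmv"/>
  </ENTRY>
  <ENTRY>
    <REF HREF="http://www.example.org/index.html"/>
    <PARAM NAME="HTMLView" VALUE="http://www.example.org/page.html"/>
  </ENTRY>
</ASX>
"""

if __name__ == "__main__":
    for kind, number, detail in scan_asx(SAMPLE_ASX):
        print(f"entry {number}: {kind}: {detail}")
```

A mail gateway or proxy can run scan_asx over .asx/.wax/.wvx attachments and quarantine anything with findings, which is cheaper than relying on the player's own prompts.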
Re: [Full-disclosure] Symantec Contact?
Guess they don't want new samples.

agree 100%, stupidity OMG, don't be such fucking tools. Upload a suspected infected file: https://submit.symantec.com/websubmit/retail.cgi
[Full-disclosure] [USN-513-1] Qt vulnerability
===========================================================
Ubuntu Security Notice USN-513-1            September 18, 2007
qt-x11-free vulnerability
CVE-2007-4137
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  libqt3-mt  3:3.3.6-1ubuntu6.4

Ubuntu 6.10:
  libqt3-mt  3:3.3.6-3ubuntu3.3

Ubuntu 7.04:
  libqt3-mt  3:3.3.8really3.3.7-0ubuntu5.2

After a standard system upgrade you need to restart your session to effect the necessary changes.

Details follow:

Dirk Mueller discovered that UTF8 strings could be made to cause a small buffer overflow. A remote attacker could exploit this by sending specially crafted strings to applications that use the Qt3 library for UTF8 processing, potentially leading to arbitrary code execution with user privileges, or a denial of service.

Updated packages for Ubuntu 6.06 LTS:
Re: [Full-disclosure] security notice: Backdooring Windows Media Files
Depends on your definition of fully patched. I don't agree that fully patched means tiers one, two and three. There are three levels of Microsoft update:

Upper section = Critical and Security updates (which to me is fully patched) (this isn't just security updates btw)

Middle tier = Optional updates = those recommended updates you speak of. Just because Microsoft thinks I need .net 3.0 and Windows media player 11 doesn't mean that I agree with their assessment. There are also some issues in deployment of Media player 11 in corporate settings.

Bottom tier = drivers (aka the no patches from here get on my machines at all section)

It's all in how you define fully patched. Top section yes, bottom two, no. Windows media player 11 is in the optional as you said.

Memisyazici, Aras wrote:
Err... Windows Media Player 11 update DOES come through on M$ Update. Of course not via the Express mode, but via Custom mode. It is a recommended update.

When someone tells me they have fully patched their system I am assuming that they have applied any and all patches available from M$ without discrimination.
[Full-disclosure] [ GLSA 200709-10 ] PhpWiki: Authentication bypass
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200709-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: PhpWiki: Authentication bypass
      Date: September 18, 2007
      Bugs: #181692
        ID: 200709-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in the PhpWiki authentication mechanism.

Background
==========

PhpWiki is an application that creates a web site where anyone can edit the pages through HTML forms.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-apps/phpwiki          < 1.3.14                        >= 1.3.14

Description
===========

The PhpWiki development team reported an authentication error within the file lib/WikiUser/LDAP.php when binding to an LDAP server with an empty password.

Impact
======

A remote attacker could provide an empty password when authenticating. Depending on the LDAP implementation used, this could bypass the PhpWiki authentication mechanism and grant the attacker access to the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PhpWiki users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/phpwiki-1.3.14"

References
==========

  [ 1 ] CVE-2007-3193
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3193

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200709-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
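The bug class in this GLSA, an LDAP bind that succeeds with an empty password, is worth seeing end to end. The following is an added example, not PhpWiki's lib/WikiUser/LDAP.php: a constructed offline simulator of RFC 4513 unauthenticated-bind behaviour, beside the vulnerable and the hardened login check; the directory contents, base DN and username are sample data.

```python
"""Added example (not PhpWiki's lib/WikiUser/LDAP.php): why a password must
be rejected as empty *before* an LDAP bind is attempted.

RFC 4513 (section 5.1.2) allows a simple bind that supplies a DN but an
empty password to succeed as an "unauthenticated" bind on servers that
permit it.  The bind response carries no flag saying "no password was
checked", so an application that equates bind success with a verified
password can be entered with a blank password; that is the class of bug
GLSA 200709-10 describes.  The server below is a constructed simulator of
that behaviour so the script runs offline; the directory is sample data.
"""

# LDAP resultCode values used by the simulator.
SUCCESS = 0
INVALID_CREDENTIALS = 49

# Constructed directory: DN -> password (sample data, not a real deployment).
_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": "correct horse battery staple",
}


def simulated_ldap_bind(dn: str, password: str,
                        allow_unauthenticated: bool = True) -> int:
    """Simple-bind semantics of an LDAP server, returning an LDAP resultCode.

    With allow_unauthenticated=True (a behaviour some servers permit), a DN
    plus an EMPTY password is accepted as an unauthenticated bind and
    reports SUCCESS, exactly as a correct password would.
    """
    if not dn and not password:
        return SUCCESS  # anonymous bind; no identity claimed at all
    if not password:
        return SUCCESS if allow_unauthenticated else INVALID_CREDENTIALS
    if _DIRECTORY.get(dn) == password:
        return SUCCESS
    return INVALID_CREDENTIALS


def user_dn(username: str) -> str:
    """Map a wiki username to its DN (constructed base DN)."""
    return f"uid={username},ou=people,dc=example,dc=org"


def check_pass_vulnerable(username: str, password: str) -> bool:
    """Vulnerable pattern: 'bind succeeded' is taken to mean 'password verified'."""
    return simulated_ldap_bind(user_dn(username), password) == SUCCESS


def check_pass_fixed(username: str, password: str) -> bool:
    """Hardened pattern: refuse empty or whitespace-only passwords on the
    client side, so an unauthenticated bind can never pass as a login."""
    if not username or not password.strip():
        return False
    return simulated_ldap_bind(user_dn(username), password) == SUCCESS


if __name__ == "__main__":
    for check in (check_pass_vulnerable, check_pass_fixed):
        print(f"{check.__name__}: blank password accepted = {check('alice', '')}")
```

Disabling unauthenticated binds on the server (the allow_unauthenticated=False path) is the complementary defence; the client-side check is what protects an application against directories it does not control.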
[Full-disclosure] [ GLSA 200709-11 ] GDM: Local Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200709-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: GDM: Local Denial of Service
      Date: September 18, 2007
      Bugs: #187919
        ID: 200709-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

GDM can be crashed by a local user, preventing it from managing future displays.

Background
==========

GDM is the GNOME display manager.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  gnome-base/gdm             < 2.18.4                       >= 2.18.4
                                                              *>= 2.16.7

Description
===========

The result of a g_strsplit() call is incorrectly parsed in the files daemon/gdm.c, daemon/gdmconfig.c, gui/gdmconfig.c and gui/gdmflexiserver.c, allowing for a null pointer dereference.

Impact
======

A local user could send a crafted message to /tmp/.gdm_socket that would trigger the null pointer dereference and crash GDM, thus preventing it from managing future displays.

Workaround
==========

Restrict the write permissions on /tmp/.gdm_socket to trusted users only after each GDM restart.

Resolution
==========

All GDM users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose gnome-base/gdm

References
==========

  [ 1 ] CVE-2007-3381
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3381

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200709-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[Full-disclosure] [USN-514-1] X.org vulnerability
===========================================================
Ubuntu Security Notice USN-514-1            September 18, 2007
xorg-server vulnerability
CVE-2007-4730
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  xserver-xorg-core  1:1.0.2-0ubuntu10.7

After a standard system upgrade you need to restart your session to effect the necessary changes.

Details follow:

Aaron Plattner discovered that the Composite extension did not correctly calculate the size of buffers when copying between different bit depths. An authenticated user could exploit this to execute arbitrary code with root privileges.

Updated packages for Ubuntu 6.06 LTS:
[Full-disclosure] FLEA-2007-0056-1 openoffice.org
Foresight Linux Essential Advisory: 2007-0056-1
Published: 2007-09-18
Rating: Moderate

Updated Versions:
    openoffice.org=/[EMAIL PROTECTED]:devel//1//[EMAIL PROTECTED]:1-devel//1/2.3.0-0.0.2-1
    group-dist=/[EMAIL PROTECTED]:1-devel//1/1.4.0-0.2-2

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2834
    http://www.openoffice.org/security/cves/CVE-2007-2834.html

Description:
Previous versions of openoffice.org allow unauthorized arbitrary code execution when a user opens a malformed TIFF image.

---
Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html