Re: [Full-disclosure] 0day: PDF pwns Windows
pdp (architect) wrote:
> [...]

Hi

Your point is right. But there are a number of factors other than this in exploiting PDF in another sense. My latest research is working over the exploitation of PDF. Even if you look at the core, then there are no restrictions on READ in PDF in most of the versions. Only outbound data is filtered to some extent. You can even read the /etc/passwd file from inside of a PDF. Other infection vectors include infection through Local Area Networks through sharing and printing PDF docs and all. My upcoming research features everything regarding this and the issue you have already discussed.

Regards
Aks
http://ww.secniche.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [Mlabs] Scrutinising SIP Payloads - Someone break his e-kneecaps please
First of all, you should credit ALL the individuals, companies and sites you rip your information from, else it's called plagiarism.

On Page 12, word for word, you simply copied:
http://www.cisco.com/en/US/docs/voice_ip_comm/sip/proxies/2.0/release/notes/stnSolRn.html

"Temper the contents and make it work according to attackers usage." What the hell are you talking about...

You stated "The Cisco proxy server does not accept calls after 150 cps". I don't know what the hell you were using, but Netra's can easily push in upwards of CPS, IBM X's 1000 via udp, 200+ via tcp...

On Page 19 you stated "Wiretapping Attacks: These are the generic class of attacks which take place when modification of communication channel is done by an attacker between two parties. ..."

Really? So when I'm running VoIPong and nothing is getting modified, yet I'm steadily recording a conversation, what is this called? An unmodified wiretapping attack.

That paper was yet another waste of time for me to read. Instead of copying and pasting to your heart's content and putting together something that makes sense only to you, why don't you first try to understand 1) what the hell you're talking about, 2) what the hell you're writing about, 3) what the protocol truly does, and then - what attacks are possible based on something you truly know - as opposed to something you may think sounds logical.

Page 28: "It can be exploited by the attackers to have Denial of service attacks. The mechanism starts from the payload designing. The actual infection starts or is mainly coded in the payload itself by the attackers." What kind of high potent hashish are you smoking?

Outside of these ignorant assumptions you make based on what I infer as an overall lack of knowledge on the subject, I could barely skim through the rest of your document, since it was mainly terrible English with huge chunks of copied RFC material and ramblings that made zero sense.

Nothing worth noting - other than me repeating in my head that this jackass should STFU and learn what he's talking about instead of making an idiot out of himself. And I don't mean to sound harsh - well, yea I do, but that's irrelevant. What you're doing is flooding the industry with bullshit documents that those without a clue might read and become even more clueless. Please stop your ramblings.

J. Oquendo
Excusatio non petita, accusatio manifesta
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
[Full-disclosure] 0day: PDF pwns Windows
http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are at the core of today's modern business. This, and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available. Adobe's representatives can contact me from the usual place.

My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too.

The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions and other setups are also affected.

A formal summary and conclusion of the GNUCITIZEN bug hunt is to be expected soon.

cheers

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] 0day: PDF pwns Windows
Impressive vulnerability, new. Not a 0day.

Not to start an argument again, but fact is, people, stop calling everything a 0day unless it is, say, WMF, ANI, etc., exploited in the wild without being known. I don't like the misuse of this buzzword.

Gadi.

On Thu, 20 Sep 2007, pdp (architect) wrote:
> [...]
Re: [Full-disclosure] 0day: PDF pwns Windows
> My upcoming research feature everything regarding this and the issue you have already discussed.

really :).. which one... the one from last year?

On 9/20/07, Aditya K Sood [EMAIL PROTECTED] wrote:
> [...]

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] GOD save this Industry: Meta Info == Aditya === Lame Ass striked back :PPPPpppppppppppp
Here goes the height of foolishness ... even though we all know, here is the foolish confession of Aditya that he is Meta Info :))

GOD SAVE FD

/* More over thanks for adding to my fame and glory. You don't know what you are doing for me indirectly. */

-- Forwarded message --
From: Meta Info [EMAIL PROTECTED]
Date: Sep 20, 2007 11:31 AM
Subject: Hahahah ! If you are a real son of your father
To: [EMAIL PROTECTED]

Hey fucker

First of all, this stupidity of yours is not going to work, whatever you do. You have already shown you are not a REAL SON of your FATHER. Teri Maa di Lun, Teri Behn di Lun too.

You wrote this: "Here is a final chance for you to grow up and stop posting your shit otherwise I am going to make your life a hell virtually and use my contacts in India to take care of you physically."

Do it. If you are a real son of your father, then do it. Use your contacts. Teri Maa di lun. If your mother has breastfed you, then do it, use your contacts. You impotent asshole. I am waiting for it.

More over thanks for adding to my fame and glory. You don't know what you are doing for me indirectly.

Regards
Fucking Lamer Buster
Re: [Full-disclosure] [Mlabs] Scrutinising SIP Payloads - Someone break his e-kneecaps please
JO: expect a mail after this from some fake gmail id with terrible Hinglish and extremely kiddish slang :D

On 9/20/07, J. Oquendo [EMAIL PROTECTED] wrote:
> [...]
[Full-disclosure] Save FD from idiots - Vaibhav Pandey doesn't know how to clone cookies - How LAME!!! :X
While I was reading through the lame reports by Aditya K Sood, which look less like research and more like plagiarism, I also happened to make an amazing discovery about Vaibhav Pandey, who made a false claim to have found a serious Orkut bug a couple of weeks ago. Vaibhav is a member of an Orkut community called Hackers Library, an equally lame group of idiots.

When he made his silly disclosure about the so-called serious Orkut bug in the community, one member objected, a few members objected that what he has reported doesn't qualify to be a vulnerability since it requires network sniffing for exploitation. Vaibhav Pandey said, "Not exactly.. because all websites in the world do not use GET pattern for fetching important and secure data.. hope you are getting the point..."

I say, Vaibhav Pandey, don't be an idiot and get your facts right. Most of the HTTPS requests that you make every day are also GET requests. Now, if Vaibhav Pandey thinks the data in an HTTPS tunnel is not secure and important, he must die and improve our gene pool.

Further in the discussion that took place here:
http://www.orkut.com/CommMsgs.aspx?cmm=1162977&tid=2553634938994390060&na=3&nst=11&nid=1162977-2553634938994390060-2555181462236326948

he confessed, "As per the knowledge i have, i feel even if the user is able to sniff the Cookie; he/she will then need to clone the cookies in his/her browser to actually make use of them. Are thr any tools available for cloning cookies? I heard Hamster is the one that is going to be released soon. Lemme know."

No wonder these idiots are spoiling the name of India. This guy doesn't even know how to clone a cookie but goes on making publicity stunts about absurd claims just to get 15 minutes of fame.

I say, screw Vaibhav Pandey, screw Aditya K Sood, screw Ankit Fadia.
[Full-disclosure] [ MDKSA-2007:186 ] - Updated openoffice.org packages fix TIFF parser vulnerability
___
Mandriva Linux Security Advisory                         MDKSA-2007:186
http://www.mandriva.com/security/
___

Package : openoffice.org
Date    : September 17, 2007
Affected: 2007.0, 2007.1, Corporate 3.0
___

Problem Description:

An integer overflow in the TIFF parser in OpenOffice.org prior to version 2.3 allows remote attackers to execute arbitrary code via a TIFF file with crafted values which triggers the allocation of an incorrect amount of memory which results in a heap-based buffer overflow.

Updated packages have been patched to prevent this issue.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2834
___

Updated Packages:

Mandriva Linux 2007.0:
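As an added example, not OpenOffice.org's parser, the overflow-checked size computation whose absence the Problem Description above refers to: a raster buffer's byte size is derived entirely from header fields under the attacker's control, so each multiplication has to be guarded before anything is allocated. The struct fields, the 64-bit and 16-sample limits and the function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed header fields, standing in for what a TIFF parser reads from
 * the image file directory (ImageWidth, ImageLength, BitsPerSample,
 * SamplesPerPixel). Every one of them is attacker-controlled. */
struct tiff_dims {
    uint32_t width;
    uint32_t height;
    uint32_t bits_per_sample;
    uint32_t samples_per_pixel;
};

/* Unchecked variant: 32-bit products silently wrap, so a huge image can
 * yield a tiny (even zero-length) allocation that the decoder later
 * overruns. Kept only to show the failure mode the advisory describes. */
uint32_t naive_raster_size(const struct tiff_dims *d)
{
    return d->width * d->height *
           ((d->bits_per_sample * d->samples_per_pixel) / 8);
}

/* Checked variant: returns 0 and stores the raster size in *out, or -1 if
 * any field is out of range or any product would not fit in size_t. */
int tiff_raster_size(const struct tiff_dims *d, size_t *out)
{
    size_t bits_per_pixel, row_bits, row_bytes;

    /* Reject degenerate or absurd values before doing any arithmetic
     * (limits are assumptions for this example). */
    if (d->width == 0 || d->height == 0 ||
        d->bits_per_sample == 0 || d->bits_per_sample > 64 ||
        d->samples_per_pixel == 0 || d->samples_per_pixel > 16)
        return -1;

    /* At most 64 * 16 = 1024, so this product cannot overflow. */
    bits_per_pixel = (size_t)d->bits_per_sample * d->samples_per_pixel;

    /* width * bits_per_pixel, guarded by division rather than by
     * inspecting a result that may already have wrapped. */
    if ((size_t)d->width > SIZE_MAX / bits_per_pixel)
        return -1;
    row_bits = (size_t)d->width * bits_per_pixel;

    /* Round up to whole bytes without the usual "+ 7", which could wrap. */
    row_bytes = row_bits / 8 + (row_bits % 8 != 0);

    /* row_bytes * height, guarded the same way. */
    if ((size_t)d->height > SIZE_MAX / row_bytes)
        return -1;

    *out = row_bytes * (size_t)d->height;
    return 0;
}

/* Allocate the raster only after the size has been proven representable.
 * A NULL return means "refuse this file", not "try a smaller buffer". */
unsigned char *tiff_alloc_raster(const struct tiff_dims *d, size_t *size)
{
    if (tiff_raster_size(d, size) != 0)
        return NULL;
    return calloc(*size, 1);
}
```

On a 64-bit build the 65536 x 65536 case is representable and the checked path accepts it, while the naive 32-bit product for the same header wraps to zero.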
[Full-disclosure] [ GLSA 200709-13 ] rsync: Two buffer overflows
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                         Gentoo Linux Security Advisory           GLSA 200709-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: rsync: Two buffer overflows
      Date: September 20, 2007
      Bugs: #189132
        ID: 200709-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two user-assisted buffer overflow vulnerabilities have been discovered in rsync.

Background
==========

rsync is a file transfer program to keep remote directories synchronized.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  net-misc/rsync        < 2.6.9-r3                       >= 2.6.9-r3

Description
===========

Sebastian Krahmer from the SUSE Security Team discovered two off-by-one errors in the function f_name() in file sender.c when processing overly long directory names.

Impact
======

A remote attacker could entice a user to synchronize a repository containing specially crafted directories, leading to the execution of arbitrary code with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All rsync users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/rsync-2.6.9-r3"

References
==========

  [ 1 ] CVE-2007-4091
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4091

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200709-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[Full-disclosure] rPSA-2007-0194-1 kdebase
rPath Security Advisory: 2007-0194-1
Published: 2007-09-20
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
    Local Root Deterministic Unauthorized Access
Updated Versions:
    kdebase=/[EMAIL PROTECTED]:devel//1/3.4.2-3.14-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-1725

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4569

Description:
    Previous versions of the kdebase package contain a kdm vulnerability in which an unprivileged user may, if auto-login is enabled, be allowed to log in as another user (or as root) without supplying proper login credentials. If kdm is also configured to service incoming XDMCP requests, remote root unauthorized access may be possible.

    In its default configuration, rPath Linux 1 is not vulnerable to this unauthorized access.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
[Full-disclosure] [ GLSA 200709-14 ] ClamAV: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                         Gentoo Linux Security Advisory           GLSA 200709-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: ClamAV: Multiple vulnerabilities
      Date: September 20, 2007
      Bugs: #189912
        ID: 200709-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Vulnerabilities have been discovered in ClamAV allowing remote execution of arbitrary code and Denial of Service attacks.

Background
==========

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  app-antivirus/clamav        < 0.91.2                       >= 0.91.2

Description
===========

Nikolaos Rangos discovered a vulnerability in ClamAV which exists because the recipient address extracted from email messages is not properly sanitized before being used in a call to popen() when executing sendmail (CVE-2007-4560). Also, NULL-pointer dereference errors exist within the cli_scanrtf() function in libclamav/rtf.c, and Stefanos Stamatis discovered a NULL-pointer dereference vulnerability within the cli_html_normalise() function in libclamav/htmlnorm.c (CVE-2007-4510).

Impact
======

The unsanitized recipient address can be exploited to execute arbitrary code with the privileges of the clamav-milter process by sending an email with a specially crafted recipient address to the affected system. Also, the NULL-pointer dereference errors can be exploited to crash ClamAV. Successful exploitation of the latter vulnerability requires that clamav-milter is started with the black hole mode activated, which is not enabled by default.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ClamAV users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.91.2"

References
==========

  [ 1 ] CVE-2007-4510
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4510
  [ 2 ] CVE-2007-4560
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4560

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200709-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
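As an added example, not ClamAV's code, the two patterns the Description of CVE-2007-4560 contrasts: a recipient address spliced into a command string for popen(), where the shell interprets any metacharacters it contains, beside a replacement that checks the address against a conservative allow-list and passes it to sendmail as its own argv element with no shell involved. The sendmail path, its flags and the accepted character set are assumptions for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define SENDMAIL_PATH "/usr/sbin/sendmail"   /* assumed location */

/* Vulnerable pattern: the recipient becomes part of a string that popen()
 * hands to /bin/sh -c, so ';', '|', '`' or '$(...)' inside it run as
 * commands with the mail filter's privileges. Shown for comparison only. */
int build_sendmail_cmd_unsafe(char *buf, size_t len, const char *recipient)
{
    int n = snprintf(buf, len, SENDMAIL_PATH " -i -- %s", recipient);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Conservative allow-list for a mailbox address: letters, digits and
 * "._+-=", with exactly one '@' that is neither first nor last. Narrower
 * than RFC 5322 on purpose: every shell metacharacter is excluded, and a
 * leading '-' is rejected so the value can never look like an option. */
int recipient_is_safe(const char *addr)
{
    size_t len = strlen(addr);
    const char *at = strchr(addr, '@');

    if (len == 0 || len > 254 || addr[0] == '-')
        return 0;
    if (at == NULL || at == addr || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!(isalnum(c) || strchr("@._+-=", c) != NULL))
            return 0;
    }
    return 1;
}

/* Safe pattern: build an argv array instead of a command string. The
 * address is a single argument after "--", so neither a shell (there is
 * none) nor sendmail's option parser ever interprets it. argv needs room
 * for 5 pointers. Returns 0, or -1 when the address is rejected. */
int build_sendmail_argv(const char *recipient, const char *argv[5])
{
    if (!recipient_is_safe(recipient))
        return -1;
    argv[0] = SENDMAIL_PATH;
    argv[1] = "-i";
    argv[2] = "--";
    argv[3] = recipient;
    argv[4] = NULL;
    return 0;
}

/* fork() and execv() the argv array, feeding the message on the child's
 * stdin. Returns the child's exit status, or -1 on validation or system
 * failure. Needs a real sendmail binary, so it is not exercised offline. */
int send_to_recipient(const char *recipient, const char *message)
{
    const char *argv[5];
    int fds[2], status;
    pid_t pid;

    if (build_sendmail_argv(recipient, argv) != 0 || pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                         /* child: stdin <- pipe, then exec */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(argv[0], (char *const *)argv);
        _exit(127);
    }
    close(fds[0]);
    if (write(fds[1], message, strlen(message)) < 0)
        status = -1;
    close(fds[1]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```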
Re: [Full-disclosure] Uninformed Journal Release Announcement: Volume 8
Did you guys lose all the good papers to phrack? ;)
[Full-disclosure] [USN-516-1] xfsdump vulnerability
===========================================================
Ubuntu Security Notice USN-516-1                September 20, 2007
xfsdump vulnerability
CVE-2007-2654
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  xfsdump                         2.2.30-1ubuntu0.1

Ubuntu 6.10:
  xfsdump                         2.2.38-1ubuntu0.6.10.1

Ubuntu 7.04:
  xfsdump                         2.2.38-1ubuntu0.7.04.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Paul Martin discovered that xfs_fsr creates a temporary directory with insecure permissions. This allows a local attacker to exploit a race condition in xfs_fsr to read or overwrite arbitrary files on xfs filesystems.

Updated packages for Ubuntu 6.06 LTS:
SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/x/xfsdump/xfsdump_2.2.38-1ubuntu0.7.04.1_sparc.deb Size/MD5: 291278 1bbe48738754e5a2c293723d8e3ef3e4 signature.asc Description: Digital signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
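The advisory names the bug class (a temporary directory created with a predictable name and permissive mode, which another local user can pre-create, replace with a symlink, or race) but not the fix pattern. As an added example, not code from the advisory or from xfsdump, this is the secure temp-directory idiom that closes that class of bug: mkdtemp() creates a uniquely named directory atomically with mode 0700, the caller re-checks that the path is a real directory it owns, and files inside are opened relative to it with O_EXCL and O_NOFOLLOW so a planted link cannot redirect the write. The /tmp template path is a placeholder.

```c
/* Added example (not from USN-516-1 or xfsdump): private scratch directory
 * handling that avoids insecure-permission / symlink race bugs.
 * Builds on Linux/glibc with: cc -Wall -o tmpdir_example tmpdir_example.c */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private scratch directory. 'buf' holds a writable template ending
 * in XXXXXX and is overwritten with the actual path. Returns 0 on success.
 * mkdtemp() picks the name and creates the directory in one step, mode 0700,
 * so there is no window in which someone else can create it first. */
int make_private_tmpdir(char *buf)
{
    return mkdtemp(buf) == NULL ? -1 : 0;
}

/* Verify that a directory is safe to use as scratch space: it is a real
 * directory (lstat, so a symlink fails), owned by the effective uid, and has
 * no group/other permission bits. Returns 1 if private, 0 otherwise. */
int dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != geteuid())
        return 0;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return 0;
    return 1;
}

/* Create a new file inside 'dir' without following symlinks at either level
 * and failing if the name already exists (O_EXCL). Opening relative to a
 * directory fd pins the directory, so a later rename of 'dir' cannot
 * redirect the write. Returns the fd, or -1 on error. */
int open_new_in_dir(const char *dir, const char *name)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    return fd;
}

/* Remove the scratch file (if any) and the directory. Returns 0 on success. */
int cleanup_tmpdir(const char *dir, const char *name)
{
    char path[4096];
    if (name != NULL) {
        snprintf(path, sizeof path, "%s/%s", dir, name);
        unlink(path);
    }
    return rmdir(dir);
}

int main(void)
{
    char dir[] = "/tmp/scratch_example_XXXXXX";   /* placeholder template */
    if (make_private_tmpdir(dir) != 0 || !dir_is_private(dir)) {
        perror("private tmpdir");
        return 1;
    }
    int fd = open_new_in_dir(dir, "work");
    if (fd < 0) {
        perror("openat");
        cleanup_tmpdir(dir, NULL);
        return 1;
    }
    printf("using private scratch file %s/work\n", dir);
    close(fd);
    return cleanup_tmpdir(dir, "work");
}
```

The check in dir_is_private() is what the advisory's fix amounts to: a directory the process did not create with 0700, or that is owned by someone else, or that has been swapped for a link, is refused rather than used.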
[Full-disclosure] A Request To Everyone
Hi,

After looking at the mail wars, I want to say only two lines. I don't know who Meta Info, Lamer Buster, LSNN and all are. I don't know how they are generating mails and putting my name everywhere. That's it.

Thanks to all.

Regards,
Aks
Re: [Full-disclosure] A Request To Everyone
STFU you lame ass. BTW, what is your request? At least develop a decent writing skill and know what you are writing. The only way I see this would stop is if you become a little considerate, stop posting all your crap on the mailing list and apologise openly for posting fake / crappy articles or postings. Many have advised you several times in the past but you have never listened and have been abusing the mailing list for posting your crap. All we have seen is that you want fame and glory by posting your crap with media-friendly fancy lines for those clueless media lurkers who think they have been publishing breaking news out of your fake articles.

Sparky, here is a self-assessment homework for you: try to google for one single seasoned security folk who has acknowledged your work. I am sure you get none, and that proves something you need to worry about yourself.

Looks like your mom made love with a wailing donkey on the river side and you were born.

On 9/21/07, Aditya K Sood [EMAIL PROTECTED] wrote:
> Hi,
>
> After looking at the mail wars, I want to say only two lines. I don't know who Meta Info, Lamer Buster, LSNN and all are. I don't know how they are generating mails and putting my name everywhere. That's it.
>
> Thanks to all.
>
> Regards,
> Aks
Re: [Full-disclosure] A Request To Everyone
I'm in favor of booting them all off the list. Let 'em keep their flame wars on EFNet.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: Aditya K Sood [EMAIL PROTECTED]
Date: Thu, 20 Sep 2007 12:57:57
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] A Request To Everyone

> Hi,
>
> After looking at the mail wars, I want to say only two lines. I don't know who Meta Info, Lamer Buster, LSNN and all are. I don't know how they are generating mails and putting my name everywhere. That's it.
>
> Thanks to all.
>
> Regards,
> Aks
Re: [Full-disclosure] 0day: PDF pwns Windows
Dear Fatboy,

Let's put aside for a minute the fact that you have no idea what you are talking about and let's also, for the benefit of this very valuable debate, assume your definition is correct. First, please prove this bug was never used in the wild. After that, please prove your credibility in the realm of defining words related to illegal computer hacking. Thanks.

J

P.S. Talking about botnets doesn't count to satisfy part 1 OR part 2

___
If today I stand here as a revolutionary, it is as a revolutionary against the Revolution.

On Thu, 20 Sep 2007 11:29:22 -0400 Gadi Evron [EMAIL PROTECTED] wrote:
> Impressive vulnerability, new. Not a 0day.
>
> Not to start an argument again, but fact is, people stop calling everything a 0day unless it is, say WMF, ANI, etc. exploited in the wild without being known. I don't like the mis-use of this buzzword.
>
> Gadi.
>
> On Thu, 20 Sep 2007, pdp (architect) wrote:
> > http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
> >
> > I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.
> >
> > The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available. Adobe's representatives can contact me from the usual place.
> >
> > My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions and other setups are also affected.
> >
> > A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.
> >
> > cheers
> >
> > --
> > pdp (architect) | petko d. petkov
> > http://www.gnucitizen.org
Re: [Full-disclosure] 0day: PDF pwns Windows
On Thu, 20 Sep 2007, Joey Mengele wrote:
> Dear Fatboy,
>
> Let's put aside for a minute the fact that you have no idea what

You like people on the heavy side? Psst... call me.

> you are talking about and let's also, for the benefit of this very valuable debate, assume your definition is correct. First, please prove this bug was never used in the wild. After that, please prove your credibility in the realm of defining words related to illegal computer hacking. Thanks.
>
> J
>
> P.S. Talking about botnets doesn't count to satisfy part 1 OR part 2
>
> ___
> If today I stand here as a revolutionary, it is as a revolutionary against the Revolution.
>
> On Thu, 20 Sep 2007 11:29:22 -0400 Gadi Evron [EMAIL PROTECTED] wrote:
> > Impressive vulnerability, new. Not a 0day.
> >
> > Not to start an argument again, but fact is, people stop calling everything a 0day unless it is, say WMF, ANI, etc. exploited in the wild without being known. I don't like the mis-use of this buzzword.
> >
> > Gadi.
> >
> > On Thu, 20 Sep 2007, pdp (architect) wrote:
> > > http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
> > >
> > > I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.
> > >
> > > The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available. Adobe's representatives can contact me from the usual place.
> > >
> > > My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions and other setups are also affected.
> > >
> > > A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.
> > >
> > > cheers
> > >
> > > --
> > > pdp (architect) | petko d. petkov
> > > http://www.gnucitizen.org
Re: [Full-disclosure] 0day: PDF pwns Windows
Gadi Evron wrote:
> Impressive vulnerability, new. Not a 0day.
>
> Not to start an argument again, but fact is, people stop calling everything a 0day unless it is, say WMF, ANI, etc. exploited in the wild without being known. I don't like the mis-use of this buzzword.

I respectfully disagree. By your definition, we have:

* new vulnerability is just what it sounds like
* 0day is a new vulnerability that comes to public attention because someone used it maliciously

But then there is the important concept of the private 0day, a new vulnerability that a malicious person has but has not used yet.

Does it really matter how the new vulnerability came to light? Do you really want to get into arguments about whether the person who discovered it was malicious? Especially for private 0days where the discoverer may be sitting on his discovery for some time, waiting for the highest bidder to buy his result. If he sells it to criminals, then it becomes an 0day, and if he sells it to a vulnerability marketing company, then it is something else.

I don't like this chain of logic. Whether a new vulnerability is an 0day or not depends entirely too much on the disclosure process, with funky race conditions in there.

Rather, I just treat 0day as a synonym for new vulnerability and don't give a hoot about the alleged intentions of whoever discovered it. What makes it an 0day is that whoever is announcing it is first to announce it in public. You could only invalidate the 0day claim by showing that the same vulnerability had previously been disclosed by someone else.

Crispin

--
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor
Re: [Full-disclosure] Very strange nmap scan results
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Did this particular person, or persons, know what you were going to do? Looks like a honeypot, to me. Been wrong before, won't be the last. I hope, for the sake of whomever you are auditing, that this is the case.

Cheers,
Redwolfs always

Juan B wrote:
> Hi all,
>
> For a client I'm scanning his DMZ from the internet. I know the servers are behind a PIX 515 without any added security features (they don't have any IPS or they didn't enable the IPS feature of the PIX). The strange thing is that I receive too many open ports! For example I scan the mail relay and although just port 25 is open it reports lots more open ports!
>
> This is the nmap scan I issued:
>
> nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt
>
> (I changed the IPs here...) and the result for the mail relay for example is:
>
> Interesting ports on mail.cpsa.com (200.61.44.50):
> PORT    STATE     SERVICE
> 1/tcp   open      tcpmux
> 2/tcp   open      compressnet
> 3/tcp   open      compressnet
> 4/tcp   open      unknown
> 5/tcp   open      rje
> 6/tcp   open      unknown
> 7/tcp   open      echo
> 8/tcp   filtered  unknown
> 9/tcp   open      discard
> 10/tcp  open      unknown
> 11/tcp  open      systat
> 12/tcp  open      unknown
> 13/tcp  open      daytime
> 14/tcp  open      unknown
> 15/tcp  open      netstat
> 16/tcp  open      unknown
> 17/tcp  open      qotd
> 18/tcp  filtered  msp
> 19/tcp  open      chargen
> 20/tcp  open      ftp-data
> 21/tcp  open      ftp
> 22/tcp  open      ssh
> 23/tcp  open      telnet
> 24/tcp  open      priv-mail
> 25/tcp  open      smtp
> 26/tcp  open      unknown
> 27/tcp  open      nsw-fe
> 28/tcp  open      unknown
> 29/tcp  open      msg-icp
> 30/tcp  open      unknown
> 31/tcp  open      msg-auth
> 32/tcp  open      unknown
> 33/tcp  open      dsp
> 34/tcp  open      unknown
>
> This continues up to port 1024... Any ideas how to eliminate so many false positives?
>
> Thanks a lot,
> Juan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG81G8srt057ENXO4RAkAoAJ9QAmp65M7nICyOvK0IBDb5ZGgdvwCg2iqL
0AffiGeALD+T9XlXXblycek=
=Drx9
-----END PGP SIGNATURE-----
Re: [Full-disclosure] 0day: PDF pwns Windows
On 9/20/07, Crispin Cowan [EMAIL PROTECTED] wrote:
> ...
> Rather, I just treat 0day as a synonym for new vulnerability

0day is a perspective; if it came out of nowhere and pwnd your ass it is 0day. [That is, where you are on that clunky chain of disclosure process you describe...]
Re: [Full-disclosure] Very strange nmap scan results
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Looks like a honeypot, to me.

Yeah, there is that bloody PortSentry that will do the same thing as well; security through obscurity, you have to love it. The only way that you could really be certain that there is something open is to then do some banner grabbing, etc.

JS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG81XGKEj7ZJktQNsRAogtAKCRVNxjafnn38nlO4/Kjr/E8y/vwACeJPM7
MeL7L1mkaxPljskd4HN6/78=
=maM2
-----END PGP SIGNATURE-----
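The two replies in this thread make the same point about Juan's scan: a host that answers "open" on essentially every port in 1-1024 is far more likely a PortSentry-style responder, tarpit or honeypot than a mail relay, and a connect scan alone cannot tell the difference. As an added example, not code from the thread or from nmap, the script below parses nmap's normal output and flags hosts whose answers look implausible (open on most of the scanned range, or on a long unbroken run of ports) so they can be set aside for manual confirmation instead of being reported as findings. The sample scan text is constructed here with RFC 5737 addresses; it is not the poster's real output.

```python
"""Added example (not from the thread): triage nmap -sT output for hosts that
claim "open" on nearly every port, the pattern PortSentry-style responders,
tarpits and honeypots produce.  Sample scan below is constructed."""
import re
from dataclasses import dataclass, field

HOST_RE = re.compile(r"^Interesting ports on (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (closed|filtered) ports")


@dataclass
class HostResult:
    name: str
    ip: str
    open_ports: list = field(default_factory=list)
    filtered: list = field(default_factory=list)
    not_shown: int = 0  # ports nmap collapsed into "Not shown: N closed ports"


def parse_nmap(text):
    """Parse nmap 'normal' output (stdout / -oN) into one HostResult per host."""
    results, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            cur = HostResult(name=m.group(1), ip=m.group(2))
            results.append(cur)
            continue
        if cur is None:
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            cur.not_shown += int(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:
            port, state = int(m.group(1)), m.group(3)
            if state == "open":
                cur.open_ports.append(port)
            elif state == "filtered":
                cur.filtered.append(port)
    return results


def longest_consecutive_run(ports):
    """Length of the longest run of adjacent port numbers (1,2,3,... style)."""
    best = run = 0
    prev = None
    for p in sorted(ports):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best = max(best, run)
        prev = p
    return best


def classify(host, scanned_ports, ratio_limit=0.5, run_limit=20):
    """'suspect' when the host answers open on most of the scanned range or on
    a long unbroken run of ports; a real server rarely does either.  Otherwise
    'plausible'.  Either way only a banner or protocol handshake confirms that
    a service is really listening, as the thread says."""
    ratio = len(host.open_ports) / scanned_ports
    if ratio > ratio_limit or longest_consecutive_run(host.open_ports) >= run_limit:
        return "suspect"
    return "plausible"


def build_sample_scan():
    """Constructed sample: one host that 'opens' almost all of 1-1024 (with two
    filtered ports, as in the quoted scan) and one ordinary mail relay."""
    lines = ["Interesting ports on relay-a.example.net (192.0.2.50):",
             "PORT     STATE    SERVICE"]
    for p in range(1, 1025):
        state = "filtered" if p in (8, 18) else "open"
        lines.append(f"{p}/tcp {state} unknown")
    lines += ["",
              "Interesting ports on relay-b.example.net (192.0.2.51):",
              "Not shown: 1022 closed ports",
              "PORT   STATE SERVICE",
              "22/tcp open  ssh",
              "25/tcp open  smtp"]
    return "\n".join(lines)


def triage(text, scanned_ports=1024):
    """Return {ip: verdict} for every host in the scan text (-p1-1024 assumed)."""
    return {h.ip: classify(h, scanned_ports) for h in parse_nmap(text)}


if __name__ == "__main__":
    for ip, verdict in triage(build_sample_scan()).items():
        print(ip, verdict)
```

The thresholds are deliberately loose: the point is to route "suspect" hosts to a confirmation step (banner grab or protocol handshake on a handful of ports) rather than to decide anything on the scan alone, because a responder that accepts every SYN looks identical to real services at the TCP layer.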