Re: [Full-disclosure] Very strange nmap scan results

2007-09-21 Thread Jeffrey Denton
Use the -sV --version-all options to determine version/service info
for each port.

On 9/21/07, scott [EMAIL PROTECTED] wrote:

 Did this particular person, or persons, know what you were going to do?

 Looks like a honeypot, to me.

 Been wrong before, won't be the last. I hope, for the sake of whomever
 you are auditing, that this is the case.

 Cheers, Redwolfs always


 Juan B wrote:
  Hi all,
 
  For a client I'm scanning his DMZ from the internet.

  I know the servers are behind a PIX 515 without any additional security
  features (they don't have any IPS, or they didn't enable the IPS
  feature of the PIX).

  The strange thing is that I receive too many open ports! For example,
  I scan the mail relay and although only port 25 is open, it reports
  lots more open ports! This is the nmap scan I issued:
 
  nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt
 
  (I changed the IPs here...)

  and the results for the mail relay, for example, are:
 
 
  Interesting ports on mail.cpsa.com (200.61.44.50):
  PORT     STATE    SERVICE
  1/tcp    open     tcpmux
  2/tcp    open     compressnet
  3/tcp    open     compressnet
  4/tcp    open     unknown
  5/tcp    open     rje
  6/tcp    open     unknown
  7/tcp    open     echo
  8/tcp    filtered unknown
  9/tcp    open     discard
  10/tcp   open     unknown
  11/tcp   open     systat
  12/tcp   open     unknown
  13/tcp   open     daytime
  14/tcp   open     unknown
  15/tcp   open     netstat
  16/tcp   open     unknown
  17/tcp   open     qotd
  18/tcp   filtered msp
  19/tcp   open     chargen
  20/tcp   open     ftp-data
  21/tcp   open     ftp
  22/tcp   open     ssh
  23/tcp   open     telnet
  24/tcp   open     priv-mail
  25/tcp   open     smtp
  26/tcp   open     unknown
  27/tcp   open     nsw-fe
  28/tcp   open     unknown
  29/tcp   open     msg-icp
  30/tcp   open     unknown
  31/tcp   open     msg-auth
  32/tcp   open     unknown
  33/tcp   open     dsp
  34/tcp   open     unknown
 
  This continues up to port 1024...

  Any ideas how to eliminate so many false positives?
 
  thanks a lot,
 
  Juan
 
 
 
  
 




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
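An added example (not from the thread and not part of nmap) that does the triage Jeffrey's reply implies before a re-scan: it parses the plain port table nmap printed for Juan and flags hosts whose "open" pattern looks like a device completing every TCP handshake (a SYN proxy, or the honeypot scott suspects) rather than real services. The hostname and IP are the ones quoted in the thread; the second host and the thresholds are invented for the demo.

```python
"""Triage nmap results where a host claims far too many open ports.

Added example, not from the thread or from nmap. It parses the plain port
table nmap prints (the format Juan quoted) and flags hosts whose 'open'
pattern looks like a device completing every TCP handshake (a SYN proxy, or
the honeypot scott suspected) rather than real services; those are the hosts
to re-scan with -sV --version-all, as Jeffrey suggests, before reporting.
The thresholds and the second host are invented for the demo.
"""
import re
from dataclasses import dataclass, field

# One port-table line as printed by nmap, e.g. "25/tcp   open  smtp"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)")
# Host header as printed by nmap 4.x, quoted verbatim in the thread
HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([\d.]+)\):")


@dataclass
class HostReport:
    name: str
    ip: str
    ports: dict = field(default_factory=dict)  # port number -> (state, service)

    def open_ports(self):
        return sorted(p for p, (state, _) in self.ports.items() if state == "open")


def parse_nmap_normal(text):
    """Parse nmap's human-readable output into one HostReport per host."""
    hosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = HostReport(m.group(1), m.group(2))
            hosts.append(current)
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current.ports[int(m.group(1))] = (m.group(3), m.group(4))
    return hosts


def longest_open_run(host):
    """Length of the longest run of consecutively numbered open ports."""
    best = run = 0
    prev = None
    for port in host.open_ports():
        run = run + 1 if prev is not None and port == prev + 1 else 1
        best = max(best, run)
        prev = port
    return best


def looks_like_syn_proxy(host, probed, max_ratio=0.5, max_run=5):
    """Flag a host that reports more than max_ratio of the probed ports open,
    or max_run or more consecutive open ports: both patterns are typical of a
    device that answers SYN/ACK for everything, not of a real service list."""
    ratio = len(host.open_ports()) / probed
    return ratio > max_ratio or longest_open_run(host) >= max_run


# Constructed sample: the first 17 rows of the mail-relay table quoted in the
# thread, plus an invented host with a plausible DMZ footprint.
SAMPLE = """\
Interesting ports on mail.cpsa.com (200.61.44.50):
PORT     STATE    SERVICE
1/tcp    open     tcpmux
2/tcp    open     compressnet
3/tcp    open     compressnet
4/tcp    open     unknown
5/tcp    open     rje
6/tcp    open     unknown
7/tcp    open     echo
8/tcp    filtered unknown
9/tcp    open     discard
10/tcp   open     unknown
11/tcp   open     systat
12/tcp   open     unknown
13/tcp   open     daytime
14/tcp   open     unknown
15/tcp   open     netstat
16/tcp   open     unknown
17/tcp   open     qotd

Interesting ports on www.example.invalid (192.0.2.10):
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   open     smtp
80/tcp   open     http
"""


def triage(text, probed=1024):
    """Map each host in the scan output to True when it needs a -sV re-scan."""
    return {h.name: looks_like_syn_proxy(h, probed) for h in parse_nmap_normal(text)}
```

`triage(SAMPLE)` flags the relay (nine consecutive open ports) and leaves the invented web host alone; `probed` should be the size of the `-p` range actually scanned (1024 for Juan's command).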


Re: [Full-disclosure] A Request To Everyone

2007-09-21 Thread Evil Black Pete
Surely you mean dalnet :)

I'm in favor of booting them all off the list.  Let 'em keep their flame
wars on EFNet.

Geoff
Sent from my BlackBerry wireless handheld.

Re: [Full-disclosure] [irc-security] Multiple vulnerabilities in ircu

2007-09-21 Thread Colin Alston
Please be careful labeling something as vulnerabilities when they 
aren't. You've described software bugs which should be reported to the 
maintainer, none of them so far as I can see are vulnerabilities or 
exploits.



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread pdp (architect)
back online - too many users ..

On 9/21/07, Rohit Srivastwa [EMAIL PROTECTED] wrote:
 And your website is down at this moment

 http://www.gnucitizen.org/   403
 http://www.gnucitizen.org/blog/   403
 http://www.gnucitizen.org/blog/0day-pdf-pwns-windows 404

 Is it a reverse attack by someone hurt :)

 --Through the Firewall, Out the Router, Down the T1, Across the Backbone,
 Bounced from Satellite, Nothing but the Internet

 - Original Message 
 From: pdp (architect) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
 Sent: Thursday, September 20, 2007 6:51:33 PM
 Subject: [Full-disclosure] 0day: PDF pwns Windows

 http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

 I am closing the season with the following HIGH Risk vulnerability:
 Adobe Acrobat/Reader PDF documents can be used to compromise your
 Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
 is to open a PDF document or stumble across a page which embeds one.

 The issue is quite critical given the fact that PDF documents are in
 the core of today's modern business. This and the fact that it may
 take a while for Adobe to fix their closed source product, are the
 reasons why I am not going to publish any POCs. You have to take my
 word for it. The POCs will be released when an update is available.

 Adobe's representatives can contact me from the usual place. My advice
 for you is not to open any PDF files (locally or remotely). Other PDF
 viewers might be vulnerable too. The issue was verified on Windows XP
 SP2 with the latest Adobe Reader 8.1, although previous versions and
 other setups are also affected.

 A formal summary and conclusion of the GNUCITIZEN bug hunt is to be expected
 soon.

 cheers

 --
 pdp (architect) | petko d. petkov
 http://www.gnucitizen.org




-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Antivirus Taneja
Hi,

Too interesting and dangerous... Over the last couple of months there was PDF
spam (stock information) all over the internet. I analyzed those PDFs and
didn't find any such thing. Did you check them? Are they related to any
vulnerability?

Regards,
Taneja Vikas
http://annysoft.wordpress.com


On 9/20/07, pdp (architect) [EMAIL PROTECTED] wrote:

  My upcoming research feature everything regarding this and the issue you
  have
  already discussed.

 really :).. which one... the one from last year?

 On 9/20/07, Aditya K Sood [EMAIL PROTECTED] wrote:
  pdp (architect) wrote:
   http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
  
  
  Hi
 
  Your point is right. But there are a number of factors other than this
  in exploiting PDF in another sense. My latest research is working on the
  exploitation of PDF.

  Even if you look at the core, there are no restrictions on READ in PDF
  in most of the versions. Only outbound data is filtered to some extent.
  You can even read the /etc/passwd file from inside a PDF.

  Other infection vectors include infection through Local Area Networks
  through sharing and printing PDF docs and all.

  My upcoming research features everything regarding this and the issue you
  have already discussed.
 
  Regards
  Aks
  http://ww.secniche.org
 
 
 


 --
 pdp (architect) | petko d. petkov
 http://www.gnucitizen.org


Re: [Full-disclosure] [irc-security] Multiple vulnerabilities in ircu

2007-09-21 Thread Tom Laermans
Colin Alston wrote:
 Please be careful labeling something as vulnerabilities when they 
 aren't. You've described software bugs which should be reported to the 
 maintainer, none of them so far as I can see are vulnerabilities or 
 exploits.
   
I can see crashbugs, operfloods, channel takeovers and ways to find out
the IP addresses of people who think they are hidden thanks to the IP hiding
feature. Having this malfunction certainly looks like a vulnerability to me.

Most vulnerabilities are indeed software bugs, and the exploits are 
actually documented in the post you comment on.

Tom



Re: [Full-disclosure] A Request To Everyone

2007-09-21 Thread Jimby Sharp
Dear Lamer Buster,

Thanks for busting some lamers, but now the situation in FD is getting
out of hand. I seriously do not think that it is worth increasing the
noise in the list just to prove that Aditya K Sood is an idiot. We
already know he is. I am sure none of us take Aditya seriously because
of his extremely poor career record in the field of security. No
offence meant to you, but I genuinely request you to ignore Aditya
because we all know that Aditya is an idiot.

Dear Aditya K Sood,

I request you to kindly not post fake vulnerabilities and documents
which you merely copy-paste from somewhere else without knowing what
they mean. If someday you come up with something real, that you can call
your own and which you have verified with someone else who knows a
thing or two about security, then you are most welcome to post your
article in our list. But posting lame documents, like you always do,
which mostly have technical errors, wrong facts, misleading arguments,
etc., is extremely detrimental to our list. Also, you do not realise
that by doing this again and again you are spoiling your image in the
security community.

Have you ever searched yourself in Google? See the results.

aditya k sood - Lame ass of the month -
http://seclists.org/fulldisclosure/2007/Sep/0028.html
lame ass of the month - Full Disclosure: Lame ass of the month -
Aditya K Sood (from India) -
http://seclists.org/fulldisclosure/2007/Sep/0028.html

I sincerely request you to verify your claims before posting so that
we do not have to deal with more flame wars where everyone is trying
to attack you for your foolishness and stupid documents.

Thanks everybody,
Jimby

On 9/21/07, Nikolay Kichukov [EMAIL PROTECTED] wrote:
 I'd request that all of you stop fighting and leave the list to deal
 with what it's meant to.

 Cheers,
 -Nikolay

 [EMAIL PROTECTED] wrote:
  I'm in favor of booting them all off the list.  Let 'em keep their flame 
  wars on EFNet.
 
  Geoff
 
  Sent from my BlackBerry wireless handheld.
 
  -Original Message-
  From: Aditya K Sood [EMAIL PROTECTED]
 
  Date: Thu, 20 Sep 2007 12:57:57
  To:full-disclosure@lists.grok.org.uk
  Subject: [Full-disclosure] A Request To Everyone
 
 
  Hi
 
  After looking at the mail wars, I want to say only two lines.

  I don't know who Meta Info, Lamer Buster, LSNN and all are.
  I don't know how they are generating mails and putting my name
  everywhere. That's it.
 
  Thanks to all.
 
  Regards
  Aks
 





Re: [Full-disclosure] A Request To Everyone

2007-09-21 Thread gjgowey
Can't we all just get along?  Now let's all have a nice giant group hug ;)

Geoff

Sent from my BlackBerry wireless handheld.

-Original Message-
From: Jimby Sharp [EMAIL PROTECTED]

Date: Fri, 21 Sep 2007 15:24:36 
To:Nikolay Kichukov [EMAIL PROTECTED]
Cc:[EMAIL PROTECTED], Aditya K Sood [EMAIL 
PROTECTED],full-disclosure@lists.grok.org.uk,[EMAIL PROTECTED], [EMAIL 
PROTECTED]
Subject: Re: [Full-disclosure] A Request To Everyone





[Full-disclosure] AIRRAID2 Wireless Hacking Tournament - Dec 2007, Bangkok Thailand

2007-09-21 Thread [EMAIL PROTECTED]
ThinkSECURE (securitystartshere.org) will be running AIRRAID2 in 
Bangkok Thailand at the CentralWorld Shopping Complex (the ex-World 
Trade Center) on 21 December 2007.  

If you would like to register and participate in the event, read on:


=== What is AIRRAID2? ===

AIRRAID2 (http://airraid2.securitystartshere.org) is a cutting-edge 
wireless and wired hacking tournament.  It challenges participants 
with WiFi and Bluetooth wireless hacking against an enterprise 
infrastructure which is specially designed to mirror a typical 
corporate wireless and wired network deployment.

AIRRAID2 is the successor to the original AIRRAID tournament, Asia's 
first-ever true (i.e. not mere wardriving!) wireless hacking 
tournament, which was held in Singapore's Suntec Convention Center in 
August 2005. Photo archives of the original AIRRAID are available at 
http://airraid.securitystartshere.org. 
ThinkSECURE now brings this unique brand of wireless hacking 
excitement and flavor to the Land of a Thousand Smiles!




=== Who is it intended for? ===

"AIRRAID2 continues our tradition of giving back to the Asian IT-security 
community by providing them an entertaining and fun way of 
testing their skills against each other and against a realistic 
enterprise-class wireless-and-wired infrastructure setup.  As many 
security professionals rarely get a chance to do some real, full-bore, 
hands-on hacking, our purpose-built tournament infrastructure 
mirrors an extensive corporate wireless/wired network which allows 
them to fully and legitimately employ all their skills to meet the 
in-game challenges we've put in place," said Mr. Julian Ho, 
ThinkSECURE's co-founder.




=== Why is there a need for it? ===

Many reports cover wireless security incidents and issues after-the-
fact or re-hash old generic warnings and stories.  AIRRAID2 cuts 
through this fluff by:

- showing in real life the capabilities that modern hackers and 
security professionals possess;

- revealing as-it-happens how they utilize those abilities to 
compromise a representative and realistic enterprise-class 
environment;

- showcasing the abilities of today's hackers and their security 
professional counterparts in a real world setting;

- highlighting the importance of applying security to wireless 
networks in a holistic manner and not relying on vendors' technology 
alone;

- illustrating the benefits to IT professionals of attending 
practical technical certifications such as the Organizational Systems 
Wireless Auditor and Organizational Systems Security Analyst to 
develop and upgrade their wireless and enterprise security skills;

- making organizations realize that partners' and vendor 
support/maintenance networks can also be a weak link in the security 
posture of an organization.




=== When and Where will the event be held? ===

AIRRAID2 will be held at the following venue, date and time:

Venue:  
CentralWorld Shopping Complex
(former World Trade Center)
Level 1, Eden Zone
4 Rajdamri Road, Patumwan
Bangkok
Thailand

Date:
Friday, 21 December 2007

Time:
0930hrs - 1900hrs (Bangkok Time)




=== How do you register to participate in it? ===

Registration and participation is free!  To register, please visit 
http://airraid2.securitystartshere.org

Registration is now open and officially ends on 14 Dec 2007, 2359hrs 
(GMT+8)
Note: interested parties should try to register as early as possible, 
preferably before 5 Dec 2007.

Participants are free to register a team of anywhere between 1 to 4 
pax inclusive.

After registration, further directions and instructions will be 
emailed to registrants.  Although participation is free, registrants  
will have to make their own travel and accommodation arrangements.  
Registrants should not make any travel or accommodation arrangements 
until they have received and read the official email containing the 
further directions and instructions.  

Qualifying teams stand a chance to win various prizes and the bonus 
cash prize.  Plus, the event will be recorded for Thai national TV so 
you could become (in)famous in Thailand...!

For more details, please visit http://airraid2.securitystartshere.org





Re: [Full-disclosure] A Request To Everyone

2007-09-21 Thread Ferdinand Klinzer

Good idea...


On 21.09.2007 at 10:49, Nikolay Kichukov wrote:

 I'd request that all of you stop fighting and leave the list to deal
 with what it's meant to.

 Cheers,
 -Nikolay





Re: [Full-disclosure] A Request To Everyone

2007-09-21 Thread Richard Golodner
Nikolay, best thing I have read on Fool Disclosure for at least a
week now. Aditya, STFU and please with sugar on it. Listen to what we are
saying. Your professional reputation is through unless you post some real
work and vulnerabilities. I really am tired of the S/N ratio at FD's current
level. Let's bring it down to where it once was. YOU do not impress anyone
on here except yourself. Great suggestion Nikolay.
Richard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimby Sharp
Sent: Friday, September 21, 2007 5:55 AM
To: Nikolay Kichukov
Cc: Aditya K Sood; [EMAIL PROTECTED];
full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] A Request To Everyone




[Full-disclosure] [SECURITY] [DSA 1376-1] New kdebase packages fix authentication bypass

2007-09-21 Thread Steve Kemp

------------------------------------------------------------------------
Debian Security Advisory DSA-1376                      [EMAIL PROTECTED]
http://www.debian.org/security/                              Steve Kemp
September 21, 2007                   http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: kdebase
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2007-4569


Kees Huijgen discovered that under certain circumstances KDM, an X
session manager for KDE, can be tricked into allowing user logins
without a password.

For the stable distribution (etch), this problem has been fixed in version
4:3.5.5a.dfsg.1-6etch1.

For the old stable distribution (sarge), this problem was not present.

We recommend that you upgrade your kdebase package.


Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives:

  

[Full-disclosure] [SECURITY] [DSA 1377-1] New fetchmail packages fix denial of service

2007-09-21 Thread Steve Kemp

------------------------------------------------------------------------
Debian Security Advisory DSA-1377                      [EMAIL PROTECTED]
http://www.debian.org/security/                              Steve Kemp
September 21, 2007                   http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: fetchmail
Vulnerability  : null pointer dereference
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-4565

Matthias Andree discovered that fetchmail, an SSL enabled POP3, APOP 
and IMAP mail gatherer/forwarder, can under certain circumstances 
attempt to dereference a NULL pointer and crash.

For the stable distribution (etch), this problem has been fixed in
version 6.3.6-1etch1.

For the old stable distribution (sarge), this problem was not present.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your fetchmail package.


Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Source archives:

  
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch1.diff.gz
Size/MD5 checksum:44533 19b72a3a0b2cf08f833ea21c3e18902c
  
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6.orig.tar.gz
Size/MD5 checksum:  1680200 04175459cdf32fdb10d9e8fc46b633c3
  
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch1.dsc
Size/MD5 checksum:  874 0aa3d869aba6fdfe87d1c4a626f5380e

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.6-1etch1_all.deb
Size/MD5 checksum:61564 f587ce05ee98694f3bd4db0fa88742f7

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch1_amd64.deb
Size/MD5 checksum:   650278 b00d2237d26d9e588e6c03ad17f79a74

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch1_arm.deb
Size/MD5 checksum:   645026 67e5ebf76d55cc857610d3b326784d3c

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch1_hppa.deb
Size/MD5 checksum:   654006 58d5770e497d405c1e2f867add9d6f87

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch1_ia64.deb
Size/MD5 checksum:   700752 df4c57c97970537cb2f6a885bc03e54d

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch1_mips.deb
Size/MD5 checksum:   650540 49b888adc52c5bf8d4be82c4b51d68f5

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch1_powerpc.deb
Size/MD5 checksum:   647060 a278efba96b95e15977628bd85af5c85

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch1_s390.deb
Size/MD5 checksum:   646896 e520c2c6febf1e756a75b75cbc06c723

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch1_sparc.deb
Size/MD5 checksum:   641102 938f11eb5071c7e141c6ff8795af87e7


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG86n1wM/Gs81MDZ0RAvPVAKC4lgA5aDOauQRj+GuilRf6KQh4awCfRNIO
T3VniMNQLomlcq+S3Pv1uyU=
=bHlq
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [USN-515-1] t1lib vulnerability

2007-09-21 Thread 3APA3A
Dear Kees Cook,

CVE-2007-4033 is "Buffer overflow in php_gd2.dll in the gd (PHP_GD2)
extension in PHP 5.2.3 allows context-dependent attackers to execute
arbitrary code via a long argument to the imagepsloadfont function."

Please provide a valid CVE entry.

--Thursday, September 20, 2007, 12:18:02 AM, you wrote to [EMAIL PROTECTED]:

KC === 
KC Ubuntu Security Notice USN-515-1 September 19, 2007
KC t1lib vulnerability
KC CVE-2007-4033
KC ===


-- 
~/ZARAZA http://securityvulns.com/
Sir Isaac Newton discovered an apple falling to the ground (Mark Twain)



[Full-disclosure] [ISR] - Barracuda Spam Firewall. Cross-Site Scripting

2007-09-21 Thread ISR-noreply
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

|| [ISR]  
|| || Infobyte Security Research 
|| www.infobyte.com.ar
|| 09.21.2007 
||


.:: SUMMARY

Barracuda Spam Firewall Cross-Site Scripting

Version: Barracuda Spam Firewall firmware v3.4.10.102 
It is suspected that all previous versions of Barracuda Spam Firewall are
vulnerable.

.:: BACKGROUND

The Barracuda Spam Firewall is an integrated hardware and software solution
designed to protect your email server 
from spam, virus, spoofing, phishing and spyware attacks.

More info:http://www.barracudanetworks.com

.:: DESCRIPTION

The Web Administration Console is vulnerable to pre-authentication Cross-Site
Scripting: the application fails to properly sanitize user-supplied input
before including it in a dynamically generated web document. Logging in with
a username that contains a JavaScript injection triggers it, but only while
the Monitor Web Syslog screen is open.


Example :
- - -
HTML/JavaScript inserted in the username field of the login form is injected
into the page, but only while an authenticated user has the Monitor Web
Syslog screen open.

 john@<script>alert(String)</script>.blah.com


.:: IMPACT
This can lead to credential theft.

.:: VENDOR RESPONSE

Vendor advisory:
 http://www.barracudanetworks.com/ns/support/tech_alert.php
Vendor patch: 
 Upgrade to Firmware 3.5.10.016 


.:: DISCLOSURE TIMELINE

08/24/2007  Initial vendor notification
08/27/2007  Initial vendor response
09/06/2007  Fix released by vendor
09/21/2007  Coordinated public disclosure

.:: CREDIT

Federico Kirschbaum is credited with discovering this vulnerability.
fedek][at][infobyte][dot][com][dot][ar

.:: LEGAL NOTICES

Copyright (c) 2007 by [ISR] Infobyte Security Research.
Permission to redistribute this alert electronically is granted as long as
it is not 
edited in any way unless authorized by Infobyte Security Research Response.
Reprinting the whole or part of this alert in any medium other than
electronically 
requires permission from infobyte com ar

Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing 
based on currently available information. Use of the information
constitutes acceptance 
for use in an AS IS condition. There are no warranties with regard to this
information. 
Neither the author nor the publisher accepts any liability for any direct,
indirect, or 
consequential loss or damage arising from use of, or reliance on, this
information.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop

wsBVAwUBRvPAIvr3+fypwNnjAQgSdwgAsn0E6SbaGcQTEzioQ5871C/EUpo3Iz/L
bb6wE3/0S97WQKbyDZLa6fQHKTHxoHDxnmw5H8GszsZSGtfdHvgmeSGyom6r1BIw
cqtfV8u3FTb7P/ULZt9pR5odfI71lz7JU08M5oWqpFbxrcBE3owAfrmf4WmvfxlP
6XYKxyIhEQ+qzZEnYUD9gA771Vj3TnmyyUiqObSOl4tBDUSZU6wOVHSfEqtM/u0G
W5x6KqU05aTEsMCc/e26OgPLJd5ZaR3u5XSXIAR1zEs6waIp+g79sy3Q2yiI2EcP
2b4JhA9lrnFRmUjqgdCXVi5qwSabaras+x2VfjaEMGVtwxS9mOM8Jw==
=SovY
-END PGP SIGNATURE-

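
The flaw the advisory describes, untrusted username text landing in the markup of the Web Syslog page, is an output-encoding bug: the log line is kept raw (which is right, for forensics) and must be encoded at render time. The following is an added example, not Barracuda's code (which is not public), using constructed syslog lines: the unsafe concatenation the advisory describes beside an HTML-escaped rendering, fed with the advisory's own payload.

```python
import html

# Constructed sample lines in the shape a login-failure syslog entry might
# take.  They are illustrative, not captured from a Barracuda appliance.
SAMPLE_SYSLOG = [
    "Sep 21 10:02:11 bsf login: failed login for user 'john@example.com'",
    "Sep 21 10:02:40 bsf login: failed login for user "
    "'john@<script>alert(String)</script>.blah.com'",
]


def render_row_unsafe(line: str) -> str:
    """The pattern the advisory describes: the log line is concatenated
    straight into HTML, so markup inside the username is interpreted."""
    return "<tr><td>" + line + "</td></tr>"


def render_row(line: str) -> str:
    """Hardened form: HTML-encode the line for the element-content context.
    html.escape turns < > & into entities (and " ' with quote=True), so the
    browser shows the payload as text instead of executing it."""
    return "<tr><td>" + html.escape(line, quote=True) + "</td></tr>"


def render_syslog_table(lines, safe=True) -> str:
    """Render the whole viewer table the way a syslog screen would."""
    row = render_row if safe else render_row_unsafe
    return "<table>" + "".join(row(line) for line in lines) + "</table>"


def has_raw_script_tag(rendered: str) -> bool:
    """Self-check: True if a literal <script tag survived rendering."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    unsafe = render_syslog_table(SAMPLE_SYSLOG, safe=False)
    escaped = render_syslog_table(SAMPLE_SYSLOG, safe=True)
    print("unsafe rendering leaks <script>:", has_raw_script_tag(unsafe))
    print("escaped rendering leaks <script>:", has_raw_script_tag(escaped))
```

The encoder has to match the context: html.escape is right for element content and quoted attributes, but a value dropped into a JavaScript string or a URL needs a different encoder. A Content-Security-Policy that forbids inline script is worth adding as defence in depth, since the reflected payload here is an inline script block.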


Re: [Full-disclosure] Panda Antivirus 2008 Local Privileg Escalation (UPS they did it again)

2007-09-21 Thread 3APA3A
Dear Panda Security Response,


 [EMAIL PROTECTED] was contacted about this same vulnerability in
 Panda Antivirus 2007 on August 11, 2006 (more than a year ago) without
 any result or response, until the information was published on Bugtraq.

 As far as I can see, pandasecurity.com is the Swedish domain of Panda
 while pandasoftware.com is the international one. I believe it's quite
 reasonable to have [EMAIL PROTECTED] forwarded to
 [EMAIL PROTECTED], don't you think so?


--Thursday, September 20, 2007, 12:58:42 AM, you wrote to 
full-disclosure@lists.grok.org.uk:

 

PSR Users of vulnerable 2007 versions should upgrade to Panda Antivirus
PSR 2008 and apply the fix provided.

skipped

PSR For future vulnerability reporting to Panda please write specifically
PSR and exclusively to Panda Security Response
PSR [EMAIL PROTECTED] instead of generic beta or informational
PSR contact mailboxes.

skipped

PSR blog:  http://research.pandasoftware.com

-- 
~/ZARAZA http://securityvulns.com/
Yes, he was damned lucky. And how badly he would have fared had he survived! (Twain)


Re: [Full-disclosure] A Request To Everyone

2007-09-21 Thread Fabrizio
I think anybody giving heat to Aditya is lame. He's just doin' what he do.
What's it got to do with you? Get real people. Stop complainin' 'cause
you're jealous of someone else's research. I'm sure it's the under 20's
complainin' on here.

On 9/21/07, Fabrizio [EMAIL PROTECTED] wrote:

 whirred.

 On 9/21/07, [EMAIL PROTECTED] [EMAIL PROTECTED] 
 wrote:
 
  Can't we all just get along?  Now let's all have a nice giant group hug
  ;)
 
  Geoff
 
  Sent from my BlackBerry wireless handheld.
 
  -Original Message-
  From: Jimby Sharp [EMAIL PROTECTED]
 
  Date: Fri, 21 Sep 2007 15:24:36
  To:Nikolay Kichukov [EMAIL PROTECTED]
  Cc:[EMAIL PROTECTED], Aditya K Sood  [EMAIL PROTECTED]
  ,full-disclosure@lists.grok.org.uk,
  [EMAIL PROTECTED] , [EMAIL PROTECTED]
  Subject: Re: [Full-disclosure] A Request To Everyone
 
 
  Dear Lamer Buster,
 
   Thanks for busting some lamers, but now the situation on FD is getting
   out of hand. I seriously do not think that it is worth increasing the
   noise on the list just to prove that Aditya K Sood is an idiot. We
   already know he is. I am sure none of us take Aditya seriously because
   of his extremely poor career record in the field of security. No
   offence meant to you, but I genuinely request you to ignore Aditya
   because we all know that Aditya is an idiot.
 
  Dear Aditya K Sood,
 
   I request you to kindly not post fake vulnerabilities and documents
   which you merely copy-paste from somewhere else without knowing what
   they mean. If someday you come up with something real, that you can call
   your own and which you have verified with someone else who knows a
   thing or two about security, then you are most welcome to post your
   article to our list. But posting lame documents, as you always do,
   which mostly have technical errors, wrong facts, misleading arguments,
   etc., is extremely detrimental to our list. Also, you do not realise
   that by doing this again and again you are spoiling your image in the
   security community.
 
  Have you ever searched yourself in Google? See the results.
 
  aditya k sood - Lame ass of the month -
  http://seclists.org/fulldisclosure/2007/Sep/0028.html
  lame ass of the month - Full Disclosure: Lame ass of the month -
  Aditya K Sood (from India) -
  http://seclists.org/fulldisclosure/2007/Sep/0028.html
 
  I sincerely request you to verify your claims before posting so that
  we do not have to deal with more flame wars where everyone is trying
  to attack you for your foolishness and stupid documents.
 
  Thanks everybody,
  Jimby
 
  On 9/21/07, Nikolay Kichukov [EMAIL PROTECTED] wrote:
   I'd request that all of you stop fighting and leave the list to deal
   with what it's meant to.
  
   Cheers,
   -Nikolay
  
   [EMAIL PROTECTED] wrote:
I'm in favor of booting them all off the list.  Let 'em keep their
  flame wars on EFNet.
   
Geoff
   
Sent from my BlackBerry wireless handheld.
   
-Original Message-
From: Aditya K Sood  [EMAIL PROTECTED]
   
Date: Thu, 20 Sep 2007 12:57:57
To:full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] A Request To Everyone
   
   
Hi
   
     After looking at the mail wars, I want to say only two lines.
    
     I don't know who Meta Info is, Lamer Buster is, LSNN is and all.
     I don't know how they are generating mails and putting my name
     everywhere. That's it.
   
Thanks to all.
   
Regards
Aks
   

Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Steven Adair
Not in my book.  I guess the people on this list are working off too many
different definitions of 0day.  0day to me is something for which there is
no patch/update at the time of the exploit being coded/used.  So if I code
an exploit for IE right now and they don't patch it until April September
2008, it's a 0day exploit for a year.  It's not necessarily new and it
doesn't have to be used maliciously.

If I code an exploit (for which there is no patch) and use it on my own
servers, does that mean it's not 0day?  I don't think so.  If my WordPress
blog gets owned by pwnpress, that's not 0day.. there's patches/updates for
everything on there.  It just makes me an idiot for not upgrading.  Now if
I get hit with some WP exploit that's not patched, then that's another
[0-day] story.

Steven
securityzone.org

 Gadi Evron wrote:
 Impressive vulnerability, new. Not a 0day.

 Not to start an argument again, but fact is, people stop calling
 everything a 0day unless it is, say WMF, ANI, etc. exploited in the
 wild without being known.

 I don't like the mis-use of this buzzword.
 I respectfully disagree. By your definition, we have:

 * new vulnerability is just what it sounds like
 * 0day is a new vulnerability that comes to public attention
   because someone used it maliciously

 But then there is the important concept of the private 0day, a new
 vulnerability that a malicious person has but has not used yet.

 Does it really matter how the new vulnerability came to light? Do you
 really want to get into arguments about whether the person who
 discovered it was malicious? Especially for private 0days where the
 discoverer may be sitting on his discovery for some time, waiting for
 the highest bidder to buy his result. If he sells it to criminals, then
 it becomes an 0day, and if he sells it to a vulnerability marketing
 company, then it is something else.

 I don't like this chain of logic. Whether a new vulnerability is an 0day
 or not depends entirely too much on the disclosure process, with funky
 race conditions in there.

 Rather, I just treat 0day as a synonym for new vulnerability and
 don't give a hoot about the alleged intentions of whoever discovered it.
 What makes it an 0 day is that whoever is announcing it is first to
 announce it in public. You could only invalidate the 0day claim by
 showing that the same vulnerability had previously been disclosed by
 someone else.

 Crispin

 --
 Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin/
 Director of Software Engineering   http://novell.com
   AppArmor Chat: irc.oftc.net/#apparmor




Re: [Full-disclosure] [USN-515-1] t1lib vulnerability

2007-09-21 Thread Kees Cook
Hi,

On Fri, Sep 21, 2007 at 04:30:31PM +0400, 3APA3A wrote:
 CVE-2007-4033 is "Buffer overflow in php_gd2.dll in the gd (PHP_GD2)
 extension in PHP 5.2.3 allows context-dependent attackers to execute
 arbitrary code via a long argument to the imagepsloadfont function."
 
 Please provide a valid CVE entry.
 
 --Thursday, September 20, 2007, 12:18:02 AM, you wrote to [EMAIL PROTECTED]:
 
 KC === 
 KC Ubuntu Security Notice USN-515-1 September 19, 2007
 KC t1lib vulnerability
 KC CVE-2007-4033
 KC ===

That is the correct CVE -- the true cause of the gd2 issue was in t1lib,
not gd2:

http://www.securityfocus.com/bid/25079/info

-Kees

-- 
Kees Cook



[Full-disclosure] [SECURITY] [DSA 1377-2] New fetchmail packages fix denial of service

2007-09-21 Thread Steve Kemp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1377-2  [EMAIL PROTECTED]
http://www.debian.org/security/   Steve Kemp
September 21, 2007http://www.debian.org/security/faq
- 

Package: fetchmail
Vulnerability  : null pointer dereference
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-4565

Matthias Andree discovered that fetchmail, an SSL enabled POP3, APOP 
and IMAP mail gatherer/forwarder, can under certain circumstances 
attempt to dereference a NULL pointer and crash.

For the stable distribution (etch), this problem has been fixed in
version 6.3.6-1etch1.

For the old stable distribution (sarge), this problem was not present.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your fetchmail package.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch1_i386.deb
Size/MD5 checksum:   641344 2eadc43a18712b3a1763094f7c837475


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG8/RowM/Gs81MDZ0RAsV5AJ4zq/rWuYTHRafkjTPp5Eg0cv1teACfQztf
4GE7IYiy9jSuAA5hSvi0ccI=
=Qmk2
-END PGP SIGNATURE-

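Both DSA-1377-1 and DSA-1377-2 above give the manual wget / dpkg -i route together with a size and MD5 for every file. The following is an added example, not Debian's own tooling: a parser for the "URL" / "Size/MD5 checksum:" pairs as they appear in the advisory text, and a check of a downloaded file against them. The two sample entries are copied from the advisory text above; the self-test writes a small constructed file rather than fetching any package.

```python
import hashlib
import os
import re
import tempfile

# Two entries copied from the advisory text above (the real .deb files are
# not downloaded here).  Extraction collapsed the spacing; the parser tolerates it.
SAMPLE_ADVISORY = """
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch1_amd64.deb
Size/MD5 checksum:   650278 b00d2237d26d9e588e6c03ad17f79a74

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch1_i386.deb
Size/MD5 checksum:   641344 2eadc43a18712b3a1763094f7c837475
"""

CHECKSUM_RE = re.compile(r"Size/MD5 checksum:\s*(\d+)\s+([0-9a-fA-F]{32})")


def parse_advisory_checksums(text):
    """Map each file name in a DSA package list to its (size, md5).

    A URL line is followed by its 'Size/MD5 checksum:' line; headings and
    blank lines in between are skipped.
    """
    expected = {}
    current_url = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("http://", "https://", "ftp://")):
            current_url = line
            continue
        m = CHECKSUM_RE.search(line)
        if m and current_url:
            name = current_url.rsplit("/", 1)[-1]
            expected[name] = (int(m.group(1)), m.group(2).lower())
            current_url = None
    return expected


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large packages need no memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_package(path, expected_size, expected_md5):
    """True only if both size and MD5 match the advisory.

    The size check catches a truncated download cheaply; the digest then
    detects corruption.  MD5 is an integrity check here, not proof of
    origin: trust comes from the PGP signature on the advisory (gpg --verify)
    or, with apt, from the signed Release file.
    """
    if os.path.getsize(path) != expected_size:
        return False
    return md5_of_file(path) == expected_md5.lower()


def selftest_with_constructed_file():
    """Write a 6-byte constructed file and check it against the known MD5 of
    b'hello\\n' and against a wrong digest.  Returns (True, False)."""
    fd, path = tempfile.mkstemp(suffix=".deb")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"hello\n")
        good = verify_package(path, 6, "b1946ac92492d2347c6235b4d2611184")
        bad = verify_package(path, 6, "0" * 32)
    finally:
        os.unlink(path)
    return good, bad


if __name__ == "__main__":
    for name, (size, digest) in parse_advisory_checksums(SAMPLE_ADVISORY).items():
        print(f"{name}: {size} bytes, md5 {digest}")
    print("self-test, expecting (True, False):", selftest_with_constructed_file())
```

In practice the apt-get route in the advisory is preferable to a hand-verified dpkg -i, because apt checks the package against the signed Release file on its own; the manual check above is for the case where a single .deb is pulled out of band.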


[Full-disclosure] ZDI-07-053: Microsoft ISA Server SOCKS4 Proxy Connection Leakage

2007-09-21 Thread zdi-disclosures
ZDI-07-053: Microsoft ISA Server SOCKS4 Proxy Connection Leakage
http://www.zerodayinitiative.com/advisories/ZDI-07-053.html
September 20, 2007

-- CVE ID:
CVE-2007-4991

-- Affected Vendor:
Microsoft

-- Affected Products:
ISA Server 2004 SP1
ISA Server 2004 SP2

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since September 20, 2007 by Digital Vaccine protection
filter ID 4085. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows remote attackers to extract IP addresses
visited through the SOCKS4 Proxy on vulnerable ISA Server
installations. Authentication is not required to exploit this
vulnerability.

The flaw is triggered by sending an empty packet to the SOCKS4 proxy
service: the server answers with a packet containing the last IP address
it proxied a connection to.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=A05A074A-5033-4792-AF8B-58B90D841436&displaylang=en

-- Disclosure Timeline:
2006.01.30 - Vulnerability reported to vendor
2007.09.20 - Digital Vaccine released to TippingPoint customers
2007.09.20 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by CIRT.DK.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.


CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at [EMAIL PROTECTED] 
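
The advisory says an empty packet to the SOCKS4 listener comes back with a reply carrying the last address the proxy connected to; it does not say why. Reply fields filled from stale per-server state instead of from the request in hand is one ordinary way such a leak arises, and that root cause is an assumption here, not something the advisory states. The following added example (not Microsoft's code) is a minimal SOCKS4 request encoder and decoder in the wire format of the SOCKS4 protocol description, with a handler that rejects truncated requests and packs every reply from explicit, zero-defaulted fields, so a malformed request can never be answered with a previous session's target.

```python
import ipaddress
import struct

# SOCKS4 wire format (from the SOCKS4 protocol description):
#   request: VN=4 | CD | DSTPORT (2, network order) | DSTIP (4) | USERID | NUL
#   reply:   VN=0 | CD | DSTPORT (2)                | DSTIP (4)
SOCKS4_VERSION = 4
CD_CONNECT = 1
CD_BIND = 2
REPLY_GRANTED = 90
REPLY_REJECTED = 91
HEADER = struct.Struct("!BBH4s")   # 8 bytes; a request also needs the NUL


def build_request(cd, port, ip, userid=b""):
    """Client side: encode a SOCKS4 request."""
    packed_ip = ipaddress.IPv4Address(ip).packed
    return HEADER.pack(SOCKS4_VERSION, cd, port, packed_ip) + userid + b"\x00"


def parse_request(data):
    """Server side: decode a request, or raise ValueError on anything malformed.
    Returns (cd, port, ip, userid)."""
    if len(data) < HEADER.size + 1:
        raise ValueError("truncated SOCKS4 request (%d bytes)" % len(data))
    vn, cd, port, raw_ip = HEADER.unpack_from(data)
    if vn != SOCKS4_VERSION:
        raise ValueError("unsupported version %d" % vn)
    if cd not in (CD_CONNECT, CD_BIND):
        raise ValueError("unknown command %d" % cd)
    nul = data.find(b"\x00", HEADER.size)
    if nul < 0:
        raise ValueError("USERID not NUL-terminated")
    return cd, port, str(ipaddress.IPv4Address(raw_ip)), data[HEADER.size:nul]


def build_reply(code, port=0, ip="0.0.0.0"):
    """Every reply is packed from explicit arguments; the defaults are zero."""
    return HEADER.pack(0, code, port, ipaddress.IPv4Address(ip).packed)


class Socks4Handler:
    """Handles the first packet of a client connection.

    last_target mimics the bookkeeping a real proxy keeps about where it
    connected last (hypothetical state for this example); the point is that
    it never reaches a reply unless the current request parsed successfully.
    """

    def __init__(self):
        self.last_target = None

    def handle(self, data):
        try:
            cd, port, ip, userid = parse_request(data)
        except ValueError:
            # Reject with zeroed DSTPORT/DSTIP: nothing from an earlier session.
            return build_reply(REPLY_REJECTED)
        # A real proxy would open the outbound connection here.
        self.last_target = (ip, port)
        return build_reply(REPLY_GRANTED, port, ip)


if __name__ == "__main__":
    proxy = Socks4Handler()
    print(proxy.handle(build_request(CD_CONNECT, 80, "198.51.100.7", b"alice")).hex())
    print(proxy.handle(b"").hex())   # 005b000000000000: rejected, no address echoed
```

The same discipline applies to any binary protocol handler: validate the minimum length before unpacking, never reuse a reply buffer between connections, and treat a reply to a request you could not parse as something that must contain no state at all.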


[Full-disclosure] Hacking software is lame -- try medical research...

2007-09-21 Thread Kristian Erik Hermansen
Some interesting discussion came up on some security lists this week
and it got me to thinking.  Yes, hacking software is lame.  Cool, so
you found some vulnerabilities in some widely distributed application,
service, or OS and it is patched just as quickly.  Why don't we spend
our time and valuable energy researching cures for rare or popular
diseases instead?  For instance, my brother (Jon Hermansen) has a very
rare disease called Langerhans Cell Histiocytosis.  It is also better
known as LCH.  It can be identified as causing such further diseases
as Diabetes Insipidus, which is also uncommon (not sugar diabetes).
Have you heard of these diseases before?  Let me educate you…

General Information:
http://en.wikipedia.org/wiki/Langerhans_cell_histiocytosis
http://en.wikipedia.org/wiki/Diabetes_insipidus

Seven Part Video Series:
http://youtube.com/watch?v=KkBRqZS8nfM
http://youtube.com/watch?v=w1h6ZjxF-To
http://youtube.com/watch?v=0ojbJpERlt8
http://youtube.com/watch?v=dzUqdYofMCQ
http://youtube.com/watch?v=lNhzwNYhi0M
http://youtube.com/watch?v=nY9DDEhShcE
http://youtube.com/watch?v=5_8SEYyEZGI

And even worse than this, a friend of mine who is a PhD student in
Math at Berkeley has an even rarer disease known as Gaucher's Disease.
 This costs $550,000 / year to treat.  That's a hefty bill every year
(you make that much doing security vulns?), and some insurance
companies might refuse to accept you due to pre-existing conditions.
 So guess what, my friend does not have health insurance and has not
been treated for two years.  A genius might die.  That's ludicrous.

http://en.wikipedia.org/wiki/Gaucher's_disease
http://youtube.com/watch?v=0nX6QM5iVaU

If we consider ourselves decent hackers, why don't we put our
efforts toward helping cure this and other diseases rather than some
very simple programming vulnerability?  Is it because then we would
have to reinvent a whole new slew of tools and re-orient/re-educate
ourselves to be successful?  Think about it…
-- 
Kristian Erik Hermansen



Re: [Full-disclosure] [Dailydave] Hacking software is lame -- try medical research...

2007-09-21 Thread M. Shirk

There is more money to be made in the treatment of a disease than in actually 
finding a cure.

Remind you of anything? 

Shirkdog 
' or 1=1-- 
http://www.shirkdog.us

 Date: Fri, 21 Sep 2007 10:37:20 -0700
 From: [EMAIL PROTECTED]
 To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
 Subject: [Dailydave] Hacking software is lame -- try medical research...
 

Re: [Full-disclosure] [Dailydave] Hacking software is lame -- try medical research...

2007-09-21 Thread Simon Smith
Just like technology research (hacking)... but... if you are the one
that finds a cure, you'll make your buck too.

M. Shirk wrote:
 There is more money to be made in the treatment of a disease than in
 actually finding a cure.
 
 Remind you of anything?
 
 Shirkdog
 ' or 1=1--
 http://www.shirkdog.us
 
 Date: Fri, 21 Sep 2007 10:37:20 -0700
 From: [EMAIL PROTECTED]
 To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
 Subject: [Dailydave] Hacking software is lame -- try medical research...



-- 

- simon

--
http://www.snosoft.com



Re: [Full-disclosure] [Dailydave] Hacking software is lame -- try medical research...

2007-09-21 Thread Curt
I notice that you didn't mention any rare disease that none of your
friends or relatives have.

Why is it that all of these altruistic people seem to never give a
crap until it happens to them?  Did Michael J Fox give one thin dime
to Parkinsons until he had it?  How about Christopher Reeves and
spinal injury/stem cell?

I'd much rather make my money, and donate to non-profit orgs that do
things that I am interested in.

--Curt


On 9/21/07, Kristian Erik Hermansen [EMAIL PROTECTED] wrote:
 Some interesting discussion came up on some security lists this week
 and it got me to thinking.  Yes, hacking software is lame.  Cool, so
 you found some vulnerabilities in some widely distributed application,
 service, or OS and it is patched just as quickly.  Why don't we spend
 our time and valuable energy researching cures for rare or popular
 diseases instead?  For instance, my brother (Jon Hermansen) has a very
 rare disease called Langerhans Cell Histiocytosis.  It is also better
 known as LCH.  It can be identified as causing such further diseases
 as Diabetes Insipidus, which is also uncommon (not sugar diabetes).
 Have you heard of these diseases before?  Let me educate you…

 General Information:
 http://en.wikipedia.org/wiki/Langerhans_cell_histiocytosis
 http://en.wikipedia.org/wiki/Diabetes_insipidus

 Seven Part Video Series:
 http://youtube.com/watch?v=KkBRqZS8nfM
 http://youtube.com/watch?v=w1h6ZjxF-To
 http://youtube.com/watch?v=0ojbJpERlt8
 http://youtube.com/watch?v=dzUqdYofMCQ
 http://youtube.com/watch?v=lNhzwNYhi0M
 http://youtube.com/watch?v=nY9DDEhShcE
 http://youtube.com/watch?v=5_8SEYyEZGI

 And even worse than this, a friend of mine who is a PhD student in
 Math at Berkeley has an even rarer disease known as Gaucher's Disease.
  This costs $550,000 / year to treat.  That's a hefty bill every year
 (you make that much doing security vulns?), and some insurance
 companies might refuse to accept you due to pre-existing conditions.
  So guess what, my friend does not have health insurance and has not
 been treated for two years.  A genius might die.  That's ludicrous.

 http://en.wikipedia.org/wiki/Gaucher's_disease
 http://youtube.com/watch?v=0nX6QM5iVaU

 If we consider ourselves decent hackers, why don't we put our
 efforts toward helping cure this and other diseases rather than some
 very simple programming vulnerability?  Is it because then we would
 have to reinvent a whole new slew of tools and re-orient/re-educate
 ourselves to be successful?  Think about it…
 --
 Kristian Erik Hermansen




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Casper . Dik

But then there is the important concept of the private 0day, a new
vulnerability that a malicious person has but has not used yet.

But the point is there is no such thing as a 0day *vulnerability; there's
a 0day exploit, an exploit in the wild before the vulnerability is
discovered.

By claiming all new vulnerabilities are 0day the term becomes completely
meaningless; by your reasoning there is no such thing as a non-0day
vulnerability; well, the next day it's no longer a 0day vulnerability but
the funny thing is that everybody keeps calling it that.

When a vulnerability is discovered you cannot be sure no-one found it
before; the only thing you can ever be sure of is whether at that point
an exploit was detected in the wild.


I don't like this chain of logic. Whether a new vulnerability is an 0day
or not depends entirely too much on the disclosure process, with funky
race conditions in there.

But by your reasoning *all* vulnerabilities are 0day at some point; or
is the only exception those found by the vendor itself?

Rather, I just treat 0day as a synonym for new vulnerability and
don't give a hoot about the alleged intentions of whoever discovered it.
What makes it an 0 day is that whoever is announcing it is first to
announce it in public. You could only invalidate the 0day claim by
showing that the same vulnerability had previously been disclosed by
someone else.


The point is that it is not supposed to be moniker for vulnerabilities;
it's a moniker for exploits.  In any other context it does not make sense.

Specifically considering that 0-day exploit is the only definition which
holds meaning with respect to a particular exploit over time.  An exploit
which existed before the vulnerability was publicly known.

But a 0 day vulnerability is meaningless as a definition; it applies to
a vulnerability for exactly 24 hours and then is meaningless.  ALL 
vulnerabilities were discovered at some point and had their 24 hours of
0 day fame by your definition.  It just does not make sense.

Casper



[Full-disclosure] iDefense Security Advisory 09.19.07: Multiple Vendor ImageMagick Off-By-One Vulnerability

2007-09-21 Thread iDefense Labs
Multiple Vendor ImageMagick Off-By-One Vulnerability

iDefense Security Advisory 09.19.07
http://labs.idefense.com/intelligence/vulnerabilities/
Sep 19, 2007

I. BACKGROUND

ImageMagick is a suite of image manipulation tools (animate, composite,
conjure, convert, display, identify, import, mogrify and montage) that
are sometimes used by other applications for processing image files.
For more information about ImageMagick, visit the vendor's site at the
following URL.

http://www.imagemagick.org/

II. DESCRIPTION

Remote exploitation of an off-by-one vulnerability in ImageMagick, as
included in various vendors' operating system distributions, allows
attackers to execute arbitrary code.

This vulnerability specifically exists in the ReadBlobString() function
in magick/blob.c as shown below.

  3110    for (i=0; i < (long) MaxTextExtent; i++)
  3111    {
  3112      p=ReadBlobStream(image,1,buffer,&count);
  ...
  3119      string[i]=(char) (*p);
  3120      if ((string[i] == '\n') || (string[i] == '\r'))
  3121        break;
  3122    }
  3123    string[i]='\0';

The variable string is a character array of length MaxTextExtent. An
off-by-one buffer overflow will occur on line 3123 when i is exactly
MaxTextExtent. This function is called from several image file
processing routines. Most of the buffers involved are stack based,
although some are on the heap.
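The loop quoted in section II, reproduced here as an added C example so the off-by-one can be observed and compared with a corrected bound. This is not code from the advisory or from ImageMagick: MAX_TEXT_EXTENT, Blob and blob_read_byte are constructed stand-ins for MaxTextExtent (4096 in ImageMagick 6; shrunk to 16 here so the boundary is cheap to reach) and for the blob stream, and the guard-byte harness exists only so the stray write is detected rather than corrupting a neighbour.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for ImageMagick's MaxTextExtent, shrunk so the boundary is cheap to reach.
   Only the bound matters for the off-by-one, not its size. */
#define MAX_TEXT_EXTENT 16

/* Constructed in-memory blob: a byte buffer plus a read cursor. */
typedef struct {
    const unsigned char *data;
    size_t length;
    size_t offset;
} Blob;

/* Next byte of the blob, or -1 at end of data. */
static int blob_read_byte(Blob *b)
{
    if (b->offset >= b->length)
        return -1;
    return b->data[b->offset++];
}

/* Same loop shape as the advisory's ReadBlobString(). When no newline arrives within
   MAX_TEXT_EXTENT bytes the loop exits with i == MAX_TEXT_EXTENT and the terminator is
   stored one byte past a MAX_TEXT_EXTENT-sized array. The caller hands in a buffer that
   is one byte larger so the stray write lands on a guard byte instead of adjacent memory. */
static long read_blob_string_original(Blob *b, char *string)
{
    long i;
    for (i = 0; i < (long) MAX_TEXT_EXTENT; i++) {
        int c = blob_read_byte(b);
        if (c < 0)
            break;                          /* end of data */
        string[i] = (char) c;
        if ((string[i] == '\n') || (string[i] == '\r'))
            break;
    }
    string[i] = '\0';                       /* out of bounds when i == MAX_TEXT_EXTENT */
    return i;
}

/* Corrected bound: stop one byte early so index MAX_TEXT_EXTENT-1 is always free
   for the terminator. Over-long lines are truncated instead of overflowing. */
static long read_blob_string_fixed(Blob *b, char string[MAX_TEXT_EXTENT])
{
    long i;
    for (i = 0; i < (long) MAX_TEXT_EXTENT - 1; i++) {
        int c = blob_read_byte(b);
        if (c < 0)
            break;
        string[i] = (char) c;
        if ((string[i] == '\n') || (string[i] == '\r'))
            break;
    }
    string[i] = '\0';                       /* i <= MAX_TEXT_EXTENT - 1: always in bounds */
    return i;
}

/* 1 if feeding `line` to the original loop writes the terminator onto the guard byte,
   i.e. a real MaxTextExtent-sized buffer would have been overrun by one byte. */
int original_loop_overruns(const char *line)
{
    char buf[MAX_TEXT_EXTENT + 1];
    Blob b = { (const unsigned char *) line, strlen(line), 0 };
    buf[MAX_TEXT_EXTENT] = 'G';             /* guard standing in for the adjacent byte */
    read_blob_string_original(&b, buf);
    return buf[MAX_TEXT_EXTENT] == '\0';
}

/* 1 if the fixed loop turns `line` into exactly `expected`. */
int fixed_loop_yields(const char *line, const char *expected)
{
    char buf[MAX_TEXT_EXTENT];
    Blob b = { (const unsigned char *) line, strlen(line), 0 };
    long n = read_blob_string_fixed(&b, buf);
    return n == (long) strlen(expected) && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: 15 bytes plus newline fits; 16 bytes without one does not. */
    const char *lines[] = { "short line\n", "0123456789ABCDE\n", "0123456789ABCDEF" };
    size_t k;
    for (k = 0; k < sizeof lines / sizeof lines[0]; k++)
        printf("line of %zu bytes: original loop overruns=%d\n",
               strlen(lines[k]), original_loop_overruns(lines[k]));
    return 0;
}
```

The guard byte stands in for whatever follows the string on the stack or heap; in the real library that is the byte the advisory says gets clobbered. The fix is one character in the loop bound, which is why a reviewer should look at every fixed-size line reader for the same "terminator after a full loop" pattern.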

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to execute
arbitrary code in the context of the user.

One way of exploiting this vulnerability is to persuade a targeted user
to open a malicious image file with a program that utilizes the
ImageMagick library.

As the tools that are part of ImageMagick are sometimes used as helper
tools by other applications, this user may be the same as the web
server user. This scenario is somewhat more severe than the previously
described attack vector since the image processing can occur
automatically.

Exploitation in stack-based scenarios depends on the stack layout, which
depends on the compiler and compiler options used to build the library.

IV. DETECTION

iDefense Labs confirmed that ImageMagick version 6.3.4 is vulnerable. It
is suspected that other versions of ImageMagick are also vulnerable.

V. WORKAROUND

iDefense is unaware of any effective workaround for this vulnerability.

VI. VENDOR RESPONSE

The ImageMagick maintainers have addressed this vulnerability with the
release of version 6.3.5-9. More information is available from the
following URL.

http://studio.imagemagick.org/pipermail/magick-announce/2007-September/37.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-4987 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/04/2007  Initial vendor notification
09/05/2007  Initial vendor response
09/19/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by regenrecht.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



[Full-disclosure] help analysing asn overflow

2007-09-21 Thread Code Breaker
Hi,
i am trying to analyse the old asn integer overflow. Can anyone guide me
towards the right direction? Which function contains the vulnerable code? Is it
asn1_decode?
thanks for any help.
--

Re: [Full-disclosure] Hacking software is lame -- try medical research...

2007-09-21 Thread full-disclosure
Dear Kristian Erik Hermansen,

It sounds like you are friends with a lot of people that would make
good Youtube material[1].

What makes your friends so special?  A lot of geniuses are dying in
the world.  Consider African children[2] that are smart enough to
crawl towards food, but fail en route and become food for the
lesser intelligent vultures.

It sounds like your friend has had a good life up to this point,
and is much more fortunate than most Asian children[3].  Sure his
life might be ending soon, but at least he got to eyefuck a lot of
babes at Berkeley.

Maybe if his health were important to him he'd be studying
something pertinent to helping other people.  Medicine or
anthropology perhaps!

... or is it because he needs the achievement of getting a PhD in
something, and knows he may not live long enough to become a real
doctor?  Or is he too stupid to understand that not all doctors
cure diseases?  Maybe God wants this guy to die.

I read somewhere that incest can lead to various genetic defects. 
If you don't have what your brother has, which one of your parents
is lying?

Maybe you should cross-post your stupid fucking sob story to other
unrelated industries' mailing lists.  I'm sure the food industry
wants to stop producing frozen waffle technologies to direct their
efforts to save a couple random fat people that you know.

In closing, I hope you also become Youtube material sometime.  Soon.

[1] http://tinyurl.com/2blvo5
[2] http://tinyurl.com/2n5xk4
[3] http://tinyurl.com/yoj2a6



On Fri, 21 Sep 2007 13:37:20 -0400 Kristian Erik Hermansen
[EMAIL PROTECTED] wrote:
Some interesting discussion came up on some security lists this week
and it got me to thinking.  Yes, hacking software is lame.  Cool, so
you found some vulnerabilities in some widely distributed application,
service, or OS and it is patched just as quickly.  Why don't we spend
our time and valuable energy researching cures for rare or popular
diseases instead?  For instance, my brother (Jon Hermansen) has a very
rare disease called Langerhans Cell Histiocytosis.  It is also better
known as LCH.  It can be identified as causing such further diseases
as Diabetes Insipidus, which is also uncommon (not sugar diabetes).
Have you heard of these diseases before?  Let me educate you…

General Information:
http://en.wikipedia.org/wiki/Langerhans_cell_histiocytosis
http://en.wikipedia.org/wiki/Diabetes_insipidus

Seven Part Video Series:
http://youtube.com/watch?v=KkBRqZS8nfM
http://youtube.com/watch?v=w1h6ZjxF-To
http://youtube.com/watch?v=0ojbJpERlt8
http://youtube.com/watch?v=dzUqdYofMCQ
http://youtube.com/watch?v=lNhzwNYhi0M
http://youtube.com/watch?v=nY9DDEhShcE
http://youtube.com/watch?v=5_8SEYyEZGI

And even worse than this, a friend of mine who is a PhD student in
Math at Berkeley has an even rarer disease known as Gaucher's Disease.
This costs $550,000 / year to treat.  That's a hefty bill every year
(you make that much doing security vulns?), and some insurance
companies might refuse to accept you due to pre-existing conditions.
So guess what, my friend does not have health insurance and has not
been treated for two years.  A genius might die.  That's ludicrous.

http://en.wikipedia.org/wiki/Gaucher's_disease
http://youtube.com/watch?v=0nX6QM5iVaU

If we consider ourselves decent hackers, why don't we put our
efforts toward helping cure this and other diseases rather than some
very simple programming vulnerability?  Is it because then we would
have to reinvent a whole new slew of tools and re-orient/re-educate
ourselves to be successful?  Think about it…
--
Kristian Erik Hermansen


Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread J. Oquendo
[EMAIL PROTECTED] wrote:

 But a 0 day vulnerability is meaningless as a definition; it applies to
 a vulnerability for exactly 24 hours and then is meaningless.  ALL 
 vulnerabilities were discovered at some point and had their 24 hours of
 0 day fame by your definition.  It just does not make sense.
 
 Casper
 

Should we now create a new term for the industry +0day or 1day. How
about? nowaday

-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




[Full-disclosure] Will the real daddy of Aditya stand up? and spank the kidddo's ass

2007-09-21 Thread Lamer Buster
wow! I am going to love Aditya after sometime for his shameless nature
and being even more adamant than some of the FD trolls.

Aditya - we can understand your feeling that you are completely lost
and looking for your daddy over internet. Guess what we have a
surprise for you! Dr Neal's recent research is going to prove that
n3td3v is your daddy.

btw what the fuck is reverse Engineering layout?

-Original Message-
From: Aditya K Sood [mailto:[EMAIL PROTECTED]
Sent: 21 September 2007 04:35
To: [EMAIL PROTECTED]
Subject: [Mlabs] Dissecting Internals of Windows XP Svchost : Reverse
Engineering Stature

Hi all

This is the reverse Engineering layout of Svchost Internals.

|Category : Reverse Engineering Analysis.

The paper solely relates to the core internals that build up the
Windows XP Svchost. The Svchost internals have not been disseminated
into informative elements yet. I have found only one or two analyses
but they won't satisfy my views regarding XP Svchost. The anatomy of
Svchost has got complexity in its own terms. This pushes me to write a
specific analysis of it. The analysis provides a structural design
with concept-wise dissection. The point is to understand the hidden
artifacts and how they affect the working aspect of the prime service host
controller. Every process is disseminated into a primary process and a
secondary process. In terms related to the operating system there is a
parent process and its child. If one looks at the implementation
scenario then child processes are undertaken as threads internally. The
kernel level implementation is subjugated like this. The XP Svchost
runs as threads under the services process.|

http://mlabs.secniche.org/winxp_svchost.html
http://mlabs.secniche.org/papers/Win_Xp_Svc_Int.pdf

Regards
Aks aka 0kn0ck
http://mlabs.secniche.org | http://www.secniche.org



[Full-disclosure] iDefense Security Advisory 09.19.07: Multiple Vendor ImageMagick Sign Extension Vulnerability

2007-09-21 Thread iDefense Labs
Multiple Vendor ImageMagick Sign Extension Vulnerability

iDefense Security Advisory 09.19.07
http://labs.idefense.com/intelligence/vulnerabilities/
Sep 19, 2007

I. BACKGROUND

ImageMagick is a suite of image manipulation tools (animate, composite,
conjure, convert, display, identify, import, mogrify and montage) that
are sometimes used by other applications for processing image files.
For more information about ImageMagick, visit the vendor's site at the
following URL.

http://www.imagemagick.org/

II. DESCRIPTION

Remote exploitation of a sign extension vulnerability in ImageMagick, as
included in various vendors' operating system distributions, allows
attackers to execute arbitrary code.

This vulnerability specifically exists in the ReadDIBImage() as shown
below.

  558    image->columns=(unsigned long) dib_info.width;
  ...
  620    bytes_per_line=4*((image->columns*dib_info.bits_per_pixel+31)/32);
  621    length=bytes_per_line*image->rows;
  622    pixels=(unsigned char *) AcquireMagickMemory((size_t) MagickMax(
  623      bytes_per_line,image->columns+256)*image->rows*sizeof(*pixels));
  ...
  629    count=ReadBlob(image,length,pixels);
  ...
  638    status=DecodeImage(image,dib_info.compression ? MagickTrue :
           MagickFalse,pixels);

At line 558, dib_info.width is a signed short, which is extended to an
unsigned long and assigned to image->columns. For example, a value of
0x8000 (negative as a signed short) will be sign-extended to a very large
unsigned value. Later, it is used as a multiplier when calculating the
allocation size. An integer overflow occurs, leading to a heap block of
insufficient size being allocated. Consequently, a heap buffer overflow
occurs.
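An added C example, not part of the iDefense advisory or of ImageMagick, showing the two halves of this bug: what the cast on line 558 does to a negative width, and how the size arithmetic from lines 620 to 623 wraps on a 32-bit unsigned long. The function names, the 32-bit model and the input values (width 0x8000, 0x8000 rows, 8 bits per pixel) are constructed for illustration; the checked size computation at the end is a defensive rewrite of the same formula, not the upstream fix.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Line 558 in isolation: a signed short widened to unsigned long. A negative width
   is sign-extended first and then reinterpreted, so it becomes a huge column count. */
unsigned long widen_dib_width(short width)
{
    return (unsigned long) width;
}

/* MagickMax(bytes_per_line, columns+256) from lines 620-623, evaluated on a 32-bit
   unsigned long. The inner product columns*bpp may already wrap. */
static uint32_t dib_per_row_u32(uint32_t columns, uint32_t bpp)
{
    uint32_t bytes_per_line = 4u * ((columns * bpp + 31u) / 32u);
    return bytes_per_line > columns + 256u ? bytes_per_line : columns + 256u;
}

/* The byte count a 32-bit build would actually pass to the allocator (wraps mod 2^32). */
uint32_t naive_dib_alloc_u32(uint32_t columns, uint32_t rows, uint32_t bpp)
{
    return dib_per_row_u32(columns, bpp) * rows;
}

/* 1 if the exact product needs more than 32 bits, i.e. the allocation size wrapped. */
int dib_alloc_wraps_u32(uint32_t columns, uint32_t rows, uint32_t bpp)
{
    return (uint64_t) dib_per_row_u32(columns, bpp) * rows > UINT32_MAX;
}

/* Multiply without wrapping: 1 and *out = a*b on success, 0 if the product overflows. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Defensive version of the same computation (constructed, not the upstream fix): the
   header fields are validated as the signed quantities they are before being widened,
   and every product is checked. Returns 1 with the byte count in *out, else 0. */
int dib_pixel_buffer_size(short width, short height, unsigned bits_per_pixel, size_t *out)
{
    size_t columns, rows, bits, bytes_per_line, per_row;

    if (width <= 0 || height <= 0)          /* rejects 0x8000 before sign extension bites */
        return 0;
    if (bits_per_pixel == 0 || bits_per_pixel > 32)
        return 0;
    columns = (size_t) width;
    rows = (size_t) height;
    if (!mul_size(columns, bits_per_pixel, &bits) || bits > SIZE_MAX - 31)
        return 0;
    bytes_per_line = 4 * ((bits + 31) / 32);
    per_row = bytes_per_line > columns + 256 ? bytes_per_line : columns + 256;
    return mul_size(per_row, rows, out);
}

/* Convenience: the checked size, or 0 when the header is rejected. */
size_t checked_dib_alloc_or_zero(short width, short height, unsigned bpp)
{
    size_t n;
    return dib_pixel_buffer_size(width, height, bpp, &n) ? n : 0;
}

int main(void)
{
    printf("width 0x8000 as short widens to 0x%lx\n", widen_dib_width(SHRT_MIN));
    printf("32-bit build: wraps=%d, allocates %u bytes\n",
           dib_alloc_wraps_u32((uint32_t) SHRT_MIN, 0x8000u, 8u),
           naive_dib_alloc_u32((uint32_t) SHRT_MIN, 0x8000u, 8u));
    printf("checked: 100x100x24bpp -> %zu bytes, 0x8000 width -> %zu\n",
           checked_dib_alloc_or_zero(100, 100, 24),
           checked_dib_alloc_or_zero(SHRT_MIN, 100, 24));
    return 0;
}
```

The practical lesson is the ordering of checks: once a negative short has been cast to an unsigned type, no later comparison can tell it apart from a legitimately huge image, so the sign check has to happen on the original field.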

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to execute
arbitrary code in the context of the user.

One way of exploiting this vulnerability is to persuade a targeted user
to open a malicious image file with a program that utilizes the
ImageMagick library.

As the tools that are part of ImageMagick are sometimes used as helper
tools by other applications, this user may be the same as the web
server user. This scenario is somewhat more severe than the previously
described attack vector since the image processing can occur
automatically.

IV. DETECTION

iDefense Labs confirmed that ImageMagick version 6.3.4 is vulnerable. It
is suspected that other versions of ImageMagick are also vulnerable.

V. WORKAROUND

Exposure to this vulnerability can be mitigated by moving or deleting
the related module files. The file locations may vary between
distributions. The globbing expression listed below corresponds to a
Red Hat Linux system.

  /usr/lib/ImageMagick-*/modules*/coders/dib.*

VI. VENDOR RESPONSE

The ImageMagick maintainers have addressed this vulnerability with the
release of version 6.3.5-9. More information is available from the
following URL.

http://studio.imagemagick.org/pipermail/magick-announce/2007-September/37.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-4988 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/04/2007  Initial vendor notification
09/05/2007  Initial vendor response
09/19/2007  Public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by regenrecht.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



Re: [Full-disclosure] help analysing asn overflow

2007-09-21 Thread Valdis . Kletnieks
On Sat, 22 Sep 2007 00:49:30 +0530, Code Breaker said:

 i am trying to analyse the old asn integer overflow.Can anyone guide me
 towards right direction?which function contains the vulnerable code?is it
 asn1_decode?

It's not the old asn integer, it's one of the old asn integer...

There were about a zillion and a half different places in that code that
were exploitable, because actual error checking was, like, a foreign language
to that crew when they wrote it originally.



Re: [Full-disclosure] CAL-20070912-1 Multiple vendor produce handling AVI file vulnerabilities

2007-09-21 Thread Florian Weimer
* Code Audit Labs:

 that's funny, the above code still can be bypassed because of
 incorrect check  order.

 and example code
 calloc(0x1001, 0x10);

 it will return NULL in winxp or gligc 2.5
 it will return 0x10 sizes heap in glibc 2.5(maybe prior) or
 win2000 sp4

This bug has been fixed in GNU libc CVS in August 2002.  I've just
checked version 2.3.6, and it does return NULL on overflow.  There is,
however, a different version of calloc that GDB sees, but this is not
the real one invoked by application code.

On Windows, this bug depends on the Microsoft Visual C++ run-time
library.  As a result, it's not completely determined by the Windows
version alone.

By the way, the similar operator new[] issue that has been reported in
conjunction with that calloc issue:

  http://cert.uni-stuttgart.de/advisories/calloc.php

has allegedly been fixed by Microsoft as well, by throwing
std::bad_alloc.  G++ and libstdc++ are still vulnerable to
applications that perform unbounded allocations.  Over the years, it's
been debated again and again what the C++ standard says on this
matter, how large the performance impact would be, and so on, but no
one has created a patch (which would need to change the cross-vendor
C++ ABI, too).

The Ada Reference Manual does not preclude a fix, but I don't think
anyone has written a patch for GNAT.
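The calloc point discussed in this thread, as an added C example (not code from either poster, from glibc or from any Microsoft runtime). The first two functions model an allocator that multiplies nmemb*size in 32-bit arithmetic without an overflow check; the element count 0x10000001 and element size 0x10 are constructed values chosen so the product is exactly 2^32 + 16, which such an allocator reduces to 16 bytes. checked_calloc shows the check a correct implementation, or a wrapper around a suspect one, must make.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of a calloc that multiplies nmemb*size in 32-bit arithmetic with no overflow
   check, the behaviour the thread attributes to some older runtimes. Returns the byte
   count such an implementation would actually hand to the allocator. */
uint32_t naive_calloc_bytes_u32(uint32_t nmemb, uint32_t size)
{
    return nmemb * size;                    /* reduced modulo 2^32 */
}

/* 1 if nmemb*size does not fit in 32 bits, i.e. the product above silently wrapped. */
int calloc_product_wraps_u32(uint32_t nmemb, uint32_t size)
{
    return nmemb != 0 && size > UINT32_MAX / nmemb;
}

/* What a correct calloc must do: refuse the request instead of returning a buffer
   smaller than the caller believes it got. NULL on overflow, otherwise a zeroed buffer
   of nmemb*size bytes. Current libc versions check this themselves; the wrapper makes
   the requirement explicit for code that may run against one that does not. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return NULL;
    return calloc(nmemb, size);
}

/* 1 if checked_calloc refuses the request, 0 if it allocates (the buffer is freed). */
int checked_calloc_refuses(size_t nmemb, size_t size)
{
    void *p = checked_calloc(nmemb, size);
    if (p == NULL)
        return 1;
    free(p);
    return 0;
}

int main(void)
{
    /* Constructed pair: 0x10000001 elements of 16 bytes need 2^32 + 16 bytes. */
    uint32_t n = 0x10000001u, s = 0x10u;
    printf("naive 32-bit calloc(%#x, %#x) would allocate %u bytes (wraps: %d)\n",
           n, s, naive_calloc_bytes_u32(n, s), calloc_product_wraps_u32(n, s));
    printf("checked_calloc(SIZE_MAX, 2) refused: %d\n",
           checked_calloc_refuses(SIZE_MAX, 2));
    return 0;
}
```

The division-based test (size > SIZE_MAX / nmemb) is the portable way to detect the wrap before it happens; it is the same check that has to guard any count*element_size computation feeding an allocator, which is why the operator new[] case mentioned above is the same bug in a different spelling.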



[Full-disclosure] DEFCON London DC4420 meet - Monday 24th September

2007-09-21 Thread Major Malfunction
To quote Alien from the 4420 website:

Monday  24th September, 2007 starting at 19:30
-room private till 21:30 then we might pop out to a certain local 
again... :-)

Location: Charing Cross Sports Club, Charing Cross Hospital
Tube: Hammersmith or Barons Court
http://www.multimap.com/map/browse.cgi?lat=51.4857&lon=-0.2194&scale=5000&icon=x

Note: it's MONDAY this time!

If you haven't been before, please do come. We've got some great talks 
coming in the next few months Smiley

Talks Planned:

- Injecting RDS-TMC Traffic Information Systems - Andrea Barisani.

This talk is HIGHLY recommended - fresh from appearing at Blackhat, this 
is a great project that will amuse and inform you.. great possibilities.

- 'MPLS Security' - Thorsten Fischer - what it is, what people are doing 
about it and the current issues with it.
- 10 min special - TBA

Additionally - we will have 36Gb of WPA rainbow tables courtesy of the 
Church of Wifi available - bring your laptop & diskspace and grab it 
whilst you can.

Zac & Major hope to have something cool to show you too...

Oh, and we'll have DC15 stickers as well :-)

All welcome & bring a friend.

More details here: http://dc4420.org

cheers,
MM
-- 
In DEFCON, we have no names... errr... well, we do... but silly ones...



[Full-disclosure] iDefense Security Advisory 09.19.07: Multiple Vendor ImageMagick Multiple Integer Overflow Vulnerabilities

2007-09-21 Thread iDefense Labs
Multiple Vendor ImageMagick Multiple Integer Overflow Vulnerabilities

iDefense Security Advisory 09.19.07
http://labs.idefense.com/intelligence/vulnerabilities/
Sep 19, 2007

I. BACKGROUND

ImageMagick is a suite of image manipulation tools (animate, composite,
conjure, convert, display, identify, import, mogrify and montage) that
are sometimes used by other applications for processing image files.
For more information about ImageMagick, visit the vendor's site at the
following URL.

http://www.imagemagick.org/

II. DESCRIPTION

Remote exploitation of multiple integer overflow vulnerabilities in
ImageMagick, as included in various vendors' operating system
distributions, allows attackers to crash applications using the
ImageMagick library, and in some cases, execute arbitrary code.

Several integer overflow vulnerabilities have been identified in
ImageMagick's handling of various file formats. By creating a specially
crafted DCM, DIB, XBM, XCF, or XWD image file, an attacker can cause a
heap buffer of insufficient size to be allocated. This results in a
heap-based buffer overflow.

III. ANALYSIS

Exploitation of these vulnerabilities allows an attacker to crash the
programs using ImageMagick library, or execute arbitrary code in the
context of the user.

One way of exploiting these vulnerabilities is to persuade a targeted
user to open a malicious image file with a program that utilizes the
ImageMagick library.

As the tools that are part of ImageMagick are sometimes used as helper
tools by other applications, this user may be the same as the web
server user. This scenario is somewhat more severe than the previously
described attack vector since the image processing can occur
automatically.

IV. DETECTION

iDefense Labs confirmed that ImageMagick version 6.3.4 is vulnerable. It
is suspected that other versions of ImageMagick are also vulnerable.

V. WORKAROUND

Exposure to some of these vulnerabilities can be mitigated by moving or
deleting the related module files. The file locations may vary between
distributions. The globbing expressions listed below correspond to a
Red Hat Linux system.

  /usr/lib/ImageMagick-*/modules*/coders/dcm.*
  /usr/lib/ImageMagick-*/modules*/coders/dib.*
  /usr/lib/ImageMagick-*/modules*/coders/xbm.*
  /usr/lib/ImageMagick-*/modules*/coders/xcf.*
  /usr/lib/ImageMagick-*/modules*/coders/xwd.*

VI. VENDOR RESPONSE

The ImageMagick maintainers have addressed these vulnerabilities with
the release of version 6.3.5-9. More information is available from the
following URL.

http://studio.imagemagick.org/pipermail/magick-announce/2007-September/37.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-4986 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/04/2007  Initial vendor notification
09/05/2007  Initial vendor response
09/19/2007  Coordinated public disclosure

IX. CREDIT

These vulnerabilities were reported to iDefense by regenrecht.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Thierry Zoller
Dear All,

pa http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
Is this the way responsible disclosure works these days ?
Adobe’s representatives can contact me from the usual place.

Wow, now that's coordinated release. Knowing the bugs that you found
previously it should take 10 minutes to rediscover this one. Which
makes this even worse.

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



[Full-disclosure] iDefense Security Advisory 09.19.07: Multiple Vendor ImageMagick Multiple Denial of Service Vulnerabilities

2007-09-21 Thread iDefense Labs
Multiple Vendor ImageMagick Multiple Denial of Service Vulnerabilities

iDefense Security Advisory 09.19.07
http://labs.idefense.com/intelligence/vulnerabilities/
Sep 19, 2007

I. BACKGROUND

ImageMagick is a suite of image manipulation tools (animate, composite,
conjure, convert, display, identify, import, mogrify and montage) that
are sometimes used by other applications for processing image files.
For more information about ImageMagick, visit the vendor's site at the
following URL.

http://www.imagemagick.org/

II. DESCRIPTION

Remote exploitation of multiple denial of service vulnerabilities in
ImageMagick, as included in various vendors' operating system
distributions, allows attackers to consume excessive CPU resources on
the target system.

The first vulnerability exists in the ReadDCMImage() function. Since the
return value of ReadBlobByte() is not properly checked, it can enter an
infinite loop.

The second vulnerability exists in the ReadXCFImage() function. Since
the return value of ReadBlobMSBLong() is not properly checked, it can
enter an infinite loop.
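An added C example, not part of the iDefense advisory or of ImageMagick, of the failure mode both paragraphs describe: a read loop that never checks the byte reader's end-of-data return. Blob, blob_read_byte and BLOB_EOF are constructed stand-ins for the blob stream and ReadBlobByte(); the marker-skipping loop is a generic shape, not the actual DCM or XCF code, and the iteration budget exists only so the unbounded loop can be observed in a test.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOB_EOF (-1)

/* Constructed in-memory blob: a byte buffer plus a read cursor. */
typedef struct {
    const unsigned char *data;
    size_t length;
    size_t offset;
} Blob;

/* Stand-in for ReadBlobByte(): next byte, or BLOB_EOF once the data is exhausted.
   Like the real function it keeps returning EOF on every subsequent call. */
static int blob_read_byte(Blob *b)
{
    if (b->offset >= b->length)
        return BLOB_EOF;
    return b->data[b->offset++];
}

/* Loop of the shape the advisory describes: read bytes until a marker value appears,
   without checking for EOF. On a truncated file every read returns BLOB_EOF, which
   never equals the marker, so the loop never ends. `budget` caps the iterations so
   the behaviour can be observed; returns how many reads were performed. */
size_t skip_to_marker_unchecked(Blob *b, int marker, size_t budget)
{
    size_t reads = 0;
    int c = BLOB_EOF;
    do {
        if (reads == budget)
            break;                          /* only here to make the demo terminate */
        c = blob_read_byte(b);
        reads++;
    } while (c != marker);
    return reads;
}

/* Fixed: EOF is a terminal condition. Returns 1 if the marker was found, 0 on EOF. */
int skip_to_marker_checked(Blob *b, int marker)
{
    for (;;) {
        int c = blob_read_byte(b);
        if (c == BLOB_EOF)
            return 0;
        if (c == marker)
            return 1;
    }
}

/* Helpers over a constructed blob so both loops can be compared on the same input. */
size_t unchecked_reads_on(const char *bytes, int marker, size_t budget)
{
    Blob b = { (const unsigned char *) bytes, strlen(bytes), 0 };
    return skip_to_marker_unchecked(&b, marker, budget);
}

int checked_finds_on(const char *bytes, int marker)
{
    Blob b = { (const unsigned char *) bytes, strlen(bytes), 0 };
    return skip_to_marker_checked(&b, marker);
}

int main(void)
{
    /* Constructed inputs: a well-formed record and one truncated before the marker. */
    printf("well-formed: unchecked reads=%zu, checked found=%d\n",
           unchecked_reads_on("abXd", 'X', 1000), checked_finds_on("abXd", 'X'));
    printf("truncated:   unchecked reads=%zu (hit budget), checked found=%d\n",
           unchecked_reads_on("abc", 'X', 1000), checked_finds_on("abc", 'X'));
    return 0;
}
```

The same reasoning applies to ReadBlobMSBLong() in the XCF coder: a multi-byte read that has no way to signal a short read, or whose signal is ignored, turns a truncated or malformed file into a loop that is bounded only by the file's own contents, which the attacker controls.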

III. ANALYSIS

Exploitation of these vulnerabilities allows an attacker to consume
excessive CPU resource on the system using the ImageMagick library to
process images.

One way of exploiting these vulnerabilities is to persuade a targeted
user to open a malicious image file with a program that utilizes the
ImageMagick library.

As the tools that are part of ImageMagick are sometimes used as helper
tools by other applications, this user may be the same as the web
server user. This scenario is somewhat more severe than the previously
described attack vector since the image processing can occur
automatically.

IV. DETECTION

iDefense Labs confirmed that ImageMagick version 6.3.4 is vulnerable. It
is suspected that other versions of ImageMagick are also vulnerable.

V. WORKAROUND

Exposure to some of these vulnerabilities can be mitigated by moving or
deleting the related module files. The file locations may vary between
distributions. The globbing expressions listed below correspond to a
Red Hat Linux system.

  /usr/lib/ImageMagick-*/modules*/coders/dcm.*
  /usr/lib/ImageMagick-*/modules*/coders/xcf.*

VI. VENDOR RESPONSE

The ImageMagick maintainers have addressed these vulnerabilities with
the release of version 6.3.5-9. More information is available from the
following URL.

http://studio.imagemagick.org/pipermail/magick-announce/2007-September/37.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-4985 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/04/2007  Initial vendor notification
09/05/2007  Initial vendor response
09/19/2007  Coordinated public disclosure

IX. CREDIT

These vulnerabilities were reported to iDefense by regenrecht.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
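The defect pattern the advisory describes (a loop that reads bytes and never tests the read function's end-of-file return) is shown below in a small C example written for this page; it is not ImageMagick's code, and the blob reader, function names and sample byte strings are all constructed stand-ins. The unchecked loop is kept beside the checked one for contrast. The second half goes slightly beyond the advisory's text: a big-endian 32-bit read returns an unsigned value that cannot carry an EOF sentinel, so truncation is reported through a separate status flag and every declared length is bounds-checked before it is consumed.

```c
#include <stdio.h>
#include <stdint.h>

/* Minimal in-memory blob reader: a hypothetical stand-in for the blob API
 * the advisory names (ReadBlobByte, ReadBlobMSBLong), not ImageMagick's code. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} Blob;

/* Returns the next byte (0..255), or EOF (-1) once the blob is exhausted. */
static int read_blob_byte(Blob *b)
{
    if (b->pos >= b->len)
        return EOF;
    return b->data[b->pos++];
}

/* Vulnerable pattern: EOF is never tested, so on a truncated file the loop
 * reads -1 forever. Kept only for contrast; it hangs on cut_marker below. */
static size_t skip_to_marker_unchecked(Blob *b, unsigned char marker)
{
    size_t skipped = 0;
    while (read_blob_byte(b) != marker)
        skipped++;
    return skipped;
}

/* Hardened: each read is tested for EOF and truncation is returned as -1. */
static long skip_to_marker_checked(Blob *b, unsigned char marker)
{
    long skipped = 0;
    for (;;) {
        int c = read_blob_byte(b);
        if (c == EOF)
            return -1;          /* truncated input: fail instead of spinning */
        if (c == marker)
            return skipped;
        skipped++;
    }
}

/* Big-endian 32-bit read. The unsigned result cannot carry an EOF sentinel,
 * so success is reported separately: 1 and *out set, or 0 if < 4 bytes remain. */
static int read_blob_msb_long(Blob *b, uint32_t *out)
{
    if (b->len - b->pos < 4)
        return 0;
    *out = ((uint32_t)b->data[b->pos] << 24) | ((uint32_t)b->data[b->pos + 1] << 16) |
           ((uint32_t)b->data[b->pos + 2] << 8) | (uint32_t)b->data[b->pos + 3];
    b->pos += 4;
    return 1;
}

/* Walks length-prefixed records, checking that each length field was fully
 * read and that the declared length fits in the remaining input.
 * Returns the record count, or -1 for a truncated or malformed blob. */
static long count_records_checked(Blob *b)
{
    long n = 0;
    while (b->pos < b->len) {
        uint32_t len;
        if (!read_blob_msb_long(b, &len))
            return -1;
        if (len > b->len - b->pos)
            return -1;          /* length points past the end of the data */
        b->pos += len;
        n++;
    }
    return n;
}

/* Constructed sample inputs for the demo; not real image files. */
static const unsigned char good_marker[] = {0x10, 0x20, 0x30, 0xFF, 0x40};
static const unsigned char cut_marker[]  = {0x10, 0x20};
static const unsigned char good_recs[]   = {0, 0, 0, 2, 'a', 'b', 0, 0, 0, 0};
static const unsigned char bad_recs[]    = {0, 0, 0, 9, 'a'};

long demo_marker_found(void)     { Blob b = {good_marker, sizeof good_marker, 0}; return skip_to_marker_checked(&b, 0xFF); }
long demo_marker_truncated(void) { Blob b = {cut_marker, sizeof cut_marker, 0};   return skip_to_marker_checked(&b, 0xFF); }
long demo_records_ok(void)       { Blob b = {good_recs, sizeof good_recs, 0};     return count_records_checked(&b); }
long demo_records_bad(void)      { Blob b = {bad_recs, sizeof bad_recs, 0};       return count_records_checked(&b); }

int main(void)
{
    Blob b = {good_marker, sizeof good_marker, 0};
    /* The unchecked loop only returns here because the marker is present. */
    printf("unchecked skip, well-formed input: %zu\n", skip_to_marker_unchecked(&b, 0xFF));
    printf("checked skip, marker found: %ld\n", demo_marker_found());
    printf("checked skip, truncated input: %ld\n", demo_marker_truncated());
    printf("records, well-formed: %ld\n", demo_records_ok());
    printf("records, bad length: %ld\n", demo_records_bad());
    return 0;
}
```

The design point is that a decoder's read primitives need a distinct failure signal (a sentinel value or a status flag) and every loop or length computation driven by file data has to consult it, so that a truncated or hostile file ends in an error return rather than a CPU-bound loop.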


Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Geo.
 pa http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
 Is this the way responsible disclosure works these days ?
 Adobe's representatives can contact me from the usual place.

 Wow, now that's coordinated release. Knowing the bugs that you found
 previously it should take 10 minutes to rediscover this one. Which
 makes this even worse.

I just saw his video showing the exploit firing up calculator, it looks
like the same stuff (feature/exploit call it what you want) that's been
around for years. See www.nthelp.com/test.pdf (warning, it won't damage
anything but it may scare you)

Geo.



Re: [Full-disclosure] help analysing asn overflow

2007-09-21 Thread David Chastain
Are you gonna blow hot air VK or are you gonna help the man/woman???
 
On Friday, September 21, 2007, at 12:44PM, [EMAIL PROTECTED] wrote:
On Sat, 22 Sep 2007 00:49:30 +0530, Code Breaker said:

 i am trying to analyse the old asn integer overflow. Can anyone guide me
 towards the right direction? Which function contains the vulnerable code? Is it
 asn1_decode?

It's not the old asn integer, it's one of the old asn integer...

There were about a zillion and a half different places in that code that
were exploitable, because actual error checking was, like, a foreign language
to that crew when they wrote it originally.



Re: [Full-disclosure] [Dailydave] Hacking software is lame -- try medical research...

2007-09-21 Thread Kristian Erik Hermansen
On 9/21/07, Curt [EMAIL PROTECTED] wrote:
 I notice that you didn't mention any rare disease that none of your
 friends or relatives have.

 Why is it that all of these altruistic people seem to never give a
 crap until it happens to them?  Did Michael J Fox give one thin dime
 to Parkinsons until he had it?  How about Christopher Reeves and
 spinal injury/stem cell?

 I'd much rather make my money, and donate to non-profit orgs that do
 things that I am interested in.

You make some great points -- but I think you jumped the gun on
assuming I am evil.  Friends and people who know me understand that I
am active in many circles, offering help to those in need.  I highly
encourage you to do the same so that we can live in a world where
people are friendlier and healthier.  The world is what we make of it,
and I always disliked the hostility in the security and free software
communities.  Everyone should be nicer to each other and not bash
people when they ask simple questions, even if they haven't read the
manual...
-- 
Kristian Erik Hermansen



[Full-disclosure] [ MDKSA-2007:187 ] - Updated PHP packages fix numerous vulnerabilities

2007-09-21 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:187
 http://www.mandriva.com/security/
 ___
 
 Package : php
 Date: September 21, 2007
 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0,
   Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 Numerous vulnerabilities were discovered in the PHP scripting language
 that are corrected with this update.
 
 An integer overflow in the substr_compare() function allows
 context-dependent attackers to read sensitive memory via a large
 value in the length argument.  This only affects PHP5 (CVE-2007-1375).
 
 A stack-based buffer overflow in the zip:// URI wrapper in PECL
 ZIP 1.8.3 and earlier allows remote attackers to execute arbitrary
 code via a long zip:// URL.  This only affects Corporate Server 4.0
 (CVE-2007-1399).
 
 A CRLF injection vulnerability in the FILTER_VALIDATE_EMAIL filter
 could allow an attacker to inject arbitrary email headers via a
 special email address.  This only affects Mandriva Linux 2007.1
 (CVE-2007-1900).
 
 The mcrypt_create_iv() function calls php_rand_r() with an
 uninitialized seed variable, thus always generating the same
 initialization vector, which may allow an attacker to decrypt
 certain data more easily because of the guessable encryption keys
 (CVE-2007-2727).
 
 The soap extension calls php_rand_r() with an uninitialized seed
 variable, which has unknown impact and attack vectors; an issue
 similar to that affecting mcrypt_create_iv().  This only affects PHP5
 (CVE-2007-2728).
 
 The substr_count() function allows attackers to obtain sensitive
 information via unspecified vectors.  This only affects PHP5
 (CVE-2007-2748).
 
 An infinite loop was found in the gd extension that could be used to
 cause a denial of service if a script were forced to process certain
 PNG images from untrusted sources (CVE-2007-2756).
 
 An integer overflow flaw was found in the chunk_split() function that
 could possibly execute arbitrary code as the apache user if a remote
 attacker was able to pass arbitrary data to the third argument of
 chunk_split() (CVE-2007-2872).
 
 A flaw in the PHP session cookie handling could allow an attacker to
 create a cross-site cookie insertion attack if a victim followed an
 untrusted carefully-crafted URL (CVE-2007-3799).
 
 Various integer overflow flaws were discovered in the PHP gd extension
 that could allow a remote attacker to execute arbitrary code as the
 apache user (CVE-2007-3996).
 
 A flaw in the wordwrap() function could result in a denial of service
 if a remote attacker was able to pass arbitrary data to the function
 (CVE-2007-3998).
 
 A flaw in the money_format() function could result in an information
 leak or denial of service if a remote attacker was able to pass
 arbitrary data to this function; this situation would be unlikely
 however (CVE-2007-4658).
 
 A bug in the PHP session cookie handling could allow an attacker to
 stop a victim from viewing a vulnerable website if the victim first
 visited a malicious website under the control of the attacker who
 was able to use that page to set a cookie for the vulnerable website
 (CVE-2007-4670).
 
 Updated packages have been patched to prevent these issues.
 In addition, PECL ZIP version 1.8.10 is being provided for Corporate
 Server 4.0.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1375
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1399
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1900
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2727
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2728
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2748
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2872
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3799
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3996
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3998
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4658
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4670
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 57a68f47fd8c691db93b9eadbbf19b40  
2007.0/i586/libphp5_common5-5.1.6-1.9mdv2007.0.i586.rpm
 f82d39f70da087f4d7f9470f81211276  
2007.0/i586/php-cgi-5.1.6-1.9mdv2007.0.i586.rpm
 a22e66bf85ab53ff1782ce331ffa60a6  
2007.0/i586/php-cli-5.1.6-1.9mdv2007.0.i586.rpm
 c3cd07dba2182b4f583794a3b240e84e  
2007.0/i586/php-devel-5.1.6-1.9mdv2007.0.i586.rpm
 265ef0003e043ad3013022b1e566fd89  

Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread h4h
Jeez, what a bunch of whiny pussies.

[Full-disclosure] 2 vanilla XSS on Wordpress 'wp-register.php'

2007-09-21 Thread Adrian P
There are two vanilla XSS on 'wp-register.php'. Only versions =2.0.1
appear to be affected.

More info can be found on GNUCITIZEN's BlogSecurity:

http://blogsecurity.net/wordpress/2-vanilla-xss-on-wordpress-wp-registerphp/


Regards,

-- 
pagvac
gnucitizen.org, ikwt.com



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Tremaine Lea
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

That's been disclosed already, but thanks for your $0.02 USD ($0.02 CDN)

Cheers,

- ---
Tremaine Lea
Network Security Consultant
Intrepid ACL
Paranoia for hire



On 21-Sep-07, at 5:40 PM, h4h wrote:

 Jeez, what a bunch of whiny pussies.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (Darwin)

iQEcBAEBAgAGBQJG9F1TAAoJEKGa22zRy9WCBqgH/3rx3uiZU7USUJP96nWJXrg9
3jsHq6TkAIkE5hlJbNePsMCTKL9DgbPSRyD7sg2m9J9yf59rGCOEOmsvkEutFxGi
kYDdizGijl1aYQlqDYRztANjENdpJW0lGCsfjEEB51hIzBq6wC+o/hAZe/QTcHnT
MTUVQA0+/92o1pTqVeRRkG+T6tl9EgPLbhyJXHwtTJwWPtEg0EQcxGOz4W1ODOf6
Vw2vnGv/nR/DycOvVMHRt5IxjPKJkkXBHdx2TTgJH9+CQ021PUjG4xwgJO7qkAoy
Jdg5v2yzKHGwYOeRr98jh3jvh7Lh5om+PMFv+WTXD1QY6ZpSx+bxUUrCvUTmkug=
=f+bR
-END PGP SIGNATURE-
