[Full-disclosure] Technology and your Security Program
*Why should technology be the final tier to be fully implemented in a security program?*

I am thinking in terms of the Digital Liability Management model: http://daemonic.wordpress.com/2006/04/26/it-security/

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] rPSA-2007-0212-1 util-linux
could anybody explain this bug? I saw the git diff:

- setuid(getuid()); - setgid(getgid()); + if(setgid(getgid()) 0) + die(EX_FAIL, _(umount: cannot set group id: %s), strerror(errno)); + + if(setuid(getuid()) 0) + die(EX_FAIL, _(umount: cannot set user id: %s), strerror(errno)); +

not only root can do mount? what condition could cause setuid to fail?

rPath Update Announcements [EMAIL PROTECTED] wrote:

rPath Security Advisory: 2007-0212-1
Published: 2007-10-08
Products: rPath Linux 1
Rating: Major
Exposure Level Classification: Local Root Deterministic Privilege Escalation
Updated Versions: util-linux=/[EMAIL PROTECTED]:devel//1/2.12r-1.5-1
rPath Issue Tracking System: https://issues.rpath.com/browse/RPL-1757
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5191

Description: Previous versions of the util-linux package contain mount and umount utilities that do not correctly drop privileges, which may allow local attackers to gain privileges via helper utilities (such as mount.cifs).

Copyright 2007 rPath, Inc. This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html
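Review bot: as quoted here both new conditions have lost their comparison operator (`if(setgid(getgid()) 0)`), so anyone applying this from the list text should take the hunk from the repository rather than retyping it; the intended test is a negative return value. The substance of the change is right: the old code ignored what setuid() and setgid() returned, so when setuid() failed (the process-count limit of the target uid is the usual cause, as the replies in this thread explain) umount carried on and ran its helper (mount.cifs and friends) still as root, whereas the new code dies with a message instead. Reordering the calls so that setgid() runs before setuid() is also correct: once setuid() has dropped root, a later setgid() to anything but the real or saved gid can no longer succeed, so the old order could leave the group id unchanged even when both calls were checked.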
Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
Defence in depth is in question? After more than 20 years in compsec, the fallacy of the argument that defence in depth is dead is ironic. D.I.D. means that if defence A fails, B comes in. If B fails, C comes in, then D, etc. Though pdp is a very inventive youngster, it takes a few grey hairs to master security. Or perhaps we in the 'old school' are deluded.

Rgds
Pete
Re: [Full-disclosure] rPSA-2007-0212-1 util-linux
On Fri, Oct 12, 2007 at 05:02:48AM -0700, Andrew Farmer wrote:
> On 12 Oct 07, at 01:34, yearsilent wrote:
> > could anybody explain this bug? I saw the git diff:
- setuid(getuid()); - setgid(getgid()); + if(setgid(getgid()) 0) + die(EX_FAIL, _(umount: cannot set group id: %s), strerror(errno)); + + if(setuid(getuid()) 0) + die(EX_FAIL, _(umount: cannot set user id: %s), strerror(errno)); +
> > not only root can do mount? what condition could cause setuid to fail?
>
> setuid() fails if the operation would create more processes owned by the target user than the number specified by that user's process-count limit.

Please also look closer and see the switch of the order of the setuid() and setgid() calls to the correct order.

Ciao,
Marcus
Re: [Full-disclosure] Tikiwiki 1.9.8 exploit ITW
SHUT UP VLADIS THE PIG

On Fri, 12 Oct 2007 06:23:02 -0400 3APA3A [EMAIL PROTECTED] wrote:
> Dear Moritz Naumann,
>
> This vulnerability was found by ShAnKaR http://securityvulns.ru/Sdocument162.html and reported on Bugtraq yesterday (see Vulnerabilities digest message). TikiWiki developers were informed on October 8.
>
> --Friday, October 12, 2007, 1:20:06 AM, you wrote to full-disclosure@lists.grok.org.uk:
>
> MN> Disabling url_fopen() or denying access to tiki-graph_formula.php for unauthenticated users will prevent your site from being exploited.
> MN> I've notified the developers.
> MN> If what it says on http://dev.tikiwiki.org/Security is up to date (i.e. unfixed security issues of high priority initially reported 9 months ago), then you really should not use this software.
>
> --
> ~/ZARAZA
> http://securityvulns.com/
> "Man is a mystery... I occupy myself with this mystery so as to be a man." (Dostoevsky)
[Full-disclosure] gnucitizen bt home hub latest, attacks wide spread, outages reported
gnucitizen 0day concerning bt home hub router firmware is vulnerable to attack. bbc radio 1's newsbeat program has been reporting today that customers can't connect to the internet. bbc radio 1 is a national and international radio station.

i tried to look on the bbc radio 1 newsbeat site but they haven't put an online version of the report online. they didn't say gnucitizen on the radio but they said "a group". they said bt customers have been reporting problems with their bt home hub and the report said bt are denying it's connected with the security group's disclosure.

this is very interesting but there is very little online about it, even from the bbc, who have been reporting on it via bbc radio 1 at 16:30 (UK GMT) today. i urge people to investigate. gnucitizen may be responsible for bt being under a massive attack right now.

the media can phone up bbc radio 1 newsbeat and ask for a copy of the report to be put online. i think they should. the bbc radio 1 shouldn't give reports like that without putting it online.

should gnucitizen get into trouble or should we not blame the researchers and only the script kids who have brought down bt today?

bbc radio 1 is a music station and the news reports are just top of the hour news flashes lasting about 5 minutes. they didn't repeat the report at 17:00 GMT today, but maybe they will repeat it in their 17:45 GMT news update?

i'm sorry i don't have a link, but there isn't one online, UNBELIEVABLE for the bbc, they are usually good at standards.
[Full-disclosure] CallManager and OpeSer toll fraud and authentication forward attack
MADYNES Security Advisory: SIP toll fraud and authentication forward attack

Date of discovery: 5 May 2007
Vendor 1 (Cisco) was informed on 22 May 2007
Vendor 2 (OpenSER, voice-systems) was informed on 4 October 2007
ID: KIPH11

Affected products
CallManager: System version 5.1.1.3000-5, Administration version 1.1.0.0-1
OpenSER: SVN version until 4 October 2007; version 1.2.2

Summary
The tested systems do not bind a Digest authentication to a dialog, which allows any user who can sniff the traffic to make their own calls on behalf of the sniffed device.

Synopsis
The tested implementations do not check that the URI provided in the Digest authentication header is the same as the Request-URI of the message, which allows an attacker to call any other extension. This is not a simple replay attack. They also do not generate one-time nonces. Together these issues allow a malicious user who can sniff a Digest authentication from a regular user to call (by spoofing data) any extension on behalf of that user, for as long as the nonce does not expire.

The first vendor (Cisco) was informed in May 2007 and acknowledged the vulnerability. The second vendor (OpenSER, voice-systems) was informed in October 2007 and fixed the vulnerability on the same day.

This vulnerability was identified by the Madynes research team at INRIA Lorraine, using the Madynes VoIP fuzzer KIPH. This is one of the first published vulnerabilities whose discovery required advanced state tracking.

Background
SIP is the IETF standardized protocol (RFCs 2543 and 3261) for VoIP signalling. SIP is ASCII based; the INVITE message is used to initiate and maintain a communication session.

Impact
A malicious user can perform toll fraud and caller ID spoofing.

Resolution
OpenSER fixed the issue on 4 October. The devel branch was enhanced to export a variable $adu which refers to this field (the URI inside the digest credential). It is now easy to check in the config file whether it is equal to the Request-URI ($ru):

if($adu != $ru) {
    # digest uri and request uri are different
}

Credits
* Humberto J. Abdelnur (Ph.D student)
* Radu State (Ph.D)
* Olivier Festor (Ph.D)

This vulnerability was identified by the Madynes research team at INRIA Lorraine, using the Madynes VoIP fuzzer KIF.

PoC
PoC code is available on request.
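To make the missing check concrete, here is an added Python sketch, not code from the advisory or from OpenSER, of what a proxy must verify before trusting a Digest credential: the `uri` parameter inside the credential has to equal the Request-URI, otherwise a credential sniffed for one call authenticates a call to any other extension. The realm, the user, the nonce and both SIP messages are constructed for the example; the digest arithmetic follows RFC 2617 (MD5, no qop), and `forge_request_uri()` plays the attacker who keeps the sniffed Proxy-Authorization header and rewrites only the target. The `used_nonces` set models the one-time nonce the advisory says the tested implementations lacked.

```python
import hashlib
import hmac
import re

# Constructed test data (not from the advisory): one registered user and a fixed nonce.
REALM = "example.com"
USERS = {"1001": "s3cret-pass"}          # username -> password known to the proxy
NONCE = "6e1a5f0c9b2d"


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce):
    """RFC 2617 Digest response, MD5 without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_invite(target_uri, username, password, nonce=NONCE):
    """A UA's INVITE for target_uri carrying Digest credentials computed over that same URI."""
    response = digest_response(username, password, REALM, "INVITE", target_uri, nonce)
    auth = (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{target_uri}", response="{response}", algorithm=MD5')
    lines = [
        f"INVITE {target_uri} SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
        f"From: <sip:{username}@{REALM}>;tag=1928301774",
        f"To: <{target_uri}>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 1 INVITE",
        f"Proxy-Authorization: {auth}",
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def forge_request_uri(raw, new_target):
    """Attacker: keep the sniffed credential untouched, point the call at another extension."""
    lines = raw.split("\r\n")
    method, _old_uri, version = lines[0].split(" ", 2)
    lines[0] = f"{method} {new_target} {version}"
    lines = [f"To: <{new_target}>" if line.startswith("To:") else line for line in lines]
    return "\r\n".join(lines)


def parse_request(raw):
    """Return (method, request_uri, {lowercased header name: value}) of a SIP request."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, request_uri, headers


def parse_digest(credential):
    """Parse 'Digest k="v", k2=v2, ...' into a dict."""
    scheme, _, params = credential.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    pairs = re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3) for m in pairs}


def verify(raw, check_uri=True, used_nonces=None):
    """Proxy side. check_uri is the check the advisory is about; used_nonces enables one-time nonces."""
    method, request_uri, headers = parse_request(raw)
    if "proxy-authorization" not in headers:
        return False
    cred = parse_digest(headers["proxy-authorization"])
    password = USERS.get(cred.get("username"))
    if password is None or cred.get("realm") != REALM:
        return False
    expected = digest_response(cred["username"], password, REALM, method,
                               cred.get("uri", ""), cred.get("nonce", ""))
    if not hmac.compare_digest(expected, cred.get("response", "")):
        return False                       # the proof of password knowledge itself is wrong
    # The signed uri must be the Request-URI (OpenSER's new check: $adu != $ru).
    if check_uri and cred.get("uri") != request_uri:
        return False
    if used_nonces is not None:            # one-time nonce: a replayed credential is refused
        if cred["nonce"] in used_nonces:
            return False
        used_nonces.add(cred["nonce"])
    return True


LEGIT = build_invite("sip:2001@example.com", "1001", USERS["1001"])    # what the attacker sniffs
FORGED = forge_request_uri(LEGIT, "sip:900-premium@example.com")        # the toll-fraud call
```

`verify(FORGED, check_uri=False)` returns True: the response is still a valid MD5 over the original `uri`, so a proxy that validates only the password proof accepts the redirected call. With the URI comparison enabled the same message is refused, and with `used_nonces` a second presentation of the legitimate message is refused too.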
Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
> CIL: Thor, with no disrespect but you are wrong. Security in depth does not work and I am not planning to support my argument in any way. This is just my personal humble opinion. I've seen only failure of the principles you mentioned. Security in depth works only in a perfect world. The truth is that you cannot implement true security mainly because you will hit on the accessibility side. It is all about achieving the balance between security and accessibility. Moreover, you cannot implement security in depth mainly because you cannot predict the future. Therefore, you don't know what kinds of attack will surface next.

No disrespect taken - we're all just people here ;)

Thing is, in a perfect world we wouldn't need security at all (well, depending on your definition of perfect world of course) - it's real world issues that require that we build multiple layers of defenses to ensure that assets are protected when other layers, mechanisms, or policies fail. And not being able to predict the future is *precisely* why security in depth is required.

For example-- Back in January of 2003 (where has the time gone?) I published an article on SecurityFocus discussing how to secure Exchange Server deployments (http://www.securityfocus.com/infocus/1654 if you want to check up on me). I would draw your attention to this excerpt in regard to using ISA's SMTP application filter to inspect SMTP traffic:

"Though we are filtering the command set through the ISA server, it is the element of the unknown that concerns me: we just don't know what vulnerabilities the future may present, and the possibility of a compromised Exchange server is just too much of a risk."

Fast forward to April of 2005 where Microsoft published MS05-021: Vulnerability in Exchange Server Could Allow Remote Code Execution (the XLINK2STATE overflow).

If one had followed the deployment example in the paper and practiced security in depth by implementing an SMTP application filter as described, they would have been completely protected against the XLINK2STATE issue years before it was exposed. *That* is security in depth, used in the real world, working both in principle and in practice. Not knowing what kinds of attack will surface next is the core concept that drives security in depth, not what obviates it.

Security in depth coupled with least privilege WORKS. It's really the *only* thing that works. It is the foundation for dictating the logic of "allow what you need" as opposed to "block what you think is bad". So, in that respect, the goal is not to be in a reactionary position when you post "if I send attachment X, and the user opens it and connects with protocol Y, and then enters their credentials in server Z" but rather to deploy an infrastructure that, by its own design, protects against the entire class of attack.

> Security is not a destination, it is a process. Security in depth sounds like a destination to me.
>
> > However, for the record, this is not an attack. You might as well just email the target and ask for their password. Or if you can get them to open files, just send off a rootkit. But let's ignore that for now- let's pretend that somehow this is a magic attack-- This is where security-in-depth comes in, and where the overall context of your post is incorrect:
>
> It is not the same. We educate users not to open .exe files but RDP and ICA are just pure business tools. Users are familiar with them and their purpose. Therefore, they are more trusted. And what happens when the tools that you trust turn against you?

The tools are not turning against us at all-- this requires that you email a target, and not only get them to open your attachment (against warnings), but to then click connect, and finally, to actually enter their username and password into your host (where you still have to get them, btw). *SO* much more has to happen beyond the tool that it doesn't matter. Besides, I don't think users know anything about .rdp files -- I can say that I've never, ever, been emailed an rdp file.

> And how come it is OK for a simple text file to be able to ride your session and execute commands on behalf of you? I think that this is a problem. CSRF is a well known, widely acknowledged problem. The client should at least warn you that you are about to start an alternative shell. That's not the case though. BTW, I am not sure if you stumbled across the other post I released on FD and BUGTRAQ which is closely related to this one. Well, here is the situation: if you visit a remote page that happens to be malicious, attackers can inject any commands they wish into your remote desktop without any visible notice. No interaction is required. And the attack is super generic btw, and probably 100% wormable.

I looked at what you posted, but there is no info. And you say that you are withholding the PoC so there's no way I can begin to comment on what you say you can do. If you are saying that if I
[Full-disclosure] SEC Consult SA-20071012-0 :: Madwifi xrates element remote DOS
SEC Consult Security Advisory 20071012-0
===
title: Madwifi xrates element remote DOS
program: Madwifi linux wlan driver for atheros chipsets
vulnerable version: Madwifi <= 0.9.3.2
homepage: www.madwifi.org
found: July 2007
by: Clemens Kolbitsch, Sylvester Keil
    Secure Systems Lab / Technical University of Vienna http://seclab.tuwien.ac.at/
    SEC Consult Vulnerability Lab http://www.sec-consult.com/
perm. link: http://www.sec-consult.com/298.html
===

Vendor description:
---
MadWifi is one of the most advanced WLAN drivers available for Linux today. It is stable and has an established userbase. The driver itself is open source but depends on the proprietary Hardware Abstraction Layer (HAL) that is available in binary form only.

Vulnerability overview:
---
A specially crafted beacon frame makes the driver hit BUG(), leading to a kernel panic on the affected machine. An attacker could crash client machines that are listening for beacons by using a fake access point.

Vulnerability details:
---
In short, the driver panics (via the BUG() macro) if a beacon frame with a high length value (> 15) in the extended supported rates element is received. From net80211/ieee80211_scan_sta.c:

217 static int sta_add(...):

    KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
        ("rate set too large: %u", sp->rates[1]));
    memcpy(ise->se_rates, sp->rates, 2 + sp->rates[1]);
    if (sp->xrates != NULL) {
        /* XXX validate xrates[1] */
        KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE,
            ("xrate set too large: %u", sp->xrates[1]));
        memcpy(ise->se_xrates, sp->xrates, 2 + sp->xrates[1]);
    } else
        ise->se_xrates[1] = 0;

IEEE80211_RATE_MAXSIZE is defined as 15. If the KASSERT() fails, the BUG macro is called, which halts the kernel. The length byte being tested comes straight from the received frame (the XXX comment in the source already flags it as unvalidated), so the assertion is doing the job of an input check on attacker-controlled data.

Vulnerability status:
---
The bug has been fixed in SVN revision 2736 [1].

Timeline:
---
vendor notified: 2007-10-11
vendor response: 2007-10-11
patch available: 2007-10-12

Additional info
---
This vulnerability has been found using a novel wireless fuzzing approach developed in a joint project by the Secure Systems Lab (Technical University of Vienna) and the SEC Consult Vulnerability Lab. The technique, which allows very effective stateful fuzzing of wireless drivers by using emulated wireless chipsets, will be presented in detail at the Blackhat Briefings Japan [2] as well as the DeepSec IDSC in Vienna, Austria [3] in the talks by Sylvester Keil and Clemens Kolbitsch.

References
--
[1] http://madwifi.org/changeset/2736
[2] http://www.blackhat.com/html/bh-japan-07/bh-jp-07-main.html
[3] https://deepsec.net/

~ EOF Bernhard Mueller / research [at] sec-consult [dot] com
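As an added illustration, not Madwifi code and not a reproduction of the r2736 fix, the Python below models the beacon-processing step the advisory quotes: the information elements are walked and the Supported Rates and Extended Supported Rates sets are copied into a store bounded by IEEE80211_RATE_MAXSIZE. The point it demonstrates is that a length the sender controls is validated and the frame dropped, never asserted on, because in a kernel driver a failed KASSERT() is BUG() and a panic, which is exactly this DoS. The element IDs and the fixed-field layout are standard 802.11; the beacons, including one whose xrates element carries 16 entries like the trigger described above, are constructed inline.

```python
import struct

IEEE80211_RATE_MAXSIZE = 15               # the bound the driver asserted on
IE_SSID, IE_RATES, IE_XRATES = 0, 1, 50   # 802.11 element IDs: SSID, Supported Rates, Extended Supported Rates
BEACON_FIXED_LEN = 12                     # timestamp(8) + beacon interval(2) + capability(2)


class MalformedFrame(ValueError):
    """A frame the driver should silently drop (instead of calling BUG())."""


def build_ie(ie_id, payload):
    """Encode one information element: ID, length, payload. On the air the length is attacker-chosen."""
    if len(payload) > 255:
        raise ValueError("IE payload too long")
    return bytes([ie_id, len(payload)]) + payload


def build_beacon_body(ssid, rates, xrates):
    """Beacon frame body as a fake AP could send it; deliberately no length checks here."""
    fixed = struct.pack("<QHH", 0, 100, 0x0001)   # timestamp, interval 100 TU, capability = ESS
    return fixed + build_ie(IE_SSID, ssid) + build_ie(IE_RATES, rates) + build_ie(IE_XRATES, xrates)


def parse_ies(data):
    """Walk the TLV list, refusing any element that runs past the end of the frame."""
    ies, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise MalformedFrame("truncated element header")
        ie_id, ie_len = data[i], data[i + 1]
        payload = data[i + 2:i + 2 + ie_len]
        if len(payload) != ie_len:
            raise MalformedFrame("element body runs past end of frame")
        ies.append((ie_id, payload))
        i += 2 + ie_len
    return ies


def scan_entry_from_beacon(body):
    """The sta_add()-style step: build a scan entry whose rate sets fit the fixed-size store."""
    if len(body) < BEACON_FIXED_LEN:
        raise MalformedFrame("shorter than the beacon fixed fields")
    _timestamp, interval, capability = struct.unpack_from("<QHH", body)
    entry = {"interval": interval, "capability": capability,
             "ssid": b"", "rates": b"", "xrates": b""}
    for ie_id, payload in parse_ies(body[BEACON_FIXED_LEN:]):
        if ie_id == IE_SSID:
            if len(payload) > 32:
                raise MalformedFrame("SSID longer than 32 bytes")
            entry["ssid"] = payload
        elif ie_id in (IE_RATES, IE_XRATES):
            # Where the driver did KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE):
            # a bound on sender-supplied data is an input check, not an invariant.
            if len(payload) > IEEE80211_RATE_MAXSIZE:
                raise MalformedFrame(
                    f"rate set of {len(payload)} entries exceeds {IEEE80211_RATE_MAXSIZE}")
            entry["rates" if ie_id == IE_RATES else "xrates"] = payload
    return entry


def driver_accepts(body):
    """True if a hardened driver would add a scan entry, False if it drops the frame."""
    try:
        scan_entry_from_beacon(body)
        return True
    except MalformedFrame:
        return False


# Constructed frames: a normal 802.11g beacon and the crash trigger (16 extended rates).
BASIC_RATES = bytes([0x82, 0x84, 0x8B, 0x96])                          # 1, 2, 5.5, 11 Mb/s (basic)
EXT_RATES = bytes([0x0C, 0x12, 0x18, 0x24, 0x30, 0x48, 0x60, 0x6C])    # 6 .. 54 Mb/s
GOOD_BEACON = build_beacon_body(b"lab-ap", BASIC_RATES, EXT_RATES)
CRASH_BEACON = build_beacon_body(b"lab-ap", BASIC_RATES, bytes(range(0x0C, 0x0C + 16)))
```

`driver_accepts(CRASH_BEACON)` is False, the frame is simply discarded; the same input against the quoted C reaches the KASSERT() with `xrates[1] == 16` and panics the machine. The truncated-element case is included because it is the other way a hostile beacon can push a TLV walker past its buffer.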
Re: [Full-disclosure] Technology and your Security Program
On 10/12/07, Kelly Robinson [EMAIL PROTECTED] wrote:
> Why should technology be the final tier to be fully implemented in a security program? I am thinking in terms of the Digital Liability Management model: http://daemonic.wordpress.com/2006/04/26/it-security/

Is this a trick question? If you buy product first, you will find yourself changing policy and accepting otherwise unnecessary risk or expense (or both) in order to retrofit your policy to your technology. In other words, you're letting the tail wag the dog.

PaulM
Re: [Full-disclosure] Tikiwiki 1.9.8 exploit ITW
Dear Moritz Naumann,

This vulnerability was found by ShAnKaR http://securityvulns.ru/Sdocument162.html and reported on Bugtraq yesterday (see Vulnerabilities digest message). TikiWiki developers were informed on October 8.

--Friday, October 12, 2007, 1:20:06 AM, you wrote to full-disclosure@lists.grok.org.uk:

MN> Disabling url_fopen() or denying access to tiki-graph_formula.php for unauthenticated users will prevent your site from being exploited.
MN> I've notified the developers.
MN> If what it says on http://dev.tikiwiki.org/Security is up to date (i.e. unfixed security issues of high priority initially reported 9 months ago), then you really should not use this software.

--
~/ZARAZA
http://securityvulns.com/
"Man is a mystery... I occupy myself with this mystery so as to be a man." (Dostoevsky)
Re: [Full-disclosure] rPSA-2007-0212-1 util-linux
On 12 Oct 07, at 01:34, yearsilent wrote:
> could anybody explain this bug? I saw the git diff:
- setuid(getuid()); - setgid(getgid()); + if(setgid(getgid()) 0) + die(EX_FAIL, _(umount: cannot set group id: %s), strerror(errno)); + + if(setuid(getuid()) 0) + die(EX_FAIL, _(umount: cannot set user id: %s), strerror(errno)); +
> not only root can do mount? what condition could cause setuid to fail?

setuid() fails if the operation would create more processes owned by the target user than the number specified by that user's process-count limit.
[Full-disclosure] [USN-530-1] hplip vulnerability
===
Ubuntu Security Notice USN-530-1
October 12, 2007
hplip vulnerability
CVE-2007-5208
===

A security issue affects the following Ubuntu releases:
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:
Ubuntu 6.10: hplip 1.6.9-0ubuntu2.1
Ubuntu 7.04: hplip 1.7.3-0ubuntu1.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

It was discovered that the hpssd tool of hplip did not correctly handle shell meta-characters. A local attacker could exploit this to execute arbitrary commands as the hplip user.

Updated packages for Ubuntu 6.10:

Source archives:
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_1.6.9-0ubuntu2.1.diff.gz Size/MD5: 259212 536df2eefb0b9fbe7265ce08cbcab8c6
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_1.6.9-0ubuntu2.1.dsc Size/MD5: 867 f3fcef4f5d77e560d6e689dd46bd43cf
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_1.6.9.orig.tar.gz Size/MD5: 10018087 38d57f58b48b5b0729d1de507776e7d1

Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs-ppds_2.6.9+1.6.9-0ubuntu2.1_all.deb Size/MD5: 206190 b9b489f0774aa87c39124cb0db13fd31
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-data_1.6.9-0ubuntu2.1_all.deb Size/MD5: 6275996 6418efb1c032cd56481f644f19b3b61f
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-doc_1.6.9-0ubuntu2.1_all.deb Size/MD5: 1110706 e0178bd79b82544198aaaf530440383b

amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.6.9+1.6.9-0ubuntu2.1_amd64.deb Size/MD5: 353370 6bee9b223495e146322db33ba595a3dd
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_1.6.9-0ubuntu2.1_amd64.deb Size/MD5: 852854 0e1c50cf2f59f863fdd9f6921d75e182
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_1.6.9-0ubuntu2.1_amd64.deb Size/MD5: 558178 4993f82769599490e9afa75716ec676c i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.6.9+1.6.9-0ubuntu2.1_i386.deb Size/MD5: 345224 d3b9fe0a4f475f27a4a7ed2f489bee5e http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_1.6.9-0ubuntu2.1_i386.deb Size/MD5: 825126 12c869a1721ccafc603583d711a01eff http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_1.6.9-0ubuntu2.1_i386.deb Size/MD5: 547254 dd426a5a7d2c9df72b6ca89e04bb546f powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.6.9+1.6.9-0ubuntu2.1_powerpc.deb Size/MD5: 358780 4f77e25806dea449159b42eead6a7c99 http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_1.6.9-0ubuntu2.1_powerpc.deb Size/MD5: 862550 60f526a1953027144f3276425fd8048a http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_1.6.9-0ubuntu2.1_powerpc.deb Size/MD5: 563708 92351b2f1f6b6e9a8322e79818656c22 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.6.9+1.6.9-0ubuntu2.1_sparc.deb Size/MD5: 338118 74c15c966e2f094464cd476b3b5682fa http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_1.6.9-0ubuntu2.1_sparc.deb Size/MD5: 784194 92b986a25c359122a5f10123306921fd http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_1.6.9-0ubuntu2.1_sparc.deb Size/MD5: 542478 79ca390d413545ec5038624a40eddea0 Updated packages for Ubuntu 7.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_1.7.3-0ubuntu1.1.diff.gz Size/MD5: 306365 f41ad069c89422c7cf532b7f0b2298e9 http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_1.7.3-0ubuntu1.1.dsc Size/MD5: 1011 4205e63a16f1218403e403361351779b http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_1.7.3.orig.tar.gz Size/MD5: 13556732 6921d256c9efc37446f5d2fad71979f8 Architecture independent packages: 
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-data_1.7.3-0ubuntu1.1_all.deb Size/MD5: 6497568 cd98dd4bd54b155e664f6fc988ce3995 http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-doc_1.7.3-0ubuntu1.1_all.deb Size/MD5: 4083742 089dcc3694e3d249188774c4ab6f727c http://security.ubuntu.com/ubuntu/pool/universe/h/hplip/hpijs-ppds_2.7.2+1.7.3-0ubuntu1.1_all.deb Size/MD5: 217720 cdf52af0871895a8e4e8a81ada765870 amd64 architecture (Athlon64, Opteron, EM64T Xeon):
Re: [Full-disclosure] gnucitizen bt home hub latest, attacks wide spread, outages reported
On 10/12/07, worried security [EMAIL PROTECTED] wrote:
> this is very interesting but there is very little online about it, even from the bbc, who have been reporting on it via bbc radio 1 at 16:30 (UK GMT) today. i urge people to investigate.

someone at bbc radio 1 has obviously investigated this on the fly on a friday afternoon and didn't bother to fully follow through with putting a text version of it on the bbc radio 1 newsbeat website. i urge folks to e-mail [EMAIL PROTECTED] and get this report clarified and put online.

the website is http://www.bbc.co.uk/radio1/news/ http://www.bbc.co.uk/radio1/news/newsbeat/

n3td3v / worried security
[Full-disclosure] 0day Orkut XSS [ NEW! ]
Greetings!

Doing hard searches and working hard seeking for XSS holes, we finally found one! The new hole is in the description of the pic: you can put HTML-encoded chars like this:

&lt;meta http-equiv=refresh content=0;url=http://suafakeaqui;&gt;

&lt; means (minus) or open tag. &gt; means (more) or close tag. So you can build great javascripts to steal cookies and whatever you want ;)

*Proof of concept:*
My profile: http://www.orkut.com/Album.aspx?uid=4196484633792069568 (just a javascript with location.href='mypersonalwebsite.com')

Thanks to Pedro Boara ( http://www.suspensa.info )

Att;
Fábio N Sarmento
Programmer
São Paulo / Brazil
[Full-disclosure] REALLY GOOD ARTICLE FROM SECURITYFOCUS
THIS IS A REALLY GOOD ARTICLE FROM SECURITYFOCUS. http://www.securityfocus.com/columnists/454
[Full-disclosure] [ GLSA 200710-10 ] SKK Tools: Insecure temporary file creation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200710-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: SKK Tools: Insecure temporary file creation
Date: October 12, 2007
Bugs: #193121
ID: 200710-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
SKK insecurely creates temporary files.

Background
==
SKK is a Japanese input method for Emacs.

Affected packages
=
Package / Vulnerable / Unaffected
1 app-i18n/skktools / < 1.2-r1 / >= 1.2-r1

Description
===
skkdic-expr.c insecurely writes temporary files to a location of the form $TMPDIR/skkdic$PID.{pag,dir,db}, where $PID is the process ID.

Impact
==
A local attacker could create symbolic links in the directory where the temporary files are written, pointing to a valid file somewhere on the filesystem that is writable by the user running the SKK software. When SKK writes the temporary file, the target file would then be overwritten with the contents of the SKK temporary file.

Workaround
==
There is no known workaround at this time.

Resolution
==
All SKK Tools users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-i18n/skktools-1.2-r1"

References
==
[ 1 ] CVE-2007-3916 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3916

Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200710-10.xml

Concerns?
=
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
===
Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
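Added example, not SKK's code, contrasting the pattern this advisory describes (a predictable name under $TMPDIR opened for writing) with a creation that cannot be redirected: O_CREAT|O_EXCL refuses to open anything that already exists at the path, a symlink included, and O_NOFOLLOW additionally refuses to follow a link placed there. The "victim" file, the guessed PID and the attacker's symlink are all set up inside a private scratch directory so the demonstration is self-contained; `write_temp_best()` shows the normal answer, `tempfile.mkstemp()`, which picks an unpredictable name and creates it with O_EXCL.

```python
import os
import shutil
import tempfile


def write_temp_naive(path, data):
    """The skkdic-expr.c pattern: predictable name, ordinary open for writing.
    If an attacker has planted a symlink at path, the write lands wherever it points."""
    with open(path, "wb") as f:
        f.write(data)


def write_temp_safe(path, data):
    """Create-only: fails if anything (file or symlink) already exists at path.
    O_NOFOLLOW is defensive; O_CREAT|O_EXCL alone already rejects a symlink with EEXIST on POSIX."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def write_temp_best(prefix, dir_, data):
    """What the program should do: an unpredictable name created with O_EXCL by mkstemp()."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=dir_)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def symlink_attack_demo():
    """Replay the GLSA scenario in a scratch directory.
    Returns (victim bytes after the naive write, safe write refused?, victim bytes after the safe attempt)."""
    scratch = tempfile.mkdtemp()
    try:
        victim = os.path.join(scratch, "victim.conf")   # any file writable by the user running SKK
        with open(victim, "wb") as f:
            f.write(b"original contents\n")

        guessed_pid = 4242                               # PIDs are guessable or enumerable
        tmp = os.path.join(scratch, f"skkdic{guessed_pid}.pag")
        os.symlink(victim, tmp)                          # the attacker wins the race and plants the link

        write_temp_naive(tmp, b"dictionary temp data\n")
        with open(victim, "rb") as f:
            after_naive = f.read()                       # victim clobbered through the symlink

        # Reset the victim, keep the attacker's symlink in place, and try the safe creation.
        with open(victim, "wb") as f:
            f.write(b"original contents\n")
        refused = False
        try:
            write_temp_safe(tmp, b"dictionary temp data\n")
        except OSError:                                  # EEXIST (or ELOOP) from the O_EXCL/O_NOFOLLOW open
            refused = True
        with open(victim, "rb") as f:
            after_safe = f.read()

        made = write_temp_best("skkdic", scratch, b"dictionary temp data\n")
        assert not os.path.islink(made)                  # mkstemp() never reuses a name the attacker chose
        return after_naive, refused, after_safe
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
```

Run `symlink_attack_demo()` and the first element shows the victim's contents replaced by the temporary data, the second that the exclusive create was refused, and the third that the victim survived untouched. The lesson generalises beyond SKK: a temporary file is only as safe as the open() flags used to create it, and a predictable name is never safe in a directory other users can write to.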
Re: [Full-disclosure] 0day Orkut XSS [ NEW! ]
On 10/12/07, Fabio N Sarmento [ Gmail ] [EMAIL PROTECTED] wrote:
> Greetings! Doing hard searches and working hard seeking for xss holes we finally found!

You surely mean ``ass holes''?
Re: [Full-disclosure] gnucitizen bt home hub latest, attacks wide spread, outages reported
> gnucitizen may be responsible for bt being under a massive attack right now.

Oh my God, people, stop talking nonsense! Have you seen the video provided by gnucitizen.org with the demonstration of this attack, or read the vulnerability description? The guy sends a link to the victim, the victim visits this link and bam, we see the IP address of the router (there are many ways to get this information; I'm not familiar with BT products, so I won't try to guess which way was used). Then we see how the attacker is trying to get access to the device via the web interface, then we see an authentication dialog, which is bypassed via the default password or through a bug in the authentication mechanism. That's it.

Best regards,
Valery Marchuk
www.SecurityLab.ru

- Original Message -
From: worried security [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Friday, October 12, 2007 7:15 PM
Subject: [Full-disclosure] gnucitizen bt home hub latest, attacks wide spread, outages reported
[Full-disclosure] extension for Firefox to force HTTPS always?
Sometimes when pen-testing you don't want to leak any unencrypted data. Is there a Firefox extension that forces all content over HTTPS to ensure such security?

--
Kristian Erik Hermansen
Re: [Full-disclosure] extension for Firefox to force HTTPS always?
On Saturday 13 October 2007 at 00:20:26, Kristian Erik Hermansen wrote:

Sometimes when pen-testing you don't want to leak any unencrypted data. Is there a Firefox extension that forces all content over HTTPS to ensure such security?

You can write a GreaseMonkey [0] script for that; there is even an example for GMail [1].

[0] https://addons.mozilla.org/en-US/firefox/addon/748
[1] http://userscripts.org/scripts/show/1404

--
Faith is believing what you know isn't so -- Mark Twain
[Full-disclosure] [ GLSA 200710-11 ] X Font Server: Multiple Vulnerabilities
Gentoo Linux Security Advisory                           GLSA 200710-11
http://security.gentoo.org/

Severity: High
Title: X Font Server: Multiple Vulnerabilities
Date: October 12, 2007
Bugs: #185660, #194606
ID: 200710-11

Synopsis
========
Three vulnerabilities have been discovered in the X Font Server, possibly allowing local attackers to gain elevated privileges.

Background
==========
The X.Org X11 X Font Server provides a standard mechanism for an X server to communicate with a font renderer.

Affected packages
=================
    Package          Vulnerable    Unaffected
    x11-apps/xfs     < 1.0.5       >= 1.0.5

Description
===========
iDefense reported that the xfs init script does not correctly handle a race condition when setting permissions of a temporary file (CVE-2007-3103). Sean Larsson discovered an integer overflow vulnerability in the build_range() function, possibly leading to a heap-based buffer overflow when handling QueryXBitmaps and QueryXExtents protocol requests (CVE-2007-4568). Sean Larsson also discovered an error in the swap_char2b() function, possibly leading to heap corruption when handling the same protocol requests (CVE-2007-4990).

Impact
======
The first issue would allow a local attacker to change the permissions of arbitrary files to world-writable by performing a symlink attack. The second and third issues would allow a local attacker to execute arbitrary code with the privileges of the user running the X Font Server, usually xfs.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All X Font Server users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-apps/xfs-1.0.5"

References
==========
[ 1 ] CVE-2007-3103  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3103
[ 2 ] CVE-2007-4568  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4568
[ 3 ] CVE-2007-4990  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4990

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200710-11.xml

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======
Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Re: [Full-disclosure] gnucitizen bt home hub latest, attacks wide spread, outages reported
On 10/12/07, Valery Marchuk [EMAIL PROTECTED] wrote:

gnucitizen may be responsible for bt being under a massive attack right now.

Oh my God, people stop talking nonsense! Have you seen the video provided by gnusitizen.org with the demonstration of this attack, or read the vulnerability description? The guy sends a link to the victim, the victim visits this link and bam, we see the IP address of the router (there are many ways to get this information. I'm not familiar with BT products, so I won't try to guess which way was used). Then we see how the attacker is trying to get access to the device via the web interface, then we see an authentication dialog, which is bypassed via a default password or through a bug in the authentication mechanism. That's it.

I said maybe responsible. and you think it hasn't tipped off hackers such as the folks at StrikeCenter https://strikecenter.bpointsys.com/ who love to reverse engineer patches, videos and other stuff? plus, we don't all know what's available underground, so perhaps a 0-day exploit is in the wild? because perhaps a hacker has worked out how to exploit the hole from the reported vulnerability seen on gnucitizen. just because the full exploit isn't on the gnucitizen website doesn't mean their tip-off hasn't led to hackers and script kids focusing on the router to work out what's going on. and if someone does work out the exploit for the vulnerability, it's very serious. i don't think gnucitizen are totally in the clear of responsibility if this does get out of hand.

no one has come out to confirm or deny that there is a wide spread attack on these bt home hub routers yet, a very slow response from this list on the matter, i'm not impressed. i didn't say there was an attack, i just heard a news report very quickly and i wanted the bbc or someone on the list to confirm the story, but no one can be bothered at this stage to listen to anything i've got to say on the matter.

leave me alone and stop attacking me all the time, when all i'm doing is trying to help. should i have just ignored what i heard on the radio then? i think this kind of report i heard is a serious one that needs to be clarified, and if no one takes me seriously then so be it, but at least i tried to alert the security community about what i heard on bbc radio 1. hopefully though the big corporations on this list have connected up a bt home hub router to the internet and are monitoring it for cyber attacks, which may be attacking the router's firmware. and i wasn't intentionally trying to confuse, spread disinformation or just generally waste everyone's time if it does turn out there are no attacks taking place. even if there are no cyber attacks taking place, it doesn't say there won't be any in the future, so get on top of this now. hopefully bt will roll out firmware updates very shortly.

and for years now i've questioned how much researchers should take part of the blame when hackers or script kids attack the internet after a researcher discloses information, not just today. if cyber attacks with the bt home hub router do happen or have happened, in my own mind i will think gnucitizen triggered off the whole event sequence, even if they didn't directly provide the exploit, they certainly tipped hackers and script kids off.
[Full-disclosure] [ GLSA 200710-12 ] T1Lib: Buffer overflow
Gentoo Linux Security Advisory                           GLSA 200710-12
http://security.gentoo.org/

Severity: Normal
Title: T1Lib: Buffer overflow
Date: October 12, 2007
Bugs: #193437
ID: 200710-12

Synopsis
========
T1Lib is vulnerable to a buffer overflow allowing for the user-assisted execution of arbitrary code.

Background
==========
T1Lib is a library for rasterizing bitmaps from Adobe Type 1 fonts.

Affected packages
=================
    Package              Vulnerable      Unaffected
    media-libs/t1lib     < 5.0.2-r1      >= 5.0.2-r1

Description
===========
Hamid Ebadi discovered a boundary error in the intT1_EnvGetCompletePath() function which can lead to a buffer overflow when processing an overly long filename.

Impact
======
A remote attacker could entice a user to open a font file with a specially crafted filename, possibly leading to the execution of arbitrary code with the privileges of the user running the application using T1Lib.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All T1Lib users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/t1lib-5.0.2-r1"

References
==========
[ 1 ] CVE-2007-4033  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4033

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200710-12.xml

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======
Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Re: [Full-disclosure] extension for Firefox to force HTTPS always?
I just wanted to clarify that I am looking for an extension that will rewrite all encountered HTTP references in Firefox to HTTPS. I would already have a firewall or some other layer 7 filtering device blocking unencrypted traffic. The addon Better Gmail does something similar to this, with the force HTTPS option, but not exactly...

--
Kristian Erik Hermansen
Re: [Full-disclosure] gnucitizen bt home hub latest, attacks wide spread, outages reported
I'm wondering if this is like some of the home-based router problems of the past. I seem to recall that it was maybe Netgear that once had a problem where it didn't get rid of the factory password even after the end user set a new one, another brand had a problem where the cgi-bin dir was not properly protected, and another brand used to have a problem where the accessibility of the web-based config interface was unaffected by any settings that the user might make. In other words, this might be some previously discovered vulnerability for another product that someone realized affects this product too.

Geoff

Sent from my BlackBerry wireless handheld.

-Original Message-
From: worried security [EMAIL PROTECTED]
Date: Fri, 12 Oct 2007 23:05:22
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] gnucitizen bt home hub latest, attacks wide spread, outages reported

On 10/12/07, Valery Marchuk [EMAIL PROTECTED] wrote:

gnucitizen may be responsible for bt being under a massive attack right now.

Oh my God, people stop talking nonsense! Have you seen the video provided by gnusitizen.org with the demonstration of this attack, or read the vulnerability description? The guy sends a link to the victim, the victim visits this link and bam, we see the IP address of the router (there are many ways to get this information. I'm not familiar with BT products, so I won't try to guess which way was used). Then we see how the attacker is trying to get access to the device via the web interface, then we see an authentication dialog, which is bypassed via a default password or through a bug in the authentication mechanism. That's it.

I said maybe responsible. and you think it hasn't tipped off hackers such as the folks at StrikeCenter https://strikecenter.bpointsys.com/ who love to reverse engineer patches, videos and other stuff? plus, we don't all know what's available underground, so perhaps a 0-day exploit is in the wild? because perhaps a hacker has worked out how to exploit the hole from the reported vulnerability seen on gnucitizen. just because the full exploit isn't on the gnucitizen website doesn't mean their tip-off hasn't led to hackers and script kids focusing on the router to work out what's going on. and if someone does work out the exploit for the vulnerability, it's very serious. i don't think gnucitizen are totally in the clear of responsibility if this does get out of hand.

no one has come out to confirm or deny that there is a wide spread attack on these bt home hub routers yet, a very slow response from this list on the matter, i'm not impressed. i didn't say there was an attack, i just heard a news report very quickly and i wanted the bbc or someone on the list to confirm the story, but no one can be bothered at this stage to listen to anything i've got to say on the matter.

leave me alone and stop attacking me all the time, when all i'm doing is trying to help. should i have just ignored what i heard on the radio then? i think this kind of report i heard is a serious one that needs to be clarified, and if no one takes me seriously then so be it, but at least i tried to alert the security community about what i heard on bbc radio 1. hopefully though the big corporations on this list have connected up a bt home hub router to the internet and are monitoring it for cyber attacks, which may be attacking the router's firmware. and i wasn't intentionally trying to confuse, spread disinformation or just generally waste everyone's time if it does turn out there are no attacks taking place. even if there are no cyber attacks taking place, it doesn't say there won't be any in the future, so get on top of this now. hopefully bt will roll out firmware updates very shortly.

and for years now i've questioned how much researchers should take part of the blame when hackers or script kids attack the internet after a researcher discloses information, not just today. if cyber attacks with the bt home hub router do happen or have happened, in my own mind i will think gnucitizen triggered off the whole event sequence, even if they didn't directly provide the exploit, they certainly tipped hackers and script kids off.
Re: [Full-disclosure] gnucitizen bt home hub latest, attacks wide spread, outages reported
Hi guys, I just have a few comments for the sake of accuracy.

On 10/12/07, Valery Marchuk [EMAIL PROTECTED] wrote:

gnucitizen may be responsible for bt being under a massive attack right now.

Oh my God, people stop talking nonsense! Have you seen the video provided by gnusitizen.org with the demonstration of this attack, or read the vulnerability description? The guy sends a link to the victim, the victim visits this link and bam, we see the IP address of the router (there are many ways to get this information. I'm not familiar with BT products, so I won't try to guess which way was used).

In the demo video the evil page loads JavaScript that requests a PHP script located on a third-party server. The PHP script simply emails the router's IP address to the attacker.

Then we see how the attacker is trying to get access to the device via the web interface, then we see an authentication dialog, which is bypassed via a default password or through a bug in the authentication mechanism. That's it.

We do NOT rely on default passwords in our demo exploit. The attacker logs into the router using the built-in tech support account and a password chosen by her (which was set on the Home Hub when the victim visited the evil page). The authentication bypass only takes place when the evil page is loaded in the victim's browser for the purpose of enabling remote assistance *without* requiring a password.

btw, we haven't yet been informed by BT whether or not they have reproduced our findings successfully.

Best regards,
Valery Marchuk
www.SecurityLab.ru

- Original Message -
From: worried security [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Friday, October 12, 2007 7:15 PM
Subject: [Full-disclosure] gnucitizen bt home hub latest, attacks wide spread, outages reported

gnucitizen 0day concerning bt home hub router firmware is vulnerable to attack. bbc radio 1's newsbeat program has been reporting today that customers can't connect to the internet. bbc radio 1 is a national and international radio station. i tried to look on the bbc radio 1 newsbeat site but they haven't put an online version of the report online. they didn't say gnucitizen on the radio but they said a group. they said bt customers have been reporting problems with their bt home hub and the report said bt are denying it's connected with the security group's disclosure. this is very interesting but there is very little online about it, even from the bbc, who have been reporting on it via bbc radio 1 at 16:30pm (UK GMT) today. i urge people to investigate.

gnucitizen may be responsible for bt being under a massive attack right now. the media can phone up bbc radio 1 newsbeat and ask for a copy of the report to be put online. i think they should. the bbc radio 1 shouldn't give reports like that without putting it online.

should gnucitizen get into trouble or should we not blame the researchers and only the script kids who have brought down bt today? bbc radio 1 is a music station and the news reports are just top of the hour news flashes lasting about 5 minutes. they didn't repeat the report at 17:00pm GMT today, but maybe they will repeat it in their 17:45pm GMT news update? i'm sorry i don't have a link, but there isn't one online, UNBELIEVABLE for the bbc, they are usually good at standards.

--
pagvac
gnucitizen.org, ikwt.com
Re: [Full-disclosure] The Death of Defence in Depth ? - An invitation to Hack.lu
$0.02: Defense in Depth means *reducing* attackable surface, *reducing* execution privilege, *reducing* complexity, etc. If you guys are criticizing the ongoing trend towards enterprise-wide AV monitoring and routing all network traffic through SSL-terminating, deep-packet-inspecting, content-filtering 1U rack mount appliances, well, that's more like the exact opposite. That's more surface area, more complexity, and more privilege. I'd call it Defense in Breadth.

- Eric

Thierry Zoller wrote:

Dear Felix,

While I love your comment and really welcome constructive criticism, I actually think you should keep the focus on the Fox News style question marks. Nowhere is it being said that this is the end of Defence in Depth (as a paradigm); we ask the question. Then again, you seem to be judging something you haven't seen nor read. Is this because I ask the Fox News style questions and you give Fox News style comments?

FFL> the title is misleading at best.

While I have the utmost respect for your person, in this particular case, I am sorry dude, but how can you tell? Have you seen the presentation? Have you heard the conclusion? I don't think so? Though you are more than welcome to see it :)

FFL> Defense in Depth has nothing to do
FFL> with security software.

In a certain sense it has. Defence in depth is a paradigm applied not only to how you design software but also to how you implement solutions. The talk is about reality, not an RFC or CISSP definition. FYI, while certainly not a reference, here is what Wikipedia has to say:

"Defense in Depth is an Information Assurance (IA) strategy where multiple layers of defense are placed throughout an Information Technology (IT) system and addresses personnel, technology and operations for the duration of the system's lifecycle."
http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)

FFL> To the contrary. The paradigm describes an
FFL> approach where you assume that individual (even multiple) elements of your
FFL> defense fall, in the worst possible way (which could be code
FFL> execution).

Thank you for the definition, though I must let you know I am fully aware of it. (I miss a mandatory RFC link.) The presentation will talk of exactly that: "...assume... multiple elements of your defense fall". What currently is being done in the industry is to ADD more layers of defence to protect against one failing; this is being done by adding one parsing engine after the other. Again, nobody said Defence in Depth is wrong in itself, it's just the way the Software Industry has led companies to implement it. _This_ is the point. Don't get me wrong, defence in depth as a general paradigm is perfectly fine :) But you would have had to listen to the talk to draw that conclusion; this is what I find most irritating about your comment. And it raises a big question mark as to your motivation for this public comment.

FFL> What you are describing is people adding security software
FFL> _instead_ of applying a thorough defense in depth design.

I am describing nothing, Felix, you are judging a Presentation _you have not even seen_. How dare you !!!

FFL> Your presentation title suggests that one of the very few paradigms
FFL> that actually promises long term security benefits does not work.

Felix, I am suggesting nothing; you are taking a friendly invitation as a reason to bitch about how you THINK the talk will be given, though you have no clue.

FFL> Wrong. I suggest you find a better title.

Zu Befehl! =) The title fits the presentation perfectly. I find it rather arrogant and bloated to comment in this way and fashion on a public mailing list. I welcome any other comment to my personal Inbox, Phone, Fax, whatever; I will ignore any other comment by public means before the actual talk was given and there is actual substance to start a discussion. I would have loved to receive a question before you shoot.

--
"If we knew what it was we were doing, it would not be called research, would it?", Albert Einstein
[Full-disclosure] [SECURITY] [DSA 1381-2] New Linux 2.6.18 packages fix several vulnerabilities
Debian Security Advisory DSA 1381-2                      [EMAIL PROTECTED]
http://www.debian.org/security/                          Dann Frazier
October 12th, 2007                                       http://www.debian.org/security/faq

Package        : linux-2.6
Vulnerability  : several
Problem-Type   : local
Debian-specific: no
CVE ID         : CVE-2006-5755 CVE-2007-4133 CVE-2007-4573 CVE-2007-5093

Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-5755
    The NT bit may be leaked into the next task, which can allow local attackers to cause a Denial of Service (crash) on systems which run the 'amd64' flavour kernel. The stable distribution ('etch') was not believed to be vulnerable to this issue at the time of release; however, Bastian Blank discovered that this issue still applied to the 'xen-amd64' and 'xen-vserver-amd64' flavours, and it is resolved by this DSA.

CVE-2007-4133
    Hugh Dickins discovered a potential local DoS (panic) in hugetlbfs. A misconversion of hugetlb_vmtruncate_list to prio_tree may allow local users to trigger a BUG_ON() call in exit_mmap.

CVE-2007-4573
    Wojciech Purczynski discovered a vulnerability that can be exploited by a local user to obtain superuser privileges on x86_64 systems. This resulted from improper clearing of the high bits of registers during ia32 system call emulation. This vulnerability is relevant to the Debian amd64 port as well as users of the i386 port who run the amd64 linux-image flavour. DSA-1378 resolved this problem for the 'amd64' flavour kernels, but Tim Wickberg and Ralf Hemmenstädt reported an outstanding issue with the 'xen-amd64' and 'xen-vserver-amd64' flavours that is resolved by this DSA.

CVE-2007-5093
    Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf.

These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch4.

This is an update to DSA-1381-1 which included only amd64 binaries for linux-2.6. Builds for all other architectures are now available, as well as rebuilds of ancillary packages that make use of the included linux source.

The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update:

    Debian 4.0 (etch)
    fai-kernels           1.17+etch.13etch4
    kernel-patch-openvz   028.18.1etch5
    user-mode-linux       2.6.18-1um-2etch.13etch4

We recommend that you upgrade your kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch - Source archives:
Re: [Full-disclosure] The Death of Defence in Depth ? - An invitation to Hack.lu
On Wed, 10 Oct 2007, imipak wrote:

The problem - well, *a* problem, anyway - is that there are two contradictory axioms in infosec that are regularly cited to support or attack a particular strategy.

Defence in depth
    The lines of defense are as independent as possible. The enemy does not win unless all of them are defeated. Formally, the attacker has to satisfy a conjunction of conditions.

A chain is only as strong as its weakest link.
    The links of a chain are dependent. The chain falls apart as soon as any of them are broken. Formally, the attacker has to satisfy a disjunction of conditions.

There is no contradiction. You should try making the components of a secure system as independent as possible, and any residual dependencies should always go from less secure (and less important) components to more secure (and more important) components, never the other way.

It was not difficult. Was it?

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
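Writing the two axioms out, as an added illustration that is not part of Pavel's post: let $C_i$ be the condition "layer $i$ is defeated", let $p_i$ be the assumed probability that an attacker achieves it, and assume the $n$ layers are independent.

$$
P_{\text{depth}} = P\Big(\bigwedge_{i=1}^{n} C_i\Big) = \prod_{i=1}^{n} p_i,
\qquad
P_{\text{chain}} = P\Big(\bigvee_{i=1}^{n} C_i\Big) = 1 - \prod_{i=1}^{n} (1 - p_i).
$$

For $n = 3$ and $p_i = 0.1$ this gives $P_{\text{depth}} = 10^{-3}$ against $P_{\text{chain}} = 1 - 0.9^3 = 0.271$. A dependency running the wrong way, a more secure layer $j$ relying on a less secure layer $k$ so that $C_k \Rightarrow C_j$, makes $P(C_j \mid C_k) = 1$ and so $P(C_j \wedge C_k) = p_k$: the factor $p_j$ simply drops out of the product, which is why the post insists residual dependencies point only towards the more secure component.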
Re: [Full-disclosure] The Death of Defence in Depth ? - An invitation to Hack.lu
On Wed, 10 Oct 2007, Thierry Zoller wrote:

What currently is being done in the industry is to ADD more layers of defence to protect against one failing; this is being done by adding one parsing engine after the other. Again, nobody said Defence in Depth is wrong in itself, it's just the way the Software Industry has led companies to implement it. _This_ is the point.

Defense in depth is nothing without the venerable principle of least privilege. The right way to implement it is to split--to compartmentalize--an existing system into mutually untrusting components with the minimal set of privileges needed for their task. A sandwich made of existing bloated systems and additional pieces of bloated so-called security software, all of them running with as many privileges as possible, is not defense in depth. It is vulnerability in depth.

Unfortunately, the right way provides too few (if any) opportunities to sell new shiny boxes, so it is very unappealing for the security industry.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
On Sun, 7 Oct 2007, KJK::Hyperion wrote:

You cannot compare them, Windows doesn't have argc/argv, it passes around a flat string command line.

and

Strings are the root of all evil. Whenever you pass structured data around in a string, you are passing around _communism_.

Cough, cough...

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
Re: [Full-disclosure] extension for Firefox to force HTTPS always?
On Fri, 12 Oct 2007 15:06:14 PDT, Kristian Erik Hermansen said:

> I just wanted to clarify that I am looking for an extension that will rewrite all encountered HTTP references in Firefox to HTTPS. I would already have a firewall or some other layer7 filtering device blocking unencrypted traffic. The addon Better Gmail does something similar to this, with the force HTTPS option, but not exactly...

What should this hypothetical extension do if it automagically redirects http: to https:, but the target server is something that is only listening on port 80 because it doesn't have https: enabled? https://www.cnn.com just sorta sits there for me.
Re: [Full-disclosure] extension for Firefox to force HTTPS always?
MAYBE YOU HAVE A SUGGESTION OR SOMETHING CONSTRUCTIVE TO SAY AFTER ALL THESE YEARS VLADIS OR MAYBE YOU SHOULD SHUT THE FUCK UP!!! YOU AREN'T SMARTER THAN WE THINK YOU ARE

On Fri, 12 Oct 2007 21:55:37 -0400 [EMAIL PROTECTED] wrote:

> On Fri, 12 Oct 2007 15:06:14 PDT, Kristian Erik Hermansen said:
>
>> I just wanted to clarify that I am looking for an extension that will rewrite all encountered HTTP references in Firefox to HTTPS. I would already have a firewall or some other layer7 filtering device blocking unencrypted traffic. The addon Better Gmail does something similar to this, with the force HTTPS option, but not exactly...
>
> What should this hypothetical extension do if it automagically redirects http: to https:, but the target server is something that is only listening on port 80 because it doesn't have https: enabled? https://www.cnn.com just sorta sits there for me.
Re: [Full-disclosure] extension for Firefox to force HTTPS always?
I don't know about a browser extension, but you might be able to install apache with mod_ssl, mod_proxy, and mod_rewrite locally, then basically have it take care of everything.

Geoff
Sent from my BlackBerry wireless handheld.

-Original Message-
From: [EMAIL PROTECTED]
Date: Fri, 12 Oct 2007 21:55:37
To: Kristian Erik Hermansen [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] extension for Firefox to force HTTPS always?
Re: [Full-disclosure] extension for Firefox to force HTTPS always?
what is wrong with his suggestion? If you look at the situation the following things happen:

[EMAIL PROTECTED] ~]$ host www.cnn.com
www.cnn.com has address 64.236.16.20
www.cnn.com has address 64.236.16.52
www.cnn.com has address 64.236.24.12
www.cnn.com has address 64.236.29.120
www.cnn.com has address 64.236.91.21
www.cnn.com has address 64.236.91.22
www.cnn.com has address 64.236.91.23
www.cnn.com has address 64.236.91.24
Host www.cnn.com not found: 3(NXDOMAIN)
[EMAIL PROTECTED] ~]$ openssl s_client -connect www.cnn.com:443

[EMAIL PROTECTED] ~]# tcpdump -i wlan0 -ln tcp port 443 and net '64.236'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
22:02:32.427607 IP 192.168.1.103.35113 > 64.236.24.12.https: S 2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102380687 0,nop,wscale 7>
22:02:35.427467 IP 192.168.1.103.35113 > 64.236.24.12.https: S 2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102383687 0,nop,wscale 7>
22:02:41.427496 IP 192.168.1.103.35113 > 64.236.24.12.https: S 2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102389687 0,nop,wscale 7>
22:02:53.427470 IP 192.168.1.103.35113 > 64.236.24.12.https: S 2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102401687 0,nop,wscale 7>
22:03:17.427469 IP 192.168.1.103.35113 > 64.236.24.12.https: S 2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102425687 0,nop,wscale 7>
22:04:05.427466 IP 192.168.1.103.35113 > 64.236.24.12.https: S 2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102473687 0,nop,wscale 7>
22:05:41.427556 IP 192.168.1.103.47627 > 64.236.29.120.https: S 2954205762:2954205762(0) win 5840 <mss 1460,sackOK,timestamp 102569687 0,nop,wscale 7>
22:05:44.427467 IP 192.168.1.103.47627 > 64.236.29.120.https: S 2954205762:2954205762(0) win 5840 <mss 1460,sackOK,timestamp 102572687 0,nop,wscale 7>
22:05:50.427472 IP 192.168.1.103.47627 > 64.236.29.120.https: S 2954205762:2954205762(0) win 5840 <mss 1460,sackOK,timestamp 102578687 0,nop,wscale 7>
22:06:02.428441 IP 192.168.1.103.47627 > 64.236.29.120.https: S 2954205762:2954205762(0) win 5840 <mss 1460,sackOK,timestamp 102590687 0,nop,wscale 7>

If there are a ton of addresses associated with the hostname record you'd be sitting there for a long time, no? It'd be nice if sites sent an unreachable message, but some ppl still believe that blocking all ICMP is ok... go figure.

Cheers,
Harry
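The capture above shows the failure mode a naive http-to-https rewriter runs into: SYNs to 443 are silently dropped, the kernel retransmits with exponential backoff, and the wait repeats for every A record. As an added example, not code from the thread or from any extension, the following Python decides whether to upgrade a URL by probing port 443 on each resolved address under one bounded deadline, and declines the rewrite (so the caller can block the plaintext request, as the original poster's firewall would) instead of waiting out the retransmit timers. The resolve and connect hooks are an assumption made so the logic can be exercised without network access.

```python
import socket
import time
from urllib.parse import urlsplit, urlunsplit

# Added example, not code from the thread. A rewriter that blindly turns
# http:// into https:// hangs when the host only listens on port 80 and
# silently drops SYNs to 443: the kernel retransmits with exponential
# backoff (roughly three minutes per address in the capture above), once
# per A record. This probes 443 on every address under one deadline instead.


def resolve_addresses(host):
    """All IPv4/IPv6 addresses for host, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_connect(addr, timeout):
    """True if a TCP handshake to addr:443 completes within timeout seconds."""
    try:
        with socket.create_connection((addr, 443), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def https_reachable(host, per_addr_timeout=2.0, total_budget=5.0,
                    resolve=resolve_addresses, connect=tcp_connect):
    """Probe each address of host on 443, never spending more than total_budget.

    resolve/connect are injectable (an assumption made for offline testing)."""
    deadline = time.monotonic() + total_budget
    for addr in resolve(host):
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break  # out of time: treat the remaining addresses as unreachable
        if connect(addr, min(per_addr_timeout, remaining)):
            return True
    return False


def upgrade_url(url, **probe):
    """Return the https:// form of url if 443 answers, url itself if it is already
    https, and None otherwise so the caller blocks the plaintext request instead
    of hanging. Explicit ports in the netloc are left as they are."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme != "http" or not parts.hostname:
        return None
    if not https_reachable(parts.hostname, **probe):
        return None
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
```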
Re: [Full-disclosure] extension for Firefox to force HTTPS always?
My solution wasn't to cure that problem. Only the one the original author was looking for.

Geoff
Sent from my BlackBerry wireless handheld.

-Original Message-
From: [EMAIL PROTECTED]
Date: Fri, 12 Oct 2007 22:45:12
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], Kristian Erik Hermansen [EMAIL PROTECTED], full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] extension for Firefox to force HTTPS always?

On Sat, 13 Oct 2007 02:15:39 -, [EMAIL PROTECTED] said:

> I don't know about a browser extension, but you might be able to install apache with mod_ssl, mod_proxy, and mod_rewrite locally then basically have it take care of everything.

Same problem still - you proxy, you rewrite it to port 443 - and the destination doesn't *have* anything at port 443. What should your Apache do?