Re: [Full-disclosure] ZDI-07-069: CA BrightStor ARCserve Backup Message Engine Insecure Method Exposure Vulnerability
Date: Wed, 28 Nov 2007 03:32:51 +
From: cocoruder. [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] ZDI-07-069: CA BrightStor ARCserve Backup Message Engine Insecure Method Expos
To: full-disclosure@lists.grok.org.uk, [EMAIL PROTECTED]

> It is so amazing that the vendor's advisory was released more than one month ago (see my advisory of a similar vuln at http://ruder.cdut.net/blogview.asp?logID=221), and another thing is that I tested my reported vuln again after CA's patch was released one month ago, but in fact they have not fixed it!! I reported it again to CA but there is no response. I guess CA is making an international joke with us :), or is it because this product is so bad that they will not support it any more?
>
> welcome to my blog: http://ruder.cdut.net

cocoruder,

We have not received any email from [EMAIL PROTECTED], but we did receive an email about this issue from [EMAIL PROTECTED] on 2007-10-15. We responded to that email on 2007-10-15.

FYI, we are currently wrapping up QA on new patches, and we have contacted [EMAIL PROTECTED] with details.

Regards,
Ken

Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] PlayStation 3 predicts next US president (fwd)
Is it real?
[Full-disclosure] DC4420 - London DEFCON chapter Christmas Party - 11th December
hi all,

you are cordially invited to the final DC4420 meet of 2007, which will be held on Tuesday the 11th December, at the usual location - Charing Cross Sports Club, Charing Cross Hospital:
http://www.multimap.com/map/browse.cgi?lat=51.4857&lon=-0.2194&scale=5000&icon=x

more info here: http://dc4420.org

we have the bar to ourselves and there will be no particular agenda other than drinking the place dry, eating good food and socialising, but we will definitely also be celebrating Alien's continued presence on our home planet after his near miss with the man in the black cloak!

all are welcome... fight club speaking rules are suspended for the evening, so bring a friend or two and make this a party to remember!

cheers,
MM

--
In DEFCON, we have no names... errr... well, we do... but silly ones...
[Full-disclosure] Phioust gets all emotional to gobbles and friends ...
Phioust means business with his real name and all those philosopher (H), CISSP and MCSE (lol) degrees ... see for yourself in his dangerously sexy email ... in response to our spam threat :)

-- Forwarded message --
From: phioust [EMAIL PROTECTED]
Date: Nov 30, 2007 9:33 PM
Subject: spam?
To: [EMAIL PROTECTED]

i suggest you do not make any more threats, believe me, i have lots of contacts to track you down ..

--
Lionel Phioust Phd, CISSP, MCSE

o f33r the b33r, he owns 100 TOR nodes, 1 wireless hotspots and one lesbian gmail server admin to track our IP's .. wu

Spammers - We got Phioust's real name for y'all, self pat on the back for good work. ohhh wait wait .. let's make him a bit more jobless by the oath of google

Lionel Phioust, security, exploits, bugtraq, scriptkiddie, lamer, idiot, bisexual, Phioust. ROFL

Note - Some of our concerned fans suspect us not to be gobbles. I will save all those online forensic retards the time to analyse our emails and come straight to the point .. in w00w00 style .. 10 europeans, 15 asians, 11 americans and one hell of a funny little turkey .. 5 members required to not f33r w00w00 might .. and no .. Shok don't look like Marilyn Manson's gimp boy !!! .. well the gimp suit was stitched by us ..
[Full-disclosure] MD5 algorithm considered toxic (and harmful)
I know of many commercial security products which still utilize MD5 to prove integrity of the data they distribute to customers. This should no longer be considered appropriate. Now that tools are readily available to exploit newer MD5 collision research, I think it is safe to say that the public should retire its usage for good.

Read the most recent research regarding chosen-prefix collisions:
http://www.win.tue.nl/hashclash/EC07v2.0.pdf

A concrete example for your perusal:

[EMAIL PROTECTED]:/tmp$ wget http://www.win.tue.nl/hashclash/SoftIntCodeSign/HelloWorld-colliding.exe
--04:36:32--  http://www.win.tue.nl/hashclash/SoftIntCodeSign/HelloWorld-colliding.exe
           => `HelloWorld-colliding.exe'
Resolving www.win.tue.nl... 131.155.70.190
Connecting to www.win.tue.nl|131.155.70.190|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41,792 (41K) [application/octet-stream]

100%[] 41,792  109.16K/s

04:36:33 (108.92 KB/s) - `HelloWorld-colliding.exe' saved [41792/41792]

[EMAIL PROTECTED]:/tmp$ wget http://www.win.tue.nl/hashclash/SoftIntCodeSign/GoodbyeWorld-colliding.exe
--04:36:37--  http://www.win.tue.nl/hashclash/SoftIntCodeSign/GoodbyeWorld-colliding.exe
           => `GoodbyeWorld-colliding.exe'
Resolving www.win.tue.nl... 131.155.70.190
Connecting to www.win.tue.nl|131.155.70.190|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41,792 (41K) [application/octet-stream]

100%[] 41,792  127.20K/s

04:36:38 (126.82 KB/s) - `GoodbyeWorld-colliding.exe' saved [41792/41792]

[EMAIL PROTECTED]:/tmp$ ls -lsha *.exe
44K -rw-r--r-- 1 khermans khermans 41K 2007-11-23 01:08 GoodbyeWorld-colliding.exe
44K -rw-r--r-- 1 khermans khermans 41K 2007-11-23 01:08 HelloWorld-colliding.exe

[EMAIL PROTECTED]:/tmp$ strings HelloWorld-colliding.exe | tail
SetFilePointer
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetStdHandle
CloseHandle
KERNEL32.dll
Hello World ;-)

[EMAIL PROTECTED]:/tmp$ strings GoodbyeWorld-colliding.exe | tail
SetFilePointer
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetStdHandle
CloseHandle
KERNEL32.dll
Goodbye World :-(

[EMAIL PROTECTED]:/tmp$ md5sum HelloWorld-colliding.exe | awk '{print $1}' | tee hw
18fcc4334f44fed60718e7dacd82dddf
[EMAIL PROTECTED]:/tmp$ md5sum GoodbyeWorld-colliding.exe | awk '{print $1}' | tee gw
18fcc4334f44fed60718e7dacd82dddf
[EMAIL PROTECTED]:/tmp$ cmp hw gw
[EMAIL PROTECTED]:/tmp$ echo $?
0

There you have it. Surely a GPL'd tool implementing this attack style will be available shortly. And since Chinese researchers have been attacking SHA-1 lately, should SHA-256 be considered the proper replacement? I am unsure :-(

--
Kristian Erik Hermansen
I have no special talent. I am only passionately curious.
[Full-disclosure] Firefox 2.0.0.11 File Focus Stealing vulnerability
Firefox 2.0.0.11 File Focus Stealing vulnerability:

Sorry Mozilla, but the recent file focus fix was not enough. I think Mozilla made another mistake while fixing the previous file/label issue, because now I embed a file field and a textfield inside one label. When this happens, and you type only one time in the textfield, the focus travels to the file field and the value travels with it. Back to the drawing board, I would say.

I only got it to work in Firefox; Gareth checked Safari for me, and it also works in Safari. I guess this type of exploit could function on other HTML objects as well, and could be very dangerous because it only requires a one-time focus in a textfield.

PoC here:
http://carl-hardwick.googlegroups.com/web/Firefox20011StealFocusFlaw.htm
Re: [Full-disclosure] MD5 algorithm considered toxic (and harmful)
> There you have it. Surely a GPL'd tool implementing this attack style will be available shortly. And since Chinese researchers have been attacking SHA-1 lately, should SHA-256 be considered the proper replacement? I am unsure :-(

Yes, it would probably be a good idea. I think this link has been put out on this list in the past with respect to discussion on SHA-1:
http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

NIST might not be the bible to you on what to follow and implement, but they are definitely worth listening to (even if you're not a U.S. Federal agency) when they tell you not to use something anymore. For those that don't want to click and just want to read, here are the relevant parts:

March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key derivation functions (KDFs); and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols.

Steven
http://www.securityzone.org

> --
> Kristian Erik Hermansen
> I have no special talent. I am only passionately curious.
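As an added example (editor-supplied; not code from Kristian's post, from Steven's reply, or from the hashclash project), the script below reproduces offline what the wget/md5sum session in the original post demonstrates, and also illustrates the HMAC exception in the NIST text quoted above. Instead of the two downloaded executables it uses the published 128-byte MD5 collision pair from Wang et al. (2004), which is embedded inline; the appended suffix and the HMAC key are arbitrary values constructed for this demonstration.

```python
"""Verify a known MD5 collision pair offline and show which constructions
it does and does not break.

Editor-added example, not part of the original posts.  M1 and M2 are the
published two-block MD5 collision from Wang et al. (2004); the suffix and
key used in the demo at the bottom are constructed values.
"""
import hashlib
import hmac

# Published two-block (128-byte) MD5 collision pair (Wang et al., 2004).
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, the same value `md5sum` would print."""
    return hashlib.md5(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides(a: bytes, b: bytes, algo: str) -> bool:
    """True when two *distinct* inputs produce the same digest under `algo`."""
    return a != b and hashlib.new(algo, a).digest() == hashlib.new(algo, b).digest()


def collision_report(a: bytes, b: bytes, suffix: bytes = b"", key: bytes = b"") -> dict:
    """Summarise how a collision pair behaves under several constructions.

    md5 / sha256      : plain digests of the two inputs.
    md5_with_suffix   : both inputs with the same suffix appended.  MD5 is an
                        iterated (Merkle-Damgard) hash and this pair collides
                        on a block boundary, so the internal state after the
                        two messages is identical and any common suffix still
                        collides.  This is what lets a common-prefix /
                        collision-blocks / common-suffix layout produce two
                        different executables with one MD5, as with the
                        HelloWorld / GoodbyeWorld pair.
    hmac_md5          : keyed MD5.  The key is hashed first, so the collision
                        blocks no longer start from the chaining value they
                        were computed for and this particular pair stops
                        colliding.  That is why NIST treats HMAC separately
                        from signatures; it is not evidence that HMAC-MD5 is
                        strong.
    """
    return {
        "differing_bytes": len(differing_offsets(a, b)),
        "md5": collides(a, b, "md5"),
        "sha256": collides(a, b, "sha256"),
        "md5_with_suffix": collides(a + suffix, b + suffix, "md5"),
        "hmac_md5": hmac.new(key, a, "md5").digest() == hmac.new(key, b, "md5").digest(),
    }


if __name__ == "__main__":
    # Constructed suffix and key for the demonstration; any values would do.
    report = collision_report(M1, M2, suffix=b"shared trailer", key=b"demo-key")
    print("md5(M1) =", md5_hex(M1))
    print("md5(M2) =", md5_hex(M2))
    for name, value in report.items():
        print(f"{name:>16}: {value}")
```

Running it prints the same 128-bit digest for both messages, reports six differing bytes, and shows the collision surviving an appended suffix while SHA-256 and HMAC-MD5 distinguish the two inputs. The suffix result is the property that matters for software distribution: once an attacker holds one colliding block pair, everything after it can be arbitrary shared code, so an MD5 checksum on a download proves nothing about which of the two programs you received.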
Re: [Full-disclosure] Firefox 2.0.0.11 File Focus Stealing vulnerability
Netscape Navigator version 9.0.0.4 is affected too.
Test done with the PoC-type URL mentioned on Mac OS X 10.4.10, fully patched.
Vendor was contacted on 1st Dec 2007.

- Juha-Matti

carl hardwick [EMAIL PROTECTED] wrote:
> Firefox 2.0.0.11 File Focus Stealing vulnerability:
>
> Sorry Mozilla, but the recent file focus fix was not enough. I think Mozilla made another mistake while fixing the previous file/label issue, because now I embed a file field and a textfield inside one label. When this happens, and you type only one time in the textfield, the focus travels to the file field and the value travels with it. Back to the drawing board, I would say.
>
> I only got it to work in Firefox; Gareth checked Safari for me, and it also works in Safari. I guess this type of exploit could function on other HTML objects as well, and could be very dangerous because it only requires a one-time focus in a textfield.
>
> PoC here:
> http://carl-hardwick.googlegroups.com/web/Firefox20011StealFocusFlaw.htm
[Full-disclosure] rPSA-2007-0255-1 nss_ldap
rPath Security Advisory: 2007-0255-1
Published: 2007-11-30
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification: Local Weakness
Updated Versions: [EMAIL PROTECTED]:1/239-9.2-1

rPath Issue Tracking System: https://issues.rpath.com/browse/RPL-1913
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794

Description:
Previous versions of the nss_ldap package contain a race condition that can cause nss_ldap to return incorrect data to requesting processes.

http://wiki.rpath.com/Advisories:rPSA-2007-0255

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html
Re: [Full-disclosure] High Value Target Selection
> translation: let's discuss how to discern high degree and/or vulnerable nodes in critical infrastructure networks.

Correct.

>> 1. To bring like-minded people together while operating under the strategy of 'leaderless resistance' (http://en.wikipedia.org/wiki/Leaderless_resistance)
>
> *yawn*

Apologies, but there are some people that haven't heard of the idea. Not everyone here is from a western country, or wastes their time combing for what might be perceived as 'out there' literature like ELF or SHAC stuff.

>> 2. To be the 'aboveground' partner to the 'underground' scene, or at least serve to distract authorities from the activities of underground groups
>
> ... ZZZZZ ... you're losing me, jim.

If we wind up not being able to do anything useful, then at least run interference for the real subversives. Keep our friends in intel and law enforcement busy chasing dead ends. Lower the signal-to-noise ratio and make them have to spend as much money as possible. Tarpit them.

>> 4. To capture the imagination of the public
>
> more like hatred.

What exactly is the difference? :)

>> So, types of infrastructure to attack:
>
> [ list of infrastructure domains as if they exist as discrete units independent of each other... lolz! ]

Well, what was one to do - just put "1. The Internet"? No, the domains were split up for the matter of discussion. Of course with networks any divisions are arbitrary. But given the large area to attack, some focusing of effort will be required, at least at first.

> [lots of blah blah blah misunderstanding of what critical infrastructure is and how it is organized, USA bashing, etc...]

Please elaborate on your perceptions of my failure to adequately define 'critical infrastructure'. As for USA bashing, meh. It's just that they make a great target and they've got lots of enemies. If I was Irish, maybe I'd have picked England, and if I was Chechen, maybe I'd pick Russia. Not important.

> first, go read Global Guerrillas. that will keep you busy for a few weeks and save us all more of this blather:
> http://globalguerrillas.typepad.com/globalguerrillas/

Thanks for the link, I'll check it out.

> second, some attacking critical infrastructure Cliff notes:
>
> 1. those with clue have realized the folly of trying to make infallible infrastructure. their focus has shifted to rapid repair instead of prevention. there are papers written that describe exactly how stupid it is to think you can build resilient infrastructure in the face of a skilled attacker. (see the AT&T telco in a trailer truck, etc)
>
> 2. critical infrastructure viewed as a graph theory problem highlights the compound vulnerabilities across multiple infrastructures inherent in high degree / high value nodes of critical infrastructure. (metropolitan bridges carrying fiber, gas, electricity, vehicles, etc over the same physical span, etc.)
>
> 3. most critical infrastructure is resilient against planned / common failure scenarios, and these protections actually create hyper-sensitive vulnerabilities against targeted / unplanned attacks. (M of N redundancy that leads to catastrophic failure against well targeted M attacks, etc.)

Good stuff. But wouldn't you have already surprised yourself vis-a-vis your first point? 'those with clue' are fewer than we'd like. Sloppiness abounds; I am certain of that.

> combining these aspects into attack scenarios is left as an exercise for the reader [who pines for a vacation in club fed...]

Well, that depends on the exact nature of any alleged or purported crime, and whatever extradition treaties exist between the nation-state someone resides in and the USA. They also have to catch you first.

> the crux of the problem for the practical attacker is discerning the nature and location of critical infrastructure nodes and links. fortunately for the determined individual this is merely a matter of effort and time, not a question of ability.
>
> for the rest of us this means our life style / way of life is highly dependent on the lack of sufficiently skilled malcontents able and willing to express their grievances in direct action against such systems.

A good summary, thank you. So I suppose I'm saying: Hey malcontents, if we can't go more public, let's start sharing info and making it incredibly easy for other malcontents.

And would people, for once, consider that maybe the net was adopted too damn fast by too many morons in too slap-dash a fashion? I never thought I'd find myself arguing for a conservative approach in, well, anything. But people really need to start doing a better job as it's affecting too many people. Since that's not likely to happen.. perhaps this can be viewed as a check against the fascist dystopia many fear as the end result of authoritarian abuse of power coupled with high tech tools for manipulation and control of the populace...

p.s. my favorite tools in such scenarios (of course not advocating):
- the thermic
Re: [Full-disclosure] Firefox 2.0.0.11 File Focus Stealing vulnerability
And the Mozilla bugzilla number is?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Juha-Matti Laurio
Sent: 01 December 2007 15:25
To: carl hardwick; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Firefox 2.0.0.11 File Focus Stealing vulnerability

Netscape Navigator version 9.0.0.4 is affected too.
Test done with the PoC-type URL mentioned on Mac OS X 10.4.10, fully patched.
Vendor was contacted on 1st Dec 2007.

- Juha-Matti

carl hardwick [EMAIL PROTECTED] wrote:
> Firefox 2.0.0.11 File Focus Stealing vulnerability:
>
> Sorry Mozilla, but the recent file focus fix was not enough. I think Mozilla made another mistake while fixing the previous file/label issue, because now I embed a file field and a textfield inside one label. When this happens, and you type only one time in the textfield, the focus travels to the file field and the value travels with it. Back to the drawing board, I would say.
>
> I only got it to work in Firefox; Gareth checked Safari for me, and it also works in Safari. I guess this type of exploit could function on other HTML objects as well, and could be very dangerous because it only requires a one-time focus in a textfield.
>
> PoC here:
> http://carl-hardwick.googlegroups.com/web/Firefox20011StealFocusFlaw.htm
Re: [Full-disclosure] High Value Target Selection
Forgot to tack these onto the last post.

The wikipedia entry http://en.wikipedia.org/wiki/Submarine_communications_cable has some amusing links in its reference section:
http://www.telegeography.com/products/map_cable/images/sub_cable_2007_large.jpg
http://www1.alcatel-lucent.com/submarine/refs/World_Map_LR.pdf
http://www.kddi.com/english/business/oversea/pdf/kddi_gnm_en.pdf
http://www.kidorf.com/DBLandings.php

And a list of the cable-laying ships. Does that equate to cable repair ships?
http://www.iscpc.org/information/Cableships_Page.htm

Apologies for the noise.
Re: [Full-disclosure] Firefox 2.0.0.11 File Focus Stealing vulnerability
More than likely all the Gecko-based browsers will be vulnerable to this. So that would include Mozilla, Camino, SeaMonkey... possibly even things like Thunderbird if you could get it to render.

Nice find guys!

Nate

On 12/1/07, Juha-Matti Laurio [EMAIL PROTECTED] wrote:
> Netscape Navigator version 9.0.0.4 is affected too.
> Test done with the PoC-type URL mentioned on Mac OS X 10.4.10, fully patched.
> Vendor was contacted on 1st Dec 2007.
>
> - Juha-Matti
>
> carl hardwick [EMAIL PROTECTED] wrote:
>> Firefox 2.0.0.11 File Focus Stealing vulnerability:
>>
>> Sorry Mozilla, but the recent file focus fix was not enough. I think Mozilla made another mistake while fixing the previous file/label issue, because now I embed a file field and a textfield inside one label. When this happens, and you type only one time in the textfield, the focus travels to the file field and the value travels with it. Back to the drawing board, I would say.
>>
>> I only got it to work in Firefox; Gareth checked Safari for me, and it also works in Safari. I guess this type of exploit could function on other HTML objects as well, and could be very dangerous because it only requires a one-time focus in a textfield.
>>
>> PoC here:
>> http://carl-hardwick.googlegroups.com/web/Firefox20011StealFocusFlaw.htm
Re: [Full-disclosure] MD5 algorithm considered toxic (and harmful)
I agree! It should be changed and I have no idea why people still use it!

On Dec 1, 2007 4:20 PM, Steven Adair [EMAIL PROTECTED] wrote:
>> There you have it. Surely a GPL'd tool implementing this attack style will be available shortly. And since Chinese researchers have been attacking SHA-1 lately, should SHA-256 be considered the proper replacement? I am unsure :-(
>
> Yes, it would probably be a good idea. I think this link has been put out on this list in the past with respect to discussion on SHA-1:
> http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html
>
> NIST might not be the bible to you on what to follow and implement, but they are definitely worth listening to (even if you're not a U.S. Federal agency) when they tell you not to use something anymore. For those that don't want to click and just want to read, here are the relevant parts:
>
> March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key derivation functions (KDFs); and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols.
>
> Steven
> http://www.securityzone.org
>
>> --
>> Kristian Erik Hermansen
>> I have no special talent. I am only passionately curious.

--
http://search.goldwatches.com/?Search=Movado+Watches
http://www.jewelerslounge.com
http://www.goldwatches.com
Re: [Full-disclosure] MD5 algorithm considered toxic (and harmful)
because they perform risk-analysis:

- what are the threats to my assets?
- which role does MD5 play there?
- any subsequent risk then from using it?
- high priority risk? mitigating controls or risk acceptance?

would you be so kind to show me a real-world attack against a VPN using MD5 hashing?
...

thanks,

Enno

On Sat, Dec 01, 2007 at 06:39:56PM +0100, James Matthews wrote:
> I agree! It should be changed and I have no idea why people still use it!
>
> On Dec 1, 2007 4:20 PM, Steven Adair [EMAIL PROTECTED] wrote:
>>> There you have it. Surely a GPL'd tool implementing this attack style will be available shortly. And since Chinese researchers have been attacking SHA-1 lately, should SHA-256 be considered the proper replacement? I am unsure :-(
>>
>> Yes, it would probably be a good idea. I think this link has been put out on this list in the past with respect to discussion on SHA-1:
>> http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html
>>
>> NIST might not be the bible to you on what to follow and implement, but they are definitely worth listening to (even if you're not a U.S. Federal agency) when they tell you not to use something anymore. For those that don't want to click and just want to read, here are the relevant parts:
>>
>> March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key derivation functions (KDFs); and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols.
>>
>> Steven
>> http://www.securityzone.org
>>
>>> --
>>> Kristian Erik Hermansen
>>> I have no special talent. I am only passionately curious.
>
> --
> http://search.goldwatches.com/?Search=Movado+Watches
> http://www.jewelerslounge.com
> http://www.goldwatches.com

--
Enno Rey

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1

Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey
Re: [Full-disclosure] MD5 algorithm considered toxic (and harmful)
> because they perform risk-analysis:
>
> - what are the threats to my assets?
> - which role does MD5 play there?
> - any subsequent risk then from using it?
> - high priority risk? mitigating controls or risk acceptance?

Don't kid yourself. Very few businesses in my experience think about this stuff when they go to use a hash. Most just use whatever hash they're used to using. I rarely see clients actually sitting down and thinking about what the application of a given hash is and what the threats are in their specific case.

> would you be so kind to show me a real-world attack against a VPN using MD5 hashing?
> ...

Assuming there are no real-world attacks against your particular VPN that uses MD5, does that make it safe for the rest of us in any given application? A rather leading question IMO.

tim
Re: [Full-disclosure] Firefox 2.0.0.11 File Focus Stealing vulnerability
Doesn't work in Gran Paradiso 3.0a7

On Dec 1, 2007 12:37 PM, Nate McFeters [EMAIL PROTECTED] wrote:
> More than likely all the Gecko-based browsers will be vulnerable to this. So that would include Mozilla, Camino, SeaMonkey... possibly even things like Thunderbird if you could get it to render.
>
> Nice find guys!
>
> Nate
>
> On 12/1/07, Juha-Matti Laurio [EMAIL PROTECTED] wrote:
>> Netscape Navigator version 9.0.0.4 is affected too.
>> Test done with the PoC-type URL mentioned on Mac OS X 10.4.10, fully patched.
>> Vendor was contacted on 1st Dec 2007.
>>
>> - Juha-Matti
>>
>> carl hardwick [EMAIL PROTECTED] wrote:
>>> Firefox 2.0.0.11 File Focus Stealing vulnerability:
>>>
>>> Sorry Mozilla, but the recent file focus fix was not enough. I think Mozilla made another mistake while fixing the previous file/label issue, because now I embed a file field and a textfield inside one label. When this happens, and you type only one time in the textfield, the focus travels to the file field and the value travels with it. Back to the drawing board, I would say.
>>>
>>> I only got it to work in Firefox; Gareth checked Safari for me, and it also works in Safari. I guess this type of exploit could function on other HTML objects as well, and could be very dangerous because it only requires a one-time focus in a textfield.
>>>
>>> PoC here:
>>> http://carl-hardwick.googlegroups.com/web/Firefox20011StealFocusFlaw.htm
[Full-disclosure] Firefox explicit charset inheritance
I found that Firefox 2.0.0.10 will inherit the charset of the parent page when that had been selected manually (it does not inherit the charset specified in headers or meta). I found this inheritance to work both with [a href] links and [iframe src] in the parent page.

See also:
http://www.mozilla.org/security/announce/2007/mfsa2007-02.html
https://bugzilla.mozilla.org/show_bug.cgi?id=356280

Cheers, Paul

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
Re: [Full-disclosure] MD5 algorithm considered toxic (and harmful)
--On December 1, 2007 2:20:21 PM -0500 Tim [EMAIL PROTECTED] wrote:
>> because they perform risk-analysis:
>>
>> - what are the threats to my assets?
>> - which role does MD5 play there?
>> - any subsequent risk then from using it?
>> - high priority risk? mitigating controls or risk acceptance?
>
> Don't kid yourself. Very few businesses in my experience think about this stuff when they go to use a hash. Most just use whatever hash they're used to using. I rarely see clients actually sitting down and thinking about what the application of a given hash is and what the threats are in their specific case.
>
>> would you be so kind to show me a real-world attack against a VPN using MD5 hashing?
>> ...
>
> Assuming there are no real-world attacks against your particular VPN that uses MD5, does that make it safe for the rest of us in any given application? A rather leading question IMO.

While I don't think it's time to panic, it's definitely time to begin moving to SHA-256 and stop using MD5. FreeBSD has already done so in its ports system, although you can still use MD5 as well. But far too many downloads still use MD5 or **no checksum at all**, and that is a problem.

While collisions in MD5 are now proven, what I've not seen yet is the ability to alter a legitimate file or tarball yet generate the same checksum. It *is* theoretically possible, however, and the fact that collisions have been proven should be enough to begin abandoning its use IMO.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
[Full-disclosure] Phioust is now getting really emotional ...
Phioust, we love you .. google your name for the christmas gift !!!

-- Forwarded message --
From: phioust [EMAIL PROTECTED]
Date: Dec 1, 2007 2:33 PM
Subject: Re: spam?
To: Gobbles is back [EMAIL PROTECTED]

Why are you doing this? I don't even know you. I would appreciate it if you really stop doing this. In case I have offended anyone of you in the past in any way, I did not mean to .. In fact I think it's quite cool what you guys are doing to matasano .. so please stop this .. it's an honest request, sorry.

On Dec 1, 2007 4:32 AM, Gobbles is back [EMAIL PROTECTED] wrote:
> You lil fucking idiot !!! now this mail of yours will be on Full D too, sadly with your dumb turkey name and those useless degrees ... lol
Re: [Full-disclosure] Full-Disclosure Digest, Vol 34, Issue 1
-- Message: 6
Date: Fri, 30 Nov 2007 23:44:07 +0100
From: Max Moser [EMAIL PROTECTED]
Subject: [Full-disclosure] 27Mhz based wireless security insecurities - Aka - We know what you typed last summer
To: [EMAIL PROTECTED], [EMAIL PROTECTED], Full Disclosure full-disclosure@lists.grok.org.uk
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1

> Dear List members,
> Today the team remote-exploit.org together with Dreamlab Technologies likes to release another piece of unique research work.
> [snip]
> Max Moser
> Philipp Schroedel
> Dreamlab Technologies AG / Team remote-exploit.org

--
1. Thought it was great
2. Thought it was funny I had to Allow remote-exploit.org on Firefox Noscript!
3. Anyway you can share that software??!!!
Re: [Full-disclosure] MD5 algorithm considered toxic (and harmful)
On Dec 1, 2007 5:06 AM, Kristian Erik Hermansen [EMAIL PROTECTED] wrote:
> [MD5 is dead like WEP]

yup.

> And since Chinese researchers have been attacking SHA-1 lately, should SHA-256 be considered the proper replacement?

SHA2 is good. (so 256 or 512). the design differs from SHA1 and avoids the weaknesses being exploited against this hash func. still, ~2^69 collision resistance for SHA1 is a world of security better than MD5. MD5 is really dead, lingering only to feast on the brains of the unawares...
Re: [Full-disclosure] High Value Target Selection
On Dec 1, 2007 8:09 AM, gmaggro [EMAIL PROTECTED] wrote:
> ...
> Why not advocate? If you did get in trouble for this post, I don't think adding a caveat like "of course not advocation" would help you much, if at all. Like those quips in Phrack or Paladin Press books: "For educational purposes only." Bwahahaha!

Paladin Press, now you're taking me back... ah, the days.

not advocating because as funny as some dude in jeans and a t-shirt firing up a thermal lance would seem, in the end the darwin awards need no assistance. also, i don't want them cloggin' ma tubes! jeez mang.

> Really, how much trouble could we get in if we posted up a list of street addresses, each address being a building that contained significant telco and/or routing infrastructure?

try it, it's amusing. remember all the photogs getting hassled by the man for merely taking pictures of bridges and plants and such? if you're actually effective at amassing a good database of infrastructure information you'll get the attention you so desperately crave; i promise! :P~

> Probably be some interesting/useful information poking around BGP land and looking at ASs and their relationships in more detail. Especially when cross-referenced to actual physical locations.

not really, focus on the physical transport. the MPLS/IP layers just confirm what you should have suspected all along: apparent diversity at the routing layer is sharing way too much of the same physical transport. (in telco land, one SONET span over aerial transport and the other buried plant is considered sufficient path diversity/redundancy. never mind that the same right of way is used...)

http://xkcd.com/195/

xkcd is highly recommended. in particular, a Shibboleth to sift the pyro-anarcho-dimwits from those who recognize more effective means at expressing and redressing grievances against their government.

one last hint: news feeds are a great way to discern details about critical infrastructure and response times for repair. don't forget to set your google news alerts...
Re: [Full-disclosure] Firefox 2.0.0.11 File Focus Stealing vulnerability
N/A unfortunately, but BID26669 points to entries
https://bugzilla.mozilla.org/show_bug.cgi?id=258875 and
https://bugzilla.mozilla.org/show_bug.cgi?id=56236
via this older advisory: http://www.securityfocus.com/bid/18308/references

Link: http://www.securityfocus.com/bid/26669/discuss

(Probably BID18038 mentioned is a typo...)

- Juha-Matti

Randal, Phil [EMAIL PROTECTED] wrote:
> And the Mozilla bugzilla number is?
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Juha-Matti Laurio
> Sent: 01 December 2007 15:25
> To: carl hardwick; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Firefox 2.0.0.11 File Focus Stealing vulnerability
>
> Netscape Navigator version 9.0.0.4 is affected too. Test done with PoC-type URL mentioned on Mac OS X 10.4.10 fully patched. Vendor was contacted on 1st Dec 2007.
>
> - Juha-Matti
>
> carl hardwick [EMAIL PROTECTED] wrote:
> Firefox 2.0.0.11 File Focus Stealing vulnerability:
> Sorry Mozilla, but the recent file focus fix was not enough. I think Mozilla made another mistake while fixing the previous file/label issue. Because now I embed a file field and a textfield inside one label. When this happens, and you type only one time in the textfield, the focus travels to the file field and the value travels with it. Back to the drawing board I would say. I only got it to work in Firefox, Gareth checked Safari for me, and it also works in Safari. I guess this type of exploit could function on other HTML objects as well, and could be very dangerous because it only requires a one time focus in a textfield.
> PoC here: http://carl-hardwick.googlegroups.com/web/Firefox20011StealFocusFlaw.htm
Re: [Full-disclosure] MD5 algorithm considered toxic (and harmful)
On Sat, 01 Dec 2007 05:06:36 PST, Kristian Erik Hermansen said:
> I know of many commercial security products which still utilize MD5 to prove integrity of the data they distribute to customers. This should no longer be considered appropriate. Now that tools are readily available to exploit newer MD5 collision research, I think it is safe to say that the public should retire its usage for good.

Admittedly, MD5 is on its last legs. However, please note that the current state of the art for MD5 collisions is: create two plaintexts that collide with the same (but unpredictable) MD5 hash. That's what these binaries demonstrate. What is still *not* known to be doable is: given a plaintext that has a pre-specified MD5 hash, compute a second plaintext with the same hash. So publishing the MD5 hash of the binary is still safe - for now.

If I was a vendor, I'd be publishing both MD5 and SHA-256 for the data.

(Note that strictly speaking, what you *really* want is a PGP-signed or otherwise authenticated MD5/SHA-256 hash. Otherwise, if I'm an attacker, I can just splat a new binary up, and a new MD5SUMS file that lists the MD5 sum for the backdoored binaries. If anything, more people manage to screw *this* part up than the much lesser offense of still using MD5 rather than something from the SHA-2 family)
Re: [Full-disclosure] MD5 algorithm considered toxic (and harmful)
On Dec 1, 2007 7:08 PM, [EMAIL PROTECTED] wrote:
> Admittedly, MD5 is on its last legs. However, please note that the current state of the art for MD5 collisions is: create two plaintexts that collide with the same (but unpredictable) MD5 hash. That's what these binaries demonstrate.

Correct...

> What is still *not* known to be doable is: given a plaintext that has a pre-specified MD5 hash, compute a second plaintext with the same hash. So publishing the MD5 hash of the binary is still safe - for now.

But is it? Let's create a thought experiment. Let us first assume that an internal security product release engineer has access to the source code, the product binaries, and is responsible for creating ISO images and MD5 hashes to accompany them for distribution to government agencies which will utilize the security product internally. OK, now let's say that this release engineer wants to create two different ISO images, each with a different AUTORUN feature on the disc. Since he has the ability to choose the hash here, then we must therefore conclude that MD5 will not actually ensure that the disc is legitimate and unaltered. Now, such an attack is not as sexy as colliding with a pre-formed MD5 hash, but we do know that approximately 70% of exploited security issues somehow involve internal personnel.

> If I was a vendor, I'd be publishing both MD5 and SHA-256 for the data.

So my question to you then is why even bother with MD5, and not just choose to use SHA-256 instead? In fact, I might even go so far to say that future Linux distributions should stop including the md5sum program in default installations. I say this because it correlates with the secure by default motto. If the user really needs md5sum, they can install it separately. The only issue is that both applications are included in coreutils, so it is unlikely that they would ever be separated.

> (Note that strictly speaking, what you *really* want is a PGP-signed or otherwise authenticated MD5/SHA-256 hash. Otherwise, if I'm an attacker, I can just splat a new binary up, and a new MD5SUMS file that lists the MD5 sum for the backdoored binaries. If anything, more people manage to screw *this* part up than the much lesser offense of still using MD5 rather than something from the SHA-2 family)

Yeah, storing your MD5 and binary on the same asset is just like keeping your important security logs on a system that was just compromised. Your data is tainted...

--
Kristian Erik Hermansen
I have no special talent. I am only passionately curious.
Re: [Full-disclosure] High Value Target Selection
> (in telco land, one SONET span over aerial transport and the other buried plant is considered sufficient path diversity/redundancy. never mind that the same right of way is used...)

Ah yes, I remember an old story not too dissimilar... multiple redundant lines, all severed at the same time with the same backhoe. Idiots.

Anyone dig really deeply into that Maltego/Evolution program from Paterva (http://www.paterva.com/web/Maltego/index.html)? It looks interesting. HD Moore references it in that 'Tactical Exploitation' PDF (http://milw0rm.com/papers/172) which is itself a good primer for novitiates.
Re: [Full-disclosure] High Value Target Selection
On Sat, 01 Dec 2007 23:13:31 EST, gmaggro said:
> Ah yes, I remember an old story not too dissimilar... multiple redundant lines, all severed at the same time with the same backhoe. Idiots.

To be fair, it's often not idiots. First, you have to find 2 providers that can get fiber from point A to point B at all (note that if one or the other doesn't already have dark fiber laid, they're either digging a ditch or they're going to lease some fiber from a 3rd party). Then you often need to do NDAs with both to find out where their fibers are and verify that they in fact are diverse. And then you need to make sure they *stay* diverse. The following happens a *LOT*:

1) You get Vendor A to give you 4 pairs of fiber that run south on B Avenue, east on 3rd street, south on D ave, east on 5th st, and then south on E Av. Vendor B's runs south on C avenue, east on 6th street, then south on F Av. Except for a few crossovers, they're diverse.

2) Vendor B has to re-groom because of a construction project at C Av 5th st. So they re-route to another conduit (not A's) that runs east on 3rd st to F av.

3) Bozo with a backhoe on a water main break nails both conduits on 3rd street between C Ave and D Ave.

What are your chances of getting vendor A to re-groom your paths off 3rd St while B has their path going down that street, and then put them back once B goes back the other way after the construction at C and 5th is done?

Note that sometimes, there really *isn't* a good way to get diversity - how many ways are there to get an east-west long-haul fiber across the Mississippi between St Louis and New Orleans? Your choices are limited - under the bottom of an interstate highway bridge right next to your competitor's conduit, or you get to trench all the way across the river, and hope you put it deep enough so if they ever have to dredge the channel, you won't get hit. Similar issues apply to Manhattan and a lot of other places.
Re: [Full-disclosure] Signature or checksum? (was: MD5 considered harmful)
On Dec 1, 2007 7:08 PM, [EMAIL PROTECTED] wrote:
> ...
> (Note that strictly speaking, what you *really* want is a PGP-signed or otherwise authenticated MD5/SHA-256 hash. Otherwise, if I'm an attacker, I can just splat a new binary up, and a new MD5SUMS file that lists the MD5 sum for the backdoored binaries. If anything, more people manage to screw *this* part up than the much lesser offense of still using MD5 rather than something from the SHA-2 family)

this has come up recently in situations like the hushmail trojan'd applets and so forth. consider a court order that compels you to sign a given backdoor'd product in use by a targeted individual. in this case, the use of signatures provides less security than comparing public checksums. (because you'd notice that your particular download has a different sum, while comparing signatures you'd assume it was legitimate.)

ideally everyone would compare both a signature (a trusted source provided it) as well as a public checksum (let's assume you can do so out of band securely using archives or other channel not actively controlled by an attacker). i know that signatures include a checksum, but this is hidden by the verification process. the human really needs to be in the loop for both.

best regards,

p.s. for the tin foil hat crowd, those digital sigs are looking weaker every year compared to cryptographic hash functions and block ciphers: http://dwave.wordpress.com/2007/11/26/slides-from-sc07-progress-in-quantum-computing-panel/ not to mention GNFS improvements the last few years... (ok, i admit, i love an excuse to reference Mr. T)
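The download-verification discipline this thread converges on (Valdis's point that the hash file must itself be signed, Kristian's point that a release engineer who picks the hash can defeat MD5 alone, and the point above that a signature should be checked alongside an independently obtained checksum) as an added Go example; it is not code from any post on the list. Ed25519 stands in for PGP, and the vendor key, the "product.iso" manifest and the release bytes are constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest stands in for one line of a vendor's MD5SUMS/SHA256SUMS file (constructed).
type Manifest struct{ Name, MD5, SHA256 string }
func (m Manifest) Bytes() []byte { return []byte(m.Name + " " + m.MD5 + " " + m.SHA256 + "\n") }

// BuildManifest publishes both hashes, as the thread suggests a vendor should.
func BuildManifest(name string, release []byte) Manifest {
	s, m := sha256.Sum256(release), md5.Sum(release)
	return Manifest{Name: name, MD5: hex.EncodeToString(m[:]), SHA256: hex.EncodeToString(s[:])}
}

// Verify applies the thread's checks in order: a valid vendor signature on the
// manifest (catches a re-uploaded binary plus a fresh MD5SUMS file), agreement
// of the signed SHA-256 with a checksum fetched out of band (catches a manifest
// the vendor was compelled to sign), and the file hashing to that value. MD5
// never decides acceptance; a manifest carrying no SHA-256 is rejected.
func Verify(pub ed25519.PublicKey, m Manifest, sig []byte, pinned string, file []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if m.SHA256 == "" {
		return errors.New("manifest lists no SHA-256; MD5 alone is not accepted")
	}
	if m.SHA256 != pinned {
		return errors.New("signed manifest disagrees with out-of-band checksum")
	}
	if got := sha256.Sum256(file); hex.EncodeToString(got[:]) != m.SHA256 {
		return errors.New("file does not match SHA-256 in manifest")
	}
	return nil
}

// Scenarios runs three constructed cases and returns the verifier's verdict for each.
func Scenarios() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	genuine, backdoor := []byte("genuine release 1.0"), []byte("backdoored release 1.0")
	m := BuildManifest("product.iso", genuine)
	sig := ed25519.Sign(priv, m.Bytes())
	pinned := m.SHA256 // checksum the user fetched out of band while the site was honest
	bad := BuildManifest("product.iso", backdoor)
	return map[string]error{
		"genuine": Verify(pub, m, sig, pinned, genuine),
		// attacker swaps the binary and regenerates the sums file but cannot re-sign it
		"forged": Verify(pub, bad, sig, pinned, backdoor),
		// vendor is compelled to sign a manifest for the backdoored build
		"coerced": Verify(pub, bad, ed25519.Sign(priv, bad.Bytes()), pinned, backdoor),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-8s -> %v\n", name, err)
	}
}
```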
Re: [Full-disclosure] authentic hackers still do it for the love ... (was: Hell Camp: It never pays enough)
On Dec 1, 2007 9:12 PM, Goebbels Amadeus [EMAIL PROTECTED] wrote:
> ...
> Have you ever considered your future in their hands? You've been working for 50 years, your liver and kidneys start failing, creating visible symptoms, stains in your skin. You can't handle life in the same way anymore. For what? What have you done in those 50 years but serving another man to become more wealthy and over powered. The approaching day of your death and its mere vision strikes you like a burning iron blade.
> ...
> talented youth started emerging and dedicated passionately to fulfill its curiosity. Day after day, spending countless hours in front of a machine. Understanding its inner design and details, breaking it apart and reassembling it the way it wasn't meant to be assembled.

[a parable of looking for filthy lucre in a trade of love, only to discover that these dark funds have tainted the joy and purity of a process and lifestyle that once brought fulfillment]

sooner or later every authentic hacker discovers that you must separate work from play. when you try and mix them both you betray the joy and fulfillment of hacking for a paycheck, and it never pays enough. the ability of a person to deny and downplay this reality will determine their ability to abide the infosecwhore industry. as captain of their own independent ship they can insulate themselves from much of this whoreish taint, but sooner or later a labor for lucre will destroy the love.

no need to preach, the authentic hacker will discover this on their own accord sooner or later. it is inevitable.

for those of you on the cusp of this realization and ready to start anew, do it. abandon ship. find a comfy admin or analyst position with decent benefits and a wage that pays the mortgage. adopt that pseudonym and rediscover the joy of hacking for its own sake. the rewards are still there, worth more than a dollar can provide...

---

as with any broad categorization there are exceptions to this rule. there is a minuscule minority that has found an amalgamation sufficiently lucrative and deeply enjoyable without compromising on any personal integrity. to these people i say: you lucky fucks! may i find such fortune one day...