[Full-disclosure] CanSecWest 2008 Mar 26-28
CanSecWest 2008 Presentations

- Snort 3.0 - Marty Roesch, Sourcefire
- Cross-Site Scripting Vulnerabilities in Flash Authoring Tools - Rich Cannings, Google
- Proprietary RFID Systems - Jan "starbug" Krissler and Karsten Nohl, CCC
- Media Frenzy: Finding Bugs in Windows Media Software - Mark Dowd and John McDonald, IBM ISS
- Targeted Attacks and Microsoft Office Malware - Rob Hensing, Microsoft
- Virtually Secure - Oded Horovitz, VMWare
- Malicious Cryptography - Frédéric Raynal and Eric Filiol, Sogeti/Cap-Gemini and ESAT
- The Death of AV Defense in Depth: Revisiting Anti-Virus Software - Thierry Zoller and Sergio Alvarez, nRuns
- VMWare Issues - Sun Bing, McAfee
- Intrusion Detection Systems Correlation: a Weapon of Mass Investigation - Sebastien Tricaud and Pierre Chifflier, INL
- Web Wreck-utation - Dan Hubbard and Stephan Chenette, WebSense
- Secure programming with gcc and glibc - Marcel Holtmann, Intel
- Mobitex network security - olleB, toolcrypt.org
- Peach Fuzzing - Michael Eddington, Leviathan
- Fuzz by Number - Charlie Miller, Independent Security Evaluators
- Fuzzing WTF? What Fuzzing Was, Is And Never Will Be. - Frank Marcus and Mikko Varpiola, Wurldtech / Condenomicon
- Vulnerabilities Die Hard - Kowsik Guruswamy, Mu
- Hacking Windows Vista - Dan Griffin, JW Secure
- ExeFilter: a new open-source framework for active content filtering - Philippe Lagadec, NATO/NC3A
- VetNetSec: Security testing for Extremists - Eric Hacker, BT INS
- w3af: A framework to own the web - Andres Riancho, Cybsec
- A Unique Behavioral Science Approach to Threats, Extortion and Internal Computer Investigations - Scott K. Larson, Stroz Friedberg

2008 Dojos

- Vulnerability Discovery Demystified - Mark Dowd and Justin Schuh
- The Exploit Laboratory - Advanced Edition - Saumil Shah
- Advanced Honeypot Tactics - Thorsten Holz
- Mastering the network with Scapy - Philippe Biondi
- Voice over IP (VoIP) Security - Nico Fischbach
- Practical 802.11 WiFi (In)Security - Cédric Blancher
- Advanced Linux Hardening - Andrea Barisani
- Defend The Flag - Microsoft

2008 PWN 2 OWN

There will be three targets:

- A MacBook Air, running the latest OSX, patched, typical configuration.
- A Sony VAIO VGN-TZ37CNB, running Ubuntu, latest release.
- A Fujitsu U810, running Vista, latest update.

The contest will be adjudicated by our impartial celebrity judge: Ronald C. Dodge JR., Ph.D., Lieutenant Colonel, Academy Professor, Associate Dean, Information and Education Technology, United States Military Academy.

The victory conditions will be the contents of specific specially planted files on each system, to be extracted by winners. Hack them and you get to keep them, and any associated prizes for the exploits used, oh and the fame and glory. :-)

Browsers (I.E., Mozilla, Safari), Mail Clients (Outlook, Mail.app, Thunderbird), and IM clients (MSN, Adium, Pidgin, Skype all platforms) are all in scope.

More details and official rules soon.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada March 25-28 - 2008 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Tool release: extract Windows credentials from registry hives
Two Things Infinite: The Universe and Human Stupidity
Albert Einstein

Google Error
Forbidden
Your client does not have permission to get URL /files/creddump-0.1.tar.bz2 from this server. (Client IP address: xxx.xxx.xxx.xxx)
You are accessing this page from a forbidden country.

Why Google Code? Don't waste your time or others' that want to download and use SourceForge, Codeplex, FSF, etc., and make them lose revenue. It's so laughable that even the license permits redistribution in the first place and mirroring it won't be a crime. And then proxies / bouncers / tunnels. But then why make you or your visitors lose time? Or... maybe Google wants us to make mirrors without limitations of its entire website and make us get the revenue they won't ;). Let us know, Google, we are impatient to clone your SF takeover attempt sh... without restrictions.

On 2/20/08, Brendan Dolan-Gavitt [EMAIL PROTECTED] wrote:
> CredDump is a new tool implemented entirely in Python that is capable of extracting:
>
> * LM and NT hashes (SYSKEY protected)
> * Cached domain passwords
> * LSA secrets
>
> It has no dependencies on any part of Windows, and operates directly on registry hive files. It is licensed under the GPL and intended to be easy to read, so you can find out how various Windows obfuscation algorithms work by reading the code. (I will also be posting a series of articles explaining the algorithms in detail on my blog in the coming weeks).
>
> You can download the tool at: http://code.google.com/p/creddump/
>
> Or read a more detailed introduction at: http://moyix.blogspot.com/2008/02/creddump-extract-credentials-from.html
>
> CredDump is based on the hard work of many people, so please read the credits section in the README.
>
> Cheers,
> Brendan
Re: [Full-disclosure] round and round they go
http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html
(cooling down DRAMs keeps their contents for a longer time, even during reboot.)

well, this shows how important mechanical security still is, even with all the crypto-stuff out there. if you e.g. just *glued* your RAM modules into your motherboard, the option left would be booting a malicious OS. a BIOS-password might put delays on that. so, if it is really secret put your PC in a locked steel box!

as a direct countermeasure you might as well consider a simple temperature sensor next to your DRAMs, releasing [evil self-destruction hack] when temperatures drop below 0°C. thermite does a good job on destroying HDDs but it's very dangerous. it's probably easier to use this device then: http://www.wiebetech.com/products/HotPlug.php

looking at these two methods, i notice how they (whoever) seem to aim not only at physical access but also more and more at surprising the crypto-user. they might use the methods mentioned above or just hit you with a flashbang, so you can't press the lock key anymore. this worries me more than any it-related security flaw. i don't want the police to behave like that.

n.
Re: [Full-disclosure] round and round they go
I found the article interesting, but I wonder about its practicality. If you have physical access to the box you never really need to power down the box in the first place, and generally if the box is already on, I think most people would prefer to attack a service to get on the system directly. But there are some special cases where these techniques will likely be very useful.

For me, I've always disliked the practice of doing live forensic discovery. I'd much rather get a clean disk dump than to poke around on the system first, but losing RAM sucks. Maybe now IR/Forensic guys can get the best of both worlds? They can yank the power to save the disk state and dump memory by using the techniques described in the article. :)

On Fri, Feb 22, 2008 at 8:32 AM, niclas [EMAIL PROTECTED] wrote:
> [snip]

--
Matthew Wollenweber
[EMAIL PROTECTED] | [EMAIL PROTECTED]
www.cyberwart.com
[Full-disclosure] [SECURITY] [DSA 1502-1] New wordpress packages fix multiple vulnerabilities
------------------------------------------------------------------------
Debian Security Advisory DSA-1502-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                          Noah Meyerhans
February 22, 2008                    http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : wordpress
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-3238 CVE-2007-2821 CVE-2008-0193 CVE-2008-0194

Several remote vulnerabilities have been discovered in wordpress, a weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-3238
    Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php.

CVE-2007-2821
    SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter.

CVE-2008-0193
    Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php.

CVE-2008-0194
    Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a wp-db-backup.php action to wp-admin/edit.php.

For the stable distribution (etch), these problems have been fixed in version 2.0.10-1etch1.

Wordpress is not present in the oldstable distribution (sarge).

We recommend that you upgrade your wordpress package.

Upgrade instructions
--------------------

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch1.diff.gz
    Size/MD5 checksum:    10454 5f3c8c32c87ac34dca41f2d93b87b1da
  http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10.orig.tar.gz
    Size/MD5 checksum:   520314 e9d5373b3c6413791f864d56b473dd54
  http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch1.dsc
    Size/MD5 checksum:      572 aacd4d2338fa941f11147d36d85149b9

Architecture independent packages:

  http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch1_all.deb
    Size/MD5 checksum:   519232 7508cf16054729cfae3444e07b369caf

These files will probably be moved into the stable distribution on its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
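As an added example, not part of the Debian advisory or of WordPress itself, this is the kind of input validation CVE-2008-0194 above was missing, written in Python rather than PHP: a user-supplied backup file name is accepted only if it names a file directly inside the backup directory, so a ".." in the parameter can no longer reach files outside it. The directory layout, file names and contents in `demo()` are constructed for the example.

```python
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a user-supplied name would reach outside the backup directory."""


def safe_backup_path(backup_dir, name):
    """Return the absolute path of `name` inside `backup_dir`, or raise TraversalError.

    Two independent checks are applied: a syntactic one on the raw parameter
    (no separators, no dot entries, no NUL byte) and a semantic one after
    symlink resolution (the result must still sit directly under backup_dir).
    """
    if not name or "\0" in name:
        raise TraversalError("empty name or NUL byte")
    if "/" in name or "\\" in name or name in (".", ".."):
        raise TraversalError("path separators or dot entries not allowed: %r" % name)
    base = os.path.realpath(backup_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # A symlink inside backup_dir pointing elsewhere is caught here.
    if os.path.dirname(candidate) != base:
        raise TraversalError("resolved path escapes backup directory: %r" % name)
    return candidate


def read_backup(backup_dir, name):
    """Read a backup file the way a download handler would, only after validation."""
    with open(safe_backup_path(backup_dir, name), "rb") as f:
        return f.read()


def delete_backup(backup_dir, name):
    """Delete a backup file, again only after validation."""
    os.remove(safe_backup_path(backup_dir, name))


def demo():
    """Build a throwaway layout and exercise the handler with good and bad names.

    Constructed layout:
        <tmp>/secret.txt              -- outside the backup directory
        <tmp>/wp-backup/blog.sql.gz   -- a legitimate backup
    Returns a dict of name -> 'ok' or 'rejected'.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = os.path.join(tmp, "wp-backup")
        os.mkdir(backup_dir)
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("not for download\n")
        with open(os.path.join(backup_dir, "blog.sql.gz"), "wb") as f:
            f.write(b"\x1f\x8b constructed backup bytes")
        for name in ("blog.sql.gz", "../secret.txt", "..", "/etc/hostname",
                     "blog.sql.gz\0.txt"):
            try:
                read_backup(backup_dir, name)
                results[name] = "ok"
            except TraversalError:
                results[name] = "rejected"
    return results
```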
[Full-disclosure] On Topic Off Topic: How To Behave On An Internet Forum
http://www.videojug.com/film/how-to-behave-on-an-internet-forum

:)

Gadi.
[Full-disclosure] Citrix MetaFrame web manager remote XSS
Citrix MetaFrame remote XSS

Author: handrix
Contact: handrix_at_morx_dot_org
Vulnerability: Cross Site Scripting
Severity: Medium/High
MorX security research team
www.morx.org

The Citrix MetaFrame web manager is vulnerable to an XSS attack.

XSS Vector:
http://server/Citrix/MetaFrameXP/default/login.asp?NFuse_LogoutId=Off&NFuse_MessageType=warning&NFuse_Message=%3Cscript%3Ealert(document.cookie);%3C/script%3E
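As an added example, not part of handrix's advisory or of any Citrix code: detection logic in Python that flags requests matching the reflected-parameter pattern described above in web server access logs, after undoing nested percent-encoding. The log lines are constructed for the example (TEST-NET addresses); only the parameter names and the login.asp path come from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the advisory shows being reflected into the login page.
WATCHED_PARAMS = ("NFuse_Message", "NFuse_MessageType")

# Markup that has no business in a status message.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|iframe|img|svg|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so a double-encoded '<' (%253C) is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return [(param, decoded_value), ...] for watched parameters carrying markup.

    Only requests for login.asp are examined, the page the advisory names.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/login.asp"):
        return []
    findings = []
    for param, values in parse_qs(parts.query, keep_blank_values=True).items():
        if param not in WATCHED_PARAMS:
            continue
        for raw in values:
            decoded = decode_fully(raw)
            if SUSPICIOUS.search(decoded):
                findings.append((param, decoded))
    return findings


def scan_log(lines):
    """Run inspect_request over access-log lines; return one alert dict per finding."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for param, decoded in inspect_request(m.group("target")):
            alerts.append({"ip": m.group("ip"), "time": m.group("ts"),
                           "param": param, "value": decoded})
    return alerts


# Constructed sample log: line 2 carries the vector from the advisory, line 3 the
# same kind of payload double-encoded, lines 1 and 4 are benign.
SAMPLE_LOG = [
    '192.0.2.5 - - [22/Feb/2008:10:01:12 +0000] "GET /Citrix/MetaFrameXP/default/login.asp?NFuse_LogoutId=On&NFuse_MessageType=warning&NFuse_Message=Session%20expired HTTP/1.1" 200 1532',
    '192.0.2.10 - - [22/Feb/2008:10:02:47 +0000] "GET /Citrix/MetaFrameXP/default/login.asp?NFuse_LogoutId=Off&NFuse_MessageType=warning&NFuse_Message=%3Cscript%3Ealert(document.cookie);%3C/script%3E HTTP/1.1" 200 1590',
    '192.0.2.11 - - [22/Feb/2008:10:03:01 +0000] "GET /Citrix/MetaFrameXP/default/login.asp?NFuse_Message=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 1588',
    '192.0.2.5 - - [22/Feb/2008:10:04:30 +0000] "GET /Citrix/MetaFrameXP/default/frameset.asp?NFuse_Message=%3Cb%3E HTTP/1.1" 200 2210',
]
```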
Re: [Full-disclosure] On Topic Off Topic: How To Behave On An Internet Forum
On Thursday 21 February 2008 22:18:05 Gadi Evron wrote:
> http://www.videojug.com/film/how-to-behave-on-an-internet-forum
> :)
> Gadi.

I AGREE! LOL

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
Re: [Full-disclosure] On Topic Off Topic: How To Behave On An Internet Forum
Bloody hell. That site took away nearly 30 minutes of my time.. thanks for sharing

/pd

On Fri, Feb 22, 2008 at 1:38 PM, Peter Besenbruch [EMAIL PROTECTED] wrote:
> [snip]
Re: [Full-disclosure] round and round they go, keys in ram are ripe for picking...
Countermeasures and their Limitations

FIPS 140-1 [http://www.itl.nist.gov/fipspubs/fip140-1.htm] addresses this.

[snip]

*SECURITY LEVEL 4*

In addition to the requirements for Security Levels 1, 2 and 3, the following requirements shall also apply to a multiple-chip embedded cryptographic module for Security Level 4.

* The contents of the module shall be completely contained within a tamper detection envelope (e.g., a flexible mylar printed circuit with a serpentine geometric pattern of conductors or a wire-wound package or a non-flexible, brittle circuit) which will detect tampering by means such as drilling, milling, grinding or dissolving of the potting material or cover.

* The module shall contain tamper response and zeroization circuitry. The circuitry shall continuously monitor the tamper detection envelope for tampering, and upon the detection of tampering, shall immediately zeroize all plaintext cryptographic keys and other unprotected critical security parameters (see Section 4.8.5). The circuitry shall be operational whenever plaintext cryptographic keys or other unprotected critical security parameters are contained within the cryptographic module.

* The module shall either include environmental failure protection (EFP) features or undergo environmental failure testing (EFT) as specified in Section 4.5.4.

[snip]

Consider the IBM 4758 [http://www-03.ibm.com/security/cryptocards/pcicc/overproduct.shtml] as a good example of how it's implemented.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
Re: [Full-disclosure] round and round they go
I would think a more realistic scenario might be a person working at an airport shutting their system down then getting it stolen vs a forensic examiner yanking the cord on purpose. Just an observation.

- Original Message -
From: matthew wollenweber [mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Fri, 22 Feb 2008 09:57:55 -0500
Subject: Re: [Full-disclosure] round and round they go

> [snip]
Re: [Full-disclosure] round and round they go, keys in ram are ripe for picking...
On Fri, Feb 22, 2008 at 10:05 AM, Michael Holstein [EMAIL PROTECTED] wrote:
> ...
> FIPS 140-1 [http://www.itl.nist.gov/fipspubs/fip140-1.htm] addresses this.
> ...
> * The contents of the module shall be completely contained within a tamper detection envelope...
> * The module shall contain tamper response and zeroization circuitry.
> ...
> * The module shall either include environmental failure protection (EFP) features or undergo environmental failure testing (EFT) ..

i'm fond of tamper resistant / evident packaging, but this is usually applied to persistent key storage rather than working system memory. works well for authentication tokens and such, even if these methods can also be bypassed with some effort. (see http://flylogic.net/ and their disassemblies at http://flylogic.net/blog )

tamper resistant cases are a bit more fun, like the blackbox [0] pelican padlocked with zeroization / panic button.

however, after reading this paper, it appears that secure overwrite of all key scrubbed memory and other sensitive locations would be preferable to simple power off, even if the case is a pain to open...

a fun attack, to be sure.

0. DefCon 13 black box challenge http://blog.makezine.com/archive/2005/07/_defcon_the_jan.html
Re: [Full-disclosure] On Topic Off Topic: How To Behave On An Internet Forum
On Fri, Feb 22, 2008 at 8:18 AM, Gadi Evron [EMAIL PROTECTED] wrote:
> Gadi.

what you gonna do when all the trolls who are college kids like me grow up and don't troll anymore and take note of your video blog, and then you're the only one left on the list, still trolling away about your life and career, as an adult. does that not make you a very sad person? i feel sorry for you evron, you're a 40 year old troll, by far the stupidest person on the list in terms of intellect... and the trolls who we are are young folks without a clue, and who are you? you're meant to be the responsible adult who knows best, but you real name troll all the time. more power to you or more power to us? you are the loser in the world of trolling. when you die i will remember you as a troll and nothing else.

you have credibility problems evron, it sunk away from you when you tried to get the term 0-day dropped from the industry. how much lower will you go? you trolled gnucitizen's legitimate disclosure, to better your own reputation, but it failed miserably. now you have a power struggle to hold onto, on the mailing lists to stay at the forefront and relevant, and you couldn't think of anything security related to talk about, so you thought you would try and pioneer the end of f-d trolling. yet you prove again and again to be the biggest adult 40 year old troll ever, who should know better than us college kids. yet it fails to register with you continually.

so tell us gadi evron, was this not a troll or not a troll, and i protested why they let a troll on bugtraq at the time... but they still let the 40 year old troll and troll again, to ruin bugtraq and the mailing lists generally.

http://seclists.org/bugtraq/2007/Sep/0229.html
http://seclists.org/fulldisclosure/2007/Sep/0486.html

you've got a cheek to talk about trolling, you complete jerk off.
[Full-disclosure] Multiple vulnerabilities in Double-Take 5.0.0.2865
#######################################################################

                             Luigi Auriemma

Application:  Double-Take
              http://www.doubletake.com
Versions:     <= 5.0.0.2865 (version 4.5.x tested with success too)
Platforms:    Windows
Bugs:         A] server termination through vectorT too long exception
              B] NULL pointer crash
              C] termination through memory allocation
              D] information disclosure
              E] other exceptions
Exploitation: remote
Date:         22 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Double-Take is disaster recovery and backup software distributed also under other names depending on the company which distributes it, like for example HP StorageWorks Storage Mirroring (where version 4.5.0.1629 is vulnerable to a pre-auth buffer overflow).

#######################################################################

=======
2) Bugs
=======

--------------------------------------------------------
A] server termination through vectorT too long exception
--------------------------------------------------------

The Double-Take service can be terminated through an exception raised when the size of a vectorT value is bigger than what is supported. There are different ways of exploiting this vulnerability; anyway the main two arbitrary effects are the vectorT too long exception or CPU at 100%.

---------------------
B] NULL pointer crash
---------------------

The server can be crashed through malformed packets (like 0x2722 and 0x272a) which cause the access to a NULL pointer.

--------------------------------------
C] termination through memory allocation
--------------------------------------

An error with some packets allows one to allocate a partially arbitrary amount of memory, with the possibility of crashing the process when no additional memory is available.

-------------------------
D] information disclosure
-------------------------

The server sends various types of information to any unauthenticated user, for example the running operating system and the program's paths with packet 0x2728, the ethernet adapters with packet 0x274e, all the partitions and their types of filesystem with packet 0x2726, the printer driver with 0x274f and the latest log entries using packet 0x2757.

-------------------
E] other exceptions
-------------------

There are also additional problems, mainly exploitable through packet 0x2719, which cause respectively an ospace/time/src\date.cpp exception and the recursive calling of a function which fills the available stack and causes the silent termination of the service.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/doubletakedown.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
Re: [Full-disclosure] let's name something after dude vanwinkle
On Sat, Feb 16, 2008 at 3:33 PM, Andrew A [EMAIL PROTECTED] wrote:
> dear mengele, n3td3v isn't gobbles. rocky is pretty sharp and hilarious. n3td3v is only unintentionally funny.

n3td3v is fucking sharp and is about the takeover and the win, fuck the comedy.

i watched die hard 4.0 last night and was energised by it. the DHS keep making everything electronic, but don't think about the potential cyber terrorist attacks they create.

http://ap.google.com/article/ALeqM5jE_bOUpQb6MxrxSQno3N6gEdY-MAD8UVH3800

if you make everything electronic, make sure you have old skool backups which are run by old skool methods of cup and string, because if the bad guys strike, they will strike knowing your technology and its backups.

i thought the die hard 4.0 movie was going to be crap, but it actually highlighted a lot of real life potentials that got my mind's thought processes working. i'm surprised the U.S government didn't VETO the release of DIE HARD 4.0, since they are still struggling to decide where to build their U.S cyber command LOL.

I will apply for the MI5/GCHQ cyber command and hopefully i will get gadi evron's home address and send him my good wishes. I don't need to work for MI5/GCHQ to find out all the trolls' personal info, i already have contacts with guys in there, who pay me off with info, for being an informant in the online cyber world.

seriously though, ROFL at the U.S cyber command. Played any video games lately?

http://www.news.com/News.com-Extra/8601-9373_3-9869337.html?communityId=2056&messageId=306273#306273
Re: [Full-disclosure] let's name something after dude vanwinkle
They also drive under I695 in Baltimore. 695 is not an elevated freeway except for the Key Bridge and various causeways over wetlands. Just more errors for ya for a horrible movie.

On Fri, Feb 22, 2008 at 6:09 PM, worried security [EMAIL PROTECTED] wrote:
> [snip]
Re: [Full-disclosure] round and round they go
> I would think a more realistic scenario might be a person working at an airport shutting their system down then getting it stolen vs a forensic examiner yanking the cord on purpose. Just an observation.

if somebody steals your notebook at the airport the chance of this person just being an ordinary criminal not interested in your data is very high. and if you just shut down your notebook, the DRAMs are still warm, decreasing the time window for an ice-spray-attack. so, unless the notebook is thrown into a barrel of liquid nitrogen...

n.
Re: [Full-disclosure] let's name something after dude vanwinkle
On behalf of the thousands of members of full disclosure who are not at all interested in your prepubescent comments, I say: shut the fuck up. Kthx.

On 2/22/08, worried security [EMAIL PROTECTED] wrote:
> [snip]
Re: [Full-disclosure] round and round they go
hrm. sigh. Normal moles not being able to grasp trivial knowledge. Airports are duh known conduits of business travellers with lots of data, thus increasing the possibility of targeting a more valuable target. So your statement that only ordinary criminals steal at airports is shortsighted. If anything a common criminal isn't going to try and steal at a place with a fucking million security cameras around. You obviously don't have enough of a grasp of the techniques to understand this thread so drop back off. You hardly need a barrel of liquid nitrogen - If you could summon not a barrel but more of a can of clue you would be better off.

Jay

- Original Message -
From: niclas [mailto:[EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Sent: Sat, 23 Feb 2008 01:16:48 +0100
Subject: Re: [Full-disclosure] round and round they go

I would think a more realistic scenario might be a person working at an airport shutting their system down then getting it stolen vs a forensic examiner yanking the cord on purpose. Just an observation.

if somebody steals your notebook at the airport the chance of this person just being an ordinary criminal not interested in your data is very high. and if you just shut down your notebook, the DRAMs are still warm, decreasing the time window for an ice-spray-attack. so, unless the notebook is thrown into a barrel of liquid nitrogen...

n.
[Full-disclosure] [SECURITY] [DSA 1503-1] New Linux kernel 2.4.27 packages fix several issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA-1503 [EMAIL PROTECTED]
http://www.debian.org/security/ dann frazier
February 22, 2008 http://www.debian.org/security/faq

Package : kernel-source-2.4.27 (2.4.27-10sarge6)
Vulnerability : several
Problem-Type : local/remote
Debian-specific: no
CVE ID : CVE-2004-2731 CVE-2006-4814 CVE-2006-5753 CVE-2006-5823 CVE-2006-6053 CVE-2006-6054 CVE-2006-6106 CVE-2007-1353 CVE-2007-1592 CVE-2007-2172 CVE-2007-2525 CVE-2007-3848 CVE-2007-4308 CVE-2007-4311 CVE-2007-5093 CVE-2007-6063 CVE-2007-6151 CVE-2007-6206 CVE-2007-6694 CVE-2008-0007

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2004-2731
    infamous41md reported multiple integer overflows in the Sbus PROM driver that would allow for a DoS (Denial of Service) attack by a local user, and possibly the execution of arbitrary code.

CVE-2006-4814
    Doug Chapman discovered a potential local DoS (deadlock) in the mincore function caused by improper lock handling.

CVE-2006-5753
    Eric Sandeen provided a fix for a local memory corruption vulnerability resulting from a misinterpretation of return values when operating on inodes which have been marked bad.

CVE-2006-5823
    LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem.

CVE-2006-6053
    LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext3 filesystem.

CVE-2006-6054
    LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem.

CVE-2006-6106
    Marcel Holtman discovered multiple buffer overflows in the Bluetooth subsystem which can be used to trigger a remote DoS (crash) and potentially execute arbitrary code.

CVE-2007-1353
    Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory.

CVE-2007-1592
    Masayuki Nakagawa discovered that flow labels were inadvertently being shared between listening sockets and child sockets. This defect can be exploited by local users to cause a DoS (Oops).

CVE-2007-2172
    Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update.

CVE-2007-2525
    Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory.

CVE-2007-3848
    Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries.

CVE-2007-4308
    Alan Cox reported an issue in the aacraid driver that allows unprivileged local users to make ioctl calls which should be restricted to admin privileges.

CVE-2007-4311
    PaX team discovered an issue in the random driver where a defect in the reseeding code leads to a reduction in entropy.

CVE-2007-5093
    Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf.

CVE-2007-6063
    Venustech AD-LAB discovered a buffer overflow in the isdn ioctl handling, exploitable by a local user.

CVE-2007-6151
    ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data.

CVE-2007-6206
    Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core
[Full-disclosure] [SECURITY] [DSA 1504-1] New Linux kernel 2.6.8 packages fix several issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA-1504 [EMAIL PROTECTED]
http://www.debian.org/security/ dann frazier
February 22, 2008 http://www.debian.org/security/faq

Package : kernel-source-2.6.8 (2.6.8-17sarge1)
Vulnerability : several
Problem-Type : local
Debian-specific: no
CVE ID : CVE-2006-5823 CVE-2006-6054 CVE-2006-6058 CVE-2006-7203 CVE-2007-1353 CVE-2007-2172 CVE-2007-2525 CVE-2007-3105 CVE-2007-3739 CVE-2007-3740 CVE-2007-3848 CVE-2007-4133 CVE-2007-4308 CVE-2007-4573 CVE-2007-5093 CVE-2007-6063 CVE-2007-6151 CVE-2007-6206 CVE-2007-6694 CVE-2008-0007

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-5823
    LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem.

CVE-2006-6054
    LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem.

CVE-2006-6058
    LMH reported an issue in the minix filesystem that allows local users with mount privileges to create a DoS (printk flood) by mounting a specially crafted corrupt filesystem.

CVE-2006-7203
    OpenVZ Linux kernel team reported an issue in the smbfs filesystem which can be exploited by local users to cause a DoS (oops) during mount.

CVE-2007-1353
    Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory.

CVE-2007-2172
    Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update.

CVE-2007-2525
    Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory.

CVE-2007-3105
    The PaX Team discovered a potential buffer overflow in the random number generator which may permit local users to cause a denial of service or gain additional privileges. This issue is not believed to affect default Debian installations where only root has sufficient privileges to exploit it.

CVE-2007-3739
    Adam Litke reported a potential local denial of service (oops) on powerpc platforms resulting from unchecked VMA expansion into address space reserved for hugetlb pages.

CVE-2007-3740
    Steve French reported that CIFS filesystems with CAP_UNIX enabled were not honoring a process' umask which may lead to unintentionally relaxed permissions.

CVE-2007-3848
    Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries.

CVE-2007-4133
    Hugh Dickins discovered a potential local DoS (panic) in hugetlbfs. A misconversion of hugetlb_vmtruncate_list to prio_tree may allow local users to trigger a BUG_ON() call in exit_mmap.

CVE-2007-4308
    Alan Cox reported an issue in the aacraid driver that allows unprivileged local users to make ioctl calls which should be restricted to admin privileges.

CVE-2007-4573
    Wojciech Purczynski discovered a vulnerability that can be exploited by a local user to obtain superuser privileges on x86_64 systems. This resulted from improper clearing of the high bits of registers during ia32 system call emulation. This vulnerability is relevant to the Debian amd64 port as well as users of the i386 port who run the amd64 linux-image flavour.

CVE-2007-5093
    Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf.

CVE-2007-6063
    Venustech AD-LAB discovered a buffer overflow in the isdn ioctl
[Full-disclosure] [SECURITY] [DSA 1505-1] New alsa-driver packages fix kernel memory leak
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA-1505 [EMAIL PROTECTED]
http://www.debian.org/security/ dann frazier
February 22, 2008 http://www.debian.org/security/faq

Package : alsa-driver
Vulnerability : kernel memory leak
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2007-4571

Takashi Iwai supplied a fix for a memory leak in the snd_page_alloc module. Local users could exploit this issue to obtain sensitive information from the kernel (CVE-2007-4571).

For the stable distribution (etch), this problem has been fixed in version 1.0.13-5etch1. This issue was already fixed for the version of ALSA provided by linux-2.6 in DSA 1479.

For the oldstable distribution (sarge), this problem has been fixed in version 1.0.8-7sarge1. The prebuilt modules provided by alsa-modules-i386 have been rebuilt to take advantage of this update, and are available in version 1.0.8+2sarge2.

For the unstable distribution (sid), this problem was fixed in version 1.0.15-1.

We recommend that you upgrade your alsa-driver and alsa-modules-i386 packages.

Upgrade instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

The prebuilt modules update coincides with an ABI change in the 2.4.27 kernel in oldstable (see DSA 1503). If you are using the prebuilt modules provided by one of the alsa-modules-i386 packages, you will need to update your kernel to the new ABI before you can use the updated version of that package. For more information about Debian kernel ABI changes, see:

http://wiki.debian.org/DebianKernelABIChanges

Any modules manually built from the alsa-source package will need to be rebuilt against the updated alsa-source package to inherit this fix.
You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

Source archives:

Architecture independent packages:

i386 architecture (Intel ia32)
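As an added example (not part of the advisory or of Debian's own tooling), the Python below checks a file fetched with wget against the advisory's "Size/MD5 checksum" entry before it is handed to dpkg -i; the package URL, file name and file contents are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# One advisory entry as the DSA text lists it: <url> Size/MD5 checksum: <size> <md5>
ENTRY_RE = re.compile(r"(?P<url>\S+)\s+Size/MD5 checksum:\s*(?P<size>\d+)\s+(?P<md5>[0-9a-fA-F]{32})")

def parse_advisory_entries(text):
    """Map each listed file's basename to its (size, md5) pair."""
    entries = {}
    for m in ENTRY_RE.finditer(text):
        name = m.group("url").rsplit("/", 1)[-1]
        entries[name] = (int(m.group("size")), m.group("md5").lower())
    return entries

def verify_download(path, expected_size, expected_md5):
    """Check a fetched file against the advisory before 'dpkg -i'; returns (ok, reason).
    Size is compared first so a truncated transfer is reported as such; then the
    file is hashed in chunks so large .debs do not need to fit in memory."""
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        return False, "size mismatch: advisory %d, file %d" % (expected_size, actual_size)
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    digest = h.hexdigest()
    if digest != expected_md5:
        return False, "md5 mismatch: advisory %s, file %s" % (expected_md5, digest)
    return True, "ok"

# Constructed sample: hypothetical package URL; a 3-byte file "abc" has the
# well-known MD5 test vector 900150983cd24fb0d6963f7d28e17f72.
SAMPLE_ADVISORY = (
    "Source archives:\n"
    "http://security.debian.org/pool/updates/main/e/example/example_1.0.dsc "
    "Size/MD5 checksum: 3 900150983cd24fb0d6963f7d28e17f72\n"
)

def demo():
    """Verify one intact and one same-size tampered download; returns both results."""
    size, md5 = parse_advisory_entries(SAMPLE_ADVISORY)["example_1.0.dsc"]
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.dsc"), os.path.join(d, "bad.dsc")
        with open(good, "wb") as f:
            f.write(b"abc")
        with open(bad, "wb") as f:
            f.write(b"abd")  # same size as the real file, so only the MD5 catches it
        return verify_download(good, size, md5), verify_download(bad, size, md5)

if __name__ == "__main__":
    print(demo())
```

Because MD5 is no longer collision resistant, this check catches truncated or corrupted downloads rather than a deliberately substituted file; trust in the listed values themselves rests on the PGP signature over the advisory.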