Re: [Full-disclosure] Web Application Security Awareness Day

2008-04-15 Thread n3td3v
On Tue, Apr 15, 2008 at 7:24 PM, Jeff Stebelton
<[EMAIL PROTECTED]> wrote:
> On Tue, Apr 15, 2008 at 12:32 PM, n3td3v <[EMAIL PROTECTED]> wrote:
>  >
>  > Why May 1st 2008? Because web applications are closely related to
>  > e-commerce and May Day is a common day for peaceful anti-capitalism
>  > protests, so it makes sense to be on this day.
>  >
>
>  I almost missed this little jewel, having the inestimable Mr. "n3td3v"
>  in my junk list (anyone else think it odd he always refers to himself in
>  the third party?)
>
>  I want to see if I can follow the logic here. May 1st is a common day
>  for ANTI-capitalism protests. Web applications are tied to e-commerce.
>  Therefore, the day you *protest* commerce is the perfect day to hold a
>  contest that conceivably you wish to help make commerce more *secure*?
>  These threads never  fail to provide some comic relief just when I need it.

i was just trying to bring awareness to web application security, not
have a protest against capitalism, and like you say posting
vulnerabilities in web applications is pro capitalism, so i don't see
where the problem is. having it on may the 1st is just more shock and
awe and is more likely to get attention towards web application
security. there is no protest, there is web application security
awareness day, it just makes it more interesting being on may day. if
web application security awareness day was on december the 1st, would
it have as much buzz about it? i say no... so to get the maximum
benefits from WASAD then you need to have some controversy in it,
than just say, ok we're going to have an annual day that for no reason
we release more web application bugs than normal. i think its useful
for web application security awareness day to be on may the 1st and
not december the 1st, what do you think? no one is protesting
anything, we all have a web application bug sitting in our back pockets
anyway, they are easy to find and are useful tools. all web
application security awareness day is meant to do is say *hey, we know
maybe releasing cross-site scripting is normally lame and not very
hacker credible, but if we have one day a year that says, if you
release your lame xss's we won't laugh at you, like we might do on a
normal day* and it even goes for people who don't normally release web
application bugs, like folks who just go after buffer overruns in
internet explorer, on a normal day they wouldn't release a xss, but
what i say to them is, on web application security awareness day, its
cool to do it.. and if you are a security researcher who normally only
releases B0f's, you on web app sec awareness day you can throw your
web app bug onto the list and it won't be considered lame. the vision
is simple, on web app sec awareness day, its uncool not to release a
web app bug, its the ppl who don't release one who should be the ones
pointed and laughed at. thats the problem with web app sec awareness
on a normal day, ppl say *boring xss*, *i'm not going to get hacker
points with my peers, i'm just going to copy&paste it to a txt file
and leave it on my mem key for five years until i remember its there
again*. i say there should be one day a year, when its cool to release
xss, just one day when ppl put their hands up and say, yup this is
what i've got. one day in the year when everyone agrees ppl won't
laugh and make fun of you because you post a xss, one day in the year
when you're doing something positive in the scene to get bugs patched
that you are on a normal day embarrassed to disclose. maybe may day
*is* the wrong day to have web app sec awareness day on, but i do
think there needs to be a web app sec bug amnesty day when high
ranking security researchers will say, actually i've got a xss, or the
script kid who thinks hes cool actually says *i've got an xss* and
isn't laughed at. so no matter who you are or your supposed ranking in
the security community, there should be a day where everyone
participates in web app bug disclosure, that's immune from all the
other days in the year when its considered lame to release xss,
because we've seen it all before, and admittedly, they're not too hard
to find. so what if there is some controversy with the date of it
being on mayday? as long as its doing the main key thing of securing
and bringing awareness, then overall its got to be a good thing. i've
been observing that ppl are reluctant to post xss anymore, even though
they have a ton in their back pocket. folks like morning_wood, he used
to post sql injection/xss all time, i noticed he doesn't anymore, now
is that because he doesn't have any, or is that because he thinks its
not cool and hacker cred as it used to be. so now you've learned my
thinking behind this day, i hope ppl can support it. and if ppl are
really not happy about mayday being the day, then let's talk about it,

[Full-disclosure] VMSA-2008-0007 Moderate Updated Service Console packages pcre, net-snmp, and OpenPegasus

2008-04-15 Thread VMware Security team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

---
VMware Security Advisory

Advisory ID:   VMSA-2008-0007
Synopsis:      Moderate Updated Service Console packages pcre,
               net-snmp, and OpenPegasus
Issue date:    2008-04-15
Updated on:    2008-04-15 (initial release of advisory)
CVE numbers:   CVE-2006-7228 CVE-2007-1660 CVE-2007-5846
               CVE-2008-0003
---

1. Summary:

   Updated Service Console packages for pcre, net-snmp, and OpenPegasus

2. Relevant releases:

   VMware ESX 3.5 without patch ESX350-200803214-UG

3. Problem description:

   a. Updated pcre Service Console package addresses several security issues

   The pcre package contains the Perl-Compatible Regular Expression library.
   pcre is used by various Service Console utilities.

   Several security issues were discovered in the way PCRE handles
   regular expressions. If an application linked against PCRE parsed a
   malicious regular expression, it may have been possible to run
   arbitrary code as the user running the application.

   VMware would like to thank Ludwig Nussel for reporting these issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the names CVE-2006-7228 and CVE-2007-1660 to these issues.

   RPM Updated:
   pcre-3.9-10.4.i386.rpm

   b. Updated net-snmp Service Console package addresses denial of service

   net-snmp is an implementation of the Simple Network Management
   Protocol (SNMP).  SNMP is used by network management systems to
   monitor hosts.  By default ESX has this service enabled and its ports
   open on the ESX firewall.

   A flaw was discovered in the way net-snmp handled certain requests. A
   remote attacker who can connect to the snmpd UDP port could send a
   malicious packet causing snmpd to crash, resulting in a denial of
   service.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CVE-2007-5846 to this issue.

   RPM Updated:
   net-snmp-5.0.9-2.30E.23.i386.rpm
   net-snmp-libs-5.0.9-2.30E.23.i386.rpm
   net-snmp-utils-5.0.9-2.30E.23.i386.rpm

   c. Updated OpenPegasus Service Console package fixes overflow condition

   OpenPegasus is a CIM (Common Information Model) and Web-Based Enterprise
   Management (WBEM) broker.  These protocols are used by network management
   systems to monitor and control hosts.  By default ESX has this service
   enabled and its ports open on the ESX firewall.

   A flaw was discovered in the OpenPegasus CIM management server that
   might allow remote attackers to execute arbitrary code.  OpenPegasus
   when compiled to use PAM and without PEGASUS_USE_PAM_STANDALONE_PROC
   defined, has a stack-based buffer overflow condition.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CVE-2008-0003 to this issue.

   RPMS updated:
   cim-smwg-1.0-release-606113.i386.rpm
   pegasus-2.5-release-606113.i386.rpm

4. Solution:

Please review the Patch notes for your product and version and verify the
md5sum of your downloaded file.

   ESX 3.5 patch ESX350-200803214-UG
   http://download3.vmware.com/software/esx/ESX350-200803214-UG.zip
   md5sum: 9ff7b416afed3acfbfbb5d1d63ca5060
   http://kb.vmware.com/kb/1003721

   RPMS updated with patch ESX350-200803214-UG
   e2fsprogs-1.32-15.4.i386.rpm
   net-snmp-5.0.9-2.30E.23.i386.rpm
   net-snmp-libs-5.0.9-2.30E.23.i386.rpm
   net-snmp-utils-5.0.9-2.30E.23.i386.rpm
   pcre-3.9-10.4.i386.rpm
   libxml2-2.5.10-8.i386.rpm
   libxml2-python-2.5.10-8.i386.rpm

   ESX 3.5 patch ESX350-200803201-UG
   http://download3.vmware.com/software/esx/ESX350-200803201-UG.zip
   md5sum: 55dee9f4e256b996229ff0c9a5f0f72c
   http://kb.vmware.com/kb/1003695

   RPMS updated with ESX350-200803201-UG
   cim-smwg-1.0-release-606113.i386.rpm
   pegasus-2.5-release-606113.i386.rpm

5. References:

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7228
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1660
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5846
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0003

6. Change log

2008-04-15  VMSA-2008-0007  Initial release

---
7. Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * [EMAIL PROTECTED]
  * [EMAIL PROTECTED]
  * full-disclosure@lists.grok.org.uk

E-mail:  [EMAIL PROTECTED]
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies

[Full-disclosure] HARD CHAT

2008-04-15 Thread Andrew A
ARE YOU HARD?
ARE YOU A CHATTER?
ARE YOU A HARD CHATTER?

THEN MAYBE U CHAT HARD ENUFF 2 ROLL WITH THE CHAT KREW.

WANT TO JOIN?

Step 1: Obtain a copy of the low budget chink comedy "Gwok chaan Ling Ling
Chat" and watch it. You will be tested on ur knowledge of this film.
http://www.imdb.com/title/tt0109962/

Step 2: Do some acid and burn down a synagogue.

Step 3: CHAT HARD.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [ MDVSA-2008:086 ] - Updated kernel packages fix vulnerability

2008-04-15 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:086
 http://www.mandriva.com/security/
 ___
 
 Package : kernel
 Date: April 15, 2008
 Affected: Corporate 4.0
 ___
 
 Problem Description:
 
 The isdn_ioctl function in isdn_common.c in the Linux kernel prior to
 2.6.23 allows local users to cause a denial of service via a crafted
 ioctl struct in which iocts is not null terminated, which triggers a
 buffer overflow (CVE-2007-6151).

 The do_coredump function in fs/exec.c in the Linux kernel prior to
 2.6.24-rc3 did not change the UID of a core dump file if it exists
 before a root process creates a core dump in the same location, which
 could possibly allow local users to obtain sensitive information
 (CVE-2007-6206).

 The shmem_getpage function in mm/shmem.c in the Linux kernel versions
 2.6.11 through 2.6.23 did not properly clear allocated memory in
 certain rare circumstances related to tmpfs, which could possibly
 allow local users to read sensitive kernel data or cause a crash
 (CVE-2007-6417).
 
 Additionally, this kernel provides a fix for megaraid_sas and updates
 it to version 3.13, updates mptsas to version 3.12.19, and updates
 e1000-ng to version 7.6.12, as well as adds igb version 1.0.8.
 
 To update your kernel, please follow the directions located at:
 
   http://www.mandriva.com/en/security/kernelupdate
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6151
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6206
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6417
 ___
 
 Updated Packages:
 
 Corporate 4.0:
 4ecd928352ae1a0e37af030841e1daca  corporate/4.0/i586/kernel-2.6.12.34mdk-1-1mdk.i586.rpm
 e25d7be22e3e194dd1f50409d0e71b90  corporate/4.0/i586/kernel-BOOT-2.6.12.34mdk-1-1mdk.i586.rpm
 e42a62385fd608bf8d9b3ec62d6684e8  corporate/4.0/i586/kernel-doc-2.6.12.34mdk-1-1mdk.i586.rpm
 0522dc2efc14a6fb456bed196e5ef87e  corporate/4.0/i586/kernel-i586-up-1GB-2.6.12.34mdk-1-1mdk.i586.rpm
 723df91e8a94e9e4654a30875fe9de94  corporate/4.0/i586/kernel-i686-up-4GB-2.6.12.34mdk-1-1mdk.i586.rpm
 b276ba8700f7e611bfdf02b3b26c4796  corporate/4.0/i586/kernel-smp-2.6.12.34mdk-1-1mdk.i586.rpm
 0a369c5c6e085596c2fa579074e0eed0  corporate/4.0/i586/kernel-source-2.6.12.34mdk-1-1mdk.i586.rpm
 53e34bb761dbf927ec911248aee1f23b  corporate/4.0/i586/kernel-source-stripped-2.6.12.34mdk-1-1mdk.i586.rpm
 c10f59cf9d289f0e9e8cdeb4e7fb3f0e  corporate/4.0/i586/kernel-xbox-2.6.12.34mdk-1-1mdk.i586.rpm
 90a86dd0e5fb9d62edd9682f5a86f978  corporate/4.0/i586/kernel-xen0-2.6.12.34mdk-1-1mdk.i586.rpm
 af3beaab8bf06f0beef21158e5d6878e  corporate/4.0/i586/kernel-xenU-2.6.12.34mdk-1-1mdk.i586.rpm
 5137cdde7b33a50562d783ee93bfa608  corporate/4.0/SRPMS/kernel-2.6.12.34mdk-1-1mdk.src.rpm

 Corporate 4.0/X86_64:
 371f8a2b038bbe058dea1666b3b186da  corporate/4.0/x86_64/kernel-2.6.12.34mdk-1-1mdk.x86_64.rpm
 c7c9bfe79048fb2f94ca600ddd2da911  corporate/4.0/x86_64/kernel-BOOT-2.6.12.34mdk-1-1mdk.x86_64.rpm
 a27a0da5b9e28ce0193a83a75e6e73c8  corporate/4.0/x86_64/kernel-doc-2.6.12.34mdk-1-1mdk.x86_64.rpm
 7615a2c0aee3363886f159f4bfc5f538  corporate/4.0/x86_64/kernel-smp-2.6.12.34mdk-1-1mdk.x86_64.rpm
 0e896d19f066f836fcfb7dd470522d0c  corporate/4.0/x86_64/kernel-source-2.6.12.34mdk-1-1mdk.x86_64.rpm
 b09194d6e8a07b1ae836be6335808464  corporate/4.0/x86_64/kernel-source-stripped-2.6.12.34mdk-1-1mdk.x86_64.rpm
 6845355d4579b2f2933935c88567981b  corporate/4.0/x86_64/kernel-xen0-2.6.12.34mdk-1-1mdk.x86_64.rpm
 f0e8c8777c6da9db4dbea6de1b0fc920  corporate/4.0/x86_64/kernel-xenU-2.6.12.34mdk-1-1mdk.x86_64.rpm
 5137cdde7b33a50562d783ee93bfa608  corporate/4.0/SRPMS/kernel-2.6.12.34mdk-1-1mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIBMMImqjQ0CJFipgRAlhAAKCSx+207LFEtYh4kv4BwVKttP9FZgCg7

Re: [Full-disclosure] gallarific backdoored , vulnerable to xss

2008-04-15 Thread Andrew Farmer
On 15 Apr 08, at 09:07, Thomas Pollet wrote:
> I was looking at the free version of gallarific, and I found some
> suspicious code in the scopbin directory.
> Attached is a file I found in the zip i downloaded, in case someone
> wants to decode it.

Looks like a component of the ScopBin PHP obfuscator. It's not
particularly hard to reverse, but I didn't bother.



[Full-disclosure] iDefense Security Advisory 04.09.08: IBM DB2 Universal Database db2dasStartStopFMDaemon Buffer Overflow Vulnerability

2008-04-15 Thread iDefense Labs
iDefense Security Advisory 04.09.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 09, 2008

I. BACKGROUND

IBM Corp.'s DB2 Universal Database product is a large database server
product commonly used for high-end databases. For more information,
visit the product website at the following URL.

http://ibm.com/db2/

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in the db2dasrrm
program, as included with IBM Corp.'s DB2 Universal Database, allows
attackers to elevate privileges to root.

This vulnerability exists due to insufficient validation of the length
of the attacker-supplied "DASPROF" environment variable contents. By
setting the variable to a specially crafted string, an attacker can
cause a buffer overflow when the string is copied into a static-sized
buffer stored on the stack. By overflowing the buffer, the attacker can
overwrite execution control structures stored on the stack and execute
arbitrary code.
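As an added illustration (not code from the iDefense advisory, and not IBM's db2dasrrm, whose buffer size the page does not give), the bounded-copy checks below show the defensive side of the two string-length bugs in this digest: the DASPROF case above, where an environment variable is copied into a fixed stack buffer without a length check, and the isdn_ioctl case from the Mandriva advisory earlier on this page, where a fixed-size field arrives without a NUL terminator. PROFILE_BUF_LEN, the sample path and the function names are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed stack buffer a profile path such as DASPROF
 * would be copied into; the real size in db2dasrrm is not on the page. */
#define PROFILE_BUF_LEN 256

/* Copy a NUL-terminated, untrusted string into a fixed-size buffer only
 * if it fits, terminator included. Returns 0 on success; -1 with errno
 * set to ERANGE when the value is too long, leaving dst untouched. This
 * is the check a plain strcpy(dst, getenv(...)) lacks. */
int copy_value_bounded(const char *val, char *dst, size_t dstlen)
{
    size_t n = strlen(val);
    if (dstlen == 0 || n >= dstlen) {
        errno = ERANGE;
        return -1;
    }
    memcpy(dst, val, n + 1);
    return 0;
}

/* The same check applied to an environment variable: look the name up,
 * then copy only if the value fits. Returns -1 with errno = ENOENT when
 * the variable is unset. */
int copy_env_bounded(const char *name, char *dst, size_t dstlen)
{
    const char *val = getenv(name);
    if (val == NULL) {
        errno = ENOENT;
        return -1;
    }
    return copy_value_bounded(val, dst, dstlen);
}

/* Copy a fixed-size field that may lack a NUL terminator (the shape of
 * the iocts field in the isdn ioctl struct) into a buffer that is always
 * terminated and never overrun. Returns the number of bytes copied. */
size_t copy_fixed_field(const char *field, size_t fieldlen,
                        char *dst, size_t dstlen)
{
    if (dstlen == 0)
        return 0;
    /* Length up to the first NUL, or the whole field if there is none. */
    const char *nul = memchr(field, '\0', fieldlen);
    size_t n = nul ? (size_t)(nul - field) : fieldlen;
    if (n >= dstlen)
        n = dstlen - 1;          /* truncate rather than overflow */
    memcpy(dst, field, n);
    dst[n] = '\0';
    return n;
}

/* Self-check on constructed inputs: returns 1 when an oversized value is
 * rejected, a fitting one is copied intact, and an unterminated field is
 * bounded. */
int self_check(void)
{
    char buf[PROFILE_BUF_LEN];
    char big[PROFILE_BUF_LEN + 64];            /* constructed: cannot fit */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int rejected = (copy_value_bounded(big, buf, sizeof buf) == -1
                    && errno == ERANGE);
    /* constructed sample path; dasusr1 is the account named on the page */
    int copied = (copy_value_bounded("/home/dasusr1/das", buf, sizeof buf) == 0
                  && strcmp(buf, "/home/dasusr1/das") == 0);
    char raw[4] = {'a', 'b', 'c', 'd'};        /* constructed: no terminator */
    char out[3];
    int bounded = (copy_fixed_field(raw, sizeof raw, out, sizeof out) == 2
                   && strcmp(out, "ab") == 0);
    return rejected && copied && bounded;
}
```

The rejection path matters as much as the copy: a set-uid program that cannot fit an environment value into its buffer should fail closed (exit with an error) rather than truncate silently, since a truncated path may point somewhere the caller did not intend.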

III. ANALYSIS

Exploitation allows local attackers to gain root privileges. In order to
exploit this vulnerability, the attacker must have access to execute the
vulnerable set-uid root "db2dasrrm" program.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in IBM
Corp.'s DB2 Universal Database 9.1 with Fix Pack 4 installed on a Linux
system. Versions for other supported UNIX-like systems should also be
considered vulnerable. All previously released versions are suspected
vulnerable.

V. WORKAROUND

The best defense against this type of vulnerability is to prevent
untrusted users from having code execution abilities on the respective
database server. The following workarounds may also be useful.

  * Using a stricter permissions setting for the DB2 instance directory
    would prevent non-instance users from accessing the set-uid root binaries.
  * Remove the set-uid bit from all programs included with DB2.

These configuration changes have not been tested and may cause adverse
behavior.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability with the release of V9.1 Fix
Pack 4a, V8 FixPak 16, and V9.5 Fix Pack 1 of its Universal Database
product. More information can be found at the following URLs.

V8: http://www-1.ibm.com/support/docview.wss?uid=swg21256235

V9.1: http://www-1.ibm.com/support/docview.wss?uid=swg21255572

V9.5: http://www-1.ibm.com/support/docview.wss?uid=swg21287889

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-5758 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/29/2007  Initial vendor notification
12/01/2007  Initial vendor response
04/09/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



[Full-disclosure] iDefense Security Advisory 04.09.08: IBM DB2 Universal Database Administration Server File Creation Vulnerability

2008-04-15 Thread iDefense Labs
iDefense Security Advisory 04.09.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 09, 2008

I. BACKGROUND

IBM Corp.'s DB2 Universal Database product is a large database server
product commonly used for high-end databases. The DB2 Administration
Server (DAS) implements the server component to which the Java-based
DB2 Control Center GUI connects. For more information, visit the
product website at the following URL.

http://ibm.com/db2/

II. DESCRIPTION

Local exploitation of a file creation vulnerability in the
Administration Server of IBM Corp.'s DB2 Universal Database allows
attackers to elevate privileges to root.

This vulnerability exists due to unsafe file access from within the
db2dasrrm program. When a user starts the DAS, the "db2dasrrm" process
is started with root privileges. As part of the initialization, the
"dasRecoveryIndex", "dasRecoveryIndex.tmp", ".dasRecoveryIndex.lock",
and "dasRecoveryIndex.cor" files are created with root privileges. By
removing and re-creating these files as symbolic links, an attacker can
create arbitrary files as root.

III. ANALYSIS

Exploitation allows local attackers to gain root privileges. In order to
exploit this vulnerability, an attacker must have access to an account
that is allowed to start and stop the DB2 Administration Server. For
example, the "dasusr1" account or an account with access to the
"db2adm1" group.

It should be noted that an attacker does not appear to have any control over
the contents of the data written. However, this does not significantly
impact exploitation since the file is created using the user's umask
and group.
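The bug class described above is a privileged process creating or re-opening files by path in a directory a less privileged user can rewrite. As an added example (not IBM's code and not the real DAS logic), the C below shows the two open() patterns that close it: O_CREAT|O_EXCL for new files, and O_NOFOLLOW plus checks on the open descriptor for existing ones. The demo plants a symlink in a scratch directory under /tmp, using the dasRecoveryIndex file name from the advisory, and shows it being refused while an honest path still works. Function names and paths are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a brand-new file, refusing to go through a symbolic link.
 * O_CREAT|O_EXCL makes open() fail with EEXIST if anything already sits
 * at the path, a planted symlink included, so the link can never redirect
 * where a privileged process creates its file. */
int create_new_file(const char *path, mode_t mode)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
}

/* Re-open an existing state file: O_NOFOLLOW rejects a symlink at the
 * final path component, and the ownership/type checks run on the open
 * descriptor (fstat), not on the path, which could be swapped between a
 * check and the open. */
int open_owned_regular(const char *path, uid_t expected_uid)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != expected_uid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Demonstration in a throw-away directory (constructed paths, not DB2's):
 * plant a symlink named like the recovery index, then show that guarded
 * creation and re-opening refuse it while an honest path still works.
 * Returns 1 when all four outcomes hold. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/dasdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char victim[512], planted[512], honest[512];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/dasRecoveryIndex", dir);
    snprintf(honest, sizeof honest, "%s/dasRecoveryIndex.tmp", dir);

    int ok = 0;
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600); /* link target */
    if (vfd >= 0) {
        close(vfd);
        if (symlink(victim, planted) == 0) {
            int fd = create_new_file(planted, 0600);       /* symlink: refused */
            int refused = (fd < 0 && errno == EEXIST);
            int fd2 = create_new_file(honest, 0600);       /* fresh path: ok */
            int created = (fd2 >= 0);
            if (fd2 >= 0)
                close(fd2);
            int fd3 = open_owned_regular(planted, getuid()); /* symlink: ELOOP */
            int refused2 = (fd3 < 0 && errno == ELOOP);
            int fd4 = open_owned_regular(honest, getuid());  /* our own file */
            int reopened = (fd4 >= 0);
            if (fd4 >= 0)
                close(fd4);
            ok = refused && created && refused2 && reopened;
        }
    }
    unlink(planted);
    unlink(victim);
    unlink(honest);
    rmdir(dir);
    return ok;
}
```

The deeper fix, which these calls only approximate, is to keep privileged state files in a directory that only root can write, so there is nothing a local user can replace in the first place.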

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in IBM
Corp.'s DB2 Universal Database 9.1 release with Fix Pack 3 installed on
Linux. Other versions are also suspected to be vulnerable.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this
issue.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability with the release of V9.1 Fix
Pack 4a, V8 FixPak 16, and V9.5 Fix Pack 1 of its Universal Database
product. More information can be found at the following URLs.

V8: http://www-1.ibm.com/support/docview.wss?uid=swg21256235

V9.1: http://www-1.ibm.com/support/docview.wss?uid=swg21255572

V9.5: http://www-1.ibm.com/support/docview.wss?uid=swg21287889

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-5664 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/03/2007  Initial vendor notification
10/16/2007  Initial vendor response
04/09/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Joshua J. Drake (iDefense Labs).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



[Full-disclosure] iDefense Security Advisory 04.14.08: ClamAV libclamav PE WWPack Heap Overflow Vulnerability

2008-04-15 Thread iDefense Labs
iDefense Security Advisory 04.14.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 14, 2008

I. BACKGROUND

Clam AntiVirus is a multi-platform GPL anti-virus toolkit. ClamAV is
often integrated into e-mail gateways and used to scan e-mail traffic
for viruses. It supports virus scanning for a wide variety of packed
Portable Executable (PE) binaries. WWPack is one of the supported
packers. For more information visit the vendor's web site at the
following URL.

http://www.clamav.net/

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Clam AntiVirus'
ClamAV, as included in various vendors' operating system distributions,
allows attackers to execute arbitrary code with the privileges of the
affected process.

The vulnerability exists within the code responsible for reading in
sections within a PE binary packed with the WWPack executable
compressor. See the following excerpt from libclamav/pe.c:

  1879  dsize = max-min+headsize-exe_sections[nsections - 1].rsz;

  1883  if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {

  1897  for(i = 0 ; i < (unsigned int)nsections-1; i++) {
  1898  if(exe_sections[i].rsz) {
  1899  if(!cli_seeksect(desc, &exe_sections[i]) || (unsigned int) cli_readn(desc, dest + headsize + exe_sections[i].rva - min, exe_sections[i].rsz) != exe_sections[i].rsz) {

The size of the allocated heap buffer is calculated on line 1879 using
several values that are under attacker control. The allocation takes
place on line 1883. Within the loop, starting on line 1897, data is
read into the allocated buffer (line 1899).

No validation is done to ensure that the resulting data is not written
outside the bounds of the "dest" buffer. The "headsize",
"exe_sections[i].rva", "min", and "exe_sections[i].rsz" values that are
used for this operation are all under attacker control. As such, an
exploitable heap corruption condition may occur.
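The missing piece is a bounds check before each cli_readn. As an added example (not ClamAV's code or its fix; the struct and function names are assumptions), the C below recomputes dsize with the advisory's formula in overflow-safe 64-bit arithmetic and validates every section's destination range against it before any data would be read, covering the underflow case where rva is smaller than min and the case where 32-bit sums would wrap.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed trimmed section record: only the two fields the excerpt uses. */
struct pe_section {
    uint32_t rva;   /* relative virtual address of the section */
    uint32_t rsz;   /* raw size of the section on disk */
};

/* Recompute dsize exactly as the excerpt's line 1879 does,
 * max - min + headsize - last_rsz, but refuse when the expression would
 * underflow; every input is attacker controlled. Returns 0 on success. */
int compute_dsize(uint32_t max, uint32_t min, uint32_t headsize,
                  uint32_t last_rsz, uint64_t *out)
{
    if (max < min)
        return -1;
    uint64_t v = (uint64_t)(max - min) + headsize;
    if (last_rsz > v)
        return -1;
    *out = v - last_rsz;
    return 0;
}

/* Would reading rsz bytes to dest + headsize + rva - min stay inside a
 * buffer of dsize bytes? Done in 64 bits so 32-bit values cannot wrap
 * the comparison, and rejecting rva < min, which would land before dest. */
bool section_fits(uint64_t dsize, uint32_t headsize, uint32_t min,
                  const struct pe_section *s)
{
    if (s->rva < min)
        return false;
    uint64_t off = (uint64_t)headsize + (s->rva - min);
    uint64_t end = off + s->rsz;
    return end <= dsize;
}

/* Validate every section the excerpt's loop would read (all but the
 * last, mirroring i < nsections-1) before touching the buffer.
 * Returns the index of the first offending section, or -1 if all fit. */
int first_bad_section(uint64_t dsize, uint32_t headsize, uint32_t min,
                      const struct pe_section *secs, unsigned nsections)
{
    for (unsigned i = 0; i + 1 < nsections; i++) {
        if (secs[i].rsz && !section_fits(dsize, headsize, min, &secs[i]))
            return (int)i;
    }
    return -1;
}

/* Worked instance with constructed header values: three sections, the
 * second of which reaches 0x200 bytes past the end of dest.
 * Returns that section's index (1), or -2 if dsize itself is rejected. */
int example_check(void)
{
    uint64_t dsize;
    if (compute_dsize(0x5000, 0x1000, 0x400, 0x200, &dsize) != 0)
        return -2;                                   /* dsize = 0x4200 */
    struct pe_section secs[3] = {
        {0x1000, 0x1000},   /* offset 0x400, end 0x1400: fits      */
        {0x3000, 0x2000},   /* offset 0x2400, end 0x4400: overflows */
        {0x4800, 0x200},    /* last section, not read by the loop  */
    };
    return first_bad_section(dsize, 0x400, 0x1000, secs, 3);
}
```

Rejecting the file is the right response to a failed check: a packed PE whose section table does not fit its own computed destination is either corrupt or hostile, and a scanner should report it as unparseable rather than attempt a partial read.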

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the process using libclamav. In the case of
the clamd program, this will result in code execution with the
privileges of the clamav user. Unsuccessful exploitation results in the
clamd process crashing.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in ClamAV
0.92.1. Previous versions may also be affected.

V. WORKAROUND

Disabling the scanning of PE files will prevent exploitation.

  * If using clamscan, this can be done by running clamscan with the
    '--no-pe' option.
  * If using clamdscan, set the 'ScanPE' option in the clamd.conf file to
    'no'.

VI. VENDOR RESPONSE



VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

03/04/2008  Initial vendor notification
03/06/2008  Initial vendor response
04/14/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Damian Put and Thomas
Pollet.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] iDefense Security Advisory 04.14.08: ClamAV libclamav PeSpin Heap Overflow Vulnerability

2008-04-15 Thread iDefense Labs
iDefense Security Advisory 04.14.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 14, 2008

I. BACKGROUND

Clam AntiVirus is a multi-platform GPL anti-virus toolkit. ClamAV is
often integrated into e-mail gateways and used to scan e-mail traffic
for viruses. It supports virus scanning for a wide variety of packed
Portable Executable (PE) binaries. PeSpin is one of the supported
packer/protectors. For more information visit the vendor's web site at
the following URL.

http://www.clamav.net/

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Clam AntiVirus'
ClamAV, as included in various vendors' operating system distributions,
allows attackers to execute arbitrary code with the privileges of the
affected process.

The vulnerability exists within the code responsible for decompressing
sections within a PE binary packed with the PeSpin executable
protector. See the following excerpt from libclamav/spin.c:

  417    key32 = cli_readint32(ep+0x2fee);
  ...
  427    cli_dbgmsg("spin: Resources (sect%d) appear to be compressed\n\tuncompressed offset %x, len %x\n\tcompressed offset %x, len %x\n", j, sections[j].rva, key32 - sections[j].rva, key32, sections[j].vsz - (key32 - sections[j].rva));
  428
  429    if ( (curr=(char *)cli_malloc(sections[j].vsz)) != NULL ) {
  430      memcpy(curr, src + sections[j].raw, key32 - sections[j].rva); /* Uncompressed part */
  431      memset(curr + key32 - sections[j].rva, 0, sections[j].vsz - (key32 - sections[j].rva)); /* bzero */

On line 417, a 32-bit value is read from the file into the "key32"
variable. Then a heap buffer is allocated using the "sections[j].vsz"
value on line 429. The "memcpy" call on line 430 then copies data into
the newly allocated buffer.

No validation is performed on the "key32", "sections[j].raw", and
"sections[j].rva" values before they are used in the memory copy
operation. Since these values are under attacker control, this can lead
to an exploitable heap corruption condition.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the process using libclamav. In the case of
the clamd program, this will result in code execution with the
privileges of the clamav user. Unsuccessful exploitation results in the
clamd process crashing.

Although it would appear that the following "memset" call will cause a
DoS condition, iDefense Labs confirmed that it is possible to bypass
this call. This is accomplished through manipulating the file such that
the memory layout allows the "sections" structure to be completely
controlled via an overwrite by the "memcpy" call.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in ClamAV
0.92.1. Previous versions may also be affected.

V. WORKAROUND

Disabling the scanning of PE files will prevent exploitation.

  If using clamscan, this can be done by running clamscan with the
  '--no-pe' option.
  If using clamdscan, set the 'ScanPE' option in the clamd.conf file to
  'no'.

VI. VENDOR RESPONSE

The ClamAV team has addressed this vulnerability within version 0.93.
Additionally, the ClamAV team reports, "the vulnerable module was
remotely disabled via virus-db update in March."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-0314 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

03/04/2008  Initial vendor notification
03/06/2008  Initial vendor response
04/14/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Damian Put.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

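The two iDefense advisories above (the PE section loop that reads into "dest" using "headsize", "rva", "min" and "rsz", and the PeSpin excerpt that memcpy's "key32 - sections[j].rva" bytes from "src + sections[j].raw" into a "vsz"-byte buffer) share one defect: file-supplied offsets and lengths reach a heap copy without being compared against the sizes of the buffers involved. The following C program is an added example, not libclamav's code; it models the PeSpin excerpt with the missing checks in place, and the struct, status codes, helper names and the assumption that the whole file is in memory as "src" are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the PE section descriptor fields the advisory names.
 * Constructed for this example; not libclamav's own struct. */
struct pe_section {
    uint32_t raw;   /* file offset of the section's raw data */
    uint32_t rva;   /* virtual address the section is mapped at */
    uint32_t vsz;   /* virtual (in-memory) size of the section */
};

enum spin_status { SPIN_OK = 0, SPIN_BAD_KEY = 1, SPIN_BAD_SRC = 2, SPIN_OOM = 3 };

/* Generic bounds check for "copy len bytes from src+src_off to dst+dst_off".
 * Every operand is compared against a known size before use, and each
 * comparison is arranged so that it cannot wrap around. Returns 1 if safe.
 * The same check covers the "dest" write in the first advisory's loop. */
int copy_in_bounds(size_t dst_size, size_t dst_off,
                   size_t src_size, size_t src_off, size_t len)
{
    if (dst_off > dst_size || len > dst_size - dst_off) return 0;
    if (src_off > src_size || len > src_size - src_off) return 0;
    return 1;
}

/* Checked reconstruction of a PeSpin-packed section, modelled on the
 * advisory's excerpt (malloc vsz, memcpy the uncompressed prefix, zero
 * the rest). key32, raw and rva come from the file and are validated
 * against vsz and the file size before the buffer is touched. */
int spin_unpack_checked(const unsigned char *src, size_t file_size,
                        const struct pe_section *s, uint32_t key32,
                        unsigned char **out)
{
    uint32_t uncompressed;
    unsigned char *curr;

    *out = NULL;
    /* key32 must lie inside the section's virtual range; a key32 below
     * rva would make key32 - rva wrap to a huge memcpy length. */
    if (key32 < s->rva) return SPIN_BAD_KEY;
    uncompressed = key32 - s->rva;
    if (uncompressed > s->vsz) return SPIN_BAD_KEY;   /* would overrun curr */
    /* The uncompressed prefix must actually exist inside the file. */
    if (!copy_in_bounds(s->vsz, 0, file_size, s->raw, uncompressed))
        return SPIN_BAD_SRC;

    curr = malloc(s->vsz ? s->vsz : 1);
    if (curr == NULL) return SPIN_OOM;
    memcpy(curr, src + s->raw, uncompressed);               /* Uncompressed part */
    memset(curr + uncompressed, 0, s->vsz - uncompressed);  /* bzero */
    *out = curr;
    return SPIN_OK;
}

/* Helper: build a constructed file of the given size, attempt the unpack
 * with the supplied (possibly hostile) header values, and report the
 * status code. Used by the demo below and by the tests. */
int spin_try(uint32_t raw, uint32_t rva, uint32_t vsz, uint32_t key32,
             size_t file_size)
{
    unsigned char *file = malloc(file_size);
    struct pe_section s = { raw, rva, vsz };
    unsigned char *out = NULL;
    int rc;

    if (file == NULL) return SPIN_OOM;
    memset(file, 0x41, file_size);   /* constructed filler content */
    rc = spin_unpack_checked(file, file_size, &s, key32, &out);
    free(out);
    free(file);
    return rc;
}

int main(void)
{
    /* Well-formed: 0x100 uncompressed bytes inside a 0x400-byte section. */
    printf("valid header      -> %d\n", spin_try(0x200, 0x1000, 0x400, 0x1100, 0x1000));
    /* key32 - rva exceeds vsz: the unchecked memcpy would overrun curr. */
    printf("key32 past vsz    -> %d\n", spin_try(0x200, 0x1000, 0x400, 0x1500, 0x1000));
    /* key32 below rva: key32 - rva wraps to a huge length. */
    printf("key32 below rva   -> %d\n", spin_try(0x200, 0x1000, 0x400, 0x0F00, 0x1000));
    /* raw offset near the end of the file: memcpy would read past src. */
    printf("raw past file end -> %d\n", spin_try(0xF80, 0x1000, 0x400, 0x1100, 0x1000));
    return 0;
}
```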


[Full-disclosure] [SECURITY] [DSA 1540-2] New lighttpd packages fix denial of service

2008-04-15 Thread Steve Kemp


--------------------------------------------------------------------------
Debian Security Advisory DSA-1540-2                      [EMAIL PROTECTED]
http://www.debian.org/security/                               Steve Kemp
April 15, 2008                         http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : lighttpd
Vulnerability  : DOS
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-1531

It was discovered that lighttpd, a fast webserver with minimal memory
footprint, did not correctly handle SSL errors.  This could allow
a remote attacker to disconnect all active SSL connections.

This security update fixes a regression in the previous one, which caused
SSL failures.

For the stable distribution (etch), this problem has been fixed in version
1.4.13-4etch8.

We recommend that you upgrade your lighttpd package.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------


Re: [Full-disclosure] Web Application Security Awareness Day

2008-04-15 Thread Jeff Stebelton
On Tue, Apr 15, 2008 at 12:32 PM, n3td3v <[EMAIL PROTECTED]> wrote:
>
> Why May 1st 2008? Because web applications are closely related to
> e-commerce and May Day is a common day for peaceful anti-capitalism
> protests, so it makes sense to be on this day.
>

I almost missed this little jewel, having the inestimable Mr. "n3td3v"
in my junk list (anyone else think it odd he always refers to himself in
the third party?)

I want to see if I can follow the logic here. May 1st is a common day
for ANTI-capitalism protests. Web applications are tied to e-commerce.
Therefore, the day you *protest* commerce is the perfect day to hold a
contest that conceivably you wish to help make commerce more *secure*?
These threads never fail to provide some comic relief just when I need it.



Re: [Full-disclosure] Web Application Security Awareness Day

2008-04-15 Thread Ureleet
god, seriously.  can we set up a list for all these contests?  every day i
get another contest email on fd!  it's almost as bad as these conferences!  r
u serious!?


On Tue, Apr 15, 2008 at 12:32 PM, n3td3v <[EMAIL PROTECTED]> wrote:

>
> Web Application Security Awareness Day will be hosted on May 1st 2008.
>
> A winner will be declared for the best web application bug.
>
> To be in the running, your submission must be publicly disclosed to
> a mailing list on May the 1st 2008.
> This will be the first time Web Application Security Awareness Day has
> taken place.
>
> I hope it will catch on and that it will take place every year.
>
> The purpose of Web Application Security Awareness Day? To bring
> awareness towards the causes and issues surrounding web application
> security.
>
> Why May 1st 2008? Because web applications are closely related to
> e-commerce and May Day is a common day for peaceful anti-capitalism
> protests, so it makes sense to be on this day.
>
> I hope through an increase in web application bug disclosure on this
> day it will draw attention to web application security, for the better
> of everyone.
>
> Web Application Security Awareness Day is a work in development; if it
> is successful this year, I will add more award categories for next year.
>
> All submissions must be legal and above board; I do not want things
> compromised.
>
> Happy web application bug hunting!
>
> n3td3v
>

Re: [Full-disclosure] Fwd: n3td3v has a fan

2008-04-15 Thread mark seiden-via mac
in my opinion a few of the "facts" in this posting may actually be
true (the ones with a possible harmless interpretation), but most are
colored by a deeply distorted view of reality.  also, a seeming
inability to closely read, critically think, or analyze risk rationally.
participating in politics requires all of these, as well as an ability
to listen to other points of view.

(since i seem to be among the dramatis personae in his Davidsbund), i
can say n3td3v seldom ceases to disappoint me, and make me regret having
had some impulse to be helpful that resulted in past interchanges with
him.

btw, n3td3v, I know Gadi Evron, and you're no Gadi Evron.  (this is
probably a good thing, as there probably ain't room enough in the world
for two of them...)

sadly,

the cross-eyed bear.

On Apr 14, 2008, at 11:05 PM, n3td3v wrote:

> On Mon, Apr 14, 2008 at 8:31 PM, Kurt Dillard <[EMAIL PROTECTED]>  
> wrote:
>> - Bad guys would never think to, you know, go to the campus and  
>> look around?
>
> You forget, the intelligence services are in depth with Yahoo already,
> and some of their senior software engineers are in the service.
>
> I have spoken to these people in person, I know what's going on as far
> as intelligence is concerned, I have protested for years against one
> of them who used intelligence I gave him, against me, against the
> people my intelligence was from and bettered his career.
>
> In fact, the guy used my advice so much, he set up his own intelligence
> conference in Yahoo and stood up in front of everyone and gave a talk
> on the intelligence I had given him over the years about Yahoo hacker
> enemies, that's not all, after the conference to which he gave a speech
> to, he was offered a job as Yahoo Messenger security engineer, where
> the Yahoo employee, who I believe to work for French intelligence, was
> able to get into a key Yahoo communication job with Yahoo Inc, to
> plant code into the Yahoo Messenger service.
>
> The employee, before getting into Yahoo, worked for the French military
> as an 18 year old, then suspiciously walked away from that, moved to
> the United States as Yahoo was formed into a corporation from a simple
> page on the internet as a directory.
>
> This is not all, the employee, who I know about, didn't apply for this
> job into Yahoo as, at the time, a Yahoo Chat engineer, but was fast
> tracked into Yahoo by other adversaries, then after he was in Yahoo,
> (the French guy), the person who fast tracked him into Yahoo left
> Yahoo. This was way back when Yahoo was beginning to look like a major
> corporation in the internet space.
>
> For years I've given the names of these employees and other
> information to Yahoo, but they fail to act upon the information for
> lack of formal evidence, but I have had hands-on dealings with the French
> employee, who is a senior software developer, who used my
> intelligence, not to protect Yahoo, but to further his career.
>
> Further from that, this person was fast tracked into Yahoo through
> suspicious reasoning, not only that, he asked me not to mention how he
> got fast tracked, and that the majority of his work force didn't know
> how he got into Yahoo.
>
> He told me that there was a split in Yahoo between the good guys and
> the bad, he said the good guys were good, but the bad guys knew who
> the bad guys were and had ringed together within Yahoo security team
> and the rest of its work force to gather intelligence on Yahoo
> operations.
>
> The person in question, back in the day, when I probed him, gave me
> access to his cube via webcam, and other data. There was also phone
> call exchange between me and the employee, via corporate phone bill,
> funded by Yahoo to my cell phone.
>
> He manipulated me and the intelligence I gave him to get ahead within
> the corporation. He openly hacked into things during work hours which
> were outwith Yahoo, he hacked into Yahoo-assualt.org which was a
> major underground website for "Yahoo progz" and left rude comments
> under each php-nuke content management system notice on the front page
> via comment source, so the defacement of the site over a period wasn't
> known by the immediate owners, as the defacement was source code
> based, only to prove to me he had root to the site that Yahoo security
> were investigating.
>
> He said he would stay at Yahoo even after hours, because it was far
> easier to do malicious activity within the boundaries of Yahoo than to
> go home to his 100k+ modem.
>
> His wife, he said, was aware of his activities but fully supported him
> throughout, in fact, he discovered his wife from the Yahoo Chat hacker
> scene from which he was originally head hunted.
>
> The employee is still working in Yahoo as a senior software engineer,
> who has access and connections with Yahoo security team and is on the
> most part trusted by them as a credible part of the overall workforce
> at Yahoo, although n3td3v operations, back in the day know more is
> go

[Full-disclosure] gallarific backdoored , vulnerable to xss

2008-04-15 Thread Thomas Pollet
Hello,

I was looking at the free version of gallarific, and I found some suspicious
code in the scopbin directory.
Attached is a file I found in the zip I downloaded, in case someone wants to
decode it.

the package can be downloaded from
http://www.gallarific.com/download.php

Also, the software contains several xss flaws:

1) When modifying a user's email address to something like
[EMAIL PROTECTED]">alert(1);
persistent xss will occur when viewing gadmin/users.php or moderating the
comments in gadmin/comments.php

2) When adding a comment like ">alert(1) , xss will occur
when moderating the comments

3) gallery/tags.php?tag=">alert(1)

4) probably more bugs.

Regards,
Thomas Pollet



[Full-disclosure] Web Application Security Awareness Day

2008-04-15 Thread n3td3v
Web Application Security Awareness Day will be hosted on May 1st 2008.

A winner will be declared for the best web application bug.

To be in the running, your submission must be publicly disclosed to
a mailing list on May the 1st 2008.
This will be the first time Web Application Security Awareness Day has
taken place.

I hope it will catch on and that it will take place every year.

The purpose of Web Application Security Awareness Day? To bring
awareness towards the causes and issues surrounding web application
security.

Why May 1st 2008? Because web applications are closely related to e-commerce
and May Day is a common day for peaceful anti-capitalism protests, so
it makes sense to be on this day.

I hope through an increase in web application bug disclosure on this
day it will draw attention to web application security, for the better
of everyone.

Web Application Security Awareness Day is a work in development; if it
is successful this year, I will add more award categories for next year.

All submissions must be legal and above board; I do not want things compromised.

Happy web application bug hunting!

n3td3v



Re: [Full-disclosure] Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows

2008-04-15 Thread Erik Harrison
It's not always easy to know what libs all of your apps are using. Unless of
course you're managing a small set of systems, have a lot of time, or are
particularly godlike at what you do. I think it's great that they identify
the software using it. Frankly, if I'm in an enterprise environment running
Lotus for some god awful reason, that's going to get my attention more than
one of its libraries.

Yes, it does inflate their stats on number of vuln advisories published in a
year, but whatever - I don't care about that. What's the better way to deal
with it? Try and push one advisory listing 1000 apps affected in its
content? Even then, you're not going to have an accurate list. I think it
-is- better to publish one advisory per affected piece of software. When I'm
skimming the 100 or so that hit my inbox every day, I don't have the luxury
of opening each one. Unfortunate, but that's the reality for most security staff.

It's only going to get worse. Reporting is going to increase and threats are
going to apply to far more products inheriting the same code. What's the
best, most scalable way of dealing with this? Anyone have any ideas on that
one?



On Tue, Apr 15, 2008 at 10:20 AM, Luigi Auriemma <[EMAIL PROTECTED]>
wrote:

> > Autonomy Keyview Folio Flat File Parsing Buffer Overflows
> > Autonomy Keyview Applix Graphics Parsing Vulnerabilities
> > Autonomy Keyview EML Reader Buffer Overflows
> > activePDF DocConverter Folio Flat File Parsing Buffer Overflows
> > activePDF DocConverter Applix Graphics Parsing Vulnerabilities
> > Lotus Notes Applix Graphics Parsing Vulnerabilities
> > Lotus Notes Folio Flat File Parsing Buffer Overflows
> > Lotus Notes EML Reader Buffer Overflows
> > Lotus Notes kvdocve.dll Path Processing Buffer Overflow
> > Lotus Notes htmsr.dll Buffer Overflows
> > Symantec Mail Security Folio Flat File Parsing Buffer Overflows
> > Symantec Mail Security Applix Graphics Parsing Vulnerabilities
>
> 12 mails for the same library?
>
> From what I have understood all the bugs are just in this Autonomy
> Keyview library, so in my opinion reporting the same identical bugs in
> each software which uses this third-party component, and additionally
> without saying that the problem in reality is in the library, is wrong
> and leads to a lot of confusion.
>
> It's just like if someone finds a bug in zlib and releases 1
> advisories, one for each program in the world which uses the library...
> the bug is not in these 1 programs but only in zlib.
>
>
> ---
> Luigi Auriemma
> http://aluigi.org
>
>

Re: [Full-disclosure] Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows

2008-04-15 Thread Luigi Auriemma
> Autonomy Keyview Folio Flat File Parsing Buffer Overflows
> Autonomy Keyview Applix Graphics Parsing Vulnerabilities
> Autonomy Keyview EML Reader Buffer Overflows
> activePDF DocConverter Folio Flat File Parsing Buffer Overflows
> activePDF DocConverter Applix Graphics Parsing Vulnerabilities 
> Lotus Notes Applix Graphics Parsing Vulnerabilities
> Lotus Notes Folio Flat File Parsing Buffer Overflows
> Lotus Notes EML Reader Buffer Overflows
> Lotus Notes kvdocve.dll Path Processing Buffer Overflow
> Lotus Notes htmsr.dll Buffer Overflows
> Symantec Mail Security Folio Flat File Parsing Buffer Overflows
> Symantec Mail Security Applix Graphics Parsing Vulnerabilities

12 mails for the same library?

From what I have understood all the bugs are just in this Autonomy
Keyview library, so in my opinion reporting the same identical bugs in
each software which uses this third-party component, and additionally
without saying that the problem in reality is in the library, is wrong
and leads to a lot of confusion.

It's just like if someone finds a bug in zlib and releases 1
advisories, one for each program in the world which uses the library...
the bug is not in these 1 programs but only in zlib.


--- 
Luigi Auriemma
http://aluigi.org



Re: [Full-disclosure] How should Full-Disclosure be funded?

2008-04-15 Thread Ureleet
i don't need to research a thing.  that's what you obviously don't understand
about this list, it's open, it's free, it's full disclosure.
oh, and we don't believe you.

On Mon, Apr 14, 2008 at 10:28 PM, n3td3v <[EMAIL PROTECTED]> wrote:

> On Tue, Apr 15, 2008 at 2:43 AM, Ureleet <[EMAIL PROTECTED]> wrote:
> > n3td3v, seriously, i just googled ur name, and you seriously took out a
> > google ad for your name? and pointed it to security.yahoo.com?  really?
> > everyone google n3td3v and click on his link, if we can't make him hush
> > up, maybe we can at least make him spend a little money.
>
> N00b, you need to research before you post---
> http://seclists.org/fulldisclosure/2007/Nov/0510.html
>
> All the best,
>
> n3td3v
>

Re: [Full-disclosure] DEF CON 16 Retro Announcement! Back to Bang!

2008-04-15 Thread Ureleet
i just criticized the link.  and quit yelling at people for cropping your
emails if you are going to crop everyone else's, even in the middle of a
sentence.  oh, and you still can't reference yourself as a reference.

On Mon, Apr 14, 2008 at 10:23 PM, n3td3v <[EMAIL PROTECTED]> wrote:

>
> On Tue, Apr 15, 2008 at 2:28 AM, Ureleet <[EMAIL PROTECTED]> wrote:
> > On Mon, Apr 14, 2008 at 8:57 PM, n3td3v <[EMAIL PROTECTED]> wrote:
> > > See
> >
> http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061450.html
> > > to see how the bedroom hacker is no longer the threat and that the new
> > > threat to the internet is world government's and its intelligence
> > > services.
> >
> > i don't think u can quote yourself as an authority in your own email.
>
> I haven't seen anyone challenge or criticise that link yet, but I'm
> sure you're still plotting a reply, as is Valdis and co.
> Maybe folks are scared to speak out against the upcoming U.S. cyber
> command... I know I'm not.
>
> All the best with your securities and insecurities,
>
> n3td3v
>

[Full-disclosure] [ MDVSA-2008:085 ] - Updated python packages fix arbitrary code execution vulnerability

2008-04-15 Thread security


 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:085
 http://www.mandriva.com/security/
 ___
 
 Package : python
 Date: April 15, 2008
 Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0,
   Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 Integer signedness error in the zlib extension module in Python 2.5.2
 and earlier allows remote attackers to execute arbitrary code via a
 negative signed integer, which triggers insufficient memory allocation
 and a buffer overflow.
 
 The updated packages have been patched to prevent this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721
 ___
 
 Updated Packages:
 

[Full-disclosure] clamav: Endless loop / hang with crafted arj, CVE-2008-1387

2008-04-15 Thread Hanno Böck
Advisory published at:
http://int21.de/cve/CVE-2008-1387-clamav.html

clamav: Endless loop / hang with crafted arj, CVE-2008-1387

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1387
http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html

Description

CERT-FI published an advisory with a large number of samples of crafted 
archives.
The file with the md5sum b6046d890e6bd304e3756c88b989559a (named 
b6046d890e6bd304e3756c88b989559a.arj) hangs clamav with high load.

If you're running clamav on a mail server, an attacker can DoS your server 
remotely by sending some mails with the archive attached.

Workaround/Fix

clamav 0.93 fixes this issue besides other security issues; if you're running 
clamav, you should upgrade as soon as possible.

Disclosure Timeline

2008-03-17 CERT-FI publishes advisory
2008-03-26 Vendor contacted
2008-03-27 Vendor approves issue
2008-04-14 Vendor releases 0.93
2008-04-16 Advisory published

CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2008-1387 to this issue. This is a candidate for inclusion in the CVE 
list (http://cve.mitre.org/), which standardizes names for security problems.

Credits and copyright

This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting. 
It's licensed under the Creative Commons Attribution license.

Hanno Boeck, 2008-04-16, http://www.hboeck.de
-- 
Hanno Böck  Blog:   http://www.hboeck.de/
GPG: 3DBD3B20   Jabber/Mail:[EMAIL PROTECTED]


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
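Added example, not part of Hanno Böck's advisory and not code from the ClamAV project: a POSIX shell check that reports whether an installed ClamAV predates 0.93, the release the advisory names as the fix. It assumes that `clamscan --version` prints "ClamAV <version>/<signature db>/<date>" as its first line; the banners in the block are constructed samples so the functions can be exercised on a host with no scanner installed, and the live check at the end only runs when `clamscan` is on the PATH.

```shell
#!/bin/sh
# Added example, not from the advisory or from ClamAV.
# Flags a ClamAV build older than 0.93, the fixed release for CVE-2008-1387.
# Assumption: `clamscan --version` prints "ClamAV <version>/<sigdb>/<date>"
# on its first line.

FIXED_VERSION="0.93"

# clamav_version_from_banner BANNER
#   Prints the dotted version number found in a clamscan version banner,
#   e.g. "ClamAV 0.92.1/6765/Mon Apr 14 ..." -> "0.92.1"; prints nothing
#   when the banner does not look like ClamAV output.
clamav_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*$/\1/p'
}

# version_lt A B
#   Exit 0 when dotted version A is strictly older than B. Components are
#   compared numerically left to right; a missing component counts as 0,
#   so 0.93 is not older than 0.93 and 0.93.1 is newer than 0.93.
version_lt() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; a=${a#*.}
        bc=${b%%.*}; b=${b#*.}
        ac=${ac:-0}; bc=${bc:-0}
        if [ "$ac" -lt "$bc" ]; then return 0; fi
        if [ "$ac" -gt "$bc" ]; then return 1; fi
    done
    return 1
}

# clamav_verdict BANNER
#   Prints "vulnerable", "fixed" or "unknown" for the build BANNER describes.
clamav_verdict() {
    v=$(clamav_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Constructed sample banners (not real scanner output) showing both verdicts.
for banner in 'ClamAV 0.92.1/6765/Mon Apr 14 12:00:00 2008' \
              'ClamAV 0.93/7000/Tue Apr 15 12:00:00 2008'; do
    echo "$(clamav_verdict "$banner")  $banner"
done

# On a real host, check the installed scanner (skipped when absent).
if command -v clamscan >/dev/null 2>&1; then
    installed=$(clamscan --version 2>/dev/null | head -n 1)
    echo "$(clamav_verdict "$installed")  $installed"
fi
```

The comparison is on the upstream version string alone: a distribution package that backports the 0.93 fix into an older version number will still be reported as vulnerable, so confirm against your vendor's advisory before acting on the result.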