Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Valdis . Kletnieks
On Tue, 27 May 2008 12:50:38 EDT, Stack Smasher said:

> "If you see me laughing, you better have backups"

Even funnier if the contractor is the one tasked with doing backups. :)


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Gary Wilson

On Tue, May 27, 2008 16:46, Simon Smith wrote:
> Does anyone here have a contact for Ford Motors IT Department,
> Specifically for abuse?
> --
>

Europe, or US?  And in relation to their online activities or other?

When I was on my placement year, I did all of Ford Europe's website and I
was employed by the marketing company Wunderman Cato Johnson - so I guess
contacting them if it's Europe and to do with their online presence.

Things may have changed, but a quick Google suggests Wunderman are still
heavily involved with Ford, Europe.

HTH

GW



-- 
   /   Gary Wilson, aka dragon/dragonlord/dragonv480\
 .'(_.--.  e: [EMAIL PROTECTED] MSN: dragonv480   .--._)`.
<   _   |  Skype:dragonv480 ICQ:342070475 AIM:dragonv480   |   _   >
 `.( `--' w: http://volvo480.northernscum.org.uk   `--' ).'
   \w: http://www.northernscum.org.uk   /




[Full-disclosure] [SECURITY] [DSA 1588-1] New Linux 2.6.18 packages fix several vulnerabilities

2008-05-27 Thread dann frazier
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1588-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                           dann frazier
May 27, 2008                          http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: linux-2.6
Vulnerability  : denial of service
Problem type   : local/remote
Debian-specific: no
CVE Id(s)  : CVE-2007-6712 CVE-2008-1615 CVE-2008-2136 CVE-2008-2137

Several vulnerabilities have been discovered in the Linux kernel that may
lead to a denial of service. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2007-6712

Johannes Bauer discovered an integer overflow condition in the hrtimer
subsystem on 64-bit systems. This can be exploited by local users to
trigger a denial of service (DoS) by causing the kernel to execute an
infinite loop.

CVE-2008-1615

Jan Kratochvil reported a local denial of service condition that
permits local users on systems running the amd64 flavor kernel
to cause a system crash.

CVE-2008-2136

Paul Harks discovered a memory leak in the Simple Internet Transition
(SIT) code used for IPv6 over IPv4 tunnels. This can be exploited
by remote users to cause a denial of service condition.

CVE-2008-2137

David Miller and Jan Lieskovsky discovered issues with the virtual
address range checking of mmaped regions on the sparc architecture
that may be exploited by local users to cause a denial of service.

For the stable distribution (etch), this problem has been fixed in version
2.6.18.dfsg.1-18etch5.

Builds for linux-2.6/s390 and fai-kernels/powerpc were not yet available at
the time of this advisory. This advisory will be updated as these builds
become available.

We recommend that you upgrade your linux-2.6, fai-kernels, and
user-mode-linux packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:

                             Debian 4.0 (etch)
     fai-kernels             1.17+etch.18etch5
     user-mode-linux         2.6.18-1um-2etch.18etch5

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, and sparc.


Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Nate McFeters
Is this in response to a vulnerability to report, or in response to some
other form of abuse, like spam?

-Nate


On 5/27/08, Gary Wilson <[EMAIL PROTECTED]> wrote:
>
>
> On Tue, May 27, 2008 16:46, Simon Smith wrote:
> > Does anyone here have a contact for Ford Motors IT Department,
> > Specifically for abuse?
> > --
> >
>
> Europe, or US?  And in relation to their online activities or other?
>
> When I was on my placement year, I did all of Ford Europe's website and I
> was employed by the marketing company Wunderman Cato Johnson - so I guess
> contacting them if it's Europe and to do with their online presence.
>
> Things may have changed, but a quick Google suggests Wunderman are still
> heavily involved with Ford, Europe.
>
> HTH
>
> GW
>
>
>

Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Simon Smith
In response to them still being infected with SQL Slammer and it probing
my networks regularly.

Nate McFeters wrote:
> Is this in response to a vulnerability to report, or in response to some 
> other form of abuse, like spam?
>  
> -Nate
> 
>  
> On 5/27/08, *Gary Wilson* <[EMAIL PROTECTED] 
> > wrote:
> 
> 
> On Tue, May 27, 2008 16:46, Simon Smith wrote:
>  > Does anyone here have a contact for Ford Motors IT Department,
>  > Specifically for abuse?
>  > --
>  >
> 
> Europe, or US?  And in relation to their online activities or other?
> 
> When I was on my placement year, I did all of Ford Europe's website
> and I was employed by the marketing company Wunderman Cato Johnson - so I
> guess contacting them if it's Europe and to do with their online presence.
> 
> Things may have changed, but a quick Google suggests Wunderman are still
> heavily involved with Ford, Europe.
> 
> HTH
> 
> GW
> 
> 
> 


-- 

- simon

--
http://www.snosoft.com



Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Anders B Jansson
Simon Smith wrote:
> In response to them still being infected with SQL Slammer and it probing
> my networks regularly.

Ah, them and a gazillion of others.

I ran a little experiment some time ago.

I had an unused IP address (bog standard dynamic home issue cable feed) and just
for fun I installed nepenthes (and Nessus) on an old PC and logged how, when
and with what it was attacked.

After a week I dropped generic portscans from the log because it was too much 
to process.

After a month I dropped sql-slammer from the log because it was also too much to
process.

After six months I cancelled the entire project because it was too depressing.

Now I only detect, log and drop ssh brute force attempts (avg 3-4 per day,
mainly from mainland China and some from Korea).

Limiting the continued propagation of sql-slammer is both a worthy and 
commendable deed.

But I'm afraid that it's totally futile.

Even if you _do_ manage to get someone to react and investigate they will just
tell you that the source is a server managed by some external entity that
management has forced them to accept on their network (see last week's
discussion on that subject).
-- 
// hdw



Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Michael Holstein

> In response to them still being infected with SQL Slammer and it probing
> my networks regularly.
>   
Let me guess .. it's 136.1.7.55 ?

Here's what I get (from ford) every time that IP pops up in our 
automated abuse report ..

--snip--

Our investigation into this matter has determined that the recent onset
of attacks from this IP is the result of the IP being forged by an
external party.  External parties will commonly use IP addresses that
belong to large organizations to mask network traffic.

--snip--

Cheers,

Michael Holstein
Cleveland State University




Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Ray P

When that stuff first showed up last year I emailed their ARIN contact and got 
a real person. They got back to me within a day and said the same thing. SQL 
Slammer is a single packet UDP attack so their response is 100% plausible.

Ray

> 
> > In response to them still being infected with SQL Slammer and it probing
> > my networks regularly.
> >   
> Let me guess .. it's 136.1.7.55 ?
> 
> Here's what I get (from ford) every time that IP pops up in our 
> automated abuse report ..
> 
> --snip--
> 
> Our investigation into this matter has determined that the recent onset
> of attacks from this IP is the result of the IP being forged by an
> external party.  External parties will commonly use IP addresses that
> belong to large organizations to mask network traffic.
> 
> --snip--
> 
> Cheers,
> 
> Michael Holstein
> Cleveland State University
> 
> 

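Ray's point, that a worm carried in a single unsolicited UDP datagram gives the receiver no handshake with which to verify the source address, is worth building into any automated abuse report. The following added example (not code from any poster in this thread) matches the Slammer shape, UDP to port 1434 with a 376-byte payload, over constructed flow records, summarises per source, and writes a report that states the spoofing caveat instead of asserting infection. The record format is an assumption made for the example.

```python
"""Flag Slammer-shaped probes in flow records and write an abuse report that
treats the source address as unverified."""

SLAMMER_PORT = 1434        # SQL Server Resolution Service, UDP
SLAMMER_PAYLOAD = 376      # the worm travels as one 376-byte UDP datagram

# Constructed sample records: "epoch src dst proto dport udp_payload_len".
# 203.0.113.7 sweeps three hosts; the other lines are DNS, a TCP flow and a
# short UDP/1434 packet that is not the worm.
SAMPLE_RECORDS = """\
1211900001 203.0.113.7 198.51.100.10 udp 1434 376
1211900002 203.0.113.7 198.51.100.11 udp 1434 376
1211900003 192.0.2.44 198.51.100.10 udp 53 61
1211900004 203.0.113.7 198.51.100.12 udp 1434 376
1211900005 192.0.2.99 198.51.100.10 tcp 1433 0
1211900006 192.0.2.44 198.51.100.10 udp 1434 40
"""


def parse_records(text):
    """Turn the six-field text records into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6:
            continue
        records.append({"ts": int(f[0]), "src": f[1], "dst": f[2],
                        "proto": f[3].lower(), "dport": int(f[4]), "len": int(f[5])})
    return records


def is_slammer_probe(rec):
    """Match the worm's fixed shape: UDP to 1434 carrying exactly 376 payload bytes."""
    return (rec["proto"] == "udp" and rec["dport"] == SLAMMER_PORT
            and rec["len"] == SLAMMER_PAYLOAD)


def summarize(records):
    """Per-source summary of matching probes: count, first/last seen, distinct targets."""
    summary = {}
    for rec in filter(is_slammer_probe, records):
        s = summary.setdefault(rec["src"], {"count": 0, "first": rec["ts"],
                                            "last": rec["ts"], "targets": set()})
        s["count"] += 1
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
        s["targets"].add(rec["dst"])
    return summary


def abuse_report(src, s):
    """State what was observed and, explicitly, what it does not prove."""
    return "\n".join([
        f"Source {src}: {s['count']} UDP/{SLAMMER_PORT} datagrams of {SLAMMER_PAYLOAD} bytes",
        f"  between {s['first']} and {s['last']} to {len(s['targets'])} distinct hosts.",
        "  Caveat: a single unsolicited UDP datagram completes no handshake, so the",
        "  source address is unverified and may be spoofed. Please check whether this",
        f"  address, or anything NATed or VPNed behind it, emits UDP/{SLAMMER_PORT} traffic.",
    ])


def report_all(text):
    """Convenience wrapper: parse, summarise and render one report per source."""
    summary = summarize(parse_records(text))
    return {src: abuse_report(src, s) for src, s in summary.items()}
```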

Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Simon Smith
Indeed, that is the IP address.

That IP address appears to be bound to some sort of a VPN system for 
ford. Perhaps its infected VPN users?

Michael Holstein wrote:
> 
>> In response to them still being infected with SQL Slammer and it
>> probing my networks regularly.
>>   
> Let me guess .. it's 136.1.7.55 ?
> 
> Here's what I get (from ford) every time that IP pops up in our 
> automated abuse report ..
> 
> --snip--
> 
> Our investigation into this matter has determined that the recent onset
> of attacks from this IP is the result of the IP being forged by an
> external party.  External parties will commonly use IP addresses that
> belong to large organizations to mask network traffic.
> 
> --snip--
> 
> Cheers,
> 
> Michael Holstein
> Cleveland State University
> 
> 

-- 

- simon

--
http://www.snosoft.com



Re: [Full-disclosure] Ford Motors IT Contact

2008-05-27 Thread Bruce Ediger
On Tue, 27 May 2008, Anders B Jansson wrote:

> Limiting the continued propagation of sql-slammer is both a worthy and
> commendable deed.
>
> But I'm afraid that it's totally futile.

How so?  Code Red II and Nimda appear to have disappeared, albeit after many
years.

I suspect that somebody let loose the Crclean anti-worm on Code Red II, but
nobody appears to want to confess to it.  I bet that SQL-Slammer would be
vulnerable to the same sort of anti-worm (i.e. responding only to SQL-slammer
scans, rather than doing scanning on its own).

--NSA--CIA--FBI--NRO--TSA--JENKEM--DHS--BUTTHASH--TIARA--GHCQ--ECHELON--
   As for you government types intercepting this,
   thanks for keeping us safe from our freedoms.
   Warrantless wiretapping is un-American and unpatriotic.



[Full-disclosure] [ GLSA 200805-21 ] Roundup: Permission bypass

2008-05-27 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200805-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Roundup: Permission bypass
  Date: May 27, 2008
  Bugs: #212488, #214666
ID: 200805-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Roundup allows for bypassing permission
restrictions.

Background
==

Roundup is an issue-tracking system with command-line, web and e-mail
interfaces.

Affected packages
=

---
 Package   /  Vulnerable  / Unaffected
---
  1  www-apps/roundup < 1.4.4-r1   >= 1.4.4-r1

Description
===

Philipp Gortan reported that the xml-rpc server in Roundup does not
check property permissions (CVE-2008-1475). Furthermore, Roland Meister
discovered multiple vulnerabilities caused by unspecified errors, some
of which may be related to cross-site scripting (CVE-2008-1474).

Impact
==

A remote attacker could possibly exploit the first vulnerability to
edit or view restricted properties via the list(), display(), and set()
methods. The impact and attack vectors of the second vulnerability are
unknown.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Roundup users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/roundup-1.4.4-r1"

References
==

  [ 1 ] CVE-2008-1474
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1474
  [ 2 ] CVE-2008-1475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1475

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200805-21.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



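The flaw behind CVE-2008-1475 is a front end whose list(), display() and set() methods hand out and write properties without consulting the per-property permissions that the web interface enforces. The following added example (an illustrative model, not Roundup's own code) shows the unchecked shape beside a fixed shape in which every named property is checked against the caller's roles, and set() rejects the whole request before writing anything. The role names, rule format and sample data are constructed for the example.

```python
"""Property-level permission checks for an XML-RPC style tracker front end.

Illustrative model only: roles grant (operation, class, properties) and the
RPC methods must consult those grants for every property they touch."""


class PermissionDenied(Exception):
    pass


class Tracker:
    def __init__(self, roles, rules, items):
        self.roles = roles    # username -> set of role names
        self.rules = rules    # (role, op, klass, props): props None = every property
        self.items = items    # (klass, id) -> dict of properties

    def allowed(self, user, op, klass, prop):
        """True if any of the user's roles grants `op` on klass.prop."""
        for role, r_op, r_klass, props in self.rules:
            if (role in self.roles.get(user, set()) and r_op == op
                    and r_klass == klass and (props is None or prop in props)):
                return True
        return False

    # Vulnerable shape: returns every property the item has, whoever asks.
    def display_unchecked(self, user, klass, itemid):
        return dict(self.items[(klass, itemid)])

    # Fixed shape: explicitly requested restricted properties are refused,
    # and an unqualified request returns only what the caller may view.
    def display(self, user, klass, itemid, props=None):
        item = self.items[(klass, itemid)]
        wanted = props or list(item)
        denied = [p for p in wanted if not self.allowed(user, "view", klass, p)]
        if props and denied:
            raise PermissionDenied(f"no view permission for {klass}.{denied}")
        return {p: item[p] for p in wanted if p not in denied}

    def list(self, user, klass, prop="id"):
        """Item ids, or one property of every item if the caller may view it."""
        if prop != "id" and not self.allowed(user, "view", klass, prop):
            raise PermissionDenied(f"no view permission for {klass}.{prop}")
        return [itemid if prop == "id" else item[prop]
                for (k, itemid), item in sorted(self.items.items()) if k == klass]

    def set(self, user, klass, itemid, **changes):
        """Check every property first so a denied one causes no partial write."""
        denied = [p for p in changes if not self.allowed(user, "edit", klass, p)]
        if denied:
            raise PermissionDenied(f"no edit permission for {klass}.{denied}")
        self.items[(klass, itemid)].update(changes)
        return dict(self.items[(klass, itemid)])


def make_tracker():
    """Constructed sample: an ordinary user may see only public user fields."""
    roles = {"alice": {"User"}, "root": {"Admin"}}
    rules = [
        ("Admin", "view", "user", None),
        ("Admin", "edit", "user", None),
        ("User", "view", "user", {"username", "realname"}),
        ("User", "view", "issue", None),
        ("User", "edit", "issue", {"title", "status"}),
    ]
    items = {
        ("user", "1"): {"username": "root", "realname": "Admin",
                        "address": "root@example.test", "roles": "Admin"},
        ("user", "2"): {"username": "alice", "realname": "Alice",
                        "address": "alice@example.test", "roles": "User"},
        ("issue", "1"): {"title": "Login page", "status": "open", "priority": "high"},
    }
    return Tracker(roles, rules, items)
```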

[Full-disclosure] iDefense Security Advisory 05.27.08: EMC AlphaStor Server Agent Multiple Stack Buffer Overflow Vulnerabilities

2008-05-27 Thread iDefense Labs
iDefense Security Advisory 05.27.08
http://labs.idefense.com/intelligence/vulnerabilities/
May 27, 2008

I. BACKGROUND

AlphaStor is a suite of applications used for disk management. For more
information, please see the vendor's website at the following URL.

http://www.emc.com/products/detail/software/alphastor.htm

II. DESCRIPTION

Remote exploitation of multiple stack based buffer overflow
vulnerabilities in EMC Corp.'s AlphaStor could allow an attacker to
execute arbitrary code with SYSTEM privileges.

AlphaStor consists of multiple applications, one of which is the Server
Agent. The Server Agent is one of the core components of AlphaStor, and
is used to initiate disk management requests. The Agent consists of
several processes, one of which is the AlphaStor Command Line Interface
process. This process listens on TCP port 41025, and is prone to
multiple stack based buffer overflow vulnerabilities.

III. ANALYSIS

Exploitation of these vulnerabilities results in the execution of
arbitrary code with the privileges of the affected service, usually
SYSTEM. The vulnerabilities occur before any authentication, so they
can be exploited by anonymous attackers with the ability to create a
TCP connection to port 41025 on the server.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in
AlphaStor version 3.1 SP1 for Windows. Previous versions, as well as
versions for other platforms, may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for these issues.

VI. VENDOR RESPONSE

"EMC has issued updates to correct this issue. More details can be found
in knowledgebase article emc186391 available from powerlink.emc.com. EMC
customers can further contact EMC Software Technical Support at
1-877-534-2867."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2158 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/16/2008  Initial vendor notification
04/16/2008  Initial vendor response
05/27/2008  Coordinated public disclosure

IX. CREDIT

Three of these vulnerabilities were reported to iDefense by Stephen
Fewer of Harmony Security (www.harmonysecurity.com). Two were
discovered by Sean Larsson, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



[Full-disclosure] iDefense Security Advisory 05.27.08: EMC AlphaStor Library Manager Arbitrary Command Execution Vulnerability

2008-05-27 Thread iDefense Labs
iDefense Security Advisory 05.27.08
http://labs.idefense.com/intelligence/vulnerabilities/
May 27, 2008

I. BACKGROUND

AlphaStor is a suite of applications used for disk management. For more
information, please see the vendor's website found at the following
link.

http://www.emc.com/products/detail/software/alphastor.htm

II. DESCRIPTION

Remote exploitation of an arbitrary command execution vulnerability in
EMC Corp.'s AlphaStor could allow an attacker to execute arbitrary code
with SYSTEM privileges.

AlphaStor consists of multiple applications, one of which is the Library
Manager. The Library Manager is used to manage the replacement of disk
drives in distributed locations. The Manager consists of a single
process, the "robotd" process, that listens on TCP port 3500 for
incoming connections.

The Library Manager is prone to an arbitrary command execution
vulnerability. When sent a specific request, "robotd" will use a string
from the packet as a command to execute on the system via the
CreateProcess() function. This allows an attacker to run arbitrary
programs on the host with SYSTEM privileges.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the affected service, usually SYSTEM. The
vulnerability occurs before any authentication, so it can be exploited
by anonymous attackers with the ability to create a TCP connection to
port 3500 on the server.

Since the vulnerability allows an attacker to run arbitrary programs
with arbitrary arguments, little skill is required for exploitation.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in AlphaStor
version 3.1 SP1 for Windows. Previous versions, as well as versions for
other platforms, may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

"EMC has issued updates to correct this issue. More details can be found
in knowledgebase article emc186391 available from powerlink.emc.com. EMC
customers can further contact EMC Software Technical Support at
1-877-534-2867."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2157 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/16/2008  Initial vendor response
04/16/2008  Initial vendor notification
05/27/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Stephen Fewer of Harmony
Security (www.harmonysecurity.com).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



[Full-disclosure] ZDI-08-033: Motorola RAZR JPG Processing Stack Overflow Vulnerability

2008-05-27 Thread zdi-disclosures
ZDI-08-033: Motorola RAZR JPG Processing Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-033
May 27, 2008

-- Affected Vendors:
Motorola

-- Affected Products:
Motorola RAZR

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable Motorola RAZR firmware based cell phones. User interaction is
required to exploit this vulnerability in that the target must accept a
malicious image sent via MMS.

The specific flaw exists in the JPEG thumbprint component of the EXIF
parser. A corrupt JPEG received via MMS can cause a memory corruption
which can be leveraged to execute arbitrary code on the affected device.

-- Vendor Response:
Motorola states:
Together, ZDI and Motorola have identified a potential vulnerability
related to viewing malicious, manipulated JPEG files affecting select
RAZR-series devices. Although the possibility of this vulnerability
occurring is very remote and would only occur in unique circumstances,
Motorola proactively corrected it in all new device releases.

To ensure that you have the latest software load available for your
device, please visit
http://direct.motorola.com/hellomoto/NSS/update_my_software.asp

-- Disclosure Timeline:
2007-07-10 - Vulnerability reported to vendor
2008-05-27 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

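The advisory locates the flaw in the EXIF parser's handling of the embedded JPEG thumbnail, where a corrupt file drives memory corruption. The check such a parser needs is that every offset and length it reads is validated against the buffer it actually holds before being used. The following added example (not the vendor's code; the EXIF/TIFF layout is standard, the sample segments are constructed) extracts the IFD1 thumbnail with those checks and rejects a segment whose stated thumbnail region lies outside the data.

```python
"""Bounds-checked extraction of the EXIF (IFD1) thumbnail from a JPEG APP1 payload."""
import struct

TAG_THUMB_OFFSET = 0x0201   # JPEGInterchangeFormat: thumbnail offset from TIFF header
TAG_THUMB_LENGTH = 0x0202   # JPEGInterchangeFormatLength
TYPE_LONG = 4


class ExifError(ValueError):
    """Malformed EXIF data; the caller shows no thumbnail instead of crashing."""


def _read_ifd(tiff, endian, offset):
    """Parse one IFD at `offset` (relative to the TIFF header) with bounds checks."""
    if offset + 2 > len(tiff):
        raise ExifError("IFD header outside TIFF data")
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    end = offset + 2 + count * 12 + 4          # entries plus the next-IFD pointer
    if end > len(tiff):
        raise ExifError("IFD entries outside TIFF data")
    entries = {}
    for k in range(count):
        tag, typ, cnt, val = struct.unpack_from(endian + "HHII", tiff, offset + 2 + 12 * k)
        entries[tag] = (typ, cnt, val)
    (nxt,) = struct.unpack_from(endian + "I", tiff, end - 4)
    return entries, nxt


def extract_thumbnail(app1):
    """Return the thumbnail bytes, None if the file has none, or raise ExifError."""
    if not app1.startswith(b"Exif\x00\x00"):
        raise ExifError("missing Exif header")
    tiff = app1[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        raise ExifError("bad TIFF header")
    magic, offset = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        raise ExifError("bad TIFF magic")
    seen, entries = set(), {}
    while offset != 0:                          # walk IFD0 -> IFD1 -> ...
        if offset in seen:
            raise ExifError("IFD chain loops")
        seen.add(offset)
        entries, offset = _read_ifd(tiff, endian, offset)
        if TAG_THUMB_OFFSET in entries and TAG_THUMB_LENGTH in entries:
            break
    else:
        return None
    (otype, _, toff), (ltype, _, tlen) = entries[TAG_THUMB_OFFSET], entries[TAG_THUMB_LENGTH]
    if otype != TYPE_LONG or ltype != TYPE_LONG:
        raise ExifError("thumbnail tags have unexpected types")
    # The critical check: the stated region must lie inside the buffer we hold.
    # (In C the sum toff + tlen must itself be tested for 32-bit wraparound.)
    if tlen == 0 or toff + tlen > len(tiff):
        raise ExifError("thumbnail region outside TIFF data")
    thumb = tiff[toff:toff + tlen]
    if thumb[:2] != b"\xff\xd8":
        raise ExifError("thumbnail is not a JPEG stream")
    return thumb


def classify(app1):
    """('ok', thumb) for a well-formed segment, ('rejected', reason) otherwise."""
    try:
        return "ok", extract_thumbnail(app1)
    except ExifError as e:
        return "rejected", str(e)


def build_exif(thumb, length=None, endian="<"):
    """Constructed sample: TIFF header, IFD0 (Orientation only), IFD1 (thumbnail).
    `length` overrides the stated thumbnail length to mimic a corrupt file."""
    ifd1 = 8 + 2 + 12 + 4                       # IFD0 holds one 12-byte entry
    data = ifd1 + 2 + 2 * 12 + 4                # IFD1 holds two entries
    bom = b"II" if endian == "<" else b"MM"
    buf = bom + struct.pack(endian + "HI", 42, 8)
    buf += struct.pack(endian + "H", 1) + struct.pack(endian + "HHIHH", 0x0112, 3, 1, 1, 0)
    buf += struct.pack(endian + "I", ifd1)
    buf += struct.pack(endian + "H", 2)
    buf += struct.pack(endian + "HHII", TAG_THUMB_OFFSET, TYPE_LONG, 1, data)
    buf += struct.pack(endian + "HHII", TAG_THUMB_LENGTH, TYPE_LONG, 1,
                       len(thumb) if length is None else length)
    buf += struct.pack(endian + "I", 0)
    return b"Exif\x00\x00" + buf + thumb


SAMPLE_THUMB = b"\xff\xd8\xff\xd9"              # constructed minimal JPEG marker pair
```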