Re: [Full-disclosure] Technical Details of Security Issues Regarding Safari for Windows
Aviv really gave a huge hint on the issue: http://blog-imgs-24.fc2.com/l/i/u/liudieyu0/0001.png (posted at http://liudieyu0.blog124.fc2.com/blog-entry-5.html )

On Tue, Jun 10, 2008 at 10:28 PM, LIUDIEYU dot COM [EMAIL PROTECTED] wrote:

> The first issue is the one described in Microsoft Security Advisory 953818. It was worked out by Aviv Raff:
> http://www.microsoft.com/technet/security/advisory/953818.mspx
> http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx
>
> It is covered by the news, but Aviv Raff has not published technical details yet. News stories say Microsoft is going to handle this:
>
> "The Internet Explorer bulletin is expected to be cumulative and might include some remediation for the Safari for Windows vulnerability disclosed last month by Nitesh Dhanjani"
> http://news.cnet.com/8301-10789_3-9959752-57.html?part=rsssubj=newstag=2547-1_3-0-20
>
> (It should be Aviv Raff instead of Nitesh Dhanjani, as suggested in the Microsoft security advisory and Aviv Raff's blog.) It also sounds unnatural that Microsoft provides remediation for a Safari vulnerability, and that the remediation is distributed in an IE patch.
>
> I provide the technical details of this issue for those who are interested:
> http://liudieyu0.blog124.fc2.com/blog-entry-1.html
>
> In my personal opinion this issue is rooted in IE wrongly loading a DLL from the desktop (instead of WINDOWS\SYSTEM32).
>
> The second issue is about the possibility that Safari can download malicious content with a confusing file name and icon, which might be launched later by an unknowing user. Details are here:
>
> A New Security Issue in Safari for Windows, NOT the Blended Threat Described in Microsoft Security Advisory 953818
> http://liudieyu0.blog124.fc2.com/blog-entry-3.html
>
> In the post I say the main concern comes from LNK (shortcut) files. Of course an EXE can also be a concern if the file name extension is hidden, but most people I know do have file name extensions displayed in Windows.

___ Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Technical Details of Security Issues Regarding Safari for Windows
Errata -- The PNG graphic can't be reached directly. Can be viewed by following link in the aforementioned blog entry: http://liudieyu0.blog124.fc2.com/blog-entry-5.html

On Wed, Jun 11, 2008 at 5:17 PM, LIUDIEYU dot COM [EMAIL PROTECTED] wrote:

> Aviv really gave huge hint on the issue: http://blog-imgs-24.fc2.com/l/i/u/liudieyu0/0001.png ( posted at http://liudieyu0.blog124.fc2.com/blog-entry-5.html )
[Full-disclosure] CORE-2008-0125: CitectSCADA ODBC service vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

CitectSCADA ODBC service vulnerability

*Advisory Information*

Title: CitectSCADA ODBC service vulnerability
Advisory ID: CORE-2008-0125
Advisory URL: http://www.coresecurity.com/?action=itemid=2186
Date published: 2008-06-11
Date of last update: 2008-06-10
Vendors contacted: Citect
Release mode: Coordinated release

*Vulnerability Information*

Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: Yes
Bugtraq ID: 29634
CVE Name: CVE-2008-2639

*Vulnerability Description*

Citect is a supplier of industrial automation software with headquarters in Australia and over 20 offices in Oceania, South East Asia, China, Japan, the Americas, Europe, Africa and the Middle East. Citect's products are distributed in over 80 countries through a network of more than 500 partners. According to Citect's website [1] the company, a fully owned subsidiary of Schneider Electric, has more than 150,000 licenses of its software sold to date. Citect's products are used by organizations worldwide in numerous industries including Aerospace & Defense, Oil & Gas, Power/Utilities, Chemical, Pharmaceutical, Manufacturing and others.

CitectSCADA (Supervisory Control and Data Acquisition) is a system with the primary function of collecting data and providing an interface to control equipment such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs) etc., with an integrated Human Machine Interface (HMI) / SCADA solution to deliver a scalable and reliable control and monitoring system. The system is composed of software installed on standard computer equipment running commercial off-the-shelf Microsoft Windows operating systems.

A vulnerability was found in CitectSCADA that could allow a remote unauthenticated attacker to force an abnormal termination of the vulnerable software (Denial of Service) or to execute arbitrary code on vulnerable systems to gain complete control of the software. To accomplish such a goal the would-be attacker must be able to connect to the vulnerable service on a TCP high port.

*Vulnerable Packages*

. CitectSCADA v6
. CitectSCADA v7
. CitectFacilities v7

*Non-vulnerable Packages*

. Contact the vendor for fixed versions of the product.

*Vendor Information, Solutions and Workarounds*

In general, process control networks should be physically isolated from corporate or other publicly accessible data networks, as such an isolated network will limit the exposure of systems with network-facing vulnerabilities only to accidental disruption or to potentially malicious users or systems within the process control network itself. However, if physical isolation of the process control network is not feasible, it is strongly recommended to enforce and monitor strict network access control mechanisms to verify that only the absolute minimal required set of systems from both within and outside the process control network are allowed to connect to any systems within the process control network. In this particular case, access control mechanisms on both end systems and network boundary devices such as firewalls and IPSes must ensure that only hardened and trusted systems from that minimal set can connect to systems in the process control network running potentially vulnerable software. Nonetheless, systems in that minimal set must still be considered potential attack vectors into the process control network and, should they become compromised, providers of transitive trust from the process control network to external untrusted systems.

Besides the recommendation of a secure network architecture with strict network access control measures, OS hardening and other sound system administration practices, a specific workaround for the vulnerability reported in this advisory is provided below.

The vulnerability is located in the ODBC server service; vulnerable organizations that do not require ODBC connectivity may disable the service with no adverse effects to the CitectSCADA software. Installations that require ODBC connectivity to SQL databases, spreadsheets, etc. will suffer loss of connection with ODBC data sources if this workaround is applied. Vulnerable organizations should obtain positive verification that ODBC connectivity is not necessary in their installation and prepare appropriate contingency procedures before the workaround is applied.

Vendor statement:

CitectSCADA is not designed to be accessible on public networks and recommends that the SCADA and control networks be protected by firewall or similar on live sites. The system must be network hardened regardless of the corrupt packet software change to ensure a secure system given the likelihood that on the same network are open industry standard protocol devices perhaps communicating via ethernet. Please follow this link on Citect website under Industries and
[Full-disclosure] Many bugs on CMS system Piugame
Many bugs on CMS system Piugame
http://www.piugame.com
Researcher: Psymera

1.- Overview

Piugame CMS is a system used for control of and contact with Pump It Up gamers over the world, and the method of control for official tournaments over the world.

2.- Description

This system has vulnerabilities such as SQL injection, credential bypass, XSS and many other bugs. The system is very poorly programmed and does not have a good method of control over the variables being sent.

Examples:

Script: club.piugame.com/list.html
SQL Injection: variable stt vulnerable
XSS: variables: “order” “stt” “tb” “ss2” “SC” “ss1” “sst1” “tbname” “page” “category” “key” “keyword” “divpage”

Global script: /home1/piuclub/public_html/_club/tempst_bbs/lib.php
SQL Injection: variable: community_no

And in this way many other scripts are vulnerable to many other types of attacks.

4.- Disclosure Timeline

Vendor contacted: 15-March-2008. Vendor never responded.
11-April-2008. Vendor never responded.
24-May-2008. Vendor never responded.
Public advisory: 10-June-2008

5.- Copyright

Researcher: Psymera
http://www.securitynation.com - Security Nation is a Lab Supported by RISS Security Services.
http://www.riss.com.mx
Copyright SecurityNation.
Contact: [EMAIL PROTECTED]
Re: [Full-disclosure] Out of Office AutoReply: Snort Signature to detect credit cards
... just saw this while browsing the archive. Belated apologies for the annoyance. There had been a milter rule to block these from my account to the internet, but it was disabled at some point for debugging and (obviously) never turned back on.

Cheers
Bill

-----Original Message-----
From: West, Bill (USA)
Sent: Tuesday, June 10, 2008 5:21 PM
To: West, Bill (USA)
Subject: RE: Out of Office AutoReply: Snort Signature to detect credit cards

> Folks, it is 2008. Like cell phones, e-mail autoresponders are no longer cool. Use a separate address for mailing lists (like a personal or disposable one) so we don't get bombarded with your junk. Did I mention the social engineering treasures sent around the world with each one? Do you really work in security? Gah!
>
> Randy
>
> Re: Out of Office AutoReply: Snort Signature to detect credit cards
>
> On Fri, May 9, 2008 4:23 am, West, Bill (USA) wrote:
>> I am no longer on-site full time and have limited access to e-mail. I will respond to you as soon as I can. If your issue is an emergency, please use the contacts below.
Re: [Full-disclosure] Mambo Cookie Authentication Bypass Exploit
My social skills are great when it comes to talking to rational, non-fame-seeking people. However, when the XSS and not-a-real-bug fanboys start posting, someone has to stand up.

As for you... I am sure you were that kid at school who told on the others just so the teacher would like you because no one else did. Why reference the charter? It's just a guideline, this is full disclosure -- aka, I can say what I want you fucking cunt.

Case in point: Eat shit and die you nobody.

Thanks.

On Tue, 10 Jun 2008 13:09:21 +0100 Garrett M. Groff [EMAIL PROTECTED] wrote:
> And situations involving social interaction are not for you. Please avoid them at all costs until social skills improve. Oh, and please read the list charter that was recently distributed. On it, you will see that offensive language and personal attacks are disallowed.
>
> G
[Full-disclosure] persistent XSS, manipulation of data and privilege escalation in gpotato.eu forums
Hi all,

the forums of gpotato.eu are prone to multiple different vulnerabilities.

Timeline for XSS:

14. May: notified gpotato.eu, stating that there are security holes in their forum I could use to steal login information
15. May: response: there is no bug in the forum, and as the login information is encrypted, there is no problem
15. May: sent example: <scr<script>ipt>alert(document.cookie);</scr</script>ipt>
16. May: response: OK, there was a bug when the user has IE (bullshit, but the example code doesn't work anymore)
16. May: sent next example: <p onmouseover='alert(document.cookie);'>blabla</p>
no more response.

It doesn't work this way anymore, but my code is still sent to the site and only gets enclosed as title=mycode. Still might be vulnerable.

I don't have a timeline for manipulation and escalation, but I told them several times now. It was possible to reply to closed threads, which seems to be fixed now. But for the same time, they know anyone (logged in) can edit anybody's postings, which is still unfixed.

http://t*nyurl.com/5ovmr7

regards
MC.Iglo
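The timeline above (an injected script tag that stops working after one "fix", then a split tag that goes through) is the classic failure of a filter that deletes a blacklisted string in a single pass. The following added example, which is not gpotato.eu's forum code, reproduces that filter against the post's two probes and shows the fix a defender actually wants: HTML-escaping user text instead of trying to strip tags. All inputs are constructed and the helper names are assumptions.

```c
/* Added example, not gpotato.eu's forum code: why the nested-tag input
 * from the post above survives a filter that deletes "<script>" in one
 * pass, and the fix, which is to HTML-escape user text rather than try
 * to remove tags. All inputs are constructed; helper names are mine. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Delete every occurrence of needle from src in one left-to-right pass.
 * Returns a newly allocated string (caller frees). Whatever surrounds a
 * deleted match is kept, so the halves of a split tag join up again. */
char *strip_once(const char *src, const char *needle)
{
    size_t nlen = strlen(needle);
    char *out = malloc(strlen(src) + 1);
    char *o = out;
    if (!out)
        return NULL;
    while (*src) {
        if (nlen > 0 && strncmp(src, needle, nlen) == 0)
            src += nlen;
        else
            *o++ = *src++;
    }
    *o = '\0';
    return out;
}

/* The blacklist style of filter the post's timeline suggests the site
 * used: one pass deleting the opening tag, one deleting the closing tag. */
char *naive_script_filter(const char *src)
{
    char *tmp = strip_once(src, "<script>");
    char *out;
    if (!tmp)
        return NULL;
    out = strip_once(tmp, "</script>");
    free(tmp);
    return out;
}

/* Correct handling for text placed into HTML content or a quoted
 * attribute: encode the characters that carry markup meaning so the
 * browser renders them as text. Returns a newly allocated string. */
char *html_escape(const char *src)
{
    char *out = malloc(strlen(src) * 6 + 1);   /* "&quot;" is 6 bytes */
    char *o = out;
    if (!out)
        return NULL;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        if (rep) {
            size_t l = strlen(rep);
            memcpy(o, rep, l);
            o += l;
        } else {
            *o++ = *src;
        }
    }
    *o = '\0';
    return out;
}

/* 1 if s still contains a character that could open a tag or break out
 * of an attribute value, 0 otherwise. */
int has_markup_chars(const char *s)
{
    return strpbrk(s, "<>\"'") != NULL;
}

int main(void)
{
    /* The two probes from the post above, as constructed test input. */
    const char *nested = "<scr<script>ipt>alert(document.cookie);</scr</script>ipt>";
    const char *attr = "<p onmouseover='alert(document.cookie);'>blabla</p>";
    char *filtered = naive_script_filter(nested);
    char *escaped = html_escape(attr);

    printf("naive filter output : %s\n", filtered);  /* the tag is back */
    printf("escaped output      : %s\n", escaped);   /* inert text */
    free(filtered);
    free(escaped);
    return 0;
}
```

The second probe never contained the word "script" at all, which is why a blacklist filter leaves it untouched while escaping neutralises both.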
[Full-disclosure] Secunia Research: uTorrent / BitTorrent Web UI HTTP Range Header DoS
======================================================================
Secunia Research 11/06/2008

- uTorrent / BitTorrent Web UI HTTP Range Header DoS -
======================================================================

Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

======================================================================
1) Affected Software

* uTorrent 1.7.7 (build 8179)
* BitTorrent 6.0.1 (build 7859)

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Less critical
Impact: Denial of Service
Where: From remote

======================================================================
3) Vendor's Description of Software

"uTorrent is a lightweight and efficient BitTorrent client for Windows with many features."

Product Link:
http://www.utorrent.com/

"BitTorrent is the global standard for accessing rich media over the Internet."

http://www.bittorrent.com/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in uTorrent and BitTorrent, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the handling of HTTP requests and can be exploited to crash the application by sending an HTTP request containing a malformed Range header string.

Successful exploitation requires that the Web UI interface is enabled (not default).

======================================================================
5) Solution

The vulnerability is fixed in BitTorrent version 6.0.3 (build 8642) and in uTorrent version 1.8beta (build 10524).

======================================================================
6) Time Table

31/01/2008 - Vendor notified.
04/02/2008 - Vendor notified (2nd attempt).
04/02/2008 - Vendor response.
27/05/2008 - Status update requested.
11/06/2008 - Public disclosure.

======================================================================
7) Credits

Discovered by Dyon Balding, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2008-0071 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:
http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.
http://secunia.com/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:
http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:
http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-7/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
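The advisory above gives one fact a defender can act on: a malformed Range header value reached code that did not expect it. The following added example, which is not uTorrent or BitTorrent code, is a strict parser for that header value that classifies every input as well-formed, malformed or unsatisfiable before any byte arithmetic happens. The length cap and the sample values are constructed for this example; only the single byte-range-spec forms of RFC 2616 section 14.35 are accepted.

```c
/* Added example, not uTorrent/BitTorrent code: a strict parser for the
 * HTTP Range header value, the input the advisory above says crashed the
 * Web UI when malformed. Syntax errors go back to the caller (to ignore
 * the header or answer 400), out-of-entity ranges separately (416), so no
 * malformed value reaches code that assumes a well-formed one. */
#include <stdint.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define RANGE_MAX_LEN 64   /* assumed policy cap on the header value length */

enum range_result {
    RANGE_OK = 0,            /* well formed and satisfiable */
    RANGE_MALFORMED = 1,     /* syntax error or unsupported form */
    RANGE_UNSATISFIABLE = 2  /* well formed but outside the entity (416) */
};

struct byte_range {
    uint64_t first;
    uint64_t last;           /* inclusive */
};

/* Parse ASCII digits at s into *v without overflowing uint64_t. Returns
 * the count consumed; 0 means no digits or overflow (a syntax error). */
static size_t parse_u64(const char *s, uint64_t *v)
{
    size_t i = 0;
    uint64_t acc = 0;
    while (isdigit((unsigned char)s[i])) {
        unsigned d = (unsigned)(s[i] - '0');
        if (acc > (UINT64_MAX - d) / 10)
            return 0;
        acc = acc * 10 + d;
        i++;
    }
    if (i > 0)
        *v = acc;
    return i;
}

/* Validate hdr (e.g. "bytes=0-499") against an entity of entity_len
 * bytes. On RANGE_OK, *out holds the absolute inclusive range. */
enum range_result parse_range(const char *hdr, uint64_t entity_len,
                              struct byte_range *out)
{
    const char *p;
    uint64_t first = 0, last = 0;
    size_t n;
    int have_first, have_last;

    if (hdr == NULL || strlen(hdr) > RANGE_MAX_LEN)
        return RANGE_MALFORMED;
    if (strncmp(hdr, "bytes=", 6) != 0)
        return RANGE_MALFORMED;          /* unknown unit or missing "=" */
    p = hdr + 6;
    n = parse_u64(p, &first);
    have_first = n > 0;
    p += n;
    if (*p != '-')
        return RANGE_MALFORMED;          /* "bytes=", "bytes=abc", "bytes=5" */
    p++;
    n = parse_u64(p, &last);
    have_last = n > 0;
    p += n;
    if (*p != '\0')
        return RANGE_MALFORMED;          /* trailing junk or multi-range set */
    if (!have_first && !have_last)
        return RANGE_MALFORMED;          /* "bytes=-" */

    if (!have_first) {                   /* suffix form: final `last` bytes */
        if (last == 0 || entity_len == 0)
            return RANGE_UNSATISFIABLE;
        if (last > entity_len)
            last = entity_len;
        out->first = entity_len - last;
        out->last = entity_len - 1;
        return RANGE_OK;
    }
    if (have_last && last < first)
        return RANGE_MALFORMED;          /* "bytes=500-100" is invalid syntax */
    if (first >= entity_len)
        return RANGE_UNSATISFIABLE;      /* starts past the end of the entity */
    out->first = first;
    out->last = (!have_last || last >= entity_len) ? entity_len - 1 : last;
    return RANGE_OK;
}

int main(void)
{
    struct byte_range r = { 0, 0 };  /* constructed 1000-byte entity below */
    int bad = (int)parse_range("bytes=abc", 1000, &r);
    int ok = (int)parse_range("bytes=-500", 1000, &r);
    printf("malformed -> %d, suffix range -> %d (%llu-%llu)\n", bad, ok,
           (unsigned long long)r.first, (unsigned long long)r.last);
    return 0;
}
```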
[Full-disclosure] XSS Browser hijacking PoC?
Hi all,

Several months ago, there was a post about a proof of concept for complete browser hijacking via XSS. IIRC, the hijacked browser would periodically query a management server, and the management server would track the hijacked browsers in a database. The person controlling the management server could then instruct the hijacked browsers to do his bidding.

The thing is, I can't find the tool. I'm wondering if anyone still knows where it is.

Thanks in advance!

-- Aaron
Re: [Full-disclosure] netdouche
On Fri, Jun 6, 2008 at 5:25 PM, n3td3v [EMAIL PROTECTED] wrote:
> I'm not a troll---i'm a serious security researcher, that doesn't mean i'm a hacker, it just means I read news articles on Cnet News and post my opinion on the Talkback feature.

you are a reposter. you haven't researched anything.
Re: [Full-disclosure] I am who I am...
On Fri, Jun 6, 2008 at 8:21 PM, n3td3v [EMAIL PROTECTED] wrote:
> WHY DIDN'T YOU JUST LET ME GO AWAY AND LEAD A LIFE INSTEAD OF WRITING ABOUT ME?

why don't you go away then?
Re: [Full-disclosure] POP QUIZ
On Sun, Jun 8, 2008 at 11:19 PM, Professor Micheal Chatner [EMAIL PROTECTED] wrote:
> A) You are a gay faggot who sucks dicks
> B) All of the above

go away you are not better than some of the other guys around here.
Re: [Full-disclosure] To clear the air and conspiracy about n3td3v
On Thu, Jun 5, 2008 at 11:06 AM, n3td3v [EMAIL PROTECTED] wrote:
> Why did you ruin the build up to Web Application Security Awareness Day? It was because of what you and Valdis said in the weeks running up to it that nobody posted anything. I mentioned mi6 to try and scare you and stop you annoying me.

because people dont need a day. they need to post vulnerabilities all the time. all it looked like you were doing was piggybacking on everyone else's research. i saw it that way, and everyone else did too.

> Your excuse for harassing me in the weeks running up to it was "don't post anything on May 1 so n3td3v can't make a name for himself", but the day wasn't about me making a name, it was about people disclosing throw-away vulnerabilities like cross-site scripting that people are usually too shy to post on a normal day, because those bugs seem too insignificant and too lame to post and don't usually give them enough hacker points on a normal day.

then people need to quit thinking they are lame, and post them more often. a day, sponsored by you, isn't going to do it.

> With Web Application Security Awareness Day it was meant to bring credibility back to web application security bugs like XSS, but you didn't see it that way, you thought it was about me making a name for myself, even though I already had a name for myself because of the bad press and conspiracy links between me and Gobbles, whoever the heck he is.

no publicity is bad publicity. even when you just _don't get it_. people tell you to go away, you don't listen, you even /say/ you are going to go away, and we applauded it, and you still didn't do it. quit lying. no one cares about you or gobbles.

> So everyone knows who n3td3v is, but the mystery remains, who is Gobbles??? He is the real hacker you should be tracking, you've wasted all your time and resources on trashing me for no reason just because you thought I was some elite hacker called Gobbles? I'm still trying to work out in my head what all the attention is on me for and why people thought I was someone called Gobbles and that I was three people???

who cares. so dr. neal was wrong, who gives a fuck about either one of you?

> If that isn't enough to fuck my head up I don't know what is, a forensic study on me, just because some idiot (Neal Krawetz) thought I was Gobbles???

get over it. dr neal was doing you a favor, at least gobbles has published exploits. what have you done?

> I don't know who Gobbles is, I have never spoken to Gobbles, I have nothing to do with him and don't want to know him. He seems to be some elite hacker, which someone thought was me, but I have no idea about him and don't know who he is.

good, again, who cares?
Re: [Full-disclosure] Fwd: www.Amazon.com down?
On Fri, Jun 6, 2008 at 4:31 PM, n3td3v [EMAIL PROTECTED] wrote:
> Shut up you faggot Amazon.com was down for hours, did you not read the news report?
> http://news.cnet.com/8301-10784_3-9962010-7.html

amazon was down. it was a routing issue.
Re: [Full-disclosure] netdouche
u dudez r obviously all a bunch of retardo losers from planet earth probably. what a bunch of ding dong lickin wang gobblin homoooz.hacking is basically gay as fuck and ppl who care about it are TOTAL FUCKING LOSERS. steve manzuik is a fuckin retard. if anyone can find his facebook i will send them an exploit that will BLOW YOUR FUCKING MIND WIDE OPEN. what ever happenned to RLOXLEY and BRONCBUSTER? They r probably suckin dickz together if i had to make a WILD FUCKIN GUESS. Letz get fuqn high and wasted all the time because nothing fuckin matters and i dont give a fuck about nothin u idiotz.

- Professor Micheal Chatner, MD, CISSP
[Full-disclosure] [SECURITY] [DSA 1594-1] New imlib2 packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1594-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                        Moritz Muehlenhoff
June 11, 2008                           http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : imlib2
Vulnerability  : buffer overflows
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-2426

Stefan Cornelius discovered two buffer overflows in Imlib's - a powerful image loading and rendering library - image loaders for PNM and XPM images, which may result in the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in version 1.3.0.0debian1-4+etch1.

For the unstable distribution (sid), this problem has been fixed in version 1.4.0-1.1.

We recommend that you upgrade your imlib2 package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
[Full-disclosure] iDefense Security Advisory 06.11.08: Multiple Vendor X Server Render Extension AllocateGlyph() Integer Overflow Vulnerability
iDefense Security Advisory 06.11.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 11, 2008

I. BACKGROUND

The X Window System is a graphical windowing system based on a client/server model. The Render extension is used to provide Porter-Duff image compositing for the X server. It is built into many X servers by default, and loaded as a default module when it is not. For more information, see the vendor's site found at the following link.

http://en.wikipedia.org/wiki/X_Window_System

II. DESCRIPTION

Local exploitation of an integer overflow vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the X server, typically root.

The vulnerability exists within the AllocateGlyph() function, which is called from several request handlers in the Render extension. This function takes several values from the request and multiplies them together to calculate how much memory to allocate for a heap buffer. This calculation can overflow, which leads to a heap overflow.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code with the privileges of the X server, typically root.

To exploit this vulnerability, an attacker must be able to send commands to an affected X server. This typically requires access to the console or access to the same account as a user who is on the console. One method of gaining the required access is to remotely exploit a vulnerability in, for example, a graphical Web browser. This would then allow an attacker to exploit this vulnerability and elevate their privileges to root.

If an X Server is configured to listen for TCP-based client connections, and a client is granted access to create sessions (via the xhosts file), then these vulnerabilities can be exploited remotely.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in X server 1.4 included with X.org X11R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.

V. WORKAROUND

Access to the vulnerable code can be prevented by preventing the X server from loading the Render extension. However, doing so may seriously impair the functionality of the server. Adding the following lines to the X configuration file will disable the Render extension:

    Section "Extensions"
        Option "RENDER" "disable"
    EndSection

VI. VENDOR RESPONSE

The X.Org team has addressed this vulnerability by releasing patches for version 1.4 of the X server. For more information, consult the X.Org advisory at the following URL.

http://lists.freedesktop.org/archives/xorg/2008-June/036026.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-2360 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

03/26/2008  Initial vendor notification
03/26/2008  Initial vendor response
06/11/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by regenrecht.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
[Full-disclosure] iDefense Security Advisory 06.11.08: Multiple Vendor X Server Render Extension ProcRenderCreateCursor() Integer Overflow Vulnerability
iDefense Security Advisory 06.11.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 11, 2008

I. BACKGROUND

The X Window System is a graphical windowing system based on a client/server model. The Render extension is used to provide Porter-Duff image compositing for the X server. It is built into many X servers by default, and loaded as a default module when it is not. For more information, see the vendor's site found at the following link.

http://en.wikipedia.org/wiki/X_Window_System

II. DESCRIPTION

Local exploitation of an integer overflow vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to create a denial of service (DoS) condition on the affected X server.

The vulnerability exists within the ProcRenderCreateCursor() function. When parsing a client request, values are taken from the request and used in an arithmetic operation that calculates the size of a dynamic buffer. This calculation can overflow, which results in an undersized buffer being allocated. This leads to an invalid memory access, which crashes the X server.

III. ANALYSIS

Exploitation allows an attacker to crash the X server; code execution is not possible.

To exploit this vulnerability, an attacker must be able to send commands to an affected X server. This typically requires access to the console or access to the same account as a user who is on the console. One method of gaining the required access is to remotely exploit a vulnerability in, for example, a graphical Web browser.

If an X Server is configured to listen for TCP-based client connections, and a client is granted access to create sessions (via the xhosts file), then these vulnerabilities can be exploited remotely.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in X.org X11 version R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.

V. WORKAROUND

Access to the vulnerable code can be prevented by preventing the X server from loading the Render extension. However, doing so may seriously impair the functionality of the server. Adding the following lines to the X configuration file will disable the Render extension:

    Section "Extensions"
        Option "RENDER" "disable"
    EndSection

VI. VENDOR RESPONSE

The X.Org team has addressed this vulnerability by releasing patches for version 1.4 of the X server. For more information, consult the X.Org advisory at the following URL.

http://lists.freedesktop.org/archives/xorg/2008-June/036026.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-2361 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

03/26/2008  Initial vendor notification
03/26/2008  Initial vendor response
06/11/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by regenrecht.

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.
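The two Render advisories above (AllocateGlyph(), CVE-2008-2360, and ProcRenderCreateCursor(), CVE-2008-2361) describe one defect class: 32-bit fields taken from a client request are multiplied together to size a heap buffer, and the product wraps, so a buffer far smaller than the data that will be written into it is allocated. The C below is an added illustration of that class and of the check that closes it; it is not X.Org's code or iDefense's, and the SizeRequest structure, its field names and handle_alloc() are constructed for this example rather than taken from the X protocol.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed request shape for this example; not the X protocol's
 * xRenderAddGlyphsReq or xRenderCreateCursorReq layout. All three fields
 * are client-controlled 32-bit values, as in the advisories. */
typedef struct {
    uint32_t count;   /* number of elements */
    uint32_t width;   /* bytes per row of one element */
    uint32_t height;  /* rows per element */
} SizeRequest;

/* The defect pattern: a CARD32 product used directly as the allocation
 * size. When the true product exceeds 2^32 - 1 it wraps silently. */
static uint32_t size_unchecked(const SizeRequest *r)
{
    return r->count * r->width * r->height;
}

/* The checked version: widen to 64 bits and compare against the 32-bit
 * limit after each multiplication. Returns 1 and stores the size on
 * success, 0 if the true product does not fit in a CARD32. */
static int size_checked(const SizeRequest *r, uint32_t *out)
{
    uint64_t total = (uint64_t)r->count * r->width;
    if (total > UINT32_MAX)
        return 0;
    total *= r->height;   /* both factors <= UINT32_MAX, so this fits in 64 bits */
    if (total > UINT32_MAX)
        return 0;
    *out = (uint32_t)total;
    return 1;
}

/* Handler modelled on the safe shape: validate first, allocate second.
 * Returns the buffer (caller frees) or NULL, which a real server would
 * report to the client as BadLength or BadAlloc instead of proceeding. */
static void *handle_alloc(const SizeRequest *r, uint32_t *allocated)
{
    uint32_t n;
    if (!size_checked(r, &n) || n == 0)
        return NULL;
    void *buf = calloc(1, n);
    if (buf && allocated)
        *allocated = n;
    return buf;
}

int main(void)
{
    /* Constructed inputs: a benign request, and one whose true product is
     * 2^32 + 2, which wraps to 2 in 32-bit arithmetic. */
    SizeRequest ok  = { 16, 32, 32 };
    SizeRequest bad = { 2, 0x80000001u, 1 };
    uint32_t n = 0;

    printf("benign:   unchecked=%u checked_ok=%d\n",
           (unsigned)size_unchecked(&ok), size_checked(&ok, &n));
    printf("overflow: unchecked=%u (wrapped) checked_ok=%d\n",
           (unsigned)size_unchecked(&bad), size_checked(&bad, &n));

    void *buf = handle_alloc(&ok, &n);
    printf("handle_alloc(benign) -> %s, %u bytes\n", buf ? "buffer" : "NULL", (unsigned)n);
    free(buf);
    return 0;
}
```

The important design point is that the rejection happens on the true product, computed in a wider type, before any allocation or copy. Comparing the wrapped 32-bit result against a maximum would still accept the overflowing request.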
[Full-disclosure] iDefense Security Advisory 06.11.08: Multiple Vendor X Server Render Extension Gradient Creation Integer Overflow Vulnerability
iDefense Security Advisory 06.11.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 11, 2008

I. BACKGROUND

The X Window System is a graphical windowing system based on a client/server model. The Render extension is used to provide Porter-Duff image compositing for the X server. It is built into many X servers by default and loaded as a default module when it is not. For more information, see the vendor's site found at the following link.

http://en.wikipedia.org/wiki/X_Window_System

II. DESCRIPTION

Local exploitation of an integer overflow vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the X server, typically root.

The vulnerability occurs when parsing a client request for one of the following functions:

    SProcRenderCreateLinearGradient
    SProcRenderCreateRadialGradient
    SProcRenderCreateConicalGradient

In each case, values are taken from the client request and used to calculate the number of bytes to swap in the client request data. The calculations attempt to verify that the byte swap range is valid, but they are incorrect, which can lead to heap memory being corrupted.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code with the privileges of the X server, typically root.

To exploit this vulnerability, an attacker must be able to send commands to an affected X server. This typically requires access to the console or access to the same account as a user who is on the console. One method of gaining the required access is to remotely exploit a vulnerability in, for example, a graphical Web browser. This would then allow an attacker to exploit this vulnerability and elevate their privileges to root.

If an X Server is configured to listen for TCP-based client connections, and a client is granted access to create sessions (via the xhosts file), then these vulnerabilities can be exploited remotely.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in X.org X11 version R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.

V. WORKAROUND

Access to the vulnerable code can be prevented by preventing the X server from loading the Render extension. However, doing so may seriously impair the functionality of the server. Adding the following lines to the X configuration file will disable the Render extension:

    Section "Extensions"
        Option "RENDER" "disable"
    EndSection

VI. VENDOR RESPONSE

The X.Org team has addressed this vulnerability by releasing patches for version 1.4 of the X server. For more information, consult the X.Org advisory at the following URL.

http://lists.freedesktop.org/archives/xorg/2008-June/036026.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-2362 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

03/26/2008  Initial vendor notification
03/26/2008  Initial vendor response
06/11/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by regenrecht.

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.
[Full-disclosure] iDefense Security Advisory 06.11.08: Multiple Vendor X Server Record and Security Extensions Multiple Memory Corruption Vulnerabilities
iDefense Security Advisory 06.11.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 11, 2008

I. BACKGROUND

The X Window System is a graphical windowing system based on a client/server model. For more information, see the vendor's site found at the following link.

http://en.wikipedia.org/wiki/X_Window_System

II. DESCRIPTION

Local exploitation of multiple memory corruption vulnerabilities in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the X server, typically root.

Multiple vulnerabilities are present in the Record and Security extensions. In both cases, untrusted values are taken from a client request, and used to swap the byte order of heap memory that follows the client request. Since the number of bytes to swap is not properly validated, it is possible to corrupt heap memory located after the request.

The following functions contain vulnerable code:

    SProcSecurityGenerateAuthorization()
    SProcRecordCreateContext()
    SProcRecordRegisterClients()

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code with the privileges of the X server, typically root.

In order to exploit these vulnerabilities, an attacker must be able to send commands to an affected X server. This typically requires access to the console or access to the same account as a user who is on the console. One method of gaining the required access is to remotely exploit a vulnerability in, for example, a graphical web browser. This would then allow an attacker to exploit this vulnerability and elevate their privileges to root.

If an X Server is configured to listen for TCP-based client connections, and a client is granted access to create sessions (via the xhosts file), then these vulnerabilities can be exploited remotely.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in X server 1.4 included with X.org X11R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.

V. WORKAROUND

Access to the vulnerable code in the SECURITY extension can be prevented by preventing the X server from loading the extension. However, doing so may seriously impair the functionality of the server. Adding the following lines to the X configuration file will disable the SECURITY extension:

    Section "Extensions"
        Option "SECURITY" "disable"
    EndSection

VI. VENDOR RESPONSE

The X.Org team has addressed these vulnerabilities by releasing patches for version 1.4 of the X server. For more information, consult the X.Org advisory at the following URL.

http://lists.freedesktop.org/archives/xorg/2008-June/036026.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-1377 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

03/26/2008  Initial vendor notification
03/26/2008  Initial vendor response
06/11/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by regenrecht.

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.
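The gradient advisory (CVE-2008-2362) and the Record/Security advisory (CVE-2008-1377) above share a second defect class, specific to the SProc* handlers that serve clients of the opposite byte order: a count taken from the request decides how many words after the header get byte-swapped, and when that count is not checked against the request's real length the swap walks off the end of the request into adjacent heap memory. The C below is an added illustration of the check a handler needs; it is not X.Org's or iDefense's code. The ReqHeader layout is constructed for the example, and it assumes, as a simplification, that the dispatcher has already swapped the fixed header fields (length, nItems) into host order before the body is processed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed request header for this example; not xorg's xReq or any of
 * the Record, Security or Render request structs. As in the X protocol,
 * 'length' counts the whole request in 4-byte units, so the header and
 * every item after it must fit inside length * 4 bytes. */
typedef struct {
    uint8_t  reqType;
    uint8_t  subType;
    uint16_t length;   /* total request length, in 4-byte units (host order) */
    uint32_t nItems;   /* untrusted: how many 32-bit items the client says follow */
} ReqHeader;

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/* How many 32-bit items the body can legitimately hold, derived from the
 * length field rather than from the client's own item count. */
static uint32_t body_capacity_items(const ReqHeader *h)
{
    size_t total = (size_t)h->length * 4;
    if (total < sizeof(ReqHeader))
        return 0;
    return (uint32_t)((total - sizeof(ReqHeader)) / 4);
}

/* The defect pattern, as a computation only: the number of bytes a
 * handler would swap if it trusted nItems. Nothing here touches memory. */
static size_t bytes_swapped_unchecked(const ReqHeader *h)
{
    return (size_t)h->nItems * 4;
}

/* Checked: swap only as many items as the length field covers. The check
 * compares item counts, not byte products, so it cannot itself overflow.
 * Returns the number of items swapped, or -1 for a malformed request
 * (a real server would answer the client with BadLength). */
static long swap_request_checked(void *buf, size_t buflen)
{
    if (buflen < sizeof(ReqHeader))
        return -1;
    ReqHeader *h = (ReqHeader *)buf;
    /* the length field must describe exactly the bytes we were handed */
    if ((size_t)h->length * 4 != buflen)
        return -1;
    if (h->nItems > body_capacity_items(h))
        return -1;

    uint32_t *items = (uint32_t *)((uint8_t *)buf + sizeof(ReqHeader));
    for (uint32_t i = 0; i < h->nItems; i++)
        items[i] = bswap32(items[i]);
    return (long)h->nItems;
}

int main(void)
{
    /* Constructed 16-byte request: 8-byte header plus two items. */
    struct { ReqHeader h; uint32_t items[2]; } req = {
        { 1, 0, 4, 2 }, { 0x11223344u, 0xAABBCCDDu }
    };
    printf("honest count: swapped %ld items, item[0]=0x%08x\n",
           swap_request_checked(&req, sizeof req), (unsigned)req.items[0]);

    req.h.nItems = 0xFFFFFFFFu;   /* claims far more items than the request holds */
    printf("inflated count: would swap %zu bytes unchecked; checked result %ld\n",
           bytes_swapped_unchecked(&req.h), swap_request_checked(&req, sizeof req));
    return 0;
}
```

Deriving the permitted item count from the transport-level length (which the server already trusts to read the request) is what makes the check sound; validating nItems * 4 as a 32-bit product would reintroduce the wrap the first two advisories describe.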
[Full-disclosure] iDefense Security Advisory 06.11.08: Multiple Vendor X Server MIT-SHM Extension Information Disclosure Vulnerability
iDefense Security Advisory 06.11.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 11, 2008

I. BACKGROUND

The X Window System is a graphical windowing system based on a client/server model. More information about the X Window System is available at the following link.

http://en.wikipedia.org/wiki/X_Window_System

II. DESCRIPTION

Local exploitation of an information disclosure vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to gain access to sensitive information stored in server memory.

The vulnerability exists when creating a Pixmap in the fbShmPutImage() function. The width and height of the Pixmap, which are controlled by the user, are not properly validated to ensure that the Pixmap they define is within the bounds of the shared memory segment. This allows an attacker to read arbitrary areas of memory in the X server process.

III. ANALYSIS

Exploitation allows an attacker to read arbitrary memory within the X Server's address space. By itself, the impact of this vulnerability is minimal. However, when coupled with a code execution vulnerability, this vulnerability can be used to greatly increase the reliability of an exploit. Additionally, this vulnerability can be used to crash the server. If the server automatically restarts, this can be useful since it resets the state of the server to a known state.

If an X Server is configured to listen for TCP-based client connections, and a client is granted access to create sessions (via the xhosts file), then the vulnerability can be exploited remotely.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in X server 1.4 included with X.org X11R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.

V. WORKAROUND

Access to the vulnerable code can be prevented by preventing the X server from loading the MIT-SHM extension. However, doing so may impair the functionality of the server. Adding the following lines to the X configuration file will disable the MIT-SHM extension:

    Section "Extensions"
        Option "MIT-SHM" "disable"
    EndSection

VI. VENDOR RESPONSE

The X.Org team has addressed this vulnerability by releasing patches for version 1.4 of the X server. For more information, consult the X.Org advisory at the following URL.

http://lists.freedesktop.org/archives/xorg/2008-June/036026.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-1379 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

03/26/2008  Initial vendor notification
03/26/2008  Initial vendor response
06/11/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by regenrecht.

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.
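The MIT-SHM advisory (CVE-2008-1379) is a bounds problem rather than an allocation problem: the image the client describes has to lie entirely inside the shared memory segment the server attached, otherwise the server copies bytes from its own address space past the segment. The C below is an added illustration of that bounds check, contrasted with the 32-bit arithmetic that lets an oversized image pass; it is not X.Org's or iDefense's code. ShmImageDesc and its fields are constructed for the example, and segment_size stands for the size the server learned when it attached the segment, not a client-supplied value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed description of a ShmPutImage-style request; not xorg's
 * xShmPutImageReq. width, height, bits_per_pixel and offset all come from
 * the client, as the advisory describes for width and height. */
typedef struct {
    uint32_t width;           /* pixels per row */
    uint32_t height;          /* rows */
    uint32_t bits_per_pixel;  /* 1, 4, 8, 16, 24 or 32 */
    uint32_t offset;          /* byte offset of the image inside the segment */
} ShmImageDesc;

static int valid_bpp(uint32_t bpp)
{
    return bpp == 1 || bpp == 4 || bpp == 8 || bpp == 16 || bpp == 24 || bpp == 32;
}

/* Bytes per scanline, padded to a 32-bit boundary as X scanlines are.
 * Computed in 64 bits; returns 0 if the stride does not fit a CARD32. */
static int padded_stride(uint32_t width, uint32_t bpp, uint32_t *stride)
{
    uint64_t bits  = (uint64_t)width * bpp;
    uint64_t bytes = (bits + 31) / 32 * 4;
    if (bytes > UINT32_MAX)
        return 0;
    *stride = (uint32_t)bytes;
    return 1;
}

/* The defect pattern: size and end offset computed in 32 bits, so a large
 * width * height wraps to a small number and the comparison passes. */
static int fits_unchecked(const ShmImageDesc *d, size_t segment_size)
{
    uint32_t bytes = d->width * d->height * (d->bits_per_pixel / 8);
    uint32_t end   = d->offset + bytes;
    return end <= segment_size;
}

/* Checked: every intermediate value is held in 64 bits, so the last byte
 * the copy would touch is compared against the segment on its true value.
 * Returns 1 if the whole image lies inside [0, segment_size), else 0. */
static int image_fits_segment(const ShmImageDesc *d, size_t segment_size)
{
    uint32_t stride;
    if (d->width == 0 || d->height == 0 || !valid_bpp(d->bits_per_pixel))
        return 0;
    if (!padded_stride(d->width, d->bits_per_pixel, &stride))
        return 0;
    uint64_t image_bytes = (uint64_t)stride * d->height;   /* < 2^64 */
    uint64_t end = (uint64_t)d->offset + image_bytes;      /* still < 2^64 */
    return end <= (uint64_t)segment_size;
}

int main(void)
{
    size_t segment = 1u << 20;   /* constructed: a 1 MiB segment */
    ShmImageDesc normal = { 640, 480, 32, 0 };          /* 1,228,800 bytes: too big */
    ShmImageDesc wrap   = { 0x10000u, 0x10000u, 8, 0 }; /* 2^32 bytes: wraps to 0 */

    printf("640x480x32 in 1 MiB: unchecked=%d checked=%d\n",
           fits_unchecked(&normal, segment), image_fits_segment(&normal, segment));
    printf("65536x65536x8 in 1 MiB: unchecked=%d checked=%d\n",
           fits_unchecked(&wrap, segment), image_fits_segment(&wrap, segment));
    return 0;
}
```

The offset matters as much as the size: an image that would fit a segment from offset 0 can still run past the end once the client moves its start, so the check has to be on offset + image_bytes, not on image_bytes alone.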
Re: [Full-disclosure] Metasploit - Hack ?
oh man. sarcasm

On Wed, Jun 11, 2008 at 2:28 PM, Ureleet [EMAIL PROTECTED] wrote:
> oh, and for those that were confused.. sarcasm
>
> On Thu, Jun 5, 2008 at 4:14 PM, T Biehn [EMAIL PROTECTED] wrote:
>> Did you just totally match up two instances of the string ARP Poisoning?
>> You've got a lot more skills than the industry gives you credit for.
>> I for one would be glad to replace my Guhnue software with one n3td3v
>> expert analysiser.
>
> /sarcasm

/sarcasm

This could get dangerous.